4

[RAprogramm]

Closes #4.

Phase 1A: rules pack scaffolding with the first five tier-1 rules drawn verbatim from code-review-methodology/en/quick-reference.md. The schema gains a RuleDefinition enum (externally tagged) replacing the now-removed Tier enum, so a rule's analysis tier is encoded in its definition variant.

Schema (#4 feat reshape rule schema with external tagged ruledefinition)

• Rule { id, severity, title, rationale_uri, definition } — the standalone tier field is gone.
• RuleDefinition is an externally tagged enum: Pattern { regex, exclude_globs }, Ast { check }, Semantic { check }. External tagging maps cleanly to TOML's [definition.pattern] table syntax.
• rename_all_fields = "kebab-case" on the enum so inner payload fields serialize as kebab too (exclude-globs).
• Golden schemas regenerated under crates/rustmanifest-schema/schemas/.

Rules pack (#4 feat add rules pack with build script and first five tier 1 rules)

• New crates/rustmanifest-rules-core/rules/ directory, one rule per subdir:
  • RM-SEC-001 — Hardcoded credentials.
  • RM-SEC-002 — SQL injection via format!.
  • RM-SEC-003 — Command injection via format!.
  • RM-RUST-001 — Panic in production (.unwrap() / .expect( / panic!).
  • RM-PERF-001 — Vec::new() without with_capacity.
• Each rule ships rule.toml + pass.rs + fail.rs. The fixtures are real Rust snippets and double as the contract for what the regex must and must not match.
• build.rs walks rules/, parses each rule.toml via the canonical Rule type from rustmanifest-schema, validates that the directory name equals the rule id, and emits a single rules.json into OUT_DIR.
• lib.rs exposes pub static RULES: LazyLock<Vec<Rule>> via include_str! of the build-emitted JSON. The deserialization step inside the LazyLock closure carries an inline #[allow(clippy::expect_used)] with a reason field — the embedded JSON is build-time-validated, so a runtime parse failure indicates a corrupted binary, which is unrecoverable.
• Integration tests in tests/rules.rs:
  • Pack is non-empty.
  • Rule ids are unique.
  • Rule ids match ^RM-(SEC|PERF|RUST|QUAL|STRUCT)-\d{3}$.
  • Every pattern rule's regex compiles.
  • Every rule's fail.rs triggers its regex.
  • Every rule's pass.rs does NOT trigger its regex.
  • Every rule id maps to an on-disk directory.

New dependencies

• Runtime in rustmanifest-rules-core: regex 1, serde_json 1.
• Build-only in rustmanifest-rules-core: toml 1 (latest, MIT).
• Workspace dependency table: regex = "1", toml = "1".
• cargo tree --duplicates is clean — multiple-versions = "deny" in deny.toml stays satisfied.

Local verification

cargo +nightly fmt --all -- --check          # clean
cargo clippy --workspace --all-targets --all-features -- -D warnings  # clean
cargo test --workspace                        # 6/6 rule tests pass
cargo build --workspace --release             # all 8 crates
cargo run --bin rustmanifest-schema-export -- --out crates/rustmanifest-schema/schemas
git diff --exit-code crates/rustmanifest-schema/schemas   # no drift
reuse lint                                    # 92/92 compliant
cargo tree --workspace --duplicates           # none

Out of scope (deferred to follow-up Phase 1 PRs)

• Engine analyzer that consumes the bundled rules and emits findings — Phase 1B.
• AST-tier rules from STRUCTURE.md — Phase 1C.
• CLI check subcommand wiring, JSON / SARIF / TTY renderers — Phase 1D.
• Eval corpus and precision/recall measurement — Phase 1E.
• Additional rules beyond the first 5 — follow-up PRs.