Comparing changes

base repository: boostsecurityio/poutine
base: v1.0.1
...
head repository: boostsecurityio/poutine
compare: v1.0.2
  • 6 commits
  • 18 files changed
  • 5 contributors

Commits on Oct 9, 2025

  1. Add support for embedding custom Rego rules (library and CLI) (#355)

    * Add support for embedding custom Rego rules in Poutine library
    
    This enhancement allows library consumers (like pkg-supply and spicy-poutine) to embed their own custom Rego rules directly into their binaries alongside Poutine's built-in rules, creating fully self-contained deployments without filesystem dependencies.
    
    Changes:
    - Add NewOpaWithEmbeddedRules() constructor that accepts embed.FS containing custom rules
    - Add AddEmbeddedRules() method for adding rules to existing Opa instances
    - Modify Compile() to load custom embedded rules alongside built-in rules
    - Custom rules respect skip and allowed filters like filesystem-based rules
    - Fully backward compatible with existing NewOpa() usage
    
    Usage example:
      //go:embed rules/*.rego
      var CustomRules embed.FS
    
      opa, err := poutineOpa.NewOpaWithEmbeddedRules(ctx, config, CustomRules, "rules")
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    * Fix wrapcheck lint issues in custom embedded rules loading
    
    Wrap errors from embed.FS.ReadFile() and fs.WalkDir() with context
    to satisfy wrapcheck linter for new code.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    * Add CLI support for custom embedded rules and remove AddEmbeddedRules
    
    - Remove AddEmbeddedRules() method (no clear use case)
    - Add CustomEmbeddedRules and CustomEmbeddedRulesRoot exported variables to cmd package
    - Update newOpa() and newOpaWithConfig() to use NewOpaWithEmbeddedRules when set
    - CLI extensions can now set poutineCmd.CustomEmbeddedRules before Execute()
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    * Remove customRoot parameter - always use "." as root
    
    The customRoot parameter was an unnecessary implementation detail.
    Custom embedded rules are now always loaded from the "." root.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    * Simplify custom embedded rules prefix to "custom/"
    
    Remove unnecessary index from prefix - just use "custom/" like
    "poutine/opa/" for built-in and "include/" for filesystem rules.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    ---------
    
    Co-authored-by: Claude <[email protected]>
    fproulx-boostsecurity and claude authored Oct 9, 2025
    e604ca1
  2. Support --allowed-rules filtering with MCP server (#358)

    * Initial plan
    
    * Implement --allowed-rules filtering support for MCP server
    
    - Apply global allowedRules setting to MCP server default config
    - Add allowed_rules parameter to all MCP tool definitions
    - Update all handler functions to parse and apply allowed_rules parameter
    - Ensure consistent behavior between CLI and MCP server for rule filtering
    
    Co-authored-by: fproulx-boostsecurity <[email protected]>
    
    * Add comprehensive tests for --allowed-rules filtering in MCP server
    
    - Add test cases for analyze_manifest with allowed_rules parameter
    - Verify filtering works correctly with single rule, multiple rules, and non-existent rules
    - Confirm both global flag and per-request parameter functionality
    - All tests pass demonstrating successful implementation
    
    Co-authored-by: fproulx-boostsecurity <[email protected]>
    
    * Fix linting issues: gofmt formatting and testifylint violations
    
    - Remove trailing whitespace in cmd/handle_analyze_manifest_test.go and cmd/mcp_server.go
    - Replace assert.Len(t, ..., 0, ...) with assert.Empty(t, ...) for testifylint compliance
    - All tests still pass and functionality remains intact
    
    Co-authored-by: fproulx-boostsecurity <[email protected]>
    
    * Fix global --allowed-rules flag not being honored by MCP server handlers
    
    - Modify startMCPServer to create mcpDefaultConfig with global allowedRules applied
    - Update all handler functions to accept and use the mcpDefaultConfig instead of global config
    - Add comprehensive test to verify global allowed rules are properly inherited
    - Handlers now properly inherit global --allowed-rules setting when no per-request rules specified
    - CLI and MCP server behavior now consistent for global rule filtering
    
    Co-authored-by: fproulx-boostsecurity <[email protected]>
    
    ---------
    
    Co-authored-by: copilot-swe-agent[bot] <[email protected]>
    Co-authored-by: fproulx-boostsecurity <[email protected]>
    Copilot and fproulx-boostsecurity authored Oct 9, 2025
    c861b1b

Commits on Oct 24, 2025

  1. Add documentation for custom Rego rules (#363)

    Document how to use custom Rego rules with poutine by:
    - Adding a Custom Rules section to README.md with configuration
      instructions and a complete working example
    - Enhancing .poutine.sample.yml with detailed comments and
      examples for the include directive
    
    This addresses user requests for clarification on writing and
    using custom rules at runtime.
    
    Fixes #255
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-authored-by: François Proulx <[email protected]>
    Co-authored-by: Claude <[email protected]>
    3 people authored Oct 24, 2025
    ba025b9

Commits on Oct 27, 2025

  1. 8f3b2fd
  2. Add test coverage for GitHub Actions YAML 1.2 anchor support (#362)

    * Add YAML anchor support test cases and fixtures
    
    - Add comprehensive unit tests for YAML 1.2 anchors in GitHub Actions workflows
    - Add test fixtures demonstrating anchor usage:
      - anchors_env.yml: environment variable reuse
      - anchors_job.yml: complete job configuration reuse
      - anchors_multiple.yml: multiple anchor references
    - Update scanner tests to verify anchor workflows are parsed correctly
    - Update inventory tests to include new dependencies from anchor fixtures
    
    Tests confirm gopkg.in/yaml.v3 already supports YAML anchors.
    Next step: migrate to goccy/go-yaml for better YAML 1.2 compliance
    and active maintenance.
    
    * Fix testifylint: use require.NoError for error assertions
    
    * Address PR review comments: improve anchor test coverage and verify detection rules
    
    - Fix unit tests to actually verify anchors are used and values are inherited
      - "simple anchor and alias" test now verifies both jobs parse correctly
      - "anchor for steps configuration" test now uses the anchor in second job
      - "anchor for env variables" test now verifies both jobs' env vars
      - "complex nested anchor" test now verifies permissions inheritance/override
    
    - Add integration test to ensure detection rules work with YAML anchors
      - Created anchors_with_vulnerability.yml with intentional injection flaw
      - Verified rules detect vulnerabilities in both anchor definition and usage
      - Added expected findings to TestFindings for the new test fixture
    
    All PR feedback from Talgarr has been addressed.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    ---------
    
    Co-authored-by: Claude <[email protected]>
    fproulx-boostsecurity and claude authored Oct 27, 2025
    2ad992e
  3. Document skip configuration for acknowledging findings (#364)

    * Document skip configuration for acknowledging findings
    
    Add "Acknowledging Findings" section to README.md to improve
    discoverability of the existing skip configuration feature.
    This allows users to suppress false positives or accepted risks.
    
    Includes:
    - Use case explanations for when to skip findings
    - Complete documentation of all filter options (job, level, path,
      rule, purl, osv_id)
    - Practical examples showing how to skip by severity level,
      workflow path, and rule name
    
    Fixes #40
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    * Document --skip command-line flag for acknowledging findings
    
    Add documentation for the --skip command-line flag in both the Configuration
    Options section and the Acknowledging Findings section. Clarify that the
    command-line flag only supports skipping rules globally by name, while the
    configuration file supports granular filtering by job, path, level, etc.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    Co-Authored-By: Claude <[email protected]>
    
    ---------
    
    Co-authored-by: François Proulx <[email protected]>
    Co-authored-by: Claude <[email protected]>
    3 people authored Oct 27, 2025
    7bdfec0