Code & supply chain
Static code analysis (project rules)
Project-specific Semgrep rules tied to past audit findings, run nightly.
Awaiting first run
Source: Continuous integration
What this check means
In addition to the community Semgrep ruleset (above), we maintain a small pack of bespoke rules under tools/semgrep-rules/. Each rule fires on a pattern from a real past audit finding and starts at zero matches on main, so any future hit is a real regression. The pack runs alongside the community scan so a regression in project-specific rules surfaces here without getting lost in community-rule noise.
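As an added illustration, not the project's own tooling: the gate below reads a Semgrep JSON report, keeps only hits that come from the bespoke pack, and returns a failing exit status on any match, since the pack's baseline is zero. It assumes Semgrep prefixes rule ids from a local config directory with its dotted path (`tools.semgrep-rules.<file>.<rule-id>`), and the sample report is constructed.

```python
"""Gate for the bespoke Semgrep pack: any hit from tools/semgrep-rules/ is a regression."""
import json
import sys
from collections import defaultdict

# Assumption: Semgrep derives check_id from the config path, so rules in
# tools/semgrep-rules/<file>.yaml surface as "tools.semgrep-rules.<file>.<rule-id>".
PROJECT_RULE_PREFIX = "tools.semgrep-rules."


def project_rule_regressions(report, prefix=PROJECT_RULE_PREFIX):
    """Return {check_id: [(path, line, message), ...]} for project-pack hits only.

    Findings from the community ruleset in the same report are skipped so a
    bespoke-rule regression is reported on its own instead of in the community noise.
    """
    hits = defaultdict(list)
    for result in report.get("results", []):
        check_id = result["check_id"]
        if not check_id.startswith(prefix):
            continue  # community or other rule: belongs to the other check
        hits[check_id].append(
            (result["path"], result["start"]["line"], result["extra"]["message"])
        )
    return dict(hits)


def gate(report):
    """CI exit status: 0 when the pack is clean, 1 on any regression."""
    regressions = project_rule_regressions(report)
    for check_id, locations in sorted(regressions.items()):
        for path, line, message in locations:
            print(f"REGRESSION {check_id} {path}:{line} {message}")
    return 1 if regressions else 0


# Constructed sample of `semgrep --json` output: one community hit, one project-pack hit.
SAMPLE_REPORT = json.loads("""{"results": [
  {"check_id": "python.lang.security.audit.subprocess-shell-true",
   "path": "app/run.py", "start": {"line": 12},
   "extra": {"message": "shell=True", "severity": "WARNING"}},
  {"check_id": "tools.semgrep-rules.example-finding.example-rule",
   "path": "app/db.py", "start": {"line": 40},
   "extra": {"message": "placeholder pattern", "severity": "ERROR"}}
], "errors": []}""")

if __name__ == "__main__":
    # Usage: python gate.py semgrep-report.json   (falls back to the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```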
Need additional detail (sanitised report, supporting evidence)? security@theartofcto.com