assemble-lib-rules

SKILL.md

Skill: Assemble Lib Rules

The per-package passes author source and sink lib rules but never pair them across packages. With every created lib rule and the whole built-in set in front of you, write the security joins — one per vuln class, each merging the created rules with the built-ins, mirroring the built-in security rules. These joins are verified by the main scan, not by a test project.

Inputs

Inputs come from the caller; if omitted, fall back to the default. Ask only when a required input is missing and has no sensible default.

  • Lib units <lib-units> — the per-package lib tracking files (rules/lib/<package-kebab>.yaml) with the created source/sink rule_ids and their vuln classes. Default: .opentaint/tracking/rules/lib/
  • Rules directory <rules-dir> — where the security joins are written. Default: .opentaint/rules
  • Tracking directory <tracking-dir> — where the join records are written. Default: .opentaint/tracking

Built-in rules are available via opentaint health --rules.

Workflow

1. Read the created lib rules and the built-ins

Read every per-package lib unit in <lib-units> (the source/sink rule_ids that create-rule wrote; sinks carry their vuln_class) and the built-in source/sink lib rules (opentaint health --rules). Collect every source rule (built-in and created) and every sink rule, grouped by vuln class.
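The collection and pairing step above, as an added example that is not opentaint's own code. The lib-unit and built-in rule schemas (package, rules, rule_id, kind, vuln_class), the join layout and the join_id naming are assumptions; the input data is constructed inline so the script runs offline. A sink that carries no vuln_class is reported rather than silently dropped, since it can never land in a join.

```python
"""Assemble one security join per vuln class from the created lib rules
plus the built-in set. Added example; every schema here is an assumption."""
from collections import defaultdict

# Constructed lib units, as if already parsed from
# .opentaint/tracking/rules/lib/<package-kebab>.yaml (schema assumed).
CREATED_UNITS = [
    {"package": "flask", "rules": [
        {"rule_id": "flask-request-args", "kind": "source"},
        {"rule_id": "flask-render-template-string", "kind": "sink",
         "vuln_class": "ssti"},
    ]},
    {"package": "psycopg2", "rules": [
        {"rule_id": "psycopg2-cursor-execute", "kind": "sink",
         "vuln_class": "sqli"},
        {"rule_id": "psycopg2-bad-sink", "kind": "sink"},  # no vuln_class: unjoinable
    ]},
]

# Constructed stand-in for the output of `opentaint health --rules` (schema assumed).
BUILTIN_RULES = [
    {"rule_id": "builtin-os-environ", "kind": "source"},
    {"rule_id": "builtin-sqlite3-execute", "kind": "sink", "vuln_class": "sqli"},
    {"rule_id": "builtin-subprocess-call", "kind": "sink", "vuln_class": "cmdi"},
]


def collect(units, builtins):
    """Return (sources, sinks_by_class, skipped). Each rule_id maps to its
    origin ("builtin" or "created:<package>") so join records can say
    which side each rule came from."""
    sources = {}
    sinks_by_class = defaultdict(dict)
    skipped = []

    def take(rule, origin):
        rid = rule["rule_id"]
        if rule.get("kind") == "source":
            sources.setdefault(rid, origin)
        elif rule.get("kind") == "sink":
            vuln_class = rule.get("vuln_class")
            if not vuln_class:
                skipped.append(rid)  # cannot be paired with any source
                return
            sinks_by_class[vuln_class].setdefault(rid, origin)

    for rule in builtins:
        take(rule, "builtin")
    for unit in units:
        for rule in unit["rules"]:
            take(rule, f"created:{unit['package']}")
    return sources, dict(sinks_by_class), skipped


def assemble_joins(units, builtins):
    """One join per vuln class: every source (built-in and created) paired
    with every sink of that class, mirroring the built-in security rules."""
    sources, sinks_by_class, skipped = collect(units, builtins)
    joins = []
    for vuln_class in sorted(sinks_by_class):
        sinks = sinks_by_class[vuln_class]
        members = list(sources.items()) + list(sinks.items())
        joins.append({
            "join_id": f"security-{vuln_class}",  # naming assumed
            "vuln_class": vuln_class,
            "sources": sorted(sources),
            "sinks": sorted(sinks),
            # the created rules this join merges into the built-ins
            "created_rules": sorted(r for r, o in members if o.startswith("created:")),
        })
    return joins, skipped


def render_join(join):
    """Render a join as YAML text by hand (no PyYAML needed; layout assumed)."""
    lines = [f"join_id: {join['join_id']}", f"vuln_class: {join['vuln_class']}"]
    for key in ("sources", "sinks", "created_rules"):
        lines.append(f"{key}:")
        lines.extend(f"  - {rid}" for rid in join[key])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    joins, skipped = assemble_joins(CREATED_UNITS, BUILTIN_RULES)
    for join in joins:
        print(render_join(join))
    if skipped:
        print("sinks without vuln_class (not joined):", ", ".join(skipped))
```

On the constructed input this yields three joins (cmdi, sqli, ssti); the sqli join merges the created psycopg2 sink with the built-in sqlite3 sink, and both joins see the created flask source next to the built-in one. Writing each rendered join to <rules-dir> and the record of created rules to <tracking-dir> is left to the caller.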

Installs: 5
Repository: seqra/opentaint
GitHub Stars: 73
First Seen: 2 days ago