defense-in-depth: add runtime duplicate rule-name check in Engine::new_with_anchor_policy #231

@coderabbitai

Description

Summary

Add a HashSet-based duplicate rule-name check in Engine::new_with_anchor_policy (and optionally load_rules_from_content) as a defense-in-depth measure against rule-name collisions.

Background

derive_rule_name_fingerprint in crates/scanner-engine/src/engine/core.rs hashes only the rule name via BLAKE3 derive-key with domain "gossip/rule/v1". Two distinct rules with the same name would produce the same RuleFingerprint, collapsing persisted finding identity for the same (tenant, item, secret).

Currently, rule-name uniqueness is enforced by convention: the 223 builtin rules in default_rules.yaml have unique names (verified), and the YAML file is deterministic. There is no runtime uniqueness check.

This was flagged in PR #230 (comment: #230 (comment)) and deferred as a follow-up.

Proposed fix

In Engine::new_with_anchor_policy, before or during rule compilation, collect rule names into a HashSet<&str> and panic (or return an error) if a duplicate is detected.

```rust
// Fail fast at engine construction if two rules share a name; otherwise they
// would share a RuleFingerprint and their findings would collapse into one.
let mut seen_names: std::collections::HashSet<&str> =
    std::collections::HashSet::with_capacity(rules.len());
for r in &rules {
    // insert() returns false when the name was already present.
    assert!(seen_names.insert(r.name), "duplicate rule name: {:?}", r.name);
}
```

The same check should be considered for load_rules_from_content if it constructs rules independently.
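Added example (not code from the issue or the scanner-engine crate): a stand-alone version of the proposed check that reports which name collided and where, next to a name-only fingerprint stand-in that shows why a collision matters. The `Rule` struct, the `name_only_fingerprint` helper (std `DefaultHasher` instead of BLAKE3 derive-key) and the sample rules are assumptions constructed for the example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Assumed minimal rule shape for this example; not the engine's real type.
#[derive(Debug, Clone)]
pub struct Rule {
    pub name: String,
    pub pattern: String,
}

/// Stand-in for derive_rule_name_fingerprint: like the real function it hashes
/// only the name under the "gossip/rule/v1" domain, so two rules that differ
/// only in pattern still fingerprint identically. Uses std's DefaultHasher
/// instead of BLAKE3 to stay dependency-free.
pub fn name_only_fingerprint(rule: &Rule) -> u64 {
    let mut h = DefaultHasher::new();
    "gossip/rule/v1".hash(&mut h);
    rule.name.hash(&mut h);
    h.finish()
}

/// Defense-in-depth check: Ok(()) if every rule name is unique, otherwise
/// Err((name, index_of_first_definition, index_of_duplicate)) so the caller
/// can report exactly which entries collide instead of just panicking.
pub fn check_unique_rule_names(rules: &[Rule]) -> Result<(), (String, usize, usize)> {
    let mut seen: HashMap<&str, usize> = HashMap::with_capacity(rules.len());
    for (i, r) in rules.iter().enumerate() {
        if let Some(&first) = seen.get(r.name.as_str()) {
            return Err((r.name.clone(), first, i));
        }
        seen.insert(r.name.as_str(), i);
    }
    Ok(())
}

fn main() {
    // Constructed sample rules: the third reuses the first rule's name.
    let rules = vec![
        Rule { name: "aws-access-key".into(), pattern: "AKIA[0-9A-Z]{16}".into() },
        Rule { name: "github-token".into(), pattern: "ghp_[0-9a-zA-Z]{36}".into() },
        Rule { name: "aws-access-key".into(), pattern: "ASIA[0-9A-Z]{16}".into() },
    ];
    // Distinct rules, identical fingerprint: this is the collapse the check prevents.
    println!("fingerprints equal: {}",
        name_only_fingerprint(&rules[0]) == name_only_fingerprint(&rules[2]));
    match check_unique_rule_names(&rules) {
        Ok(()) => println!("all rule names unique"),
        Err((name, a, b)) => println!("duplicate rule name {:?} at {} and {}", name, a, b),
    }
}
```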
