
feat(rules): add S3 multipart upload abort check #50

Merged
dannysteenman merged 1 commit into main from codex/s3-multipart-abort-check
Mar 27, 2026

Conversation

@axonstone
Contributor

Summary

  • What changed?
    Added a new S3 rule that flags buckets missing an enabled lifecycle rule to abort incomplete multipart uploads within 7 days for both IaC and discovery scans.
    Extended the shared S3 analysis dataset so static and live S3 evaluation can detect multipart-abort lifecycle behavior, then updated docs, rule metadata, scanner expectations, and changesets.
  • Why was this needed?
    CloudBurn already checked for general lifecycle management and storage-class optimization, but it did not cover the common cost-control check for incomplete multipart uploads that continue consuming storage.

Diagram

flowchart LR
  A["S3 bucket lifecycle config"] --> B["Shared S3 analysis flags"]
  B --> C["IaC rule evaluation"]
  B --> D["Discovery rule evaluation"]
  C --> E["CLDBRN-AWS-S3-3 finding"]
  D --> E

Scope

  • cloudburn (cli)
  • @cloudburn/sdk
  • @cloudburn/rules
  • docs/community files

Release Notes

  • Added a .changeset/*.md file for published package changes
  • No published package changes in this PR

Verification

  • pnpm lint
  • pnpm typecheck
  • pnpm test
  • pnpm build
  • pnpm verify

Boundary Checks

  • No engine/parser/provider logic added to @cloudburn/rules
  • CLI delegates scan logic to SDK
  • README/CONTRIBUTING/docs updated when behavior changed
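As an added example, not CloudBurn's own code: one way the check described in the PR summary could be implemented in TypeScript. It normalizes two input shapes, the S3 GetBucketLifecycleConfiguration response a discovery scan would see and the rule blocks of a Terraform plan's aws_s3_bucket_lifecycle_configuration resource an IaC scan would see, into one set of shared flags, then evaluates the 7-day abort requirement once, mirroring the diagram above. The rule ID CLDBRN-AWS-S3-3 comes from the PR; the type names, function names and sample inputs are assumptions.

```typescript
// Added example (not CloudBurn's own code). Rule ID from the PR; everything
// else (types, function names, sample data) is an assumption for illustration.

const RULE_ID = "CLDBRN-AWS-S3-3";
const MAX_ABORT_DAYS = 7;

// Shape of Rules[] in an S3 GetBucketLifecycleConfiguration response (discovery scan).
interface ApiLifecycleRule {
  Status: "Enabled" | "Disabled";
  AbortIncompleteMultipartUpload?: { DaysAfterInitiation: number };
}

// Shape of rule blocks in Terraform plan JSON for aws_s3_bucket_lifecycle_configuration
// (IaC scan): snake_case keys, nested blocks serialized as arrays.
interface TfLifecycleRule {
  status: string;
  abort_incomplete_multipart_upload?: Array<{ days_after_initiation: number }>;
}

// Shared analysis flags: computed once, consumed by both rule evaluations.
interface S3AnalysisFlags {
  hasLifecycleConfig: boolean;
  // Smallest DaysAfterInitiation among *enabled* rules, or null if no enabled
  // rule aborts incomplete multipart uploads at all.
  multipartAbortDays: number | null;
}

interface Finding {
  ruleId: string;
  resource: string;
  message: string;
}

function analyzeApiLifecycle(rules: ApiLifecycleRule[] | undefined): S3AnalysisFlags {
  if (!rules || rules.length === 0) {
    return { hasLifecycleConfig: false, multipartAbortDays: null };
  }
  let best: number | null = null;
  for (const rule of rules) {
    const days = rule.AbortIncompleteMultipartUpload?.DaysAfterInitiation;
    // A disabled rule does nothing, so it must not satisfy the check.
    if (rule.Status === "Enabled" && typeof days === "number") {
      best = best === null ? days : Math.min(best, days);
    }
  }
  return { hasLifecycleConfig: true, multipartAbortDays: best };
}

// Normalize the Terraform shape into the API shape so both scan modes share one analysis.
function analyzeTerraformLifecycle(rules: TfLifecycleRule[] | undefined): S3AnalysisFlags {
  const normalized: ApiLifecycleRule[] | undefined = rules?.map((rule) => {
    const block = rule.abort_incomplete_multipart_upload?.[0];
    return {
      Status: rule.status === "Enabled" ? "Enabled" : "Disabled",
      AbortIncompleteMultipartUpload: block
        ? { DaysAfterInitiation: block.days_after_initiation }
        : undefined,
    };
  });
  return analyzeApiLifecycle(normalized);
}

// Passes only if an enabled rule aborts incomplete uploads within 1..7 days
// (AWS requires DaysAfterInitiation >= 1, so 0 or negative values are treated as misconfigured).
function evaluateMultipartAbort(resource: string, flags: S3AnalysisFlags): Finding | null {
  const days = flags.multipartAbortDays;
  if (days !== null && days >= 1 && days <= MAX_ABORT_DAYS) return null;
  const why = !flags.hasLifecycleConfig
    ? "no lifecycle configuration"
    : days === null
      ? "no enabled lifecycle rule aborts incomplete multipart uploads"
      : `abort window is ${days} days (required: 1..${MAX_ABORT_DAYS})`;
  return { ruleId: RULE_ID, resource, message: `Bucket ${resource}: ${why}` };
}

// Constructed sample inputs (not real buckets or templates).
const liveOk: ApiLifecycleRule[] = [
  { Status: "Enabled", AbortIncompleteMultipartUpload: { DaysAfterInitiation: 7 } },
];
const liveDisabled: ApiLifecycleRule[] = [
  { Status: "Disabled", AbortIncompleteMultipartUpload: { DaysAfterInitiation: 3 } },
];
const tfTooLong: TfLifecycleRule[] = [
  { status: "Enabled", abort_incomplete_multipart_upload: [{ days_after_initiation: 30 }] },
];

function runSamples(): Finding[] {
  const results = [
    evaluateMultipartAbort("live-ok", analyzeApiLifecycle(liveOk)),
    evaluateMultipartAbort("live-disabled", analyzeApiLifecycle(liveDisabled)),
    evaluateMultipartAbort("tf-too-long", analyzeTerraformLifecycle(tfTooLong)),
    evaluateMultipartAbort("no-config", analyzeApiLifecycle(undefined)),
  ];
  return results.filter((f): f is Finding => f !== null);
}

for (const finding of runSamples()) {
  console.log(`${finding.ruleId} ${finding.message}`);
}
```

Two caveats a practitioner would want to know about this example: the PR description does not say whether a rule scoped to a prefix or tag filter counts, and this example takes the optimistic reading that any enabled abort rule satisfies the check; and a disabled rule that would otherwise pass is deliberately ignored, since the PR text requires the rule to be enabled.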

@axonstone axonstone added the enhancement New feature or request label Mar 26, 2026
@axonstone axonstone requested a review from dannysteenman March 26, 2026 12:05
Contributor

@devin-ai-integration devin-ai-integration bot left a comment


Devin Review found 1 new potential issue.

⚠️ 1 issue in files not directly in the diff

⚠️ README advertises "Custom rule support" as a shipping feature when it is not implemented (README.md:27)

The new README lists "Custom rule support, so you can bolt your own policies onto the same engine" as a current feature, but the codebase has multiple TODO markers confirming custom rule loading is unimplemented:

TODO markers proving custom rules are unimplemented
  • packages/cloudburn/src/commands/scan.ts:31: // TODO(cloudburn): support profile, severity filtering, and custom rules path options.
  • packages/sdk/src/engine/registry.ts:5: // TODO(cloudburn): include custom rule loading once the SDK supports custom modules.
  • packages/cloudburn/src/commands/rules-list.ts:7: // TODO(cloudburn): include configured custom rule discovery when the SDK registry supports it.
  • packages/rules/src/index.ts:2: // TODO(cloudburn): publish stable docs for custom rule pack authoring.

The linked guide (docs/guides/adding-a-rule.md) is about contributing built-in rules to the @cloudburn/rules package source, not about loading external custom rules at runtime. docs/REVIEW.md:89 explicitly states: "customRules is still not implemented. That gap is intentional." Advertising this to users as a feature is misleading.

View 3 additional findings in Devin Review.


@axonstone
Contributor Author

roborev: Combined Review (e88d626)

Verdict: No High or Critical findings.

Security review found no issues, and the remaining feedback was limited to Medium/Low severity only.


Synthesized from 4 reviews (agents: claude-code, codex | types: default, security)

@axonstone
Contributor Author

Re: comment 4134144177

No action needed: this combined review reported no unresolved findings to address.

@dannysteenman dannysteenman merged commit e9b3176 into main Mar 27, 2026
7 checks passed
@dannysteenman dannysteenman deleted the codex/s3-multipart-abort-check branch March 27, 2026 15:52
@github-actions github-actions bot mentioned this pull request Mar 27, 2026