feat: add standard-findings scan mode

AGENTS.md

@@ -11,6 +11,64 @@ Warning: Editing project/ directly is a sin against The Way. Do not read or writ
 
 This file provides guidance to AI coding agents when working with code in this repository.
 
+## Git workflow
+
+### Branching (Git Flow)
+
+- `main` — production-ready releases only; never commit directly
+- `develop` — integration branch; merge feature/fix branches here first
+- Feature branches: `feature/<short-description>`
+- Bug fix branches: `fix/<short-description>`
+- Hotfix branches (off `main`): `hotfix/<short-description>`
+
+All pull requests target `develop` unless it is a hotfix, which targets `main` directly. PRs from `develop` → `main` represent a release.
+
+### Commit messages (Semantic Release)
+
+All commits must follow the [Conventional Commits](https://www.conventionalcommits.org/) spec so that `semantic-release` can determine version bumps and generate changelogs automatically.
+
+| Prefix | When to use | Version bump |
+|--------|-------------|--------------|
+| `feat:` | New user-facing feature | minor |
+| `fix:` | Bug fix | patch |
+| `chore:` | Build, tooling, CI, or housekeeping (no production code change) | none |
+| `docs:` | Documentation only | none |
+| `refactor:` | Code restructure with no behaviour change | none |
+| `test:` | Adding or fixing tests | none |
+| `style:` | Formatting, whitespace (no logic change) | none |
+| `perf:` | Performance improvement | patch |
+| `BREAKING CHANGE:` | Footer or `!` suffix — breaking API change | major |
+
+Examples:
+```
+feat: add --mode standard-findings scan mode
+fix: resolve javascript suite packs correctly
+chore: apply black formatting to test_scanner_config
+refactor(tests): update imports to use scanner module directly
+feat!: remove legacy --output flag
+```
+
+Do not include a body or footer beyond what is necessary. Never add a `Co-authored-by` trailer or any attribution to AI tools.
+
+### Pull requests
+
+- Title must follow the same Conventional Commits format as the commit messages above.
+- Do not add `Co-authored-by` lines or any AI attribution in the PR body.
+- Keep the description concise: what changed and why. Include a brief test evidence section (e.g. "All N tests pass").
+- Assign the PR to the appropriate project/milestone if one exists in Kanbus.
+
+### Pre-push checklist
+
+Before pushing a branch or marking a PR ready for review, run the following locally and fix any failures:
+
+```sh
+make fix        # auto-format (black + ruff --fix)
+make check      # verify fmt + lint are clean (CI-equivalent)
+make test       # all tests must pass
+```
+
+CI runs the same checks. A PR with a failing lint or test step will not be merged.
+
 ## Commands
 
 ```sh

README.md

@@ -38,6 +38,7 @@ rcql --lang python,actions  # scan multiple specific languages
 | `--rule` | Comma-separated rule IDs or fnmatch patterns to restrict findings to (e.g. `py/unused-import` or `py/*`) |
 | `--limit N` | Return at most N findings (after `--files`/`--rule` filtering) |
 | `--offset N` | Skip the first N findings before applying `--limit` (for pagination) |
+| `--mode` | Scan mode: `default` (repo-config-driven) or `standard-findings` (full-repo code-quality parity mode) |
 | `--include-third-party` | Include findings from third-party/vendor paths (default output suppresses common dependency noise) |
 | `--config` | Repo config filename to load from repo root (default: `.rcql.json`; pass `--config ''` to disable) |
 | `--keep-db` | Reuse existing databases instead of recreating them |
@@ -48,7 +49,7 @@ Download behavior can be tuned with environment variables:
 `RCQL_DOWNLOAD_TIMEOUT_SECONDS`, `RCQL_DOWNLOAD_RETRY_ATTEMPTS`, and `RCQL_DOWNLOAD_RETRY_SLEEP_SECONDS`.
 
 Report cleanup behavior before scans:
-- with `--lang`, only the matching `<lang>-code-quality.sarif` reports are replaced
+- with `--lang`, only the matching `<lang>-*.sarif` reports are replaced
 - without `--lang`, all prior SARIF reports are cleared first
 - with `--keep-reports`, no reports are deleted
 
@@ -63,7 +64,7 @@ GitHub Actions workflows (`.github/workflows/*.yml` and `.github/workflows/*.yam
 ### Outputs
 
 - Databases: `.codeql/db-<lang>/`
-- SARIF reports: `.codeql/reports/<lang>-code-quality.sarif`
+- SARIF reports: `.codeql/reports/<lang>-<profile>.sarif`
 
 A `.codeql/.gitignore` with `*` is created automatically on first run so these artifacts are not committed.
 
@@ -84,6 +85,12 @@ cd ~/projects/my-repo
 rcql
 ```
 
+### GitHub standard findings parity scan
+
+```sh
+rcql --mode standard-findings
+```
+
 ### Quick re-summary after a previous scan
 
 ```sh
@@ -103,7 +110,7 @@ rcql -q -v --report-only
 Example output:
 
 ```
-[python] SARIF: /path/to/.codeql/reports/python-code-quality.sarif
+[python] SARIF: /path/to/.codeql/reports/python-security-and-quality.sarif
   error: 1
   warning: 2
   Total: 3

project/events/2026-04-03T21:06:26.726Z__4a23074d-cb66-463a-8f18-b040325ffdc5.json

@@ -0,0 +1,18 @@
+{
+  "schema_version": 1,
+  "event_id": "4a23074d-cb66-463a-8f18-b040325ffdc5",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "issue_created",
+  "occurred_at": "2026-04-03T21:06:26.726Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "assignee": null,
+    "description": "Regression: suite resolver builds codeql/javascript-typescript-queries, which does not exist. Must map javascript-typescript language to javascript query pack for analyze suites.",
+    "issue_type": "bug",
+    "labels": [],
+    "parent": "rcql-74ad05e0-14d1-4f81-9cd3-a14ba7b54f28",
+    "priority": 0,
+    "status": "open",
+    "title": "Fix JavaScript pack resolution for suite profile selection"
+  }
+}

project/events/2026-04-03T21:06:29.115Z__abba3e3c-9a54-4fd7-9aba-ce44a6fb9b4a.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "abba3e3c-9a54-4fd7-9aba-ce44a6fb9b4a",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:06:29.115Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "open",
+    "to_status": "in_progress"
+  }
+}

project/events/2026-04-03T21:06:29.125Z__c26b969f-9deb-4dd0-9f8c-cb53d93b754c.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "c26b969f-9deb-4dd0-9f8c-cb53d93b754c",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:06:29.125Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "4478d333-54af-49b9-accb-f6db41e44364"
+  }
+}

project/events/2026-04-03T21:07:19.729Z__ef9bf1d3-1cd7-4a1f-bdc9-e4e7d66ee921.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "ef9bf1d3-1cd7-4a1f-bdc9-e4e7d66ee921",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:07:19.729Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "6aa13306-86c1-426e-aedc-909f454ed84b"
+  }
+}

project/events/2026-04-03T21:07:29.269Z__ed62f988-2473-454d-9f22-6aa2f39ea7d7.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "ed62f988-2473-454d-9f22-6aa2f39ea7d7",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:07:29.269Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "in_progress",
+    "to_status": "closed"
+  }
+}

project/events/2026-04-03T21:07:29.292Z__a7790379-cf95-42f8-9d1c-411681bcc08a.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "a7790379-cf95-42f8-9d1c-411681bcc08a",
+  "issue_id": "rcql-8d005671-fd04-4bbb-9cd8-4869e6971b65",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:07:29.292Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "f2594d29-0c1c-4e26-8375-860938f7d12d"
+  }
+}

project/events/2026-04-03T21:09:09.668Z__7a7562d2-a41a-4c65-aca2-ca7c545c8740.json

@@ -0,0 +1,18 @@
+{
+  "schema_version": 1,
+  "event_id": "7a7562d2-a41a-4c65-aca2-ca7c545c8740",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "issue_created",
+  "occurred_at": "2026-04-03T21:09:09.668Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "assignee": null,
+    "description": "Use profile-aware SARIF filenames (<lang>-<profile>.sarif) and update report-only and cleanup logic to handle security-and-quality/code-quality reports accurately.",
+    "issue_type": "bug",
+    "labels": [],
+    "parent": "rcql-74ad05e0-14d1-4f81-9cd3-a14ba7b54f28",
+    "priority": 1,
+    "status": "open",
+    "title": "Make SARIF filenames match resolved suite profile"
+  }
+}

project/events/2026-04-03T21:09:12.034Z__700e7105-72ac-49bf-bbaf-858da40f2070.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "700e7105-72ac-49bf-bbaf-858da40f2070",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:09:12.034Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "open",
+    "to_status": "in_progress"
+  }
+}

project/events/2026-04-03T21:09:12.045Z__4cdbf025-c2aa-4230-b1d4-c08672ce1a4f.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "4cdbf025-c2aa-4230-b1d4-c08672ce1a4f",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:09:12.045Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "8e91c39b-e2b0-42ad-8699-05c28a9fbfab"
+  }
+}

project/events/2026-04-03T21:10:45.276Z__c4cfb0c2-5679-4618-bb21-ed9551c3dc6d.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "c4cfb0c2-5679-4618-bb21-ed9551c3dc6d",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:10:45.276Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "28b8189b-15ae-4cc4-a7ad-5caa343e23d0"
+  }
+}

project/events/2026-04-03T21:10:54.173Z__55cae246-378f-4c46-9e80-e594ab163d25.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "55cae246-378f-4c46-9e80-e594ab163d25",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:10:54.173Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "in_progress",
+    "to_status": "closed"
+  }
+}

project/events/2026-04-03T21:10:54.184Z__8fac6e1c-fbbe-4ecd-95bd-c0a9c999c658.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "8fac6e1c-fbbe-4ecd-95bd-c0a9c999c658",
+  "issue_id": "rcql-4e41eaf2-d917-409e-a462-3e3ac0830a79",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:10:54.184Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "fab97d77-8497-4ab6-9070-02a3505c0782"
+  }
+}

project/events/2026-04-03T21:20:54.041Z__de5faea0-875e-4b20-9c7b-1355fe7ba698.json

@@ -0,0 +1,18 @@
+{
+  "schema_version": 1,
+  "event_id": "de5faea0-875e-4b20-9c7b-1355fe7ba698",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "issue_created",
+  "occurred_at": "2026-04-03T21:20:54.041Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "assignee": null,
+    "description": "Introduce a scan mode that runs full-repo code-quality analysis (ignoring codescanning config path restrictions) to approximate GitHub Security & quality Standard findings counts.",
+    "issue_type": "bug",
+    "labels": [],
+    "parent": "rcql-74ad05e0-14d1-4f81-9cd3-a14ba7b54f28",
+    "priority": 1,
+    "status": "open",
+    "title": "Add full-quality mode to mirror GitHub Standard findings"
+  }
+}

project/events/2026-04-03T21:20:57.603Z__8dfea089-18a4-499d-8ccc-bffa0b4022a9.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "8dfea089-18a4-499d-8ccc-bffa0b4022a9",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:20:57.603Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "open",
+    "to_status": "in_progress"
+  }
+}

project/events/2026-04-03T21:20:57.613Z__d4b1781f-09a0-400b-917f-ed298d7892a5.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "d4b1781f-09a0-400b-917f-ed298d7892a5",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:20:57.613Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "465f03a2-c93d-464e-8a1f-efc65f38431f"
+  }
+}

project/events/2026-04-03T21:22:56.699Z__15b091d4-3746-45ea-be82-3154749bf129.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "15b091d4-3746-45ea-be82-3154749bf129",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:22:56.699Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "915c80c7-bd59-47eb-ae32-d3c7dcafd9f9"
+  }
+}

project/events/2026-04-03T21:23:08.340Z__427b927c-1308-4f3f-912a-4ca4ece878bb.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "427b927c-1308-4f3f-912a-4ca4ece878bb",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "state_transition",
+  "occurred_at": "2026-04-03T21:23:08.340Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "from_status": "in_progress",
+    "to_status": "closed"
+  }
+}

project/events/2026-04-03T21:23:08.352Z__d24a9c10-e8e7-4453-8408-d0eea5630de2.json

@@ -0,0 +1,12 @@
+{
+  "schema_version": 1,
+  "event_id": "d24a9c10-e8e7-4453-8408-d0eea5630de2",
+  "issue_id": "rcql-813e9f03-4501-4e7f-aff3-da97cd62f79c",
+  "event_type": "comment_added",
+  "occurred_at": "2026-04-03T21:23:08.352Z",
+  "actor_id": "derek.norrbom",
+  "payload": {
+    "comment_author": "derek.norrbom",
+    "comment_id": "46fca8ca-8824-41cb-acd6-0ccc0f7fcaf6"
+  }
+}