P1: Add baseline/grandfather mode for enterprise adoption

[EffortlessSteven]

Problem

Diffguard has no baseline mode. Teams with existing codebases cannot adopt without immediately failing on all pre-existing violations. This is the #1 enterprise adoption blocker.

Impact

• Teams cannot adopt diffguard on repos with any existing violations
• Forces teams to either ignore all violations or fix everything before adopting
• Uncompetitive with tools that support baseline comparison

Proposed design

Add --baseline flag to check command:
diffguard check --base main --baseline previous-receipt.json

When --baseline is provided:

1. Run checks normally
2. Compare findings against baseline receipt fingerprint
3. Exit code 0 if only pre-existing violations found
4. Exit code 2 if NEW violations found (only new violations in output)
5. Optional: --report-mode=new-only to ONLY report new findings

Acceptance Criteria

• --baseline flag accepts path to previous receipt JSON
• Only NEW findings trigger failure
• Output clearly distinguishes new vs existing violations
• Tests cover: no baseline, baseline with no new findings, baseline with new findings
• Snapshots cover the new output modes

[EffortlessSteven]

Research Analysis Complete

I analyzed this issue and the codebase to understand the requirements for the baseline/grandfather mode feature.

Key Findings

1. The existing infrastructure can be largely reused:

   • fingerprint_for_finding() in diffguard-analytics computes SHA-256 fingerprints
   • baseline_from_receipt() already exists for converting receipts to baselines
   • The fingerprint format is rule_id:path:line:match_text (SHA-256)

2. Baseline mode is different from false-positive baseline:

   • --false-positive-baseline suppresses known false positives (they don't appear in output)
   • --baseline (new) is grandfather mode - shows all findings but only fails on NEW violations

3. Implementation approach:

   • Post-processing step in CLI layer (main.rs), not in core engine
   • Core run_check() remains unchanged - runs checks normally
   • Baseline comparison happens after check completes
   • Requires: new --baseline flag (path to receipt JSON) and --report-mode flag

4. Exit codes:

   • 0 if only pre-existing violations found
   • 2 if NEW violations found

Files to Modify

• crates/diffguard/src/main.rs - CLI flags and baseline comparison logic
• crates/diffguard/src/render.rs (or new) - annotate findings as baseline vs new
• crates/diffguard/tests/ - integration and snapshot tests

Risks

• Fingerprint algorithm changes could break baseline comparisons silently
• Schema version mismatches when loading old receipts
• Exit code behavior might confuse users expecting different fail_on behavior

See the full analysis in the work artifacts.

[EffortlessSteven]

Conveyor: Entering INTEGRATED
2026-04-08 19:55 UTC

Pipeline advancing to gate INTEGRATED.

Agents to dispatch:

• wisdom-agent
• changelog-docs-agent
• merge-agent

[EffortlessSteven]

Conveyor: INTEGRATED — wisdom-agent completed
2026-04-08 19:55 UTC

Agent has finished its work. Artifacts recorded. Moving to next step.

[EffortlessSteven]

Conveyor: INTEGRATED — changelog-docs-agent completed
2026-04-08 19:55 UTC

Agent has finished its work. Artifacts recorded. Moving to next step.

[EffortlessSteven]

Conveyor: INTEGRATED — merge-agent completed
2026-04-08 19:55 UTC

Agent has finished its work. Artifacts recorded. Moving to next step.

[EffortlessSteven]

Conveyor: Gate Advance
2026-04-08 19:55 UTC

Gate INTEGRATED complete → pipeline done

Completed agents:

• security-review-agent ✓
• cleanup-agent ✓
• code-quality-agent ✓
• dependency-audit-agent ✓
• refactor-agent ✓
• ci-pr-agent ✓
• deep-review-agent ✓
• pr-maintainer-vision-agent ✓
• wisdom-agent ✓
• changelog-docs-agent ✓
• merge-agent ✓