fix(cli): diff-aware mode must not fall back to full scan on empty diff

[shivasurya]

Summary

A delete-only PR was dumping every full-repo finding instead of the expected zero. Surfaced as 207 findings on #693, which only deletes one YAML workflow file. Compare with #692 — same shape (single YAML change) but an addition — which correctly returned 0 findings.

Two paired bugs:

1. diff/git_provider.go ran git diff --name-only --diff-filter=ACMR, excluding deletions. A delete-only PR therefore produced changedFiles=[].
2. cmd/ci.go guarded the filter with diffEnabled && len(changedFiles) > 0. When the list was empty, the filter was skipped entirely and ALL full-scan findings were returned. The same guard was on the filesScanned count, so the JSON also claimed the whole repo was scanned.

Fix

• ACMR → ACMRD. Deletions show up in changedFiles. A delete-only PR now returns the deleted path, distinguishing it from a genuinely empty PR.
• Drop the len(changedFiles) > 0 guard at both call sites in cmd/ci.go. If diff-aware is requested, honour it: an empty intersection returns zero findings, not "full repo." The two states (diff-aware on, nothing matched vs diff-aware off, scan everything) must stay separable.

Test plan

• Updated TestGitDiffProvider_DeletedFileExcluded → TestGitDiffProvider_DeletedFileIncluded. The contract change is named in the test.
• New TestGitDiffProvider_DeletionOnlyPR covering the exact PR chore(ci): remove self-scan workflow, superseded by hosted scanner #693 shape (one workflow file deleted, nothing else).
• go test ./diff/... ./cmd/... passes.
• go vet, golangci-lint: clean.
• Coverage on diff package: 91.5% (GetChangedFiles 100%, diffFiles 72.7% — unchanged baseline; error-path branches are timeout-only).
• End-to-end: deploying the rebuilt scanner image to the production runner immediately after opening this PR. Will re-trigger the PR chore(ci): remove self-scan workflow, superseded by hosted scanner #693 scan and confirm it now returns 0 findings.

Docs

CLAUDE.md gains a Diff-Aware Scanning section documenting the new contract — including the explicit "do not reintroduce the full-scan fallback" rule — so this regression can't sneak back in.

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	4
Rules	205

---

_{Powered by Code Pathfinder}

[code-pathfinder]

Pathfinder Report

✅ No security findings on the changed files. This pull request is clean.

View report on the dashboard

---

Powered by Code Pathfinder.

[codecov]

Codecov Report

❌ Patch coverage is 77.27273% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.54%. Comparing base (8a39ca7) to head (810f8d0).

Files with missing lines	Patch %	Lines
sast-engine/cmd/scan.go	0.00%	4 Missing ⚠️
sast-engine/cmd/ci.go	88.88%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #712      +/-   ##
==========================================
+ Coverage   85.52%   85.54%   +0.02%     
==========================================
  Files         190      191       +1     
  Lines       27467    27467              
==========================================
+ Hits        23492    23498       +6     
+ Misses       3083     3079       -4     
+ Partials      892      890       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.