feat: ratcheting mode for CI adoption on codebases with existing vulnerabilities#598

Merged: sonukapoor merged 8 commits into main from feature/issue-585-ratcheting on Jun 9, 2026
Conversation

@sonukapoor (Collaborator)
When adopting CVE Lite CLI as a hard CI gate, teams with existing vulnerability debt face an immediate problem: --fail-on blocks every PR until all pre-existing issues are cleared, which is rarely realistic. Ratcheting solves this by letting teams accept the current state and only fail on new findings introduced above that baseline.

How it works

Run once to establish the baseline:

cve-lite . --ratchet

This creates .cve-lite/baseline.json with all current findings and exits 0. Commit the file.

From that point, every scan automatically applies the baseline - no flag needed in CI:

cve-lite . --fail-on high

Pre-existing findings are suppressed. Only new findings trigger failure.

To reset after fixing vulnerabilities, delete .cve-lite/baseline.json and run --ratchet again.

Output

When the baseline is active and all findings are known:

No new findings above baseline - 7 existing findings suppressed

When new findings are detected:

3 new findings above baseline - 7 existing findings suppressed

What changed

  • src/utils/baseline.ts - new utility: readBaseline, writeBaseline, filterNewFindings
  • src/types.ts - BaselineEntry, Baseline types; ratchet?: boolean on ParsedOptions
  • src/cli/args.ts - --ratchet flag parsing
  • src/cli/help.ts - help text
  • src/index.ts - baseline auto-load and filtering integrated into scan pipeline
  • tests/baseline.test.ts - 8 unit tests for baseline utilities
  • examples/readme.md - ratcheting usage note

Closes #585
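As an added illustration of the baseline flow the description outlines (example code, not part of this PR or the cve-lite project), written in TypeScript because the project's utilities are. The finding shape, the fingerprint used to match a finding against the baseline, the severity ranking and the sample advisory ids are all assumptions.

```typescript
// Added example, not the project's own code: a ratchet baseline filter in the
// spirit of src/utils/baseline.ts. Finding shape and fingerprint are assumptions.
type Severity = "low" | "moderate" | "high" | "critical";
const RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };
export interface Finding { id: string; pkg: string; version: string; severity: Severity }
export interface Baseline { created: string; findings: { key: string; severity: Severity }[] }
// Assumed fingerprint: same advisory against the same installed package version, so a
// version bump re-surfaces the advisory as new instead of hiding under the baseline.
export function fingerprint(f: Finding): string {
  return `${f.id}|${f.pkg}@${f.version}`;
}
export function createBaseline(findings: Finding[], now = new Date()): Baseline {
  const entries = findings.map(f => ({ key: fingerprint(f), severity: f.severity }));
  return { created: now.toISOString(), findings: entries };
}

// Parse the committed baseline.json; a malformed file is an error, not an empty
// (and therefore over-permissive) baseline.
export function parseBaseline(json: string): Baseline {
  const parsed = JSON.parse(json) as Partial<Baseline>;
  if (!Array.isArray(parsed.findings)) throw new Error("baseline.json: findings[] missing");
  return { created: String(parsed.created ?? ""), findings: parsed.findings };
}

export function filterNewFindings(findings: Finding[], baseline: Baseline) {
  const known = new Set(baseline.findings.map(e => e.key));
  const fresh = findings.filter(f => !known.has(fingerprint(f)));
  return { fresh, suppressed: findings.length - fresh.length };
}

// Mirrors the PR's output lines; the --fail-on gate then applies to fresh findings only.
export function summarize(fresh: Finding[], suppressed: number): string {
  const head = fresh.length === 0 ? "No new findings" : `${fresh.length} new findings`;
  return `${head} above baseline - ${suppressed} existing findings suppressed`;
}
export function shouldFail(fresh: Finding[], failOn: Severity): boolean {
  return fresh.some(f => RANK[f.severity] >= RANK[failOn]);
}
// Constructed sample: baseline of two findings, then a scan where minimist was
// upgraded (new fingerprint) and a brand-new critical advisory appeared.
export const BASELINE_SCAN: Finding[] = [
  { id: "GHSA-example-0001", pkg: "left-pad", version: "1.0.0", severity: "high" },
  { id: "GHSA-example-0002", pkg: "minimist", version: "0.0.8", severity: "moderate" },
];
export const LATER_SCAN: Finding[] = [
  BASELINE_SCAN[0],
  { id: "GHSA-example-0002", pkg: "minimist", version: "1.2.5", severity: "moderate" },
  { id: "GHSA-example-0003", pkg: "lodash", version: "4.17.15", severity: "critical" },
];
```

Note the trade-off in the fingerprint: keying on the installed version means a dependency bump re-surfaces a still-open advisory as new, which is the conservative choice for a CI gate.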

@sonukapoor sonukapoor merged commit de0f760 into main Jun 9, 2026
6 checks passed
@sonukapoor sonukapoor deleted the feature/issue-585-ratcheting branch June 9, 2026 12:42