feat(report): add baseline, provenance, and runtime context #977

Open
ben-ranford wants to merge 1 commit into main from feat/issues-493-494-497-499-500-baseline-provenance-context

@ben-ranford
Owner

Issue

Bundle the baseline, provenance, and runtime context changes for issues #493, #494, #497, #499, and #500.

Cause

Baseline comparison, policy provenance, runtime trace context, and dashboard/TUI comparison data were not propagated through the shared report model and output formatters.

Root Cause

The report schema and downstream consumers only modeled the current-run view. They did not carry baseline snapshots, merge trace provenance, or parent/entrypoint runtime relationships through the CLI, dashboard, SARIF, and TUI layers.

Fix

  • Added baseline compare support to dashboard runs and TUI summary output.
  • Added policy pack provenance and merge trace data to effective policy output.
  • Enriched SARIF with provenance, runtime context, and baseline context.
  • Correlated runtime traces with parent modules and entrypoints.
  • Updated the report schema and docs to match the new output surface.

Tests

  • go test ./internal/dashboard ./internal/ui ./internal/thresholds ./internal/report ./internal/runtime ./internal/cli ./internal/app
  • Additional focused tests were added for dashboard baselines, TUI compare mode, policy trace resolution, runtime trace loading/annotation, and SARIF formatting.

Closes #493
Closes #494
Closes #497
Closes #499
Closes #500

Copilot AI review requested due to automatic review settings June 2, 2026 13:20
ben-ranford added the enhancement (New feature or request) label Jun 2, 2026
ben-ranford added this to the v1.6.0 milestone Jun 2, 2026
@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

Feature flag enforcement

  • Feature PR: yes (feat PR title)
  • Check: failed
  • Rule: feature PRs must add a feature flag, new flags must start as preview, and feature flag ids and names must be unique.

New feature flags in this PR

None.

Violations

  • Feature PRs must add at least one new feature flag in internal/featureflags/features.json.

@sonarqubecloud

sonarqubecloud Bot commented Jun 2, 2026

Quality Gate failed

Failed conditions
14.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

Memory Benchmarks

❌ Memory benchmark summary was not produced.

Approval: unavailable because the memory benchmark gate did not complete cleanly.

Contributor

Copilot AI left a comment

Pull request overview

This PR expands Lopper’s report model so baseline snapshots/comparisons, policy provenance (merge trace), and richer runtime trace context are propagated through the CLI, dashboard/TUI, SARIF output, and documentation—addressing several feature gaps where downstream formatters previously only represented the current-run view.

Changes:

  • Add baseline snapshot + compare support for lopper dashboard and baseline-aware compare mode rendering in the TUI summary.
  • Add effective policy field-level provenance via effectivePolicy.mergeTrace and surface it in table/JSON outputs.
  • Enrich runtime trace ingestion/annotation with parentModules + entrypoints, and include runtime + provenance + baseline context in SARIF properties.

Reviewed changes

Copilot reviewed 48 out of 48 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| scripts/runtime/require-hook.cjs | Emit entrypoint for CommonJS runtime trace events. |
| scripts/runtime/loader.mjs | Emit entrypoint for ESM loader trace events. |
| README.md | Document TUI baseline compare usage + new runtime usage fields. |
| internal/ui/options.go | Add baseline inputs to TUI options. |
| internal/ui/summary.go | Load/apply baseline to summary report when baseline inputs are provided. |
| internal/ui/summary_test.go | Add coverage for baseline-aware TUI snapshot output. |
| internal/ui/view_model.go | Map new runtime usage fields into the UI view model. |
| internal/ui/detail.go | Render runtime parent modules + entrypoints in detail output. |
| internal/cli/usage.go | Update CLI help for dashboard/TUI baseline flags. |
| internal/cli/parse_tui.go | Parse TUI baseline flags into the request model. |
| internal/cli/parse_tui_test.go | Test TUI baseline flag parsing. |
| internal/cli/parse_dashboard.go | Parse dashboard baseline flags (store/key/label/save). |
| internal/cli/parse_dashboard_test.go | Test dashboard baseline flag parsing. |
| internal/cli/parse_analyse.go | Thread policy merge trace through analyse request building. |
| internal/cli/parse_analyse_test.go | Validate policy trace precedence for CLI overrides. |
| internal/cli/parse_analyse_overrides.go | Merge CLI-derived policy trace into resolved policy trace. |
| internal/app/types.go | Extend request types (analyse policy trace; TUI/dashboard baseline fields). |
| internal/app/app.go | Forward TUI baseline options from app layer. |
| internal/app/dashboard.go | Aggregate dashboard report, apply baseline compare, optionally save snapshot. |
| internal/app/dashboard_request.go | Resolve config-provided baseline store (relative to config dir). |
| internal/app/dashboard_request_options_test.go | Test baseline store resolution from config. |
| internal/app/dashboard_rendering_test.go | Validate dashboard JSON includes baseline_comparison when comparing. |
| internal/app/analyse_prepare.go | Include effectivePolicy.mergeTrace in analyse report decoration. |
| internal/thresholds/config.go | Add PolicyTrace to threshold load result (defaults + merged). |
| internal/thresholds/config_packs.go | Track field-level policy source per merged override; export as trace list. |
| internal/thresholds/config_cov_more_branches_test.go | Add tests for policy trace merge/source tracking. |
| internal/runtime/trace_types.go | Extend runtime event + trace aggregates for parent/entrypoint context. |
| internal/runtime/trace_load.go | Parse/store parent + entrypoint counts per dependency. |
| internal/runtime/trace_load_test.go | Test trace loading for parent + entrypoint fields. |
| internal/runtime/trace_annotate.go | Attach parentModules/entrypoints to report.RuntimeUsage. |
| internal/runtime/trace_annotate_test.go | Test runtime annotation includes new provenance fields. |
| internal/report/model/metadata.go | Add effectivePolicy.mergeTrace to report schema model. |
| internal/report/model/dependency.go | Add runtimeUsage.parentModules and runtimeUsage.entrypoints. |
| internal/report/model_aliases.go | Export PolicyMergeTrace alias from report package. |
| internal/report/format_table_sections.go | Print merge trace section in table formatter. |
| internal/report/format_table_values.go | Render parent/entrypoint runtime context in table runtime usage string. |
| internal/report/format_test.go | Add test ensuring table includes merge trace content. |
| internal/report/sarif.go | Add provenance/runtime/baseline context to SARIF result properties. |
| internal/report/sarif_test.go | Update SARIF tests for new function signatures/properties. |
| internal/dashboard/types.go | Add dashboard baseline comparison model. |
| internal/dashboard/baseline.go | Implement dashboard baseline snapshot storage + comparison computation. |
| internal/dashboard/format.go | Emit baseline comparison in dashboard CSV/HTML outputs. |
| internal/dashboard/dashboard_test.go | Add baseline snapshot + comparison coverage for dashboard package. |
| docs/threshold-tuning.md | Document effectivePolicy.mergeTrace and TUI baseline flags. |
| docs/sarif-code-scanning.md | Document SARIF provenance/runtime/baseline enrichment. |
| docs/report-schema.md | Update schema docs for mergeTrace + runtime + richer baselineComparison. |
| docs/report-schema.json | Add JSON schema definitions for mergeTrace + runtime parent/entrypoint fields. |
| docs/dashboard.md | Document dashboard baseline store/key/label/save semantics. |
