
feat(cli): residual-diff between two branches (#5) #41

Merged: pureliture merged 2 commits into main from claude/residual-diff on Jun 19, 2026

Conversation

@pureliture (Contributor)

What

Add residual-diff — the difference in residual secrets between two branches,
computed as a finding_id set diff. No PR entity, new index, or storage change.

Why

finding_id is branch/commit-stable (#12 L1), so "what this branch added/removed"
is just residual(head) − residual(base) / residual(base) − residual(head) over
the existing per-branch residual. A PR is just a branch pair, so no PR-specific
machinery is needed.

Changes

  • runtime/branch_residual.py: ResidualDiff dataclass + pure residual_diff(base, head)
    helper (added / removed sorted, unchanged_count).
  • cli/commands/scan.py: residual-diff --repo --base --head reusing
    residual_for_repo for a single consistent snapshot read; fail-closed when a
    branch has no residual (an unscanned branch is not "0 added"); dynamodb-only
    with exit 2, mirroring residual.
  • Spec: docs/workbench/specs/residual-diff/ (research-grounded self-Q&A).

Test

  • uv run pytest — 684 passed (helper added/removed/unchanged/directional;
    CLI diff, missing-branch exit 2, jsonl exit 2).
  • governance.public_safety clean.

Related to #23 follow-on residual work.

…#5)

Compute the per-branch residual difference as a finding_id set diff (finding_id
is branch/commit-stable, #12 L1), so "what this branch added/removed" needs no
PR entity, new index, or storage change.

- branch_residual: ResidualDiff dataclass + pure residual_diff(base, head) helper
  (added = head − base, removed = base − head, unchanged_count = |base ∩ head|).
- scan.py: `residual-diff --repo --base --head` subcommand reusing
  residual_for_repo (single snapshot read); fail-closed when a branch has no
  residual (unscanned ≠ "0 added"); dynamodb-only, exit 2 guard like `residual`.

Spec: docs/workbench/specs/residual-diff/ (research-grounded self-Q&A).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
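The set-diff semantics and the fail-closed guard the PR describes, as an added illustration that is not the project's own code: `ResidualDiff`, `residual_diff`, `residual_diff_for_repo`, `missing_branches`, the in-memory `SAMPLE_RESIDUAL` store standing in for a single `residual_for_repo` snapshot read, and the `f-00x` finding_ids are all assumptions constructed for this example.

```python
"""Branch-pair residual diff with a fail-closed missing-branch guard.

Added example, not code from the PR or the project. Names and the
in-memory store are assumptions; the finding_ids are constructed data.
"""
from dataclasses import dataclass

# Constructed sample: per-branch residual keyed by branch name, each holding
# the branch/commit-stable finding_ids that are still unresolved on that branch.
SAMPLE_RESIDUAL = {
    "main": {"f-001", "f-002", "f-003"},
    "feature/rotate-keys": {"f-002", "f-003", "f-004"},
}

# Mirrors the PR's "a branch with no residual is an error, exit 2" behaviour.
EXIT_MISSING_BRANCH = 2


class MissingResidualError(Exception):
    """Raised when a branch has no residual snapshot, i.e. it was never scanned."""

    def __init__(self, branches):
        self.branches = list(branches)
        super().__init__("no residual for branch(es): " + ", ".join(self.branches))


@dataclass(frozen=True)
class ResidualDiff:
    added: list          # finding_ids on head but not base (head - base)
    removed: list        # finding_ids on base but not head (base - head)
    unchanged_count: int  # |base & head|


def residual_diff(base: set, head: set) -> ResidualDiff:
    """Pure set diff; sorted output keeps CLI/JSON output deterministic."""
    return ResidualDiff(
        added=sorted(head - base),
        removed=sorted(base - head),
        unchanged_count=len(base & head),
    )


def missing_branches(store, base_branch, head_branch):
    """Branches absent from the snapshot, deduplicated so base == head reports once."""
    missing = [b for b in (base_branch, head_branch) if b not in store]
    return list(dict.fromkeys(missing))


def residual_diff_for_repo(store, base_branch, head_branch) -> ResidualDiff:
    """Diff two branches read from one snapshot; fail closed on missing data.

    An unscanned branch must never be reported as "0 added": the absence of a
    residual is an error, not an empty set.
    """
    missing = missing_branches(store, base_branch, head_branch)
    if missing:
        raise MissingResidualError(missing)
    return residual_diff(store[base_branch], store[head_branch])


def cli_main(store, base_branch, head_branch) -> int:
    """Exit-code contract of the subcommand: 0 on success, 2 on a missing branch."""
    try:
        diff = residual_diff_for_repo(store, base_branch, head_branch)
    except MissingResidualError as err:
        print(f"error: {err}")
        return EXIT_MISSING_BRANCH
    print(f"added={diff.added} removed={diff.removed} unchanged={diff.unchanged_count}")
    return 0


if __name__ == "__main__":
    cli_main(SAMPLE_RESIDUAL, "main", "feature/rotate-keys")
```

The guard returns a distinct exit code rather than an empty diff so that a pipeline gating on "no new secrets" cannot pass merely because the head branch was never scanned; the dedupe is the change the review thread below asked for.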

@gemini-code-assist (Bot) left a comment


Code Review

This pull request introduces the residual-diff subcommand and helper functions to compute and display the difference in residual findings (added, removed, and unchanged secrets) between two branches of a repository. It includes design specifications, domain models, CLI integration, and comprehensive tests. The review feedback suggests deduplicating the missing branches list in the error message when both --base and --head refer to the same missing branch.


Comment thread on src/security_scanner/cli/commands/scan.py (outdated)
When --base and --head are the same missing branch, report it once instead of
twice (dict.fromkeys dedupe).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@pureliture pureliture merged commit 89d9b5a into main Jun 19, 2026
9 checks passed
@pureliture pureliture deleted the claude/residual-diff branch June 19, 2026 08:36


1 participant