
test(cli): add command path coverage #16

Merged
NhanAZ merged 2 commits into main from agent/cli-command-tests on Jun 9, 2026

Conversation

@NhanAZ NhanAZ commented Jun 9, 2026

Collaborator

What changed

Added CLI command tests for existing command paths: no-argument help, scan --help, --version, and unknown command handling.

Why

These paths are part of the public CLI contract but were not directly covered by tests. The added coverage makes command behavior safer to maintain as argument parsing changes.

Testing

npm.cmd run build

> openpolicykit@0.3.0 build
> tsc

npm.cmd test

> openpolicykit@0.3.0 test
> node --test dist/tests/**/*.test.js

? CLI commands
  ? should print help and exit with 0 when no command is provided (610.36ms)
  ? should print scan help and exit with 0 (382.6356ms)
  ? should print the package version and exit with 0 (353.155ms)
  ? should exit with 2 for an unknown command (330.1722ms)
? CLI commands (1680.7797ms)
Error: Invalid --min-severity value: invalid_level. Expected info, warning, or error.
Error: --min-severity requires a value (info, warning, or error).
? CLI Integration
  ? should exit with 0 when scanning a clean directory (796.4999ms)
  ? should exit with 1 when findings are found (552.7099ms)
  ? should output JSON when --json flag is used (435.9775ms)
  ? should exit with 2 when an invalid --min-severity is provided (328.9889ms)
  ? should exit with 2 when --min-severity is missing value (336.2447ms)
  ? should filter out warnings when --min-severity error is provided (316.1019ms)
? CLI Integration (2772.3123ms)
? OPK-001: Hardcoded AI Credentials
  ? should detect a hardcoded OpenAI API key (8.9058ms)
  ? should detect a hardcoded Anthropic API key (4.2968ms)
  ? should NOT flag environment variable references (1.4126ms)
  ? should NOT flag credentials in .env files (0.7122ms)
  ? should NOT flag clean files without credentials (3.1104ms)
  ? should have correct rule metadata (0.9488ms)
? OPK-001: Hardcoded AI Credentials (24.5366ms)
? OPK-002: AI Prompt Artifacts
  ? should detect AI assistant comment in TypeScript file (4.7751ms)
  ? should detect generated-by note in Python file (5.1324ms)
  ? should NOT flag clean files without prompt artifacts (27.2461ms)
  ? should have correct rule metadata (11.528ms)
? OPK-002: AI Prompt Artifacts (55.4618ms)
? OPK-003: Placeholder Implementation
  ? should detect TODO implement comment (7.735ms)
  ? should detect Not implemented error (3.6148ms)
  ? should NOT flag specific TODO with issue reference and context (1.5799ms)
  ? should NOT flag clean files without placeholder code (3.4499ms)
  ? should detect Python pass with TODO (3.1259ms)
  ? should have correct rule metadata (0.5156ms)
? OPK-003: Placeholder Implementation (24.0731ms)
? OPK-004: Unpinned Dependency Versions
  ? should detect wildcard, range, tag, and partial dependency versions (7.3306ms)
  ? should NOT flag exact versions or non-registry dependency sources (4.6088ms)
  ? should ignore invalid package.json files without failing (5.2353ms)
  ? should ignore files other than package.json, requirements.txt, or pyproject.toml (1.1758ms)
  ? should detect unpinned dependencies in requirements.txt (2.5282ms)
  ? should detect unpinned dependencies in pyproject.toml (3.2461ms)
  ? should have correct rule metadata (0.4837ms)
? OPK-004: Unpinned Dependency Versions (29.0897ms)
? OPK-005: Risky CI/CD Workflows
  ? should detect high-risk GitHub Actions workflow patterns (21.4109ms)
  ? should NOT flag a least-privilege workflow (11.0189ms)
  ? should detect workflows when .github is the scan root (1.9036ms)
  ? should detect pull_request_target in an inline event list (1.7003ms)
  ? should ignore workflow-like files outside .github/workflows (0.5451ms)
  ? should have correct rule metadata (0.4172ms)
? OPK-005: Risky CI/CD Workflows (40.9904ms)
? OPK-006: Hallucinated Dependencies
  ? should flag packages that return 404 from npm registry (15.2537ms)
  ? should ignore packages on network errors (fail open) (15.1686ms)
  ? should have correct rule metadata (1.3064ms)
? OPK-006: Hallucinated Dependencies (39.2453ms)
? OPK-007: Large Generated Files
  ? should detect a large file with a generated marker (14.6317ms)
  ? should detect a large file with a generated filename (10.6095ms)
  ? should NOT flag a large file without generated indicators (9.444ms)
  ? should NOT flag a small generated file (6.3797ms)
  ? should ignore missing files without failing (3.1854ms)
  ? should have correct rule metadata (1.1651ms)
? OPK-007: Large Generated Files (50.6367ms)
? Scanner Integration
  ? should skip disabled rules specified in opk.config.json (30.2515ms)
  ? should filter findings by minimum severity (38.1744ms)
  ? should skip excluded paths specified in opk.config.json (12.2455ms)
? Scanner Integration (87.9249ms)
? tests 55
? suites 6
? pass 55
? fail 0
? cancelled 0
? skipped 0
? todo 0
? duration_ms 3233.2755

The two Error: lines are expected stderr output from CLI error-path tests.

npm.cmd run lint

> openpolicykit@0.3.0 lint
> tsc --noEmit

Risks

None identified.

Follow-up

Fix the stale README configuration section so it reflects existing opk.config.json support.

@NhanAZ NhanAZ marked this pull request as ready for review June 9, 2026 19:19
@NhanAZ NhanAZ merged commit c566f4d into main Jun 9, 2026
3 checks passed
@NhanAZ NhanAZ deleted the agent/cli-command-tests branch June 9, 2026 19:20