feat(query): panic-attack query subcommand (issue #33 S3) (#57)

## Summary

Third slice of
[#33](#33). Adds a
\`panic-attack query\` subcommand that evaluates a small S-expression
query language over the per-finding hexads from #55 (S1) joined with the
campaign-state hexads from #56 (S2).

> Stacked on #56 — diff against \`main\` includes the S1+S2 changes
until those land; this PR rebases cleanly.

## Supported forms (S3 initial)

\`\`\`scheme
(category UnsafeCode)
(rule-id PA004)
(severity Critical)
(repo <name-substring>)          ; case-insensitive substring
(file <path-substring>)          ; case-insensitive substring
(pr-state pr-filed|pr-merged|pr-closed|dismissed|nil)
(and <expr> <expr> ...)
(or  <expr> <expr> ...)
(not <expr>)
\`\`\`

\`(pr-state nil)\` matches any finding **without a campaign hexad** —
i.e. the operationally important "open work not yet PR'd" view that the
estate-sweep campaign needs most.

## CLI

\`\`\`
panic-attack query "(and (category UnsafeCode) (pr-state nil))"
panic-attack query "(severity Critical)" --format json
panic-attack query "(repo alpha)" --verisimdb-dir verisimdb-data
\`\`\`

Default output: fixed-width table. JSON via \`--format json\`.

## Deferred to S3 follow-ups

Three follow-ups will land in the next PRs in this stack:
- \`(crosslang :from FFI :to ProofDrift)\` — needs integration with
\`src/kanren/crosslang.rs\`.
- \`(diff :since <date> :category <X>)\` — needs an explicit
baseline-run cursor.
- \`panic-attack campaign poll\` (was S2 scope cut) — GitHub PR-state
polling.

## Implementation notes

- Small hand-rolled S-expression tokenizer/parser (~170 LOC) — doesn't
depend on the a2ml parser since the query surface is narrower.
- Evaluator pre-joins findings with their latest campaign event
(newest-by-\`created_at\` wins per \`finding_id\`) before filtering.
\`(pr-state ...)\` is a free clause inside \`and\`/\`or\` rather than a
special case.

## Test plan

- [x] \`cargo test --lib\` — 239 green (19 new in \`src/query/\`).
- [x] \`cargo clippy --all-targets -- -D warnings\` — clean.
- [x] \`cargo fmt --all\` — clean.
- [x] End-to-end CLI smoke: hand-crafted finding hexad + \`campaign
register-pr\` + \`query (and (category UnsafeCode) (pr-state pr-filed))
--format json\` returns the expected JSON with the joined campaign
state.

Refs #33. Stacked on #56 (S2) → #55 (S1).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/lib.rs

@@ -32,6 +32,7 @@ pub mod kanren;
 pub mod mass_panic;
 pub mod notify;
 pub mod panll;
+pub mod query;
 pub mod report;
 pub mod signatures;
 pub mod storage;

src/main.rs

@@ -27,6 +27,7 @@ mod kin;
 mod mass_panic;
 mod notify;
 mod panll;
+mod query;
 mod report;
 mod signatures;
 mod storage;
@@ -778,6 +779,28 @@ enum Commands {
         #[arg(long, group = "sweep_shape", default_value_t = false)]
         by_category: bool,
     },
+
+    /// Query persisted findings + campaign state with a small S-expression
+    /// language (issue #33 S3). See `panic-attack query --help` for syntax.
+    Query {
+        /// Query expression, e.g. `(and (category UnsafeCode) (pr-state nil))`.
+        #[arg(value_name = "EXPR")]
+        expr: String,
+
+        /// VeriSimDB data directory (default: `verisimdb-data`).
+        #[arg(long, value_name = "DIR", default_value = "verisimdb-data")]
+        verisimdb_dir: PathBuf,
+
+        /// Output format.
+        #[arg(long, value_enum, default_value_t = QueryFormatArg::Table)]
+        format: QueryFormatArg,
+    },
+}
+
+#[derive(clap::ValueEnum, Clone, Debug)]
+enum QueryFormatArg {
+    Table,
+    Json,
 }
 
 #[derive(Subcommand)]
@@ -2429,6 +2452,24 @@ fn run_main() -> Result<()> {
             }
         },
 
+        Commands::Query {
+            expr,
+            verisimdb_dir,
+            format,
+        } => {
+            let q = query::parse(&expr)?;
+            let hits = query::run(&q, &verisimdb_dir)?;
+            match format {
+                QueryFormatArg::Table => {
+                    print!("{}", query::render_table(&hits));
+                }
+                QueryFormatArg::Json => {
+                    println!("{}", serde_json::to_string_pretty(&hits)?);
+                }
+            }
+            return Ok(());
+        }
+
         Commands::Campaign { action } => {
             match action {
                 CampaignAction::RegisterPr {