feat(query): panic-attack query subcommand (issue #33 S3)

Adds the third slice of issue #33: a panic-attack query subcommand that
evaluates a small S-expression query language over the persisted
per-finding hexads (S1) and campaign-state hexads (S2), joined by
finding_id.

Supported forms in this initial S3:

  (category UnsafeCode)
  (rule-id PA004)
  (severity Critical)
  (repo <name-substring>)        ; case-insensitive substring
  (file <path-substring>)        ; case-insensitive substring
  (pr-state pr-filed|pr-merged|pr-closed|dismissed|nil)
  (and <expr> <expr> ...)
  (or  <expr> <expr> ...)
  (not <expr>)

`pr-state nil` matches any finding without a campaign hexad — i.e. the
operationally important "open work not yet PR'd" view that the
estate-sweep campaign needs most.

CLI:
  panic-attack query "(and (category UnsafeCode) (pr-state nil))"
  panic-attack query "(severity Critical)" --format json
  panic-attack query "(repo alpha)" --verisimdb-dir verisimdb-data

Output: fixed-width table by default, JSON via `--format json`.

Deferred to S3 follow-ups (recorded in the module header):
- (crosslang :from FFI :to ProofDrift) — needs integration with
  src/kanren/crosslang.rs.
- (diff :since <date> :category <X>) — needs an explicit baseline-run
  cursor beyond created_at.

Implementation notes:
- Small hand-rolled S-expression tokenizer/parser in src/query/mod.rs
  (~170 lines including escape handling for quoted strings and `;`
  line comments). Doesn't depend on the a2ml parser since the query
  surface is narrower.
- Evaluator pre-joins findings with their latest campaign event
  (newest-by-created_at wins per finding_id) before filtering. That
  keeps `(pr-state ...)` a free clause inside `and`/`or` rather than
  forcing a special-case in the loop.

Tests: 19 new in src/query/ — 8 parser (positive + 3 rejection cases),
9 evaluator (each filter, and/or/not, pr-state nil/filed/excluded), 2
renderer. Full lib suite: 239 green. Clippy clean.

CLI smoke validated: writing a hand-crafted finding hexad + invoking
campaign register-pr + query returns the expected JSON with the
pr-filed state joined in.

Refs #33. Stacked on #56 (S2). Diff against main includes S1+S2
changes until they land; this PR rebases cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/lib.rs

@@ -32,6 +32,7 @@ pub mod kanren;
 pub mod mass_panic;
 pub mod notify;
 pub mod panll;
+pub mod query;
 pub mod report;
 pub mod signatures;
 pub mod storage;

src/main.rs

@@ -27,6 +27,7 @@ mod kin;
 mod mass_panic;
 mod notify;
 mod panll;
+mod query;
 mod report;
 mod signatures;
 mod storage;
@@ -753,6 +754,28 @@ enum Commands {
         #[command(subcommand)]
         action: CampaignAction,
     },
+
+    /// Query persisted findings + campaign state with a small S-expression
+    /// language (issue #33 S3). See `panic-attack query --help` for syntax.
+    Query {
+        /// Query expression, e.g. `(and (category UnsafeCode) (pr-state nil))`.
+        #[arg(value_name = "EXPR")]
+        expr: String,
+
+        /// VeriSimDB data directory (default: `verisimdb-data`).
+        #[arg(long, value_name = "DIR", default_value = "verisimdb-data")]
+        verisimdb_dir: PathBuf,
+
+        /// Output format.
+        #[arg(long, value_enum, default_value_t = QueryFormatArg::Table)]
+        format: QueryFormatArg,
+    },
+}
+
+#[derive(clap::ValueEnum, Clone, Debug)]
+enum QueryFormatArg {
+    Table,
+    Json,
 }
 
 #[derive(Subcommand)]
@@ -2404,6 +2427,24 @@ fn run_main() -> Result<()> {
             }
         },
 
+        Commands::Query {
+            expr,
+            verisimdb_dir,
+            format,
+        } => {
+            let q = query::parse(&expr)?;
+            let hits = query::run(&q, &verisimdb_dir)?;
+            match format {
+                QueryFormatArg::Table => {
+                    print!("{}", query::render_table(&hits));
+                }
+                QueryFormatArg::Json => {
+                    println!("{}", serde_json::to_string_pretty(&hits)?);
+                }
+            }
+            return Ok(());
+        }
+
         Commands::Campaign { action } => {
             match action {
                 CampaignAction::RegisterPr {