Block Content API regressions before they merge.

Run the static scanner against a scoped integration folder during pull requests.

Fail the job on critical or high severity findings while keeping medium and NOT_VERIFIED items visible as artifacts.

Upload JSON and Markdown artifacts so reviewers can inspect rule IDs, file paths, lines, recommendations, and tested-scope limits.

The default CI script omits code snippets and records only file, line, rule, severity, and remediation metadata.

The first CI integration is repository-local; GitHub App installation, scheduled scans, and branded agency dashboards remain later P2 work.