Add hidden reach-continue-on-* flags for Coana v15

[Martin Torp (mtorp)]

Summary

Preparation for the upcoming Coana CLI v15 major release.

Coana v15 changes the default halt behavior in socket mode for four different failure conditions, and introduces matching --reach-continue-on-* flags to opt out of each halt. This PR adds those four flags to the Socket CLI (as hidden flags on socket scan create and socket scan reach) and wires them through to the coana run invocation in performReachabilityAnalysis. Nothing changes for users today — these flags are no-ops against the current default Coana version — but the Socket CLI is now ready to forward them the moment Coana v15 becomes the default.

New flags (all hidden)

Socket CLI flag	Forwards to Coana	Halt it opts out of
--reach-continue-on-analysis-errors	--reach-continue-on-analysis-errors	Timeouts, OOM, parse errors, low-confidence results
--reach-continue-on-install-errors	--reach-continue-on-install-errors	Package installation failures
--reach-continue-on-missing-lock-files	--reach-continue-on-missing-lock-files	Gradle/SBT projects missing lockfile / version catalog / pre-generated SBOM
--reach-continue-on-no-source-files	--reach-continue-on-no-source-files	Workspace with no source files for its ecosystem

When any of these are set on the Socket CLI, the corresponding flag is appended to the coana run argv; when they're unset, nothing is appended and Coana applies its own default.

Files touched

• src/commands/scan/reachability-flags.mts — declarations (all hidden: true)
• src/commands/scan/perform-reachability-analysis.mts — ReachabilityOptions type + argv forwarding
• src/commands/scan/cmd-scan-reach.mts — destructure, type, pass through
• src/commands/scan/cmd-scan-create.mts — destructure, type, include in isUsingAnyReachabilityFlags gate, pass through
• src/commands/ci/handle-ci.mts + src/commands/scan/create-scan-from-github.mts — default values for internal callers

Test plan

• pnpm check:tsc passes cleanly
• All 79 tests in cmd-scan-create.test.mts + cmd-scan-reach.test.mts pass
• Hidden flags do not appear in --help output (verified against the help-snapshot tests)
• Smoke-test against a Coana v15 build once one is available to confirm the flags propagate end-to-end

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk plumbing change that only introduces new hidden CLI flags and threads them into Coana argv; behavior is unchanged unless these flags are explicitly provided (and depends on Coana version).

Overview
Prepares the CLI for Coana v15 by adding four hidden reachability flags (the --reach-continue-on-* family) to socket scan create and socket scan reach.

These new booleans are wired through internal scan entrypoints (including CI/GitHub scan flows) into performReachabilityAnalysis, which conditionally appends the corresponding coana run arguments when set, and includes them in the --reach gating logic so they can’t be used without reachability enabled.

^{Reviewed by Cursor Bugbot for commit 1b6eca6. Configure here.}