feat: code scanning cleanup and Roslyn analyzers (#231)

Tune code scanning tools to reduce noise and add architectural enforcement:

## CodeQL
- Disable 6 style rules that conflict with project conventions
- Keep security-and-quality suite for actual security analysis
- All 282 existing alerts dismissed (batch API)

## Bot Configuration
- Add .github/copilot-instructions.md with ADR-based guidance
- Add .gemini/config.yaml and styleguide.md for Gemini Code Assist
- Focus bots on real issues: concurrency, performance, resource leaks

## Roslyn Analyzers (PPDS.Analyzers)
- PPDS006: UseEarlyBoundEntities - flag string literals in QueryExpression
- PPDS012: NoSyncOverAsync - flag .GetAwaiter().GetResult(), .Result, .Wait()
- PPDS013: NoFireAndForgetInCtor - flag unawaited async calls in constructors

## EditorConfig
- Fix generated code pattern to match subdirectories
- Suppress CS8981 for lowercase enum names in generated code

Closes #231

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: joshsmithxrm

.editorconfig

@@ -70,13 +70,16 @@ csharp_new_line_before_catch = true
 csharp_new_line_before_finally = true
 
 # Generated code - relax rules that are noisy for auto-generated files
-[**/Generated/*.cs]
+[**/Generated/**.cs]
 # Disable naming warnings (generated code may not follow conventions)
 dotnet_diagnostic.IDE1006.severity = none
 
 # Disable documentation warnings (generated code has its own docs)
 dotnet_diagnostic.CS1591.severity = none
 
+# Disable lowercase type name warnings (Power Platform uses lowercase for enums)
+dotnet_diagnostic.CS8981.severity = none
+
 # Disable nullable warnings (generated code handles nullability its own way)
 dotnet_diagnostic.CS8618.severity = none
 

.gemini/config.yaml

@@ -0,0 +1,20 @@
+# Gemini Code Assist Configuration
+# https://developers.google.com/gemini-code-assist/docs/customize-gemini-behavior-github
+
+code_review:
+  disable: false
+  # Keep MEDIUM - Gemini finds real bugs (concurrency, performance, logic errors)
+  comment_severity_threshold: MEDIUM
+  max_review_comments: -1  # Unlimited
+  pull_request_opened:
+    help: false
+    summary: true
+    code_review: true
+    include_drafts: true
+
+# Don't need fun features for a professional SDK
+have_fun: false
+
+# Memory for persistent context
+memory_config:
+  disabled: false

.gemini/styleguide.md

@@ -0,0 +1,107 @@
+# PPDS Coding Standards
+
+This style guide informs Gemini Code Assist about PPDS SDK architecture and patterns.
+
+## Architecture (ADRs 0015, 0024, 0025, 0026)
+
+### Layer Rules
+
+- **CLI/TUI are THIN presentation adapters** - no business logic
+- **Application Services own all business logic** - located in `PPDS.Cli/Services/`
+- Services accept `IProgressReporter`, not `Console.WriteLine`
+- UIs never read/write files directly - use Application Services
+- Services return domain objects, presentation layers format output
+
+### Shared Local State (ADR-0024)
+
+All user data lives in `~/.ppds/`:
+- `profiles.json` - Auth profiles
+- `history/` - Query history
+- `settings.json` - User preferences
+
+UIs call services for all persistent state - no direct file I/O.
+
+## Dataverse Patterns
+
+### Bulk Operations
+
+- Use `CreateMultiple`, `UpdateMultiple`, `DeleteMultiple` - not loops with single operations
+- Single-record operations in loops cause 5-10x slowdown
+- Reference: `BulkOperationExecutor.cs`
+
+### Counting Records
+
+- Use FetchXML aggregate queries for counting
+- WRONG: Retrieve records and count in memory
+- CORRECT: `<fetch aggregate='true'><attribute aggregate='count'/></fetch>`
+
+### CancellationToken
+
+- All async methods must accept and propagate `CancellationToken`
+- Enables graceful shutdown on Ctrl+C
+- Check `cancellationToken.ThrowIfCancellationRequested()` in long loops
+
+### Connection Pool
+
+- Get client INSIDE parallel loops, not outside
+- Use `pool.GetTotalRecommendedParallelism()` as DOP ceiling
+- Don't hold single client across parallel iterations
+
+## Concurrency
+
+### Sync-over-Async
+
+- NEVER use `.GetAwaiter().GetResult()` - causes deadlocks
+- NEVER use `.Result` or `.Wait()` on tasks
+- If sync context required, use `async void` event handlers
+
+### Fire-and-Forget
+
+- NEVER call async methods without await in constructors
+- Use `Loaded` events for async initialization
+- Race conditions occur when async completes before UI ready
+
+### UI Thread Safety
+
+- UI property updates must be on main thread
+- Use `Application.MainLoop.Invoke(() => ...)` in Terminal.Gui
+- Async methods resume on thread pool after await
+
+### Re-entrancy
+
+- Add guards for async operations triggered by UI events
+- User can scroll/click faster than operations complete
+- Pattern: `if (_isLoading) return; _isLoading = true; try { ... } finally { _isLoading = false; }`
+
+## Error Handling (ADR-0026)
+
+### Structured Exceptions
+
+- Services throw `PpdsException` with `ErrorCode` and `UserMessage`
+- `ErrorCode` enables programmatic handling (retry on throttle, re-auth on expired)
+- `UserMessage` is safe to display - no GUIDs, stack traces, technical details
+
+### User Messages
+
+- WRONG: "FaultException: ErrorCode -2147204784"
+- CORRECT: "Your session has expired. Please log in again."
+
+## Style Preferences
+
+These are intentional choices - do NOT flag:
+
+- `foreach` with `if` instead of LINQ `.Where()`
+- Explicit `if/else` instead of ternary operators
+- `catch (Exception ex)` at CLI command entry points
+
+## Focus Areas
+
+Please DO flag:
+
+- Code duplication across files
+- Missing `CancellationToken` propagation
+- Sync-over-async patterns
+- Resource leaks (missing disposal)
+- Thread safety issues
+- API limits (e.g., TopCount > 5000)
+- Inefficient patterns (single-record loops, counting by retrieval)

.github/CODE_SCANNING.md

@@ -0,0 +1,102 @@
+# Code Scanning Configuration
+
+This document explains how code scanning tools are configured for the PPDS SDK repository.
+
+## Overview
+
+| Tool | Configuration | Purpose |
+|------|---------------|---------|
+| **CodeQL** | `.github/codeql/codeql-config.yml` | Security analysis (style rules disabled) |
+| **Copilot** | `.github/copilot-instructions.md` | PR review guidance |
+| **Gemini** | `.gemini/config.yaml`, `.gemini/styleguide.md` | PR review with architecture focus |
+| **Roslyn Analyzers** | `src/PPDS.Analyzers/` | Compile-time enforcement |
+
+## CodeQL Configuration
+
+CodeQL runs the `security-and-quality` query suite with style rules disabled.
+
+### Disabled Rules
+
+| Rule ID | Name | Why Disabled |
+|---------|------|--------------|
+| `cs/linq/missed-where` | LINQ Where suggestion | Conflicts with project style (prefer explicit foreach) |
+| `cs/linq/missed-select` | LINQ Select suggestion | Conflicts with project style |
+| `cs/missed-ternary-operator` | Ternary suggestion | Style preference, not quality |
+| `cs/nested-if-statements` | Nested if suggestion | Style preference, not quality |
+| `cs/catch-of-all-exceptions` | Generic catch clause | Intentional CLI pattern (top-level handlers) |
+| `cs/path-combine` | Path.Combine usage | All paths are controlled inputs in CLI context |
+
+### Path Exclusions
+
+Test code is excluded from analysis:
+- `tests/**`
+- `**/*Tests/**`
+- `**/*.Tests/**`
+
+## Bot Review Assessment
+
+Based on PR feedback analysis:
+
+| Bot | Value | Notes |
+|-----|-------|-------|
+| **Gemini** | HIGH | Catches real bugs: concurrency, performance, logic errors |
+| **Copilot** | MIXED | Good for duplication, resource leaks; noisy for style |
+| **CodeQL** | LOW | Mostly style noise for this codebase |
+
+## Roslyn Analyzers (PPDS.Analyzers)
+
+Compile-time enforcement of architectural patterns. Analyzers run during build and show as warnings in IDE.
+
+### Implemented Rules
+
+| ID | Name | Description | Severity |
+|----|------|-------------|----------|
+| PPDS006 | UseEarlyBoundEntities | Flags string literals in QueryExpression | Warning |
+| PPDS012 | NoSyncOverAsync | Flags `.GetAwaiter().GetResult()`, `.Result`, `.Wait()` | Warning |
+| PPDS013 | NoFireAndForgetInCtor | Flags async calls in constructors without await | Warning |
+
+### Planned Rules
+
+| ID | Name | Description | Source |
+|----|------|-------------|--------|
+| PPDS001 | NoDirectFileIoInUi | UI layer using File.Read/Write directly | ADR-0024 |
+| PPDS002 | NoConsoleInServices | Service using Console.WriteLine | ADR-0015 |
+| PPDS003 | NoUiFrameworkInServices | Service referencing Spectre/Terminal.Gui | ADR-0025 |
+| PPDS004 | UseStructuredExceptions | Service throwing raw Exception | ADR-0026 |
+| PPDS005 | NoSdkInPresentation | CLI command calling ServiceClient directly | ADR-0015 |
+| PPDS007 | PoolClientInParallel | Pool client acquired outside parallel loop | ADR-0002/0005 |
+| PPDS008 | UseBulkOperations | Loop with single Delete/Update calls | Gemini PR#243 |
+| PPDS011 | PropagateCancellation | Async method not passing CancellationToken | Gemini PR#242 |
+
+### Suppressing Analyzer Warnings
+
+To suppress a specific warning in code:
+
+```csharp
+#pragma warning disable PPDS006
+var query = new QueryExpression("customentity"); // No early-bound class available
+#pragma warning restore PPDS006
+```
+
+To suppress project-wide in `.editorconfig`:
+
+```ini
+[*.cs]
+dotnet_diagnostic.PPDS006.severity = none
+```
+
+## Architecture (ADRs)
+
+Bot instructions reference these Architecture Decision Records:
+
+| ADR | Summary |
+|-----|---------|
+| [0015](../docs/adr/0015_APPLICATION_SERVICE_LAYER.md) | Application Services for CLI/TUI/Daemon |
+| [0024](../docs/adr/0024_SHARED_LOCAL_STATE.md) | Shared local state architecture |
+| [0025](../docs/adr/0025_UI_AGNOSTIC_PROGRESS.md) | UI-agnostic progress reporting |
+| [0026](../docs/adr/0026_STRUCTURED_ERROR_MODEL.md) | Structured error model |
+
+## Related Issues
+
+- [#231](https://github.com/joshsmithxrm/ppds-sdk/issues/231) - Tune code scanning tools to reduce noise
+- [#232](https://github.com/joshsmithxrm/ppds-sdk/issues/232) - ADR-0024 (style) - Prefer foreach over LINQ

.github/codeql/codeql-config.yml

@@ -1,14 +1,30 @@
 # CodeQL Configuration
-# Excludes test code from security analysis to reduce false positives.
 # See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
+# Query filter docs: https://github.blog/changelog/2022-08-31-code-scanning-customize-your-codeql-analysis-using-query-filters/
 
 name: "PPDS SDK CodeQL Config"
 
 paths-ignore:
-  # Test projects - Path.Combine and similar alerts are false positives in test context
+  # Test projects - excluded from security analysis
   - tests/**
   - '**/*Tests/**'
   - '**/*.Tests/**'
 
 queries:
   - uses: security-and-quality
+
+# Disable style rules that conflict with project conventions
+# See .github/CODE_SCANNING.md for rationale
+query-filters:
+  - exclude:
+      id:
+        # LINQ style suggestions - conflicts with ADR-0024 (prefer explicit foreach)
+        - cs/linq/missed-where
+        - cs/linq/missed-select
+        # Style preferences - not quality issues
+        - cs/missed-ternary-operator
+        - cs/nested-if-statements
+        # CLI patterns - intentional top-level exception handlers
+        - cs/catch-of-all-exceptions
+        # Path handling - all paths are controlled inputs in CLI context
+        - cs/path-combine

.github/copilot-instructions.md

@@ -0,0 +1,57 @@
+# Copilot Code Review Instructions
+
+This file guides GitHub Copilot's code review behavior for the PPDS SDK repository.
+
+## Architecture (ADRs 0015, 0024, 0025, 0026)
+
+### Layer Rules
+
+- CLI/TUI are THIN presentation adapters - no business logic
+- Application Services own all business logic
+- Services are UI-agnostic - no `Console.WriteLine`, no Spectre/Terminal.Gui references
+
+### File I/O (ADR-0024: Shared Local State)
+
+- UIs never read/write files directly
+- All file access through Application Services
+- WRONG: `File.ReadAllText` in command handler
+- CORRECT: `await _profileService.GetProfilesAsync()`
+
+### Progress Reporting (ADR-0025: UI-Agnostic Progress)
+
+- Services accept `IProgressReporter`, not write to console
+- UIs implement adapters for their display medium
+- Services return data, presentation layers format it
+
+### Error Handling (ADR-0026: Structured Error Model)
+
+- Services throw `PpdsException` with `ErrorCode` and `UserMessage`
+- Never expose technical details (GUIDs, stack traces) in `UserMessage`
+- UIs format errors for their medium
+
+### Dataverse Patterns
+
+- Use bulk APIs (`CreateMultiple`, `UpdateMultiple`) not loops with single operations
+- Use FetchXML aggregate for counting, not retrieve-and-count
+- Propagate `CancellationToken` through all async methods
+- Get pool client INSIDE parallel loops, not outside
+
+## Style Preferences
+
+Do NOT suggest:
+
+- Converting `foreach` loops with `if` conditions to LINQ `.Where()` chains
+- Replacing `if/else` with ternary operators
+- "Simplifying" explicit control flow
+
+These are intentional style choices per project conventions.
+
+## Valuable Findings
+
+DO flag:
+
+- Code duplication across files
+- Resource leaks (missing disposal, using statements)
+- Missing `CancellationToken` propagation
+- Sync-over-async patterns (`.GetAwaiter().GetResult()`)
+- Thread safety issues in async code

PPDS.Sdk.sln

@@ -37,6 +37,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PPDS.LiveTests.Fixtures", "
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PPDS.Cli.DaemonTests", "tests\PPDS.Cli.DaemonTests\PPDS.Cli.DaemonTests.csproj", "{04BEC730-FDD3-4204-A020-08092795BD03}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PPDS.Analyzers", "src\PPDS.Analyzers\PPDS.Analyzers.csproj", "{E7084D22-4885-4361-9BC3-208D6AAC82C8}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -227,6 +229,18 @@ Global
 		{04BEC730-FDD3-4204-A020-08092795BD03}.Release|x64.Build.0 = Release|Any CPU
 		{04BEC730-FDD3-4204-A020-08092795BD03}.Release|x86.ActiveCfg = Release|Any CPU
 		{04BEC730-FDD3-4204-A020-08092795BD03}.Release|x86.Build.0 = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|x64.Build.0 = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Debug|x86.Build.0 = Debug|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|x64.ActiveCfg = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|x64.Build.0 = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|x86.ActiveCfg = Release|Any CPU
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -247,5 +261,6 @@ Global
 		{B1D38F8D-67C5-431F-BB47-BF02AE1E4AEB} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{9FC294F4-9010-497A-808A-8F336AE6B5B4} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{04BEC730-FDD3-4204-A020-08092795BD03} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{E7084D22-4885-4361-9BC3-208D6AAC82C8} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 	EndGlobalSection
 EndGlobal