Pass snippet scan retention days to ficus

[spatten]

Overview

This PR gets the snippet-scan-retention-days setting from the response of GET /api/cli/organization and, if it exists in the response, passes it into Ficus via the --snippet-scan-retention-days flag.

The full workflow is:

1. CLI gets the setting from the /api/cli/organization endpoint (https://github.com/fossas/FOSSA/pull/16333)
2. CLI passes that setting into Ficus (this PR)
3. Ficus includes the setting when it POSTs to finalizes a snippet scan in Sparkle (https://github.com/fossas/ficus/pull/69)
4. Sparkle sets the contents expiration on the analysis (https://github.com/fossas/sparkle/pull/680)

Acceptance criteria

The CLI will pass the snippet scan retention days param into Ficus via the --snippet-scan-retention-days flag if it exists in the response from Core.

If it does not exist in the response from Core, then it will not pass the flag in when it invokes Ficus. Ficus will default to 30 days.

Testing plan

You'll need a version of Ficus that uses this flag.

I did this by:

cd $ficus
git checkout snippet-scan-retention
cargo install --path ficus
cp `which ficus` $cli/vendor-bins

Then you can re-compile the CLI and it will embed the new Ficus version.

You'll also want to be running a version of Core that includes that setting in the response to GET /api/cli/organization. https://github.com/fossas/FOSSA/pull/16333 is merged, so you can just use prod.

Go into the org settings and set snippet scan retention days to something other than 30.

Now run the CLI against production:

cabal run fossa -- analyze --x-snippet-scan --debug --exclude-target npm --only-target npm $scandirs/snippet-demo-dir

The scan should complete successfully and create an analysis. The logs will tell you what the analysis ID is.

Ficus analysis completed successfully with analysis ID: 517

Look in the production sparkle DB. It should have an contents_expiration that matches the retention days that you set in Core. I set it to 10 days from now, and that's what I see:

select * from analysis_snippet_scan.analysis where id = 517;
-[ RECORD 1 ]-------+---------------------------------------------------
id                  | 517
organization_id     | 24987
project_locator     | custom+24987/snippet-demo-dir
revision_locator    | custom+24987/snippet-demo-dir$2025-09-10T19:42:18Z
created             | 2025-09-10 19:42:18.823705+00
contents_expiration | 2025-09-20 19:42:18.823705+00

Risks

Metrics

References

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.