fix(cli): apply repository triage file during scans

docs/cli.md

@@ -82,6 +82,13 @@ nyx scan [PATH] [OPTIONS]
 | `--rollup-examples <N>` | `5` | Number of example locations in rollup findings |
 | `--show-instances <RULE>` | *(none)* | Expand all instances of a specific rule (bypass rollup) |
 
+`nyx scan` automatically reads `.nyx/triage.json` from the scan root when the
+file exists. Terminal triage states written by `nyx serve` (`false_positive`,
+`accepted_risk`, `suppressed`, and `fixed`) are hidden from CLI output and do
+not trigger `--fail-on` by default. Use `--show-suppressed` to include them in
+console, JSON, or SARIF output with their `triage_state` and optional
+`triage_note`.
+
 **Severity expression formats**:
 
 ```bash

docs/output.md

@@ -282,6 +282,25 @@ Without `--fail-on` or `--gate`, Nyx always exits `0` on a successful scan regar
 
 ---
 
+## Repository Triage
+
+`nyx scan` and `nyx serve` share `.nyx/triage.json` in the scan root. The file
+uses portable fingerprints so committed triage decisions survive different
+checkout paths in local runs and CI.
+
+When the file exists, CLI scans apply it automatically:
+
+- `open` and `investigating` findings remain active.
+- `false_positive`, `accepted_risk`, `suppressed`, and `fixed` findings are
+  excluded from output and `--fail-on` checks by default.
+- `--show-suppressed` includes terminal triage findings and emits
+  `triage_state` plus `triage_note` when present.
+
+`nyx serve` continues to read and write the same file when triage sync is
+enabled, so browser triage and CI gating use the same decisions.
+
+---
+
 ## Severity Levels
 
 | Level | Description | Typical rules |