Unus

.githooks/pre-commit

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cargo fmt --all --check
+cargo check
+cargo clippy --all-targets --all-features -- -D warnings
+cargo test --lib --tests

.github/copilot-instructions.md

@@ -1,6 +1,6 @@
 # Vulnera Copilot Instructions
 
-Vulnera is a multi-module async Rust vulnerability analysis platform (MSRV 1.82+). AI agents should focus on domain-driven design (DDD) patterns, the sandbox-isolated execution model, and the modular analysis pipeline orchestrated by the composition root.
+Vulnera is a multi-module async Rust vulnerability analysis platform (MSRV 1.91+). AI agents should focus on domain-driven design (DDD) patterns, the sandbox-isolated execution model, and the modular analysis pipeline orchestrated by the composition root.
 
 ## Architecture: The Big Picture
 
@@ -17,7 +17,9 @@ vulnera-rust (binary - HTTP API server)
   │  └─ vulnera-llm        [Gemini-powered explanations & auto-fixes]
   └─ vulnera-core          [domain models, shared traits, infra, config]
 
-vulnera-cli (standalone workspace - offline analysis + server API calls)
+vulnera-cli (standalone workspace and repository - offline analysis cli client + server API calls)
+vulnera-advisor (standalone workspace and repository - advisors crate + server API calls)
+vulnera-adapter (standalone workspace and repository - lsp crate + server API calls)
 ```
 
 **Composition Root**: `src/app.rs` is the **single composition root**. It delegates module setup to `src/modules/mod.rs` and wires all use cases, repositories, caches, and HTTP state. Never instantiate services (PgPool, Cache, etc.) inside crate internals—wire everything at the top level and inject via `Arc<dyn Trait>`.
@@ -31,22 +33,22 @@ vulnera-cli (standalone workspace - offline analysis + server API calls)
 
 ## Critical Files & Patterns
 
-| Task               | Key Files                                                                 | Pattern                                                                                   |
-| :----------------- | :------------------------------------------------------------------------ | :---------------------------------------------------------------------------------------- |
-| **New Module**     | `vulnera-core/.../traits.rs`, `src/modules/mod.rs`                        | Implement `AnalysisModule`; register in `ModuleRegistry`                                  |
-| **Sandbox Policy** | `vulnera-sandbox/src/domain/policy.rs`, `.../application/use_cases.rs`    | Build `SandboxPolicy::for_profile(SandboxPolicyProfile::...)`; execution via `SandboxExecutor` |
-| **SAST Rules**     | `vulnera-sast/src/infrastructure/rules/`                                  | Tree-sitter queries + visitor pattern for taint/data-flow                                 |
-| **Job Lifecycle**  | `vulnera-orchestrator/src/infrastructure/job_queue.rs`                    | Dragonfly-backed queue -> worker pool -> `ExecuteAnalysisJobUseCase` -> Sandbox           |
-| **Job Storage**    | `vulnera-orchestrator/src/infrastructure/job_store/`                      | Persist snapshots (`FindingsSummary`, metadata) with optional webhook delivery            |
-| **Module Selection** | `vulnera-orchestrator/src/infrastructure/module_selector.rs`            | `RuleBasedModuleSelector` decides modules by `AnalysisDepth` + project metadata           |
-| **Auth/API Keys**  | `vulnera-core/src/infrastructure/auth/`, `.../presentation/auth/`         | JWT + Argon2; cookie auth with CSRF; API key endpoints under `/api/v1/auth/api-keys`      |
-| **Database**       | `migrations/`, `vulnera-core/.../infrastructure/`                         | SQLx `query!` macros (compile-time checked); `IEntityRepository` traits                   |
+| Task                 | Key Files                                                              | Pattern                                                                                        |
+| :------------------- | :--------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------- |
+| **New Module**       | `vulnera-core/.../traits.rs`, `src/modules/mod.rs`                     | Implement `AnalysisModule`; register in `ModuleRegistry`                                       |
+| **Sandbox Policy**   | `vulnera-sandbox/src/domain/policy.rs`, `.../application/use_cases.rs` | Build `SandboxPolicy::for_profile(SandboxPolicyProfile::...)`; execution via `SandboxExecutor` |
+| **SAST Rules**       | `vulnera-sast/src/infrastructure/rules/`                               | Tree-sitter queries + visitor pattern for taint/data-flow                                      |
+| **Job Lifecycle**    | `vulnera-orchestrator/src/infrastructure/job_queue.rs`                 | Dragonfly-backed queue -> worker pool -> `ExecuteAnalysisJobUseCase` -> Sandbox                |
+| **Job Storage**      | `vulnera-orchestrator/src/infrastructure/job_store/`                   | Persist snapshots (`FindingsSummary`, metadata) with optional webhook delivery                 |
+| **Module Selection** | `vulnera-orchestrator/src/infrastructure/module_selector.rs`           | `RuleBasedModuleSelector` decides modules by `AnalysisDepth` + project metadata                |
+| **Auth/API Keys**    | `vulnera-core/src/infrastructure/auth/`, `.../presentation/auth/`      | JWT + Argon2; cookie auth with CSRF; API key endpoints under `/api/v1/auth/api-keys`           |
+| **Database**         | `migrations/`, `vulnera-core/.../infrastructure/`                      | SQLx `query!` macros (compile-time checked); `IEntityRepository` traits                        |
 
 ## Analysis Capabilities
 
 - **SAST**: Supports **Python, JavaScript, TypeScript, Rust, Go, C, C++** using Tree-sitter.
 - **Sandboxing**: Tiered isolation. Linux (Landlock + Seccomp) -> Process -> fallback. `SandboxPolicy::for_analysis` includes system paths, `/tmp` RW, and optional HTTP/Redis ports.
-- **Dependency Analysis**: Cross-ecosystem (NPM, PyPI, Cargo, Maven) with `vulnera-advisor` intelligence.
+- **Dependency Analysis**: Cross-ecosystem (NPM, PyPI, Cargo, Maven) with `vulnera-advisor` intelligence. Supports CWE filtering and Git commit range matching.
 - **LLM**: Integrated `GeminiLlmProvider` for automated remediation and finding enrichment.
 
 ## Configuration & Secrets

.gitignore

@@ -157,5 +157,4 @@ vulnera-sast/tests/snapshots/*
 /.vulnera_data
 curls.txt
 # Decoupled components
-/vulnera-cli/
 docs/modules.md

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+repos:
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo fmt --all
+        language: system
+        pass_filenames: false
+      - id: cargo-check
+        name: cargo check
+        entry: cargo check
+        language: system
+        pass_filenames: false
+      - id: cargo-clippy
+        name: cargo clippy
+        entry: cargo clippy --all-targets --all-features -- -D warnings
+        language: system
+        pass_filenames: false
+      - id: cargo-test
+        name: cargo test
+        entry: cargo test --lib --tests
+        language: system
+        pass_filenames: false

CHANGELOG.md

@@ -6,8 +6,20 @@ The format is based on Keep a Changelog and this project adheres to Semantic Ver
 ## [0.5.1] - 2026-02-13
 
 ### Added
+- **CLI Architecture & UX (vulnera-cli):**
+  - Introduced application use-case orchestration for CLI command flows (`analyze`, `sast`, `secrets`, `deps`, `auth`, `quota`, `api`, `generate-fix`) to reduce command-layer coupling.
+  - Added shared CLI services for watch execution and scan-target resolution (changed files, explicit file list, excludes, language filters).
+  - Added user-facing project hook management via `vulnera config hooks` with `install`, `status`, and `remove` subcommands.
+  - Added backend selection for hook install (`git` or `pre-commit`) with idempotent managed blocks.
+- **SAST Remediation Pipeline (vulnera-cli):**
+  - Implemented true bulk LLM-backed fix generation for `vulnera sast --fix`.
+  - Added remediation aggregation in SAST output including generated LLM fixes, SAST-native suggestions, and dependency upgrade suggestions.
+  - Added SARIF emission with fix payloads when bulk fixes are generated.
+
 - **Dependency Analysis Improvements:**
   - Precise semver interval intersection in `VersionRange::overlaps_with` for better vulnerability matching.
+  - Support for Git commit range matching in vulnerability checks via `matches_git_range`.
+  - CWE ID filtering and normalization (standardizing formats like "79" → "CWE-79").
   - Robust glob pattern matching for dependency ignore rules using `globset`.
   - Resolution of dependency edges to actual package versions in npm, Ruby, PHP, Python (uv), and Rust lockfile parsers.
   - Preserved dependency edges for git/path dependencies in Cargo parser for accurate graph analysis.
@@ -48,6 +60,13 @@ The format is based on Keep a Changelog and this project adheres to Semantic Ver
   - Replaced `.map/.any` patterns with `.contains/.iter` where clearer.
 
 ### Fixed
+- **CLI Quality & Reliability:**
+  - Unified API client construction in `CliContext` to eliminate per-command drift.
+  - Improved watch-mode safety by centralizing scan execution behavior.
+  - Replaced brittle CLI version assertion with package-version-based assertion in tests.
+- **CLI Lint/Tooling:**
+  - Addressed strict clippy findings in CLI paths touched during refactor (including pointer-arg and conditional simplifications).
+
 - **Robustness:** Added resilient regex compilation in API analyzers with graceful error handling.
 - **Error Handling:** Replaced unchecked `unwrap()` calls with explicit error propagation in `app.rs`.
 - **Startup:** Added validation for loaded configuration at startup with clear diagnostics.
@@ -57,6 +76,10 @@ The format is based on Keep a Changelog and this project adheres to Semantic Ver
 ### Dependencies Added
 - `globset` for robust glob pattern matching.
 
+### Tests
+- Extended `vulnera-cli` command smoke tests to cover `config hooks` command surface and subcommand help.
+- Added focused unit tests for SAST bulk-fix suggestion builders and dependency-suggestion deduplication logic.
+
 ## [0.5.0] - 2026-02-11
 
 ### Added

CONTRIBUTING.md

@@ -23,7 +23,7 @@ If you'd like to financially support the project, you can do so via [GitHub Spon
 ## Getting Started
 
 1. Fork the repo and create a feature branch from `main`.
-2. Install Rust stable (MSRV 1.82+) and PostgreSQL 12+.
+2. Install Rust stable (MSRV 1.91+) and PostgreSQL 12+.
 3. Set up the development database:
 
    ```bash