Crate fleetreach_cli

fleetreach-cli library: config loading, fleet orchestration, report assembly + exit-code logic, and the command surface.

The pipeline lives in the library (typed, testable). The command layer — argument parsing (cli), the scan runner (scan), the vex subcommands (vex), and DB/provenance plumbing (db) — also lives here, so main.rs is a thin shell that just parses and dispatches.

Re-exports

pub use assemble::assemble;
pub use assemble::build_report;
pub use assemble::combine_baseline;
pub use assemble::drop_phantom;
pub use assemble::exit_code;
pub use assemble::retain_min_epss;
pub use assemble::retain_new;
pub use assemble::retain_reachable;
pub use assemble::Assembled;
pub use assemble::GateConfig;
pub use assemble::SuppressedOccurrence;
pub use assemble::Suppression;
pub use config::Config;
pub use config::ConfigError;
pub use orchestrate::scan_fleet;
pub use orchestrate::ScanData;
pub use orchestrate::Toolchain;

Modules

assemble
Turning raw scan output into a final FleetReport plus its exit code.
cli
The command-line surface: the clap command tree, the shared value-enums it parses into, and the top-level dispatch. The thin binary calls Cli::try_parse then dispatch; the per-command logic lives in crate::scan and crate::vex.
config
fleet.toml parsing and validation.
db
Advisory-DB loading, freshness, provenance, and enrichment fetch — the binary’s I/O wiring, kept out of the command runners. Everything here is Args-agnostic (it takes primitives), so scan and the vex subcommands share it without coupling to a particular clap struct.
diff
The diff command: compare two saved fleet reports (scan -f json) and show what appeared, what cleared, and which surviving advisories changed blast radius. A first-class take on the scan --baseline flag — that flag keeps only new findings from a live scan; diff is pure (no scanning, no DB, no network), works off two JSON files, and reports fixed + still-open too.
enrich
Exploit-risk enrichment from external feeds: the CISA Known Exploited Vulnerabilities (KEV) catalog, FIRST’s EPSS scores, and NVD CVSS severity.
npm_reach
Build-free npm reachability via a module import graph (the spec’s R2).
orchestrate
The multi-repo scan loop (§10, step 4).
reach
--reachability: a heuristic source-presence check — NOT static call-graph reachability analysis.
resolve
Feature-aware “is it actually built?” resolution via cargo tree.
scan
The scan command: parse ScanArgs, run the audit pipeline (config → fleet scan → assemble → enrich → reachability → render), and return the exit code. Also hosts the --why/--explain short-circuits and -f vex parameter build.
static_reach
--reachability=static: the sound call-graph engine (NOT the grep heuristic in crate::reach).
vex
The vex subcommands: product/assertion resolution shared by -f vex and SARIF, the pure cores of vex check (drift) and vex verify (witnesses), and the Check/Verify argument structs + runners. The binary only parses and dispatches into [run_vex_check]/[run_vex_verify].