sbom_tools/config/

types.rs

//! Configuration types for sbom-tools operations.
//!
//! Provides structured configuration for diff, view, and multi-comparison operations.

use crate::matching::FuzzyMatchConfig;
use crate::reports::{ReportFormat, ReportType};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use std::path::PathBuf;

// ============================================================================
// Unified Application Configuration
// ============================================================================

/// Unified application configuration that can be loaded from CLI args or config files.
///
/// This is the top-level configuration struct that aggregates all configuration
/// options. It can be constructed from CLI arguments, config files, or both
/// (with CLI overriding file settings).
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct AppConfig {
    /// Matching configuration (thresholds, presets)
    pub matching: MatchingConfig,
    /// Output configuration (format, file, colors)
    pub output: OutputConfig,
    /// Filtering options
    pub filtering: FilterConfig,
    /// Behavior flags
    pub behavior: BehaviorConfig,
    /// Graph-aware diffing configuration
    pub graph_diff: GraphAwareDiffConfig,
    /// Custom matching rules configuration
    pub rules: MatchingRulesPathConfig,
    /// Ecosystem-specific rules configuration
    pub ecosystem_rules: EcosystemRulesConfig,
    /// TUI-specific configuration
    pub tui: TuiConfig,
    /// Enrichment configuration (OSV, etc.)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichment: Option<EnrichmentConfig>,
}

impl AppConfig {
    /// Create a new `AppConfig` with default values.
    #[must_use]
    pub fn new() -> Self {
        Self::default()
    }

    /// Create an `AppConfig` builder.
    pub fn builder() -> AppConfigBuilder {
        AppConfigBuilder::default()
    }
}

// ============================================================================
// Builder for AppConfig
// ============================================================================

/// Builder for constructing `AppConfig` with fluent API.
#[derive(Debug, Default)]
#[must_use]
pub struct AppConfigBuilder {
    config: AppConfig,
}

impl AppConfigBuilder {
    /// Set the fuzzy matching preset.
    pub fn fuzzy_preset(mut self, preset: FuzzyPreset) -> Self {
        self.config.matching.fuzzy_preset = preset;
        self
    }

    /// Set the matching threshold.
    pub const fn matching_threshold(mut self, threshold: f64) -> Self {
        self.config.matching.threshold = Some(threshold);
        self
    }

    /// Set the output format.
    pub const fn output_format(mut self, format: ReportFormat) -> Self {
        self.config.output.format = format;
        self
    }

    /// Set the output file.
    pub fn output_file(mut self, file: Option<PathBuf>) -> Self {
        self.config.output.file = file;
        self
    }

    /// Disable colored output.
    pub const fn no_color(mut self, no_color: bool) -> Self {
        self.config.output.no_color = no_color;
        self
    }

    /// Include unchanged components.
    pub const fn include_unchanged(mut self, include: bool) -> Self {
        self.config.matching.include_unchanged = include;
        self
    }

    /// Enable fail-on-vulnerability mode.
    pub const fn fail_on_vuln(mut self, fail: bool) -> Self {
        self.config.behavior.fail_on_vuln = fail;
        self
    }

    /// Enable fail-on-change mode.
    pub const fn fail_on_change(mut self, fail: bool) -> Self {
        self.config.behavior.fail_on_change = fail;
        self
    }

    /// Enable quiet mode.
    pub const fn quiet(mut self, quiet: bool) -> Self {
        self.config.behavior.quiet = quiet;
        self
    }

    /// Enable graph-aware diffing.
    pub fn graph_diff(mut self, enabled: bool) -> Self {
        self.config.graph_diff = if enabled {
            GraphAwareDiffConfig::enabled()
        } else {
            GraphAwareDiffConfig::default()
        };
        self
    }

    /// Set matching rules file.
    pub fn matching_rules_file(mut self, file: Option<PathBuf>) -> Self {
        self.config.rules.rules_file = file;
        self
    }

    /// Set ecosystem rules file.
    pub fn ecosystem_rules_file(mut self, file: Option<PathBuf>) -> Self {
        self.config.ecosystem_rules.config_file = file;
        self
    }

    /// Enable enrichment.
    pub fn enrichment(mut self, config: EnrichmentConfig) -> Self {
        self.config.enrichment = Some(config);
        self
    }

    /// Build the `AppConfig`.
    #[must_use]
    pub fn build(self) -> AppConfig {
        self.config
    }
}

// ============================================================================
// Config Enums
// ============================================================================

/// TUI theme name
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
#[serde(rename_all = "kebab-case")]
pub enum ThemeName {
    /// Dark theme (default)
    #[default]
    Dark,
    /// Light theme
    Light,
    /// High-contrast theme
    HighContrast,
}

impl ThemeName {
    /// Get the string representation of the theme name.
    #[must_use]
    pub fn as_str(&self) -> &'static str {
        match self {
            Self::Dark => "dark",
            Self::Light => "light",
            Self::HighContrast => "high-contrast",
        }
    }
}

impl std::fmt::Display for ThemeName {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str(self.as_str())
    }
}

impl std::str::FromStr for ThemeName {
    type Err = String;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_lowercase().as_str() {
            "dark" => Ok(Self::Dark),
            "light" => Ok(Self::Light),
            "high-contrast" | "highcontrast" | "hc" => Ok(Self::HighContrast),
            _ => Err(format!("unknown theme: {s}")),
        }
    }
}

/// Fuzzy matching preset
#[derive(
    Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize, JsonSchema, clap::ValueEnum,
)]
#[serde(rename_all = "kebab-case")]
pub enum FuzzyPreset {
    /// Strict matching (fewer false positives)
    Strict,
    /// Balanced matching (default)
    #[default]
    Balanced,
    /// Permissive matching (fewer false negatives)
    Permissive,
    /// Strict matching optimized for multi-SBOM comparison
    #[value(alias = "strict_multi")]
    StrictMulti,
    /// Balanced matching optimized for multi-SBOM comparison
    #[value(alias = "balanced_multi")]
    BalancedMulti,
    /// Security-focused matching
    #[value(alias = "security_focused")]
    SecurityFocused,
}

impl FuzzyPreset {
    /// Get the string representation of the preset.
    #[must_use]
    pub fn as_str(&self) -> &'static str {
        match self {
            Self::Strict => "strict",
            Self::Balanced => "balanced",
            Self::Permissive => "permissive",
            Self::StrictMulti => "strict-multi",
            Self::BalancedMulti => "balanced-multi",
            Self::SecurityFocused => "security-focused",
        }
    }
}

impl std::str::FromStr for FuzzyPreset {
    type Err = String;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_lowercase().replace('_', "-").as_str() {
            "strict" => Ok(Self::Strict),
            "balanced" => Ok(Self::Balanced),
            "permissive" => Ok(Self::Permissive),
            "strict-multi" => Ok(Self::StrictMulti),
            "balanced-multi" => Ok(Self::BalancedMulti),
            "security-focused" => Ok(Self::SecurityFocused),
            _ => Err(format!("unknown fuzzy preset: {s}")),
        }
    }
}

impl std::fmt::Display for FuzzyPreset {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str(self.as_str())
    }
}

// ============================================================================
// TUI Preferences (persisted)
// ============================================================================

/// TUI preferences that persist across sessions.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct TuiPreferences {
    /// Theme name
    pub theme: ThemeName,
    /// Last active tab in diff mode (e.g., "summary", "components")
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub last_tab: Option<String>,
    /// Last active tab in view mode (e.g., "overview", "tree")
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub last_view_tab: Option<String>,
}

impl Default for TuiPreferences {
    fn default() -> Self {
        Self {
            theme: ThemeName::Dark,
            last_tab: None,
            last_view_tab: None,
        }
    }
}

impl TuiPreferences {
    /// Get the path to the preferences file.
    #[must_use]
    pub fn config_path() -> Option<PathBuf> {
        dirs::config_dir().map(|p| p.join("sbom-tools").join("preferences.json"))
    }

    /// Load preferences from disk, or return defaults if not found.
    #[must_use]
    pub fn load() -> Self {
        Self::config_path()
            .and_then(|p| std::fs::read_to_string(p).ok())
            .and_then(|s| serde_json::from_str(&s).ok())
            .unwrap_or_default()
    }

    /// Save preferences to disk.
    pub fn save(&self) -> std::io::Result<()> {
        if let Some(path) = Self::config_path() {
            if let Some(parent) = path.parent() {
                std::fs::create_dir_all(parent)?;
            }
            let json = serde_json::to_string_pretty(self)
                .map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidData, e))?;
            std::fs::write(path, json)?;
        }
        Ok(())
    }
}

// ============================================================================
// TUI Configuration
// ============================================================================

/// TUI-specific configuration.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct TuiConfig {
    /// Theme name
    pub theme: ThemeName,
    /// Show line numbers in code views
    pub show_line_numbers: bool,
    /// Enable mouse support
    pub mouse_enabled: bool,
    /// Initial matching threshold for TUI threshold tuning
    #[schemars(range(min = 0.0, max = 1.0))]
    pub initial_threshold: f64,
}

impl Default for TuiConfig {
    fn default() -> Self {
        Self {
            theme: ThemeName::Dark,
            show_line_numbers: true,
            mouse_enabled: true,
            initial_threshold: 0.8,
        }
    }
}

// ============================================================================
// Command-specific Configuration Types
// ============================================================================

/// Configuration for diff operations
#[derive(Debug, Clone)]
pub struct DiffConfig {
    /// Paths to compare
    pub paths: DiffPaths,
    /// Output configuration
    pub output: OutputConfig,
    /// Matching configuration
    pub matching: MatchingConfig,
    /// Filtering options
    pub filtering: FilterConfig,
    /// Behavior flags
    pub behavior: BehaviorConfig,
    /// Graph-aware diffing configuration
    pub graph_diff: GraphAwareDiffConfig,
    /// Custom matching rules configuration
    pub rules: MatchingRulesPathConfig,
    /// Ecosystem-specific rules configuration
    pub ecosystem_rules: EcosystemRulesConfig,
    /// Enrichment configuration (always defined, runtime feature check)
    pub enrichment: EnrichmentConfig,
}

/// Paths for diff operation
#[derive(Debug, Clone)]
pub struct DiffPaths {
    /// Path to old/baseline SBOM
    pub old: PathBuf,
    /// Path to new SBOM
    pub new: PathBuf,
}

/// Configuration for view operations
#[derive(Debug, Clone)]
pub struct ViewConfig {
    /// Path to SBOM file
    pub sbom_path: PathBuf,
    /// Output configuration
    pub output: OutputConfig,
    /// Whether to validate against NTIA
    pub validate_ntia: bool,
    /// Filter by minimum vulnerability severity (critical, high, medium, low)
    pub min_severity: Option<String>,
    /// Only show components with vulnerabilities
    pub vulnerable_only: bool,
    /// Filter by ecosystem
    pub ecosystem_filter: Option<String>,
    /// Exit with code 2 if vulnerabilities are present
    pub fail_on_vuln: bool,
    /// BOM profile override (auto-detected if None)
    pub bom_profile: Option<crate::model::BomProfile>,
    /// Enrichment configuration
    pub enrichment: EnrichmentConfig,
    /// Optional CRA sidecar metadata path (auto-discovered next to the SBOM
    /// when None). Supplements CRA compliance checks with manufacturer /
    /// disclosure / lifecycle fields the SBOM doesn't carry.
    pub cra_sidecar_path: Option<PathBuf>,
    /// CRA Annex III/IV product class as a CLI string (kebab-case).
    /// Sidecar `productClass` overrides this. Drives severity calibration
    /// for vendor-hash, EOL, cycles, DoC, EUCC, PSIRT, attestation checks.
    pub cra_product_class: Option<String>,
}

/// Configuration for multi-diff operations
#[derive(Debug, Clone)]
pub struct MultiDiffConfig {
    /// Path to baseline SBOM
    pub baseline: PathBuf,
    /// Paths to target SBOMs
    pub targets: Vec<PathBuf>,
    /// Output configuration
    pub output: OutputConfig,
    /// Matching configuration
    pub matching: MatchingConfig,
    /// Filtering options
    pub filtering: FilterConfig,
    /// Behavior flags
    pub behavior: BehaviorConfig,
    /// Graph-aware diffing configuration
    pub graph_diff: GraphAwareDiffConfig,
    /// Custom matching rules configuration
    pub rules: MatchingRulesPathConfig,
    /// Ecosystem-specific rules configuration
    pub ecosystem_rules: EcosystemRulesConfig,
    /// Enrichment configuration
    pub enrichment: EnrichmentConfig,
}

/// Configuration for timeline analysis
#[derive(Debug, Clone)]
pub struct TimelineConfig {
    /// Paths to SBOMs in chronological order
    pub sbom_paths: Vec<PathBuf>,
    /// Output configuration
    pub output: OutputConfig,
    /// Matching configuration
    pub matching: MatchingConfig,
    /// Filtering options
    pub filtering: FilterConfig,
    /// Behavior flags
    pub behavior: BehaviorConfig,
    /// Graph-aware diffing configuration
    pub graph_diff: GraphAwareDiffConfig,
    /// Custom matching rules configuration
    pub rules: MatchingRulesPathConfig,
    /// Ecosystem-specific rules configuration
    pub ecosystem_rules: EcosystemRulesConfig,
    /// Enrichment configuration
    pub enrichment: EnrichmentConfig,
}

/// Configuration for query operations (searching components across multiple SBOMs)
#[derive(Debug, Clone)]
pub struct QueryConfig {
    /// Paths to SBOM files to search
    pub sbom_paths: Vec<PathBuf>,
    /// Output configuration
    pub output: OutputConfig,
    /// Enrichment configuration
    pub enrichment: EnrichmentConfig,
    /// Maximum number of results to return
    pub limit: Option<usize>,
    /// Group results by SBOM source
    pub group_by_sbom: bool,
}

/// Configuration for matrix comparison
#[derive(Debug, Clone)]
pub struct MatrixConfig {
    /// Paths to SBOMs
    pub sbom_paths: Vec<PathBuf>,
    /// Output configuration
    pub output: OutputConfig,
    /// Matching configuration
    pub matching: MatchingConfig,
    /// Similarity threshold for clustering (0.0-1.0)
    pub cluster_threshold: f64,
    /// Filtering options
    pub filtering: FilterConfig,
    /// Behavior flags
    pub behavior: BehaviorConfig,
    /// Graph-aware diffing configuration
    pub graph_diff: GraphAwareDiffConfig,
    /// Custom matching rules configuration
    pub rules: MatchingRulesPathConfig,
    /// Ecosystem-specific rules configuration
    pub ecosystem_rules: EcosystemRulesConfig,
    /// Enrichment configuration
    pub enrichment: EnrichmentConfig,
}

/// Configuration for the `vex` subcommand.
#[derive(Debug, Clone)]
pub struct VexConfig {
    /// Path to SBOM file
    pub sbom_path: PathBuf,
    /// Paths to external VEX documents
    pub vex_paths: Vec<PathBuf>,
    /// Output format
    pub output_format: ReportFormat,
    /// Output file path (None for stdout)
    pub output_file: Option<PathBuf>,
    /// Suppress non-essential output
    pub quiet: bool,
    /// Only show actionable vulnerabilities (exclude NotAffected/Fixed)
    pub actionable_only: bool,
    /// Filter by VEX state
    pub filter_state: Option<String>,
    /// Enrichment configuration (for OSV/EOL before VEX overlay)
    pub enrichment: EnrichmentConfig,
}

// ============================================================================
// Sub-configuration Types
// ============================================================================

/// Output-related configuration
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct OutputConfig {
    /// Output format
    pub format: ReportFormat,
    /// Output file path (None for stdout)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<PathBuf>,
    /// Report types to include
    pub report_types: ReportType,
    /// Disable colored output
    pub no_color: bool,
    /// Streaming configuration for large SBOMs
    pub streaming: StreamingConfig,
    /// Optional export filename template for TUI exports.
    ///
    /// Placeholders: `{date}` (YYYY-MM-DD), `{time}` (HHMMSS),
    /// `{format}` (json/md/html), `{command}` (diff/view).
    #[serde(skip_serializing_if = "Option::is_none")]
    pub export_template: Option<String>,
}

impl Default for OutputConfig {
    fn default() -> Self {
        Self {
            format: ReportFormat::Auto,
            file: None,
            report_types: ReportType::All,
            no_color: false,
            streaming: StreamingConfig::default(),
            export_template: None,
        }
    }
}

/// Streaming configuration for memory-efficient processing of large SBOMs.
///
/// When streaming is enabled, the tool uses streaming parsers and reporters
/// to avoid loading entire SBOMs into memory. This is essential for SBOMs
/// with thousands of components.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct StreamingConfig {
    /// Enable streaming mode automatically for files larger than this threshold (in bytes).
    /// Default: 10 MB (`10_485_760` bytes)
    #[schemars(range(min = 0))]
    pub threshold_bytes: u64,
    /// Force streaming mode regardless of file size.
    /// Useful for testing or when processing stdin.
    pub force: bool,
    /// Disable streaming mode entirely (always load full SBOMs into memory).
    pub disabled: bool,
    /// Enable streaming for stdin input (since size is unknown).
    /// Default: true
    pub stream_stdin: bool,
}

impl Default for StreamingConfig {
    fn default() -> Self {
        Self {
            threshold_bytes: 10 * 1024 * 1024, // 10 MB
            force: false,
            disabled: false,
            stream_stdin: true,
        }
    }
}

impl StreamingConfig {
    /// Check if streaming should be used for a file of the given size.
    #[must_use]
    pub fn should_stream(&self, file_size: Option<u64>, is_stdin: bool) -> bool {
        if self.disabled {
            return false;
        }
        if self.force {
            return true;
        }
        if is_stdin && self.stream_stdin {
            return true;
        }
        file_size.map_or(self.stream_stdin, |size| size >= self.threshold_bytes)
    }

    /// Create a streaming config that always streams.
    #[must_use]
    pub fn always() -> Self {
        Self {
            force: true,
            ..Default::default()
        }
    }

    /// Create a streaming config that never streams.
    #[must_use]
    pub fn never() -> Self {
        Self {
            disabled: true,
            ..Default::default()
        }
    }

    /// Set the threshold in megabytes.
    #[must_use]
    pub const fn with_threshold_mb(mut self, mb: u64) -> Self {
        self.threshold_bytes = mb * 1024 * 1024;
        self
    }
}

/// Matching and comparison configuration
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct MatchingConfig {
    /// Fuzzy matching preset
    pub fuzzy_preset: FuzzyPreset,
    /// Custom matching threshold (overrides preset)
    #[serde(skip_serializing_if = "Option::is_none")]
    #[schemars(range(min = 0.0, max = 1.0))]
    pub threshold: Option<f64>,
    /// Include unchanged components in output
    pub include_unchanged: bool,
}

impl Default for MatchingConfig {
    fn default() -> Self {
        Self {
            fuzzy_preset: FuzzyPreset::Balanced,
            threshold: None,
            include_unchanged: false,
        }
    }
}

impl MatchingConfig {
    /// Convert preset name to `FuzzyMatchConfig`
    #[must_use]
    pub fn to_fuzzy_config(&self) -> FuzzyMatchConfig {
        let mut config =
            FuzzyMatchConfig::from_preset(self.fuzzy_preset.as_str()).unwrap_or_else(|| {
                // Enum guarantees valid preset, but from_preset may not know all variants
                FuzzyMatchConfig::balanced()
            });

        // Apply custom threshold if specified
        if let Some(threshold) = self.threshold {
            config = config.with_threshold(threshold);
        }

        config
    }
}

/// Filtering options for diff results
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct FilterConfig {
    /// Only show items with changes
    pub only_changes: bool,
    /// Minimum severity filter
    #[serde(skip_serializing_if = "Option::is_none")]
    pub min_severity: Option<String>,
    /// Exclude vulnerabilities with VEX status `not_affected` or fixed
    #[serde(alias = "exclude_vex_not_affected")]
    pub exclude_vex_resolved: bool,
    /// Exit with error if introduced vulnerabilities lack VEX statements
    pub fail_on_vex_gap: bool,
}

/// Behavior flags for diff operations
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct BehaviorConfig {
    /// Exit with code 2 if new vulnerabilities are introduced
    pub fail_on_vuln: bool,
    /// Exit with code 6 if any introduced vulnerability is in CISA's KEV catalog
    #[serde(default)]
    pub fail_on_kev: bool,
    /// Exit with code 1 if any changes detected
    pub fail_on_change: bool,
    /// Suppress non-essential output
    pub quiet: bool,
    /// Show detailed match explanations for each matched component
    pub explain_matches: bool,
    /// Recommend optimal matching threshold based on the SBOMs
    pub recommend_threshold: bool,
}

/// Graph-aware diffing configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct GraphAwareDiffConfig {
    /// Enable graph-aware diffing
    pub enabled: bool,
    /// Detect component reparenting
    pub detect_reparenting: bool,
    /// Detect depth changes
    pub detect_depth_changes: bool,
    /// Maximum depth to analyze (0 = unlimited)
    pub max_depth: u32,
    /// Minimum impact level to include in output ("low", "medium", "high", "critical")
    pub impact_threshold: Option<String>,
    /// Relationship type filter — only include edges matching these types (empty = all)
    pub relation_filter: Vec<String>,
}

impl GraphAwareDiffConfig {
    /// Create enabled graph diff options with defaults
    #[must_use]
    pub const fn enabled() -> Self {
        Self {
            enabled: true,
            detect_reparenting: true,
            detect_depth_changes: true,
            max_depth: 0,
            impact_threshold: None,
            relation_filter: Vec::new(),
        }
    }
}

/// Custom matching rules configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct MatchingRulesPathConfig {
    /// Path to matching rules YAML file
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rules_file: Option<PathBuf>,
    /// Dry-run mode (show what would match without applying)
    pub dry_run: bool,
}

/// Ecosystem-specific rules configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct EcosystemRulesConfig {
    /// Path to ecosystem rules configuration file
    #[serde(skip_serializing_if = "Option::is_none")]
    pub config_file: Option<PathBuf>,
    /// Disable ecosystem-specific normalization
    pub disabled: bool,
    /// Enable typosquat detection warnings
    pub detect_typosquats: bool,
}

/// Enrichment configuration for vulnerability data sources.
///
/// This configuration is always defined regardless of the `enrichment` feature flag.
/// When the feature is disabled, the configuration is silently ignored at runtime.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(default)]
pub struct EnrichmentConfig {
    /// Enable enrichment (if false, no enrichment is performed)
    pub enabled: bool,
    /// Enrichment provider ("osv", "nvd", etc.)
    pub provider: String,
    /// Cache time-to-live in hours
    #[schemars(range(min = 1))]
    pub cache_ttl_hours: u64,
    /// Maximum concurrent requests
    #[schemars(range(min = 1))]
    pub max_concurrent: usize,
    /// Cache directory for vulnerability data
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cache_dir: Option<std::path::PathBuf>,
    /// Bypass cache and fetch fresh vulnerability data
    pub bypass_cache: bool,
    /// API timeout in seconds
    #[schemars(range(min = 1))]
    pub timeout_secs: u64,
    /// Enable end-of-life detection via endoflife.date API
    pub enable_eol: bool,
    /// Enable CISA KEV (Known Exploited Vulnerabilities) enrichment
    #[serde(default)]
    pub enable_kev: bool,
    /// Enable FIRST EPSS (Exploit Prediction Scoring System) enrichment
    #[serde(default)]
    pub enable_epss: bool,
    /// Enable dependency staleness enrichment via package registries
    #[serde(default)]
    pub enable_staleness: bool,
    /// Enable HuggingFace Hub enrichment for ML-model components (injects
    /// weight hashes, task from `pipeline_tag`, license, and a staleness signal)
    #[serde(default)]
    pub enable_huggingface: bool,
    /// Paths to external VEX documents (OpenVEX format)
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub vex_paths: Vec<std::path::PathBuf>,
    /// OSV API base URL override (defaults to the public OSV API)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api_base: Option<String>,
    /// CISA KEV catalog URL override (defaults to the public CISA feed).
    /// Primarily a test seam for pointing the KEV enricher at a mock server.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kev_url: Option<String>,
    /// FIRST EPSS scores URL override (defaults to the public FIRST feed).
    /// Primarily a test seam for pointing the EPSS enricher at a mock server.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub epss_url: Option<String>,
    /// HuggingFace Hub API base URL override (defaults to the public Hub).
    /// Primarily a test seam for pointing the HF enricher at a mock server.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub huggingface_url: Option<String>,
    /// Offline mode: never make network calls. Enrichment is served purely
    /// from cache (including TTL-expired entries, with a staleness warning).
    #[serde(default)]
    pub offline: bool,
}

impl Default for EnrichmentConfig {
    fn default() -> Self {
        Self {
            enabled: false,
            provider: "osv".to_string(),
            cache_ttl_hours: 24,
            max_concurrent: 10,
            cache_dir: None,
            bypass_cache: false,
            timeout_secs: 30,
            enable_eol: false,
            enable_kev: false,
            enable_epss: false,
            enable_staleness: false,
            enable_huggingface: false,
            vex_paths: Vec::new(),
            api_base: None,
            kev_url: None,
            epss_url: None,
            huggingface_url: None,
            offline: false,
        }
    }
}

impl EnrichmentConfig {
    /// Create an enabled enrichment config with OSV provider.
    #[must_use]
    pub fn osv() -> Self {
        Self {
            enabled: true,
            provider: "osv".to_string(),
            ..Default::default()
        }
    }

    /// Create an enabled enrichment config with custom settings.
    #[must_use]
    pub fn with_cache_dir(mut self, dir: std::path::PathBuf) -> Self {
        self.cache_dir = Some(dir);
        self
    }

    /// Set the cache TTL in hours.
    #[must_use]
    pub const fn with_cache_ttl_hours(mut self, hours: u64) -> Self {
        self.cache_ttl_hours = hours;
        self
    }

    /// Enable cache bypass (refresh).
    #[must_use]
    pub const fn with_bypass_cache(mut self) -> Self {
        self.bypass_cache = true;
        self
    }

    /// Set the API timeout in seconds.
    #[must_use]
    pub const fn with_timeout_secs(mut self, secs: u64) -> Self {
        self.timeout_secs = secs;
        self
    }

    /// Set VEX document paths.
    #[must_use]
    pub fn with_vex_paths(mut self, paths: Vec<std::path::PathBuf>) -> Self {
        self.vex_paths = paths;
        self
    }

    /// Override the OSV API base URL.
    #[must_use]
    pub fn with_api_base(mut self, api_base: impl Into<String>) -> Self {
        self.api_base = Some(api_base.into());
        self
    }

    /// Enable CISA KEV enrichment.
    #[must_use]
    pub const fn with_kev(mut self) -> Self {
        self.enable_kev = true;
        self
    }

    /// Override the CISA KEV catalog URL (test seam).
    #[must_use]
    pub fn with_kev_url(mut self, kev_url: impl Into<String>) -> Self {
        self.kev_url = Some(kev_url.into());
        self
    }

    /// Enable FIRST EPSS enrichment.
    #[must_use]
    pub const fn with_epss(mut self) -> Self {
        self.enable_epss = true;
        self
    }

    /// Override the FIRST EPSS scores URL (test seam).
    #[must_use]
    pub fn with_epss_url(mut self, epss_url: impl Into<String>) -> Self {
        self.epss_url = Some(epss_url.into());
        self
    }

    /// Enable dependency staleness enrichment.
    #[must_use]
    pub const fn with_staleness(mut self) -> Self {
        self.enable_staleness = true;
        self
    }

    /// Enable HuggingFace Hub enrichment for ML-model components.
    #[must_use]
    pub const fn with_huggingface(mut self) -> Self {
        self.enable_huggingface = true;
        self
    }

    /// Override the HuggingFace Hub API base URL (test seam).
    #[must_use]
    pub fn with_huggingface_url(mut self, url: impl Into<String>) -> Self {
        self.huggingface_url = Some(url.into());
        self
    }

    /// Enable offline mode (serve enrichment purely from cache).
    #[must_use]
    pub const fn with_offline(mut self) -> Self {
        self.offline = true;
        self
    }
}

// ============================================================================
// Builder for DiffConfig
// ============================================================================

/// Builder for `DiffConfig`
#[derive(Debug, Default)]
pub struct DiffConfigBuilder {
    old: Option<PathBuf>,
    new: Option<PathBuf>,
    output: OutputConfig,
    matching: MatchingConfig,
    filtering: FilterConfig,
    behavior: BehaviorConfig,
    graph_diff: GraphAwareDiffConfig,
    rules: MatchingRulesPathConfig,
    ecosystem_rules: EcosystemRulesConfig,
    enrichment: EnrichmentConfig,
}

impl DiffConfigBuilder {
    #[must_use]
    pub fn new() -> Self {
        Self::default()
    }

    #[must_use]
    pub fn old_path(mut self, path: PathBuf) -> Self {
        self.old = Some(path);
        self
    }

    #[must_use]
    pub fn new_path(mut self, path: PathBuf) -> Self {
        self.new = Some(path);
        self
    }

    #[must_use]
    pub const fn output_format(mut self, format: ReportFormat) -> Self {
        self.output.format = format;
        self
    }

    #[must_use]
    pub fn output_file(mut self, file: Option<PathBuf>) -> Self {
        self.output.file = file;
        self
    }

    #[must_use]
    pub const fn report_types(mut self, types: ReportType) -> Self {
        self.output.report_types = types;
        self
    }

    #[must_use]
    pub const fn no_color(mut self, no_color: bool) -> Self {
        self.output.no_color = no_color;
        self
    }

    #[must_use]
    pub fn fuzzy_preset(mut self, preset: FuzzyPreset) -> Self {
        self.matching.fuzzy_preset = preset;
        self
    }

    #[must_use]
    pub const fn matching_threshold(mut self, threshold: Option<f64>) -> Self {
        self.matching.threshold = threshold;
        self
    }

    #[must_use]
    pub const fn include_unchanged(mut self, include: bool) -> Self {
        self.matching.include_unchanged = include;
        self
    }

    #[must_use]
    pub const fn only_changes(mut self, only: bool) -> Self {
        self.filtering.only_changes = only;
        self
    }

    #[must_use]
    pub fn min_severity(mut self, severity: Option<String>) -> Self {
        self.filtering.min_severity = severity;
        self
    }

    #[must_use]
    pub const fn fail_on_vuln(mut self, fail: bool) -> Self {
        self.behavior.fail_on_vuln = fail;
        self
    }

    #[must_use]
    pub const fn fail_on_kev(mut self, fail: bool) -> Self {
        self.behavior.fail_on_kev = fail;
        self
    }

    #[must_use]
    pub const fn fail_on_change(mut self, fail: bool) -> Self {
        self.behavior.fail_on_change = fail;
        self
    }

    #[must_use]
    pub const fn quiet(mut self, quiet: bool) -> Self {
        self.behavior.quiet = quiet;
        self
    }

    #[must_use]
    pub const fn explain_matches(mut self, explain: bool) -> Self {
        self.behavior.explain_matches = explain;
        self
    }

    #[must_use]
    pub const fn recommend_threshold(mut self, recommend: bool) -> Self {
        self.behavior.recommend_threshold = recommend;
        self
    }

    #[must_use]
    pub fn graph_diff(mut self, enabled: bool) -> Self {
        self.graph_diff = if enabled {
            GraphAwareDiffConfig::enabled()
        } else {
            GraphAwareDiffConfig::default()
        };
        self
    }

    #[must_use]
    pub fn matching_rules_file(mut self, file: Option<PathBuf>) -> Self {
        self.rules.rules_file = file;
        self
    }

    #[must_use]
    pub const fn dry_run_rules(mut self, dry_run: bool) -> Self {
        self.rules.dry_run = dry_run;
        self
    }

    #[must_use]
    pub fn ecosystem_rules_file(mut self, file: Option<PathBuf>) -> Self {
        self.ecosystem_rules.config_file = file;
        self
    }

    #[must_use]
    pub const fn disable_ecosystem_rules(mut self, disabled: bool) -> Self {
        self.ecosystem_rules.disabled = disabled;
        self
    }

    #[must_use]
    pub const fn detect_typosquats(mut self, detect: bool) -> Self {
        self.ecosystem_rules.detect_typosquats = detect;
        self
    }

    #[must_use]
    pub fn enrichment(mut self, config: EnrichmentConfig) -> Self {
        self.enrichment = config;
        self
    }

    #[must_use]
    pub const fn enable_enrichment(mut self, enabled: bool) -> Self {
        self.enrichment.enabled = enabled;
        self
    }

    pub fn build(self) -> anyhow::Result<DiffConfig> {
        let old = self
            .old
            .ok_or_else(|| anyhow::anyhow!("old path is required"))?;
        let new = self
            .new
            .ok_or_else(|| anyhow::anyhow!("new path is required"))?;

        Ok(DiffConfig {
            paths: DiffPaths { old, new },
            output: self.output,
            matching: self.matching,
            filtering: self.filtering,
            behavior: self.behavior,
            graph_diff: self.graph_diff,
            rules: self.rules,
            ecosystem_rules: self.ecosystem_rules,
            enrichment: self.enrichment,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn theme_name_serde_roundtrip() {
        // JSON deserialization (preferences.json format)
        let dark: ThemeName = serde_json::from_str(r#""dark""#).unwrap();
        assert_eq!(dark, ThemeName::Dark);

        let light: ThemeName = serde_json::from_str(r#""light""#).unwrap();
        assert_eq!(light, ThemeName::Light);

        let hc: ThemeName = serde_json::from_str(r#""high-contrast""#).unwrap();
        assert_eq!(hc, ThemeName::HighContrast);

        // Roundtrip
        let serialized = serde_json::to_string(&ThemeName::HighContrast).unwrap();
        assert_eq!(serialized, r#""high-contrast""#);
    }

    #[test]
    fn theme_name_from_str() {
        assert_eq!("dark".parse::<ThemeName>().unwrap(), ThemeName::Dark);
        assert_eq!("light".parse::<ThemeName>().unwrap(), ThemeName::Light);
        assert_eq!(
            "high-contrast".parse::<ThemeName>().unwrap(),
            ThemeName::HighContrast
        );
        assert_eq!("hc".parse::<ThemeName>().unwrap(), ThemeName::HighContrast);
        assert!("neon".parse::<ThemeName>().is_err());
    }

    #[test]
    fn fuzzy_preset_serde_roundtrip() {
        let presets = [
            ("strict", FuzzyPreset::Strict),
            ("balanced", FuzzyPreset::Balanced),
            ("permissive", FuzzyPreset::Permissive),
            ("strict-multi", FuzzyPreset::StrictMulti),
            ("balanced-multi", FuzzyPreset::BalancedMulti),
            ("security-focused", FuzzyPreset::SecurityFocused),
        ];

        for (json_str, expected) in presets {
            let json = format!(r#""{json_str}""#);
            let parsed: FuzzyPreset = serde_json::from_str(&json).unwrap();
            assert_eq!(parsed, expected, "failed to deserialize {json_str}");

            let serialized = serde_json::to_string(&expected).unwrap();
            assert_eq!(serialized, json, "failed to serialize {expected:?}");
        }
    }

    #[test]
    fn fuzzy_preset_from_str() {
        assert_eq!(
            "strict".parse::<FuzzyPreset>().unwrap(),
            FuzzyPreset::Strict
        );
        assert_eq!(
            "security-focused".parse::<FuzzyPreset>().unwrap(),
            FuzzyPreset::SecurityFocused
        );
        // Underscore variant accepted
        assert_eq!(
            "strict_multi".parse::<FuzzyPreset>().unwrap(),
            FuzzyPreset::StrictMulti
        );
        assert!("invalid".parse::<FuzzyPreset>().is_err());
    }

    #[test]
    fn tui_preferences_json_backward_compat() {
        // Simulates loading a preferences.json written by older version
        let old_json = r#"{"theme":"high-contrast","last_tab":"components"}"#;
        let prefs: TuiPreferences = serde_json::from_str(old_json).unwrap();
        assert_eq!(prefs.theme, ThemeName::HighContrast);
        assert_eq!(prefs.last_tab.as_deref(), Some("components"));
    }
}