feat(website): redesign homepage, add version switcher, refresh docs

Redesign homepage with hero section, 3 feature pillars (VDB, Scan,
CI/CD), and Coming Soon enterprise broker banner. Add v1/v2 API
version switcher with localStorage persistence and content gating.
Create scan command reference page. Restructure VDB docs to canonical
nested command names and add V2-only commands. Apply Vulnetix brand
palette via CSS custom properties.

Author: chrisdlangton

website/assets/css/custom.css

@@ -10,36 +10,86 @@ layout: hextra-home
 
 <div class="hx-mt-6 hx-mb-6">
 {{< hextra/hero-headline >}}
-  Automated Vulnerability&nbsp;<br class="sm:hx-block hx-hidden" />Management CLI
+  Unified Vulnerability&nbsp;<br class="sm:hx-block hx-hidden" />Management CLI
 {{< /hextra/hero-headline >}}
 </div>
 
-<div class="hx-mb-12">
+<div class="hx-mb-8">
 {{< hextra/hero-subtitle >}}
-  Remediation over discovery. Collect, assess, triage, and remediate&nbsp;<br class="sm:hx-block hx-hidden" />vulnerabilities across your projects and CI/CD pipelines.
+  Remediation over discovery. Collect, assess, triage, and remediate&nbsp;<br class="sm:hx-block hx-hidden" />vulnerabilities from a single command-line tool.
 {{< /hextra/hero-subtitle >}}
 </div>
 
-<div class="hx-mb-6">
-{{< hextra/hero-button text="Get Started" link="docs/getting-started" >}}
-</div>
-
-<div class="hx-mt-6"></div>
-
-{{< hextra/feature-grid >}}
-  {{< hextra/feature-card
-    title="Multiple Installation Methods"
-    subtitle="Install via Go modules, direct binary download, or build from source."
-    style="background: radial-gradient(ellipse at 50% 80%,rgba(59,130,246,0.15),hsla(0,0%,100%,0));"
-  >}}
-  {{< hextra/feature-card
-    title="CI/CD Integrations"
-    subtitle="First-class support for GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps."
-    style="background: radial-gradient(ellipse at 50% 80%,rgba(142,53,234,0.15),hsla(0,0%,100%,0));"
-  >}}
-  {{< hextra/feature-card
-    title="Vulnerability Database"
-    subtitle="Query CVEs, package vulnerabilities, and ecosystems via the built-in VDB command."
-    style="background: radial-gradient(ellipse at 50% 80%,rgba(234,179,8,0.15),hsla(0,0%,100%,0));"
-  >}}
-{{< /hextra/feature-grid >}}
+<div class="vx-cta-row hx-mb-4">
+  <a href="docs/getting-started" class="vx-btn-primary">Get Started</a>
+  <a href="https://app.vulnetix.com/login" class="vx-btn-secondary" target="_blank" rel="noopener">Sign In</a>
+</div>
+<a href="https://www.vulnetix.com" class="vx-subtle-link" target="_blank" rel="noopener">Learn more at vulnetix.com &rarr;</a>
+
+<div class="hx-mt-16"></div>
+
+<div class="vx-feature-section vx-feature-vdb">
+
+## Vulnerability Intelligence
+
+Query vulnerabilities by any identifier format — CVE, GHSA, PYSEC, RUSTSEC, and 75+ more. Get exploit intelligence, fix data, scoring metrics, and full remediation plans from aggregated multi-source data.
+
+<ul>
+  <li>Multi-source aggregation</li>
+  <li>Exploit intelligence</li>
+  <li>Fix recommendations</li>
+  <li>Scoring metrics</li>
+  <li>Remediation plans</li>
+</ul>
+
+<a href="docs/cli-reference/vdb" class="vx-feature-link">VDB command reference &rarr;</a>
+
+</div>
+
+<div class="vx-feature-section vx-feature-scan">
+
+## Software Composition Analysis
+
+Auto-discover and scan manifest files and SBOMs for known vulnerabilities across supported ecosystems. Zero-config scanning with SPDX and CycloneDX support.
+
+<ul>
+  <li>Auto-discovery</li>
+  <li>SPDX & CycloneDX</li>
+  <li>Broad ecosystem coverage</li>
+  <li>Zero-config scanning</li>
+</ul>
+
+<a href="docs/cli-reference/scan" class="vx-feature-link">Scan command reference &rarr;</a>
+
+</div>
+
+<div class="vx-feature-section vx-feature-cicd">
+
+## CI/CD Pipeline Integration
+
+Native GitHub Actions support for automated vulnerability management. Upload SBOMs, SARIF, and VEX artifacts directly from your CI workflows. Also works with GitLab CI, Bitbucket Pipelines, and Azure DevOps.
+
+<ul>
+  <li>First-class GitHub Actions</li>
+  <li>Artifact auto-collection</li>
+  <li>GitLab CI</li>
+  <li>Bitbucket Pipelines</li>
+  <li>Azure DevOps</li>
+</ul>
+
+<a href="docs/ci-cd" class="vx-feature-link">CI/CD integration guide &rarr;</a>
+
+</div>
+
+<div class="vx-coming-soon">
+  <h3>Enterprise Broker <span class="vx-coming-soon-badge">Coming Soon</span></h3>
+  <p>Keep all Vulnetix operations within your private network. The on-prem broker enables Enterprise customers to run vulnerability scanning, VDB queries, and remediation workflows entirely behind the firewall.</p>
+  <a href="https://www.vulnetix.com" class="vx-contact-link" target="_blank" rel="noopener">Contact us &rarr;</a>
+</div>
+
+<div class="vx-footer-links">
+  <a href="https://github.com/Vulnetix/cli" target="_blank" rel="noopener">GitHub</a>
+  <a href="https://www.vulnetix.com" target="_blank" rel="noopener">Vulnetix Home</a>
+  <a href="https://app.vulnetix.com/login" target="_blank" rel="noopener">App Login</a>
+  <a href="https://redocly.github.io/redoc/?url=https://api.vdb.vulnetix.com/v1/spec" target="_blank" rel="noopener">API Docs</a>
+</div>

website/content/_index.md

@@ -22,6 +22,14 @@ The root command runs an authentication healthcheck.
 |------|-------------|
 | `info` (default) | Authentication healthcheck across all credential sources |
 
+**Global Flags:**
+
+| Flag | Type | Description |
+|------|------|-------------|
+| `--org-id` | string | Organization ID (UUID) |
+| `--api-key` | string | Direct API key (overrides VULNETIX_API_KEY) |
+| `--help` | - | Help for any command |
+
 ---
 
 ### vulnetix auth
@@ -175,6 +183,26 @@ vulnetix gha status --uuid <UUID>
 
 ---
 
+### vulnetix scan
+
+Auto-discover and scan manifest files and SBOMs for known vulnerabilities. See the full [Scan Command Reference](scan/) for details.
+
+```bash
+vulnetix scan [flags]
+vulnetix scan status <scan-id> [flags]
+```
+
+| Flag | Description |
+|------|-------------|
+| `--path` | Directory to scan (default: `.`) |
+| `--depth` | Max recursion depth (default: `3`) |
+| `--file` | Scan a single file (skip auto-discovery) |
+| `--exclude` | Exclude paths matching glob (repeatable) |
+| `--no-poll` | Print scan IDs without waiting for results |
+| `-o, --output` | Output format: `json`, `pretty` |
+
+---
+
 ### vulnetix vdb
 
 Interact with the Vulnetix Vulnerability Database (VDB) API. See the full [VDB Command Reference](vdb/) for all subcommands and detailed usage.
@@ -191,19 +219,40 @@ vulnetix vdb <subcommand> [flags]
 | `vulns <package>` | Get vulnerabilities for a package |
 | `spec` | Get the OpenAPI specification |
 | `exploits <vuln-id>` | Get exploit intelligence for a vulnerability |
+| `exploits search` | Search exploits across all vulnerabilities |
+| `exploits sources` | List exploit intelligence sources |
+| `exploits types` | List exploit type classifications |
 | `fixes <vuln-id>` | Get fix data for a vulnerability |
+| `fixes distributions` | List supported Linux distributions for fix advisories |
 | `versions <package>` | Get all versions of a package across ecosystems |
 | `gcve` | Get vulnerabilities by date range |
+| `gcve issuances` | List GCVE issuance identifiers by calendar month |
 | `purl <purl-string>` | Query VDB using a Package URL (PURL) |
-| `gcve-issuances` | List GCVE issuance identifiers by calendar month |
 | `ids <year> <month>` | List CVE identifiers published in a calendar month |
 | `search <prefix>` | Search CVE identifiers by prefix |
 | `sources` | List all vulnerability data sources |
-| `metric-types` | List all vulnerability metric/scoring types |
-| `exploit-sources` | List all exploit intelligence sources |
-| `exploit-types` | List exploit type classifications |
-| `fix-distributions` | List supported Linux distributions for fix advisories |
+| `metrics types` | List all vulnerability metric/scoring types |
 | `status` | Check API health and display CLI/auth metadata |
+| `packages search <query>` | Full-text search across packages |
+| `ecosystem package <eco> <pkg>` | Get package info within an ecosystem |
+| `ecosystem group <eco> <grp> <art>` | Get group/artifact info (Maven-style) |
+
+<div class="vdb-v2-only">
+
+**V2-only subcommands** (use `-V v2`):
+
+| Subcommand | Description |
+|------------|-------------|
+| `workarounds <vuln-id>` | Get workaround information |
+| `advisories <vuln-id>` | Get advisory data |
+| `cwe guidance <vuln-id>` | Get CWE-based guidance |
+| `kev <vuln-id>` | Get CISA KEV status |
+| `timeline <vuln-id>` | Get vulnerability timeline |
+| `affected <vuln-id>` | Get affected products/packages |
+| `scorecard <vuln-id>` | Get vulnerability scorecard |
+| `remediation plan <vuln-id>` | Get context-aware remediation plan |
+
+</div>
 
 ---
 
@@ -291,10 +340,11 @@ Credentials are stored as JSON in one of two locations:
 
 The CLI loads credentials in this order (first match wins):
 
-1. Environment variables: `VULNETIX_API_KEY` + `VULNETIX_ORG_ID` (Direct API Key)
-2. Environment variables: `VVD_ORG` + `VVD_SECRET` (SigV4)
-3. Project dotfile: `.vulnetix/credentials.json`
-4. Home directory: `~/.vulnetix/credentials.json`
+1. CLI flags: `--org-id` + `--api-key` or `--secret`
+2. Environment variables: `VULNETIX_API_KEY` + `VULNETIX_ORG_ID` (Direct API Key)
+3. Environment variables: `VVD_ORG` + `VVD_SECRET` (SigV4)
+4. Project dotfile: `.vulnetix/credentials.json`
+5. Home directory: `~/.vulnetix/credentials.json`
 
 ## Global Flags
 

website/content/docs/cli-reference/_index.md

@@ -0,0 +1,160 @@
+---
+title: "Scan Command Reference"
+weight: 4
+description: "Auto-discover manifest files and SBOMs, then scan for known vulnerabilities via the VDB API."
+---
+
+The `scan` command auto-discovers package manifest files and SBOM documents in a directory tree, then submits them to the Vulnetix VDB API for vulnerability analysis.
+
+> **Note:** The scan command always uses API v2 automatically.
+
+## Usage
+
+```bash
+vulnetix scan [flags]
+vulnetix scan status <scan-id> [flags]
+```
+
+## Flags
+
+| Flag | Type | Default | Description |
+|------|------|---------|-------------|
+| `--path` | string | `.` | Directory to scan |
+| `--depth` | int | `3` | Maximum recursion depth for file discovery |
+| `--file` | string | - | Scan a single file (skips auto-discovery) |
+| `--type` | string | auto | Override detected file type: `manifest`, `spdx`, `cyclonedx` |
+| `--manifest-type` | string | auto | Override manifest type (e.g. `package-lock.json`) |
+| `--ecosystem` | string | auto | Override ecosystem for manifest scan |
+| `--exclude` | stringArray | - | Exclude paths matching glob pattern (repeatable) |
+| `--no-poll` | bool | `false` | Print scan IDs without waiting for results |
+| `--poll-interval` | int | `5` | Polling interval in seconds |
+| `-o, --output` | string | `pretty` | Output format: `json`, `pretty` |
+
+## Scan Status
+
+Check the status of a previously submitted scan.
+
+```bash
+vulnetix scan status <scan-id> [flags]
+```
+
+| Flag | Type | Default | Description |
+|------|------|---------|-------------|
+| `--poll` | bool | `false` | Poll until scan completes |
+| `--poll-interval` | int | `5` | Polling interval in seconds |
+| `-o, --output` | string | `pretty` | Output format: `json`, `pretty` |
+
+## Supported Manifest Files
+
+The scanner recognizes these package manager manifest and lock files:
+
+| Filename | Ecosystem | Language | Lock file? |
+|----------|-----------|----------|------------|
+| `package-lock.json` | npm | JavaScript | Yes |
+| `package.json` | npm | JavaScript | No |
+| `yarn.lock` | npm | JavaScript | Yes |
+| `pnpm-lock.yaml` | npm | JavaScript | Yes |
+| `requirements.txt` | PyPI | Python | No |
+| `Pipfile.lock` | PyPI | Python | Yes |
+| `poetry.lock` | PyPI | Python | Yes |
+| `uv.lock` | PyPI | Python | Yes |
+| `go.sum` | Go | Go | Yes |
+| `go.mod` | Go | Go | No |
+| `Gemfile.lock` | RubyGems | Ruby | Yes |
+| `Cargo.lock` | Cargo | Rust | Yes |
+| `pom.xml` | Maven | Java | No |
+| `gradle.lockfile` | Maven | Java | Yes |
+| `composer.lock` | Composer | PHP | Yes |
+| `packages.lock.json` | NuGet | C# | Yes |
+| `Package.resolved` | Swift | Swift | Yes |
+| `pubspec.lock` | Pub | Dart | Yes |
+| `mix.lock` | Hex | Elixir | Yes |
+| `build.lock` | Maven | Scala | Yes |
+| `build.gradle.kts` | Maven | Kotlin | No |
+
+Not all manifest types are supported by the backend for vulnerability scanning yet. Currently supported for scanning:
+
+- `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
+- `requirements.txt`, `Pipfile.lock`
+- `go.sum`, `go.mod`
+- `Cargo.lock`
+- `Gemfile.lock`
+- `pom.xml`
+- `composer.lock`
+
+## Supported SBOM Formats
+
+The scanner detects and supports these SBOM document formats:
+
+| Format | Supported Versions |
+|--------|-------------------|
+| SPDX | 2.3 |
+| CycloneDX | 1.4, 1.5, 1.6 |
+
+SBOM detection is performed on `.json` files by checking for format-specific fields (`spdxVersion`/`SPDXID` for SPDX, `bomFormat`/`specVersion` for CycloneDX).
+
+## Auto-Discovery
+
+When run without `--file`, the scanner walks the directory tree starting from `--path` up to `--depth` levels deep. It automatically skips common non-project directories:
+
+- `node_modules`, `.git`, `.hg`
+- `__pycache__`, `.tox`, `.venv`
+- `vendor`, `.cargo`
+
+Use `--exclude` to skip additional paths by glob pattern.
+
+## Examples
+
+### Auto-discover and scan the current directory
+
+```bash
+vulnetix scan
+```
+
+### Scan a specific project directory
+
+```bash
+vulnetix scan --path /path/to/project --depth 5
+```
+
+### Scan a single manifest file
+
+```bash
+vulnetix scan --file package-lock.json
+```
+
+### Scan a CycloneDX SBOM
+
+```bash
+vulnetix scan --file sbom.cdx.json --type cyclonedx
+```
+
+### Exclude test fixtures and vendor directories
+
+```bash
+vulnetix scan --exclude "test/**" --exclude "vendor/**"
+```
+
+### Fire-and-forget mode (no polling)
+
+```bash
+vulnetix scan --no-poll
+# Returns scan IDs immediately — check later with:
+vulnetix scan status <scan-id> --poll
+```
+
+### JSON output for scripting
+
+```bash
+vulnetix scan --output json | jq '.results'
+```
+
+### Check scan status
+
+```bash
+# One-shot check
+vulnetix scan status abc123def
+
+# Poll until complete
+vulnetix scan status abc123def --poll --poll-interval 10
+```