feat: add vdb exploits/fixes/versions/gcve subcommands, rename cve→vuln, extend product to 3-arg form

- Rename `vdb cve` → `vdb vuln` (aligns with /vuln/{id} endpoint)
- Add `vdb exploits <CVE-ID>` — GET /exploits/{id}
- Add `vdb fixes <CVE-ID>` — GET /vuln/{id}/fixes
- Add `vdb versions <package>` — GET /{pkg}/versions
- Add `vdb gcve --start --end` — GET /gcve?start=...&end=...
- Extend `vdb product` to accept optional ecosystem 3rd arg (GET /product/{name}/{ver}/{eco})
- Add corresponding API methods to internal/vdb/api.go
- Update all docs: vdb.md, vdb-quickstart.md, _index.md

Author: chrisdlangton

.claude/settings.local.json

@@ -1,28 +1,178 @@
 {
   "permissions": {
     "allow": [
-      "Bash(go test:*)",
+      "Bash(grep:*)",
+      "Bash(rg:*)",
+      "Bash(npx tsc:*)",
+      "Bash(mv:*)",
       "Bash(find:*)",
-      "mcp__claude_ai_Cloudflare_Developer_Platform__accounts_list",
+      "Bash(ls:*)",
+      "Bash(mkdir:*)",
+      "Bash(cp:*)",
+      "Bash(npm:*)",
+      "WebFetch(domain:docs.github.com)",
+      "WebFetch(domain:www.anthropic.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:cloud.google.com)",
+      "WebFetch(domain:opencode.ai)",
+      "Bash(yarn:*)",
+      "Bash(cat:*)",
+      "Bash(git status:*)",
+      "Bash(git commit:*)",
+      "Bash(git cherry-pick:*)",
+      "Bash(git log:*)",
+      "Bash(git diff:*)",
+      "Bash(git fetch:*)",
+      "Bash(git clone:*)",
+      "Bash(npx vue-tsc:*)",
+      "Bash(npx prisma:*)",
+      "WebFetch(domain:chromium.googlesource.com)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:vulnetix.com)",
+      "WebFetch(domain:arxiv.org)",
+      "WebFetch(domain:advisories.ecosyste.ms)",
+      "Bash(npx wrangler d1 info:*)",
+      "mcp__ide__getDiagnostics",
+      "WebFetch(domain:docs.oasis-open.org)",
+      "WebSearch",
+      "Bash(node:*)",
+      "Bash(npx tsx:*)",
+      "WebFetch(domain:www.vulnetix.com)",
+      "Bash(just:*)",
+      "Bash(curl:*)",
+      "WebFetch(domain:google.github.io)",
+      "WebFetch(domain:ossf.github.io)",
+      "Bash(magick:*)",
+      "WebFetch(domain:developers.cloudflare.com)",
+      "WebFetch(domain:gist.github.com)",
+      "WebFetch(domain:ess-api.coalitioninc.com)",
+      "WebFetch(domain:euvd.enisa.europa.eu)",
+      "WebFetch(domain:www.cisa.gov)",
+      "WebFetch(domain:nvd.nist.gov)",
+      "WebFetch(domain:csrc.nist.gov)",
+      "WebFetch(domain:services.nvd.nist.gov)",
+      "WebFetch(domain:docs.deps.dev)",
+      "Bash(npx esbuild:*)",
+      "Bash(npx wrangler r2 object list:*)",
+      "Bash(awk:*)",
+      "Bash(sed:*)",
+      "WebFetch(domain:www.first.org)",
+      "WebFetch(domain:gcve.eu)",
+      "Bash(npx wrangler d1 migrations list:*)",
+      "Bash(npx wrangler r2 bucket list:*)",
+      "WebFetch(domain:docs.astral.sh)",
+      "WebFetch(domain:cveawg.mitre.org)",
+      "Bash(nslookup:*)",
+      "Bash(dig:*)",
+      "Bash(host:*)",
+      "Read(//tmp/**)",
+      "Bash(xmllint:*)",
+      "Bash(npx wrangler d1 export:*)",
+      "Bash(npx wrangler --version)",
+      "WebFetch(domain:www.prisma.io)",
+      "Bash(npx wrangler:*)",
+      "Bash(npx vite build:*)",
+      "WebFetch(domain:owasp.org)",
+      "Bash(uv run:*)",
+      "Bash(unzip:*)",
+      "Bash(perl -i -pe:*)",
+      "Bash(psql:*)",
+      "Bash(jq:*)",
+      "WebFetch(domain:www.opengrep.dev)",
+      "Bash(npx ajv-cli:*)",
+      "Bash(head:*)",
+      "Bash(wc:*)",
+      "WebFetch(domain:sass-lang.com)",
+      "Bash(file:*)",
+      "Bash(cut:*)",
+      "WebFetch(domain:qwenlm.github.io)",
+      "WebFetch(domain:openvex.dev)",
+      "WebFetch(domain:octodex.github.com)",
+      "WebFetch(domain:spdx.org)",
+      "Bash(ping:*)",
+      "WebFetch(domain:docs.snyk.io)",
+      "WebFetch(domain:www.synopsys.com)",
+      "WebFetch(domain:help.sonatype.com)",
+      "WebFetch(domain:fossa.com)",
+      "WebFetch(domain:www.blackduck.com)",
+      "Bash(xargs:*)",
+      "WebFetch(domain:www.npmjs.com)",
+      "WebFetch(domain:pypi.org)",
+      "WebFetch(domain:crates.io)",
+      "WebFetch(domain:rubygems.org)",
+      "WebFetch(domain:www.nuget.org)",
+      "WebFetch(domain:www.gnu.org)",
+      "WebFetch(domain:opensource.guide)",
+      "WebFetch(domain:opensource.org)",
+      "WebFetch(domain:choosealicense.com)",
+      "WebFetch(domain:rules.sonarsource.com)",
+      "WebFetch(domain:semgrep.dev)",
+      "Bash(podman ps:*)",
+      "Bash(gh pr:*)",
+      "Bash(git worktree:*)",
+      "Bash(podman-compose build:*)",
+      "Bash(podman-compose logs:*)",
+      "Bash(docker ps:*)",
+      "Bash(podman network:*)",
+      "Bash(docker network:*)",
+      "Bash(podman inspect:*)",
       "Bash(gh api:*)",
-      "mcp__claude_ai_Cloudflare_Developer_Platform__set_active_account",
-      "mcp__claude_ai_Cloudflare_Developer_Platform__search_cloudflare_documentation",
-      "Bash(hugo version:*)",
-      "Bash(hugo mod:*)",
-      "Bash(hugo:*)",
+      "Bash(# Check the specific tar versions installed find /home/chris/GitHub/Vulnetix/saas/node_modules -path \"\"*/tar/package.json\"\" -maxdepth 5)",
+      "Bash(# Check what version of hono is actually in node_modules for @prisma/dev find /home/chris/GitHub/Vulnetix/saas/node_modules -path \"\"*/@prisma/dev/package.json\"\" -maxdepth 5)",
+      "Bash(# Check if @prisma/studio-server has a newer version that uses a newer express npm view @prisma/studio-server versions --json)",
+      "Bash(# Check latest lodash-es version available npm view lodash-es versions --json)",
+      "Bash(# What about lodash? npm view lodash versions --json)",
+      "Bash(# Check if tst-reflect / tst-reflect-transformer are actually used in the codebase grep -r \"\"tst-reflect\"\" /home/chris/GitHub/Vulnetix/saas/src/ --include=\"\"*.ts\"\" --include=\"\"*.vue\"\" -l)",
+      "Bash(# Check vite config for tst-reflect-transformer usage grep -r \"\"tst-reflect\\\\|ttypescript\\\\|rttist\"\" /home/chris/GitHub/Vulnetix/saas/vite.config.* /home/chris/GitHub/Vulnetix/saas/tsconfig.*)",
+      "Bash(# Check if there are iconify bx/bxl/bxs sets used grep -r \"\"@iconify-json/bx\"\" /home/chris/GitHub/Vulnetix/saas/src/ --include=\"\"*.ts\"\" --include=\"\"*.vue\"\" -l)",
+      "Bash(# Check the actual boxicons usage pattern - is it direct CSS import or iconify? grep -r \"\"boxicons\"\" /home/chris/GitHub/Vulnetix/saas/src/ --include=\"\"*.ts\"\" --include=\"\"*.vue\"\" --include=\"\"*.scss\"\" --include=\"\"*.css\"\")",
+      "Bash(# Check what @parcel/watcher version is installed and who pulls it yarn why @parcel/watcher)",
+      "Bash(# Check the exact tar spec from @parcel/watcher''s node-gyp npm view @parcel/watcher@latest dependencies)",
+      "Bash(wrangler --version:*)",
       "WebFetch(domain:api.vdb.vulnetix.com)",
-      "Bash(go mod:*)",
-      "Bash(go build:*)",
-      "Bash(./bin/vulnetix version:*)",
-      "Bash(./bin/vulnetix auth:*)",
-      "Bash(./bin/vulnetix vdb:*)",
       "Bash(make dev:*)",
-      "Bash(./bin/vulnetix upload:*)",
-      "Bash(./bin/vulnetix gha:*)",
-      "Bash(gh run:*)",
-      "mcp__claude_ai_Cloudflare_Developer_Platform__kv_namespaces_list",
-      "Bash(make build:*)"
+      "Bash(make test:*)",
+      "Bash(./bin/vulnetix vdb:*)"
     ],
-    "deny": []
-  }
+    "deny": [
+      "Bash(dd:*)",
+      "Bash(chmod:*)",
+      "Bash(fsck:*)",
+      "Bash(python3:*)"
+    ],
+    "ask": [
+      "Bash(export:*)",
+      "Bash(env:*)",
+      "Bash(/bin:*)",
+      "Bash(npx wrangler d1 migrations apply:*)",
+      "Bash(git pull:*)",
+      "Bash(git push:*)",
+      "Bash(git commit:*)",
+      "Bash(git add:*)",
+      "Bash(source:*)",
+      "Bash(rm:*)",
+      "Bash(podman run:*)",
+      "Bash(podman exec:*)",
+      "Bash(git checkout:*)",
+      "Bash(git switch:*)",
+      "Bash(git rm:*)",
+      "Bash(git reset:*)",
+      "Bash(git add .)",
+      "Bash(git rebase:*)",
+      "Bash(git merge:*)",
+      "Bash(git revert:*)",
+      "Bash(git branch:*)",
+      "Bash(git remote:*)"
+    ]
+  },
+  "enableAllProjectMcpServers": true,
+  "enabledMcpjsonServers": [
+    "chrome-devtools"
+  ],
+  "statusLine": {
+    "type": "command",
+    "command": "/home/chris/GitHub/Vulnetix/cli/.claude/statusline-command.sh"
+  },
+  "outputStyle": "default",
+  "spinnerTipsEnabled": false
 }

README.md

@@ -92,14 +92,13 @@ Vulnetix supports multiple task types to cover different aspects of vulnerabilit
 | Task | Description | Use Case | Required Flags |
 |------|-------------|----------|----------------|
 | `release` | Release readiness assessment | Pre-release security validation | `--org-id`, `--production-branch`, `--release-branch` |
-| `sarif` | Upload and validate SARIF files | Integrate with external security tools | `--org-id`, `<sarif-file>` |
 
 ### Configuration Options
 
 | Flag | Description | Default | Example |
 |------|-------------|---------|---------|
 | `--org-id` | Organization ID (UUID) - **Required** | - | `123e4567-e89b-12d3-a456-426614174000` |
-| `--task` | Task to perform | - | `release` `sarif` |
+| `--task` | Task to perform | - | `release` |
 | `--project-name` | Project name for context | - | `my-web-app` |
 | `--team-name` | Team responsible for the project | - | `security-team` |
 | `--production-branch` | Production branch name | `main` | `main`, `master`, `production` |

USAGE.md

@@ -81,7 +81,7 @@ chmod +x vulnetix
 ./vulnetix --org-id "your-org-id-here" --task release --project-name "my-app"
 
 # Upload SARIF file
-./vulnetix sarif --org-id "your-org-id-here" my-scan-results.sarif
+vulnetix upload --file my-scan-results.sarif --org-id "your-org-id-here"
 ```
 
 ## Installation
@@ -372,11 +372,7 @@ echo "📤 Uploading SARIF results to Vulnetix..."
 for sarif_file in "${SCAN_RESULTS_DIR}"/*.sarif; do
   if [ -f "$sarif_file" ]; then
     echo "Uploading: $sarif_file"
-    vulnetix sarif \
-      --org-id "${ORG_ID}" \
-      --project-name "${PROJECT_NAME}" \
-      --team-name "${TEAM_NAME}" \
-      "$sarif_file"
+    vulnetix upload --file "$sarif_file" --org-id "${ORG_ID}"
   fi
 done