feat(pq): dependency-level PQ scanning (closes #221) (#260)

* feat(pq): dependency-level PQ scanning for Cargo.lock and requirements.txt (closes #221)

Scan manifest/lock files against curated crypto package databases to
surface PQ-vulnerable dependencies that source-level rules can't see.

- CargoLockPqCrypto: BFS transitive graph traversal with 6 tier-1 seeds
  (RSA, ECDSA, Ed25519, X25519 at 0.9 confidence) and 3 tier-2 seeds
  (ring, openssl-sys, aws-lc-rs at 0.6)
- RequirementsTxtPqCrypto: direct lookup against 11 curated packages
  with per-package confidence (0.5-0.95), PEP 503 normalization
- New dep_name field on Finding for manifest-level attribution
- Replace is_pq_rule_id substring hack with explicit whitelist
- Language::Manifest via bash-dummy tree-sitter pattern

* fix(pq): address CI and review feedback for manifest scanning

- Fix clippy collapsible_str_replace: use replace(['_', '.'], "-")
- Fix rustfmt formatting for struct initializer arrays
- Fix source.find() returning first occurrence for duplicate crate
  names by searching for unique name+version pair
- Fix CRLF line ending drift in requirements.txt byte offset tracking
- Normalize pip_map keys so future entries with mixed case won't break

* fix(pq): prevent is_pq_rule_id false positive on go/insecure-tls-skip-verify

id.contains("insecure-tls") matches non-PQ rules like
go/insecure-tls-skip-verify. Use exact match for the one
Dockerfile rule that belongs in the PQ set.

* fix(pq): address manifest scanning correctness issues

- Remove find_name_version_offset fallback that silently picked wrong
  package entry when name+version pair wasn't adjacent
- Stop BFS at seed crates instead of traversing through their deps
- Handle bare CR line endings in requirements.txt offset tracking
- Use .first().unwrap() over index [0] for reached_seeds
- Unify CrateEntry/PipEntry into SeedEntry, extract shared constants

* test(pq): add unit tests for manifest scanning rules

Cover CargoLockPqCrypto (BFS graph walk, seed detection, transitive
deps, version-qualified strings, confidence tiebreaking, BFS stopping
at seeds), RequirementsTxtPqCrypto (PEP 503 normalization, CRLF
offsets, comments/options skipping, environment markers, extras),
and find_name_version_offset (disambiguation, CRLF, missing entries).

* test(pq): strengthen manifest test assertions

- Redesign BFS-stops-at-seed test: use ring (0.6) → rsa (0.9) chain
  so confidence value distinguishes correct vs incorrect traversal
- Assert column and end_column in CRLF offset test, not just line
- Add test for name-exists-but-version-mismatches → returns None
- Add multi-version diamond test (syn 1.x vs 2.x with version-
  qualified dep strings)

* fix(pq): resolve version-qualified dep strings to exact package

Version-qualified dep strings like "syn 2.0.0" were split on space
but the version was discarded — edges fanned out to all indices with
that crate name regardless of version. Add name_ver_to_index lookup
so version-qualified strings resolve to exactly one package.

Strengthen multi-version diamond test: syn 1.0 now depends on ring
(0.6) while syn 2.0 depends on rsa (0.9), so incorrect edge
resolution would produce a different confidence value.

* test(pq): fix tautological multi-version diamond assertion

Swap seeds: syn 1.0 → rsa (0.9), syn 2.0 → ring (0.6). Old buggy
code (fan-out to both versions) would reach rsa and report 0.9.
Correct code resolves to syn 2.0 only → ring → 0.6. The assertion
now actually discriminates the bug from the fix.

* fix(pq): use max_by instead of sort_by for highest-confidence seed

Avoids mutating the vec just to pick one element.

Author: Darkroom4364

Cargo.lock

@@ -37,6 +37,7 @@ globset = "0.4"
 tempfile = "3"
 ratatui = "0.30"
 crossterm = "0.28"
+toml = "0.8"
 
 [[bin]]
 name = "foxguard-mcp"

Cargo.toml

@@ -495,7 +495,7 @@ fn validate_rules_path(rules: Option<&str>) -> Result<(), String> {
 fn is_pq_rule_id(id: &str) -> bool {
     id.contains("pq-vulnerable")
         || id.contains("hardcoded-crypto-algorithm")
-        || (id.starts_with("config/") && id.contains("tls"))
+        || id == "config/dockerfile-insecure-tls-env"
 }
 
 fn collect_changed_targets(path: &str, changed: bool) -> Result<Option<Vec<PathBuf>>, String> {

src/app.rs

@@ -176,6 +176,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/baseline.rs

@@ -29,6 +29,7 @@ const LANGUAGE_ORDER: &[Language] = &[
     Language::ApacheConf,
     Language::HAProxyConf,
     Language::Dockerfile,
+    Language::Manifest,
 ];
 
 fn language_slug(language: Language) -> &'static str {
@@ -47,6 +48,7 @@ fn language_slug(language: Language) -> &'static str {
         Language::ApacheConf => "apacheconf",
         Language::HAProxyConf => "haproxyconf",
         Language::Dockerfile => "dockerfile",
+        Language::Manifest => "manifest",
     }
 }
 
@@ -66,6 +68,7 @@ fn language_display_name(language: Language) -> &'static str {
         Language::ApacheConf => "Apache",
         Language::HAProxyConf => "HAProxy",
         Language::Dockerfile => "Dockerfile",
+        Language::Manifest => "Manifest",
     }
 }
 
@@ -85,6 +88,7 @@ fn language_array_name(language: Language) -> &'static str {
         Language::ApacheConf => "apacheconfRules",
         Language::HAProxyConf => "haproxyconfRules",
         Language::Dockerfile => "dockerfileRules",
+        Language::Manifest => "manifestRules",
     }
 }
 

src/bin/gen_rules_ts.rs

@@ -262,6 +262,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: deadline.map(String::from),
+            dep_name: None,
         }
     }
 

src/compliance.rs

@@ -1238,6 +1238,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         };
 
         let (config_path, added) =
@@ -1303,6 +1304,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/config.rs

@@ -289,6 +289,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/diff.rs

@@ -18,7 +18,8 @@ pub fn parse_file(source: &str, language: Language) -> Option<tree_sitter::Tree>
         Language::NginxConf
         | Language::ApacheConf
         | Language::HAProxyConf
-        | Language::Dockerfile => tree_sitter_bash::LANGUAGE.into(),
+        | Language::Dockerfile
+        | Language::Manifest => tree_sitter_bash::LANGUAGE.into(),
     };
 
     parser.set_language(&ts_language).ok()?;

src/engine/parser.rs

@@ -116,6 +116,7 @@ fn detect_config_language(path: &Path) -> Option<Language> {
         "nginx.conf" => return Some(Language::NginxConf),
         "httpd.conf" | "apache2.conf" => return Some(Language::ApacheConf),
         "haproxy.cfg" => return Some(Language::HAProxyConf),
+        "Cargo.lock" | "requirements.txt" => return Some(Language::Manifest),
         _ => {}
     }
 
@@ -492,7 +493,8 @@ fn comment_markers(language: Language) -> &'static [&'static str] {
         Language::NginxConf
         | Language::ApacheConf
         | Language::HAProxyConf
-        | Language::Dockerfile => &["#"],
+        | Language::Dockerfile
+        | Language::Manifest => &["#"],
     }
 }