docs: rewrite README around PQ crypto + CBOM + CNSA 2.0 (closes #247)

[peaktwilight]

Summary

Rewrites README for v0.8.0 per #247. Down from 305 → 183 lines. First screen covers all four personas (scan / pqc / cbom / tui) and leads with the CNSA 2.0 user problem instead of a generic "security scanner" pitch.

Honest-framing moves (from the pre-publication fact-check)

• CBOM framed correctly, not as "rare" — names IBM CBOMkit, sonar-cryptography, and cdxgen as existing OSS CBOM producers; foxguard's contribution is "scan and inventory are one artifact"
• CodeQL named explicitly in the hook paragraph (via advanced-security/cbom-action and experimental queries), so HN doesn't tear us down for pretending it doesn't exist
• Single narrow "first" claim with a "As far as we can tell" hedge — "first OSS source-code scanner that annotates each PQ finding with its CNSA 2.0 migration deadline"
• Both PQ parameter sets mentioned — ML-KEM-1024 / ML-DSA-87 for NSS workloads, ML-KEM-768 / ML-DSA-65 for commercial (matches the Remediation text recommends wrong PQC parameter sets for CNSA 2.0 users (ML-KEM-768 / ML-DSA-65 → should be ML-KEM-1024 / ML-DSA-87 for NSS) #253 audience split)
• Cloudflare stat refreshed to "over half" with the 2025 link
• Dropped "as fast as a linter" — that's Semgrep's 2023 tagline; replaced with "a security scanner you can run on every save"

Sections cut or condensed

• "Why foxguard" 4-bullet pitch → folded into hook paragraph
• Full per-language rule coverage table → linked to foxguard.dev/rules + docs/precision.md
• Long configuration exposition, enable/disable prose, suppression tutorial, pre-commit YAML, Claude Code JSON block, badge snippet → all one-liners or links
• "Why teams adopt it" → absorbed into the features table

Structure

1. Logo + badges + demo.gif + TUI screenshot
2. Hook: CNSA 2.0 problem → what foxguard does
3. Quick start — 4 persona one-liners + 7 common flags
4. What's in it — features table
5. Post-quantum crypto audit — dedicated section, sample output, CBOM notes, rule coverage
6. Install, CI integration (condensed), Benchmarks, Config (condensed), Contributing, License

Example-output accuracy

Initial agent draft had a synthetic example with go/pq-vulnerable-crypto-ecdh + CWE-1240. Grepping the rule definitions showed the real ID is go/pq-vulnerable-crypto and CWE is CWE-327. Migration-level string fixed to match the actual compliance.rs output ("at-risk" / "on-track" / "clean"), not the invented "82% PQ-safe". Fixed in commit 994c591.

Deferred / noted

• GitHub App CTA (GitHub App: one-click install for any repo (distribution / virality) #246 not shipped yet)
• assets/demo.gif still shows scan-only flow — worth re-recording for the PQ+CBOM+TUI sequence before cutting v0.8.0
• CNSA 2.0 timeline SVG could strengthen the PQ section but not required

Verification

• Line count: 183 (target 180-220)
• No broken markdown, no emojis
• All links resolve (except foxguard.dev/rules and foxguard.dev/blog/foxguard-0-7-0-tui-launch which I'm assuming exist — please verify on the site)

Closes #247.

Summary by CodeRabbit

• Documentation
  • Updated messaging to emphasize post-quantum cryptography auditing with CNSA 2.0 deadline annotations.
  • Enhanced documentation on component bill of materials export and terminal UI triage capabilities.
  • Added new workflow and restructured configuration examples with expanded rule management options.

[coderabbitai]

Warning

Rate limit exceeded

@peaktwilight has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 0 minutes and 49 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: cfcbf4d6-5bbc-4f38-b641-8dda88701688

📥 Commits

Reviewing files that changed from the base of the PR and between 994c591 and 4d2a9c4.

📒 Files selected for processing (1)

• README.md

📝 Walkthrough

Walkthrough

Documentation-only update to README.md repositioning the tool from a general fast security scanner to a specialized Rust binary focused on post-quantum cryptography auditing, with emphasis on CNSA 2.0 compliance, CycloneDX 1.6 CBOM export, and TUI-based triage capabilities.

Changes

Cohort / File(s)

Summary

README Documentation Rewrite README.md

Repositioned messaging toward post-quantum crypto auditing; added dedicated "Post-quantum crypto audit" section with CNSA 2.0 deadline context; restructured "What's in it" table; refreshed rules coverage list; updated Quick start examples (--changed, --quiet, tui --diff, --init); revised .foxguard.yml configuration examples to include scan.enable_rules, scan.disable_rules, scan.severity_overrides; removed sections on adoption model, benchmarks, coverage tables, pre-commit/Claude Code integrations, and compatibility details.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Rewrite README: clearer narrative, cover everything we shipped in the PQ arc + TUI + CBOM #247: Directly aligned—both address the same README rewrite to surface PQ crypto audit capabilities, TUI features, and CBOM/CNSA 2.0 updates as core messaging.
• v0.8.0 release blog post + HN submission (content work) #254: Indirectly related through issue #247, which is listed as a hard blocker for the HN/blog post submission task.

Poem

🐰 A bunny hops through quantum gates,
With CNSA deadlines and crypto fates,
Post-quantum shields now take the stage,
README rewritten, a fresh new page! 🔐✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: a comprehensive rewrite of the README focused on post-quantum cryptography, CBOM, and CNSA 2.0 deadline support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/247-readme-rewrite

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Line 36: Update the README sentence that currently claims foxguard "bakes
PQ-vulnerable-crypto rules into the default scan" to clarify that PQ auditing is
provided via a dedicated subcommand; specifically replace that clause with
wording like "foxguard provides a dedicated `pqc` subcommand for
PQ-vulnerable-crypto auditing" so users aren’t misled into thinking `npx
foxguard .` (the default scan) includes PQ scanning—ensure the revised sentence
references the `pqc` subcommand and keeps the rest of the description about
annotations and CycloneDX CBOM unchanged.
- Around line 26-31: The README caption overstates the demo capabilities: update
the caption text around the <code>foxguard tui .</code> snippet to accurately
reflect that the existing demo.gif only shows the scan flow (e.g., "interactive
triage — scan mode shown") and add a short TODO or issue link note indicating
that a re-recorded demo is needed to showcase diff, secrets, and PQ modes;
ensure the updated copy replaces the phrase "scan, diff, secrets, and PQ modes"
and mentions that other modes will be added once a new demo is produced.
- Line 34: The README contains a casing error: change the repository reference
string "github/codeql" to "GitHub/codeql" and any other occurrences of lowercase
"github" in the same sentence to the correct "GitHub" spelling; update the
phrase in the sentence mentioning GitHub's advanced-security/cbom-action and the
CodeQL queries so the organization name is capitalized as "GitHub" while leaving
repository names unchanged.
- Around line 79-88: The fenced code block in README.md that currently contains
the terminal output (the lines beginning with "src/tls/client.go" and the
pq-vulnerable-crypto warning) must include a language identifier for proper
highlighting; update the opening triple backticks to include a language token
such as console or text (e.g., change ``` to ```console) so the block is
recognized as terminal output.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0f35c1e8-27c7-42e2-af95-1757d36ede0c

📥 Commits

Reviewing files that changed from the base of the PR and between 3092aee and 994c591.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Caption overpromises compared to the demo asset.

The caption on line 31 states the TUI supports "scan, diff, secrets, and PQ modes," but according to the PR objectives, demo.gif only shows the scan-only flow and may need re-recording to demonstrate all four modes.

Do you want me to open an issue to track re-recording the demo with all four modes, or would you prefer to update the caption to reflect only what the current asset shows?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 26 - 31, The README caption overstates the demo
capabilities: update the caption text around the <code>foxguard tui .</code>
snippet to accurately reflect that the existing demo.gif only shows the scan
flow (e.g., "interactive triage — scan mode shown") and add a short TODO or
issue link note indicating that a re-recorded demo is needed to showcase diff,
secrets, and PQ modes; ensure the updated copy replaces the phrase "scan, diff,
secrets, and PQ modes" and mentions that other modes will be added once a new
demo is produced.

[greptile-apps]

Greptile Summary

This PR rewrites the README from a generic "fast security scanner" pitch to a v0.8.0-focused document leading with the CNSA 2.0 / post-quantum problem that foxguard addresses. The rewrite compresses 305 → 183 lines, adds dedicated PQ audit and CBOM sections, and makes several honest-framing corrections (names existing CBOM tools, adds a hedge to the "first" claim, correctly attributes the CodeQL action).

Verification performed:

• Sample output in the PQ section (go/pq-vulnerable-crypto, CWE-327, at-risk) verified against src/rules/go.rs and src/compliance.rs — all three match the actual implementation.
• severity_overrides key in the condensed config example confirmed as a fully implemented and tested config field.
• CNSA 2.0 FAQ URL (media.defense.gov/…/CSI_CNSA_2.0_FAQ_.PDF) confirmed to serve the December 2024 v2.1 document despite the 2022 path segment — the NSA keeps the same URL across revisions.
• Migration-level display strings (clean / on-track / at-risk) match MigrationLevel::fmt in compliance.rs.

Issues found:

• The CI integration example pins PwnKit-Labs/foxguard/action@v0.7.1; since the whole README is a v0.8.0 document (PQ audit, CBOM export, pqc subcommand), new users following this guide will install a version lacking those features. This should be bumped to @v0.8.0.
• The benchmark prose still cites foxguard 0.6.2 as the measured version; worth noting explicitly that these numbers predate v0.8.0 until a fresh benchmark run is available.

Confidence Score: 4/5

Safe to merge after bumping the CI action pin from @v0.7.1 to @v0.8.0; all other content is accurate and well-sourced.

All factual claims in the new content were verified against the source code (rule ID, CWE, migration-level strings) and external sources (CNSA 2.0 FAQ URL). One concrete P1 remains: the CI action is pinned to a version that predates every feature this README documents, which would actively mislead new adopters. Fixing that one line makes this mergeable.

README.md line 118 (action pin) and line 130 (benchmark version note)

Important Files Changed

Filename	Overview
README.md	README rewritten for v0.8.0 (PQ crypto audit + CBOM + CNSA 2.0). Rule ID, CWE, and migration-level strings in sample output verified against source. Two issues: CI action pinned to old @v0.7.1 (P1) and benchmark section still references foxguard 0.6.2 (P2).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npx foxguard] --> B{Subcommand?}
    B -->|none| C[Core scan\n170+ rules, taint tracking\nSARIF / JSON / terminal output]
    B -->|pqc| D[PQ crypto audit\nCNSA 2.0 deadline annotations\nML-KEM / ML-DSA guidance]
    B -->|--format cbom| E[CycloneDX 1.6 CBOM\nEvery component linked to\nsource location + severity]
    B -->|tui| F[Interactive TUI\nscan / diff / secrets / pqc modes\nBaseline, ignore, severity override]
    B -->|secrets| G[Secrets scan\nAWS, GitHub, Stripe tokens\nRedacted output + baseline]
    B -->|diff| H[Changed-file scan\nNew findings vs target branch\n--github-pr review comments]
    C --> I[CI: SARIF upload to\nGitHub Code Scanning]
    D --> I
    E --> J[Compliance reporting\nCBOM feeds SBOMs / audits]

Loading

Comments Outside Diff (1)

1. README.md, line 118 (link)

   CI action pinned to @v0.7.1 while README documents v0.8.0 features

   The entire README rewrite is framed around v0.8.0's PQ audit and CBOM export capabilities (pqc subcommand, --format cbom, CNSA 2.0 deadline annotations), but the CI integration example still pins the action to @v0.7.1. A developer who follows this guide to set up CI will run a version of foxguard that does not include any of the features prominently advertised on the same page.

   At a minimum this should pin to @v0.8.0; a floating @v0 tag avoids this class of stale-docs bug on future releases.

_{Reviews (1): Last reviewed commit: "fix: correct rule id / CWE / migration-l..." | Re-trigger Greptile}

[greptile-apps]

Benchmark version reference is stale for a v0.8.0 README

The benchmark prose calls out foxguard 0.6.2 as the measured version. This README is explicitly being rewritten for v0.8.0, so a reader has no way to know whether the numbers still hold — particularly since the new PQ rule set and CBOM serialization path add work to the default scan. Even a one-word note (e.g., "numbers measured with foxguard 0.6.2; see benchmarks/README.md for the current run") would keep the claim honest until the benchmarks are re-run against v0.8.0.