Wave 2 polish: tests, clippy/fmt clean, CI

[Peterc3-dev]

Summary

A polish-to-completion pass on the existing Phase 2.5/3 codebase. No behavior changes to the agent loop or tools — this hardens the core with tests, lint cleanliness, and CI.

Changes

• Tests (8 -> 38). Added unit tests for the pure, deterministic core logic that previously had none:
  • scope: host_in_scope / normalize_host (scheme/port/path stripping, bare vs *. wildcard, apex matching, case handling, empty patterns).
  • findings::parse: extract_hosts_from_subfinder, parse_httpx_output (URL/status/severity classification, host-derived-from-URL fallback, malformed-line skipping), parse_nuclei_output (severity/name/target, matched-at -> host fallback, graceful defaults).
  • findings::models: Severity ordering, from_str_loose aliases/unknowns, dedup_findings (kind+details folding, severity promotion, target dedup with insertion order, severity-desc sort, empty input).
  • llm::parser: strip_think (balanced/multiple/unclosed blocks), parse_action across all four supported shapes ({tool,arguments}, args alias, OpenAI tool_calls with stringified args, {action:done/stop/finish}), code-fence + think-block stripping, prose-surrounded JSON, and None on unparseable/unknown.
  • tools::dnsx: parse_dnsx_output (bare hosts, host [record] pairs, trailing-dot + blank handling).
• Lint. Fixed all clippy warnings (single_char_add_str in the report generator, sort_by_key in the ReAct loop). Repo now passes cargo clippy --all-targets -- -D warnings.
• Formatting. Ran cargo fmt across the tree. The diffs in config.rs, findings/mod.rs, preflight/pius.rs, tools/ffuf.rs, tools/nuclei.rs are formatting-only (no logic change).
• CI. Added .github/workflows/ci.yml (stable Rust): cargo fmt --check, cargo clippy -D warnings, build, test, with cargo caching. No untrusted input is interpolated into any run: step.
• Docs. Updated the README "Honest state" section — the stale "No automated tests yet" line is replaced with the actual test + CI status.

Verified on this machine (cargo 1.95.0, rustc 1.95.0)

• cargo build — passes (baseline also passed before changes).
• cargo test — 38 passed, 0 failed.
• cargo clippy --all-targets -- -D warnings — clean.
• cargo fmt --check — clean.

Unverified

• The CI workflow itself has not run on GitHub Actions yet; it mirrors the commands verified locally but the hosted run is unverified until this PR triggers it.
• No new end-to-end run against a live LLM server or live targets was performed — only the pure parsing/logic paths are exercised by the new tests. External-tool wrappers (exec_*) and the network LLM client remain manually-verified-only, as before.

TODOs left

• None introduced. No stubs were finished because there were none (todo!/unimplemented!/FIXME/pass-only stubs: none found). The exec_* tool wrappers and LlmClient are I/O boundaries left untested by design (they shell out / hit the network).

🤖 Generated with Claude Code

[Peterc3-dev]

Independent verification — VERDICT: solid, ready to merge

Re-built and re-ran everything from a clean clone of wave2-polish (cargo 1.95.0, rustc 1.95.0). All four self-reported claims confirmed:

• cargo build — passes (exit 0)
• cargo test — 38 passed, 0 failed (exact match to the claim)
• cargo clippy --all-targets -- -D warnings — clean
• cargo fmt --check — clean

Regression check

• Baseline (origin/main) builds green with 8 tests; branch has 38. The 8 -> 38 claim is exact, and all 8 original tests are preserved and still pass — no test was deleted or weakened.
• Every non-test diff in react_loop.rs, config.rs, findings/mod.rs, preflight/pius.rs, tools/{ffuf,nuclei,dnsx}.rs, report/generator.rs, findings/parse.rs is either pure cargo fmt reflow or a behavior-preserving clippy fix. Confirmed the two real logic-touching changes are equivalent:
  • sort_by(|a,b| b.severity.cmp(&a.severity)) -> sort_by_key(|f| Reverse(f.severity)) — same stable descending order (Severity is Copy/Ord).
  • push_str("\n") -> push('\n') — identical output.
• No todo!/unimplemented!/FIXME anywhere in src/; the "no stubs finished because there were none" statement holds.

Overclaim check

None found. The PR body is honest. Two notes (not blockers):

1. The new scope::matching_is_case_insensitive test actually documents that the matcher only lowercases the host, not the pattern — so an uppercase pattern won't match. The module doc comment still says "Matches case-insensitively," which is slightly misleading. The test correctly encodes the real contract (callers must pass lowercase patterns); worth a one-line doc tweak someday but not a defect.
2. CI workflow is sound — RUSTFLAGS: -D warnings + clippy --all-targets -D warnings, no untrusted input interpolated into run: steps. As the PR states, the hosted run hasn't executed yet; it mirrors the locally-verified commands.

Approving. Merge as-is.