fix: remove non-existent CLI/Docker refs, align CI tooling

.github/PULL_REQUEST_TEMPLATE.md

@@ -40,7 +40,7 @@
 ## SARIF compatibility
 
 <!--
-  Did you change `sarif.go` or `internal/output/sarif.go`?
+  Did you change `sarif.go` or `internal/output/output.go` (the SARIF formatter)?
 
   - If yes: confirm the output still validates against the SARIF 2.1.0
     schema and call out any new fields, especially in `tool.driver`.

.github/workflows/ci.yml

@@ -55,7 +55,7 @@ jobs:
         run: git clone --depth=1 https://github.com/GrayCodeAI/hawk.git ../hawk
       - name: gofumpt diff
         run: |
-          go install mvdan.cc/gofumpt@latest
+          go install mvdan.cc/gofumpt@v0.10.0
           out=$(gofumpt -l .)
           if [ -n "$out" ]; then
             echo "::error::gofumpt would reformat the following files:"

CHANGELOG.md

@@ -18,7 +18,8 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
   - `sarif.go`: `Driver.Version`/`Driver.SemanticVersion` → `"0.1.0"`
     (the SARIF spec version remains `"2.1.0"` — that's a different
     field; it identifies the SARIF format, not the tool)
-  - `internal/output/sarif.go`: same fix in the duplicated SARIF code
+  - `internal/output/output.go`: same fix in the duplicated SARIF code
+    (`FormatSARIF` driver-version site)
 
 ### Added
 - Numeric confidence scoring (0.0-1.0) on every finding

Makefile

@@ -66,7 +66,7 @@ bench: ## Run benchmarks.
 # Quality gates.
 # ---------------------------------------------------------------------------
 fmt: ## Format source files (gofumpt + goimports).
-	@command -v $(GOFUMPT)   >/dev/null 2>&1 || (echo "install: go install mvdan.cc/gofumpt@latest"   && exit 1)
+	@command -v $(GOFUMPT)   >/dev/null 2>&1 || (echo "install: go install mvdan.cc/gofumpt@v0.10.0"   && exit 1)
 	@command -v $(GOIMPORTS) >/dev/null 2>&1 || (echo "install: go install golang.org/x/tools/cmd/goimports@latest" && exit 1)
 	$(GOFUMPT) -w .
 	$(GOIMPORTS) -w .
@@ -75,11 +75,11 @@ vet: ## Run go vet.
 	go vet ./...
 
 lint: ## Run golangci-lint.
-	@command -v $(GOLANGCI) >/dev/null 2>&1 || (echo "install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest" && exit 1)
+	@command -v $(GOLANGCI) >/dev/null 2>&1 || (echo "install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.0" && exit 1)
 	$(GOLANGCI) run ./... --timeout=5m
 
 lint-fix: ## Run golangci-lint with --fix.
-	@command -v $(GOLANGCI) >/dev/null 2>&1 || (echo "install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest" && exit 1)
+	@command -v $(GOLANGCI) >/dev/null 2>&1 || (echo "install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.0" && exit 1)
 	$(GOLANGCI) run ./... --fix --timeout=5m
 
 security: ## Run govulncheck.

api/openapi.yaml

@@ -15,8 +15,11 @@ info:
   contact:
     url: https://github.com/GrayCodeAI/sight
 
-# No HTTP server by default — MCP uses stdio transport.
-# HTTP transport is available via: sight mcp --transport http --addr 127.0.0.1:8080
+# sight ships no standalone binary. The MCP server is embedded by the host
+# program (e.g. hawk), which injects a Provider and starts a transport:
+#   srv := mcp.New(provider, opts...)
+#   srv.ServeStdio()                 // stdio transport (default)
+#   srv.ServeHTTP("127.0.0.1:8080")  // streamable HTTP transport, served at /mcp
 
 tags:
   - name: review
@@ -26,9 +29,10 @@ tags:
 
 x-mcp-server:
   transport: stdio
-  binary: sight
-  start_command: ["sight", "mcp"]
-  http_transport_command: ["sight", "mcp", "--transport", "http", "--addr", "127.0.0.1:8080"]
+  package: github.com/GrayCodeAI/sight/mcp
+  constructor: mcp.New(provider, opts...)
+  serve_stdio: mcp.Server.ServeStdio()
+  serve_http: mcp.Server.ServeHTTP("127.0.0.1:8080")  # served at /mcp
 
 x-mcp-tools:
   sight_review:

docs/architecture.md

@@ -24,7 +24,7 @@ sight is an AI-powered code review library for Go. It parses unified diffs, enri
 ```
 sight/
 ├── api/openapi.yaml          📜 MCP tool surface reference
-├── cmd/sight/main.go         🖥️ CLI entry (mcp, taint subcommands)
+├── examples/basic/main.go    🧪 Library usage example (Review with a mock provider)
 ├── sight.go                  📤 Public API: Review(), Finding, Result, Stats
 ├── reviewer.go               🔄 Reviewer: parallel concern orchestration
 ├── options.go                ⚙️ config, With* functions, presets
@@ -93,9 +93,13 @@ type Provider interface {
 
 ## 🔌 MCP Server
 
-```bash
-sight mcp                                    # 📡 stdio transport
-sight mcp --transport http --addr :8080      # 🌐 HTTP transport
+sight ships no standalone binary — the MCP server is an embeddable component
+that the host program (e.g. `hawk`) starts after injecting a `Provider`:
+
+```go
+srv := mcp.New(myProvider, sight.Thorough)
+srv.ServeStdio()             // 📡 stdio transport
+srv.ServeHTTP("127.0.0.1:8080") // 🌐 streamable HTTP transport, served at /mcp
 ```
 
 **Tools:** `sight_review` · `sight_describe` · `sight_improve` · `sight_taint`
@@ -121,4 +125,4 @@ sight mcp --transport http --addr :8080      # 🌐 HTTP transport
 
 **30+ built-in rules** run without LLM overhead — hardcoded secret patterns, SQL injection sinks, unsafe deserialization, etc. Fused with LLM results.
 
-**Taint analysis** (`sight taint --path .`) uses SSA-based cross-function tracking to detect source→sink data flows. Sources, sinks, and sanitizers are configurable.
+**Taint analysis** (exposed via the `sight_taint` MCP tool and the taint-analysis API) uses SSA-based cross-function tracking to detect source→sink data flows. Sources, sinks, and sanitizers are configurable.

lefthook.yml

@@ -23,7 +23,7 @@ pre-commit:
       glob: "*.go"
       run: |
         if ! command -v gofumpt >/dev/null 2>&1; then
-          echo "lefthook: gofumpt not installed (go install mvdan.cc/gofumpt@latest)"; exit 1
+          echo "lefthook: gofumpt not installed (go install mvdan.cc/gofumpt@v0.10.0)"; exit 1
         fi
         gofumpt -w {staged_files}
       stage_fixed: true

sgconfig.yaml

@@ -1,4 +1,2 @@
 ruleDirs:
   - rules
-testDirs:
-  - tests