fix: clippy and thirdparty licenses update

src/commands/scan.rs

@@ -355,6 +355,7 @@ pub fn format_dynamic_verification_summary(summary: &DynamicVerificationSummary)
 /// composite-chain re-verification can reuse preloaded summaries and callgraph
 /// context.
 #[cfg(feature = "dynamic")]
+#[allow(clippy::too_many_arguments)]
 pub(crate) fn verify_findings_for_scan(
     diags: &mut [Diag],
     project_name: &str,

src/surface/build.rs

@@ -3,15 +3,15 @@
 //! Phase 22 dispatch:
 //!
 //! 1. Per-file framework probes (one parser per language) emit
-//!    [`SurfaceNode::EntryPoint`](crate::surface::SurfaceNode::EntryPoint) nodes for every recognised route /
+//!    [`SurfaceNode::EntryPoint`] nodes for every recognised route /
 //!    handler.
 //! 2. [`super::datastore::detect_data_stores`] walks
-//!    [`GlobalSummaries`] and emits [`SurfaceNode::DataStore`](crate::surface::SurfaceNode::DataStore) nodes
+//!    [`GlobalSummaries`] and emits [`SurfaceNode::DataStore`] nodes
 //!    for every recognised driver call.
 //! 3. [`super::external::detect_external_services`] walks summaries +
-//!    SSRF caps and emits [`SurfaceNode::ExternalService`](crate::surface::SurfaceNode::ExternalService) nodes.
+//!    SSRF caps and emits [`SurfaceNode::ExternalService`] nodes.
 //! 4. [`super::dangerous::detect_dangerous_locals`] walks summaries
-//!    and emits [`SurfaceNode::DangerousLocal`](crate::surface::SurfaceNode::DangerousLocal) nodes for every
+//!    and emits [`SurfaceNode::DangerousLocal`] nodes for every
 //!    function whose `sink_caps` include a local-sink class (code-exec,
 //!    deserialize, SSTI, format-string, LDAP / XPath / header /
 //!    open-redirect injection, XXE, prototype pollution), located at the

src/surface/exposure.rs

@@ -3,7 +3,7 @@
 //!
 //! This is the bridge that makes the attack surface participate in the
 //! core finding pipeline instead of living off to the side in `nyx
-//! surface`: every [`Diag`](crate::commands::scan::Diag) gets an
+//! surface`: every [`Diag`] gets an
 //! optional [`Exposure`] annotation describing the *worst-case* route
 //! that reaches it (unauthenticated preferred over auth-gated, direct
 //! file match preferred over transitive call-graph reach), and the
@@ -11,7 +11,7 @@
 //! reachable findings sort above internal ones.
 //!
 //! Matching granularity is file-level, same as the chain composer's
-//! [`Reach`](crate::chain::Reach): a finding in `views.py` is exposed
+//! [`Reach`](crate::chain::edges::Reach): a finding in `views.py` is exposed
 //! when an entry-point's handler lives in `views.py`, or — when a
 //! [`FileReachMap`] is supplied — when some handler's file transitively
 //! reaches `views.py` through the call graph.