docs: align reachability reference with v2.4.2 implementation

Bring docs/cli-reference.md in line with the v2.4.2 reachability flag
alignment (#226): canonical --reach-analysis-timeout / --reach-analysis-memory-limit
names (old names noted as hidden aliases), correct coana-derived defaults
(8 GB memory, 10-min timeout, concurrency 1), accurate --reach-min-severity
values (info/low/moderate/high/critical), the uv + Enterprise-plan
requirements, the new 2.4.x reachability flags, and clearer --only-facts-file
wording. Documentation-only; the patch bump to 2.4.3 + uv.lock refresh are
mandated by the repo's sync-version pre-commit hook.

Author: mtorp

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 2.4.3
+
+### Docs: reachability CLI reference aligned with the v2.4.2 implementation
+
+- `docs/cli-reference.md` now uses the canonical `--reach-analysis-timeout` /
+  `--reach-analysis-memory-limit` flag names (old `--reach-timeout` /
+  `--reach-memory-limit` documented as hidden aliases), the correct
+  coana-derived defaults (8 GB memory, 10-min timeout, concurrency 1), the
+  accurate `--reach-min-severity` values (info/low/moderate/high/critical),
+  the `uv` and Enterprise-plan requirements, and the newer reachability flags
+  (`--reach-enable-analysis-splitting`, `--reach-detailed-analysis-log-file`,
+  `--reach-lazy-mode`, `--reach-use-only-pregenerated-sboms`, `--reach-debug`,
+  `--reach-disable-external-tool-checks`). Documentation-only; no code changes.
+
 ## 2.4.2
 
 ### Added: reachability flag and Coana environment alignment with the Node CLI

docs/cli-reference.md

@@ -152,10 +152,11 @@ socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--
           [--enable-json] [--enable-sarif] [--sarif-file <path>] [--sarif-scope {diff,full}] [--sarif-grouping {instance,alert}] [--sarif-reachability {all,reachable,potentially,reachable-or-potentially}] [--enable-gitlab-security] [--gitlab-security-file <path>]
           [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue]
           [--ignore-commit-files] [--disable-blocking] [--disable-ignore] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders]
-          [--reach] [--reach-version REACH_VERSION] [--reach-timeout REACH_ANALYSIS_TIMEOUT]
-          [--reach-memory-limit REACH_ANALYSIS_MEMORY_LIMIT] [--reach-ecosystems REACH_ECOSYSTEMS] [--reach-exclude-paths REACH_EXCLUDE_PATHS]
-          [--reach-min-severity {low,medium,high,critical}] [--reach-skip-cache] [--reach-disable-analytics] [--reach-output-file REACH_OUTPUT_FILE]
-          [--only-facts-file] [--version]
+          [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout SECONDS] [--reach-analysis-memory-limit MB]
+          [--reach-concurrency N] [--reach-ecosystems REACH_ECOSYSTEMS] [--reach-exclude-paths REACH_EXCLUDE_PATHS]
+          [--reach-min-severity <level>] [--reach-skip-cache] [--reach-disable-analytics] [--reach-enable-analysis-splitting]
+          [--reach-detailed-analysis-log-file] [--reach-lazy-mode] [--reach-output-file REACH_OUTPUT_FILE] [--reach-additional-params ...]
+          [--reach-use-only-pregenerated-sboms] [--reach-debug] [--reach-disable-external-tool-checks] [--only-facts-file] [--version]
 ````
 
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_TOKEN`
@@ -237,23 +238,35 @@ If you don't want to provide the Socket API Token every time then you can use th
 #### Reachability Analysis
 | Parameter                        | Required | Default | Description                                                                                                                |
 |:---------------------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------------------------|
-| `--reach`                          | False    | False   | Enable reachability analysis to identify which vulnerable functions are actually called by your code                       |
-| `--reach-version`                  | False    | latest  | Version of @coana-tech/cli to use for analysis                                                                             |
-| `--reach-timeout`                  | False    | 1200    | Timeout in seconds for the reachability analysis (default: 1200 seconds / 20 minutes)                                      |
-| `--reach-memory-limit`             | False    | 4096    | Memory limit in MB for the reachability analysis (default: 4096 MB / 4 GB)                                                 |
-| `--reach-concurrency`              | False    |         | Control parallel analysis execution (must be >= 1)                                                                         |
-| `--reach-additional-params`        | False    |         | Pass custom parameters to the coana CLI tool                                                                               |
-| `--reach-ecosystems`               | False    |         | Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed  |
-| `--reach-exclude-paths`            | False    |         | Comma-separated list of file paths or patterns to exclude from reachability analysis                                       |
-| `--reach-min-severity`             | False    |         | Minimum severity level for reporting reachability results (low, medium, high, critical)                                    |
-| `--reach-skip-cache`               | False    | False   | Skip cache and force fresh reachability analysis                                                                           |
-| `--reach-disable-analytics`        | False    | False   | Disable analytics collection during reachability analysis                                                                  |
-| `--reach-output-file`              | False    | .socket.facts.json | Path where reachability analysis results should be saved                                                        |
-| `--only-facts-file`                | False    | False   | Submit only the .socket.facts.json file to an existing scan (requires --reach and a prior scan)                            |
+| `--reach`                            | False    | False   | Enable reachability analysis to identify which vulnerable functions are actually called by your code. Creates a tier-1 full-application reachability scan (`scan_type=socket_tier1`). |
+| `--reach-version`                    | False    | latest  | Version of @coana-tech/cli to use for analysis                                                                             |
+| `--reach-analysis-timeout`           | False    | *coana default (10 min)*  | Timeout in seconds for the reachability analysis. When unset, the coana CLI's own default applies. Alias: `--reach-timeout` (hidden). |
+| `--reach-analysis-memory-limit`      | False    | *coana default (8192 MB / 8 GB)* | Memory limit in MB for the reachability analysis. When unset, the coana CLI's own default applies. Alias: `--reach-memory-limit` (hidden). |
+| `--reach-concurrency`                | False    | *coana default (1)* | Number of analyses to run in parallel (must be >= 1). Useful for monorepos/workspaces.                                |
+| `--reach-additional-params`          | False    |         | Pass custom parameters straight through to the coana CLI tool                                                              |
+| `--reach-ecosystems`                 | False    | *all*   | Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed  |
+| `--reach-exclude-paths`              | False    |         | Comma-separated list of file paths or patterns to exclude from reachability analysis                                       |
+| `--reach-min-severity`               | False    |         | Minimum severity level for reporting reachability results (info, low, moderate, high, critical)                            |
+| `--reach-skip-cache`                 | False    | False   | Skip cache and force fresh reachability analysis                                                                           |
+| `--reach-disable-analytics`          | False    | False   | Disable analytics collection during reachability analysis                                                                  |
+| `--reach-enable-analysis-splitting`  | False    | False   | Enable analysis splitting/bucketing (a legacy performance feature). Splitting is disabled by default.                      |
+| `--reach-detailed-analysis-log-file` | False    | False   | Write a detailed analysis log file; its path is printed to stdout                                                          |
+| `--reach-lazy-mode`                  | False    | False   | Enable lazy mode (experimental performance feature)                                                                        |
+| `--reach-output-file`                | False    | .socket.facts.json | Path where reachability analysis results should be saved                                                        |
+| `--reach-use-only-pregenerated-sboms`| False    | False   | Build the scan only from pre-generated CycloneDX (CDX) and SPDX files in your project (requires --reach)                    |
+| `--reach-debug`                      | False    | False   | Enable coana debug output (passes `--debug` to the coana CLI), independent of the global `--enable-debug`                   |
+| `--reach-disable-external-tool-checks`| False   | False   | Disable coana's external tool availability checks (passes `--disable-external-tool-checks` to the coana CLI)               |
+| `--only-facts-file`                  | False    | False   | Submit only the .socket.facts.json file when creating the full scan (requires --reach)                                     |
 
 **Reachability Analysis Requirements:**
-- `npm` - Required to install and run @coana-tech/cli
-- `npx` - Required to execute @coana-tech/cli
+
+The Python CLI verifies the following **up front** (before invoking the analysis engine) and exits with code **3** if any are unmet:
+- `npm` - Required to install and run `@coana-tech/cli` (the analysis engine)
+- `npx` - Required to execute `@coana-tech/cli`
+- `uv` - Required by the analysis engine
+- An **Enterprise** Socket organization plan (any `enterprise*` plan, including Enterprise trials)
+
+Separately, the analysis engine (coana) needs the **per-ecosystem build toolchain** for whatever languages your project uses — e.g. a compatible Python interpreter (3.11+, or PyPy) for Python, a JDK for Java/Kotlin/Scala, .NET 6+ for C#, the matching Go toolchain for Go, etc. These are validated by the engine **at analysis time** (the CLI does not pre-check them) and that validation can be skipped with `--reach-disable-external-tool-checks`.
 
 ## Config file support
 
@@ -299,7 +312,7 @@ Sample config files:
 
 For CI-specific examples and guidance, see [`ci-cd.md`](ci-cd.md).
 
-The CLI will automatically install `@coana-tech/cli` if not present. Use `--reach` to enable reachability analysis during a full scan, or use `--only-facts-file` with `--reach` to submit reachability results to an existing scan.
+The CLI will automatically install `@coana-tech/cli` if not present. Use `--reach` to enable reachability analysis during a full scan, or add `--only-facts-file` (with `--reach`) to submit only the reachability facts file (`.socket.facts.json`) when creating the full scan.
 
 #### Advanced Configuration
 | Parameter                | Required | Default | Description                                                           |

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.4.2"
+version = "2.4.3"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.4.2'
+__version__ = '2.4.3'
 USER_AGENT = f'SocketPythonCLI/{__version__}'