26 changes: 16 additions & 10 deletions README.md
Expand Up @@ -168,7 +168,7 @@ CVE Lite CLI is designed as a **local-first, metadata-only** scanner. Unlike tra
* **Lockfile-Driven Accuracy:** By parsing `package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`, the tool avoids the "it works on my machine" discrepancy. It scans the *exact* dependency tree that will be deployed.
* **Intelligent Triage:** The Analysis engine utilizes the lockfile's graph structure to distinguish between dependencies you manage directly and those brought in by third-party packages (transitive). This allows for a "Fix the Root" strategy rather than chasing individual nested vulnerabilities.
* **Performance Optimization:** A local TTL (Time-To-Live) cache stores advisory results. This ensures that subsequent scans—common in iterative development or CI/CD retry loops—are near-instant and respect external API rate limits.
* **Standards-Based Output:** Results are available in **SARIF (Static Analysis Results Interchange Format)**, ensuring compatibility with modern DevSecOps dashboards and IDE integrations.
* **Standards-Based Output:** Results are natively available in **SARIF (Static Analysis Results Interchange Format)** and **JSON**, ensuring compatibility with modern DevSecOps dashboards and IDE integrations.

## What makes it stand out

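Review bot: the rewritten bullet now claims JSON output alongside SARIF, but this hunk does not show the usage or export section of README.md being updated to document the option that selects JSON; please confirm that section describes both formats so the feature list does not promise an output the rest of the document never explains. The word "natively" adds nothing to "Results are available in ... SARIF ... and JSON" and could be dropped.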
Expand Down Expand Up @@ -434,17 +434,23 @@ CVE Lite CLI is best described as:

**A fast, developer-friendly dependency vulnerability scanner for JavaScript and TypeScript projects, built for teams that want actionable results without the cost and complexity of a full security platform.**

## Roadmap ideas
## Roadmap

Planned or possible future improvements include:
CVE Lite CLI is evolving from a vulnerability scanner into a comprehensive remediation engine.

- richer remediation guidance
- stronger CI examples
- broader export improvements
- improved caching options
- better package grouping and deduplication insights
- publishable npm release polish
- GitHub Action or container workflow support
### Phase 1: Advanced Remediation Intelligence (Short-Term)
* **Executable Fix-Plan:** Move from suggesting a plan to generating executable commands (e.g., `npm install package@version`) to resolve direct vulnerabilities.
* **Transitive Parent Mapping:** Enhance output to explicitly map the dependency path from the root to the vulnerable nested package, making manual triage effortless.
* **Deduplication Analysis:** Identify instances where multiple versions of the same vulnerable package exist and suggest a single version for consolidation.

### Phase 2: Ecosystem & Integration (Mid-Term)
* **Official GitHub Action:** Create a dedicated Action for one-line setup in CI/CD pipelines.
* **Expanded Lockfile Support:** Introduce parsers for emerging JS/TS ecosystems, including `bun.lockb`.
* **IDE Integration:** Develop a lightweight extension to highlight vulnerable packages directly within the code editor.

### Phase 3: Maturity & Compliance (Long-Term)
* **Standardized SBOM Support:** Add the ability to export findings as an **SBOM (Software Bill of Materials)** in CycloneDX or SPDX formats.
* **Community Plugin System:** Decouple the scanner logic to allow community-contributed data sources and custom security rules.

## Contributing

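Review bot: several items from the old "Roadmap ideas" list are dropped without replacement in the new phased roadmap: "stronger CI examples", "improved caching options", "publishable npm release polish" and the "container workflow support" half of the old GitHub Action item. If these were deliberately descoped, say so in the PR description; otherwise fold them into the relevant phase (CI examples and container workflow fit naturally under "Phase 2: Ecosystem & Integration"). For the "Executable Fix-Plan" item, consider wording it so that the generated `npm install package@version` commands are presented for the user to review and run, rather than executed by the tool, since the text currently leaves that ambiguous.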
Binary file modified assets/diagram.png