diff --git a/README.md b/README.md
index 65e492d..7113d98 100644
--- a/README.md
+++ b/README.md
@@ -296,6 +296,40 @@ review-bot \
   --conventions-file CONVENTIONS.md
 ```
 
+## Subcommands
+
+### `validate-docmap`
+
+Verifies that a `doc-map.yml` is consistent before running a review. Two checks:
+
+1. **Coverage**: every changed file is matched by at least one `paths:` glob.
+2. **Stale docs**: every `docs:` entry exists on disk under `--repo-root`.
+
+```bash
+# Typical CI usage — pipe git diff into the command
+git diff --name-only origin/main HEAD | \
+  review-bot validate-docmap \
+    --docmap .review-bot/doc-map.yml \
+    --repo-root .
+```
+
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--docmap` | Yes | — | Path to doc-map YAML file |
+| `--repo-root` | No | `.` (cwd) | Root for resolving `docs:` paths |
+
+Exit codes: `0`=clean, `1`=failures found, `2`=usage/parse error.
+
+### `validate-url`
+
+Resolves a URL and verifies all IPs are publicly routable (used in CI to prevent SSRF).
+
+```bash
+review-bot validate-url https://gitea.example.com
+```
+
+Exit codes: `0`=safe, `1`=blocked/private IP, `2`=error.
+
 ## Environment Variables
 
 All flags have environment variable equivalents: