npm - @akotliar/sitemap-qa - Versions diffs - 1.0.0-alpha.0 → 1.0.0-alpha.2 - Mend

@akotliar/sitemap-qa 1.0.0-alpha.0 → 1.0.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -1,27 +1,1596 @@
 #!/usr/bin/env node
-import"dotenv/config";import{Command as qe}from"commander";import{Command as Ne}from"commander";import{promises as re}from"fs";import C from"ora";import k from"chalk";import{readFile as I}from"fs/promises";import{existsSync as D}from"fs";import{join as N}from"path";import{homedir as se}from"os";var L={timeout:30,concurrency:10,outputFormat:"html",outputDir:"./sitemap-qa/report",verbose:!1,baseUrl:"https://example.com",acceptedPatterns:[]};async function F(e){let t={...L},r=N(se(),".sitemap-qa","config.json");if(D(r))try{let a=JSON.parse(await I(r,"utf-8"));t={...t,...a}}catch(a){console.warn(`Warning: Failed to load global config: ${a}`)}let s=N(process.cwd(),".sitemap-qa.config.json");if(D(s))try{let a=JSON.parse(await I(s,"utf-8"));t={...t,...a}}catch(a){console.warn(`Warning: Failed to load project config: ${a}`)}let n=ne();return t={...t,...n},t=ie(t,e),e.baseUrl&&(t.baseUrl=e.baseUrl),ae(t),t}function ne(){let e={};return process.env.SITEMAP_VERIFY_TIMEOUT&&(e.timeout=parseInt(process.env.SITEMAP_VERIFY_TIMEOUT,10)),e}function ie(e,t){let r={...e};return t.timeout&&t.timeout!=="30"&&(r.timeout=parseInt(t.timeout,10)),t.output&&(r.outputFormat=t.output),t.outputDir&&(r.outputDir=t.outputDir),t.verbose===!0&&(r.verbose=!0),t.acceptedPatterns&&(r.acceptedPatterns=t.acceptedPatterns.split(",").map(s=>s.trim()).filter(Boolean)),r}function ae(e){if(e.timeout<1||e.timeout>300)throw new Error("Timeout must be between 1 and 300 seconds");if(!["json","html"].includes(e.outputFormat))throw new Error("Output format must be json or html")}var U=class extends Error{constructor(r,s){super(`Network request failed for ${r}: ${s.message}`);this.url=r;this.originalError=s;this.name="NetworkError"}code="NETWORK_ERROR"},x=class extends Error{constructor(r,s,n){let a=`HTTP ${s} error for ${r}`;s===403&&(a+=`
-   Note: 403 Forbidden often indicates bot protection (Cloudflare, etc.) or access restrictions`);super(a);this.url=r;this.statusCode=s;this.statusText=n;this.name="HttpError"}code="HTTP_ERROR"};import{chromium as ce}from"playwright";async function le(e,t){let r;try{r=await ce.launch({headless:!0,args:["--disable-blink-features=AutomationControlled","--disable-dev-shm-usage","--no-sandbox"]});let n=await(await r.newContext({userAgent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",viewport:{width:1920,height:1080},locale:"en-US",timezoneId:"America/New_York",extraHTTPHeaders:{Accept:"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language":"en-US,en;q=0.9","Accept-Encoding":"gzip, deflate, br",DNT:"1",Connection:"keep-alive","Upgrade-Insecure-Requests":"1"}})).newPage();await n.addInitScript(()=>{Object.defineProperty(navigator,"webdriver",{get:()=>!1}),window.chrome={runtime:{}};let m=window.navigator.permissions.query;window.navigator.permissions.query=l=>l.name==="notifications"?Promise.resolve({state:Notification.permission}):m(l)}),n.setDefaultTimeout(t*1e3);let a=await n.goto(e,{waitUntil:"domcontentloaded",timeout:t*1e3});if(!a)throw new Error("No response received from page");let c=a.status(),o=await n.content(),i=n.url();if(await r.close(),c>=200&&c<300)return{content:o,statusCode:c,url:i};throw new x(i,c)}catch(s){throw r&&await r.close(),s.code==="HTTP_ERROR"?s:new U(e,s)}}async function S(e,t={}){let{timeout:r=30,maxRetries:s=3,retryDelay:n=1e3,useBrowser:a=!1}=t;new URL(e);let c=[408,429,500,502,503,504],o=null,i=!1;for(let m=0;m<=s;m++){try{if(a||i)return await le(e,r);let l=new AbortController,d=setTimeout(()=>l.abort(),r*1e3),p=await fetch(e,{method:"GET",headers:{"User-Agent":"sitemap-qa/1.0.0",Accept:"text/xml,application/xml,text/plain,*/*"},signal:l.signal,redirect:"follow"});clearTimeout(d);let u=p.status,g=await p.text();if(u>=200&&u<300)return{content:g,statusCode:u,url:p.url};if(u===403&&!i){i=!0;continue}if(!c.includes(u))throw new x(p.url,u);o=new x(p.url,u)}catch(l){if(l.code==="HTTP_ERROR"){let d=l;if(!c.includes(d.statusCode))throw l;o=l}else o=new U(e,l);if(m===s)break}if(m<s){let l=n*Math.pow(2,m);await new Promise(d=>setTimeout(d,l))}}throw o}function me(e){return new URL(e).origin}async function ue(e,t){let r=new URL(e),n=r.hostname.startsWith("www.")?r.hostname.substring(4):`www.${r.hostname}`,a=`${r.protocol}//${n}/robots.txt`;try{let c=await S(a,{timeout:t.timeout,maxRetries:1});return c.statusCode===200||c.statusCode===404?n:r.hostname}catch(c){return c instanceof x&&c.statusCode===301,r.hostname}}async function M(e,t){let r=new URL(e).origin,s=[],n=["/sitemap.xml","/sitemap_index.xml","/sitemap-index.xml"],a=await Promise.allSettled(n.map(async c=>{let o=`${r}${c}`;try{return(await S(o,{timeout:t.timeout,maxRetries:1})).statusCode===200?(t.verbose&&console.log(`\u2713 Found sitemap at: ${o}`),{found:!0,url:o}):{found:!1}}catch(i){return i instanceof x?i.statusCode===401||i.statusCode===403?(s.push({url:o,statusCode:i.statusCode,error:i.statusCode===401?"Unauthorized":"Access Denied"}),t.verbose&&console.log(`\u26A0 Access denied: ${o} (${i.statusCode})`)):t.verbose&&console.log(`\u2717 Not found: ${o} (${i.statusCode})`):t.verbose&&console.log(`\u2717 Not found: ${o}`),{found:!1}}}));for(let c of a)if(c.status==="fulfilled"&&c.value.found)return{sitemaps:[c.value.url],issues:s};return t.verbose&&console.log("No sitemap found at standard paths"),{sitemaps:[],issues:s}}async function z(e,t){let r=`${new URL(e).origin}/robots.txt`;try{let n=(await S(r,{timeout:t.timeout,maxRetries:1})).content.split(`
-`),a=[];for(let c of n){let o=c.match(/^Sitemap:\s*(.+)$/i);if(o){let i=o[1].trim();try{new URL(i),a.push(i)}catch{t.verbose&&console.warn(`Invalid sitemap URL in robots.txt: ${i}`)}}}return t.verbose&&a.length>0&&console.log(`Found ${a.length} sitemap(s) in robots.txt`),a}catch{return t.verbose&&console.log(`No robots.txt found at ${r}`),[]}}function de(e){if(e.includes("<sitemapindex"))return!0;if(e.includes("<urlset")){let t=/<url[^>]*>.*?<loc>([^<]+)<\/loc>.*?<\/url>/gs,r=Array.from(e.matchAll(t)),s=Math.min(5,r.length),n=0;for(let a=0;a<s;a++){let c=r[a][1].trim().toLowerCase();(c.includes("sitemap")||c.endsWith(".xml"))&&n++}return n>s/2}return!1}function pe(e){let t=[];if(e.includes("<sitemapindex")){let r=/<sitemap[^>]*>(.*?)<\/sitemap>/gs,s;for(;(s=r.exec(e))!==null;){let n=/<loc>([^<]+)<\/loc>/i.exec(s[1]);if(n){let a=n[1].trim();try{new URL(a),t.push(a)}catch{}}}}else{let r=/<url[^>]*>(.*?)<\/url>/gs,s;for(;(s=r.exec(e))!==null;){let n=/<loc>([^<]+)<\/loc>/i.exec(s[1]);if(n){let a=n[1].trim();if(a.toLowerCase().includes("sitemap")||a.toLowerCase().endsWith(".xml"))try{new URL(a),t.push(a)}catch{}}}}return t}async function $(e,t,r,s,n=10){let a=[],c=[...e],o=new Set,i=new Set,m=new Set,l=s,d=5;for(;c.length>0;){let w=c.splice(0,Math.min(d,c.length));if(await Promise.all(w.map(async h=>{if(o.has(h)){t.verbose&&console.warn(`Skipping duplicate sitemap: ${h}`);return}o.add(h);try{let y=await S(h,{timeout:t.timeout,maxRetries:2});if(de(y.content)){t.verbose&&console.log(`Found sitemap index: ${h}`);let R=pe(y.content);c.push(...R),t.verbose&&console.log(`  \u2514\u2500 Contains ${R.length} child sitemap(s)`)}else a.push(h),t.verbose&&console.log(`\u2713 Discovered sitemap: ${h}`)}catch(y){if(y instanceof x&&y.statusCode===301?m.add(h):i.add(h),t.verbose){let R=y instanceof Error?y.message:String(y);if(y instanceof x&&y.statusCode===301){l||(l=await ue(r,t),t.verbose&&console.log(`Canonical domain detected: ${l}`));try{let T=new URL(h);T.hostname!==l?(console.warn(`\u26A0\uFE0F  Sitemap URL redirects (301): ${h}`),console.warn("   Problem: The sitemap index contains a URL that redirects."),console.warn(`   Likely issue: Domain mismatch - expected "${l}" but got "${T.hostname}"`),console.warn(`   Fix: Update sitemap index to use "https://${l}${T.pathname}"`)):(console.warn(`\u26A0\uFE0F  Sitemap URL redirects (301): ${h}`),console.warn("   Fix: Update the sitemap index to reference the final URL after redirect."))}catch{console.warn(`Failed to fetch sitemap ${h}: ${R}`)}}else console.warn(`Failed to fetch sitemap ${h}: ${R}`)}}})),o.size>1e3){console.warn("\u26A0\uFE0F  Processed over 1000 sitemap URLs. Stopping to prevent excessive requests.");break}}let p=o.size,u=i.size,g=m.size,f=p-a.length-u-g;return a.length===0&&p>0&&(console.warn(`
-\u26A0\uFE0F  SITEMAP DISCOVERY ISSUE`),f>0&&(u>0||g>0)?(console.warn(`Found ${f} sitemap index(es) containing ${u+g} child sitemap(s):`),g>0&&console.warn(`  - ${g} sitemap(s) return 301 redirects (content not accessible without following redirect)`),u>0&&console.warn(`  - ${u} sitemap(s) returned errors (404, 403, 500, or network issues)`)):g>0?console.warn(`All ${g} sitemap(s) return 301 redirects.`):u>0?(console.warn(`All ${u} sitemap(s) returned errors.`),console.warn(`
-Common causes:`),console.warn("  - 403 Forbidden: Bot protection (Cloudflare, etc.) or IP blocking"),console.warn("  - 404 Not Found: Sitemaps don't exist at these URLs"),console.warn("  - 500/502/503: Server errors or maintenance"),console.warn(`
-If sitemaps work in your browser but not here, the site likely has bot protection.`),console.warn("Try: Check if sitemaps load without JavaScript, or contact site administrator.")):console.warn(`Processed ${p} URL(s) but found no accessible sitemaps.`),console.warn(`
-Note: This tool does not follow redirects for sitemap URLs.`),g>0&&(console.warn(`
-Possible causes of redirects:`),console.warn("  - Sitemap index uses non-canonical domain (e.g., missing 'www' or vice versa)"),console.warn("  - Sitemap URLs redirect from HTTP to HTTPS"),console.warn("  - Intentional redirects in your site configuration"),console.warn(`
-Recommendation: Update sitemap index URLs to match the final destination (no redirects).`)),console.warn("")),{sitemaps:a,canonicalDomain:l}}async function O(e,t){let r=me(e),s=[],n;t.verbose&&console.log("Strategy 1: Checking robots.txt for sitemap directives...");let a=await z(r,t);if(a.length>0){let{sitemaps:m,canonicalDomain:l}=await $(a,t,r,n);return n=l,{sitemaps:m,source:"robots-txt",accessIssues:[],canonicalDomain:n}}t.verbose&&console.log("Strategy 2: Trying standard sitemap paths...");let{sitemaps:c,issues:o,redirectedToCanonical:i}=await M(r,t);if(s=o,c.length>0){let{sitemaps:m,canonicalDomain:l}=await $(c,t,r,n);return n=l,{sitemaps:m,source:"standard-path",accessIssues:[],canonicalDomain:n}}if(i){let m=`https://${i}`;console.log(`
-\u{1F4A1} All requests redirected. Retrying with canonical domain: ${i}
-`);let l=await z(m,t);if(l.length>0){let{sitemaps:p,canonicalDomain:u}=await $(l,t,m,i);return{sitemaps:p,source:"robots-txt",accessIssues:[],canonicalDomain:u||i}}let{sitemaps:d}=await M(m,t);if(d.length>0){let{sitemaps:p,canonicalDomain:u}=await $(d,t,m,i);return{sitemaps:p,source:"standard-path",accessIssues:[],canonicalDomain:u||i}}}return{sitemaps:[],source:"none",accessIssues:s,canonicalDomain:n}}import{XMLParser as ge,XMLValidator as fe}from"fast-xml-parser";var he=new ge({ignoreAttributes:!1,attributeNamePrefix:"@_",textNodeName:"_text",parseAttributeValue:!0,trimValues:!0,allowBooleanAttributes:!0,parseTagValue:!1});function ye(e,t){let r=[];if(e.urlset){let s=Array.isArray(e.urlset.url)?e.urlset.url:[e.urlset.url];for(let n of s)!n||!n.loc||r.push({loc:n.loc,lastmod:n.lastmod,changefreq:n.changefreq,priority:n.priority?parseFloat(n.priority):void 0,source:t})}return r}async function G(e,t){let r=[];try{let s=fe.validate(e);if(s!==!0){let o=typeof s=="object"?s.err.msg:"Invalid XML";return{urls:[],errors:[`[${t}] XML parsing failed: ${o}`],totalCount:0,sitemapUrl:t}}let n=he.parse(e),a=ye(n,t),c=[];for(let o of a)try{new URL(o.loc),o.priority!==void 0&&(o.priority<0||o.priority>1)&&(r.push(`Invalid priority ${o.priority} for ${o.loc} - clamping to 0-1`),o.priority=Math.max(0,Math.min(1,o.priority))),o.changefreq&&(["always","hourly","daily","weekly","monthly","yearly","never"].includes(o.changefreq.toLowerCase())||(r.push(`Invalid changefreq "${o.changefreq}" for ${o.loc}`),o.changefreq=void 0)),c.push(o)}catch{r.push(`Invalid URL format: ${o.loc}`)}return{urls:c,errors:r,totalCount:c.length,sitemapUrl:t}}catch(s){let n=s instanceof Error?s.message:String(s);return{urls:[],errors:[`[${t}] XML parsing failed: ${n}`],totalCount:0,sitemapUrl:t}}}async function q(e,t){let r=[],s=[],n=0,a=0;t.verbose&&console.log(`
-Extracting URLs from ${e.length} sitemap(s)...`);let o=await ve(e,10,async i=>{try{t.verbose&&console.log(`Extracting URLs from: ${i}`);let m=await S(i,{timeout:t.timeout,maxRetries:2}),l=await G(m.content,i),d=l.urls.map(p=>({...p,extractedAt:new Date().toISOString()}));return t.verbose&&console.log(`  \u2713 Extracted ${l.urls.length} URLs from ${i}`),{success:!0,urls:d,errors:l.errors}}catch(m){let l=`Failed to process ${i}: ${m instanceof Error?m.message:String(m)}`;return t.verbose&&console.error(`  \u2717 ${l}`),{success:!1,urls:[],errors:[l]}}});for(let i of o)i.success?(n++,r.push(...i.urls)):a++,s.push(...i.errors);return t.verbose&&(console.log(`
-Extraction complete:`),console.log(`  - Sitemaps processed: ${n}`),console.log(`  - Sitemaps failed: ${a}`),console.log(`  - Total URLs: ${r.length}`),console.log(`  - Errors: ${s.length}`)),{allUrls:r,sitemapsProcessed:n,sitemapsFailed:a,totalUrls:r.length,errors:s}}async function ve(e,t,r){let s=[];for(let n=0;n<e.length;n+=t){let a=e.slice(n,n+t),c=await Promise.all(a.map(r));s.push(...c)}return s}function be(e){try{let t=new URL(e),r=t.pathname;r.endsWith("/")&&r!=="/"&&(r=r.slice(0,-1));let s=Array.from(t.searchParams.entries()).sort(([a],[c])=>a.localeCompare(c)),n=new URLSearchParams(s);return`${t.protocol}//${t.host}${r}${n.toString()?"?"+n.toString():""}${t.hash}`}catch{return e}}function we(e){if(e.length===1)return e[0];let t={...e[0]},r=e.map(o=>o.source);t.source=r.join(", ");let s=e.map(o=>o.lastmod).filter(o=>!!o).map(o=>new Date(o).getTime()).sort((o,i)=>i-o);s.length>0&&(t.lastmod=new Date(s[0]).toISOString());let n=e.map(o=>o.priority).filter(o=>o!==void 0);n.length>0&&(t.priority=Math.max(...n));let a=e.map(o=>o.changefreq).filter(o=>!!o);if(a.length>0){let o=new Map;for(let m of a)o.set(m,(o.get(m)||0)+1);let i=Array.from(o.entries()).sort((m,l)=>l[1]-m[1]);t.changefreq=i[0][0]}let c=e.map(o=>o.extractedAt).filter(o=>!!o).map(o=>new Date(o).getTime()).sort((o,i)=>i-o);return c.length>0&&(t.extractedAt=new Date(c[0]).toISOString()),t}function j(e,t=!1){let r=e.length;t&&console.log(`
-Consolidating ${e.length} URL(s)...`);let s=new Map;for(let c of e){let o=be(c.loc);s.has(o)||s.set(o,[]),s.get(o).push(c)}let n=[],a=[];for(let[c,o]of s.entries()){let i=we(o);n.push(i),o.length>1&&a.push({url:c,count:o.length,sources:o.map(m=>m.source)})}if(t&&(console.log("Consolidation complete:"),console.log(`  - Input URLs: ${r}`),console.log(`  - Unique URLs: ${n.length}`),console.log(`  - Duplicates removed: ${r-n.length}`),a.length>0)){console.log(`
-Top duplicates:`);let c=a.sort((o,i)=>i.count-o.count).slice(0,5);for(let o of c)console.log(`  - ${o.url} (${o.count} times)`)}return{uniqueUrls:n,totalInputUrls:r,duplicatesRemoved:r-n.length,duplicateGroups:a}}var H=[{name:"Authentication Parameter",category:"sensitive_params",severity:"high",regex:/[?&](token|auth|key|password|secret|apikey|session|credentials)=/i,description:"Query parameter may contain sensitive authentication data"},{name:"Debug Parameter",category:"sensitive_params",severity:"medium",regex:/[?&](debug|trace|verbose|test_mode)=/i,description:"Query parameter may contain debug or diagnostic flag"},{name:"HTTP in HTTPS Site",category:"protocol_inconsistency",severity:"medium",regex:/^http:\/\//,description:"HTTP URL in HTTPS sitemap (potential mixed content)"},{name:"Test Content Path",category:"test_content",severity:"medium",regex:/\/(?:test-|demo-|sample-|temp-|temporary-|placeholder-)|\/(test|demo|sample|temp|temporary|placeholder)(?:\/|$)/i,description:"URL path suggests test, demo, or unfinished content that may not be intended for indexing"}];function E(e){return e.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")}function xe(e){let t=e.split(".");return t.length>=2?t.slice(-2).join("."):e}function V(e,t){let r=new URL(e).hostname,s=xe(r);if(t?.allowedSubdomains&&t.allowedSubdomains.length>0){let c=E(s),i=`^https?://(?!(?:(?:${t.allowedSubdomains.map(E).join("|")})\\.)?${c}(?:/|$))`;return{name:"Domain Mismatch",category:"domain_mismatch",severity:"high",regex:new RegExp(i),description:"URL does not match expected domain or allowed subdomains"}}let a=`^https?://(?!(?:www\\.)?${E(s)}(?:/|$))`;return{name:"Domain Mismatch",category:"domain_mismatch",severity:"high",regex:new RegExp(a),description:`URL does not match expected domain: ${s} (including www variant)`}}var B=[{name:"Staging Subdomain",category:"environment_leakage",severity:"high",regex:/^https?:\/\/(staging|stg)\./i,description:"URL uses staging subdomain"},{name:"Development Subdomain",category:"environment_leakage",severity:"high",regex:/^https?:\/\/(dev|development)\./i,description:"URL uses development subdomain"},{name:"QA/Test Subdomain",category:"environment_leakage",severity:"high",regex:/^https?:\/\/(qa|test|uat|preprod)\./i,description:"URL uses test environment subdomain"},{name:"Localhost URL",category:"environment_leakage",severity:"high",regex:/^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)/,description:"URL points to localhost (development environment)"},{name:"Environment in Path",category:"environment_leakage",severity:"high",regex:/^https?:\/\/[^/]+\/(staging|dev|qa|uat|preprod)\//i,description:"URL path contains environment identifier at root level"}];var W=[{name:"Admin Path",category:"admin_paths",severity:"high",regex:/\/(admin|administrator)(?:\/|$|\?)/i,description:"URL contains /admin or /administrator as a path segment"},{name:"Dashboard Path",category:"admin_paths",severity:"high",regex:/\/dashboard(?:\/|$|\?)/i,description:"URL contains /dashboard as a path segment"},{name:"Config Path",category:"admin_paths",severity:"high",regex:/\/(config|configuration)(?:\/|$|\?)/i,description:"URL contains /config or /configuration as a path segment"},{name:"Console Path",category:"admin_paths",severity:"high",regex:/\/console(?:\/|$|\?)/i,description:"URL contains /console as a path segment"},{name:"Control Panel Path",category:"admin_paths",severity:"high",regex:/\/(cpanel|control-panel)(?:\/|$|\?)/i,description:"URL contains control panel as a path segment"}],J=[{name:"Internal Content Path",category:"internal_content",severity:"medium",regex:/\/internal\b/i,description:"URL contains /internal path segment - may be internal-only content not intended for public indexing"}],Q=[{name:"Authentication Token Parameter",category:"sensitive_params",severity:"high",regex:/[?&](token|auth_token|access_token|api_token)=/i,description:"Query parameter may contain authentication token"},{name:"API Key Parameter",category:"sensitive_params",severity:"high",regex:/[?&](apikey|api_key|key)=/i,description:"Query parameter may contain API key"},{name:"Password Parameter",category:"sensitive_params",severity:"high",regex:/[?&](password|passwd|pwd)=/i,description:"Query parameter may contain password"},{name:"Secret Parameter",category:"sensitive_params",severity:"high",regex:/[?&](secret|client_secret)=/i,description:"Query parameter may contain secret value"},{name:"Session Parameter",category:"sensitive_params",severity:"high",regex:/[?&](session|sessionid|sid)=/i,description:"Query parameter may contain session identifier"},{name:"Credentials Parameter",category:"sensitive_params",severity:"high",regex:/[?&]credentials=/i,description:"Query parameter may contain credentials"},{name:"Debug Parameter",category:"sensitive_params",severity:"medium",regex:/[?&](debug|trace|verbose)=/i,description:"Query parameter contains debug or diagnostic flag"},{name:"Test Mode Parameter",category:"sensitive_params",severity:"medium",regex:/[?&](test_mode|test|testing)=/i,description:"Query parameter indicates test mode"}];function K(e){try{let t=new URL(e),r=["token","auth","auth_token","access_token","api_token","apikey","api_key","key","password","passwd","pwd","secret","client_secret","session","sessionid","sid","credentials"];for(let s of r)t.searchParams.has(s)&&t.searchParams.set(s,"[REDACTED]");return t.toString()}catch{return e}}function Re(e,t,r){switch(e){case"environment_leakage":return{rationale:`Production sitemap contains ${r} URL(s) from non-production environments (staging, dev, QA, test). This indicates configuration errors or environment leakage.`,recommendedAction:"Verify sitemap generation excludes non-production environments. Review deployment configuration and environment filtering rules."};case"admin_paths":return{rationale:`${r} administrative path(s) detected in public sitemap (admin, dashboard, config). These paths may expose privileged access points.`,recommendedAction:"Confirm if admin paths should be publicly indexed. Consider excluding via robots.txt or removing from sitemap. Verify access controls."};case"internal_content":return{rationale:`${r} URL(s) contain "internal" in the path. These may be internal-facing content not intended for public indexing.`,recommendedAction:"Review URLs to determine if they should be publicly accessible. Consider excluding internal content from sitemap or adding noindex meta tags."};case"test_content":return{rationale:`${r} URL(s) contain test/demo/sample identifiers. These may be placeholder or unfinished content not intended for indexing.`,recommendedAction:"Review and remove test content from production sitemaps. Verify content is production-ready before including in sitemap."};case"sensitive_params":return{rationale:`${r} URL(s) contain sensitive query parameters (token, auth, key, password, session). This may expose authentication credentials or debugging flags.`,recommendedAction:"Review why sensitive parameters are in sitemap URLs. Remove authentication tokens from URLs. Consider POST requests for sensitive data."};case"protocol_inconsistency":return{rationale:`${r} URL(s) use HTTP protocol in HTTPS sitemap. This creates mixed content warnings and potential security issues.`,recommendedAction:"Update URLs to use HTTPS consistently. Verify SSL certificate coverage. Check for hardcoded HTTP URLs in content."};case"domain_mismatch":return{rationale:`${r} URL(s) do not match expected base domain. This may indicate external links, CDN URLs, or configuration errors.`,recommendedAction:"Verify if external domains are intentional. Review sitemap generation logic. Confirm CDN or subdomain configuration is correct."};default:return{rationale:`${r} URL(s) flagged in category: ${e}`,recommendedAction:"Review flagged URLs and determine appropriate action."}}}function P(e,t=5){let r=new Map;for(let i of e)r.has(i.category)||r.set(i.category,[]),r.get(i.category).push(i);let s=[];for(let[i,m]of r.entries()){let l=Array.from(new Set(m.map(f=>f.url))),d=m.reduce((f,w)=>{let h=["low","medium","high"];return h.indexOf(w.severity)>h.indexOf(f)?w.severity:f},"low"),p=l.slice(0,t),{rationale:u,recommendedAction:g}=Re(i,d,l.length);s.push({category:i,severity:d,count:l.length,rationale:u,sampleUrls:p,recommendedAction:g,allUrls:l})}s.sort((i,m)=>{let l=["high","medium","low"];return l.indexOf(i.severity)-l.indexOf(m.severity)});let n=new Set(e.map(i=>i.url)).size,a=s.filter(i=>i.severity==="high").reduce((i,m)=>i+m.count,0),c=s.filter(i=>i.severity==="medium").reduce((i,m)=>i+m.count,0),o=s.filter(i=>i.severity==="low").reduce((i,m)=>i+m.count,0);return{groups:s,totalRiskUrls:n,highSeverityCount:a,mediumSeverityCount:c,lowSeverityCount:o}}async function Y(e,t,r){let s=Date.now(),n=[],a=V(t),c=[...H,...B,...W,...Q,...J,a],o=[];if(r.acceptedPatterns&&r.acceptedPatterns.length>0)for(let p of r.acceptedPatterns)try{let u=p.replace(/[.+?^${}()|[\]\\]/g,"\\$&").replace(/\*/g,"[^/]*");!u.endsWith("$")&&!u.includes("(?:")&&(u=u+"(?:/|$|\\?|#)"),o.push(new RegExp(u,"i"))}catch{r.verbose&&console.warn(`Invalid accepted pattern: ${p}`)}if(r.verbose){console.log(`
-Analyzing ${e.length} URLs for risk patterns...`);try{console.log(`Base domain: ${new URL(t).hostname}`)}catch{console.log(`Base URL: ${t}`)}o.length>0&&console.log(`Accepted patterns: ${o.length}`)}let i;try{i=new URL(t).protocol}catch{r.verbose&&console.warn(`Invalid base URL: ${t}, defaulting to https:`),i="https:"}let m=0;for(let p of e){let u=p.loc;m++,(m%1e4===0||m===e.length)&&process.stdout.write(`\r\x1B[K  Analyzing: ${m.toLocaleString()}/${e.length.toLocaleString()} URLs...`);let g=!1;for(let f of o)if(f.test(u)){g=!0;break}if(!g)for(let f of c)if(f.category==="protocol_inconsistency")try{let w=new URL(u).protocol;i==="https:"&&w==="http:"&&n.push({url:u,category:f.category,severity:f.severity,pattern:f.name,rationale:f.description,matchedValue:"http://"})}catch{r.verbose&&console.warn(`Skipping invalid URL: ${u}`);continue}else try{let w=u.match(f.regex);w&&n.push({url:f.category==="sensitive_params"?K(u):u,category:f.category,severity:f.severity,pattern:f.name,rationale:f.description,matchedValue:w[0]})}catch(w){r.verbose&&console.error(`Pattern matching failed for ${f.name}: ${w instanceof Error?w.message:String(w)}`);continue}}e.length>=1e4&&process.stdout.write("\r\x1B[K");let l=P(n),d=Date.now()-s;if(r.verbose&&(console.log(`
-Risk Summary:`),console.log(`  - Total URLs analyzed: ${e.length}`),console.log(`  - Risk URLs found: ${l.totalRiskUrls}`),console.log(`  - HIGH severity: ${l.highSeverityCount}`),console.log(`  - MEDIUM severity: ${l.mediumSeverityCount}`),console.log(`  - LOW severity: ${l.lowSeverityCount}`),console.log(`  - Processing time: ${d}ms`),l.groups.length>0)){console.log(`
-Risk Categories Found:`);for(let p of l.groups)console.log(`  - ${p.category}: ${p.count} URLs (${p.severity.toUpperCase()})`)}return{findings:n,groups:l.groups,totalUrlsAnalyzed:e.length,riskUrlCount:l.totalRiskUrls,cleanUrlCount:e.length-l.totalRiskUrls,highSeverityCount:l.highSeverityCount,mediumSeverityCount:l.mediumSeverityCount,lowSeverityCount:l.lowSeverityCount,processingTimeMs:d}}function X(e){let t={high:0,medium:0,low:0},r=e.riskGroups.map(c=>{t[c.severity]+=c.count;let o=c.allUrls||c.sampleUrls;return{category:c.category,count:c.count,severity:c.severity,summary:c.rationale,examples:o.slice(0,3),allUrls:o}}),s=e.riskGroups.reduce((c,o)=>c+o.count,0),n=s>0?`Found ${s} potentially risky URLs across ${e.riskGroups.length} categories in ${e.totalUrls} total URLs.`:`Analyzed ${e.totalUrls} URLs. No suspicious patterns detected.`,a=[];return t.high>0&&a.push(`${t.high} high-severity issues require immediate attention`),t.medium>0&&a.push(`${t.medium} medium-severity issues should be reviewed`),t.low>0&&a.push(`${t.low} low-severity items flagged for awareness`),{overview:n,keyFindings:a,categoryInsights:r,severityBreakdown:t,recommendations:[],generatedBy:"rule-based analysis",metadata:{tokensUsed:0,processingTime:e.processingTime||0,model:"pattern-matching"}}}var Se="1.0.0-alpha.0";function Z(e,t,r,s,n,a,c={}){let{pretty:o=!0,indent:i=2}=c,m=ke(e,t,r,s,n,a),l=$e(m);return o?JSON.stringify(l,null,i):JSON.stringify(l)}function ke(e,t,r,s,n,a){let c=Ue(n.baseUrl||"unknown",a,e),o=s.map(d=>({category:d.category,severity:d.severity,count:d.count,pattern:d.category,rationale:d.rationale,sampleUrls:d.sampleUrls.slice(0,5),recommendedAction:d.recommendedAction})),i={highSeverityCount:e.severityBreakdown.high,mediumSeverityCount:e.severityBreakdown.medium,lowSeverityCount:e.severityBreakdown.low,totalRiskyUrls:s.reduce((d,p)=>d+p.count,0),overallStatus:Ce(e.severityBreakdown,r.errors)},m={overview:e.overview,keyFindings:e.keyFindings,recommendations:e.recommendations},l=r.errors.map(Ae);return{analysisMetadata:c,sitemapsDiscovered:t.sitemaps,totalUrlCount:r.totalCount,urlsAnalyzed:r.totalCount,suspiciousGroups:o,riskSummary:m,summary:i,errors:l}}function Ue(e,t,r){return{baseUrl:e,analysisTimestamp:new Date().toISOString(),toolVersion:Se,executionTimeMs:Date.now()-t,analysisType:r.generatedBy}}function Ce(e,t){return t.length>0?"errors":e.high+e.medium+e.low>0?"issues_found":"clean"}function $e(e){return{analysis_metadata:Pe(e.analysisMetadata),sitemaps_discovered:e.sitemapsDiscovered,total_url_count:e.totalUrlCount,urls_analyzed:e.urlsAnalyzed,suspicious_groups:e.suspiciousGroups.map(Te),risk_summary:Ee(e.riskSummary),summary:_e(e.summary),errors:e.errors}}function Pe(e){return{base_url:e.baseUrl,analysis_timestamp:e.analysisTimestamp,tool_version:e.toolVersion,execution_time_ms:e.executionTimeMs,analysis_type:e.analysisType}}function Te(e){return{category:e.category,severity:e.severity,count:e.count,pattern:e.pattern,rationale:e.rationale,sample_urls:e.sampleUrls,recommended_action:e.recommendedAction}}function Ee(e){return{overview:e.overview,key_findings:e.keyFindings,recommendations:e.recommendations}}function _e(e){return{high_severity_count:e.highSeverityCount,medium_severity_count:e.mediumSeverityCount,low_severity_count:e.lowSeverityCount,total_risky_urls:e.totalRiskyUrls,overall_status:e.overallStatus}}function Ae(e){if("code"in e){let t=e,r={code:t.code||"UNKNOWN_ERROR",message:e.message};return"attemptedPaths"in t?r.context={attempted_paths:t.attemptedPaths}:"sitemapUrl"in t&&"lineNumber"in t?r.context={sitemap_url:t.sitemapUrl,line_number:t.lineNumber}:"url"in t&&(r.context={url:t.url}),r}return{code:"UNKNOWN_ERROR",message:e.message}}import{promises as Le}from"fs";var Ie="1.0.0-alpha.0";function De(e,t,r,s,n,a={}){let c=a.maxUrlsPerGroup??10,o=new Date().toISOString(),i=e.categoryInsights.reduce((u,g)=>u+g.count,0),m=e.categoryInsights.filter(u=>u.severity==="high"),l=e.categoryInsights.filter(u=>u.severity==="medium"),d=e.categoryInsights.filter(u=>u.severity==="low");return`<!DOCTYPE html>
+// src/index.ts
+import "dotenv/config";
+import { Command as Command2 } from "commander";
+// src/commands/analyze.ts
+import { Command } from "commander";
+import { promises as fs2 } from "fs";
+import ora from "ora";
+import chalk from "chalk";
+import cliProgress from "cli-progress";
+import os2 from "os";
+// src/config/config-loader.ts
+import { readFile } from "fs/promises";
+import { existsSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+// src/types/config.ts
+var DEFAULT_CONFIG = {
+  timeout: 30,
+  concurrency: 10,
+  parsingConcurrency: 50,
+  // Optimized for network-bound parallel parsing
+  discoveryConcurrency: 50,
+  // Optimized for recursive sitemap index discovery
+  outputFormat: "html",
+  outputDir: "./sitemap-qa/report",
+  verbose: false,
+  baseUrl: "https://example.com",
+  // Default for tests
+  acceptedPatterns: [],
+  riskDetectionBatchSize: 1e4,
+  riskDetectionConcurrency: void 0,
+  // Auto-detect in risk-detector.ts
+  progressBar: void 0,
+  // Auto-detect TTY
+  silent: false,
+  benchmark: false
+};
+// src/config/config-loader.ts
+async function loadConfig(cliOptions) {
+  let config = { ...DEFAULT_CONFIG };
+  const globalConfigPath = join(homedir(), ".sitemap-qa", "config.json");
+  if (existsSync(globalConfigPath)) {
+    try {
+      const globalConfig = JSON.parse(await readFile(globalConfigPath, "utf-8"));
+      config = { ...config, ...globalConfig };
+    } catch (error) {
+      console.warn(`Warning: Failed to load global config: ${error}`);
+    }
+  }
+  const projectConfigPath = join(process.cwd(), ".sitemap-qa.config.json");
+  if (existsSync(projectConfigPath)) {
+    try {
+      const projectConfig = JSON.parse(await readFile(projectConfigPath, "utf-8"));
+      config = { ...config, ...projectConfig };
+    } catch (error) {
+      console.warn(`Warning: Failed to load project config: ${error}`);
+    }
+  }
+  const envConfig = loadFromEnv();
+  config = { ...config, ...envConfig };
+  config = mergeCliOptions(config, cliOptions);
+  if (cliOptions.baseUrl) {
+    config.baseUrl = cliOptions.baseUrl;
+  }
+  validateConfig(config);
+  return config;
+}
+function loadFromEnv() {
+  const env = {};
+  if (process.env.SITEMAP_VERIFY_TIMEOUT) {
+    env.timeout = parseInt(process.env.SITEMAP_VERIFY_TIMEOUT, 10);
+  }
+  return env;
+}
+function mergeCliOptions(config, cliOptions) {
+  const merged = { ...config };
+  if (cliOptions.timeout && cliOptions.timeout !== "30") {
+    merged.timeout = parseInt(cliOptions.timeout, 10);
+  }
+  if (cliOptions.output) {
+    merged.outputFormat = cliOptions.output;
+  }
+  if (cliOptions.outputDir) {
+    merged.outputDir = cliOptions.outputDir;
+  }
+  if (cliOptions.verbose === true) {
+    merged.verbose = true;
+  }
+  if (cliOptions.acceptedPatterns) {
+    merged.acceptedPatterns = cliOptions.acceptedPatterns.split(",").map((p) => p.trim()).filter(Boolean);
+  }
+  return merged;
+}
+function validateConfig(config) {
+  if (config.timeout < 1 || config.timeout > 300) {
+    throw new Error("Timeout must be between 1 and 300 seconds");
+  }
+  if (!["json", "html"].includes(config.outputFormat)) {
+    throw new Error("Output format must be json or html");
+  }
+}
+// src/errors/network-errors.ts
+var NetworkError = class extends Error {
+  constructor(url, originalError) {
+    super(`Network request failed for ${url}: ${originalError.message}`);
+    this.url = url;
+    this.originalError = originalError;
+    this.name = "NetworkError";
+  }
+  code = "NETWORK_ERROR";
+};
+var HttpError = class extends Error {
+  constructor(url, statusCode, statusText) {
+    let message = `HTTP ${statusCode} error for ${url}`;
+    if (statusCode === 403) {
+      message += "\n   Note: 403 Forbidden often indicates bot protection (Cloudflare, etc.) or access restrictions";
+    }
+    super(message);
+    this.url = url;
+    this.statusCode = statusCode;
+    this.statusText = statusText;
+    this.name = "HttpError";
+  }
+  code = "HTTP_ERROR";
+};
+// src/utils/http-client.ts
+import { chromium } from "playwright";
+import axios from "axios";
+import { Agent as HttpAgent } from "http";
+import { Agent as HttpsAgent } from "https";
+var httpAgent = new HttpAgent({
+  keepAlive: true,
+  maxSockets: 200,
+  // Allow many concurrent connections
+  maxFreeSockets: 50,
+  timeout: 15e3
+});
+var httpsAgent = new HttpsAgent({
+  keepAlive: true,
+  maxSockets: 200,
+  maxFreeSockets: 50,
+  timeout: 15e3
+});
+var axiosInstance = axios.create({
+  httpAgent,
+  httpsAgent,
+  maxRedirects: 5,
+  validateStatus: () => true
+  // Don't throw on any status code
+});
+async function fetchUrlWithBrowser(url, timeout) {
+  let browser;
+  try {
+    browser = await chromium.launch({
+      headless: true,
+      args: [
+        "--disable-blink-features=AutomationControlled",
+        // Hide automation flags
+        "--disable-dev-shm-usage",
+        "--no-sandbox"
+      ]
+    });
+    const context = await browser.newContext({
+      userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+      viewport: { width: 1920, height: 1080 },
+      locale: "en-US",
+      timezoneId: "America/New_York",
+      extraHTTPHeaders: {
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.9",
+        "Accept-Encoding": "gzip, deflate, br",
+        "DNT": "1",
+        "Connection": "keep-alive",
+        "Upgrade-Insecure-Requests": "1"
+      }
+    });
+    const page = await context.newPage();
+    await page.addInitScript(() => {
+      Object.defineProperty(navigator, "webdriver", {
+        get: () => false
+      });
+      window.chrome = {
+        runtime: {}
+      };
+      const originalQuery = window.navigator.permissions.query;
+      window.navigator.permissions.query = (parameters) => parameters.name === "notifications" ? Promise.resolve({ state: Notification.permission }) : originalQuery(parameters);
+    });
+    page.setDefaultTimeout(timeout * 1e3);
+    const response = await page.goto(url, {
+      waitUntil: "domcontentloaded",
+      // Changed from networkidle - faster for simple XML
+      timeout: timeout * 1e3
+    });
+    if (!response) {
+      throw new Error("No response received from page");
+    }
+    const statusCode = response.status();
+    const content = await page.content();
+    const finalUrl = page.url();
+    await browser.close();
+    if (statusCode >= 200 && statusCode < 300) {
+      return {
+        content,
+        statusCode,
+        url: finalUrl
+      };
+    }
+    throw new HttpError(finalUrl, statusCode);
+  } catch (error) {
+    if (browser) {
+      await browser.close();
+    }
+    if (error.code === "HTTP_ERROR") {
+      throw error;
+    }
+    throw new NetworkError(url, error);
+  }
+}
+async function fetchUrl(url, options = {}) {
+  const {
+    timeout = 30,
+    maxRetries = 3,
+    retryDelay = 1e3,
+    useBrowser = false,
+    disableBrowserFallback = false
+  } = options;
+  new URL(url);
+  const retryableStatuses = [408, 429, 500, 502, 503, 504];
+  let lastError = null;
+  let attemptedBrowser = false;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      if (useBrowser || attemptedBrowser) {
+        return await fetchUrlWithBrowser(url, timeout);
+      }
+      const response = await axiosInstance.get(url, {
+        timeout: timeout * 1e3,
+        headers: {
+          "User-Agent": "sitemap-qa/1.0.0 (compatible; +https://github.com/Akotliar/sitemap-qa)",
+          "Accept": "text/xml,application/xml,text/plain,*/*",
+          "Accept-Encoding": "gzip, deflate",
+          "Connection": "keep-alive"
+        }
+      });
+      const statusCode = response.status;
+      const body = response.data;
+      if (statusCode >= 200 && statusCode < 300) {
+        return {
+          content: typeof body === "string" ? body : JSON.stringify(body),
+          statusCode,
+          url: response.request?.res?.responseUrl || url
+          // Final URL after redirects
+        };
+      }
+      if (statusCode === 403 && !attemptedBrowser && !disableBrowserFallback) {
+        attemptedBrowser = true;
+        continue;
+      }
+      if (!retryableStatuses.includes(statusCode)) {
+        throw new HttpError(response.request?.res?.responseUrl || url, statusCode);
+      }
+      lastError = new HttpError(response.request?.res?.responseUrl || url, statusCode);
+    } catch (error) {
+      if (error.code === "HTTP_ERROR") {
+        const httpError = error;
+        if (!retryableStatuses.includes(httpError.statusCode)) {
+          throw error;
+        }
+        lastError = error;
+      } else {
+        lastError = new NetworkError(url, error);
+      }
+      if (attempt === maxRetries) break;
+    }
+    if (attempt < maxRetries) {
+      const delay = retryDelay * Math.pow(2, attempt);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+  throw lastError;
+}
+// src/core/discovery.ts
+async function tryStandardPaths(baseUrl, config) {
+  const baseDomain = new URL(baseUrl).origin;
+  const accessIssues = [];
+  const standardPaths = [
+    "/sitemap.xml",
+    "/sitemap_index.xml",
+    "/sitemap-index.xml"
+  ];
+  const results = await Promise.allSettled(
+    standardPaths.map(async (path) => {
+      const sitemapUrl = `${baseDomain}${path}`;
+      try {
+        const result = await fetchUrl(sitemapUrl, {
+          timeout: config.timeout,
+          maxRetries: 0
+          // Don't retry on standard paths - fail fast
+        });
+        if (result.statusCode === 200) {
+          if (config.verbose) {
+            console.log(`\u2713 Found sitemap at: ${sitemapUrl}`);
+          }
+          return { found: true, url: sitemapUrl };
+        }
+        return { found: false };
+      } catch (error) {
+        if (error instanceof HttpError) {
+          if (error.statusCode === 401 || error.statusCode === 403) {
+            accessIssues.push({
+              url: sitemapUrl,
+              statusCode: error.statusCode,
+              error: error.statusCode === 401 ? "Unauthorized" : "Access Denied"
+            });
+            if (config.verbose) {
+              console.log(`\u26A0 Access denied: ${sitemapUrl} (${error.statusCode})`);
+            }
+          } else if (config.verbose) {
+            console.log(`\u2717 Not found: ${sitemapUrl} (${error.statusCode})`);
+          }
+        } else if (config.verbose) {
+          console.log(`\u2717 Not found: ${sitemapUrl}`);
+        }
+        return { found: false };
+      }
+    })
+  );
+  for (const result of results) {
+    if (result.status === "fulfilled" && result.value.found) {
+      return { sitemaps: [result.value.url], issues: accessIssues };
+    }
+  }
+  if (config.verbose) {
+    console.log("No sitemap found at standard paths");
+  }
+  return { sitemaps: [], issues: accessIssues };
+}
+async function parseRobotsTxt(baseUrl, config) {
+  const robotsUrl = `${new URL(baseUrl).origin}/robots.txt`;
+  try {
+    const result = await fetchUrl(robotsUrl, {
+      timeout: config.timeout,
+      maxRetries: 1
+    });
+    const lines = result.content.split("\n");
+    const sitemaps = [];
+    for (const line of lines) {
+      const match = line.match(/^Sitemap:\s*(.+)$/i);
+      if (match) {
+        const sitemapUrl = match[1].trim();
+        try {
+          new URL(sitemapUrl);
+          sitemaps.push(sitemapUrl);
+        } catch {
+          if (config.verbose) {
+            console.warn(`Invalid sitemap URL in robots.txt: ${sitemapUrl}`);
+          }
+        }
+      }
+    }
+    if (config.verbose && sitemaps.length > 0) {
+      console.log(`Found ${sitemaps.length} sitemap(s) in robots.txt`);
+    }
+    return sitemaps;
+  } catch (error) {
+    if (config.verbose) {
+      console.log(`No robots.txt found at ${robotsUrl}`);
+    }
+    return [];
+  }
+}
+function isSitemapIndex(xmlContent) {
+  if (xmlContent.includes("<sitemapindex")) {
+    return true;
+  }
+  if (xmlContent.includes("<urlset")) {
+    const urlBlockRegex = /<url[^>]*>.*?<loc>([^<]+)<\/loc>.*?<\/url>/gs;
+    const matches = Array.from(xmlContent.matchAll(urlBlockRegex));
+    const samplesToCheck = Math.min(5, matches.length);
+    let sitemapLikeCount = 0;
+    for (let i = 0; i < samplesToCheck; i++) {
+      const url = matches[i][1].trim().toLowerCase();
+      if (url.includes("sitemap") || url.endsWith(".xml")) {
+        sitemapLikeCount++;
+      }
+    }
+    return sitemapLikeCount > samplesToCheck / 2;
+  }
+  return false;
+}
+function extractSitemapIndexUrls(xmlContent) {
+  const urls = [];
+  if (xmlContent.includes("<sitemapindex")) {
+    const sitemapBlockRegex = /<sitemap[^>]*>(.*?)<\/sitemap>/gs;
+    let sitemapMatch;
+    while ((sitemapMatch = sitemapBlockRegex.exec(xmlContent)) !== null) {
+      const locMatch = /<loc>([^<]+)<\/loc>/i.exec(sitemapMatch[1]);
+      if (locMatch) {
+        const url = locMatch[1].trim();
+        try {
+          new URL(url);
+          urls.push(url);
+        } catch {
+        }
+      }
+    }
+  } else {
+    const urlBlockRegex = /<url[^>]*>(.*?)<\/url>/gs;
+    let urlMatch;
+    while ((urlMatch = urlBlockRegex.exec(xmlContent)) !== null) {
+      const locMatch = /<loc>([^<]+)<\/loc>/i.exec(urlMatch[1]);
+      if (locMatch) {
+        const url = locMatch[1].trim();
+        if (url.toLowerCase().includes("sitemap") || url.toLowerCase().endsWith(".xml")) {
+          try {
+            new URL(url);
+            urls.push(url);
+          } catch {
+          }
+        }
+      }
+    }
+  }
+  return urls;
+}
+async function discoverAllSitemaps(initialSitemaps, config) {
+  const finalSitemaps = [];
+  const toProcess = [...initialSitemaps];
+  const processed = /* @__PURE__ */ new Set();
+  const inaccessible = /* @__PURE__ */ new Set();
+  const BATCH_SIZE = config.discoveryConcurrency || 50;
+  while (toProcess.length > 0) {
+    const batch = toProcess.splice(0, Math.min(BATCH_SIZE, toProcess.length));
+    const batchResults = await Promise.all(batch.map(async (sitemapUrl) => {
+      if (processed.has(sitemapUrl)) {
+        if (config.verbose) {
+          console.warn(`Skipping duplicate sitemap: ${sitemapUrl}`);
+        }
+        return { type: "skip" };
+      }
+      processed.add(sitemapUrl);
+      try {
+        const result = await fetchUrl(sitemapUrl, {
+          timeout: config.timeout,
+          maxRetries: 2
+        });
+        if (isSitemapIndex(result.content)) {
+          if (config.verbose) {
+            console.log(`Found sitemap index: ${sitemapUrl}`);
+          }
+          const childUrls = extractSitemapIndexUrls(result.content);
+          if (config.verbose) {
+            console.log(`  \u2514\u2500 Contains ${childUrls.length} child sitemap(s)`);
+          }
+          return { type: "index", childUrls };
+        } else {
+          if (config.verbose) {
+            console.log(`\u2713 Discovered sitemap: ${sitemapUrl}`);
+          }
+          return { type: "sitemap", url: sitemapUrl };
+        }
+      } catch (error) {
+        inaccessible.add(sitemapUrl);
+        if (config.verbose) {
+          const message = error instanceof Error ? error.message : String(error);
+          console.warn(`Failed to fetch sitemap ${sitemapUrl}: ${message}`);
+        }
+        return { type: "failed" };
+      }
+    }));
+    for (const result of batchResults) {
+      if (result.type === "index") {
+        toProcess.push(...result.childUrls);
+      } else if (result.type === "sitemap") {
+        finalSitemaps.push(result.url);
+      }
+    }
+    if (processed.size > 1e3) {
+      console.warn(`\u26A0\uFE0F  Processed over 1000 sitemap URLs. Stopping to prevent excessive requests.`);
+      break;
+    }
+  }
+  if (finalSitemaps.length === 0 && inaccessible.size > 0) {
+    console.warn(`
+\u26A0\uFE0F  All ${inaccessible.size} sitemap(s) were inaccessible`);
+    console.warn(`Common causes: 403/404 errors, network issues, or bot protection`);
+  }
+  return finalSitemaps;
+}
+async function discoverSitemaps(baseUrl, config) {
+  const normalizedUrl = new URL(baseUrl).origin;
+  if (config.verbose) {
+    console.log("Checking robots.txt for sitemap directives...");
+  }
+  const robotsSitemaps = await parseRobotsTxt(normalizedUrl, config);
+  if (robotsSitemaps.length > 0) {
+    const sitemaps = await discoverAllSitemaps(robotsSitemaps, config);
+    return {
+      sitemaps,
+      source: "robots-txt",
+      accessIssues: []
+    };
+  }
+  if (config.verbose) {
+    console.log("Trying standard sitemap paths...");
+  }
+  const { sitemaps: standardSitemaps, issues } = await tryStandardPaths(normalizedUrl, config);
+  if (standardSitemaps.length > 0) {
+    const sitemaps = await discoverAllSitemaps(standardSitemaps, config);
+    if (sitemaps.length > 0) {
+      return {
+        sitemaps,
+        source: "standard-path",
+        accessIssues: []
+      };
+    }
+    return {
+      sitemaps: [],
+      source: "standard-path",
+      accessIssues: issues
+    };
+  }
+  return {
+    sitemaps: [],
+    source: "none",
+    accessIssues: issues
+  };
+}
+// src/core/parser.ts
+import { XMLParser, XMLValidator } from "fast-xml-parser";
+var VALID_CHANGEFREQ = /* @__PURE__ */ new Set([
+  "always",
+  "hourly",
+  "daily",
+  "weekly",
+  "monthly",
+  "yearly",
+  "never"
+]);
+var parser = new XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: "@_",
+  textNodeName: "_text",
+  parseAttributeValue: true,
+  trimValues: true,
+  allowBooleanAttributes: true,
+  parseTagValue: false
+  // Keep values as strings for validation
+});
+function extractUrls(parsedXml, sitemapUrl) {
+  const urls = [];
+  if (parsedXml.urlset) {
+    const urlNodes = Array.isArray(parsedXml.urlset.url) ? parsedXml.urlset.url : [parsedXml.urlset.url];
+    for (let i = 0; i < urlNodes.length; i++) {
+      const node = urlNodes[i];
+      if (!node || !node.loc) {
+        continue;
+      }
+      urls.push({
+        loc: node.loc,
+        lastmod: node.lastmod,
+        changefreq: node.changefreq,
+        priority: node.priority ? parseFloat(node.priority) : void 0,
+        source: sitemapUrl
+      });
+    }
+  }
+  return urls;
+}
+async function parseSitemap(xml, sitemapUrl) {
+  const errors = [];
+  try {
+    const validationResult = XMLValidator.validate(xml);
+    if (validationResult !== true) {
+      const validationError = typeof validationResult === "object" ? validationResult.err.msg : "Invalid XML";
+      return {
+        urls: [],
+        errors: [
+          `[${sitemapUrl}] XML parsing failed: ${validationError}`
+        ],
+        totalCount: 0,
+        sitemapUrl
+      };
+    }
+    const parsed = parser.parse(xml);
+    const urls = extractUrls(parsed, sitemapUrl);
+    const validUrls = [];
+    for (const entry of urls) {
+      try {
+        new URL(entry.loc);
+        if (entry.priority !== void 0) {
+          if (entry.priority < 0 || entry.priority > 1) {
+            errors.push(
+              `Invalid priority ${entry.priority} for ${entry.loc} - clamping to 0-1`
+            );
+            entry.priority = Math.max(0, Math.min(1, entry.priority));
+          }
+        }
+        if (entry.changefreq) {
+          if (!VALID_CHANGEFREQ.has(entry.changefreq.toLowerCase())) {
+            errors.push(
+              `Invalid changefreq "${entry.changefreq}" for ${entry.loc}`
+            );
+            entry.changefreq = void 0;
+          }
+        }
+        validUrls.push(entry);
+      } catch (urlError) {
+        errors.push(`Invalid URL format: ${entry.loc}`);
+      }
+    }
+    return {
+      urls: validUrls,
+      errors,
+      totalCount: validUrls.length,
+      sitemapUrl
+    };
+  } catch (parseError) {
+    const errorMsg = parseError instanceof Error ? parseError.message : String(parseError);
+    return {
+      urls: [],
+      errors: [
+        `[${sitemapUrl}] XML parsing failed: ${errorMsg}`
+      ],
+      totalCount: 0,
+      sitemapUrl
+    };
+  }
+}
+// src/utils/batch-processor.ts
+function chunkArray(array, chunkSize) {
+  const chunks = [];
+  for (let i = 0; i < array.length; i += chunkSize) {
+    chunks.push(array.slice(i, i + chunkSize));
+  }
+  return chunks;
+}
+async function processInBatches(items, concurrency, processor, onProgress) {
+  const results = new Array(items.length);
+  let completed = 0;
+  let currentIndex = 0;
+  const errors = [];
+  const workers = Array(Math.min(concurrency, items.length)).fill(null).map(async () => {
+    while (currentIndex < items.length) {
+      const index = currentIndex++;
+      const item = items[index];
+      try {
+        results[index] = await processor(item);
+      } catch (error) {
+        errors.push({ index, error });
+        results[index] = null;
+      }
+      completed++;
+      if (onProgress) {
+        onProgress(completed, items.length);
+      }
+    }
+  });
+  await Promise.all(workers);
+  if (errors.length > 0) {
+    console.warn(`Processed ${items.length} items with ${errors.length} errors`);
+  }
+  return results;
+}
+// src/core/extractor.ts
+async function extractAllUrls(sitemapUrls, config, onProgress) {
+  const allUrls = [];
+  const allErrors = [];
+  let sitemapsProcessed = 0;
+  let sitemapsFailed = 0;
+  if (config.verbose) {
+    console.log(`
+Extracting URLs from ${sitemapUrls.length} sitemap(s)...`);
+  }
+  const CONCURRENCY = config.parsingConcurrency || 50;
+  if (!config.silent && config.verbose) {
+    console.log(`Using parsing concurrency: ${CONCURRENCY}`);
+  }
+  const results = await processInBatches(
+    sitemapUrls,
+    CONCURRENCY,
+    async (sitemapUrl) => {
+      try {
+        if (config.verbose) {
+          console.log(`Extracting URLs from: ${sitemapUrl}`);
+        }
+        const response = await fetchUrl(sitemapUrl, {
+          timeout: 10,
+          // Fast timeout for sitemaps
+          maxRetries: 0,
+          // No retries - fail fast
+          disableBrowserFallback: true
+          // Don't use browser for bulk parsing
+        });
+        const parseResult = await parseSitemap(response.content, sitemapUrl);
+        const extractedAt = (/* @__PURE__ */ new Date()).toISOString();
+        parseResult.urls.forEach((url) => {
+          url.extractedAt = extractedAt;
+        });
+        if (config.verbose) {
+          console.log(`  \u2713 Extracted ${parseResult.urls.length} URLs from ${sitemapUrl}`);
+        }
+        return {
+          success: true,
+          urls: parseResult.urls,
+          errors: parseResult.errors
+        };
+      } catch (error) {
+        const errorMsg = `Failed to process ${sitemapUrl}: ${error instanceof Error ? error.message : String(error)}`;
+        if (config.verbose) {
+          console.error(`  \u2717 ${errorMsg}`);
+        }
+        return {
+          success: false,
+          urls: [],
+          errors: [errorMsg]
+        };
+      }
+    },
+    onProgress
+    // Pass progress callback to batch processor
+  );
+  for (const result of results) {
+    if (result.success) {
+      sitemapsProcessed++;
+      allUrls.push(...result.urls);
+    } else {
+      sitemapsFailed++;
+    }
+    allErrors.push(...result.errors);
+  }
+  if (config.verbose) {
+    console.log(`
+Extraction complete:`);
+    console.log(`  - Sitemaps processed: ${sitemapsProcessed}`);
+    console.log(`  - Sitemaps failed: ${sitemapsFailed}`);
+    console.log(`  - Total URLs: ${allUrls.length}`);
+    console.log(`  - Errors: ${allErrors.length}`);
+  }
+  return {
+    allUrls,
+    sitemapsProcessed,
+    sitemapsFailed,
+    totalUrls: allUrls.length,
+    errors: allErrors
+  };
+}
+// src/core/consolidator.ts
+function normalizeUrl(url) {
+  try {
+    const parsed = new URL(url);
+    let pathname = parsed.pathname;
+    if (pathname.endsWith("/") && pathname !== "/") {
+      pathname = pathname.slice(0, -1);
+    }
+    const params = Array.from(parsed.searchParams.entries()).sort(
+      ([a], [b]) => a.localeCompare(b)
+    );
+    const sortedParams = new URLSearchParams(params);
+    return `${parsed.protocol}//${parsed.host}${pathname}${sortedParams.toString() ? "?" + sortedParams.toString() : ""}${parsed.hash}`;
+  } catch {
+    return url;
+  }
+}
+function mergeUrlEntries(entries) {
+  if (entries.length === 1) return entries[0];
+  const merged = { ...entries[0] };
+  const sources = entries.map((e) => e.source);
+  merged.source = sources.join(", ");
+  const lastmods = entries.map((e) => e.lastmod).filter((lm) => !!lm).map((lm) => new Date(lm).getTime()).sort((a, b) => b - a);
+  if (lastmods.length > 0) {
+    merged.lastmod = new Date(lastmods[0]).toISOString();
+  }
+  const priorities = entries.map((e) => e.priority).filter((p) => p !== void 0);
+  if (priorities.length > 0) {
+    merged.priority = Math.max(...priorities);
+  }
+  const changefreqs = entries.map((e) => e.changefreq).filter((cf) => !!cf);
+  if (changefreqs.length > 0) {
+    const counts = /* @__PURE__ */ new Map();
+    for (const cf of changefreqs) {
+      counts.set(cf, (counts.get(cf) || 0) + 1);
+    }
+    const sorted = Array.from(counts.entries()).sort((a, b) => b[1] - a[1]);
+    merged.changefreq = sorted[0][0];
+  }
+  const extractedAts = entries.map((e) => e.extractedAt).filter((ea) => !!ea).map((ea) => new Date(ea).getTime()).sort((a, b) => b - a);
+  if (extractedAts.length > 0) {
+    merged.extractedAt = new Date(extractedAts[0]).toISOString();
+  }
+  return merged;
+}
+function consolidateUrls(urls, verbose = false) {
+  const totalInputUrls = urls.length;
+  if (verbose) {
+    console.log(`
+Consolidating ${urls.length} URL(s)...`);
+  }
+  const urlMap = /* @__PURE__ */ new Map();
+  for (const entry of urls) {
+    const normalized = normalizeUrl(entry.loc);
+    if (!urlMap.has(normalized)) {
+      urlMap.set(normalized, []);
+    }
+    urlMap.get(normalized).push(entry);
+  }
+  const uniqueUrls = [];
+  const duplicateGroups = [];
+  for (const [normalized, entries] of urlMap.entries()) {
+    const merged = mergeUrlEntries(entries);
+    uniqueUrls.push(merged);
+    if (entries.length > 1) {
+      duplicateGroups.push({
+        url: normalized,
+        count: entries.length,
+        sources: entries.map((e) => e.source)
+      });
+    }
+  }
+  if (verbose) {
+    console.log(`Consolidation complete:`);
+    console.log(`  - Input URLs: ${totalInputUrls}`);
+    console.log(`  - Unique URLs: ${uniqueUrls.length}`);
+    console.log(`  - Duplicates removed: ${totalInputUrls - uniqueUrls.length}`);
+    if (duplicateGroups.length > 0) {
+      console.log(`
+Top duplicates:`);
+      const top5 = duplicateGroups.sort((a, b) => b.count - a.count).slice(0, 5);
+      for (const group of top5) {
+        console.log(`  - ${group.url} (${group.count} times)`);
+      }
+    }
+  }
+  return {
+    uniqueUrls,
+    totalInputUrls,
+    duplicatesRemoved: totalInputUrls - uniqueUrls.length,
+    duplicateGroups
+  };
+}
+// src/core/patterns/risk-patterns.ts
+var RISK_PATTERNS = [
+  // Sensitive Parameter Patterns (HIGH)
+  {
+    name: "Authentication Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](token|auth|key|password|secret|apikey|session|credentials)=/i,
+    description: "Query parameter may contain sensitive authentication data"
+  },
+  {
+    name: "Debug Parameter",
+    category: "sensitive_params",
+    severity: "medium",
+    regex: /[?&](debug|trace|verbose|test_mode)=/i,
+    description: "Query parameter may contain debug or diagnostic flag"
+  },
+  // Protocol Inconsistency Patterns (MEDIUM)
+  {
+    name: "HTTP in HTTPS Site",
+    category: "protocol_inconsistency",
+    severity: "medium",
+    regex: /^http:\/\//,
+    description: "HTTP URL in HTTPS sitemap (potential mixed content)"
+  },
+  // Test/Unfinished Content Patterns (MEDIUM)
+  // Focuses on obvious test/placeholder patterns, avoiding false positives with legitimate content
+  {
+    name: "Test Content Path",
+    category: "test_content",
+    severity: "medium",
+    regex: /\/(?:test-|demo-|sample-|temp-|temporary-|placeholder-)|\/(test|demo|sample|temp|temporary|placeholder)(?:\/|$)/i,
+    description: "URL path suggests test, demo, or unfinished content that may not be intended for indexing"
+  }
+];
+// src/core/patterns/domain-patterns.ts
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function extractRootDomain(hostname) {
+  const parts = hostname.split(".");
+  if (parts.length >= 2) {
+    return parts.slice(-2).join(".");
+  }
+  return hostname;
+}
+function createDomainMismatchPattern(baseUrl, options) {
+  const baseDomain = new URL(baseUrl).hostname;
+  const rootDomain = extractRootDomain(baseDomain);
+  if (options?.allowedSubdomains && options.allowedSubdomains.length > 0) {
+    const escapedRoot2 = escapeRegex(rootDomain);
+    const escapedSubdomains = options.allowedSubdomains.map(escapeRegex).join("|");
+    const pattern2 = `^https?://(?!(?:(?:${escapedSubdomains})\\.)?${escapedRoot2}(?:/|$))`;
+    return {
+      name: "Domain Mismatch",
+      category: "domain_mismatch",
+      severity: "high",
+      regex: new RegExp(pattern2),
+      description: `URL does not match expected domain or allowed subdomains`
+    };
+  }
+  const escapedRoot = escapeRegex(rootDomain);
+  const pattern = `^https?://(?!(?:www\\.)?${escapedRoot}(?:/|$))`;
+  return {
+    name: "Domain Mismatch",
+    category: "domain_mismatch",
+    severity: "high",
+    regex: new RegExp(pattern),
+    description: `URL does not match expected domain: ${rootDomain} (including www variant)`
+  };
+}
+var ENVIRONMENT_PATTERNS = [
+  {
+    name: "Staging Subdomain",
+    category: "environment_leakage",
+    severity: "high",
+    regex: /^https?:\/\/(staging|stg)\./i,
+    description: "URL uses staging subdomain"
+  },
+  {
+    name: "Development Subdomain",
+    category: "environment_leakage",
+    severity: "high",
+    regex: /^https?:\/\/(dev|development)\./i,
+    description: "URL uses development subdomain"
+  },
+  {
+    name: "QA/Test Subdomain",
+    category: "environment_leakage",
+    severity: "high",
+    regex: /^https?:\/\/(qa|test|uat|preprod)\./i,
+    description: "URL uses test environment subdomain"
+  },
+  {
+    name: "Localhost URL",
+    category: "environment_leakage",
+    severity: "high",
+    regex: /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)/,
+    description: "URL points to localhost (development environment)"
+  },
+  {
+    name: "Environment in Path",
+    category: "environment_leakage",
+    severity: "high",
+    regex: /^https?:\/\/[^/]+\/(staging|dev|qa|uat|preprod)\//i,
+    description: "URL path contains environment identifier at root level"
+  }
+];
+// src/core/patterns/admin-patterns.ts
+var ADMIN_PATH_PATTERNS = [
+  {
+    name: "Admin Path",
+    category: "admin_paths",
+    severity: "high",
+    regex: /\/(admin|administrator)(?:\/|$|\?)/i,
+    description: "URL contains /admin or /administrator as a path segment"
+  },
+  {
+    name: "Dashboard Path",
+    category: "admin_paths",
+    severity: "high",
+    regex: /\/dashboard(?:\/|$|\?)/i,
+    description: "URL contains /dashboard as a path segment"
+  },
+  {
+    name: "Config Path",
+    category: "admin_paths",
+    severity: "high",
+    regex: /\/(config|configuration)(?:\/|$|\?)/i,
+    description: "URL contains /config or /configuration as a path segment"
+  },
+  {
+    name: "Console Path",
+    category: "admin_paths",
+    severity: "high",
+    regex: /\/console(?:\/|$|\?)/i,
+    description: "URL contains /console as a path segment"
+  },
+  {
+    name: "Control Panel Path",
+    category: "admin_paths",
+    severity: "high",
+    regex: /\/(cpanel|control-panel)(?:\/|$|\?)/i,
+    description: "URL contains control panel as a path segment"
+  }
+];
+var INTERNAL_CONTENT_PATTERNS = [
+  {
+    name: "Internal Content Path",
+    category: "internal_content",
+    severity: "medium",
+    regex: /\/internal\b/i,
+    description: "URL contains /internal path segment - may be internal-only content not intended for public indexing"
+  }
+];
+var SENSITIVE_PARAM_PATTERNS = [
+  {
+    name: "Authentication Token Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](token|auth_token|access_token|api_token)=/i,
+    description: "Query parameter may contain authentication token"
+  },
+  {
+    name: "API Key Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](apikey|api_key|key)=/i,
+    description: "Query parameter may contain API key"
+  },
+  {
+    name: "Password Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](password|passwd|pwd)=/i,
+    description: "Query parameter may contain password"
+  },
+  {
+    name: "Secret Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](secret|client_secret)=/i,
+    description: "Query parameter may contain secret value"
+  },
+  {
+    name: "Session Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&](session|sessionid|sid)=/i,
+    description: "Query parameter may contain session identifier"
+  },
+  {
+    name: "Credentials Parameter",
+    category: "sensitive_params",
+    severity: "high",
+    regex: /[?&]credentials=/i,
+    description: "Query parameter may contain credentials"
+  },
+  {
+    name: "Debug Parameter",
+    category: "sensitive_params",
+    severity: "medium",
+    regex: /[?&](debug|trace|verbose)=/i,
+    description: "Query parameter contains debug or diagnostic flag"
+  },
+  {
+    name: "Test Mode Parameter",
+    category: "sensitive_params",
+    severity: "medium",
+    regex: /[?&](test_mode|test|testing)=/i,
+    description: "Query parameter indicates test mode"
+  }
+];
+// src/utils/sanitizer.ts
+function sanitizeUrl(url) {
+  try {
+    const parsed = new URL(url);
+    const sensitiveParams = [
+      "token",
+      "auth",
+      "auth_token",
+      "access_token",
+      "api_token",
+      "apikey",
+      "api_key",
+      "key",
+      "password",
+      "passwd",
+      "pwd",
+      "secret",
+      "client_secret",
+      "session",
+      "sessionid",
+      "sid",
+      "credentials"
+    ];
+    for (const param of sensitiveParams) {
+      if (parsed.searchParams.has(param)) {
+        parsed.searchParams.set(param, "[REDACTED]");
+      }
+    }
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
+// src/core/risk-grouper.ts
+function generateRecommendation(category, _severity, count) {
+  switch (category) {
+    case "environment_leakage":
+      return {
+        rationale: `Production sitemap contains ${count} URL(s) from non-production environments (staging, dev, QA, test). This indicates configuration errors or environment leakage.`,
+        recommendedAction: "Verify sitemap generation excludes non-production environments. Review deployment configuration and environment filtering rules."
+      };
+    case "admin_paths":
+      return {
+        rationale: `${count} administrative path(s) detected in public sitemap (admin, dashboard, config). These paths may expose privileged access points.`,
+        recommendedAction: "Confirm if admin paths should be publicly indexed. Consider excluding via robots.txt or removing from sitemap. Verify access controls."
+      };
+    case "internal_content":
+      return {
+        rationale: `${count} URL(s) contain "internal" in the path. These may be internal-facing content not intended for public indexing.`,
+        recommendedAction: "Review URLs to determine if they should be publicly accessible. Consider excluding internal content from sitemap or adding noindex meta tags."
+      };
+    case "test_content":
+      return {
+        rationale: `${count} URL(s) contain test/demo/sample identifiers. These may be placeholder or unfinished content not intended for indexing.`,
+        recommendedAction: "Review and remove test content from production sitemaps. Verify content is production-ready before including in sitemap."
+      };
+    case "sensitive_params":
+      return {
+        rationale: `${count} URL(s) contain sensitive query parameters (token, auth, key, password, session). This may expose authentication credentials or debugging flags.`,
+        recommendedAction: "Review why sensitive parameters are in sitemap URLs. Remove authentication tokens from URLs. Consider POST requests for sensitive data."
+      };
+    case "protocol_inconsistency":
+      return {
+        rationale: `${count} URL(s) use HTTP protocol in HTTPS sitemap. This creates mixed content warnings and potential security issues.`,
+        recommendedAction: "Update URLs to use HTTPS consistently. Verify SSL certificate coverage. Check for hardcoded HTTP URLs in content."
+      };
+    case "domain_mismatch":
+      return {
+        rationale: `${count} URL(s) do not match expected base domain. This may indicate external links, CDN URLs, or configuration errors.`,
+        recommendedAction: "Verify if external domains are intentional. Review sitemap generation logic. Confirm CDN or subdomain configuration is correct."
+      };
+    default:
+      return {
+        rationale: `${count} URL(s) flagged in category: ${category}`,
+        recommendedAction: "Review flagged URLs and determine appropriate action."
+      };
+  }
+}
+function groupRiskFindings(findings, maxSampleUrls = 5) {
+  const categoryMap = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    if (!categoryMap.has(finding.category)) {
+      categoryMap.set(finding.category, []);
+    }
+    categoryMap.get(finding.category).push(finding);
+  }
+  const groups = [];
+  for (const [category, categoryFindings] of categoryMap.entries()) {
+    const uniqueUrls = Array.from(new Set(categoryFindings.map((f) => f.url)));
+    const severity = categoryFindings.reduce((highest, finding) => {
+      const severityOrder = ["low", "medium", "high"];
+      return severityOrder.indexOf(finding.severity) > severityOrder.indexOf(highest) ? finding.severity : highest;
+    }, "low");
+    const sampleUrls = uniqueUrls.slice(0, maxSampleUrls);
+    const { rationale, recommendedAction } = generateRecommendation(category, severity, uniqueUrls.length);
+    groups.push({
+      category,
+      severity,
+      count: uniqueUrls.length,
+      rationale,
+      sampleUrls,
+      recommendedAction,
+      allUrls: uniqueUrls
+    });
+  }
+  groups.sort((a, b) => {
+    const severityOrder = ["high", "medium", "low"];
+    return severityOrder.indexOf(a.severity) - severityOrder.indexOf(b.severity);
+  });
+  const totalRiskUrls = new Set(findings.map((f) => f.url)).size;
+  const highSeverityCount = groups.filter((g) => g.severity === "high").reduce((sum, g) => sum + g.count, 0);
+  const mediumSeverityCount = groups.filter((g) => g.severity === "medium").reduce((sum, g) => sum + g.count, 0);
+  const lowSeverityCount = groups.filter((g) => g.severity === "low").reduce((sum, g) => sum + g.count, 0);
+  return {
+    groups,
+    totalRiskUrls,
+    highSeverityCount,
+    mediumSeverityCount,
+    lowSeverityCount
+  };
+}
+// src/core/risk-detector.ts
+import os from "os";
+function compileAcceptedPatterns(config) {
+  const patterns = [];
+  if (config.acceptedPatterns && config.acceptedPatterns.length > 0) {
+    for (const pattern of config.acceptedPatterns) {
+      try {
+        let regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
+        if (!regexPattern.endsWith("$") && !regexPattern.includes("(?:")) {
+          regexPattern = regexPattern + "(?:/|$|\\?|#)";
+        }
+        patterns.push(new RegExp(regexPattern, "i"));
+      } catch (error) {
+        if (config.verbose) {
+          console.warn(`Invalid accepted pattern: ${pattern}`);
+        }
+      }
+    }
+  }
+  return patterns;
+}
+async function detectRisksInBatch(urls, allPatterns, acceptedPatterns, expectedProtocol, verbose) {
+  const findings = [];
+  for (const urlEntry of urls) {
+    const url = urlEntry.loc;
+    let isAccepted = false;
+    for (const acceptedPattern of acceptedPatterns) {
+      if (acceptedPattern.test(url)) {
+        isAccepted = true;
+        break;
+      }
+    }
+    if (isAccepted) continue;
+    for (const pattern of allPatterns) {
+      if (pattern.category === "protocol_inconsistency") {
+        try {
+          const urlProtocol = new URL(url).protocol;
+          if (expectedProtocol === "https:" && urlProtocol === "http:") {
+            findings.push({
+              url,
+              category: pattern.category,
+              severity: pattern.severity,
+              pattern: pattern.name,
+              rationale: pattern.description,
+              matchedValue: "http://"
+            });
+          }
+        } catch (error) {
+          continue;
+        }
+      } else {
+        try {
+          const match = url.match(pattern.regex);
+          if (match) {
+            findings.push({
+              url: pattern.category === "sensitive_params" ? sanitizeUrl(url) : url,
+              category: pattern.category,
+              severity: pattern.severity,
+              pattern: pattern.name,
+              rationale: pattern.description,
+              matchedValue: match[0]
+            });
+          }
+        } catch (error) {
+          if (verbose) {
+            console.error(`Pattern matching failed for ${pattern.name}: ${error instanceof Error ? error.message : String(error)}`);
+          }
+          continue;
+        }
+      }
+    }
+  }
+  return { findings, urlsProcessed: urls.length };
+}
+async function detectRisks(urls, baseUrl, config) {
+  const startTime = Date.now();
+  const domainPattern = createDomainMismatchPattern(baseUrl);
+  const allPatterns = [
+    ...RISK_PATTERNS,
+    ...ENVIRONMENT_PATTERNS,
+    ...ADMIN_PATH_PATTERNS,
+    ...SENSITIVE_PARAM_PATTERNS,
+    ...INTERNAL_CONTENT_PATTERNS,
+    domainPattern
+  ];
+  const acceptedPatterns = compileAcceptedPatterns(config);
+  let expectedProtocol;
+  try {
+    expectedProtocol = new URL(baseUrl).protocol;
+  } catch (error) {
+    if (config.verbose) {
+      console.warn(`Invalid base URL: ${baseUrl}, defaulting to https:`);
+    }
+    expectedProtocol = "https:";
+  }
+  const BATCH_SIZE = config.riskDetectionBatchSize || 1e4;
+  const CONCURRENCY = config.riskDetectionConcurrency || Math.max(2, os.cpus().length - 1);
+  const batches = chunkArray(urls, BATCH_SIZE);
+  if (config.verbose) {
+    console.log(`
+Risk Detection Configuration:`);
+    console.log(`  - Total URLs: ${urls.length.toLocaleString()}`);
+    console.log(`  - Batch size: ${BATCH_SIZE.toLocaleString()}`);
+    console.log(`  - Concurrency: ${CONCURRENCY}`);
+    console.log(`  - Total batches: ${batches.length}`);
+    try {
+      console.log(`  - Base domain: ${new URL(baseUrl).hostname}`);
+    } catch (error) {
+      console.log(`  - Base URL: ${baseUrl}`);
+    }
+    if (acceptedPatterns.length > 0) {
+      console.log(`  - Accepted patterns: ${acceptedPatterns.length}`);
+    }
+  }
+  let completedBatches = 0;
+  const totalBatches = batches.length;
+  const batchStartTime = Date.now();
+  const batchResults = await processInBatches(
+    batches,
+    CONCURRENCY,
+    (batch) => detectRisksInBatch(batch, allPatterns, acceptedPatterns, expectedProtocol, config.verbose),
+    (completed) => {
+      completedBatches = completed;
+      const pct = (completed / totalBatches * 100).toFixed(1);
+      const elapsed = (Date.now() - batchStartTime) / 1e3;
+      const urlsProcessed = completed * BATCH_SIZE;
+      const speed = Math.round(urlsProcessed / elapsed);
+      const remaining = totalBatches - completed;
+      const eta = Math.round(remaining * BATCH_SIZE / speed);
+      process.stdout.write(
+        `\r\x1B[K  Analyzing batch ${completed}/${totalBatches} (${pct}%) | ETA: ~${eta}s | ${speed.toLocaleString()} URLs/sec`
+      );
+    }
+  );
+  process.stdout.write("\r\x1B[K");
+  const allFindings = batchResults.flatMap((r) => r.findings);
+  const groupingResult = groupRiskFindings(allFindings);
+  const processingTimeMs = Date.now() - startTime;
+  if (config.verbose) {
+    console.log(`
+Risk Detection Summary:`);
+    console.log(`  - Total URLs analyzed: ${urls.length.toLocaleString()}`);
+    console.log(`  - Risk URLs found: ${groupingResult.totalRiskUrls.toLocaleString()}`);
+    console.log(`  - HIGH severity: ${groupingResult.highSeverityCount}`);
+    console.log(`  - MEDIUM severity: ${groupingResult.mediumSeverityCount}`);
+    console.log(`  - LOW severity: ${groupingResult.lowSeverityCount}`);
+    console.log(`  - Processing time: ${(processingTimeMs / 1e3).toFixed(1)}s`);
+    if (groupingResult.groups.length > 0) {
+      console.log(`
+Risk Categories Found:`);
+      for (const group of groupingResult.groups) {
+        console.log(`  - ${group.category}: ${group.count} URLs (${group.severity.toUpperCase()})`);
+      }
+    }
+  }
+  return {
+    findings: allFindings,
+    groups: groupingResult.groups,
+    totalUrlsAnalyzed: urls.length,
+    riskUrlCount: groupingResult.totalRiskUrls,
+    cleanUrlCount: urls.length - groupingResult.totalRiskUrls,
+    highSeverityCount: groupingResult.highSeverityCount,
+    mediumSeverityCount: groupingResult.mediumSeverityCount,
+    lowSeverityCount: groupingResult.lowSeverityCount,
+    processingTimeMs
+  };
+}
+// src/summarizer.ts
+function summarizeRisks(request) {
+  const severityBreakdown = {
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  const categoryInsights = request.riskGroups.map((group) => {
+    severityBreakdown[group.severity] += group.count;
+    const urls = group.allUrls || group.sampleUrls;
+    return {
+      category: group.category,
+      count: group.count,
+      severity: group.severity,
+      summary: group.rationale,
+      examples: urls.slice(0, 3),
+      allUrls: urls
+      // Include all URLs for download functionality
+    };
+  });
+  const totalRisks = request.riskGroups.reduce((sum, g) => sum + g.count, 0);
+  const overview = totalRisks > 0 ? `Found ${totalRisks} potentially risky URLs across ${request.riskGroups.length} categories in ${request.totalUrls} total URLs.` : `Analyzed ${request.totalUrls} URLs. No suspicious patterns detected.`;
+  const keyFindings = [];
+  if (severityBreakdown.high > 0) {
+    keyFindings.push(`${severityBreakdown.high} high-severity issues require immediate attention`);
+  }
+  if (severityBreakdown.medium > 0) {
+    keyFindings.push(`${severityBreakdown.medium} medium-severity issues should be reviewed`);
+  }
+  if (severityBreakdown.low > 0) {
+    keyFindings.push(`${severityBreakdown.low} low-severity items flagged for awareness`);
+  }
+  return {
+    overview,
+    keyFindings,
+    categoryInsights,
+    severityBreakdown,
+    recommendations: [],
+    generatedBy: "rule-based analysis",
+    metadata: {
+      tokensUsed: 0,
+      processingTime: request.processingTime || 0,
+      model: "pattern-matching"
+    }
+  };
+}
+// src/reporters/json-reporter.ts
+var TOOL_VERSION = true ? "1.0.0-alpha.2" : "dev";
+function generateJsonReport(summary, discoveryResult, parseResult, riskGroups, config, startTime, options = {}) {
+  const {
+    pretty = true,
+    indent = 2,
+    performanceMetrics
+  } = options;
+  const result = buildAnalysisResult(
+    summary,
+    discoveryResult,
+    parseResult,
+    riskGroups,
+    config,
+    startTime
+  );
+  const jsonOutput = transformToJsonOutput(result, performanceMetrics);
+  if (pretty) {
+    return JSON.stringify(jsonOutput, null, indent);
+  } else {
+    return JSON.stringify(jsonOutput);
+  }
+}
+function buildAnalysisResult(summary, discoveryResult, parseResult, riskGroups, config, startTime) {
+  const metadata = buildAnalysisMetadata(
+    config.baseUrl || "unknown",
+    startTime,
+    summary
+  );
+  const suspiciousGroups = riskGroups.map((group) => ({
+    category: group.category,
+    severity: group.severity,
+    count: group.count,
+    pattern: group.category,
+    // Use category as pattern identifier
+    rationale: group.rationale,
+    sampleUrls: group.sampleUrls.slice(0, 5),
+    // Limit to 5 samples
+    recommendedAction: group.recommendedAction
+  }));
+  const summaryStats = {
+    highSeverityCount: summary.severityBreakdown.high,
+    mediumSeverityCount: summary.severityBreakdown.medium,
+    lowSeverityCount: summary.severityBreakdown.low,
+    totalRiskyUrls: riskGroups.reduce((sum, g) => sum + g.count, 0),
+    overallStatus: determineOverallStatus(
+      summary.severityBreakdown,
+      parseResult.errors
+    )
+  };
+  const riskSummary = {
+    overview: summary.overview,
+    keyFindings: summary.keyFindings,
+    recommendations: summary.recommendations
+  };
+  const errors = parseResult.errors.map(transformError);
+  return {
+    analysisMetadata: metadata,
+    sitemapsDiscovered: discoveryResult.sitemaps,
+    totalUrlCount: parseResult.totalCount,
+    urlsAnalyzed: parseResult.totalCount,
+    suspiciousGroups,
+    riskSummary,
+    summary: summaryStats,
+    errors
+  };
+}
+function buildAnalysisMetadata(baseUrl, startTime, summary) {
+  return {
+    baseUrl,
+    analysisTimestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    toolVersion: TOOL_VERSION,
+    executionTimeMs: Date.now() - startTime,
+    analysisType: summary.generatedBy
+  };
+}
+function determineOverallStatus(severityBreakdown, errors) {
+  if (errors.length > 0) {
+    return "errors";
+  }
+  const totalIssues = severityBreakdown.high + severityBreakdown.medium + severityBreakdown.low;
+  return totalIssues > 0 ? "issues_found" : "clean";
+}
+function transformToJsonOutput(result, performanceMetrics) {
+  const output = {
+    analysis_metadata: transformMetadata(result.analysisMetadata),
+    sitemaps_discovered: result.sitemapsDiscovered,
+    total_url_count: result.totalUrlCount,
+    urls_analyzed: result.urlsAnalyzed,
+    suspicious_groups: result.suspiciousGroups.map(transformGroup),
+    risk_summary: transformRiskSummary(result.riskSummary),
+    summary: transformSummary(result.summary),
+    errors: result.errors
+  };
+  if (performanceMetrics) {
+    output.performance_metrics = {
+      total_execution_time_ms: performanceMetrics.totalExecutionTimeMs,
+      phase_timings: performanceMetrics.phaseTimings,
+      throughput: performanceMetrics.throughput,
+      resource_usage: performanceMetrics.resourceUsage
+    };
+  }
+  return output;
+}
+function transformMetadata(meta) {
+  return {
+    base_url: meta.baseUrl,
+    analysis_timestamp: meta.analysisTimestamp,
+    tool_version: meta.toolVersion,
+    execution_time_ms: meta.executionTimeMs,
+    analysis_type: meta.analysisType
+  };
+}
+function transformGroup(group) {
+  return {
+    category: group.category,
+    severity: group.severity,
+    count: group.count,
+    pattern: group.pattern,
+    rationale: group.rationale,
+    sample_urls: group.sampleUrls,
+    recommended_action: group.recommendedAction
+  };
+}
+function transformRiskSummary(summary) {
+  return {
+    overview: summary.overview,
+    key_findings: summary.keyFindings,
+    recommendations: summary.recommendations
+  };
+}
+function transformSummary(summary) {
+  return {
+    high_severity_count: summary.highSeverityCount,
+    medium_severity_count: summary.mediumSeverityCount,
+    low_severity_count: summary.lowSeverityCount,
+    total_risky_urls: summary.totalRiskyUrls,
+    overall_status: summary.overallStatus
+  };
+}
+function transformError(error) {
+  if ("code" in error) {
+    const customError = error;
+    const errorDetail = {
+      code: customError.code || "UNKNOWN_ERROR",
+      message: error.message
+    };
+    if ("attemptedPaths" in customError) {
+      errorDetail.context = {
+        attempted_paths: customError.attemptedPaths
+      };
+    } else if ("sitemapUrl" in customError && "lineNumber" in customError) {
+      errorDetail.context = {
+        sitemap_url: customError.sitemapUrl,
+        line_number: customError.lineNumber
+      };
+    } else if ("url" in customError) {
+      errorDetail.context = {
+        url: customError.url
+      };
+    }
+    return errorDetail;
+  }
+  return {
+    code: "UNKNOWN_ERROR",
+    message: error.message
+  };
+}
+// src/reporters/html-reporter.ts
+import { promises as fs } from "fs";
+var TOOL_VERSION2 = "1.0.0-alpha.2";
+function generateHtmlReport(summary, discoveryResult, totalUrls, config, errors, options = {}) {
+  const maxUrls = options.maxUrlsPerGroup ?? 10;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const riskyUrlCount = summary.categoryInsights.reduce((sum, g) => sum + g.count, 0);
+  const highSeverity = summary.categoryInsights.filter((g) => g.severity === "high");
+  const mediumSeverity = summary.categoryInsights.filter((g) => g.severity === "medium");
+  const lowSeverity = summary.categoryInsights.filter((g) => g.severity === "low");
+  const html = `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sitemap QA Report - ${s.baseUrl}</title>
+  <title>Sitemap QA Report - ${config.baseUrl}</title>
   <style>
     * { margin: 0; padding: 0; box-sizing: border-box; }
     body {
@@ -339,93 +1908,88 @@ Risk Categories Found:`);for(let p of l.groups)console.log(`  - ${p.category}: $
     <div class="header">
       <h1>Sitemap Analysis</h1>
       <div class="meta">
-        <div>${s.baseUrl}</div>
-        <div>${new Date(o).toLocaleString()}</div>
+        <div>${config.baseUrl}</div>
+        <div>${new Date(timestamp).toLocaleString()}</div>
       </div>
     </div>
     <div class="summary">
       <div class="summary-card">
         <div class="label">Sitemaps</div>
-        <div class="value">${t.sitemaps.length}</div>
+        <div class="value">${discoveryResult.sitemaps.length}</div>
       </div>
       <div class="summary-card">
         <div class="label">URLs Analyzed</div>
-        <div class="value">${r.toLocaleString()}</div>
+        <div class="value">${totalUrls.toLocaleString()}</div>
       </div>
       <div class="summary-card">
         <div class="label">Issues Found</div>
-        <div class="value" style="color: ${i>0?"#dc2626":"#059669"}">${i}</div>
+        <div class="value" style="color: ${riskyUrlCount > 0 ? "#dc2626" : "#059669"}">${riskyUrlCount}</div>
       </div>
       <div class="summary-card">
         <div class="label">Scan Time</div>
-        <div class="value">${(e.metadata.processingTime/1e3).toFixed(1)}s</div>
+        <div class="value">${(summary.metadata.processingTime / 1e3).toFixed(1)}s</div>
       </div>
     </div>
     <div class="content">
-      ${n.length>0?`
+      ${errors.length > 0 ? `
       <div class="errors-section">
-        <h3>Parsing Errors & Warnings (${n.length})</h3>
+        <h3>Parsing Errors & Warnings (${errors.length})</h3>
         <ul>
-          ${n.map(u=>`<li>${u.message}</li>`).join(`
-          `)}
+          ${errors.map((err) => `<li>${err.message}</li>`).join("\n          ")}
         </ul>
       </div>
-      `:""}
+      ` : ""}
-      ${t.sitemaps.length>0?`
+      ${discoveryResult.sitemaps.length > 0 ? `
       <div class="sitemaps">
-        <h3 class="collapsed" onclick="toggleSection(this)">Sitemaps Discovered (${t.sitemaps.length})</h3>
+        <h3 class="collapsed" onclick="toggleSection(this)">Sitemaps Discovered (${discoveryResult.sitemaps.length})</h3>
         <div class="sitemaps-content collapsed">
           <ul>
-            ${t.sitemaps.map(u=>`<li>\u2022 ${u}</li>`).join(`
-            `)}
+            ${discoveryResult.sitemaps.map((s) => `<li>\u2022 ${s}</li>`).join("\n            ")}
           </ul>
         </div>
       </div>
-      `:""}
+      ` : ""}
-      ${i===0?`
+      ${riskyUrlCount === 0 ? `
       <div class="status-clean">
         <h2>No Issues Found</h2>
         <p>All URLs in the sitemap passed validation checks.</p>
       </div>
-      `:""}
+      ` : ""}
-      ${m.length>0?`
+      ${highSeverity.length > 0 ? `
       <div class="severity-section">
-        <h2 class="severity-high" onclick="toggleSection(this)">High Severity (${m.reduce((u,g)=>u+g.count,0)} URLs)</h2>
+        <h2 class="severity-high" onclick="toggleSection(this)">High Severity (${highSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
         <div class="severity-content">
-          ${m.map(u=>_(u,c)).join(`
-          `)}
+          ${highSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
         </div>
       </div>
-      `:""}
+      ` : ""}
-      ${l.length>0?`
+      ${mediumSeverity.length > 0 ? `
       <div class="severity-section">
-        <h2 class="severity-medium" onclick="toggleSection(this)">Medium Severity (${l.reduce((u,g)=>u+g.count,0)} URLs)</h2>
+        <h2 class="severity-medium" onclick="toggleSection(this)">Medium Severity (${mediumSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
         <div class="severity-content">
-          ${l.map(u=>_(u,c)).join(`
-          `)}
+          ${mediumSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
         </div>
       </div>
-      `:""}
+      ` : ""}
-      ${d.length>0?`
+      ${lowSeverity.length > 0 ? `
       <div class="severity-section">
-        <h2 class="severity-low" onclick="toggleSection(this)">Low Severity (${d.reduce((u,g)=>u+g.count,0)} URLs)</h2>
+        <h2 class="severity-low" onclick="toggleSection(this)">Low Severity (${lowSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
         <div class="severity-content">
-          ${d.map(u=>_(u,c)).join(`
-          `)}
+          ${lowSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
         </div>
       </div>
-      `:""}
+      ` : ""}
     </div>
     <div class="footer">
-      Generated by <strong>sitemap-qa</strong> v${Ie}
+      Generated by <strong>sitemap-qa</strong> v${TOOL_VERSION2}
     </div>
   </div>
@@ -458,27 +2022,354 @@ Risk Categories Found:`);for(let p of l.groups)console.log(`  - ${p.category}: $
     }
   </script>
 </body>
-</html>`}function _(e,t){let r=e.category.split("_").map(i=>i.charAt(0).toUpperCase()+i.slice(1)).join(" "),s=e.examples.slice(0,t),n=e.count-s.length,a=e.category.toLowerCase(),c=JSON.stringify(e.allUrls),o=ee(c);return`<div class="risk-group">
-        <h3>${r} <span class="count">${e.count} URLs</span></h3>
-        <div class="impact">${e.summary}</div>
+</html>`;
+  return html;
+}
+function renderRiskGroup(group, maxUrls) {
+  const categoryTitle = group.category.split("_").map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+  const urlsToShow = group.examples.slice(0, maxUrls);
+  const remaining = group.count - urlsToShow.length;
+  const categorySlug = group.category.toLowerCase();
+  const allUrlsJson = JSON.stringify(group.allUrls);
+  const encodedUrls = escapeHtml(allUrlsJson);
+  return `<div class="risk-group">
+        <h3>${categoryTitle} <span class="count">${group.count} URLs</span></h3>
+        <div class="impact">${group.summary}</div>
         <div class="urls">
           <h4>Sample URLs</h4>
           <ul>
-            ${s.map(i=>`<li>${ee(i)}</li>`).join(`
-            `)}
+            ${urlsToShow.map((url) => `<li>${escapeHtml(url)}</li>`).join("\n            ")}
           </ul>
-          ${n>0?`<div class="more">... and ${n} more</div>`:""}
-          <button class="download-btn" onclick="downloadUrls('${a}', '${o}')">\u{1F4E5} Download All ${e.count} URLs</button>
+          ${remaining > 0 ? `<div class="more">... and ${remaining} more</div>` : ""}
+          <button class="download-btn" onclick="downloadUrls('${categorySlug}', '${encodedUrls}')">\u{1F4E5} Download All ${group.count} URLs</button>
         </div>
-      </div>`}function ee(e){return e.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&#039;")}async function te(e,t,r,s,n,a,c={}){let o=De(e,t,r,s,a,c);await Le.writeFile(n,o,"utf-8")}var oe=new Ne("analyze").description("Analyze sitemap for QA issues").argument("<url>","Base URL to analyze").option("--timeout <seconds>","HTTP timeout in seconds","30").option("--no-progress","Disable progress bar").option("--output <format>","Output format: html or json","html").option("--output-dir <path>","Output directory for reports").option("--output-file <path>","Custom output filename").option("--accepted-patterns <patterns>","Comma-separated regex patterns to exclude from risk detection").option("--no-color","Disable ANSI color codes in CLI output").option("--verbose","Enable verbose logging",!1).action(async(e,t)=>{let r;try{Fe(t),r=await F({...t,baseUrl:e,outputFormat:t.output}),console.log(`
-\u{1F50D} Analyzing ${e}...
-`);let n=await ze(e,r);Me(n),await re.mkdir(r.outputDir,{recursive:!0});let a=t.outputFile||`sitemap-qa-report-${Date.now()}.html`,c=`${r.outputDir}/${a}`;if(await te(n.summary,n.discoveryResult,n.totalUrls,r,c,n.errors,{maxUrlsPerGroup:10}),console.log(`
-\u{1F4C4} Full report saved to: ${k.cyan(c)}`),t.output==="json"){let i=a.replace(/\.html$/,".json"),m=`${r.outputDir}/${i}`,l=Z(n.summary,n.discoveryResult,{totalCount:n.totalUrls,uniqueUrls:[],errors:[]},n.riskGroups,r,n.executionTime,{pretty:!0,indent:2});await re.writeFile(m,l,"utf-8"),console.log(`\u{1F4C4} JSON report saved to: ${k.cyan(m)}`)}let o=Oe(n);process.exit(o)}catch(s){Ge(s,r),process.exit(2)}});function Fe(e){let t=["json","html"];if(!t.includes(e.output))throw new Error(`Invalid output format: ${e.output}. Must be one of: ${t.join(", ")}`);let r=parseInt(e.timeout);if(isNaN(r)||r<=0)throw new Error(`Invalid timeout: ${e.timeout}. Must be a positive number.`)}function Me(e){console.log("");let t=e.summary.categoryInsights.reduce((r,s)=>r+s.count,0);if(t===0)console.log(k.green("\u2705 No issues found - sitemap looks clean!"));else{console.log(k.yellow(`\u26A0\uFE0F  Found ${t} potentially risky URL(s)`)),console.log("");let{high:r,medium:s,low:n}=e.summary.severityBreakdown;r>0&&console.log(k.red(`   \u{1F6A8} High severity:   ${r} URLs`)),s>0&&console.log(k.yellow(`   \u26A0\uFE0F  Medium severity: ${s} URLs`)),n>0&&console.log(k.blue(`   \u2139\uFE0F  Low severity:    ${n} URLs`))}console.log("")}async function ze(e,t){let r=Date.now(),s=[],n=C("Discovering sitemaps...").start(),a=await O(e,t);if(n.succeed(`Found ${a.sitemaps.length} sitemap(s)`),a.accessIssues.length>0){console.warn(`\u26A0\uFE0F  Warning: ${a.accessIssues.length} sitemap(s) are access-blocked`);for(let y of a.accessIssues)s.push(new Error(`Access blocked: ${y.url} (${y.statusCode})`))}if(a.sitemaps.length===0)throw new Error(`No sitemaps found at ${e}. Tried: /sitemap.xml, /sitemap_index.xml, /robots.txt`);let c=C("Parsing sitemaps...").start(),o=await q(a.sitemaps,t);if(c.succeed(`Extracted ${o.allUrls.length.toLocaleString()} URLs`),o.errors.length>0)for(let y of o.errors)typeof y=="string"?s.push(new Error(y)):s.push(y);if(o.allUrls.length===0)throw new Error("No URLs extracted from sitemaps");let i=C("Removing duplicates...").start(),m=j(o.allUrls),l=o.allUrls.length-m.uniqueUrls.length;l>0?i.succeed(`${m.uniqueUrls.length.toLocaleString()} unique URLs (removed ${l.toLocaleString()} duplicates)`):i.succeed(`${m.uniqueUrls.length.toLocaleString()} unique URLs`);let d=C("Analyzing for risks...").start(),p=await Y(m.uniqueUrls,e,t),u=P(p.findings),g=u.groups.reduce((y,R)=>y+R.count,0);g>0?d.warn(`Found ${g} risky URL(s)`):d.succeed("No risks detected");let f=Date.now()-r,w=C("Generating report...").start(),h=X({riskGroups:u.groups,totalUrls:m.uniqueUrls.length,sitemapUrl:e,processingTime:f});return w.succeed("Analysis complete"),{discoveryResult:a,totalUrls:m.uniqueUrls.length,riskGroups:u.groups,summary:h,errors:s,executionTime:f}}function Oe(e){return e.summary.severityBreakdown.high>0?1:0}function Ge(e,t){console.error(`
-\u274C Analysis failed
-`),e instanceof Error?(console.error(`Error: ${e.message}`),t?.verbose&&e.stack&&(console.error(`
-Stack trace:`),console.error(e.stack)),e.message.includes("No sitemaps found")?(console.error(`
-Suggestions:`),console.error("  \u2022 Verify the base URL is correct"),console.error("  \u2022 Check if the site has a sitemap"),console.error("  \u2022 Ensure the sitemap is publicly accessible")):(e.message.includes("Network")||e.message.includes("timeout"))&&(console.error(`
-Suggestions:`),console.error("  \u2022 Check your internet connection"),console.error("  \u2022 Verify the URL is accessible"),console.error("  \u2022 Try increasing the timeout with --timeout option"))):(console.error("Unknown error occurred"),console.error(String(e)))}var A=new qe;A.name("sitemap-qa").version("1.0.0").description("sitemap analysis for QA teams");A.addCommand(oe);process.on("unhandledRejection",(e,t)=>{console.error("Unhandled Rejection at:",t,"reason:",e),process.exit(1)});process.on("SIGINT",()=>{console.log(`
-Gracefully shutting down...`),process.exit(0)});process.on("SIGTERM",()=>{console.log(`
-Gracefully shutting down...`),process.exit(0)});A.parse();
+      </div>`;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+async function writeHtmlReport(summary, discoveryResult, totalUrls, config, outputPath, errors, options = {}) {
+  const htmlContent = generateHtmlReport(summary, discoveryResult, totalUrls, config, errors, options);
+  await fs.writeFile(outputPath, htmlContent, "utf-8");
+}
+// src/commands/analyze.ts
+var analyzeCommand = new Command("analyze").description("Analyze sitemap for QA issues").argument("<url>", "Base URL to analyze").option("--timeout <seconds>", "HTTP timeout in seconds", "30").option("--no-progress", "Disable progress bar").option("--output <format>", "Output format: html or json", "html").option("--output-dir <path>", "Output directory for reports").option("--output-file <path>", "Custom output filename").option("--accepted-patterns <patterns>", "Comma-separated regex patterns to exclude from risk detection").option("--concurrency <number>", "Number of concurrent workers for risk detection").option("--batch-size <number>", "URLs per batch for risk detection", "10000").option("--parsing-concurrency <number>", "Number of concurrent sitemap parsers", "50").option("--discovery-concurrency <number>", "Number of concurrent sitemap index fetches", "50").option("--silent", "Disable all progress output").option("--benchmark", "Save performance profile").option("--no-color", "Disable ANSI color codes in CLI output").option("--verbose", "Enable verbose logging", false).action(async (url, options) => {
+  let config;
+  try {
+    validateAnalyzeOptions(options);
+    const loadedConfig = await loadConfig({
+      ...options,
+      baseUrl: url,
+      outputFormat: options.output,
+      riskDetectionConcurrency: options.concurrency ? parseInt(options.concurrency) : void 0,
+      riskDetectionBatchSize: options.batchSize ? parseInt(options.batchSize) : void 0,
+      parsingConcurrency: options.parsingConcurrency ? parseInt(options.parsingConcurrency) : void 0,
+      discoveryConcurrency: options.discoveryConcurrency ? parseInt(options.discoveryConcurrency) : void 0,
+      silent: options.silent,
+      benchmark: options.benchmark,
+      progressBar: options.progress
+    });
+    config = loadedConfig;
+    console.log(`
+\u{1F50D} Analyzing ${url}...
+`);
+    const result = await runAnalysisPipeline(url, config);
+    await fs2.mkdir(config.outputDir, { recursive: true });
+    if (options.output === "json") {
+      const jsonReport = generateJsonReport(
+        result.summary,
+        result.discoveryResult,
+        { totalCount: result.totalUrls, uniqueUrls: [], errors: [] },
+        result.riskGroups,
+        config,
+        result.executionTime,
+        { pretty: true, indent: 2 }
+      );
+      console.log("\n" + jsonReport);
+      if (options.outputFile) {
+        const jsonFilePath = `${config.outputDir}/${options.outputFile}`;
+        await fs2.writeFile(jsonFilePath, jsonReport, "utf-8");
+        console.log(`
+\u{1F4C4} JSON report saved to: ${chalk.cyan(jsonFilePath)}`);
+      }
+    } else {
+      showCliSummary(result);
+      const htmlFileName = options.outputFile || `sitemap-qa-report-${Date.now()}.html`;
+      const htmlFilePath = `${config.outputDir}/${htmlFileName}`;
+      await writeHtmlReport(
+        result.summary,
+        result.discoveryResult,
+        result.totalUrls,
+        config,
+        htmlFilePath,
+        result.errors,
+        { maxUrlsPerGroup: 10 }
+      );
+      console.log(`
+\u{1F4C4} Full report saved to: ${chalk.cyan(htmlFilePath)}`);
+    }
+    const exitCode = determineExitCode(result);
+    process.exit(exitCode);
+  } catch (error) {
+    handleAnalysisError(error, config);
+    process.exit(2);
+  }
+});
+function validateAnalyzeOptions(options) {
+  const validFormats = ["json", "html"];
+  if (!validFormats.includes(options.output)) {
+    throw new Error(
+      `Invalid output format: ${options.output}. Must be one of: ${validFormats.join(", ")}`
+    );
+  }
+  const timeout = parseInt(options.timeout);
+  if (isNaN(timeout) || timeout <= 0) {
+    throw new Error(`Invalid timeout: ${options.timeout}. Must be a positive number.`);
+  }
+}
+function showCliSummary(result) {
+  const riskyUrlCount = result.summary.categoryInsights.reduce((sum, g) => sum + g.count, 0);
+  console.log(chalk.dim("\u2500".repeat(50)));
+  if (riskyUrlCount === 0) {
+    console.log(chalk.green("No issues found - sitemap looks clean!"));
+  } else {
+    const { high, medium, low } = result.summary.severityBreakdown;
+    const severityParts = [];
+    if (high > 0) severityParts.push(chalk.red(`High: ${high}`));
+    if (medium > 0) severityParts.push(chalk.yellow(`Medium: ${medium}`));
+    if (low > 0) severityParts.push(chalk.blue(`Low: ${low}`));
+    const severitySummary = severityParts.length > 0 ? ` (${severityParts.join(", ")})` : "";
+    console.log(chalk.yellow(`\u26A0\uFE0F  ${riskyUrlCount} risky URLs found${severitySummary}`));
+  }
+  console.log("");
+}
+async function runAnalysisPipeline(url, config) {
+  const overallStartTime = Date.now();
+  const phaseTimings = [];
+  const errors = [];
+  const showProgress = !config.silent && config.progressBar !== false && process.stdout.isTTY;
+  let phaseStart = Date.now();
+  const discoverySpinner = showProgress ? ora({ text: "Discovering sitemaps...", color: "cyan" }).start() : null;
+  const discoveryResult = await discoverSitemaps(url, config);
+  if (discoverySpinner) {
+    discoverySpinner.stop();
+  }
+  phaseTimings.push({
+    name: "Discovery",
+    startTime: phaseStart,
+    endTime: Date.now(),
+    duration: Date.now() - phaseStart
+  });
+  if (discoveryResult.accessIssues.length > 0) {
+    if (!config.silent) {
+      console.warn(chalk.yellow(`\u26A0\uFE0F  Warning: ${discoveryResult.accessIssues.length} sitemap(s) are access-blocked`));
+    }
+    for (const issue of discoveryResult.accessIssues) {
+      errors.push(new Error(`Access blocked: ${issue.url} (${issue.statusCode})`));
+    }
+  }
+  if (discoveryResult.sitemaps.length === 0) {
+    throw new Error(`No sitemaps found at ${url}. Tried: /sitemap.xml, /sitemap_index.xml, /robots.txt`);
+  }
+  phaseStart = Date.now();
+  let extractionResult;
+  if (showProgress && discoveryResult.sitemaps.length > 10) {
+    const parseBar = new cliProgress.SingleBar({
+      format: "{bar} {percentage}% | {value}/{total} | ETA: {eta}s | {speed} sitemaps/sec",
+      barCompleteChar: "\u2588",
+      barIncompleteChar: "\u2591",
+      hideCursor: true
+    });
+    parseBar.start(discoveryResult.sitemaps.length, 0, { speed: "0" });
+    extractionResult = await extractAllUrls(
+      discoveryResult.sitemaps,
+      config,
+      (completed, total) => {
+        const elapsed = (Date.now() - phaseStart) / 1e3;
+        const speed = elapsed > 0 ? (completed / elapsed).toFixed(1) : "0";
+        parseBar.update(completed, { speed });
+      }
+    );
+    parseBar.stop();
+  } else {
+    extractionResult = await extractAllUrls(discoveryResult.sitemaps, config);
+  }
+  phaseTimings.push({
+    name: "Parsing",
+    startTime: phaseStart,
+    endTime: Date.now(),
+    duration: Date.now() - phaseStart
+  });
+  if (extractionResult.errors.length > 0) {
+    for (const err of extractionResult.errors) {
+      if (typeof err === "string") {
+        errors.push(new Error(err));
+      } else {
+        errors.push(err);
+      }
+    }
+  }
+  if (extractionResult.allUrls.length === 0) {
+    throw new Error("No URLs extracted from sitemaps");
+  }
+  phaseStart = Date.now();
+  const consolidatedResult = consolidateUrls(extractionResult.allUrls);
+  phaseTimings.push({
+    name: "Deduplication",
+    startTime: phaseStart,
+    endTime: Date.now(),
+    duration: Date.now() - phaseStart
+  });
+  const duplicatesRemoved = extractionResult.allUrls.length - consolidatedResult.uniqueUrls.length;
+  const duplicatePercentage = duplicatesRemoved / extractionResult.allUrls.length * 100;
+  if (!config.silent) {
+    if (duplicatesRemoved > 100 || duplicatePercentage > 1) {
+      console.log(chalk.green(`Found ${discoveryResult.sitemaps.length} sitemap(s) \u2192 ${extractionResult.allUrls.length.toLocaleString()} URLs (${consolidatedResult.uniqueUrls.length.toLocaleString()} unique)`));
+    } else {
+      console.log(chalk.green(`Found ${discoveryResult.sitemaps.length} sitemap(s) \u2192 ${extractionResult.allUrls.length.toLocaleString()} URLs`));
+    }
+  }
+  phaseStart = Date.now();
+  const riskResult = await detectRisks(consolidatedResult.uniqueUrls, url, config);
+  const riskGroups = groupRiskFindings(riskResult.findings);
+  phaseTimings.push({
+    name: "Risk Detection",
+    startTime: phaseStart,
+    endTime: Date.now(),
+    duration: Date.now() - phaseStart
+  });
+  phaseStart = Date.now();
+  const executionTime = Date.now() - overallStartTime;
+  const summary = summarizeRisks({
+    riskGroups: riskGroups.groups,
+    totalUrls: consolidatedResult.uniqueUrls.length,
+    sitemapUrl: url,
+    processingTime: executionTime
+  });
+  phaseTimings.push({
+    name: "Summarization",
+    startTime: phaseStart,
+    endTime: Date.now(),
+    duration: Date.now() - phaseStart
+  });
+  if (!config.silent && config.verbose) {
+    displayPhaseSummary(phaseTimings, executionTime);
+  } else if (!config.silent) {
+    const parsingPhase = phaseTimings.find((p) => p.name === "Parsing");
+    const sitemapsPerSec = parsingPhase ? (discoveryResult.sitemaps.length / (parsingPhase.duration / 1e3)).toFixed(1) : "0";
+    console.log(chalk.green(`Analysis complete (${(executionTime / 1e3).toFixed(1)}s \xB7 ${sitemapsPerSec} sitemaps/sec)
+`));
+  }
+  if (config.benchmark) {
+    await saveBenchmark(phaseTimings, url, executionTime, discoveryResult.sitemaps.length, consolidatedResult.uniqueUrls.length, config);
+  }
+  return {
+    discoveryResult,
+    totalUrls: consolidatedResult.uniqueUrls.length,
+    riskGroups: riskGroups.groups,
+    summary,
+    errors,
+    executionTime,
+    phaseTimings
+  };
+}
+function determineExitCode(result) {
+  const highSeverityCount = result.summary.severityBreakdown.high;
+  if (highSeverityCount > 0) {
+    return 1;
+  }
+  return 0;
+}
+function handleAnalysisError(error, config) {
+  console.error("\n\u274C Analysis failed\n");
+  if (error instanceof Error) {
+    console.error(`Error: ${error.message}`);
+    if (config?.verbose && error.stack) {
+      console.error("\nStack trace:");
+      console.error(error.stack);
+    }
+    if (error.message.includes("No sitemaps found")) {
+      console.error("\nSuggestions:");
+      console.error("  \u2022 Verify the base URL is correct");
+      console.error("  \u2022 Check if the site has a sitemap");
+      console.error("  \u2022 Ensure the sitemap is publicly accessible");
+    } else if (error.message.includes("Network") || error.message.includes("timeout")) {
+      console.error("\nSuggestions:");
+      console.error("  \u2022 Check your internet connection");
+      console.error("  \u2022 Verify the URL is accessible");
+      console.error("  \u2022 Try increasing the timeout with --timeout option");
+    }
+  } else {
+    console.error("Unknown error occurred");
+    console.error(String(error));
+  }
+}
+function displayPhaseSummary(timings, totalTime) {
+  console.log(chalk.green(`
+Analysis Complete (Total: ${(totalTime / 1e3).toFixed(1)}s)
+`));
+  console.log(chalk.cyan("Phase Breakdown:"));
+  for (const timing of timings) {
+    const seconds = (timing.duration / 1e3).toFixed(1);
+    const percentage = (timing.duration / totalTime * 100).toFixed(1);
+    const bar = "\u2022";
+    console.log(`  ${bar} ${timing.name.padEnd(15)}: ${seconds.padStart(5)}s (${percentage.padStart(5)}%)`);
+  }
+  console.log("");
+}
+async function saveBenchmark(timings, url, totalTime, sitemapCount, urlCount, config) {
+  const benchmark = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    url,
+    total_duration_ms: totalTime,
+    phases: timings.map((t) => ({
+      name: t.name.toLowerCase(),
+      start_ms: t.startTime,
+      end_ms: t.endTime,
+      duration_ms: t.duration
+    })),
+    metrics: {
+      sitemaps_processed: sitemapCount,
+      urls_analyzed: urlCount,
+      throughput: {
+        urls_per_second: Math.round(urlCount / totalTime * 1e3),
+        sitemaps_per_second: (sitemapCount / totalTime * 1e3).toFixed(2)
+      }
+    },
+    system_info: {
+      cpu_count: os2.cpus().length,
+      node_version: process.version,
+      platform: process.platform,
+      memory_total_mb: Math.round(os2.totalmem() / 1024 / 1024)
+    },
+    config: {
+      discovery_concurrency: config.discoveryConcurrency,
+      parsing_concurrency: config.parsingConcurrency,
+      risk_detection_concurrency: config.riskDetectionConcurrency,
+      risk_detection_batch_size: config.riskDetectionBatchSize
+    }
+  };
+  const filename = `performance-profile-${Date.now()}.json`;
+  await fs2.writeFile(filename, JSON.stringify(benchmark, null, 2));
+  console.log(chalk.blue(`\u{1F4CA} Benchmark saved to: ${filename}`));
+}
+// src/index.ts
+var program = new Command2();
+program.name("sitemap-qa").version("1.0.0").description("sitemap analysis for QA teams");
+program.addCommand(analyzeCommand);
+process.on("unhandledRejection", (reason, promise) => {
+  console.error("Unhandled Rejection at:", promise, "reason:", reason);
+  process.exit(1);
+});
+process.on("SIGINT", () => {
+  console.log("\nGracefully shutting down...");
+  process.exit(0);
+});
+process.on("SIGTERM", () => {
+  console.log("\nGracefully shutting down...");
+  process.exit(0);
+});
+program.parse();
 //# sourceMappingURL=index.js.map