@akotliar/sitemap-qa 1.0.0-alpha.3 → 1.0.0-alpha.5

package/dist/index.js

@@ -1,2364 +1,957 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import "dotenv/config";
-import { Command as Command2 } from "commander";
+import { Command as Command3 } from "commander";
 
 // src/commands/analyze.ts
 import { Command } from "commander";
-import { promises as fs2 } from "fs";
-import ora from "ora";
-import chalk from "chalk";
-import cliProgress from "cli-progress";
-import os2 from "os";
-
-// src/config/config-loader.ts
-import { readFile } from "fs/promises";
-import { existsSync } from "fs";
-import { join } from "path";
-import { homedir } from "os";
-
-// src/types/config.ts
-var DEFAULT_CONFIG = {
-  timeout: 30,
-  concurrency: 10,
-  parsingConcurrency: 50,
-  // Optimized for network-bound parallel parsing
-  discoveryConcurrency: 50,
-  // Optimized for recursive sitemap index discovery
-  outputFormat: "html",
-  outputDir: "./sitemap-qa/report",
-  verbose: false,
-  baseUrl: "https://example.com",
-  // Default for tests
-  acceptedPatterns: [],
-  riskDetectionBatchSize: 1e4,
-  riskDetectionConcurrency: void 0,
-  // Auto-detect in risk-detector.ts
-  progressBar: void 0,
-  // Auto-detect TTY
-  silent: false,
-  benchmark: false
-};
-
-// src/config/config-loader.ts
-async function loadConfig(cliOptions) {
-  let config = { ...DEFAULT_CONFIG };
-  const globalConfigPath = join(homedir(), ".sitemap-qa", "config.json");
-  if (existsSync(globalConfigPath)) {
-    try {
-      const globalConfig = JSON.parse(await readFile(globalConfigPath, "utf-8"));
-      config = { ...config, ...globalConfig };
-    } catch (error) {
-      console.warn(`Warning: Failed to load global config: ${error}`);
-    }
-  }
-  const projectConfigPath = join(process.cwd(), ".sitemap-qa.config.json");
-  if (existsSync(projectConfigPath)) {
-    try {
-      const projectConfig = JSON.parse(await readFile(projectConfigPath, "utf-8"));
-      config = { ...config, ...projectConfig };
-    } catch (error) {
-      console.warn(`Warning: Failed to load project config: ${error}`);
-    }
-  }
-  const envConfig = loadFromEnv();
-  config = { ...config, ...envConfig };
-  config = mergeCliOptions(config, cliOptions);
-  if (cliOptions.baseUrl) {
-    config.baseUrl = cliOptions.baseUrl;
-  }
-  validateConfig(config);
-  return config;
-}
-function loadFromEnv() {
-  const env = {};
-  if (process.env.SITEMAP_VERIFY_TIMEOUT) {
-    env.timeout = parseInt(process.env.SITEMAP_VERIFY_TIMEOUT, 10);
-  }
-  return env;
-}
-function mergeCliOptions(config, cliOptions) {
-  const merged = { ...config };
-  if (cliOptions.timeout && cliOptions.timeout !== "30") {
-    merged.timeout = parseInt(cliOptions.timeout, 10);
-  }
-  if (cliOptions.output) {
-    merged.outputFormat = cliOptions.output;
-  }
-  if (cliOptions.outputDir) {
-    merged.outputDir = cliOptions.outputDir;
-  }
-  if (cliOptions.verbose === true) {
-    merged.verbose = true;
-  }
-  if (cliOptions.acceptedPatterns) {
-    merged.acceptedPatterns = cliOptions.acceptedPatterns.split(",").map((p) => p.trim()).filter(Boolean);
-  }
-  return merged;
-}
-function validateConfig(config) {
-  if (config.timeout < 1 || config.timeout > 300) {
-    throw new Error("Timeout must be between 1 and 300 seconds");
-  }
-  if (!["json", "html"].includes(config.outputFormat)) {
-    throw new Error("Output format must be json or html");
-  }
-}
+import chalk3 from "chalk";
+import path2 from "path";
+import fs4 from "fs/promises";
 
-// src/errors/network-errors.ts
-var NetworkError = class extends Error {
-  constructor(url, originalError) {
-    super(`Network request failed for ${url}: ${originalError.message}`);
-    this.url = url;
-    this.originalError = originalError;
-    this.name = "NetworkError";
-  }
-  code = "NETWORK_ERROR";
-};
-var HttpError = class extends Error {
-  constructor(url, statusCode, statusText) {
-    let message = `HTTP ${statusCode} error for ${url}`;
-    if (statusCode === 403) {
-      message += "\n   Note: 403 Forbidden often indicates bot protection (Cloudflare, etc.) or access restrictions";
-    }
-    super(message);
-    this.url = url;
-    this.statusCode = statusCode;
-    this.statusText = statusText;
-    this.name = "HttpError";
-  }
-  code = "HTTP_ERROR";
-};
+// src/config/loader.ts
+import fs from "fs";
+import path from "path";
+import yaml from "js-yaml";
 
-// src/utils/http-client.ts
-import { chromium } from "playwright";
-import axios from "axios";
-import { Agent as HttpAgent } from "http";
-import { Agent as HttpsAgent } from "https";
-var httpAgent = new HttpAgent({
-  keepAlive: true,
-  maxSockets: 200,
-  // Allow many concurrent connections
-  maxFreeSockets: 50,
-  timeout: 15e3
+// src/config/schema.ts
+import { z } from "zod";
+var PatternTypeSchema = z.enum(["literal", "glob", "regex"]);
+var PatternSchema = z.object({
+  type: PatternTypeSchema,
+  value: z.string().min(1, "Pattern value cannot be empty"),
+  reason: z.string().min(1, "Reason is mandatory for each pattern")
 });
-var httpsAgent = new HttpsAgent({
-  keepAlive: true,
-  maxSockets: 200,
-  maxFreeSockets: 50,
-  timeout: 15e3
+var PolicySchema = z.object({
+  category: z.string().min(1, "Category name is mandatory"),
+  patterns: z.array(PatternSchema).min(1, "At least one pattern is required per category")
 });
-var axiosInstance = axios.create({
-  httpAgent,
-  httpsAgent,
-  maxRedirects: 5,
-  validateStatus: () => true
-  // Don't throw on any status code
+var ConfigSchema = z.object({
+  acceptable_patterns: z.array(PatternSchema).default([]),
+  policies: z.array(PolicySchema).default([]),
+  outDir: z.string().optional(),
+  outputFormat: z.enum(["json", "html", "all"]).default("all"),
+  enforceDomainConsistency: z.boolean().default(true)
 });
-async function fetchUrlWithBrowser(url, timeout) {
-  let browser;
-  try {
-    browser = await chromium.launch({
-      headless: true,
-      args: [
-        "--disable-blink-features=AutomationControlled",
-        // Hide automation flags
-        "--disable-dev-shm-usage",
-        "--no-sandbox"
+
+// src/config/defaults.ts
+var DEFAULT_POLICIES = {
+  acceptable_patterns: [],
+  outputFormat: "all",
+  enforceDomainConsistency: true,
+  policies: [
+    {
+      category: "Security & Admin",
+      patterns: [
+        {
+          type: "glob",
+          value: "**/admin/**",
+          reason: "Administrative interfaces should not be publicly indexed."
+        },
+        {
+          type: "glob",
+          value: "**/.env*",
+          reason: "Environment files contain sensitive secrets."
+        },
+        {
+          type: "literal",
+          value: "/wp-admin",
+          reason: "WordPress admin paths are common attack vectors."
+        }
+      ]
+    },
+    {
+      category: "Environment Leakage",
+      patterns: [
+        {
+          type: "glob",
+          value: "**/staging.**",
+          reason: "Staging environments should be restricted."
+        },
+        {
+          type: "glob",
+          value: "**/dev.**",
+          reason: "Development subdomains detected in production sitemap."
+        }
+      ]
+    },
+    {
+      category: "Sensitive Files",
+      patterns: [
+        {
+          type: "glob",
+          value: "**/*.{sql,bak,zip,tar.gz}",
+          reason: "Archive or database backup files exposed."
+        }
       ]
-    });
-    const context = await browser.newContext({
-      userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
-      viewport: { width: 1920, height: 1080 },
-      locale: "en-US",
-      timezoneId: "America/New_York",
-      extraHTTPHeaders: {
-        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
-        "Accept-Language": "en-US,en;q=0.9",
-        "Accept-Encoding": "gzip, deflate, br",
-        "DNT": "1",
-        "Connection": "keep-alive",
-        "Upgrade-Insecure-Requests": "1"
-      }
-    });
-    const page = await context.newPage();
-    await page.addInitScript(() => {
-      Object.defineProperty(navigator, "webdriver", {
-        get: () => false
-      });
-      window.chrome = {
-        runtime: {}
-      };
-      const originalQuery = window.navigator.permissions.query;
-      window.navigator.permissions.query = (parameters) => parameters.name === "notifications" ? Promise.resolve({ state: Notification.permission }) : originalQuery(parameters);
-    });
-    page.setDefaultTimeout(timeout * 1e3);
-    const response = await page.goto(url, {
-      waitUntil: "domcontentloaded",
-      // Changed from networkidle - faster for simple XML
-      timeout: timeout * 1e3
-    });
-    if (!response) {
-      throw new Error("No response received from page");
-    }
-    const statusCode = response.status();
-    const content = await page.content();
-    const finalUrl = page.url();
-    await browser.close();
-    if (statusCode >= 200 && statusCode < 300) {
-      return {
-        content,
-        statusCode,
-        url: finalUrl
-      };
-    }
-    throw new HttpError(finalUrl, statusCode);
-  } catch (error) {
-    if (browser) {
-      await browser.close();
-    }
-    if (error.code === "HTTP_ERROR") {
-      throw error;
     }
-    throw new NetworkError(url, error);
-  }
-}
-async function fetchUrl(url, options = {}) {
-  const {
-    timeout = 30,
-    maxRetries = 3,
-    retryDelay = 1e3,
-    useBrowser = false,
-    disableBrowserFallback = false
-  } = options;
-  new URL(url);
-  const retryableStatuses = [408, 429, 500, 502, 503, 504];
-  let lastError = null;
-  let attemptedBrowser = false;
-  for (let attempt = 0; attempt <= maxRetries; attempt++) {
-    try {
-      if (useBrowser || attemptedBrowser) {
-        return await fetchUrlWithBrowser(url, timeout);
-      }
-      const response = await axiosInstance.get(url, {
-        timeout: timeout * 1e3,
-        headers: {
-          "User-Agent": "sitemap-qa/1.0.0 (compatible; +https://github.com/Akotliar/sitemap-qa)",
-          "Accept": "text/xml,application/xml,text/plain,*/*",
-          "Accept-Encoding": "gzip, deflate",
-          "Connection": "keep-alive"
+  ]
+};
+
+// src/config/loader.ts
+import chalk from "chalk";
+var ConfigLoader = class {
+  static DEFAULT_CONFIG_PATH = "sitemap-qa.yaml";
+  static load(configPath) {
+    const targetPath = configPath || path.join(process.cwd(), this.DEFAULT_CONFIG_PATH);
+    let userConfig = { policies: [] };
+    if (fs.existsSync(targetPath)) {
+      try {
+        const fileContent = fs.readFileSync(targetPath, "utf8");
+        const parsedYaml = yaml.load(fileContent);
+        const result = ConfigSchema.safeParse(parsedYaml);
+        if (!result.success) {
+          console.error(chalk.red("Configuration Validation Error:"));
+          result.error.issues.forEach((issue) => {
+            console.error(chalk.yellow(`  - ${issue.path.join(".")}: ${issue.message}`));
+          });
+          process.exit(2);
         }
-      });
-      const statusCode = response.status;
-      const body = response.data;
-      if (statusCode >= 200 && statusCode < 300) {
-        return {
-          content: typeof body === "string" ? body : JSON.stringify(body),
-          statusCode,
-          url: response.request?.res?.responseUrl || url
-          // Final URL after redirects
-        };
-      }
-      if (statusCode === 403 && !attemptedBrowser && !disableBrowserFallback) {
-        attemptedBrowser = true;
-        continue;
-      }
-      if (!retryableStatuses.includes(statusCode)) {
-        throw new HttpError(response.request?.res?.responseUrl || url, statusCode);
+        userConfig = result.data;
+      } catch (error) {
+        console.error(chalk.red("Failed to load configuration:"), error);
+        process.exit(2);
       }
-      lastError = new HttpError(response.request?.res?.responseUrl || url, statusCode);
-    } catch (error) {
-      if (error.code === "HTTP_ERROR") {
-        const httpError = error;
-        if (!retryableStatuses.includes(httpError.statusCode)) {
-          throw error;
-        }
-        lastError = error;
+    } else if (configPath) {
+      console.error(chalk.red(`Error: Configuration file not found at ${targetPath}`));
+      process.exit(2);
+    }
+    return this.mergeConfigs(DEFAULT_POLICIES, userConfig);
+  }
+  static mergeConfigs(defaults, user) {
+    const mergedPolicies = [...defaults.policies];
+    user.policies.forEach((userPolicy) => {
+      const index = mergedPolicies.findIndex((p) => p.category === userPolicy.category);
+      if (index !== -1) {
+        mergedPolicies[index] = userPolicy;
       } else {
-        lastError = new NetworkError(url, error);
+        mergedPolicies.push(userPolicy);
       }
-      if (attempt === maxRetries) break;
+    });
+    const merged = {
+      ...defaults,
+      acceptable_patterns: [...defaults.acceptable_patterns || [], ...user.acceptable_patterns || []],
+      policies: mergedPolicies
+    };
+    if (user.outDir !== void 0) {
+      merged.outDir = user.outDir;
+    }
+    if (user.outputFormat !== void 0) {
+      merged.outputFormat = user.outputFormat;
     }
-    if (attempt < maxRetries) {
-      const delay = retryDelay * Math.pow(2, attempt);
-      await new Promise((resolve) => setTimeout(resolve, delay));
+    if (user.enforceDomainConsistency !== void 0) {
+      merged.enforceDomainConsistency = user.enforceDomainConsistency;
     }
+    return merged;
   }
-  throw lastError;
-}
+};
 
 // src/core/discovery.ts
-async function tryStandardPaths(baseUrl, config) {
-  const baseDomain = new URL(baseUrl).origin;
-  const accessIssues = [];
-  const standardPaths = [
+import { fetch } from "undici";
+import { XMLParser } from "fast-xml-parser";
+var DiscoveryService = class {
+  parser;
+  visited = /* @__PURE__ */ new Set();
+  STANDARD_PATHS = [
     "/sitemap.xml",
     "/sitemap_index.xml",
-    "/sitemap-index.xml"
+    "/sitemap-index.xml",
+    "/sitemap.php",
+    "/sitemap.xml.gz"
   ];
-  const results = await Promise.allSettled(
-    standardPaths.map(async (path) => {
-      const sitemapUrl = `${baseDomain}${path}`;
-      try {
-        const result = await fetchUrl(sitemapUrl, {
-          timeout: config.timeout,
-          maxRetries: 0
-          // Don't retry on standard paths - fail fast
-        });
-        if (result.statusCode === 200) {
-          if (config.verbose) {
-            console.log(`\u2713 Found sitemap at: ${sitemapUrl}`);
-          }
-          return { found: true, url: sitemapUrl };
-        }
-        return { found: false };
-      } catch (error) {
-        if (error instanceof HttpError) {
-          if (error.statusCode === 401 || error.statusCode === 403) {
-            accessIssues.push({
-              url: sitemapUrl,
-              statusCode: error.statusCode,
-              error: error.statusCode === 401 ? "Unauthorized" : "Access Denied"
-            });
-            if (config.verbose) {
-              console.log(`\u26A0 Access denied: ${sitemapUrl} (${error.statusCode})`);
-            }
-          } else if (config.verbose) {
-            console.log(`\u2717 Not found: ${sitemapUrl} (${error.statusCode})`);
-          }
-        } else if (config.verbose) {
-          console.log(`\u2717 Not found: ${sitemapUrl}`);
-        }
-        return { found: false };
-      }
-    })
-  );
-  for (const result of results) {
-    if (result.status === "fulfilled" && result.value.found) {
-      return { sitemaps: [result.value.url], issues: accessIssues };
-    }
-  }
-  if (config.verbose) {
-    console.log("No sitemap found at standard paths");
-  }
-  return { sitemaps: [], issues: accessIssues };
-}
-async function parseRobotsTxt(baseUrl, config) {
-  const robotsUrl = `${new URL(baseUrl).origin}/robots.txt`;
-  try {
-    const result = await fetchUrl(robotsUrl, {
-      timeout: config.timeout,
-      maxRetries: 1
+  constructor() {
+    this.parser = new XMLParser({
+      ignoreAttributes: false,
+      attributeNamePrefix: "@_"
     });
-    const lines = result.content.split("\n");
-    const sitemaps = [];
-    for (const line of lines) {
-      const match = line.match(/^Sitemap:\s*(.+)$/i);
-      if (match) {
-        const sitemapUrl = match[1].trim();
-        try {
-          new URL(sitemapUrl);
-          sitemaps.push(sitemapUrl);
-        } catch {
-          if (config.verbose) {
-            console.warn(`Invalid sitemap URL in robots.txt: ${sitemapUrl}`);
-          }
-        }
-      }
-    }
-    if (config.verbose && sitemaps.length > 0) {
-      console.log(`Found ${sitemaps.length} sitemap(s) in robots.txt`);
-    }
-    return sitemaps;
-  } catch (error) {
-    if (config.verbose) {
-      console.log(`No robots.txt found at ${robotsUrl}`);
-    }
-    return [];
-  }
-}
-function isSitemapIndex(xmlContent) {
-  if (xmlContent.includes("<sitemapindex")) {
-    return true;
   }
-  if (xmlContent.includes("<urlset")) {
-    const urlBlockRegex = /<url[^>]*>.*?<loc>([^<]+)<\/loc>.*?<\/url>/gs;
-    const matches = Array.from(xmlContent.matchAll(urlBlockRegex));
-    const samplesToCheck = Math.min(5, matches.length);
-    let sitemapLikeCount = 0;
-    for (let i = 0; i < samplesToCheck; i++) {
-      const url = matches[i][1].trim().toLowerCase();
-      if (url.includes("sitemap") || url.endsWith(".xml")) {
-        sitemapLikeCount++;
-      }
-    }
-    return sitemapLikeCount > samplesToCheck / 2;
-  }
-  return false;
-}
-function extractSitemapIndexUrls(xmlContent) {
-  const urls = [];
-  if (xmlContent.includes("<sitemapindex")) {
-    const sitemapBlockRegex = /<sitemap[^>]*>(.*?)<\/sitemap>/gs;
-    let sitemapMatch;
-    while ((sitemapMatch = sitemapBlockRegex.exec(xmlContent)) !== null) {
-      const locMatch = /<loc>([^<]+)<\/loc>/i.exec(sitemapMatch[1]);
-      if (locMatch) {
-        const url = locMatch[1].trim();
-        try {
-          new URL(url);
-          urls.push(url);
-        } catch {
+  /**
+   * Attempts to find sitemaps for a given base website URL.
+   */
+  async findSitemaps(baseUrl) {
+    const sitemaps = /* @__PURE__ */ new Set();
+    const url = new URL(baseUrl);
+    const origin = url.origin;
+    try {
+      const robotsUrl = `${origin}/robots.txt`;
+      const response = await fetch(robotsUrl);
+      if (response.status === 200) {
+        const text = await response.text();
+        const matches = text.matchAll(/^Sitemap:\s*(.+)$/gim);
+        for (const match of matches) {
+          if (match[1]) sitemaps.add(match[1].trim());
         }
       }
+    } catch (e) {
     }
-  } else {
-    const urlBlockRegex = /<url[^>]*>(.*?)<\/url>/gs;
-    let urlMatch;
-    while ((urlMatch = urlBlockRegex.exec(xmlContent)) !== null) {
-      const locMatch = /<loc>([^<]+)<\/loc>/i.exec(urlMatch[1]);
-      if (locMatch) {
-        const url = locMatch[1].trim();
-        if (url.toLowerCase().includes("sitemap") || url.toLowerCase().endsWith(".xml")) {
-          try {
-            new URL(url);
-            urls.push(url);
-          } catch {
+    if (sitemaps.size === 0) {
+      for (const path4 of this.STANDARD_PATHS) {
+        try {
+          const sitemapUrl = `${origin}${path4}`;
+          const response = await fetch(sitemapUrl, { method: "HEAD" });
+          if (response.status === 200) {
+            sitemaps.add(sitemapUrl);
           }
+        } catch (e) {
         }
       }
     }
-  }
-  return urls;
-}
-async function discoverAllSitemaps(initialSitemaps, config) {
-  const finalSitemaps = [];
-  const toProcess = [...initialSitemaps];
-  const processed = /* @__PURE__ */ new Set();
-  const inaccessible = /* @__PURE__ */ new Set();
-  const BATCH_SIZE = config.discoveryConcurrency || 50;
-  while (toProcess.length > 0) {
-    const batch = toProcess.splice(0, Math.min(BATCH_SIZE, toProcess.length));
-    const batchResults = await Promise.all(batch.map(async (sitemapUrl) => {
-      if (processed.has(sitemapUrl)) {
-        if (config.verbose) {
-          console.warn(`Skipping duplicate sitemap: ${sitemapUrl}`);
-        }
-        return { type: "skip" };
-      }
-      processed.add(sitemapUrl);
+    return Array.from(sitemaps);
+  }
+  /**
+   * Recursively discovers all leaf sitemaps from a root URL.
+   * Returns both the sitemap URL and its XML data to avoid duplicate fetches.
+   */
+  async *discover(rootUrl) {
+    const queue = [rootUrl];
+    while (queue.length > 0) {
+      const currentUrl = queue.shift();
+      if (this.visited.has(currentUrl)) continue;
+      this.visited.add(currentUrl);
       try {
-        const result = await fetchUrl(sitemapUrl, {
-          timeout: config.timeout,
-          maxRetries: 2
-        });
-        if (isSitemapIndex(result.content)) {
-          if (config.verbose) {
-            console.log(`Found sitemap index: ${sitemapUrl}`);
-          }
-          const childUrls = extractSitemapIndexUrls(result.content);
-          if (config.verbose) {
-            console.log(`  \u2514\u2500 Contains ${childUrls.length} child sitemap(s)`);
-          }
-          return { type: "index", childUrls };
-        } else {
-          if (config.verbose) {
-            console.log(`\u2713 Discovered sitemap: ${sitemapUrl}`);
+        const response = await fetch(currentUrl);
+        if (response.status !== 200) continue;
+        const xmlData = await response.text();
+        const jsonObj = this.parser.parse(xmlData);
+        if (jsonObj.sitemapindex) {
+          const sitemaps = Array.isArray(jsonObj.sitemapindex.sitemap) ? jsonObj.sitemapindex.sitemap : [jsonObj.sitemapindex.sitemap];
+          for (const sitemap of sitemaps) {
+            if (sitemap?.loc) {
+              queue.push(sitemap.loc);
+            }
           }
-          return { type: "sitemap", url: sitemapUrl };
+        } else if (jsonObj.urlset) {
+          yield { url: currentUrl, xmlData };
         }
       } catch (error) {
-        inaccessible.add(sitemapUrl);
-        if (config.verbose) {
-          const message = error instanceof Error ? error.message : String(error);
-          console.warn(`Failed to fetch sitemap ${sitemapUrl}: ${message}`);
-        }
-        return { type: "failed" };
-      }
-    }));
-    for (const result of batchResults) {
-      if (result.type === "index") {
-        toProcess.push(...result.childUrls);
-      } else if (result.type === "sitemap") {
-        finalSitemaps.push(result.url);
+        console.error(`Failed to fetch or parse sitemap at ${currentUrl}:`, error);
       }
     }
-    if (processed.size > 1e3) {
-      console.warn(`\u26A0\uFE0F  Processed over 1000 sitemap URLs. Stopping to prevent excessive requests.`);
-      break;
-    }
   }
-  if (finalSitemaps.length === 0 && inaccessible.size > 0) {
-    console.warn(`
-\u26A0\uFE0F  All ${inaccessible.size} sitemap(s) were inaccessible`);
-    console.warn(`Common causes: 403/404 errors, network issues, or bot protection`);
-  }
-  return finalSitemaps;
-}
-async function discoverSitemaps(baseUrl, config) {
-  const normalizedUrl = new URL(baseUrl).origin;
-  if (config.verbose) {
-    console.log("Checking robots.txt for sitemap directives...");
-  }
-  const robotsSitemaps = await parseRobotsTxt(normalizedUrl, config);
-  if (robotsSitemaps.length > 0) {
-    const sitemaps = await discoverAllSitemaps(robotsSitemaps, config);
-    return {
-      sitemaps,
-      source: "robots-txt",
-      accessIssues: []
-    };
-  }
-  if (config.verbose) {
-    console.log("Trying standard sitemap paths...");
-  }
-  const { sitemaps: standardSitemaps, issues } = await tryStandardPaths(normalizedUrl, config);
-  if (standardSitemaps.length > 0) {
-    const sitemaps = await discoverAllSitemaps(standardSitemaps, config);
-    if (sitemaps.length > 0) {
-      return {
-        sitemaps,
-        source: "standard-path",
-        accessIssues: []
-      };
-    }
-    return {
-      sitemaps: [],
-      source: "standard-path",
-      accessIssues: issues
-    };
-  }
-  return {
-    sitemaps: [],
-    source: "none",
-    accessIssues: issues
-  };
-}
+};
 
 // src/core/parser.ts
-import { XMLParser, XMLValidator } from "fast-xml-parser";
-var VALID_CHANGEFREQ = /* @__PURE__ */ new Set([
-  "always",
-  "hourly",
-  "daily",
-  "weekly",
-  "monthly",
-  "yearly",
-  "never"
-]);
-var parser = new XMLParser({
-  ignoreAttributes: false,
-  attributeNamePrefix: "@_",
-  textNodeName: "_text",
-  parseAttributeValue: true,
-  trimValues: true,
-  allowBooleanAttributes: true,
-  parseTagValue: false
-  // Keep values as strings for validation
-});
-function extractUrls(parsedXml, sitemapUrl) {
-  const urls = [];
-  if (parsedXml.urlset) {
-    const urlNodes = Array.isArray(parsedXml.urlset.url) ? parsedXml.urlset.url : [parsedXml.urlset.url];
-    for (let i = 0; i < urlNodes.length; i++) {
-      const node = urlNodes[i];
-      if (!node || !node.loc) {
-        continue;
+import { XMLParser as XMLParser2 } from "fast-xml-parser";
+import { fetch as fetch2 } from "undici";
+var SitemapParser = class {
+  parser;
+  constructor() {
+    this.parser = new XMLParser2({
+      ignoreAttributes: false,
+      attributeNamePrefix: "@_"
+    });
+  }
+  /**
+   * Parses a leaf sitemap and yields SitemapUrl objects.
+   * Can accept either a URL to fetch or pre-fetched XML data with the source URL.
+   * Note: For true streaming of massive files, we'd use a SAX-like approach.
+   * fast-xml-parser's parse() is fast but loads the whole string.
+   * Given the 50k URL requirement, we'll use a more memory-efficient approach if needed,
+   * but let's start with a clean AsyncGenerator interface.
+   */
+  async *parse(sitemapUrlOrData) {
+    let sitemapUrl = typeof sitemapUrlOrData === "string" ? sitemapUrlOrData : sitemapUrlOrData.url;
+    try {
+      let xmlData;
+      if (typeof sitemapUrlOrData === "string") {
+        const response = await fetch2(sitemapUrl);
+        xmlData = await response.text();
+      } else {
+        xmlData = sitemapUrlOrData.xmlData;
       }
-      urls.push({
-        loc: node.loc,
-        lastmod: node.lastmod,
-        changefreq: node.changefreq,
-        priority: node.priority ? parseFloat(node.priority) : void 0,
-        source: sitemapUrl
-      });
+      const jsonObj = this.parser.parse(xmlData);
+      if (jsonObj.urlset && jsonObj.urlset.url) {
+        const urls = Array.isArray(jsonObj.urlset.url) ? jsonObj.urlset.url : [jsonObj.urlset.url];
+        for (const url of urls) {
+          if (url.loc) {
+            yield {
+              loc: url.loc,
+              source: sitemapUrl,
+              lastmod: url.lastmod,
+              changefreq: url.changefreq,
+              priority: url.priority,
+              risks: []
+            };
+          }
+        }
+      }
+    } catch (error) {
+      console.error(`Failed to parse sitemap at ${sitemapUrl}:`, error);
     }
   }
-  return urls;
-}
-async function parseSitemap(xml, sitemapUrl) {
-  const errors = [];
-  try {
-    const validationResult = XMLValidator.validate(xml);
-    if (validationResult !== true) {
-      const validationError = typeof validationResult === "object" ? validationResult.err.msg : "Invalid XML";
-      return {
-        urls: [],
-        errors: [
-          `[${sitemapUrl}] XML parsing failed: ${validationError}`
-        ],
-        totalCount: 0,
-        sitemapUrl
-      };
+};
+
+// src/core/extractor.ts
+var ExtractorService = class {
+  discovery;
+  parser;
+  seenUrls = /* @__PURE__ */ new Set();
+  discoveredSitemaps = /* @__PURE__ */ new Set();
+  constructor() {
+    this.discovery = new DiscoveryService();
+    this.parser = new SitemapParser();
+  }
+  /**
+   * Returns the list of sitemaps discovered during the extraction process.
+   */
+  getDiscoveredSitemaps() {
+    return Array.from(this.discoveredSitemaps);
+  }
+  /**
+   * Normalizes a URL by removing trailing slashes and converting to lowercase.
+   */
+  normalizeUrl(url) {
+    try {
+      const parsed = new URL(url);
+      let normalized = parsed.origin + parsed.pathname.replace(/\/$/, "");
+      if (parsed.search) normalized += parsed.search;
+      return normalized.toLowerCase();
+    } catch {
+      return url.toLowerCase().replace(/\/$/, "");
+    }
+  }
+  /**
+   * Extracts all unique URLs from a root sitemap URL or website base URL.
+   */
+  async *extract(inputUrl) {
+    let startUrls = [inputUrl];
+    if (!inputUrl.endsWith(".xml") && !inputUrl.endsWith(".gz")) {
+      const discovered = await this.discovery.findSitemaps(inputUrl);
+      if (discovered.length > 0) {
+        console.log(`\u2705 Discovered ${discovered.length} sitemap(s): ${discovered.join(", ")}`);
+        startUrls = discovered;
+      } else {
+        console.log(`\u26A0\uFE0F No sitemaps discovered via robots.txt or standard paths. Proceeding with input URL.`);
+      }
     }
-    const parsed = parser.parse(xml);
-    const urls = extractUrls(parsed, sitemapUrl);
-    const validUrls = [];
-    for (const entry of urls) {
-      try {
-        new URL(entry.loc);
-        if (entry.priority !== void 0) {
-          if (entry.priority < 0 || entry.priority > 1) {
-            errors.push(
-              `Invalid priority ${entry.priority} for ${entry.loc} - clamping to 0-1`
-            );
-            entry.priority = Math.max(0, Math.min(1, entry.priority));
-          }
-        }
-        if (entry.changefreq) {
-          if (!VALID_CHANGEFREQ.has(entry.changefreq.toLowerCase())) {
-            errors.push(
-              `Invalid changefreq "${entry.changefreq}" for ${entry.loc}`
-            );
-            entry.changefreq = void 0;
+    for (const startUrl of startUrls) {
+      for await (const discovered of this.discovery.discover(startUrl)) {
+        this.discoveredSitemaps.add(discovered.url);
+        for await (const urlObj of this.parser.parse(discovered)) {
+          const normalized = this.normalizeUrl(urlObj.loc);
+          if (!this.seenUrls.has(normalized)) {
+            this.seenUrls.add(normalized);
+            yield urlObj;
           }
         }
-        validUrls.push(entry);
-      } catch (urlError) {
-        errors.push(`Invalid URL format: ${entry.loc}`);
       }
     }
-    return {
-      urls: validUrls,
-      errors,
-      totalCount: validUrls.length,
-      sitemapUrl
-    };
-  } catch (parseError) {
-    const errorMsg = parseError instanceof Error ? parseError.message : String(parseError);
-    return {
-      urls: [],
-      errors: [
-        `[${sitemapUrl}] XML parsing failed: ${errorMsg}`
-      ],
-      totalCount: 0,
-      sitemapUrl
-    };
   }
-}
+};
 
-// src/utils/batch-processor.ts
-function chunkArray(array, chunkSize) {
-  const chunks = [];
-  for (let i = 0; i < array.length; i += chunkSize) {
-    chunks.push(array.slice(i, i + chunkSize));
-  }
-  return chunks;
-}
-async function processInBatches(items, concurrency, processor, onProgress) {
-  const results = new Array(items.length);
-  let completed = 0;
-  let currentIndex = 0;
-  const errors = [];
-  const workers = Array(Math.min(concurrency, items.length)).fill(null).map(async () => {
-    while (currentIndex < items.length) {
-      const index = currentIndex++;
-      const item = items[index];
+// src/core/matcher.ts
+import micromatch from "micromatch";
+var MatcherService = class {
+  config;
+  rootDomain;
+  constructor(config, rootUrl) {
+    this.config = config;
+    if (rootUrl) {
       try {
-        results[index] = await processor(item);
-      } catch (error) {
-        errors.push({ index, error });
-        results[index] = null;
-      }
-      completed++;
-      if (onProgress) {
-        onProgress(completed, items.length);
+        this.rootDomain = new URL(rootUrl).hostname.replace(/^www\./, "");
+      } catch {
       }
     }
-  });
-  await Promise.all(workers);
-  if (errors.length > 0) {
-    console.warn(`Processed ${items.length} items with ${errors.length} errors`);
-  }
-  return results;
-}
-
-// src/core/extractor.ts
-async function extractAllUrls(sitemapUrls, config, onProgress) {
-  const allUrls = [];
-  const allErrors = [];
-  let sitemapsProcessed = 0;
-  let sitemapsFailed = 0;
-  if (config.verbose) {
-    console.log(`
-Extracting URLs from ${sitemapUrls.length} sitemap(s)...`);
-  }
-  const CONCURRENCY = config.parsingConcurrency || 50;
-  if (!config.silent && config.verbose) {
-    console.log(`Using parsing concurrency: ${CONCURRENCY}`);
   }
-  const results = await processInBatches(
-    sitemapUrls,
-    CONCURRENCY,
-    async (sitemapUrl) => {
+  /**
+   * Matches a URL against all policies and returns detected risks.
+   */
+  match(urlObj) {
+    const risks = [];
+    if (this.config.enforceDomainConsistency && this.rootDomain) {
       try {
-        if (config.verbose) {
-          console.log(`Extracting URLs from: ${sitemapUrl}`);
-        }
-        const response = await fetchUrl(sitemapUrl, {
-          timeout: 10,
-          // Fast timeout for sitemaps
-          maxRetries: 0,
-          // No retries - fail fast
-          disableBrowserFallback: true
-          // Don't use browser for bulk parsing
-        });
-        const parseResult = await parseSitemap(response.content, sitemapUrl);
-        const extractedAt = (/* @__PURE__ */ new Date()).toISOString();
-        parseResult.urls.forEach((url) => {
-          url.extractedAt = extractedAt;
-        });
-        if (config.verbose) {
-          console.log(`  \u2713 Extracted ${parseResult.urls.length} URLs from ${sitemapUrl}`);
-        }
-        return {
-          success: true,
-          urls: parseResult.urls,
-          errors: parseResult.errors
-        };
-      } catch (error) {
-        const errorMsg = `Failed to process ${sitemapUrl}: ${error instanceof Error ? error.message : String(error)}`;
-        if (config.verbose) {
-          console.error(`  \u2717 ${errorMsg}`);
+        const currentDomain = new URL(urlObj.loc).hostname.replace(/^www\./, "");
+        if (currentDomain !== this.rootDomain) {
+          risks.push({
+            category: "Domain Consistency",
+            pattern: this.rootDomain,
+            type: "literal",
+            reason: `URL domain mismatch: expected ${this.rootDomain} (or www.${this.rootDomain}), but found ${currentDomain}.`
+          });
         }
-        return {
-          success: false,
-          urls: [],
-          errors: [errorMsg]
-        };
+      } catch {
       }
-    },
-    onProgress
-    // Pass progress callback to batch processor
-  );
-  for (const result of results) {
-    if (result.success) {
-      sitemapsProcessed++;
-      allUrls.push(...result.urls);
-    } else {
-      sitemapsFailed++;
     }
-    allErrors.push(...result.errors);
-  }
-  if (config.verbose) {
-    console.log(`
-Extraction complete:`);
-    console.log(`  - Sitemaps processed: ${sitemapsProcessed}`);
-    console.log(`  - Sitemaps failed: ${sitemapsFailed}`);
-    console.log(`  - Total URLs: ${allUrls.length}`);
-    console.log(`  - Errors: ${allErrors.length}`);
-  }
-  return {
-    allUrls,
-    sitemapsProcessed,
-    sitemapsFailed,
-    totalUrls: allUrls.length,
-    errors: allErrors
-  };
-}
-
-// src/core/consolidator.ts
-function normalizeUrl(url) {
-  try {
-    const parsed = new URL(url);
-    let pathname = parsed.pathname;
-    if (pathname.endsWith("/") && pathname !== "/") {
-      pathname = pathname.slice(0, -1);
+    for (const pattern of this.config.acceptable_patterns) {
+      if (this.isMatch(urlObj.loc, pattern)) {
+        urlObj.ignored = true;
+        urlObj.ignoredBy = pattern.reason;
+        return risks;
+      }
     }
-    const params = Array.from(parsed.searchParams.entries()).sort(
-      ([a], [b]) => a.localeCompare(b)
-    );
-    const sortedParams = new URLSearchParams(params);
-    return `${parsed.protocol}//${parsed.host}${pathname}${sortedParams.toString() ? "?" + sortedParams.toString() : ""}${parsed.hash}`;
-  } catch {
-    return url;
-  }
-}
-function mergeUrlEntries(entries) {
-  if (entries.length === 1) return entries[0];
-  const merged = { ...entries[0] };
-  const sources = entries.map((e) => e.source);
-  merged.source = sources.join(", ");
-  const lastmods = entries.map((e) => e.lastmod).filter((lm) => !!lm).map((lm) => new Date(lm).getTime()).sort((a, b) => b - a);
-  if (lastmods.length > 0) {
-    merged.lastmod = new Date(lastmods[0]).toISOString();
-  }
-  const priorities = entries.map((e) => e.priority).filter((p) => p !== void 0);
-  if (priorities.length > 0) {
-    merged.priority = Math.max(...priorities);
-  }
-  const changefreqs = entries.map((e) => e.changefreq).filter((cf) => !!cf);
-  if (changefreqs.length > 0) {
-    const counts = /* @__PURE__ */ new Map();
-    for (const cf of changefreqs) {
-      counts.set(cf, (counts.get(cf) || 0) + 1);
+    for (const policy of this.config.policies) {
+      for (const pattern of policy.patterns) {
+        if (this.isMatch(urlObj.loc, pattern)) {
+          risks.push({
+            category: policy.category,
+            pattern: pattern.value,
+            type: pattern.type,
+            reason: pattern.reason
+          });
+        }
+      }
     }
-    const sorted = Array.from(counts.entries()).sort((a, b) => b[1] - a[1]);
-    merged.changefreq = sorted[0][0];
-  }
-  const extractedAts = entries.map((e) => e.extractedAt).filter((ea) => !!ea).map((ea) => new Date(ea).getTime()).sort((a, b) => b - a);
-  if (extractedAts.length > 0) {
-    merged.extractedAt = new Date(extractedAts[0]).toISOString();
+    return risks;
   }
-  return merged;
-}
-function consolidateUrls(urls, verbose = false) {
-  const totalInputUrls = urls.length;
-  if (verbose) {
-    console.log(`
-Consolidating ${urls.length} URL(s)...`);
-  }
-  const urlMap = /* @__PURE__ */ new Map();
-  for (const entry of urls) {
-    const normalized = normalizeUrl(entry.loc);
-    if (!urlMap.has(normalized)) {
-      urlMap.set(normalized, []);
+  isMatch(url, pattern) {
+    switch (pattern.type) {
+      case "literal":
+        return url.includes(pattern.value);
+      case "glob":
+        return micromatch.isMatch(url, pattern.value, { contains: true });
+      case "regex":
+        try {
+          const regex = new RegExp(pattern.value, "i");
+          return regex.test(url);
+        } catch {
+          return false;
+        }
+      default:
+        return false;
     }
-    urlMap.get(normalized).push(entry);
   }
-  const uniqueUrls = [];
-  const duplicateGroups = [];
-  for (const [normalized, entries] of urlMap.entries()) {
-    const merged = mergeUrlEntries(entries);
-    uniqueUrls.push(merged);
-    if (entries.length > 1) {
-      duplicateGroups.push({
-        url: normalized,
-        count: entries.length,
-        sources: entries.map((e) => e.source)
+};
+
+// src/reporters/console-reporter.ts
+import chalk2 from "chalk";
+var ConsoleReporter = class {
+  async generate(data) {
+    console.log("\n" + chalk2.bold.blue("=== sitemap-qa Analysis Summary ==="));
+    console.log(`Total URLs Scanned: ${data.totalUrls}`);
+    console.log(`Total Risks Found:  ${data.totalRisks > 0 ? chalk2.red(data.totalRisks) : chalk2.green(0)}`);
+    console.log(`URLs with Risks:    ${data.urlsWithRisks.length}`);
+    console.log(`URLs Ignored:       ${data.ignoredUrls.length > 0 ? chalk2.yellow(data.ignoredUrls.length) : 0}`);
+    console.log(`Duration:           ${((data.endTime.getTime() - data.startTime.getTime()) / 1e3).toFixed(2)}s`);
+    if (data.urlsWithRisks.length > 0) {
+      console.log("\n" + chalk2.bold.yellow("Top Findings:"));
+      data.urlsWithRisks.slice(0, 10).forEach((url) => {
+        console.log(`
+${chalk2.cyan(url.loc)}`);
+        url.risks.forEach((risk) => {
+          console.log(`  - [${chalk2.red(risk.category)}] ${risk.reason} (${chalk2.gray(risk.pattern)})`);
+        });
       });
-    }
-  }
-  if (verbose) {
-    console.log(`Consolidation complete:`);
-    console.log(`  - Input URLs: ${totalInputUrls}`);
-    console.log(`  - Unique URLs: ${uniqueUrls.length}`);
-    console.log(`  - Duplicates removed: ${totalInputUrls - uniqueUrls.length}`);
-    if (duplicateGroups.length > 0) {
-      console.log(`
-Top duplicates:`);
-      const top5 = duplicateGroups.sort((a, b) => b.count - a.count).slice(0, 5);
-      for (const group of top5) {
-        console.log(`  - ${group.url} (${group.count} times)`);
+      if (data.urlsWithRisks.length > 10) {
+        console.log(`
+... and ${data.urlsWithRisks.length - 10} more. See JSON/HTML report for full details.`);
       }
     }
+    console.log("\n" + chalk2.bold.blue("==================================="));
   }
-  return {
-    uniqueUrls,
-    totalInputUrls,
-    duplicatesRemoved: totalInputUrls - uniqueUrls.length,
-    duplicateGroups
-  };
-}
-
-// src/core/patterns/risk-patterns.ts
-var RISK_PATTERNS = [
-  // Sensitive Parameter Patterns (HIGH)
-  {
-    name: "Authentication Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](token|auth|key|password|secret|apikey|session|credentials)=/i,
-    description: "Query parameter may contain sensitive authentication data"
-  },
-  {
-    name: "Debug Parameter",
-    category: "sensitive_params",
-    severity: "medium",
-    regex: /[?&](debug|trace|verbose|test_mode)=/i,
-    description: "Query parameter may contain debug or diagnostic flag"
-  },
-  // Protocol Inconsistency Patterns (MEDIUM)
-  {
-    name: "HTTP in HTTPS Site",
-    category: "protocol_inconsistency",
-    severity: "medium",
-    regex: /^http:\/\//,
-    description: "HTTP URL in HTTPS sitemap (potential mixed content)"
-  },
-  // Test/Unfinished Content Patterns (MEDIUM)
-  // Focuses on obvious test/placeholder patterns, avoiding false positives with legitimate content
-  {
-    name: "Test Content Path",
-    category: "test_content",
-    severity: "medium",
-    regex: /\/(?:test-|demo-|sample-|temp-|temporary-|placeholder-)|\/(test|demo|sample|temp|temporary|placeholder)(?:\/|$)/i,
-    description: "URL path suggests test, demo, or unfinished content that may not be intended for indexing"
-  }
-];
+};
 
-// src/core/patterns/domain-patterns.ts
-function escapeRegex(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function extractRootDomain(hostname) {
-  const parts = hostname.split(".");
-  if (parts.length >= 2) {
-    return parts.slice(-2).join(".");
-  }
-  return hostname;
-}
-function createDomainMismatchPattern(baseUrl, options) {
-  const baseDomain = new URL(baseUrl).hostname;
-  const rootDomain = extractRootDomain(baseDomain);
-  if (options?.allowedSubdomains && options.allowedSubdomains.length > 0) {
-    const escapedRoot2 = escapeRegex(rootDomain);
-    const escapedSubdomains = options.allowedSubdomains.map(escapeRegex).join("|");
-    const pattern2 = `^https?://(?!(?:(?:${escapedSubdomains})\\.)?${escapedRoot2}(?:/|$))`;
-    return {
-      name: "Domain Mismatch",
-      category: "domain_mismatch",
-      severity: "high",
-      regex: new RegExp(pattern2),
-      description: `URL does not match expected domain or allowed subdomains`
+// src/reporters/json-reporter.ts
+import fs2 from "fs/promises";
+var JsonReporter = class {
+  outputPath;
+  constructor(outputPath = "sitemap-qa-report.json") {
+    this.outputPath = outputPath;
+  }
+  async generate(data) {
+    const report = {
+      metadata: {
+        generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: data.endTime.getTime() - data.startTime.getTime()
+      },
+      summary: {
+        totalUrls: data.totalUrls,
+        totalRisks: data.totalRisks,
+        urlsWithRisksCount: data.urlsWithRisks.length,
+        ignoredUrlsCount: data.ignoredUrls.length
+      },
+      findings: data.urlsWithRisks,
+      ignored: data.ignoredUrls
     };
+    await fs2.writeFile(this.outputPath, JSON.stringify(report, null, 2), "utf8");
+    console.log(`JSON report generated at ${this.outputPath}`);
   }
-  const escapedRoot = escapeRegex(rootDomain);
-  const pattern = `^https?://(?!(?:www\\.)?${escapedRoot}(?:/|$))`;
-  return {
-    name: "Domain Mismatch",
-    category: "domain_mismatch",
-    severity: "high",
-    regex: new RegExp(pattern),
-    description: `URL does not match expected domain: ${rootDomain} (including www variant)`
-  };
-}
-var ENVIRONMENT_PATTERNS = [
-  {
-    name: "Staging Subdomain",
-    category: "environment_leakage",
-    severity: "high",
-    regex: /^https?:\/\/(staging|stg)\./i,
-    description: "URL uses staging subdomain"
-  },
-  {
-    name: "Development Subdomain",
-    category: "environment_leakage",
-    severity: "high",
-    regex: /^https?:\/\/(dev|development)\./i,
-    description: "URL uses development subdomain"
-  },
-  {
-    name: "QA/Test Subdomain",
-    category: "environment_leakage",
-    severity: "high",
-    regex: /^https?:\/\/(qa|test|uat|preprod)\./i,
-    description: "URL uses test environment subdomain"
-  },
-  {
-    name: "Localhost URL",
-    category: "environment_leakage",
-    severity: "high",
-    regex: /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)/,
-    description: "URL points to localhost (development environment)"
-  },
-  {
-    name: "Environment in Path",
-    category: "environment_leakage",
-    severity: "high",
-    regex: /^https?:\/\/[^/]+\/(staging|dev|qa|uat|preprod)\//i,
-    description: "URL path contains environment identifier at root level"
-  }
-];
-
-// src/core/patterns/admin-patterns.ts
-var ADMIN_PATH_PATTERNS = [
-  {
-    name: "Admin Path",
-    category: "admin_paths",
-    severity: "high",
-    regex: /\/(admin|administrator)(?:\/|$|\?)/i,
-    description: "URL contains /admin or /administrator as a path segment"
-  },
-  {
-    name: "Dashboard Path",
-    category: "admin_paths",
-    severity: "high",
-    regex: /\/dashboard(?:\/|$|\?)/i,
-    description: "URL contains /dashboard as a path segment"
-  },
-  {
-    name: "Config Path",
-    category: "admin_paths",
-    severity: "high",
-    regex: /\/(config|configuration)(?:\/|$|\?)/i,
-    description: "URL contains /config or /configuration as a path segment"
-  },
-  {
-    name: "Console Path",
-    category: "admin_paths",
-    severity: "high",
-    regex: /\/console(?:\/|$|\?)/i,
-    description: "URL contains /console as a path segment"
-  },
-  {
-    name: "Control Panel Path",
-    category: "admin_paths",
-    severity: "high",
-    regex: /\/(cpanel|control-panel)(?:\/|$|\?)/i,
-    description: "URL contains control panel as a path segment"
-  }
-];
-var INTERNAL_CONTENT_PATTERNS = [
-  {
-    name: "Internal Content Path",
-    category: "internal_content",
-    severity: "medium",
-    regex: /\/internal\b/i,
-    description: "URL contains /internal path segment - may be internal-only content not intended for public indexing"
-  }
-];
-var SENSITIVE_PARAM_PATTERNS = [
-  {
-    name: "Authentication Token Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](token|auth_token|access_token|api_token)=/i,
-    description: "Query parameter may contain authentication token"
-  },
-  {
-    name: "API Key Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](apikey|api_key|key)=/i,
-    description: "Query parameter may contain API key"
-  },
-  {
-    name: "Password Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](password|passwd|pwd)=/i,
-    description: "Query parameter may contain password"
-  },
-  {
-    name: "Secret Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](secret|client_secret)=/i,
-    description: "Query parameter may contain secret value"
-  },
-  {
-    name: "Session Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&](session|sessionid|sid)=/i,
-    description: "Query parameter may contain session identifier"
-  },
-  {
-    name: "Credentials Parameter",
-    category: "sensitive_params",
-    severity: "high",
-    regex: /[?&]credentials=/i,
-    description: "Query parameter may contain credentials"
-  },
-  {
-    name: "Debug Parameter",
-    category: "sensitive_params",
-    severity: "medium",
-    regex: /[?&](debug|trace|verbose)=/i,
-    description: "Query parameter contains debug or diagnostic flag"
-  },
-  {
-    name: "Test Mode Parameter",
-    category: "sensitive_params",
-    severity: "medium",
-    regex: /[?&](test_mode|test|testing)=/i,
-    description: "Query parameter indicates test mode"
-  }
-];
+};
 
-// src/utils/sanitizer.ts
-function sanitizeUrl(url) {
-  try {
-    const parsed = new URL(url);
-    const sensitiveParams = [
-      "token",
-      "auth",
-      "auth_token",
-      "access_token",
-      "api_token",
-      "apikey",
-      "api_key",
-      "key",
-      "password",
-      "passwd",
-      "pwd",
-      "secret",
-      "client_secret",
-      "session",
-      "sessionid",
-      "sid",
-      "credentials"
-    ];
-    for (const param of sensitiveParams) {
-      if (parsed.searchParams.has(param)) {
-        parsed.searchParams.set(param, "[REDACTED]");
+// src/reporters/html-reporter.ts
+import fs3 from "fs/promises";
+var HtmlReporter = class {
+  outputPath;
+  constructor(outputPath = "sitemap-qa-report.html") {
+    this.outputPath = outputPath;
+  }
+  async generate(data) {
+    const categories = this.groupRisks(data);
+    const html = this.generateHtml(data, categories);
+    await fs3.writeFile(this.outputPath, html, "utf8");
+    console.log(`HTML report generated at ${this.outputPath}`);
+  }
+  groupRisks(data) {
+    const categories = {};
+    for (const urlObj of data.urlsWithRisks) {
+      for (const risk of urlObj.risks) {
+        if (!categories[risk.category]) {
+          categories[risk.category] = {};
+        }
+        if (!categories[risk.category][risk.pattern]) {
+          categories[risk.category][risk.pattern] = {
+            reason: risk.reason,
+            urls: []
+          };
+        }
+        categories[risk.category][risk.pattern].urls.push(urlObj.loc);
       }
     }
-    return parsed.toString();
-  } catch {
-    return url;
-  }
-}
-
-// src/core/risk-grouper.ts
-function generateRecommendation(category, _severity, count) {
-  switch (category) {
-    case "environment_leakage":
-      return {
-        rationale: `Production sitemap contains ${count} URL(s) from non-production environments (staging, dev, QA, test). This indicates configuration errors or environment leakage.`,
-        recommendedAction: "Verify sitemap generation excludes non-production environments. Review deployment configuration and environment filtering rules."
-      };
-    case "admin_paths":
-      return {
-        rationale: `${count} administrative path(s) detected in public sitemap (admin, dashboard, config). These paths may expose privileged access points.`,
-        recommendedAction: "Confirm if admin paths should be publicly indexed. Consider excluding via robots.txt or removing from sitemap. Verify access controls."
-      };
-    case "internal_content":
-      return {
-        rationale: `${count} URL(s) contain "internal" in the path. These may be internal-facing content not intended for public indexing.`,
-        recommendedAction: "Review URLs to determine if they should be publicly accessible. Consider excluding internal content from sitemap or adding noindex meta tags."
-      };
-    case "test_content":
-      return {
-        rationale: `${count} URL(s) contain test/demo/sample identifiers. These may be placeholder or unfinished content not intended for indexing.`,
-        recommendedAction: "Review and remove test content from production sitemaps. Verify content is production-ready before including in sitemap."
-      };
-    case "sensitive_params":
-      return {
-        rationale: `${count} URL(s) contain sensitive query parameters (token, auth, key, password, session). This may expose authentication credentials or debugging flags.`,
-        recommendedAction: "Review why sensitive parameters are in sitemap URLs. Remove authentication tokens from URLs. Consider POST requests for sensitive data."
-      };
-    case "protocol_inconsistency":
-      return {
-        rationale: `${count} URL(s) use HTTP protocol in HTTPS sitemap. This creates mixed content warnings and potential security issues.`,
-        recommendedAction: "Update URLs to use HTTPS consistently. Verify SSL certificate coverage. Check for hardcoded HTTP URLs in content."
-      };
-    case "domain_mismatch":
-      return {
-        rationale: `${count} URL(s) do not match expected base domain. This may indicate external links, CDN URLs, or configuration errors.`,
-        recommendedAction: "Verify if external domains are intentional. Review sitemap generation logic. Confirm CDN or subdomain configuration is correct."
-      };
-    default:
-      return {
-        rationale: `${count} URL(s) flagged in category: ${category}`,
-        recommendedAction: "Review flagged URLs and determine appropriate action."
-      };
-  }
-}
-function groupRiskFindings(findings, maxSampleUrls = 5) {
-  const categoryMap = /* @__PURE__ */ new Map();
-  for (const finding of findings) {
-    if (!categoryMap.has(finding.category)) {
-      categoryMap.set(finding.category, []);
-    }
-    categoryMap.get(finding.category).push(finding);
-  }
-  const groups = [];
-  for (const [category, categoryFindings] of categoryMap.entries()) {
-    const uniqueUrls = Array.from(new Set(categoryFindings.map((f) => f.url)));
-    const severity = categoryFindings.reduce((highest, finding) => {
-      const severityOrder = ["low", "medium", "high"];
-      return severityOrder.indexOf(finding.severity) > severityOrder.indexOf(highest) ? finding.severity : highest;
-    }, "low");
-    const sampleUrls = uniqueUrls.slice(0, maxSampleUrls);
-    const { rationale, recommendedAction } = generateRecommendation(category, severity, uniqueUrls.length);
-    groups.push({
-      category,
-      severity,
-      count: uniqueUrls.length,
-      rationale,
-      sampleUrls,
-      recommendedAction,
-      allUrls: uniqueUrls
-    });
+    return categories;
   }
-  groups.sort((a, b) => {
-    const severityOrder = ["high", "medium", "low"];
-    return severityOrder.indexOf(a.severity) - severityOrder.indexOf(b.severity);
-  });
-  const totalRiskUrls = new Set(findings.map((f) => f.url)).size;
-  const highSeverityCount = groups.filter((g) => g.severity === "high").reduce((sum, g) => sum + g.count, 0);
-  const mediumSeverityCount = groups.filter((g) => g.severity === "medium").reduce((sum, g) => sum + g.count, 0);
-  const lowSeverityCount = groups.filter((g) => g.severity === "low").reduce((sum, g) => sum + g.count, 0);
-  return {
-    groups,
-    totalRiskUrls,
-    highSeverityCount,
-    mediumSeverityCount,
-    lowSeverityCount
-  };
-}
+  generateHtml(data, categories) {
+    const duration = ((data.endTime.getTime() - data.startTime.getTime()) / 1e3).toFixed(1);
+    const timestamp = data.endTime.toLocaleString();
+    const esc = this.escapeHtml.bind(this);
+    return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Sitemap Analysis - ${esc(data.rootUrl)}</title>
+    <style>
+        :root {
+            --bg-dark: #0f172a;
+            --bg-light: #f8fafc;
+            --text-main: #1e293b;
+            --text-muted: #64748b;
+            --primary: #3b82f6;
+            --danger: #ef4444;
+            --warning: #f59e0b;
+            --border: #e2e8f0;
+        }
+        body { 
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+            line-height: 1.5;
+            color: var(--text-main);
+            background-color: #fff;
+            margin: 0;
+            padding: 0;
+        }
+        header {
+            background-color: var(--bg-dark);
+            color: white;
+            padding: 40px 20px;
+            text-align: left;
+        }
+        .container {
+            max-width: 1200px;
+            margin: 0 auto;
+            padding: 0 20px;
+        }
+        header h1 { margin: 0; font-size: 24px; }
+        header .meta { margin-top: 10px; color: #94a3b8; font-size: 14px; }
+        
+        .summary-grid {
+            display: grid;
+            grid-template-columns: repeat(5, 1fr);
+            border-bottom: 1px solid var(--border);
+            margin-bottom: 40px;
+        }
+        .summary-card {
+            padding: 30px 20px;
+            text-align: center;
+            border-right: 1px solid var(--border);
+        }
+        .summary-card:last-child { border-right: none; }
+        .summary-card h3 { 
+            margin: 0; 
+            font-size: 12px; 
+            text-transform: uppercase; 
+            color: var(--text-muted);
+            letter-spacing: 0.05em;
+        }
+        .summary-card p { 
+            margin: 10px 0 0; 
+            font-size: 32px; 
+            font-weight: 700; 
+            color: var(--text-main);
+        }
+        .summary-card.highlight p { color: var(--danger); }
 
-// src/core/risk-detector.ts
-import os from "os";
-function compileAcceptedPatterns(config) {
-  const patterns = [];
-  if (config.acceptedPatterns && config.acceptedPatterns.length > 0) {
-    for (const pattern of config.acceptedPatterns) {
-      try {
-        let regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
-        if (!regexPattern.endsWith("$") && !regexPattern.includes("(?:")) {
-          regexPattern = regexPattern + "(?:/|$|\\?|#)";
+        details {
+            margin-bottom: 20px;
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            overflow: hidden;
         }
-        patterns.push(new RegExp(regexPattern, "i"));
-      } catch (error) {
-        if (config.verbose) {
-          console.warn(`Invalid accepted pattern: ${pattern}`);
+        summary {
+            padding: 15px 20px;
+            background-color: #fff;
+            cursor: pointer;
+            font-weight: 600;
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            list-style: none;
         }
-      }
-    }
-  }
-  return patterns;
-}
-async function detectRisksInBatch(urls, allPatterns, acceptedPatterns, expectedProtocol, verbose) {
-  const findings = [];
-  for (const urlEntry of urls) {
-    const url = urlEntry.loc;
-    let isAccepted = false;
-    for (const acceptedPattern of acceptedPatterns) {
-      if (acceptedPattern.test(url)) {
-        isAccepted = true;
-        break;
-      }
-    }
-    if (isAccepted) continue;
-    for (const pattern of allPatterns) {
-      if (pattern.category === "protocol_inconsistency") {
-        try {
-          const urlProtocol = new URL(url).protocol;
-          if (expectedProtocol === "https:" && urlProtocol === "http:") {
-            findings.push({
-              url,
-              category: pattern.category,
-              severity: pattern.severity,
-              pattern: pattern.name,
-              rationale: pattern.description,
-              matchedValue: "http://"
-            });
-          }
-        } catch (error) {
-          continue;
+        summary::-webkit-details-marker { display: none; }
+        summary::after {
+            content: '\u25B6';
+            font-size: 12px;
+            color: var(--text-muted);
+            transition: transform 0.2s;
         }
-      } else {
-        try {
-          const match = url.match(pattern.regex);
-          if (match) {
-            findings.push({
-              url: pattern.category === "sensitive_params" ? sanitizeUrl(url) : url,
-              category: pattern.category,
-              severity: pattern.severity,
-              pattern: pattern.name,
-              rationale: pattern.description,
-              matchedValue: match[0]
-            });
-          }
-        } catch (error) {
-          if (verbose) {
-            console.error(`Pattern matching failed for ${pattern.name}: ${error instanceof Error ? error.message : String(error)}`);
-          }
-          continue;
+        details[open] summary::after { transform: rotate(90deg); }
+        
+        .category-section {
+            border: 1px solid var(--warning);
+            border-radius: 8px;
+            margin-bottom: 20px;
+        }
+        .category-header {
+            padding: 15px 20px;
+            background-color: #fffbeb;
+            color: var(--warning);
+            font-weight: 600;
+            cursor: pointer;
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+        }
+        .category-content {
+            padding: 20px;
+            background-color: #fff;
         }
-      }
-    }
-  }
-  return { findings, urlsProcessed: urls.length };
-}
-async function detectRisks(urls, baseUrl, config) {
-  const startTime = Date.now();
-  const domainPattern = createDomainMismatchPattern(baseUrl);
-  const allPatterns = [
-    ...RISK_PATTERNS,
-    ...ENVIRONMENT_PATTERNS,
-    ...ADMIN_PATH_PATTERNS,
-    ...SENSITIVE_PARAM_PATTERNS,
-    ...INTERNAL_CONTENT_PATTERNS,
-    domainPattern
-  ];
-  const acceptedPatterns = compileAcceptedPatterns(config);
-  let expectedProtocol;
-  try {
-    expectedProtocol = new URL(baseUrl).protocol;
-  } catch (error) {
-    if (config.verbose) {
-      console.warn(`Invalid base URL: ${baseUrl}, defaulting to https:`);
-    }
-    expectedProtocol = "https:";
-  }
-  const BATCH_SIZE = config.riskDetectionBatchSize || 1e4;
-  const CONCURRENCY = config.riskDetectionConcurrency || Math.max(2, os.cpus().length - 1);
-  const batches = chunkArray(urls, BATCH_SIZE);
-  if (config.verbose) {
-    console.log(`
-Risk Detection Configuration:`);
-    console.log(`  - Total URLs: ${urls.length.toLocaleString()}`);
-    console.log(`  - Batch size: ${BATCH_SIZE.toLocaleString()}`);
-    console.log(`  - Concurrency: ${CONCURRENCY}`);
-    console.log(`  - Total batches: ${batches.length}`);
-    try {
-      console.log(`  - Base domain: ${new URL(baseUrl).hostname}`);
-    } catch (error) {
-      console.log(`  - Base URL: ${baseUrl}`);
-    }
-    if (acceptedPatterns.length > 0) {
-      console.log(`  - Accepted patterns: ${acceptedPatterns.length}`);
-    }
-  }
-  let completedBatches = 0;
-  const totalBatches = batches.length;
-  const batchStartTime = Date.now();
-  const batchResults = await processInBatches(
-    batches,
-    CONCURRENCY,
-    (batch) => detectRisksInBatch(batch, allPatterns, acceptedPatterns, expectedProtocol, config.verbose),
-    (completed) => {
-      completedBatches = completed;
-      const pct = (completed / totalBatches * 100).toFixed(1);
-      const elapsed = (Date.now() - batchStartTime) / 1e3;
-      const urlsProcessed = completed * BATCH_SIZE;
-      const speed = Math.round(urlsProcessed / elapsed);
-      const remaining = totalBatches - completed;
-      const eta = Math.round(remaining * BATCH_SIZE / speed);
-      process.stdout.write(
-        `\r\x1B[K  Analyzing batch ${completed}/${totalBatches} (${pct}%) | ETA: ~${eta}s | ${speed.toLocaleString()} URLs/sec`
-      );
-    }
-  );
-  process.stdout.write("\r\x1B[K");
-  const allFindings = batchResults.flatMap((r) => r.findings);
-  const groupingResult = groupRiskFindings(allFindings);
-  const processingTimeMs = Date.now() - startTime;
-  if (config.verbose) {
-    console.log(`
-Risk Detection Summary:`);
-    console.log(`  - Total URLs analyzed: ${urls.length.toLocaleString()}`);
-    console.log(`  - Risk URLs found: ${groupingResult.totalRiskUrls.toLocaleString()}`);
-    console.log(`  - HIGH severity: ${groupingResult.highSeverityCount}`);
-    console.log(`  - MEDIUM severity: ${groupingResult.mediumSeverityCount}`);
-    console.log(`  - LOW severity: ${groupingResult.lowSeverityCount}`);
-    console.log(`  - Processing time: ${(processingTimeMs / 1e3).toFixed(1)}s`);
-    if (groupingResult.groups.length > 0) {
-      console.log(`
-Risk Categories Found:`);
-      for (const group of groupingResult.groups) {
-        console.log(`  - ${group.category}: ${group.count} URLs (${group.severity.toUpperCase()})`);
-      }
-    }
-  }
-  return {
-    findings: allFindings,
-    groups: groupingResult.groups,
-    totalUrlsAnalyzed: urls.length,
-    riskUrlCount: groupingResult.totalRiskUrls,
-    cleanUrlCount: urls.length - groupingResult.totalRiskUrls,
-    highSeverityCount: groupingResult.highSeverityCount,
-    mediumSeverityCount: groupingResult.mediumSeverityCount,
-    lowSeverityCount: groupingResult.lowSeverityCount,
-    processingTimeMs
-  };
-}
 
-// src/summarizer.ts
-function summarizeRisks(request) {
-  const severityBreakdown = {
-    high: 0,
-    medium: 0,
-    low: 0
-  };
-  const categoryInsights = request.riskGroups.map((group) => {
-    severityBreakdown[group.severity] += group.count;
-    const urls = group.allUrls || group.sampleUrls;
-    return {
-      category: group.category,
-      count: group.count,
-      severity: group.severity,
-      summary: group.rationale,
-      examples: urls.slice(0, 3),
-      allUrls: urls
-      // Include all URLs for download functionality
-    };
-  });
-  const totalRisks = request.riskGroups.reduce((sum, g) => sum + g.count, 0);
-  const overview = totalRisks > 0 ? `Found ${totalRisks} potentially risky URLs across ${request.riskGroups.length} categories in ${request.totalUrls} total URLs.` : `Analyzed ${request.totalUrls} URLs. No suspicious patterns detected.`;
-  const keyFindings = [];
-  if (severityBreakdown.high > 0) {
-    keyFindings.push(`${severityBreakdown.high} high-severity issues require immediate attention`);
-  }
-  if (severityBreakdown.medium > 0) {
-    keyFindings.push(`${severityBreakdown.medium} medium-severity issues should be reviewed`);
-  }
-  if (severityBreakdown.low > 0) {
-    keyFindings.push(`${severityBreakdown.low} low-severity items flagged for awareness`);
-  }
-  return {
-    overview,
-    keyFindings,
-    categoryInsights,
-    severityBreakdown,
-    recommendations: [],
-    generatedBy: "rule-based analysis",
-    metadata: {
-      tokensUsed: 0,
-      processingTime: request.processingTime || 0,
-      model: "pattern-matching"
-    }
-  };
-}
+        .finding-group {
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            padding: 20px;
+            margin-bottom: 20px;
+        }
+        .finding-header {
+            display: flex;
+            align-items: center;
+            gap: 10px;
+            margin-bottom: 10px;
+        }
+        .finding-header h4 { margin: 0; font-size: 16px; }
+        .badge {
+            background-color: var(--primary);
+            color: white;
+            padding: 2px 8px;
+            border-radius: 12px;
+            font-size: 12px;
+        }
+        .finding-description {
+            color: var(--text-muted);
+            font-size: 14px;
+            margin-bottom: 20px;
+        }
+        
+        .url-list {
+            background-color: var(--bg-light);
+            border-radius: 4px;
+            padding: 15px;
+            margin-bottom: 15px;
+        }
+        .url-item {
+            font-family: monospace;
+            font-size: 13px;
+            padding: 8px 12px;
+            background: white;
+            border: 1px solid var(--border);
+            border-radius: 4px;
+            margin-bottom: 8px;
+            white-space: nowrap;
+            overflow: hidden;
+            text-overflow: ellipsis;
+        }
+        .url-item:last-child { margin-bottom: 0; }
+        
+        .more-count {
+            font-size: 12px;
+            color: var(--text-muted);
+            font-style: italic;
+            margin-bottom: 15px;
+        }
 
-// src/reporters/json-reporter.ts
-var TOOL_VERSION = true ? "1.0.0-alpha.2" : "dev";
-function generateJsonReport(summary, discoveryResult, parseResult, riskGroups, config, startTime, options = {}) {
-  const {
-    pretty = true,
-    indent = 2,
-    performanceMetrics
-  } = options;
-  const result = buildAnalysisResult(
-    summary,
-    discoveryResult,
-    parseResult,
-    riskGroups,
-    config,
-    startTime
-  );
-  const jsonOutput = transformToJsonOutput(result, performanceMetrics);
-  if (pretty) {
-    return JSON.stringify(jsonOutput, null, indent);
-  } else {
-    return JSON.stringify(jsonOutput);
-  }
-}
-function buildAnalysisResult(summary, discoveryResult, parseResult, riskGroups, config, startTime) {
-  const metadata = buildAnalysisMetadata(
-    config.baseUrl || "unknown",
-    startTime,
-    summary
-  );
-  const suspiciousGroups = riskGroups.map((group) => ({
-    category: group.category,
-    severity: group.severity,
-    count: group.count,
-    pattern: group.category,
-    // Use category as pattern identifier
-    rationale: group.rationale,
-    sampleUrls: group.sampleUrls.slice(0, 5),
-    // Limit to 5 samples
-    recommendedAction: group.recommendedAction
-  }));
-  const summaryStats = {
-    highSeverityCount: summary.severityBreakdown.high,
-    mediumSeverityCount: summary.severityBreakdown.medium,
-    lowSeverityCount: summary.severityBreakdown.low,
-    totalRiskyUrls: riskGroups.reduce((sum, g) => sum + g.count, 0),
-    overallStatus: determineOverallStatus(
-      summary.severityBreakdown,
-      parseResult.errors
-    )
-  };
-  const riskSummary = {
-    overview: summary.overview,
-    keyFindings: summary.keyFindings,
-    recommendations: summary.recommendations
-  };
-  const errors = parseResult.errors.map(transformError);
-  return {
-    analysisMetadata: metadata,
-    sitemapsDiscovered: discoveryResult.sitemaps,
-    totalUrlCount: parseResult.totalCount,
-    urlsAnalyzed: parseResult.totalCount,
-    suspiciousGroups,
-    riskSummary,
-    summary: summaryStats,
-    errors
-  };
-}
-function buildAnalysisMetadata(baseUrl, startTime, summary) {
-  return {
-    baseUrl,
-    analysisTimestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    toolVersion: TOOL_VERSION,
-    executionTimeMs: Date.now() - startTime,
-    analysisType: summary.generatedBy
-  };
-}
-function determineOverallStatus(severityBreakdown, errors) {
-  if (errors.length > 0) {
-    return "errors";
-  }
-  const totalIssues = severityBreakdown.high + severityBreakdown.medium + severityBreakdown.low;
-  return totalIssues > 0 ? "issues_found" : "clean";
-}
-function transformToJsonOutput(result, performanceMetrics) {
-  const output = {
-    analysis_metadata: transformMetadata(result.analysisMetadata),
-    sitemaps_discovered: result.sitemapsDiscovered,
-    total_url_count: result.totalUrlCount,
-    urls_analyzed: result.urlsAnalyzed,
-    suspicious_groups: result.suspiciousGroups.map(transformGroup),
-    risk_summary: transformRiskSummary(result.riskSummary),
-    summary: transformSummary(result.summary),
-    errors: result.errors
-  };
-  if (performanceMetrics) {
-    output.performance_metrics = {
-      total_execution_time_ms: performanceMetrics.totalExecutionTimeMs,
-      phase_timings: performanceMetrics.phaseTimings,
-      throughput: performanceMetrics.throughput,
-      resource_usage: performanceMetrics.resourceUsage
-    };
-  }
-  return output;
-}
-function transformMetadata(meta) {
-  return {
-    base_url: meta.baseUrl,
-    analysis_timestamp: meta.analysisTimestamp,
-    tool_version: meta.toolVersion,
-    execution_time_ms: meta.executionTimeMs,
-    analysis_type: meta.analysisType
-  };
-}
-function transformGroup(group) {
-  return {
-    category: group.category,
-    severity: group.severity,
-    count: group.count,
-    pattern: group.pattern,
-    rationale: group.rationale,
-    sample_urls: group.sampleUrls,
-    recommended_action: group.recommendedAction
-  };
-}
-function transformRiskSummary(summary) {
-  return {
-    overview: summary.overview,
-    key_findings: summary.keyFindings,
-    recommendations: summary.recommendations
-  };
-}
-function transformSummary(summary) {
-  return {
-    high_severity_count: summary.highSeverityCount,
-    medium_severity_count: summary.mediumSeverityCount,
-    low_severity_count: summary.lowSeverityCount,
-    total_risky_urls: summary.totalRiskyUrls,
-    overall_status: summary.overallStatus
-  };
-}
-function transformError(error) {
-  if ("code" in error) {
-    const customError = error;
-    const errorDetail = {
-      code: customError.code || "UNKNOWN_ERROR",
-      message: error.message
-    };
-    if ("attemptedPaths" in customError) {
-      errorDetail.context = {
-        attempted_paths: customError.attemptedPaths
-      };
-    } else if ("sitemapUrl" in customError && "lineNumber" in customError) {
-      errorDetail.context = {
-        sitemap_url: customError.sitemapUrl,
-        line_number: customError.lineNumber
-      };
-    } else if ("url" in customError) {
-      errorDetail.context = {
-        url: customError.url
-      };
-    }
-    return errorDetail;
-  }
-  return {
-    code: "UNKNOWN_ERROR",
-    message: error.message
-  };
-}
+        .btn {
+            display: inline-flex;
+            align-items: center;
+            gap: 8px;
+            background-color: var(--primary);
+            color: white;
+            padding: 8px 16px;
+            border-radius: 6px;
+            text-decoration: none;
+            font-size: 13px;
+            font-weight: 500;
+        }
+        .btn:hover { opacity: 0.9; }
 
-// src/reporters/html-reporter.ts
-import { promises as fs } from "fs";
-var TOOL_VERSION2 = "1.0.0-alpha.2";
-function generateHtmlReport(summary, discoveryResult, totalUrls, config, errors, options = {}) {
-  const maxUrls = options.maxUrlsPerGroup ?? 10;
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const riskyUrlCount = summary.categoryInsights.reduce((sum, g) => sum + g.count, 0);
-  const highSeverity = summary.categoryInsights.filter((g) => g.severity === "high");
-  const mediumSeverity = summary.categoryInsights.filter((g) => g.severity === "medium");
-  const lowSeverity = summary.categoryInsights.filter((g) => g.severity === "low");
-  const html = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sitemap QA Report - ${config.baseUrl}</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
-      line-height: 1.6;
-      color: #1f2937;
-      background: #ffffff;
-      padding: 24px;
-    }
-    .container {
-      max-width: 1400px;
-      margin: 0 auto;
-      background: white;
-      box-shadow: 0 1px 3px rgba(0,0,0,0.05);
-      border-radius: 12px;
-      overflow: hidden;
-      border: 1px solid #e5e7eb;
-    }
-    .header {
-      background: #0f172a;
-      color: white;
-      padding: 48px 40px;
-      border-bottom: 3px solid #3b82f6;
-    }
-    .header h1 { 
-      font-size: 1.875rem; 
-      font-weight: 700;
-      margin-bottom: 12px;
-      letter-spacing: -0.025em;
-    }
-    .header .meta { 
-      opacity: 0.75; 
-      font-size: 0.875rem;
-      font-weight: 400;
-    }
-    .summary {
-      display: grid;
-      grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
-      gap: 1px;
-      background: #e5e7eb;
-      border-bottom: 1px solid #e5e7eb;
-    }
-    .summary-card {
-      background: white;
-      padding: 28px 32px;
-      text-align: center;
-    }
-    .summary-card .label { 
-      font-size: 0.75rem; 
-      color: #6b7280;
-      text-transform: uppercase; 
-      letter-spacing: 0.05em;
-      font-weight: 600;
-      margin-bottom: 8px;
-    }
-    .summary-card .value { 
-      font-size: 2.25rem; 
-      font-weight: 700;
-      color: #0f172a;
-      font-variant-numeric: tabular-nums;
-    }
-    .content { padding: 40px; }
-    .status-clean {
-      text-align: center;
-      padding: 80px 32px;
-      background: #f0fdf4;
-      border-radius: 8px;
-      border: 1px solid #86efac;
-    }
-    .status-clean h2 { 
-      font-size: 1.875rem;
-      margin-bottom: 12px;
-      color: #166534;
-      font-weight: 700;
-    }
-    .status-clean p { 
-      font-size: 1rem;
-      color: #65a30d;
-    }
-    .severity-section { margin-bottom: 32px; }
-    .severity-section h2 {
-      font-size: 1.125rem;
-      font-weight: 600;
-      padding: 16px 20px;
-      margin-bottom: 16px;
-      border-radius: 8px;
-      display: flex;
-      align-items: center;
-      gap: 12px;
-      cursor: pointer;
-      user-select: none;
-      transition: all 0.2s;
-    }
-    .severity-section h2:hover {
-      opacity: 0.85;
-      transform: translateY(-1px);
-    }
-    .severity-section h2::after {
-      content: '\u25BC';
-      margin-left: auto;
-      font-size: 0.8em;
-      transition: transform 0.3s ease;
-      opacity: 0.7;
-    }
-    .severity-section h2.collapsed::after {
-      transform: rotate(-90deg);
-    }
-    .severity-section h2.collapsed {
-      margin-bottom: 0;
-    }
-    .severity-content {
-      max-height: none;
-      overflow: visible;
-      transition: max-height 0.4s ease-out, opacity 0.3s ease-out;
-      opacity: 1;
-    }
-    .severity-content.collapsed {
-      max-height: 0;
-      overflow: hidden;
-      opacity: 0;
-    }
-    .severity-high { background: #fef2f2; color: #dc2626; border: 1px solid #fecaca; }
-    .severity-medium { background: #fffbeb; color: #d97706; border: 1px solid #fde68a; }
-    .severity-low { background: #eff6ff; color: #2563eb; border: 1px solid #dbeafe; }
-    .risk-group {
-      background: white;
-      border: 1px solid #e5e7eb;
-      border-radius: 8px;
-      padding: 24px;
-      margin-bottom: 16px;
-    }
-    .risk-group h3 {
-      font-size: 1rem;
-      margin-bottom: 12px;
-      color: #0f172a;
-      font-weight: 600;
-    }
-    .risk-group .count {
-      display: inline-block;
-      background: #3b82f6;
-      color: white;
-      padding: 2px 10px;
-      border-radius: 9999px;
-      font-size: 0.75rem;
-      font-weight: 600;
-      margin-left: 8px;
-    }
-    .risk-group .impact {
-      color: #64748b;
-      margin-bottom: 16px;
-      font-size: 0.875rem;
-      line-height: 1.6;
-    }
-    .risk-group .urls {
-      background: #f8fafc;
-      border: 1px solid #e2e8f0;
-      border-radius: 6px;
-      padding: 16px;
-    }
-    .risk-group .urls h4 {
-      font-size: 0.75rem;
-      color: #64748b;
-      margin-bottom: 12px;
-      text-transform: uppercase;
-      letter-spacing: 0.05em;
-      font-weight: 600;
-    }
-    .risk-group .urls ul { list-style: none; }
-    .risk-group .urls li {
-      padding: 10px 12px;
-      border-bottom: 1px solid #e2e8f0;
-      font-family: 'SF Mono', 'Monaco', 'Cascadia Code', 'Consolas', monospace;
-      font-size: 0.8125rem;
-      color: #334155;
-      background: white;
-      margin-bottom: 4px;
-      border-radius: 4px;
-      word-break: break-all;
-      line-height: 1.6;
-    }
-    .risk-group .urls li:last-child { border-bottom: none; margin-bottom: 0; }
-    .risk-group .more {
-      color: #3b82f6;
-      font-style: italic;
-      margin-top: 8px;
-      font-size: 0.8125rem;
-    }
-    .download-btn {
-      display: inline-block;
-      background: #3b82f6;
-      color: white;
-      padding: 8px 16px;
-      border-radius: 6px;
-      text-decoration: none;
-      font-size: 0.8125rem;
-      font-weight: 500;
-      margin-top: 12px;
-      cursor: pointer;
-      border: none;
-      transition: all 0.15s;
-    }
-    .download-btn:hover {
-      background: #2563eb;
-      transform: translateY(-1px);
-      box-shadow: 0 4px 6px -1px rgba(0,0,0,0.1);
-    }
-    .footer {
-      background: #f8fafc;
-      padding: 24px 40px;
-      border-top: 1px solid #e5e7eb;
-      text-align: center;
-      color: #64748b;
-      font-size: 0.8125rem;
-    }
-    .sitemaps {
-      background: white;
-      border: 1px solid #e5e7eb;
-      border-radius: 8px;
-      margin-bottom: 24px;
-      overflow: hidden;
-    }
-    .sitemaps h3 {
-      font-size: 1.125rem;
-      font-weight: 600;
-      padding: 16px 20px;
-      margin: 0;
-      color: #0f172a;
-      background: #f8fafc;
-      cursor: pointer;
-      user-select: none;
-      transition: all 0.15s;
-      display: flex;
-      align-items: center;
-      gap: 10px;
-    }
-    .sitemaps h3:hover {
-      background: #f1f5f9;
-    }
-    .sitemaps h3::after {
-      content: '\u25BC';
-      margin-left: auto;
-      font-size: 0.8em;
-      transition: transform 0.3s ease;
-      opacity: 0.7;
-    }
-    .sitemaps h3.collapsed::after {
-      transform: rotate(-90deg);
-    }
-    .sitemaps-content {
-      max-height: none;
-      overflow: visible;
-      transition: max-height 0.4s ease-out, opacity 0.3s ease-out;
-      opacity: 1;
-      padding: 20px;
-    }
-    .sitemaps-content.collapsed {
-      max-height: 0;
-      overflow: hidden;
-      opacity: 0;
-      padding: 0 20px;
-    }
-    .sitemaps ul { list-style: none; }
-    .sitemaps li {
-      padding: 10px 12px;
-      font-family: 'SF Mono', 'Monaco', 'Cascadia Code', 'Consolas', monospace;
-      font-size: 0.8125rem;
-      color: #475569;
-      word-break: break-all;
-      line-height: 1.6;
-      background: #f8fafc;
-      margin-bottom: 4px;
-      border-radius: 4px;
-    }
-    .sitemaps li:last-child { margin-bottom: 0; }
-    .errors-section {
-      background: #fffbeb;
-      border-left: 4px solid #f59e0b;
-      padding: 20px;
-      margin-bottom: 24px;
-      border-radius: 8px;
-      border: 1px solid #fde68a;
-    }
-    .errors-section h3 {
-      color: #92400e;
-      margin-bottom: 16px;
-      font-size: 1.125rem;
-      font-weight: 600;
-      display: flex;
-      align-items: center;
-      gap: 8px;
-    }
-    .errors-section ul {
-      list-style: none;
-      padding: 0;
-    }
-    .errors-section li {
-      padding: 12px;
-      background: white;
-      margin-bottom: 8px;
-      border-radius: 6px;
-      font-family: 'SF Mono', 'Monaco', 'Cascadia Code', 'Consolas', monospace;
-      font-size: 0.8125rem;
-      color: #78350f;
-      word-break: break-all;
-      line-height: 1.6;
-      border: 1px solid #fde68a;
-    }
-    .errors-section li:last-child {
-      margin-bottom: 0;
-    }
-  </style>
+        footer {
+            text-align: center;
+            padding: 40px;
+            color: var(--text-muted);
+            font-size: 12px;
+            border-top: 1px solid var(--border);
+            margin-top: 40px;
+        }
+    </style>
 </head>
 <body>
-  <div class="container">
-    <div class="header">
-      <h1>Sitemap Analysis</h1>
-      <div class="meta">
-        <div>${config.baseUrl}</div>
-        <div>${new Date(timestamp).toLocaleString()}</div>
-      </div>
-    </div>
-
-    <div class="summary">
-      <div class="summary-card">
-        <div class="label">Sitemaps</div>
-        <div class="value">${discoveryResult.sitemaps.length}</div>
-      </div>
-      <div class="summary-card">
-        <div class="label">URLs Analyzed</div>
-        <div class="value">${totalUrls.toLocaleString()}</div>
-      </div>
-      <div class="summary-card">
-        <div class="label">Issues Found</div>
-        <div class="value" style="color: ${riskyUrlCount > 0 ? "#dc2626" : "#059669"}">${riskyUrlCount}</div>
-      </div>
-      <div class="summary-card">
-        <div class="label">Scan Time</div>
-        <div class="value">${(summary.metadata.processingTime / 1e3).toFixed(1)}s</div>
-      </div>
-    </div>
-
-    <div class="content">
-      ${errors.length > 0 ? `
-      <div class="errors-section">
-        <h3>Parsing Errors & Warnings (${errors.length})</h3>
-        <ul>
-          ${errors.map((err) => `<li>${err.message}</li>`).join("\n          ")}
-        </ul>
-      </div>
-      ` : ""}
-
-      ${discoveryResult.sitemaps.length > 0 ? `
-      <div class="sitemaps">
-        <h3 class="collapsed" onclick="toggleSection(this)">Sitemaps Discovered (${discoveryResult.sitemaps.length})</h3>
-        <div class="sitemaps-content collapsed">
-          <ul>
-            ${discoveryResult.sitemaps.map((s) => `<li>\u2022 ${s}</li>`).join("\n            ")}
-          </ul>
+    <header>
+        <div class="container">
+            <h1>Sitemap Analysis</h1>
+            <div class="meta">
+                <div>${esc(data.rootUrl)}</div>
+                <div>${esc(timestamp)}</div>
+            </div>
         </div>
-      </div>
-      ` : ""}
+    </header>
 
-      ${riskyUrlCount === 0 ? `
-      <div class="status-clean">
-        <h2>No Issues Found</h2>
-        <p>All URLs in the sitemap passed validation checks.</p>
-      </div>
-      ` : ""}
-
-      ${highSeverity.length > 0 ? `
-      <div class="severity-section">
-        <h2 class="severity-high" onclick="toggleSection(this)">High Severity (${highSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
-        <div class="severity-content">
-          ${highSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
+    <div class="summary-grid">
+        <div class="summary-card">
+            <h3>Sitemaps</h3>
+            <p>${data.discoveredSitemaps.length}</p>
         </div>
-      </div>
-      ` : ""}
-
-      ${mediumSeverity.length > 0 ? `
-      <div class="severity-section">
-        <h2 class="severity-medium" onclick="toggleSection(this)">Medium Severity (${mediumSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
-        <div class="severity-content">
-          ${mediumSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
+        <div class="summary-card">
+            <h3>URLs Analyzed</h3>
+            <p>${data.totalUrls.toLocaleString()}</p>
         </div>
-      </div>
-      ` : ""}
-
-      ${lowSeverity.length > 0 ? `
-      <div class="severity-section">
-        <h2 class="severity-low" onclick="toggleSection(this)">Low Severity (${lowSeverity.reduce((sum, g) => sum + g.count, 0)} URLs)</h2>
-        <div class="severity-content">
-          ${lowSeverity.map((group) => renderRiskGroup(group, maxUrls)).join("\n          ")}
+        <div class="summary-card highlight">
+            <h3>Issues Found</h3>
+            <p>${data.totalRisks}</p>
+        </div>
+        <div class="summary-card">
+            <h3>URLs Ignored</h3>
+            <p>${data.ignoredUrls.length}</p>
+        </div>
+        <div class="summary-card">
+            <h3>Scan Time</h3>
+            <p>${duration}s</p>
         </div>
-      </div>
-      ` : ""}
     </div>
 
-    <div class="footer">
-      Generated by <strong>sitemap-qa</strong> v${TOOL_VERSION2}
+    <div class="container">
+        <details>
+            <summary>Sitemaps Discovered (${data.discoveredSitemaps.length})</summary>
+            <div style="padding: 20px; background: var(--bg-light);">
+                ${data.discoveredSitemaps.map((s) => `<div class="url-item">${esc(s)}</div>`).join("")}
+            </div>
+        </details>
+
+        ${data.ignoredUrls.length > 0 ? `
+        <details>
+            <summary>Ignored URLs (${data.ignoredUrls.length})</summary>
+            <div style="padding: 20px; background: var(--bg-light);">
+                ${data.ignoredUrls.map((u) => {
+      const suppressedRisks = u.risks.length > 0 ? ` <span style="color: var(--danger); font-size: 11px; font-weight: bold;">[Suppressed Risks: ${[...new Set(u.risks.map((r) => r.category))].map(esc).join(", ")}]</span>` : "";
+      const ignoredBy = u.ignoredBy ?? "Unknown";
+      return `<div class="url-item" title="Ignored by: ${esc(ignoredBy)}">${esc(u.loc)} <span style="color: var(--text-muted); font-size: 11px;">(by ${esc(ignoredBy)})</span>${suppressedRisks}</div>`;
+    }).join("")}
+            </div>
+        </details>
+        ` : ""}
+
+        ${Object.entries(categories).map(([category, findings]) => {
+      const totalCategoryUrls = Object.values(findings).reduce((acc, f) => acc + f.urls.length, 0);
+      return `
+            <div class="category-section">
+                <div class="category-header">
+                    <span>${esc(category)} (${totalCategoryUrls} URLs)</span>
+                    <span>\u25BC</span>
+                </div>
+                <div class="category-content">
+                    ${Object.entries(findings).map(([pattern, finding]) => `
+                        <div class="finding-group">
+                            <div class="finding-header">
+                                <h4>${esc(pattern)}</h4>
+                                <span class="badge">${finding.urls.length} URLs</span>
+                            </div>
+                            <div class="finding-description">
+                                ${esc(finding.reason)}
+                            </div>
+                            <div class="url-list">
+                                ${finding.urls.slice(0, 3).map((url) => `
+                                    <div class="url-item">${esc(url)}</div>
+                                `).join("")}
+                            </div>
+                            ${finding.urls.length > 3 ? `
+                                <div class="more-count">... and ${finding.urls.length - 3} more</div>
+                            ` : ""}
+                            <a href="#" class="btn" onclick="downloadUrls(${JSON.stringify(pattern).replace(/"/g, "&quot;")}, ${JSON.stringify(finding.urls).replace(/"/g, "&quot;")})">
+                                \u{1F4E5} Download All ${finding.urls.length} URLs
+                            </a>
+                        </div>
+                    `).join("")}
+                </div>
+            </div>
+            `;
+    }).join("")}
     </div>
-  </div>
-  
-  <script>
-    function toggleSection(header) {
-      header.classList.toggle('collapsed');
-      const content = header.nextElementSibling;
-      content.classList.toggle('collapsed');
-    }
-    
-    function downloadUrls(categorySlug, encodedUrls) {
-      // Decode HTML entities and parse JSON
-      const textarea = document.createElement('textarea');
-      textarea.innerHTML = encodedUrls;
-      const urls = JSON.parse(textarea.value);
-      
-      // Create text content (one URL per line)
-      const textContent = urls.join('\\n');
-      
-      // Create blob and download
-      const blob = new Blob([textContent], { type: 'text/plain' });
-      const url = URL.createObjectURL(blob);
-      const a = document.createElement('a');
-      a.href = url;
-      a.download = categorySlug + '_urls.txt';
-      document.body.appendChild(a);
-      a.click();
-      document.body.removeChild(a);
-      URL.revokeObjectURL(url);
-    }
-  </script>
+
+    <footer>
+        Generated by sitemap-qa v1.0.0
+    </footer>
+
+    <script>
+        function downloadUrls(name, urls) {
+            const blob = new Blob([urls.join('\\n')], { type: 'text/plain' });
+            const url = window.URL.createObjectURL(blob);
+            const a = document.createElement('a');
+            a.href = url;
+            a.download = \`\${name.replace(/[^a-z0-9]/gi, '_').toLowerCase()}_urls.txt\`;
+            document.body.appendChild(a);
+            a.click();
+            window.URL.revokeObjectURL(url);
+            document.body.removeChild(a);
+        }
+    </script>
 </body>
-</html>`;
-  return html;
-}
-function renderRiskGroup(group, maxUrls) {
-  const categoryTitle = group.category.split("_").map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
-  const urlsToShow = group.examples.slice(0, maxUrls);
-  const remaining = group.count - urlsToShow.length;
-  const categorySlug = group.category.toLowerCase();
-  const allUrlsJson = JSON.stringify(group.allUrls);
-  const encodedUrls = escapeHtml(allUrlsJson);
-  return `<div class="risk-group">
-        <h3>${categoryTitle} <span class="count">${group.count} URLs</span></h3>
-        <div class="impact">${group.summary}</div>
-        <div class="urls">
-          <h4>Sample URLs</h4>
-          <ul>
-            ${urlsToShow.map((url) => `<li>${escapeHtml(url)}</li>`).join("\n            ")}
-          </ul>
-          ${remaining > 0 ? `<div class="more">... and ${remaining} more</div>` : ""}
-          <button class="download-btn" onclick="downloadUrls('${categorySlug}', '${encodedUrls}')">\u{1F4E5} Download All ${group.count} URLs</button>
-        </div>
-      </div>`;
-}
-function escapeHtml(text) {
-  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
-}
-async function writeHtmlReport(summary, discoveryResult, totalUrls, config, outputPath, errors, options = {}) {
-  const htmlContent = generateHtmlReport(summary, discoveryResult, totalUrls, config, errors, options);
-  await fs.writeFile(outputPath, htmlContent, "utf-8");
-}
+</html>
+`;
+  }
+  escapeHtml(str) {
+    return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+  }
+};
 
 // src/commands/analyze.ts
-var analyzeCommand = new Command("analyze").description("Analyze sitemap for QA issues").argument("<url>", "Base URL to analyze").option("--timeout <seconds>", "HTTP timeout in seconds", "30").option("--no-progress", "Disable progress bar").option("--output <format>", "Output format: html or json", "html").option("--output-dir <path>", "Output directory for reports").option("--output-file <path>", "Custom output filename").option("--accepted-patterns <patterns>", "Comma-separated regex patterns to exclude from risk detection").option("--concurrency <number>", "Number of concurrent workers for risk detection").option("--batch-size <number>", "URLs per batch for risk detection", "10000").option("--parsing-concurrency <number>", "Number of concurrent sitemap parsers", "50").option("--discovery-concurrency <number>", "Number of concurrent sitemap index fetches", "50").option("--silent", "Disable all progress output").option("--benchmark", "Save performance profile").option("--no-color", "Disable ANSI color codes in CLI output").option("--verbose", "Enable verbose logging", false).action(async (url, options) => {
-  let config;
+var analyzeCommand = new Command("analyze").description("Analyze a sitemap for potential risks").argument("<url>", "Root sitemap URL").option("-c, --config <path>", "Path to sitemap-qa.yaml").option("-o, --output <format>", "Output format (json, html, all)").option("-d, --out-dir <path>", "Directory to save reports").action(async (url, options) => {
+  const startTime = /* @__PURE__ */ new Date();
+  const config = ConfigLoader.load(options.config);
+  const outDir = options.outDir || config.outDir || ".";
+  const outputFormat = options.output || config.outputFormat || "all";
+  const extractor = new ExtractorService();
+  const matcher = new MatcherService(config, url);
+  const urlsWithRisks = [];
+  const ignoredUrls = [];
+  let totalUrls = 0;
+  let totalRisks = 0;
+  console.log(chalk3.blue(`
+\u{1F680} Starting analysis of ${url}...`));
   try {
-    validateAnalyzeOptions(options);
-    const loadedConfig = await loadConfig({
-      ...options,
-      baseUrl: url,
-      outputFormat: options.output,
-      riskDetectionConcurrency: options.concurrency ? parseInt(options.concurrency) : void 0,
-      riskDetectionBatchSize: options.batchSize ? parseInt(options.batchSize) : void 0,
-      parsingConcurrency: options.parsingConcurrency ? parseInt(options.parsingConcurrency) : void 0,
-      discoveryConcurrency: options.discoveryConcurrency ? parseInt(options.discoveryConcurrency) : void 0,
-      silent: options.silent,
-      benchmark: options.benchmark,
-      progressBar: options.progress
-    });
-    config = loadedConfig;
-    console.log(`
-\u{1F50D} Analyzing ${url}...
-`);
-    const result = await runAnalysisPipeline(url, config);
-    await fs2.mkdir(config.outputDir, { recursive: true });
-    if (options.output === "json") {
-      const jsonReport = generateJsonReport(
-        result.summary,
-        result.discoveryResult,
-        { totalCount: result.totalUrls, uniqueUrls: [], errors: [] },
-        result.riskGroups,
-        config,
-        result.executionTime,
-        { pretty: true, indent: 2 }
-      );
-      console.log("\n" + jsonReport);
-      if (options.outputFile) {
-        const jsonFilePath = `${config.outputDir}/${options.outputFile}`;
-        await fs2.writeFile(jsonFilePath, jsonReport, "utf-8");
-        console.log(`
-\u{1F4C4} JSON report saved to: ${chalk.cyan(jsonFilePath)}`);
+    for await (const urlObj of extractor.extract(url)) {
+      totalUrls++;
+      const risks = matcher.match(urlObj);
+      if (risks.length > 0) {
+        urlObj.risks = risks;
+        urlsWithRisks.push(urlObj);
+        totalRisks += risks.length;
+      } else if (urlObj.ignored) {
+        ignoredUrls.push(urlObj);
+      }
+      if (totalUrls % 100 === 0) {
+        process.stdout.write(chalk3.gray(`\rProcessed ${totalUrls} URLs...`));
       }
-    } else {
-      showCliSummary(result);
-      const htmlFileName = options.outputFile || `sitemap-qa-report-${Date.now()}.html`;
-      const htmlFilePath = `${config.outputDir}/${htmlFileName}`;
-      await writeHtmlReport(
-        result.summary,
-        result.discoveryResult,
-        result.totalUrls,
-        config,
-        htmlFilePath,
-        result.errors,
-        { maxUrlsPerGroup: 10 }
-      );
-      console.log(`
-\u{1F4C4} Full report saved to: ${chalk.cyan(htmlFilePath)}`);
     }
-    const exitCode = determineExitCode(result);
-    process.exit(exitCode);
-  } catch (error) {
-    handleAnalysisError(error, config);
-    process.exit(2);
-  }
-});
-function validateAnalyzeOptions(options) {
-  const validFormats = ["json", "html"];
-  if (!validFormats.includes(options.output)) {
-    throw new Error(
-      `Invalid output format: ${options.output}. Must be one of: ${validFormats.join(", ")}`
-    );
-  }
-  const timeout = parseInt(options.timeout);
-  if (isNaN(timeout) || timeout <= 0) {
-    throw new Error(`Invalid timeout: ${options.timeout}. Must be a positive number.`);
-  }
-}
-function showCliSummary(result) {
-  const riskyUrlCount = result.summary.categoryInsights.reduce((sum, g) => sum + g.count, 0);
-  console.log(chalk.dim("\u2500".repeat(50)));
-  if (riskyUrlCount === 0) {
-    console.log(chalk.green("No issues found - sitemap looks clean!"));
-  } else {
-    const { high, medium, low } = result.summary.severityBreakdown;
-    const severityParts = [];
-    if (high > 0) severityParts.push(chalk.red(`High: ${high}`));
-    if (medium > 0) severityParts.push(chalk.yellow(`Medium: ${medium}`));
-    if (low > 0) severityParts.push(chalk.blue(`Low: ${low}`));
-    const severitySummary = severityParts.length > 0 ? ` (${severityParts.join(", ")})` : "";
-    console.log(chalk.yellow(`\u26A0\uFE0F  ${riskyUrlCount} risky URLs found${severitySummary}`));
-  }
-  console.log("");
-}
-async function runAnalysisPipeline(url, config) {
-  const overallStartTime = Date.now();
-  const phaseTimings = [];
-  const errors = [];
-  const showProgress = !config.silent && config.progressBar !== false && process.stdout.isTTY;
-  let phaseStart = Date.now();
-  const discoverySpinner = showProgress ? ora({ text: "Discovering sitemaps...", color: "cyan" }).start() : null;
-  const discoveryResult = await discoverSitemaps(url, config);
-  if (discoverySpinner) {
-    discoverySpinner.stop();
-  }
-  phaseTimings.push({
-    name: "Discovery",
-    startTime: phaseStart,
-    endTime: Date.now(),
-    duration: Date.now() - phaseStart
-  });
-  if (discoveryResult.accessIssues.length > 0) {
-    if (!config.silent) {
-      console.warn(chalk.yellow(`\u26A0\uFE0F  Warning: ${discoveryResult.accessIssues.length} sitemap(s) are access-blocked`));
+    process.stdout.write("\n");
+    const endTime = /* @__PURE__ */ new Date();
+    const reportData = {
+      rootUrl: url,
+      discoveredSitemaps: extractor.getDiscoveredSitemaps(),
+      totalUrls,
+      totalRisks,
+      urlsWithRisks,
+      ignoredUrls,
+      startTime,
+      endTime
+    };
+    const reporters = [new ConsoleReporter()];
+    await fs4.mkdir(outDir, { recursive: true });
+    if (outputFormat === "json" || outputFormat === "all") {
+      const jsonPath = path2.join(outDir, "sitemap-qa-report.json");
+      reporters.push(new JsonReporter(jsonPath));
     }
-    for (const issue of discoveryResult.accessIssues) {
-      errors.push(new Error(`Access blocked: ${issue.url} (${issue.statusCode})`));
+    if (outputFormat === "html" || outputFormat === "all") {
+      const htmlPath = path2.join(outDir, "sitemap-qa-report.html");
+      reporters.push(new HtmlReporter(htmlPath));
     }
-  }
-  if (discoveryResult.sitemaps.length === 0) {
-    throw new Error(`No sitemaps found at ${url}. Tried: /sitemap.xml, /sitemap_index.xml, /robots.txt`);
-  }
-  phaseStart = Date.now();
-  let extractionResult;
-  if (showProgress && discoveryResult.sitemaps.length > 10) {
-    const parseBar = new cliProgress.SingleBar({
-      format: "{bar} {percentage}% | {value}/{total} | ETA: {eta}s | {speed} sitemaps/sec",
-      barCompleteChar: "\u2588",
-      barIncompleteChar: "\u2591",
-      hideCursor: true
-    });
-    parseBar.start(discoveryResult.sitemaps.length, 0, { speed: "0" });
-    extractionResult = await extractAllUrls(
-      discoveryResult.sitemaps,
-      config,
-      (completed, total) => {
-        const elapsed = (Date.now() - phaseStart) / 1e3;
-        const speed = elapsed > 0 ? (completed / elapsed).toFixed(1) : "0";
-        parseBar.update(completed, { speed });
-      }
-    );
-    parseBar.stop();
-  } else {
-    extractionResult = await extractAllUrls(discoveryResult.sitemaps, config);
-  }
-  phaseTimings.push({
-    name: "Parsing",
-    startTime: phaseStart,
-    endTime: Date.now(),
-    duration: Date.now() - phaseStart
-  });
-  if (extractionResult.errors.length > 0) {
-    for (const err of extractionResult.errors) {
-      if (typeof err === "string") {
-        errors.push(new Error(err));
-      } else {
-        errors.push(err);
-      }
+    for (const reporter of reporters) {
+      await reporter.generate(reportData);
     }
-  }
-  if (extractionResult.allUrls.length === 0) {
-    throw new Error("No URLs extracted from sitemaps");
-  }
-  phaseStart = Date.now();
-  const consolidatedResult = consolidateUrls(extractionResult.allUrls);
-  phaseTimings.push({
-    name: "Deduplication",
-    startTime: phaseStart,
-    endTime: Date.now(),
-    duration: Date.now() - phaseStart
-  });
-  const duplicatesRemoved = extractionResult.allUrls.length - consolidatedResult.uniqueUrls.length;
-  const duplicatePercentage = duplicatesRemoved / extractionResult.allUrls.length * 100;
-  if (!config.silent) {
-    if (duplicatesRemoved > 100 || duplicatePercentage > 1) {
-      console.log(chalk.green(`Found ${discoveryResult.sitemaps.length} sitemap(s) \u2192 ${extractionResult.allUrls.length.toLocaleString()} URLs (${consolidatedResult.uniqueUrls.length.toLocaleString()} unique)`));
+    if (totalRisks > 0) {
+      process.exit(1);
     } else {
-      console.log(chalk.green(`Found ${discoveryResult.sitemaps.length} sitemap(s) \u2192 ${extractionResult.allUrls.length.toLocaleString()} URLs`));
+      process.exit(0);
     }
+  } catch (error) {
+    console.error(chalk3.red("\nAnalysis failed:"), error);
+    process.exit(1);
   }
-  phaseStart = Date.now();
-  const riskResult = await detectRisks(consolidatedResult.uniqueUrls, url, config);
-  const riskGroups = groupRiskFindings(riskResult.findings);
-  phaseTimings.push({
-    name: "Risk Detection",
-    startTime: phaseStart,
-    endTime: Date.now(),
-    duration: Date.now() - phaseStart
-  });
-  phaseStart = Date.now();
-  const executionTime = Date.now() - overallStartTime;
-  const summary = summarizeRisks({
-    riskGroups: riskGroups.groups,
-    totalUrls: consolidatedResult.uniqueUrls.length,
-    sitemapUrl: url,
-    processingTime: executionTime
-  });
-  phaseTimings.push({
-    name: "Summarization",
-    startTime: phaseStart,
-    endTime: Date.now(),
-    duration: Date.now() - phaseStart
-  });
-  if (!config.silent && config.verbose) {
-    displayPhaseSummary(phaseTimings, executionTime);
-  } else if (!config.silent) {
-    const parsingPhase = phaseTimings.find((p) => p.name === "Parsing");
-    const sitemapsPerSec = parsingPhase ? (discoveryResult.sitemaps.length / (parsingPhase.duration / 1e3)).toFixed(1) : "0";
-    console.log(chalk.green(`Analysis complete (${(executionTime / 1e3).toFixed(1)}s \xB7 ${sitemapsPerSec} sitemaps/sec)
-`));
-  }
-  if (config.benchmark) {
-    await saveBenchmark(phaseTimings, url, executionTime, discoveryResult.sitemaps.length, consolidatedResult.uniqueUrls.length, config);
-  }
-  return {
-    discoveryResult,
-    totalUrls: consolidatedResult.uniqueUrls.length,
-    riskGroups: riskGroups.groups,
-    summary,
-    errors,
-    executionTime,
-    phaseTimings
-  };
-}
-function determineExitCode(result) {
-  const highSeverityCount = result.summary.severityBreakdown.high;
-  if (highSeverityCount > 0) {
-    return 1;
-  }
-  return 0;
-}
-function handleAnalysisError(error, config) {
-  console.error("\n\u274C Analysis failed\n");
-  if (error instanceof Error) {
-    console.error(`Error: ${error.message}`);
-    if (config?.verbose && error.stack) {
-      console.error("\nStack trace:");
-      console.error(error.stack);
-    }
-    if (error.message.includes("No sitemaps found")) {
-      console.error("\nSuggestions:");
-      console.error("  \u2022 Verify the base URL is correct");
-      console.error("  \u2022 Check if the site has a sitemap");
-      console.error("  \u2022 Ensure the sitemap is publicly accessible");
-    } else if (error.message.includes("Network") || error.message.includes("timeout")) {
-      console.error("\nSuggestions:");
-      console.error("  \u2022 Check your internet connection");
-      console.error("  \u2022 Verify the URL is accessible");
-      console.error("  \u2022 Try increasing the timeout with --timeout option");
-    }
-  } else {
-    console.error("Unknown error occurred");
-    console.error(String(error));
+});
+
+// src/commands/init.ts
+import { Command as Command2 } from "commander";
+import fs5 from "fs";
+import path3 from "path";
+import chalk4 from "chalk";
+var DEFAULT_CONFIG = `# sitemap-qa configuration
+# This file defines the risk categories and patterns to monitor.
+
+# Tool Settings
+outDir: "./sitemap-qa/report"
+outputFormat: "all" # Options: json, html, all
+enforceDomainConsistency: true
+
+# Risk Categories
+# Each category contains a list of patterns to match against URLs found in sitemaps.
+# Patterns can be:
+# - literal: Exact string match
+# - glob: Glob pattern (e.g., **/admin/**)
+# - regex: Regular expression (e.g., /\\/v[0-9]+\\//)
+
+# Acceptable Patterns
+# URLs matching these patterns will be ignored and not flagged as risks.
+acceptable_patterns:
+  - type: "literal"
+    value: "/acceptable-path"
+    reason: "Example of an acceptable path that should not be flagged."
+  - type: "glob"
+    value: "**/public-docs/**"
+    reason: "Public documentation is always acceptable."
+
+policies:
+  - category: "Security & Admin"
+    patterns:
+      - type: "glob"
+        value: "**/admin/**"
+        reason: "Administrative interfaces should not be publicly indexed."
+      - type: "glob"
+        value: "**/.env*"
+        reason: "Environment files contain sensitive secrets."
+      - type: "literal"
+        value: "/wp-admin"
+        reason: "WordPress admin paths are common attack vectors."
+
+  - category: "Environment Leakage"
+    patterns:
+      - type: "glob"
+        value: "**/staging.**"
+        reason: "Staging environments should be restricted."
+      - type: "glob"
+        value: "**/dev.**"
+        reason: "Development subdomains detected in production sitemap."
+
+  - category: "Sensitive Files"
+    patterns:
+      - type: "glob"
+        value: "**/*.{sql,bak,zip,tar.gz}"
+        reason: "Archive or database backup files exposed."
+`;
+var initCommand = new Command2("init").description("Initialize a default sitemap-qa.yaml configuration file").action(() => {
+  const configPath = path3.join(process.cwd(), "sitemap-qa.yaml");
+  if (fs5.existsSync(configPath)) {
+    console.error(chalk4.red(`Error: ${configPath} already exists.`));
+    process.exit(1);
   }
-}
-function displayPhaseSummary(timings, totalTime) {
-  console.log(chalk.green(`
-Analysis Complete (Total: ${(totalTime / 1e3).toFixed(1)}s)
-`));
-  console.log(chalk.cyan("Phase Breakdown:"));
-  for (const timing of timings) {
-    const seconds = (timing.duration / 1e3).toFixed(1);
-    const percentage = (timing.duration / totalTime * 100).toFixed(1);
-    const bar = "\u2022";
-    console.log(`  ${bar} ${timing.name.padEnd(15)}: ${seconds.padStart(5)}s (${percentage.padStart(5)}%)`);
+  try {
+    fs5.writeFileSync(configPath, DEFAULT_CONFIG, "utf8");
+    console.log(chalk4.green(`Successfully created ${configPath}`));
+  } catch (error) {
+    console.error(chalk4.red("Failed to create configuration file:"), error);
+    process.exit(1);
   }
-  console.log("");
-}
-async function saveBenchmark(timings, url, totalTime, sitemapCount, urlCount, config) {
-  const benchmark = {
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    url,
-    total_duration_ms: totalTime,
-    phases: timings.map((t) => ({
-      name: t.name.toLowerCase(),
-      start_ms: t.startTime,
-      end_ms: t.endTime,
-      duration_ms: t.duration
-    })),
-    metrics: {
-      sitemaps_processed: sitemapCount,
-      urls_analyzed: urlCount,
-      throughput: {
-        urls_per_second: Math.round(urlCount / totalTime * 1e3),
-        sitemaps_per_second: (sitemapCount / totalTime * 1e3).toFixed(2)
-      }
-    },
-    system_info: {
-      cpu_count: os2.cpus().length,
-      node_version: process.version,
-      platform: process.platform,
-      memory_total_mb: Math.round(os2.totalmem() / 1024 / 1024)
-    },
-    config: {
-      discovery_concurrency: config.discoveryConcurrency,
-      parsing_concurrency: config.parsingConcurrency,
-      risk_detection_concurrency: config.riskDetectionConcurrency,
-      risk_detection_batch_size: config.riskDetectionBatchSize
-    }
-  };
-  const filename = `performance-profile-${Date.now()}.json`;
-  await fs2.writeFile(filename, JSON.stringify(benchmark, null, 2));
-  console.log(chalk.blue(`\u{1F4CA} Benchmark saved to: ${filename}`));
-}
+});
 
 // src/index.ts
-var program = new Command2();
+var program = new Command3();
 program.name("sitemap-qa").version("1.0.0").description("sitemap analysis for QA teams");
 program.addCommand(analyzeCommand);
+program.addCommand(initCommand);
 process.on("unhandledRejection", (reason, promise) => {
   console.error("Unhandled Rejection at:", promise, "reason:", reason);
   process.exit(1);