npm - @blockyfy/stg-cli - Versions diffs - 0.4.0 - Mend

@blockyfy/stg-cli 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,3987 @@
+#!/usr/bin/env node
+// src/index.ts
+import { Command } from "commander";
+import chalk9 from "chalk";
+import {
+  readFileSync as readFileSync7,
+  existsSync as existsSync8,
+  readdirSync,
+  statSync,
+  openSync,
+  readSync as readSync2,
+  closeSync
+} from "fs";
+import { readFile, stat as fsStat, open as fsOpen } from "fs/promises";
+import { resolve as resolve2, extname, join as join6, basename } from "path";
+import os from "os";
+// src/types.ts
+var DEFAULT_CONFIG = {
+  port: 9339,
+  targetApis: ["https://api.anthropic.com", "https://api.openai.com"],
+  languages: ["typescript", "javascript", "python", "go", "java", "csharp", "ruby", "rust"],
+  mutationRules: [
+    { tokenType: "Variable" /* Variable */, prefix: "_v" },
+    { tokenType: "Function" /* Function */, prefix: "_fn" },
+    { tokenType: "Class" /* Class */, prefix: "_cls" },
+    { tokenType: "String" /* String */ },
+    { tokenType: "Comment" /* Comment */, strip: true },
+    { tokenType: "Import" /* Import */ },
+    { tokenType: "Property" /* Property */, prefix: "_prop" },
+    { tokenType: "Method" /* Method */, prefix: "_fn" }
+  ],
+  storePath: `${process.env["HOME"] ?? "/tmp"}/.pretest`
+};
+// src/scanner.ts
+var TS_JS_KEYWORDS = /* @__PURE__ */ new Set([
+  "abstract",
+  "any",
+  "as",
+  "async",
+  "await",
+  "boolean",
+  "break",
+  "case",
+  "catch",
+  "class",
+  "const",
+  "constructor",
+  "continue",
+  "debugger",
+  "declare",
+  "default",
+  "delete",
+  "do",
+  "else",
+  "enum",
+  "export",
+  "extends",
+  "false",
+  "finally",
+  "for",
+  "from",
+  "function",
+  "get",
+  "if",
+  "implements",
+  "import",
+  "in",
+  "instanceof",
+  "interface",
+  "keyof",
+  "let",
+  "module",
+  "namespace",
+  "never",
+  "new",
+  "null",
+  "number",
+  "object",
+  "of",
+  "package",
+  "private",
+  "protected",
+  "public",
+  "readonly",
+  "require",
+  "return",
+  "set",
+  "static",
+  "string",
+  "super",
+  "switch",
+  "symbol",
+  "this",
+  "throw",
+  "true",
+  "try",
+  "type",
+  "typeof",
+  "undefined",
+  "unknown",
+  "var",
+  "void",
+  "while",
+  "with",
+  "yield",
+  "satisfies",
+  "using",
+  "infer",
+  "asserts"
+]);
+var PYTHON_KEYWORDS = /* @__PURE__ */ new Set([
+  "False",
+  "None",
+  "True",
+  "and",
+  "as",
+  "assert",
+  "async",
+  "await",
+  "break",
+  "class",
+  "continue",
+  "def",
+  "del",
+  "elif",
+  "else",
+  "except",
+  "finally",
+  "for",
+  "from",
+  "global",
+  "if",
+  "import",
+  "in",
+  "is",
+  "lambda",
+  "nonlocal",
+  "not",
+  "or",
+  "pass",
+  "raise",
+  "return",
+  "try",
+  "while",
+  "with",
+  "yield",
+  "self",
+  "cls"
+]);
+var GO_KEYWORDS = /* @__PURE__ */ new Set([
+  "break",
+  "case",
+  "chan",
+  "const",
+  "continue",
+  "default",
+  "defer",
+  "else",
+  "fallthrough",
+  "for",
+  "func",
+  "go",
+  "goto",
+  "if",
+  "import",
+  "interface",
+  "map",
+  "package",
+  "range",
+  "return",
+  "select",
+  "struct",
+  "switch",
+  "type",
+  "var",
+  "nil",
+  "true",
+  "false",
+  "error",
+  "string",
+  "int",
+  "int8",
+  "int16",
+  "int32",
+  "int64",
+  "uint",
+  "uint8",
+  "uint16",
+  "uint32",
+  "uint64",
+  "float32",
+  "float64",
+  "complex64",
+  "complex128",
+  "bool",
+  "byte",
+  "rune",
+  "uintptr",
+  "make",
+  "new",
+  "len",
+  "cap",
+  "append",
+  "copy",
+  "close",
+  "delete",
+  "panic",
+  "recover",
+  "print",
+  "println"
+]);
+var JAVA_KEYWORDS = /* @__PURE__ */ new Set([
+  "abstract",
+  "assert",
+  "boolean",
+  "break",
+  "byte",
+  "case",
+  "catch",
+  "char",
+  "class",
+  "const",
+  "continue",
+  "default",
+  "do",
+  "double",
+  "else",
+  "enum",
+  "extends",
+  "final",
+  "finally",
+  "float",
+  "for",
+  "goto",
+  "if",
+  "implements",
+  "import",
+  "instanceof",
+  "int",
+  "interface",
+  "long",
+  "native",
+  "new",
+  "package",
+  "private",
+  "protected",
+  "public",
+  "return",
+  "short",
+  "static",
+  "strictfp",
+  "super",
+  "switch",
+  "synchronized",
+  "this",
+  "throw",
+  "throws",
+  "transient",
+  "try",
+  "void",
+  "volatile",
+  "while",
+  "true",
+  "false",
+  "null",
+  "var",
+  "record",
+  "sealed",
+  "permits",
+  "yield"
+]);
+var CSHARP_KEYWORDS = /* @__PURE__ */ new Set([
+  "class",
+  "interface",
+  "namespace",
+  "public",
+  "private",
+  "protected",
+  "internal",
+  "static",
+  "void",
+  "return",
+  "new",
+  "using",
+  "override",
+  "sealed",
+  "abstract",
+  "virtual",
+  "readonly",
+  "const",
+  "var",
+  "int",
+  "string",
+  "bool",
+  "double",
+  "float",
+  "object",
+  "null",
+  "true",
+  "false",
+  "if",
+  "else",
+  "for",
+  "foreach",
+  "while",
+  "do",
+  "switch",
+  "case",
+  "break",
+  "continue",
+  "try",
+  "catch",
+  "finally",
+  "throw",
+  "async",
+  "await",
+  "get",
+  "set",
+  "partial",
+  "enum",
+  "struct",
+  "delegate",
+  "event"
+]);
+var RUBY_KEYWORDS = /* @__PURE__ */ new Set([
+  "def",
+  "class",
+  "module",
+  "end",
+  "do",
+  "if",
+  "else",
+  "elsif",
+  "unless",
+  "while",
+  "until",
+  "for",
+  "begin",
+  "rescue",
+  "ensure",
+  "raise",
+  "return",
+  "yield",
+  "self",
+  "super",
+  "true",
+  "false",
+  "nil",
+  "and",
+  "or",
+  "not",
+  "in",
+  "then",
+  "case",
+  "when",
+  "puts",
+  "print",
+  "require",
+  "require_relative",
+  "include",
+  "extend",
+  "attr_accessor",
+  "attr_reader",
+  "attr_writer",
+  "initialize",
+  "new",
+  "public",
+  "private",
+  "protected"
+]);
+var RUST_KEYWORDS = /* @__PURE__ */ new Set([
+  "fn",
+  "struct",
+  "enum",
+  "trait",
+  "impl",
+  "mod",
+  "pub",
+  "let",
+  "mut",
+  "const",
+  "type",
+  "use",
+  "crate",
+  "self",
+  "super",
+  "move",
+  "ref",
+  "match",
+  "if",
+  "else",
+  "loop",
+  "while",
+  "for",
+  "return",
+  "break",
+  "continue",
+  "where",
+  "as",
+  "in",
+  "true",
+  "false",
+  "unsafe",
+  "extern",
+  "dyn",
+  "box",
+  "static",
+  "async",
+  "await",
+  "Box",
+  "String",
+  "Vec",
+  "Option",
+  "Result",
+  "Ok",
+  "Err",
+  "Some",
+  "None"
+]);
+function detectLanguage(code) {
+  if (/:[\s]*\w+[\s]*[;,{)]/.test(code) || /import.*from\s+['"]/.test(code) || /interface\s+\w+/.test(code)) return "typescript";
+  if (/\bdef\s+\w+\s*\(/.test(code) || /\bimport\s+\w+/.test(code) && /:$/.test(code)) return "python";
+  if (/\bfunc\s+\w+\s*\(/.test(code) || /\bpackage\s+\w+/.test(code)) return "go";
+  if (/\bpublic\s+class\s+\w+/.test(code) || /\bimport\s+java\./.test(code)) return "java";
+  if (/\bnamespace\s+\w+/.test(code) || /\busing\s+System/.test(code)) return "csharp";
+  if (/\bfn\s+\w+\s*\(/.test(code) || /\blet\s+mut\s+\w+/.test(code)) return "rust";
+  if (/\bdef\s+\w+/.test(code) && /\bend\b/.test(code)) return "ruby";
+  if (/\bconst\s+\w+\s*=/.test(code) || /\bfunction\s+\w+\s*\(/.test(code)) return "javascript";
+  return "typescript";
+}
+function buildLineIndex(code) {
+  const offsets = [];
+  for (let i = 0; i < code.length; i++) {
+    if (code.charCodeAt(i) === 10) offsets.push(i);
+  }
+  return offsets;
+}
+function lineFromIndex(lineOffsets, index) {
+  let lo = 0;
+  let hi = lineOffsets.length;
+  while (lo < hi) {
+    const mid = lo + hi >> 1;
+    if (lineOffsets[mid] < index) lo = mid + 1;
+    else hi = mid;
+  }
+  return lo + 1;
+}
+function scanTypeScript(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    // Single-line comment
+    { re: /\/\/[^\n]*/g, type: "Comment" /* Comment */ },
+    // Multi-line comment
+    { re: /\/\*[\s\S]*?\*\//g, type: "Comment" /* Comment */ },
+    // Quoted HTTP header names (fetch/axios headers objects) — mutated, not vendor-identifying literals
+    { re: /"(?:x-[a-z0-9][a-z0-9-]*|authorization|api-key)"/gi, type: "HttpHeaderString" /* HttpHeaderString */ },
+    { re: /'(?:x-[a-z0-9][a-z0-9-]*|authorization|api-key)'/gi, type: "HttpHeaderString" /* HttpHeaderString */ },
+    // Unquoted `Authorization` key — value must start with a string/template (skips interface/type shapes)
+    {
+      re: /(?:\{|\,)\s*(Authorization)\s*:\s*(?=[`'"])/g,
+      type: "HttpHeaderString" /* HttpHeaderString */,
+      groupIndex: 1
+    },
+    // Import source (the module path string)
+    { re: /\bimport\b[^'"]*['"]([^'"]+)['"]/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Class name
+    { re: /\bclass\s+([A-Za-z_$][A-Za-z0-9_$]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Function/method name (function keyword)
+    { re: /\bfunction\s+([A-Za-z_$][A-Za-z0-9_$]*)/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Arrow function assigned to const/let/var
+    { re: /\b(?:const|let|var)\s+([A-Za-z_$][A-Za-z0-9_$]*)\b(?!\s*[-.][A-Za-z0-9_$])\s*=\s*(?:async\s*)?\(/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Method: identifier followed by (
+    { re: /\b([A-Za-z_$][A-Za-z0-9_$]*)\s*\(/g, type: "Method" /* Method */, groupIndex: 1 },
+    // Env-style binding names with hyphens or dots (e.g. AWS-SECRET-KEY, AWS.SECRET.KEY) — not valid JS identifiers but common in pasted config
+    { re: /\b(?:const|let|var)\s+([A-Za-z_$][A-Za-z0-9_$]*(?:(?:-|\.)(?:[A-Za-z0-9_$]+))+)(?=\s*=)/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Variable declarations (exclude names continued with -/. so AWS-SECRET-KEY is captured only by the rule above)
+    { re: /\b(?:const|let|var)\s+([A-Za-z_$][A-Za-z0-9_$]*)\b(?!\s*[-.][A-Za-z0-9_$])/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Member receiver: matches in matches.push, row in row.patientId, def in def.name
+    { re: /\b([A-Za-z_$][A-Za-z0-9_$]*)\s*(?:\.|\?\.)[^0-9]/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Property after . or ?. when not immediately followed by ( — method calls use Method rule
+    { re: /\.([A-Za-z_$][A-Za-z0-9_$]*)\b(?!\s*\()/g, type: "Property" /* Property */, groupIndex: 1 },
+    { re: /\?\.([A-Za-z_$][A-Za-z0-9_$]*)\b(?!\s*\()/g, type: "Property" /* Property */, groupIndex: 1 },
+    // Template literals (preserve backtick wrapper)
+    { re: /`[^`]*`/g, type: "String" /* String */ },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ },
+    // Single-quoted strings
+    { re: /'(?:[^'\\]|\\.)*'/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Function" /* Function */ || type === "Class" /* Class */ || type === "Method" /* Method */ || type === "Property" /* Property */) {
+        if (TS_JS_KEYWORDS.has(captureValue)) continue;
+        if (/^(console|process|Object|Array|Math|JSON|Promise|Error|Map|Set|Date|RegExp|Symbol|Proxy|Reflect|global|globalThis|window|document|module|exports|require|__dirname|__filename|Intl|WebAssembly)$/.test(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+      }
+      if (type === "Property" /* Property */ && captureValue === "meta" && code.slice(Math.max(0, captureStart - 7), captureStart) === "import.") {
+        continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  const commentSpans = tokens.filter((t) => t.type === "Comment" /* Comment */);
+  const stringLikeSpans = tokens.filter(
+    (t) => t.type === "String" /* String */ || t.type === "HttpHeaderString" /* HttpHeaderString */
+  );
+  const dropsSpanOverlap = (t) => {
+    if (t.type === "Variable" /* Variable */ || t.type === "Function" /* Function */ || t.type === "Class" /* Class */ || t.type === "Method" /* Method */ || t.type === "Property" /* Property */) {
+      if (commentSpans.some((c) => t.start < c.end && t.end > c.start)) return false;
+      if (stringLikeSpans.some((s) => t.start < s.end && t.end > s.start)) return false;
+    }
+    return true;
+  };
+  return deduplicate(tokens.filter(dropsSpanOverlap));
+}
+function scanPython(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    // Triple-quoted docstrings
+    { re: /"""[\s\S]*?"""|'''[\s\S]*?'''/g, type: "Comment" /* Comment */ },
+    // Line comments
+    { re: /#[^\n]*/g, type: "Comment" /* Comment */ },
+    // Import module name
+    { re: /\bimport\s+([A-Za-z_][A-Za-z0-9_.]*)/g, type: "Import" /* Import */, groupIndex: 1 },
+    { re: /\bfrom\s+([A-Za-z_.][A-Za-z0-9_.]*)\s+import/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Class name
+    { re: /\bclass\s+([A-Za-z_][A-Za-z0-9_]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Function/method def
+    { re: /\bdef\s+([A-Za-z_][A-Za-z0-9_]*)/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Call site: method name in obj.method(
+    { re: /\b([A-Za-z_][A-Za-z0-9_]*)\s*\(/g, type: "Method" /* Method */, groupIndex: 1 },
+    // obj.attr receiver and attribute (matches.push-style)
+    { re: /\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*(?=[a-zA-Z_])/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    { re: /\.([A-Za-z_][A-Za-z0-9_]*)\b(?!\s*\()/g, type: "Property" /* Property */, groupIndex: 1 },
+    // Variable assignment (simple name = ...)
+    { re: /^([A-Za-z_][A-Za-z0-9_]*)\s*=/gm, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ },
+    // Single-quoted strings
+    { re: /'(?:[^'\\]|\\.)*'/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Function" /* Function */ || type === "Class" /* Class */ || type === "Method" /* Method */ || type === "Property" /* Property */) {
+        if (PYTHON_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+        if (captureValue.startsWith("__") && captureValue.endsWith("__")) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  const pyCommentSpans = tokens.filter((t) => t.type === "Comment" /* Comment */);
+  const pyStringSpans = tokens.filter((t) => t.type === "String" /* String */);
+  const dropsPyOverlap = (t) => {
+    if (t.type === "Variable" /* Variable */ || t.type === "Function" /* Function */ || t.type === "Class" /* Class */ || t.type === "Method" /* Method */ || t.type === "Property" /* Property */) {
+      if (pyCommentSpans.some((c) => t.start < c.end && t.end > c.start)) return false;
+      if (pyStringSpans.some((s) => t.start < s.end && t.end > s.start)) return false;
+    }
+    return true;
+  };
+  return deduplicate(tokens.filter(dropsPyOverlap));
+}
+function scanGo(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    { re: /\/\/[^\n]*/g, type: "Comment" /* Comment */ },
+    { re: /\/\*[\s\S]*?\*\//g, type: "Comment" /* Comment */ },
+    // Import path
+    { re: /import\s*\(\s*([\s\S]*?)\s*\)/g, type: "Import" /* Import */ },
+    { re: /import\s+"([^"]+)"/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Type declaration
+    { re: /\btype\s+([A-Za-z_][A-Za-z0-9_]*)\s+(?:struct|interface)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Func name
+    { re: /\bfunc\s+(?:\([^)]*\)\s*)?([A-Za-z_][A-Za-z0-9_]*)\s*\(/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Var/const declaration
+    { re: /\b(?:var|const)\s+([A-Za-z_][A-Za-z0-9_]*)\b/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Short variable declaration
+    { re: /\b([A-Za-z_][A-Za-z0-9_]*)\s*:=/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ },
+    // Backtick raw strings
+    { re: /`[^`]*`/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Function" /* Function */ || type === "Class" /* Class */) {
+        if (GO_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  return deduplicate(tokens);
+}
+function scanJava(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    { re: /\/\/[^\n]*/g, type: "Comment" /* Comment */ },
+    { re: /\/\*[\s\S]*?\*\//g, type: "Comment" /* Comment */ },
+    // Import statement
+    { re: /\bimport\s+([\w.]+);/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Class/interface/enum
+    { re: /\b(?:class|interface|enum|record)\s+([A-Za-z_$][A-Za-z0-9_$]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Method declaration
+    { re: /\b(?:public|private|protected|static|final|abstract|synchronized|native|default)[\w\s<>\[\],]*\s+([A-Za-z_$][A-Za-z0-9_$]*)\s*\(/g, type: "Method" /* Method */, groupIndex: 1 },
+    // Variable declaration
+    { re: /\b(?:int|long|double|float|boolean|char|byte|short|String|Object|var)\s+([A-Za-z_$][A-Za-z0-9_$]*)\s*[=;,)]/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Method" /* Method */ || type === "Class" /* Class */) {
+        if (JAVA_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+        if (/^(String|Object|Integer|Long|Double|Boolean|List|Map|Set|Array|Exception|Error|System|Math|Thread|Class|Enum)$/.test(captureValue)) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  return deduplicate(tokens);
+}
+function scanCSharp(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    { re: /\/\/[^\n]*/g, type: "Comment" /* Comment */ },
+    { re: /\/\*[\s\S]*?\*\//g, type: "Comment" /* Comment */ },
+    // Namespace/using import
+    { re: /\busing\s+([\w.]+);/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Class/interface/struct/enum names
+    { re: /\b(?:class|interface|struct|enum)\s+([A-Za-z_][A-Za-z0-9_]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Method/property declaration
+    { re: /\b(?:public|private|protected|internal|static|virtual|override|async)\s+(?:\w+\s+)+([a-zA-Z_]\w*)\s*\(/g, type: "Method" /* Method */, groupIndex: 1 },
+    // Local variable declarations
+    { re: /\b(?:var|int|string|bool|double|float|object)\s+([a-zA-Z_]\w*)\b/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ },
+    // Verbatim strings
+    { re: /@"(?:[^"]|"")*"/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Method" /* Method */ || type === "Class" /* Class */) {
+        if (CSHARP_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+        if (/^(String|Object|Integer|Boolean|Double|Float|List|Dictionary|Array|Exception|Task|Console|Math|Enum|Delegate)$/.test(captureValue)) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  return deduplicate(tokens);
+}
+function scanRuby(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    // Single-line comment
+    { re: /#[^\n]*/g, type: "Comment" /* Comment */ },
+    // Method names
+    { re: /\bdef\s+([a-zA-Z_]\w*[!?]?)/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Class and module names
+    { re: /\b(?:class|module)\s+([A-Z][a-zA-Z0-9_]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Instance variables
+    { re: /@([a-zA-Z_]\w*)/g, type: "Property" /* Property */, groupIndex: 1 },
+    // All-caps constants (3+ chars to avoid single-letter constants)
+    { re: /\b([A-Z][A-Z0-9_]{2,})\b/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ },
+    // Single-quoted strings
+    { re: /'(?:[^'\\]|\\.)*'/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Function" /* Function */ || type === "Class" /* Class */ || type === "Property" /* Property */) {
+        if (RUBY_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  return deduplicate(tokens);
+}
+function scanRust(code) {
+  const tokens = [];
+  if (!code.trim()) return tokens;
+  const lineOffsets = buildLineIndex(code);
+  const patterns = [
+    { re: /\/\/[^\n]*/g, type: "Comment" /* Comment */ },
+    { re: /\/\*[\s\S]*?\*\//g, type: "Comment" /* Comment */ },
+    // Use declarations
+    { re: /\buse\s+([\w:]+)/g, type: "Import" /* Import */, groupIndex: 1 },
+    // Named type declarations (struct, enum, trait)
+    { re: /\b(?:struct|enum|trait)\s+([A-Z][a-zA-Z0-9_]*)/g, type: "Class" /* Class */, groupIndex: 1 },
+    // Function names
+    { re: /\bfn\s+([a-zA-Z_]\w*)/g, type: "Function" /* Function */, groupIndex: 1 },
+    // Constants (ALL_CAPS)
+    { re: /\bconst\s+([A-Z_][A-Z0-9_]*)\s*:/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Variable bindings
+    { re: /\blet\s+(?:mut\s+)?([a-zA-Z_]\w*)/g, type: "Variable" /* Variable */, groupIndex: 1 },
+    // Double-quoted strings
+    { re: /"(?:[^"\\]|\\.)*"/g, type: "String" /* String */ }
+  ];
+  for (const { re, type, groupIndex } of patterns) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      const fullMatch = m[0];
+      const captureValue = groupIndex !== void 0 ? m[groupIndex] ?? fullMatch : fullMatch;
+      const captureStart = groupIndex !== void 0 ? m.index + fullMatch.indexOf(captureValue) : m.index;
+      if (!captureValue || captureValue.trim() === "") continue;
+      if (type === "Variable" /* Variable */ || type === "Function" /* Function */ || type === "Class" /* Class */) {
+        if (RUST_KEYWORDS.has(captureValue)) continue;
+        if (captureValue.length <= 1) continue;
+      }
+      tokens.push({
+        type,
+        value: captureValue,
+        start: captureStart,
+        end: captureStart + captureValue.length,
+        line: lineFromIndex(lineOffsets, captureStart)
+      });
+    }
+  }
+  return deduplicate(tokens);
+}
+function deduplicate(tokens) {
+  tokens.sort((a, b) => a.start - b.start);
+  const seen = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const token of tokens) {
+    const key = `${token.start}:${token.end}`;
+    if (!seen.has(key)) {
+      seen.add(key);
+      result.push(token);
+    }
+  }
+  return result;
+}
+function scan(code, language) {
+  if (!code || !code.trim()) {
+    return { tokens: [], language };
+  }
+  const lang = language.toLowerCase();
+  let tokens;
+  switch (lang) {
+    case "typescript":
+    case "javascript":
+    case "ts":
+    case "js":
+    case "tsx":
+    case "jsx":
+      tokens = scanTypeScript(code);
+      break;
+    case "python":
+    case "py":
+      tokens = scanPython(code);
+      break;
+    case "go":
+      tokens = scanGo(code);
+      break;
+    case "java":
+      tokens = scanJava(code);
+      break;
+    case "csharp":
+    case "cs":
+      tokens = scanCSharp(code);
+      break;
+    case "ruby":
+    case "rb":
+      tokens = scanRuby(code);
+      break;
+    case "rust":
+    case "rs":
+      tokens = scanRust(code);
+      break;
+    default:
+      tokens = scanTypeScript(code);
+  }
+  return { tokens, language: lang };
+}
+// src/salt.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync as existsSync2, renameSync as renameSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+import { randomBytes } from "crypto";
+// src/config-dir.ts
+import { existsSync, renameSync } from "fs";
+import { join } from "path";
+var PROJECT_CONFIG_DIR_NAME = ".pretest";
+var LEGACY_PROJECT_CONFIG_DIR_NAME = ".pretense";
+function migrateLegacyProjectConfigDir(parentDir) {
+  const next = join(parentDir, PROJECT_CONFIG_DIR_NAME);
+  const prev = join(parentDir, LEGACY_PROJECT_CONFIG_DIR_NAME);
+  if (existsSync(next)) return;
+  if (!existsSync(prev)) return;
+  try {
+    renameSync(prev, next);
+  } catch {
+  }
+}
+// src/salt.ts
+var SALT_BYTES = 32;
+function getSaltPath() {
+  const home = homedir();
+  migrateLegacyProjectConfigDir(home);
+  const dir = join2(home, PROJECT_CONFIG_DIR_NAME);
+  const legacyDir = join2(home, LEGACY_PROJECT_CONFIG_DIR_NAME);
+  const path = join2(dir, "mutation.salt");
+  const legacySalt = join2(legacyDir, "mutation.salt");
+  if (!existsSync2(path) && existsSync2(legacySalt)) {
+    try {
+      if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
+      renameSync2(legacySalt, path);
+    } catch {
+    }
+  }
+  return { dir, path };
+}
+var _cachedSalt = null;
+function getMutationSalt() {
+  if (_cachedSalt) return _cachedSalt;
+  const { dir, path } = getSaltPath();
+  if (existsSync2(path)) {
+    try {
+      const raw = readFileSync(path, "utf-8").trim();
+      if (/^[0-9a-f]{64}$/i.test(raw)) {
+        _cachedSalt = raw.toLowerCase();
+        return _cachedSalt;
+      }
+    } catch {
+    }
+  }
+  const salt = randomBytes(SALT_BYTES).toString("hex");
+  try {
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(path, salt, { mode: 384 });
+  } catch {
+  }
+  _cachedSalt = salt;
+  return salt;
+}
+function buildSaltedSeed(baseSeed) {
+  return `${baseSeed}:${getMutationSalt()}`;
+}
+function effectiveSeedForMutation(userSeed) {
+  if (userSeed === "pretense" || userSeed === "pretest") {
+    return buildSaltedSeed("pretense");
+  }
+  return userSeed;
+}
+// src/deterministic-id.ts
+function hash32(str) {
+  let h = 5381;
+  for (let i = 0; i < str.length; i++) {
+    h = (h << 5) + h ^ str.charCodeAt(i);
+  }
+  return h >>> 0;
+}
+function toAlphaNum(n, len) {
+  const CHARS = "abcdefghijklmnopqrstuvwxyz0123456789";
+  let result = "";
+  let v = n;
+  for (let i = 0; i < len; i++) {
+    result = CHARS[v % CHARS.length] + result;
+    v = Math.floor(v / CHARS.length);
+  }
+  return result;
+}
+function deterministicSyntheticId(original, seed, prefix, len = 4) {
+  const combined = `${seed}:${prefix}:${original}`;
+  const h = hash32(combined);
+  return prefix + toAlphaNum(h, len);
+}
+// src/mutator.ts
+function prefixForType(type) {
+  switch (type) {
+    case "Class" /* Class */:
+      return "_cls";
+    case "Function" /* Function */:
+    case "Method" /* Method */:
+      return "_fn";
+    case "Variable" /* Variable */:
+      return "_v";
+    case "Property" /* Property */:
+      return "_prop";
+    case "HttpHeaderString" /* HttpHeaderString */:
+      return "_hk";
+    default:
+      return "_tok";
+  }
+}
+function mutate(code, language, seed = "pretest") {
+  const startMs = performance.now();
+  const lang = language ?? detectLanguage(code);
+  if (!code || !code.trim()) {
+    const emptyMap = /* @__PURE__ */ new Map();
+    return {
+      mutatedCode: code,
+      map: emptyMap,
+      stats: { tokensScanned: 0, tokensMutated: 0, durationMs: 0, language: lang }
+    };
+  }
+  const effectiveSeed = effectiveSeedForMutation(seed);
+  const { tokens } = scan(code, lang);
+  const map = /* @__PURE__ */ new Map();
+  for (const token of tokens) {
+    if (map.has(token.value)) continue;
+    if (token.type === "Comment" /* Comment */) {
+      continue;
+    }
+    if (token.type === "String" /* String */) {
+      continue;
+    }
+    if (token.type === "HttpHeaderString" /* HttpHeaderString */) {
+      const qm = /^("|')(.+)\1$/.exec(token.value);
+      if (qm) {
+        const inner = qm[2];
+        const q = qm[1];
+        const syntheticInner = deterministicSyntheticId(inner, effectiveSeed, prefixForType("HttpHeaderString" /* HttpHeaderString */));
+        map.set(token.value, `${q}${syntheticInner}${q}`);
+      } else {
+        const syntheticInner = deterministicSyntheticId(token.value, effectiveSeed, prefixForType("HttpHeaderString" /* HttpHeaderString */));
+        map.set(token.value, syntheticInner);
+      }
+      continue;
+    }
+    if (token.type === "Import" /* Import */) {
+      continue;
+    }
+    const prefix = prefixForType(token.type);
+    const synthetic = deterministicSyntheticId(token.value, effectiveSeed, prefix);
+    map.set(token.value, synthetic);
+  }
+  const entries = [...map.entries()].sort((a, b) => b[0].length - a[0].length);
+  let mutatedCode = code;
+  for (const [original, synthetic] of entries) {
+    if (!synthetic) continue;
+    const escaped = original.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    if (original.match(/^[A-Za-z_$][A-Za-z0-9_$]*$/)) {
+      mutatedCode = mutatedCode.replace(new RegExp(`\\b${escaped}\\b`, "g"), synthetic);
+    } else {
+      mutatedCode = mutatedCode.split(original).join(synthetic);
+    }
+  }
+  const durationMs = Math.round((performance.now() - startMs) * 100) / 100;
+  return {
+    mutatedCode,
+    map,
+    stats: {
+      tokensScanned: tokens.length,
+      tokensMutated: map.size,
+      durationMs,
+      language: lang
+    }
+  };
+}
+// src/reverser.ts
+function reverse(mutatedCode, map, secretsMap) {
+  if (!mutatedCode) return mutatedCode;
+  let result = mutatedCode;
+  if (map.size > 0) {
+    const reverseMap = /* @__PURE__ */ new Map();
+    for (const [original, synthetic] of map.entries()) {
+      if (synthetic === "" || !synthetic) continue;
+      reverseMap.set(synthetic, original);
+    }
+    if (reverseMap.size > 0) {
+      const sortedEntries = [...reverseMap.entries()].sort((a, b) => b[0].length - a[0].length);
+      for (const [synthetic, original] of sortedEntries) {
+        const escaped = synthetic.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        if (synthetic.match(/^[A-Za-z_$][A-Za-z0-9_$]*$/) || synthetic.match(/^_[a-z]+[a-z0-9]{4,}$/)) {
+          result = result.replace(new RegExp(`\\b${escaped}\\b`, "g"), original);
+        } else {
+          result = result.split(synthetic).join(original);
+        }
+      }
+    }
+  }
+  if (secretsMap && secretsMap.size > 0) {
+    const sortedSecrets = [...secretsMap.entries()].sort((a, b) => b[0].length - a[0].length);
+    for (const [placeholder, original] of sortedSecrets) {
+      result = result.split(placeholder).join(original);
+    }
+  }
+  return result;
+}
+// src/secrets.ts
+var SECRET_PATTERNS = [
+  { name: "anthropic-api-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /sk-ant-api\d{2}-[A-Za-z0-9_-]{40,}/g },
+  /** Legacy `sk-…` and modern `sk-proj-…` (hyphenated body); aligned with upstream scanner heuristics */
+  { name: "openai-api-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /sk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
+  { name: "aws-access-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /AKIA[0-9A-Z]{16}/g },
+  /** `AWS_SECRET = '…40 chars…'` (not `AWS_SECRET_ACCESS_KEY`, which is covered below). */
+  { name: "aws-secret-assignment", category: "secret", severity: "critical", defaultAction: "block", pattern: /\bAWS_SECRET\s*=\s*['"]([A-Za-z0-9/+=]{40})['"]/gd, valueGroup: 1 },
+  /**
+   * Env-style labels with `-` or `.` (e.g. `AWS-SECRET-KEY`, `AWS.SECRET.KEY`, long `ACCESS` forms).
+   * Case-insensitive `AWS` / `SECRET` / `KEY`. Value: 40-char secret; quotes optional (matches aws-secret-key).
+   */
+  {
+    name: "aws-secret-key-delimited",
+    category: "secret",
+    severity: "critical",
+    defaultAction: "block",
+    pattern: /\bAWS[-.]SECRET(?:[-.]ACCESS)?[-.]KEY\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gdi,
+    valueGroup: 1
+  },
+  { name: "aws-secret-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gd, valueGroup: 1 },
+  { name: "github-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g },
+  { name: "github-fine-grained", category: "secret", severity: "critical", defaultAction: "block", pattern: /github_pat_[A-Za-z0-9_]{22,}/g },
+  { name: "stripe-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /(?:sk|pk|rk)_(?:test|live)_[A-Za-z0-9]{20,}/g },
+  { name: "private-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+  /** Three base64url JWT segments; payload segment is not required to start with `eyJ` (Supabase and many issuers use compact payloads). */
+  { name: "jwt-token", category: "secret", severity: "high", defaultAction: "block", pattern: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{4,}/g },
+  { name: "database-url", category: "credential", severity: "critical", defaultAction: "block", pattern: /(?:postgres|mysql|mongodb|redis|amqp):\/\/[^\s'"\\)]+:[^\s'"\\)]+@[^\s'"\\)]+/g },
+  {
+    name: "generic-password",
+    category: "credential",
+    severity: "high",
+    defaultAction: "redact",
+    // Do not match `token` / `secret` inside identifiers (e.g. GITHUB_TOKEN, AWS_SECRET): require no word/underscore before keyword.
+    pattern: /(?<![A-Za-z0-9_])(?:password|passwd|pwd|secret|token|api_key|apikey|api-key)\s*[=:]\s*['"]([^\s'"]{8,})['"]/gid,
+    valueGroup: 1
+  },
+  { name: "slack-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /xox[bpors]-[A-Za-z0-9-]{10,}/g },
+  { name: "google-api-key", category: "secret", severity: "high", defaultAction: "block", pattern: /AIza[A-Za-z0-9_-]{35}/g },
+  { name: "npm-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /npm_[A-Za-z0-9]{36}/g },
+  { name: "sendgrid-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g },
+  { name: "twilio-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /SK[a-f0-9]{32}/g },
+  // ─── Additional patterns (v0.3) ──────────────────────────────────────────────
+  { name: "azure-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /(?:AccountKey|SharedAccessKey)=[A-Za-z0-9+/=]{40,}/g },
+  { name: "mailgun-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /key-[a-f0-9]{32}/g },
+  { name: "twilio-sid", category: "secret", severity: "high", defaultAction: "block", pattern: /AC[a-f0-9]{32}/g },
+  { name: "heroku-api-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /[hH]eroku.*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/g },
+  { name: "shopify-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /shpat_[a-fA-F0-9]{32}/g },
+  { name: "datadog-key", category: "secret", severity: "high", defaultAction: "block", pattern: /dd[a-z]{1,2}_[a-zA-Z0-9]{32,}/g },
+  { name: "vercel-token", category: "secret", severity: "high", defaultAction: "block", pattern: /vc_[a-zA-Z0-9]{24,}/g },
+  { name: "supabase-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /sbp_[a-f0-9]{40}/g },
+  { name: "linear-api-key", category: "secret", severity: "high", defaultAction: "block", pattern: /lin_api_[A-Za-z0-9]{40}/g },
+  { name: "cloudflare-api-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /v1\.0-[a-f0-9]{24}-[a-f0-9]{146}/g },
+  { name: "discord-bot-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g },
+  { name: "grafana-api-key", category: "secret", severity: "high", defaultAction: "block", pattern: /eyJrIjoi[A-Za-z0-9_-]{40,}/g },
+  { name: "confluent-key", category: "secret", severity: "high", defaultAction: "block", pattern: /CONFLUENT[A-Z_]*\s*[=:]\s*['"]?[A-Za-z0-9/+=]{16,}['"]?/g },
+  { name: "digitalocean-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /dop_v1_[a-f0-9]{64}/g },
+  { name: "doppler-token", category: "secret", severity: "high", defaultAction: "block", pattern: /dp\.st\.[a-z0-9_-]{2,}\.[A-Za-z0-9]{40,}/g },
+  { name: "planetscale-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /pscale_tkn_[A-Za-z0-9_-]{32,}/g },
+  { name: "hashicorp-vault-token", category: "secret", severity: "critical", defaultAction: "block", pattern: /hvs\.[A-Za-z0-9_-]{24,}/g },
+  { name: "fastly-api-key", category: "secret", severity: "high", defaultAction: "block", pattern: /fastly_[A-Za-z0-9]{32}/g },
+  { name: "algolia-api-key", category: "secret", severity: "high", defaultAction: "block", pattern: /[a-f0-9]{32}/g, validate: (m) => /ALGOLIA|algolia/.test(m) },
+  { name: "pulumi-token", category: "secret", severity: "high", defaultAction: "block", pattern: /pul-[a-f0-9]{40}/g },
+  // ─── Extended patterns (v0.6 unit 8) ─────────────────────────────────────────
+  { name: "google-oauth-refresh", category: "secret", severity: "critical", defaultAction: "block", pattern: /\bGOCSPX-[A-Za-z0-9_-]{20,}\b/g },
+  { name: "slack-webhook-url", category: "secret", severity: "critical", defaultAction: "block", pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]{20,}/g },
+  { name: "sentry-dsn", category: "secret", severity: "high", defaultAction: "redact", pattern: /https:\/\/[a-f0-9]{32}@o\d+\.ingest\.sentry\.io\/\d+/g },
+  { name: "x509-certificate", category: "secret", severity: "high", defaultAction: "redact", pattern: /-----BEGIN CERTIFICATE-----/g },
+  { name: "launchdarkly-sdk-key", category: "secret", severity: "critical", defaultAction: "block", pattern: /\bsdk-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b/g },
+  { name: "launchdarkly-mobile-key", category: "secret", severity: "high", defaultAction: "block", pattern: /\bmob-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b/g },
+  /** Stripe signing secrets are often 32+ chars; allow shorter synthetic/test tails so redaction still applies. */
+  { name: "stripe-webhook-secret", category: "secret", severity: "critical", defaultAction: "block", pattern: /\bwhsec_[A-Za-z0-9]{16,}\b/g },
+  /** Stripe Price / product IDs (`price_…`) — identifiers, not card data, but leak billing context. */
+  { name: "stripe-price-id", category: "secret", severity: "high", defaultAction: "block", pattern: /\bprice_[A-Za-z0-9_]{14,}\b/g },
+  /** `FOO_PASSWORD = '…'` / `NEXT_PUBLIC_*_PASSWORD` — generic-password skips when `password` is preceded by `_`. */
+  {
+    name: "env-password-assignment",
+    category: "credential",
+    severity: "high",
+    defaultAction: "block",
+    pattern: /\b[A-Z][A-Z0-9_]*PASSWORD\s*=\s*['"]([^'"]{6,})['"]/gd,
+    valueGroup: 1
+  },
+  /** Quoted common DB dialect names — stack hints when mutating env-style config. */
+  {
+    name: "quoted-db-dialect",
+    category: "credential",
+    severity: "medium",
+    defaultAction: "block",
+    pattern: /(['"])(postgres|mysql|redis)\1/gd,
+    valueGroup: 2
+  }
+];
+var PII_PATTERNS = [
+  { name: "ssn", category: "pii", severity: "critical", defaultAction: "redact", pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
+  { name: "credit-card", category: "pii", severity: "critical", defaultAction: "redact", pattern: /\b(?:\d[ -]*?){13,19}\b/g, validate: luhnCheck },
+  { name: "email", category: "pii", severity: "medium", defaultAction: "warn", pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
+  { name: "phone-us", category: "pii", severity: "medium", defaultAction: "warn", pattern: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g },
+  { name: "ip-address", category: "pii", severity: "low", defaultAction: "warn", pattern: /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g, validate: (ip) => !ip.startsWith("127.") && !ip.startsWith("0.") && ip !== "255.255.255.255" }
+];
+var ENV_PATTERNS = [
+  { name: "env-secret", category: "credential", severity: "high", defaultAction: "block", pattern: /(?:process\.env\.|os\.environ\[|ENV\[|getenv\()['"]?((?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE|AUTH)[A-Z_0-9]*)['"]?\]?\)?/gi }
+];
+function luhnCheck(num) {
+  const digits = num.replace(/\D/g, "");
+  if (digits.length < 13 || digits.length > 19) return false;
+  let sum = 0;
+  let alternate = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let n = parseInt(digits[i], 10);
+    if (alternate) {
+      n *= 2;
+      if (n > 9) n -= 9;
+    }
+    sum += n;
+    alternate = !alternate;
+  }
+  return sum % 10 === 0;
+}
+function shannonEntropy(str) {
+  if (str.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function isHighEntropy(str, minLength = 20, threshold = 4.5) {
+  if (str.length <= minLength) return false;
+  return shannonEntropy(str) > threshold;
+}
+function maskValue(value, type) {
+  if (type.includes("key") || type.includes("token") || type.includes("secret")) return value.slice(0, 6) + "..." + value.slice(-4);
+  if (type === "ssn") return "***-**-" + value.slice(-4);
+  if (type === "credit-card") return "****-****-****-" + value.replace(/\D/g, "").slice(-4);
+  if (type === "email") {
+    const [local, domain] = value.split("@");
+    return (local?.[0] ?? "*") + "***@" + (domain ?? "");
+  }
+  if (value.length > 12) return value.slice(0, 4) + "..." + value.slice(-4);
+  return "***";
+}
+var matchCounter = 0;
+var ENTROPY_SCAN_MAX_BYTES = 512 * 1024;
+function scan2(text, actionOverrides) {
+  const start = performance.now();
+  const matches = [];
+  const allPatterns = [...SECRET_PATTERNS, ...PII_PATTERNS, ...ENV_PATTERNS];
+  for (const def of allPatterns) {
+    def.pattern.lastIndex = 0;
+    let m;
+    while ((m = def.pattern.exec(text)) !== null) {
+      let value = m[0];
+      let start2 = m.index;
+      let end = start2 + value.length;
+      if (def.valueGroup !== void 0) {
+        const span = m.indices?.[def.valueGroup];
+        if (!span) continue;
+        const [gs, ge] = span;
+        value = text.slice(gs, ge);
+        start2 = gs;
+        end = ge;
+      }
+      if (def.validate && !def.validate(value)) continue;
+      const action = actionOverrides?.[def.name] ?? def.defaultAction;
+      matchCounter++;
+      matches.push({
+        id: `scan_${matchCounter}`,
+        category: def.category,
+        type: def.name,
+        value,
+        masked: maskValue(value, def.name),
+        start: start2,
+        end,
+        severity: def.severity,
+        action
+      });
+    }
+  }
+  if (text.length <= ENTROPY_SCAN_MAX_BYTES) {
+    const sortedByStart = [...matches].sort((a, b) => a.start - b.start);
+    const coveredEnd = (idx) => {
+      let lo = 0;
+      let hi = sortedByStart.length - 1;
+      let best = -1;
+      while (lo <= hi) {
+        const mid = lo + hi >> 1;
+        if (sortedByStart[mid].start <= idx) {
+          best = mid;
+          lo = mid + 1;
+        } else {
+          hi = mid - 1;
+        }
+      }
+      return best >= 0 ? sortedByStart[best].end : -1;
+    };
+    const highEntropyPattern = /\b[A-Za-z0-9_\-/.+=$]{21,}\b/g;
+    highEntropyPattern.lastIndex = 0;
+    let hem;
+    while ((hem = highEntropyPattern.exec(text)) !== null) {
+      const value = hem[0];
+      const end = hem.index + value.length;
+      if (coveredEnd(hem.index) >= end) continue;
+      if (isHighEntropy(value)) {
+        matchCounter++;
+        matches.push({
+          id: `scan_${matchCounter}`,
+          category: "secret",
+          type: "high-entropy-string",
+          value,
+          masked: value.slice(0, 6) + "..." + value.slice(-4),
+          start: hem.index,
+          end,
+          severity: "medium",
+          action: actionOverrides?.["high-entropy-string"] ?? "warn"
+        });
+      }
+    }
+  }
+  const severityRank = { critical: 4, high: 3, medium: 2, low: 1 };
+  matches.sort((a, b) => a.start - b.start || severityRank[b.severity] - severityRank[a.severity]);
+  const deduped = [];
+  let lastEnd = -1;
+  for (const match of matches) {
+    if (match.start >= lastEnd) {
+      deduped.push(match);
+      lastEnd = match.end;
+    }
+  }
+  return {
+    clean: deduped.filter((m) => m.action === "block" || m.action === "redact").length === 0,
+    matches: deduped,
+    scannedAt: Date.now(),
+    durationMs: Math.round((performance.now() - start) * 100) / 100
+  };
+}
+function applyRedactions(text, matches) {
+  return applyRedactionsTracked(text, matches).redactedCode;
+}
+var SECRET_LITERAL_PREFIX = "_sl";
+function applyRedactionsTracked(text, matches, mutationSeed = buildSaltedSeed("pretense")) {
+  const actionable = matches.filter((m) => m.action === "block" || m.action === "redact");
+  const sorted = [...actionable].sort((a, b) => b.start - a.start);
+  const secretsMap = /* @__PURE__ */ new Map();
+  const placeholders = /* @__PURE__ */ new Map();
+  const forward = [...actionable].sort((a, b) => a.start - b.start);
+  for (const match of forward) {
+    const tag = deterministicSyntheticId(`${match.id}:${match.start}`, mutationSeed, SECRET_LITERAL_PREFIX);
+    placeholders.set(match.id, tag);
+    secretsMap.set(tag, match.value);
+  }
+  let result = text;
+  for (const match of sorted) {
+    const tag = placeholders.get(match.id);
+    result = result.slice(0, match.start) + tag + result.slice(match.end);
+  }
+  return { redactedCode: result, secretsMap };
+}
+// src/store.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, existsSync as existsSync3 } from "fs";
+import { dirname } from "path";
+var MutationStore = class {
+  entries = /* @__PURE__ */ new Map();
+  filePath;
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  /**
+   * Persist a mutation map with associated metadata.
+   *
+   * @example
+   * store.save({ id: "req-1", originalHash: "abc", mapEntries: [...], timestamp: Date.now(), language: "typescript" });
+   */
+  save(entry) {
+    this.entries.set(entry.id, { ...entry });
+  }
+  /**
+   * Retrieve a stored entry by request ID.
+   *
+   * @example
+   * const entry = store.get("req-1");
+   */
+  get(id) {
+    return this.entries.get(id) ?? null;
+  }
+  /**
+   * Find the most recent entry whose originalHash matches.
+   *
+   * @example
+   * const entry = store.getByHash("sha256-abc123");
+   */
+  getByHash(hash) {
+    for (const entry of [...this.entries.values()].reverse()) {
+      if (entry.originalHash === hash) return entry;
+    }
+    return null;
+  }
+  /**
+   * Return all stored entries, newest first, up to `limit`.
+   *
+   * @example
+   * store.list(10) // last 10 entries
+   */
+  list(limit = 50) {
+    const all = [...this.entries.values()].reverse();
+    return all.slice(0, limit);
+  }
+  /**
+   * Delete an entry by ID. Returns true if it existed.
+   */
+  delete(id) {
+    return this.entries.delete(id);
+  }
+  /**
+   * Remove all entries from memory.
+   */
+  clear() {
+    this.entries.clear();
+  }
+  /**
+   * Write current in-memory state to the JSON file.
+   */
+  persist() {
+    const dir = dirname(this.filePath);
+    if (!existsSync3(dir)) {
+      mkdirSync2(dir, { recursive: true });
+    }
+    const data = JSON.stringify([...this.entries.values()], null, 2);
+    writeFileSync2(this.filePath, data, "utf-8");
+  }
+  /**
+   * Load entries from the JSON file into memory.
+   * No-ops if the file doesn't exist.
+   */
+  load() {
+    if (!existsSync3(this.filePath)) return;
+    try {
+      const raw = readFileSync2(this.filePath, "utf-8");
+      const parsed = JSON.parse(raw);
+      this.entries.clear();
+      for (const entry of parsed) {
+        this.entries.set(entry.id, entry);
+      }
+    } catch {
+      this.entries.clear();
+    }
+  }
+  /** Total entries in memory */
+  get size() {
+    return this.entries.size;
+  }
+  /**
+   * Reconstruct a MutationMap from a stored entry.
+   *
+   * @example
+   * const map = store.toMap(entry);
+   * reverse(mutatedCode, map);
+   */
+  static toMap(entry) {
+    return new Map(entry.mapEntries);
+  }
+  /**
+   * Serialize a MutationMap to the format stored in StoreEntry.
+   */
+  static fromMap(map) {
+    return [...map.entries()];
+  }
+};
+// src/config.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { join as join3, resolve } from "path";
+import { createHmac } from "crypto";
+var CONFIG_DIR_NAME = PROJECT_CONFIG_DIR_NAME;
+var CONFIG_FILE = "config.json";
+var MUTATION_MAP_FILE = "mutation-map.json";
+var AUDIT_LOG_FILE = "audit.log";
+var USAGE_FILE = "usage.json";
+function getConfigDir(baseDir) {
+  const base = baseDir ?? process.cwd();
+  migrateLegacyProjectConfigDir(base);
+  return resolve(base, CONFIG_DIR_NAME);
+}
+function initConfig(dir) {
+  const configDir = getConfigDir(dir);
+  if (!existsSync4(configDir)) {
+    mkdirSync3(configDir, { recursive: true });
+  }
+  const configPath = join3(configDir, CONFIG_FILE);
+  if (!existsSync4(configPath)) {
+    const config = {
+      ...DEFAULT_CONFIG,
+      storePath: configDir
+    };
+    writeFileSync3(configPath, JSON.stringify(config, null, 2), "utf-8");
+  }
+  const mapPath = join3(configDir, MUTATION_MAP_FILE);
+  if (!existsSync4(mapPath)) {
+    writeFileSync3(mapPath, "[]", "utf-8");
+  }
+  const auditPath = join3(configDir, AUDIT_LOG_FILE);
+  if (!existsSync4(auditPath)) {
+    writeFileSync3(auditPath, "", "utf-8");
+  }
+  const usagePath = join3(configDir, USAGE_FILE);
+  if (!existsSync4(usagePath)) {
+    const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+    const month = today.slice(0, 7);
+    const usageData = { month, mutations: 0, firstUseDate: today };
+    writeFileSync3(
+      usagePath,
+      JSON.stringify({ ...usageData, date: today, checksum: computeUsageChecksum(usageData) }, null, 2),
+      "utf-8"
+    );
+  }
+  return configDir;
+}
+function loadConfig(dir) {
+  const configDir = getConfigDir(dir);
+  const configPath = join3(configDir, CONFIG_FILE);
+  if (!existsSync4(configPath)) {
+    return { ...DEFAULT_CONFIG };
+  }
+  try {
+    const raw = readFileSync3(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return { ...DEFAULT_CONFIG, ...parsed };
+  } catch {
+    return { ...DEFAULT_CONFIG };
+  }
+}
+var USAGE_HMAC_SECRET = "pretense_usage_integrity_v1";
+function getUsageSecret() {
+  return process.env["PRETEST_USAGE_SECRET"]?.trim() || process.env["PRETENSE_USAGE_SECRET"]?.trim() || USAGE_HMAC_SECRET;
+}
+function computeUsageChecksum(data) {
+  const payload = JSON.stringify({ month: data.month, mutations: data.mutations, firstUseDate: data.firstUseDate });
+  return createHmac("sha256", getUsageSecret()).update(payload).digest("hex");
+}
+function verifyUsageChecksum(data) {
+  if (!data.checksum) return false;
+  return data.checksum === computeUsageChecksum(data);
+}
+function loadUsage(dir) {
+  const configDir = getConfigDir(dir);
+  const usagePath = join3(configDir, USAGE_FILE);
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const currentMonth = today.slice(0, 7);
+  if (!existsSync4(usagePath)) {
+    return { month: currentMonth, mutations: 0, firstUseDate: today };
+  }
+  try {
+    const raw = readFileSync3(usagePath, "utf-8");
+    const data = JSON.parse(raw);
+    if (data.date && !data.month) {
+      const legacyDate = data.date;
+      return { month: currentMonth, mutations: 0, firstUseDate: data.firstUseDate ?? legacyDate };
+    }
+    if (!verifyUsageChecksum({ month: data.month, mutations: data.mutations, firstUseDate: data.firstUseDate, checksum: data.checksum })) {
+      process.stderr.write("[PRETEST] Warning: usage.json integrity check failed. Resetting usage counter.\n");
+      return { month: currentMonth, mutations: 0, firstUseDate: data.firstUseDate ?? today };
+    }
+    if (data.month !== currentMonth) {
+      return { month: currentMonth, mutations: 0, firstUseDate: data.firstUseDate ?? today };
+    }
+    return { month: data.month, mutations: data.mutations, firstUseDate: data.firstUseDate };
+  } catch {
+    return { month: currentMonth, mutations: 0, firstUseDate: today };
+  }
+}
+function saveUsage(usage, dir) {
+  const configDir = getConfigDir(dir);
+  if (!existsSync4(configDir)) {
+    mkdirSync3(configDir, { recursive: true });
+  }
+  const usagePath = join3(configDir, USAGE_FILE);
+  const checksum = computeUsageChecksum(usage);
+  writeFileSync3(usagePath, JSON.stringify({ ...usage, checksum }, null, 2), "utf-8");
+}
+var MIN_LICENSE_KEY_LENGTH = 40;
+var LICENSE_PAYLOAD_REGEX = /^[a-zA-Z0-9]+$/;
+function isValidLicenseKey(key, prefix) {
+  if (key.length < MIN_LICENSE_KEY_LENGTH) return false;
+  const afterPrefix = key.slice(prefix.length);
+  const hmacSecret = process.env["PRETEST_LICENSE_SECRET"]?.trim() || process.env["PRETENSE_LICENSE_SECRET"]?.trim();
+  if (hmacSecret) {
+    const lastUnderscore = afterPrefix.lastIndexOf("_");
+    if (lastUnderscore === -1) return false;
+    const payload = afterPrefix.slice(0, lastUnderscore);
+    const providedHmac = afterPrefix.slice(lastUnderscore + 1);
+    if (!payload || !providedHmac) return false;
+    if (!LICENSE_PAYLOAD_REGEX.test(payload)) return false;
+    const expectedHmac = createHmac("sha256", hmacSecret).update(payload).digest("hex").slice(0, 16);
+    return providedHmac === expectedHmac;
+  }
+  return LICENSE_PAYLOAD_REGEX.test(afterPrefix);
+}
+function detectTier() {
+  const key = process.env["PRETEST_LICENSE_KEY"]?.trim() || process.env["PRETENSE_LICENSE_KEY"]?.trim() || "";
+  if (key.startsWith("pre_ent_") && isValidLicenseKey(key, "pre_ent_")) return "enterprise";
+  if (key.startsWith("pre_pro_") && isValidLicenseKey(key, "pre_pro_")) return "pro";
+  return "free";
+}
+function tierFromDashboardPlan(plan, fallback) {
+  if (plan === "ENTERPRISE") return "enterprise";
+  if (plan === "PRO") return "pro";
+  return fallback;
+}
+function getTierLimits(tier) {
+  switch (tier) {
+    case "enterprise":
+      return { monthlyMutations: Infinity, auditRetentionDays: Infinity };
+    case "pro":
+      return { monthlyMutations: Infinity, auditRetentionDays: 90 };
+    case "free":
+    default:
+      return { monthlyMutations: 1e3, auditRetentionDays: 30 };
+  }
+}
+// src/audit.ts
+import { appendFileSync, existsSync as existsSync5, readFileSync as readFileSync4, mkdirSync as mkdirSync4 } from "fs";
+import { join as join4, dirname as dirname2 } from "path";
+function writeAuditEntry(entry, dir) {
+  const configDir = getConfigDir(dir);
+  const auditPath = join4(configDir, "audit.log");
+  const logDir = dirname2(auditPath);
+  if (!existsSync5(logDir)) {
+    mkdirSync4(logDir, { recursive: true });
+  }
+  const line = JSON.stringify(entry) + "\n";
+  appendFileSync(auditPath, line, "utf-8");
+}
+function createAuditEntry(sessionId, file, identifiersMutated, secretsBlocked, llmProvider, latencyMs) {
+  return {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    sessionId,
+    file,
+    identifiersMutated,
+    secretsBlocked,
+    llmProvider,
+    latencyMs
+  };
+}
+function readAuditLog(options = {}) {
+  const { limit, dir } = options;
+  const configDir = getConfigDir(dir);
+  const auditPath = join4(configDir, "audit.log");
+  if (!existsSync5(auditPath)) {
+    return [];
+  }
+  const raw = readFileSync4(auditPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  let entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  const tier = detectTier();
+  const { auditRetentionDays } = getTierLimits(tier);
+  if (auditRetentionDays !== Infinity) {
+    const cutoff = Date.now() - auditRetentionDays * 24 * 60 * 60 * 1e3;
+    entries = entries.filter((e) => new Date(e.timestamp).getTime() >= cutoff);
+  }
+  entries.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+  if (limit && limit > 0) {
+    entries = entries.slice(0, limit);
+  }
+  return entries;
+}
+function formatJson(entries) {
+  return JSON.stringify(entries, null, 2);
+}
+function formatCsv(entries) {
+  const headers = "timestamp,sessionId,file,identifiersMutated,secretsBlocked,llmProvider,latencyMs";
+  const rows = entries.map(
+    (e) => [
+      e.timestamp,
+      e.sessionId,
+      `"${e.file.replace(/"/g, '""')}"`,
+      e.identifiersMutated,
+      e.secretsBlocked,
+      e.llmProvider,
+      e.latencyMs
+    ].join(",")
+  );
+  return [headers, ...rows].join("\n");
+}
+function formatText(entries) {
+  if (entries.length === 0) return "No audit entries found.";
+  const lines = entries.map((e) => {
+    const date = new Date(e.timestamp).toLocaleString();
+    return `[${date}] ${e.file} | ${e.identifiersMutated} mutated | ${e.secretsBlocked} secrets blocked | ${e.llmProvider} | ${e.latencyMs}ms`;
+  });
+  return lines.join("\n");
+}
+function formatAudit(entries, format = "text") {
+  switch (format) {
+    case "json":
+      return formatJson(entries);
+    case "csv":
+      return formatCsv(entries);
+    case "text":
+    default:
+      return formatText(entries);
+  }
+}
+// src/proxy.ts
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import { nanoid } from "nanoid";
+import { createServer } from "net";
+import { existsSync as existsSync7, watch } from "fs";
+// src/auth.ts
+import { createHash } from "crypto";
+var AUTH_HEADERS = ["authorization", "x-api-key", "x-goog-api-key"];
+var PUBLIC_PATHS = /* @__PURE__ */ new Set([
+  "/",
+  "/health",
+  "/stats",
+  "/audit",
+  "/tokens"
+]);
+function extractApiKey(c) {
+  for (const h of AUTH_HEADERS) {
+    const v = c.req.header(h);
+    if (v && v.length > 0) {
+      return v.replace(/^Bearer\s+/i, "").trim();
+    }
+  }
+  return null;
+}
+function sessionHash(apiKey) {
+  return createHash("sha256").update(apiKey).digest("hex").slice(0, 16);
+}
+var requireApiKey = async (c, next) => {
+  if (PUBLIC_PATHS.has(c.req.path)) {
+    return next();
+  }
+  const key = extractApiKey(c);
+  if (!key) {
+    return c.json(
+      {
+        error: {
+          type: "missing_api_key",
+          message: "Authorization header required (Authorization, x-api-key, or x-goog-api-key)"
+        }
+      },
+      401
+    );
+  }
+  c.set("sessionHash", sessionHash(key));
+  return next();
+};
+// src/session-store.ts
+var sessions = /* @__PURE__ */ new Map();
+function getSession(hash) {
+  let s = sessions.get(hash);
+  if (!s) {
+    s = {
+      mutationMap: /* @__PURE__ */ new Map(),
+      reverseMap: /* @__PURE__ */ new Map(),
+      createdAt: Date.now(),
+      lastUsed: Date.now()
+    };
+    sessions.set(hash, s);
+  }
+  s.lastUsed = Date.now();
+  return s;
+}
+function sessionCount() {
+  return sessions.size;
+}
+// src/git-context.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var GIT_TIMEOUT_MS = 2e3;
+async function runGit(args, cwd) {
+  try {
+    const { stdout } = await execFileAsync("git", args, {
+      cwd,
+      timeout: GIT_TIMEOUT_MS,
+      windowsHide: true
+    });
+    const trimmed = stdout.trim();
+    return trimmed.length > 0 ? trimmed : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function sanitizeRemote(raw) {
+  if (/^[\w.-]+@[^:]+:/.test(raw) && !raw.includes("://")) {
+    return raw;
+  }
+  try {
+    const url = new URL(raw);
+    url.username = "";
+    url.password = "";
+    return url.toString();
+  } catch {
+    return raw;
+  }
+}
+async function collectGitContext(cwd = process.cwd()) {
+  const insideRepo = await runGit(["rev-parse", "--is-inside-work-tree"], cwd);
+  if (insideRepo !== "true") return {};
+  const [remote, branch, sha] = await Promise.all([
+    runGit(["remote", "get-url", "origin"], cwd),
+    runGit(["rev-parse", "--abbrev-ref", "HEAD"], cwd),
+    runGit(["rev-parse", "HEAD"], cwd)
+  ]);
+  const ctx = {};
+  if (remote) ctx.git_remote = sanitizeRemote(remote);
+  if (branch && branch !== "HEAD") ctx.git_branch = branch;
+  if (sha) ctx.git_commit_sha = sha;
+  return ctx;
+}
+var CACHE_TTL_MS = 3e4;
+var cache = /* @__PURE__ */ new Map();
+async function collectGitContextCached(cwd = process.cwd(), now = Date.now()) {
+  const hit = cache.get(cwd);
+  if (hit && hit.expiresAt > now) return hit.value;
+  const value = await collectGitContext(cwd);
+  cache.set(cwd, { value, expiresAt: now + CACHE_TTL_MS });
+  return value;
+}
+// src/commands/login.ts
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync4, readFileSync as readFileSync5, chmodSync, readSync } from "fs";
+import { join as join5 } from "path";
+import { homedir as homedir2 } from "os";
+import readline from "readline/promises";
+import chalk from "chalk";
+// src/dashboard-env.ts
+var DASHBOARD_API_KEY_ENVS = ["PRETEST_API_KEY", "PRETENSE_API_KEY"];
+var DASHBOARD_API_URL_ENVS = ["PRETEST_API_URL", "PRETENSE_API_URL"];
+var DASHBOARD_NO_BANNER_ENVS = ["PRETEST_NO_BANNER", "PRETENSE_NO_BANNER"];
+function firstNonEmptyEnv(names) {
+  for (const name of names) {
+    const v = process.env[name]?.trim();
+    if (v) return v;
+  }
+  return "";
+}
+function activeDashboardApiKeyEnvName() {
+  for (const name of DASHBOARD_API_KEY_ENVS) {
+    const v = process.env[name]?.trim();
+    if (v) return name;
+  }
+  return null;
+}
+function assignDashboardApiKeyToProcess(key) {
+  process.env["PRETEST_API_KEY"] = key;
+  process.env["PRETENSE_API_KEY"] = key;
+}
+function clearDashboardApiKeyFromProcess() {
+  delete process.env["PRETEST_API_KEY"];
+  delete process.env["PRETENSE_API_KEY"];
+}
+function hasDashboardApiKeyInEnv() {
+  return DASHBOARD_API_KEY_ENVS.some((n) => !!process.env[n]?.trim());
+}
+// src/publish-info.ts
+var PUBLISH_PACKAGE_URL = "https://www.npmjs.com/package/@blockyfy/stg-cli";
+// src/commands/login.ts
+var CONFIG_DIR_NAME2 = PROJECT_CONFIG_DIR_NAME;
+var CONFIG_FILE2 = "config.json";
+function getUserDashboardConfigDir() {
+  const home = homedir2();
+  migrateLegacyProjectConfigDir(home);
+  return join5(home, CONFIG_DIR_NAME2);
+}
+function getUserDashboardConfigPath() {
+  return join5(getUserDashboardConfigDir(), CONFIG_FILE2);
+}
+function isValidKeyShape(key) {
+  const trimmed = key.trim();
+  if (trimmed.length < 24) return false;
+  if (!/^[A-Za-z0-9_]+$/.test(trimmed)) return false;
+  return trimmed.startsWith("pk_live_") || trimmed.startsWith("ptns_live_") || trimmed.startsWith("prtns_live_");
+}
+function readStdinIfPiped() {
+  if (process.stdin.isTTY) return "";
+  try {
+    const chunks = [];
+    const buf = Buffer.alloc(4096);
+    let bytesRead = 0;
+    do {
+      try {
+        bytesRead = readSync(0, buf, 0, buf.length, null);
+      } catch {
+        bytesRead = 0;
+      }
+      if (bytesRead > 0) chunks.push(Buffer.from(buf.subarray(0, bytesRead)));
+    } while (bytesRead === buf.length);
+    return Buffer.concat(chunks).toString("utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function maskKey(key) {
+  const trimmed = key.trim();
+  if (trimmed.length <= 12) return trimmed;
+  return `${trimmed.slice(0, 12)}${"\u2022".repeat(8)}${trimmed.slice(-4)}`;
+}
+function logDashboardCredentialHint() {
+  const envName = activeDashboardApiKeyEnvName();
+  const env = envName ? process.env[envName]?.trim() ?? "" : "";
+  const envOk = env.length > 0 && isValidKeyShape(env);
+  const abs = getUserDashboardConfigPath();
+  const fk = loadApiKey();
+  if (envOk && envName) {
+    console.error(
+      chalk.gray(
+        `[pretest] Dashboard key source: ${envName} in environment (${maskKey(env)}) \u2014 unset this variable after logout if you expect no key.`
+      )
+    );
+  } else if (fk && isValidKeyShape(fk)) {
+    console.error(chalk.gray(`[pretest] Dashboard key source: ${abs} (${maskKey(fk)})`));
+  } else {
+    console.error(chalk.gray("[pretest] Dashboard key source: none configured."));
+  }
+}
+function saveApiKey(key, configDir = getUserDashboardConfigDir()) {
+  if (!existsSync6(configDir)) {
+    mkdirSync5(configDir, { recursive: true });
+  }
+  const path = join5(configDir, CONFIG_FILE2);
+  let existing = {};
+  if (existsSync6(path)) {
+    try {
+      existing = JSON.parse(readFileSync5(path, "utf-8"));
+    } catch {
+      existing = {};
+    }
+  }
+  const next = {
+    ...existing,
+    api_key: key.trim(),
+    saved_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeFileSync4(path, JSON.stringify(next, null, 2), { encoding: "utf-8", mode: 384 });
+  try {
+    chmodSync(path, 384);
+  } catch {
+  }
+  return path;
+}
+function removeSavedDashboardCredentials(configDir = getUserDashboardConfigDir()) {
+  const path = join5(configDir, CONFIG_FILE2);
+  if (!existsSync6(path)) return { removed: false, path };
+  let existing = {};
+  try {
+    existing = JSON.parse(readFileSync5(path, "utf-8"));
+  } catch {
+    return { removed: false, path };
+  }
+  const ak = existing.api_key;
+  const hadKey = typeof ak === "string" && ak.trim().length > 0;
+  if (!hadKey) return { removed: false, path };
+  delete existing.api_key;
+  delete existing.saved_at;
+  writeFileSync4(path, JSON.stringify(existing, null, 2), { encoding: "utf-8", mode: 384 });
+  try {
+    chmodSync(path, 384);
+  } catch {
+  }
+  return { removed: true, path };
+}
+function loadApiKey(configDir = getUserDashboardConfigDir()) {
+  const path = join5(configDir, CONFIG_FILE2);
+  if (!existsSync6(path)) return null;
+  try {
+    const raw = readFileSync5(path, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.api_key === "string") {
+      const t = parsed.api_key.trim();
+      if (t.length > 0) return t;
+    }
+  } catch {
+  }
+  return null;
+}
+function resolveDashboardKeyCandidate() {
+  const env = firstNonEmptyEnv(DASHBOARD_API_KEY_ENVS);
+  if (env.length > 0) {
+    if (!isValidKeyShape(env)) {
+      return { key: null, fromFile: false, badEnv: true };
+    }
+    return { key: env, fromFile: false, badEnv: false };
+  }
+  const fileKey = loadApiKey();
+  if (fileKey && isValidKeyShape(fileKey)) {
+    return { key: fileKey.trim(), fromFile: true, badEnv: false };
+  }
+  return { key: null, fromFile: Boolean(fileKey), badEnv: false };
+}
+function installDashboardKeyForCurrentProcess(key) {
+  const trimmed = key.trim();
+  const path = saveApiKey(trimmed);
+  assignDashboardApiKeyToProcess(trimmed);
+  return path;
+}
+async function promptDashboardApiKeyAfterFailure() {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return null;
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const line = (await rl.question(chalk.bold("Dashboard API key: "))).trim();
+    return line.length > 0 ? line : null;
+  } finally {
+    rl.close();
+  }
+}
+async function ensureDashboardKeyForStart() {
+  const { key, fromFile, badEnv } = resolveDashboardKeyCandidate();
+  if (badEnv) {
+    console.error(
+      chalk.red(
+        "Error: A dashboard API key is set in the environment but does not match the expected key shape."
+      )
+    );
+    console.error(
+      chalk.gray(
+        "Keys look like prtns_live_\u2026 or pk_live_\u2026. Fix the variable or unset it to use ~/.pretest/config.json."
+      )
+    );
+    process.exit(1);
+  }
+  if (key) {
+    return;
+  }
+  if (fromFile) {
+    console.warn(
+      chalk.yellow(
+        "Ignoring invalid `api_key` in ~/.pretest/config.json (wrong shape). Enter a new key or run `pretest login --key ...`."
+      )
+    );
+  }
+  const stdinOk = process.stdin.isTTY;
+  const stdoutOk = process.stdout.isTTY;
+  if (!stdinOk || !stdoutOk) {
+    console.error(chalk.red("Error: Dashboard API key required to start the proxy."));
+    console.error(
+      chalk.gray("Save one with `pretest login --key prtns_live_...` or set PRETEST_API_KEY.")
+    );
+    process.exit(1);
+  }
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    console.log(
+      chalk.cyan(
+        "No dashboard API key found in ~/.pretest/config.json. Set PRETEST_API_KEY or run pretest login."
+      )
+    );
+    const entered = (await rl.question(chalk.bold("Enter your dashboard API key: "))).trim();
+    if (!entered) {
+      console.error(chalk.red("No key entered; exiting."));
+      process.exit(1);
+    }
+    if (!isValidKeyShape(entered)) {
+      console.error(chalk.red("That does not look like a dashboard API key (expect prtns_live_\u2026 or pk_live_\u2026)."));
+      console.error(chalk.gray(`Get a key via the package page, then run \`pretest login --key ...\`: ${PUBLISH_PACKAGE_URL}`));
+      process.exit(1);
+    }
+    const path = installDashboardKeyForCurrentProcess(entered);
+    console.log(chalk.green("Saved API key to"), chalk.bold(path));
+    console.log(chalk.gray(`  ${maskKey(entered)}`));
+  } finally {
+    rl.close();
+  }
+  const persisted = resolveDashboardKeyCandidate();
+  if (!persisted.key || persisted.badEnv) {
+    console.error(chalk.red("Error: Dashboard API key could not be confirmed after login prompt."));
+    process.exit(1);
+  }
+}
+function runLogin(opts = {}) {
+  const candidate = opts.key?.trim() || firstNonEmptyEnv(DASHBOARD_API_KEY_ENVS) || readStdinIfPiped();
+  if (!candidate) {
+    console.error(chalk.red("Error: no API key provided."));
+    console.error(
+      chalk.gray("Try: pretest login --key pk_live_xxxxx")
+    );
+    console.error(
+      chalk.gray("  or: echo $PRETEST_API_KEY | pretest login")
+    );
+    return 1;
+  }
+  if (!isValidKeyShape(candidate)) {
+    console.error(chalk.red("Error: that does not look like a dashboard API key."));
+    console.error(
+      chalk.gray("Keys start with prtns_live_ (or pk_live_) and are at least 24 characters long.")
+    );
+    console.error(
+      chalk.gray(`See: ${PUBLISH_PACKAGE_URL}`)
+    );
+    return 1;
+  }
+  const path = saveApiKey(candidate, opts.configDir);
+  console.log(chalk.green("Saved API key to"), chalk.bold(path));
+  console.log(chalk.gray(`  ${maskKey(candidate)}`));
+  console.log(chalk.gray("  File mode 600 \u2014 readable only by you."));
+  return 0;
+}
+// src/backend-client.ts
+function usageSummaryFromValidate(v) {
+  return {
+    plan: v.plan,
+    monthlyMutationLimit: v.monthlyMutationLimit,
+    mutationsUsed: v.mutationsUsed,
+    mutationsRemaining: v.mutationsRemaining,
+    requestsThisPeriod: 0,
+    secretsBlockedThisPeriod: 0,
+    periodResetsAt: v.periodResetsAt,
+    keyExpiresAt: null,
+    keyStatus: "active"
+  };
+}
+var DEFAULT_PRETENSE_API_URL = "https://pretense-stg-api.nxtsen.com";
+var DEFAULT_REQUEST_TIMEOUT_MS = 15e3;
+function getConfiguredApiRoot(rootOverride) {
+  const raw = (rootOverride?.trim() || firstNonEmptyEnv(DASHBOARD_API_URL_ENVS) || DEFAULT_PRETENSE_API_URL).trim();
+  if (!raw) {
+    return DEFAULT_PRETENSE_API_URL.replace(/\/$/, "");
+  }
+  let normalized = raw;
+  if (!/^https?:\/\//i.test(normalized)) {
+    normalized = `https://${normalized}`;
+  }
+  try {
+    const u = new URL(normalized);
+    const origin = /^pretense\.ai$/i.test(u.hostname) ? DEFAULT_PRETENSE_API_URL.replace(/\/$/, "") : u.origin;
+    const path = u.pathname === "/" ? "" : u.pathname.replace(/\/$/, "");
+    return `${origin}${path}`;
+  } catch {
+    return DEFAULT_PRETENSE_API_URL.replace(/\/$/, "");
+  }
+}
+function getCliApiUrl(pathWithinCli, rootOverride) {
+  const root = getConfiguredApiRoot(rootOverride);
+  const tail = pathWithinCli.replace(/^\/+/, "");
+  return `${root}/api/cli/${tail}`;
+}
+function getApiRequestTimeoutMs() {
+  const raw = process.env["PRETEST_API_TIMEOUT_MS"]?.trim() || process.env["PRETENSE_API_TIMEOUT_MS"]?.trim();
+  if (!raw || !/^\d+$/.test(raw)) return DEFAULT_REQUEST_TIMEOUT_MS;
+  const n = parseInt(raw, 10);
+  return Math.min(Math.max(n, 3e3), 12e4);
+}
+function getApiKey() {
+  const fromEnv = firstNonEmptyEnv(DASHBOARD_API_KEY_ENVS);
+  if (fromEnv) return fromEnv;
+  const fromFile = loadApiKey();
+  if (!fromFile) return null;
+  const t = fromFile.trim();
+  return t.length > 0 ? t : null;
+}
+function getDashboardApiKey() {
+  return getApiKey();
+}
+var cachedValidation = null;
+var lastValidationSuccessAt = 0;
+var VALIDATION_CACHE_FRESH_MS = 45e3;
+function getCachedValidation() {
+  return cachedValidation;
+}
+function clearValidationCache() {
+  cachedValidation = null;
+  lastValidationSuccessAt = 0;
+}
+function bumpCachedUsageAfterLog(identifiersMutated) {
+  if (!cachedValidation || identifiersMutated <= 0) return;
+  cachedValidation.mutationsUsed += identifiersMutated;
+  if (cachedValidation.mutationsRemaining !== -1) {
+    cachedValidation.mutationsRemaining = Math.max(
+      0,
+      cachedValidation.mutationsRemaining - identifiersMutated
+    );
+  }
+}
+function makeBackendReachabilityError(code, message) {
+  const err = new Error(message);
+  err.code = code;
+  return err;
+}
+async function validateKey(opts = {}) {
+  const enforceReachability = opts.enforceReachability === true;
+  const now = Date.now();
+  const cacheFresh = cachedValidation !== null && now - lastValidationSuccessAt < VALIDATION_CACHE_FRESH_MS;
+  if (!opts.force && cacheFresh) {
+    return cachedValidation;
+  }
+  const validateUrl = getCliApiUrl("auth/validate");
+  const timeoutMs = getApiRequestTimeoutMs();
+  const apiKey = getApiKey();
+  if (!apiKey) {
+    if (enforceReachability) {
+      const err = new Error("Missing dashboard API key");
+      err.code = "MISSING_API_KEY";
+      cachedValidation = null;
+      lastValidationSuccessAt = 0;
+      throw err;
+    }
+    return null;
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const resp = await fetch(validateUrl, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${apiKey}`
+      },
+      body: "{}",
+      signal: controller.signal
+    });
+    if (resp.status === 401 || resp.status === 403) {
+      const raw = await resp.json().catch(() => ({}));
+      const msg = typeof raw.message === "string" ? raw.message : "API key rejected by server";
+      const err = new Error(msg);
+      err.code = typeof raw.code === "string" ? raw.code : "INVALID_API_KEY";
+      cachedValidation = null;
+      lastValidationSuccessAt = 0;
+      throw err;
+    }
+    if (!resp.ok) {
+      const msg = `Dashboard API returned HTTP ${resp.status} from ${validateUrl}`;
+      if (enforceReachability) {
+        cachedValidation = null;
+        lastValidationSuccessAt = 0;
+        throw makeBackendReachabilityError("AUTH_BACKEND_REJECTED", msg);
+      }
+      return null;
+    }
+    let data;
+    try {
+      data = await resp.json();
+    } catch {
+      if (enforceReachability) {
+        cachedValidation = null;
+        lastValidationSuccessAt = 0;
+        throw makeBackendReachabilityError(
+          "AUTH_BACKEND_REJECTED",
+          `Invalid JSON from ${validateUrl}`
+        );
+      }
+      return null;
+    }
+    if (typeof data.valid === "boolean" && data.valid === false) {
+      const err = new Error("API key is not valid");
+      err.code = "INVALID_API_KEY";
+      cachedValidation = null;
+      lastValidationSuccessAt = 0;
+      throw err;
+    }
+    cachedValidation = data;
+    lastValidationSuccessAt = Date.now();
+    return data;
+  } catch (err) {
+    if (err.code === "KEY_REVOKED" || err.code === "KEY_EXPIRED" || err.code === "INVALID_API_KEY" || err.code === "AUTH_ERROR" || err.code === "ORG_INACTIVE" || err.code === "MISSING_API_KEY" || err.code === "BACKEND_UNAVAILABLE" || err.code === "AUTH_BACKEND_REJECTED") {
+      throw err;
+    }
+    if (enforceReachability) {
+      const msg = err.name === "AbortError" ? `Timed out after ${timeoutMs}ms reaching ${validateUrl} (raise PRETEST_API_TIMEOUT_MS or PRETENSE_API_TIMEOUT_MS)` : `Cannot reach dashboard API at ${validateUrl}: ${err.message}`;
+      cachedValidation = null;
+      lastValidationSuccessAt = 0;
+      throw makeBackendReachabilityError("BACKEND_UNAVAILABLE", msg);
+    }
+    if (opts.verbose) {
+      process.stderr.write(
+        `[PRETEST] Backend validation failed: ${err.message}
+`
+      );
+    }
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function fetchUsageSummary(opts = {}) {
+  const summaryUrl = getCliApiUrl("usage/summary");
+  const apiKey = getApiKey();
+  if (!apiKey) return null;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), getApiRequestTimeoutMs());
+  try {
+    const resp = await fetch(summaryUrl, {
+      method: "GET",
+      headers: { authorization: `Bearer ${apiKey}` },
+      signal: controller.signal
+    });
+    if (!resp.ok) return null;
+    return await resp.json();
+  } catch (err) {
+    if (opts.verbose) {
+      process.stderr.write(
+        `[PRETEST] Usage summary fetch failed: ${err.message}
+`
+      );
+    }
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function isWithinLimits() {
+  const v = getCachedValidation();
+  if (!v) return { allowed: true };
+  if (v.mutationsRemaining !== -1 && v.mutationsRemaining <= 0) {
+    return {
+      allowed: false,
+      reason: `Monthly mutation limit reached (${v.mutationsUsed}/${v.monthlyMutationLimit}). See ${PUBLISH_PACKAGE_URL}`
+    };
+  }
+  return { allowed: true };
+}
+// src/log-uploader.ts
+async function uploadLog(event, options) {
+  const apiRoot = options.apiUrl?.trim() || void 0;
+  const endpoint = getCliApiUrl("log", apiRoot);
+  const { apiKey, verbose = false, timeoutMs = getApiRequestTimeoutMs() } = options;
+  if (!apiKey) return;
+  const gitCtx = options.gitContext ?? await collectGitContextCached(options.cwd);
+  const body = {
+    ...event,
+    ...gitCtx,
+    repo_remote_url: gitCtx.git_remote,
+    git_branch: gitCtx.git_branch,
+    commit_sha: gitCtx.git_commit_sha
+  };
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const resp = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!resp.ok && verbose) {
+      process.stderr.write(`[PRETEST] log upload HTTP ${resp.status}
+`);
+    }
+  } catch (err) {
+    if (verbose) {
+      const msg = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[PRETEST] log upload failed: ${msg}
+`);
+    }
+  } finally {
+    clearTimeout(timer);
+  }
+}
+// src/start-client-instructions.ts
+import chalk2 from "chalk";
+function printStartClientInstructions(port) {
+  const host = `http://localhost:${port}`;
+  console.log();
+  console.log(chalk2.cyan.bold("\u2500\u2500 Client setup (environment variables) \u2500\u2500"));
+  console.log(chalk2.gray("Point the CLI at the backend API (optional if using default):"));
+  console.log(
+    chalk2.white(`export PRETEST_API_URL='https://pretense-stg-api.nxtsen.com'`)
+  );
+  console.log();
+  console.log(chalk2.gray("Log in with your dashboard API key:"));
+  console.log(chalk2.white("pretest login --key your-dashboard-api-key"));
+  console.log();
+  console.log(
+    chalk2.gray("Documentation:"),
+    chalk2.cyan.underline(PUBLISH_PACKAGE_URL)
+  );
+  console.log();
+  console.log(
+    chalk2.gray("Set the LLM base URL for your provider (proxy below):")
+  );
+  console.log(chalk2.white(`export ANTHROPIC_BASE_URL="${host}"`));
+  console.log(chalk2.white(`export ANTHROPIC_BASE_URL=${host}`));
+  console.log(chalk2.white(`export OPENAI_BASE_URL=${host}/v1`));
+  console.log(chalk2.white(`export GEMINI_BASE_URL=${host}/v1beta`));
+  console.log(chalk2.white(`export OLLAMA_HOST=${host}`));
+  console.log();
+  console.log(chalk2.gray("Set your real upstream LLM API key (unchanged):"));
+  console.log(chalk2.white('export ANTHROPIC_API_KEY="sk-ant-API-KEY"'));
+  console.log();
+  console.log(chalk2.cyan.bold("\u2500\u2500 Stop & log out \u2500\u2500"));
+  console.log(
+    chalk2.gray(
+      "Stop the proxy: press Ctrl+C in the terminal where pretest start is running."
+    )
+  );
+  console.log(
+    chalk2.gray(
+      "Remove the saved dashboard key from ~/.pretest/config.json:"
+    )
+  );
+  console.log(chalk2.white("pretest logout"));
+  console.log(
+    chalk2.gray(
+      "(confirm with y / cancel with n.) Mutations stop immediately unless this proxy was started with"
+    )
+  );
+  console.log(
+    chalk2.gray(
+      "PRETEST_API_KEY in that same terminal \u2014 then press Ctrl+C and run pretest start again."
+    )
+  );
+  console.log();
+}
+// src/version.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { fileURLToPath } from "url";
+var cached = null;
+function getCliSemver() {
+  if (cached !== null) return cached;
+  try {
+    const url = new URL("../package.json", import.meta.url);
+    const raw = readFileSync6(fileURLToPath(url), "utf-8");
+    cached = JSON.parse(raw).version ?? "0.0.0";
+  } catch {
+    cached = "0.0.0";
+  }
+  return cached;
+}
+// src/proxy.ts
+var dashboardSavedCredentialsRevoked = false;
+function attachDashboardLogoutWatcher(enabled) {
+  if (!enabled) return;
+  const dir = getUserDashboardConfigDir();
+  let debounceTimer;
+  const applyFilesystemCredentialState = () => {
+    const fk = loadApiKey();
+    if (!fk) {
+      if (dashboardSavedCredentialsRevoked) return;
+      dashboardSavedCredentialsRevoked = true;
+      clearDashboardApiKeyFromProcess();
+      clearValidationCache();
+      try {
+        process.stderr.write(
+          `\x1B[33m[PRETEST] Saved dashboard API key removed (~/.pretest/config.json, e.g. pretest logout). LLM proxy POST requests are disabled until you run pretest login and restart pretest start.\x1B[0m
+`
+        );
+      } catch {
+      }
+      return;
+    }
+    if (dashboardSavedCredentialsRevoked) {
+      dashboardSavedCredentialsRevoked = false;
+      clearValidationCache();
+    }
+  };
+  const schedule = () => {
+    if (debounceTimer) clearTimeout(debounceTimer);
+    debounceTimer = setTimeout(applyFilesystemCredentialState, 120);
+  };
+  try {
+    if (!existsSync7(dir)) return;
+    watch(dir, () => {
+      schedule();
+    });
+  } catch {
+  }
+}
+function anthropicUpstream() {
+  return process.env["ANTHROPIC_UPSTREAM_URL"] ?? "https://api.anthropic.com";
+}
+function openaiUpstream() {
+  return process.env["OPENAI_UPSTREAM_URL"] ?? "https://api.openai.com";
+}
+function geminiUpstream() {
+  return process.env["GEMINI_UPSTREAM_URL"] ?? "https://generativelanguage.googleapis.com";
+}
+function ollamaUpstream() {
+  return process.env["OLLAMA_UPSTREAM_URL"] ?? "http://localhost:11434";
+}
+function detectUpstream(path) {
+  if (path.startsWith("/v1/messages")) return anthropicUpstream();
+  if (path.startsWith("/v1/chat/completions") || path.startsWith("/v1/completions") || path.startsWith("/v1/responses")) {
+    return openaiUpstream();
+  }
+  if (path.startsWith("/v1beta/") || path.startsWith("/v1/models")) return geminiUpstream();
+  if (path.startsWith("/api/chat") || path.startsWith("/api/generate")) return ollamaUpstream();
+  return anthropicUpstream();
+}
+function detectProvider(path) {
+  if (path.startsWith("/v1/messages")) return "anthropic";
+  if (path.startsWith("/v1/chat/completions") || path.startsWith("/v1/completions") || path.startsWith("/v1/responses")) {
+    return "openai";
+  }
+  if (path.startsWith("/v1beta/") || path.startsWith("/v1/models")) return "google";
+  if (path.startsWith("/api/chat") || path.startsWith("/api/generate")) return "ollama";
+  return "anthropic";
+}
+function stripPretenseOnlyForwardingHeaders(headers) {
+  const drop = /* @__PURE__ */ new Set(["x-pretense-api-key", "x-pretense-key"]);
+  for (const k of [...Object.keys(headers)]) {
+    if (drop.has(k.toLowerCase())) delete headers[k];
+  }
+}
+function extractText(body) {
+  const parts = [];
+  if (typeof body["system"] === "string") parts.push(body["system"]);
+  if (Array.isArray(body["messages"])) {
+    for (const msg of body["messages"]) {
+      if (typeof msg["content"] === "string") parts.push(msg["content"]);
+      else if (Array.isArray(msg["content"])) {
+        for (const block of msg["content"]) {
+          if (block["type"] === "text" && typeof block["text"] === "string") parts.push(block["text"]);
+        }
+      }
+    }
+  }
+  return parts.join("\n");
+}
+function extractCodeBlocks(text) {
+  const blocks = [];
+  const re = /```(\w*)\n([\s\S]*?)```/g;
+  let m;
+  while ((m = re.exec(text)) !== null) {
+    blocks.push({
+      code: m[2] ?? "",
+      language: m[1] ?? "typescript",
+      start: m.index,
+      end: m.index + m[0].length
+    });
+  }
+  return blocks;
+}
+function replaceCodeBlocks(text, blocks, replacements) {
+  let result = text;
+  for (let i = blocks.length - 1; i >= 0; i--) {
+    const block = blocks[i];
+    const replacement = replacements[i] ?? block.code;
+    const lang = block.language ?? "typescript";
+    result = result.slice(0, block.start) + "```" + lang + "\n" + replacement + "```" + result.slice(block.end);
+  }
+  return result;
+}
+function applyToBody(body, transform) {
+  const mutateField = (val) => {
+    if (typeof val === "string") return transform(val);
+    if (Array.isArray(val)) return val.map(mutateField);
+    if (val && typeof val === "object") {
+      const obj = val;
+      return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, mutateField(v)]));
+    }
+    return val;
+  };
+  return mutateField(body);
+}
+var stats = {
+  requestsProcessed: 0,
+  totalTokensMutated: 0,
+  totalSecretsBlocked: 0,
+  startedAt: Date.now()
+};
+function daysSinceFirstUse() {
+  const usage = loadUsage();
+  if (!usage.firstUseDate) return 0;
+  const first = new Date(usage.firstUseDate).getTime();
+  return Math.floor((Date.now() - first) / (24 * 60 * 60 * 1e3));
+}
+function printUpgradeNudge(reason) {
+  process.stdout.write(
+    `
+\x1B[33m[PRETEST] ${reason}\x1B[0m
+\x1B[33m[PRETEST] Upgrade to Pro: ${PUBLISH_PACKAGE_URL}\x1B[0m
+`
+  );
+}
+function createProxy(opts = {}) {
+  const config = { ...DEFAULT_CONFIG, ...opts.config };
+  const store = opts.store ?? new MutationStore(`${config.storePath}/proxy-store.json`);
+  const verbose = opts.verbose ?? false;
+  const app = new Hono();
+  app.use("*", requireApiKey);
+  app.get(
+    "/",
+    (c) => c.json({
+      name: "pretest",
+      version: getCliSemver(),
+      status: "running",
+      routes: {
+        "GET /": "This welcome page",
+        "GET /health": "Health check with uptime",
+        "GET /stats": "Mutation statistics",
+        "GET /audit": "Audit log (?limit=50)",
+        "POST /*": "Proxy to upstream LLM API (Anthropic, OpenAI, Google auto-detected)"
+      },
+      languages: ["TypeScript", "JavaScript", "Python", "Go", "Java", "C#", "Ruby", "Rust"],
+      docs: PUBLISH_PACKAGE_URL
+    })
+  );
+  app.get(
+    "/health",
+    (c) => c.json({
+      status: "ok",
+      version: getCliSemver(),
+      uptime: Math.floor((Date.now() - stats.startedAt) / 1e3),
+      stats: {
+        requestsProcessed: stats.requestsProcessed,
+        totalTokensMutated: stats.totalTokensMutated
+      }
+    })
+  );
+  app.get(
+    "/stats",
+    (c) => c.json({
+      ...stats,
+      storeSize: store.size,
+      activeSessions: sessionCount()
+    })
+  );
+  app.get("/audit", (c) => {
+    const limit = parseInt(c.req.query("limit") ?? "50");
+    return c.json(store.list(limit));
+  });
+  app.all("/*", async (c) => {
+    if (c.req.method !== "POST") {
+      const upstream2 = c.req.header("x-pretense-upstream") ?? detectUpstream(c.req.path);
+      const url = upstream2 + c.req.path;
+      const headers2 = {};
+      c.req.raw.headers.forEach((v, k) => {
+        headers2[k] = v;
+      });
+      delete headers2["host"];
+      headers2["host"] = new URL(upstream2).host;
+      stripPretenseOnlyForwardingHeaders(headers2);
+      const resp = await fetch(url, { method: c.req.method, headers: headers2 });
+      return new Response(resp.body, { status: resp.status, headers: Object.fromEntries(resp.headers.entries()) });
+    }
+    const requestStart = performance.now();
+    let body;
+    try {
+      body = await c.req.json();
+    } catch {
+      return c.json({ error: { type: "invalid_request", message: "Invalid JSON body" } }, 400);
+    }
+    if (!body || Object.keys(body).length === 0) {
+      return c.json({ error: { type: "invalid_request", message: "Empty request body" } }, 400);
+    }
+    const requestId = nanoid(12);
+    const upstream = c.req.header("x-pretense-upstream") ?? detectUpstream(c.req.path);
+    const provider = detectProvider(c.req.path);
+    if (dashboardSavedCredentialsRevoked) {
+      return c.json(
+        {
+          error: {
+            type: "pretense_session_logged_out",
+            message: "Saved dashboard credentials were removed (for example pretest logout). Run pretest login, then restart pretest start. If you started the proxy with a dashboard API key in this shell, stop it (Ctrl+C) and start again after logout."
+          }
+        },
+        401
+      );
+    }
+    const dashboardApiKey = getDashboardApiKey();
+    if (!dashboardApiKey) {
+      return c.json(
+        {
+          error: {
+            type: "pretense_dashboard_key_required",
+            message: "Configure your dashboard API key: run `pretest login --key prtns_live_...` or set PRETEST_API_KEY."
+          }
+        },
+        401
+      );
+    }
+    try {
+      await validateKey({ verbose, force: false, enforceReachability: true });
+    } catch (err) {
+      const code = err.code ?? "";
+      const msg = err.message;
+      const knownAuthCodes = /* @__PURE__ */ new Set([
+        "KEY_REVOKED",
+        "KEY_EXPIRED",
+        "INVALID_API_KEY",
+        "MISSING_API_KEY"
+      ]);
+      if (knownAuthCodes.has(code)) {
+        return c.json(
+          { error: { type: "pretense_auth_error", code, message: msg } },
+          401
+        );
+      }
+      if (code === "BACKEND_UNAVAILABLE" || code === "AUTH_BACKEND_REJECTED") {
+        return c.json(
+          { error: { type: "pretense_auth_backend_error", code, message: msg } },
+          503
+        );
+      }
+      if (code === "ORG_INACTIVE") {
+        return c.json(
+          { error: { type: "pretense_org_inactive", code, message: msg } },
+          403
+        );
+      }
+      return c.json(
+        { error: { type: "pretense_auth_error", message: msg } },
+        401
+      );
+    }
+    const sessHash = c.get("sessionHash");
+    const session = getSession(sessHash);
+    const tier = tierFromDashboardPlan(
+      getCachedValidation()?.plan,
+      detectTier()
+    );
+    const { monthlyMutations } = getTierLimits(tier);
+    const usage = loadUsage();
+    if (tier === "free" && usage.mutations >= monthlyMutations) {
+      return c.json(
+        {
+          error: {
+            type: "pretense_rate_limit",
+            message: `Monthly mutation limit reached (${monthlyMutations}/month). Upgrade to Pro for unlimited: ${PUBLISH_PACKAGE_URL}`
+          }
+        },
+        429
+      );
+    }
+    const backendLimits = await isWithinLimits();
+    if (!backendLimits.allowed) {
+      return c.json(
+        {
+          error: {
+            type: "pretense_rate_limit",
+            message: backendLimits.reason ?? "Mutation limit exceeded."
+          }
+        },
+        429
+      );
+    }
+    const cliAuth = getCachedValidation();
+    if (cliAuth?.permission === "read_only") {
+      return c.json(
+        {
+          error: {
+            type: "pretense_forbidden",
+            message: "This API key is read-only. Create a read_write key in the dashboard to use the Pretest proxy."
+          }
+        },
+        403
+      );
+    }
+    const fullText = extractText(body);
+    const secretScan = scan2(fullText);
+    const blockedSecrets = secretScan.matches.filter((m) => m.action === "block");
+    if (blockedSecrets.length > 0) {
+      stats.totalSecretsBlocked += blockedSecrets.length;
+      if (tier === "free") {
+        printUpgradeNudge(`${blockedSecrets.length} secret(s) blocked. Pro tier includes real-time secret alerts via Slack/PagerDuty.`);
+      }
+      return c.json(
+        {
+          error: {
+            type: "pretense_blocked",
+            message: `Request blocked: ${blockedSecrets.length} secret(s) detected. Types: ${[...new Set(blockedSecrets.map((m) => m.type))].join(", ")}`
+          }
+        },
+        400
+      );
+    }
+    const processedBody = applyToBody(body, (text) => applyRedactions(text, secretScan.matches));
+    const mutationMap = /* @__PURE__ */ new Map();
+    let tokensMutated = 0;
+    const mutatedBody = applyToBody(processedBody, (text) => {
+      const blocks = extractCodeBlocks(text);
+      if (blocks.length === 0) {
+        const lang = detectLanguage(text);
+        const result = mutate(text, lang);
+        for (const [k, v] of result.map) {
+          mutationMap.set(k, v);
+          session.mutationMap.set(k, v);
+          session.reverseMap.set(v, k);
+        }
+        tokensMutated += result.stats.tokensMutated;
+        return result.mutatedCode;
+      }
+      const mutatedBlocks = [];
+      for (const block of blocks) {
+        const result = mutate(block.code, block.language);
+        for (const [k, v] of result.map) {
+          mutationMap.set(k, v);
+          session.mutationMap.set(k, v);
+          session.reverseMap.set(v, k);
+        }
+        tokensMutated += result.stats.tokensMutated;
+        mutatedBlocks.push(result.mutatedCode);
+      }
+      return replaceCodeBlocks(text, blocks, mutatedBlocks);
+    });
+    usage.mutations += tokensMutated;
+    saveUsage(usage);
+    const remoteLogDisabled = process.env["PRETENSE_DISABLE_REMOTE_LOG"] === "1";
+    if (dashboardApiKey && !remoteLogDisabled) {
+      void uploadLog(
+        {
+          file_count: 0,
+          identifiers_mutated: tokensMutated,
+          secrets_blocked: blockedSecrets.length,
+          llm_provider: provider,
+          cli_version: getCliSemver()
+        },
+        { apiKey: dashboardApiKey, verbose }
+      );
+      bumpCachedUsageAfterLog(tokensMutated);
+    }
+    const warningThreshold = Math.floor(monthlyMutations * 0.8);
+    if (tier === "free" && usage.mutations >= warningThreshold && usage.mutations - tokensMutated < warningThreshold) {
+      printUpgradeNudge(`${usage.mutations}/${monthlyMutations} monthly mutations used. Running low!`);
+    }
+    if (tier === "free" && daysSinceFirstUse() >= 7) {
+      printUpgradeNudge("You've been using Pretest for 7+ days. Unlock Pro features: unlimited mutations, 90-day audit, Slack alerts.");
+    }
+    const entry = {
+      id: requestId,
+      originalHash: requestId,
+      mapEntries: [...mutationMap.entries()],
+      timestamp: Date.now(),
+      language: "mixed"
+    };
+    store.save(entry);
+    stats.requestsProcessed++;
+    stats.totalTokensMutated += tokensMutated;
+    const latencyMs = Math.round((performance.now() - requestStart) * 100) / 100;
+    writeAuditEntry(
+      createAuditEntry(requestId, "proxy-request", tokensMutated, blockedSecrets.length, provider, latencyMs)
+    );
+    if (verbose && tokensMutated > 0) {
+      process.stdout.write(`[PRETEST] ${tokensMutated} tokens mutated for request ${requestId}
+`);
+    }
+    const headers = {};
+    c.req.raw.headers.forEach((v, k) => {
+      headers[k] = v;
+    });
+    delete headers["host"];
+    delete headers["content-length"];
+    headers["host"] = new URL(upstream).host;
+    headers["x-pretense-request-id"] = requestId;
+    stripPretenseOnlyForwardingHeaders(headers);
+    const forwardBody = JSON.stringify(mutatedBody);
+    let upstreamResp;
+    try {
+      upstreamResp = await fetch(upstream + c.req.path, {
+        method: "POST",
+        headers: { ...headers, "content-type": "application/json", "content-length": String(Buffer.byteLength(forwardBody)) },
+        body: forwardBody
+      });
+    } catch {
+      return c.json({ error: { type: "pretense_upstream_error", message: "Failed to reach upstream provider" } }, 502);
+    }
+    if (body["stream"] === true) {
+      const streamReverseMap = new Map(mutationMap);
+      const upstream2 = upstreamResp.body;
+      if (!upstream2 || tokensMutated === 0) {
+        return new Response(upstream2, {
+          status: upstreamResp.status,
+          headers: {
+            "content-type": upstreamResp.headers.get("content-type") ?? "text/event-stream",
+            "cache-control": "no-cache",
+            "x-pretense-request-id": requestId,
+            "x-pretense-protected": "true",
+            "x-pretense-mutations": String(tokensMutated)
+          }
+        });
+      }
+      const decoder = new TextDecoder();
+      const encoder = new TextEncoder();
+      let buffer = "";
+      const transform = new TransformStream({
+        transform(chunk, controller) {
+          buffer += decoder.decode(chunk, { stream: true });
+          const lines = buffer.split("\n");
+          buffer = lines.pop() ?? "";
+          for (const line of lines) {
+            if (line.startsWith("data: ") && line !== "data: [DONE]") {
+              try {
+                const json = JSON.parse(line.slice(6));
+                const reversed = applyToBody(json, (text) => reverse(text, streamReverseMap));
+                controller.enqueue(encoder.encode(`data: ${JSON.stringify(reversed)}
+`));
+              } catch {
+                controller.enqueue(encoder.encode(line + "\n"));
+              }
+            } else {
+              controller.enqueue(encoder.encode(line + "\n"));
+            }
+          }
+        },
+        flush(controller) {
+          if (buffer.length > 0) {
+            controller.enqueue(encoder.encode(buffer));
+          }
+        }
+      });
+      const reversedStream = upstream2.pipeThrough(transform);
+      return new Response(reversedStream, {
+        status: upstreamResp.status,
+        headers: {
+          "content-type": upstreamResp.headers.get("content-type") ?? "text/event-stream",
+          "cache-control": "no-cache",
+          "x-pretense-request-id": requestId,
+          "x-pretense-protected": "true",
+          "x-pretense-mutations": String(tokensMutated),
+          "x-pretense-stream-reversal": "active"
+        }
+      });
+    }
+    const reverseMap = new Map(mutationMap);
+    let respBody;
+    try {
+      respBody = await upstreamResp.json();
+    } catch {
+      return new Response(null, {
+        status: upstreamResp.status,
+        headers: {
+          "x-pretense-protected": "true",
+          "x-pretense-mutations": String(tokensMutated)
+        }
+      });
+    }
+    const reversedBody = applyToBody(respBody, (text) => {
+      const blocks = extractCodeBlocks(text);
+      if (blocks.length === 0) return reverse(text, reverseMap);
+      const reversedBlocks = blocks.map((b) => reverse(b.code, reverseMap));
+      return replaceCodeBlocks(text, blocks, reversedBlocks);
+    });
+    c.header("x-pretense-request-id", requestId);
+    c.header("x-pretense-protected", "true");
+    c.header("x-pretense-mutations", String(tokensMutated));
+    return c.json(reversedBody, upstreamResp.status);
+  });
+  return app;
+}
+function isPortAvailable(port) {
+  return new Promise((resolve3) => {
+    const tester = createServer().once("error", () => resolve3(false)).once("listening", () => {
+      tester.once("close", () => resolve3(true)).close();
+    }).listen(port, "127.0.0.1");
+  });
+}
+async function findAvailablePort(startPort, maxAttempts = 10) {
+  for (let i = 0; i < maxAttempts; i++) {
+    const candidate = startPort + i;
+    if (candidate < 1 || candidate > 65535) break;
+    if (await isPortAvailable(candidate)) return candidate;
+  }
+  throw new Error(
+    `No available port found in range ${startPort}-${startPort + maxAttempts - 1}. Free a port or pass --port <number>.`
+  );
+}
+function startProxy(opts = {}) {
+  const requestedPort = opts.port ?? opts.config?.port ?? DEFAULT_CONFIG.port;
+  const app = createProxy(opts);
+  void (async () => {
+    const dashboardKeyFromEnvAtLaunch = hasDashboardApiKeyInEnv();
+    const dashboardKey = getDashboardApiKey();
+    if (!dashboardKey || !isValidKeyShape(dashboardKey)) {
+      process.stderr.write(
+        `\x1B[31m[PRETEST] API key required or invalid shape. Run \`pretest login --key prtns_live_...\`\x1B[0m
+\x1B[31m[PRETEST] or set PRETEST_API_KEY. See ${PUBLISH_PACKAGE_URL}\x1B[0m
+`
+      );
+      process.exit(1);
+    }
+    const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+    for (; ; ) {
+      try {
+        const validation = await validateKey({
+          force: true,
+          verbose: opts.verbose,
+          enforceReachability: true
+        });
+        if (!validation) {
+          process.stderr.write(
+            `\x1B[31m[PRETEST] Startup validation failed (no API key or unreachable backend). Cannot start proxy.\x1B[0m
+`
+          );
+          process.exit(1);
+        }
+        const plan = validation.plan ?? "FREE";
+        const remaining = validation.mutationsRemaining === -1 ? "unlimited" : String(validation.mutationsRemaining);
+        process.stdout.write(
+          `\x1B[32m[PRETEST] Key validated: ${plan} plan` + (validation.organizationName ? ` (${validation.organizationName})` : "") + ` \u2014 ${remaining} mutations remaining\x1B[0m
+`
+        );
+        break;
+      } catch (err) {
+        const code = err.code;
+        const msg = err.message;
+        if (code === "BACKEND_UNAVAILABLE" || code === "AUTH_BACKEND_REJECTED") {
+          process.stderr.write(`\x1B[31m[PRETEST] ${msg}\x1B[0m
+`);
+          process.stderr.write(`\x1B[31m[PRETEST] Fix network or set PRETEST_API_URL (or PRETENSE_API_URL) if using a custom API.\x1B[0m
+`);
+          process.exit(1);
+        }
+        if (code === "ORG_INACTIVE") {
+          process.stderr.write(`\x1B[31m[PRETEST] ${msg}\x1B[0m
+`);
+          process.stderr.write(`\x1B[31m[PRETEST] Your organization is inactive; contact support.\x1B[0m
+`);
+          process.exit(1);
+        }
+        const authRetryable = code === "INVALID_API_KEY" || code === "KEY_REVOKED" || code === "KEY_EXPIRED" || code === "AUTH_ERROR" || code === "MISSING_API_KEY";
+        if (authRetryable && interactive) {
+          process.stderr.write(`\x1B[31m[PRETEST] ${msg}\x1B[0m
+`);
+          process.stderr.write(
+            `\x1B[33m[PRETEST] Enter your dashboard API key and press Enter (Ctrl+C to quit).\x1B[0m
+`
+          );
+          let entered = null;
+          for (; ; ) {
+            entered = await promptDashboardApiKeyAfterFailure();
+            if (!entered) {
+              process.stderr.write(`\x1B[31m[PRETEST] No key entered; exiting.\x1B[0m
+`);
+              process.exit(1);
+            }
+            if (isValidKeyShape(entered)) break;
+            process.stderr.write(
+              `\x1B[31m[PRETEST] That does not look like a dashboard key (expect prtns_live_\u2026 or pk_live_\u2026).\x1B[0m
+`
+            );
+          }
+          const savedPath = installDashboardKeyForCurrentProcess(entered);
+          process.stdout.write(`\x1B[32m[PRETEST] Saved API key to ${savedPath}\x1B[0m
+`);
+          clearValidationCache();
+          continue;
+        }
+        if (code === "KEY_REVOKED" || code === "KEY_EXPIRED" || code === "INVALID_API_KEY" || code === "AUTH_ERROR" || code === "MISSING_API_KEY") {
+          process.stderr.write(`\x1B[31m[PRETEST] ${msg}\x1B[0m
+`);
+          process.stderr.write(`\x1B[31m[PRETEST] Run 'pretest login --key <new-key>' to fix.\x1B[0m
+`);
+          process.exit(1);
+        }
+        process.stderr.write(`\x1B[31m[PRETEST] ${msg}\x1B[0m
+`);
+        process.stderr.write(`\x1B[31m[PRETEST] Run 'pretest login --key <new-key>' or check connectivity.\x1B[0m
+`);
+        process.exit(1);
+      }
+    }
+    attachDashboardLogoutWatcher(!dashboardKeyFromEnvAtLaunch);
+    const bannerTier = tierFromDashboardPlan(
+      getCachedValidation()?.plan,
+      detectTier()
+    );
+    let port;
+    try {
+      port = await findAvailablePort(requestedPort, 10);
+    } catch (err) {
+      process.stderr.write(`\x1B[31m[PRETEST] ${err.message}\x1B[0m
+`);
+      process.exit(1);
+    }
+    if (port !== requestedPort) {
+      process.stderr.write(
+        `\x1B[33m[PRETEST] Port ${requestedPort} in use, falling back to ${port}.\x1B[0m
+`
+      );
+    }
+    printStartClientInstructions(port);
+    serve({ fetch: app.fetch, port }, () => {
+      const portStr = String(port);
+      process.stdout.write(`
+\x1B[36mPretest v${getCliSemver()}  [${bannerTier.toUpperCase()}]\x1B[0m
+  Your code hits AI naked. We fix that.
+  Proxy:    http://localhost:${portStr}
+  Health:   http://localhost:${portStr}/health
+  Stats:    http://localhost:${portStr}/stats
+  Drop-in env vars:
+    ANTHROPIC_BASE_URL=http://localhost:${portStr}
+    OPENAI_BASE_URL=http://localhost:${portStr}/v1
+    GEMINI_BASE_URL=http://localhost:${portStr}/v1beta
+    OLLAMA_HOST=http://localhost:${portStr}
+  Routes intercepted:
+    /v1/messages              -> Anthropic (Claude Code, SDK)
+    /v1/chat/completions      -> OpenAI (ChatGPT, Cursor)
+    /v1/responses             -> OpenAI (Codex CLI)
+    /v1beta/...               -> Google Gemini
+    /api/chat, /api/generate  -> Ollama (local)
+`);
+      setInterval(() => {
+        if (dashboardSavedCredentialsRevoked) return;
+        if (!getDashboardApiKey()) return;
+        void validateKey({
+          force: true,
+          verbose: opts.verbose,
+          enforceReachability: true
+        }).catch(() => {
+        });
+      }, 6e4);
+    });
+  })();
+}
+// src/token-footer.ts
+import chalk3 from "chalk";
+var PLAN_LIMITS = {
+  free: { monthlyMutations: 1e3, monthlyScans: 5e3, seats: 3, pricePerMonth: "$0/month" },
+  pro: { monthlyMutations: 1e5, monthlyScans: 5e5, seats: 25, pricePerMonth: "$29/seat/month" },
+  enterprise: {
+    monthlyMutations: Number.POSITIVE_INFINITY,
+    monthlyScans: Number.POSITIVE_INFINITY,
+    seats: Number.POSITIVE_INFINITY,
+    pricePerMonth: "$99/seat/month"
+  }
+};
+function getPlanLimits(tier) {
+  return PLAN_LIMITS[tier];
+}
+function fmt(n) {
+  if (!Number.isFinite(n)) return "unlimited";
+  return n.toLocaleString("en-US");
+}
+function printTokenFooter(filesScanned, mutationsMade) {
+  const tier = detectTier();
+  const limits = getPlanLimits(tier);
+  const usage = loadUsage();
+  if (tier === "enterprise") {
+    process.stderr.write(
+      chalk3.gray(`
+  ${filesScanned} files, ${mutationsMade} mutations  \xB7  Plan: Enterprise (unlimited)
+`)
+    );
+    return;
+  }
+  const used = usage.mutations;
+  const cap = limits.monthlyMutations;
+  const pct = cap > 0 ? Math.min(100, Math.round(used / cap * 100)) : 0;
+  const usageStr = pct >= 80 ? chalk3.yellow(`${fmt(used)} / ${fmt(cap)}`) : chalk3.gray(`${fmt(used)} / ${fmt(cap)}`);
+  process.stderr.write(
+    `
+  ${chalk3.cyan(filesScanned + " files")}, ${chalk3.cyan(mutationsMade + " mutations")}  \xB7  Plan: ${chalk3.bold(tier.toUpperCase())}  \xB7  Mutations this month: ${usageStr} (${pct}%)
+`
+  );
+  if (tier === "free") {
+    if (pct >= 80) {
+      process.stderr.write(
+        chalk3.yellow(`  \u26A0  Approaching free-tier limit. Upgrade: ${chalk3.bold("pretest upgrade")}
+`)
+      );
+    } else {
+      process.stderr.write(
+        chalk3.gray(`  Run ${chalk3.bold("pretest status")} for details, ${chalk3.bold("pretest upgrade")} to remove limits.
+`)
+      );
+    }
+  } else {
+    process.stderr.write("\n");
+  }
+}
+// src/banner.ts
+import chalk4 from "chalk";
+var BANNER_RAW = `\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588    pretest
+\u2588\u2588          \u2588\u2588
+\u2588\u2588          \u2588\u2588    Stop your code from
+\u2588\u2588          \u2588\u2588    leaking to any LLM.
+\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588
+\u2588\u2588                @blockyfy/stg-cli
+\u2588\u2588
+\u2588\u2588
+\u2588\u2588
+\u2588\u2588`;
+var ICE_BLUE = "#7DD3FC";
+function shouldPrint() {
+  if (DASHBOARD_NO_BANNER_ENVS.some((n) => process.env[n] === "1")) return false;
+  if (!process.stdout.isTTY) return false;
+  if (process.env.CI) return false;
+  return true;
+}
+function tint(line) {
+  try {
+    return chalk4.hex(ICE_BLUE)(line);
+  } catch {
+    return line;
+  }
+}
+function printBanner() {
+  if (!shouldPrint()) return;
+  const lines = BANNER_RAW.split("\n");
+  for (const line of lines) {
+    process.stderr.write(tint(line) + "\n");
+  }
+  process.stderr.write("\n");
+}
+// src/commands/status.ts
+import chalk5 from "chalk";
+var PLAN_LABEL = {
+  free: "Free",
+  pro: "Pro",
+  enterprise: "Enterprise"
+};
+function fmt2(n) {
+  if (n === -1 || !Number.isFinite(n)) return "unlimited";
+  return n.toLocaleString("en-US");
+}
+async function runStatus() {
+  let remote = await fetchUsageSummary();
+  if (!remote) {
+    const v = await validateKey({ force: true });
+    if (v?.valid) {
+      remote = usageSummaryFromValidate(v);
+    }
+  }
+  if (remote) {
+    const plan = remote.plan;
+    const tierBadge2 = plan === "ENTERPRISE" ? chalk5.bgMagenta.white.bold(" ENTERPRISE ") : plan === "PRO" ? chalk5.bgBlue.white.bold(" PRO ") : chalk5.bgGray.white.bold(" FREE ");
+    const lines2 = [];
+    lines2.push("");
+    lines2.push(`${chalk5.cyan("Pretest")} ${chalk5.gray(`v${getCliSemver()}`)}  ${tierBadge2}  ${chalk5.green("(synced)")}`);
+    lines2.push("");
+    lines2.push(`  Plan:        ${chalk5.bold(plan)}`);
+    lines2.push(`  Mutations:   ${fmt2(remote.mutationsUsed)} / ${fmt2(remote.monthlyMutationLimit)} this month`);
+    lines2.push(`  Remaining:   ${fmt2(remote.mutationsRemaining)}`);
+    lines2.push(`  Requests:    ${fmt2(remote.requestsThisPeriod)} this period`);
+    lines2.push(`  Secrets:     ${fmt2(remote.secretsBlockedThisPeriod)} blocked`);
+    lines2.push(`  Key status:  ${remote.keyStatus === "active" ? chalk5.green("active") : chalk5.red("revoked")}`);
+    lines2.push(`  Resets at:   ${new Date(remote.periodResetsAt).toLocaleDateString()}`);
+    if (remote.keyExpiresAt) {
+      lines2.push(`  Key expires: ${new Date(remote.keyExpiresAt).toLocaleDateString()}`);
+    }
+    lines2.push("");
+    if (plan === "FREE") {
+      lines2.push(`  ${chalk5.gray("Upgrade:")}  ${chalk5.bold("pretest upgrade")}`);
+      lines2.push("");
+    }
+    process.stdout.write(lines2.join("\n") + "\n");
+    return;
+  }
+  const tier = detectTier();
+  const planLimits = getPlanLimits(tier);
+  const tierLimits = getTierLimits(tier);
+  const usage = loadUsage();
+  const tierBadge = tier === "enterprise" ? chalk5.bgMagenta.white.bold(" ENTERPRISE ") : tier === "pro" ? chalk5.bgBlue.white.bold(" PRO ") : chalk5.bgGray.white.bold(" FREE ");
+  const lines = [];
+  lines.push("");
+  lines.push(`${chalk5.cyan("Pretest")} ${chalk5.gray(`v${getCliSemver()}`)}  ${tierBadge}  ${chalk5.yellow("(offline)")}`);
+  lines.push("");
+  lines.push(`  Plan:        ${chalk5.bold(PLAN_LABEL[tier])} ${chalk5.gray("(" + planLimits.pricePerMonth + ")")}`);
+  lines.push(`  Mutations:   ${fmt2(usage.mutations)} / ${fmt2(planLimits.monthlyMutations)} this month`);
+  lines.push(`  Scans:       0 / ${fmt2(planLimits.monthlyScans)} this month`);
+  lines.push(`  Seats:       1 / ${fmt2(planLimits.seats)}`);
+  lines.push(`  Audit log:   ${Number.isFinite(tierLimits.auditRetentionDays) ? `${tierLimits.auditRetentionDays} days` : "unlimited"}`);
+  lines.push("");
+  if (tier === "free") {
+    lines.push(`  ${chalk5.gray("Upgrade:")}  ${chalk5.bold("pretest upgrade")}`);
+    lines.push(`  ${chalk5.gray("Credits:")}  ${chalk5.bold("pretest credits")}`);
+    lines.push("");
+  }
+  process.stdout.write(lines.join("\n") + "\n");
+}
+// src/commands/upgrade.ts
+import chalk6 from "chalk";
+var PRICING_URL = PUBLISH_PACKAGE_URL;
+function runUpgrade() {
+  const tier = detectTier();
+  const lines = [];
+  lines.push("");
+  lines.push(chalk6.cyan.bold("  Pretest Plans"));
+  lines.push("");
+  lines.push(chalk6.gray("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+  lines.push(chalk6.gray("  \u2502              \u2502   Free   \u2502    Pro   \u2502  Enterprise \u2502"));
+  lines.push(chalk6.gray("  \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524"));
+  lines.push(`  \u2502 Price/seat   \u2502 ${chalk6.bold("$0")}      \u2502 ${chalk6.bold("$29")}     \u2502 ${chalk6.bold("$99")}         \u2502`);
+  lines.push("  \u2502 Mutations/mo \u2502 1,000    \u2502 100,000  \u2502 unlimited   \u2502");
+  lines.push("  \u2502 Scans/mo     \u2502 5,000    \u2502 500,000  \u2502 unlimited   \u2502");
+  lines.push("  \u2502 Seats        \u2502 3        \u2502 25       \u2502 unlimited   \u2502");
+  lines.push("  \u2502 Audit log    \u2502 30 days  \u2502 90 days  \u2502 unlimited   \u2502");
+  lines.push("  \u2502 SSO/SAML     \u2502   -      \u2502   -      \u2502     yes     \u2502");
+  lines.push("  \u2502 On-prem      \u2502   -      \u2502   -      \u2502     yes     \u2502");
+  lines.push("  \u2502 SLA          \u2502   -      \u2502   -      \u2502   24/7      \u2502");
+  lines.push(chalk6.gray("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+  lines.push("");
+  lines.push(`  ${chalk6.gray("Current plan:")} ${chalk6.bold(tier.toUpperCase())}`);
+  lines.push(`  ${chalk6.gray("Upgrade at:")}    ${chalk6.cyan.underline(PRICING_URL)}`);
+  lines.push("");
+  lines.push(chalk6.gray("  After purchase, set:"));
+  lines.push(chalk6.gray("    export PRETEST_LICENSE_KEY=pre_pro_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"));
+  lines.push("");
+  process.stdout.write(lines.join("\n") + "\n");
+}
+// src/commands/credits.ts
+import chalk7 from "chalk";
+var PLAN_LABEL2 = {
+  free: "Free",
+  pro: "Pro",
+  enterprise: "Enterprise"
+};
+function fmt3(n) {
+  if (n === -1 || !Number.isFinite(n)) return "unlimited";
+  return n.toLocaleString("en-US");
+}
+function progressBar(used, cap, width = 24) {
+  if (cap === -1 || !Number.isFinite(cap) || cap <= 0) return chalk7.green("[" + "=".repeat(width) + "]");
+  const pct = Math.min(1, used / cap);
+  const filled = Math.round(pct * width);
+  const bar = "=".repeat(filled) + "-".repeat(width - filled);
+  const colored = pct >= 0.8 ? chalk7.yellow(bar) : pct >= 1 ? chalk7.red(bar) : chalk7.green(bar);
+  return "[" + colored + "]";
+}
+async function runCredits() {
+  let remote = await fetchUsageSummary();
+  if (!remote) {
+    const v = await validateKey({ force: true });
+    if (v?.valid) {
+      remote = usageSummaryFromValidate(v);
+    }
+  }
+  if (remote) {
+    const used2 = remote.mutationsUsed;
+    const cap2 = remote.monthlyMutationLimit;
+    const remaining2 = remote.mutationsRemaining;
+    const pct2 = cap2 > 0 && cap2 !== -1 ? Math.round(used2 / cap2 * 100) : 0;
+    const lines2 = [];
+    lines2.push("");
+    lines2.push(chalk7.cyan.bold("  Pretest Credits") + "  " + chalk7.green("(synced)"));
+    lines2.push("");
+    lines2.push(`  Plan:        ${chalk7.bold(remote.plan)}`);
+    lines2.push(`  Resets:      ${new Date(remote.periodResetsAt).toLocaleDateString()}`);
+    lines2.push("");
+    lines2.push(`  Mutations:   ${progressBar(used2, cap2)}  ${fmt3(used2)} / ${fmt3(cap2)}`);
+    lines2.push(`  Used:        ${pct2}%`);
+    lines2.push(`  Remaining:   ${fmt3(remaining2)}`);
+    lines2.push("");
+    if (remote.plan === "FREE" && cap2 !== -1 && used2 >= cap2 * 0.8) {
+      lines2.push(chalk7.yellow("  Warning: Approaching free-tier limit. Run 'pretest upgrade' for unlimited."));
+      lines2.push("");
+    } else if (remote.plan === "FREE") {
+      lines2.push(chalk7.gray("  Tip: Run 'pretest upgrade' to compare plans."));
+      lines2.push("");
+    }
+    process.stdout.write(lines2.join("\n") + "\n");
+    return;
+  }
+  const tier = detectTier();
+  const limits = getPlanLimits(tier);
+  const usage = loadUsage();
+  const used = usage.mutations;
+  const cap = limits.monthlyMutations;
+  const remaining = Number.isFinite(cap) ? Math.max(0, cap - used) : Number.POSITIVE_INFINITY;
+  const pct = Number.isFinite(cap) && cap > 0 ? Math.round(used / cap * 100) : 0;
+  const lines = [];
+  lines.push("");
+  lines.push(chalk7.cyan.bold("  Pretest Credits") + "  " + chalk7.yellow("(offline)"));
+  lines.push("");
+  lines.push(`  Plan:        ${chalk7.bold(PLAN_LABEL2[tier])}`);
+  lines.push(`  Month:       ${usage.month}`);
+  lines.push("");
+  lines.push(`  Mutations:   ${progressBar(used, cap)}  ${fmt3(used)} / ${fmt3(cap)}`);
+  lines.push(`  Used:        ${pct}%`);
+  lines.push(`  Remaining:   ${fmt3(remaining)}`);
+  lines.push("");
+  if (tier === "free" && Number.isFinite(cap) && used >= cap * 0.8) {
+    lines.push(chalk7.yellow("  Warning: Approaching free-tier limit. Run 'pretest upgrade' for unlimited."));
+    lines.push("");
+  } else if (tier === "free") {
+    lines.push(chalk7.gray("  Tip: Run 'pretest upgrade' to compare plans."));
+    lines.push("");
+  }
+  process.stdout.write(lines.join("\n") + "\n");
+}
+// src/commands/logout.ts
+import readline2 from "readline/promises";
+import chalk8 from "chalk";
+async function runLogout(opts = {}) {
+  if (!loadApiKey()) {
+    console.log(chalk8.gray("No saved dashboard API key in ~/.pretest/config.json."));
+    console.log(
+      chalk8.gray("If you use PRETEST_API_KEY in your shell, run unset PRETEST_API_KEY.")
+    );
+    return 0;
+  }
+  if (!opts.assumeYes) {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      console.error(chalk8.red("Error: confirmation requires an interactive terminal."));
+      console.error(chalk8.gray("Run `pretest logout --yes` to skip the prompt."));
+      return 1;
+    }
+    const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+    try {
+      const raw = await rl.question(
+        chalk8.bold("Log out and remove your saved API key? Type y for yes, n for no: ")
+      );
+      const answer = raw.trim().toLowerCase();
+      if (answer !== "y" && answer !== "yes") {
+        console.log(chalk8.yellow("Logout cancelled."));
+        return 0;
+      }
+    } finally {
+      rl.close();
+    }
+  }
+  const hadEnvDashboardKey = hasDashboardApiKeyInEnv();
+  const { removed, path } = removeSavedDashboardCredentials();
+  clearValidationCache();
+  clearDashboardApiKeyFromProcess();
+  if (removed) {
+    console.log(chalk8.green("Logged out. Removed saved API key from"), chalk8.bold(path));
+    console.log(
+      chalk8.gray("Other terminals: run unset PRETEST_API_KEY if that variable is still exported (e.g. in ~/.zshrc).")
+    );
+    if (hadEnvDashboardKey) {
+      console.log(
+        chalk8.yellow(
+          "This shell had a dashboard key in the environment; it was cleared for this process only. Restart any running pretest proxy (Ctrl+C, then pretest start)."
+        )
+      );
+    }
+  }
+  return 0;
+}
+// src/index.ts
+{
+  const major = parseInt(process.versions.node.split(".")[0], 10);
+  if (Number.isNaN(major) || major < 18) {
+    process.stderr.write(
+      `pretest requires Node.js 18 or newer (you have v${process.versions.node}).
+`
+    );
+    process.stderr.write(`Upgrade via nvm: nvm install 20 && nvm use 20
+`);
+    process.exit(1);
+  }
+}
+var VERSION = getCliSemver();
+var SCAN_CONCURRENCY = Math.max(2, os.cpus().length);
+var PROGRESS_INTERVAL_MS = 500;
+var SUPPORTED_LANGUAGES = ["typescript", "javascript", "python", "go", "java", "csharp", "ruby", "rust"];
+var SUPPORTED_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py", ".go", ".java", ".cs", ".rb", ".rs"]);
+var SUPPORTED_CONFIG_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".env",
+  ".cfg",
+  ".ini",
+  ".tf",
+  ".tfstate",
+  ".tfvars",
+  ".hcl",
+  ".properties",
+  ".conf",
+  ".xml",
+  ".plist",
+  ".pem",
+  ".key",
+  ".crt",
+  ".pub",
+  ".pfx",
+  ".p12",
+  ".htpasswd"
+]);
+var SUPPORTED_FILENAMES = /* @__PURE__ */ new Set([
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development",
+  ".env.staging",
+  ".env.test",
+  ".npmrc",
+  ".netrc",
+  ".pypirc",
+  "Dockerfile",
+  "docker-compose.yml",
+  "docker-compose.yaml"
+]);
+function isScannableFile(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  return SUPPORTED_EXTENSIONS.has(ext) || SUPPORTED_CONFIG_EXTENSIONS.has(ext) || SUPPORTED_FILENAMES.has(basename(filePath));
+}
+function isSourceCodeFile(filePath) {
+  return SUPPORTED_EXTENSIONS.has(extname(filePath).toLowerCase());
+}
+function langFromExt(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  const map = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".mjs": "javascript",
+    ".cjs": "javascript",
+    ".py": "python",
+    ".go": "go",
+    ".java": "java",
+    ".cs": "csharp",
+    ".rb": "ruby",
+    ".rs": "rust"
+  };
+  return map[ext] ?? "typescript";
+}
+function validatePort(value) {
+  const port = parseInt(value, 10);
+  if (isNaN(port) || port.toString() !== value.trim()) return null;
+  if (port < 1 || port > 65535) return null;
+  return port;
+}
+function isBinaryFile(filePath) {
+  let fd;
+  try {
+    fd = openSync(filePath, "r");
+    const buf = Buffer.alloc(8192);
+    const bytesRead = readSync2(fd, buf, 0, 8192, 0);
+    for (let i = 0; i < bytesRead; i++) {
+      if (buf[i] === 0) return true;
+    }
+    return false;
+  } catch {
+    return false;
+  } finally {
+    if (fd !== void 0) closeSync(fd);
+  }
+}
+async function isBinaryFileAsync(filePath) {
+  let handle;
+  try {
+    handle = await fsOpen(filePath, "r");
+    const buf = Buffer.alloc(8192);
+    const { bytesRead } = await handle.read(buf, 0, 8192, 0);
+    for (let i = 0; i < bytesRead; i++) {
+      if (buf[i] === 0) return true;
+    }
+    return false;
+  } catch {
+    return false;
+  } finally {
+    if (handle) await handle.close().catch(() => {
+    });
+  }
+}
+function validateLanguage(lang) {
+  const normalized = lang.toLowerCase();
+  const aliases = {
+    ts: "typescript",
+    tsx: "typescript",
+    js: "javascript",
+    jsx: "javascript",
+    py: "python",
+    cs: "csharp",
+    rb: "ruby",
+    rs: "rust"
+  };
+  const resolved = aliases[normalized] ?? normalized;
+  return SUPPORTED_LANGUAGES.includes(resolved) ? resolved : null;
+}
+function collectFiles(target) {
+  const abs = resolve2(target);
+  if (!existsSync8(abs)) {
+    return [];
+  }
+  const stat = statSync(abs);
+  if (stat.isFile()) return [abs];
+  const files = [];
+  function walk(dir) {
+    let entries;
+    try {
+      entries = readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    const skipDirs = /* @__PURE__ */ new Set([
+      "node_modules",
+      ".git",
+      "dist",
+      "build",
+      ".pretest",
+      ".pretense",
+      ".next",
+      "__pycache__",
+      ".Trash"
+    ]);
+    for (const entry of entries) {
+      const fullPath = join6(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (skipDirs.has(entry.name)) continue;
+        walk(fullPath);
+      } else if (entry.isFile() && isScannableFile(entry.name)) {
+        files.push(fullPath);
+      }
+    }
+  }
+  walk(abs);
+  return files;
+}
+var program = new Command();
+program.name("pretest").description("AI firewall CLI \u2014 mutates proprietary code before LLM API calls").version(VERSION).hook("preAction", () => {
+  printBanner();
+});
+program.command("init").description("Initialize .pretest/ config in current directory").option("-d, --dir <path>", "Target directory", process.cwd()).action((opts) => {
+  const dir = resolve2(opts.dir);
+  console.log(chalk9.cyan("Initializing Pretest in"), chalk9.bold(dir));
+  const configDir = initConfig(dir);
+  const files = collectFiles(dir);
+  const langCounts = {};
+  for (const f of files) {
+    const lang = langFromExt(f);
+    langCounts[lang] = (langCounts[lang] ?? 0) + 1;
+  }
+  console.log(chalk9.green("\n  .pretest/ created at"), chalk9.bold(configDir));
+  console.log(chalk9.gray(`
+  Scanned ${files.length} source files:`));
+  for (const [lang, count] of Object.entries(langCounts)) {
+    console.log(chalk9.gray(`    ${lang}: ${count} files`));
+  }
+  console.log(chalk9.cyan("\n  Next: run"), chalk9.bold("pretest start"), chalk9.cyan("to launch the proxy"));
+  console.log();
+});
+program.command("start").description("Start the Pretest proxy server").option("-p, --port <number>", "Port number", "9339").option("-v, --verbose", "Enable verbose logging", false).action(async (opts) => {
+  const config = loadConfig();
+  const port = validatePort(opts.port);
+  if (port === null) {
+    console.error(chalk9.red("Error: Invalid port number:"), chalk9.bold(opts.port));
+    console.error(chalk9.gray("Port must be an integer between 1 and 65535."));
+    process.exit(1);
+  }
+  await ensureDashboardKeyForStart();
+  logDashboardCredentialHint();
+  startProxy({ config, port, verbose: opts.verbose });
+});
+async function scanOneFile(file, opts) {
+  let size = 0;
+  try {
+    const st = await fsStat(file);
+    size = st.size;
+    if (st.size > opts.maxFileSize) {
+      return { file, identifiers: 0, secrets: 0, secretTypes: [], skipped: "too-large", sizeBytes: size };
+    }
+  } catch {
+    return { file, identifiers: 0, secrets: 0, secretTypes: [], skipped: "read-error" };
+  }
+  if (!isSourceCodeFile(file)) {
+    try {
+      if (await isBinaryFileAsync(file)) {
+        return { file, identifiers: 0, secrets: 0, secretTypes: [], skipped: "binary", sizeBytes: size };
+      }
+    } catch {
+    }
+  }
+  let code;
+  try {
+    code = await readFile(file, "utf-8");
+  } catch {
+    return { file, identifiers: 0, secrets: 0, secretTypes: [], skipped: "read-error", sizeBytes: size };
+  }
+  const lang = langFromExt(file);
+  let identifiers = 0;
+  if (!opts.secretsOnly && isSourceCodeFile(file)) {
+    try {
+      const scanResult = scan(code, lang);
+      identifiers = scanResult.tokens.length;
+    } catch {
+    }
+  }
+  let blocked = [];
+  try {
+    const secretResult = scan2(code);
+    blocked = secretResult.matches.filter((m) => m.action === "block" || m.action === "redact");
+  } catch {
+  }
+  return {
+    file,
+    identifiers,
+    secrets: blocked.length,
+    secretTypes: blocked.map((m) => m.type),
+    sizeBytes: size
+  };
+}
+async function scanFilesParallel(files, opts) {
+  const results = [];
+  let cursor = 0;
+  let done = 0;
+  let lastPrint = 0;
+  let interrupted = false;
+  const stopHandler = () => {
+    interrupted = true;
+  };
+  process.on("SIGINT", stopHandler);
+  process.on("SIGTERM", stopHandler);
+  const isTTY = process.stderr.isTTY === true;
+  const printProgress = (force = false) => {
+    if (opts.quiet) return;
+    const now = Date.now();
+    if (!force && now - lastPrint < PROGRESS_INTERVAL_MS) return;
+    lastPrint = now;
+    const found = results.reduce((acc, r) => acc + r.secrets, 0);
+    const msg = `Scanning ${done}/${files.length} files (${found} secrets so far)...`;
+    if (isTTY) {
+      process.stderr.write(`\r\x1B[K${msg}`);
+    } else {
+      process.stderr.write(`${msg}
+`);
+    }
+  };
+  async function worker() {
+    while (!interrupted) {
+      const i = cursor++;
+      if (i >= files.length) return;
+      const file = files[i];
+      const row = await scanOneFile(file, { secretsOnly: opts.secretsOnly, maxFileSize: opts.maxFileSize });
+      if (row) results.push(row);
+      done++;
+      printProgress();
+    }
+  }
+  printProgress(true);
+  const workers = Array.from({ length: Math.min(opts.concurrency, files.length || 1) }, () => worker());
+  await Promise.all(workers);
+  process.removeListener("SIGINT", stopHandler);
+  process.removeListener("SIGTERM", stopHandler);
+  if (!opts.quiet && isTTY) {
+    process.stderr.write(`\r\x1B[K`);
+  }
+  return { results, interrupted };
+}
+function parseSizeOption(value) {
+  const trimmed = value.trim().toLowerCase();
+  const m = /^(\d+(?:\.\d+)?)\s*(b|k|kb|m|mb|g|gb)?$/.exec(trimmed);
+  if (!m) return null;
+  const n = parseFloat(m[1]);
+  if (!isFinite(n) || n <= 0) return null;
+  const unit = m[2] ?? "b";
+  const mult = unit.startsWith("g") ? 1024 ** 3 : unit.startsWith("m") ? 1024 ** 2 : unit.startsWith("k") ? 1024 : 1;
+  return Math.floor(n * mult);
+}
+program.command("scan <target>").description("Scan file or directory for identifiers and secrets (no mutation)").option("--secrets-only", "Only scan for secrets/credentials", false).option("--json", "Output as JSON", false).option("--max-file-size <size>", "Skip files larger than this (e.g. 10mb, 500k)", "10mb").option("--concurrency <n>", "Max files scanned in parallel", String(SCAN_CONCURRENCY)).option("--quiet", "Suppress progress output", false).action(async (target, opts) => {
+  const absTarget = resolve2(target);
+  if (!existsSync8(absTarget)) {
+    console.error(chalk9.red("Error: Path not found:"), chalk9.bold(absTarget));
+    process.exit(1);
+  }
+  const maxFileSize = parseSizeOption(opts.maxFileSize);
+  if (maxFileSize === null) {
+    console.error(chalk9.red("Error: Invalid --max-file-size value:"), chalk9.bold(opts.maxFileSize));
+    console.error(chalk9.gray("Use bytes or a unit suffix, e.g. 10mb, 500k, 1048576"));
+    process.exit(1);
+  }
+  const concurrency = Math.max(1, parseInt(opts.concurrency, 10) || SCAN_CONCURRENCY);
+  if (!opts.quiet && !opts.json) {
+    process.stderr.write(chalk9.gray(`Discovering files in ${absTarget}...
+`));
+  }
+  const files = collectFiles(target);
+  if (files.length === 0) {
+    console.error(chalk9.red("Error: No source files found at"), chalk9.bold(absTarget));
+    console.error(chalk9.gray("Supported extensions: " + [...SUPPORTED_EXTENSIONS].join(", ")));
+    process.exit(1);
+  }
+  if (!opts.quiet && !opts.json) {
+    process.stderr.write(chalk9.gray(`Found ${files.length} candidate files. Scanning with concurrency=${concurrency}...
+`));
+  }
+  const startedAt = Date.now();
+  const { results: allResults, interrupted } = await scanFilesParallel(files, {
+    secretsOnly: opts.secretsOnly,
+    maxFileSize,
+    quiet: opts.quiet || opts.json,
+    concurrency
+  });
+  const elapsedMs = Date.now() - startedAt;
+  const totalIdentifiers = allResults.reduce((acc, r) => acc + r.identifiers, 0);
+  const totalSecrets = allResults.reduce((acc, r) => acc + r.secrets, 0);
+  const skippedLarge = allResults.filter((r) => r.skipped === "too-large").length;
+  const skippedBinary = allResults.filter((r) => r.skipped === "binary").length;
+  if (opts.json) {
+    console.log(JSON.stringify({
+      files: allResults,
+      totalIdentifiers,
+      totalSecrets,
+      skippedLarge,
+      skippedBinary,
+      elapsedMs,
+      interrupted
+    }, null, 2));
+  } else {
+    console.log(chalk9.cyan("\nPretest Scan Results\n"));
+    for (const r of allResults) {
+      if (r.skipped) {
+        if (r.skipped === "too-large") {
+          const mb = ((r.sizeBytes ?? 0) / 1024 / 1024).toFixed(1);
+          console.log(chalk9.gray(`  ${r.file} \u2014 skipped (${mb} MB > limit)`));
+        }
+        continue;
+      }
+      const secretBadge = r.secrets > 0 ? chalk9.red(` [${r.secrets} SECRET${r.secrets > 1 ? "S" : ""}]`) : "";
+      const showRow = r.secrets > 0 || !opts.secretsOnly && r.identifiers > 0;
+      if (!showRow) continue;
+      console.log(
+        chalk9.gray("  ") + chalk9.white(r.file) + chalk9.gray(` \u2014 ${r.identifiers} identifiers`) + secretBadge
+      );
+      if (r.secrets > 0) {
+        for (const t of r.secretTypes) {
+          console.log(chalk9.red(`    ! ${t}`));
+        }
+      }
+    }
+    const skipNote = skippedLarge + skippedBinary > 0 ? chalk9.gray(` (skipped ${skippedLarge} large, ${skippedBinary} binary)`) : "";
+    console.log(
+      chalk9.gray(`
+  Total: ${allResults.length} files in ${(elapsedMs / 1e3).toFixed(2)}s, ${totalIdentifiers} identifiers, `) + (totalSecrets > 0 ? chalk9.red(`${totalSecrets} secrets found`) : chalk9.green("0 secrets")) + skipNote
+    );
+    if (interrupted) {
+      console.log(chalk9.yellow("\n  Interrupted \u2014 partial results shown above."));
+    }
+    console.log();
+  }
+  if (!opts.json) {
+    printTokenFooter(allResults.length, totalIdentifiers);
+  }
+  if (interrupted) {
+    process.exit(130);
+  }
+  if (totalSecrets > 0) {
+    process.exit(2);
+  }
+});
+program.command("mutate <file>").description("Mutate identifiers for stdout (scanner redacts secrets/PII in the source first)").option("-s, --seed <seed>", "Mutation seed", "pretest").option("-l, --language <lang>", "Source language (typescript, javascript, python, go, java, csharp, ruby, rust)").option("--save", "Save mutation map to .pretest/", false).option("--json", "Output as JSON (includes map + stats)", false).action((file, opts) => {
+  const absPath = resolve2(file);
+  if (!existsSync8(absPath)) {
+    console.error(chalk9.red("Error: File not found:"), chalk9.bold(absPath));
+    process.exit(1);
+  }
+  if (opts.language) {
+    const validLang = validateLanguage(opts.language);
+    if (!validLang) {
+      console.error(chalk9.red("Error: Unsupported language:"), chalk9.bold(opts.language));
+      console.error(chalk9.gray("Supported languages: " + SUPPORTED_LANGUAGES.join(", ")));
+      process.exit(1);
+    }
+  }
+  if (!SUPPORTED_EXTENSIONS.has(extname(absPath).toLowerCase()) && isBinaryFile(absPath)) {
+    console.error(chalk9.red("Error: Not a supported source file:"), chalk9.bold(absPath));
+    console.error(chalk9.gray("Supported extensions: " + [...SUPPORTED_EXTENSIONS].join(", ")));
+    process.exit(1);
+  }
+  const code = readFileSync7(absPath, "utf-8");
+  const lang = opts.language ? validateLanguage(opts.language) : langFromExt(absPath);
+  const secretScan = scan2(code);
+  const effectiveSeed = effectiveSeedForMutation(opts.seed);
+  const { redactedCode: redacted, secretsMap } = applyRedactionsTracked(code, secretScan.matches, effectiveSeed);
+  const secretsRedacted = secretsMap.size;
+  const result = mutate(redacted, lang, opts.seed);
+  if (opts.save) {
+    const configDir = getConfigDir();
+    const store = new MutationStore(join6(configDir, "mutation-map.json"));
+    store.load();
+    store.save({
+      id: absPath,
+      originalHash: absPath,
+      mapEntries: MutationStore.fromMap(result.map),
+      secretsMapEntries: [...secretsMap.entries()],
+      timestamp: Date.now(),
+      language: lang
+    });
+    store.persist();
+    process.stderr.write(chalk9.gray(`Mutation map saved to ${configDir}/mutation-map.json
+`));
+  }
+  if (opts.json) {
+    console.log(JSON.stringify({
+      mutatedCode: result.mutatedCode,
+      map: Object.fromEntries(result.map),
+      stats: result.stats,
+      secretsRedacted,
+      secretsMap: Object.fromEntries(secretsMap)
+    }, null, 2));
+  } else {
+    process.stdout.write(result.mutatedCode);
+    if (secretsRedacted > 0) {
+      process.stderr.write(
+        chalk9.gray(`--- ${secretsRedacted} secret/PII span(s) redacted before identifier mutation ---
+`)
+      );
+    }
+    process.stderr.write(chalk9.gray(`
+--- ${result.stats.tokensMutated} identifiers mutated in ${result.stats.durationMs}ms ---
+`));
+    printTokenFooter(1, result.stats.tokensMutated);
+  }
+});
+program.command("reverse <file>").description("Reverse mutations using stored map").option("-m, --map <path>", "Path to mutation map JSON file").action((file, opts) => {
+  const absPath = resolve2(file);
+  if (!existsSync8(absPath)) {
+    console.error(chalk9.red("Error: File not found:"), chalk9.bold(absPath));
+    process.exit(1);
+  }
+  const mutatedCode = readFileSync7(absPath, "utf-8");
+  const mapPath = opts.map ? resolve2(opts.map) : join6(getConfigDir(), "mutation-map.json");
+  if (!existsSync8(mapPath)) {
+    console.error(chalk9.red("Error: Mutation map not found:"), chalk9.bold(mapPath));
+    console.error(chalk9.gray("Run 'pretest mutate --save' first, or specify --map <path>"));
+    process.exit(1);
+  }
+  let store;
+  try {
+    store = new MutationStore(mapPath);
+    store.load();
+  } catch {
+    console.error(chalk9.red("Error: Failed to load mutation map:"), chalk9.bold(mapPath));
+    console.error(chalk9.gray("The file may be corrupted. Run 'pretest mutate --save' to regenerate."));
+    process.exit(1);
+  }
+  const entry = store.get(absPath) ?? store.getByHash(absPath) ?? store.list(1)[0];
+  if (!entry) {
+    console.error(chalk9.red("Error: No mutation map entries found."));
+    console.error(chalk9.gray("Run 'pretest mutate --save <file>' first to generate a map."));
+    process.exit(1);
+  }
+  const map = MutationStore.toMap(entry);
+  const secretsMap = entry.secretsMapEntries ? new Map(entry.secretsMapEntries) : void 0;
+  const restored = reverse(mutatedCode, map, secretsMap);
+  process.stdout.write(restored);
+  const secretsCount = secretsMap?.size ?? 0;
+  const secretsSuffix = secretsCount > 0 ? ` + ${secretsCount} secret(s)` : "";
+  process.stderr.write(chalk9.gray(`
+--- Reversed ${map.size} mutations${secretsSuffix} ---
+`));
+});
+program.command("audit").description("View the audit log").option("--json", "Output as JSON", false).option("--csv", "Output as CSV", false).option("-l, --limit <number>", "Limit entries", "50").action((opts) => {
+  const format = opts.json ? "json" : opts.csv ? "csv" : "text";
+  const limit = parseInt(opts.limit) || 50;
+  const entries = readAuditLog({ limit, format });
+  const output = formatAudit(entries, format);
+  console.log(output);
+});
+program.command("version").description("Print Pretest CLI version").action(() => {
+  console.log(`@blockyfy/stg-cli v${VERSION}`);
+});
+program.command("status").description("Show current plan, monthly quota, seat usage").action(async () => {
+  await runStatus();
+});
+program.command("usage").description("Alias for `pretest status` \u2014 show monthly quota usage").action(async () => {
+  await runStatus();
+});
+program.command("tokens").description("Alias for `pretest credits` \u2014 show remaining mutation budget").action(async () => {
+  await runCredits();
+});
+program.command("upgrade").description("Compare plans and upgrade to Pro or Enterprise").action(() => {
+  runUpgrade();
+});
+program.command("credits").description("Show remaining mutation/scan budget for the current month").action(async () => {
+  await runCredits();
+});
+program.command("login").description("Save a dashboard API key to ~/.pretest/config.json for future CLI runs").option("-k, --key <key>", "API key (prtns_live_... or pk_live_...). If omitted, read from $PRETEST_API_KEY or stdin.").action((opts) => {
+  const code = runLogin({ key: opts.key });
+  if (code !== 0) process.exit(code);
+});
+program.command("logout").description("Remove the saved dashboard API key from ~/.pretest/config.json").option("-y, --yes", "Skip confirmation prompt", false).action(async (opts) => {
+  const code = await runLogout({ assumeYes: opts.yes === true });
+  if (code !== 0) process.exit(code);
+});
+function handleFatalError(err) {
+  if (err instanceof Error && err.message) {
+    console.error(chalk9.red("Error:"), err.message);
+  } else {
+    console.error(chalk9.red("An unexpected error occurred."));
+  }
+  process.exit(1);
+}
+process.on("uncaughtException", handleFatalError);
+process.on("unhandledRejection", handleFatalError);
+program.showSuggestionAfterError(true).showHelpAfterError("(use --help for available commands)");
+program.parse();
+//# sourceMappingURL=index.js.map