pinata-security-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1622 @@
+import { z } from 'zod';
+import fs from 'fs/promises';
+import path, { dirname } from 'path';
+import YAML from 'yaml';
+import chalk from 'chalk';
+import { fileURLToPath } from 'url';
+import 'web-tree-sitter';
+import 'minimatch';
+
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var RiskDomainSchema = z.enum([
+  "security",
+  "data",
+  "concurrency",
+  "input",
+  "resource",
+  "reliability",
+  "performance",
+  "platform",
+  "business",
+  "compliance"
+]);
+var TestLevelSchema = z.enum([
+  "unit",
+  "integration",
+  "system",
+  "chaos"
+]);
+var PrioritySchema = z.enum(["P0", "P1", "P2"]);
+var SeveritySchema = z.enum(["critical", "high", "medium", "low"]);
+var ConfidenceSchema = z.enum(["high", "medium", "low"]);
+var LanguageSchema = z.enum([
+  "python",
+  "typescript",
+  "javascript",
+  "go",
+  "java",
+  "rust"
+]);
+var ID_PATTERN = /^[a-z][a-z0-9-]*$/;
+var CategoryBaseSchema = z.object({
+  id: z.string().regex(ID_PATTERN, "ID must start with lowercase letter and contain only lowercase letters, numbers, and hyphens"),
+  version: z.number().int().positive(),
+  name: z.string().min(1, "Name is required").max(100, "Name too long"),
+  description: z.string().min(10, "Description must be at least 10 characters").max(2e3, "Description too long"),
+  domain: RiskDomainSchema,
+  level: TestLevelSchema,
+  priority: PrioritySchema,
+  severity: SeveritySchema,
+  applicableLanguages: z.array(LanguageSchema).min(1, "At least one language required"),
+  cves: z.array(z.string()).optional(),
+  references: z.array(z.string().url("Invalid URL")).optional(),
+  createdAt: z.coerce.date(),
+  updatedAt: z.coerce.date()
+});
+var RISK_DOMAINS = RiskDomainSchema.options;
+var TEST_LEVELS = TestLevelSchema.options;
+var LANGUAGES = LanguageSchema.options;
+var ID_PATTERN2 = /^[a-z][a-z0-9-]*$/;
+var ExampleSchema = z.object({
+  /** Unique identifier for this example */
+  name: z.string().regex(ID_PATTERN2, "Name must start with lowercase letter and contain only lowercase letters, numbers, and hyphens"),
+  /** Explanation of the vulnerability/edge case concept */
+  concept: z.string().min(20, "Concept must be at least 20 characters"),
+  /** Example of vulnerable or problematic code */
+  vulnerableCode: z.string().min(10, "Vulnerable code must be at least 10 characters"),
+  /** Example test code that catches this vulnerability */
+  testCode: z.string().min(50, "Test code must be at least 50 characters"),
+  /** Programming language of the example */
+  language: LanguageSchema,
+  /** Severity if this vulnerability is exploited */
+  severity: SeveritySchema,
+  /** Optional related CVE identifier */
+  cve: z.string().optional(),
+  /** Optional link to more information */
+  reference: z.string().url().optional()
+});
+var PatternTypeSchema = z.enum(["ast", "regex", "semantic"]);
+var ID_PATTERN3 = /^[a-z][a-z0-9-]*$/;
+var DetectionPatternSchema = z.object({
+  /** Unique identifier for this pattern */
+  id: z.string().regex(ID_PATTERN3, "ID must start with lowercase letter and contain only lowercase letters, numbers, and hyphens"),
+  /** Type of pattern matching to use */
+  type: PatternTypeSchema,
+  /** Target programming language */
+  language: LanguageSchema,
+  /** The pattern string (AST query, regex, or semantic description) */
+  pattern: z.string().min(1, "Pattern is required"),
+  /** How confident we are when this pattern matches */
+  confidence: ConfidenceSchema,
+  /** Human-readable description of what this pattern detects */
+  description: z.string().min(10, "Description must be at least 10 characters"),
+  /** Optional pattern that indicates code is NOT vulnerable (false positive filter) */
+  negativePattern: z.string().optional(),
+  /** Optional list of framework contexts where this pattern applies */
+  frameworks: z.array(z.string()).optional()
+});
+z.object({
+  /** ID of the pattern that matched */
+  patternId: z.string(),
+  /** Category this detection belongs to */
+  categoryId: z.string(),
+  /** File path where detection occurred */
+  filePath: z.string(),
+  /** Starting line number (1-indexed) */
+  lineStart: z.number().int().positive(),
+  /** Ending line number (1-indexed) */
+  lineEnd: z.number().int().positive(),
+  /** Code snippet that matched */
+  codeSnippet: z.string(),
+  /** Confidence of this specific match */
+  confidence: ConfidenceSchema,
+  /** Optional additional context */
+  context: z.record(z.unknown()).optional()
+});
+var PATTERN_TYPES = PatternTypeSchema.options;
+var TestFrameworkSchema = z.enum([
+  "pytest",
+  "unittest",
+  "jest",
+  "vitest",
+  "mocha",
+  "go-test",
+  "junit"
+]);
+var VariableTypeSchema = z.enum([
+  "string",
+  "number",
+  "boolean",
+  "array",
+  "object"
+]);
+var VARIABLE_NAME_PATTERN = /^[a-z][a-zA-Z0-9_]*$/;
+var TemplateVariableSchema = z.object({
+  /** Variable name (used in template as {{name}}) */
+  name: z.string().regex(VARIABLE_NAME_PATTERN, "Variable name must be camelCase"),
+  /** Type of the variable value */
+  type: VariableTypeSchema,
+  /** Human-readable description */
+  description: z.string().min(1, "Description is required"),
+  /** Whether this variable must be provided */
+  required: z.boolean().default(true),
+  /** Default value if not provided */
+  defaultValue: z.unknown().optional()
+});
+var ID_PATTERN4 = /^[a-z][a-z0-9-]*$/;
+var TestTemplateSchema = z.object({
+  /** Unique identifier for this template */
+  id: z.string().regex(ID_PATTERN4, "ID must start with lowercase letter and contain only lowercase letters, numbers, and hyphens"),
+  /** Target programming language */
+  language: LanguageSchema,
+  /** Target test framework */
+  framework: TestFrameworkSchema,
+  /** Template content with {{variable}} placeholders */
+  template: z.string().min(50, "Template must be at least 50 characters"),
+  /** Variables that can be substituted in the template */
+  variables: z.array(TemplateVariableSchema),
+  /** Required imports for the generated test */
+  imports: z.array(z.string()).optional(),
+  /** Required fixtures or setup code */
+  fixtures: z.array(z.string()).optional(),
+  /** Description of what this template tests */
+  description: z.string().optional()
+});
+var TEST_FRAMEWORKS = TestFrameworkSchema.options;
+
+// src/categories/schema/index.ts
+var CategorySchema = CategoryBaseSchema.extend({
+  detectionPatterns: z.array(DetectionPatternSchema).min(1, "At least one detection pattern required"),
+  testTemplates: z.array(TestTemplateSchema).min(1, "At least one test template required"),
+  examples: z.array(ExampleSchema).min(1, "At least one example required")
+});
+var CategorySummarySchema = CategoryBaseSchema.pick({
+  id: true,
+  name: true,
+  domain: true,
+  level: true,
+  priority: true,
+  severity: true,
+  description: true
+});
+
+// src/lib/errors.ts
+var PinataError = class extends Error {
+  constructor(message, code, context) {
+    super(message);
+    this.code = code;
+    this.context = context;
+    this.name = "PinataError";
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+  /**
+   * Serialize error for logging or API responses
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      context: this.context
+    };
+  }
+};
+var ValidationError = class extends PinataError {
+  constructor(message, context) {
+    super(message, "VALIDATION_ERROR", context);
+    this.name = "ValidationError";
+  }
+};
+var ParseError = class extends PinataError {
+  constructor(message, filePath, line, context) {
+    super(message, "PARSE_ERROR", { ...context, filePath, line });
+    this.filePath = filePath;
+    this.line = line;
+    this.name = "ParseError";
+  }
+};
+var ConfigError = class extends PinataError {
+  constructor(message, context) {
+    super(message, "CONFIG_ERROR", context);
+    this.name = "ConfigError";
+  }
+};
+var AnalysisError = class extends PinataError {
+  constructor(message, context) {
+    super(message, "ANALYSIS_ERROR", context);
+    this.name = "AnalysisError";
+  }
+};
+var GenerationError = class extends PinataError {
+  constructor(message, context) {
+    super(message, "GENERATION_ERROR", context);
+    this.name = "GenerationError";
+  }
+};
+var CategoryNotFoundError = class extends PinataError {
+  constructor(categoryId) {
+    super(`Category not found: ${categoryId}`, "CATEGORY_NOT_FOUND", { categoryId });
+    this.name = "CategoryNotFoundError";
+  }
+};
+var PatternNotFoundError = class extends PinataError {
+  constructor(patternId) {
+    super(`Pattern not found: ${patternId}`, "PATTERN_NOT_FOUND", { patternId });
+    this.name = "PatternNotFoundError";
+  }
+};
+
+// src/lib/result.ts
+function ok(data) {
+  return { success: true, data };
+}
+function err(error) {
+  return { success: false, error };
+}
+function unwrap(result) {
+  if (result.success) {
+    return result.data;
+  }
+  throw result.error;
+}
+function unwrapOr(result, defaultValue) {
+  if (result.success) {
+    return result.data;
+  }
+  return defaultValue;
+}
+function map(result, fn) {
+  if (result.success) {
+    return ok(fn(result.data));
+  }
+  return result;
+}
+function mapErr(result, fn) {
+  if (!result.success) {
+    return err(fn(result.error));
+  }
+  return result;
+}
+function andThen(result, fn) {
+  if (result.success) {
+    return fn(result.data);
+  }
+  return result;
+}
+function all(results) {
+  const values = [];
+  for (const result of results) {
+    if (!result.success) {
+      return result;
+    }
+    values.push(result.data);
+  }
+  return ok(values);
+}
+function tryCatch(fn) {
+  try {
+    return ok(fn());
+  } catch (e) {
+    return err(e instanceof Error ? e : new Error(String(e)));
+  }
+}
+async function tryCatchAsync(fn) {
+  try {
+    return ok(await fn());
+  } catch (e) {
+    return err(e instanceof Error ? e : new Error(String(e)));
+  }
+}
+
+// src/categories/store/category-store.ts
+var CategoryStore = class {
+  /** All loaded categories by ID */
+  categories = /* @__PURE__ */ new Map();
+  /** Index by domain */
+  domainIndex = /* @__PURE__ */ new Map();
+  /** Index by level */
+  levelIndex = /* @__PURE__ */ new Map();
+  /** Index by language */
+  languageIndex = /* @__PURE__ */ new Map();
+  /** Index by priority */
+  priorityIndex = /* @__PURE__ */ new Map();
+  /** Search index: word -> category IDs */
+  searchIndex = /* @__PURE__ */ new Map();
+  /** Version tracking for loaded categories */
+  versions = /* @__PURE__ */ new Map();
+  /**
+   * Get total number of loaded categories
+   */
+  get size() {
+    return this.categories.size;
+  }
+  /**
+   * Load a single category into the store
+   */
+  add(category) {
+    const validation = CategorySchema.safeParse(category);
+    if (!validation.success) {
+      return err(
+        new ValidationError("Invalid category", {
+          categoryId: category.id,
+          issues: validation.error.issues
+        })
+      );
+    }
+    const validated = validation.data;
+    const existing = this.categories.get(validated.id);
+    if (existing !== void 0) {
+      const existingVersion = this.versions.get(validated.id) ?? 0;
+      if (validated.version <= existingVersion) {
+        return err(
+          new ValidationError(`Category ${validated.id} already exists with same or higher version`, {
+            categoryId: validated.id,
+            existingVersion,
+            newVersion: validated.version
+          })
+        );
+      }
+      this.removeFromIndexes(existing);
+    }
+    this.categories.set(validated.id, validated);
+    this.versions.set(validated.id, validated.version);
+    this.addToIndexes(validated);
+    return ok(validated);
+  }
+  /**
+   * Get a category by ID
+   */
+  get(id) {
+    const category = this.categories.get(id);
+    if (category === void 0) {
+      return err(new CategoryNotFoundError(id));
+    }
+    return ok(category);
+  }
+  /**
+   * Check if a category exists
+   */
+  has(id) {
+    return this.categories.has(id);
+  }
+  /**
+   * Remove a category by ID
+   */
+  remove(id) {
+    const category = this.categories.get(id);
+    if (category === void 0) {
+      return err(new CategoryNotFoundError(id));
+    }
+    this.removeFromIndexes(category);
+    this.categories.delete(id);
+    this.versions.delete(id);
+    return ok(category);
+  }
+  /**
+   * List all categories, optionally filtered
+   */
+  list(filter) {
+    let ids;
+    if (filter?.domain !== void 0) {
+      const domainIds = this.domainIndex.get(filter.domain);
+      if (domainIds === void 0) return [];
+      ids = this.intersect(ids, domainIds);
+    }
+    if (filter?.level !== void 0) {
+      const levelIds = this.levelIndex.get(filter.level);
+      if (levelIds === void 0) return [];
+      ids = this.intersect(ids, levelIds);
+    }
+    if (filter?.language !== void 0) {
+      const langIds = this.languageIndex.get(filter.language);
+      if (langIds === void 0) return [];
+      ids = this.intersect(ids, langIds);
+    }
+    if (filter?.priority !== void 0) {
+      const priorityIds = this.priorityIndex.get(filter.priority);
+      if (priorityIds === void 0) return [];
+      ids = this.intersect(ids, priorityIds);
+    }
+    const categories = [];
+    const targetIds = ids ?? this.categories.keys();
+    for (const id of targetIds) {
+      const category = this.categories.get(id);
+      if (category !== void 0) {
+        if (filter?.severity !== void 0 && category.severity !== filter.severity) {
+          continue;
+        }
+        categories.push(this.toSummary(category));
+      }
+    }
+    return categories.sort((a, b) => {
+      const priorityOrder = { P0: 0, P1: 1, P2: 2 };
+      const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+      const priorityDiff = priorityOrder[a.priority] - priorityOrder[b.priority];
+      if (priorityDiff !== 0) return priorityDiff;
+      const severityDiff = severityOrder[a.severity] - severityOrder[b.severity];
+      if (severityDiff !== 0) return severityDiff;
+      return a.name.localeCompare(b.name);
+    });
+  }
+  /**
+   * Get all categories in a specific domain
+   */
+  byDomain(domain) {
+    return this.list({ domain });
+  }
+  /**
+   * Get all categories at a specific test level
+   */
+  byLevel(level) {
+    return this.list({ level });
+  }
+  /**
+   * Get all categories applicable to a language
+   */
+  byLanguage(language) {
+    return this.list({ language });
+  }
+  /**
+   * Full-text search across categories
+   */
+  search(options) {
+    const { query, filter, limit = 20 } = options;
+    const queryTokens = this.tokenize(query.toLowerCase());
+    if (queryTokens.length === 0) {
+      return [];
+    }
+    const scores = /* @__PURE__ */ new Map();
+    for (const token of queryTokens) {
+      const exactMatches = this.searchIndex.get(token);
+      if (exactMatches !== void 0) {
+        for (const id of exactMatches) {
+          const current = scores.get(id) ?? { score: 0, matches: [] };
+          current.score += 10;
+          current.matches.push(token);
+          scores.set(id, current);
+        }
+      }
+      for (const [indexToken, ids] of this.searchIndex) {
+        if (indexToken.startsWith(token) && indexToken !== token) {
+          for (const id of ids) {
+            const current = scores.get(id) ?? { score: 0, matches: [] };
+            current.score += 5;
+            if (!current.matches.includes(token)) {
+              current.matches.push(token);
+            }
+            scores.set(id, current);
+          }
+        }
+      }
+    }
+    const results = [];
+    for (const [id, { score, matches }] of scores) {
+      const category = this.categories.get(id);
+      if (category === void 0) continue;
+      if (filter !== void 0) {
+        if (filter.domain !== void 0 && category.domain !== filter.domain) continue;
+        if (filter.level !== void 0 && category.level !== filter.level) continue;
+        if (filter.priority !== void 0 && category.priority !== filter.priority) continue;
+        if (filter.severity !== void 0 && category.severity !== filter.severity) continue;
+        if (filter.language !== void 0 && !category.applicableLanguages.includes(filter.language)) {
+          continue;
+        }
+      }
+      results.push({
+        category: this.toSummary(category),
+        score,
+        matches: [...new Set(matches)]
+      });
+    }
+    results.sort((a, b) => {
+      if (b.score !== a.score) return b.score - a.score;
+      const priorityOrder = { P0: 0, P1: 1, P2: 2 };
+      return priorityOrder[a.category.priority] - priorityOrder[b.category.priority];
+    });
+    return results.slice(0, limit);
+  }
+  /**
+   * Load categories from a directory of YAML files
+   */
+  async loadFromDirectory(dirPath) {
+    const results = await this.loadYamlFilesRecursive(dirPath);
+    const combined = all(results);
+    if (!combined.success) {
+      return combined;
+    }
+    return ok(combined.data.length);
+  }
+  /**
+   * Load a single category from a YAML file
+   */
+  async loadFromFile(filePath) {
+    const result = await tryCatchAsync(async () => {
+      const content = await fs.readFile(filePath, "utf-8");
+      return YAML.parse(content);
+    });
+    if (!result.success) {
+      return err(
+        new ValidationError(`Failed to read category file: ${filePath}`, {
+          filePath,
+          cause: result.error.message
+        })
+      );
+    }
+    const validation = CategorySchema.safeParse(result.data);
+    if (!validation.success) {
+      return err(
+        new ValidationError(`Invalid category in ${filePath}`, {
+          filePath,
+          issues: validation.error.issues
+        })
+      );
+    }
+    return this.add(validation.data);
+  }
+  /**
+   * Export all categories as an array
+   */
+  toArray() {
+    return Array.from(this.categories.values());
+  }
+  /**
+   * Clear all categories and indexes
+   */
+  clear() {
+    this.categories.clear();
+    this.domainIndex.clear();
+    this.levelIndex.clear();
+    this.languageIndex.clear();
+    this.priorityIndex.clear();
+    this.searchIndex.clear();
+    this.versions.clear();
+  }
+  /**
+   * Get statistics about loaded categories
+   */
+  stats() {
+    const byDomain = {};
+    const byLevel = {};
+    const byPriority = {};
+    for (const [domain, ids] of this.domainIndex) {
+      byDomain[domain] = ids.size;
+    }
+    for (const [level, ids] of this.levelIndex) {
+      byLevel[level] = ids.size;
+    }
+    for (const [priority, ids] of this.priorityIndex) {
+      byPriority[priority] = ids.size;
+    }
+    return {
+      total: this.categories.size,
+      byDomain,
+      byLevel,
+      byPriority
+    };
+  }
+  // ─────────────────────────────────────────────────────────────────────────
+  // Private methods
+  // ─────────────────────────────────────────────────────────────────────────
+  /**
+   * Add category to all indexes
+   */
+  addToIndexes(category) {
+    const id = category.id;
+    this.addToIndex(this.domainIndex, category.domain, id);
+    this.addToIndex(this.levelIndex, category.level, id);
+    for (const lang of category.applicableLanguages) {
+      this.addToIndex(this.languageIndex, lang, id);
+    }
+    this.addToIndex(this.priorityIndex, category.priority, id);
+    this.indexForSearch(category);
+  }
+  /**
+   * Remove category from all indexes
+   */
+  removeFromIndexes(category) {
+    const id = category.id;
+    this.removeFromIndex(this.domainIndex, category.domain, id);
+    this.removeFromIndex(this.levelIndex, category.level, id);
+    for (const lang of category.applicableLanguages) {
+      this.removeFromIndex(this.languageIndex, lang, id);
+    }
+    this.removeFromIndex(this.priorityIndex, category.priority, id);
+    this.removeFromSearchIndex(id);
+  }
+  /**
+   * Add ID to an index map
+   */
+  addToIndex(index, key, id) {
+    let set = index.get(key);
+    if (set === void 0) {
+      set = /* @__PURE__ */ new Set();
+      index.set(key, set);
+    }
+    set.add(id);
+  }
+  /**
+   * Remove ID from an index map
+   */
+  removeFromIndex(index, key, id) {
+    const set = index.get(key);
+    if (set !== void 0) {
+      set.delete(id);
+      if (set.size === 0) {
+        index.delete(key);
+      }
+    }
+  }
+  /**
+   * Index category text for search
+   */
+  indexForSearch(category) {
+    const id = category.id;
+    const textToIndex = [
+      category.id,
+      category.name,
+      category.description,
+      category.domain,
+      category.level,
+      ...category.applicableLanguages,
+      ...category.cves ?? []
+    ].join(" ");
+    const tokens = this.tokenize(textToIndex.toLowerCase());
+    for (const token of tokens) {
+      this.addToIndex(this.searchIndex, token, id);
+    }
+  }
+  /**
+   * Remove category from search index
+   */
+  removeFromSearchIndex(id) {
+    for (const [token, ids] of this.searchIndex) {
+      ids.delete(id);
+      if (ids.size === 0) {
+        this.searchIndex.delete(token);
+      }
+    }
+  }
+  /**
+   * Tokenize text for search indexing
+   */
+  tokenize(text) {
+    return text.split(/[\s\-_.,;:!?'"()\[\]{}]+/).filter((token) => token.length >= 2).map((token) => token.toLowerCase());
+  }
+  /**
+   * Intersect two sets, handling undefined
+   * Returns empty set if either input is empty set (filter found no matches)
+   */
+  intersect(a, b) {
+    if (a === void 0) return b;
+    if (b === void 0) return a;
+    if (b.size === 0) return /* @__PURE__ */ new Set();
+    return new Set([...a].filter((x) => b.has(x)));
+  }
+  /**
+   * Convert full category to summary
+   */
+  toSummary(category) {
+    return CategorySummarySchema.parse({
+      id: category.id,
+      name: category.name,
+      domain: category.domain,
+      level: category.level,
+      priority: category.priority,
+      severity: category.severity,
+      description: category.description
+    });
+  }
+  /**
+   * Recursively load YAML files from directory
+   */
+  async loadYamlFilesRecursive(dirPath) {
+    const results = [];
+    const loadResult = await tryCatchAsync(async () => {
+      const entries = await fs.readdir(dirPath, { withFileTypes: true });
+      return entries;
+    });
+    if (!loadResult.success) {
+      return [
+        err(
+          new ValidationError(`Failed to read directory: ${dirPath}`, {
+            dirPath,
+            cause: loadResult.error.message
+          })
+        )
+      ];
+    }
+    for (const entry of loadResult.data) {
+      const fullPath = path.join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        const subResults = await this.loadYamlFilesRecursive(fullPath);
+        results.push(...subResults);
+      } else if (entry.isFile() && (entry.name.endsWith(".yml") || entry.name.endsWith(".yaml"))) {
+        const result = await this.loadFromFile(fullPath);
+        results.push(result);
+      }
+    }
+    return results;
+  }
+};
+function createCategoryStore() {
+  return new CategoryStore();
+}
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
+var Logger = class _Logger {
+  level = "info";
+  prefix = "";
+  /**
+   * Configure the logger
+   */
+  configure(config) {
+    if (config.level !== void 0) {
+      this.level = config.level;
+    }
+    if (config.prefix !== void 0) {
+      this.prefix = config.prefix;
+    }
+  }
+  /**
+   * Check if a log level should be output
+   */
+  shouldLog(level) {
+    return LOG_LEVELS[level] >= LOG_LEVELS[this.level];
+  }
+  /**
+   * Format a message with optional prefix
+   */
+  format(message) {
+    return this.prefix ? `${this.prefix} ${message}` : message;
+  }
+  /**
+   * Debug level logging (gray)
+   */
+  debug(message, ...args) {
+    if (this.shouldLog("debug")) {
+      console.debug(chalk.gray(this.format(message)), ...args);
+    }
+  }
+  /**
+   * Info level logging (default color)
+   */
+  info(message, ...args) {
+    if (this.shouldLog("info")) {
+      console.info(this.format(message), ...args);
+    }
+  }
+  /**
+   * Warning level logging (yellow)
+   */
+  warn(message, ...args) {
+    if (this.shouldLog("warn")) {
+      console.warn(chalk.yellow(this.format(message)), ...args);
+    }
+  }
+  /**
+   * Error level logging (red)
+   */
+  error(message, ...args) {
+    if (this.shouldLog("error")) {
+      console.error(chalk.red(this.format(message)), ...args);
+    }
+  }
+  /**
+   * Success message (green)
+   */
+  success(message, ...args) {
+    if (this.shouldLog("info")) {
+      console.info(chalk.green(this.format(message)), ...args);
+    }
+  }
+  /**
+   * Create a child logger with a prefix
+   */
+  child(prefix) {
+    const child = new _Logger();
+    child.level = this.level;
+    child.prefix = this.prefix ? `${this.prefix} ${prefix}` : prefix;
+    return child;
+  }
+};
+var logger = new Logger();
+var __filename$1 = fileURLToPath(import.meta.url);
+dirname(__filename$1);
+
+// src/core/index.ts
+var VERSION = "0.1.0";
+
+// src/ai/service.ts
+var DEFAULT_CONFIG = {
+  provider: "anthropic",
+  apiKey: "",
+  model: "claude-sonnet-4-20250514",
+  maxTokens: 1024,
+  temperature: 0.3,
+  timeoutMs: 3e4
+};
+var PROVIDER_MODELS = {
+  anthropic: "claude-sonnet-4-20250514",
+  openai: "gpt-4o",
+  mock: "mock-model"
+};
+var PROVIDER_ENDPOINTS = {
+  anthropic: "https://api.anthropic.com/v1/messages",
+  openai: "https://api.openai.com/v1/chat/completions"};
+var AIService = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      ...DEFAULT_CONFIG,
+      ...config,
+      apiKey: config.apiKey ?? this.getApiKeyFromEnv(config.provider ?? "anthropic"),
+      model: config.model ?? PROVIDER_MODELS[config.provider ?? "anthropic"]
+    };
+  }
+  /**
+   * Get API key from environment variable
+   * For config file support, use the sync version below
+   */
+  getApiKeyFromEnv(provider) {
+    if (provider === "mock") return "mock-key";
+    const envVar = provider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY";
+    const envValue = process.env[envVar];
+    if (envValue !== void 0 && envValue.length > 0) {
+      return envValue;
+    }
+    return this.getApiKeyFromConfig(provider);
+  }
+  /**
+   * Read API key from config file synchronously
+   * Uses require() for sync file access in constructor context
+   */
+  getApiKeyFromConfig(provider) {
+    try {
+      const { existsSync, readFileSync } = __require("fs");
+      const { homedir } = __require("os");
+      const { join: join2 } = __require("path");
+      const configPath = join2(homedir(), ".pinata", "config.json");
+      if (!existsSync(configPath)) {
+        return "";
+      }
+      const content = readFileSync(configPath, "utf-8");
+      const config = JSON.parse(content);
+      return (provider === "anthropic" ? config.anthropicApiKey : config.openaiApiKey) ?? "";
+    } catch {
+      return "";
+    }
+  }
+  /**
+   * Check if the service is configured with an API key
+   */
+  isConfigured() {
+    return this.config.provider === "mock" || this.config.apiKey.length > 0;
+  }
+  /**
+   * Get the current provider
+   */
+  getProvider() {
+    return this.config.provider;
+  }
+  /**
+   * Generate a completion
+   */
+  async complete(request) {
+    const startTime = Date.now();
+    if (!this.isConfigured()) {
+      return {
+        success: false,
+        error: `API key not configured for ${this.config.provider}. Set ${this.config.provider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY"} environment variable.`,
+        durationMs: Date.now() - startTime
+      };
+    }
+    if (this.config.provider === "mock") {
+      return this.mockComplete(request, startTime);
+    }
+    try {
+      const response = await this.callProvider(request);
+      return {
+        success: true,
+        data: response.content,
+        usage: response.usage,
+        durationMs: Date.now() - startTime
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Unknown error",
+        durationMs: Date.now() - startTime
+      };
+    }
+  }
+  /**
+   * Generate a JSON completion (parses response as JSON)
+   */
+  async completeJSON(request) {
+    const response = await this.complete({
+      ...request,
+      messages: [
+        ...request.messages,
+        {
+          role: "user",
+          content: "\n\nRespond with valid JSON only. No markdown, no explanation."
+        }
+      ]
+    });
+    if (!response.success || response.data === void 0) {
+      return {
+        success: false,
+        error: response.error ?? "No response data",
+        durationMs: response.durationMs
+      };
+    }
+    try {
+      let jsonStr = response.data;
+      const jsonMatch = jsonStr.match(/```(?:json)?\s*([\s\S]*?)```/);
+      if (jsonMatch) {
+        jsonStr = jsonMatch[1] ?? jsonStr;
+      }
+      const objectMatch = jsonStr.match(/\{[\s\S]*\}/);
+      const arrayMatch = jsonStr.match(/\[[\s\S]*\]/);
+      jsonStr = objectMatch?.[0] ?? arrayMatch?.[0] ?? jsonStr;
+      const parsed = JSON.parse(jsonStr.trim());
+      const result = {
+        success: true,
+        data: parsed,
+        durationMs: response.durationMs
+      };
+      if (response.usage) {
+        result.usage = response.usage;
+      }
+      return result;
+    } catch (error) {
+      return {
+        success: false,
+        error: `Failed to parse JSON response: ${error instanceof Error ? error.message : "Unknown error"}`,
+        durationMs: response.durationMs
+      };
+    }
+  }
+  /**
+   * Call the AI provider API
+   */
+  async callProvider(request) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
+    try {
+      if (this.config.provider === "anthropic") {
+        return await this.callAnthropic(request, controller.signal);
+      } else {
+        return await this.callOpenAI(request, controller.signal);
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Call Anthropic API
+   */
+  async callAnthropic(request, signal) {
+    const messages = request.messages.filter((m) => m.role !== "system");
+    const response = await fetch(PROVIDER_ENDPOINTS.anthropic, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": this.config.apiKey,
+        "anthropic-version": "2023-06-01"
+      },
+      body: JSON.stringify({
+        model: this.config.model,
+        max_tokens: request.maxTokens ?? this.config.maxTokens,
+        temperature: request.temperature ?? this.config.temperature,
+        system: request.systemPrompt,
+        messages: messages.map((m) => ({
+          role: m.role,
+          content: m.content
+        }))
+      }),
+      signal
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Anthropic API error: ${response.status} - ${error}`);
+    }
+    const data = await response.json();
+    return {
+      content: data.content[0]?.text ?? "",
+      usage: {
+        inputTokens: data.usage.input_tokens,
+        outputTokens: data.usage.output_tokens
+      }
+    };
+  }
+  /**
+   * Call OpenAI API
+   */
+  async callOpenAI(request, signal) {
+    const messages = [];
+    if (request.systemPrompt !== void 0 && request.systemPrompt.length > 0) {
+      messages.push({ role: "system", content: request.systemPrompt });
+    }
+    for (const m of request.messages) {
+      messages.push({ role: m.role, content: m.content });
+    }
+    const response = await fetch(PROVIDER_ENDPOINTS.openai, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      },
+      body: JSON.stringify({
+        model: this.config.model,
+        max_tokens: request.maxTokens ?? this.config.maxTokens,
+        temperature: request.temperature ?? this.config.temperature,
+        messages
+      }),
+      signal
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`OpenAI API error: ${response.status} - ${error}`);
+    }
+    const data = await response.json();
+    return {
+      content: data.choices[0]?.message.content ?? "",
+      usage: {
+        inputTokens: data.usage.prompt_tokens,
+        outputTokens: data.usage.completion_tokens
+      }
+    };
+  }
+  /**
+   * Mock completion for testing
+   */
+  mockComplete(request, startTime) {
+    const lastMessage = request.messages[request.messages.length - 1];
+    const content = lastMessage?.content ?? "";
+    let response = "Mock AI response";
+    if (content.includes("explain") || content.includes("explanation")) {
+      response = JSON.stringify({
+        summary: "This code pattern may introduce a security vulnerability.",
+        explanation: "The detected pattern suggests potential security risk.",
+        risk: "An attacker could exploit this vulnerability to compromise the system.",
+        remediation: "Use parameterized queries or proper input validation.",
+        safeExample: "cursor.execute('SELECT * FROM users WHERE id = ?', (user_id,))"
+      });
+    } else if (content.includes("variable") || content.includes("template")) {
+      response = JSON.stringify({
+        suggestions: [
+          {
+            name: "className",
+            value: "UserService",
+            reasoning: "Based on the file name and context",
+            confidence: 0.8
+          },
+          {
+            name: "functionName",
+            value: "get_user",
+            reasoning: "Extracted from the code snippet",
+            confidence: 0.9
+          }
+        ]
+      });
+    } else if (content.includes("pattern") || content.includes("regex")) {
+      response = JSON.stringify({
+        suggestions: [
+          {
+            id: "custom-sql-pattern",
+            pattern: "execute\\s*\\(.*\\+",
+            description: "Detects SQL execution with string concatenation",
+            confidence: "medium",
+            matchExample: "cursor.execute(query + user_input)",
+            safeExample: "cursor.execute(query, (user_input,))",
+            reasoning: "String concatenation in SQL queries is a common injection vector"
+          }
+        ]
+      });
+    }
+    return {
+      success: true,
+      data: response,
+      usage: { inputTokens: 100, outputTokens: 50 },
+      durationMs: Date.now() - startTime
+    };
+  }
+};
+function createAIService(config) {
+  return new AIService(config);
+}
+
+// src/ai/explainer.ts
+var SYSTEM_PROMPT = `You are a security expert explaining code vulnerabilities to developers.
+Your explanations should be:
+- Clear and actionable
+- Focused on the specific code pattern
+- Include concrete remediation steps
+- Reference relevant security standards (OWASP, CWE) when applicable
+
+Always respond with valid JSON matching this structure:
+{
+  "summary": "1-2 sentence summary",
+  "explanation": "Detailed explanation of the vulnerability",
+  "risk": "What an attacker could do if this is exploited",
+  "remediation": "Step-by-step instructions to fix",
+  "safeExample": "Code example showing the safe pattern",
+  "references": ["optional array of CVE/CWE/OWASP references"]
+}`;
+async function explainGap(gap, category, config) {
+  const ai = createAIService(config);
+  if (!ai.isConfigured()) {
+    return {
+      success: false,
+      error: "AI service not configured",
+      durationMs: 0
+    };
+  }
+  const prompt = buildExplainPrompt(gap, category);
+  const response = await ai.completeJSON({
+    systemPrompt: SYSTEM_PROMPT,
+    messages: [{ role: "user", content: prompt }],
+    maxTokens: 1024,
+    temperature: 0.3
+  });
+  return response;
+}
+async function explainGaps(gaps, categories, config) {
+  const results = /* @__PURE__ */ new Map();
+  const BATCH_SIZE = 5;
+  for (let i = 0; i < gaps.length; i += BATCH_SIZE) {
+    const batch = gaps.slice(i, i + BATCH_SIZE);
+    const promises = batch.map(async (gap) => {
+      const category = categories?.get(gap.categoryId);
+      const result = await explainGap(gap, category, config);
+      return { key: `${gap.filePath}:${gap.lineStart}:${gap.categoryId}`, result };
+    });
+    const batchResults = await Promise.all(promises);
+    for (const { key, result } of batchResults) {
+      results.set(key, result);
+    }
+  }
+  return results;
+}
+function buildExplainPrompt(gap, category) {
+  const parts = [];
+  parts.push(`Explain this security finding:
+`);
+  parts.push(`**Category:** ${gap.categoryName} (${gap.categoryId})`);
+  parts.push(`**Severity:** ${gap.severity}`);
+  parts.push(`**Confidence:** ${gap.confidence}`);
+  parts.push(`**File:** ${gap.filePath}`);
+  parts.push(`**Line:** ${gap.lineStart}`);
+  if (gap.codeSnippet) {
+    parts.push(`
+**Code:**
+\`\`\`
+${gap.codeSnippet}
+\`\`\``);
+  }
+  parts.push(`
+**Pattern:** ${gap.patternId}`);
+  parts.push(`**Detection Type:** ${gap.patternType}`);
+  if (category) {
+    parts.push(`
+**Category Description:** ${category.description}`);
+    if (category.cves && category.cves.length > 0) {
+      parts.push(`**Related CVEs:** ${category.cves.join(", ")}`);
+    }
+    if (category.references && category.references.length > 0) {
+      parts.push(`**References:** ${category.references.slice(0, 3).join(", ")}`);
+    }
+  }
+  parts.push(`
+Provide a clear, actionable explanation for a developer.`);
+  return parts.join("\n");
+}
+
+// src/ai/template-filler.ts
+var SYSTEM_PROMPT2 = `You are an expert at analyzing code and extracting meaningful variable values for test generation.
+Given a code snippet and a list of template variables, suggest appropriate values for each variable.
+
+For each variable, analyze:
+1. The code snippet to extract relevant information (class names, function names, etc.)
+2. The variable description to understand what's needed
+3. The variable type to ensure correct formatting
+
+Always respond with valid JSON matching this structure:
+{
+  "suggestions": [
+    {
+      "name": "variableName",
+      "value": "suggested value",
+      "reasoning": "why this value was chosen",
+      "confidence": 0.0-1.0
+    }
+  ]
+}
+
+For arrays, use: "value": ["item1", "item2"]
+For booleans, use: "value": true or "value": false
+For numbers, use: "value": 42`;
+async function suggestVariables(request, config) {
+  const ai = createAIService(config);
+  if (!ai.isConfigured()) {
+    return {
+      success: true,
+      data: extractVariablesFromCode(request),
+      durationMs: 0
+    };
+  }
+  const prompt = buildVariablePrompt(request);
+  const startTime = Date.now();
+  const response = await ai.completeJSON({
+    systemPrompt: SYSTEM_PROMPT2,
+    messages: [{ role: "user", content: prompt }],
+    maxTokens: 1024,
+    temperature: 0.2
+  });
+  if (!response.success || !response.data) {
+    return {
+      success: true,
+      data: extractVariablesFromCode(request),
+      durationMs: Date.now() - startTime
+    };
+  }
+  const suggestions = /* @__PURE__ */ new Map();
+  const unfilled = [];
+  const values = { ...request.existingValues };
+  const suggestionsList = response.data.suggestions ?? [];
+  for (const suggestion of suggestionsList) {
+    suggestions.set(suggestion.name, suggestion);
+    if (!(suggestion.name in values)) {
+      values[suggestion.name] = suggestion.value;
+    }
+  }
+  for (const variable of request.variables) {
+    if (!suggestions.has(variable.name) && !(variable.name in values)) {
+      if (variable.defaultValue !== void 0) {
+        values[variable.name] = variable.defaultValue;
+      } else {
+        unfilled.push(variable.name);
+      }
+    }
+  }
+  const result = {
+    success: true,
+    data: { suggestions, unfilled, values },
+    durationMs: response.durationMs
+  };
+  if (response.usage) {
+    result.usage = response.usage;
+  }
+  return result;
+}
+function buildVariablePrompt(request) {
+  const parts = [];
+  parts.push("Analyze this code and suggest values for the template variables:\n");
+  parts.push("**Code:**");
+  parts.push("```");
+  parts.push(request.codeSnippet);
+  parts.push("```\n");
+  parts.push(`**File:** ${request.filePath}
+`);
+  if (request.gap) {
+    parts.push(`**Category:** ${request.gap.categoryName}`);
+    parts.push(`**Line:** ${request.gap.lineStart}
+`);
+  }
+  parts.push("**Variables to fill:**");
+  for (const variable of request.variables) {
+    const required = variable.required ? " (required)" : " (optional)";
+    const defaultVal = variable.defaultValue !== void 0 ? ` [default: ${JSON.stringify(variable.defaultValue)}]` : "";
+    parts.push(`- ${variable.name} (${variable.type})${required}${defaultVal}: ${variable.description}`);
+  }
+  if (request.existingValues && Object.keys(request.existingValues).length > 0) {
+    parts.push("\n**Already provided:**");
+    for (const [name, value] of Object.entries(request.existingValues)) {
+      parts.push(`- ${name}: ${JSON.stringify(value)}`);
+    }
+  }
+  parts.push("\nExtract appropriate values from the code context.");
+  return parts.join("\n");
+}
+function extractVariablesFromCode(request) {
+  const suggestions = /* @__PURE__ */ new Map();
+  const unfilled = [];
+  const values = { ...request.existingValues };
+  const code = request.codeSnippet;
+  const filePath = request.filePath;
+  for (const variable of request.variables) {
+    if (variable.name in values) continue;
+    let value = void 0;
+    let reasoning = "";
+    let confidence = 0;
+    switch (variable.name.toLowerCase()) {
+      case "classname":
+      case "class_name": {
+        const classMatch = code.match(/class\s+(\w+)/);
+        if (classMatch) {
+          value = classMatch[1];
+          reasoning = "Extracted from class definition in code";
+          confidence = 0.9;
+        } else {
+          const fileName = filePath.split("/").pop()?.replace(/\.\w+$/, "") ?? "";
+          value = toPascalCase(fileName);
+          reasoning = "Inferred from file name";
+          confidence = 0.6;
+        }
+        break;
+      }
+      case "functionname":
+      case "function_name":
+      case "methodname": {
+        const funcMatch = code.match(/(?:def|function|async function)\s+(\w+)/);
+        if (funcMatch) {
+          value = funcMatch[1];
+          reasoning = "Extracted from function definition";
+          confidence = 0.9;
+        }
+        break;
+      }
+      case "modulepath":
+      case "module_path": {
+        value = filePath.replace(/\.[jt]sx?$/, "").replace(/\.py$/, "").replace(/\//g, ".").replace(/^\.+/, "");
+        reasoning = "Derived from file path";
+        confidence = 0.7;
+        break;
+      }
+      case "tablename":
+      case "table_name": {
+        const tableMatch = code.match(/(?:FROM|INTO|UPDATE)\s+(\w+)/i);
+        if (tableMatch) {
+          value = tableMatch[1];
+          reasoning = "Extracted from SQL statement";
+          confidence = 0.8;
+        } else {
+          value = "users";
+          reasoning = "Default table name";
+          confidence = 0.3;
+        }
+        break;
+      }
+      case "exceptionclass":
+      case "exception_class": {
+        value = "ValueError";
+        reasoning = "Common exception for input validation";
+        confidence = 0.5;
+        break;
+      }
+      case "dbclient":
+      case "db_client": {
+        const clientMatch = code.match(/(db|conn|connection|client|cursor)\s*[=.]/i);
+        if (clientMatch) {
+          value = clientMatch[1];
+          reasoning = "Extracted from code";
+          confidence = 0.7;
+        } else {
+          value = "db";
+          reasoning = "Default database client name";
+          confidence = 0.4;
+        }
+        break;
+      }
+      case "functioncall":
+      case "function_call": {
+        const funcName = values["functionName"] ?? values["function_name"];
+        if (typeof funcName === "string" && funcName.length > 0) {
+          value = `${funcName}(user_input)`;
+          reasoning = "Constructed from function name";
+          confidence = 0.6;
+        }
+        break;
+      }
+      case "fixtures": {
+        value = "db_session";
+        reasoning = "Common pytest fixture";
+        confidence = 0.5;
+        break;
+      }
+      default:
+        if (variable.defaultValue !== void 0) {
+          value = variable.defaultValue;
+          reasoning = "Using default value";
+          confidence = 1;
+        }
+    }
+    if (value !== void 0) {
+      suggestions.set(variable.name, {
+        name: variable.name,
+        value,
+        reasoning,
+        confidence
+      });
+      values[variable.name] = value;
+    } else if (variable.required) {
+      unfilled.push(variable.name);
+    }
+  }
+  return { suggestions, unfilled, values };
+}
+function toPascalCase(str) {
+  return str.split(/[-_\s]+/).map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase()).join("");
+}
+
+// src/ai/pattern-suggester.ts
+var SYSTEM_PROMPT3 = `You are an expert at creating regex patterns for detecting security vulnerabilities in code.
+Given vulnerable code samples, generate regex patterns that will detect similar vulnerabilities.
+
+Your patterns should:
+1. Be specific enough to avoid false positives
+2. Be general enough to catch variations
+3. Use standard regex syntax (no lookbehind for compatibility)
+4. Include examples of what matches and what doesn't
+
+Always respond with valid JSON matching this structure:
+{
+  "suggestions": [
+    {
+      "id": "pattern-id-kebab-case",
+      "pattern": "regex pattern here",
+      "description": "What this pattern detects",
+      "confidence": "high|medium|low",
+      "matchExample": "code that should match",
+      "safeExample": "similar code that should NOT match",
+      "reasoning": "Why this pattern works"
+    }
+  ]
+}
+
+Important:
+- Escape backslashes properly for JSON (use \\\\s not \\s)
+- Test your patterns mentally against the examples
+- Prefer simpler patterns that are less likely to cause ReDoS`;
+async function suggestPatterns(request, config) {
+  const ai = createAIService(config);
+  if (!ai.isConfigured()) {
+    return {
+      success: false,
+      error: "AI service not configured. Set ANTHROPIC_API_KEY or OPENAI_API_KEY.",
+      durationMs: 0
+    };
+  }
+  const prompt = buildPatternPrompt(request);
+  const response = await ai.completeJSON({
+    systemPrompt: SYSTEM_PROMPT3,
+    messages: [{ role: "user", content: prompt }],
+    maxTokens: 2048,
+    temperature: 0.3
+  });
+  if (!response.success || !response.data) {
+    return {
+      success: false,
+      error: response.error ?? "Failed to generate patterns",
+      durationMs: response.durationMs
+    };
+  }
+  const validated = validatePatterns(
+    response.data.suggestions ?? [],
+    request.vulnerableCode,
+    request.safeCode ?? []
+  );
+  const result = {
+    success: true,
+    data: validated,
+    durationMs: response.durationMs
+  };
+  if (response.usage) {
+    result.usage = response.usage;
+  }
+  return result;
+}
+function buildPatternPrompt(request) {
+  const parts = [];
+  parts.push(`Generate regex patterns to detect ${request.category} vulnerabilities in ${request.language} code.
+`);
+  parts.push("**Vulnerable code samples (patterns SHOULD match these):**");
+  for (let i = 0; i < request.vulnerableCode.length; i++) {
+    parts.push(`
+Example ${i + 1}:`);
+    parts.push("```");
+    parts.push(request.vulnerableCode[i] ?? "");
+    parts.push("```");
+  }
+  if (request.safeCode && request.safeCode.length > 0) {
+    parts.push("\n**Safe code samples (patterns should NOT match these):**");
+    for (let i = 0; i < request.safeCode.length; i++) {
+      parts.push(`
+Safe ${i + 1}:`);
+      parts.push("```");
+      parts.push(request.safeCode[i] ?? "");
+      parts.push("```");
+    }
+  }
+  if (request.existingPatterns && request.existingPatterns.length > 0) {
+    parts.push("\n**Existing patterns (avoid duplicating):**");
+    for (const pattern of request.existingPatterns) {
+      parts.push(`- ${pattern}`);
+    }
+  }
+  parts.push(`
+Generate up to ${request.maxSuggestions ?? 3} distinct patterns.`);
+  parts.push("Focus on patterns that will have high precision (low false positives).");
+  return parts.join("\n");
+}
+function validatePatterns(suggestions, vulnerableCode, safeCode) {
+  const validated = [];
+  const rejected = [];
+  for (const suggestion of suggestions) {
+    try {
+      const regex = new RegExp(suggestion.pattern, "gm");
+      let matchCount = 0;
+      for (const code of vulnerableCode) {
+        regex.lastIndex = 0;
+        if (regex.test(code)) {
+          matchCount++;
+        }
+      }
+      let falsePositives = 0;
+      for (const code of safeCode) {
+        regex.lastIndex = 0;
+        if (regex.test(code)) {
+          falsePositives++;
+        }
+      }
+      if (hasRedosPotential(suggestion.pattern)) {
+        rejected.push({
+          pattern: suggestion.pattern,
+          reason: "Pattern may be vulnerable to ReDoS"
+        });
+        continue;
+      }
+      if (matchCount > 0) {
+        if (falsePositives > 0 && suggestion.confidence === "high") {
+          suggestion.confidence = "medium";
+        }
+        if (matchCount < vulnerableCode.length / 2 && suggestion.confidence === "high") {
+          suggestion.confidence = "medium";
+        }
+        validated.push(suggestion);
+      } else {
+        rejected.push({
+          pattern: suggestion.pattern,
+          reason: `Pattern did not match any vulnerable samples (0/${vulnerableCode.length})`
+        });
+      }
+    } catch (error) {
+      rejected.push({
+        pattern: suggestion.pattern,
+        reason: `Invalid regex: ${error instanceof Error ? error.message : "Unknown error"}`
+      });
+    }
+  }
+  return { suggestions: validated, rejected };
+}
+function hasRedosPotential(pattern) {
+  if (/\([^)]*[+*][^)]*\)[+*]/.test(pattern)) {
+    return true;
+  }
+  if (/\([^)]*\|[^)]*\)[+*]/.test(pattern)) {
+    const alternationMatch = pattern.match(/\(([^)]+)\)/g);
+    if (alternationMatch) {
+      for (const alt of alternationMatch) {
+        if (/\w+\|\w*\w/.test(alt) && /[+*]/.test(alt)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+
+export { AIService, AnalysisError, CategoryNotFoundError, CategorySchema, CategoryStore, CategorySummarySchema, ConfidenceSchema, ConfigError, DetectionPatternSchema, ExampleSchema, GenerationError, LANGUAGES, LanguageSchema, PATTERN_TYPES, ParseError, PatternNotFoundError, PatternTypeSchema, PinataError, PrioritySchema, RISK_DOMAINS, RiskDomainSchema, SeveritySchema, TEST_FRAMEWORKS, TEST_LEVELS, TestFrameworkSchema, TestLevelSchema, TestTemplateSchema, VERSION, ValidationError, all, andThen, createAIService, createCategoryStore, err, explainGap, explainGaps, logger, map, mapErr, ok, suggestPatterns, suggestVariables, tryCatch, tryCatchAsync, unwrap, unwrapOr };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map