pinata-security-cli 0.1.6 → 0.2.1

package/dist/cli/index.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
-import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
-import fs, { mkdir, writeFile, readFile, readdir, stat } from 'fs/promises';
+import { z } from 'zod';
+import fs, { mkdir, writeFile, readFile, stat, readdir } from 'fs/promises';
 import path, { dirname, resolve, basename, relative, join, extname } from 'path';
 import { useState } from 'react';
 import { render, useApp, useInput, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
 import { jsx, jsxs } from 'react/jsx-runtime';
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir } from 'os';
-import { z } from 'zod';
 import { fileURLToPath } from 'url';
 import chalk5 from 'chalk';
 import { Command } from 'commander';
@@ -124,6 +124,35 @@ var init_result = __esm({
   "src/lib/result.ts"() {
   }
 });
+var SEVERITY_WEIGHTS, CONFIDENCE_WEIGHTS, PRIORITY_WEIGHTS, DEFAULT_TEST_PATTERNS;
+var init_types = __esm({
+  "src/core/scanner/types.ts"() {
+    SEVERITY_WEIGHTS = {
+      critical: 4,
+      high: 3,
+      medium: 2,
+      low: 1
+    };
+    CONFIDENCE_WEIGHTS = {
+      high: 1,
+      medium: 0.7,
+      low: 0.4
+    };
+    PRIORITY_WEIGHTS = {
+      P0: 3,
+      P1: 2,
+      P2: 1
+    };
+    DEFAULT_TEST_PATTERNS = {
+      python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
+      typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
+      javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
+      go: ["*_test.go"],
+      java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
+      rust: ["tests/**/*.rs"]
+    };
+  }
+});
 function getCachePath(projectRoot) {
   return resolve(projectRoot, CACHE_DIR, CACHE_FILE);
 }
@@ -131,9 +160,7 @@ async function saveScanResults(projectRoot, result) {
   try {
     const cacheDir = resolve(projectRoot, CACHE_DIR);
     const cachePath = getCachePath(projectRoot);
-    if (!existsSync(cacheDir)) {
-      await mkdir(cacheDir, { recursive: true });
-    }
+    await mkdir(cacheDir, { recursive: true });
     const cached = {
       timestamp: result.completedAt.toISOString(),
       targetDirectory: result.targetDirectory,
@@ -158,7 +185,10 @@ async function saveScanResults(projectRoot, result) {
 async function loadScanResults(projectRoot) {
   try {
     const cachePath = getCachePath(projectRoot);
-    if (!existsSync(cachePath)) {
+    let content;
+    try {
+      content = await readFile(cachePath, "utf-8");
+    } catch {
       return err(
         new PinataError(
           "No cached scan results found. Run `pinata analyze` first.",
@@ -166,7 +196,6 @@ async function loadScanResults(projectRoot) {
         )
       );
     }
-    const content = await readFile(cachePath, "utf-8");
     const cached = JSON.parse(content);
     if (cached.version !== CACHE_VERSION) {
       return err(
@@ -712,6 +741,388 @@ var init_junit_formatter = __esm({
   "src/cli/junit-formatter.ts"() {
   }
 });
+
+// src/core/verifier/ai-verifier.ts
+var SKIP_PATTERNS, BATCH_PROMPT, SINGLE_ITEM_TEMPLATE, AIVerifier;
+var init_ai_verifier = __esm({
+  "src/core/verifier/ai-verifier.ts"() {
+    init_types();
+    SKIP_PATTERNS = {
+      paths: [
+        /\.test\.(ts|js|tsx|jsx)$/,
+        /\.spec\.(ts|js|tsx|jsx)$/,
+        /tests?\//i,
+        /fixtures?\//i,
+        /mocks?\//i,
+        /__tests__\//,
+        /node_modules\//,
+        /dist\//,
+        /\.d\.ts$/,
+        /examples?\//i
+      ],
+      // Content patterns that indicate false positive
+      content: [
+        /\/\/ SAFE:/i,
+        // Explicit safe marker
+        /\/\/ nosec/i,
+        // Security ignore
+        /eslint-disable/i,
+        /sanitized?|escaped?|validated?/i
+        // Near sanitization
+      ]
+    };
+    BATCH_PROMPT = `You are a security code reviewer. Analyze these potential vulnerabilities and determine which are real issues vs false positives.
+
+For each item, consider:
+- Is user input actually reaching this code?
+- Is there sanitization, validation, or encoding nearby?
+- Is this test code, example code, or production code?
+- Is there context that makes this safe?
+
+Be rigorous. Most pattern matches are false positives.
+
+ITEMS TO ANALYZE:
+{{items}}
+
+Respond with a JSON array. Each object MUST have these exact fields:
+[
+  {
+    "id": "1",
+    "isVulnerable": true/false,
+    "confidence": "high"/"medium"/"low",
+    "reasoning": "brief explanation"
+  },
+  ...
+]
+
+Only return the JSON array, no other text.`;
+    SINGLE_ITEM_TEMPLATE = `
+---
+ID: {{id}}
+CATEGORY: {{category}}
+FILE: {{filePath}}:{{lineNumber}}
+CODE:
+\`\`\`{{language}}
+{{codeContext}}
+\`\`\`
+FLAGGED LINE: {{flaggedLine}}
+---`;
+    AIVerifier = class {
+      config;
+      batchSize;
+      concurrency;
+      constructor(config2) {
+        this.config = config2;
+        this.batchSize = config2.batchSize ?? 10;
+        this.concurrency = config2.concurrency ?? 3;
+      }
+      /**
+       * Verify multiple gaps efficiently using filtering, batching, and parallelism.
+       *
+       * Flow:
+       * 1. Pre-filter obvious false positives (test files, etc.)
+       * 2. Group remaining gaps into batches of 10
+       * 3. Process 3 batches in parallel
+       * 4. Return verified gaps and dismissed with reasons
+       */
+      async verifyAll(gaps, getFileContent) {
+        const verified = [];
+        const dismissed = [];
+        const { toVerify, preFiltered } = this.preFilter(gaps);
+        dismissed.push(...preFiltered);
+        if (toVerify.length === 0) {
+          return {
+            verified: [],
+            dismissed,
+            stats: {
+              total: gaps.length,
+              preFiltered: preFiltered.length,
+              aiDismissed: 0,
+              aiVerified: 0
+            }
+          };
+        }
+        console.log(`Pre-filtered ${preFiltered.length} gaps. Verifying ${toVerify.length} with AI...`);
+        const fileContents = /* @__PURE__ */ new Map();
+        const uniquePaths = [...new Set(toVerify.map((g) => g.filePath))];
+        await Promise.all(
+          uniquePaths.map(async (path2) => {
+            try {
+              fileContents.set(path2, await getFileContent(path2));
+            } catch {
+              fileContents.set(path2, "");
+            }
+          })
+        );
+        const batches = this.createBatches(toVerify, fileContents);
+        console.log(`Created ${batches.length} batches of ~${this.batchSize} gaps each`);
+        const results = await this.processParallel(batches, toVerify);
+        let aiVerified = 0;
+        let aiDismissed = 0;
+        for (const gap of toVerify) {
+          const gapId = `${gap.filePath}:${gap.lineStart}`;
+          const result = results.get(gapId);
+          if (!result || result.isVulnerable) {
+            verified.push(gap);
+            aiVerified++;
+          } else {
+            dismissed.push({
+              gap,
+              reason: result.reasoning
+            });
+            aiDismissed++;
+          }
+        }
+        return {
+          verified,
+          dismissed,
+          stats: {
+            total: gaps.length,
+            preFiltered: preFiltered.length,
+            aiDismissed,
+            aiVerified
+          }
+        };
+      }
+      /**
+       * Pre-filter gaps that are obviously false positives without needing AI.
+       */
+      preFilter(gaps) {
+        const toVerify = [];
+        const preFiltered = [];
+        for (const gap of gaps) {
+          const pathMatch = SKIP_PATTERNS.paths.find((p) => p.test(gap.filePath));
+          if (pathMatch) {
+            preFiltered.push({
+              gap,
+              reason: `Skipped: test/example file (${pathMatch.source})`
+            });
+            continue;
+          }
+          if (gap.categoryId === "precision-loss" && gap.filePath.endsWith(".ts")) {
+            preFiltered.push({
+              gap,
+              reason: "TypeScript type annotation, not runtime code"
+            });
+            continue;
+          }
+          toVerify.push(gap);
+        }
+        return { toVerify, preFiltered };
+      }
+      /**
+       * Create batches of gaps for batch API calls.
+       */
+      createBatches(gaps, fileContents) {
+        const batches = [];
+        for (let i = 0; i < gaps.length; i += this.batchSize) {
+          const batchGaps = gaps.slice(i, i + this.batchSize);
+          const items = [];
+          const gapIds = [];
+          for (let j = 0; j < batchGaps.length; j++) {
+            const gap = batchGaps[j];
+            const content = fileContents.get(gap.filePath) ?? "";
+            const gapId = `${gap.filePath}:${gap.lineStart}`;
+            gapIds.push(gapId);
+            const codeContext = this.extractContext(content, gap.lineStart, 10);
+            const flaggedLine = this.extractLine(content, gap.lineStart);
+            items.push(
+              SINGLE_ITEM_TEMPLATE.replace("{{id}}", String(j + 1)).replace("{{category}}", gap.categoryName).replace("{{filePath}}", gap.filePath).replace("{{lineNumber}}", String(gap.lineStart)).replace("{{language}}", this.getLanguage(gap.filePath)).replace("{{codeContext}}", codeContext).replace("{{flaggedLine}}", flaggedLine)
+            );
+          }
+          const prompt = BATCH_PROMPT.replace("{{items}}", items.join("\n"));
+          batches.push({ prompt, gapIds });
+        }
+        return batches;
+      }
+      /**
+       * Process batches in parallel with limited concurrency.
+       */
+      async processParallel(batches, gaps) {
+        const results = /* @__PURE__ */ new Map();
+        let completed = 0;
+        for (let i = 0; i < batches.length; i += this.concurrency) {
+          const wave = batches.slice(i, i + this.concurrency);
+          const waveResults = await Promise.all(
+            wave.map(async (batch) => {
+              try {
+                const response = await this.callAI(batch.prompt);
+                return { gapIds: batch.gapIds, response };
+              } catch (error) {
+                console.error(`Batch failed: ${error instanceof Error ? error.message : String(error)}`);
+                return { gapIds: batch.gapIds, response: null };
+              }
+            })
+          );
+          for (const { gapIds, response } of waveResults) {
+            if (response) {
+              const parsed = this.parseBatchResponse(response);
+              for (let j = 0; j < gapIds.length && j < parsed.length; j++) {
+                const gapId = gapIds[j];
+                const result = parsed[j];
+                if (result) {
+                  results.set(gapId, result);
+                }
+              }
+            }
+          }
+          completed += wave.length;
+          console.log(`Processed ${completed}/${batches.length} batches...`);
+        }
+        return results;
+      }
+      extractContext(content, lineNumber, radius) {
+        const lines = content.split("\n");
+        const start = Math.max(0, lineNumber - radius - 1);
+        const end = Math.min(lines.length, lineNumber + radius);
+        return lines.slice(start, end).map((line, i) => {
+          const num = start + i + 1;
+          const marker = num === lineNumber ? ">" : " ";
+          return `${marker}${num.toString().padStart(4)}| ${line}`;
+        }).join("\n");
+      }
+      extractLine(content, lineNumber) {
+        const lines = content.split("\n");
+        return lines[lineNumber - 1] ?? "";
+      }
+      getLanguage(filePath) {
+        if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
+        if (filePath.endsWith(".js") || filePath.endsWith(".jsx")) return "javascript";
+        if (filePath.endsWith(".py")) return "python";
+        if (filePath.endsWith(".go")) return "go";
+        return "text";
+      }
+      async callAI(prompt) {
+        const apiKey = this.config.apiKey ?? this.getApiKeyFromEnv();
+        if (!apiKey) {
+          throw new Error(`No API key configured for ${this.config.provider}`);
+        }
+        if (this.config.provider === "anthropic") {
+          return this.callAnthropic(prompt, apiKey);
+        } else {
+          return this.callOpenAI(prompt, apiKey);
+        }
+      }
+      async callAnthropic(prompt, apiKey) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 6e4);
+        try {
+          const response = await fetch("https://api.anthropic.com/v1/messages", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              "x-api-key": apiKey,
+              "anthropic-version": "2023-06-01"
+            },
+            body: JSON.stringify({
+              model: this.config.model ?? "claude-sonnet-4-20250514",
+              max_tokens: 4096,
+              // Larger for batch responses
+              messages: [{ role: "user", content: prompt }]
+            }),
+            signal: controller.signal
+          });
+          if (!response.ok) {
+            const body = await response.text();
+            throw new Error(`Anthropic API error: ${response.status} - ${body}`);
+          }
+          const data = await response.json();
+          return data.content[0]?.text ?? "";
+        } finally {
+          clearTimeout(timeout);
+        }
+      }
+      async callOpenAI(prompt, apiKey) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 6e4);
+        try {
+          const response = await fetch("https://api.openai.com/v1/chat/completions", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Authorization: `Bearer ${apiKey}`
+            },
+            body: JSON.stringify({
+              model: this.config.model ?? "gpt-4o",
+              messages: [{ role: "user", content: prompt }],
+              max_tokens: 4096
+            }),
+            signal: controller.signal
+          });
+          if (!response.ok) {
+            const body = await response.text();
+            throw new Error(`OpenAI API error: ${response.status} - ${body}`);
+          }
+          const data = await response.json();
+          return data.choices[0]?.message?.content ?? "";
+        } finally {
+          clearTimeout(timeout);
+        }
+      }
+      getApiKeyFromEnv() {
+        if (this.config.provider === "anthropic") {
+          return process.env["ANTHROPIC_API_KEY"] ?? "";
+        }
+        return process.env["OPENAI_API_KEY"] ?? "";
+      }
+      parseBatchResponse(response) {
+        try {
+          const jsonMatch = response.match(/\[[\s\S]*\]/);
+          if (!jsonMatch) {
+            console.error("No JSON array found in batch response");
+            return [];
+          }
+          const parsed = JSON.parse(jsonMatch[0]);
+          return parsed.map((item) => ({
+            id: String(item.id),
+            isVulnerable: Boolean(item.isVulnerable),
+            confidence: item.confidence ?? "medium",
+            reasoning: item.reasoning ?? "No reasoning provided"
+          }));
+        } catch (error) {
+          console.error(`Failed to parse batch response: ${error instanceof Error ? error.message : String(error)}`);
+          return [];
+        }
+      }
+      /**
+       * Legacy single-gap verification (kept for backwards compatibility).
+       */
+      async verify(gap, fileContent) {
+        const result = await this.verifyAll([gap], async () => fileContent);
+        if (result.verified.length > 0) {
+          return {
+            isVulnerable: true,
+            confidence: "high",
+            reasoning: "AI confirmed vulnerability",
+            mitigatingFactors: [],
+            exploitScenario: null,
+            recommendation: "Fix this issue"
+          };
+        }
+        const dismissal = result.dismissed[0];
+        return {
+          isVulnerable: false,
+          confidence: "high",
+          reasoning: dismissal?.reason ?? "AI dismissed as false positive",
+          mitigatingFactors: [],
+          exploitScenario: null,
+          recommendation: "No action needed"
+        };
+      }
+    };
+  }
+});
+
+// src/core/verifier/index.ts
+var verifier_exports = {};
+__export(verifier_exports, {
+  AIVerifier: () => AIVerifier
+});
+var init_verifier = __esm({
+  "src/core/verifier/index.ts"() {
+    init_ai_verifier();
+  }
+});
 function App({ results, loading, error }) {
   const { exit } = useApp();
   const [selectedIndex, setSelectedIndex] = useState(0);
@@ -1062,15 +1473,10 @@ __export(config_exports, {
   validateApiKey: () => validateApiKey
 });
 function ensureConfigDir() {
-  if (!existsSync(CONFIG_DIR)) {
-    mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
-  }
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
 }
 function loadConfig() {
   try {
-    if (!existsSync(CONFIG_FILE)) {
-      return {};
-    }
     const content = readFileSync(CONFIG_FILE, "utf-8");
     const parsed = JSON.parse(content);
     const result = ConfigSchema.safeParse(parsed);
@@ -2556,32 +2962,7 @@ function detectLanguage(filePath) {
 }
 init_errors();
 init_result();
-var SEVERITY_WEIGHTS = {
-  critical: 4,
-  high: 3,
-  medium: 2,
-  low: 1
-};
-var CONFIDENCE_WEIGHTS = {
-  high: 1,
-  medium: 0.7,
-  low: 0.4
-};
-var PRIORITY_WEIGHTS = {
-  P0: 3,
-  P1: 2,
-  P2: 1
-};
-var DEFAULT_TEST_PATTERNS = {
-  python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
-  typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
-  javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
-  go: ["*_test.go"],
-  java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
-  rust: ["tests/**/*.rs"]
-};
-
-// src/core/scanner/scanner.ts
+init_types();
 var DEFAULT_OPTIONS = {
   excludeDirs: [
     // Package managers
@@ -2656,7 +3037,12 @@ var Scanner = class {
     const startedAt = /* @__PURE__ */ new Date();
     const opts = this.mergeOptions(targetDirectory, options);
     this.log.info(`Starting scan of ${targetDirectory}`);
-    if (!existsSync(targetDirectory)) {
+    try {
+      const dirStat = await stat(targetDirectory);
+      if (!dirStat.isDirectory()) {
+        return err(new AnalysisError(`Not a directory: ${targetDirectory}`));
+      }
+    } catch {
       return err(new AnalysisError(`Directory not found: ${targetDirectory}`));
     }
     const categoriesResult = this.getCategoriesToScan(opts);
@@ -2852,9 +3238,6 @@ var Scanner = class {
    */
   readPinataIgnore(targetDirectory) {
     const ignorePath = resolve(targetDirectory, ".pinataignore");
-    if (!existsSync(ignorePath)) {
-      return [];
-    }
     try {
       const { readFileSync: readFileSync2 } = __require("fs");
       const content = readFileSync2(ignorePath, "utf-8");
@@ -3189,8 +3572,11 @@ function createScanner(categoryStore) {
   return new Scanner(categoryStore);
 }
 
+// src/core/scanner/index.ts
+init_types();
+
 // src/core/index.ts
-var VERSION = "0.1.6";
+var VERSION = "0.2.1";
 
 // src/lib/index.ts
 init_errors();
@@ -4111,11 +4497,11 @@ var AIService = class {
    */
   getApiKeyFromConfig(provider) {
     try {
-      const { existsSync: existsSync7, readFileSync: readFileSync2 } = __require("fs");
+      const { existsSync: existsSync4, readFileSync: readFileSync2 } = __require("fs");
       const { homedir: homedir2 } = __require("os");
       const { join: join3 } = __require("path");
       const configPath = join3(homedir2(), ".pinata", "config.json");
-      if (!existsSync7(configPath)) {
+      if (!existsSync4(configPath)) {
         return "";
       }
       const content = readFileSync2(configPath, "utf-8");
@@ -4762,13 +5148,13 @@ async function writeGeneratedTests(tests, basePath, outputDir) {
   for (const [outputPath, fileTests] of testsByFile) {
     try {
       const dir = dirname(outputPath);
-      if (!existsSync(dir)) {
-        await mkdir(dir, { recursive: true });
-      }
-      const fileExists = existsSync(outputPath);
+      await mkdir(dir, { recursive: true });
       let existingContent = "";
-      if (fileExists) {
+      let fileExists = false;
+      try {
         existingContent = await readFile(outputPath, "utf-8");
+        fileExists = true;
+      } catch {
       }
       const contentParts = [];
       const allImports = /* @__PURE__ */ new Set();
@@ -5502,7 +5888,7 @@ function getDefinitionsPath() {
 }
 var program = new Command();
 program.name("pinata").description("AI-powered test coverage analysis and generation").version(VERSION);
-program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
+program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
   const isQuiet = Boolean(options["quiet"]);
   const isVerbose = Boolean(options["verbose"]);
   if (isQuiet) {
@@ -5586,6 +5972,47 @@ program.command("analyze [path]").description("Analyze codebase for test coverag
       process.exit(1);
     }
     spinner?.stop();
+    const shouldVerify = Boolean(options["verify"]);
+    if (shouldVerify && scanResult.data.gaps.length > 0) {
+      const verifySpinner = showSpinner ? ora("Verifying gaps with AI...").start() : null;
+      try {
+        const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
+        const { readFile: readFile5 } = await import('fs/promises');
+        const verifier = new AIVerifier2({ provider: "anthropic" });
+        const { verified, dismissed, stats } = await verifier.verifyAll(
+          scanResult.data.gaps,
+          async (path2) => readFile5(path2, "utf-8")
+        );
+        scanResult.data.gaps = verified;
+        const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
+        let deduction = 0;
+        for (const gap of verified) {
+          deduction += severityWeights[gap.severity] ?? 1;
+        }
+        const newOverall = Math.max(0, 100 - deduction);
+        const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
+        scanResult.data.score.overall = newOverall;
+        scanResult.data.score.grade = newGrade;
+        verifySpinner?.succeed(
+          `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
+        );
+        if (isVerbose && dismissed.length > 0) {
+          console.log(chalk5.gray("\nDismissed as false positives:"));
+          for (const { gap, reason } of dismissed.slice(0, 5)) {
+            console.log(chalk5.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
+            console.log(chalk5.gray(`    Reason: ${reason.slice(0, 100)}...`));
+          }
+          if (dismissed.length > 5) {
+            console.log(chalk5.gray(`  ... and ${dismissed.length - 5} more`));
+          }
+        }
+      } catch (error) {
+        verifySpinner?.fail("AI verification failed (results unverified)");
+        if (isVerbose) {
+          console.error(chalk5.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
+        }
+      }
+    }
     const cacheResult = await saveScanResults(process.cwd(), scanResult.data);
     if (!cacheResult.success) {
       logger.debug(`Failed to cache results: ${cacheResult.error.message}`);