npm - pinata-security-cli - Versions diffs - 0.5.2 → 0.5.3 - Mend

pinata-security-cli 0.5.2 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -1,19 +1,19 @@
 #!/usr/bin/env node
-import { z } from 'zod';
-import fs, { mkdir, writeFile, readFile, stat, readdir, mkdtemp, rm } from 'fs/promises';
+import fs, { readFile, mkdir, writeFile, stat, readdir, mkdtemp, rm } from 'fs/promises';
 import path, { dirname, resolve, join, basename, relative, extname } from 'path';
-import { existsSync, writeFileSync, readFileSync, chmodSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir, tmpdir } from 'os';
+import { z } from 'zod';
 import { spawn } from 'child_process';
 import { useState } from 'react';
 import { render, useApp, useInput, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
 import { jsx, jsxs } from 'react/jsx-runtime';
-import { fileURLToPath } from 'url';
-import chalk5 from 'chalk';
+import chalk7 from 'chalk';
 import { Command } from 'commander';
-import ora from 'ora';
+import ora3 from 'ora';
 import YAML from 'yaml';
+import { fileURLToPath } from 'url';
 import { Query, Parser, Language } from 'web-tree-sitter';
 import { minimatch } from 'minimatch';
@@ -125,35 +125,6 @@ var init_result = __esm({
   "src/lib/result.ts"() {
   }
 });
-var SEVERITY_WEIGHTS, CONFIDENCE_WEIGHTS, PRIORITY_WEIGHTS, DEFAULT_TEST_PATTERNS;
-var init_types = __esm({
-  "src/core/scanner/types.ts"() {
-    SEVERITY_WEIGHTS = {
-      critical: 4,
-      high: 3,
-      medium: 2,
-      low: 1
-    };
-    CONFIDENCE_WEIGHTS = {
-      high: 1,
-      medium: 0.7,
-      low: 0.4
-    };
-    PRIORITY_WEIGHTS = {
-      P0: 3,
-      P1: 2,
-      P2: 1
-    };
-    DEFAULT_TEST_PATTERNS = {
-      python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
-      typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
-      javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
-      go: ["*_test.go"],
-      java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
-      rust: ["tests/**/*.rs"]
-    };
-  }
-});
 function getCachePath(projectRoot) {
   return resolve(projectRoot, CACHE_DIR, CACHE_FILE);
 }
@@ -850,7 +821,6 @@ var init_config = __esm({
 var SKIP_PATTERNS, BATCH_PROMPT, SINGLE_ITEM_TEMPLATE, AIVerifier;
 var init_ai_verifier = __esm({
   "src/core/verifier/ai-verifier.ts"() {
-    init_types();
     SKIP_PATTERNS = {
       paths: [
         /\.test\.(ts|js|tsx|jsx)$/,
@@ -1255,7 +1225,7 @@ function isTestable(categoryId) {
   return TESTABLE_VULNERABILITIES.includes(categoryId);
 }
 var DEFAULT_SANDBOX_CONFIG, TESTABLE_VULNERABILITIES;
-var init_types2 = __esm({
+var init_types = __esm({
   "src/execution/types.ts"() {
     DEFAULT_SANDBOX_CONFIG = {
       image: "pinata-sandbox:latest",
@@ -1285,7 +1255,7 @@ function createSandbox(config2) {
 var Sandbox;
 var init_sandbox = __esm({
   "src/execution/sandbox.ts"() {
-    init_types2();
+    init_types();
     Sandbox = class {
       config;
       tempDir = null;
@@ -1488,7 +1458,7 @@ export default defineConfig({
        * Execute a command and capture output
        */
       exec(command, args, options = {}) {
-        return new Promise((resolve7) => {
+        return new Promise((resolve9) => {
           let stdout = "";
           let stderr = "";
           let timedOut = false;
@@ -1508,7 +1478,7 @@ export default defineConfig({
           }, timeout);
           proc.on("close", (code) => {
             clearTimeout(timer);
-            resolve7({
+            resolve9({
               stdout,
               stderr,
               exitCode: code ?? 1,
@@ -1517,7 +1487,7 @@ export default defineConfig({
           });
           proc.on("error", (err3) => {
             clearTimeout(timer);
-            resolve7({
+            resolve9({
               stdout,
               stderr: stderr + "\n" + err3.message,
               exitCode: 1,
@@ -2776,7 +2746,7 @@ var init_runner = __esm({
     init_sandbox();
     init_results();
     init_generator();
-    init_types2();
+    init_types();
     ExecutionRunner = class {
       sandbox;
       dryRun;
@@ -2983,53 +2953,35 @@ ${code}
 Generate 3-5 targeted payloads that would exploit THIS SPECIFIC code.
 Consider the exact variable names, function calls, and data flow shown above.`;
 }
+function matchFirst(code, patterns) {
+  for (const [keywords, name] of patterns) {
+    if (keywords.some((k) => code.includes(k))) {
+      return name;
+    }
+  }
+  return void 0;
+}
 function extractTechStack(code, filePath) {
+  const ext = "." + (filePath.split(".").pop() ?? "");
   const hints = {
-    language: detectLanguage2(filePath)
+    language: LANGUAGE_EXTENSIONS[ext] ?? "unknown",
+    hasEscaping: ESCAPING_KEYWORDS.some((k) => code.includes(k)),
+    hasWaf: WAF_KEYWORDS.some((k) => code.includes(k))
   };
-  if (code.includes("express") || code.includes("app.get") || code.includes("app.post")) {
-    hints.framework = "express";
-  } else if (code.includes("fastify")) {
-    hints.framework = "fastify";
-  } else if (code.includes("django") || code.includes("from django")) {
-    hints.framework = "django";
-  } else if (code.includes("flask") || code.includes("from flask")) {
-    hints.framework = "flask";
-  } else if (code.includes("gin.") || code.includes("fiber.")) {
-    hints.framework = code.includes("gin.") ? "gin" : "fiber";
-  }
-  if (code.includes("postgres") || code.includes("pg.") || code.includes("$1")) {
-    hints.database = "postgres";
-  } else if (code.includes("mysql") || code.includes("?") && code.includes("query")) {
-    hints.database = "mysql";
-  } else if (code.includes("mongodb") || code.includes("mongoose") || code.includes("$where")) {
-    hints.database = "mongodb";
-  } else if (code.includes("sqlite") || code.includes("sqlite3")) {
-    hints.database = "sqlite";
-  }
-  if (code.includes("prisma")) {
-    hints.orm = "prisma";
-  } else if (code.includes("sequelize")) {
-    hints.orm = "sequelize";
-  } else if (code.includes("typeorm") || code.includes("TypeORM")) {
-    hints.orm = "typeorm";
-  } else if (code.includes("sqlalchemy") || code.includes("SQLAlchemy")) {
-    hints.orm = "sqlalchemy";
-  }
-  hints.hasEscaping = code.includes("escape") || code.includes("sanitize") || code.includes("DOMPurify") || code.includes("htmlspecialchars");
-  hints.hasWaf = code.includes("waf") || code.includes("WAF") || code.includes("cloudflare") || code.includes("akamai");
+  const framework = matchFirst(code, FRAMEWORK_PATTERNS);
+  if (framework) {
+    hints.framework = framework;
+  }
+  const database = matchFirst(code, DATABASE_PATTERNS);
+  if (database) {
+    hints.database = database;
+  }
+  const orm = matchFirst(code, ORM_PATTERNS);
+  if (orm) {
+    hints.orm = orm;
+  }
   return hints;
 }
-function detectLanguage2(filePath) {
-  if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
-  if (filePath.endsWith(".js") || filePath.endsWith(".jsx")) return "javascript";
-  if (filePath.endsWith(".py")) return "python";
-  if (filePath.endsWith(".go")) return "go";
-  if (filePath.endsWith(".java")) return "java";
-  if (filePath.endsWith(".rb")) return "ruby";
-  if (filePath.endsWith(".php")) return "php";
-  return "unknown";
-}
 function parseAiPayloadResponse(response) {
   try {
     const jsonMatch = response.match(/\{[\s\S]*"payloads"[\s\S]*\}/);
@@ -3080,7 +3032,7 @@ function getFallbackPayloads(context, maxPayloads = 10) {
   }
   return [...new Set(payloads)].slice(0, maxPayloads);
 }
-var AI_PAYLOAD_SYSTEM_PROMPT;
+var AI_PAYLOAD_SYSTEM_PROMPT, FRAMEWORK_PATTERNS, DATABASE_PATTERNS, ORM_PATTERNS, ESCAPING_KEYWORDS, WAF_KEYWORDS, LANGUAGE_EXTENSIONS;
 var init_ai_payloads = __esm({
   "src/execution/ai-payloads.ts"() {
     init_payloads();
@@ -3119,6 +3071,39 @@ Return payloads in JSON format:
     }
   ]
 }`;
+    FRAMEWORK_PATTERNS = [
+      [["express", "app.get", "app.post"], "express"],
+      [["fastify"], "fastify"],
+      [["django", "from django"], "django"],
+      [["flask", "from flask"], "flask"],
+      [["gin."], "gin"],
+      [["fiber."], "fiber"]
+    ];
+    DATABASE_PATTERNS = [
+      [["postgres", "pg."], "postgres"],
+      [["mysql"], "mysql"],
+      [["mongodb", "mongoose", "$where"], "mongodb"],
+      [["sqlite", "sqlite3"], "sqlite"]
+    ];
+    ORM_PATTERNS = [
+      [["prisma"], "prisma"],
+      [["sequelize"], "sequelize"],
+      [["typeorm", "TypeORM"], "typeorm"],
+      [["sqlalchemy", "SQLAlchemy"], "sqlalchemy"]
+    ];
+    ESCAPING_KEYWORDS = ["escape", "sanitize", "DOMPurify", "htmlspecialchars"];
+    WAF_KEYWORDS = ["waf", "WAF", "cloudflare", "akamai"];
+    LANGUAGE_EXTENSIONS = {
+      ".ts": "typescript",
+      ".tsx": "typescript",
+      ".js": "javascript",
+      ".jsx": "javascript",
+      ".py": "python",
+      ".go": "go",
+      ".java": "java",
+      ".rb": "ruby",
+      ".php": "php"
+    };
   }
 });
@@ -3441,7 +3426,7 @@ __export(execution_exports, {
 });
 var init_execution = __esm({
   "src/execution/index.ts"() {
-    init_types2();
+    init_types();
     init_sandbox();
     init_runner();
     init_results();
@@ -3792,7 +3777,7 @@ function suggestConfidence(precision) {
   return "low";
 }
 var EMPTY_FEEDBACK_STATE, CONFIDENCE_THRESHOLDS;
-var init_types3 = __esm({
+var init_types2 = __esm({
   "src/feedback/types.ts"() {
     EMPTY_FEEDBACK_STATE = {
       version: 1,
@@ -3926,7 +3911,7 @@ function generateReport(state) {
 var FEEDBACK_DIR, FEEDBACK_FILE;
 var init_store = __esm({
   "src/feedback/store.ts"() {
-    init_types3();
+    init_types2();
     FEEDBACK_DIR = join(homedir(), ".pinata");
     FEEDBACK_FILE = join(FEEDBACK_DIR, "feedback.json");
   }
@@ -3948,7 +3933,7 @@ __export(feedback_exports, {
 });
 var init_feedback = __esm({
   "src/feedback/index.ts"() {
-    init_types3();
+    init_types2();
     init_store();
   }
 });
@@ -4598,7 +4583,7 @@ var Logger = class _Logger {
    */
   debug(message, ...args) {
     if (this.shouldLog("debug")) {
-      console.debug(chalk5.gray(this.format(message)), ...args);
+      console.debug(chalk7.gray(this.format(message)), ...args);
     }
   }
   /**
@@ -4614,7 +4599,7 @@ var Logger = class _Logger {
    */
   warn(message, ...args) {
     if (this.shouldLog("warn")) {
-      console.warn(chalk5.yellow(this.format(message)), ...args);
+      console.warn(chalk7.yellow(this.format(message)), ...args);
     }
   }
   /**
@@ -4622,7 +4607,7 @@ var Logger = class _Logger {
    */
   error(message, ...args) {
     if (this.shouldLog("error")) {
-      console.error(chalk5.red(this.format(message)), ...args);
+      console.error(chalk7.red(this.format(message)), ...args);
     }
   }
   /**
@@ -4630,7 +4615,7 @@ var Logger = class _Logger {
    */
   success(message, ...args) {
     if (this.shouldLog("info")) {
-      console.info(chalk5.green(this.format(message)), ...args);
+      console.info(chalk7.green(this.format(message)), ...args);
     }
   }
   /**
@@ -5705,7 +5690,32 @@ function getProjectTypeDescription(type) {
 }
 init_errors();
 init_result();
-init_types();
+var SEVERITY_WEIGHTS = {
+  critical: 4,
+  high: 3,
+  medium: 2,
+  low: 1
+};
+var CONFIDENCE_WEIGHTS = {
+  high: 1,
+  medium: 0.7,
+  low: 0.4
+};
+var PRIORITY_WEIGHTS = {
+  P0: 3,
+  P1: 2,
+  P2: 1
+};
+var DEFAULT_TEST_PATTERNS = {
+  python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
+  typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
+  javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
+  go: ["*_test.go"],
+  java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
+  rust: ["tests/**/*.rs"]
+};
+// src/core/scanner/scanner.ts
 var DEFAULT_OPTIONS = {
   excludeDirs: [
     // Package managers
@@ -6335,9 +6345,6 @@ function createScanner(categoryStore) {
   return new Scanner(categoryStore);
 }
-// src/core/scanner/index.ts
-init_types();
 // src/core/index.ts
 var VERSION = "0.4.0";
@@ -7071,34 +7078,34 @@ function createRenderer(options) {
   return new TemplateRenderer(options);
 }
 var SEVERITY_COLORS = {
-  critical: chalk5.red.bold,
-  high: chalk5.red,
-  medium: chalk5.yellow,
-  low: chalk5.gray
+  critical: chalk7.red.bold,
+  high: chalk7.red,
+  medium: chalk7.yellow,
+  low: chalk7.gray
 };
 var PRIORITY_COLORS = {
-  P0: chalk5.red.bold,
-  P1: chalk5.yellow,
-  P2: chalk5.gray
+  P0: chalk7.red.bold,
+  P1: chalk7.yellow,
+  P2: chalk7.gray
 };
 var DOMAIN_COLORS = {
-  security: chalk5.red,
-  data: chalk5.blue,
-  concurrency: chalk5.magenta,
-  input: chalk5.cyan,
-  resource: chalk5.yellow,
-  reliability: chalk5.green,
-  performance: chalk5.yellowBright,
-  platform: chalk5.gray,
-  business: chalk5.white,
-  compliance: chalk5.blueBright
+  security: chalk7.red,
+  data: chalk7.blue,
+  concurrency: chalk7.magenta,
+  input: chalk7.cyan,
+  resource: chalk7.yellow,
+  reliability: chalk7.green,
+  performance: chalk7.yellowBright,
+  platform: chalk7.gray,
+  business: chalk7.white,
+  compliance: chalk7.blueBright
 };
 function formatTerminal(categories) {
   if (categories.length === 0) {
-    return chalk5.yellow("No categories found matching the filters.");
+    return chalk7.yellow("No categories found matching the filters.");
   }
   const lines = [];
-  lines.push(chalk5.bold.underline(`Found ${categories.length} categories:
+  lines.push(chalk7.bold.underline(`Found ${categories.length} categories:
 `));
   const byDomain = /* @__PURE__ */ new Map();
   for (const cat of categories) {
@@ -7109,26 +7116,26 @@ function formatTerminal(categories) {
     byDomain.get(domain).push(cat);
   }
   for (const [domain, domainCategories] of byDomain) {
-    const domainColor = DOMAIN_COLORS[domain] ?? chalk5.white;
+    const domainColor = DOMAIN_COLORS[domain] ?? chalk7.white;
     lines.push(domainColor.bold(`
 ${domain.toUpperCase()} (${domainCategories.length})`));
-    lines.push(chalk5.gray("\u2500".repeat(40)));
+    lines.push(chalk7.gray("\u2500".repeat(40)));
     for (const cat of domainCategories) {
       const priorityColor = PRIORITY_COLORS[cat.priority];
       const severityColor = SEVERITY_COLORS[cat.severity];
       const priority = priorityColor(`[${cat.priority}]`);
       const severity = severityColor(`${cat.severity}`);
-      const level = chalk5.cyan(`${cat.level}`);
-      const name = chalk5.white.bold(cat.name);
-      const id = chalk5.gray(`(${cat.id})`);
+      const level = chalk7.cyan(`${cat.level}`);
+      const name = chalk7.white.bold(cat.name);
+      const id = chalk7.gray(`(${cat.id})`);
       lines.push(`  ${priority} ${name} ${id}`);
       lines.push(`     ${severity} | ${level}`);
       const desc = cat.description.length > 80 ? cat.description.slice(0, 77) + "..." : cat.description;
-      lines.push(chalk5.gray(`     ${desc}`));
+      lines.push(chalk7.gray(`     ${desc}`));
       lines.push("");
     }
   }
-  lines.push(chalk5.gray("\u2500".repeat(40)));
+  lines.push(chalk7.gray("\u2500".repeat(40)));
   lines.push(formatStats(categories));
   return lines.join("\n");
 }
@@ -7150,7 +7157,7 @@ function formatStats(categories) {
   if (stats.P0 > 0) parts.push(PRIORITY_COLORS.P0(`${stats.P0} P0`));
   if (stats.P1 > 0) parts.push(PRIORITY_COLORS.P1(`${stats.P1} P1`));
   if (stats.P2 > 0) parts.push(PRIORITY_COLORS.P2(`${stats.P2} P2`));
-  parts.push(chalk5.gray("|"));
+  parts.push(chalk7.gray("|"));
   if (stats.critical > 0) parts.push(SEVERITY_COLORS.critical(`${stats.critical} critical`));
   if (stats.high > 0) parts.push(SEVERITY_COLORS.high(`${stats.high} high`));
   if (stats.medium > 0) parts.push(SEVERITY_COLORS.medium(`${stats.medium} medium`));
@@ -7207,13 +7214,9 @@ function isValidOutputFormat(format) {
   return ["terminal", "json", "markdown"].includes(format);
 }
 function formatError(error) {
-  return chalk5.red(`Error: ${error.message}`);
+  return chalk7.red(`Error: ${error.message}`);
 }
-// src/cli/generate-formatters.ts
-init_errors();
-init_result();
 // src/ai/service.ts
 var DEFAULT_CONFIG = {
   provider: "anthropic",
@@ -7260,11 +7263,11 @@ var AIService = class {
    */
   getApiKeyFromConfig(provider) {
     try {
-      const { existsSync: existsSync5, readFileSync: readFileSync3 } = __require("fs");
+      const { existsSync: existsSync6, readFileSync: readFileSync3 } = __require("fs");
       const { homedir: homedir3 } = __require("os");
       const { join: join5 } = __require("path");
       const configPath = join5(homedir3(), ".pinata", "config.json");
-      if (!existsSync5(configPath)) {
+      if (!existsSync6(configPath)) {
         return "";
       }
       const content = readFileSync3(configPath, "utf-8");
@@ -7515,8 +7518,119 @@ function createAIService(config2) {
   return new AIService(config2);
 }
+// src/ai/explainer.ts
+var SYSTEM_PROMPT = `You are a security expert explaining code vulnerabilities to developers.
+Your explanations should be:
+- Clear and actionable
+- Focused on the specific code pattern
+- Include concrete remediation steps
+- Reference relevant security standards (OWASP, CWE) when applicable
+Always respond with valid JSON matching this structure:
+{
+  "summary": "1-2 sentence summary",
+  "explanation": "Detailed explanation of the vulnerability",
+  "risk": "What an attacker could do if this is exploited",
+  "remediation": "Step-by-step instructions to fix",
+  "safeExample": "Code example showing the safe pattern",
+  "references": ["optional array of CVE/CWE/OWASP references"]
+}`;
+async function explainGap(gap, category, config2) {
+  const ai = createAIService(config2);
+  if (!ai.isConfigured()) {
+    return {
+      success: false,
+      error: "AI service not configured",
+      durationMs: 0
+    };
+  }
+  const prompt = buildExplainPrompt(gap);
+  const response = await ai.completeJSON({
+    systemPrompt: SYSTEM_PROMPT,
+    messages: [{ role: "user", content: prompt }],
+    maxTokens: 1024,
+    temperature: 0.3
+  });
+  return response;
+}
+async function explainGaps(gaps, categories, config2) {
+  const results = /* @__PURE__ */ new Map();
+  const BATCH_SIZE = 5;
+  for (let i = 0; i < gaps.length; i += BATCH_SIZE) {
+    const batch = gaps.slice(i, i + BATCH_SIZE);
+    const promises = batch.map(async (gap) => {
+      const category = categories?.get(gap.categoryId);
+      const result = await explainGap(gap, category, config2);
+      return { key: `${gap.filePath}:${gap.lineStart}:${gap.categoryId}`, result };
+    });
+    const batchResults = await Promise.all(promises);
+    for (const { key, result } of batchResults) {
+      results.set(key, result);
+    }
+  }
+  return results;
+}
+function buildExplainPrompt(gap, category) {
+  const parts = [];
+  parts.push(`Explain this security finding:
+`);
+  parts.push(`**Category:** ${gap.categoryName} (${gap.categoryId})`);
+  parts.push(`**Severity:** ${gap.severity}`);
+  parts.push(`**Confidence:** ${gap.confidence}`);
+  parts.push(`**File:** ${gap.filePath}`);
+  parts.push(`**Line:** ${gap.lineStart}`);
+  if (gap.codeSnippet) {
+    parts.push(`
+**Code:**
+\`\`\`
+${gap.codeSnippet}
+\`\`\``);
+  }
+  parts.push(`
+**Pattern:** ${gap.patternId}`);
+  parts.push(`**Detection Type:** ${gap.patternType}`);
+  parts.push(`
+Provide a clear, actionable explanation for a developer.`);
+  return parts.join("\n");
+}
+function generateFallbackExplanation(gap) {
+  const summaries = {
+    "sql-injection": "SQL query constructed with user input may allow injection attacks.",
+    "xss": "User input rendered without escaping may allow script injection.",
+    "command-injection": "Shell command constructed with user input may allow command execution.",
+    "path-traversal": "File path constructed with user input may allow directory traversal.",
+    "hardcoded-secrets": "Sensitive credentials found in source code.",
+    "deserialization": "Untrusted data deserialization may allow code execution.",
+    "ssrf": "Server-side request with user-controlled URL may allow internal access.",
+    "xxe": "XML parser may be vulnerable to external entity injection.",
+    "csrf": "State-changing request lacks CSRF protection.",
+    "ldap-injection": "LDAP query constructed with user input may allow injection."
+  };
+  const remediations = {
+    "sql-injection": "Use parameterized queries or prepared statements. Never concatenate user input into SQL strings.",
+    "xss": "Escape all user input before rendering in HTML. Use framework auto-escaping features.",
+    "command-injection": "Avoid shell execution with user input. Use allowlists and subprocess arrays instead of shell strings.",
+    "path-traversal": "Validate and sanitize file paths. Use path.resolve() and verify the result is within allowed directories.",
+    "hardcoded-secrets": "Move secrets to environment variables or a secrets manager. Never commit credentials to source control.",
+    "deserialization": "Avoid deserializing untrusted data. If necessary, use safe formats like JSON instead of pickle/yaml.",
+    "ssrf": "Validate and allowlist URLs. Block private IP ranges and localhost.",
+    "xxe": "Disable external entity processing in XML parser configuration.",
+    "csrf": "Implement CSRF tokens for all state-changing requests.",
+    "ldap-injection": "Escape special LDAP characters in user input. Use parameterized LDAP queries."
+  };
+  const summary = summaries[gap.categoryId] ?? `Potential ${gap.categoryName} vulnerability detected.`;
+  const remediation = remediations[gap.categoryId] ?? `Review the code for security issues and apply appropriate fixes.`;
+  return {
+    summary,
+    explanation: `The pattern "${gap.patternId}" detected a potential ${gap.categoryName} vulnerability at line ${gap.lineStart}. This type of issue has ${gap.severity} severity and was detected with ${gap.confidence} confidence.`,
+    risk: `If exploited, this vulnerability could compromise the security of the application. Severity: ${gap.severity}.`,
+    remediation,
+    references: []
+  };
+}
 // src/ai/template-filler.ts
-var SYSTEM_PROMPT = `You are an expert at analyzing code and extracting meaningful variable values for test generation.
+var SYSTEM_PROMPT2 = `You are an expert at analyzing code and extracting meaningful variable values for test generation.
 Given a code snippet and a list of template variables, suggest appropriate values for each variable.
 For each variable, analyze:
@@ -7551,7 +7665,7 @@ async function suggestVariables(request, config2) {
   const prompt = buildVariablePrompt(request);
   const startTime = Date.now();
   const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT,
+    systemPrompt: SYSTEM_PROMPT2,
     messages: [{ role: "user", content: prompt }],
     maxTokens: 1024,
     temperature: 0.2
@@ -7742,438 +7856,72 @@ function toPascalCase(str) {
   return str.split(/[-_\s]+/).map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase()).join("");
 }
-// src/cli/generate-formatters.ts
-function formatGeneratedTerminal(tests, basePath) {
-  const lines = [];
-  if (tests.length === 0) {
-    lines.push(chalk5.yellow("No tests generated."));
-    return lines.join("\n");
-  }
-  lines.push(chalk5.bold.cyan(`
-Generated ${tests.length} test(s):
-`));
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  for (const test of tests) {
-    const relGapPath = relative(basePath, test.gap.filePath);
-    lines.push("");
-    lines.push(chalk5.bold.white(`Test for: ${test.gap.categoryName}`));
-    lines.push(chalk5.gray(`  Gap location: ${relGapPath}:${test.gap.lineStart}`));
-    lines.push(chalk5.gray(`  Template: ${test.template.id}`));
-    lines.push(chalk5.gray(`  Output: ${test.suggestedPath}`));
-    lines.push("");
-    lines.push(chalk5.cyan(`// --- ${test.suggestedPath} ---`));
-    lines.push("");
-    if (test.result.imports.length > 0) {
-      for (const imp of test.result.imports) {
-        lines.push(chalk5.gray(imp));
-      }
-      lines.push("");
+// src/ai/pattern-suggester.ts
+var SYSTEM_PROMPT3 = `You are an expert at creating regex patterns for detecting security vulnerabilities in code.
+Given vulnerable code samples, generate regex patterns that will detect similar vulnerabilities.
+Your patterns should:
+1. Be specific enough to avoid false positives
+2. Be general enough to catch variations
+3. Use standard regex syntax (no lookbehind for compatibility)
+4. Include examples of what matches and what doesn't
+Always respond with valid JSON matching this structure:
+{
+  "suggestions": [
+    {
+      "id": "pattern-id-kebab-case",
+      "pattern": "regex pattern here",
+      "description": "What this pattern detects",
+      "confidence": "high|medium|low",
+      "matchExample": "code that should match",
+      "safeExample": "similar code that should NOT match",
+      "reasoning": "Why this pattern works"
     }
-    lines.push(test.result.content);
-    lines.push("");
-    lines.push(chalk5.gray("\u2500".repeat(60)));
+  ]
+}
+Important:
+- Escape backslashes properly for JSON (use \\\\s not \\s)
+- Test your patterns mentally against the examples
+- Prefer simpler patterns that are less likely to cause ReDoS`;
+async function suggestPatterns(request, config2) {
+  const ai = createAIService(config2);
+  if (!ai.isConfigured()) {
+    return {
+      success: false,
+      error: "AI service not configured. Set ANTHROPIC_API_KEY or OPENAI_API_KEY.",
+      durationMs: 0
+    };
   }
-  lines.push("");
-  lines.push(chalk5.bold("Summary:"));
-  lines.push(`  Tests generated: ${chalk5.green(tests.length.toString())}`);
-  const categories = new Set(tests.map((t) => t.category.id));
-  lines.push(`  Categories covered: ${chalk5.cyan(categories.size.toString())}`);
-  if (tests.some((t) => t.result.unresolved.length > 0)) {
-    const unresolvedCount = tests.reduce((acc, t) => acc + t.result.unresolved.length, 0);
-    lines.push(chalk5.yellow(`  Unresolved placeholders: ${unresolvedCount}`));
-    lines.push(chalk5.gray("  (Some placeholders need manual completion)"));
+  const prompt = buildPatternPrompt(request);
+  const response = await ai.completeJSON({
+    systemPrompt: SYSTEM_PROMPT3,
+    messages: [{ role: "user", content: prompt }],
+    maxTokens: 2048,
+    temperature: 0.3
+  });
+  if (!response.success || !response.data) {
+    return {
+      success: false,
+      error: response.error ?? "Failed to generate patterns",
+      durationMs: response.durationMs
+    };
   }
-  lines.push("");
-  lines.push(chalk5.gray("This is a dry run. Use --write to save files."));
-  return lines.join("\n");
-}
-function formatGeneratedJson(tests) {
-  const output = tests.map((test) => ({
-    gap: {
-      categoryId: test.gap.categoryId,
-      categoryName: test.gap.categoryName,
-      filePath: test.gap.filePath,
-      lineStart: test.gap.lineStart,
-      severity: test.gap.severity,
-      confidence: test.gap.confidence
-    },
-    template: {
-      id: test.template.id,
-      framework: test.template.framework,
-      language: test.template.language
-    },
-    suggestedPath: test.suggestedPath,
-    content: test.result.content,
-    imports: test.result.imports,
-    fixtures: test.result.fixtures,
-    substituted: test.result.substituted,
-    unresolved: test.result.unresolved
-  }));
-  return JSON.stringify(output, null, 2);
-}
-function suggestTestPath(sourceFile, template, basePath) {
-  const dir = dirname(sourceFile);
-  const name = basename(sourceFile);
-  const nameWithoutExt = name.replace(/\.[^.]+$/, "");
-  const extMap = {
-    python: ".py",
-    typescript: ".ts",
-    javascript: ".js",
-    go: "_test.go",
-    java: "Test.java",
-    rust: ".rs"
-  };
-  const ext = extMap[template.language] ?? ".test.ts";
-  let testFileName;
-  switch (template.language) {
-    case "python":
-      testFileName = `test_${nameWithoutExt}${ext}`;
-      break;
-    case "go":
-      testFileName = `${nameWithoutExt}${ext}`;
-      break;
-    case "java":
-      testFileName = `${nameWithoutExt}${ext}`;
-      break;
-    default:
-      testFileName = `${nameWithoutExt}.test${ext}`;
-  }
-  const relativeSrc = relative(basePath, dir);
-  const testDir = relativeSrc.replace(/^src/, "tests");
-  return `${testDir}/${testFileName}`;
-}
-function extractVariablesFromGap(gap) {
-  const fileName = basename(gap.filePath);
-  const fileNameWithoutExt = fileName.replace(/\.[^.]+$/, "");
-  const funcMatch = gap.codeSnippet.match(/(?:def|function|async function|const|let|var)\s+(\w+)/);
-  const classMatch = gap.codeSnippet.match(/(?:class)\s+(\w+)/);
-  return {
-    // File info
-    filePath: gap.filePath,
-    fileName,
-    fileNameWithoutExt,
-    lineNumber: gap.lineStart,
-    // Category info
-    categoryId: gap.categoryId,
-    categoryName: gap.categoryName,
-    domain: gap.domain,
-    level: gap.level,
-    severity: gap.severity,
-    confidence: gap.confidence,
-    // Code context
-    codeSnippet: gap.codeSnippet,
-    functionName: funcMatch?.[1] ?? "targetFunction",
-    className: classMatch?.[1] ?? "TargetClass",
-    // Common template variables
-    testName: `test_${gap.categoryId.replace(/-/g, "_")}`,
-    testDescription: `Test for ${gap.categoryName} in ${fileName}:${gap.lineStart}`,
-    // Pattern info
-    patternId: gap.patternId,
-    patternType: gap.patternType
-  };
-}
-async function extractVariablesWithAI(gap, templateVariables, aiConfig) {
-  const baseVars = extractVariablesFromGap(gap);
-  const result = await suggestVariables(
-    {
-      codeSnippet: gap.codeSnippet,
-      filePath: gap.filePath,
-      variables: templateVariables,
-      gap,
-      existingValues: baseVars
-    },
-    aiConfig
-  );
-  if (result.success && result.data) {
-    return result.data.values;
-  }
-  return baseVars;
-}
-async function writeGeneratedTests(tests, basePath, outputDir) {
-  const summary = {
-    created: [],
-    updated: [],
-    failed: [],
-    totalTests: 0
-  };
-  const testsByFile = /* @__PURE__ */ new Map();
-  for (const test of tests) {
-    let outputPath;
-    if (outputDir) {
-      outputPath = resolve(basePath, outputDir, test.suggestedPath);
-    } else {
-      outputPath = resolve(basePath, test.suggestedPath);
-    }
-    const existing = testsByFile.get(outputPath) ?? [];
-    existing.push(test);
-    testsByFile.set(outputPath, existing);
-  }
-  for (const [outputPath, fileTests] of testsByFile) {
-    try {
-      const dir = dirname(outputPath);
-      await mkdir(dir, { recursive: true });
-      let existingContent = "";
-      let fileExists = false;
-      try {
-        existingContent = await readFile(outputPath, "utf-8");
-        fileExists = true;
-      } catch {
-      }
-      const contentParts = [];
-      const allImports = /* @__PURE__ */ new Set();
-      for (const test of fileTests) {
-        for (const imp of test.result.imports) {
-          allImports.add(imp);
-        }
-      }
-      if (!fileExists && allImports.size > 0) {
-        contentParts.push(Array.from(allImports).join("\n"));
-        contentParts.push("");
-      }
-      for (const test of fileTests) {
-        contentParts.push(`// Test for ${test.gap.categoryName}`);
-        contentParts.push(`// Gap: ${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`);
-        contentParts.push(`// Generated by Pinata`);
-        contentParts.push("");
-        contentParts.push(test.result.content);
-        contentParts.push("");
-      }
-      const newContent = contentParts.join("\n");
-      let finalContent;
-      let appended = false;
-      if (fileExists) {
-        finalContent = existingContent.trimEnd() + "\n\n" + newContent;
-        appended = true;
-      } else {
-        finalContent = newContent;
-      }
-      await writeFile(outputPath, finalContent, "utf-8");
-      for (const test of fileTests) {
-        const result = {
-          path: outputPath,
-          created: !fileExists,
-          appended,
-          categoryId: test.gap.categoryId,
-          gapLocation: `${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`
-        };
-        if (fileExists) {
-          summary.updated.push(result);
-        } else {
-          summary.created.push(result);
-        }
-        summary.totalTests++;
-      }
-    } catch (error) {
-      summary.failed.push({
-        path: outputPath,
-        error: error instanceof Error ? error.message : String(error)
-      });
-    }
-  }
-  return ok(summary);
-}
-function formatWriteSummary(summary, basePath) {
-  const lines = [];
-  lines.push("");
-  lines.push(chalk5.bold.cyan("Write Summary:"));
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  if (summary.created.length > 0) {
-    const uniquePaths = new Set(summary.created.map((r) => r.path));
-    lines.push("");
-    lines.push(chalk5.green.bold(`Created ${uniquePaths.size} file(s):`));
-    for (const path2 of uniquePaths) {
-      const relPath = relative(basePath, path2);
-      const testsInFile = summary.created.filter((r) => r.path === path2).length;
-      lines.push(chalk5.green(`  + ${relPath} (${testsInFile} test(s))`));
-    }
-  }
-  if (summary.updated.length > 0) {
-    const uniquePaths = new Set(summary.updated.map((r) => r.path));
-    lines.push("");
-    lines.push(chalk5.yellow.bold(`Updated ${uniquePaths.size} file(s):`));
-    for (const path2 of uniquePaths) {
-      const relPath = relative(basePath, path2);
-      const testsInFile = summary.updated.filter((r) => r.path === path2).length;
-      lines.push(chalk5.yellow(`  ~ ${relPath} (${testsInFile} test(s) appended)`));
-    }
-  }
-  if (summary.failed.length > 0) {
-    lines.push("");
-    lines.push(chalk5.red.bold(`Failed to write ${summary.failed.length} file(s):`));
-    for (const fail of summary.failed) {
-      const relPath = relative(basePath, fail.path);
-      lines.push(chalk5.red(`  \u2717 ${relPath}: ${fail.error}`));
-    }
-  }
-  lines.push("");
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  lines.push(chalk5.bold(`Total: ${summary.totalTests} test(s) written to ${(/* @__PURE__ */ new Set([...summary.created.map((r) => r.path), ...summary.updated.map((r) => r.path)])).size} file(s)`));
-  if (summary.failed.length > 0) {
-    lines.push(chalk5.red(`Failures: ${summary.failed.length}`));
-  }
-  return lines.join("\n");
-}
-// src/ai/explainer.ts
-var SYSTEM_PROMPT2 = `You are a security expert explaining code vulnerabilities to developers.
-Your explanations should be:
-- Clear and actionable
-- Focused on the specific code pattern
-- Include concrete remediation steps
-- Reference relevant security standards (OWASP, CWE) when applicable
-Always respond with valid JSON matching this structure:
-{
-  "summary": "1-2 sentence summary",
-  "explanation": "Detailed explanation of the vulnerability",
-  "risk": "What an attacker could do if this is exploited",
-  "remediation": "Step-by-step instructions to fix",
-  "safeExample": "Code example showing the safe pattern",
-  "references": ["optional array of CVE/CWE/OWASP references"]
-}`;
-async function explainGap(gap, category, config2) {
-  const ai = createAIService(config2);
-  if (!ai.isConfigured()) {
-    return {
-      success: false,
-      error: "AI service not configured",
-      durationMs: 0
-    };
-  }
-  const prompt = buildExplainPrompt(gap);
-  const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT2,
-    messages: [{ role: "user", content: prompt }],
-    maxTokens: 1024,
-    temperature: 0.3
-  });
-  return response;
-}
-function buildExplainPrompt(gap, category) {
-  const parts = [];
-  parts.push(`Explain this security finding:
-`);
-  parts.push(`**Category:** ${gap.categoryName} (${gap.categoryId})`);
-  parts.push(`**Severity:** ${gap.severity}`);
-  parts.push(`**Confidence:** ${gap.confidence}`);
-  parts.push(`**File:** ${gap.filePath}`);
-  parts.push(`**Line:** ${gap.lineStart}`);
-  if (gap.codeSnippet) {
-    parts.push(`
-**Code:**
-\`\`\`
-${gap.codeSnippet}
-\`\`\``);
-  }
-  parts.push(`
-**Pattern:** ${gap.patternId}`);
-  parts.push(`**Detection Type:** ${gap.patternType}`);
-  parts.push(`
-Provide a clear, actionable explanation for a developer.`);
-  return parts.join("\n");
-}
-function generateFallbackExplanation(gap) {
-  const summaries = {
-    "sql-injection": "SQL query constructed with user input may allow injection attacks.",
-    "xss": "User input rendered without escaping may allow script injection.",
-    "command-injection": "Shell command constructed with user input may allow command execution.",
-    "path-traversal": "File path constructed with user input may allow directory traversal.",
-    "hardcoded-secrets": "Sensitive credentials found in source code.",
-    "deserialization": "Untrusted data deserialization may allow code execution.",
-    "ssrf": "Server-side request with user-controlled URL may allow internal access.",
-    "xxe": "XML parser may be vulnerable to external entity injection.",
-    "csrf": "State-changing request lacks CSRF protection.",
-    "ldap-injection": "LDAP query constructed with user input may allow injection."
-  };
-  const remediations = {
-    "sql-injection": "Use parameterized queries or prepared statements. Never concatenate user input into SQL strings.",
-    "xss": "Escape all user input before rendering in HTML. Use framework auto-escaping features.",
-    "command-injection": "Avoid shell execution with user input. Use allowlists and subprocess arrays instead of shell strings.",
-    "path-traversal": "Validate and sanitize file paths. Use path.resolve() and verify the result is within allowed directories.",
-    "hardcoded-secrets": "Move secrets to environment variables or a secrets manager. Never commit credentials to source control.",
-    "deserialization": "Avoid deserializing untrusted data. If necessary, use safe formats like JSON instead of pickle/yaml.",
-    "ssrf": "Validate and allowlist URLs. Block private IP ranges and localhost.",
-    "xxe": "Disable external entity processing in XML parser configuration.",
-    "csrf": "Implement CSRF tokens for all state-changing requests.",
-    "ldap-injection": "Escape special LDAP characters in user input. Use parameterized LDAP queries."
-  };
-  const summary = summaries[gap.categoryId] ?? `Potential ${gap.categoryName} vulnerability detected.`;
-  const remediation = remediations[gap.categoryId] ?? `Review the code for security issues and apply appropriate fixes.`;
-  return {
-    summary,
-    explanation: `The pattern "${gap.patternId}" detected a potential ${gap.categoryName} vulnerability at line ${gap.lineStart}. This type of issue has ${gap.severity} severity and was detected with ${gap.confidence} confidence.`,
-    risk: `If exploited, this vulnerability could compromise the security of the application. Severity: ${gap.severity}.`,
-    remediation,
-    references: []
-  };
-}
-// src/ai/pattern-suggester.ts
-var SYSTEM_PROMPT3 = `You are an expert at creating regex patterns for detecting security vulnerabilities in code.
-Given vulnerable code samples, generate regex patterns that will detect similar vulnerabilities.
-Your patterns should:
-1. Be specific enough to avoid false positives
-2. Be general enough to catch variations
-3. Use standard regex syntax (no lookbehind for compatibility)
-4. Include examples of what matches and what doesn't
-Always respond with valid JSON matching this structure:
-{
-  "suggestions": [
-    {
-      "id": "pattern-id-kebab-case",
-      "pattern": "regex pattern here",
-      "description": "What this pattern detects",
-      "confidence": "high|medium|low",
-      "matchExample": "code that should match",
-      "safeExample": "similar code that should NOT match",
-      "reasoning": "Why this pattern works"
-    }
-  ]
-}
-Important:
-- Escape backslashes properly for JSON (use \\\\s not \\s)
-- Test your patterns mentally against the examples
-- Prefer simpler patterns that are less likely to cause ReDoS`;
-async function suggestPatterns(request, config2) {
-  const ai = createAIService(config2);
-  if (!ai.isConfigured()) {
-    return {
-      success: false,
-      error: "AI service not configured. Set ANTHROPIC_API_KEY or OPENAI_API_KEY.",
-      durationMs: 0
-    };
-  }
-  const prompt = buildPatternPrompt(request);
-  const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT3,
-    messages: [{ role: "user", content: prompt }],
-    maxTokens: 2048,
-    temperature: 0.3
-  });
-  if (!response.success || !response.data) {
-    return {
-      success: false,
-      error: response.error ?? "Failed to generate patterns",
-      durationMs: response.durationMs
-    };
-  }
-  const validated = validatePatterns(
-    response.data.suggestions ?? [],
-    request.vulnerableCode,
-    request.safeCode ?? []
-  );
-  const result = {
-    success: true,
-    data: validated,
-    durationMs: response.durationMs
-  };
-  if (response.usage) {
-    result.usage = response.usage;
-  }
-  return result;
+  const validated = validatePatterns(
+    response.data.suggestions ?? [],
+    request.vulnerableCode,
+    request.safeCode ?? []
+  );
+  const result = {
+    success: true,
+    data: validated,
+    durationMs: response.durationMs
+  };
+  if (response.usage) {
+    result.usage = response.usage;
+  }
+  return result;
 }
 function buildPatternPrompt(request) {
   const parts = [];
@@ -8277,73 +8025,89 @@ function hasRedosPotential(pattern) {
 // src/cli/index.ts
 init_results_cache();
+var __filename2 = fileURLToPath(import.meta.url);
+var __dirname2 = dirname(__filename2);
+function getDefinitionsPath() {
+  const candidates = [
+    resolve(__dirname2, "../../src/categories/definitions"),
+    resolve(process.cwd(), "src/categories/definitions"),
+    resolve(__dirname2, "../categories/definitions")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return candidates[0];
+}
+init_results_cache();
 var SEVERITY_COLORS2 = {
-  critical: chalk5.red.bold,
-  high: chalk5.red,
-  medium: chalk5.yellow,
-  low: chalk5.gray
+  critical: chalk7.red.bold,
+  high: chalk7.red,
+  medium: chalk7.yellow,
+  low: chalk7.gray
 };
 var DOMAIN_COLORS2 = {
-  security: chalk5.red,
-  data: chalk5.blue,
-  concurrency: chalk5.magenta,
-  input: chalk5.cyan,
-  resource: chalk5.yellow,
-  reliability: chalk5.green,
-  performance: chalk5.yellowBright,
-  platform: chalk5.gray,
-  business: chalk5.white,
-  compliance: chalk5.blueBright
+  security: chalk7.red,
+  data: chalk7.blue,
+  concurrency: chalk7.magenta,
+  input: chalk7.cyan,
+  resource: chalk7.yellow,
+  reliability: chalk7.green,
+  performance: chalk7.yellowBright,
+  platform: chalk7.gray,
+  business: chalk7.white,
+  compliance: chalk7.blueBright
 };
 var GRADE_COLORS = {
-  A: chalk5.green.bold,
-  B: chalk5.green,
-  C: chalk5.yellow,
-  D: chalk5.red,
-  F: chalk5.red.bold
+  A: chalk7.green.bold,
+  B: chalk7.green,
+  C: chalk7.yellow,
+  D: chalk7.red,
+  F: chalk7.red.bold
 };
 var BANNER = `
-${chalk5.cyan(" ____  _             _        ")}
-${chalk5.cyan("|  _ \\(_)_ __   __ _| |_ __ _ ")}
-${chalk5.cyan("| |_) | | '_ \\ / _` | __/ _` |")}
-${chalk5.cyan("|  __/| | | | | (_| | || (_| |")}
-${chalk5.cyan("|_|   |_|_| |_|\\__,_|\\__\\__,_|")}
+${chalk7.cyan(" ____  _             _        ")}
+${chalk7.cyan("|  _ \\(_)_ __   __ _| |_ __ _ ")}
+${chalk7.cyan("| |_) | | '_ \\ / _` | __/ _` |")}
+${chalk7.cyan("|  __/| | | | | (_| | || (_| |")}
+${chalk7.cyan("|_|   |_|_| |_|\\__,_|\\__\\__,_|")}
 `;
 function formatScanTerminal(result, basePath) {
   const lines = [];
   lines.push(BANNER);
-  lines.push(chalk5.gray(`Analyzing: ${result.targetDirectory}`));
+  lines.push(chalk7.gray(`Analyzing: ${result.targetDirectory}`));
   const projectTypeLabel = getProjectTypeDescription(result.projectType.type);
-  lines.push(chalk5.gray(`Project: ${projectTypeLabel} (${result.projectType.confidence} confidence)`));
-  lines.push(chalk5.gray(`Files: ${result.fileStats.totalFiles} | Languages: ${formatLanguages(result)}`));
+  lines.push(chalk7.gray(`Project: ${projectTypeLabel} (${result.projectType.confidence} confidence)`));
+  lines.push(chalk7.gray(`Files: ${result.fileStats.totalFiles} | Languages: ${formatLanguages(result)}`));
   lines.push("");
   lines.push(formatScoreBox(result.score));
   lines.push("");
-  lines.push(chalk5.bold("Domain Coverage:"));
+  lines.push(chalk7.bold("Domain Coverage:"));
   lines.push(formatDomainCoverage(result.coverage));
   lines.push("");
   if (result.gaps.length > 0) {
     lines.push(formatGapsSummary(result.gaps, basePath));
     lines.push("");
   } else {
-    lines.push(chalk5.green.bold("No gaps detected! Your codebase has good test coverage."));
+    lines.push(chalk7.green.bold("No gaps detected! Your codebase has good test coverage."));
     lines.push("");
   }
   if (result.gaps.length > 0) {
-    lines.push(chalk5.gray("Run `pinata generate --gaps` to create tests for these gaps."));
+    lines.push(chalk7.gray("Run `pinata generate --gaps` to create tests for these gaps."));
   }
-  lines.push(chalk5.gray(`
+  lines.push(chalk7.gray(`
 Scan completed in ${result.durationMs}ms`));
   return lines.join("\n");
 }
 function formatScoreBox(score) {
-  const gradeColor = GRADE_COLORS[score.grade] ?? chalk5.white;
+  const gradeColor = GRADE_COLORS[score.grade] ?? chalk7.white;
   const scoreStr = `Pinata Score: ${score.overall}/100 ${gradeColor(`(${score.grade})`)}`;
   const boxWidth = 60;
   const padding = Math.floor((boxWidth - scoreStr.length) / 2);
-  const top = chalk5.cyan("\u2554" + "\u2550".repeat(boxWidth) + "\u2557");
-  const middle = chalk5.cyan("\u2551") + " ".repeat(padding) + scoreStr + " ".repeat(boxWidth - padding - scoreStr.length) + chalk5.cyan("\u2551");
-  const bottom = chalk5.cyan("\u255A" + "\u2550".repeat(boxWidth) + "\u255D");
+  const top = chalk7.cyan("\u2554" + "\u2550".repeat(boxWidth) + "\u2557");
+  const middle = chalk7.cyan("\u2551") + " ".repeat(padding) + scoreStr + " ".repeat(boxWidth - padding - scoreStr.length) + chalk7.cyan("\u2551");
+  const bottom = chalk7.cyan("\u255A" + "\u2550".repeat(boxWidth) + "\u255D");
   return `${top}
 ${middle}
 ${bottom}`;
@@ -8358,14 +8122,14 @@ function formatDomainCoverage(coverage) {
     }
     const percent = domainCoverage.coveragePercent;
     const filledWidth = Math.round(percent / 100 * barWidth);
-    const bar = chalk5.green("\u2588".repeat(filledWidth)) + chalk5.gray("\u2591".repeat(barWidth - filledWidth));
-    const domainColor = DOMAIN_COLORS2[domain] ?? chalk5.white;
+    const bar = chalk7.green("\u2588".repeat(filledWidth)) + chalk7.gray("\u2591".repeat(barWidth - filledWidth));
+    const domainColor = DOMAIN_COLORS2[domain] ?? chalk7.white;
     const domainName = domain.padEnd(15);
     const stats = `${domainCoverage.categoriesCovered}/${domainCoverage.categoriesScanned} categories`;
     lines.push(`  ${domainColor(domainName)} ${bar} ${percent.toString().padStart(3)}%  (${stats})`);
   }
   if (lines.length === 0) {
-    lines.push(chalk5.gray("  No domain coverage data available."));
+    lines.push(chalk7.gray("  No domain coverage data available."));
   }
   return lines.join("\n");
 }
@@ -8376,48 +8140,48 @@ function formatGapsSummary(gaps, basePath) {
   const medium = gaps.filter((g) => g.severity === "medium");
   const low = gaps.filter((g) => g.severity === "low");
   if (critical.length > 0) {
-    lines.push(chalk5.red.bold(`
+    lines.push(chalk7.red.bold(`
 Critical Gaps (${critical.length}):`));
     for (const gap of critical.slice(0, 5)) {
       lines.push(formatGapLine(gap, basePath, "critical"));
     }
     if (critical.length > 5) {
-      lines.push(chalk5.gray(`  ... and ${critical.length - 5} more critical gaps`));
+      lines.push(chalk7.gray(`  ... and ${critical.length - 5} more critical gaps`));
     }
   }
   if (high.length > 0) {
-    lines.push(chalk5.red(`
+    lines.push(chalk7.red(`
 High Severity Gaps (${high.length}):`));
     for (const gap of high.slice(0, 5)) {
       lines.push(formatGapLine(gap, basePath, "high"));
     }
     if (high.length > 5) {
-      lines.push(chalk5.gray(`  ... and ${high.length - 5} more high severity gaps`));
+      lines.push(chalk7.gray(`  ... and ${high.length - 5} more high severity gaps`));
     }
   }
   if (medium.length > 0) {
-    lines.push(chalk5.yellow(`
+    lines.push(chalk7.yellow(`
 Medium Severity Gaps (${medium.length}):`));
     for (const gap of medium.slice(0, 3)) {
       lines.push(formatGapLine(gap, basePath, "medium"));
     }
     if (medium.length > 3) {
-      lines.push(chalk5.gray(`  ... and ${medium.length - 3} more medium severity gaps`));
+      lines.push(chalk7.gray(`  ... and ${medium.length - 3} more medium severity gaps`));
     }
   }
   if (low.length > 0) {
-    lines.push(chalk5.gray(`
+    lines.push(chalk7.gray(`
 Low Severity: ${low.length} gaps`));
   }
   return lines.join("\n");
 }
 function formatGapLine(gap, basePath, severity) {
-  const severityColor = SEVERITY_COLORS2[severity] ?? chalk5.white;
+  const severityColor = SEVERITY_COLORS2[severity] ?? chalk7.white;
   const icon = severity === "critical" ? "\u26D4" : severity === "high" ? "\u{1F534}" : severity === "medium" ? "\u{1F7E1}" : "\u26AA";
   const relPath = relative(basePath, gap.filePath);
   const location = `${relPath}:${gap.lineStart}`;
   const confidence = gap.confidence.toUpperCase();
-  return `  ${icon} ${severityColor(gap.categoryName.padEnd(20))} ${chalk5.cyan(location.padEnd(30))} ${chalk5.gray(confidence)} confidence`;
+  return `  ${icon} ${severityColor(gap.categoryName.padEnd(20))} ${chalk7.cyan(location.padEnd(30))} ${chalk7.gray(confidence)} confidence`;
 }
 function formatLanguages(result) {
   const languages = [];
@@ -8640,637 +8404,785 @@ function isValidScanOutputFormat(format) {
   return ["terminal", "json", "markdown", "sarif", "html", "junit-xml"].includes(format);
 }
-// src/cli/index.ts
-var __filename2 = fileURLToPath(import.meta.url);
-var __dirname2 = dirname(__filename2);
-function getDefinitionsPath() {
-  const candidates = [
-    // When running from dist/cli/index.js
-    resolve(__dirname2, "../../src/categories/definitions"),
-    // When running from project root via npx/npm
-    resolve(process.cwd(), "src/categories/definitions"),
-    // When bundled in dist (future)
-    resolve(__dirname2, "../categories/definitions")
-  ];
-  for (const candidate of candidates) {
-    if (existsSync(candidate)) {
-      return candidate;
-    }
-  }
-  return candidates[0];
-}
-var program = new Command();
-program.name("pinata").description("AI-powered test coverage analysis and generation").version(VERSION);
-program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("--output-file <path>", "Write output to file (useful for SARIF upload)").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
-  const isQuiet = Boolean(options["quiet"]);
-  const isVerbose = Boolean(options["verbose"]);
-  if (isQuiet) {
-    logger.configure({ level: "error" });
-  } else if (isVerbose) {
-    logger.configure({ level: "debug" });
-  }
-  const targetDirectory = resolve(targetPath ?? process.cwd());
-  if (!existsSync(targetDirectory)) {
-    console.error(formatError(new Error(`Directory not found: ${targetDirectory}`)));
-    process.exit(1);
-  }
-  const outputFormat = String(options["output"] ?? "terminal");
-  if (!isValidScanOutputFormat(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown, sarif`)));
-    process.exit(1);
-  }
-  const validSeverities = ["critical", "high", "medium", "low"];
-  const minSeverity = String(options["severity"] ?? "low");
-  if (!validSeverities.includes(minSeverity)) {
-    console.error(formatError(new Error(`Invalid severity: ${minSeverity}. Use: critical, high, medium, low`)));
-    process.exit(1);
-  }
-  const validConfidences = ["high", "medium", "low"];
-  const minConfidence = String(options["confidence"] ?? "high");
-  if (!validConfidences.includes(minConfidence)) {
-    console.error(formatError(new Error(`Invalid confidence: ${minConfidence}. Use: high, medium, low`)));
-    process.exit(1);
-  }
-  const domainsStr = options["domains"];
-  let domains = [];
-  if (domainsStr) {
-    const domainList = domainsStr.split(",").map((d) => d.trim());
-    for (const domain of domainList) {
-      if (!RISK_DOMAINS.includes(domain)) {
-        console.error(formatError(new Error(`Invalid domain: ${domain}. Valid domains: ${RISK_DOMAINS.join(", ")}`)));
-        process.exit(1);
-      }
+// src/cli/commands/analyze.ts
+function registerAnalyzeCommand(program2) {
+  program2.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("--output-file <path>", "Write output to file (useful for SARIF upload)").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
+    const isQuiet = Boolean(options["quiet"]);
+    const isVerbose = Boolean(options["verbose"]);
+    if (isQuiet) {
+      logger.configure({ level: "error" });
+    } else if (isVerbose) {
+      logger.configure({ level: "debug" });
     }
-    domains = domainList;
-  }
-  const excludeStr = options["exclude"];
-  const excludeDirs = excludeStr ? excludeStr.split(",").map((d) => d.trim()) : void 0;
-  const failOn = options["failOn"];
-  if (failOn && !["critical", "high", "medium"].includes(failOn)) {
-    console.error(formatError(new Error(`Invalid fail-on level: ${failOn}. Use: critical, high, medium`)));
-    process.exit(1);
-  }
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading categories...").start() : null;
-  try {
-    const store = createCategoryStore();
-    const definitionsPath = getDefinitionsPath();
-    logger.debug(`Loading categories from: ${definitionsPath}`);
-    const loadResult = await store.loadFromDirectory(definitionsPath);
-    if (!loadResult.success) {
-      spinner?.fail("Failed to load categories");
-      console.error(formatError(loadResult.error));
+    const targetDirectory = resolve(targetPath ?? process.cwd());
+    if (!existsSync(targetDirectory)) {
+      console.error(formatError(new Error(`Directory not found: ${targetDirectory}`)));
       process.exit(1);
     }
-    if (spinner) {
-      spinner.text = `Loaded ${loadResult.data} categories. Scanning...`;
-    }
-    logger.debug(`Loaded ${loadResult.data} categories`);
-    const scanner = createScanner(store);
-    const scanOptions = {
-      minSeverity,
-      minConfidence,
-      detectTestFiles: true
-    };
-    if (domains.length > 0) {
-      scanOptions.domains = domains;
+    const outputFormat = String(options["output"] ?? "terminal");
+    if (!isValidScanOutputFormat(outputFormat)) {
+      console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown, sarif`)));
+      process.exit(1);
     }
-    if (excludeDirs) {
-      scanOptions.excludeDirs = excludeDirs;
+    const validSeverities = ["critical", "high", "medium", "low"];
+    const minSeverity = String(options["severity"] ?? "low");
+    if (!validSeverities.includes(minSeverity)) {
+      console.error(formatError(new Error(`Invalid severity: ${minSeverity}. Use: critical, high, medium, low`)));
+      process.exit(1);
     }
-    const scanResult = await scanner.scanDirectory(targetDirectory, scanOptions);
-    if (!scanResult.success) {
-      spinner?.fail("Scan failed");
-      console.error(formatError(scanResult.error));
+    const validConfidences = ["high", "medium", "low"];
+    const minConfidence = String(options["confidence"] ?? "high");
+    if (!validConfidences.includes(minConfidence)) {
+      console.error(formatError(new Error(`Invalid confidence: ${minConfidence}. Use: high, medium, low`)));
       process.exit(1);
     }
-    spinner?.stop();
-    const shouldVerify = Boolean(options["verify"]);
-    if (shouldVerify && scanResult.data.gaps.length > 0) {
-      const { hasApiKey: hasApiKey2, setConfigValue: setConfigValue2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-      const { createInterface } = await import('readline');
-      let provider = "anthropic";
-      if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
-        spinner?.stop();
-        console.log(chalk5.yellow("\nAI verification requires an API key."));
-        console.log(chalk5.gray("Get one at: https://console.anthropic.com/settings/keys"));
-        console.log(chalk5.gray("Or: https://platform.openai.com/api-keys\n"));
-        const rl = createInterface({ input: process.stdin, output: process.stdout });
-        const askQuestion = (question) => {
-          return new Promise((resolve7) => {
-            rl.question(question, (answer) => resolve7(answer.trim()));
-          });
-        };
-        const apiKey = await askQuestion(chalk5.cyan("Enter your Anthropic or OpenAI API key: "));
-        rl.close();
-        if (!apiKey) {
-          console.log(chalk5.red("No API key provided. Skipping AI verification."));
-        } else {
-          if (apiKey.startsWith("sk-ant-")) {
-            setConfigValue2("anthropicApiKey", apiKey);
-            provider = "anthropic";
-            console.log(chalk5.green("Anthropic API key saved to ~/.pinata/config.json\n"));
+    const domainsStr = options["domains"];
+    let domains = [];
+    if (domainsStr) {
+      const domainList = domainsStr.split(",").map((d) => d.trim());
+      for (const domain of domainList) {
+        if (!RISK_DOMAINS.includes(domain)) {
+          console.error(formatError(new Error(`Invalid domain: ${domain}. Valid domains: ${RISK_DOMAINS.join(", ")}`)));
+          process.exit(1);
+        }
+      }
+      domains = domainList;
+    }
+    const excludeStr = options["exclude"];
+    const excludeDirs = excludeStr ? excludeStr.split(",").map((d) => d.trim()) : void 0;
+    const failOn = options["failOn"];
+    if (failOn && !["critical", "high", "medium"].includes(failOn)) {
+      console.error(formatError(new Error(`Invalid fail-on level: ${failOn}. Use: critical, high, medium`)));
+      process.exit(1);
+    }
+    const showSpinner = outputFormat === "terminal" && !isQuiet;
+    const spinner = showSpinner ? ora3("Loading categories...").start() : null;
+    try {
+      const store = createCategoryStore();
+      const definitionsPath = getDefinitionsPath();
+      logger.debug(`Loading categories from: ${definitionsPath}`);
+      const loadResult = await store.loadFromDirectory(definitionsPath);
+      if (!loadResult.success) {
+        spinner?.fail("Failed to load categories");
+        console.error(formatError(loadResult.error));
+        process.exit(1);
+      }
+      if (spinner) {
+        spinner.text = `Loaded ${loadResult.data} categories. Scanning...`;
+      }
+      const scanner = createScanner(store);
+      const scanOptions = {
+        minSeverity,
+        minConfidence,
+        detectTestFiles: true
+      };
+      if (domains.length > 0) {
+        scanOptions.domains = domains;
+      }
+      if (excludeDirs) {
+        scanOptions.excludeDirs = excludeDirs;
+      }
+      const scanResult = await scanner.scanDirectory(targetDirectory, scanOptions);
+      if (!scanResult.success) {
+        spinner?.fail("Scan failed");
+        console.error(formatError(scanResult.error));
+        process.exit(1);
+      }
+      spinner?.stop();
+      const shouldVerify = Boolean(options["verify"]);
+      if (shouldVerify && scanResult.data.gaps.length > 0) {
+        const { hasApiKey: hasApiKey2, setConfigValue: setConfigValue2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+        const { createInterface } = await import('readline');
+        let provider = "anthropic";
+        if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
+          spinner?.stop();
+          console.log(chalk7.yellow("\nAI verification requires an API key."));
+          console.log(chalk7.gray("Get one at: https://console.anthropic.com/settings/keys"));
+          console.log(chalk7.gray("Or: https://platform.openai.com/api-keys\n"));
+          const rl = createInterface({ input: process.stdin, output: process.stdout });
+          const askQuestion = (question) => new Promise((resolve9) => rl.question(question, (answer) => resolve9(answer.trim())));
+          const apiKey = await askQuestion(chalk7.cyan("Enter your Anthropic or OpenAI API key: "));
+          rl.close();
+          if (!apiKey) {
+            console.log(chalk7.red("No API key provided. Skipping AI verification."));
           } else {
-            setConfigValue2("openaiApiKey", apiKey);
-            provider = "openai";
-            console.log(chalk5.green("OpenAI API key saved to ~/.pinata/config.json\n"));
+            if (apiKey.startsWith("sk-ant-")) {
+              setConfigValue2("anthropicApiKey", apiKey);
+              provider = "anthropic";
+              console.log(chalk7.green("Anthropic API key saved to ~/.pinata/config.json\n"));
+            } else {
+              setConfigValue2("openaiApiKey", apiKey);
+              provider = "openai";
+              console.log(chalk7.green("OpenAI API key saved to ~/.pinata/config.json\n"));
+            }
           }
+        } else if (hasApiKey2("openai") && !hasApiKey2("anthropic")) {
+          provider = "openai";
         }
-      } else if (hasApiKey2("openai") && !hasApiKey2("anthropic")) {
-        provider = "openai";
-      }
-      if (!hasApiKey2(provider)) {
-      } else {
-        const verifySpinner = showSpinner ? ora("Verifying gaps with AI...").start() : null;
-        try {
-          const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
-          const { readFile: readFile7 } = await import('fs/promises');
-          const apiKey = getApiKey2(provider);
-          const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
-          const { verified, dismissed, stats } = await verifier.verifyAll(
-            scanResult.data.gaps,
-            async (path2) => readFile7(path2, "utf-8")
-          );
-          scanResult.data.gaps = verified;
-          const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
-          let deduction = 0;
-          for (const gap of verified) {
-            deduction += severityWeights[gap.severity] ?? 1;
-          }
-          const newOverall = Math.max(0, 100 - deduction);
-          const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
-          scanResult.data.score.overall = newOverall;
-          scanResult.data.score.grade = newGrade;
-          verifySpinner?.succeed(
-            `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
-          );
-          if (isVerbose && dismissed.length > 0) {
-            console.log(chalk5.gray("\nDismissed as false positives:"));
-            for (const { gap, reason } of dismissed.slice(0, 5)) {
-              console.log(chalk5.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
-              console.log(chalk5.gray(`    Reason: ${reason.slice(0, 100)}...`));
+        if (hasApiKey2(provider)) {
+          const verifySpinner = showSpinner ? ora3("Verifying gaps with AI...").start() : null;
+          try {
+            const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
+            const { readFile: readFile7 } = await import('fs/promises');
+            const apiKey = getApiKey2(provider);
+            const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
+            const { verified, dismissed, stats } = await verifier.verifyAll(
+              scanResult.data.gaps,
+              async (path2) => readFile7(path2, "utf-8")
+            );
+            scanResult.data.gaps = verified;
+            const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
+            let deduction = 0;
+            for (const gap of verified) {
+              deduction += severityWeights[gap.severity] ?? 1;
+            }
+            const newOverall = Math.max(0, 100 - deduction);
+            const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
+            scanResult.data.score.overall = newOverall;
+            scanResult.data.score.grade = newGrade;
+            verifySpinner?.succeed(
+              `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
+            );
+            if (isVerbose && dismissed.length > 0) {
+              console.log(chalk7.gray("\nDismissed as false positives:"));
+              for (const { gap, reason } of dismissed.slice(0, 5)) {
+                console.log(chalk7.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
+                console.log(chalk7.gray(`    Reason: ${reason.slice(0, 100)}...`));
+              }
+              if (dismissed.length > 5) {
+                console.log(chalk7.gray(`  ... and ${dismissed.length - 5} more`));
+              }
             }
-            if (dismissed.length > 5) {
-              console.log(chalk5.gray(`  ... and ${dismissed.length - 5} more`));
+          } catch (error) {
+            verifySpinner?.fail("AI verification failed (results unverified)");
+            if (isVerbose) {
+              console.error(chalk7.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
             }
           }
-        } catch (error) {
-          verifySpinner?.fail("AI verification failed (results unverified)");
-          if (isVerbose) {
-            console.error(chalk5.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
-          }
         }
       }
-    }
-    const shouldExecute = Boolean(options["execute"]);
-    const isDryRun = Boolean(options["dryRun"]);
-    if (shouldExecute && scanResult.data.gaps.length > 0) {
-      const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
-      const { readFile: readFile7 } = await import('fs/promises');
-      const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
-      if (testableGaps.length === 0) {
-        console.log(chalk5.yellow("\nNo dynamically testable gaps found."));
-        console.log(chalk5.gray("Testable types: sql-injection, xss, command-injection, path-traversal"));
-      } else {
-        const runner = createRunner2(void 0, isDryRun);
-        const initResult = await runner.initialize();
-        if (!initResult.ready) {
-          console.log(chalk5.red(`
-Dynamic execution unavailable: ${initResult.error}`));
+      const shouldExecute = Boolean(options["execute"]);
+      const isDryRun = Boolean(options["dryRun"]);
+      if (shouldExecute && scanResult.data.gaps.length > 0) {
+        const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
+        const { readFile: readFile7 } = await import('fs/promises');
+        const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
+        if (testableGaps.length === 0) {
+          console.log(chalk7.yellow("\nNo dynamically testable gaps found."));
         } else {
-          const fileContents = /* @__PURE__ */ new Map();
-          for (const gap of testableGaps) {
-            if (!fileContents.has(gap.filePath)) {
-              try {
-                fileContents.set(gap.filePath, await readFile7(gap.filePath, "utf-8"));
-              } catch {
+          const runner = createRunner2(void 0, isDryRun);
+          const initResult = await runner.initialize();
+          if (!initResult.ready) {
+            console.log(chalk7.red(`
+Dynamic execution unavailable: ${initResult.error}`));
+          } else {
+            const fileContents = /* @__PURE__ */ new Map();
+            for (const gap of testableGaps) {
+              if (!fileContents.has(gap.filePath)) {
+                try {
+                  fileContents.set(gap.filePath, await readFile7(gap.filePath, "utf-8"));
+                } catch {
+                }
               }
             }
-          }
-          const executionSummary = await runner.executeAll(testableGaps, fileContents);
-          for (const result of executionSummary.results) {
-            const gap = scanResult.data.gaps.find(
-              (g) => g.filePath === result.gap.filePath && g.lineStart === result.gap.lineStart
-            );
-            if (gap && result.status === "confirmed") {
-              gap.confirmed = true;
-              gap.evidence = result.evidence;
+            const executionSummary = await runner.executeAll(testableGaps, fileContents);
+            for (const result of executionSummary.results) {
+              const gap = scanResult.data.gaps.find(
+                (g) => g.filePath === result.gap.filePath && g.lineStart === result.gap.lineStart
+              );
+              if (gap && result.status === "confirmed") {
+                gap.confirmed = true;
+                gap.evidence = result.evidence;
+              }
             }
-          }
-          if (executionSummary.confirmed > 0) {
-            console.log(chalk5.red.bold(`
+            if (executionSummary.confirmed > 0) {
+              console.log(chalk7.red.bold(`
 \u26A0\uFE0F  ${executionSummary.confirmed} CONFIRMED vulnerabilities found!`));
+            }
           }
         }
       }
+      const cacheResult = await saveScanResults(process.cwd(), scanResult.data);
+      if (!cacheResult.success) {
+        logger.debug(`Failed to cache results: ${cacheResult.error.message}`);
+      }
+      const output = formatScanResult(scanResult.data, outputFormat, targetDirectory);
+      const outputFile = options["outputFile"];
+      if (outputFile) {
+        writeFileSync(resolve(outputFile), output, "utf-8");
+        logger.info(`Results written to: ${resolve(outputFile)}`);
+      } else {
+        console.log(output);
+      }
+      if (isVerbose && scanResult.data.warnings.length > 0) {
+        console.error("\nWarnings:");
+        for (const warning of scanResult.data.warnings) {
+          console.error(`  - ${warning}`);
+        }
+      }
+      if (failOn) {
+        const severityOrder = { critical: 3, high: 2, medium: 1 };
+        const failLevel = severityOrder[failOn] ?? 0;
+        const hasFailingGaps = scanResult.data.gaps.some((gap) => (severityOrder[gap.severity] ?? 0) >= failLevel);
+        if (hasFailingGaps) {
+          process.exit(1);
+        }
+      }
+      process.exit(0);
+    } catch (error) {
+      spinner?.fail("Analysis failed");
+      console.error(formatError(error instanceof Error ? error : new Error(String(error))));
+      process.exit(1);
     }
-    const cacheResult = await saveScanResults(process.cwd(), scanResult.data);
-    if (!cacheResult.success) {
-      logger.debug(`Failed to cache results: ${cacheResult.error.message}`);
+  });
+}
+// src/cli/generate-formatters.ts
+init_errors();
+init_result();
+function formatGeneratedTerminal(tests, basePath) {
+  const lines = [];
+  if (tests.length === 0) {
+    lines.push(chalk7.yellow("No tests generated."));
+    return lines.join("\n");
+  }
+  lines.push(chalk7.bold.cyan(`
+Generated ${tests.length} test(s):
+`));
+  lines.push(chalk7.gray("\u2500".repeat(60)));
+  for (const test of tests) {
+    const relGapPath = relative(basePath, test.gap.filePath);
+    lines.push("");
+    lines.push(chalk7.bold.white(`Test for: ${test.gap.categoryName}`));
+    lines.push(chalk7.gray(`  Gap location: ${relGapPath}:${test.gap.lineStart}`));
+    lines.push(chalk7.gray(`  Template: ${test.template.id}`));
+    lines.push(chalk7.gray(`  Output: ${test.suggestedPath}`));
+    lines.push("");
+    lines.push(chalk7.cyan(`// --- ${test.suggestedPath} ---`));
+    lines.push("");
+    if (test.result.imports.length > 0) {
+      for (const imp of test.result.imports) {
+        lines.push(chalk7.gray(imp));
+      }
+      lines.push("");
     }
-    const output = formatScanResult(scanResult.data, outputFormat, targetDirectory);
-    const outputFile = options["outputFile"];
-    if (outputFile) {
-      const outputPath = resolve(outputFile);
-      writeFileSync(outputPath, output, "utf-8");
-      logger.info(`Results written to: ${outputPath}`);
+    lines.push(test.result.content);
+    lines.push("");
+    lines.push(chalk7.gray("\u2500".repeat(60)));
+  }
+  lines.push("");
+  lines.push(chalk7.bold("Summary:"));
+  lines.push(`  Tests generated: ${chalk7.green(tests.length.toString())}`);
+  const categories = new Set(tests.map((t) => t.category.id));
+  lines.push(`  Categories covered: ${chalk7.cyan(categories.size.toString())}`);
+  if (tests.some((t) => t.result.unresolved.length > 0)) {
+    const unresolvedCount = tests.reduce((acc, t) => acc + t.result.unresolved.length, 0);
+    lines.push(chalk7.yellow(`  Unresolved placeholders: ${unresolvedCount}`));
+    lines.push(chalk7.gray("  (Some placeholders need manual completion)"));
+  }
+  lines.push("");
+  lines.push(chalk7.gray("This is a dry run. Use --write to save files."));
+  return lines.join("\n");
+}
+function formatGeneratedJson(tests) {
+  const output = tests.map((test) => ({
+    gap: {
+      categoryId: test.gap.categoryId,
+      categoryName: test.gap.categoryName,
+      filePath: test.gap.filePath,
+      lineStart: test.gap.lineStart,
+      severity: test.gap.severity,
+      confidence: test.gap.confidence
+    },
+    template: {
+      id: test.template.id,
+      framework: test.template.framework,
+      language: test.template.language
+    },
+    suggestedPath: test.suggestedPath,
+    content: test.result.content,
+    imports: test.result.imports,
+    fixtures: test.result.fixtures,
+    substituted: test.result.substituted,
+    unresolved: test.result.unresolved
+  }));
+  return JSON.stringify(output, null, 2);
+}
+function suggestTestPath(sourceFile, template, basePath) {
+  const dir = dirname(sourceFile);
+  const name = basename(sourceFile);
+  const nameWithoutExt = name.replace(/\.[^.]+$/, "");
+  const extMap = {
+    python: ".py",
+    typescript: ".ts",
+    javascript: ".js",
+    go: "_test.go",
+    java: "Test.java",
+    rust: ".rs"
+  };
+  const ext = extMap[template.language] ?? ".test.ts";
+  let testFileName;
+  switch (template.language) {
+    case "python":
+      testFileName = `test_${nameWithoutExt}${ext}`;
+      break;
+    case "go":
+      testFileName = `${nameWithoutExt}${ext}`;
+      break;
+    case "java":
+      testFileName = `${nameWithoutExt}${ext}`;
+      break;
+    default:
+      testFileName = `${nameWithoutExt}.test${ext}`;
+  }
+  const relativeSrc = relative(basePath, dir);
+  const testDir = relativeSrc.replace(/^src/, "tests");
+  return `${testDir}/${testFileName}`;
+}
+function extractVariablesFromGap(gap) {
+  const fileName = basename(gap.filePath);
+  const fileNameWithoutExt = fileName.replace(/\.[^.]+$/, "");
+  const funcMatch = gap.codeSnippet.match(/(?:def|function|async function|const|let|var)\s+(\w+)/);
+  const classMatch = gap.codeSnippet.match(/(?:class)\s+(\w+)/);
+  return {
+    // File info
+    filePath: gap.filePath,
+    fileName,
+    fileNameWithoutExt,
+    lineNumber: gap.lineStart,
+    // Category info
+    categoryId: gap.categoryId,
+    categoryName: gap.categoryName,
+    domain: gap.domain,
+    level: gap.level,
+    severity: gap.severity,
+    confidence: gap.confidence,
+    // Code context
+    codeSnippet: gap.codeSnippet,
+    functionName: funcMatch?.[1] ?? "targetFunction",
+    className: classMatch?.[1] ?? "TargetClass",
+    // Common template variables
+    testName: `test_${gap.categoryId.replace(/-/g, "_")}`,
+    testDescription: `Test for ${gap.categoryName} in ${fileName}:${gap.lineStart}`,
+    // Pattern info
+    patternId: gap.patternId,
+    patternType: gap.patternType
+  };
+}
+async function extractVariablesWithAI(gap, templateVariables, aiConfig) {
+  const baseVars = extractVariablesFromGap(gap);
+  const result = await suggestVariables(
+    {
+      codeSnippet: gap.codeSnippet,
+      filePath: gap.filePath,
+      variables: templateVariables,
+      gap,
+      existingValues: baseVars
+    },
+    aiConfig
+  );
+  if (result.success && result.data) {
+    return result.data.values;
+  }
+  return baseVars;
+}
+async function writeGeneratedTests(tests, basePath, outputDir) {
+  const summary = {
+    created: [],
+    updated: [],
+    failed: [],
+    totalTests: 0
+  };
+  const testsByFile = /* @__PURE__ */ new Map();
+  for (const test of tests) {
+    let outputPath;
+    if (outputDir) {
+      outputPath = resolve(basePath, outputDir, test.suggestedPath);
     } else {
-      console.log(output);
+      outputPath = resolve(basePath, test.suggestedPath);
     }
-    if (isVerbose && scanResult.data.warnings.length > 0) {
-      console.error("\nWarnings:");
-      for (const warning of scanResult.data.warnings) {
-        console.error(`  - ${warning}`);
+    const existing = testsByFile.get(outputPath) ?? [];
+    existing.push(test);
+    testsByFile.set(outputPath, existing);
+  }
+  for (const [outputPath, fileTests] of testsByFile) {
+    try {
+      const dir = dirname(outputPath);
+      await mkdir(dir, { recursive: true });
+      let existingContent = "";
+      let fileExists = false;
+      try {
+        existingContent = await readFile(outputPath, "utf-8");
+        fileExists = true;
+      } catch {
       }
-    }
-    if (failOn) {
-      const severityOrder = {
-        critical: 3,
-        high: 2,
-        medium: 1
-      };
-      const failLevel = severityOrder[failOn] ?? 0;
-      const hasFailingGaps = scanResult.data.gaps.some((gap) => {
-        const gapLevel = severityOrder[gap.severity] ?? 0;
-        return gapLevel >= failLevel;
-      });
-      if (hasFailingGaps) {
-        const count = scanResult.data.gaps.filter((gap) => {
-          const gapLevel = severityOrder[gap.severity] ?? 0;
-          return gapLevel >= failLevel;
-        }).length;
-        logger.debug(`Exiting with code 1 due to ${count} gaps at ${failOn} level or above`);
-        process.exit(1);
+      const contentParts = [];
+      const allImports = /* @__PURE__ */ new Set();
+      for (const test of fileTests) {
+        for (const imp of test.result.imports) {
+          allImports.add(imp);
+        }
+      }
+      if (!fileExists && allImports.size > 0) {
+        contentParts.push(Array.from(allImports).join("\n"));
+        contentParts.push("");
+      }
+      for (const test of fileTests) {
+        contentParts.push(`// Test for ${test.gap.categoryName}`);
+        contentParts.push(`// Gap: ${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`);
+        contentParts.push(`// Generated by Pinata`);
+        contentParts.push("");
+        contentParts.push(test.result.content);
+        contentParts.push("");
+      }
+      const newContent = contentParts.join("\n");
+      let finalContent;
+      let appended = false;
+      if (fileExists) {
+        finalContent = existingContent.trimEnd() + "\n\n" + newContent;
+        appended = true;
+      } else {
+        finalContent = newContent;
+      }
+      await writeFile(outputPath, finalContent, "utf-8");
+      for (const test of fileTests) {
+        const result = {
+          path: outputPath,
+          created: !fileExists,
+          appended,
+          categoryId: test.gap.categoryId,
+          gapLocation: `${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`
+        };
+        if (fileExists) {
+          summary.updated.push(result);
+        } else {
+          summary.created.push(result);
+        }
+        summary.totalTests++;
       }
+    } catch (error) {
+      summary.failed.push({
+        path: outputPath,
+        error: error instanceof Error ? error.message : String(error)
+      });
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Analysis failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
-  }
-});
-program.command("generate").description("Generate tests for identified gaps").option("--gaps", "Generate tests for all identified gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--output-dir <dir>", "Directory for generated test files").option("--write", "Write files to disk (default is dry-run)").option("--ai", "Use AI for smarter template variable filling").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
-  const isQuiet = Boolean(options["quiet"]);
-  const isVerbose = Boolean(options["verbose"]);
-  const dryRun = !options["write"];
-  const useAI = Boolean(options["ai"]);
-  const aiProvider = String(options["aiProvider"] ?? "anthropic");
-  const outputFormat = String(options["output"] ?? "terminal");
-  if (isQuiet) {
-    logger.configure({ level: "error" });
-  } else if (isVerbose) {
-    logger.configure({ level: "debug" });
   }
-  if (!["terminal", "json"].includes(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json`)));
-    process.exit(1);
+  return ok(summary);
+}
+function formatWriteSummary(summary, basePath) {
+  const lines = [];
+  lines.push("");
+  lines.push(chalk7.bold.cyan("Write Summary:"));
+  lines.push(chalk7.gray("\u2500".repeat(60)));
+  if (summary.created.length > 0) {
+    const uniquePaths = new Set(summary.created.map((r) => r.path));
+    lines.push("");
+    lines.push(chalk7.green.bold(`Created ${uniquePaths.size} file(s):`));
+    for (const path2 of uniquePaths) {
+      const relPath = relative(basePath, path2);
+      const testsInFile = summary.created.filter((r) => r.path === path2).length;
+      lines.push(chalk7.green(`  + ${relPath} (${testsInFile} test(s))`));
+    }
   }
-  const hasGaps = Boolean(options["gaps"]);
-  const categoryId = options["category"];
-  const domainFilter = options["domain"];
-  if (!hasGaps && !categoryId && !domainFilter) {
-    console.error(formatError(new Error(
-      "Specify what to generate: --gaps (all gaps), --category <id>, or --domain <domain>"
-    )));
-    process.exit(1);
+  if (summary.updated.length > 0) {
+    const uniquePaths = new Set(summary.updated.map((r) => r.path));
+    lines.push("");
+    lines.push(chalk7.yellow.bold(`Updated ${uniquePaths.size} file(s):`));
+    for (const path2 of uniquePaths) {
+      const relPath = relative(basePath, path2);
+      const testsInFile = summary.updated.filter((r) => r.path === path2).length;
+      lines.push(chalk7.yellow(`  ~ ${relPath} (${testsInFile} test(s) appended)`));
+    }
   }
-  if (domainFilter && !RISK_DOMAINS.includes(domainFilter)) {
-    console.error(formatError(new Error(
-      `Invalid domain: ${domainFilter}. Valid domains: ${RISK_DOMAINS.join(", ")}`
-    )));
-    process.exit(1);
+  if (summary.failed.length > 0) {
+    lines.push("");
+    lines.push(chalk7.red.bold(`Failed to write ${summary.failed.length} file(s):`));
+    for (const fail of summary.failed) {
+      const relPath = relative(basePath, fail.path);
+      lines.push(chalk7.red(`  \u2717 ${relPath}: ${fail.error}`));
+    }
   }
-  const validSeverities = ["critical", "high", "medium", "low"];
-  const minSeverity = String(options["severity"] ?? "medium");
-  if (!validSeverities.includes(minSeverity)) {
-    console.error(formatError(new Error(
-      `Invalid severity: ${minSeverity}. Use: critical, high, medium, low`
-    )));
-    process.exit(1);
+  lines.push("");
+  lines.push(chalk7.gray("\u2500".repeat(60)));
+  lines.push(chalk7.bold(`Total: ${summary.totalTests} test(s) written to ${(/* @__PURE__ */ new Set([...summary.created.map((r) => r.path), ...summary.updated.map((r) => r.path)])).size} file(s)`));
+  if (summary.failed.length > 0) {
+    lines.push(chalk7.red(`Failures: ${summary.failed.length}`));
   }
-  const severityOrder = {
-    critical: 4,
-    high: 3,
-    medium: 2,
-    low: 1
-  };
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading cached scan results...").start() : null;
-  try {
-    const projectRoot = process.cwd();
-    const cacheResult = await loadScanResults(projectRoot);
-    if (!cacheResult.success) {
-      spinner?.fail("No cached results");
-      console.error(formatError(cacheResult.error));
-      console.error(chalk5.yellow("\nRun `pinata analyze` first to scan for gaps."));
-      process.exit(1);
-    }
-    const cached = cacheResult.data;
-    let gaps = cached.gaps;
-    if (spinner) {
-      spinner.text = `Loaded ${gaps.length} gaps from cache. Filtering...`;
-    }
-    if (categoryId) {
-      gaps = gaps.filter((g) => g.categoryId === categoryId);
-    }
-    if (domainFilter) {
-      gaps = gaps.filter((g) => g.domain === domainFilter);
-    }
-    gaps = gaps.filter((g) => {
-      const gapLevel = severityOrder[g.severity] ?? 0;
-      const minLevel = severityOrder[minSeverity] ?? 0;
-      return gapLevel >= minLevel;
-    });
-    if (gaps.length === 0) {
-      spinner?.succeed("No gaps match the filters");
-      console.log(chalk5.yellow("\nNo gaps found matching the specified filters."));
-      process.exit(0);
+  return lines.join("\n");
+}
+// src/cli/commands/generate.ts
+init_results_cache();
+function registerGenerateCommand(program2) {
+  program2.command("generate").description("Generate tests for identified gaps").option("--gaps", "Generate tests for all identified gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--output-dir <dir>", "Directory for generated test files").option("--write", "Write files to disk (default is dry-run)").option("--ai", "Use AI for smarter template variable filling").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
+    const isQuiet = Boolean(options["quiet"]);
+    const isVerbose = Boolean(options["verbose"]);
+    const dryRun = !options["write"];
+    const useAI = Boolean(options["ai"]);
+    const aiProvider = String(options["aiProvider"] ?? "anthropic");
+    const outputFormat = String(options["output"] ?? "terminal");
+    if (isQuiet) {
+      logger.configure({ level: "error" });
+    } else if (isVerbose) {
+      logger.configure({ level: "debug" });
     }
-    if (spinner) {
-      spinner.text = `Found ${gaps.length} gaps. Loading categories...`;
+    if (!["terminal", "json"].includes(outputFormat)) {
+      console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json`)));
+      process.exit(1);
     }
-    const store = createCategoryStore();
-    const definitionsPath = getDefinitionsPath();
-    const loadResult = await store.loadFromDirectory(definitionsPath);
-    if (!loadResult.success) {
-      spinner?.fail("Failed to load categories");
-      console.error(formatError(loadResult.error));
+    const hasGaps = Boolean(options["gaps"]);
+    const categoryId = options["category"];
+    const domainFilter = options["domain"];
+    if (!hasGaps && !categoryId && !domainFilter) {
+      console.error(formatError(new Error("Specify what to generate: --gaps (all gaps), --category <id>, or --domain <domain>")));
       process.exit(1);
     }
-    if (spinner) {
-      spinner.text = `Generating tests for ${gaps.length} gaps...`;
+    if (domainFilter && !RISK_DOMAINS.includes(domainFilter)) {
+      console.error(formatError(new Error(`Invalid domain: ${domainFilter}. Valid domains: ${RISK_DOMAINS.join(", ")}`)));
+      process.exit(1);
     }
-    const renderer = createRenderer({ strict: false, allowUnresolved: true });
-    const generatedTests = [];
-    const errors = [];
-    const gapsByCategory = /* @__PURE__ */ new Map();
-    for (const gap of gaps) {
-      const existing = gapsByCategory.get(gap.categoryId) ?? [];
-      existing.push(gap);
-      gapsByCategory.set(gap.categoryId, existing);
+    const validSeverities = ["critical", "high", "medium", "low"];
+    const minSeverity = String(options["severity"] ?? "medium");
+    if (!validSeverities.includes(minSeverity)) {
+      console.error(formatError(new Error(`Invalid severity: ${minSeverity}. Use: critical, high, medium, low`)));
+      process.exit(1);
     }
-    for (const [catId, categoryGaps] of gapsByCategory) {
-      const categoryResult = store.get(catId);
-      if (!categoryResult.success) {
-        errors.push(`Category not found: ${catId}`);
-        continue;
+    const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+    const showSpinner = outputFormat === "terminal" && !isQuiet;
+    const spinner = showSpinner ? ora3("Loading cached scan results...").start() : null;
+    try {
+      const projectRoot = process.cwd();
+      const cacheResult = await loadScanResults(projectRoot);
+      if (!cacheResult.success) {
+        spinner?.fail("No cached results");
+        console.error(formatError(cacheResult.error));
+        console.error(chalk7.yellow("\nRun `pinata analyze` first to scan for gaps."));
+        process.exit(1);
       }
-      const category = categoryResult.data;
-      for (const gap of categoryGaps) {
-        const gapExt = gap.filePath.split(".").pop() ?? "";
-        const langMap = {
-          py: "python",
-          ts: "typescript",
-          tsx: "typescript",
-          js: "javascript",
-          jsx: "javascript",
-          go: "go",
-          java: "java",
-          rs: "rust"
-        };
-        const gapLang = langMap[gapExt];
-        let template = category.testTemplates.find((t) => t.language === gapLang);
-        if (!template) {
-          template = category.testTemplates[0];
-        }
-        if (!template) {
-          errors.push(`No templates available for ${catId}`);
+      const cached = cacheResult.data;
+      let gaps = cached.gaps;
+      if (spinner) {
+        spinner.text = `Loaded ${gaps.length} gaps from cache. Filtering...`;
+      }
+      if (categoryId) {
+        gaps = gaps.filter((g) => g.categoryId === categoryId);
+      }
+      if (domainFilter) {
+        gaps = gaps.filter((g) => g.domain === domainFilter);
+      }
+      gaps = gaps.filter((g) => (severityOrder[g.severity] ?? 0) >= (severityOrder[minSeverity] ?? 0));
+      if (gaps.length === 0) {
+        spinner?.succeed("No gaps match the filters");
+        console.log(chalk7.yellow("\nNo gaps found matching the specified filters."));
+        process.exit(0);
+      }
+      if (spinner) {
+        spinner.text = `Found ${gaps.length} gaps. Loading categories...`;
+      }
+      const store = createCategoryStore();
+      const definitionsPath = getDefinitionsPath();
+      const loadResult = await store.loadFromDirectory(definitionsPath);
+      if (!loadResult.success) {
+        spinner?.fail("Failed to load categories");
+        console.error(formatError(loadResult.error));
+        process.exit(1);
+      }
+      if (spinner) {
+        spinner.text = `Generating tests for ${gaps.length} gaps...`;
+      }
+      const renderer = createRenderer({ strict: false, allowUnresolved: true });
+      const generatedTests = [];
+      const errors = [];
+      const gapsByCategory = /* @__PURE__ */ new Map();
+      for (const gap of gaps) {
+        const existing = gapsByCategory.get(gap.categoryId) ?? [];
+        existing.push(gap);
+        gapsByCategory.set(gap.categoryId, existing);
+      }
+      for (const [catId, categoryGaps] of gapsByCategory) {
+        const categoryResult = store.get(catId);
+        if (!categoryResult.success) {
+          errors.push(`Category not found: ${catId}`);
           continue;
         }
-        let variables;
-        if (useAI) {
-          variables = await extractVariablesWithAI(gap, template.variables, {
-            provider: aiProvider
-          });
-        } else {
-          variables = extractVariablesFromGap(gap);
-        }
-        const renderResult = renderer.renderTemplate(template, variables);
-        if (!renderResult.success) {
-          errors.push(`Failed to render ${catId}: ${renderResult.error.message}`);
-          continue;
+        const category = categoryResult.data;
+        for (const gap of categoryGaps) {
+          const gapExt = gap.filePath.split(".").pop() ?? "";
+          const langMap = { py: "python", ts: "typescript", tsx: "typescript", js: "javascript", jsx: "javascript", go: "go", java: "java", rs: "rust" };
+          const gapLang = langMap[gapExt];
+          let template = category.testTemplates.find((t) => t.language === gapLang);
+          if (!template) {
+            template = category.testTemplates[0];
+          }
+          if (!template) {
+            errors.push(`No templates available for ${catId}`);
+            continue;
+          }
+          let variables;
+          if (useAI) {
+            variables = await extractVariablesWithAI(gap, template.variables, { provider: aiProvider });
+          } else {
+            variables = extractVariablesFromGap(gap);
+          }
+          const renderResult = renderer.renderTemplate(template, variables);
+          if (!renderResult.success) {
+            errors.push(`Failed to render ${catId}: ${renderResult.error.message}`);
+            continue;
+          }
+          const suggestedPath = suggestTestPath(gap.filePath, template, cached.targetDirectory);
+          generatedTests.push({ gap, category, template, result: renderResult.data, suggestedPath });
         }
-        const suggestedPath = suggestTestPath(gap.filePath, template, cached.targetDirectory);
-        generatedTests.push({
-          gap,
-          category,
-          template,
-          result: renderResult.data,
-          suggestedPath
-        });
       }
-    }
-    spinner?.stop();
-    if (outputFormat === "json") {
-      console.log(formatGeneratedJson(generatedTests));
-    } else {
-      console.log(formatGeneratedTerminal(generatedTests, cached.targetDirectory));
-    }
-    if (isVerbose && errors.length > 0) {
-      console.error(chalk5.yellow("\nWarnings:"));
-      for (const error of errors) {
-        console.error(chalk5.gray(`  - ${error}`));
+      spinner?.stop();
+      if (outputFormat === "json") {
+        console.log(formatGeneratedJson(generatedTests));
+      } else {
+        console.log(formatGeneratedTerminal(generatedTests, cached.targetDirectory));
       }
-    }
-    if (!dryRun) {
-      const outputDirOption = options["outputDir"];
-      const writeResult = await writeGeneratedTests(
-        generatedTests,
-        cached.targetDirectory,
-        outputDirOption
-      );
-      if (!writeResult.success) {
-        console.error(formatError(writeResult.error));
-        process.exit(1);
+      if (isVerbose && errors.length > 0) {
+        console.error(chalk7.yellow("\nWarnings:"));
+        for (const error of errors) {
+          console.error(chalk7.gray(`  - ${error}`));
+        }
       }
-      console.log(formatWriteSummary(writeResult.data, cached.targetDirectory));
-      if (writeResult.data.failed.length > 0) {
-        process.exit(1);
+      if (!dryRun) {
+        const outputDirOption = options["outputDir"];
+        const writeResult = await writeGeneratedTests(generatedTests, cached.targetDirectory, outputDirOption);
+        if (!writeResult.success) {
+          console.error(formatError(writeResult.error));
+          process.exit(1);
+        }
+        console.log(formatWriteSummary(writeResult.data, cached.targetDirectory));
+        if (writeResult.data.failed.length > 0) {
+          process.exit(1);
+        }
       }
+      process.exit(0);
+    } catch (error) {
+      spinner?.fail("Generation failed");
+      console.error(formatError(error instanceof Error ? error : new Error(String(error))));
+      process.exit(1);
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Generation failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
-  }
-});
+  });
+}
+// src/cli/index.ts
+var program = new Command();
+program.name("pinata").description("AI-powered test coverage analysis and generation").version(VERSION);
+registerAnalyzeCommand(program);
+registerGenerateCommand(program);
 program.command("explain").description("Get natural language explanations for detected gaps").option("-n, --top <count>", "Explain top N gaps by priority", "5").option("-c, --category <id>", "Explain gaps for specific category").option("-d, --domain <domain>", "Explain gaps for specific domain").option("--ai", "Use AI for detailed explanations (requires API key)").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json, markdown", "terminal").option("-v, --verbose", "Show more details").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
   const isQuiet = Boolean(options["quiet"]);
   const isVerbose = Boolean(options["verbose"]);
+  const topN = parseInt(String(options["top"] ?? "5"), 10);
+  const categoryFilter = options["category"];
+  const domainFilter = options["domain"];
   const useAI = Boolean(options["ai"]);
   const aiProvider = String(options["aiProvider"] ?? "anthropic");
   const outputFormat = String(options["output"] ?? "terminal");
-  const topN = parseInt(String(options["top"] ?? "5"), 10);
   if (isQuiet) {
     logger.configure({ level: "error" });
   } else if (isVerbose) {
     logger.configure({ level: "debug" });
   }
   if (!["terminal", "json", "markdown"].includes(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown`)));
+    console.error(formatError(new Error(`Invalid format: ${outputFormat}. Use: terminal, json, markdown`)));
     process.exit(1);
   }
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading cached scan results...").start() : null;
-  try {
-    const projectRoot = process.cwd();
-    const cacheResult = await loadScanResults(projectRoot);
-    if (!cacheResult.success) {
-      spinner?.fail("No cached results");
-      console.error(formatError(cacheResult.error));
-      console.error(chalk5.yellow("\nRun `pinata analyze` first to scan for gaps."));
+  const projectRoot = process.cwd();
+  const cacheResult = await loadScanResults(projectRoot);
+  if (!cacheResult.success) {
+    console.error(formatError(cacheResult.error));
+    console.error(chalk7.yellow("\nRun `pinata analyze` first to scan for gaps."));
+    process.exit(1);
+  }
+  const cached = cacheResult.data;
+  let gaps = cached.gaps;
+  if (categoryFilter) {
+    gaps = gaps.filter((g) => g.categoryId === categoryFilter);
+  }
+  if (domainFilter) {
+    if (!RISK_DOMAINS.includes(domainFilter)) {
+      console.error(formatError(new Error(`Invalid domain: ${domainFilter}`)));
       process.exit(1);
     }
-    const cached = cacheResult.data;
-    let gaps = cached.gaps;
-    const categoryFilter = options["category"];
-    const domainFilter = options["domain"];
-    if (categoryFilter) {
-      gaps = gaps.filter((g) => g.categoryId === categoryFilter);
-    }
-    if (domainFilter) {
-      if (!RISK_DOMAINS.includes(domainFilter)) {
-        spinner?.fail("Invalid domain");
-        console.error(formatError(new Error(`Invalid domain: ${domainFilter}. Valid: ${RISK_DOMAINS.join(", ")}`)));
-        process.exit(1);
+    gaps = gaps.filter((g) => g.domain === domainFilter);
+  }
+  gaps = gaps.slice(0, topN);
+  if (gaps.length === 0) {
+    console.log(chalk7.yellow("No gaps to explain."));
+    process.exit(0);
+  }
+  let explanations;
+  if (useAI) {
+    const spinner = ora3("Generating AI explanations...").start();
+    try {
+      const aiConfig = { provider: aiProvider };
+      const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+      if (hasApiKey2(aiProvider)) {
+        const key = getApiKey2(aiProvider);
+        if (key) {
+          aiConfig.apiKey = key;
+        }
       }
-      gaps = gaps.filter((g) => g.domain === domainFilter);
-    }
-    if (gaps.length === 0) {
-      spinner?.succeed("No gaps to explain");
-      console.log(chalk5.yellow("\nNo gaps found matching the filters."));
-      process.exit(0);
-    }
-    gaps = gaps.sort((a, b) => b.priorityScore - a.priorityScore).slice(0, topN);
-    if (spinner) {
-      spinner.text = `Explaining ${gaps.length} gap(s)...`;
-    }
-    const explanations = [];
-    if (useAI) {
-      const ai = createAIService({ provider: aiProvider });
-      if (!ai.isConfigured()) {
-        spinner?.warn("AI not configured, using fallback explanations");
-        console.error(chalk5.yellow(`
+      const resultMap = await explainGaps(gaps, void 0, aiConfig);
+      explanations = gaps.map((g) => {
+        const key = `${g.categoryId}:${g.filePath}:${g.lineStart}`;
+        const result = resultMap.get(key);
+        if (result?.success && result.data) {
+          return result.data;
+        }
+        return generateFallbackExplanation(g);
+      });
+      spinner.succeed(`Generated ${explanations.length} explanations`);
+    } catch (error) {
+      spinner.fail("AI explanation failed");
+      console.error(chalk7.yellow(`
 Set ${aiProvider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY"} for AI explanations.
 `));
-        for (const gap of gaps) {
-          explanations.push({
-            gap,
-            explanation: generateFallbackExplanation(gap)
-          });
-        }
-      } else {
-        for (const gap of gaps) {
-          const result = await explainGap(gap, void 0, { provider: aiProvider });
-          if (result.success && result.data) {
-            explanations.push({ gap, explanation: result.data });
-          } else {
-            explanations.push({
-              gap,
-              explanation: generateFallbackExplanation(gap)
-            });
-          }
-        }
-      }
-    } else {
-      for (const gap of gaps) {
-        explanations.push({
-          gap,
-          explanation: generateFallbackExplanation(gap)
-        });
-      }
+      explanations = gaps.map((g) => generateFallbackExplanation(g));
     }
-    spinner?.stop();
-    if (outputFormat === "json") {
-      console.log(JSON.stringify(explanations.map((e) => ({
-        gap: {
-          categoryId: e.gap.categoryId,
-          categoryName: e.gap.categoryName,
-          filePath: e.gap.filePath,
-          lineStart: e.gap.lineStart,
-          severity: e.gap.severity,
-          confidence: e.gap.confidence,
-          codeSnippet: e.gap.codeSnippet
-        },
-        explanation: e.explanation
-      })), null, 2));
-    } else if (outputFormat === "markdown") {
-      console.log(`# Gap Explanations
-`);
-      console.log(`Generated ${explanations.length} explanation(s).
-`);
-      for (const { gap, explanation } of explanations) {
-        console.log(`## ${gap.categoryName}
-`);
-        console.log(`**File:** \`${gap.filePath}:${gap.lineStart}\`
-`);
-        console.log(`**Severity:** ${gap.severity} | **Confidence:** ${gap.confidence}
-`);
-        console.log(`### Summary
-${explanation.summary}
-`);
-        console.log(`### Explanation
-${explanation.explanation}
-`);
-        console.log(`### Risk
-${explanation.risk}
+  } else {
+    explanations = gaps.map((g) => generateFallbackExplanation(g));
+  }
+  if (outputFormat === "json") {
+    const output = gaps.map((g, i) => ({ gap: { categoryId: g.categoryId, severity: g.severity, filePath: g.filePath, lineStart: g.lineStart }, ...explanations[i] }));
+    console.log(JSON.stringify(output, null, 2));
+  } else if (outputFormat === "markdown") {
+    console.log("# Gap Explanations\n");
+    for (let i = 0; i < explanations.length; i++) {
+      const exp = explanations[i];
+      const gap = gaps[i];
+      console.log(`## ${exp.summary}
 `);
-        console.log(`### How to Fix
-${explanation.remediation}
+      console.log(`**Severity**: ${gap.severity} | **Category**: ${gap.categoryId}
 `);
-        if (explanation.safeExample) {
-          console.log(`### Safe Example
-\`\`\`
-${explanation.safeExample}
-\`\`\`
+      console.log(exp.explanation);
+      if (exp.remediation) {
+        console.log(`
+**Remediation**: ${exp.remediation}
 `);
-        }
-        console.log("---\n");
       }
-    } else {
+      console.log("---\n");
+    }
+  } else {
+    console.log();
+    for (let i = 0; i < explanations.length; i++) {
+      const exp = explanations[i];
+      const gap = gaps[i];
+      const severityColor = gap.severity === "critical" ? chalk7.red : gap.severity === "high" ? chalk7.yellow : chalk7.blue;
+      console.log(`${severityColor.bold(`[${gap.severity.toUpperCase()}]`)} ${chalk7.bold(exp.summary)}`);
+      console.log(chalk7.gray(`  Category: ${gap.categoryId} | ${gap.filePath}:${gap.lineStart}`));
       console.log();
-      console.log(chalk5.bold.cyan("Gap Explanations"));
-      console.log(chalk5.gray("\u2500".repeat(60)));
-      for (const { gap, explanation } of explanations) {
-        console.log();
-        console.log(chalk5.bold.white(gap.categoryName));
-        console.log(chalk5.gray(`  ${gap.filePath}:${gap.lineStart}`));
-        const severityColor = gap.severity === "critical" ? chalk5.red : gap.severity === "high" ? chalk5.yellow : chalk5.blue;
-        console.log(`  ${severityColor(gap.severity)} | ${gap.confidence} confidence`);
-        console.log();
-        console.log(chalk5.cyan("  Summary:"));
-        console.log(`    ${explanation.summary}`);
-        if (isVerbose) {
-          console.log();
-          console.log(chalk5.cyan("  Explanation:"));
-          for (const line of explanation.explanation.split("\n")) {
-            console.log(`    ${line}`);
-          }
-        }
-        console.log();
-        console.log(chalk5.red("  Risk:"));
-        console.log(`    ${explanation.risk}`);
-        console.log();
-        console.log(chalk5.green("  How to Fix:"));
-        for (const line of explanation.remediation.split("\n")) {
-          console.log(`    ${line}`);
-        }
-        if (explanation.safeExample) {
-          console.log();
-          console.log(chalk5.cyan("  Safe Example:"));
-          console.log(chalk5.gray(`    ${explanation.safeExample}`));
-        }
+      for (const line of exp.explanation.split("\n")) {
+        console.log(`  ${line}`);
+      }
+      if (exp.remediation) {
         console.log();
-        console.log(chalk5.gray("\u2500".repeat(60)));
+        console.log(chalk7.green(`  Fix: ${exp.remediation}`));
       }
+      console.log();
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Explanation failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
   }
 });
 program.command("suggest-patterns").description("Use AI to suggest new detection patterns based on code samples").requiredOption("-c, --category <id>", "Category to suggest patterns for").requiredOption("-l, --language <lang>", "Language of the code samples").option("-f, --file <path>", "File containing vulnerable code samples (one per line)").option("--code <snippet>", "Vulnerable code snippet (can be specified multiple times)", (v, a) => [...a, v], []).option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, yaml, json", "terminal").action(async (options) => {
@@ -9278,96 +9190,73 @@ program.command("suggest-patterns").description("Use AI to suggest new detection
   const language = String(options["language"]);
   const aiProvider = String(options["aiProvider"] ?? "anthropic");
   const outputFormat = String(options["output"] ?? "terminal");
-  const codeSnippets = options["code"];
   const filePath = options["file"];
-  let vulnerableCode = [...codeSnippets];
+  const codeSnippets = options["code"] ?? [];
+  const samples = [...codeSnippets];
   if (filePath) {
+    const { readFile: readFile7 } = await import('fs/promises');
     try {
-      const { readFile: readFile7 } = await import('fs/promises');
-      const content = await readFile7(filePath, "utf-8");
-      vulnerableCode = [...vulnerableCode, ...content.split("\n---\n").filter(Boolean)];
+      const content = await readFile7(resolve(filePath), "utf-8");
+      samples.push(...content.split("\n---\n").filter((s) => s.trim()));
     } catch (error) {
       console.error(formatError(new Error(`Failed to read file: ${filePath}`)));
       process.exit(1);
     }
   }
-  if (vulnerableCode.length === 0) {
+  if (samples.length === 0) {
     console.error(formatError(new Error("Provide code samples via --code or --file")));
     process.exit(1);
   }
-  const spinner = ora("Generating pattern suggestions...").start();
+  const spinner = ora3("Generating pattern suggestions with AI...").start();
   try {
+    const aiConfig = { provider: aiProvider };
+    const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    if (hasApiKey2(aiProvider)) {
+      const key = getApiKey2(aiProvider);
+      if (key) {
+        aiConfig.apiKey = key;
+      }
+    }
     const result = await suggestPatterns(
-      {
-        category: categoryId,
-        language,
-        vulnerableCode,
-        maxSuggestions: 5
-      },
-      { provider: aiProvider }
+      { category: categoryId, vulnerableCode: samples, language },
+      aiConfig
     );
-    spinner.stop();
-    if (!result.success) {
-      console.error(formatError(new Error(result.error ?? "Failed to generate patterns")));
+    if (!result.success || !result.data) {
+      spinner.fail("Pattern suggestion failed");
+      console.error(chalk7.red(result.error ?? "Unknown error"));
       process.exit(1);
     }
-    const { suggestions, rejected } = result.data ?? { suggestions: [], rejected: [] };
+    const suggestions = result.data.suggestions;
+    spinner.succeed(`Generated ${suggestions.length} pattern suggestions`);
     if (outputFormat === "json") {
-      console.log(JSON.stringify({ suggestions, rejected }, null, 2));
+      console.log(JSON.stringify(suggestions, null, 2));
     } else if (outputFormat === "yaml") {
-      console.log(`# Suggested patterns for ${categoryId}
-`);
-      console.log(`detectionPatterns:`);
-      for (const suggestion of suggestions) {
-        const escapedPattern = suggestion.pattern.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
-        console.log(`  - id: ${suggestion.id}`);
-        console.log(`    type: regex`);
-        console.log(`    language: ${language}`);
-        console.log(`    pattern: "${escapedPattern}"`);
-        console.log(`    confidence: ${suggestion.confidence}`);
-        console.log(`    description: ${suggestion.description}`);
+      for (const s of suggestions) {
+        console.log("---");
+        console.log(`id: ${s.id}`);
+        console.log(`pattern: "${s.pattern}"`);
+        console.log(`confidence: ${s.confidence}`);
+        console.log(`description: "${s.description}"`);
+        console.log(`matchExample: "${s.matchExample}"`);
+        console.log(`safeExample: "${s.safeExample}"`);
         console.log();
       }
     } else {
       console.log();
-      console.log(chalk5.bold.cyan("Pattern Suggestions"));
-      console.log(chalk5.gray("\u2500".repeat(60)));
-      if (suggestions.length === 0) {
-        console.log(chalk5.yellow("\nNo valid patterns could be generated."));
-      } else {
-        for (const suggestion of suggestions) {
-          console.log();
-          console.log(chalk5.bold.white(suggestion.id));
-          console.log(chalk5.gray(`  ${suggestion.description}`));
-          console.log();
-          console.log(chalk5.cyan("  Pattern:"));
-          console.log(`    ${suggestion.pattern}`);
-          console.log();
-          console.log(chalk5.cyan("  Confidence:") + ` ${suggestion.confidence}`);
-          console.log();
-          console.log(chalk5.green("  Would match:"));
-          console.log(chalk5.gray(`    ${suggestion.matchExample}`));
-          console.log();
-          console.log(chalk5.red("  Should NOT match:"));
-          console.log(chalk5.gray(`    ${suggestion.safeExample}`));
-          console.log();
-          console.log(chalk5.cyan("  Reasoning:"));
-          console.log(`    ${suggestion.reasoning}`);
-          console.log();
-          console.log(chalk5.gray("\u2500".repeat(60)));
-        }
-      }
-      if (rejected.length > 0) {
+      console.log(chalk7.bold(`Suggested Patterns for ${categoryId}`));
+      console.log();
+      for (const s of suggestions) {
+        const confColor = s.confidence === "high" ? chalk7.green : s.confidence === "medium" ? chalk7.yellow : chalk7.red;
+        console.log(`  ${chalk7.cyan(s.id)} [${confColor(s.confidence)}]`);
+        console.log(`    Pattern: ${chalk7.gray(s.pattern)}`);
+        console.log(`    ${s.description}`);
+        console.log(`    Match:  ${chalk7.gray(s.matchExample.slice(0, 80))}`);
+        console.log(`    Safe:   ${chalk7.gray(s.safeExample.slice(0, 80))}`);
         console.log();
-        console.log(chalk5.yellow.bold(`Rejected ${rejected.length} pattern(s):`));
-        for (const r of rejected) {
-          console.log(chalk5.gray(`  - ${r.pattern.slice(0, 40)}... : ${r.reason}`));
-        }
       }
     }
-    process.exit(0);
   } catch (error) {
-    spinner.fail("Pattern generation failed");
+    spinner.fail("Pattern suggestion failed");
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
   }
@@ -9422,9 +9311,7 @@ program.command("search <query>").description("Search category taxonomy by name,
     }
     const langFilter = options["language"];
     if (langFilter) {
-      results = results.filter(
-        (cat) => cat.applicableLanguages.includes(langFilter)
-      );
+      results = results.filter((cat) => cat.applicableLanguages.includes(langFilter));
     }
     if (outputFormat === "json") {
       console.log(JSON.stringify(results, null, 2));
@@ -9446,19 +9333,18 @@ ${cat.description}
       }
     } else {
       console.log();
-      console.log(chalk5.bold(`Search Results for "${query}"`));
-      console.log(chalk5.gray(`Found ${results.length} matching categories.`));
+      console.log(chalk7.bold(`Search Results for "${query}"`));
+      console.log(chalk7.gray(`Found ${results.length} matching categories.`));
       console.log();
       if (results.length === 0) {
-        console.log(chalk5.yellow("No categories match your search."));
-        console.log(chalk5.gray("Try a different query or broaden your filters."));
+        console.log(chalk7.yellow("No categories match your search."));
       } else {
         for (const cat of results) {
-          const domainColor = cat.domain === "security" ? chalk5.red : chalk5.blue;
-          console.log(`  ${chalk5.cyan(cat.id)} - ${chalk5.bold(cat.name)}`);
+          const domainColor = cat.domain === "security" ? chalk7.red : chalk7.blue;
+          console.log(`  ${chalk7.cyan(cat.id)} - ${chalk7.bold(cat.name)}`);
           console.log(`    ${domainColor(cat.domain)} | ${cat.level} | ${cat.priority}`);
           if (options["verbose"]) {
-            console.log(`    ${chalk5.gray(cat.description.slice(0, 100))}${cat.description.length > 100 ? "..." : ""}`);
+            console.log(`    ${chalk7.gray(cat.description.slice(0, 100))}${cat.description.length > 100 ? "..." : ""}`);
           }
           console.log();
         }
@@ -9492,21 +9378,17 @@ program.command("list").description("List all categories").option("-d, --domain
       process.exit(1);
     }
     const priorityFilter = options["priority"];
-    const validPriorities = ["P0", "P1", "P2"];
-    if (priorityFilter !== void 0 && !validPriorities.includes(priorityFilter)) {
+    if (priorityFilter !== void 0 && !["P0", "P1", "P2"].includes(priorityFilter)) {
       console.error(formatError(new Error(`Invalid priority: ${priorityFilter}. Use: P0, P1, P2`)));
       process.exit(1);
     }
-    logger.debug("Loading categories...");
     const store = createCategoryStore();
     const definitionsPath = getDefinitionsPath();
-    logger.debug(`Loading from: ${definitionsPath}`);
     const loadResult = await store.loadFromDirectory(definitionsPath);
     if (!loadResult.success) {
       console.error(formatError(loadResult.error));
       process.exit(1);
     }
-    logger.debug(`Loaded ${loadResult.data} categories`);
     const filter = {};
     if (domainFilter) {
       filter.domain = domainFilter;
@@ -9530,54 +9412,42 @@ program.command("init").description("Initialize Pinata configuration in project"
   const configPath = resolve(process.cwd(), ".pinata.yml");
   const cacheDir = resolve(process.cwd(), ".pinata");
   if (existsSync(configPath) && !options["force"]) {
-    console.log(chalk5.yellow("Configuration file already exists at .pinata.yml"));
-    console.log(chalk5.gray("Use --force to overwrite."));
+    console.log(chalk7.yellow("Configuration file already exists at .pinata.yml"));
+    console.log(chalk7.gray("Use --force to overwrite."));
     process.exit(0);
   }
   const defaultConfig = `# Pinata Configuration
 # https://github.com/pinata/pinata
-# Paths to analyze
 include:
   - "src/**/*.ts"
   - "src/**/*.tsx"
   - "src/**/*.py"
   - "src/**/*.js"
-# Paths to exclude from analysis
 exclude:
   - "node_modules/**"
   - "dist/**"
   - "build/**"
   - "**/*.test.ts"
   - "**/*.spec.ts"
-  - "**/test/**"
-  - "**/tests/**"
-  - "**/__tests__/**"
-# Risk domains to analyze
-# Options: security, data, concurrency, input, resource, reliability, performance, platform, business, compliance
 domains:
   - security
   - data
   - concurrency
   - input
-# Minimum severity to report
-# Options: critical, high, medium, low
 minSeverity: medium
-# Output configuration
 output:
-  format: terminal  # terminal, json, markdown, sarif, html
+  format: terminal
   color: true
-# Test generation settings
 generate:
   outputDir: tests/generated
-  framework: auto  # auto, pytest, jest, vitest, mocha
+  framework: auto
-# Fail CI if gaps exceed thresholds
 thresholds:
   critical: 0
   high: 5
@@ -9586,25 +9456,23 @@ thresholds:
   const { writeFile: writeFileAsync, mkdir: mkdir4 } = await import('fs/promises');
   try {
     await writeFileAsync(configPath, defaultConfig, "utf8");
-    console.log(chalk5.green("Created .pinata.yml"));
+    console.log(chalk7.green("Created .pinata.yml"));
     await mkdir4(cacheDir, { recursive: true });
-    console.log(chalk5.green("Created .pinata/ directory"));
+    console.log(chalk7.green("Created .pinata/ directory"));
     const gitignorePath = resolve(process.cwd(), ".gitignore");
     if (existsSync(gitignorePath)) {
       const { readFile: readFile7, appendFile } = await import('fs/promises');
       const gitignore = await readFile7(gitignorePath, "utf8");
       if (!gitignore.includes(".pinata/")) {
         await appendFile(gitignorePath, "\n# Pinata cache\n.pinata/\n");
-        console.log(chalk5.green("Added .pinata/ to .gitignore"));
+        console.log(chalk7.green("Added .pinata/ to .gitignore"));
       }
     }
     console.log();
-    console.log(chalk5.bold("Pinata initialized successfully!"));
-    console.log();
-    console.log("Next steps:");
-    console.log(chalk5.gray("  1. Review and customize .pinata.yml"));
-    console.log(chalk5.gray("  2. Run: pinata analyze"));
-    console.log(chalk5.gray("  3. Generate tests: pinata generate"));
+    console.log(chalk7.bold("Pinata initialized successfully!"));
+    console.log(chalk7.gray("  1. Review and customize .pinata.yml"));
+    console.log(chalk7.gray("  2. Run: pinata analyze"));
+    console.log(chalk7.gray("  3. Generate tests: pinata generate"));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9617,18 +9485,15 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   const checkAge = Boolean(options["checkAge"]);
   const strictMode = Boolean(options["strict"]);
   const doAllChecks = !checkRegistry && !checkDownloads && !checkAge;
-  console.log(chalk5.bold("\nPinata Dependency Audit\n"));
+  console.log(chalk7.bold("\nPinata Dependency Audit\n"));
   if (!existsSync(packagePath)) {
-    console.error(chalk5.red(`Error: ${packagePath} not found`));
+    console.error(chalk7.red(`Error: ${packagePath} not found`));
     process.exit(1);
   }
   const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
-  const allDeps = {
-    ...packageJson.dependencies,
-    ...packageJson.devDependencies
-  };
+  const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
   const packages = Object.keys(allDeps);
-  console.log(chalk5.gray(`Found ${packages.length} dependencies
+  console.log(chalk7.gray(`Found ${packages.length} dependencies
 `));
   const issues = [];
   const KNOWN_MALWARE = /* @__PURE__ */ new Set([
@@ -9651,56 +9516,31 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   ]);
   for (const pkg of packages) {
     if (KNOWN_MALWARE.has(pkg)) {
-      issues.push({
-        pkg,
-        severity: "critical",
-        message: "Known malicious/compromised package (Shai-Hulud/typosquat)"
-      });
+      issues.push({ pkg, severity: "critical", message: "Known malicious/compromised package (Shai-Hulud/typosquat)" });
     }
   }
   for (const [pkg, version] of Object.entries(allDeps)) {
     if (version?.startsWith("^")) {
-      issues.push({
-        pkg,
-        severity: "warning",
-        message: `Unpinned version (${version}) - allows minor updates`
-      });
+      issues.push({ pkg, severity: "warning", message: `Unpinned version (${version}) - allows minor updates` });
     } else if (version?.startsWith("~")) {
-      issues.push({
-        pkg,
-        severity: "warning",
-        message: `Unpinned version (${version}) - allows patch updates`
-      });
+      issues.push({ pkg, severity: "warning", message: `Unpinned version (${version}) - allows patch updates` });
     } else if (version === "*" || version === "latest") {
-      issues.push({
-        pkg,
-        severity: "critical",
-        message: `Extremely dangerous version (${version}) - allows any version`
-      });
+      issues.push({ pkg, severity: "critical", message: `Extremely dangerous version (${version}) - allows any version` });
     }
   }
   if (checkRegistry || doAllChecks) {
-    const spinner = ora("Checking npm registry...").start();
+    const spinner = ora3("Checking npm registry...").start();
     for (const pkg of packages.slice(0, 50)) {
       try {
         const response = await fetch(`https://registry.npmjs.org/${encodeURIComponent(pkg)}`);
         if (response.status === 404) {
-          issues.push({
-            pkg,
-            severity: "critical",
-            message: "Package NOT FOUND in npm registry (slopsquatting risk)"
-          });
+          issues.push({ pkg, severity: "critical", message: "Package NOT FOUND in npm registry (slopsquatting risk)" });
         } else if (response.ok) {
           const data = await response.json();
           if ((checkAge || doAllChecks) && data.time?.created) {
-            const created = new Date(data.time.created);
-            const ageInDays = (Date.now() - created.getTime()) / (1e3 * 60 * 60 * 24);
+            const ageInDays = (Date.now() - new Date(data.time.created).getTime()) / (1e3 * 60 * 60 * 24);
             if (ageInDays < 30) {
-              issues.push({
-                pkg,
-                severity: "warning",
-                message: `Very new package (${Math.floor(ageInDays)} days old)`
-              });
+              issues.push({ pkg, severity: "warning", message: `Very new package (${Math.floor(ageInDays)} days old)` });
             }
           }
         }
@@ -9712,24 +9552,24 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   const criticals = issues.filter((i) => i.severity === "critical");
   const warnings = issues.filter((i) => i.severity === "warning");
   if (criticals.length > 0) {
-    console.log(chalk5.red.bold(`
+    console.log(chalk7.red.bold(`
 Critical Issues (${criticals.length}):`));
     for (const issue of criticals) {
-      console.log(chalk5.red(`  \u2717 ${issue.pkg}: ${issue.message}`));
+      console.log(chalk7.red(`  \u2717 ${issue.pkg}: ${issue.message}`));
     }
   }
   if (warnings.length > 0) {
-    console.log(chalk5.yellow.bold(`
+    console.log(chalk7.yellow.bold(`
 Warnings (${warnings.length}):`));
     for (const issue of warnings.slice(0, 20)) {
-      console.log(chalk5.yellow(`  \u26A0 ${issue.pkg}: ${issue.message}`));
+      console.log(chalk7.yellow(`  \u26A0 ${issue.pkg}: ${issue.message}`));
     }
     if (warnings.length > 20) {
-      console.log(chalk5.gray(`  ... and ${warnings.length - 20} more`));
+      console.log(chalk7.gray(`  ... and ${warnings.length - 20} more`));
     }
   }
   if (issues.length === 0) {
-    console.log(chalk5.green("\u2713 No dependency issues found"));
+    console.log(chalk7.green("\u2713 No dependency issues found"));
   }
   console.log();
   if (criticals.length > 0 || strictMode && warnings.length > 0) {
@@ -9742,7 +9582,7 @@ program.command("feedback").description("View pattern performance feedback (Laye
   const shouldReset = Boolean(options["reset"]);
   if (shouldReset) {
     await saveFeedback2({ ...EMPTY_FEEDBACK_STATE2 });
-    console.log(chalk5.green("Feedback data reset."));
+    console.log(chalk7.green("Feedback data reset."));
     return;
   }
   const state = await loadFeedback2();
@@ -9754,20 +9594,20 @@ program.command("feedback").description("View pattern performance feedback (Laye
     console.log(generateReport2(state));
     return;
   }
-  console.log(chalk5.bold("\nPinata Feedback Report\n"));
+  console.log(chalk7.bold("\nPinata Feedback Report\n"));
   console.log(`Total scans: ${state.totalScans}`);
   console.log(`Patterns tracked: ${Object.keys(state.patterns).length}`);
   if (state.totalScans === 0) {
-    console.log(chalk5.gray("\nNo feedback data yet. Run scans with --execute to collect data.\n"));
+    console.log(chalk7.gray("\nNo feedback data yet. Run scans with --execute to collect data.\n"));
     return;
   }
   const patterns = Object.values(state.patterns).filter((p) => p.confirmedCount + p.unconfirmedCount >= 1).sort((a, b) => b.precision - a.precision);
   if (patterns.length > 0) {
-    console.log(chalk5.bold("\nPattern Performance:"));
+    console.log(chalk7.bold("\nPattern Performance:"));
     for (const p of patterns.slice(0, 15)) {
       const total = p.confirmedCount + p.unconfirmedCount;
       const precisionPct = (p.precision * 100).toFixed(0);
-      const color = p.precision >= 0.7 ? chalk5.green : p.precision >= 0.4 ? chalk5.yellow : chalk5.red;
+      const color = p.precision >= 0.7 ? chalk7.green : p.precision >= 0.4 ? chalk7.yellow : chalk7.red;
       console.log(`  ${color(`${precisionPct}%`)} ${p.patternId} (${p.confirmedCount}/${total} confirmed)`);
     }
   }
@@ -9789,76 +9629,74 @@ Examples:
     case "anthropic-api-key": {
       const validation = validateApiKey2("anthropic", value);
       if (!validation.valid) {
-        console.log(chalk5.red(`Invalid API key: ${validation.error}`));
+        console.log(chalk7.red(`Invalid API key: ${validation.error}`));
         process.exit(1);
       }
       setConfigValue2("anthropicApiKey", value);
-      console.log(chalk5.green(`Anthropic API key set: ${maskApiKey2(value)}`));
+      console.log(chalk7.green(`Anthropic API key set: ${maskApiKey2(value)}`));
       break;
     }
     case "openai-api-key": {
       const validation = validateApiKey2("openai", value);
       if (!validation.valid) {
-        console.log(chalk5.red(`Invalid API key: ${validation.error}`));
+        console.log(chalk7.red(`Invalid API key: ${validation.error}`));
         process.exit(1);
       }
       setConfigValue2("openaiApiKey", value);
-      console.log(chalk5.green(`OpenAI API key set: ${maskApiKey2(value)}`));
+      console.log(chalk7.green(`OpenAI API key set: ${maskApiKey2(value)}`));
       break;
     }
     case "default-provider": {
       if (value !== "anthropic" && value !== "openai") {
-        console.log(chalk5.red("Provider must be 'anthropic' or 'openai'"));
+        console.log(chalk7.red("Provider must be 'anthropic' or 'openai'"));
         process.exit(1);
       }
       setConfigValue2("defaultProvider", value);
-      console.log(chalk5.green(`Default provider set to: ${value}`));
+      console.log(chalk7.green(`Default provider set to: ${value}`));
       break;
     }
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
-      console.log(chalk5.gray("Run 'pinata config set --help' for available keys"));
+      console.log(chalk7.red(`Unknown config key: ${key}`));
+      console.log(chalk7.gray("Run 'pinata config set --help' for available keys"));
       process.exit(1);
   }
-  console.log(chalk5.gray(`Config stored at: ${getConfigPath2()}`));
+  console.log(chalk7.gray(`Config stored at: ${getConfigPath2()}`));
 });
 config.command("get <key>").description("Get a configuration value").action(async (key) => {
   const { loadConfig: loadConfig2, maskApiKey: maskApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const cfg = loadConfig2();
   switch (key) {
     case "anthropic-api-key":
-      console.log(cfg.anthropicApiKey ? maskApiKey2(cfg.anthropicApiKey) : chalk5.gray("(not set)"));
+      console.log(cfg.anthropicApiKey ? maskApiKey2(cfg.anthropicApiKey) : chalk7.gray("(not set)"));
       break;
     case "openai-api-key":
-      console.log(cfg.openaiApiKey ? maskApiKey2(cfg.openaiApiKey) : chalk5.gray("(not set)"));
+      console.log(cfg.openaiApiKey ? maskApiKey2(cfg.openaiApiKey) : chalk7.gray("(not set)"));
       break;
     case "default-provider":
-      console.log(cfg.defaultProvider ?? chalk5.gray("anthropic (default)"));
+      console.log(cfg.defaultProvider ?? chalk7.gray("anthropic (default)"));
       break;
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
+      console.log(chalk7.red(`Unknown config key: ${key}`));
       process.exit(1);
   }
 });
 config.command("list").description("List all configuration values").action(async () => {
   const { loadConfig: loadConfig2, maskApiKey: maskApiKey2, getConfigPath: getConfigPath2, hasApiKey: hasApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const cfg = loadConfig2();
-  console.log(chalk5.bold("Pinata Configuration"));
-  console.log(chalk5.gray(`Config file: ${getConfigPath2()}`));
+  console.log(chalk7.bold("Pinata Configuration"));
+  console.log(chalk7.gray(`Config file: ${getConfigPath2()}`));
   console.log();
   console.log("AI Providers:");
-  const anthropicStatus = hasApiKey2("anthropic") ? chalk5.green("configured") : chalk5.gray("not set");
-  const openaiStatus = hasApiKey2("openai") ? chalk5.green("configured") : chalk5.gray("not set");
-  console.log(`  Anthropic API key:  ${anthropicStatus} ${cfg.anthropicApiKey ? chalk5.gray(`(${maskApiKey2(cfg.anthropicApiKey)})`) : ""}`);
-  console.log(`  OpenAI API key:     ${openaiStatus} ${cfg.openaiApiKey ? chalk5.gray(`(${maskApiKey2(cfg.openaiApiKey)})`) : ""}`);
+  const anthropicStatus = hasApiKey2("anthropic") ? chalk7.green("configured") : chalk7.gray("not set");
+  const openaiStatus = hasApiKey2("openai") ? chalk7.green("configured") : chalk7.gray("not set");
+  console.log(`  Anthropic API key:  ${anthropicStatus} ${cfg.anthropicApiKey ? chalk7.gray(`(${maskApiKey2(cfg.anthropicApiKey)})`) : ""}`);
+  console.log(`  OpenAI API key:     ${openaiStatus} ${cfg.openaiApiKey ? chalk7.gray(`(${maskApiKey2(cfg.openaiApiKey)})`) : ""}`);
   console.log(`  Default provider:   ${cfg.defaultProvider ?? "anthropic"}`);
   console.log();
   if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
-    console.log(chalk5.yellow("No AI provider configured."));
-    console.log(chalk5.gray("To use AI features (explain, suggest-patterns, --ai flag):"));
-    console.log(chalk5.gray("  pinata config set anthropic-api-key sk-ant-xxx"));
-    console.log(chalk5.gray("  # or"));
-    console.log(chalk5.gray("  export ANTHROPIC_API_KEY=sk-ant-xxx"));
+    console.log(chalk7.yellow("No AI provider configured."));
+    console.log(chalk7.gray("  pinata config set anthropic-api-key sk-ant-xxx"));
+    console.log(chalk7.gray("  export ANTHROPIC_API_KEY=sk-ant-xxx"));
   }
 });
 config.command("unset <key>").description("Remove a configuration value").action(async (key) => {
@@ -9866,18 +9704,18 @@ config.command("unset <key>").description("Remove a configuration value").action
   switch (key) {
     case "anthropic-api-key":
       deleteConfigValue2("anthropicApiKey");
-      console.log(chalk5.green("Anthropic API key removed"));
+      console.log(chalk7.green("Anthropic API key removed"));
       break;
     case "openai-api-key":
       deleteConfigValue2("openaiApiKey");
-      console.log(chalk5.green("OpenAI API key removed"));
+      console.log(chalk7.green("OpenAI API key removed"));
       break;
     case "default-provider":
       deleteConfigValue2("defaultProvider");
-      console.log(chalk5.green("Default provider reset to: anthropic"));
+      console.log(chalk7.green("Default provider reset to: anthropic"));
       break;
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
+      console.log(chalk7.red(`Unknown config key: ${key}`));
       process.exit(1);
   }
 });
@@ -9885,18 +9723,13 @@ var auth = program.command("auth").description("Manage API key authentication");
 auth.command("login").description("Set API key for Pinata Cloud").option("-k, --key <key>", "API key (or set PINATA_API_KEY env var)").action(async (options) => {
   const apiKey = options["key"] ?? process.env["PINATA_API_KEY"];
   if (!apiKey) {
-    console.log(chalk5.yellow("No API key provided."));
-    console.log();
-    console.log("Provide an API key using one of:");
-    console.log(chalk5.gray("  pinata auth login --key <your-api-key>"));
-    console.log(chalk5.gray("  PINATA_API_KEY=<your-api-key> pinata auth login"));
-    console.log();
-    console.log("Get your API key at: https://app.pinata.dev/settings/api");
+    console.log(chalk7.yellow("No API key provided."));
+    console.log(chalk7.gray("  pinata auth login --key <your-api-key>"));
+    console.log(chalk7.gray("  PINATA_API_KEY=<your-api-key> pinata auth login"));
     process.exit(1);
   }
   if (apiKey.length < 20 || !apiKey.startsWith("pk_")) {
-    console.log(chalk5.red("Invalid API key format."));
-    console.log(chalk5.gray("Keys should start with 'pk_' and be at least 20 characters."));
+    console.log(chalk7.red("Invalid API key format. Keys should start with 'pk_'."));
     process.exit(1);
   }
   const configDir = resolve(process.cwd(), ".pinata");
@@ -9905,19 +9738,13 @@ auth.command("login").description("Set API key for Pinata Cloud").option("-k, --
   try {
     await mkdir4(configDir, { recursive: true });
     const maskedKey = `****${apiKey.slice(-8)}`;
-    const authData = {
-      configured: true,
-      keyId: maskedKey,
-      configuredAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-    await writeFileAsync(authPath, JSON.stringify(authData, null, 2), "utf8");
+    await writeFileAsync(authPath, JSON.stringify({ configured: true, keyId: maskedKey, configuredAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf8");
     const envPath = resolve(configDir, ".env");
     await writeFileAsync(envPath, `PINATA_API_KEY=${apiKey}
 `, { mode: 384 });
-    console.log(chalk5.green("API key configured successfully!"));
-    console.log(chalk5.gray(`Key ID: ${maskedKey}`));
-    console.log();
-    console.log(chalk5.yellow("Important: Add .pinata/.env to your .gitignore"));
+    console.log(chalk7.green("API key configured successfully!"));
+    console.log(chalk7.gray(`Key ID: ${maskedKey}`));
+    console.log(chalk7.yellow("Important: Add .pinata/.env to your .gitignore"));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9938,11 +9765,7 @@ auth.command("logout").description("Remove stored API key").action(async () => {
       await rm2(envPath);
       removed = true;
     }
-    if (removed) {
-      console.log(chalk5.green("API key removed successfully."));
-    } else {
-      console.log(chalk5.yellow("No stored API key found."));
-    }
+    console.log(removed ? chalk7.green("API key removed successfully.") : chalk7.yellow("No stored API key found."));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9951,19 +9774,19 @@ auth.command("logout").description("Remove stored API key").action(async () => {
 auth.command("status").description("Check authentication status").action(async () => {
   const authPath = resolve(process.cwd(), ".pinata", "auth.json");
   if (!existsSync(authPath)) {
-    console.log(chalk5.yellow("Not authenticated."));
-    console.log(chalk5.gray("Run: pinata auth login --key <your-api-key>"));
+    console.log(chalk7.yellow("Not authenticated."));
+    console.log(chalk7.gray("Run: pinata auth login --key <your-api-key>"));
     process.exit(0);
   }
   try {
     const { readFile: readFile7 } = await import('fs/promises');
     const authData = JSON.parse(await readFile7(authPath, "utf8"));
-    console.log(chalk5.green("Authenticated"));
-    console.log(chalk5.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
-    console.log(chalk5.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));
-  } catch (error) {
-    console.log(chalk5.yellow("Authentication status unknown."));
-    console.log(chalk5.gray("Run: pinata auth login to reconfigure."));
+    console.log(chalk7.green("Authenticated"));
+    console.log(chalk7.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
+    console.log(chalk7.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));
+  } catch {
+    console.log(chalk7.yellow("Authentication status unknown."));
+    console.log(chalk7.gray("Run: pinata auth login to reconfigure."));
   }
 });
 program.parse();