pinata-security-cli 0.5.2 → 0.6.0

package/dist/cli/index.js

@@ -1,19 +1,19 @@
 #!/usr/bin/env node
-import { z } from 'zod';
 import fs, { mkdir, writeFile, readFile, stat, readdir, mkdtemp, rm } from 'fs/promises';
-import path, { dirname, resolve, join, basename, relative, extname } from 'path';
-import { existsSync, writeFileSync, readFileSync, chmodSync, mkdirSync } from 'fs';
+import path, { dirname, resolve, relative, join, basename, extname } from 'path';
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir, tmpdir } from 'os';
+import { z } from 'zod';
 import { spawn } from 'child_process';
 import { useState } from 'react';
 import { render, useApp, useInput, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
 import { jsx, jsxs } from 'react/jsx-runtime';
-import { fileURLToPath } from 'url';
-import chalk5 from 'chalk';
+import chalk6 from 'chalk';
 import { Command } from 'commander';
-import ora from 'ora';
+import ora3 from 'ora';
 import YAML from 'yaml';
+import { fileURLToPath } from 'url';
 import { Query, Parser, Language } from 'web-tree-sitter';
 import { minimatch } from 'minimatch';
 
@@ -125,35 +125,6 @@ var init_result = __esm({
   "src/lib/result.ts"() {
   }
 });
-var SEVERITY_WEIGHTS, CONFIDENCE_WEIGHTS, PRIORITY_WEIGHTS, DEFAULT_TEST_PATTERNS;
-var init_types = __esm({
-  "src/core/scanner/types.ts"() {
-    SEVERITY_WEIGHTS = {
-      critical: 4,
-      high: 3,
-      medium: 2,
-      low: 1
-    };
-    CONFIDENCE_WEIGHTS = {
-      high: 1,
-      medium: 0.7,
-      low: 0.4
-    };
-    PRIORITY_WEIGHTS = {
-      P0: 3,
-      P1: 2,
-      P2: 1
-    };
-    DEFAULT_TEST_PATTERNS = {
-      python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
-      typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
-      javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
-      go: ["*_test.go"],
-      java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
-      rust: ["tests/**/*.rs"]
-    };
-  }
-});
 function getCachePath(projectRoot) {
   return resolve(projectRoot, CACHE_DIR, CACHE_FILE);
 }
@@ -850,7 +821,6 @@ var init_config = __esm({
 var SKIP_PATTERNS, BATCH_PROMPT, SINGLE_ITEM_TEMPLATE, AIVerifier;
 var init_ai_verifier = __esm({
   "src/core/verifier/ai-verifier.ts"() {
-    init_types();
     SKIP_PATTERNS = {
       paths: [
         /\.test\.(ts|js|tsx|jsx)$/,
@@ -1255,7 +1225,7 @@ function isTestable(categoryId) {
   return TESTABLE_VULNERABILITIES.includes(categoryId);
 }
 var DEFAULT_SANDBOX_CONFIG, TESTABLE_VULNERABILITIES;
-var init_types2 = __esm({
+var init_types = __esm({
   "src/execution/types.ts"() {
     DEFAULT_SANDBOX_CONFIG = {
       image: "pinata-sandbox:latest",
@@ -1285,7 +1255,7 @@ function createSandbox(config2) {
 var Sandbox;
 var init_sandbox = __esm({
   "src/execution/sandbox.ts"() {
-    init_types2();
+    init_types();
     Sandbox = class {
       config;
       tempDir = null;
@@ -1488,7 +1458,7 @@ export default defineConfig({
        * Execute a command and capture output
        */
       exec(command, args, options = {}) {
-        return new Promise((resolve7) => {
+        return new Promise((resolve9) => {
           let stdout = "";
           let stderr = "";
           let timedOut = false;
@@ -1508,18 +1478,18 @@ export default defineConfig({
           }, timeout);
           proc.on("close", (code) => {
             clearTimeout(timer);
-            resolve7({
+            resolve9({
               stdout,
               stderr,
               exitCode: code ?? 1,
               timedOut
             });
           });
-          proc.on("error", (err3) => {
+          proc.on("error", (err2) => {
             clearTimeout(timer);
-            resolve7({
+            resolve9({
               stdout,
-              stderr: stderr + "\n" + err3.message,
+              stderr: stderr + "\n" + err2.message,
               exitCode: 1,
               timedOut: false
             });
@@ -2776,7 +2746,7 @@ var init_runner = __esm({
     init_sandbox();
     init_results();
     init_generator();
-    init_types2();
+    init_types();
     ExecutionRunner = class {
       sandbox;
       dryRun;
@@ -2983,53 +2953,35 @@ ${code}
 Generate 3-5 targeted payloads that would exploit THIS SPECIFIC code.
 Consider the exact variable names, function calls, and data flow shown above.`;
 }
+function matchFirst(code, patterns) {
+  for (const [keywords, name] of patterns) {
+    if (keywords.some((k) => code.includes(k))) {
+      return name;
+    }
+  }
+  return void 0;
+}
 function extractTechStack(code, filePath) {
+  const ext = "." + (filePath.split(".").pop() ?? "");
   const hints = {
-    language: detectLanguage2(filePath)
+    language: LANGUAGE_EXTENSIONS[ext] ?? "unknown",
+    hasEscaping: ESCAPING_KEYWORDS.some((k) => code.includes(k)),
+    hasWaf: WAF_KEYWORDS.some((k) => code.includes(k))
   };
-  if (code.includes("express") || code.includes("app.get") || code.includes("app.post")) {
-    hints.framework = "express";
-  } else if (code.includes("fastify")) {
-    hints.framework = "fastify";
-  } else if (code.includes("django") || code.includes("from django")) {
-    hints.framework = "django";
-  } else if (code.includes("flask") || code.includes("from flask")) {
-    hints.framework = "flask";
-  } else if (code.includes("gin.") || code.includes("fiber.")) {
-    hints.framework = code.includes("gin.") ? "gin" : "fiber";
-  }
-  if (code.includes("postgres") || code.includes("pg.") || code.includes("$1")) {
-    hints.database = "postgres";
-  } else if (code.includes("mysql") || code.includes("?") && code.includes("query")) {
-    hints.database = "mysql";
-  } else if (code.includes("mongodb") || code.includes("mongoose") || code.includes("$where")) {
-    hints.database = "mongodb";
-  } else if (code.includes("sqlite") || code.includes("sqlite3")) {
-    hints.database = "sqlite";
-  }
-  if (code.includes("prisma")) {
-    hints.orm = "prisma";
-  } else if (code.includes("sequelize")) {
-    hints.orm = "sequelize";
-  } else if (code.includes("typeorm") || code.includes("TypeORM")) {
-    hints.orm = "typeorm";
-  } else if (code.includes("sqlalchemy") || code.includes("SQLAlchemy")) {
-    hints.orm = "sqlalchemy";
-  }
-  hints.hasEscaping = code.includes("escape") || code.includes("sanitize") || code.includes("DOMPurify") || code.includes("htmlspecialchars");
-  hints.hasWaf = code.includes("waf") || code.includes("WAF") || code.includes("cloudflare") || code.includes("akamai");
+  const framework = matchFirst(code, FRAMEWORK_PATTERNS);
+  if (framework) {
+    hints.framework = framework;
+  }
+  const database = matchFirst(code, DATABASE_PATTERNS);
+  if (database) {
+    hints.database = database;
+  }
+  const orm = matchFirst(code, ORM_PATTERNS);
+  if (orm) {
+    hints.orm = orm;
+  }
   return hints;
 }
-function detectLanguage2(filePath) {
-  if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
-  if (filePath.endsWith(".js") || filePath.endsWith(".jsx")) return "javascript";
-  if (filePath.endsWith(".py")) return "python";
-  if (filePath.endsWith(".go")) return "go";
-  if (filePath.endsWith(".java")) return "java";
-  if (filePath.endsWith(".rb")) return "ruby";
-  if (filePath.endsWith(".php")) return "php";
-  return "unknown";
-}
 function parseAiPayloadResponse(response) {
   try {
     const jsonMatch = response.match(/\{[\s\S]*"payloads"[\s\S]*\}/);
@@ -3080,7 +3032,7 @@ function getFallbackPayloads(context, maxPayloads = 10) {
   }
   return [...new Set(payloads)].slice(0, maxPayloads);
 }
-var AI_PAYLOAD_SYSTEM_PROMPT;
+var AI_PAYLOAD_SYSTEM_PROMPT, FRAMEWORK_PATTERNS, DATABASE_PATTERNS, ORM_PATTERNS, ESCAPING_KEYWORDS, WAF_KEYWORDS, LANGUAGE_EXTENSIONS;
 var init_ai_payloads = __esm({
   "src/execution/ai-payloads.ts"() {
     init_payloads();
@@ -3119,6 +3071,39 @@ Return payloads in JSON format:
     }
   ]
 }`;
+    FRAMEWORK_PATTERNS = [
+      [["express", "app.get", "app.post"], "express"],
+      [["fastify"], "fastify"],
+      [["django", "from django"], "django"],
+      [["flask", "from flask"], "flask"],
+      [["gin."], "gin"],
+      [["fiber."], "fiber"]
+    ];
+    DATABASE_PATTERNS = [
+      [["postgres", "pg."], "postgres"],
+      [["mysql"], "mysql"],
+      [["mongodb", "mongoose", "$where"], "mongodb"],
+      [["sqlite", "sqlite3"], "sqlite"]
+    ];
+    ORM_PATTERNS = [
+      [["prisma"], "prisma"],
+      [["sequelize"], "sequelize"],
+      [["typeorm", "TypeORM"], "typeorm"],
+      [["sqlalchemy", "SQLAlchemy"], "sqlalchemy"]
+    ];
+    ESCAPING_KEYWORDS = ["escape", "sanitize", "DOMPurify", "htmlspecialchars"];
+    WAF_KEYWORDS = ["waf", "WAF", "cloudflare", "akamai"];
+    LANGUAGE_EXTENSIONS = {
+      ".ts": "typescript",
+      ".tsx": "typescript",
+      ".js": "javascript",
+      ".jsx": "javascript",
+      ".py": "python",
+      ".go": "go",
+      ".java": "java",
+      ".rb": "ruby",
+      ".php": "php"
+    };
   }
 });
 
@@ -3441,7 +3426,7 @@ __export(execution_exports, {
 });
 var init_execution = __esm({
   "src/execution/index.ts"() {
-    init_types2();
+    init_types();
     init_sandbox();
     init_runner();
     init_results();
@@ -3792,7 +3777,7 @@ function suggestConfidence(precision) {
   return "low";
 }
 var EMPTY_FEEDBACK_STATE, CONFIDENCE_THRESHOLDS;
-var init_types3 = __esm({
+var init_types2 = __esm({
   "src/feedback/types.ts"() {
     EMPTY_FEEDBACK_STATE = {
       version: 1,
@@ -3926,7 +3911,7 @@ function generateReport(state) {
 var FEEDBACK_DIR, FEEDBACK_FILE;
 var init_store = __esm({
   "src/feedback/store.ts"() {
-    init_types3();
+    init_types2();
     FEEDBACK_DIR = join(homedir(), ".pinata");
     FEEDBACK_FILE = join(FEEDBACK_DIR, "feedback.json");
   }
@@ -3948,7 +3933,7 @@ __export(feedback_exports, {
 });
 var init_feedback = __esm({
   "src/feedback/index.ts"() {
-    init_types3();
+    init_types2();
     init_store();
   }
 });
@@ -4598,7 +4583,7 @@ var Logger = class _Logger {
    */
   debug(message, ...args) {
     if (this.shouldLog("debug")) {
-      console.debug(chalk5.gray(this.format(message)), ...args);
+      console.debug(chalk6.gray(this.format(message)), ...args);
     }
   }
   /**
@@ -4614,7 +4599,7 @@ var Logger = class _Logger {
    */
   warn(message, ...args) {
     if (this.shouldLog("warn")) {
-      console.warn(chalk5.yellow(this.format(message)), ...args);
+      console.warn(chalk6.yellow(this.format(message)), ...args);
     }
   }
   /**
@@ -4622,7 +4607,7 @@ var Logger = class _Logger {
    */
   error(message, ...args) {
     if (this.shouldLog("error")) {
-      console.error(chalk5.red(this.format(message)), ...args);
+      console.error(chalk6.red(this.format(message)), ...args);
     }
   }
   /**
@@ -4630,7 +4615,7 @@ var Logger = class _Logger {
    */
   success(message, ...args) {
     if (this.shouldLog("info")) {
-      console.info(chalk5.green(this.format(message)), ...args);
+      console.info(chalk6.green(this.format(message)), ...args);
     }
   }
   /**
@@ -5573,6 +5558,64 @@ var SCORING_ADJUSTMENTS = [
     categoryId: "command-injection",
     lowerWeight: ["cli", "script"],
     higherWeight: ["web-server", "api", "serverless"]
+  },
+  // Connection failure handling less relevant for CLI
+  {
+    categoryId: "connection-failure",
+    lowerWeight: ["cli", "script", "library"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Memory bloat less relevant for short-lived processes
+  {
+    categoryId: "memory-bloat",
+    skip: ["cli", "script", "serverless"],
+    higherWeight: ["web-server", "desktop"]
+  },
+  // Data race less relevant for single-threaded CLI
+  {
+    categoryId: "data-race",
+    lowerWeight: ["cli", "script"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Network partition not relevant for CLI
+  {
+    categoryId: "network-partition",
+    skip: ["cli", "script", "library", "frontend-spa"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Packet loss not relevant for CLI
+  {
+    categoryId: "packet-loss",
+    skip: ["cli", "script", "library", "frontend-spa"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Thundering herd not relevant for CLI
+  {
+    categoryId: "thundering-herd",
+    skip: ["cli", "script", "library", "frontend-spa"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Network timeout less relevant for CLI
+  {
+    categoryId: "network-timeout",
+    lowerWeight: ["cli", "script"],
+    higherWeight: ["web-server", "api"]
+  },
+  // High latency not relevant for CLI
+  {
+    categoryId: "high-latency",
+    skip: ["cli", "script", "library"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Encoding mismatch less relevant for CLI
+  {
+    categoryId: "encoding-mismatch",
+    lowerWeight: ["cli", "script"]
+  },
+  // Precision loss less relevant for CLI
+  {
+    categoryId: "precision-loss",
+    lowerWeight: ["cli", "script"]
   }
 ];
 async function detectProjectType(projectPath) {
@@ -5705,7 +5748,32 @@ function getProjectTypeDescription(type) {
 }
 init_errors();
 init_result();
-init_types();
+var SEVERITY_WEIGHTS = {
+  critical: 4,
+  high: 3,
+  medium: 2,
+  low: 1
+};
+var CONFIDENCE_WEIGHTS = {
+  high: 1,
+  medium: 0.3,
+  low: 0.1
+};
+var PRIORITY_WEIGHTS = {
+  P0: 3,
+  P1: 2,
+  P2: 1
+};
+var DEFAULT_TEST_PATTERNS = {
+  python: ["test_*.py", "*_test.py", "tests/**/*.py", "test/**/*.py"],
+  typescript: ["*.test.ts", "*.spec.ts", "__tests__/**/*.ts", "tests/**/*.ts"],
+  javascript: ["*.test.js", "*.spec.js", "__tests__/**/*.js", "tests/**/*.js"],
+  go: ["*_test.go"],
+  java: ["*Test.java", "*Tests.java", "src/test/**/*.java"],
+  rust: ["tests/**/*.rs"]
+};
+
+// src/core/scanner/scanner.ts
 var DEFAULT_OPTIONS = {
   excludeDirs: [
     // Package managers
@@ -5770,7 +5838,7 @@ var Scanner = class {
     this.patternMatcher = new PatternMatcher();
   }
   /**
-   * Scan a directory for test coverage gaps
+   * Scan a directory for security vulnerabilities
    *
    * @param targetDirectory Directory to scan
    * @param options Scan options
@@ -5905,25 +5973,36 @@ var Scanner = class {
     for (const domain of RISK_DOMAINS) {
       domainScores.set(domain, 100);
     }
+    const gapsByCategory = /* @__PURE__ */ new Map();
     for (const gap of gaps) {
-      const severityWeight = SEVERITY_WEIGHTS[gap.severity];
-      const confidenceWeight = CONFIDENCE_WEIGHTS[gap.confidence];
-      const priorityWeight = PRIORITY_WEIGHTS[gap.priority];
       const projectTypeWeight = getCategoryWeight(gap.categoryId, projectType);
-      const basePenalty = 2;
-      const penalty = basePenalty * severityWeight * confidenceWeight * Math.sqrt(priorityWeight) * projectTypeWeight;
-      if (projectTypeWeight === 0) {
-        continue;
-      }
+      if (projectTypeWeight === 0) continue;
+      const existing = gapsByCategory.get(gap.categoryId) ?? [];
+      existing.push(gap);
+      gapsByCategory.set(gap.categoryId, existing);
+    }
+    for (const [categoryId, categoryGaps] of gapsByCategory) {
+      const representative = categoryGaps[0];
+      const severityWeight = SEVERITY_WEIGHTS[representative.severity];
+      const projectTypeWeight = getCategoryWeight(categoryId, projectType);
+      const maxConfidence = categoryGaps.reduce((max, g) => {
+        const w = CONFIDENCE_WEIGHTS[g.confidence];
+        return w > max ? w : max;
+      }, 0);
+      const count = categoryGaps.length;
+      const countFactor = Math.log2(count + 1);
+      const MAX_CATEGORY_PENALTY = 15;
+      const rawPenalty = severityWeight * maxConfidence * countFactor * projectTypeWeight;
+      const penalty = Math.min(rawPenalty, MAX_CATEGORY_PENALTY);
       baseScore -= penalty;
-      const currentDomainScore = domainScores.get(gap.domain) ?? 100;
-      domainScores.set(gap.domain, Math.max(0, currentDomainScore - penalty * 2));
-      if (penalty >= 5) {
-        const weightNote = projectTypeWeight !== 1 ? ` [${projectType} weight: ${projectTypeWeight}x]` : "";
+      const currentDomainScore = domainScores.get(representative.domain) ?? 100;
+      domainScores.set(representative.domain, Math.max(0, currentDomainScore - penalty * 1.5));
+      if (penalty >= 3) {
+        const weightNote = projectTypeWeight !== 1 ? ` [${projectType}: ${projectTypeWeight}x]` : "";
         penalties.push({
-          reason: `${gap.severity} ${gap.domain} gap: ${gap.categoryName}${weightNote}`,
+          reason: `${representative.severity} ${representative.domain}: ${representative.categoryName} (${count} findings)${weightNote}`,
           points: Math.round(penalty),
-          categoryId: gap.categoryId
+          categoryId
         });
       }
     }
@@ -6335,9 +6414,6 @@ function createScanner(categoryStore) {
   return new Scanner(categoryStore);
 }
 
-// src/core/scanner/index.ts
-init_types();
-
 // src/core/index.ts
 var VERSION = "0.4.0";
 
@@ -6346,925 +6422,197 @@ init_errors();
 init_result();
 init_errors();
 init_result();
-var TemplateRenderError = class extends PinataError {
-  constructor(message, context) {
-    super(message, "TEMPLATE_RENDER_ERROR", context);
-    this.name = "TemplateRenderError";
-  }
+var SEVERITY_COLORS = {
+  critical: chalk6.red.bold,
+  high: chalk6.red,
+  medium: chalk6.yellow,
+  low: chalk6.gray
 };
-var TemplateSyntaxError = class extends PinataError {
-  constructor(message, context) {
-    super(message, "TEMPLATE_SYNTAX_ERROR", context);
-    this.name = "TemplateSyntaxError";
-  }
+var PRIORITY_COLORS = {
+  P0: chalk6.red.bold,
+  P1: chalk6.yellow,
+  P2: chalk6.gray
 };
-var CONDITIONAL_REGEX = /\{\{#if\s+([a-zA-Z][a-zA-Z0-9_.]*)\s*\}\}([\s\S]*?)(?:\{\{#else\}\}([\s\S]*?))?\{\{\/if\}\}/g;
-var UNLESS_REGEX = /\{\{#unless\s+([a-zA-Z][a-zA-Z0-9_.]*)\s*\}\}([\s\S]*?)\{\{\/unless\}\}/g;
-var EACH_REGEX = /\{\{#each\s+([a-zA-Z][a-zA-Z0-9_.]*)\s*\}\}([\s\S]*?)\{\{\/each\}\}/g;
-var TemplateRenderer = class {
-  options;
-  constructor(options = {}) {
-    this.options = {
-      strict: options.strict ?? true,
-      allowUnresolved: options.allowUnresolved ?? false,
-      placeholderFormat: options.placeholderFormat ?? "mustache"
-    };
+var DOMAIN_COLORS = {
+  security: chalk6.red,
+  data: chalk6.blue,
+  concurrency: chalk6.magenta,
+  input: chalk6.cyan,
+  resource: chalk6.yellow,
+  reliability: chalk6.green,
+  performance: chalk6.yellowBright,
+  platform: chalk6.gray,
+  business: chalk6.white,
+  compliance: chalk6.blueBright
+};
+function formatTerminal(categories) {
+  if (categories.length === 0) {
+    return chalk6.yellow("No categories found matching the filters.");
   }
-  /**
-   * Validate template syntax for common errors
-   *
-   * @param template Template string to validate
-   * @returns Syntax validation result
-   */
-  validateSyntax(template) {
-    const errors = [];
-    if (this.hasUnclosedBlock(template, "if")) {
-      errors.push(
-        new TemplateSyntaxError("Unclosed {{#if}} block", {
-          hint: "Every {{#if variable}} must have a matching {{/if}}"
-        })
-      );
-    }
-    if (this.hasUnclosedBlock(template, "each")) {
-      errors.push(
-        new TemplateSyntaxError("Unclosed {{#each}} block", {
-          hint: "Every {{#each variable}} must have a matching {{/each}}"
-        })
-      );
-    }
-    if (this.hasUnclosedBlock(template, "unless")) {
-      errors.push(
-        new TemplateSyntaxError("Unclosed {{#unless}} block", {
-          hint: "Every {{#unless variable}} must have a matching {{/unless}}"
-        })
-      );
+  const lines = [];
+  lines.push(chalk6.bold.underline(`Found ${categories.length} categories:
+`));
+  const byDomain = /* @__PURE__ */ new Map();
+  for (const cat of categories) {
+    const domain = cat.domain;
+    if (!byDomain.has(domain)) {
+      byDomain.set(domain, []);
     }
-    if (this.hasOrphanedClosingTag(template, "if")) {
-      errors.push(
-        new TemplateSyntaxError("Orphaned {{/if}} without matching {{#if}}", {
-          hint: "Remove the extra {{/if}} or add the opening {{#if variable}}"
-        })
-      );
+    byDomain.get(domain).push(cat);
+  }
+  for (const [domain, domainCategories] of byDomain) {
+    const domainColor = DOMAIN_COLORS[domain] ?? chalk6.white;
+    lines.push(domainColor.bold(`
+${domain.toUpperCase()} (${domainCategories.length})`));
+    lines.push(chalk6.gray("\u2500".repeat(40)));
+    for (const cat of domainCategories) {
+      const priorityColor = PRIORITY_COLORS[cat.priority];
+      const severityColor = SEVERITY_COLORS[cat.severity];
+      const priority = priorityColor(`[${cat.priority}]`);
+      const severity = severityColor(`${cat.severity}`);
+      const level = chalk6.cyan(`${cat.level}`);
+      const name = chalk6.white.bold(cat.name);
+      const id = chalk6.gray(`(${cat.id})`);
+      lines.push(`  ${priority} ${name} ${id}`);
+      lines.push(`     ${severity} | ${level}`);
+      const desc = cat.description.length > 80 ? cat.description.slice(0, 77) + "..." : cat.description;
+      lines.push(chalk6.gray(`     ${desc}`));
+      lines.push("");
     }
-    if (this.hasOrphanedClosingTag(template, "each")) {
-      errors.push(
-        new TemplateSyntaxError("Orphaned {{/each}} without matching {{#each}}", {
-          hint: "Remove the extra {{/each}} or add the opening {{#each variable}}"
-        })
-      );
+  }
+  lines.push(chalk6.gray("\u2500".repeat(40)));
+  lines.push(formatStats(categories));
+  return lines.join("\n");
+}
+function formatStats(categories) {
+  const stats = {
+    P0: 0,
+    P1: 0,
+    P2: 0,
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const cat of categories) {
+    stats[cat.priority]++;
+    stats[cat.severity]++;
+  }
+  const parts = [];
+  if (stats.P0 > 0) parts.push(PRIORITY_COLORS.P0(`${stats.P0} P0`));
+  if (stats.P1 > 0) parts.push(PRIORITY_COLORS.P1(`${stats.P1} P1`));
+  if (stats.P2 > 0) parts.push(PRIORITY_COLORS.P2(`${stats.P2} P2`));
+  parts.push(chalk6.gray("|"));
+  if (stats.critical > 0) parts.push(SEVERITY_COLORS.critical(`${stats.critical} critical`));
+  if (stats.high > 0) parts.push(SEVERITY_COLORS.high(`${stats.high} high`));
+  if (stats.medium > 0) parts.push(SEVERITY_COLORS.medium(`${stats.medium} medium`));
+  if (stats.low > 0) parts.push(SEVERITY_COLORS.low(`${stats.low} low`));
+  return parts.join(" ");
+}
+function formatJson(categories) {
+  return JSON.stringify(categories, null, 2);
+}
+function formatMarkdown(categories) {
+  if (categories.length === 0) {
+    return "_No categories found matching the filters._";
+  }
+  const lines = [];
+  lines.push(`# Categories (${categories.length})
+`);
+  const byDomain = /* @__PURE__ */ new Map();
+  for (const cat of categories) {
+    const domain = cat.domain;
+    if (!byDomain.has(domain)) {
+      byDomain.set(domain, []);
     }
-    if (this.hasOrphanedClosingTag(template, "unless")) {
-      errors.push(
-        new TemplateSyntaxError("Orphaned {{/unless}} without matching {{#unless}}", {
-          hint: "Remove the extra {{/unless}} or add the opening {{#unless variable}}"
-        })
-      );
+    byDomain.get(domain).push(cat);
+  }
+  for (const [domain, domainCategories] of byDomain) {
+    lines.push(`
+## ${domain.charAt(0).toUpperCase() + domain.slice(1)} (${domainCategories.length})
+`);
+    for (const cat of domainCategories) {
+      lines.push(`### ${cat.name}`);
+      lines.push(`- **ID**: \`${cat.id}\``);
+      lines.push(`- **Priority**: ${cat.priority}`);
+      lines.push(`- **Severity**: ${cat.severity}`);
+      lines.push(`- **Level**: ${cat.level}`);
+      lines.push(`
+${cat.description}
+`);
     }
-    const mismatchErrors = this.checkBlockNesting(template);
-    errors.push(...mismatchErrors);
-    return {
-      valid: errors.length === 0,
-      errors
-    };
   }
-  /**
-   * Check if template has an unclosed block of specified type
-   */
-  hasUnclosedBlock(template, blockType) {
-    const openRegex = new RegExp(`\\{\\{#${blockType}\\s+[^}]+\\}\\}`, "g");
-    const closeRegex = new RegExp(`\\{\\{/${blockType}\\}\\}`, "g");
-    const opens = (template.match(openRegex) || []).length;
-    const closes = (template.match(closeRegex) || []).length;
-    return opens > closes;
+  return lines.join("\n");
+}
+function formatCategories(categories, format) {
+  switch (format) {
+    case "json":
+      return formatJson(categories);
+    case "markdown":
+      return formatMarkdown(categories);
+    case "terminal":
+    default:
+      return formatTerminal(categories);
   }
-  /**
-   * Check if template has orphaned closing tags
-   */
-  hasOrphanedClosingTag(template, blockType) {
-    const openRegex = new RegExp(`\\{\\{#${blockType}\\s+[^}]+\\}\\}`, "g");
-    const closeRegex = new RegExp(`\\{\\{/${blockType}\\}\\}`, "g");
-    const opens = (template.match(openRegex) || []).length;
-    const closes = (template.match(closeRegex) || []).length;
-    return closes > opens;
+}
+function isValidOutputFormat(format) {
+  return ["terminal", "json", "markdown"].includes(format);
+}
+function formatError(error) {
+  return chalk6.red(`Error: ${error.message}`);
+}
+
+// src/ai/service.ts
+var DEFAULT_CONFIG = {
+  provider: "anthropic",
+  apiKey: "",
+  model: "claude-sonnet-4-20250514",
+  maxTokens: 1024,
+  temperature: 0.3,
+  timeoutMs: 3e4
+};
+var PROVIDER_MODELS = {
+  anthropic: "claude-sonnet-4-20250514",
+  openai: "gpt-4o",
+  mock: "mock-model"
+};
+var PROVIDER_ENDPOINTS = {
+  anthropic: "https://api.anthropic.com/v1/messages",
+  openai: "https://api.openai.com/v1/chat/completions"};
+var AIService = class {
+  config;
+  constructor(config2 = {}) {
+    this.config = {
+      ...DEFAULT_CONFIG,
+      ...config2,
+      apiKey: config2.apiKey ?? this.getApiKeyFromEnv(config2.provider ?? "anthropic"),
+      model: config2.model ?? PROVIDER_MODELS[config2.provider ?? "anthropic"]
+    };
   }
   /**
-   * Check for improperly nested blocks
+   * Get API key from environment variable
+   * For config file support, use the sync version below
    */
-  checkBlockNesting(template) {
-    const errors = [];
-    const stack = [];
-    const blockPattern = /\{\{(#(?:if|each|unless)|\/(?:if|each|unless))\s*[^}]*\}\}/g;
-    let match;
-    while ((match = blockPattern.exec(template)) !== null) {
-      const tag = match[1] ?? "";
-      if (tag.startsWith("#")) {
-        const type = tag.slice(1).split(/\s/)[0] ?? "";
-        stack.push({ type, index: match.index });
-      } else if (tag.startsWith("/")) {
-        const type = tag.slice(1);
-        const last = stack.pop();
-        if (!last) {
-          continue;
-        }
-        if (last.type !== type) {
-          errors.push(
-            new TemplateSyntaxError(`Mismatched block: opened {{#${last.type}}} but closed with {{/${type}}}`, {
-              openedAt: last.index,
-              closedAt: match.index
-            })
-          );
-        }
-      }
+  getApiKeyFromEnv(provider) {
+    if (provider === "mock") return "mock-key";
+    const envVar = provider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY";
+    const envValue = process.env[envVar];
+    if (envValue !== void 0 && envValue.length > 0) {
+      return envValue;
     }
-    return errors;
+    return this.getApiKeyFromConfig(provider);
   }
   /**
-   * Parse all placeholders from a template string
-   *
-   * @param template Template string to parse
-   * @returns Array of parsed placeholders
-   */
-  parsePlaceholders(template) {
-    const placeholders = [];
-    const regex = this.getPlaceholderRegex();
-    let match;
-    regex.lastIndex = 0;
-    while ((match = regex.exec(template)) !== null) {
-      const name = match[1] ?? "";
-      const pathSegments = name.split(".");
-      placeholders.push({
-        match: match[0],
-        name,
-        startIndex: match.index,
-        endIndex: match.index + match[0].length,
-        isNestedPath: pathSegments.length > 1,
-        pathSegments
-      });
-    }
-    return placeholders;
-  }
-  /**
-   * Parse conditional blocks from template
-   *
-   * @param template Template string to parse
-   * @returns Array of parsed conditionals
-   */
-  parseConditionals(template) {
-    const conditionals = [];
-    const regex = new RegExp(CONDITIONAL_REGEX.source, "g");
-    let match;
-    while ((match = regex.exec(template)) !== null) {
-      const falseBranch = match[3];
-      conditionals.push({
-        match: match[0],
-        variable: match[1] ?? "",
-        trueBranch: match[2] ?? "",
-        ...falseBranch !== void 0 && { falseBranch },
-        startIndex: match.index,
-        endIndex: match.index + match[0].length
-      });
-    }
-    return conditionals;
-  }
-  /**
-   * Parse loop blocks from template
-   *
-   * @param template Template string to parse
-   * @returns Array of parsed loops
-   */
-  parseLoops(template) {
-    const loops = [];
-    const regex = new RegExp(EACH_REGEX.source, "g");
-    let match;
-    while ((match = regex.exec(template)) !== null) {
-      loops.push({
-        match: match[0],
-        variable: match[1] ?? "",
-        body: match[2] ?? "",
-        startIndex: match.index,
-        endIndex: match.index + match[0].length
-      });
-    }
-    return loops;
-  }
-  /**
-   * Get unique variable names from template (including nested paths)
-   * Excludes loop-internal variables like {{this}}, {{@index}}, and item properties
-   *
-   * @param template Template string to analyze
-   * @param excludeLoopInternal Whether to exclude variables inside loop blocks
-   * @returns Unique variable names found in template
-   */
-  getVariableNames(template, excludeLoopInternal = true) {
-    let processedTemplate = template;
-    if (excludeLoopInternal) {
-      processedTemplate = processedTemplate.replace(EACH_REGEX, (match, variable) => {
-        return `{{${variable}}}`;
-      });
-    }
-    const placeholders = this.parsePlaceholders(processedTemplate);
-    const names = /* @__PURE__ */ new Set();
-    const loopSpecialVars = /* @__PURE__ */ new Set(["this", "@index", "@first", "@last"]);
-    for (const p of placeholders) {
-      if (loopSpecialVars.has(p.name)) {
-        continue;
-      }
-      names.add(p.name);
-      if (p.isNestedPath && p.pathSegments[0]) {
-        names.add(p.pathSegments[0]);
-      }
-    }
-    const conditionals = this.parseConditionals(processedTemplate);
-    for (const c of conditionals) {
-      names.add(c.variable);
-      const root = c.variable.split(".")[0];
-      if (root && root !== c.variable) {
-        names.add(root);
-      }
-    }
-    const loops = this.parseLoops(template);
-    for (const l of loops) {
-      names.add(l.variable);
-      const root = l.variable.split(".")[0];
-      if (root && root !== l.variable) {
-        names.add(root);
-      }
-    }
-    return [...names];
-  }
-  /**
-   * Get value from object using dot notation path
-   *
-   * @param obj Object to traverse
-   * @param path Dot-separated path (e.g., "user.address.city")
-   * @returns Value at path or undefined
-   */
-  getNestedValue(obj, path2) {
-    const segments = path2.split(".");
-    let current = obj;
-    for (const segment of segments) {
-      if (current === null || current === void 0) {
-        return void 0;
-      }
-      if (typeof current !== "object") {
-        return void 0;
-      }
-      current = current[segment];
-    }
-    return current;
-  }
-  /**
-   * Evaluate if a value is truthy for conditional blocks
-   *
-   * @param value Value to evaluate
-   * @returns True if value is truthy
-   */
-  isTruthy(value) {
-    if (value === null || value === void 0) {
-      return false;
-    }
-    if (typeof value === "boolean") {
-      return value;
-    }
-    if (typeof value === "number") {
-      return value !== 0;
-    }
-    if (typeof value === "string") {
-      return value.length > 0;
-    }
-    if (Array.isArray(value)) {
-      return value.length > 0;
-    }
-    if (typeof value === "object") {
-      return Object.keys(value).length > 0;
-    }
-    return Boolean(value);
-  }
-  /**
-   * Process conditional blocks in template
-   *
-   * @param template Template string
-   * @param values Variable values
-   * @returns Processed template with conditionals resolved
-   */
-  processConditionals(template, values) {
-    let result = template;
-    result = result.replace(CONDITIONAL_REGEX, (match, variable, trueBranch, falseBranch) => {
-      const value = this.getNestedValue(values, variable);
-      const condition = this.isTruthy(value);
-      return condition ? trueBranch : falseBranch ?? "";
-    });
-    result = result.replace(UNLESS_REGEX, (match, variable, content) => {
-      const value = this.getNestedValue(values, variable);
-      const condition = this.isTruthy(value);
-      return condition ? "" : content;
-    });
-    return result;
-  }
-  /**
-   * Process loop blocks in template
-   *
-   * @param template Template string
-   * @param values Variable values
-   * @returns Processed template with loops expanded
-   */
-  processLoops(template, values) {
-    let result = template;
-    result = result.replace(EACH_REGEX, (match, variable, body) => {
-      const arrayValue = this.getNestedValue(values, variable);
-      if (!Array.isArray(arrayValue)) {
-        return "";
-      }
-      const expanded = [];
-      for (let i = 0; i < arrayValue.length; i++) {
-        const item = arrayValue[i];
-        let iterationBody = body;
-        iterationBody = iterationBody.replace(/\{\{this\}\}/g, this.stringify(item));
-        iterationBody = iterationBody.replace(/\{\{@index\}\}/g, String(i));
-        iterationBody = iterationBody.replace(/\{\{@first\}\}/g, String(i === 0));
-        iterationBody = iterationBody.replace(/\{\{@last\}\}/g, String(i === arrayValue.length - 1));
-        if (item !== null && typeof item === "object" && !Array.isArray(item)) {
-          const itemObj = item;
-          iterationBody = this.processConditionals(iterationBody, itemObj);
-          for (const [key, value] of Object.entries(itemObj)) {
-            const propRegex = new RegExp(`\\{\\{${key}\\}\\}`, "g");
-            iterationBody = iterationBody.replace(propRegex, this.stringify(value));
-          }
-        }
-        expanded.push(iterationBody);
-      }
-      return expanded.join("");
-    });
-    return result;
-  }
-  /**
-   * Validate provided variables against template requirements
-   *
-   * @param template Test template with variable definitions
-   * @param values Provided variable values
-   * @returns Validation result
-   */
-  validateVariables(template, values) {
-    const results = [];
-    const missingRequired = [];
-    const unknownVariables = [];
-    const typeErrors = [];
-    const usedInTemplate = new Set(this.getVariableNames(template.template));
-    const definedVariables = /* @__PURE__ */ new Map();
-    for (const v of template.variables) {
-      definedVariables.set(v.name, v);
-    }
-    for (const variable of template.variables) {
-      const result = {
-        name: variable.name,
-        valid: true,
-        errors: []
-      };
-      const value = values[variable.name];
-      const hasValue = variable.name in values;
-      if (variable.required && !hasValue && variable.defaultValue === void 0) {
-        result.valid = false;
-        result.errors.push(`Required variable '${variable.name}' is missing`);
-        missingRequired.push(variable.name);
-      }
-      if (hasValue && value !== void 0 && value !== null) {
-        const typeError = this.checkType(variable.name, value, variable.type);
-        if (typeError) {
-          result.valid = false;
-          result.errors.push(typeError);
-          typeErrors.push(typeError);
-        }
-      }
-      results.push(result);
-    }
-    const providedNames = Object.keys(values);
-    for (const name of providedNames) {
-      if (!definedVariables.has(name)) {
-        const isUsed = [...usedInTemplate].some((used) => used === name || used.startsWith(name + "."));
-        if (isUsed) {
-          results.push({
-            name,
-            valid: true,
-            errors: [`Variable '${name}' is used in template but not formally defined`]
-          });
-        } else {
-          unknownVariables.push(name);
-        }
-      }
-    }
-    for (const placeholder of usedInTemplate) {
-      const defined = definedVariables.get(placeholder);
-      const rootVar = placeholder.split(".")[0] ?? placeholder;
-      const hasValue = placeholder in values || rootVar in values;
-      if (!hasValue && !defined?.defaultValue) {
-        if (!defined) {
-          if (!placeholder.includes(".")) {
-            missingRequired.push(placeholder);
-          } else if (!(rootVar in values)) {
-            missingRequired.push(rootVar);
-          }
-        }
-      }
-    }
-    const valid = missingRequired.length === 0 && typeErrors.length === 0 && (unknownVariables.length === 0 || !this.options.strict);
-    return {
-      valid,
-      results,
-      missingRequired: [...new Set(missingRequired)],
-      unknownVariables,
-      typeErrors
-    };
-  }
-  /**
-   * Check if a value matches the expected type
-   */
-  checkType(name, value, expectedType) {
-    const actualType = this.getValueType(value);
-    if (actualType !== expectedType) {
-      return `Variable '${name}' expected type '${expectedType}' but got '${actualType}'`;
-    }
-    return null;
-  }
-  /**
-   * Determine the VariableType of a value
-   */
-  getValueType(value) {
-    if (value === null || value === void 0) {
-      return "string";
-    }
-    if (Array.isArray(value)) {
-      return "array";
-    }
-    if (typeof value === "object") {
-      return "object";
-    }
-    if (typeof value === "boolean") {
-      return "boolean";
-    }
-    if (typeof value === "number") {
-      return "number";
-    }
-    return "string";
-  }
-  /**
-   * Substitute variables in a template string
-   *
-   * @param template Template string with placeholders
-   * @param values Variable values to substitute
-   * @param variableDefs Optional variable definitions for defaults
-   * @returns Substitution result
-   */
-  substituteVariables(template, values, variableDefs) {
-    const substituted = [];
-    const unresolved = [];
-    const resolvedValues = /* @__PURE__ */ new Map();
-    if (variableDefs) {
-      for (const def of variableDefs) {
-        if (def.defaultValue !== void 0) {
-          resolvedValues.set(def.name, def.defaultValue);
-        }
-      }
-    }
-    for (const [key, value] of Object.entries(values)) {
-      if (value === void 0 || value === null) {
-        resolvedValues.set(key, null);
-      } else {
-        resolvedValues.set(key, value);
-      }
-    }
-    const combinedValues = {};
-    for (const [key, value] of resolvedValues) {
-      combinedValues[key] = value;
-    }
-    const regex = this.getPlaceholderRegex();
-    const content = template.replace(regex, (match, name) => {
-      let value;
-      let hasValue = false;
-      if (name.includes(".")) {
-        value = this.getNestedValue(combinedValues, name);
-        hasValue = value !== void 0;
-      } else {
-        hasValue = resolvedValues.has(name);
-        value = resolvedValues.get(name);
-      }
-      if (hasValue) {
-        substituted.push(name);
-        return this.stringify(value);
-      }
-      if (this.options.allowUnresolved) {
-        unresolved.push(name);
-        return match;
-      }
-      unresolved.push(name);
-      return match;
-    });
-    return {
-      content,
-      substituted: [...new Set(substituted)],
-      unresolved: [...new Set(unresolved)]
-    };
-  }
-  /**
-   * Convert a value to string for template substitution
-   */
-  stringify(value) {
-    if (value === null || value === void 0) {
-      return "";
-    }
-    if (typeof value === "string") {
-      return value;
-    }
-    if (typeof value === "number" || typeof value === "boolean") {
-      return String(value);
-    }
-    if (Array.isArray(value)) {
-      return JSON.stringify(value);
-    }
-    if (typeof value === "object") {
-      return JSON.stringify(value);
-    }
-    return String(value);
-  }
-  /**
-   * Process all template features: conditionals, loops, then variable substitution
-   *
-   * @param template Template string
-   * @param values Variable values
-   * @param variableDefs Optional variable definitions
-   * @returns Processed content with all features applied
-   */
-  processTemplate(template, values, variableDefs) {
-    const syntaxResult = this.validateSyntax(template);
-    if (!syntaxResult.valid && this.options.strict) {
-      return err(syntaxResult.errors[0] ?? new TemplateSyntaxError("Unknown syntax error"));
-    }
-    const combinedValues = {};
-    if (variableDefs) {
-      for (const def of variableDefs) {
-        if (def.defaultValue !== void 0) {
-          combinedValues[def.name] = def.defaultValue;
-        }
-      }
-    }
-    for (const [key, value] of Object.entries(values)) {
-      combinedValues[key] = value;
-    }
-    let processed = template;
-    processed = this.processLoops(processed, combinedValues);
-    processed = this.processConditionals(processed, combinedValues);
-    const result = this.substituteVariables(processed, combinedValues, variableDefs);
-    return ok(result);
-  }
-  /**
-   * Render a complete test template with variable substitution
-   *
-   * @param template Test template to render
-   * @param values Variable values to substitute
-   * @param options Optional render options
-   * @returns Render result or error
-   */
-  renderTemplate(template, values, options) {
-    const mergedOptions = { ...this.options, ...options };
-    const syntaxResult = this.validateSyntax(template.template);
-    if (!syntaxResult.valid && mergedOptions.strict) {
-      return err(syntaxResult.errors[0] ?? new TemplateSyntaxError("Unknown syntax error"));
-    }
-    const validation = this.validateVariables(template, values);
-    if (!validation.valid && mergedOptions.strict) {
-      const errors = [];
-      if (validation.missingRequired.length > 0) {
-        errors.push(`Missing required variables: ${validation.missingRequired.join(", ")}`);
-      }
-      if (validation.typeErrors.length > 0) {
-        errors.push(...validation.typeErrors);
-      }
-      if (validation.unknownVariables.length > 0) {
-        errors.push(`Unknown variables: ${validation.unknownVariables.join(", ")}`);
-      }
-      return err(
-        new TemplateRenderError("Template validation failed", {
-          errors,
-          validation
-        })
-      );
-    }
-    const processResult = this.processTemplate(template.template, values, template.variables);
-    if (!processResult.success) {
-      return processResult;
-    }
-    const { content, substituted, unresolved } = processResult.data;
-    if (unresolved.length > 0 && !mergedOptions.allowUnresolved && mergedOptions.strict) {
-      return err(
-        new TemplateRenderError("Unresolved template variables", {
-          unresolved
-        })
-      );
-    }
-    return ok({
-      content,
-      substituted,
-      unresolved,
-      imports: template.imports ?? [],
-      fixtures: template.fixtures ?? []
-    });
-  }
-  /**
-   * Render multiple templates at once
-   *
-   * @param templates Array of templates to render
-   * @param values Variable values (applied to all templates)
-   * @returns Array of render results
-   */
-  renderTemplates(templates, values) {
-    const results = [];
-    for (const template of templates) {
-      const result = this.renderTemplate(template, values);
-      if (!result.success) {
-        return err(
-          new TemplateRenderError(`Failed to render template '${template.id}'`, {
-            templateId: template.id,
-            originalError: result.error.message
-          })
-        );
-      }
-      results.push(result.data);
-    }
-    return ok(results);
-  }
-  /**
-   * Check if a template string contains nested placeholders
-   * (e.g., {{outer{{inner}}}})
-   *
-   * @param template Template string to check
-   * @returns True if nested placeholders detected
-   */
-  hasNestedPlaceholders(template) {
-    const nestedPattern = /\{\{[^{}]*\{\{/;
-    return nestedPattern.test(template);
-  }
-  /**
-   * Extract all imports from rendered templates
-   *
-   * @param results Array of render results
-   * @returns Deduplicated array of imports
-   */
-  collectImports(results) {
-    const imports = /* @__PURE__ */ new Set();
-    for (const result of results) {
-      for (const imp of result.imports) {
-        imports.add(imp);
-      }
-    }
-    return [...imports];
-  }
-  /**
-   * Extract all fixtures from rendered templates
-   *
-   * @param results Array of render results
-   * @returns Deduplicated array of fixtures
-   */
-  collectFixtures(results) {
-    const fixtures = /* @__PURE__ */ new Set();
-    for (const result of results) {
-      for (const fix of result.fixtures) {
-        fixtures.add(fix);
-      }
-    }
-    return [...fixtures];
-  }
-  /**
-   * Get the appropriate regex for the configured placeholder format
-   */
-  getPlaceholderRegex() {
-    switch (this.options.placeholderFormat) {
-      case "dollar":
-        return /\$\{([a-zA-Z][a-zA-Z0-9_.]*)\}/g;
-      case "percent":
-        return /%\(([a-zA-Z][a-zA-Z0-9_.]*)\)s/g;
-      case "mustache":
-      default:
-        return /\{\{([a-zA-Z][a-zA-Z0-9_.]*)\}\}/g;
-    }
-  }
-  /**
-   * Create a template from a string with variable definitions
-   *
-   * @param templateString Template content
-   * @param variables Variable definitions
-   * @param metadata Additional template metadata
-   * @returns TestTemplate object
-   */
-  static createTemplate(templateString, variables, metadata = {}) {
-    return {
-      id: metadata.id ?? "custom-template",
-      language: metadata.language ?? "typescript",
-      framework: metadata.framework ?? "jest",
-      template: templateString,
-      variables,
-      imports: metadata.imports,
-      fixtures: metadata.fixtures,
-      description: metadata.description
-    };
-  }
-};
-function createRenderer(options) {
-  return new TemplateRenderer(options);
-}
-var SEVERITY_COLORS = {
-  critical: chalk5.red.bold,
-  high: chalk5.red,
-  medium: chalk5.yellow,
-  low: chalk5.gray
-};
-var PRIORITY_COLORS = {
-  P0: chalk5.red.bold,
-  P1: chalk5.yellow,
-  P2: chalk5.gray
-};
-var DOMAIN_COLORS = {
-  security: chalk5.red,
-  data: chalk5.blue,
-  concurrency: chalk5.magenta,
-  input: chalk5.cyan,
-  resource: chalk5.yellow,
-  reliability: chalk5.green,
-  performance: chalk5.yellowBright,
-  platform: chalk5.gray,
-  business: chalk5.white,
-  compliance: chalk5.blueBright
-};
-function formatTerminal(categories) {
-  if (categories.length === 0) {
-    return chalk5.yellow("No categories found matching the filters.");
-  }
-  const lines = [];
-  lines.push(chalk5.bold.underline(`Found ${categories.length} categories:
-`));
-  const byDomain = /* @__PURE__ */ new Map();
-  for (const cat of categories) {
-    const domain = cat.domain;
-    if (!byDomain.has(domain)) {
-      byDomain.set(domain, []);
-    }
-    byDomain.get(domain).push(cat);
-  }
-  for (const [domain, domainCategories] of byDomain) {
-    const domainColor = DOMAIN_COLORS[domain] ?? chalk5.white;
-    lines.push(domainColor.bold(`
-${domain.toUpperCase()} (${domainCategories.length})`));
-    lines.push(chalk5.gray("\u2500".repeat(40)));
-    for (const cat of domainCategories) {
-      const priorityColor = PRIORITY_COLORS[cat.priority];
-      const severityColor = SEVERITY_COLORS[cat.severity];
-      const priority = priorityColor(`[${cat.priority}]`);
-      const severity = severityColor(`${cat.severity}`);
-      const level = chalk5.cyan(`${cat.level}`);
-      const name = chalk5.white.bold(cat.name);
-      const id = chalk5.gray(`(${cat.id})`);
-      lines.push(`  ${priority} ${name} ${id}`);
-      lines.push(`     ${severity} | ${level}`);
-      const desc = cat.description.length > 80 ? cat.description.slice(0, 77) + "..." : cat.description;
-      lines.push(chalk5.gray(`     ${desc}`));
-      lines.push("");
-    }
-  }
-  lines.push(chalk5.gray("\u2500".repeat(40)));
-  lines.push(formatStats(categories));
-  return lines.join("\n");
-}
-function formatStats(categories) {
-  const stats = {
-    P0: 0,
-    P1: 0,
-    P2: 0,
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0
-  };
-  for (const cat of categories) {
-    stats[cat.priority]++;
-    stats[cat.severity]++;
-  }
-  const parts = [];
-  if (stats.P0 > 0) parts.push(PRIORITY_COLORS.P0(`${stats.P0} P0`));
-  if (stats.P1 > 0) parts.push(PRIORITY_COLORS.P1(`${stats.P1} P1`));
-  if (stats.P2 > 0) parts.push(PRIORITY_COLORS.P2(`${stats.P2} P2`));
-  parts.push(chalk5.gray("|"));
-  if (stats.critical > 0) parts.push(SEVERITY_COLORS.critical(`${stats.critical} critical`));
-  if (stats.high > 0) parts.push(SEVERITY_COLORS.high(`${stats.high} high`));
-  if (stats.medium > 0) parts.push(SEVERITY_COLORS.medium(`${stats.medium} medium`));
-  if (stats.low > 0) parts.push(SEVERITY_COLORS.low(`${stats.low} low`));
-  return parts.join(" ");
-}
-function formatJson(categories) {
-  return JSON.stringify(categories, null, 2);
-}
-function formatMarkdown(categories) {
-  if (categories.length === 0) {
-    return "_No categories found matching the filters._";
-  }
-  const lines = [];
-  lines.push(`# Categories (${categories.length})
-`);
-  const byDomain = /* @__PURE__ */ new Map();
-  for (const cat of categories) {
-    const domain = cat.domain;
-    if (!byDomain.has(domain)) {
-      byDomain.set(domain, []);
-    }
-    byDomain.get(domain).push(cat);
-  }
-  for (const [domain, domainCategories] of byDomain) {
-    lines.push(`
-## ${domain.charAt(0).toUpperCase() + domain.slice(1)} (${domainCategories.length})
-`);
-    for (const cat of domainCategories) {
-      lines.push(`### ${cat.name}`);
-      lines.push(`- **ID**: \`${cat.id}\``);
-      lines.push(`- **Priority**: ${cat.priority}`);
-      lines.push(`- **Severity**: ${cat.severity}`);
-      lines.push(`- **Level**: ${cat.level}`);
-      lines.push(`
-${cat.description}
-`);
-    }
-  }
-  return lines.join("\n");
-}
-function formatCategories(categories, format) {
-  switch (format) {
-    case "json":
-      return formatJson(categories);
-    case "markdown":
-      return formatMarkdown(categories);
-    case "terminal":
-    default:
-      return formatTerminal(categories);
-  }
-}
-function isValidOutputFormat(format) {
-  return ["terminal", "json", "markdown"].includes(format);
-}
-function formatError(error) {
-  return chalk5.red(`Error: ${error.message}`);
-}
-
-// src/cli/generate-formatters.ts
-init_errors();
-init_result();
-
-// src/ai/service.ts
-var DEFAULT_CONFIG = {
-  provider: "anthropic",
-  apiKey: "",
-  model: "claude-sonnet-4-20250514",
-  maxTokens: 1024,
-  temperature: 0.3,
-  timeoutMs: 3e4
-};
-var PROVIDER_MODELS = {
-  anthropic: "claude-sonnet-4-20250514",
-  openai: "gpt-4o",
-  mock: "mock-model"
-};
-var PROVIDER_ENDPOINTS = {
-  anthropic: "https://api.anthropic.com/v1/messages",
-  openai: "https://api.openai.com/v1/chat/completions"};
-var AIService = class {
-  config;
-  constructor(config2 = {}) {
-    this.config = {
-      ...DEFAULT_CONFIG,
-      ...config2,
-      apiKey: config2.apiKey ?? this.getApiKeyFromEnv(config2.provider ?? "anthropic"),
-      model: config2.model ?? PROVIDER_MODELS[config2.provider ?? "anthropic"]
-    };
-  }
-  /**
-   * Get API key from environment variable
-   * For config file support, use the sync version below
-   */
-  getApiKeyFromEnv(provider) {
-    if (provider === "mock") return "mock-key";
-    const envVar = provider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY";
-    const envValue = process.env[envVar];
-    if (envValue !== void 0 && envValue.length > 0) {
-      return envValue;
-    }
-    return this.getApiKeyFromConfig(provider);
-  }
-  /**
-   * Read API key from config file synchronously
-   * Uses require() for sync file access in constructor context
+   * Read API key from config file synchronously
+   * Uses require() for sync file access in constructor context
    */
   getApiKeyFromConfig(provider) {
     try {
-      const { existsSync: existsSync5, readFileSync: readFileSync3 } = __require("fs");
+      const { existsSync: existsSync7, readFileSync: readFileSync3 } = __require("fs");
       const { homedir: homedir3 } = __require("os");
       const { join: join5 } = __require("path");
       const configPath = join5(homedir3(), ".pinata", "config.json");
-      if (!existsSync5(configPath)) {
+      if (!existsSync7(configPath)) {
         return "";
       }
       const content = readFileSync3(configPath, "utf-8");
@@ -7481,541 +6829,42 @@ var AIService = class {
             confidence: 0.8
           },
           {
-            name: "functionName",
-            value: "get_user",
-            reasoning: "Extracted from the code snippet",
-            confidence: 0.9
-          }
-        ]
-      });
-    } else if (content.includes("pattern") || content.includes("regex")) {
-      response = JSON.stringify({
-        suggestions: [
-          {
-            id: "custom-sql-pattern",
-            pattern: "execute\\s*\\(.*\\+",
-            description: "Detects SQL execution with string concatenation",
-            confidence: "medium",
-            matchExample: "cursor.execute(query + user_input)",
-            safeExample: "cursor.execute(query, (user_input,))",
-            reasoning: "String concatenation in SQL queries is a common injection vector"
-          }
-        ]
-      });
-    }
-    return {
-      success: true,
-      data: response,
-      usage: { inputTokens: 100, outputTokens: 50 },
-      durationMs: Date.now() - startTime
-    };
-  }
-};
-function createAIService(config2) {
-  return new AIService(config2);
-}
-
-// src/ai/template-filler.ts
-var SYSTEM_PROMPT = `You are an expert at analyzing code and extracting meaningful variable values for test generation.
-Given a code snippet and a list of template variables, suggest appropriate values for each variable.
-
-For each variable, analyze:
-1. The code snippet to extract relevant information (class names, function names, etc.)
-2. The variable description to understand what's needed
-3. The variable type to ensure correct formatting
-
-Always respond with valid JSON matching this structure:
-{
-  "suggestions": [
-    {
-      "name": "variableName",
-      "value": "suggested value",
-      "reasoning": "why this value was chosen",
-      "confidence": 0.0-1.0
-    }
-  ]
-}
-
-For arrays, use: "value": ["item1", "item2"]
-For booleans, use: "value": true or "value": false
-For numbers, use: "value": 42`;
-async function suggestVariables(request, config2) {
-  const ai = createAIService(config2);
-  if (!ai.isConfigured()) {
-    return {
-      success: true,
-      data: extractVariablesFromCode(request),
-      durationMs: 0
-    };
-  }
-  const prompt = buildVariablePrompt(request);
-  const startTime = Date.now();
-  const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT,
-    messages: [{ role: "user", content: prompt }],
-    maxTokens: 1024,
-    temperature: 0.2
-  });
-  if (!response.success || !response.data) {
-    return {
-      success: true,
-      data: extractVariablesFromCode(request),
-      durationMs: Date.now() - startTime
-    };
-  }
-  const suggestions = /* @__PURE__ */ new Map();
-  const unfilled = [];
-  const values = { ...request.existingValues };
-  const suggestionsList = response.data.suggestions ?? [];
-  for (const suggestion of suggestionsList) {
-    suggestions.set(suggestion.name, suggestion);
-    if (!(suggestion.name in values)) {
-      values[suggestion.name] = suggestion.value;
-    }
-  }
-  for (const variable of request.variables) {
-    if (!suggestions.has(variable.name) && !(variable.name in values)) {
-      if (variable.defaultValue !== void 0) {
-        values[variable.name] = variable.defaultValue;
-      } else {
-        unfilled.push(variable.name);
-      }
-    }
-  }
-  const result = {
-    success: true,
-    data: { suggestions, unfilled, values },
-    durationMs: response.durationMs
-  };
-  if (response.usage) {
-    result.usage = response.usage;
-  }
-  return result;
-}
-function buildVariablePrompt(request) {
-  const parts = [];
-  parts.push("Analyze this code and suggest values for the template variables:\n");
-  parts.push("**Code:**");
-  parts.push("```");
-  parts.push(request.codeSnippet);
-  parts.push("```\n");
-  parts.push(`**File:** ${request.filePath}
-`);
-  if (request.gap) {
-    parts.push(`**Category:** ${request.gap.categoryName}`);
-    parts.push(`**Line:** ${request.gap.lineStart}
-`);
-  }
-  parts.push("**Variables to fill:**");
-  for (const variable of request.variables) {
-    const required = variable.required ? " (required)" : " (optional)";
-    const defaultVal = variable.defaultValue !== void 0 ? ` [default: ${JSON.stringify(variable.defaultValue)}]` : "";
-    parts.push(`- ${variable.name} (${variable.type})${required}${defaultVal}: ${variable.description}`);
-  }
-  if (request.existingValues && Object.keys(request.existingValues).length > 0) {
-    parts.push("\n**Already provided:**");
-    for (const [name, value] of Object.entries(request.existingValues)) {
-      parts.push(`- ${name}: ${JSON.stringify(value)}`);
-    }
-  }
-  parts.push("\nExtract appropriate values from the code context.");
-  return parts.join("\n");
-}
-function extractVariablesFromCode(request) {
-  const suggestions = /* @__PURE__ */ new Map();
-  const unfilled = [];
-  const values = { ...request.existingValues };
-  const code = request.codeSnippet;
-  const filePath = request.filePath;
-  for (const variable of request.variables) {
-    if (variable.name in values) continue;
-    let value = void 0;
-    let reasoning = "";
-    let confidence = 0;
-    switch (variable.name.toLowerCase()) {
-      case "classname":
-      case "class_name": {
-        const classMatch = code.match(/class\s+(\w+)/);
-        if (classMatch) {
-          value = classMatch[1];
-          reasoning = "Extracted from class definition in code";
-          confidence = 0.9;
-        } else {
-          const fileName = filePath.split("/").pop()?.replace(/\.\w+$/, "") ?? "";
-          value = toPascalCase(fileName);
-          reasoning = "Inferred from file name";
-          confidence = 0.6;
-        }
-        break;
-      }
-      case "functionname":
-      case "function_name":
-      case "methodname": {
-        const funcMatch = code.match(/(?:def|function|async function)\s+(\w+)/);
-        if (funcMatch) {
-          value = funcMatch[1];
-          reasoning = "Extracted from function definition";
-          confidence = 0.9;
-        }
-        break;
-      }
-      case "modulepath":
-      case "module_path": {
-        value = filePath.replace(/\.[jt]sx?$/, "").replace(/\.py$/, "").replace(/\//g, ".").replace(/^\.+/, "");
-        reasoning = "Derived from file path";
-        confidence = 0.7;
-        break;
-      }
-      case "tablename":
-      case "table_name": {
-        const tableMatch = code.match(/(?:FROM|INTO|UPDATE)\s+(\w+)/i);
-        if (tableMatch) {
-          value = tableMatch[1];
-          reasoning = "Extracted from SQL statement";
-          confidence = 0.8;
-        } else {
-          value = "users";
-          reasoning = "Default table name";
-          confidence = 0.3;
-        }
-        break;
-      }
-      case "exceptionclass":
-      case "exception_class": {
-        value = "ValueError";
-        reasoning = "Common exception for input validation";
-        confidence = 0.5;
-        break;
-      }
-      case "dbclient":
-      case "db_client": {
-        const clientMatch = code.match(/(db|conn|connection|client|cursor)\s*[=.]/i);
-        if (clientMatch) {
-          value = clientMatch[1];
-          reasoning = "Extracted from code";
-          confidence = 0.7;
-        } else {
-          value = "db";
-          reasoning = "Default database client name";
-          confidence = 0.4;
-        }
-        break;
-      }
-      case "functioncall":
-      case "function_call": {
-        const funcName = values["functionName"] ?? values["function_name"];
-        if (typeof funcName === "string" && funcName.length > 0) {
-          value = `${funcName}(user_input)`;
-          reasoning = "Constructed from function name";
-          confidence = 0.6;
-        }
-        break;
-      }
-      case "fixtures": {
-        value = "db_session";
-        reasoning = "Common pytest fixture";
-        confidence = 0.5;
-        break;
-      }
-      default:
-        if (variable.defaultValue !== void 0) {
-          value = variable.defaultValue;
-          reasoning = "Using default value";
-          confidence = 1;
-        }
-    }
-    if (value !== void 0) {
-      suggestions.set(variable.name, {
-        name: variable.name,
-        value,
-        reasoning,
-        confidence
-      });
-      values[variable.name] = value;
-    } else if (variable.required) {
-      unfilled.push(variable.name);
-    }
-  }
-  return { suggestions, unfilled, values };
-}
-function toPascalCase(str) {
-  return str.split(/[-_\s]+/).map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase()).join("");
-}
-
-// src/cli/generate-formatters.ts
-function formatGeneratedTerminal(tests, basePath) {
-  const lines = [];
-  if (tests.length === 0) {
-    lines.push(chalk5.yellow("No tests generated."));
-    return lines.join("\n");
-  }
-  lines.push(chalk5.bold.cyan(`
-Generated ${tests.length} test(s):
-`));
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  for (const test of tests) {
-    const relGapPath = relative(basePath, test.gap.filePath);
-    lines.push("");
-    lines.push(chalk5.bold.white(`Test for: ${test.gap.categoryName}`));
-    lines.push(chalk5.gray(`  Gap location: ${relGapPath}:${test.gap.lineStart}`));
-    lines.push(chalk5.gray(`  Template: ${test.template.id}`));
-    lines.push(chalk5.gray(`  Output: ${test.suggestedPath}`));
-    lines.push("");
-    lines.push(chalk5.cyan(`// --- ${test.suggestedPath} ---`));
-    lines.push("");
-    if (test.result.imports.length > 0) {
-      for (const imp of test.result.imports) {
-        lines.push(chalk5.gray(imp));
-      }
-      lines.push("");
-    }
-    lines.push(test.result.content);
-    lines.push("");
-    lines.push(chalk5.gray("\u2500".repeat(60)));
-  }
-  lines.push("");
-  lines.push(chalk5.bold("Summary:"));
-  lines.push(`  Tests generated: ${chalk5.green(tests.length.toString())}`);
-  const categories = new Set(tests.map((t) => t.category.id));
-  lines.push(`  Categories covered: ${chalk5.cyan(categories.size.toString())}`);
-  if (tests.some((t) => t.result.unresolved.length > 0)) {
-    const unresolvedCount = tests.reduce((acc, t) => acc + t.result.unresolved.length, 0);
-    lines.push(chalk5.yellow(`  Unresolved placeholders: ${unresolvedCount}`));
-    lines.push(chalk5.gray("  (Some placeholders need manual completion)"));
-  }
-  lines.push("");
-  lines.push(chalk5.gray("This is a dry run. Use --write to save files."));
-  return lines.join("\n");
-}
-function formatGeneratedJson(tests) {
-  const output = tests.map((test) => ({
-    gap: {
-      categoryId: test.gap.categoryId,
-      categoryName: test.gap.categoryName,
-      filePath: test.gap.filePath,
-      lineStart: test.gap.lineStart,
-      severity: test.gap.severity,
-      confidence: test.gap.confidence
-    },
-    template: {
-      id: test.template.id,
-      framework: test.template.framework,
-      language: test.template.language
-    },
-    suggestedPath: test.suggestedPath,
-    content: test.result.content,
-    imports: test.result.imports,
-    fixtures: test.result.fixtures,
-    substituted: test.result.substituted,
-    unresolved: test.result.unresolved
-  }));
-  return JSON.stringify(output, null, 2);
-}
-function suggestTestPath(sourceFile, template, basePath) {
-  const dir = dirname(sourceFile);
-  const name = basename(sourceFile);
-  const nameWithoutExt = name.replace(/\.[^.]+$/, "");
-  const extMap = {
-    python: ".py",
-    typescript: ".ts",
-    javascript: ".js",
-    go: "_test.go",
-    java: "Test.java",
-    rust: ".rs"
-  };
-  const ext = extMap[template.language] ?? ".test.ts";
-  let testFileName;
-  switch (template.language) {
-    case "python":
-      testFileName = `test_${nameWithoutExt}${ext}`;
-      break;
-    case "go":
-      testFileName = `${nameWithoutExt}${ext}`;
-      break;
-    case "java":
-      testFileName = `${nameWithoutExt}${ext}`;
-      break;
-    default:
-      testFileName = `${nameWithoutExt}.test${ext}`;
-  }
-  const relativeSrc = relative(basePath, dir);
-  const testDir = relativeSrc.replace(/^src/, "tests");
-  return `${testDir}/${testFileName}`;
-}
-function extractVariablesFromGap(gap) {
-  const fileName = basename(gap.filePath);
-  const fileNameWithoutExt = fileName.replace(/\.[^.]+$/, "");
-  const funcMatch = gap.codeSnippet.match(/(?:def|function|async function|const|let|var)\s+(\w+)/);
-  const classMatch = gap.codeSnippet.match(/(?:class)\s+(\w+)/);
-  return {
-    // File info
-    filePath: gap.filePath,
-    fileName,
-    fileNameWithoutExt,
-    lineNumber: gap.lineStart,
-    // Category info
-    categoryId: gap.categoryId,
-    categoryName: gap.categoryName,
-    domain: gap.domain,
-    level: gap.level,
-    severity: gap.severity,
-    confidence: gap.confidence,
-    // Code context
-    codeSnippet: gap.codeSnippet,
-    functionName: funcMatch?.[1] ?? "targetFunction",
-    className: classMatch?.[1] ?? "TargetClass",
-    // Common template variables
-    testName: `test_${gap.categoryId.replace(/-/g, "_")}`,
-    testDescription: `Test for ${gap.categoryName} in ${fileName}:${gap.lineStart}`,
-    // Pattern info
-    patternId: gap.patternId,
-    patternType: gap.patternType
-  };
-}
-async function extractVariablesWithAI(gap, templateVariables, aiConfig) {
-  const baseVars = extractVariablesFromGap(gap);
-  const result = await suggestVariables(
-    {
-      codeSnippet: gap.codeSnippet,
-      filePath: gap.filePath,
-      variables: templateVariables,
-      gap,
-      existingValues: baseVars
-    },
-    aiConfig
-  );
-  if (result.success && result.data) {
-    return result.data.values;
-  }
-  return baseVars;
-}
-async function writeGeneratedTests(tests, basePath, outputDir) {
-  const summary = {
-    created: [],
-    updated: [],
-    failed: [],
-    totalTests: 0
-  };
-  const testsByFile = /* @__PURE__ */ new Map();
-  for (const test of tests) {
-    let outputPath;
-    if (outputDir) {
-      outputPath = resolve(basePath, outputDir, test.suggestedPath);
-    } else {
-      outputPath = resolve(basePath, test.suggestedPath);
-    }
-    const existing = testsByFile.get(outputPath) ?? [];
-    existing.push(test);
-    testsByFile.set(outputPath, existing);
-  }
-  for (const [outputPath, fileTests] of testsByFile) {
-    try {
-      const dir = dirname(outputPath);
-      await mkdir(dir, { recursive: true });
-      let existingContent = "";
-      let fileExists = false;
-      try {
-        existingContent = await readFile(outputPath, "utf-8");
-        fileExists = true;
-      } catch {
-      }
-      const contentParts = [];
-      const allImports = /* @__PURE__ */ new Set();
-      for (const test of fileTests) {
-        for (const imp of test.result.imports) {
-          allImports.add(imp);
-        }
-      }
-      if (!fileExists && allImports.size > 0) {
-        contentParts.push(Array.from(allImports).join("\n"));
-        contentParts.push("");
-      }
-      for (const test of fileTests) {
-        contentParts.push(`// Test for ${test.gap.categoryName}`);
-        contentParts.push(`// Gap: ${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`);
-        contentParts.push(`// Generated by Pinata`);
-        contentParts.push("");
-        contentParts.push(test.result.content);
-        contentParts.push("");
-      }
-      const newContent = contentParts.join("\n");
-      let finalContent;
-      let appended = false;
-      if (fileExists) {
-        finalContent = existingContent.trimEnd() + "\n\n" + newContent;
-        appended = true;
-      } else {
-        finalContent = newContent;
-      }
-      await writeFile(outputPath, finalContent, "utf-8");
-      for (const test of fileTests) {
-        const result = {
-          path: outputPath,
-          created: !fileExists,
-          appended,
-          categoryId: test.gap.categoryId,
-          gapLocation: `${relative(basePath, test.gap.filePath)}:${test.gap.lineStart}`
-        };
-        if (fileExists) {
-          summary.updated.push(result);
-        } else {
-          summary.created.push(result);
-        }
-        summary.totalTests++;
-      }
-    } catch (error) {
-      summary.failed.push({
-        path: outputPath,
-        error: error instanceof Error ? error.message : String(error)
+            name: "functionName",
+            value: "get_user",
+            reasoning: "Extracted from the code snippet",
+            confidence: 0.9
+          }
+        ]
+      });
+    } else if (content.includes("pattern") || content.includes("regex")) {
+      response = JSON.stringify({
+        suggestions: [
+          {
+            id: "custom-sql-pattern",
+            pattern: "execute\\s*\\(.*\\+",
+            description: "Detects SQL execution with string concatenation",
+            confidence: "medium",
+            matchExample: "cursor.execute(query + user_input)",
+            safeExample: "cursor.execute(query, (user_input,))",
+            reasoning: "String concatenation in SQL queries is a common injection vector"
+          }
+        ]
       });
     }
+    return {
+      success: true,
+      data: response,
+      usage: { inputTokens: 100, outputTokens: 50 },
+      durationMs: Date.now() - startTime
+    };
   }
-  return ok(summary);
-}
-function formatWriteSummary(summary, basePath) {
-  const lines = [];
-  lines.push("");
-  lines.push(chalk5.bold.cyan("Write Summary:"));
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  if (summary.created.length > 0) {
-    const uniquePaths = new Set(summary.created.map((r) => r.path));
-    lines.push("");
-    lines.push(chalk5.green.bold(`Created ${uniquePaths.size} file(s):`));
-    for (const path2 of uniquePaths) {
-      const relPath = relative(basePath, path2);
-      const testsInFile = summary.created.filter((r) => r.path === path2).length;
-      lines.push(chalk5.green(`  + ${relPath} (${testsInFile} test(s))`));
-    }
-  }
-  if (summary.updated.length > 0) {
-    const uniquePaths = new Set(summary.updated.map((r) => r.path));
-    lines.push("");
-    lines.push(chalk5.yellow.bold(`Updated ${uniquePaths.size} file(s):`));
-    for (const path2 of uniquePaths) {
-      const relPath = relative(basePath, path2);
-      const testsInFile = summary.updated.filter((r) => r.path === path2).length;
-      lines.push(chalk5.yellow(`  ~ ${relPath} (${testsInFile} test(s) appended)`));
-    }
-  }
-  if (summary.failed.length > 0) {
-    lines.push("");
-    lines.push(chalk5.red.bold(`Failed to write ${summary.failed.length} file(s):`));
-    for (const fail of summary.failed) {
-      const relPath = relative(basePath, fail.path);
-      lines.push(chalk5.red(`  \u2717 ${relPath}: ${fail.error}`));
-    }
-  }
-  lines.push("");
-  lines.push(chalk5.gray("\u2500".repeat(60)));
-  lines.push(chalk5.bold(`Total: ${summary.totalTests} test(s) written to ${(/* @__PURE__ */ new Set([...summary.created.map((r) => r.path), ...summary.updated.map((r) => r.path)])).size} file(s)`));
-  if (summary.failed.length > 0) {
-    lines.push(chalk5.red(`Failures: ${summary.failed.length}`));
-  }
-  return lines.join("\n");
+};
+function createAIService(config2) {
+  return new AIService(config2);
 }
 
 // src/ai/explainer.ts
-var SYSTEM_PROMPT2 = `You are a security expert explaining code vulnerabilities to developers.
+var SYSTEM_PROMPT = `You are a security expert explaining code vulnerabilities to developers.
 Your explanations should be:
 - Clear and actionable
 - Focused on the specific code pattern
@@ -8042,13 +6891,30 @@ async function explainGap(gap, category, config2) {
   }
   const prompt = buildExplainPrompt(gap);
   const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT2,
+    systemPrompt: SYSTEM_PROMPT,
     messages: [{ role: "user", content: prompt }],
     maxTokens: 1024,
     temperature: 0.3
   });
   return response;
 }
+async function explainGaps(gaps, categories, config2) {
+  const results = /* @__PURE__ */ new Map();
+  const BATCH_SIZE = 5;
+  for (let i = 0; i < gaps.length; i += BATCH_SIZE) {
+    const batch = gaps.slice(i, i + BATCH_SIZE);
+    const promises = batch.map(async (gap) => {
+      const category = categories?.get(gap.categoryId);
+      const result = await explainGap(gap, category, config2);
+      return { key: `${gap.filePath}:${gap.lineStart}:${gap.categoryId}`, result };
+    });
+    const batchResults = await Promise.all(promises);
+    for (const { key, result } of batchResults) {
+      results.set(key, result);
+    }
+  }
+  return results;
+}
 function buildExplainPrompt(gap, category) {
   const parts = [];
   parts.push(`Explain this security finding:
@@ -8109,7 +6975,7 @@ function generateFallbackExplanation(gap) {
 }
 
 // src/ai/pattern-suggester.ts
-var SYSTEM_PROMPT3 = `You are an expert at creating regex patterns for detecting security vulnerabilities in code.
+var SYSTEM_PROMPT2 = `You are an expert at creating regex patterns for detecting security vulnerabilities in code.
 Given vulnerable code samples, generate regex patterns that will detect similar vulnerabilities.
 
 Your patterns should:
@@ -8148,7 +7014,7 @@ async function suggestPatterns(request, config2) {
   }
   const prompt = buildPatternPrompt(request);
   const response = await ai.completeJSON({
-    systemPrompt: SYSTEM_PROMPT3,
+    systemPrompt: SYSTEM_PROMPT2,
     messages: [{ role: "user", content: prompt }],
     maxTokens: 2048,
     temperature: 0.3
@@ -8277,73 +7143,89 @@ function hasRedosPotential(pattern) {
 
 // src/cli/index.ts
 init_results_cache();
+var __filename2 = fileURLToPath(import.meta.url);
+var __dirname2 = dirname(__filename2);
+function getDefinitionsPath() {
+  const candidates = [
+    resolve(__dirname2, "../../src/categories/definitions"),
+    resolve(process.cwd(), "src/categories/definitions"),
+    resolve(__dirname2, "../categories/definitions")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return candidates[0];
+}
+init_results_cache();
 var SEVERITY_COLORS2 = {
-  critical: chalk5.red.bold,
-  high: chalk5.red,
-  medium: chalk5.yellow,
-  low: chalk5.gray
+  critical: chalk6.red.bold,
+  high: chalk6.red,
+  medium: chalk6.yellow,
+  low: chalk6.gray
 };
 var DOMAIN_COLORS2 = {
-  security: chalk5.red,
-  data: chalk5.blue,
-  concurrency: chalk5.magenta,
-  input: chalk5.cyan,
-  resource: chalk5.yellow,
-  reliability: chalk5.green,
-  performance: chalk5.yellowBright,
-  platform: chalk5.gray,
-  business: chalk5.white,
-  compliance: chalk5.blueBright
+  security: chalk6.red,
+  data: chalk6.blue,
+  concurrency: chalk6.magenta,
+  input: chalk6.cyan,
+  resource: chalk6.yellow,
+  reliability: chalk6.green,
+  performance: chalk6.yellowBright,
+  platform: chalk6.gray,
+  business: chalk6.white,
+  compliance: chalk6.blueBright
 };
 var GRADE_COLORS = {
-  A: chalk5.green.bold,
-  B: chalk5.green,
-  C: chalk5.yellow,
-  D: chalk5.red,
-  F: chalk5.red.bold
+  A: chalk6.green.bold,
+  B: chalk6.green,
+  C: chalk6.yellow,
+  D: chalk6.red,
+  F: chalk6.red.bold
 };
 var BANNER = `
-${chalk5.cyan(" ____  _             _        ")}
-${chalk5.cyan("|  _ \\(_)_ __   __ _| |_ __ _ ")}
-${chalk5.cyan("| |_) | | '_ \\ / _` | __/ _` |")}
-${chalk5.cyan("|  __/| | | | | (_| | || (_| |")}
-${chalk5.cyan("|_|   |_|_| |_|\\__,_|\\__\\__,_|")}
+${chalk6.cyan(" ____  _             _        ")}
+${chalk6.cyan("|  _ \\(_)_ __   __ _| |_ __ _ ")}
+${chalk6.cyan("| |_) | | '_ \\ / _` | __/ _` |")}
+${chalk6.cyan("|  __/| | | | | (_| | || (_| |")}
+${chalk6.cyan("|_|   |_|_| |_|\\__,_|\\__\\__,_|")}
 `;
 function formatScanTerminal(result, basePath) {
   const lines = [];
   lines.push(BANNER);
-  lines.push(chalk5.gray(`Analyzing: ${result.targetDirectory}`));
+  lines.push(chalk6.gray(`Analyzing: ${result.targetDirectory}`));
   const projectTypeLabel = getProjectTypeDescription(result.projectType.type);
-  lines.push(chalk5.gray(`Project: ${projectTypeLabel} (${result.projectType.confidence} confidence)`));
-  lines.push(chalk5.gray(`Files: ${result.fileStats.totalFiles} | Languages: ${formatLanguages(result)}`));
+  lines.push(chalk6.gray(`Project: ${projectTypeLabel} (${result.projectType.confidence} confidence)`));
+  lines.push(chalk6.gray(`Files: ${result.fileStats.totalFiles} | Languages: ${formatLanguages(result)}`));
   lines.push("");
   lines.push(formatScoreBox(result.score));
   lines.push("");
-  lines.push(chalk5.bold("Domain Coverage:"));
+  lines.push(chalk6.bold("Domain Coverage:"));
   lines.push(formatDomainCoverage(result.coverage));
   lines.push("");
   if (result.gaps.length > 0) {
     lines.push(formatGapsSummary(result.gaps, basePath));
     lines.push("");
   } else {
-    lines.push(chalk5.green.bold("No gaps detected! Your codebase has good test coverage."));
+    lines.push(chalk6.green.bold("No vulnerabilities detected."));
     lines.push("");
   }
   if (result.gaps.length > 0) {
-    lines.push(chalk5.gray("Run `pinata generate --gaps` to create tests for these gaps."));
+    lines.push(chalk6.gray("Run `pinata generate --gaps` to create tests for these gaps."));
   }
-  lines.push(chalk5.gray(`
+  lines.push(chalk6.gray(`
 Scan completed in ${result.durationMs}ms`));
   return lines.join("\n");
 }
 function formatScoreBox(score) {
-  const gradeColor = GRADE_COLORS[score.grade] ?? chalk5.white;
+  const gradeColor = GRADE_COLORS[score.grade] ?? chalk6.white;
   const scoreStr = `Pinata Score: ${score.overall}/100 ${gradeColor(`(${score.grade})`)}`;
   const boxWidth = 60;
   const padding = Math.floor((boxWidth - scoreStr.length) / 2);
-  const top = chalk5.cyan("\u2554" + "\u2550".repeat(boxWidth) + "\u2557");
-  const middle = chalk5.cyan("\u2551") + " ".repeat(padding) + scoreStr + " ".repeat(boxWidth - padding - scoreStr.length) + chalk5.cyan("\u2551");
-  const bottom = chalk5.cyan("\u255A" + "\u2550".repeat(boxWidth) + "\u255D");
+  const top = chalk6.cyan("\u2554" + "\u2550".repeat(boxWidth) + "\u2557");
+  const middle = chalk6.cyan("\u2551") + " ".repeat(padding) + scoreStr + " ".repeat(boxWidth - padding - scoreStr.length) + chalk6.cyan("\u2551");
+  const bottom = chalk6.cyan("\u255A" + "\u2550".repeat(boxWidth) + "\u255D");
   return `${top}
 ${middle}
 ${bottom}`;
@@ -8358,14 +7240,14 @@ function formatDomainCoverage(coverage) {
     }
     const percent = domainCoverage.coveragePercent;
     const filledWidth = Math.round(percent / 100 * barWidth);
-    const bar = chalk5.green("\u2588".repeat(filledWidth)) + chalk5.gray("\u2591".repeat(barWidth - filledWidth));
-    const domainColor = DOMAIN_COLORS2[domain] ?? chalk5.white;
+    const bar = chalk6.green("\u2588".repeat(filledWidth)) + chalk6.gray("\u2591".repeat(barWidth - filledWidth));
+    const domainColor = DOMAIN_COLORS2[domain] ?? chalk6.white;
     const domainName = domain.padEnd(15);
     const stats = `${domainCoverage.categoriesCovered}/${domainCoverage.categoriesScanned} categories`;
     lines.push(`  ${domainColor(domainName)} ${bar} ${percent.toString().padStart(3)}%  (${stats})`);
   }
   if (lines.length === 0) {
-    lines.push(chalk5.gray("  No domain coverage data available."));
+    lines.push(chalk6.gray("  No domain coverage data available."));
   }
   return lines.join("\n");
 }
@@ -8376,48 +7258,48 @@ function formatGapsSummary(gaps, basePath) {
   const medium = gaps.filter((g) => g.severity === "medium");
   const low = gaps.filter((g) => g.severity === "low");
   if (critical.length > 0) {
-    lines.push(chalk5.red.bold(`
+    lines.push(chalk6.red.bold(`
 Critical Gaps (${critical.length}):`));
     for (const gap of critical.slice(0, 5)) {
       lines.push(formatGapLine(gap, basePath, "critical"));
     }
     if (critical.length > 5) {
-      lines.push(chalk5.gray(`  ... and ${critical.length - 5} more critical gaps`));
+      lines.push(chalk6.gray(`  ... and ${critical.length - 5} more critical gaps`));
     }
   }
   if (high.length > 0) {
-    lines.push(chalk5.red(`
+    lines.push(chalk6.red(`
 High Severity Gaps (${high.length}):`));
     for (const gap of high.slice(0, 5)) {
       lines.push(formatGapLine(gap, basePath, "high"));
     }
     if (high.length > 5) {
-      lines.push(chalk5.gray(`  ... and ${high.length - 5} more high severity gaps`));
+      lines.push(chalk6.gray(`  ... and ${high.length - 5} more high severity gaps`));
     }
   }
   if (medium.length > 0) {
-    lines.push(chalk5.yellow(`
+    lines.push(chalk6.yellow(`
 Medium Severity Gaps (${medium.length}):`));
     for (const gap of medium.slice(0, 3)) {
       lines.push(formatGapLine(gap, basePath, "medium"));
     }
     if (medium.length > 3) {
-      lines.push(chalk5.gray(`  ... and ${medium.length - 3} more medium severity gaps`));
+      lines.push(chalk6.gray(`  ... and ${medium.length - 3} more medium severity gaps`));
     }
   }
   if (low.length > 0) {
-    lines.push(chalk5.gray(`
+    lines.push(chalk6.gray(`
 Low Severity: ${low.length} gaps`));
   }
   return lines.join("\n");
 }
 function formatGapLine(gap, basePath, severity) {
-  const severityColor = SEVERITY_COLORS2[severity] ?? chalk5.white;
+  const severityColor = SEVERITY_COLORS2[severity] ?? chalk6.white;
   const icon = severity === "critical" ? "\u26D4" : severity === "high" ? "\u{1F534}" : severity === "medium" ? "\u{1F7E1}" : "\u26AA";
   const relPath = relative(basePath, gap.filePath);
   const location = `${relPath}:${gap.lineStart}`;
   const confidence = gap.confidence.toUpperCase();
-  return `  ${icon} ${severityColor(gap.categoryName.padEnd(20))} ${chalk5.cyan(location.padEnd(30))} ${chalk5.gray(confidence)} confidence`;
+  return `  ${icon} ${severityColor(gap.categoryName.padEnd(20))} ${chalk6.cyan(location.padEnd(30))} ${chalk6.gray(confidence)} confidence`;
 }
 function formatLanguages(result) {
   const languages = [];
@@ -8520,7 +7402,7 @@ _...and ${gaps.length - 10} more ${severity} gaps_
     }
   } else {
     lines.push("## No Gaps Detected\n");
-    lines.push("Your codebase has good test coverage.\n");
+    lines.push("No vulnerabilities detected.\n");
   }
   lines.push("## Summary\n");
   lines.push(`- Total Gaps: ${result.summary.totalGaps}`);
@@ -8577,7 +7459,7 @@ function buildSarifResults(result, basePath) {
     ruleId: gap.categoryId,
     level: sarifLevel(gap.severity),
     message: {
-      text: `Missing test coverage for ${gap.categoryName}`
+      text: `Potential vulnerability: ${gap.categoryName}`
     },
     locations: [
       {
@@ -8640,637 +7522,1023 @@ function isValidScanOutputFormat(format) {
   return ["terminal", "json", "markdown", "sarif", "html", "junit-xml"].includes(format);
 }
 
-// src/cli/index.ts
-var __filename2 = fileURLToPath(import.meta.url);
-var __dirname2 = dirname(__filename2);
-function getDefinitionsPath() {
-  const candidates = [
-    // When running from dist/cli/index.js
-    resolve(__dirname2, "../../src/categories/definitions"),
-    // When running from project root via npx/npm
-    resolve(process.cwd(), "src/categories/definitions"),
-    // When bundled in dist (future)
-    resolve(__dirname2, "../categories/definitions")
-  ];
-  for (const candidate of candidates) {
-    if (existsSync(candidate)) {
-      return candidate;
+// src/cli/commands/analyze.ts
+function registerAnalyzeCommand(program2) {
+  program2.command("analyze [path]").description("Scan codebase for security vulnerabilities").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("--output-file <path>", "Write output to file (useful for SARIF upload)").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
+    const isQuiet = Boolean(options["quiet"]);
+    const isVerbose = Boolean(options["verbose"]);
+    if (isQuiet) {
+      logger.configure({ level: "error" });
+    } else if (isVerbose) {
+      logger.configure({ level: "debug" });
     }
-  }
-  return candidates[0];
-}
-var program = new Command();
-program.name("pinata").description("AI-powered test coverage analysis and generation").version(VERSION);
-program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("--output-file <path>", "Write output to file (useful for SARIF upload)").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
-  const isQuiet = Boolean(options["quiet"]);
-  const isVerbose = Boolean(options["verbose"]);
-  if (isQuiet) {
-    logger.configure({ level: "error" });
-  } else if (isVerbose) {
-    logger.configure({ level: "debug" });
-  }
-  const targetDirectory = resolve(targetPath ?? process.cwd());
-  if (!existsSync(targetDirectory)) {
-    console.error(formatError(new Error(`Directory not found: ${targetDirectory}`)));
-    process.exit(1);
-  }
-  const outputFormat = String(options["output"] ?? "terminal");
-  if (!isValidScanOutputFormat(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown, sarif`)));
-    process.exit(1);
-  }
-  const validSeverities = ["critical", "high", "medium", "low"];
-  const minSeverity = String(options["severity"] ?? "low");
-  if (!validSeverities.includes(minSeverity)) {
-    console.error(formatError(new Error(`Invalid severity: ${minSeverity}. Use: critical, high, medium, low`)));
-    process.exit(1);
-  }
-  const validConfidences = ["high", "medium", "low"];
-  const minConfidence = String(options["confidence"] ?? "high");
-  if (!validConfidences.includes(minConfidence)) {
-    console.error(formatError(new Error(`Invalid confidence: ${minConfidence}. Use: high, medium, low`)));
-    process.exit(1);
-  }
-  const domainsStr = options["domains"];
-  let domains = [];
-  if (domainsStr) {
-    const domainList = domainsStr.split(",").map((d) => d.trim());
-    for (const domain of domainList) {
-      if (!RISK_DOMAINS.includes(domain)) {
-        console.error(formatError(new Error(`Invalid domain: ${domain}. Valid domains: ${RISK_DOMAINS.join(", ")}`)));
-        process.exit(1);
-      }
+    const targetDirectory = resolve(targetPath ?? process.cwd());
+    if (!existsSync(targetDirectory)) {
+      console.error(formatError(new Error(`Directory not found: ${targetDirectory}`)));
+      process.exit(1);
     }
-    domains = domainList;
-  }
-  const excludeStr = options["exclude"];
-  const excludeDirs = excludeStr ? excludeStr.split(",").map((d) => d.trim()) : void 0;
-  const failOn = options["failOn"];
-  if (failOn && !["critical", "high", "medium"].includes(failOn)) {
-    console.error(formatError(new Error(`Invalid fail-on level: ${failOn}. Use: critical, high, medium`)));
-    process.exit(1);
-  }
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading categories...").start() : null;
-  try {
-    const store = createCategoryStore();
-    const definitionsPath = getDefinitionsPath();
-    logger.debug(`Loading categories from: ${definitionsPath}`);
-    const loadResult = await store.loadFromDirectory(definitionsPath);
-    if (!loadResult.success) {
-      spinner?.fail("Failed to load categories");
-      console.error(formatError(loadResult.error));
+    const outputFormat = String(options["output"] ?? "terminal");
+    if (!isValidScanOutputFormat(outputFormat)) {
+      console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown, sarif`)));
       process.exit(1);
     }
-    if (spinner) {
-      spinner.text = `Loaded ${loadResult.data} categories. Scanning...`;
+    const validSeverities = ["critical", "high", "medium", "low"];
+    const minSeverity = String(options["severity"] ?? "low");
+    if (!validSeverities.includes(minSeverity)) {
+      console.error(formatError(new Error(`Invalid severity: ${minSeverity}. Use: critical, high, medium, low`)));
+      process.exit(1);
     }
-    logger.debug(`Loaded ${loadResult.data} categories`);
-    const scanner = createScanner(store);
-    const scanOptions = {
-      minSeverity,
-      minConfidence,
-      detectTestFiles: true
-    };
-    if (domains.length > 0) {
-      scanOptions.domains = domains;
+    const validConfidences = ["high", "medium", "low"];
+    const minConfidence = String(options["confidence"] ?? "high");
+    if (!validConfidences.includes(minConfidence)) {
+      console.error(formatError(new Error(`Invalid confidence: ${minConfidence}. Use: high, medium, low`)));
+      process.exit(1);
     }
-    if (excludeDirs) {
-      scanOptions.excludeDirs = excludeDirs;
+    const domainsStr = options["domains"];
+    let domains = [];
+    if (domainsStr) {
+      const domainList = domainsStr.split(",").map((d) => d.trim());
+      for (const domain of domainList) {
+        if (!RISK_DOMAINS.includes(domain)) {
+          console.error(formatError(new Error(`Invalid domain: ${domain}. Valid domains: ${RISK_DOMAINS.join(", ")}`)));
+          process.exit(1);
+        }
+      }
+      domains = domainList;
     }
-    const scanResult = await scanner.scanDirectory(targetDirectory, scanOptions);
-    if (!scanResult.success) {
-      spinner?.fail("Scan failed");
-      console.error(formatError(scanResult.error));
+    const excludeStr = options["exclude"];
+    const excludeDirs = excludeStr ? excludeStr.split(",").map((d) => d.trim()) : void 0;
+    const failOn = options["failOn"];
+    if (failOn && !["critical", "high", "medium"].includes(failOn)) {
+      console.error(formatError(new Error(`Invalid fail-on level: ${failOn}. Use: critical, high, medium`)));
       process.exit(1);
     }
-    spinner?.stop();
-    const shouldVerify = Boolean(options["verify"]);
-    if (shouldVerify && scanResult.data.gaps.length > 0) {
-      const { hasApiKey: hasApiKey2, setConfigValue: setConfigValue2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-      const { createInterface } = await import('readline');
-      let provider = "anthropic";
-      if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
-        spinner?.stop();
-        console.log(chalk5.yellow("\nAI verification requires an API key."));
-        console.log(chalk5.gray("Get one at: https://console.anthropic.com/settings/keys"));
-        console.log(chalk5.gray("Or: https://platform.openai.com/api-keys\n"));
-        const rl = createInterface({ input: process.stdin, output: process.stdout });
-        const askQuestion = (question) => {
-          return new Promise((resolve7) => {
-            rl.question(question, (answer) => resolve7(answer.trim()));
-          });
-        };
-        const apiKey = await askQuestion(chalk5.cyan("Enter your Anthropic or OpenAI API key: "));
-        rl.close();
-        if (!apiKey) {
-          console.log(chalk5.red("No API key provided. Skipping AI verification."));
-        } else {
-          if (apiKey.startsWith("sk-ant-")) {
-            setConfigValue2("anthropicApiKey", apiKey);
-            provider = "anthropic";
-            console.log(chalk5.green("Anthropic API key saved to ~/.pinata/config.json\n"));
+    const showSpinner = outputFormat === "terminal" && !isQuiet;
+    const spinner = showSpinner ? ora3("Loading categories...").start() : null;
+    try {
+      const store = createCategoryStore();
+      const definitionsPath = getDefinitionsPath();
+      logger.debug(`Loading categories from: ${definitionsPath}`);
+      const loadResult = await store.loadFromDirectory(definitionsPath);
+      if (!loadResult.success) {
+        spinner?.fail("Failed to load categories");
+        console.error(formatError(loadResult.error));
+        process.exit(1);
+      }
+      if (spinner) {
+        spinner.text = `Loaded ${loadResult.data} categories. Scanning...`;
+      }
+      const scanner = createScanner(store);
+      const scanOptions = {
+        minSeverity,
+        minConfidence,
+        detectTestFiles: true
+      };
+      if (domains.length > 0) {
+        scanOptions.domains = domains;
+      }
+      if (excludeDirs) {
+        scanOptions.excludeDirs = excludeDirs;
+      }
+      const scanResult = await scanner.scanDirectory(targetDirectory, scanOptions);
+      if (!scanResult.success) {
+        spinner?.fail("Scan failed");
+        console.error(formatError(scanResult.error));
+        process.exit(1);
+      }
+      spinner?.stop();
+      const shouldVerify = Boolean(options["verify"]);
+      if (shouldVerify && scanResult.data.gaps.length > 0) {
+        const { hasApiKey: hasApiKey2, setConfigValue: setConfigValue2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+        const { createInterface } = await import('readline');
+        let provider = "anthropic";
+        if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
+          spinner?.stop();
+          console.log(chalk6.yellow("\nAI verification requires an API key."));
+          console.log(chalk6.gray("Get one at: https://console.anthropic.com/settings/keys"));
+          console.log(chalk6.gray("Or: https://platform.openai.com/api-keys\n"));
+          const rl = createInterface({ input: process.stdin, output: process.stdout });
+          const askQuestion = (question) => new Promise((resolve9) => rl.question(question, (answer) => resolve9(answer.trim())));
+          const apiKey = await askQuestion(chalk6.cyan("Enter your Anthropic or OpenAI API key: "));
+          rl.close();
+          if (!apiKey) {
+            console.log(chalk6.red("No API key provided. Skipping AI verification."));
           } else {
-            setConfigValue2("openaiApiKey", apiKey);
-            provider = "openai";
-            console.log(chalk5.green("OpenAI API key saved to ~/.pinata/config.json\n"));
+            if (apiKey.startsWith("sk-ant-")) {
+              setConfigValue2("anthropicApiKey", apiKey);
+              provider = "anthropic";
+              console.log(chalk6.green("Anthropic API key saved to ~/.pinata/config.json\n"));
+            } else {
+              setConfigValue2("openaiApiKey", apiKey);
+              provider = "openai";
+              console.log(chalk6.green("OpenAI API key saved to ~/.pinata/config.json\n"));
+            }
           }
+        } else if (hasApiKey2("openai") && !hasApiKey2("anthropic")) {
+          provider = "openai";
         }
-      } else if (hasApiKey2("openai") && !hasApiKey2("anthropic")) {
-        provider = "openai";
-      }
-      if (!hasApiKey2(provider)) {
-      } else {
-        const verifySpinner = showSpinner ? ora("Verifying gaps with AI...").start() : null;
-        try {
-          const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
-          const { readFile: readFile7 } = await import('fs/promises');
-          const apiKey = getApiKey2(provider);
-          const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
-          const { verified, dismissed, stats } = await verifier.verifyAll(
-            scanResult.data.gaps,
-            async (path2) => readFile7(path2, "utf-8")
-          );
-          scanResult.data.gaps = verified;
-          const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
-          let deduction = 0;
-          for (const gap of verified) {
-            deduction += severityWeights[gap.severity] ?? 1;
-          }
-          const newOverall = Math.max(0, 100 - deduction);
-          const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
-          scanResult.data.score.overall = newOverall;
-          scanResult.data.score.grade = newGrade;
-          verifySpinner?.succeed(
-            `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
-          );
-          if (isVerbose && dismissed.length > 0) {
-            console.log(chalk5.gray("\nDismissed as false positives:"));
-            for (const { gap, reason } of dismissed.slice(0, 5)) {
-              console.log(chalk5.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
-              console.log(chalk5.gray(`    Reason: ${reason.slice(0, 100)}...`));
+        if (hasApiKey2(provider)) {
+          const verifySpinner = showSpinner ? ora3("Verifying gaps with AI...").start() : null;
+          try {
+            const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
+            const { readFile: readFile7 } = await import('fs/promises');
+            const apiKey = getApiKey2(provider);
+            const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
+            const { verified, dismissed, stats } = await verifier.verifyAll(
+              scanResult.data.gaps,
+              async (path2) => readFile7(path2, "utf-8")
+            );
+            scanResult.data.gaps = verified;
+            const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
+            let deduction = 0;
+            for (const gap of verified) {
+              deduction += severityWeights[gap.severity] ?? 1;
+            }
+            const newOverall = Math.max(0, 100 - deduction);
+            const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
+            scanResult.data.score.overall = newOverall;
+            scanResult.data.score.grade = newGrade;
+            verifySpinner?.succeed(
+              `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
+            );
+            if (isVerbose && dismissed.length > 0) {
+              console.log(chalk6.gray("\nDismissed as false positives:"));
+              for (const { gap, reason } of dismissed.slice(0, 5)) {
+                console.log(chalk6.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
+                console.log(chalk6.gray(`    Reason: ${reason.slice(0, 100)}...`));
+              }
+              if (dismissed.length > 5) {
+                console.log(chalk6.gray(`  ... and ${dismissed.length - 5} more`));
+              }
             }
-            if (dismissed.length > 5) {
-              console.log(chalk5.gray(`  ... and ${dismissed.length - 5} more`));
+          } catch (error) {
+            verifySpinner?.fail("AI verification failed (results unverified)");
+            if (isVerbose) {
+              console.error(chalk6.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
             }
           }
-        } catch (error) {
-          verifySpinner?.fail("AI verification failed (results unverified)");
-          if (isVerbose) {
-            console.error(chalk5.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
-          }
         }
       }
-    }
-    const shouldExecute = Boolean(options["execute"]);
-    const isDryRun = Boolean(options["dryRun"]);
-    if (shouldExecute && scanResult.data.gaps.length > 0) {
-      const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
-      const { readFile: readFile7 } = await import('fs/promises');
-      const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
-      if (testableGaps.length === 0) {
-        console.log(chalk5.yellow("\nNo dynamically testable gaps found."));
-        console.log(chalk5.gray("Testable types: sql-injection, xss, command-injection, path-traversal"));
-      } else {
-        const runner = createRunner2(void 0, isDryRun);
-        const initResult = await runner.initialize();
-        if (!initResult.ready) {
-          console.log(chalk5.red(`
-Dynamic execution unavailable: ${initResult.error}`));
+      const shouldExecute = Boolean(options["execute"]);
+      const isDryRun = Boolean(options["dryRun"]);
+      if (shouldExecute && scanResult.data.gaps.length > 0) {
+        const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
+        const { readFile: readFile7 } = await import('fs/promises');
+        const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
+        if (testableGaps.length === 0) {
+          console.log(chalk6.yellow("\nNo dynamically testable gaps found."));
         } else {
-          const fileContents = /* @__PURE__ */ new Map();
-          for (const gap of testableGaps) {
-            if (!fileContents.has(gap.filePath)) {
-              try {
-                fileContents.set(gap.filePath, await readFile7(gap.filePath, "utf-8"));
-              } catch {
+          const runner = createRunner2(void 0, isDryRun);
+          const initResult = await runner.initialize();
+          if (!initResult.ready) {
+            console.log(chalk6.red(`
+Dynamic execution unavailable: ${initResult.error}`));
+          } else {
+            const fileContents = /* @__PURE__ */ new Map();
+            for (const gap of testableGaps) {
+              if (!fileContents.has(gap.filePath)) {
+                try {
+                  fileContents.set(gap.filePath, await readFile7(gap.filePath, "utf-8"));
+                } catch {
+                }
               }
             }
-          }
-          const executionSummary = await runner.executeAll(testableGaps, fileContents);
-          for (const result of executionSummary.results) {
-            const gap = scanResult.data.gaps.find(
-              (g) => g.filePath === result.gap.filePath && g.lineStart === result.gap.lineStart
-            );
-            if (gap && result.status === "confirmed") {
-              gap.confirmed = true;
-              gap.evidence = result.evidence;
+            const executionSummary = await runner.executeAll(testableGaps, fileContents);
+            for (const result of executionSummary.results) {
+              const gap = scanResult.data.gaps.find(
+                (g) => g.filePath === result.gap.filePath && g.lineStart === result.gap.lineStart
+              );
+              if (gap && result.status === "confirmed") {
+                gap.confirmed = true;
+                gap.evidence = result.evidence;
+              }
             }
-          }
-          if (executionSummary.confirmed > 0) {
-            console.log(chalk5.red.bold(`
+            if (executionSummary.confirmed > 0) {
+              console.log(chalk6.red.bold(`
 \u26A0\uFE0F  ${executionSummary.confirmed} CONFIRMED vulnerabilities found!`));
+            }
           }
         }
       }
+      const cacheResult = await saveScanResults(process.cwd(), scanResult.data);
+      if (!cacheResult.success) {
+        logger.debug(`Failed to cache results: ${cacheResult.error.message}`);
+      }
+      const output = formatScanResult(scanResult.data, outputFormat, targetDirectory);
+      const outputFile = options["outputFile"];
+      if (outputFile) {
+        writeFileSync(resolve(outputFile), output, "utf-8");
+        logger.info(`Results written to: ${resolve(outputFile)}`);
+      } else {
+        console.log(output);
+      }
+      if (isVerbose && scanResult.data.warnings.length > 0) {
+        console.error("\nWarnings:");
+        for (const warning of scanResult.data.warnings) {
+          console.error(`  - ${warning}`);
+        }
+      }
+      if (failOn) {
+        const severityOrder = { critical: 3, high: 2, medium: 1 };
+        const failLevel = severityOrder[failOn] ?? 0;
+        const hasFailingGaps = scanResult.data.gaps.some((gap) => (severityOrder[gap.severity] ?? 0) >= failLevel);
+        if (hasFailingGaps) {
+          process.exit(1);
+        }
+      }
+      process.exit(0);
+    } catch (error) {
+      spinner?.fail("Analysis failed");
+      console.error(formatError(error instanceof Error ? error : new Error(String(error))));
+      process.exit(1);
+    }
+  });
+}
+init_results_cache();
+var FRAMEWORK_INDICATORS = {
+  vitest: {
+    deps: [],
+    devDeps: ["vitest"],
+    files: ["vitest.config.ts", "vitest.config.js", "vitest.config.mts"]
+  },
+  jest: {
+    deps: [],
+    devDeps: ["jest", "@jest/core", "ts-jest"],
+    files: ["jest.config.ts", "jest.config.js", "jest.config.mjs"]
+  },
+  pytest: {
+    deps: ["pytest"],
+    devDeps: ["pytest"],
+    files: ["pytest.ini", "pyproject.toml", "setup.cfg", "conftest.py"]
+  },
+  "go-test": {
+    deps: [],
+    devDeps: [],
+    files: ["go.mod"]
+  },
+  mocha: {
+    deps: [],
+    devDeps: ["mocha"],
+    files: [".mocharc.yml", ".mocharc.js"]
+  }
+};
+var FRAMEWORK_DEFAULTS = {
+  vitest: {
+    name: "vitest",
+    importStyle: 'import { describe, it, expect, beforeEach } from "vitest";',
+    runner: "npx vitest run"
+  },
+  jest: {
+    name: "jest",
+    importStyle: "// jest globals auto-imported",
+    runner: "npx jest"
+  },
+  pytest: {
+    name: "pytest",
+    importStyle: "import pytest",
+    runner: "pytest"
+  },
+  "go-test": {
+    name: "go-test",
+    importStyle: 'import "testing"',
+    runner: "go test ./..."
+  },
+  mocha: {
+    name: "mocha",
+    importStyle: 'import { describe, it } from "mocha"; import { expect } from "chai";',
+    runner: "npx mocha"
+  }
+};
+var EXT_TO_LANG = {
+  ".ts": "typescript",
+  ".tsx": "typescript",
+  ".js": "javascript",
+  ".jsx": "javascript",
+  ".py": "python",
+  ".go": "go",
+  ".java": "java",
+  ".rs": "rust"
+};
+var WEB_FRAMEWORK_PATTERNS = [
+  [/from\s+["']express["']|require\s*\(\s*["']express["']\)/, "express"],
+  [/from\s+["']fastify["']/, "fastify"],
+  [/from\s+["']koa["']/, "koa"],
+  [/from\s+["']@nestjs\//, "nestjs"],
+  [/from\s+["']next["']|from\s+["']next\//, "nextjs"],
+  [/from\s+flask\s+import|import\s+flask/, "flask"],
+  [/from\s+django|import\s+django/, "django"],
+  [/from\s+fastapi|import\s+fastapi/, "fastapi"],
+  [/"github\.com\/gin-gonic\/gin"/, "gin"],
+  [/"github\.com\/gofiber\/fiber"/, "fiber"]
+];
+var DB_PATTERNS = [
+  [/prisma|@prisma\/client/, "postgres"],
+  [/pg\b|postgres|postgresql/, "postgres"],
+  [/mysql2?["'\s]|from\s+["']mysql/, "mysql"],
+  [/mongoose|mongodb|MongoClient/, "mongodb"],
+  [/sqlite3|better-sqlite/, "sqlite"],
+  [/sqlalchemy|psycopg2/, "postgres"],
+  [/pymysql|mysqlclient/, "mysql"]
+];
+function extractFunction(source, targetLine, language) {
+  const lines = source.split("\n");
+  const idx = targetLine - 1;
+  if (idx < 0 || idx >= lines.length) {
+    const start = Math.max(0, idx - 10);
+    const end = Math.min(lines.length, idx + 10);
+    return { body: lines.slice(start, end).join("\n"), name: void 0 };
+  }
+  if (language === "python") {
+    return extractPythonFunction(lines, idx);
+  }
+  return extractBraceFunction(lines, idx);
+}
+function findBalancedEnd(lines, startLine) {
+  let depth = 0;
+  let started = false;
+  let endIdx = startLine;
+  for (let i = startLine; i < lines.length; i++) {
+    const line = lines[i];
+    for (const ch of line) {
+      if (ch === "{") {
+        depth++;
+        started = true;
+      }
+      if (ch === "}") depth--;
+      if (started && depth === 0) {
+        endIdx = i;
+        return { endIdx, started };
+      }
+    }
+  }
+  return { endIdx, started };
+}
+var SIGNATURE_PATTERN = /^(export\s+)?(async\s+)?function\s|^(export\s+)?(const|let|var)\s+\w+\s*=|^\w+\s*\(|^(public|private|protected)\s/;
+var NAME_PATTERN = /function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=|(\w+)\s*\(/;
+function extractBraceFunction(lines, targetIdx) {
+  let startIdx = targetIdx;
+  let braceDepth = 0;
+  let foundOpenBrace = false;
+  for (let i = targetIdx; i >= 0; i--) {
+    const line = lines[i];
+    for (let j = line.length - 1; j >= 0; j--) {
+      if (line[j] === "}") braceDepth++;
+      if (line[j] === "{") {
+        braceDepth--;
+        if (braceDepth < 0) {
+          startIdx = i;
+          foundOpenBrace = true;
+          break;
+        }
+      }
     }
-    const cacheResult = await saveScanResults(process.cwd(), scanResult.data);
-    if (!cacheResult.success) {
-      logger.debug(`Failed to cache results: ${cacheResult.error.message}`);
+    if (foundOpenBrace) break;
+  }
+  let sigStart = startIdx;
+  for (let i = startIdx; i >= Math.max(0, startIdx - 5); i--) {
+    const line = lines[i].trim();
+    if (line.match(SIGNATURE_PATTERN)) {
+      sigStart = i;
+      break;
     }
-    const output = formatScanResult(scanResult.data, outputFormat, targetDirectory);
-    const outputFile = options["outputFile"];
-    if (outputFile) {
-      const outputPath = resolve(outputFile);
-      writeFileSync(outputPath, output, "utf-8");
-      logger.info(`Results written to: ${outputPath}`);
-    } else {
-      console.log(output);
+  }
+  const { endIdx } = findBalancedEnd(lines, sigStart);
+  const body = lines.slice(sigStart, endIdx + 1).join("\n");
+  const sigLine = lines[sigStart]?.trim() ?? "";
+  const nameMatch = sigLine.match(NAME_PATTERN);
+  const name = nameMatch?.[1] ?? nameMatch?.[2] ?? nameMatch?.[3];
+  return { body, name };
+}
+var PYTHON_DEF_PATTERN = /^(\s*)def\s+\w+|^(\s*)class\s+\w+|^(\s*)async\s+def\s+\w+/;
+var PYTHON_INDENT_PATTERN = /^(\s*)/;
+var PYTHON_NAME_PATTERN = /def\s+(\w+)|class\s+(\w+)/;
+function extractPythonFunction(lines, targetIdx) {
+  let startIdx = targetIdx;
+  for (let i = targetIdx; i >= 0; i--) {
+    if (lines[i].match(PYTHON_DEF_PATTERN)) {
+      startIdx = i;
+      break;
+    }
+  }
+  const indent = (lines[startIdx].match(PYTHON_INDENT_PATTERN) ?? ["", ""])[1].length;
+  let endIdx = targetIdx;
+  for (let i = startIdx + 1; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmedLine = line.trim();
+    if (trimmedLine === "") continue;
+    const lineIndent = (line.match(PYTHON_INDENT_PATTERN) ?? ["", ""])[1].length;
+    if (lineIndent <= indent && trimmedLine !== "") {
+      endIdx = i - 1;
+      break;
     }
-    if (isVerbose && scanResult.data.warnings.length > 0) {
-      console.error("\nWarnings:");
-      for (const warning of scanResult.data.warnings) {
-        console.error(`  - ${warning}`);
+    endIdx = i;
+  }
+  const body = lines.slice(startIdx, endIdx + 1).join("\n");
+  const nameMatch = lines[startIdx].match(PYTHON_NAME_PATTERN);
+  const name = nameMatch?.[1] ?? nameMatch?.[2];
+  return { body, name };
+}
+var REQUIRE_PATTERN = /^const\s+\w+\s*=\s*require\(/;
+function extractImports(source, language) {
+  const lines = source.split("\n");
+  const imports = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (language === "python") {
+      if (trimmed.startsWith("import ") || trimmed.startsWith("from ")) {
+        imports.push(trimmed);
+      }
+    } else if (language === "typescript" || language === "javascript") {
+      if (trimmed.startsWith("import ") || trimmed.match(REQUIRE_PATTERN)) {
+        imports.push(trimmed);
+      }
+    } else if (language === "go") {
+      if (trimmed.startsWith("import ") || trimmed.startsWith('"')) {
+        imports.push(trimmed);
+      }
+    } else if (language === "java") {
+      if (trimmed.startsWith("import ")) {
+        imports.push(trimmed);
       }
     }
-    if (failOn) {
-      const severityOrder = {
-        critical: 3,
-        high: 2,
-        medium: 1
-      };
-      const failLevel = severityOrder[failOn] ?? 0;
-      const hasFailingGaps = scanResult.data.gaps.some((gap) => {
-        const gapLevel = severityOrder[gap.severity] ?? 0;
-        return gapLevel >= failLevel;
-      });
-      if (hasFailingGaps) {
-        const count = scanResult.data.gaps.filter((gap) => {
-          const gapLevel = severityOrder[gap.severity] ?? 0;
-          return gapLevel >= failLevel;
-        }).length;
-        logger.debug(`Exiting with code 1 due to ${count} gaps at ${failOn} level or above`);
-        process.exit(1);
+  }
+  return imports;
+}
+async function detectTestFramework(projectRoot, language) {
+  if (language === "typescript" || language === "javascript") {
+    const pkgPath = resolve(projectRoot, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(await readFile(pkgPath, "utf-8"));
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+        for (const [framework, indicators] of Object.entries(FRAMEWORK_INDICATORS)) {
+          for (const dep of [...indicators.deps, ...indicators.devDeps]) {
+            if (dep in allDeps) {
+              return FRAMEWORK_DEFAULTS[framework];
+            }
+          }
+        }
+      } catch {
       }
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Analysis failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
+    for (const [framework, indicators] of Object.entries(FRAMEWORK_INDICATORS)) {
+      for (const file of indicators.files) {
+        if (existsSync(resolve(projectRoot, file))) {
+          return FRAMEWORK_DEFAULTS[framework];
+        }
+      }
+    }
+    return language === "typescript" ? FRAMEWORK_DEFAULTS["vitest"] : FRAMEWORK_DEFAULTS["jest"];
   }
-});
-program.command("generate").description("Generate tests for identified gaps").option("--gaps", "Generate tests for all identified gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--output-dir <dir>", "Directory for generated test files").option("--write", "Write files to disk (default is dry-run)").option("--ai", "Use AI for smarter template variable filling").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
-  const isQuiet = Boolean(options["quiet"]);
-  const isVerbose = Boolean(options["verbose"]);
-  const dryRun = !options["write"];
-  const useAI = Boolean(options["ai"]);
-  const aiProvider = String(options["aiProvider"] ?? "anthropic");
-  const outputFormat = String(options["output"] ?? "terminal");
-  if (isQuiet) {
-    logger.configure({ level: "error" });
-  } else if (isVerbose) {
-    logger.configure({ level: "debug" });
+  if (language === "python") return FRAMEWORK_DEFAULTS["pytest"];
+  if (language === "go") return FRAMEWORK_DEFAULTS["go-test"];
+  return FRAMEWORK_DEFAULTS["vitest"];
+}
+async function findExistingTest(filePath, projectRoot) {
+  const base = basename(filePath, extname(filePath));
+  const dir = dirname(filePath);
+  const rel = relative(projectRoot, dir);
+  const candidates = [
+    resolve(dir, `${base}.test${extname(filePath)}`),
+    resolve(dir, `${base}.spec${extname(filePath)}`),
+    resolve(dir, `__tests__/${base}${extname(filePath)}`),
+    resolve(projectRoot, "tests", rel, `${base}.test${extname(filePath)}`),
+    resolve(projectRoot, "test", rel, `${base}.test${extname(filePath)}`)
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      try {
+        const content = await readFile(candidate, "utf-8");
+        return content.split("\n").slice(0, 50).join("\n");
+      } catch {
+      }
+    }
   }
-  if (!["terminal", "json"].includes(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json`)));
-    process.exit(1);
+  return void 0;
+}
+function suggestTestPath(gap, projectRoot, language) {
+  relative(projectRoot, gap.filePath);
+  const base = basename(gap.filePath, extname(gap.filePath));
+  const ext = language === "python" ? ".py" : extname(gap.filePath);
+  const safeCategory = gap.categoryId.replace(/[^a-z0-9-]/g, "-");
+  return resolve(projectRoot, "tests", "security", `${safeCategory}-${base}.test${ext}`);
+}
+function detectFromCode(source, patterns) {
+  for (const [pattern, name] of patterns) {
+    if (pattern.test(source)) return name;
   }
-  const hasGaps = Boolean(options["gaps"]);
-  const categoryId = options["category"];
-  const domainFilter = options["domain"];
-  if (!hasGaps && !categoryId && !domainFilter) {
-    console.error(formatError(new Error(
-      "Specify what to generate: --gaps (all gaps), --category <id>, or --domain <domain>"
-    )));
-    process.exit(1);
+  return void 0;
+}
+async function extractTestContext(gap, projectRoot) {
+  const ext = extname(gap.filePath);
+  const language = EXT_TO_LANG[ext] ?? "unknown";
+  const fileSource = await readFile(gap.filePath, "utf-8");
+  const { body: functionBody, name: functionName } = extractFunction(fileSource, gap.lineStart, language);
+  const imports = extractImports(fileSource, language);
+  const testFramework = await detectTestFramework(projectRoot, language);
+  const webFramework = detectFromCode(fileSource, WEB_FRAMEWORK_PATTERNS);
+  const dbType = detectFromCode(fileSource, DB_PATTERNS);
+  const existingTestSample = await findExistingTest(gap.filePath, projectRoot);
+  const suggestedTestPath = suggestTestPath(gap, projectRoot, language);
+  return {
+    gap,
+    fileSource,
+    functionBody,
+    functionName,
+    imports,
+    language,
+    testFramework,
+    suggestedTestPath,
+    webFramework,
+    dbType,
+    existingTestSample,
+    projectRoot
+  };
+}
+async function extractTestContexts(gaps, projectRoot) {
+  const contexts = [];
+  for (const gap of gaps) {
+    try {
+      const ctx = await extractTestContext(gap, projectRoot);
+      contexts.push(ctx);
+    } catch {
+    }
   }
-  if (domainFilter && !RISK_DOMAINS.includes(domainFilter)) {
-    console.error(formatError(new Error(
-      `Invalid domain: ${domainFilter}. Valid domains: ${RISK_DOMAINS.join(", ")}`
-    )));
-    process.exit(1);
+  return contexts;
+}
+
+// src/testgen/generator.ts
+function buildGenerationPrompt(ctx) {
+  const parts = [];
+  parts.push(`Generate a complete, runnable ${ctx.testFramework.name} test file for this security vulnerability.`);
+  parts.push("");
+  parts.push("## Vulnerability");
+  parts.push(`Type: ${ctx.gap.categoryId}`);
+  parts.push(`Severity: ${ctx.gap.severity}`);
+  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+  parts.push(`Pattern: ${ctx.gap.patternId}`);
+  parts.push("");
+  parts.push("## Vulnerable Code");
+  parts.push("```");
+  parts.push(ctx.functionBody);
+  parts.push("```");
+  parts.push("");
+  if (ctx.functionName) {
+    parts.push(`Function name: ${ctx.functionName}`);
   }
-  const validSeverities = ["critical", "high", "medium", "low"];
-  const minSeverity = String(options["severity"] ?? "medium");
-  if (!validSeverities.includes(minSeverity)) {
-    console.error(formatError(new Error(
-      `Invalid severity: ${minSeverity}. Use: critical, high, medium, low`
-    )));
-    process.exit(1);
+  parts.push("## File Imports");
+  parts.push("```");
+  parts.push(ctx.imports.join("\n"));
+  parts.push("```");
+  parts.push("");
+  parts.push("## Context");
+  parts.push(`Language: ${ctx.language}`);
+  parts.push(`Test framework: ${ctx.testFramework.name}`);
+  if (ctx.webFramework) parts.push(`Web framework: ${ctx.webFramework}`);
+  if (ctx.dbType) parts.push(`Database: ${ctx.dbType}`);
+  parts.push("");
+  if (ctx.existingTestSample) {
+    parts.push("## Existing Test Style (match this style)");
+    parts.push("```");
+    parts.push(ctx.existingTestSample.slice(0, 1500));
+    parts.push("```");
+    parts.push("");
+  }
+  parts.push("## Requirements");
+  parts.push("1. Output ONLY the complete test file. No explanations, no markdown fences.");
+  parts.push("2. Use real imports that resolve in this project.");
+  parts.push("3. The test MUST FAIL when run against the current vulnerable code.");
+  parts.push("4. Include at least 5 attack payloads specific to this vulnerability type.");
+  parts.push("5. Include at least one boundary/edge case (empty string, null, very long input, unicode).");
+  parts.push("6. If testing an HTTP endpoint, use supertest or direct function calls.");
+  parts.push("7. Test the specific vulnerable code path, not a generic function.");
+  parts.push("8. Each test should have a clear assertion that proves the vulnerability exists or is mitigated.");
+  return parts.join("\n");
+}
+function buildPropertyPrompt(ctx) {
+  const parts = [];
+  parts.push(`Generate a property-based test using fast-check (TypeScript) or hypothesis (Python) for this security vulnerability.`);
+  parts.push("");
+  parts.push("## Vulnerability");
+  parts.push(`Type: ${ctx.gap.categoryId}`);
+  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+  parts.push("");
+  parts.push("## Vulnerable Code");
+  parts.push("```");
+  parts.push(ctx.functionBody);
+  parts.push("```");
+  parts.push("");
+  parts.push("## Requirements");
+  parts.push("1. Output ONLY the complete test file. No explanations.");
+  parts.push("2. Express a security INVARIANT as a property.");
+  parts.push("3. The property should hold for ALL inputs, not just specific payloads.");
+  parts.push("4. Use fast-check for TypeScript/JavaScript or hypothesis for Python.");
+  parts.push("5. Example invariant: 'for all strings s, the output of sanitize(s) never contains <script>'");
+  parts.push(`6. Test framework: ${ctx.testFramework.name}`);
+  const invariantHints = {
+    "sql-injection": "user input should never appear unescaped in the SQL query string",
+    "xss": "user input should never appear as raw HTML in the output",
+    "command-injection": "user input should never be passed to a shell command unescaped",
+    "path-traversal": "resolved file path should always stay within the allowed directory",
+    "ssrf": "user-supplied URL should never resolve to a private/internal IP",
+    "xxe": "XML parsing should never resolve external entities",
+    "deserialization": "deserialized objects should only be of expected types",
+    "hardcoded-secrets": "no string matching secret patterns should exist in source"
+  };
+  const hint = invariantHints[ctx.gap.categoryId];
+  if (hint) {
+    parts.push(`7. Invariant hint: "${hint}"`);
   }
-  const severityOrder = {
-    critical: 4,
-    high: 3,
-    medium: 2,
-    low: 1
+  return parts.join("\n");
+}
+async function generateTest(ctx, callAI) {
+  const systemPrompt = [
+    "You are a senior security engineer writing adversarial tests.",
+    "You write tests that BREAK code, not tests that pass.",
+    "Your tests must be complete, runnable files with real imports.",
+    "Output ONLY code. No markdown fences. No explanations.",
+    "The test must FAIL against vulnerable code and PASS after a fix."
+  ].join(" ");
+  const prompt = buildGenerationPrompt(ctx);
+  const content = await callAI(prompt, systemPrompt);
+  const cleaned = stripMarkdownFences(content);
+  return {
+    filePath: ctx.suggestedTestPath,
+    content: cleaned,
+    categoryId: ctx.gap.categoryId,
+    description: `Security test for ${ctx.gap.categoryId} in ${ctx.functionName ?? "unknown function"} at ${ctx.gap.filePath}:${ctx.gap.lineStart}`,
+    isPropertyBased: false
   };
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading cached scan results...").start() : null;
-  try {
-    const projectRoot = process.cwd();
-    const cacheResult = await loadScanResults(projectRoot);
-    if (!cacheResult.success) {
-      spinner?.fail("No cached results");
-      console.error(formatError(cacheResult.error));
-      console.error(chalk5.yellow("\nRun `pinata analyze` first to scan for gaps."));
-      process.exit(1);
-    }
-    const cached = cacheResult.data;
-    let gaps = cached.gaps;
-    if (spinner) {
-      spinner.text = `Loaded ${gaps.length} gaps from cache. Filtering...`;
-    }
-    if (categoryId) {
-      gaps = gaps.filter((g) => g.categoryId === categoryId);
-    }
-    if (domainFilter) {
-      gaps = gaps.filter((g) => g.domain === domainFilter);
+}
+async function generatePropertyTest(ctx, callAI) {
+  const systemPrompt = [
+    "You are a formal verification expert writing property-based tests.",
+    "Express security invariants that must hold for ALL inputs.",
+    "Use fast-check for TypeScript/JavaScript or hypothesis for Python.",
+    "Output ONLY code. No markdown fences. No explanations."
+  ].join(" ");
+  const prompt = buildPropertyPrompt(ctx);
+  const content = await callAI(prompt, systemPrompt);
+  const cleaned = stripMarkdownFences(content);
+  const ext = ctx.language === "python" ? ".py" : ".ts";
+  const propPath = ctx.suggestedTestPath.replace(/\.test\.(ts|js|py)$/, `.prop${ext}`);
+  return {
+    filePath: propPath,
+    content: cleaned,
+    categoryId: ctx.gap.categoryId,
+    description: `Property-based security invariant for ${ctx.gap.categoryId}`,
+    isPropertyBased: true
+  };
+}
+function stripMarkdownFences(content) {
+  let result = content.trim();
+  if (result.startsWith("```")) {
+    const firstNewline = result.indexOf("\n");
+    if (firstNewline !== -1) {
+      result = result.slice(firstNewline + 1);
     }
-    gaps = gaps.filter((g) => {
-      const gapLevel = severityOrder[g.severity] ?? 0;
-      const minLevel = severityOrder[minSeverity] ?? 0;
-      return gapLevel >= minLevel;
-    });
-    if (gaps.length === 0) {
-      spinner?.succeed("No gaps match the filters");
-      console.log(chalk5.yellow("\nNo gaps found matching the specified filters."));
-      process.exit(0);
+  }
+  if (result.endsWith("```")) {
+    result = result.slice(0, -3).trimEnd();
+  }
+  return result;
+}
+
+// src/cli/commands/generate.ts
+function registerGenerateCommand(program2) {
+  program2.command("generate").description("Generate adversarial security tests for detected vulnerabilities").option("--gaps", "Generate tests for all detected gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--write", "Write test files to disk").option("--property", "Also generate property-based tests (fast-check/hypothesis)").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
+    const isQuiet = Boolean(options["quiet"]);
+    const isVerbose = Boolean(options["verbose"]);
+    const shouldWrite = Boolean(options["write"]);
+    const withProperty = Boolean(options["property"]);
+    const aiProvider = String(options["aiProvider"] ?? "anthropic");
+    const outputFormat = String(options["output"] ?? "terminal");
+    if (isQuiet) {
+      logger.configure({ level: "error" });
+    } else if (isVerbose) {
+      logger.configure({ level: "debug" });
     }
-    if (spinner) {
-      spinner.text = `Found ${gaps.length} gaps. Loading categories...`;
+    if (!["terminal", "json"].includes(outputFormat)) {
+      console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json`)));
+      process.exit(1);
     }
-    const store = createCategoryStore();
-    const definitionsPath = getDefinitionsPath();
-    const loadResult = await store.loadFromDirectory(definitionsPath);
-    if (!loadResult.success) {
-      spinner?.fail("Failed to load categories");
-      console.error(formatError(loadResult.error));
+    const hasGaps = Boolean(options["gaps"]);
+    const categoryId = options["category"];
+    const domainFilter = options["domain"];
+    if (!hasGaps && !categoryId && !domainFilter) {
+      console.error(formatError(new Error("Specify what to generate: --gaps (all gaps), --category <id>, or --domain <domain>")));
       process.exit(1);
     }
-    if (spinner) {
-      spinner.text = `Generating tests for ${gaps.length} gaps...`;
+    if (domainFilter && !RISK_DOMAINS.includes(domainFilter)) {
+      console.error(formatError(new Error(`Invalid domain: ${domainFilter}. Valid: ${RISK_DOMAINS.join(", ")}`)));
+      process.exit(1);
     }
-    const renderer = createRenderer({ strict: false, allowUnresolved: true });
-    const generatedTests = [];
-    const errors = [];
-    const gapsByCategory = /* @__PURE__ */ new Map();
-    for (const gap of gaps) {
-      const existing = gapsByCategory.get(gap.categoryId) ?? [];
-      existing.push(gap);
-      gapsByCategory.set(gap.categoryId, existing);
+    const validSeverities = ["critical", "high", "medium", "low"];
+    const minSeverity = String(options["severity"] ?? "medium");
+    if (!validSeverities.includes(minSeverity)) {
+      console.error(formatError(new Error(`Invalid severity: ${minSeverity}`)));
+      process.exit(1);
     }
-    for (const [catId, categoryGaps] of gapsByCategory) {
-      const categoryResult = store.get(catId);
-      if (!categoryResult.success) {
-        errors.push(`Category not found: ${catId}`);
-        continue;
+    const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+    const showSpinner = outputFormat === "terminal" && !isQuiet;
+    const spinner = showSpinner ? ora3("Loading scan results...").start() : null;
+    try {
+      const projectRoot = process.cwd();
+      const cacheResult = await loadScanResults(projectRoot);
+      if (!cacheResult.success) {
+        spinner?.fail("No cached results");
+        console.error(formatError(cacheResult.error));
+        console.error(chalk6.yellow("\nRun `pinata analyze` first."));
+        process.exit(1);
       }
-      const category = categoryResult.data;
-      for (const gap of categoryGaps) {
-        const gapExt = gap.filePath.split(".").pop() ?? "";
-        const langMap = {
-          py: "python",
-          ts: "typescript",
-          tsx: "typescript",
-          js: "javascript",
-          jsx: "javascript",
-          go: "go",
-          java: "java",
-          rs: "rust"
-        };
-        const gapLang = langMap[gapExt];
-        let template = category.testTemplates.find((t) => t.language === gapLang);
-        if (!template) {
-          template = category.testTemplates[0];
+      let gaps = cacheResult.data.gaps;
+      if (categoryId) {
+        gaps = gaps.filter((g) => g.categoryId === categoryId);
+      }
+      if (domainFilter) {
+        gaps = gaps.filter((g) => g.domain === domainFilter);
+      }
+      gaps = gaps.filter((g) => (severityOrder[g.severity] ?? 0) >= (severityOrder[minSeverity] ?? 0));
+      const seen = /* @__PURE__ */ new Set();
+      gaps = gaps.filter((g) => {
+        const key = `${g.categoryId}:${g.filePath}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+      if (gaps.length === 0) {
+        spinner?.succeed("No gaps match filters");
+        console.log(chalk6.yellow("\nNo gaps to generate tests for."));
+        process.exit(0);
+      }
+      if (spinner) {
+        spinner.text = `Extracting context for ${gaps.length} findings...`;
+      }
+      const contexts = await extractTestContexts(gaps, projectRoot);
+      if (contexts.length === 0) {
+        spinner?.fail("Failed to extract context from any finding");
+        process.exit(1);
+      }
+      if (spinner) {
+        spinner.text = `Generating tests for ${contexts.length} findings with AI...`;
+      }
+      const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+      if (!hasApiKey2(aiProvider)) {
+        spinner?.fail("No API key configured");
+        console.error(chalk6.yellow(`
+AI test generation requires an API key.`));
+        console.error(chalk6.gray(`  pinata config set ${aiProvider === "anthropic" ? "anthropic-api-key" : "openai-api-key"} YOUR_KEY`));
+        process.exit(1);
+      }
+      const apiKey = getApiKey2(aiProvider) ?? "";
+      const callAI = buildAICaller(aiProvider, apiKey);
+      const generated = [];
+      const errors = [];
+      for (let i = 0; i < contexts.length; i++) {
+        const ctx = contexts[i];
+        if (spinner) {
+          spinner.text = `Generating test ${i + 1}/${contexts.length}: ${ctx.gap.categoryId} in ${relative(projectRoot, ctx.gap.filePath)}`;
         }
-        if (!template) {
-          errors.push(`No templates available for ${catId}`);
-          continue;
+        try {
+          const test = await generateTest(ctx, callAI);
+          generated.push(test);
+          if (withProperty) {
+            try {
+              const propTest = await generatePropertyTest(ctx, callAI);
+              generated.push(propTest);
+            } catch (err2) {
+              errors.push(`Property test failed for ${ctx.gap.categoryId}: ${err2 instanceof Error ? err2.message : String(err2)}`);
+            }
+          }
+        } catch (err2) {
+          errors.push(`Failed ${ctx.gap.categoryId}: ${err2 instanceof Error ? err2.message : String(err2)}`);
         }
-        let variables;
-        if (useAI) {
-          variables = await extractVariablesWithAI(gap, template.variables, {
-            provider: aiProvider
-          });
-        } else {
-          variables = extractVariablesFromGap(gap);
+      }
+      spinner?.stop();
+      if (generated.length === 0) {
+        console.log(chalk6.red("Failed to generate any tests."));
+        for (const error of errors) {
+          console.error(chalk6.gray(`  ${error}`));
         }
-        const renderResult = renderer.renderTemplate(template, variables);
-        if (!renderResult.success) {
-          errors.push(`Failed to render ${catId}: ${renderResult.error.message}`);
-          continue;
+        process.exit(1);
+      }
+      if (outputFormat === "json") {
+        console.log(JSON.stringify({
+          generated: generated.map((t) => ({
+            filePath: relative(projectRoot, t.filePath),
+            categoryId: t.categoryId,
+            description: t.description,
+            isPropertyBased: t.isPropertyBased,
+            lines: t.content.split("\n").length
+          })),
+          errors
+        }, null, 2));
+      } else {
+        console.log();
+        console.log(chalk6.bold(`Generated ${generated.length} test file${generated.length === 1 ? "" : "s"}`));
+        console.log();
+        for (const test of generated) {
+          const relPath = relative(projectRoot, test.filePath);
+          const badge = test.isPropertyBased ? chalk6.magenta(" [property]") : "";
+          console.log(`  ${chalk6.green("+")} ${relPath}${badge}`);
+          console.log(chalk6.gray(`    ${test.description}`));
         }
-        const suggestedPath = suggestTestPath(gap.filePath, template, cached.targetDirectory);
-        generatedTests.push({
-          gap,
-          category,
-          template,
-          result: renderResult.data,
-          suggestedPath
-        });
+        console.log();
       }
-    }
-    spinner?.stop();
-    if (outputFormat === "json") {
-      console.log(formatGeneratedJson(generatedTests));
-    } else {
-      console.log(formatGeneratedTerminal(generatedTests, cached.targetDirectory));
-    }
-    if (isVerbose && errors.length > 0) {
-      console.error(chalk5.yellow("\nWarnings:"));
-      for (const error of errors) {
-        console.error(chalk5.gray(`  - ${error}`));
+      if (shouldWrite) {
+        let written = 0;
+        for (const test of generated) {
+          try {
+            await mkdir(dirname(test.filePath), { recursive: true });
+            await writeFile(test.filePath, test.content, "utf-8");
+            written++;
+          } catch (err2) {
+            errors.push(`Write failed: ${relative(projectRoot, test.filePath)}: ${err2 instanceof Error ? err2.message : String(err2)}`);
+          }
+        }
+        console.log(chalk6.green(`Wrote ${written} test file${written === 1 ? "" : "s"}`));
+      } else {
+        console.log(chalk6.gray("Dry run. Use --write to save test files to disk."));
       }
-    }
-    if (!dryRun) {
-      const outputDirOption = options["outputDir"];
-      const writeResult = await writeGeneratedTests(
-        generatedTests,
-        cached.targetDirectory,
-        outputDirOption
-      );
-      if (!writeResult.success) {
-        console.error(formatError(writeResult.error));
-        process.exit(1);
+      if (errors.length > 0 && isVerbose) {
+        console.error(chalk6.yellow("\nWarnings:"));
+        for (const error of errors) {
+          console.error(chalk6.gray(`  ${error}`));
+        }
       }
-      console.log(formatWriteSummary(writeResult.data, cached.targetDirectory));
-      if (writeResult.data.failed.length > 0) {
-        process.exit(1);
+      process.exit(0);
+    } catch (error) {
+      spinner?.fail("Generation failed");
+      console.error(formatError(error instanceof Error ? error : new Error(String(error))));
+      process.exit(1);
+    }
+  });
+}
+function buildAICaller(provider, apiKey) {
+  return async (prompt, systemPrompt) => {
+    if (provider === "anthropic") {
+      const response2 = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-api-key": apiKey,
+          "anthropic-version": "2023-06-01"
+        },
+        body: JSON.stringify({
+          model: "claude-sonnet-4-20250514",
+          max_tokens: 4096,
+          system: systemPrompt,
+          messages: [{ role: "user", content: prompt }]
+        })
+      });
+      if (!response2.ok) {
+        const body = await response2.text();
+        throw new Error(`Anthropic API error: ${response2.status} - ${body}`);
       }
+      const data2 = await response2.json();
+      return data2.content[0]?.text ?? "";
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Generation failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
-  }
-});
+    const response = await fetch("https://api.openai.com/v1/chat/completions", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({
+        model: "gpt-4o",
+        max_tokens: 4096,
+        messages: [
+          { role: "system", content: systemPrompt },
+          { role: "user", content: prompt }
+        ]
+      })
+    });
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`OpenAI API error: ${response.status} - ${body}`);
+    }
+    const data = await response.json();
+    return data.choices[0]?.message?.content ?? "";
+  };
+}
+
+// src/cli/index.ts
+var program = new Command();
+program.name("pinata").description("AI-powered security vulnerability detection").version(VERSION);
+registerAnalyzeCommand(program);
+registerGenerateCommand(program);
 program.command("explain").description("Get natural language explanations for detected gaps").option("-n, --top <count>", "Explain top N gaps by priority", "5").option("-c, --category <id>", "Explain gaps for specific category").option("-d, --domain <domain>", "Explain gaps for specific domain").option("--ai", "Use AI for detailed explanations (requires API key)").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json, markdown", "terminal").option("-v, --verbose", "Show more details").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
   const isQuiet = Boolean(options["quiet"]);
   const isVerbose = Boolean(options["verbose"]);
+  const topN = parseInt(String(options["top"] ?? "5"), 10);
+  const categoryFilter = options["category"];
+  const domainFilter = options["domain"];
   const useAI = Boolean(options["ai"]);
   const aiProvider = String(options["aiProvider"] ?? "anthropic");
   const outputFormat = String(options["output"] ?? "terminal");
-  const topN = parseInt(String(options["top"] ?? "5"), 10);
   if (isQuiet) {
     logger.configure({ level: "error" });
   } else if (isVerbose) {
     logger.configure({ level: "debug" });
   }
   if (!["terminal", "json", "markdown"].includes(outputFormat)) {
-    console.error(formatError(new Error(`Invalid output format: ${outputFormat}. Use: terminal, json, markdown`)));
+    console.error(formatError(new Error(`Invalid format: ${outputFormat}. Use: terminal, json, markdown`)));
     process.exit(1);
   }
-  const showSpinner = outputFormat === "terminal" && !isQuiet;
-  const spinner = showSpinner ? ora("Loading cached scan results...").start() : null;
-  try {
-    const projectRoot = process.cwd();
-    const cacheResult = await loadScanResults(projectRoot);
-    if (!cacheResult.success) {
-      spinner?.fail("No cached results");
-      console.error(formatError(cacheResult.error));
-      console.error(chalk5.yellow("\nRun `pinata analyze` first to scan for gaps."));
+  const projectRoot = process.cwd();
+  const cacheResult = await loadScanResults(projectRoot);
+  if (!cacheResult.success) {
+    console.error(formatError(cacheResult.error));
+    console.error(chalk6.yellow("\nRun `pinata analyze` first to scan for gaps."));
+    process.exit(1);
+  }
+  const cached = cacheResult.data;
+  let gaps = cached.gaps;
+  if (categoryFilter) {
+    gaps = gaps.filter((g) => g.categoryId === categoryFilter);
+  }
+  if (domainFilter) {
+    if (!RISK_DOMAINS.includes(domainFilter)) {
+      console.error(formatError(new Error(`Invalid domain: ${domainFilter}`)));
       process.exit(1);
     }
-    const cached = cacheResult.data;
-    let gaps = cached.gaps;
-    const categoryFilter = options["category"];
-    const domainFilter = options["domain"];
-    if (categoryFilter) {
-      gaps = gaps.filter((g) => g.categoryId === categoryFilter);
-    }
-    if (domainFilter) {
-      if (!RISK_DOMAINS.includes(domainFilter)) {
-        spinner?.fail("Invalid domain");
-        console.error(formatError(new Error(`Invalid domain: ${domainFilter}. Valid: ${RISK_DOMAINS.join(", ")}`)));
-        process.exit(1);
+    gaps = gaps.filter((g) => g.domain === domainFilter);
+  }
+  gaps = gaps.slice(0, topN);
+  if (gaps.length === 0) {
+    console.log(chalk6.yellow("No gaps to explain."));
+    process.exit(0);
+  }
+  let explanations;
+  if (useAI) {
+    const spinner = ora3("Generating AI explanations...").start();
+    try {
+      const aiConfig = { provider: aiProvider };
+      const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+      if (hasApiKey2(aiProvider)) {
+        const key = getApiKey2(aiProvider);
+        if (key) {
+          aiConfig.apiKey = key;
+        }
       }
-      gaps = gaps.filter((g) => g.domain === domainFilter);
-    }
-    if (gaps.length === 0) {
-      spinner?.succeed("No gaps to explain");
-      console.log(chalk5.yellow("\nNo gaps found matching the filters."));
-      process.exit(0);
-    }
-    gaps = gaps.sort((a, b) => b.priorityScore - a.priorityScore).slice(0, topN);
-    if (spinner) {
-      spinner.text = `Explaining ${gaps.length} gap(s)...`;
-    }
-    const explanations = [];
-    if (useAI) {
-      const ai = createAIService({ provider: aiProvider });
-      if (!ai.isConfigured()) {
-        spinner?.warn("AI not configured, using fallback explanations");
-        console.error(chalk5.yellow(`
+      const resultMap = await explainGaps(gaps, void 0, aiConfig);
+      explanations = gaps.map((g) => {
+        const key = `${g.categoryId}:${g.filePath}:${g.lineStart}`;
+        const result = resultMap.get(key);
+        if (result?.success && result.data) {
+          return result.data;
+        }
+        return generateFallbackExplanation(g);
+      });
+      spinner.succeed(`Generated ${explanations.length} explanations`);
+    } catch (error) {
+      spinner.fail("AI explanation failed");
+      console.error(chalk6.yellow(`
 Set ${aiProvider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY"} for AI explanations.
 `));
-        for (const gap of gaps) {
-          explanations.push({
-            gap,
-            explanation: generateFallbackExplanation(gap)
-          });
-        }
-      } else {
-        for (const gap of gaps) {
-          const result = await explainGap(gap, void 0, { provider: aiProvider });
-          if (result.success && result.data) {
-            explanations.push({ gap, explanation: result.data });
-          } else {
-            explanations.push({
-              gap,
-              explanation: generateFallbackExplanation(gap)
-            });
-          }
-        }
-      }
-    } else {
-      for (const gap of gaps) {
-        explanations.push({
-          gap,
-          explanation: generateFallbackExplanation(gap)
-        });
-      }
+      explanations = gaps.map((g) => generateFallbackExplanation(g));
     }
-    spinner?.stop();
-    if (outputFormat === "json") {
-      console.log(JSON.stringify(explanations.map((e) => ({
-        gap: {
-          categoryId: e.gap.categoryId,
-          categoryName: e.gap.categoryName,
-          filePath: e.gap.filePath,
-          lineStart: e.gap.lineStart,
-          severity: e.gap.severity,
-          confidence: e.gap.confidence,
-          codeSnippet: e.gap.codeSnippet
-        },
-        explanation: e.explanation
-      })), null, 2));
-    } else if (outputFormat === "markdown") {
-      console.log(`# Gap Explanations
-`);
-      console.log(`Generated ${explanations.length} explanation(s).
-`);
-      for (const { gap, explanation } of explanations) {
-        console.log(`## ${gap.categoryName}
-`);
-        console.log(`**File:** \`${gap.filePath}:${gap.lineStart}\`
-`);
-        console.log(`**Severity:** ${gap.severity} | **Confidence:** ${gap.confidence}
-`);
-        console.log(`### Summary
-${explanation.summary}
-`);
-        console.log(`### Explanation
-${explanation.explanation}
-`);
-        console.log(`### Risk
-${explanation.risk}
+  } else {
+    explanations = gaps.map((g) => generateFallbackExplanation(g));
+  }
+  if (outputFormat === "json") {
+    const output = gaps.map((g, i) => ({ gap: { categoryId: g.categoryId, severity: g.severity, filePath: g.filePath, lineStart: g.lineStart }, ...explanations[i] }));
+    console.log(JSON.stringify(output, null, 2));
+  } else if (outputFormat === "markdown") {
+    console.log("# Gap Explanations\n");
+    for (let i = 0; i < explanations.length; i++) {
+      const exp = explanations[i];
+      const gap = gaps[i];
+      console.log(`## ${exp.summary}
 `);
-        console.log(`### How to Fix
-${explanation.remediation}
+      console.log(`**Severity**: ${gap.severity} | **Category**: ${gap.categoryId}
 `);
-        if (explanation.safeExample) {
-          console.log(`### Safe Example
-\`\`\`
-${explanation.safeExample}
-\`\`\`
+      console.log(exp.explanation);
+      if (exp.remediation) {
+        console.log(`
+**Remediation**: ${exp.remediation}
 `);
-        }
-        console.log("---\n");
       }
-    } else {
+      console.log("---\n");
+    }
+  } else {
+    console.log();
+    for (let i = 0; i < explanations.length; i++) {
+      const exp = explanations[i];
+      const gap = gaps[i];
+      const severityColor = gap.severity === "critical" ? chalk6.red : gap.severity === "high" ? chalk6.yellow : chalk6.blue;
+      console.log(`${severityColor.bold(`[${gap.severity.toUpperCase()}]`)} ${chalk6.bold(exp.summary)}`);
+      console.log(chalk6.gray(`  Category: ${gap.categoryId} | ${gap.filePath}:${gap.lineStart}`));
       console.log();
-      console.log(chalk5.bold.cyan("Gap Explanations"));
-      console.log(chalk5.gray("\u2500".repeat(60)));
-      for (const { gap, explanation } of explanations) {
-        console.log();
-        console.log(chalk5.bold.white(gap.categoryName));
-        console.log(chalk5.gray(`  ${gap.filePath}:${gap.lineStart}`));
-        const severityColor = gap.severity === "critical" ? chalk5.red : gap.severity === "high" ? chalk5.yellow : chalk5.blue;
-        console.log(`  ${severityColor(gap.severity)} | ${gap.confidence} confidence`);
-        console.log();
-        console.log(chalk5.cyan("  Summary:"));
-        console.log(`    ${explanation.summary}`);
-        if (isVerbose) {
-          console.log();
-          console.log(chalk5.cyan("  Explanation:"));
-          for (const line of explanation.explanation.split("\n")) {
-            console.log(`    ${line}`);
-          }
-        }
-        console.log();
-        console.log(chalk5.red("  Risk:"));
-        console.log(`    ${explanation.risk}`);
-        console.log();
-        console.log(chalk5.green("  How to Fix:"));
-        for (const line of explanation.remediation.split("\n")) {
-          console.log(`    ${line}`);
-        }
-        if (explanation.safeExample) {
-          console.log();
-          console.log(chalk5.cyan("  Safe Example:"));
-          console.log(chalk5.gray(`    ${explanation.safeExample}`));
-        }
+      for (const line of exp.explanation.split("\n")) {
+        console.log(`  ${line}`);
+      }
+      if (exp.remediation) {
         console.log();
-        console.log(chalk5.gray("\u2500".repeat(60)));
+        console.log(chalk6.green(`  Fix: ${exp.remediation}`));
       }
+      console.log();
     }
-    process.exit(0);
-  } catch (error) {
-    spinner?.fail("Explanation failed");
-    console.error(formatError(error instanceof Error ? error : new Error(String(error))));
-    process.exit(1);
   }
 });
 program.command("suggest-patterns").description("Use AI to suggest new detection patterns based on code samples").requiredOption("-c, --category <id>", "Category to suggest patterns for").requiredOption("-l, --language <lang>", "Language of the code samples").option("-f, --file <path>", "File containing vulnerable code samples (one per line)").option("--code <snippet>", "Vulnerable code snippet (can be specified multiple times)", (v, a) => [...a, v], []).option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, yaml, json", "terminal").action(async (options) => {
@@ -9278,96 +8546,73 @@ program.command("suggest-patterns").description("Use AI to suggest new detection
   const language = String(options["language"]);
   const aiProvider = String(options["aiProvider"] ?? "anthropic");
   const outputFormat = String(options["output"] ?? "terminal");
-  const codeSnippets = options["code"];
   const filePath = options["file"];
-  let vulnerableCode = [...codeSnippets];
+  const codeSnippets = options["code"] ?? [];
+  const samples = [...codeSnippets];
   if (filePath) {
+    const { readFile: readFile7 } = await import('fs/promises');
     try {
-      const { readFile: readFile7 } = await import('fs/promises');
-      const content = await readFile7(filePath, "utf-8");
-      vulnerableCode = [...vulnerableCode, ...content.split("\n---\n").filter(Boolean)];
+      const content = await readFile7(resolve(filePath), "utf-8");
+      samples.push(...content.split("\n---\n").filter((s) => s.trim()));
     } catch (error) {
       console.error(formatError(new Error(`Failed to read file: ${filePath}`)));
       process.exit(1);
     }
   }
-  if (vulnerableCode.length === 0) {
+  if (samples.length === 0) {
     console.error(formatError(new Error("Provide code samples via --code or --file")));
     process.exit(1);
   }
-  const spinner = ora("Generating pattern suggestions...").start();
+  const spinner = ora3("Generating pattern suggestions with AI...").start();
   try {
+    const aiConfig = { provider: aiProvider };
+    const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    if (hasApiKey2(aiProvider)) {
+      const key = getApiKey2(aiProvider);
+      if (key) {
+        aiConfig.apiKey = key;
+      }
+    }
     const result = await suggestPatterns(
-      {
-        category: categoryId,
-        language,
-        vulnerableCode,
-        maxSuggestions: 5
-      },
-      { provider: aiProvider }
+      { category: categoryId, vulnerableCode: samples, language },
+      aiConfig
     );
-    spinner.stop();
-    if (!result.success) {
-      console.error(formatError(new Error(result.error ?? "Failed to generate patterns")));
+    if (!result.success || !result.data) {
+      spinner.fail("Pattern suggestion failed");
+      console.error(chalk6.red(result.error ?? "Unknown error"));
       process.exit(1);
     }
-    const { suggestions, rejected } = result.data ?? { suggestions: [], rejected: [] };
+    const suggestions = result.data.suggestions;
+    spinner.succeed(`Generated ${suggestions.length} pattern suggestions`);
     if (outputFormat === "json") {
-      console.log(JSON.stringify({ suggestions, rejected }, null, 2));
+      console.log(JSON.stringify(suggestions, null, 2));
     } else if (outputFormat === "yaml") {
-      console.log(`# Suggested patterns for ${categoryId}
-`);
-      console.log(`detectionPatterns:`);
-      for (const suggestion of suggestions) {
-        const escapedPattern = suggestion.pattern.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
-        console.log(`  - id: ${suggestion.id}`);
-        console.log(`    type: regex`);
-        console.log(`    language: ${language}`);
-        console.log(`    pattern: "${escapedPattern}"`);
-        console.log(`    confidence: ${suggestion.confidence}`);
-        console.log(`    description: ${suggestion.description}`);
+      for (const s of suggestions) {
+        console.log("---");
+        console.log(`id: ${s.id}`);
+        console.log(`pattern: "${s.pattern}"`);
+        console.log(`confidence: ${s.confidence}`);
+        console.log(`description: "${s.description}"`);
+        console.log(`matchExample: "${s.matchExample}"`);
+        console.log(`safeExample: "${s.safeExample}"`);
         console.log();
       }
     } else {
       console.log();
-      console.log(chalk5.bold.cyan("Pattern Suggestions"));
-      console.log(chalk5.gray("\u2500".repeat(60)));
-      if (suggestions.length === 0) {
-        console.log(chalk5.yellow("\nNo valid patterns could be generated."));
-      } else {
-        for (const suggestion of suggestions) {
-          console.log();
-          console.log(chalk5.bold.white(suggestion.id));
-          console.log(chalk5.gray(`  ${suggestion.description}`));
-          console.log();
-          console.log(chalk5.cyan("  Pattern:"));
-          console.log(`    ${suggestion.pattern}`);
-          console.log();
-          console.log(chalk5.cyan("  Confidence:") + ` ${suggestion.confidence}`);
-          console.log();
-          console.log(chalk5.green("  Would match:"));
-          console.log(chalk5.gray(`    ${suggestion.matchExample}`));
-          console.log();
-          console.log(chalk5.red("  Should NOT match:"));
-          console.log(chalk5.gray(`    ${suggestion.safeExample}`));
-          console.log();
-          console.log(chalk5.cyan("  Reasoning:"));
-          console.log(`    ${suggestion.reasoning}`);
-          console.log();
-          console.log(chalk5.gray("\u2500".repeat(60)));
-        }
-      }
-      if (rejected.length > 0) {
+      console.log(chalk6.bold(`Suggested Patterns for ${categoryId}`));
+      console.log();
+      for (const s of suggestions) {
+        const confColor = s.confidence === "high" ? chalk6.green : s.confidence === "medium" ? chalk6.yellow : chalk6.red;
+        console.log(`  ${chalk6.cyan(s.id)} [${confColor(s.confidence)}]`);
+        console.log(`    Pattern: ${chalk6.gray(s.pattern)}`);
+        console.log(`    ${s.description}`);
+        console.log(`    Match:  ${chalk6.gray(s.matchExample.slice(0, 80))}`);
+        console.log(`    Safe:   ${chalk6.gray(s.safeExample.slice(0, 80))}`);
         console.log();
-        console.log(chalk5.yellow.bold(`Rejected ${rejected.length} pattern(s):`));
-        for (const r of rejected) {
-          console.log(chalk5.gray(`  - ${r.pattern.slice(0, 40)}... : ${r.reason}`));
-        }
       }
     }
-    process.exit(0);
   } catch (error) {
-    spinner.fail("Pattern generation failed");
+    spinner.fail("Pattern suggestion failed");
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
   }
@@ -9422,9 +8667,7 @@ program.command("search <query>").description("Search category taxonomy by name,
     }
     const langFilter = options["language"];
     if (langFilter) {
-      results = results.filter(
-        (cat) => cat.applicableLanguages.includes(langFilter)
-      );
+      results = results.filter((cat) => cat.applicableLanguages.includes(langFilter));
     }
     if (outputFormat === "json") {
       console.log(JSON.stringify(results, null, 2));
@@ -9446,19 +8689,18 @@ ${cat.description}
       }
     } else {
       console.log();
-      console.log(chalk5.bold(`Search Results for "${query}"`));
-      console.log(chalk5.gray(`Found ${results.length} matching categories.`));
+      console.log(chalk6.bold(`Search Results for "${query}"`));
+      console.log(chalk6.gray(`Found ${results.length} matching categories.`));
       console.log();
       if (results.length === 0) {
-        console.log(chalk5.yellow("No categories match your search."));
-        console.log(chalk5.gray("Try a different query or broaden your filters."));
+        console.log(chalk6.yellow("No categories match your search."));
       } else {
         for (const cat of results) {
-          const domainColor = cat.domain === "security" ? chalk5.red : chalk5.blue;
-          console.log(`  ${chalk5.cyan(cat.id)} - ${chalk5.bold(cat.name)}`);
+          const domainColor = cat.domain === "security" ? chalk6.red : chalk6.blue;
+          console.log(`  ${chalk6.cyan(cat.id)} - ${chalk6.bold(cat.name)}`);
           console.log(`    ${domainColor(cat.domain)} | ${cat.level} | ${cat.priority}`);
           if (options["verbose"]) {
-            console.log(`    ${chalk5.gray(cat.description.slice(0, 100))}${cat.description.length > 100 ? "..." : ""}`);
+            console.log(`    ${chalk6.gray(cat.description.slice(0, 100))}${cat.description.length > 100 ? "..." : ""}`);
           }
           console.log();
         }
@@ -9492,21 +8734,17 @@ program.command("list").description("List all categories").option("-d, --domain
       process.exit(1);
     }
     const priorityFilter = options["priority"];
-    const validPriorities = ["P0", "P1", "P2"];
-    if (priorityFilter !== void 0 && !validPriorities.includes(priorityFilter)) {
+    if (priorityFilter !== void 0 && !["P0", "P1", "P2"].includes(priorityFilter)) {
       console.error(formatError(new Error(`Invalid priority: ${priorityFilter}. Use: P0, P1, P2`)));
       process.exit(1);
     }
-    logger.debug("Loading categories...");
     const store = createCategoryStore();
     const definitionsPath = getDefinitionsPath();
-    logger.debug(`Loading from: ${definitionsPath}`);
     const loadResult = await store.loadFromDirectory(definitionsPath);
     if (!loadResult.success) {
       console.error(formatError(loadResult.error));
       process.exit(1);
     }
-    logger.debug(`Loaded ${loadResult.data} categories`);
     const filter = {};
     if (domainFilter) {
       filter.domain = domainFilter;
@@ -9530,54 +8768,42 @@ program.command("init").description("Initialize Pinata configuration in project"
   const configPath = resolve(process.cwd(), ".pinata.yml");
   const cacheDir = resolve(process.cwd(), ".pinata");
   if (existsSync(configPath) && !options["force"]) {
-    console.log(chalk5.yellow("Configuration file already exists at .pinata.yml"));
-    console.log(chalk5.gray("Use --force to overwrite."));
+    console.log(chalk6.yellow("Configuration file already exists at .pinata.yml"));
+    console.log(chalk6.gray("Use --force to overwrite."));
     process.exit(0);
   }
   const defaultConfig = `# Pinata Configuration
 # https://github.com/pinata/pinata
 
-# Paths to analyze
 include:
   - "src/**/*.ts"
   - "src/**/*.tsx"
   - "src/**/*.py"
   - "src/**/*.js"
 
-# Paths to exclude from analysis
 exclude:
   - "node_modules/**"
   - "dist/**"
   - "build/**"
   - "**/*.test.ts"
   - "**/*.spec.ts"
-  - "**/test/**"
-  - "**/tests/**"
-  - "**/__tests__/**"
 
-# Risk domains to analyze
-# Options: security, data, concurrency, input, resource, reliability, performance, platform, business, compliance
 domains:
   - security
   - data
   - concurrency
   - input
 
-# Minimum severity to report
-# Options: critical, high, medium, low
 minSeverity: medium
 
-# Output configuration
 output:
-  format: terminal  # terminal, json, markdown, sarif, html
+  format: terminal
   color: true
 
-# Test generation settings
 generate:
   outputDir: tests/generated
-  framework: auto  # auto, pytest, jest, vitest, mocha
+  framework: auto
 
-# Fail CI if gaps exceed thresholds
 thresholds:
   critical: 0
   high: 5
@@ -9586,25 +8812,23 @@ thresholds:
   const { writeFile: writeFileAsync, mkdir: mkdir4 } = await import('fs/promises');
   try {
     await writeFileAsync(configPath, defaultConfig, "utf8");
-    console.log(chalk5.green("Created .pinata.yml"));
+    console.log(chalk6.green("Created .pinata.yml"));
     await mkdir4(cacheDir, { recursive: true });
-    console.log(chalk5.green("Created .pinata/ directory"));
+    console.log(chalk6.green("Created .pinata/ directory"));
     const gitignorePath = resolve(process.cwd(), ".gitignore");
     if (existsSync(gitignorePath)) {
       const { readFile: readFile7, appendFile } = await import('fs/promises');
       const gitignore = await readFile7(gitignorePath, "utf8");
       if (!gitignore.includes(".pinata/")) {
         await appendFile(gitignorePath, "\n# Pinata cache\n.pinata/\n");
-        console.log(chalk5.green("Added .pinata/ to .gitignore"));
+        console.log(chalk6.green("Added .pinata/ to .gitignore"));
       }
     }
     console.log();
-    console.log(chalk5.bold("Pinata initialized successfully!"));
-    console.log();
-    console.log("Next steps:");
-    console.log(chalk5.gray("  1. Review and customize .pinata.yml"));
-    console.log(chalk5.gray("  2. Run: pinata analyze"));
-    console.log(chalk5.gray("  3. Generate tests: pinata generate"));
+    console.log(chalk6.bold("Pinata initialized successfully!"));
+    console.log(chalk6.gray("  1. Review and customize .pinata.yml"));
+    console.log(chalk6.gray("  2. Run: pinata analyze"));
+    console.log(chalk6.gray("  3. Generate tests: pinata generate"));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9617,18 +8841,15 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   const checkAge = Boolean(options["checkAge"]);
   const strictMode = Boolean(options["strict"]);
   const doAllChecks = !checkRegistry && !checkDownloads && !checkAge;
-  console.log(chalk5.bold("\nPinata Dependency Audit\n"));
+  console.log(chalk6.bold("\nPinata Dependency Audit\n"));
   if (!existsSync(packagePath)) {
-    console.error(chalk5.red(`Error: ${packagePath} not found`));
+    console.error(chalk6.red(`Error: ${packagePath} not found`));
     process.exit(1);
   }
   const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
-  const allDeps = {
-    ...packageJson.dependencies,
-    ...packageJson.devDependencies
-  };
+  const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
   const packages = Object.keys(allDeps);
-  console.log(chalk5.gray(`Found ${packages.length} dependencies
+  console.log(chalk6.gray(`Found ${packages.length} dependencies
 `));
   const issues = [];
   const KNOWN_MALWARE = /* @__PURE__ */ new Set([
@@ -9651,56 +8872,31 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   ]);
   for (const pkg of packages) {
     if (KNOWN_MALWARE.has(pkg)) {
-      issues.push({
-        pkg,
-        severity: "critical",
-        message: "Known malicious/compromised package (Shai-Hulud/typosquat)"
-      });
+      issues.push({ pkg, severity: "critical", message: "Known malicious/compromised package (Shai-Hulud/typosquat)" });
     }
   }
   for (const [pkg, version] of Object.entries(allDeps)) {
     if (version?.startsWith("^")) {
-      issues.push({
-        pkg,
-        severity: "warning",
-        message: `Unpinned version (${version}) - allows minor updates`
-      });
+      issues.push({ pkg, severity: "warning", message: `Unpinned version (${version}) - allows minor updates` });
     } else if (version?.startsWith("~")) {
-      issues.push({
-        pkg,
-        severity: "warning",
-        message: `Unpinned version (${version}) - allows patch updates`
-      });
+      issues.push({ pkg, severity: "warning", message: `Unpinned version (${version}) - allows patch updates` });
     } else if (version === "*" || version === "latest") {
-      issues.push({
-        pkg,
-        severity: "critical",
-        message: `Extremely dangerous version (${version}) - allows any version`
-      });
+      issues.push({ pkg, severity: "critical", message: `Extremely dangerous version (${version}) - allows any version` });
     }
   }
   if (checkRegistry || doAllChecks) {
-    const spinner = ora("Checking npm registry...").start();
+    const spinner = ora3("Checking npm registry...").start();
     for (const pkg of packages.slice(0, 50)) {
       try {
         const response = await fetch(`https://registry.npmjs.org/${encodeURIComponent(pkg)}`);
         if (response.status === 404) {
-          issues.push({
-            pkg,
-            severity: "critical",
-            message: "Package NOT FOUND in npm registry (slopsquatting risk)"
-          });
+          issues.push({ pkg, severity: "critical", message: "Package NOT FOUND in npm registry (slopsquatting risk)" });
         } else if (response.ok) {
           const data = await response.json();
           if ((checkAge || doAllChecks) && data.time?.created) {
-            const created = new Date(data.time.created);
-            const ageInDays = (Date.now() - created.getTime()) / (1e3 * 60 * 60 * 24);
+            const ageInDays = (Date.now() - new Date(data.time.created).getTime()) / (1e3 * 60 * 60 * 24);
             if (ageInDays < 30) {
-              issues.push({
-                pkg,
-                severity: "warning",
-                message: `Very new package (${Math.floor(ageInDays)} days old)`
-              });
+              issues.push({ pkg, severity: "warning", message: `Very new package (${Math.floor(ageInDays)} days old)` });
             }
           }
         }
@@ -9712,24 +8908,24 @@ program.command("audit-deps").description("Audit npm dependencies for supply cha
   const criticals = issues.filter((i) => i.severity === "critical");
   const warnings = issues.filter((i) => i.severity === "warning");
   if (criticals.length > 0) {
-    console.log(chalk5.red.bold(`
+    console.log(chalk6.red.bold(`
 Critical Issues (${criticals.length}):`));
     for (const issue of criticals) {
-      console.log(chalk5.red(`  \u2717 ${issue.pkg}: ${issue.message}`));
+      console.log(chalk6.red(`  \u2717 ${issue.pkg}: ${issue.message}`));
     }
   }
   if (warnings.length > 0) {
-    console.log(chalk5.yellow.bold(`
+    console.log(chalk6.yellow.bold(`
 Warnings (${warnings.length}):`));
     for (const issue of warnings.slice(0, 20)) {
-      console.log(chalk5.yellow(`  \u26A0 ${issue.pkg}: ${issue.message}`));
+      console.log(chalk6.yellow(`  \u26A0 ${issue.pkg}: ${issue.message}`));
     }
     if (warnings.length > 20) {
-      console.log(chalk5.gray(`  ... and ${warnings.length - 20} more`));
+      console.log(chalk6.gray(`  ... and ${warnings.length - 20} more`));
     }
   }
   if (issues.length === 0) {
-    console.log(chalk5.green("\u2713 No dependency issues found"));
+    console.log(chalk6.green("\u2713 No dependency issues found"));
   }
   console.log();
   if (criticals.length > 0 || strictMode && warnings.length > 0) {
@@ -9742,7 +8938,7 @@ program.command("feedback").description("View pattern performance feedback (Laye
   const shouldReset = Boolean(options["reset"]);
   if (shouldReset) {
     await saveFeedback2({ ...EMPTY_FEEDBACK_STATE2 });
-    console.log(chalk5.green("Feedback data reset."));
+    console.log(chalk6.green("Feedback data reset."));
     return;
   }
   const state = await loadFeedback2();
@@ -9754,20 +8950,20 @@ program.command("feedback").description("View pattern performance feedback (Laye
     console.log(generateReport2(state));
     return;
   }
-  console.log(chalk5.bold("\nPinata Feedback Report\n"));
+  console.log(chalk6.bold("\nPinata Feedback Report\n"));
   console.log(`Total scans: ${state.totalScans}`);
   console.log(`Patterns tracked: ${Object.keys(state.patterns).length}`);
   if (state.totalScans === 0) {
-    console.log(chalk5.gray("\nNo feedback data yet. Run scans with --execute to collect data.\n"));
+    console.log(chalk6.gray("\nNo feedback data yet. Run scans with --execute to collect data.\n"));
     return;
   }
   const patterns = Object.values(state.patterns).filter((p) => p.confirmedCount + p.unconfirmedCount >= 1).sort((a, b) => b.precision - a.precision);
   if (patterns.length > 0) {
-    console.log(chalk5.bold("\nPattern Performance:"));
+    console.log(chalk6.bold("\nPattern Performance:"));
     for (const p of patterns.slice(0, 15)) {
       const total = p.confirmedCount + p.unconfirmedCount;
       const precisionPct = (p.precision * 100).toFixed(0);
-      const color = p.precision >= 0.7 ? chalk5.green : p.precision >= 0.4 ? chalk5.yellow : chalk5.red;
+      const color = p.precision >= 0.7 ? chalk6.green : p.precision >= 0.4 ? chalk6.yellow : chalk6.red;
       console.log(`  ${color(`${precisionPct}%`)} ${p.patternId} (${p.confirmedCount}/${total} confirmed)`);
     }
   }
@@ -9789,76 +8985,74 @@ Examples:
     case "anthropic-api-key": {
       const validation = validateApiKey2("anthropic", value);
       if (!validation.valid) {
-        console.log(chalk5.red(`Invalid API key: ${validation.error}`));
+        console.log(chalk6.red(`Invalid API key: ${validation.error}`));
         process.exit(1);
       }
       setConfigValue2("anthropicApiKey", value);
-      console.log(chalk5.green(`Anthropic API key set: ${maskApiKey2(value)}`));
+      console.log(chalk6.green(`Anthropic API key set: ${maskApiKey2(value)}`));
       break;
     }
     case "openai-api-key": {
       const validation = validateApiKey2("openai", value);
       if (!validation.valid) {
-        console.log(chalk5.red(`Invalid API key: ${validation.error}`));
+        console.log(chalk6.red(`Invalid API key: ${validation.error}`));
         process.exit(1);
       }
       setConfigValue2("openaiApiKey", value);
-      console.log(chalk5.green(`OpenAI API key set: ${maskApiKey2(value)}`));
+      console.log(chalk6.green(`OpenAI API key set: ${maskApiKey2(value)}`));
       break;
     }
     case "default-provider": {
       if (value !== "anthropic" && value !== "openai") {
-        console.log(chalk5.red("Provider must be 'anthropic' or 'openai'"));
+        console.log(chalk6.red("Provider must be 'anthropic' or 'openai'"));
         process.exit(1);
       }
       setConfigValue2("defaultProvider", value);
-      console.log(chalk5.green(`Default provider set to: ${value}`));
+      console.log(chalk6.green(`Default provider set to: ${value}`));
       break;
     }
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
-      console.log(chalk5.gray("Run 'pinata config set --help' for available keys"));
+      console.log(chalk6.red(`Unknown config key: ${key}`));
+      console.log(chalk6.gray("Run 'pinata config set --help' for available keys"));
       process.exit(1);
   }
-  console.log(chalk5.gray(`Config stored at: ${getConfigPath2()}`));
+  console.log(chalk6.gray(`Config stored at: ${getConfigPath2()}`));
 });
 config.command("get <key>").description("Get a configuration value").action(async (key) => {
   const { loadConfig: loadConfig2, maskApiKey: maskApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const cfg = loadConfig2();
   switch (key) {
     case "anthropic-api-key":
-      console.log(cfg.anthropicApiKey ? maskApiKey2(cfg.anthropicApiKey) : chalk5.gray("(not set)"));
+      console.log(cfg.anthropicApiKey ? maskApiKey2(cfg.anthropicApiKey) : chalk6.gray("(not set)"));
       break;
     case "openai-api-key":
-      console.log(cfg.openaiApiKey ? maskApiKey2(cfg.openaiApiKey) : chalk5.gray("(not set)"));
+      console.log(cfg.openaiApiKey ? maskApiKey2(cfg.openaiApiKey) : chalk6.gray("(not set)"));
       break;
     case "default-provider":
-      console.log(cfg.defaultProvider ?? chalk5.gray("anthropic (default)"));
+      console.log(cfg.defaultProvider ?? chalk6.gray("anthropic (default)"));
       break;
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
+      console.log(chalk6.red(`Unknown config key: ${key}`));
       process.exit(1);
   }
 });
 config.command("list").description("List all configuration values").action(async () => {
   const { loadConfig: loadConfig2, maskApiKey: maskApiKey2, getConfigPath: getConfigPath2, hasApiKey: hasApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const cfg = loadConfig2();
-  console.log(chalk5.bold("Pinata Configuration"));
-  console.log(chalk5.gray(`Config file: ${getConfigPath2()}`));
+  console.log(chalk6.bold("Pinata Configuration"));
+  console.log(chalk6.gray(`Config file: ${getConfigPath2()}`));
   console.log();
   console.log("AI Providers:");
-  const anthropicStatus = hasApiKey2("anthropic") ? chalk5.green("configured") : chalk5.gray("not set");
-  const openaiStatus = hasApiKey2("openai") ? chalk5.green("configured") : chalk5.gray("not set");
-  console.log(`  Anthropic API key:  ${anthropicStatus} ${cfg.anthropicApiKey ? chalk5.gray(`(${maskApiKey2(cfg.anthropicApiKey)})`) : ""}`);
-  console.log(`  OpenAI API key:     ${openaiStatus} ${cfg.openaiApiKey ? chalk5.gray(`(${maskApiKey2(cfg.openaiApiKey)})`) : ""}`);
+  const anthropicStatus = hasApiKey2("anthropic") ? chalk6.green("configured") : chalk6.gray("not set");
+  const openaiStatus = hasApiKey2("openai") ? chalk6.green("configured") : chalk6.gray("not set");
+  console.log(`  Anthropic API key:  ${anthropicStatus} ${cfg.anthropicApiKey ? chalk6.gray(`(${maskApiKey2(cfg.anthropicApiKey)})`) : ""}`);
+  console.log(`  OpenAI API key:     ${openaiStatus} ${cfg.openaiApiKey ? chalk6.gray(`(${maskApiKey2(cfg.openaiApiKey)})`) : ""}`);
   console.log(`  Default provider:   ${cfg.defaultProvider ?? "anthropic"}`);
   console.log();
   if (!hasApiKey2("anthropic") && !hasApiKey2("openai")) {
-    console.log(chalk5.yellow("No AI provider configured."));
-    console.log(chalk5.gray("To use AI features (explain, suggest-patterns, --ai flag):"));
-    console.log(chalk5.gray("  pinata config set anthropic-api-key sk-ant-xxx"));
-    console.log(chalk5.gray("  # or"));
-    console.log(chalk5.gray("  export ANTHROPIC_API_KEY=sk-ant-xxx"));
+    console.log(chalk6.yellow("No AI provider configured."));
+    console.log(chalk6.gray("  pinata config set anthropic-api-key sk-ant-xxx"));
+    console.log(chalk6.gray("  export ANTHROPIC_API_KEY=sk-ant-xxx"));
   }
 });
 config.command("unset <key>").description("Remove a configuration value").action(async (key) => {
@@ -9866,18 +9060,18 @@ config.command("unset <key>").description("Remove a configuration value").action
   switch (key) {
     case "anthropic-api-key":
       deleteConfigValue2("anthropicApiKey");
-      console.log(chalk5.green("Anthropic API key removed"));
+      console.log(chalk6.green("Anthropic API key removed"));
       break;
     case "openai-api-key":
       deleteConfigValue2("openaiApiKey");
-      console.log(chalk5.green("OpenAI API key removed"));
+      console.log(chalk6.green("OpenAI API key removed"));
       break;
     case "default-provider":
       deleteConfigValue2("defaultProvider");
-      console.log(chalk5.green("Default provider reset to: anthropic"));
+      console.log(chalk6.green("Default provider reset to: anthropic"));
       break;
     default:
-      console.log(chalk5.red(`Unknown config key: ${key}`));
+      console.log(chalk6.red(`Unknown config key: ${key}`));
       process.exit(1);
   }
 });
@@ -9885,18 +9079,13 @@ var auth = program.command("auth").description("Manage API key authentication");
 auth.command("login").description("Set API key for Pinata Cloud").option("-k, --key <key>", "API key (or set PINATA_API_KEY env var)").action(async (options) => {
   const apiKey = options["key"] ?? process.env["PINATA_API_KEY"];
   if (!apiKey) {
-    console.log(chalk5.yellow("No API key provided."));
-    console.log();
-    console.log("Provide an API key using one of:");
-    console.log(chalk5.gray("  pinata auth login --key <your-api-key>"));
-    console.log(chalk5.gray("  PINATA_API_KEY=<your-api-key> pinata auth login"));
-    console.log();
-    console.log("Get your API key at: https://app.pinata.dev/settings/api");
+    console.log(chalk6.yellow("No API key provided."));
+    console.log(chalk6.gray("  pinata auth login --key <your-api-key>"));
+    console.log(chalk6.gray("  PINATA_API_KEY=<your-api-key> pinata auth login"));
     process.exit(1);
   }
   if (apiKey.length < 20 || !apiKey.startsWith("pk_")) {
-    console.log(chalk5.red("Invalid API key format."));
-    console.log(chalk5.gray("Keys should start with 'pk_' and be at least 20 characters."));
+    console.log(chalk6.red("Invalid API key format. Keys should start with 'pk_'."));
     process.exit(1);
   }
   const configDir = resolve(process.cwd(), ".pinata");
@@ -9905,19 +9094,13 @@ auth.command("login").description("Set API key for Pinata Cloud").option("-k, --
   try {
     await mkdir4(configDir, { recursive: true });
     const maskedKey = `****${apiKey.slice(-8)}`;
-    const authData = {
-      configured: true,
-      keyId: maskedKey,
-      configuredAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-    await writeFileAsync(authPath, JSON.stringify(authData, null, 2), "utf8");
+    await writeFileAsync(authPath, JSON.stringify({ configured: true, keyId: maskedKey, configuredAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf8");
     const envPath = resolve(configDir, ".env");
     await writeFileAsync(envPath, `PINATA_API_KEY=${apiKey}
 `, { mode: 384 });
-    console.log(chalk5.green("API key configured successfully!"));
-    console.log(chalk5.gray(`Key ID: ${maskedKey}`));
-    console.log();
-    console.log(chalk5.yellow("Important: Add .pinata/.env to your .gitignore"));
+    console.log(chalk6.green("API key configured successfully!"));
+    console.log(chalk6.gray(`Key ID: ${maskedKey}`));
+    console.log(chalk6.yellow("Important: Add .pinata/.env to your .gitignore"));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9938,11 +9121,7 @@ auth.command("logout").description("Remove stored API key").action(async () => {
       await rm2(envPath);
       removed = true;
     }
-    if (removed) {
-      console.log(chalk5.green("API key removed successfully."));
-    } else {
-      console.log(chalk5.yellow("No stored API key found."));
-    }
+    console.log(removed ? chalk6.green("API key removed successfully.") : chalk6.yellow("No stored API key found."));
   } catch (error) {
     console.error(formatError(error instanceof Error ? error : new Error(String(error))));
     process.exit(1);
@@ -9951,19 +9130,19 @@ auth.command("logout").description("Remove stored API key").action(async () => {
 auth.command("status").description("Check authentication status").action(async () => {
   const authPath = resolve(process.cwd(), ".pinata", "auth.json");
   if (!existsSync(authPath)) {
-    console.log(chalk5.yellow("Not authenticated."));
-    console.log(chalk5.gray("Run: pinata auth login --key <your-api-key>"));
+    console.log(chalk6.yellow("Not authenticated."));
+    console.log(chalk6.gray("Run: pinata auth login --key <your-api-key>"));
     process.exit(0);
   }
   try {
     const { readFile: readFile7 } = await import('fs/promises');
     const authData = JSON.parse(await readFile7(authPath, "utf8"));
-    console.log(chalk5.green("Authenticated"));
-    console.log(chalk5.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
-    console.log(chalk5.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));
-  } catch (error) {
-    console.log(chalk5.yellow("Authentication status unknown."));
-    console.log(chalk5.gray("Run: pinata auth login to reconfigure."));
+    console.log(chalk6.green("Authenticated"));
+    console.log(chalk6.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
+    console.log(chalk6.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));
+  } catch {
+    console.log(chalk6.yellow("Authentication status unknown."));
+    console.log(chalk6.gray("Run: pinata auth login to reconfigure."));
   }
 });
 program.parse();