pinata-security-cli 0.6.0 → 0.6.1

package/dist/cli/index.js

@@ -1,15 +1,15 @@
 #!/usr/bin/env node
-import fs, { mkdir, writeFile, readFile, stat, readdir, mkdtemp, rm } from 'fs/promises';
-import path, { dirname, resolve, relative, join, basename, extname } from 'path';
+import chalk6 from 'chalk';
+import fs, { mkdir, writeFile, readFile, stat, readdir, unlink, mkdtemp, rm } from 'fs/promises';
+import path, { dirname, resolve, relative, basename, extname, join } from 'path';
 import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir, tmpdir } from 'os';
 import { z } from 'zod';
-import { spawn } from 'child_process';
+import { execFile, spawn } from 'child_process';
 import { useState } from 'react';
 import { render, useApp, useInput, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
 import { jsx, jsxs } from 'react/jsx-runtime';
-import chalk6 from 'chalk';
 import { Command } from 'commander';
 import ora3 from 'ora';
 import YAML from 'yaml';
@@ -125,6 +125,359 @@ var init_result = __esm({
   "src/lib/result.ts"() {
   }
 });
+var LOG_LEVELS, Logger, logger;
+var init_logger = __esm({
+  "src/lib/logger.ts"() {
+    LOG_LEVELS = {
+      debug: 0,
+      info: 1,
+      warn: 2,
+      error: 3,
+      silent: 4
+    };
+    Logger = class _Logger {
+      level = "info";
+      prefix = "";
+      /**
+       * Configure the logger
+       */
+      configure(config2) {
+        if (config2.level !== void 0) {
+          this.level = config2.level;
+        }
+        if (config2.prefix !== void 0) {
+          this.prefix = config2.prefix;
+        }
+      }
+      /**
+       * Check if a log level should be output
+       */
+      shouldLog(level) {
+        return LOG_LEVELS[level] >= LOG_LEVELS[this.level];
+      }
+      /**
+       * Format a message with optional prefix
+       */
+      format(message) {
+        return this.prefix ? `${this.prefix} ${message}` : message;
+      }
+      /**
+       * Debug level logging (gray)
+       */
+      debug(message, ...args) {
+        if (this.shouldLog("debug")) {
+          console.debug(chalk6.gray(this.format(message)), ...args);
+        }
+      }
+      /**
+       * Info level logging (default color)
+       */
+      info(message, ...args) {
+        if (this.shouldLog("info")) {
+          console.info(this.format(message), ...args);
+        }
+      }
+      /**
+       * Warning level logging (yellow)
+       */
+      warn(message, ...args) {
+        if (this.shouldLog("warn")) {
+          console.warn(chalk6.yellow(this.format(message)), ...args);
+        }
+      }
+      /**
+       * Error level logging (red)
+       */
+      error(message, ...args) {
+        if (this.shouldLog("error")) {
+          console.error(chalk6.red(this.format(message)), ...args);
+        }
+      }
+      /**
+       * Success message (green)
+       */
+      success(message, ...args) {
+        if (this.shouldLog("info")) {
+          console.info(chalk6.green(this.format(message)), ...args);
+        }
+      }
+      /**
+       * Create a child logger with a prefix
+       */
+      child(prefix) {
+        const child = new _Logger();
+        child.level = this.level;
+        child.prefix = this.prefix ? `${this.prefix} ${prefix}` : prefix;
+        return child;
+      }
+    };
+    logger = new Logger();
+  }
+});
+async function discoverAttackSurface(projectRoot, config2 = {}) {
+  const maxFiles = config2.maxFiles ?? 200;
+  const endpoints = [];
+  const dbOperations = [];
+  const authChecks = [];
+  const stateMutations = [];
+  const findings = [];
+  const sourceFiles = await findSourceFiles(projectRoot, maxFiles);
+  log.info(`Scanning ${sourceFiles.length} files for attack surface`);
+  const hasRateLimiting = await projectHasRateLimiting(projectRoot);
+  for (const filePath of sourceFiles) {
+    try {
+      const content = await readFile(filePath, "utf-8");
+      const lines = content.split("\n");
+      const relPath = relative(projectRoot, filePath);
+      for (const [_framework, pattern] of Object.entries(ROUTE_PATTERNS)) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineStart = content.slice(0, match.index).split("\n").length;
+          const contextStart = Math.max(0, lineStart - 10);
+          const contextEnd = Math.min(lines.length, lineStart + 5);
+          const context = lines.slice(contextStart, contextEnd).join("\n");
+          const hasAuth = AUTH_MIDDLEWARE_PATTERNS.some((p) => p.test(context));
+          const method = (match[1] ?? match[2] ?? "unknown").toUpperCase();
+          const path2 = match[2] ?? match[1] ?? "/unknown";
+          endpoints.push({
+            method,
+            path: path2,
+            filePath: relPath,
+            lineStart,
+            hasAuth,
+            middlewareChain: []
+          });
+          if (!hasAuth && ["POST", "PUT", "PATCH", "DELETE"].includes(method)) {
+            findings.push({
+              type: "missing-auth",
+              description: `${method} ${path2} has no authentication middleware`,
+              filePath: relPath,
+              lineStart,
+              severity: "critical",
+              confidence: "medium"
+            });
+          }
+        }
+      }
+      for (const pattern of DB_OPERATION_PATTERNS) {
+        const regex = new RegExp(pattern.source, "gm");
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineStart = content.slice(0, match.index).split("\n").length;
+          const lineContent = lines[lineStart - 1] ?? "";
+          const isParameterized = /\$\d|\?\s*,|\?\s*\)|\bparams\b|:\w+/.test(lineContent);
+          dbOperations.push({
+            operation: match[0].slice(0, 50),
+            filePath: relPath,
+            lineStart,
+            isParameterized
+          });
+        }
+      }
+      const hasConcurrencyGuards = CONCURRENCY_GUARD_PATTERNS.some((p) => p.test(content));
+      if (!hasConcurrencyGuards) {
+        const writeOps = /\.(update|save|create|insert|upsert|increment|decrement)\s*\(/g;
+        let match;
+        while ((match = writeOps.exec(content)) !== null) {
+          const lineStart = content.slice(0, match.index).split("\n").length;
+          stateMutations.push({
+            filePath: relPath,
+            lineStart,
+            hasLock: false,
+            hasTransaction: false
+          });
+        }
+      }
+      for (const pattern of AUTH_MIDDLEWARE_PATTERNS) {
+        const regex = new RegExp(pattern.source, "gm");
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineStart = content.slice(0, match.index).split("\n").length;
+          authChecks.push({
+            filePath: relPath,
+            lineStart,
+            type: match[0]
+          });
+        }
+      }
+    } catch {
+    }
+  }
+  if (!hasRateLimiting && endpoints.length > 0) {
+    const authEndpoints = endpoints.filter(
+      (e) => e.path.includes("login") || e.path.includes("auth") || e.path.includes("signin")
+    );
+    for (const ep of authEndpoints) {
+      findings.push({
+        type: "missing-rate-limit",
+        description: `Auth endpoint ${ep.method} ${ep.path} has no rate limiting`,
+        filePath: ep.filePath,
+        lineStart: ep.lineStart,
+        severity: "high",
+        confidence: "medium"
+      });
+    }
+  }
+  const byFile = /* @__PURE__ */ new Map();
+  for (const m of stateMutations) {
+    const list = byFile.get(m.filePath) ?? [];
+    list.push(m);
+    byFile.set(m.filePath, list);
+  }
+  for (const [filePath, mutations] of byFile) {
+    if (mutations.length > 3) {
+      const first = mutations[0];
+      findings.push({
+        type: "race-condition",
+        description: `${mutations.length} state mutations in this file without concurrency guards (transactions, locks, idempotency keys)`,
+        filePath,
+        lineStart: first?.lineStart ?? 0,
+        severity: "high",
+        confidence: "low"
+      });
+    }
+  }
+  log.info(
+    `Discovery complete: ${endpoints.length} endpoints, ${dbOperations.length} DB ops, ${findings.length} findings`
+  );
+  return { endpoints, dbOperations, authChecks, stateMutations, findings };
+}
+function findingsToGaps(findings, projectRoot) {
+  return findings.map((f, i) => ({
+    categoryId: `discovery-${f.type}`,
+    categoryName: formatFindingType(f.type),
+    domain: f.type === "missing-auth" ? "security" : f.type === "missing-rate-limit" ? "security" : "concurrency",
+    level: "integration",
+    priority: f.severity === "critical" ? "P0" : "P1",
+    severity: f.severity,
+    confidence: f.confidence,
+    filePath: resolve(projectRoot, f.filePath),
+    lineStart: f.lineStart,
+    lineEnd: f.lineStart,
+    columnStart: 0,
+    columnEnd: 0,
+    codeSnippet: f.description,
+    patternId: `discovery-${f.type}-${i}`,
+    patternType: "semantic",
+    priorityScore: f.severity === "critical" ? 12 : f.severity === "high" ? 9 : 4,
+    status: "pending"
+  }));
+}
+function formatFindingType(type) {
+  const labels = {
+    "missing-auth": "Missing Authentication",
+    "idor": "Insecure Direct Object Reference",
+    "race-condition": "Potential Race Condition",
+    "unvalidated-input": "Unvalidated Input",
+    "missing-rate-limit": "Missing Rate Limiting"
+  };
+  return labels[type] ?? type;
+}
+async function findSourceFiles(projectRoot, maxFiles) {
+  const files = [];
+  const extensions = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".go"]);
+  const excludeDirs = /* @__PURE__ */ new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "out",
+    ".next",
+    "__pycache__",
+    "venv",
+    ".venv",
+    "coverage",
+    ".nyc_output",
+    "tests",
+    "test",
+    "__tests__",
+    "spec",
+    "fixtures",
+    "corpus",
+    "benchmarks",
+    "scripts"
+  ]);
+  async function walk(dir, depth) {
+    if (depth > 10 || files.length >= maxFiles) return;
+    try {
+      const entries = await readdir(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (files.length >= maxFiles) return;
+        if (entry.isDirectory()) {
+          if (!excludeDirs.has(entry.name) && !entry.name.startsWith(".")) {
+            await walk(resolve(dir, entry.name), depth + 1);
+          }
+        } else if (entry.isFile() && extensions.has(extname(entry.name).toLowerCase())) {
+          files.push(resolve(dir, entry.name));
+        }
+      }
+    } catch {
+    }
+  }
+  await walk(projectRoot, 0);
+  return files;
+}
+async function projectHasRateLimiting(projectRoot) {
+  const pkgPath = resolve(projectRoot, "package.json");
+  if (!existsSync(pkgPath)) return false;
+  try {
+    const pkg = JSON.parse(await readFile(pkgPath, "utf-8"));
+    const allDeps = {
+      ...pkg["dependencies"],
+      ...pkg["devDependencies"]
+    };
+    return RATE_LIMIT_PATTERNS.some(
+      (p) => Object.keys(allDeps).some((dep) => p.test(dep))
+    );
+  } catch {
+    return false;
+  }
+}
+var ROUTE_PATTERNS, AUTH_MIDDLEWARE_PATTERNS, DB_OPERATION_PATTERNS, RATE_LIMIT_PATTERNS, CONCURRENCY_GUARD_PATTERNS, log;
+var init_attack_surface = __esm({
+  "src/core/discovery/attack-surface.ts"() {
+    init_logger();
+    ROUTE_PATTERNS = {
+      express: /\.(get|post|put|patch|delete|all|use)\s*\(\s*["'`]([^"'`]+)["'`]/g,
+      fastify: /\.(get|post|put|patch|delete)\s*\(\s*["'`]([^"'`]+)["'`]/g,
+      nextjs: /export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/g,
+      flask: /@\w+\.route\s*\(\s*["']([^"']+)["']/g,
+      django: /path\s*\(\s*["']([^"']+)["']/g,
+      fastapi: /@\w+\.(get|post|put|patch|delete)\s*\(\s*["']([^"']+)["']/g
+    };
+    AUTH_MIDDLEWARE_PATTERNS = [
+      /\b(requireAuth|isAuthenticated|authenticate|authMiddleware|protect|ensureLoggedIn|passport\.authenticate|verifyToken|requireLogin)\b/,
+      /\b(auth|authentication|authorization)\s*\(/,
+      /\b(jwt|bearer|token)\s*\(/i
+    ];
+    DB_OPERATION_PATTERNS = [
+      /\.(query|execute|run|all|get|find|findOne|findMany|create|update|delete|insert|upsert|remove)\s*\(/,
+      /\b(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP)\b/
+    ];
+    RATE_LIMIT_PATTERNS = [
+      /rate[-_]?limit|rateLimiter|throttle|RateLimiterMemory|slowDown/i
+    ];
+    CONCURRENCY_GUARD_PATTERNS = [
+      /\b(transaction|BEGIN|COMMIT|ROLLBACK|LOCK|FOR UPDATE|serializable)\b/i,
+      /\b(mutex|semaphore|lock|atomic|synchronized)\b/i,
+      /\bidempotency[_-]?key\b/i
+    ];
+    log = logger.child("AttackSurface");
+  }
+});
+
+// src/core/discovery/index.ts
+var discovery_exports = {};
+__export(discovery_exports, {
+  discoverAttackSurface: () => discoverAttackSurface,
+  findingsToGaps: () => findingsToGaps
+});
+var init_discovery = __esm({
+  "src/core/discovery/index.ts"() {
+    init_attack_surface();
+  }
+});
 function getCachePath(projectRoot) {
   return resolve(projectRoot, CACHE_DIR, CACHE_FILE);
 }
@@ -845,15 +1198,19 @@ var init_ai_verifier = __esm({
         // Near sanitization
       ]
     };
-    BATCH_PROMPT = `You are a security code reviewer. Analyze these potential vulnerabilities and determine which are real issues vs false positives.
+    BATCH_PROMPT = `You are a security code reviewer. For each item, determine one of three verdicts:
+
+1. VULNERABLE: User-controlled data reaches a dangerous sink without adequate sanitization.
+   You MUST describe a concrete exploit scenario step-by-step.
 
-For each item, consider:
-- Is user input actually reaching this code?
-- Is there sanitization, validation, or encoding nearby?
-- Is this test code, example code, or production code?
-- Is there context that makes this safe?
+2. FALSE_POSITIVE: The code is safe. You MUST cite the specific line, function, or mechanism
+   that prevents exploitation (e.g., "parameterized query at line 42", "DOMPurify.sanitize
+   call wraps the input").
 
-Be rigorous. Most pattern matches are false positives.
+3. NEEDS_REVIEW: You cannot determine with high confidence. Explain what information is missing.
+
+Do not assume code is safe without identifying specific defenses.
+Do not assume code is vulnerable without tracing the data flow from source to sink.
 
 ITEMS TO ANALYZE:
 {{items}}
@@ -862,9 +1219,9 @@ Respond with a JSON array. Each object MUST have these exact fields:
 [
   {
     "id": "1",
-    "isVulnerable": true/false,
-    "confidence": "high"/"medium"/"low",
-    "reasoning": "brief explanation"
+    "verdict": "VULNERABLE" | "FALSE_POSITIVE" | "NEEDS_REVIEW",
+    "confidence": "high" | "medium" | "low",
+    "reasoning": "concrete evidence for your determination"
   },
   ...
 ]
@@ -891,32 +1248,33 @@ FLAGGED LINE: {{flaggedLine}}
         this.concurrency = config2.concurrency ?? 3;
       }
       /**
-       * Verify multiple gaps efficiently using filtering, batching, and parallelism.
+       * Prioritize gaps using AI triage. This is a SOFT prioritizer, not a gate.
+       * No findings are dropped. The three-verdict system ranks findings for the
+       * test forge queue: VULNERABLE first, NEEDS_REVIEW second, FALSE_POSITIVE last.
        *
-       * Flow:
-       * 1. Pre-filter obvious false positives (test files, etc.)
-       * 2. Group remaining gaps into batches of 10
-       * 3. Process 3 batches in parallel
-       * 4. Return verified gaps and dismissed with reasons
+       * Test execution (not AI opinion) is the deterministic proof of vulnerability.
        */
       async verifyAll(gaps, getFileContent) {
         const verified = [];
         const dismissed = [];
+        const needsReview = [];
         const { toVerify, preFiltered } = this.preFilter(gaps);
         dismissed.push(...preFiltered);
         if (toVerify.length === 0) {
           return {
             verified: [],
             dismissed,
+            needsReview: [],
             stats: {
               total: gaps.length,
               preFiltered: preFiltered.length,
               aiDismissed: 0,
-              aiVerified: 0
+              aiVerified: 0,
+              aiNeedsReview: 0
             }
           };
         }
-        console.log(`Pre-filtered ${preFiltered.length} gaps. Verifying ${toVerify.length} with AI...`);
+        console.log(`Pre-filtered ${preFiltered.length} gaps. Prioritizing ${toVerify.length} with AI...`);
         const fileContents = /* @__PURE__ */ new Map();
         const uniquePaths = [...new Set(toVerify.map((g) => g.filePath))];
         await Promise.all(
@@ -933,28 +1291,43 @@ FLAGGED LINE: {{flaggedLine}}
         const results = await this.processParallel(batches, toVerify);
         let aiVerified = 0;
         let aiDismissed = 0;
+        let aiNeedsReview = 0;
         for (const gap of toVerify) {
           const gapId = `${gap.filePath}:${gap.lineStart}`;
           const result = results.get(gapId);
-          if (!result || result.isVulnerable) {
+          if (!result) {
+            needsReview.push(gap);
+            aiNeedsReview++;
+          } else if (result.verdict === "VULNERABLE") {
             verified.push(gap);
             aiVerified++;
-          } else {
-            dismissed.push({
-              gap,
-              reason: result.reasoning
-            });
+          } else if (result.verdict === "NEEDS_REVIEW") {
+            needsReview.push(gap);
+            aiNeedsReview++;
+          } else if (result.verdict === "FALSE_POSITIVE" && result.confidence === "high") {
+            dismissed.push({ gap, reason: result.reasoning });
             aiDismissed++;
+          } else {
+            needsReview.push(gap);
+            aiNeedsReview++;
           }
         }
+        const totalAnalyzed = aiVerified + aiDismissed + aiNeedsReview;
+        if (totalAnalyzed > 0 && aiDismissed / totalAnalyzed > 0.8) {
+          console.warn(
+            `WARNING: ${Math.round(aiDismissed / totalAnalyzed * 100)}% of findings dismissed. Scanner may be miscalibrated -- consider reviewing dismissed findings.`
+          );
+        }
         return {
           verified,
           dismissed,
+          needsReview,
           stats: {
             total: gaps.length,
             preFiltered: preFiltered.length,
             aiDismissed,
-            aiVerified
+            aiVerified,
+            aiNeedsReview
           }
         };
       }
@@ -1111,7 +1484,7 @@ FLAGGED LINE: {{flaggedLine}}
               "anthropic-version": "2023-06-01"
             },
             body: JSON.stringify({
-              model: this.config.model ?? "claude-sonnet-4-20250514",
+              model: this.config.model ?? "claude-opus-4-8",
               max_tokens: 4096,
               // Larger for batch responses
               messages: [{ role: "user", content: prompt }]
@@ -1169,12 +1542,34 @@ FLAGGED LINE: {{flaggedLine}}
             return [];
           }
           const parsed = JSON.parse(jsonMatch[0]);
-          return parsed.map((item) => ({
-            id: String(item.id),
-            isVulnerable: Boolean(item.isVulnerable),
-            confidence: item.confidence ?? "medium",
-            reasoning: item.reasoning ?? "No reasoning provided"
-          }));
+          return parsed.map((item) => {
+            const rawVerdict = item["verdict"];
+            let verdict;
+            let isVulnerable;
+            if (rawVerdict === "VULNERABLE") {
+              verdict = "VULNERABLE";
+              isVulnerable = true;
+            } else if (rawVerdict === "NEEDS_REVIEW") {
+              verdict = "NEEDS_REVIEW";
+              isVulnerable = false;
+            } else if (rawVerdict === "FALSE_POSITIVE") {
+              verdict = "FALSE_POSITIVE";
+              isVulnerable = false;
+            } else if (rawVerdict) {
+              verdict = "NEEDS_REVIEW";
+              isVulnerable = false;
+            } else {
+              isVulnerable = Boolean(item["isVulnerable"]);
+              verdict = isVulnerable ? "VULNERABLE" : "FALSE_POSITIVE";
+            }
+            return {
+              id: String(item["id"]),
+              isVulnerable,
+              verdict,
+              confidence: item["confidence"] ?? "medium",
+              reasoning: item["reasoning"] ?? "No reasoning provided"
+            };
+          });
         } catch (error) {
           console.error(`Failed to parse batch response: ${error instanceof Error ? error.message : String(error)}`);
           return [];
@@ -1458,7 +1853,7 @@ export default defineConfig({
        * Execute a command and capture output
        */
       exec(command, args, options = {}) {
-        return new Promise((resolve9) => {
+        return new Promise((resolve10) => {
           let stdout = "";
           let stderr = "";
           let timedOut = false;
@@ -1478,7 +1873,7 @@ export default defineConfig({
           }, timeout);
           proc.on("close", (code) => {
             clearTimeout(timer);
-            resolve9({
+            resolve10({
               stdout,
               stderr,
               exitCode: code ?? 1,
@@ -1487,7 +1882,7 @@ export default defineConfig({
           });
           proc.on("error", (err2) => {
             clearTimeout(timer);
-            resolve9({
+            resolve10({
               stdout,
               stderr: stderr + "\n" + err2.message,
               exitCode: 1,
@@ -3436,6 +3831,719 @@ var init_execution = __esm({
     init_chains();
   }
 });
+
+// src/testgen/generator.ts
+function buildGenerationPrompt(ctx) {
+  const parts = [];
+  parts.push(`Generate a complete, runnable ${ctx.testFramework.name} test file for this security vulnerability.`);
+  parts.push("");
+  parts.push("## Vulnerability");
+  parts.push(`Type: ${ctx.gap.categoryId}`);
+  parts.push(`Severity: ${ctx.gap.severity}`);
+  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+  parts.push(`Pattern: ${ctx.gap.patternId}`);
+  parts.push("");
+  parts.push("## Vulnerable Code");
+  parts.push("```");
+  parts.push(ctx.functionBody);
+  parts.push("```");
+  parts.push("");
+  if (ctx.functionName) {
+    parts.push(`Function name: ${ctx.functionName}`);
+  }
+  parts.push("## File Imports");
+  parts.push("```");
+  parts.push(ctx.imports.join("\n"));
+  parts.push("```");
+  parts.push("");
+  parts.push("## Context");
+  parts.push(`Language: ${ctx.language}`);
+  parts.push(`Test framework: ${ctx.testFramework.name}`);
+  if (ctx.webFramework) parts.push(`Web framework: ${ctx.webFramework}`);
+  if (ctx.dbType) parts.push(`Database: ${ctx.dbType}`);
+  parts.push("");
+  if (ctx.existingTestSample) {
+    parts.push("## Existing Test Style (match this style)");
+    parts.push("```");
+    parts.push(ctx.existingTestSample.slice(0, 1500));
+    parts.push("```");
+    parts.push("");
+  }
+  parts.push("## Requirements");
+  parts.push("1. Output ONLY the complete test file. No explanations, no markdown fences.");
+  parts.push("2. Use real imports that resolve in this project.");
+  parts.push("3. The test MUST FAIL when run against the current vulnerable code.");
+  parts.push("4. Include at least 5 attack payloads specific to this vulnerability type.");
+  parts.push("5. Include at least one boundary/edge case (empty string, null, very long input, unicode).");
+  parts.push("6. If testing an HTTP endpoint, use supertest or direct function calls.");
+  parts.push("7. Test the specific vulnerable code path, not a generic function.");
+  parts.push("8. Each test should have a clear assertion that proves the vulnerability exists or is mitigated.");
+  return parts.join("\n");
+}
+function buildPropertyPrompt(ctx) {
+  const parts = [];
+  parts.push(`Generate a property-based test using fast-check (TypeScript) or hypothesis (Python) for this security vulnerability.`);
+  parts.push("");
+  parts.push("## Vulnerability");
+  parts.push(`Type: ${ctx.gap.categoryId}`);
+  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+  parts.push("");
+  parts.push("## Vulnerable Code");
+  parts.push("```");
+  parts.push(ctx.functionBody);
+  parts.push("```");
+  parts.push("");
+  parts.push("## Requirements");
+  parts.push("1. Output ONLY the complete test file. No explanations.");
+  parts.push("2. Express a security INVARIANT as a property.");
+  parts.push("3. The property should hold for ALL inputs, not just specific payloads.");
+  parts.push("4. Use fast-check for TypeScript/JavaScript or hypothesis for Python.");
+  parts.push("5. Example invariant: 'for all strings s, the output of sanitize(s) never contains <script>'");
+  parts.push(`6. Test framework: ${ctx.testFramework.name}`);
+  const invariantHints = {
+    "sql-injection": "user input should never appear unescaped in the SQL query string",
+    "xss": "user input should never appear as raw HTML in the output",
+    "command-injection": "user input should never be passed to a shell command unescaped",
+    "path-traversal": "resolved file path should always stay within the allowed directory",
+    "ssrf": "user-supplied URL should never resolve to a private/internal IP",
+    "xxe": "XML parsing should never resolve external entities",
+    "deserialization": "deserialized objects should only be of expected types",
+    "hardcoded-secrets": "no string matching secret patterns should exist in source",
+    "race-condition": "concurrent operations on the same resource must produce the same result as serial execution",
+    "auth-failures": "unauthenticated requests to protected endpoints must return 401 or 403",
+    "rate-limiting": "requests exceeding the rate limit from a single source must be rejected",
+    "csrf": "state-changing requests without a valid CSRF token must be rejected",
+    "data-validation": "for all inputs, output must conform to the declared schema",
+    "injection-fuzzing": "no input string should cause uncontrolled code execution or template evaluation",
+    "null-handling": "null and undefined inputs should never cause unhandled exceptions",
+    "data-exposure": "API responses should never contain fields not in the response schema",
+    "discovery-missing-auth": "unauthenticated requests to state-changing endpoints must be rejected",
+    "discovery-race-condition": "concurrent identical requests must not create duplicate state",
+    "discovery-missing-rate-limit": "rapid sequential requests to auth endpoints must be throttled",
+    "discovery-idor": "requests referencing another user's resource must return 403"
+  };
+  const hint = invariantHints[ctx.gap.categoryId];
+  if (hint) {
+    parts.push(`7. Invariant hint: "${hint}"`);
+  }
+  return parts.join("\n");
+}
+async function generateTest(ctx, callAI) {
+  const systemPrompt = [
+    "You are a senior security engineer writing adversarial tests.",
+    "You write tests that BREAK code, not tests that pass.",
+    "Your tests must be complete, runnable files with real imports.",
+    "Output ONLY code. No markdown fences. No explanations.",
+    "The test must FAIL against vulnerable code and PASS after a fix."
+  ].join(" ");
+  const prompt = buildGenerationPrompt(ctx);
+  const content = await callAI(prompt, systemPrompt);
+  const cleaned = stripMarkdownFences(content);
+  return {
+    filePath: ctx.suggestedTestPath,
+    content: cleaned,
+    categoryId: ctx.gap.categoryId,
+    description: `Security test for ${ctx.gap.categoryId} in ${ctx.functionName ?? "unknown function"} at ${ctx.gap.filePath}:${ctx.gap.lineStart}`,
+    isPropertyBased: false
+  };
+}
+async function generatePropertyTest(ctx, callAI) {
+  const systemPrompt = [
+    "You are a formal verification expert writing property-based tests.",
+    "Express security invariants that must hold for ALL inputs.",
+    "Use fast-check for TypeScript/JavaScript or hypothesis for Python.",
+    "Output ONLY code. No markdown fences. No explanations."
+  ].join(" ");
+  const prompt = buildPropertyPrompt(ctx);
+  const content = await callAI(prompt, systemPrompt);
+  const cleaned = stripMarkdownFences(content);
+  const ext = ctx.language === "python" ? ".py" : ".ts";
+  const propPath = ctx.suggestedTestPath.replace(/\.test\.(ts|js|py)$/, `.prop${ext}`);
+  return {
+    filePath: propPath,
+    content: cleaned,
+    categoryId: ctx.gap.categoryId,
+    description: `Property-based security invariant for ${ctx.gap.categoryId}`,
+    isPropertyBased: true
+  };
+}
+function buildIntegrationPrompt(ctx) {
+  const parts = [];
+  const framework = ctx.webFramework ?? "express";
+  const httpClient = HTTP_CLIENT_MAP[framework] ?? HTTP_CLIENT_MAP["express"];
+  parts.push(`Generate a complete, runnable ${ctx.testFramework.name} INTEGRATION test that hits the actual HTTP endpoint.`);
+  parts.push("");
+  parts.push("## Vulnerability");
+  parts.push(`Type: ${ctx.gap.categoryId}`);
+  parts.push(`Severity: ${ctx.gap.severity}`);
+  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+  parts.push("");
+  parts.push("## Vulnerable Code (route handler)");
+  parts.push("```");
+  parts.push(ctx.functionBody);
+  parts.push("```");
+  parts.push("");
+  parts.push("## File Imports");
+  parts.push("```");
+  parts.push(ctx.imports.join("\n"));
+  parts.push("```");
+  parts.push("");
+  parts.push("## Context");
+  parts.push(`Language: ${ctx.language}`);
+  parts.push(`Test framework: ${ctx.testFramework.name}`);
+  parts.push(`Web framework: ${framework}`);
+  parts.push(`HTTP test client: ${httpClient.lib} (${httpClient.importStyle})`);
+  if (ctx.dbType) parts.push(`Database: ${ctx.dbType}`);
+  parts.push("");
+  if (ctx.existingTestSample) {
+    parts.push("## Existing Test Style");
+    parts.push("```");
+    parts.push(ctx.existingTestSample.slice(0, 1500));
+    parts.push("```");
+    parts.push("");
+  }
+  parts.push("## Requirements");
+  parts.push("1. Output ONLY the complete test file. No explanations, no markdown fences.");
+  parts.push(`2. Import the app/server and use ${httpClient.lib} to make real HTTP requests.`);
+  parts.push("3. The test MUST FAIL when run against the current vulnerable code.");
+  parts.push("4. Send at least 5 attack payloads as HTTP request bodies/params/headers.");
+  parts.push("5. Include boundary cases (empty body, malformed JSON, oversized input).");
+  parts.push("6. Assert on HTTP status codes AND response body content.");
+  parts.push("7. Test the specific vulnerable endpoint, not a generic route.");
+  parts.push("8. If the vulnerability is a race condition, send concurrent requests and assert consistency.");
+  parts.push("9. If the vulnerability is missing auth, send requests without auth tokens and assert 401/403.");
+  return parts.join("\n");
+}
+async function generateIntegrationTest(ctx, callAI) {
+  const systemPrompt = [
+    "You are a senior security engineer writing integration tests.",
+    "You test endpoints end-to-end by sending real HTTP requests with attack payloads.",
+    "Your tests must be complete, runnable files that import the app and use supertest/httpx.",
+    "Output ONLY code. No markdown fences. No explanations.",
+    "The test must FAIL against vulnerable code and PASS after a fix."
+  ].join(" ");
+  const prompt = buildIntegrationPrompt(ctx);
+  const content = await callAI(prompt, systemPrompt);
+  const cleaned = stripMarkdownFences(content);
+  const integPath = ctx.suggestedTestPath.replace(/\.test\.(ts|js|py)$/, ".integ.test.$1");
+  const actualPath = integPath.includes("$1") ? ctx.suggestedTestPath.replace(/\.test\.(\w+)$/, ".integ.test.$1") : integPath;
+  return {
+    filePath: actualPath,
+    content: cleaned,
+    categoryId: ctx.gap.categoryId,
+    description: `Integration security test for ${ctx.gap.categoryId} at ${ctx.gap.filePath}:${ctx.gap.lineStart}`,
+    isPropertyBased: false
+  };
+}
+function stripMarkdownFences(content) {
+  let result = content.trim();
+  if (result.startsWith("```")) {
+    const firstNewline = result.indexOf("\n");
+    if (firstNewline !== -1) {
+      result = result.slice(firstNewline + 1);
+    }
+  }
+  if (result.endsWith("```")) {
+    result = result.slice(0, -3).trimEnd();
+  }
+  return result;
+}
+var HTTP_CLIENT_MAP;
+var init_generator2 = __esm({
+  "src/testgen/generator.ts"() {
+    HTTP_CLIENT_MAP = {
+      express: { lib: "supertest", importStyle: 'import request from "supertest";' },
+      fastify: { lib: "supertest", importStyle: 'import request from "supertest";' },
+      koa: { lib: "supertest", importStyle: 'import request from "supertest";' },
+      nestjs: { lib: "supertest", importStyle: 'import request from "supertest";' },
+      flask: { lib: "httpx", importStyle: "import httpx" },
+      django: { lib: "django.test", importStyle: "from django.test import TestCase, Client" },
+      fastapi: { lib: "httpx", importStyle: "from httpx import AsyncClient" },
+      gin: { lib: "net/http/httptest", importStyle: '"net/http/httptest"' }
+    };
+  }
+});
+function runCommand(cmd, args, cwd, timeoutMs = 3e4) {
+  return new Promise((resolve10) => {
+    execFile(cmd, args, {
+      cwd,
+      timeout: timeoutMs,
+      maxBuffer: 1024 * 1024
+    }, (error, stdout, stderr) => {
+      resolve10({
+        stdout: stdout ?? "",
+        stderr: stderr ?? "",
+        exitCode: error?.code === "ERR_CHILD_PROCESS_STDIO_MAXBUFFER" ? 1 : error?.code ?? (error ? 1 : 0)
+      });
+    });
+  });
+}
+async function checkTypeScript(filePath, cwd) {
+  const result = await runCommand("npx", ["tsc", "--noEmit", "--esModuleInterop", "--skipLibCheck", filePath], cwd);
+  return {
+    ok: result.exitCode === 0,
+    errors: result.stderr || result.stdout
+  };
+}
+async function checkPython(filePath, cwd) {
+  const result = await runCommand("python3", ["-m", "py_compile", filePath], cwd);
+  return {
+    ok: result.exitCode === 0,
+    errors: result.stderr
+  };
+}
+async function runTest(filePath, cwd, framework) {
+  let result;
+  switch (framework) {
+    case "vitest":
+      result = await runCommand("npx", ["vitest", "run", filePath, "--no-coverage"], cwd, 6e4);
+      break;
+    case "jest":
+      result = await runCommand("npx", ["jest", filePath, "--no-coverage"], cwd, 6e4);
+      break;
+    case "pytest":
+      result = await runCommand("python3", ["-m", "pytest", filePath, "-x", "--no-header"], cwd, 6e4);
+      break;
+    case "go-test":
+      result = await runCommand("go", ["test", "-run", filePath], cwd, 6e4);
+      break;
+    default:
+      return { failed: false, output: `Unknown framework: ${framework}` };
+  }
+  return {
+    failed: result.exitCode !== 0,
+    output: (result.stdout + "\n" + result.stderr).trim()
+  };
+}
+async function validateTest(test, projectRoot, frameworkName, options = {}) {
+  await mkdir(dirname(test.filePath), { recursive: true });
+  await writeFile(test.filePath, test.content, "utf-8");
+  try {
+    const ext = extname(test.filePath);
+    let compileResult;
+    if (ext === ".ts" || ext === ".tsx") {
+      compileResult = await checkTypeScript(test.filePath, projectRoot);
+    } else if (ext === ".py") {
+      compileResult = await checkPython(test.filePath, projectRoot);
+    } else {
+      compileResult = { ok: true, errors: "" };
+    }
+    if (!compileResult.ok) {
+      return {
+        test,
+        compiles: false,
+        failsCorrectly: false,
+        compileErrors: compileResult.errors,
+        error: "Test does not compile"
+      };
+    }
+    if (options.skipRun) {
+      return {
+        test,
+        compiles: true,
+        failsCorrectly: true
+        // assume good if skipping run
+      };
+    }
+    const runResult = await runTest(test.filePath, projectRoot, frameworkName);
+    return {
+      test,
+      compiles: true,
+      failsCorrectly: runResult.failed,
+      testOutput: runResult.output.slice(0, 2e3),
+      // Cap output size
+      ...runResult.failed ? {} : { error: "Test passed against vulnerable code (test is useless - should fail)" }
+    };
+  } finally {
+  }
+}
+async function cleanupTest(filePath) {
+  try {
+    await unlink(filePath);
+  } catch {
+  }
+}
+async function measureMutationScore(sourceFile, testFile, projectRoot) {
+  const relSource = relative(projectRoot, sourceFile);
+  relative(projectRoot, testFile);
+  const result = await runCommand("npx", [
+    "stryker",
+    "run",
+    "--mutate",
+    relSource,
+    "--testRunner",
+    "vitest",
+    "--reporters",
+    "json",
+    "--jsonReporter.fileName",
+    ".pinata/mutation-report.json",
+    "--concurrency",
+    "1",
+    "--timeoutMS",
+    "15000"
+  ], projectRoot, 12e4);
+  const output = (result.stdout + "\n" + result.stderr).trim();
+  try {
+    const reportPath = `${projectRoot}/.pinata/mutation-report.json`;
+    const report = JSON.parse(await readFile(reportPath, "utf-8"));
+    let killed = 0;
+    let survived = 0;
+    let timedOut = 0;
+    let total = 0;
+    if (report.files) {
+      for (const file of Object.values(report.files)) {
+        for (const mutant of file.mutants ?? []) {
+          total++;
+          if (mutant.status === "Killed") killed++;
+          else if (mutant.status === "Survived") survived++;
+          else if (mutant.status === "Timeout") timedOut++;
+        }
+      }
+    }
+    const score = total > 0 ? Math.round(killed / total * 100) : 0;
+    return { score, totalMutants: total, killed, survived, timedOut, output };
+  } catch {
+    const scoreMatch = output.match(/Mutation score:\s*(\d+(?:\.\d+)?)/i);
+    const score = scoreMatch ? Math.round(parseFloat(scoreMatch[1])) : 0;
+    return { score, totalMutants: 0, killed: 0, survived: 0, timedOut: 0, output };
+  }
+}
+var init_validator = __esm({
+  "src/testgen/validator.ts"() {
+  }
+});
+
+// src/testgen/forge.ts
+var forge_exports = {};
+__export(forge_exports, {
+  TestForge: () => TestForge,
+  createTestForge: () => createTestForge
+});
+function buildCompileFixPrompt(ctx, testContent, errors) {
+  return [
+    `Fix the compilation errors in this ${ctx.testFramework.name} test file.`,
+    "",
+    "## Compile errors",
+    "```",
+    errors.slice(0, 3e3),
+    "```",
+    "",
+    "## Current test file",
+    "```",
+    testContent,
+    "```",
+    "",
+    "## Source file imports (use these exact paths)",
+    "```",
+    ctx.imports.join("\n"),
+    "```",
+    "",
+    "Fix the errors and output the complete corrected test file."
+  ].join("\n");
+}
+function buildHardenPrompt(ctx, testContent) {
+  return [
+    "This security test PASSED against vulnerable code. That means it is useless.",
+    "The test must FAIL to prove the vulnerability exists.",
+    "",
+    "## Vulnerable code",
+    "```",
+    ctx.functionBody,
+    "```",
+    "",
+    "## Current test (passes = useless)",
+    "```",
+    testContent,
+    "```",
+    "",
+    "Rewrite the test to be adversarial enough to actually catch the vulnerability.",
+    "Use more aggressive payloads and tighter assertions."
+  ].join("\n");
+}
+function buildMutationEvolvePrompt(ctx, testContent, mutationResult) {
+  return [
+    `${mutationResult.survived} mutations survived your test (score: ${mutationResult.score}%).`,
+    "Strengthen the test to catch more code mutations.",
+    "",
+    "## Source code being mutated",
+    "```",
+    ctx.functionBody,
+    "```",
+    "",
+    "## Current test",
+    "```",
+    testContent,
+    "```",
+    "",
+    "Add more assertions, edge cases, and boundary checks to kill surviving mutants."
+  ].join("\n");
+}
+function createTestForge(config2) {
+  return new TestForge(config2);
+}
+var DEFAULT_CONFIG2, TestForge, SYSTEM_PROMPT_FIX, SYSTEM_PROMPT_HARDEN, SYSTEM_PROMPT_EVOLVE;
+var init_forge = __esm({
+  "src/testgen/forge.ts"() {
+    init_logger();
+    init_validator();
+    init_generator2();
+    init_generator2();
+    DEFAULT_CONFIG2 = {
+      maxCompileRetries: 3,
+      maxHardenRetries: 2,
+      maxMutationRetries: 2,
+      mutationScoreThreshold: 50,
+      skipRun: false,
+      skipMutation: true,
+      generateProperty: true
+    };
+    TestForge = class {
+      config;
+      log = logger.child("TestForge");
+      constructor(config2 = {}) {
+        this.config = { ...DEFAULT_CONFIG2, ...config2 };
+      }
+      async forge(ctx, callAI) {
+        const accepted = [];
+        const rejected = [];
+        let totalAICalls = 0;
+        let totalScriptCalls = 0;
+        this.log.info(`Forging unit test for ${ctx.gap.categoryId} in ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
+        const unitResult = await this.forgeOne(ctx, callAI, "unit");
+        totalAICalls += unitResult.aiCalls;
+        totalScriptCalls += unitResult.scriptCalls;
+        if (unitResult.accepted) {
+          accepted.push(unitResult.accepted);
+        } else {
+          rejected.push(unitResult.rejected);
+        }
+        if (ctx.webFramework) {
+          this.log.info(`Forging integration test for ${ctx.gap.categoryId}`);
+          const integResult = await this.forgeOne(ctx, callAI, "integration");
+          totalAICalls += integResult.aiCalls;
+          totalScriptCalls += integResult.scriptCalls;
+          if (integResult.accepted) {
+            accepted.push(integResult.accepted);
+          } else {
+            rejected.push(integResult.rejected);
+          }
+        }
+        if (this.config.generateProperty) {
+          this.log.info(`Forging property test for ${ctx.gap.categoryId}`);
+          const propResult = await this.forgeOne(ctx, callAI, "property");
+          totalAICalls += propResult.aiCalls;
+          totalScriptCalls += propResult.scriptCalls;
+          if (propResult.accepted) {
+            accepted.push(propResult.accepted);
+          } else {
+            rejected.push(propResult.rejected);
+          }
+        }
+        const mutationScores = accepted.map((a) => a.mutationScore).filter((s) => s !== null);
+        const avgMutationScore = mutationScores.length > 0 ? Math.round(mutationScores.reduce((a, b) => a + b, 0) / mutationScores.length) : 0;
+        return {
+          accepted,
+          rejected,
+          stats: {
+            totalAttempts: accepted.length + rejected.length,
+            totalAICalls,
+            totalScriptCalls,
+            accepted: accepted.length,
+            rejected: rejected.length,
+            avgMutationScore
+          }
+        };
+      }
+      async forgeOne(ctx, callAI, type) {
+        let aiCalls = 0;
+        let scriptCalls = 0;
+        let lastError = "";
+        let test = null;
+        for (let attempt = 0; attempt <= this.config.maxCompileRetries; attempt++) {
+          try {
+            if (type === "property") {
+              test = await generatePropertyTest(ctx, callAI);
+            } else if (type === "integration") {
+              test = await generateIntegrationTest(ctx, callAI);
+            } else {
+              test = await generateTest(ctx, callAI);
+            }
+            aiCalls++;
+            const validation = await validateTest(
+              test,
+              ctx.projectRoot,
+              ctx.testFramework.name,
+              { skipRun: this.config.skipRun }
+            );
+            scriptCalls++;
+            if (!validation.compiles) {
+              lastError = validation.compileErrors ?? "Unknown compile error";
+              this.log.debug(`Compile attempt ${attempt + 1} failed: ${lastError.slice(0, 200)}`);
+              if (attempt < this.config.maxCompileRetries) {
+                const fixPrompt = buildCompileFixPrompt(ctx, test.content, lastError);
+                const fixed = await callAI(fixPrompt, SYSTEM_PROMPT_FIX);
+                aiCalls++;
+                test = {
+                  ...test,
+                  content: stripMarkdownFences(fixed)
+                };
+                const revalidation = await validateTest(
+                  test,
+                  ctx.projectRoot,
+                  ctx.testFramework.name,
+                  { skipRun: this.config.skipRun }
+                );
+                scriptCalls++;
+                if (revalidation.compiles) {
+                  if (!this.config.skipRun && !revalidation.failsCorrectly) {
+                    const hardenResult = await this.hardenTest(ctx, test, callAI);
+                    aiCalls += hardenResult.aiCalls;
+                    scriptCalls += hardenResult.scriptCalls;
+                    if (hardenResult.test) {
+                      test = hardenResult.test;
+                    } else {
+                      lastError = "Test passes against vulnerable code -- could not harden";
+                      continue;
+                    }
+                  }
+                  let mutationScore2 = null;
+                  if (!this.config.skipMutation) {
+                    const mutResult = await this.mutationLoop(ctx, test, callAI);
+                    aiCalls += mutResult.aiCalls;
+                    scriptCalls += mutResult.scriptCalls;
+                    mutationScore2 = mutResult.score;
+                    if (mutResult.test) test = mutResult.test;
+                  }
+                  await cleanupTest(test.filePath);
+                  return {
+                    accepted: { test, validation: revalidation, mutationScore: mutationScore2, type },
+                    rejected: null,
+                    aiCalls,
+                    scriptCalls
+                  };
+                }
+                lastError = revalidation.compileErrors ?? "Compile fix failed";
+              }
+              continue;
+            }
+            if (!this.config.skipRun && !validation.failsCorrectly) {
+              const hardenResult = await this.hardenTest(ctx, test, callAI);
+              aiCalls += hardenResult.aiCalls;
+              scriptCalls += hardenResult.scriptCalls;
+              if (hardenResult.test) {
+                test = hardenResult.test;
+              } else {
+                lastError = "Test passes against vulnerable code -- could not harden";
+                await cleanupTest(test.filePath);
+                continue;
+              }
+            }
+            let mutationScore = null;
+            if (!this.config.skipMutation) {
+              const mutResult = await this.mutationLoop(ctx, test, callAI);
+              aiCalls += mutResult.aiCalls;
+              scriptCalls += mutResult.scriptCalls;
+              mutationScore = mutResult.score;
+              if (mutResult.test) test = mutResult.test;
+            }
+            await cleanupTest(test.filePath);
+            return {
+              accepted: { test, validation, mutationScore, type },
+              rejected: null,
+              aiCalls,
+              scriptCalls
+            };
+          } catch (error) {
+            lastError = error instanceof Error ? error.message : String(error);
+            this.log.debug(`Forge attempt ${attempt + 1} error: ${lastError}`);
+          }
+        }
+        if (test) await cleanupTest(test.filePath);
+        return {
+          accepted: null,
+          rejected: {
+            categoryId: ctx.gap.categoryId,
+            filePath: ctx.gap.filePath,
+            type,
+            reason: lastError || "All retries exhausted",
+            attempts: this.config.maxCompileRetries + 1
+          },
+          aiCalls,
+          scriptCalls
+        };
+      }
+      async hardenTest(ctx, test, callAI) {
+        let aiCalls = 0;
+        let scriptCalls = 0;
+        for (let i = 0; i < this.config.maxHardenRetries; i++) {
+          const prompt = buildHardenPrompt(ctx, test.content);
+          const hardened = await callAI(prompt, SYSTEM_PROMPT_HARDEN);
+          aiCalls++;
+          const hardenedTest = {
+            ...test,
+            content: stripMarkdownFences(hardened)
+          };
+          const validation = await validateTest(
+            hardenedTest,
+            ctx.projectRoot,
+            ctx.testFramework.name,
+            { skipRun: false }
+          );
+          scriptCalls++;
+          if (validation.compiles && validation.failsCorrectly) {
+            return { test: hardenedTest, aiCalls, scriptCalls };
+          }
+        }
+        return { test: null, aiCalls, scriptCalls };
+      }
+      async mutationLoop(ctx, test, callAI) {
+        let aiCalls = 0;
+        let scriptCalls = 0;
+        let currentTest = test;
+        for (let i = 0; i <= this.config.maxMutationRetries; i++) {
+          try {
+            const result = await measureMutationScore(
+              ctx.gap.filePath,
+              currentTest.filePath,
+              ctx.projectRoot
+            );
+            scriptCalls++;
+            if (result.score >= this.config.mutationScoreThreshold) {
+              return { test: currentTest, score: result.score, aiCalls, scriptCalls };
+            }
+            if (i < this.config.maxMutationRetries) {
+              const prompt = buildMutationEvolvePrompt(ctx, currentTest.content, result);
+              const evolved = await callAI(prompt, SYSTEM_PROMPT_EVOLVE);
+              aiCalls++;
+              currentTest = {
+                ...currentTest,
+                content: stripMarkdownFences(evolved)
+              };
+            }
+          } catch {
+            return { test: currentTest, score: 0, aiCalls, scriptCalls };
+          }
+        }
+        return { test: currentTest, score: 0, aiCalls, scriptCalls };
+      }
+    };
+    SYSTEM_PROMPT_FIX = [
+      "You are a senior engineer fixing a test file that failed to compile.",
+      "Fix ONLY the compilation errors. Do not change the test logic.",
+      "Output ONLY the complete fixed test file. No markdown fences. No explanations."
+    ].join(" ");
+    SYSTEM_PROMPT_HARDEN = [
+      "You are a senior security engineer. The previous test passed against vulnerable code,",
+      "meaning it is useless. Make the test adversarial enough to actually fail.",
+      "Output ONLY the complete hardened test file. No markdown fences. No explanations."
+    ].join(" ");
+    SYSTEM_PROMPT_EVOLVE = [
+      "You are a senior security engineer. Some mutations survived your test --",
+      "meaning your test does not catch certain code changes. Strengthen the test",
+      "to kill the surviving mutants. Output ONLY the complete test file."
+    ].join(" ");
+  }
+});
 function App({ results, loading, error }) {
   const { exit } = useApp();
   const [selectedIndex, setSelectedIndex] = useState(0);
@@ -4022,7 +5130,11 @@ var DetectionPatternSchema = z.object({
   /** Optional pattern that indicates code is NOT vulnerable (false positive filter) */
   negativePattern: z.string().optional(),
   /** Optional list of framework contexts where this pattern applies */
-  frameworks: z.array(z.string()).optional()
+  frameworks: z.array(z.string()).optional(),
+  /** Regex patterns identifying taint sources (user input entry points) in the same scope */
+  sources: z.array(z.string()).optional(),
+  /** Regex patterns identifying sanitizers that neutralize tainted data */
+  sanitizers: z.array(z.string()).optional()
 });
 var DetectionResultSchema = z.object({
   /** ID of the pattern that matched */
@@ -4518,123 +5630,39 @@ var CategoryStore = class {
       const entries = await fs.readdir(dirPath, { withFileTypes: true });
       return entries;
     });
-    if (!loadResult.success) {
-      return [
-        err(
-          new ValidationError(`Failed to read directory: ${dirPath}`, {
-            dirPath,
-            cause: loadResult.error.message
-          })
-        )
-      ];
-    }
-    for (const entry of loadResult.data) {
-      const fullPath = path.join(dirPath, entry.name);
-      if (entry.isDirectory()) {
-        const subResults = await this.loadYamlFilesRecursive(fullPath);
-        results.push(...subResults);
-      } else if (entry.isFile() && (entry.name.endsWith(".yml") || entry.name.endsWith(".yaml"))) {
-        const result = await this.loadFromFile(fullPath);
-        results.push(result);
-      }
-    }
-    return results;
-  }
-};
-function createCategoryStore() {
-  return new CategoryStore();
-}
-init_errors();
-var LOG_LEVELS = {
-  debug: 0,
-  info: 1,
-  warn: 2,
-  error: 3,
-  silent: 4
-};
-var Logger = class _Logger {
-  level = "info";
-  prefix = "";
-  /**
-   * Configure the logger
-   */
-  configure(config2) {
-    if (config2.level !== void 0) {
-      this.level = config2.level;
-    }
-    if (config2.prefix !== void 0) {
-      this.prefix = config2.prefix;
-    }
-  }
-  /**
-   * Check if a log level should be output
-   */
-  shouldLog(level) {
-    return LOG_LEVELS[level] >= LOG_LEVELS[this.level];
-  }
-  /**
-   * Format a message with optional prefix
-   */
-  format(message) {
-    return this.prefix ? `${this.prefix} ${message}` : message;
-  }
-  /**
-   * Debug level logging (gray)
-   */
-  debug(message, ...args) {
-    if (this.shouldLog("debug")) {
-      console.debug(chalk6.gray(this.format(message)), ...args);
-    }
-  }
-  /**
-   * Info level logging (default color)
-   */
-  info(message, ...args) {
-    if (this.shouldLog("info")) {
-      console.info(this.format(message), ...args);
-    }
-  }
-  /**
-   * Warning level logging (yellow)
-   */
-  warn(message, ...args) {
-    if (this.shouldLog("warn")) {
-      console.warn(chalk6.yellow(this.format(message)), ...args);
-    }
-  }
-  /**
-   * Error level logging (red)
-   */
-  error(message, ...args) {
-    if (this.shouldLog("error")) {
-      console.error(chalk6.red(this.format(message)), ...args);
+    if (!loadResult.success) {
+      return [
+        err(
+          new ValidationError(`Failed to read directory: ${dirPath}`, {
+            dirPath,
+            cause: loadResult.error.message
+          })
+        )
+      ];
     }
-  }
-  /**
-   * Success message (green)
-   */
-  success(message, ...args) {
-    if (this.shouldLog("info")) {
-      console.info(chalk6.green(this.format(message)), ...args);
+    for (const entry of loadResult.data) {
+      const fullPath = path.join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        const subResults = await this.loadYamlFilesRecursive(fullPath);
+        results.push(...subResults);
+      } else if (entry.isFile() && (entry.name.endsWith(".yml") || entry.name.endsWith(".yaml"))) {
+        const result = await this.loadFromFile(fullPath);
+        results.push(result);
+      }
     }
-  }
-  /**
-   * Create a child logger with a prefix
-   */
-  child(prefix) {
-    const child = new _Logger();
-    child.level = this.level;
-    child.prefix = this.prefix ? `${this.prefix} ${prefix}` : prefix;
-    return child;
+    return results;
   }
 };
-var logger = new Logger();
-
-// src/core/detection/pattern-matcher.ts
+function createCategoryStore() {
+  return new CategoryStore();
+}
+init_errors();
+init_logger();
 init_result();
 
 // src/core/detection/ast-parser.ts
 init_errors();
+init_logger();
 init_result();
 var __filename$1 = fileURLToPath(import.meta.url);
 var __dirname$1 = dirname(__filename$1);
@@ -5013,10 +6041,11 @@ var PatternMatcher = class {
       }
     }
     const filteredMatches = this.applyNegativePatterns(matches, content, patterns);
+    const contextFiltered = this.applySourceSinkFilter(filteredMatches, content);
     return ok({
       filePath: absolutePath,
       language,
-      matches: filteredMatches,
+      matches: contextFiltered,
       scanTimeMs: performance.now() - startTime,
       warnings
     });
@@ -5229,6 +6258,97 @@ var PatternMatcher = class {
       }
     });
   }
+  /**
+   * Apply source-sink context filtering.
+   *
+   * For patterns that define `sources` and/or `sanitizers`, extract the
+   * surrounding function body and check:
+   *   1. If sources are defined but none appear in scope -> downgrade confidence
+   *   2. If a sanitizer appears in scope -> suppress the match entirely
+   *
+   * Patterns without sources/sanitizers pass through unchanged.
+   */
+  applySourceSinkFilter(matches, content) {
+    const lines = content.split("\n");
+    return matches.filter((match) => {
+      const { sources, sanitizers } = match.pattern;
+      const hasSourceDefs = sources && sources.length > 0;
+      const hasSanitizerDefs = sanitizers && sanitizers.length > 0;
+      if (!hasSourceDefs && !hasSanitizerDefs) return true;
+      const scopeCode = this.extractScope(lines, match.lineStart);
+      if (hasSanitizerDefs) {
+        for (const sanitizer of sanitizers) {
+          try {
+            if (new RegExp(sanitizer).test(scopeCode)) {
+              this.log.debug(
+                `Suppressed ${match.pattern.id} at line ${match.lineStart}: sanitizer found`
+              );
+              return false;
+            }
+          } catch {
+          }
+        }
+      }
+      if (hasSourceDefs) {
+        let sourceFound = false;
+        for (const source of sources) {
+          try {
+            if (new RegExp(source).test(scopeCode)) {
+              sourceFound = true;
+              break;
+            }
+          } catch {
+          }
+        }
+        if (!sourceFound) {
+          this.log.debug(
+            `Downgraded ${match.pattern.id} at line ${match.lineStart}: no taint source in scope`
+          );
+          const downgraded = {
+            ...match,
+            pattern: { ...match.pattern, confidence: "low" }
+          };
+          Object.assign(match, downgraded);
+        }
+      }
+      return true;
+    });
+  }
+  /**
+   * Extract the surrounding function/block scope for a given line.
+   * Walks backwards to find the function start, forwards to find the end.
+   * Falls back to +/- 30 lines if boundaries aren't found.
+   */
+  extractScope(lines, targetLine) {
+    const idx = targetLine - 1;
+    const FALLBACK_RADIUS = 30;
+    let startIdx = Math.max(0, idx - FALLBACK_RADIUS);
+    for (let i = idx; i >= Math.max(0, idx - 50); i--) {
+      const line = lines[i]?.trim() ?? "";
+      if (/^(export\s+)?(async\s+)?function\s/.test(line) || /^(export\s+)?(const|let|var)\s+\w+\s*=\s*(async\s+)?\(/.test(line) || /^(public|private|protected)\s/.test(line) || /^(\s*)def\s+\w+/.test(lines[i] ?? "") || /^(\s*)async\s+def\s+\w+/.test(lines[i] ?? "")) {
+        startIdx = i;
+        break;
+      }
+    }
+    let endIdx = Math.min(lines.length - 1, idx + FALLBACK_RADIUS);
+    let braceDepth = 0;
+    let started = false;
+    for (let i = startIdx; i < lines.length; i++) {
+      const line = lines[i] ?? "";
+      for (const ch of line) {
+        if (ch === "{") {
+          braceDepth++;
+          started = true;
+        }
+        if (ch === "}") braceDepth--;
+        if (started && braceDepth === 0) {
+          endIdx = i;
+          return lines.slice(startIdx, endIdx + 1).join("\n");
+        }
+      }
+    }
+    return lines.slice(startIdx, endIdx + 1).join("\n");
+  }
   /**
    * Get code surrounding a match for negative pattern checking
    */
@@ -5529,10 +6649,10 @@ var SCORING_ADJUSTMENTS = [
     skip: ["serverless", "frontend-spa", "cli"],
     higherWeight: ["web-server", "api"]
   },
-  // Memory leaks are critical for long-running servers
+  // Memory leaks are critical for long-running servers, irrelevant for short-lived CLI
   {
     categoryId: "memory-leak",
-    skip: ["serverless", "script"],
+    skip: ["serverless", "script", "cli"],
     higherWeight: ["web-server", "desktop"]
   },
   // Rate limiting not needed for CLI
@@ -5559,10 +6679,17 @@ var SCORING_ADJUSTMENTS = [
     lowerWeight: ["cli", "script"],
     higherWeight: ["web-server", "api", "serverless"]
   },
-  // Connection failure handling less relevant for CLI
+  // Connection failure handling not relevant for CLI (short-lived, user sees the error)
   {
     categoryId: "connection-failure",
-    lowerWeight: ["cli", "script", "library"],
+    skip: ["cli", "script"],
+    lowerWeight: ["library"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Thread safety not relevant for single-threaded Node.js CLI
+  {
+    categoryId: "thread-safety",
+    skip: ["cli", "script"],
     higherWeight: ["web-server", "api"]
   },
   // Memory bloat less relevant for short-lived processes
@@ -5571,10 +6698,10 @@ var SCORING_ADJUSTMENTS = [
     skip: ["cli", "script", "serverless"],
     higherWeight: ["web-server", "desktop"]
   },
-  // Data race less relevant for single-threaded CLI
+  // Data race not relevant for single-threaded CLI (Node.js is single-threaded)
   {
     categoryId: "data-race",
-    lowerWeight: ["cli", "script"],
+    skip: ["cli", "script"],
     higherWeight: ["web-server", "api"]
   },
   // Network partition not relevant for CLI
@@ -5607,6 +6734,24 @@ var SCORING_ADJUSTMENTS = [
     skip: ["cli", "script", "library"],
     higherWeight: ["web-server", "api"]
   },
+  // Idempotency is a server/API concern, not relevant for CLI
+  {
+    categoryId: "idempotency-missing",
+    skip: ["cli", "script", "library", "frontend-spa"],
+    higherWeight: ["web-server", "api"]
+  },
+  // Retry storms are a distributed systems concern
+  {
+    categoryId: "retry-storm",
+    skip: ["cli", "script", "library", "frontend-spa"],
+    higherWeight: ["web-server", "api", "serverless"]
+  },
+  // Schema migration issues less relevant for CLI
+  {
+    categoryId: "schema-migration",
+    skip: ["cli", "script", "frontend-spa"],
+    higherWeight: ["web-server", "api"]
+  },
   // Encoding mismatch less relevant for CLI
   {
     categoryId: "encoding-mismatch",
@@ -5747,6 +6892,7 @@ function getProjectTypeDescription(type) {
   return descriptions[type];
 }
 init_errors();
+init_logger();
 init_result();
 var SEVERITY_WEIGHTS = {
   critical: 4,
@@ -5756,8 +6902,8 @@ var SEVERITY_WEIGHTS = {
 };
 var CONFIDENCE_WEIGHTS = {
   high: 1,
-  medium: 0.3,
-  low: 0.1
+  medium: 0.7,
+  low: 0.4
 };
 var PRIORITY_WEIGHTS = {
   P0: 3,
@@ -6006,28 +7152,50 @@ var Scanner = class {
         });
       }
     }
-    if (coverage.overallCoverage >= 90) {
-      const bonus = 5;
-      baseScore += bonus;
-      bonuses.push({ reason: "Excellent coverage (90%+)", points: bonus });
-    } else if (coverage.overallCoverage >= 75) {
-      const bonus = 3;
-      baseScore += bonus;
-      bonuses.push({ reason: "Good coverage (75%+)", points: bonus });
-    }
-    const criticalGaps = gaps.filter((g) => g.severity === "critical");
-    if (criticalGaps.length === 0 && categories.length > 0) {
-      const bonus = 5;
-      baseScore += bonus;
-      bonuses.push({ reason: "No critical gaps", points: bonus });
-    }
-    const highGaps = gaps.filter((g) => g.severity === "high");
-    if (highGaps.length === 0 && categories.length > 0) {
-      const bonus = 3;
-      baseScore += bonus;
-      bonuses.push({ reason: "No high severity gaps", points: bonus });
-    }
-    const overall = Math.max(0, Math.min(100, Math.round(baseScore)));
+    const hasActiveGaps = gaps.filter((g) => g.status !== "dismissed").length > 0;
+    const allDismissed = gaps.length > 0 && !hasActiveGaps;
+    if (!allDismissed) {
+      if (coverage.overallCoverage >= 90) {
+        const bonus = 5;
+        baseScore += bonus;
+        bonuses.push({ reason: "Excellent coverage (90%+)", points: bonus });
+      } else if (coverage.overallCoverage >= 75) {
+        const bonus = 3;
+        baseScore += bonus;
+        bonuses.push({ reason: "Good coverage (75%+)", points: bonus });
+      }
+      const criticalGaps = gaps.filter((g) => g.severity === "critical" && g.status !== "dismissed");
+      if (criticalGaps.length === 0 && categories.length > 0) {
+        const bonus = 5;
+        baseScore += bonus;
+        bonuses.push({ reason: "No critical gaps", points: bonus });
+      }
+      const highGaps = gaps.filter((g) => g.severity === "high" && g.status !== "dismissed");
+      if (highGaps.length === 0 && categories.length > 0) {
+        const bonus = 3;
+        baseScore += bonus;
+        bonuses.push({ reason: "No high severity gaps", points: bonus });
+      }
+    }
+    const unknownGaps = gaps.filter((g) => g.status === "unknown");
+    if (unknownGaps.length > 0) {
+      const unknownPenalty = Math.min(10, unknownGaps.length * 2);
+      baseScore -= unknownPenalty;
+      penalties.push({
+        reason: `${unknownGaps.length} finding(s) could not be tested -- manual review needed`,
+        points: Math.round(unknownPenalty)
+      });
+    }
+    const scanConfidence = this.computeScanConfidence(gaps, categories, projectType);
+    const maxScore = 70 + Math.round(scanConfidence * 30);
+    const clampedScore = Math.max(0, Math.min(maxScore, Math.round(baseScore)));
+    if (clampedScore < Math.round(baseScore)) {
+      penalties.push({
+        reason: `Score capped at ${maxScore} (scan confidence: ${Math.round(scanConfidence * 100)}%)`,
+        points: Math.round(baseScore) - clampedScore
+      });
+    }
+    const overall = clampedScore;
     const grade = this.scoreToGrade(overall);
     const bySeverity = {
       critical: this.calculateSeverityScore(gaps, "critical"),
@@ -6041,8 +7209,8 @@ var Scanner = class {
       byDomain: domainScores,
       bySeverity,
       penalties: penalties.slice(0, 10),
-      // Top 10 penalties
-      bonuses
+      bonuses,
+      scanConfidence
     };
   }
   /**
@@ -6051,6 +7219,32 @@ var Scanner = class {
   getPatternMatcher() {
     return this.patternMatcher;
   }
+  /**
+   * Compute scan confidence (0-1) based on how thoroughly the scanner analyzed the codebase.
+   *
+   * Factors:
+   * - Project type detection confidence (high=1, medium=0.7, low=0.4)
+   * - Category coverage (what fraction of applicable categories were scanned)
+   * - Whether source-sink context filtering was used (higher precision = higher confidence)
+   */
+  computeScanConfidence(_gaps, categories, projectType) {
+    const ptConfidence = projectType === "unknown" ? 0.3 : 0.8;
+    const categoryBreadth = categories.length > 0 ? Math.min(1, categories.length / 20) : 0.2;
+    let annotatedPatterns = 0;
+    let totalPatterns = 0;
+    for (const cat of categories) {
+      for (const p of cat.detectionPatterns) {
+        totalPatterns++;
+        if (p.sources?.length || p.sanitizers?.length) {
+          annotatedPatterns++;
+        }
+      }
+    }
+    const annotationRatio = totalPatterns > 0 ? annotatedPatterns / totalPatterns : 0;
+    const taintBonus = annotationRatio * 0.2;
+    const confidence = Math.min(1, ptConfidence * 0.4 + categoryBreadth * 0.4 + taintBonus + 0.1);
+    return Math.round(confidence * 100) / 100;
+  }
   // ============================================================
   // Private methods
   // ============================================================
@@ -6415,11 +7609,13 @@ function createScanner(categoryStore) {
 }
 
 // src/core/index.ts
+init_discovery();
 var VERSION = "0.4.0";
 
 // src/lib/index.ts
 init_errors();
 init_result();
+init_logger();
 init_errors();
 init_result();
 var SEVERITY_COLORS = {
@@ -6566,13 +7762,13 @@ function formatError(error) {
 var DEFAULT_CONFIG = {
   provider: "anthropic",
   apiKey: "",
-  model: "claude-sonnet-4-20250514",
+  model: "claude-opus-4-8",
   maxTokens: 1024,
   temperature: 0.3,
   timeoutMs: 3e4
 };
 var PROVIDER_MODELS = {
-  anthropic: "claude-sonnet-4-20250514",
+  anthropic: "claude-opus-4-8",
   openai: "gpt-4o",
   mock: "mock-model"
 };
@@ -6608,11 +7804,11 @@ var AIService = class {
    */
   getApiKeyFromConfig(provider) {
     try {
-      const { existsSync: existsSync7, readFileSync: readFileSync3 } = __require("fs");
+      const { existsSync: existsSync8, readFileSync: readFileSync3 } = __require("fs");
       const { homedir: homedir3 } = __require("os");
       const { join: join5 } = __require("path");
       const configPath = join5(homedir3(), ".pinata", "config.json");
-      if (!existsSync7(configPath)) {
+      if (!existsSync8(configPath)) {
         return "";
       }
       const content = readFileSync3(configPath, "utf-8");
@@ -7214,6 +8410,42 @@ function formatScanTerminal(result, basePath) {
   if (result.gaps.length > 0) {
     lines.push(chalk6.gray("Run `pinata generate --gaps` to create tests for these gaps."));
   }
+  if (result.coverageTransparency) {
+    const ct = result.coverageTransparency;
+    lines.push("");
+    lines.push(chalk6.bold("Coverage transparency:"));
+    if (ct.endpointsTotal > 0) {
+      lines.push(chalk6.gray(`  Endpoints discovered: ${ct.endpointsTotal}`));
+    }
+    if (ct.unprotectedEndpoints.length > 0) {
+      lines.push(chalk6.yellow(`  Unprotected endpoints: ${ct.unprotectedEndpoints.length}`));
+      for (const ep of ct.unprotectedEndpoints.slice(0, 5)) {
+        lines.push(chalk6.yellow(`    - ${ep}`));
+      }
+      if (ct.unprotectedEndpoints.length > 5) {
+        lines.push(chalk6.gray(`    ... and ${ct.unprotectedEndpoints.length - 5} more`));
+      }
+    }
+    if (ct.concurrencyTotal > 0) {
+      lines.push(chalk6.gray(`  Concurrency guards: ${ct.concurrencyGuarded}/${ct.concurrencyTotal} state mutations guarded`));
+    }
+    if (ct.manualReviewNeeded.length > 0) {
+      lines.push(chalk6.yellow(`  Manual review needed: ${ct.manualReviewNeeded.length} items`));
+      for (const item of ct.manualReviewNeeded.slice(0, 3)) {
+        lines.push(chalk6.gray(`    - ${item}`));
+      }
+    }
+  }
+  if (result.score.scanConfidence !== void 0) {
+    lines.push(chalk6.gray(`
+Scan confidence: ${Math.round(result.score.scanConfidence * 100)}%`));
+  }
+  if (result.dismissed && result.dismissed.length > 0) {
+    lines.push(chalk6.gray(`Findings deprioritized by AI: ${result.dismissed.length} (still available for test generation)`));
+  }
+  if (result.needsReview && result.needsReview.length > 0) {
+    lines.push(chalk6.yellow(`Findings needing manual review: ${result.needsReview.length}`));
+  }
   lines.push(chalk6.gray(`
 Scan completed in ${result.durationMs}ms`));
   return lines.join("\n");
@@ -7606,6 +8838,43 @@ function registerAnalyzeCommand(program2) {
         console.error(formatError(scanResult.error));
         process.exit(1);
       }
+      if (spinner) {
+        spinner.text = "Discovering attack surface...";
+      }
+      try {
+        const { discoverAttackSurface: discoverAttackSurface2, findingsToGaps: findingsToGaps2 } = await Promise.resolve().then(() => (init_discovery(), discovery_exports));
+        const attackSurface = await discoverAttackSurface2(targetDirectory);
+        if (attackSurface.findings.length > 0) {
+          const discoveryGaps = findingsToGaps2(attackSurface.findings, targetDirectory);
+          scanResult.data.gaps.push(...discoveryGaps);
+          for (const gap of discoveryGaps) {
+            const byCat = scanResult.data.gapsByCategory.get(gap.categoryId) ?? [];
+            byCat.push(gap);
+            scanResult.data.gapsByCategory.set(gap.categoryId, byCat);
+            const byFile = scanResult.data.gapsByFile.get(gap.filePath) ?? [];
+            byFile.push(gap);
+            scanResult.data.gapsByFile.set(gap.filePath, byFile);
+          }
+        }
+        scanResult.data.coverageTransparency = {
+          endpointsTested: 0,
+          endpointsTotal: attackSurface.endpoints.length,
+          endpointsUntested: attackSurface.endpoints.map((e) => `${e.method} ${e.path}`),
+          dbOperationsTested: 0,
+          dbOperationsTotal: attackSurface.dbOperations.length,
+          authChecksCovered: attackSurface.authChecks.length,
+          authChecksTotal: attackSurface.endpoints.filter((e) => ["POST", "PUT", "PATCH", "DELETE"].includes(e.method)).length,
+          unprotectedEndpoints: attackSurface.endpoints.filter((e) => !e.hasAuth && ["POST", "PUT", "PATCH", "DELETE"].includes(e.method)).map((e) => `${e.method} ${e.path} (${e.filePath}:${e.lineStart})`),
+          concurrencyGuarded: attackSurface.stateMutations.filter((s) => s.hasLock || s.hasTransaction).length,
+          concurrencyTotal: attackSurface.stateMutations.length,
+          manualReviewNeeded: []
+        };
+        if (attackSurface.findings.length > 0 && !isQuiet) {
+          logger.info(`Discovery: ${attackSurface.endpoints.length} endpoints, ${attackSurface.findings.length} findings`);
+        }
+      } catch (error) {
+        logger.debug(`Discovery skipped: ${error instanceof Error ? error.message : String(error)}`);
+      }
       spinner?.stop();
       const shouldVerify = Boolean(options["verify"]);
       if (shouldVerify && scanResult.data.gaps.length > 0) {
@@ -7618,7 +8887,7 @@ function registerAnalyzeCommand(program2) {
           console.log(chalk6.gray("Get one at: https://console.anthropic.com/settings/keys"));
           console.log(chalk6.gray("Or: https://platform.openai.com/api-keys\n"));
           const rl = createInterface({ input: process.stdin, output: process.stdout });
-          const askQuestion = (question) => new Promise((resolve9) => rl.question(question, (answer) => resolve9(answer.trim())));
+          const askQuestion = (question) => new Promise((resolve10) => rl.question(question, (answer) => resolve10(answer.trim())));
           const apiKey = await askQuestion(chalk6.cyan("Enter your Anthropic or OpenAI API key: "));
           rl.close();
           if (!apiKey) {
@@ -7638,31 +8907,44 @@ function registerAnalyzeCommand(program2) {
           provider = "openai";
         }
         if (hasApiKey2(provider)) {
-          const verifySpinner = showSpinner ? ora3("Verifying gaps with AI...").start() : null;
+          const verifySpinner = showSpinner ? ora3("Prioritizing gaps with AI...").start() : null;
           try {
             const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
-            const { readFile: readFile7 } = await import('fs/promises');
+            const { readFile: readFile9 } = await import('fs/promises');
             const apiKey = getApiKey2(provider);
             const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
-            const { verified, dismissed, stats } = await verifier.verifyAll(
+            const { verified, dismissed, needsReview, stats } = await verifier.verifyAll(
               scanResult.data.gaps,
-              async (path2) => readFile7(path2, "utf-8")
+              async (path2) => readFile9(path2, "utf-8")
             );
-            scanResult.data.gaps = verified;
-            const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
-            let deduction = 0;
-            for (const gap of verified) {
-              deduction += severityWeights[gap.severity] ?? 1;
+            const prioritized = [
+              ...verified.map((g) => ({ ...g, status: "pending" })),
+              ...needsReview.map((g) => ({ ...g, status: "pending" })),
+              ...dismissed.map(({ gap }) => ({ ...gap, status: "dismissed" }))
+            ];
+            scanResult.data.gaps = prioritized;
+            scanResult.data.dismissed = dismissed;
+            scanResult.data.needsReview = needsReview;
+            scanResult.data.rawFindingCount = stats.total;
+            const verifiedCount = verified.length;
+            const totalCount = stats.total;
+            const dismissalRate = totalCount > 0 ? stats.aiDismissed / totalCount : 0;
+            if (verifiedCount === 0 && totalCount > 0 && dismissalRate > 0.8) {
+              const MAX_SCORE_ALL_DISMISSED = 85;
+              if (scanResult.data.score.overall > MAX_SCORE_ALL_DISMISSED) {
+                scanResult.data.score.overall = MAX_SCORE_ALL_DISMISSED;
+                scanResult.data.score.grade = "B";
+                scanResult.data.score.penalties.push({
+                  reason: `All ${stats.aiDismissed} findings AI-dismissed -- score capped (manual review recommended)`,
+                  points: 100 - MAX_SCORE_ALL_DISMISSED
+                });
+              }
             }
-            const newOverall = Math.max(0, 100 - deduction);
-            const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
-            scanResult.data.score.overall = newOverall;
-            scanResult.data.score.grade = newGrade;
             verifySpinner?.succeed(
-              `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
+              `AI Triage: ${stats.total} total \u2192 ${stats.aiVerified} likely vulnerable, ${stats.aiNeedsReview} needs review, ${stats.aiDismissed} likely false positive`
             );
             if (isVerbose && dismissed.length > 0) {
-              console.log(chalk6.gray("\nDismissed as false positives:"));
+              console.log(chalk6.gray("\nLikely false positives (still available for test generation):"));
               for (const { gap, reason } of dismissed.slice(0, 5)) {
                 console.log(chalk6.gray(`  - ${gap.categoryName} at ${gap.filePath}:${gap.lineStart}`));
                 console.log(chalk6.gray(`    Reason: ${reason.slice(0, 100)}...`));
@@ -7671,10 +8953,14 @@ function registerAnalyzeCommand(program2) {
                 console.log(chalk6.gray(`  ... and ${dismissed.length - 5} more`));
               }
             }
+            if (needsReview.length > 0) {
+              console.log(chalk6.yellow(`
+${needsReview.length} finding(s) need manual review.`));
+            }
           } catch (error) {
-            verifySpinner?.fail("AI verification failed (results unverified)");
+            verifySpinner?.fail("AI prioritization failed (results unverified)");
             if (isVerbose) {
-              console.error(chalk6.yellow(`Verification error: ${error instanceof Error ? error.message : String(error)}`));
+              console.error(chalk6.yellow(`Prioritization error: ${error instanceof Error ? error.message : String(error)}`));
             }
           }
         }
@@ -7683,7 +8969,7 @@ function registerAnalyzeCommand(program2) {
       const isDryRun = Boolean(options["dryRun"]);
       if (shouldExecute && scanResult.data.gaps.length > 0) {
         const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
-        const { readFile: readFile7 } = await import('fs/promises');
+        const { readFile: readFile9 } = await import('fs/promises');
         const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
         if (testableGaps.length === 0) {
           console.log(chalk6.yellow("\nNo dynamically testable gaps found."));
@@ -7698,7 +8984,7 @@ Dynamic execution unavailable: ${initResult.error}`));
             for (const gap of testableGaps) {
               if (!fileContents.has(gap.filePath)) {
                 try {
-                  fileContents.set(gap.filePath, await readFile7(gap.filePath, "utf-8"));
+                  fileContents.set(gap.filePath, await readFile9(gap.filePath, "utf-8"));
                 } catch {
                 }
               }
@@ -8067,150 +9353,14 @@ async function extractTestContexts(gaps, projectRoot) {
   return contexts;
 }
 
-// src/testgen/generator.ts
-function buildGenerationPrompt(ctx) {
-  const parts = [];
-  parts.push(`Generate a complete, runnable ${ctx.testFramework.name} test file for this security vulnerability.`);
-  parts.push("");
-  parts.push("## Vulnerability");
-  parts.push(`Type: ${ctx.gap.categoryId}`);
-  parts.push(`Severity: ${ctx.gap.severity}`);
-  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
-  parts.push(`Pattern: ${ctx.gap.patternId}`);
-  parts.push("");
-  parts.push("## Vulnerable Code");
-  parts.push("```");
-  parts.push(ctx.functionBody);
-  parts.push("```");
-  parts.push("");
-  if (ctx.functionName) {
-    parts.push(`Function name: ${ctx.functionName}`);
-  }
-  parts.push("## File Imports");
-  parts.push("```");
-  parts.push(ctx.imports.join("\n"));
-  parts.push("```");
-  parts.push("");
-  parts.push("## Context");
-  parts.push(`Language: ${ctx.language}`);
-  parts.push(`Test framework: ${ctx.testFramework.name}`);
-  if (ctx.webFramework) parts.push(`Web framework: ${ctx.webFramework}`);
-  if (ctx.dbType) parts.push(`Database: ${ctx.dbType}`);
-  parts.push("");
-  if (ctx.existingTestSample) {
-    parts.push("## Existing Test Style (match this style)");
-    parts.push("```");
-    parts.push(ctx.existingTestSample.slice(0, 1500));
-    parts.push("```");
-    parts.push("");
-  }
-  parts.push("## Requirements");
-  parts.push("1. Output ONLY the complete test file. No explanations, no markdown fences.");
-  parts.push("2. Use real imports that resolve in this project.");
-  parts.push("3. The test MUST FAIL when run against the current vulnerable code.");
-  parts.push("4. Include at least 5 attack payloads specific to this vulnerability type.");
-  parts.push("5. Include at least one boundary/edge case (empty string, null, very long input, unicode).");
-  parts.push("6. If testing an HTTP endpoint, use supertest or direct function calls.");
-  parts.push("7. Test the specific vulnerable code path, not a generic function.");
-  parts.push("8. Each test should have a clear assertion that proves the vulnerability exists or is mitigated.");
-  return parts.join("\n");
-}
-function buildPropertyPrompt(ctx) {
-  const parts = [];
-  parts.push(`Generate a property-based test using fast-check (TypeScript) or hypothesis (Python) for this security vulnerability.`);
-  parts.push("");
-  parts.push("## Vulnerability");
-  parts.push(`Type: ${ctx.gap.categoryId}`);
-  parts.push(`File: ${ctx.gap.filePath}:${ctx.gap.lineStart}`);
-  parts.push("");
-  parts.push("## Vulnerable Code");
-  parts.push("```");
-  parts.push(ctx.functionBody);
-  parts.push("```");
-  parts.push("");
-  parts.push("## Requirements");
-  parts.push("1. Output ONLY the complete test file. No explanations.");
-  parts.push("2. Express a security INVARIANT as a property.");
-  parts.push("3. The property should hold for ALL inputs, not just specific payloads.");
-  parts.push("4. Use fast-check for TypeScript/JavaScript or hypothesis for Python.");
-  parts.push("5. Example invariant: 'for all strings s, the output of sanitize(s) never contains <script>'");
-  parts.push(`6. Test framework: ${ctx.testFramework.name}`);
-  const invariantHints = {
-    "sql-injection": "user input should never appear unescaped in the SQL query string",
-    "xss": "user input should never appear as raw HTML in the output",
-    "command-injection": "user input should never be passed to a shell command unescaped",
-    "path-traversal": "resolved file path should always stay within the allowed directory",
-    "ssrf": "user-supplied URL should never resolve to a private/internal IP",
-    "xxe": "XML parsing should never resolve external entities",
-    "deserialization": "deserialized objects should only be of expected types",
-    "hardcoded-secrets": "no string matching secret patterns should exist in source"
-  };
-  const hint = invariantHints[ctx.gap.categoryId];
-  if (hint) {
-    parts.push(`7. Invariant hint: "${hint}"`);
-  }
-  return parts.join("\n");
-}
-async function generateTest(ctx, callAI) {
-  const systemPrompt = [
-    "You are a senior security engineer writing adversarial tests.",
-    "You write tests that BREAK code, not tests that pass.",
-    "Your tests must be complete, runnable files with real imports.",
-    "Output ONLY code. No markdown fences. No explanations.",
-    "The test must FAIL against vulnerable code and PASS after a fix."
-  ].join(" ");
-  const prompt = buildGenerationPrompt(ctx);
-  const content = await callAI(prompt, systemPrompt);
-  const cleaned = stripMarkdownFences(content);
-  return {
-    filePath: ctx.suggestedTestPath,
-    content: cleaned,
-    categoryId: ctx.gap.categoryId,
-    description: `Security test for ${ctx.gap.categoryId} in ${ctx.functionName ?? "unknown function"} at ${ctx.gap.filePath}:${ctx.gap.lineStart}`,
-    isPropertyBased: false
-  };
-}
-async function generatePropertyTest(ctx, callAI) {
-  const systemPrompt = [
-    "You are a formal verification expert writing property-based tests.",
-    "Express security invariants that must hold for ALL inputs.",
-    "Use fast-check for TypeScript/JavaScript or hypothesis for Python.",
-    "Output ONLY code. No markdown fences. No explanations."
-  ].join(" ");
-  const prompt = buildPropertyPrompt(ctx);
-  const content = await callAI(prompt, systemPrompt);
-  const cleaned = stripMarkdownFences(content);
-  const ext = ctx.language === "python" ? ".py" : ".ts";
-  const propPath = ctx.suggestedTestPath.replace(/\.test\.(ts|js|py)$/, `.prop${ext}`);
-  return {
-    filePath: propPath,
-    content: cleaned,
-    categoryId: ctx.gap.categoryId,
-    description: `Property-based security invariant for ${ctx.gap.categoryId}`,
-    isPropertyBased: true
-  };
-}
-function stripMarkdownFences(content) {
-  let result = content.trim();
-  if (result.startsWith("```")) {
-    const firstNewline = result.indexOf("\n");
-    if (firstNewline !== -1) {
-      result = result.slice(firstNewline + 1);
-    }
-  }
-  if (result.endsWith("```")) {
-    result = result.slice(0, -3).trimEnd();
-  }
-  return result;
-}
-
 // src/cli/commands/generate.ts
+init_generator2();
 function registerGenerateCommand(program2) {
-  program2.command("generate").description("Generate adversarial security tests for detected vulnerabilities").option("--gaps", "Generate tests for all detected gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--write", "Write test files to disk").option("--property", "Also generate property-based tests (fast-check/hypothesis)").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
+  program2.command("generate").description("Generate adversarial security tests for detected vulnerabilities").option("--gaps", "Generate tests for all detected gaps").option("-c, --category <id>", "Generate tests for specific category").option("-d, --domain <domain>", "Generate tests for all categories in domain").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "medium").option("--write", "Write test files to disk").option("--no-property", "Skip property-based test generation (enabled by default)").option("--ai-provider <provider>", "AI provider: anthropic, openai", "anthropic").option("-o, --output <format>", "Output format: terminal, json", "terminal").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (options) => {
     const isQuiet = Boolean(options["quiet"]);
     const isVerbose = Boolean(options["verbose"]);
     const shouldWrite = Boolean(options["write"]);
-    const withProperty = Boolean(options["property"]);
+    const withProperty = options["property"] !== false;
     const aiProvider = String(options["aiProvider"] ?? "anthropic");
     const outputFormat = String(options["output"] ?? "terminal");
     if (isQuiet) {
@@ -8280,7 +9430,7 @@ function registerGenerateCommand(program2) {
         process.exit(1);
       }
       if (spinner) {
-        spinner.text = `Generating tests for ${contexts.length} findings with AI...`;
+        spinner.text = `Forging tests for ${contexts.length} findings with AI...`;
       }
       const { hasApiKey: hasApiKey2, getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
       if (!hasApiKey2(aiProvider)) {
@@ -8292,23 +9442,30 @@ AI test generation requires an API key.`));
       }
       const apiKey = getApiKey2(aiProvider) ?? "";
       const callAI = buildAICaller(aiProvider, apiKey);
+      const { createTestForge: createTestForge2 } = await Promise.resolve().then(() => (init_forge(), forge_exports));
+      const forge = createTestForge2({
+        generateProperty: withProperty,
+        skipRun: false,
+        skipMutation: true
+      });
       const generated = [];
       const errors = [];
+      let totalAICalls = 0;
+      let totalScriptCalls = 0;
       for (let i = 0; i < contexts.length; i++) {
         const ctx = contexts[i];
         if (spinner) {
-          spinner.text = `Generating test ${i + 1}/${contexts.length}: ${ctx.gap.categoryId} in ${relative(projectRoot, ctx.gap.filePath)}`;
+          spinner.text = `Forging test ${i + 1}/${contexts.length}: ${ctx.gap.categoryId} in ${relative(projectRoot, ctx.gap.filePath)}`;
         }
         try {
-          const test = await generateTest(ctx, callAI);
-          generated.push(test);
-          if (withProperty) {
-            try {
-              const propTest = await generatePropertyTest(ctx, callAI);
-              generated.push(propTest);
-            } catch (err2) {
-              errors.push(`Property test failed for ${ctx.gap.categoryId}: ${err2 instanceof Error ? err2.message : String(err2)}`);
-            }
+          const result = await forge.forge(ctx, callAI);
+          totalAICalls += result.stats.totalAICalls;
+          totalScriptCalls += result.stats.totalScriptCalls;
+          for (const accepted of result.accepted) {
+            generated.push(accepted.test);
+          }
+          for (const rejected of result.rejected) {
+            errors.push(`Rejected ${rejected.categoryId} (${rejected.type}): ${rejected.reason} (${rejected.attempts} attempts)`);
           }
         } catch (err2) {
           errors.push(`Failed ${ctx.gap.categoryId}: ${err2 instanceof Error ? err2.message : String(err2)}`);
@@ -8331,11 +9488,12 @@ AI test generation requires an API key.`));
             isPropertyBased: t.isPropertyBased,
             lines: t.content.split("\n").length
           })),
-          errors
+          errors,
+          stats: { totalAICalls, totalScriptCalls }
         }, null, 2));
       } else {
         console.log();
-        console.log(chalk6.bold(`Generated ${generated.length} test file${generated.length === 1 ? "" : "s"}`));
+        console.log(chalk6.bold(`Forged ${generated.length} test file${generated.length === 1 ? "" : "s"} (${totalAICalls} AI calls, ${totalScriptCalls} validations)`));
         console.log();
         for (const test of generated) {
           const relPath = relative(projectRoot, test.filePath);
@@ -8385,7 +9543,7 @@ function buildAICaller(provider, apiKey) {
           "anthropic-version": "2023-06-01"
         },
         body: JSON.stringify({
-          model: "claude-sonnet-4-20250514",
+          model: "claude-opus-4-8",
           max_tokens: 4096,
           system: systemPrompt,
           messages: [{ role: "user", content: prompt }]
@@ -8550,9 +9708,9 @@ program.command("suggest-patterns").description("Use AI to suggest new detection
   const codeSnippets = options["code"] ?? [];
   const samples = [...codeSnippets];
   if (filePath) {
-    const { readFile: readFile7 } = await import('fs/promises');
+    const { readFile: readFile9 } = await import('fs/promises');
     try {
-      const content = await readFile7(resolve(filePath), "utf-8");
+      const content = await readFile9(resolve(filePath), "utf-8");
       samples.push(...content.split("\n---\n").filter((s) => s.trim()));
     } catch (error) {
       console.error(formatError(new Error(`Failed to read file: ${filePath}`)));
@@ -8809,16 +9967,16 @@ thresholds:
   high: 5
   medium: 20
 `;
-  const { writeFile: writeFileAsync, mkdir: mkdir4 } = await import('fs/promises');
+  const { writeFile: writeFileAsync, mkdir: mkdir5 } = await import('fs/promises');
   try {
     await writeFileAsync(configPath, defaultConfig, "utf8");
     console.log(chalk6.green("Created .pinata.yml"));
-    await mkdir4(cacheDir, { recursive: true });
+    await mkdir5(cacheDir, { recursive: true });
     console.log(chalk6.green("Created .pinata/ directory"));
     const gitignorePath = resolve(process.cwd(), ".gitignore");
     if (existsSync(gitignorePath)) {
-      const { readFile: readFile7, appendFile } = await import('fs/promises');
-      const gitignore = await readFile7(gitignorePath, "utf8");
+      const { readFile: readFile9, appendFile } = await import('fs/promises');
+      const gitignore = await readFile9(gitignorePath, "utf8");
       if (!gitignore.includes(".pinata/")) {
         await appendFile(gitignorePath, "\n# Pinata cache\n.pinata/\n");
         console.log(chalk6.green("Added .pinata/ to .gitignore"));
@@ -9090,9 +10248,9 @@ auth.command("login").description("Set API key for Pinata Cloud").option("-k, --
   }
   const configDir = resolve(process.cwd(), ".pinata");
   const authPath = resolve(configDir, "auth.json");
-  const { mkdir: mkdir4, writeFile: writeFileAsync } = await import('fs/promises');
+  const { mkdir: mkdir5, writeFile: writeFileAsync } = await import('fs/promises');
   try {
-    await mkdir4(configDir, { recursive: true });
+    await mkdir5(configDir, { recursive: true });
     const maskedKey = `****${apiKey.slice(-8)}`;
     await writeFileAsync(authPath, JSON.stringify({ configured: true, keyId: maskedKey, configuredAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf8");
     const envPath = resolve(configDir, ".env");
@@ -9135,8 +10293,8 @@ auth.command("status").description("Check authentication status").action(async (
     process.exit(0);
   }
   try {
-    const { readFile: readFile7 } = await import('fs/promises');
-    const authData = JSON.parse(await readFile7(authPath, "utf8"));
+    const { readFile: readFile9 } = await import('fs/promises');
+    const authData = JSON.parse(await readFile9(authPath, "utf8"));
     console.log(chalk6.green("Authenticated"));
     console.log(chalk6.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
     console.log(chalk6.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));