realitydb 1.6.3 → 1.7.0

package/dist/index.js

@@ -16436,7 +16436,7 @@ var require_caching_sha2_password = __commonJS({
     var STATE_TOKEN_SENT = 1;
     var STATE_WAIT_SERVER_KEY = 2;
     var STATE_FINAL = -1;
-    function sha256(msg) {
+    function sha2562(msg) {
       const hash = crypto.createHash("sha256");
       hash.update(msg);
       return hash.digest();
@@ -16445,9 +16445,9 @@ var require_caching_sha2_password = __commonJS({
       if (!password) {
         return Buffer.alloc(0);
       }
-      const stage1 = sha256(Buffer.from(password));
-      const stage2 = sha256(stage1);
-      const stage3 = sha256(Buffer.concat([stage2, scramble]));
+      const stage1 = sha2562(Buffer.from(password));
+      const stage2 = sha2562(stage1);
+      const stage3 = sha2562(Buffer.concat([stage2, scramble]));
       return xor(stage1, stage3);
     }
     function encrypt(password, scramble, key) {
@@ -20958,7 +20958,7 @@ var require_pool_connection = __commonJS({
 var require_make_done_cb = __commonJS({
   "../../node_modules/.pnpm/mysql2@3.19.1_@types+node@25.3.5/node_modules/mysql2/lib/promise/make_done_cb.js"(exports2, module2) {
     "use strict";
-    function makeDoneCb(resolve12, reject, localErr) {
+    function makeDoneCb(resolve13, reject, localErr) {
       return function(err, rows, fields) {
         if (err) {
           localErr.message = err.message;
@@ -20969,7 +20969,7 @@ var require_make_done_cb = __commonJS({
           localErr.sqlMessage = err.sqlMessage;
           reject(localErr);
         } else {
-          resolve12([rows, fields]);
+          resolve13([rows, fields]);
         }
       };
     }
@@ -20990,8 +20990,8 @@ var require_prepared_statement_info = __commonJS({
       execute(parameters) {
         const s = this.statement;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           if (parameters) {
             s.execute(parameters, done);
           } else {
@@ -21000,9 +21000,9 @@ var require_prepared_statement_info = __commonJS({
         });
       }
       close() {
-        return new this.Promise((resolve12) => {
+        return new this.Promise((resolve13) => {
           this.statement.close();
-          resolve12();
+          resolve13();
         });
       }
     };
@@ -21071,8 +21071,8 @@ var require_connection2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           if (params !== void 0) {
             c.query(query, params, done);
           } else {
@@ -21088,8 +21088,8 @@ var require_connection2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           if (params !== void 0) {
             c.execute(query, params, done);
           } else {
@@ -21098,8 +21098,8 @@ var require_connection2 = __commonJS({
         });
       }
       end() {
-        return new this.Promise((resolve12) => {
-          this.connection.end(resolve12);
+        return new this.Promise((resolve13) => {
+          this.connection.end(resolve13);
         });
       }
       async [Symbol.asyncDispose]() {
@@ -21110,31 +21110,31 @@ var require_connection2 = __commonJS({
       beginTransaction() {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           c.beginTransaction(done);
         });
       }
       commit() {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           c.commit(done);
         });
       }
       rollback() {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           c.rollback(done);
         });
       }
       ping() {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           c.ping((err) => {
             if (err) {
               localErr.message = err.message;
@@ -21144,7 +21144,7 @@ var require_connection2 = __commonJS({
               localErr.sqlMessage = err.sqlMessage;
               reject(localErr);
             } else {
-              resolve12(true);
+              resolve13(true);
             }
           });
         });
@@ -21152,7 +21152,7 @@ var require_connection2 = __commonJS({
       connect() {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           c.connect((err, param) => {
             if (err) {
               localErr.message = err.message;
@@ -21162,7 +21162,7 @@ var require_connection2 = __commonJS({
               localErr.sqlMessage = err.sqlMessage;
               reject(localErr);
             } else {
-              resolve12(param);
+              resolve13(param);
             }
           });
         });
@@ -21171,7 +21171,7 @@ var require_connection2 = __commonJS({
         const c = this.connection;
         const promiseImpl = this.Promise;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           c.prepare(options, (err, statement) => {
             if (err) {
               localErr.message = err.message;
@@ -21185,7 +21185,7 @@ var require_connection2 = __commonJS({
                 statement,
                 promiseImpl
               );
-              resolve12(wrappedStatement);
+              resolve13(wrappedStatement);
             }
           });
         });
@@ -21193,7 +21193,7 @@ var require_connection2 = __commonJS({
       changeUser(options) {
         const c = this.connection;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           c.changeUser(options, (err) => {
             if (err) {
               localErr.message = err.message;
@@ -21203,7 +21203,7 @@ var require_connection2 = __commonJS({
               localErr.sqlMessage = err.sqlMessage;
               reject(localErr);
             } else {
-              resolve12();
+              resolve13();
             }
           });
         });
@@ -21546,12 +21546,12 @@ var require_pool2 = __commonJS({
       }
       getConnection() {
         const corePool = this.pool;
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           corePool.getConnection((err, coreConnection) => {
             if (err) {
               reject(err);
             } else {
-              resolve12(new PromisePoolConnection(coreConnection, this.Promise));
+              resolve13(new PromisePoolConnection(coreConnection, this.Promise));
             }
           });
         });
@@ -21567,8 +21567,8 @@ var require_pool2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           if (args !== void 0) {
             corePool.query(sql, args, done);
           } else {
@@ -21584,8 +21584,8 @@ var require_pool2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           if (args) {
             corePool.execute(sql, args, done);
           } else {
@@ -21596,7 +21596,7 @@ var require_pool2 = __commonJS({
       end() {
         const corePool = this.pool;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           corePool.end((err) => {
             if (err) {
               localErr.message = err.message;
@@ -21606,7 +21606,7 @@ var require_pool2 = __commonJS({
               localErr.sqlMessage = err.sqlMessage;
               reject(localErr);
             } else {
-              resolve12();
+              resolve13();
             }
           });
         });
@@ -22051,12 +22051,12 @@ var require_pool_cluster2 = __commonJS({
       }
       getConnection() {
         const corePoolNamespace = this.poolNamespace;
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           corePoolNamespace.getConnection((err, coreConnection) => {
             if (err) {
               reject(err);
             } else {
-              resolve12(new PromisePoolConnection(coreConnection, this.Promise));
+              resolve13(new PromisePoolConnection(coreConnection, this.Promise));
             }
           });
         });
@@ -22069,8 +22069,8 @@ var require_pool_cluster2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           corePoolNamespace.query(sql, values, done);
         });
       }
@@ -22082,8 +22082,8 @@ var require_pool_cluster2 = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           corePoolNamespace.execute(sql, values, done);
         });
       }
@@ -22118,9 +22118,9 @@ var require_promise = __commonJS({
           "no Promise implementation available.Use promise-enabled node version or pass userland Promise implementation as parameter, for example: { Promise: require('bluebird') }"
         );
       }
-      return new thePromise((resolve12, reject) => {
+      return new thePromise((resolve13, reject) => {
         coreConnection.once("connect", () => {
-          resolve12(new PromiseConnection(coreConnection, thePromise));
+          resolve13(new PromiseConnection(coreConnection, thePromise));
         });
         coreConnection.once("error", (err) => {
           createConnectionErr.message = err.message;
@@ -22150,7 +22150,7 @@ var require_promise = __commonJS({
       }
       getConnection(pattern, selector) {
         const corePoolCluster = this.poolCluster;
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           corePoolCluster.getConnection(
             pattern,
             selector,
@@ -22158,7 +22158,7 @@ var require_promise = __commonJS({
               if (err) {
                 reject(err);
               } else {
-                resolve12(new PromisePoolConnection(coreConnection, this.Promise));
+                resolve13(new PromisePoolConnection(coreConnection, this.Promise));
               }
             }
           );
@@ -22172,8 +22172,8 @@ var require_promise = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           corePoolCluster.query(sql, args, done);
         });
       }
@@ -22185,8 +22185,8 @@ var require_promise = __commonJS({
             "Callback function is not available with promise clients."
           );
         }
-        return new this.Promise((resolve12, reject) => {
-          const done = makeDoneCb(resolve12, reject, localErr);
+        return new this.Promise((resolve13, reject) => {
+          const done = makeDoneCb(resolve13, reject, localErr);
           corePoolCluster.execute(sql, args, done);
         });
       }
@@ -22199,7 +22199,7 @@ var require_promise = __commonJS({
       end() {
         const corePoolCluster = this.poolCluster;
         const localErr = new Error();
-        return new this.Promise((resolve12, reject) => {
+        return new this.Promise((resolve13, reject) => {
           corePoolCluster.end((err) => {
             if (err) {
               localErr.message = err.message;
@@ -22209,7 +22209,7 @@ var require_promise = __commonJS({
               localErr.sqlMessage = err.sqlMessage;
               reject(localErr);
             } else {
-              resolve12();
+              resolve13();
             }
           });
         });
@@ -22428,11 +22428,29 @@ function inferColumnStrategy(column, tableForeignKeys, tableName) {
       return { kind: "enum", options: { values: enumValues } };
     }
   }
+  if (column.dataType === "set" || udtLower.startsWith("set(")) {
+    const setValues = parseMySQLEnumValues(column.udtName.replace(/^set/i, "enum"));
+    if (setValues.length > 0) {
+      return { kind: "enum", options: { values: setValues } };
+    }
+  }
   const dataType = udtLower;
   const baseType = column.dataType.toLowerCase();
   if (dataType === "uuid" || baseType === "char" && column.maxLength === 36) {
     return { kind: "uuid" };
   }
+  if (baseType === "json" || baseType === "jsonb") {
+    return { kind: "text", options: { mode: "short" } };
+  }
+  if (baseType === "year") {
+    return { kind: "integer", options: { min: 2e3, max: 2030 } };
+  }
+  if (baseType === "tinytext") {
+    return { kind: "text", options: { mode: "short" } };
+  }
+  if (baseType === "mediumtext" || baseType === "longtext") {
+    return { kind: "text", options: { mode: "long" } };
+  }
   if ((dataType === "varchar" || dataType === "text" || baseType === "varchar" || baseType === "text") && column.maxLength !== null && column.maxLength <= 10) {
     return { kind: "text", options: { mode: "short" } };
   }
@@ -23007,7 +23025,7 @@ function createGeneratorRegistry() {
         const padLength = strategy.options?.["padLength"] ?? 6;
         return (ctx) => generateSequential(ctx, prefix, padLength);
       }
-      console.warn(`[databox] Unknown custom generator "${name}", falling back to text.`);
+      console.warn(`Unknown custom generator "${name}", falling back to text.`);
       return (ctx) => generateText(ctx, "short");
     }
   };
@@ -23075,6 +23093,19 @@ function resolveForeignKey(ctx, ref) {
 }
 
 // ../../packages/generators/dist/engine.js
+var INTEGER_TYPES = /* @__PURE__ */ new Set([
+  "int2",
+  "int4",
+  "int8",
+  "integer",
+  "serial",
+  "bigserial",
+  "smallint",
+  "bigint",
+  "int",
+  "mediumint",
+  "tinyint"
+]);
 function generateDataset(plan) {
   const seed = createSeededRandom(plan.reproducibility.randomSeed);
   const registry = createGeneratorRegistry();
@@ -23090,6 +23121,7 @@ function generateDataset(plan) {
         const isSelfRef = colPlan.foreignKeyRef.referencedTable === tableName;
         return {
           columnName: colPlan.columnName,
+          dataType: colPlan.dataType,
           generator: null,
           isForeignKey: true,
           isSelfReference: isSelfRef,
@@ -23103,6 +23135,7 @@ function generateDataset(plan) {
       }
       return {
         columnName: colPlan.columnName,
+        dataType: colPlan.dataType,
         generator: registry.getGenerator(colPlan.strategy),
         isForeignKey: false,
         isSelfReference: false,
@@ -23144,6 +23177,13 @@ function generateDataset(plan) {
         } else if (colGen.generator) {
           row[colGen.columnName] = colGen.generator(ctx);
         }
+        const val = row[colGen.columnName];
+        if (typeof val === "number" && !Number.isInteger(val)) {
+          const dt = colGen.dataType.toLowerCase();
+          if (INTEGER_TYPES.has(dt)) {
+            row[colGen.columnName] = Math.floor(val);
+          }
+        }
       }
       rows.push(row);
     }
@@ -24215,7 +24255,7 @@ function applyScenarios(dataset, scenarios, random) {
   for (const config of scenarios) {
     const definition = registry.get(config.name);
     if (!definition) {
-      console.warn(`[databox] Scenario "${config.name}" not found. Available: ${registry.list().map((s) => s.name).join(", ")}`);
+      console.warn(`Scenario "${config.name}" not found. Available: ${registry.list().map((s) => s.name).join(", ")}`);
       continue;
     }
     const beforeTotalRows = countTotalValues(dataset);
@@ -24300,7 +24340,7 @@ function composeScenarios(dataset, configs, random, customScenarios) {
   for (const config of configs) {
     const definition = registry.get(config.name);
     if (!definition) {
-      console.warn(`[databox] Scenario "${config.name}" not found, skipping.`);
+      console.warn(`Scenario "${config.name}" not found, skipping.`);
       continue;
     }
     const beforeRows = countRows(dataset);
@@ -24379,7 +24419,7 @@ function applyScheduledScenarios(dataset, scheduled, random, totalMonths, custom
   for (const scheduled_item of scheduled) {
     const definition = registry.get(scheduled_item.config.name);
     if (!definition) {
-      console.warn(`[databox] Scheduled scenario "${scheduled_item.config.name}" not found, skipping.`);
+      console.warn(`Scheduled scenario "${scheduled_item.config.name}" not found, skipping.`);
       continue;
     }
     const { subset, complementTables } = extractTimeWindow(dataset, scheduled_item.startMonth, scheduled_item.endMonth, totalMonths);
@@ -25583,6 +25623,11 @@ function generateTemplate(analyses, databaseName) {
     for (const col of table.columns) {
       if (col.detection.isPrimaryKey || col.detection.isForeignKey)
         continue;
+      if (col.refinedStrategy.kind === "enum" && col.refinedStrategy.options?.["values"] && Array.isArray(col.refinedStrategy.options["values"])) {
+        const vals = col.refinedStrategy.options["values"];
+        if (vals.length === 1 && vals[0] === "default")
+          continue;
+      }
       const entry = {
         strategy: col.refinedStrategy.kind
       };
@@ -25977,6 +26022,7 @@ function replaceText(random) {
 }
 
 // ../../packages/generators/dist/mask/auditLog.js
+var import_node_crypto = require("crypto");
 function buildAuditLog(detectionsByTable, maskResults, mode, seed, databaseName) {
   const tables = [];
   let totalPIIColumnsDetected = 0;
@@ -26017,8 +26063,9 @@ function buildAuditLog(detectionsByTable, maskResults, mode, seed, databaseName)
       columns
     });
   }
+  const integrityChain = buildIntegrityChain(tables, mode, seed, databaseName);
   return {
-    version: "1.0",
+    version: "1.1",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     complianceMode: mode,
     seed,
@@ -26030,7 +26077,8 @@ function buildAuditLog(detectionsByTable, maskResults, mode, seed, databaseName)
       totalColumnsMasked,
       totalRowsMasked
     },
-    tables
+    tables,
+    integrityChain
   };
 }
 function formatAuditLog(log) {
@@ -26063,11 +26111,362 @@ function formatAuditLog(log) {
     }
     lines.push("");
   }
+  if (log.integrityChain) {
+    lines.push("Integrity Chain");
+    lines.push("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    lines.push(`  Algorithm: ${log.integrityChain.algorithm}`);
+    lines.push(`  Genesis: ${log.integrityChain.genesisHash.substring(0, 16)}...`);
+    lines.push(`  Final:   ${log.integrityChain.finalHash.substring(0, 16)}...`);
+    const verification = verifyAuditLogIntegrity(log);
+    lines.push(`  Status:  ${verification.valid ? "VERIFIED" : `BROKEN at ${verification.brokenAt}`}`);
+    lines.push("");
+  }
   return lines.join("\n");
 }
 function serializeAuditLog(log) {
   return JSON.stringify(log, null, 2);
 }
+function buildIntegrityChain(tables, mode, seed, databaseName) {
+  const genesisHash = sha256(`genesis:${mode}:${seed}:${databaseName}`);
+  const tableHashes = [];
+  let previousHash = genesisHash;
+  for (const table of tables) {
+    const payload = `${previousHash}:${JSON.stringify(table)}`;
+    const hash = sha256(payload);
+    tableHashes.push({ tableName: table.tableName, hash });
+    previousHash = hash;
+  }
+  return {
+    algorithm: "sha256",
+    genesisHash,
+    tableHashes,
+    finalHash: previousHash
+  };
+}
+function verifyAuditLogIntegrity(log) {
+  if (!log.integrityChain) {
+    return { valid: false, brokenAt: "missing integrityChain" };
+  }
+  const chain = log.integrityChain;
+  const expectedGenesis = sha256(`genesis:${log.complianceMode}:${log.seed}:${log.databaseName}`);
+  if (chain.genesisHash !== expectedGenesis) {
+    return { valid: false, brokenAt: "genesisHash" };
+  }
+  let previousHash = chain.genesisHash;
+  for (let i = 0; i < log.tables.length; i++) {
+    const table = log.tables[i];
+    const payload = `${previousHash}:${JSON.stringify(table)}`;
+    const expectedHash = sha256(payload);
+    const recorded = chain.tableHashes[i];
+    if (!recorded || recorded.hash !== expectedHash) {
+      return { valid: false, brokenAt: table.tableName };
+    }
+    previousHash = expectedHash;
+  }
+  if (previousHash !== chain.finalHash) {
+    return { valid: false, brokenAt: "finalHash" };
+  }
+  return { valid: true };
+}
+function sha256(input) {
+  return (0, import_node_crypto.createHash)("sha256").update(input, "utf8").digest("hex");
+}
+
+// ../../packages/generators/dist/mask/tokenizer.js
+var import_node_crypto2 = require("crypto");
+function tokenizeTableRows(rows, detections, tableName, tokenPrefix = "TOK") {
+  const columnsToMask = detections.filter((d) => d.shouldMask);
+  const entries = [];
+  const tokenCache = /* @__PURE__ */ new Map();
+  const tokenizedRows = rows.map((row) => {
+    const newRow = { ...row };
+    for (const detection of columnsToMask) {
+      const originalValue = row[detection.columnName];
+      if (originalValue === null || originalValue === void 0)
+        continue;
+      const cacheKey = `${detection.columnName}:${String(originalValue)}`;
+      let token = tokenCache.get(cacheKey);
+      if (!token) {
+        const hash = (0, import_node_crypto2.createHash)("sha256").update(`${tableName}:${cacheKey}`, "utf8").digest("hex").substring(0, 12);
+        token = `${tokenPrefix}-${hash}`;
+        tokenCache.set(cacheKey, token);
+        entries.push({
+          token,
+          originalValue,
+          columnName: detection.columnName,
+          tableName,
+          piiCategory: detection.category
+        });
+      }
+      newRow[detection.columnName] = token;
+    }
+    return newRow;
+  });
+  return { tokenizedRows, entries };
+}
+function buildTokenMap(entries, tokenPrefix = "TOK") {
+  return {
+    version: "1.0",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    tokenPrefix,
+    totalTokens: entries.length,
+    entries
+  };
+}
+function generateTokenPrefix() {
+  return `TOK-${(0, import_node_crypto2.randomBytes)(3).toString("hex").toUpperCase()}`;
+}
+function encryptTokenMap(tokenMap, passphrase) {
+  const salt = (0, import_node_crypto2.randomBytes)(16);
+  const key = (0, import_node_crypto2.pbkdf2Sync)(passphrase, salt, 1e5, 32, "sha512");
+  const iv = (0, import_node_crypto2.randomBytes)(12);
+  const cipher = (0, import_node_crypto2.createCipheriv)("aes-256-gcm", key, iv);
+  const plaintext = JSON.stringify(tokenMap);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const packed = Buffer.concat([salt, iv, authTag, encrypted]);
+  return packed.toString("base64");
+}
+function decryptTokenMap(encryptedBase64, passphrase) {
+  const packed = Buffer.from(encryptedBase64, "base64");
+  const salt = packed.subarray(0, 16);
+  const iv = packed.subarray(16, 28);
+  const authTag = packed.subarray(28, 44);
+  const ciphertext = packed.subarray(44);
+  const key = (0, import_node_crypto2.pbkdf2Sync)(passphrase, salt, 1e5, 32, "sha512");
+  const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  try {
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString("utf8"));
+  } catch {
+    throw new Error("[realitydb] Decryption failed \u2014 wrong passphrase or corrupted data");
+  }
+}
+
+// ../../packages/generators/dist/mask/valueScanners.js
+var VALUE_PATTERNS = [
+  // === Direct identifiers ===
+  {
+    category: "email",
+    patterns: [/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/],
+    label: "email address",
+    strategy: "replace_email",
+    threshold: 0.3,
+    action: "tokenize"
+  },
+  {
+    category: "ssn",
+    patterns: [/\b\d{3}-\d{2}-\d{4}\b/],
+    label: "SSN",
+    strategy: "replace_ssn",
+    threshold: 0.1,
+    action: "block"
+  },
+  {
+    category: "phone",
+    patterns: [
+      /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/,
+      /\+1\d{10}\b/,
+      /\(\d{3}\)\s?\d{3}[-.]?\d{4}/
+    ],
+    label: "phone number",
+    strategy: "replace_phone",
+    threshold: 0.2,
+    action: "tokenize"
+  },
+  {
+    category: "ip_address",
+    patterns: [/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/],
+    label: "IP address",
+    strategy: "replace_ip",
+    threshold: 0.2,
+    action: "mask"
+  },
+  {
+    category: "name",
+    patterns: [
+      /\b(Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z]+/,
+      /\b[A-Z][a-z]+ [A-Z][a-z]+\b/
+    ],
+    label: "person name",
+    strategy: "replace_name",
+    threshold: 0.3,
+    action: "tokenize"
+  },
+  {
+    category: "address",
+    patterns: [
+      /\b\d{1,5}\s+[A-Z][a-z]+(\s+[A-Z][a-z]+)*\s+(St|Ave|Blvd|Dr|Ln|Rd|Way|Ct|Pl|Ter|Cir|Pike|Highway|Hwy)\b/i
+    ],
+    label: "street address",
+    strategy: "replace_address",
+    threshold: 0.2,
+    action: "tokenize"
+  },
+  // === Financial ===
+  {
+    category: "financial",
+    patterns: [
+      /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
+      /\b[A-Z]{2}\d{2}[A-Z0-9]{4}\d{7}(?:[A-Z0-9]{0,16})?\b/
+    ],
+    label: "financial identifier",
+    strategy: "replace_ssn",
+    threshold: 0.1,
+    action: "block"
+  },
+  {
+    category: "bank_routing",
+    patterns: [
+      /\b0[0-9]\d{7}\b/,
+      /\b1[0-2]\d{7}\b/,
+      /\b[2-3][0-9]\d{7}\b/
+    ],
+    label: "bank routing number",
+    strategy: "replace_ssn",
+    threshold: 0.1,
+    action: "mask"
+  },
+  // === Dates ===
+  {
+    category: "date_of_birth",
+    patterns: [
+      /\b(0[1-9]|1[0-2])[/-](0[1-9]|[12]\d|3[01])[/-](19|20)\d{2}\b/,
+      /\b(19|20)\d{2}[/-](0[1-9]|1[0-2])[/-](0[1-9]|[12]\d|3[01])\b/
+    ],
+    label: "date of birth",
+    strategy: "shift_date",
+    threshold: 0.15,
+    action: "mask"
+  },
+  // === Government IDs ===
+  {
+    category: "drivers_license",
+    patterns: [
+      /\b[A-Z]\d{3}[-\s]?\d{3}[-\s]?\d{3}[-\s]?\d{3}\b/
+    ],
+    label: "drivers license",
+    strategy: "replace_ssn",
+    threshold: 0.1,
+    action: "block"
+  },
+  {
+    category: "passport",
+    patterns: [
+      /\b[A-Z]\d{8}\b/
+    ],
+    label: "passport number",
+    strategy: "replace_ssn",
+    threshold: 0.1,
+    action: "block"
+  },
+  // === URLs ===
+  {
+    category: "url",
+    patterns: [/https?:\/\/[^\s"'<>]+/],
+    label: "URL",
+    strategy: "replace_url",
+    threshold: 0.3,
+    action: "tokenize"
+  },
+  // === Healthcare vertical ===
+  {
+    category: "medical",
+    patterns: [
+      /\bMRN[-:\s]?\d{6,10}\b/i,
+      /\bNPI[-:\s]?\d{10}\b/i
+    ],
+    label: "medical record number",
+    strategy: "redact",
+    threshold: 0.1,
+    action: "tokenize"
+  },
+  // === Education vertical ===
+  {
+    category: "student_id",
+    patterns: [
+      /\b(SID|STU|STUDENT)[-:\s]?\d{5,10}\b/i
+    ],
+    label: "student ID",
+    strategy: "replace_ssn",
+    threshold: 0.15,
+    action: "tokenize"
+  },
+  // === Legal vertical ===
+  {
+    category: "case_number",
+    patterns: [
+      /\b\d{2,4}[-]?[A-Z]{2,4}[-]?\d{3,8}\b/i
+    ],
+    label: "case number",
+    strategy: "redact",
+    threshold: 0.1,
+    action: "tokenize"
+  },
+  // === Automotive ===
+  {
+    category: "vin",
+    patterns: [
+      /\b[A-HJ-NPR-Z0-9]{17}\b/
+    ],
+    label: "VIN",
+    strategy: "redact",
+    threshold: 0.1,
+    action: "block"
+  }
+];
+var FREE_TEXT_NAME_PATTERNS = /^(notes|bio|biography|description|comments|remarks|narrative|summary|details|message|body|content|text|memo|reason|observation|feedback|review)$/i;
+var FREE_TEXT_TYPE_PATTERNS = ["text", "mediumtext", "longtext"];
+function isFreeTextColumn(columnName, dataType, maxLength) {
+  if (FREE_TEXT_NAME_PATTERNS.test(columnName))
+    return true;
+  if (FREE_TEXT_TYPE_PATTERNS.includes(dataType.toLowerCase()))
+    return true;
+  if (maxLength !== null && maxLength > 500)
+    return true;
+  return false;
+}
+function scanColumnValues(values, optionsOrMaxSampleSize) {
+  let maxSampleSize = 100;
+  let isFreeText = false;
+  if (typeof optionsOrMaxSampleSize === "number") {
+    maxSampleSize = optionsOrMaxSampleSize;
+  } else if (optionsOrMaxSampleSize) {
+    maxSampleSize = optionsOrMaxSampleSize.maxSampleSize ?? 100;
+    isFreeText = optionsOrMaxSampleSize.isFreeText ?? false;
+  }
+  if (isFreeText) {
+    maxSampleSize = Math.min(300, Math.max(maxSampleSize * 3, values.length));
+  }
+  const stringValues = values.filter((v) => typeof v === "string" && v.length > 0).slice(0, maxSampleSize);
+  if (stringValues.length === 0)
+    return [];
+  const results = [];
+  for (const check of VALUE_PATTERNS) {
+    let matches = 0;
+    for (const value of stringValues) {
+      const hasMatch = check.patterns.some((pattern) => pattern.test(value));
+      if (hasMatch)
+        matches++;
+    }
+    const hitRate = matches / stringValues.length;
+    const effectiveThreshold = isFreeText ? check.threshold * 0.5 : check.threshold;
+    if (hitRate >= effectiveThreshold) {
+      const confidence = hitRate >= 0.7 ? "high" : hitRate >= 0.3 ? "medium" : "low";
+      results.push({
+        category: check.category,
+        confidence,
+        hitRate: Math.round(hitRate * 100) / 100,
+        matchedPattern: check.label,
+        suggestedStrategy: check.strategy,
+        action: check.action,
+        isFreeTextField: isFreeText
+      });
+    }
+  }
+  return results;
+}
 
 // ../../packages/generators/dist/classroom/courseRegistry.js
 var CourseRegistry = class {
@@ -29595,7 +29994,7 @@ function buildGenerationPlan(schema, config, timelineConfig) {
   }
   if (config.template && !template) {
     const available = getDefaultRegistry().list().map((t) => t.name).join(", ");
-    console.warn(`[databox] Template "${config.template}" not found. Available: ${available || "none"}`);
+    console.warn(`Template "${config.template}" not found. Available: ${available || "none"}`);
   }
   const graph = buildDependencyGraph(schema.foreignKeys);
   const allTableNames = schema.tables.map((t) => t.name);
@@ -29621,10 +30020,17 @@ function buildGenerationPlan(schema, config, timelineConfig) {
     const dependencies = tableForeignKeys.map((fk) => fk.targetTable);
     const uniqueDeps = [...new Set(dependencies)];
     const tableConfig = template && registry && templateLookupName ? registry.matchTable(templateLookupName, table.name) : null;
-    const columns = table.columns.map((column) => {
+    const insertableColumns = table.columns.filter((col) => !col.isGenerated);
+    const columns = insertableColumns.map((column) => {
       let strategy;
       if (template && registry && templateLookupName) {
-        const override = resolveColumnOverride(templateLookupName, table.name, column.name, registry);
+        let override = resolveColumnOverride(templateLookupName, table.name, column.name, registry);
+        if (override?.kind === "enum" && override.options?.["values"] && Array.isArray(override.options["values"])) {
+          const vals = override.options["values"];
+          if (vals.length === 1 && vals[0] === "default") {
+            override = null;
+          }
+        }
         strategy = override ?? inferColumnStrategy(column, tableForeignKeys, table.name);
       } else {
         strategy = inferColumnStrategy(column, tableForeignKeys, table.name);
@@ -29658,6 +30064,13 @@ function buildGenerationPlan(schema, config, timelineConfig) {
           };
         }
       }
+      const INTEGER_TYPES2 = ["int2", "int4", "int8", "integer", "serial", "bigserial", "smallint", "bigint", "int", "mediumint", "tinyint"];
+      if (strategy.kind === "float" && INTEGER_TYPES2.includes(column.udtName.toLowerCase())) {
+        strategy = {
+          kind: "integer",
+          options: strategy.options
+        };
+      }
       const columnPlan = {
         columnName: column.name,
         dataType: column.udtName,
@@ -29933,7 +30346,7 @@ function createDatabaseClient(client, connectionString) {
     case "mysql":
       return createMysqlPool(connectionString);
     default:
-      throw new Error(`[databox] Unsupported database client: ${client}`);
+      throw new Error(`Unsupported database client: ${client}`);
   }
 }
 
@@ -29949,7 +30362,7 @@ async function testConnection(pool) {
     }
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`[databox] Database connection failed: ${message}`);
+    throw new Error(`Database connection failed: ${message}`);
   }
 }
 async function closeConnection(pool) {
@@ -29957,7 +30370,7 @@ async function closeConnection(pool) {
     await pool.end();
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`[databox] Failed to close database connection: ${message}`);
+    throw new Error(`Failed to close database connection: ${message}`);
   }
 }
 
@@ -29985,6 +30398,9 @@ function toMySQLValue(value) {
   if (typeof value === "string" && /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(value)) {
     return value.replace("T", " ").replace(/\.\d{3}Z$/, "").replace(/Z$/, "");
   }
+  if (value !== null && typeof value === "object") {
+    return JSON.stringify(value);
+  }
   return value;
 }
 async function batchInsertTable(client, table, batchSize, dialect = "postgres") {
@@ -30080,11 +30496,15 @@ async function truncateTables(pool, tableNames, cascade) {
 }
 
 // ../../packages/db/dist/readTable.js
-async function readTableRows(pool, tableName, columns) {
+async function readTableRows(pool, tableName, columns, limit) {
   const dialect = pool.dialect;
   const quotedColumns = columns.map((c) => quoteIdent(dialect, c)).join(", ");
   const quotedTable = quoteIdent(dialect, tableName);
-  const result = await pool.query(`SELECT ${quotedColumns} FROM ${quotedTable}`);
+  let sql = `SELECT ${quotedColumns} FROM ${quotedTable}`;
+  if (limit !== void 0 && limit > 0) {
+    sql += ` LIMIT ${Math.floor(limit)}`;
+  }
+  const result = await pool.query(sql);
   return result.rows;
 }
 
@@ -30117,25 +30537,32 @@ function normalizeSchema(raw) {
   for (const rawTable of raw.tables) {
     const rawCols = columnsByTable.get(rawTable.table_name);
     if (!rawCols || rawCols.length === 0) {
-      console.warn(`[databox] Table "${rawTable.table_name}" has no columns \u2014 excluding from schema`);
+      console.warn(`Table "${rawTable.table_name}" has no columns \u2014 excluding from schema`);
       continue;
     }
     const pk = primaryKeyMap.get(rawTable.table_name) ?? null;
     const primaryKey = pk ? { columnName: pk.column_name, constraintName: pk.constraint_name } : null;
-    const columns = rawCols.map((col) => ({
-      name: col.column_name,
-      dataType: col.data_type,
-      udtName: col.udt_name,
-      isNullable: col.is_nullable === "YES",
-      hasDefault: col.column_default !== null,
-      defaultValue: col.column_default,
-      maxLength: col.character_maximum_length,
-      numericPrecision: col.numeric_precision ?? null,
-      numericScale: col.numeric_scale ?? null,
-      isPrimaryKey: pk !== null && pk.column_name === col.column_name,
-      isUnique: pk !== null && pk.column_name === col.column_name || uniqueColumns.has(`${rawTable.table_name}.${col.column_name}`),
-      ordinalPosition: col.ordinal_position
-    }));
+    const columns = rawCols.map((col) => {
+      const extra = (col.extra ?? "").toLowerCase();
+      const isAutoIncrement = extra.includes("auto_increment");
+      const isGenerated = extra.includes("generated");
+      return {
+        name: col.column_name,
+        dataType: col.data_type,
+        udtName: col.udt_name,
+        isNullable: col.is_nullable === "YES",
+        hasDefault: col.column_default !== null || isAutoIncrement || isGenerated,
+        defaultValue: col.column_default,
+        maxLength: col.character_maximum_length,
+        numericPrecision: col.numeric_precision ?? null,
+        numericScale: col.numeric_scale ?? null,
+        isPrimaryKey: pk !== null && pk.column_name === col.column_name,
+        isUnique: pk !== null && pk.column_name === col.column_name || uniqueColumns.has(`${rawTable.table_name}.${col.column_name}`),
+        ordinalPosition: col.ordinal_position,
+        isGenerated
+      };
+    });
+    columns.sort((a, b) => a.ordinalPosition - b.ordinalPosition);
     tables.push({
       name: rawTable.table_name,
       schema: rawTable.table_schema,
@@ -30238,7 +30665,8 @@ async function getColumns(pool, schemaName = "public") {
               IS_NULLABLE AS is_nullable, COLUMN_DEFAULT AS column_default,
               CHARACTER_MAXIMUM_LENGTH AS character_maximum_length,
               NUMERIC_PRECISION AS numeric_precision, NUMERIC_SCALE AS numeric_scale,
-              ORDINAL_POSITION AS ordinal_position
+              ORDINAL_POSITION AS ordinal_position,
+              EXTRA AS extra
        FROM information_schema.columns
        WHERE TABLE_SCHEMA = ?
        ORDER BY TABLE_NAME, ORDINAL_POSITION`, [schemaName]);
@@ -30369,15 +30797,15 @@ async function introspectDatabase(pool, schemaName, options) {
   const schema = normalizeSchema({ tables, columns, foreignKeys, primaryKeys, uniqueConstraints });
   const validation = validateSchema(schema);
   for (const warning of validation.warnings) {
-    console.warn(`[databox] Schema warning: ${warning}`);
+    console.warn(`Schema warning: ${warning}`);
   }
   if (options?.verbose) {
     for (const vw of validation.verboseWarnings) {
-      console.warn(`[databox] Schema warning: ${vw}`);
+      console.warn(`Schema warning: ${vw}`);
     }
   }
   for (const error of validation.errors) {
-    console.error(`[databox] Schema error: ${error}`);
+    console.error(`Schema error: ${error}`);
   }
   return schema;
 }
@@ -30660,7 +31088,7 @@ async function scanDatabase(config) {
   try {
     const connected = await testConnection(pool);
     if (!connected) {
-      throw new Error("[databox] Database connection test returned false");
+      throw new Error("Database connection test returned false");
     }
     const schema = await introspectDatabase(pool);
     const graph = buildDependencyGraph(schema.foreignKeys);
@@ -30793,7 +31221,7 @@ function applyLifecycleOverlay(dataset, lifecycle, plan, schema) {
           if (validColumns && !validColumns.has(col)) {
             const key = `${lifecycle.rootTable}.${col}`;
             if (!warnedColumns.has(key)) {
-              console.warn(`[lifecycle] Skipping column '${col}' on table '${lifecycle.rootTable}' \u2014 does not exist in schema`);
+              console.warn(`Skipping lifecycle column '${col}' on table '${lifecycle.rootTable}' \u2014 not in schema`);
               warnedColumns.add(key);
             }
             continue;
@@ -30819,7 +31247,7 @@ function applyLifecycleOverlay(dataset, lifecycle, plan, schema) {
         if (validColumns && !validColumns.has(col)) {
           const key = `${tableName}.${col}`;
           if (!warnedColumns.has(key)) {
-            console.warn(`[lifecycle] Skipping column '${col}' on table '${tableName}' \u2014 does not exist in schema`);
+            console.warn(`Skipping lifecycle column '${col}' on table '${tableName}' \u2014 not in schema`);
             warnedColumns.add(key);
           }
           continue;
@@ -31225,7 +31653,7 @@ async function uploadToGist(content, options) {
       [options.filename]: { content }
     }
   });
-  return new Promise((resolve12, reject) => {
+  return new Promise((resolve13, reject) => {
     const req = import_node_https.default.request({
       hostname: "api.github.com",
       path: "/gists",
@@ -31247,7 +31675,7 @@ async function uploadToGist(content, options) {
           try {
             const parsed = JSON.parse(data);
             const fileEntry = parsed.files[options.filename];
-            resolve12({
+            resolve13({
               url: parsed.html_url,
               rawUrl: fileEntry?.raw_url ?? parsed.html_url,
               gistId: parsed.id
@@ -31374,7 +31802,7 @@ function fetchUrl(url, redirectCount = 0) {
     throw new Error("Too many redirects");
   }
   const lib = url.startsWith("https") ? import_node_https2.default : import_node_http.default;
-  return new Promise((resolve12, reject) => {
+  return new Promise((resolve13, reject) => {
     const req = lib.get(url, {
       headers: {
         "User-Agent": "realitydb-cli",
@@ -31382,7 +31810,7 @@ function fetchUrl(url, redirectCount = 0) {
       }
     }, (res) => {
       if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-        resolve12(fetchUrl(res.headers.location, redirectCount + 1));
+        resolve13(fetchUrl(res.headers.location, redirectCount + 1));
         return;
       }
       if (res.statusCode && (res.statusCode < 200 || res.statusCode >= 300)) {
@@ -31395,7 +31823,7 @@ function fetchUrl(url, redirectCount = 0) {
       });
       res.on("end", () => {
         const buffer = Buffer.concat(chunks);
-        resolve12(buffer.toString("utf-8"));
+        resolve13(buffer.toString("utf-8"));
       });
     });
     req.on("error", (err) => {
@@ -31405,17 +31833,65 @@ function fetchUrl(url, redirectCount = 0) {
 }
 
 // ../../packages/core/dist/analyzePipeline.js
+var PII_TO_KIND = {
+  email: "email",
+  phone: "phone",
+  name: "full_name",
+  address: "address",
+  ssn: "text",
+  ip_address: "text",
+  url: "url",
+  financial: "text",
+  medical: "text",
+  date_of_birth: "timestamp"
+};
 async function analyzeDatabase(config, options) {
   const start = performance.now();
   const sampleSize = options?.sampleSize ?? 1e3;
+  const safeMode = options?.safeMode ?? true;
   const pool = createDatabaseClient(config.database.client, config.database.connectionString);
   try {
     await testConnection(pool);
     const schema = await introspectDatabase(pool);
     const tableAnalyses = [];
+    let totalScanned = 0;
+    let totalDetections = 0;
+    const byCategory = {};
     for (const table of schema.tables) {
       const tableForeignKeys = schema.foreignKeys.filter((fk) => fk.sourceTable === table.name);
       const detections = detectTableColumns(table.columns, tableForeignKeys, table.name);
+      if (safeMode && table.estimatedRowCount > 0) {
+        const scanSampleSize = Math.min(sampleSize, 100);
+        const columnNames = table.columns.map((c) => c.name);
+        const sampleRows = await readTableRows(pool, table.name, columnNames, scanSampleSize);
+        if (sampleRows.length > 0) {
+          for (let i = 0; i < detections.length; i++) {
+            const detection = detections[i];
+            if (detection.isPrimaryKey || detection.isForeignKey)
+              continue;
+            const col = table.columns.find((c) => c.name === detection.columnName);
+            const values = sampleRows.map((r) => r[detection.columnName]);
+            const freeText = col ? isFreeTextColumn(col.name, col.udtName, col.maxLength) : false;
+            const scanResults = scanColumnValues(values, { isFreeText: freeText });
+            totalScanned++;
+            if (scanResults.length > 0) {
+              for (const result of scanResults) {
+                totalDetections++;
+                byCategory[result.category] = (byCategory[result.category] ?? 0) + 1;
+              }
+              const best = scanResults.sort((a, b) => b.hitRate - a.hitRate)[0];
+              const mappedKind = PII_TO_KIND[best.category];
+              if (mappedKind && (detection.confidence === "low" || detection.confidence === "medium")) {
+                detections[i] = {
+                  ...detection,
+                  confidence: best.confidence === "high" ? "high" : "medium",
+                  reason: `${detection.reason}; value scan confirmed ${best.matchedPattern} (${Math.round(best.hitRate * 100)}% hit rate)`
+                };
+              }
+            }
+          }
+        }
+      }
       const queryFn = async (sql) => {
         const result = await pool.query(sql);
         return result.rows;
@@ -31435,13 +31911,28 @@ async function analyzeDatabase(config, options) {
     const dbName = extractDatabaseName(config.database.connectionString);
     const hasSampleData = schema.tables.some((t) => t.estimatedRowCount > 0);
     const report = buildAnalysisReport(tableAnalyses, dbName, sampleSize, hasSampleData);
+    const confidenceBreakdown = { high: 0, medium: 0, low: 0 };
+    for (const analysis of tableAnalyses) {
+      for (const col of analysis.columns) {
+        confidenceBreakdown[col.detection.confidence]++;
+      }
+    }
     let templateJson;
-    if (options?.output) {
+    if (options?.output || options?.autoTemplate) {
       const template = generateTemplate(tableAnalyses, dbName);
       templateJson = serializeTemplate(template);
     }
+    const sanitizationReport = safeMode ? { totalScanned, totalDetections, byCategory } : void 0;
     const durationMs = Math.round(performance.now() - start);
-    return { schema, report, templateJson, durationMs };
+    return {
+      schema,
+      report,
+      templateJson,
+      templatePath: options?.output,
+      confidenceBreakdown,
+      sanitizationReport,
+      durationMs
+    };
   } finally {
     await closeConnection(pool);
   }
@@ -31480,8 +31971,45 @@ async function maskDatabase(config, options) {
       const detections = detectTablePII(table.columns, tableForeignKeys, table.name, mode);
       detectionsByTable.set(table.name, detections);
     }
+    if (options?.deepScan) {
+      for (const table of schema.tables) {
+        const detections = detectionsByTable.get(table.name);
+        if (!detections)
+          continue;
+        const safeCandidates = detections.filter((d) => d.category === "safe" && !d.isPrimaryKey && !d.isForeignKey);
+        if (safeCandidates.length === 0)
+          continue;
+        const candidateNames = safeCandidates.map((d) => d.columnName);
+        const sampleRows = await readTableRows(pool, table.name, candidateNames, 100);
+        if (sampleRows.length === 0)
+          continue;
+        for (const candidate of safeCandidates) {
+          const values = sampleRows.map((r) => r[candidate.columnName]);
+          const col = table.columns.find((c) => c.name === candidate.columnName);
+          const freeText = col ? isFreeTextColumn(col.name, col.udtName, col.maxLength) : false;
+          const scanResults = scanColumnValues(values, { isFreeText: freeText });
+          if (scanResults.length > 0) {
+            const best = scanResults.sort((a, b) => b.hitRate - a.hitRate)[0];
+            const idx = detections.findIndex((d) => d.columnName === candidate.columnName);
+            if (idx !== -1) {
+              detections[idx] = {
+                ...detections[idx],
+                category: best.category,
+                confidence: best.confidence,
+                reason: `Value scan: ${Math.round(best.hitRate * 100)}% of samples contain ${best.matchedPattern}`,
+                shouldMask: true,
+                maskStrategy: best.suggestedStrategy
+              };
+            }
+          }
+        }
+      }
+    }
     const maskResults = [];
     const random = createSeededRandom(seed);
+    const useTokenization = options?.tokenize ?? false;
+    const tokenPrefix = useTokenization ? generateTokenPrefix() : "TOK";
+    const allTokenEntries = [];
     const maskedTables = /* @__PURE__ */ new Map();
     for (const tableName of tableOrder) {
       const table = schema.tables.find((t) => t.name === tableName);
@@ -31513,15 +32041,36 @@ async function maskDatabase(config, options) {
         });
         continue;
       }
-      const { maskedRows, result } = maskTableRows(rows, detections, random, tableName);
-      maskResults.push(result);
+      let outputRows;
+      if (useTokenization) {
+        const { tokenizedRows, entries } = tokenizeTableRows(rows, detections, tableName, tokenPrefix);
+        outputRows = tokenizedRows;
+        allTokenEntries.push(...entries);
+        const columnsToMask = detections.filter((d) => d.shouldMask);
+        const maskedColumns = columnsToMask.map((d) => ({
+          columnName: d.columnName,
+          strategy: d.maskStrategy,
+          rowsMasked: tokenizedRows.filter((r) => r[d.columnName] !== null && r[d.columnName] !== void 0).length
+        }));
+        maskResults.push({
+          tableName,
+          rowCount: rows.length,
+          columnsMatched: detections.length,
+          columnsMasked: columnsToMask.length,
+          maskedColumns
+        });
+      } else {
+        const { maskedRows, result } = maskTableRows(rows, detections, random, tableName);
+        outputRows = maskedRows;
+        maskResults.push(result);
+      }
       if (dryRun)
         continue;
       maskedTables.set(tableName, {
         tableName,
         columns,
-        rows: maskedRows,
-        rowCount: maskedRows.length
+        rows: outputRows,
+        rowCount: outputRows.length
       });
     }
     let outputFiles;
@@ -31563,6 +32112,10 @@ async function maskDatabase(config, options) {
     }
     const dbName = extractDatabaseName2(config.database.connectionString);
     const auditLog = buildAuditLog(detectionsByTable, maskResults, mode, seed, dbName);
+    let tokenMap;
+    if (useTokenization && allTokenEntries.length > 0) {
+      tokenMap = buildTokenMap(allTokenEntries, tokenPrefix);
+    }
     const durationMs = Math.round(performance.now() - start);
     return {
       schema,
@@ -31571,7 +32124,8 @@ async function maskDatabase(config, options) {
       dryRun,
       tablesProcessed: maskResults.length,
       totalRowsMasked: auditLog.summary.totalRowsMasked,
-      outputFiles
+      outputFiles,
+      tokenMap
     };
   } finally {
     await closeConnection(pool);
@@ -31777,9 +32331,9 @@ var DEFAULT_CONNECTIONS = {
 };
 var SUPPORTED_CLIENTS = ["postgres", "mysql"];
 function ask(rl, prompt) {
-  return new Promise((resolve12) => {
+  return new Promise((resolve13) => {
     rl.question(prompt, (answer) => {
-      resolve12(answer);
+      resolve13(answer);
     });
   });
 }
@@ -32059,7 +32613,7 @@ async function loadConfig(filePath) {
   } else {
     const found = await findConfigFile(".");
     if (!found) {
-      throw new Error(`[realitydb] Config file not found.
+      throw new Error(`Config file not found.
 Create a realitydb.config.json or specify a path with --config.`);
     }
     resolvedPath = found;
@@ -32068,23 +32622,23 @@ Create a realitydb.config.json or specify a path with --config.`);
   try {
     raw = await (0, import_promises9.readFile)(resolvedPath, "utf-8");
   } catch {
-    throw new Error(`[realitydb] Config file not found: ${resolvedPath}
+    throw new Error(`Config file not found: ${resolvedPath}
 Create a realitydb.config.json or specify a path with --config.`);
   }
   let parsed;
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw new Error(`[realitydb] Invalid JSON in config file: ${resolvedPath}`);
+    throw new Error(`Invalid JSON in config file: ${resolvedPath}`);
   }
   const config = parsed;
   const database = config["database"];
   if (!database || typeof database["connectionString"] !== "string") {
-    throw new Error("[realitydb] Config validation failed: database.connectionString is required.");
+    throw new Error("Config validation failed: database.connectionString is required.");
   }
   const client = database["client"] ?? "postgres";
   if (client !== "postgres" && client !== "mysql") {
-    throw new Error(`[realitydb] Config validation failed: database.client must be 'postgres' or 'mysql', got '${client}'.`);
+    throw new Error(`Config validation failed: database.client must be 'postgres' or 'mysql', got '${client}'.`);
   }
   return {
     database: {
@@ -32196,6 +32750,7 @@ async function scanCommand(options) {
 
 // src/commands/seed.ts
 var import_node_path10 = require("path");
+var import_node_fs8 = require("fs");
 
 // src/resolveTemplate.ts
 function resolveTemplate(nameOrPath) {
@@ -32232,7 +32787,26 @@ async function seedCommand(options) {
     const records = options.records ? parseInt(options.records, 10) : void 0;
     const seed = options.seed ? parseInt(options.seed, 10) : void 0;
     const rawTemplateName = options.template ?? config.template;
-    const templateName = rawTemplateName && (rawTemplateName.includes("/") || rawTemplateName.includes("\\") || rawTemplateName.endsWith(".json")) ? (0, import_node_path10.resolve)(rawTemplateName) : rawTemplateName;
+    let templateName = rawTemplateName && (rawTemplateName.includes("/") || rawTemplateName.includes("\\") || rawTemplateName.endsWith(".json")) ? (0, import_node_path10.resolve)(rawTemplateName) : rawTemplateName;
+    if (options.autoTemplate && !templateName) {
+      if (!options.ci) {
+        console.log("");
+        console.log("Running auto-template analysis...");
+      }
+      const analyzeResult = await analyzeDatabase(config, {
+        sampleSize: 100,
+        autoTemplate: true,
+        safeMode: true
+      });
+      if (analyzeResult.templateJson) {
+        const autoPath = (0, import_node_path10.resolve)(".realitydb-auto-template.json");
+        (0, import_node_fs8.writeFileSync)(autoPath, analyzeResult.templateJson + "\n", "utf-8");
+        templateName = autoPath;
+        if (!options.ci) {
+          console.log(`Auto-template generated: ${autoPath}`);
+        }
+      }
+    }
     const timeline = options.timeline;
     const scenario = options.scenario;
     const scenarioIntensity = options.scenarioIntensity ?? "medium";
@@ -32656,7 +33230,7 @@ async function exportCommand(options) {
 }
 
 // src/commands/templates.ts
-var import_node_fs8 = require("fs");
+var import_node_fs9 = require("fs");
 var VERSION6 = "0.10.0";
 function templatesCommand() {
   const registry = getDefaultRegistry();
@@ -32683,7 +33257,7 @@ function templatesCommand() {
 }
 function templatesInitCommand() {
   const fileName = "realitydb.template.json";
-  if ((0, import_node_fs8.existsSync)(fileName)) {
+  if ((0, import_node_fs9.existsSync)(fileName)) {
     console.error(`[realitydb] ${fileName} already exists in this directory.`);
     process.exit(1);
   }
@@ -32717,7 +33291,7 @@ function templatesInitCommand() {
       }
     }
   };
-  (0, import_node_fs8.writeFileSync)(fileName, JSON.stringify(scaffold, null, 2) + "\n");
+  (0, import_node_fs9.writeFileSync)(fileName, JSON.stringify(scaffold, null, 2) + "\n");
   console.log("");
   console.log(`Created ${fileName}`);
   console.log("Edit this file to define your custom template.");
@@ -32728,7 +33302,7 @@ function templatesInitCommand() {
 }
 function templatesValidateCommand(filePath, options) {
   const start = performance.now();
-  if (!(0, import_node_fs8.existsSync)(filePath)) {
+  if (!(0, import_node_fs9.existsSync)(filePath)) {
     if (options.ci) {
       console.log(formatCIOutput({
         success: false,
@@ -32745,7 +33319,7 @@ function templatesValidateCommand(filePath, options) {
   }
   let json;
   try {
-    const raw = (0, import_node_fs8.readFileSync)(filePath, "utf-8");
+    const raw = (0, import_node_fs9.readFileSync)(filePath, "utf-8");
     json = JSON.parse(raw);
   } catch {
     if (options.ci) {
@@ -32808,7 +33382,7 @@ function templatesValidateCommand(filePath, options) {
 }
 
 // src/commands/scenarios.ts
-var import_node_fs9 = require("fs");
+var import_node_fs10 = require("fs");
 var import_node_path12 = require("path");
 function scenariosCommand() {
   const registry = getDefaultScenarioRegistry();
@@ -32833,12 +33407,12 @@ function scenariosCreateCommand(name) {
   const sanitized = name.trim().toLowerCase().replace(/[^a-z0-9-]/g, "-");
   const fileName = `${sanitized}.scenario.json`;
   const filePath = (0, import_node_path12.resolve)(fileName);
-  if ((0, import_node_fs9.existsSync)(filePath)) {
+  if ((0, import_node_fs10.existsSync)(filePath)) {
     console.error(`[realitydb] File already exists: ${fileName}`);
     process.exit(1);
   }
   const scaffold = scaffoldCustomScenario(sanitized);
-  (0, import_node_fs9.writeFileSync)(filePath, JSON.stringify(scaffold, null, 2) + "\n", "utf-8");
+  (0, import_node_fs10.writeFileSync)(filePath, JSON.stringify(scaffold, null, 2) + "\n", "utf-8");
   console.log("");
   console.log(`Created custom scenario: ${fileName}`);
   console.log("");
@@ -33593,7 +34167,7 @@ function getDefaultSchema() {
 }
 
 // src/commands/analyze.ts
-var import_node_fs10 = require("fs");
+var import_node_fs11 = require("fs");
 var import_node_path16 = require("path");
 var VERSION12 = "1.3.1";
 async function analyzeCommand(options) {
@@ -33602,21 +34176,26 @@ async function analyzeCommand(options) {
     const config = await loadConfig(options.configPath);
     const sampleSize = options.sampleSize ? parseInt(options.sampleSize, 10) : 1e3;
     const masked = maskConnectionString(config.database.connectionString);
+    const safeMode = !options.unsafeAnalyze;
+    const autoTemplate = options.autoTemplate ?? false;
+    const outputPath = options.output ?? (autoTemplate ? "./realitydb-template.json" : void 0);
     if (!options.ci) {
       console.log("");
-      console.log("RealityDB Analyze");
+      console.log("RealityDB Schema Analysis");
       console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
       console.log(`Database: ${masked}`);
       console.log(`Sample size: ${sampleSize} rows per table`);
-      if (options.output) {
-        console.log(`Output: ${options.output}`);
+      if (outputPath) {
+        console.log(`Output: ${outputPath}`);
       }
       console.log("");
       console.log("Analyzing schema...");
     }
     const result = await analyzeDatabase(config, {
       sampleSize,
-      output: options.output
+      output: outputPath,
+      safeMode,
+      autoTemplate
     });
     const durationMs = Math.round(performance.now() - start);
     if (options.ci) {
@@ -33629,20 +34208,46 @@ async function analyzeCommand(options) {
         durationMs,
         data: {
           ...ciData,
-          templateGenerated: !!options.output,
-          templateFile: options.output ?? null
+          confidenceBreakdown: result.confidenceBreakdown,
+          sanitizationReport: result.sanitizationReport ?? null,
+          templateGenerated: !!outputPath,
+          templateFile: outputPath ?? null
         }
       }));
-      if (result.templateJson && options.output) {
-        const filePath = (0, import_node_path16.resolve)(options.output);
-        (0, import_node_fs10.writeFileSync)(filePath, result.templateJson + "\n", "utf-8");
+      if (result.templateJson && outputPath) {
+        const filePath = (0, import_node_path16.resolve)(outputPath);
+        (0, import_node_fs11.writeFileSync)(filePath, result.templateJson + "\n", "utf-8");
       }
       return;
     }
     console.log(formatAnalysisReport(result.report));
-    if (result.templateJson && options.output) {
-      const filePath = (0, import_node_path16.resolve)(options.output);
-      (0, import_node_fs10.writeFileSync)(filePath, result.templateJson + "\n", "utf-8");
+    const total = result.confidenceBreakdown.high + result.confidenceBreakdown.medium + result.confidenceBreakdown.low;
+    if (total > 0) {
+      console.log("Analysis Summary:");
+      const pct = (n) => total > 0 ? Math.round(n / total * 100) : 0;
+      console.log(`  High confidence:   ${result.confidenceBreakdown.high} columns (${pct(result.confidenceBreakdown.high)}%)`);
+      console.log(`  Medium confidence:  ${result.confidenceBreakdown.medium} columns (${pct(result.confidenceBreakdown.medium)}%)`);
+      console.log(`  Low confidence:     ${result.confidenceBreakdown.low} columns (${pct(result.confidenceBreakdown.low)}%)`);
+      console.log("");
+    }
+    if (safeMode && result.sanitizationReport) {
+      const sr = result.sanitizationReport;
+      console.log("PII Sanitization: ENABLED");
+      console.log(`  Values scanned:     ${sr.totalScanned.toLocaleString()}`);
+      console.log(`  PII detected:       ${sr.totalDetections} instances`);
+      if (Object.keys(sr.byCategory).length > 0) {
+        const cats = Object.entries(sr.byCategory).map(([k, v]) => `${k} (${v})`).join(", ");
+        console.log(`  Categories:         ${cats}`);
+      }
+      console.log("");
+    } else if (!safeMode) {
+      console.log("PII Sanitization: DISABLED (--unsafe-analyze)");
+      console.log("  Warning: Sample values were NOT sanitized. Do not use on production databases.");
+      console.log("");
+    }
+    if (result.templateJson && outputPath) {
+      const filePath = (0, import_node_path16.resolve)(outputPath);
+      (0, import_node_fs11.writeFileSync)(filePath, result.templateJson + "\n", "utf-8");
       console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
       console.log(`Template generated: ${filePath}`);
       console.log("");
@@ -33651,10 +34256,11 @@ async function analyzeCommand(options) {
       console.log("");
       console.log("Validate it with:");
       console.log(`  realitydb templates validate "${filePath}"`);
-    } else if (!options.output) {
+    } else if (!outputPath) {
       console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
       console.log("To generate a template from this analysis:");
       console.log("  realitydb analyze --output my-template.json");
+      console.log("  realitydb analyze --auto-template");
     }
     const totalTime = (durationMs / 1e3).toFixed(1);
     console.log("");
@@ -33687,9 +34293,32 @@ async function analyzeCommand(options) {
 }
 
 // src/commands/mask.ts
-var import_node_fs11 = require("fs");
+var import_node_fs12 = require("fs");
 var import_node_path17 = require("path");
+var import_node_readline2 = require("readline");
+var import_node_process2 = require("process");
 var VERSION13 = "1.3.1";
+function askPassphrase(prompt) {
+  return new Promise((resolvePromise) => {
+    const rl = (0, import_node_readline2.createInterface)({ input: import_node_process2.stdin, output: import_node_process2.stdout });
+    const originalWrite = import_node_process2.stdout.write.bind(import_node_process2.stdout);
+    let muted = false;
+    import_node_process2.stdout.write = ((chunk, ...args) => {
+      if (muted && typeof chunk === "string" && !chunk.includes(prompt)) {
+        return originalWrite("*");
+      }
+      return originalWrite(chunk, ...args);
+    });
+    rl.question(prompt, (answer) => {
+      muted = false;
+      import_node_process2.stdout.write = originalWrite;
+      console.log("");
+      rl.close();
+      resolvePromise(answer);
+    });
+    muted = true;
+  });
+}
 async function maskCommand(options) {
   const start = performance.now();
   try {
@@ -33747,6 +34376,12 @@ async function maskCommand(options) {
       } else {
         console.log("Mode: write to database (--confirm)");
       }
+      if (options.tokenize) {
+        console.log("Masking: tokenization (reversible)");
+        if (options.tokenMap) {
+          console.log(`Token map: ${options.tokenMap} (AES-256-GCM encrypted)`);
+        }
+      }
       if (options.auditLog) {
         console.log(`Audit log: ${options.auditLog}`);
       }
@@ -33760,12 +34395,30 @@ async function maskCommand(options) {
       output: options.output,
       outputFormat,
       auditLog: options.auditLog,
-      confirm: options.confirm
+      confirm: options.confirm,
+      tokenize: options.tokenize,
+      deepScan: options.deepScan
     });
     const durationMs = Math.round(performance.now() - start);
     if (options.auditLog) {
       const auditPath = (0, import_node_path17.resolve)(options.auditLog);
-      (0, import_node_fs11.writeFileSync)(auditPath, serializeAuditLog(result.auditLog) + "\n", "utf-8");
+      (0, import_node_fs12.writeFileSync)(auditPath, serializeAuditLog(result.auditLog) + "\n", "utf-8");
+    }
+    if (options.tokenMap && result.tokenMap) {
+      const passphrase = await askPassphrase("Enter passphrase for token map encryption: ");
+      if (!passphrase || passphrase.length === 0) {
+        console.error("[realitydb] Passphrase cannot be empty. Token map not written.");
+      } else {
+        const encryptedData = encryptTokenMap(result.tokenMap, passphrase);
+        const tokenMapPath = (0, import_node_path17.resolve)(options.tokenMap);
+        (0, import_node_fs12.writeFileSync)(tokenMapPath, encryptedData + "\n", "utf-8");
+        if (!options.ci) {
+          console.log(`Token map exported (AES-256-GCM encrypted) \u2192 ${tokenMapPath}`);
+          console.log(`  ${result.tokenMap.totalTokens} unique tokens generated`);
+          console.log("  Store the passphrase securely \u2014 it cannot be recovered");
+          console.log("");
+        }
+      }
     }
     if (options.ci) {
       console.log(formatCIOutput({
@@ -33839,9 +34492,155 @@ async function maskCommand(options) {
   }
 }
 
-// src/commands/classroom.ts
-var import_node_fs12 = require("fs");
+// src/commands/audit.ts
+var import_node_fs13 = require("fs");
 var import_node_path18 = require("path");
+var import_node_readline3 = require("readline");
+var import_node_process3 = require("process");
+function askPassphrase2(prompt) {
+  return new Promise((resolvePromise) => {
+    const rl = (0, import_node_readline3.createInterface)({ input: import_node_process3.stdin, output: import_node_process3.stdout });
+    const originalWrite = import_node_process3.stdout.write.bind(import_node_process3.stdout);
+    let muted = false;
+    import_node_process3.stdout.write = ((chunk, ...args) => {
+      if (muted && typeof chunk === "string" && !chunk.includes(prompt)) {
+        return originalWrite("*");
+      }
+      return originalWrite(chunk, ...args);
+    });
+    rl.question(prompt, (answer) => {
+      muted = false;
+      import_node_process3.stdout.write = originalWrite;
+      console.log("");
+      rl.close();
+      resolvePromise(answer);
+    });
+    muted = true;
+  });
+}
+async function auditVerifyCommand(logFile, options) {
+  try {
+    const filePath = (0, import_node_path18.resolve)(logFile);
+    const raw = (0, import_node_fs13.readFileSync)(filePath, "utf-8");
+    const log = JSON.parse(raw);
+    const result = verifyAuditLogIntegrity(log);
+    const entryCount = log.tables?.length ?? 0;
+    if (options.ci) {
+      console.log(JSON.stringify({
+        file: filePath,
+        entries: entryCount,
+        valid: result.valid,
+        brokenAt: result.brokenAt ?? null
+      }));
+      process.exit(result.valid ? 0 : 1);
+    }
+    console.log("");
+    console.log("Audit Chain Verification");
+    console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+    console.log(`File: ${logFile}`);
+    console.log(`Entries: ${entryCount}`);
+    if (result.valid) {
+      console.log("Chain integrity: VERIFIED (all hashes valid)");
+    } else {
+      console.log(`Chain integrity: BROKEN at table "${result.brokenAt}"`);
+      console.log("The audit log has been tampered with.");
+    }
+    console.log("");
+    process.exit(result.valid ? 0 : 1);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[realitydb] Audit verify failed: ${message}`);
+    process.exit(1);
+  }
+}
+async function auditSummaryCommand(logFile, options) {
+  try {
+    const filePath = (0, import_node_path18.resolve)(logFile);
+    const raw = (0, import_node_fs13.readFileSync)(filePath, "utf-8");
+    const log = JSON.parse(raw);
+    if (options.ci) {
+      console.log(JSON.stringify({
+        file: filePath,
+        complianceMode: log.complianceMode,
+        summary: log.summary,
+        tables: log.tables.map((t) => ({
+          tableName: t.tableName,
+          rowCount: t.rowCount,
+          piiColumnsDetected: t.piiColumnsDetected,
+          columnsMasked: t.columnsMasked
+        }))
+      }));
+      return;
+    }
+    console.log("");
+    console.log(formatAuditLog(log));
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[realitydb] Audit summary failed: ${message}`);
+    process.exit(1);
+  }
+}
+async function auditReIdentifyCommand(options) {
+  try {
+    if (!options.tokenMap) {
+      console.error("[realitydb] --token-map <file> is required for re-identify");
+      process.exit(1);
+    }
+    const filePath = (0, import_node_path18.resolve)(options.tokenMap);
+    const encryptedData = (0, import_node_fs13.readFileSync)(filePath, "utf-8").trim();
+    const passphrase = await askPassphrase2("Enter passphrase to decrypt token map: ");
+    if (!passphrase) {
+      console.error("[realitydb] Passphrase cannot be empty.");
+      process.exit(1);
+    }
+    const tokenMap = decryptTokenMap(encryptedData, passphrase);
+    if (options.ci) {
+      console.log(JSON.stringify({
+        totalTokens: tokenMap.totalTokens,
+        tokenPrefix: tokenMap.tokenPrefix,
+        createdAt: tokenMap.createdAt,
+        entries: tokenMap.entries.length
+      }));
+      return;
+    }
+    console.log("");
+    console.log("Token Map Re-Identification");
+    console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+    console.log(`Token prefix: ${tokenMap.tokenPrefix}`);
+    console.log(`Created: ${tokenMap.createdAt}`);
+    console.log("");
+    const byTable = /* @__PURE__ */ new Map();
+    for (const entry of tokenMap.entries) {
+      const existing = byTable.get(entry.tableName) ?? [];
+      existing.push(entry);
+      byTable.set(entry.tableName, existing);
+    }
+    for (const [tableName, entries] of byTable) {
+      console.log(`Table: ${tableName}`);
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      for (const entry of entries) {
+        console.log(`  ${entry.token} \u2192 ${String(entry.originalValue)} (${entry.columnName}, ${entry.piiCategory})`);
+      }
+      console.log("");
+    }
+    console.log(`Restored ${tokenMap.totalTokens} token mappings`);
+    console.log("");
+    console.log("These are real PII values. Handle according to your data policy.");
+    console.log("");
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("Decryption failed")) {
+      console.error(message);
+    } else {
+      console.error(`[realitydb] Re-identify failed: ${message}`);
+    }
+    process.exit(1);
+  }
+}
+
+// src/commands/classroom.ts
+var import_node_fs14 = require("fs");
+var import_node_path19 = require("path");
 var VERSION14 = "1.3.1";
 async function classroomListCommand(options) {
   const start = performance.now();
@@ -34104,8 +34903,8 @@ async function classroomCreateCommand(name, options) {
   try {
     const content = classroomCreate(name);
     const filename = `${name}.course.json`;
-    const filePath = (0, import_node_path18.resolve)(filename);
-    (0, import_node_fs12.writeFileSync)(filePath, content + "\n", "utf-8");
+    const filePath = (0, import_node_path19.resolve)(filename);
+    (0, import_node_fs14.writeFileSync)(filePath, content + "\n", "utf-8");
     const durationMs = Math.round(performance.now() - start);
     if (options.ci) {
       console.log(formatCIOutput({
@@ -34355,22 +35154,22 @@ async function simulateWebhooksCommand(options) {
 }
 
 // src/cli.ts
-var VERSION16 = "1.6.3";
+var VERSION16 = "1.7.0";
 function run(argv) {
   const program2 = new Command();
-  program2.name("realitydb").description("RealityDB \xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u201A\xC2\x9D Developer Reality Platform").version(VERSION16).option("--config <path>", "Path to config file").option("--ci", "CI mode: JSON output, no prompts, proper exit codes", false).option("--verbose", "Enable verbose output", false);
-  program2.command("init").description("Interactive setup wizard \xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u201A\xC2\x9D connect, scan, and seed in one step").action(async () => {
+  program2.name("realitydb").description("RealityDB \xC3\u0192\xC6\u2019\xC3\u2020\xE2\u20AC\u2122\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xA2\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u2026\xC2\xA1\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xAC\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\x9D Developer Reality Platform").version(VERSION16).option("--config <path>", "Path to config file").option("--ci", "CI mode: JSON output, no prompts, proper exit codes", false).option("--verbose", "Enable verbose output", false);
+  program2.command("init").description("Interactive setup wizard \xC3\u0192\xC6\u2019\xC3\u2020\xE2\u20AC\u2122\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xA2\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u2026\xC2\xA1\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xAC\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\x9D connect, scan, and seed in one step").action(async () => {
     await initCommand();
   });
   program2.command("scan").description("Scan database schema").action(async () => {
     const opts = program2.opts();
     await scanCommand({ ci: opts.ci, configPath: opts.config });
   });
-  program2.command("analyze").description("Analyze database schema and suggest column strategies").option("--output <file>", "Generate a template JSON file from analysis").option("--sample-size <count>", "Number of rows to sample per table", "1000").action(async (cmdOpts) => {
+  program2.command("analyze").description("Analyze database schema and suggest column strategies").option("--output <file>", "Generate a template JSON file from analysis").option("--sample-size <count>", "Number of rows to sample per table", "1000").option("--unsafe-analyze", "Disable PII sanitization (local dev only)").option("--auto-template", "Generate template from analysis (default: ./realitydb-template.json)").action(async (cmdOpts) => {
     const opts = program2.opts();
     await analyzeCommand({ ...cmdOpts, ci: opts.ci, configPath: opts.config });
   });
-  program2.command("seed").description("Seed database with generated data").option("--records <count>", "Number of records per table").option("--template <name|path>", "Template name or path to custom .json file").option("--seed <number>", "Random seed for reproducibility").option("--timeline <duration>", 'Timeline duration (e.g., "12-months", "1-year")').option("--scenario <names>", "Scenarios to apply (comma-separated)").option("--scenario-intensity <level>", "Scenario intensity (low|medium|high)", "medium").option("--scenario-schedule <schedule>", 'Timeline-scheduled scenarios (e.g., "fraud-spike:month-6,churn-spike:month-9")').option("--lifecycle", "Enable lifecycle simulation for causally-connected data").action(async (cmdOpts) => {
+  program2.command("seed").description("Seed database with generated data").option("--records <count>", "Number of records per table").option("--template <name|path>", "Template name or path to custom .json file").option("--seed <number>", "Random seed for reproducibility").option("--timeline <duration>", 'Timeline duration (e.g., "12-months", "1-year")').option("--scenario <names>", "Scenarios to apply (comma-separated)").option("--scenario-intensity <level>", "Scenario intensity (low|medium|high)", "medium").option("--scenario-schedule <schedule>", 'Timeline-scheduled scenarios (e.g., "fraud-spike:month-6,churn-spike:month-9")').option("--lifecycle", "Enable lifecycle simulation for causally-connected data").option("--auto-template", "Run analyze \xE2\u2020\u2019 generate template \xE2\u2020\u2019 seed in one command").action(async (cmdOpts) => {
     const opts = program2.opts();
     await seedCommand({ ...cmdOpts, ci: opts.ci, configPath: opts.config });
   });
@@ -34398,10 +35197,23 @@ function run(argv) {
   scenarios.command("create <name>").description("Scaffold a custom scenario JSON file").action((name) => {
     scenariosCreateCommand(name);
   });
-  program2.command("mask").description("Detect and mask PII in your database").option("--mode <mode>", "Compliance mode (hipaa|gdpr|strict)", "gdpr").option("--seed <number>", "Random seed for deterministic masking").option("--dry-run", "Preview PII detection without modifying data").option("--output <dir>", "Export masked data to files instead of writing to DB").option("--output-format <format>", "Output format (json|csv|sql)", "json").option("--audit-log <file>", "Write audit log to file").option("--confirm", "Confirm writing masked data back to database").action(async (cmdOpts) => {
+  program2.command("mask").description("Detect and mask PII in your database").option("--mode <mode>", "Compliance mode (hipaa|gdpr|strict)", "gdpr").option("--seed <number>", "Random seed for deterministic masking").option("--dry-run", "Preview PII detection without modifying data").option("--output <dir>", "Export masked data to files instead of writing to DB").option("--output-format <format>", "Output format (json|csv|sql)", "json").option("--audit-log <file>", "Write audit log to file").option("--confirm", "Confirm writing masked data back to database").option("--tokenize", "Use reversible tokenization instead of irreversible masking").option("--token-map <file>", "Write token map to file (requires --tokenize)").option("--deep-scan", "Scan sample values to detect PII missed by schema analysis").action(async (cmdOpts) => {
     const opts = program2.opts();
     await maskCommand({ ...cmdOpts, ci: opts.ci, configPath: opts.config });
   });
+  const audit = program2.command("audit").description("Audit log operations");
+  audit.command("verify <log-file>").description("Verify audit log hash chain integrity").action(async (logFile) => {
+    const opts = program2.opts();
+    await auditVerifyCommand(logFile, { ci: opts.ci });
+  });
+  audit.command("summary <log-file>").description("Print formatted compliance summary from audit log").action(async (logFile) => {
+    const opts = program2.opts();
+    await auditSummaryCommand(logFile, { ci: opts.ci });
+  });
+  audit.command("re-identify").description("Decrypt token map and display original PII mappings").requiredOption("--token-map <file>", "Encrypted token map file").action(async (cmdOpts) => {
+    const opts = program2.opts();
+    await auditReIdentifyCommand({ ...cmdOpts, ci: opts.ci });
+  });
   const classroom = program2.command("classroom").description("Education and classroom mode");
   classroom.command("list", { isDefault: true }).description("List available courses").action(async () => {
     const opts = program2.opts();
@@ -34472,7 +35284,7 @@ function run(argv) {
       console.log(JSON.stringify({ name: "realitydb", version: VERSION16 }));
     } else {
       console.log("");
-      console.log(`RealityDB v${VERSION16} \xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u201A\xC2\x9D Developer Reality Platform`);
+      console.log(`RealityDB v${VERSION16} \xC3\u0192\xC6\u2019\xC3\u2020\xE2\u20AC\u2122\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xA2\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u20AC\u0161\xC2\xAC\xC3\u2026\xC2\xA1\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\xAC\xC3\u0192\xC6\u2019\xC3\u201A\xC2\xA2\xC3\u0192\xC2\xA2\xC3\xA2\xE2\u201A\xAC\xC5\xA1\xC3\u201A\xC2\xAC\xC3\u0192\xE2\u20AC\u0161\xC3\u201A\xC2\x9D Developer Reality Platform`);
       console.log("Run `realitydb --help` for available commands.");
       console.log("");
     }