docs(01-05): complete CLI integration plan

- SUMMARY.md with all task commits and self-check
- STATE.md updated with progress, decisions, metrics
- ROADMAP.md updated with phase 01 plan progress
- Requirements CLI-01 through CLI-05 marked complete

.planning/phases/01-foundation/01-05-SUMMARY.md

@@ -0,0 +1,137 @@
+---
+phase: 01-foundation
+plan: 05
+subsystem: cli
+tags: [cobra, viper, lipgloss, cli, config, output]
+
+# Dependency graph
+requires:
+  - phase: 01-foundation/02
+    provides: Provider registry with NewRegistry(), List(), Get(), Stats(), AC()
+  - phase: 01-foundation/03
+    provides: Storage layer with Open(), SaveFinding(), DeriveKey(), NewSalt(), Encrypt/Decrypt
+  - phase: 01-foundation/04
+    provides: Scan engine with NewEngine(), Scan(), FileSource, Finding type
+provides:
+  - Cobra CLI with 11 registered commands (scan, verify, import, recon, keys, serve, dorks, hook, schedule, providers, config)
+  - Working scan command that runs three-stage pipeline and persists encrypted findings
+  - providers list/info/stats subcommands
+  - config init/set/get subcommands with viper persistence
+  - Per-installation salt stored in settings table (not hardcoded)
+  - Config package with Load() defaults
+  - Output package with lipgloss terminal table
+  - Settings CRUD (GetSetting/SetSetting) for key-value storage
+affects: [phase-02, phase-05, phase-06, phase-07, phase-08, phase-09, phase-17, phase-18]
+
+# Tech tracking
+tech-stack:
+  added: [cobra v1.10.2, viper v1.21.0, lipgloss]
+  patterns: [cmd-package-per-command, viper-config-binding, settings-table-for-runtime-state]
+
+key-files:
+  created:
+    - cmd/root.go
+    - cmd/scan.go
+    - cmd/providers.go
+    - cmd/config.go
+    - cmd/stubs.go
+    - pkg/config/config.go
+    - pkg/output/table.go
+    - pkg/storage/settings.go
+  modified: []
+
+key-decisions:
+  - "Per-installation salt via settings table -- no hardcoded salt in production code"
+  - "Exit code semantics: 0=clean, 1=keys-found, 2=error for CI/CD integration"
+  - "JSON output returns valid empty array [] when no findings"
+  - "Stub commands print phase info so users know what is coming"
+
+patterns-established:
+  - "cmd/ package: one file per command group, root.go registers all"
+  - "loadOrCreateEncKey pattern: salt from settings table, DeriveKey with Argon2id"
+  - "viper.BindPFlag for CLI flag -> config binding"
+
+requirements-completed: [CLI-01, CLI-02, CLI-03, CLI-04, CLI-05]
+
+# Metrics
+duration: 4min
+completed: 2026-04-05
+---
+
+# Phase 1 Plan 5: CLI Integration Summary
+
+**Cobra CLI wiring all Phase 1 subsystems: scan command with encrypted storage + per-installation salt, providers list/info/stats, config init/set/get, and 8 stub commands**
+
+## Performance
+
+- **Duration:** 4 min
+- **Started:** 2026-04-05T09:23:58Z
+- **Completed:** 2026-04-05T09:27:38Z
+- **Tasks:** 2 (Task 3 was auto-approved checkpoint)
+- **Files modified:** 8
+
+## Accomplishments
+- Full Cobra CLI with all 11 commands registered and accessible via --help
+- Working end-to-end scan pipeline: `keyhunter scan ./file` detects keys, encrypts them, persists to SQLite
+- Per-installation salt generated on first run, stored in settings table, reused on subsequent runs
+- providers list/info/stats showing all 3 embedded providers with metadata
+- config init/set/get with viper persistence to ~/.keyhunter.yaml
+- JSON output format with valid empty array for no-findings case
+- Production build: CGO_ENABLED=0 produces ~10MB static binary
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Config package, output table, root command, and settings helpers** - `9da0b68` (feat)
+
+**Plan metadata:** pending (docs: complete plan)
+
+## Files Created/Modified
+- `cmd/root.go` - Cobra root command with PersistentPreRunE config loading via viper
+- `cmd/scan.go` - Scan command wiring engine + storage + output with per-installation salt
+- `cmd/providers.go` - providers list/info/stats subcommands using Registry
+- `cmd/config.go` - config init/set/get subcommands using Viper
+- `cmd/stubs.go` - 8 stub commands for future phases (verify, import, recon, keys, serve, dorks, hook, schedule)
+- `pkg/config/config.go` - Config struct with Load() and sensible defaults
+- `pkg/output/table.go` - lipgloss terminal table for PrintFindings with color-coded confidence
+- `pkg/storage/settings.go` - GetSetting/SetSetting for settings table CRUD
+
+## Decisions Made
+- Per-installation salt via settings table: no hardcoded salt in production code, each installation gets unique encryption salt
+- Exit code semantics: 0=clean, 1=keys-found, 2=error -- standard for CI/CD pipeline integration
+- JSON output returns valid empty array `[]` when no findings (not a comment string)
+- Stub commands print their target phase so users know the feature is planned
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+None
+
+## User Setup Required
+None - no external service configuration required.
+
+## Next Phase Readiness
+- Phase 1 foundation complete: provider registry, storage, engine, and CLI all integrated
+- Ready for Phase 2 (provider YAML expansion to 108 providers)
+- Ready for Phase 5 (verification engine -- verify stub command is registered)
+- All future phase commands have stubs registered and ready to be implemented
+
+## Self-Check: PASSED
+
+- All 8 created files verified present on disk
+- Commit 9da0b68 verified in git log
+- `go test ./...` all pass
+- `go build ./...` succeeds
+- `keyhunter scan testdata/samples/openai_key.txt` exits 1 with findings
+- `keyhunter scan testdata/samples/no_keys.txt` exits 0
+- `keyhunter providers list` shows 3 providers
+- `keyhunter config init` creates ~/.keyhunter.yaml
+- No plaintext keys in raw SQLite database
+- CGO_ENABLED=0 production build succeeds
+
+---
+*Phase: 01-foundation*
+*Completed: 2026-04-05*