diff --git a/.cursor/rules/log-analysis.mdc b/.cursor/rules/log-analysis.mdc
new file mode 100644
index 0000000..cdfa1d0
--- /dev/null
+++ b/.cursor/rules/log-analysis.mdc
@@ -0,0 +1,21 @@
+---
+description: Use ctrlb-decompose to analyze log files before reading them raw
+globs: **/*.log
+alwaysApply: false
+---
+
+# Log File Analysis
+
+This project includes ctrlb-decompose, a log pattern extraction tool. When you encounter a `.log` file or are asked to analyze logs, run ctrlb-decompose first to get a structural summary:
+
+```bash
+./target/release/ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+```
+
+This compresses raw log lines into patterns with typed variables, quantile stats (p50/p99), and anomaly detection. Errors and warnings are prioritized first.
+
+For JSON output: `./target/release/ctrlb-decompose <file> --json --quiet 2>/dev/null`
+
+For piped input: `kubectl logs pod | ./target/release/ctrlb-decompose --llm --source-label "pod-name"`
+
+Workflow: decompose first, identify patterns of interest, then grep or use `--context N` with a higher N to see more examples.
diff --git a/.cursorrules b/.cursorrules
new file mode 100644
index 0000000..d76a2e0
--- /dev/null
+++ b/.cursorrules
@@ -0,0 +1,35 @@
+This repository contains ctrlb-decompose, a CLI tool that compresses raw log lines into structural patterns with typed variables, quantile statistics, anomaly detection, and temporal correlations.
+
+## Log Analysis
+
+When working with log files (>100 lines), run ctrlb-decompose first to get a structural summary before reading raw logs:
+
+```bash
+./target/release/ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+```
+
+This compresses thousands of log lines into a handful of actionable patterns with:
+- Error/warning patterns prioritized first
+- Typed variables (IPv4, UUID, Duration, HexID, Integer, Enum, etc.)
+- Quantile statistics (p50, p99, min, max) for numeric variables
+- Example raw lines for each pattern
+
+Key flags:
+- `--llm` — Token-efficient markdown output (default context=2, banner suppressed)
+- `--json` — Structured JSON output for programmatic use
+- `--source-label <name>` — Tag output with a source name (e.g., pod name)
+- `--sim-threshold <0.0-1.0>` — Tune clustering granularity (default 0.5, lower = fewer patterns)
+- `--top <N>` — Limit to top N patterns (default 20)
+- `--context <N>` — Example lines per pattern
+
+Works with stdin: `kubectl logs pod | ./target/release/ctrlb-decompose --llm`
+
+Workflow: decompose first, identify patterns of interest, then drill into the raw file with grep or higher --context.
+
+## Build
+
+```bash
+cargo build --release
+cargo test --locked
+cargo clippy
+```
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
new file mode 100644
index 0000000..a6356bf
--- /dev/null
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,25 @@
+This repository contains ctrlb-decompose, a CLI tool that compresses raw log lines into structural patterns with typed variables, quantile statistics, and anomaly detection.
+
+## Log Analysis
+
+When working with log files (>100 lines), run ctrlb-decompose first:
+
+```bash
+./target/release/ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+```
+
+Key flags:
+- `--llm` — Token-efficient markdown (errors first, quantile stats inline)
+- `--json` — Structured JSON for programmatic use
+- `--source-label <name>` — Tag output with source name
+- `--sim-threshold <0.0-1.0>` — Tune clustering granularity (default 0.5)
+
+Works with stdin: `kubectl logs pod | ./target/release/ctrlb-decompose --llm`
+
+## Build & Test
+
+```bash
+cargo build --release
+cargo test --locked
+cargo clippy
+```
diff --git a/.gitignore b/.gitignore
index 7d5320d..a275b9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,4 +27,8 @@ target
 /logs
 
 # WASM build output (regenerated by wasm-pack)
-/web/pkg
\ No newline at end of file
+/web/pkg
+
+# Perf profiling data
+perf.data
+perf.data.old
\ No newline at end of file
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..6bf141a
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,53 @@
+# AGENTS.md
+
+This file provides guidance to Codex and other AI agents working with code in this repository.
+
+## Project
+
+ctrlb-decompose compresses raw log lines into structural patterns with typed variables, quantile statistics, anomaly detection, and temporal correlations. It runs as a CLI tool, a Rust library, or a WASM module.
+
+## Build & Test
+
+```bash
+cargo build --release
+cargo test --locked
+cargo clippy
+```
+
+## Log Analysis
+
+When working with log files (>100 lines), run ctrlb-decompose first to get a structural summary before reading raw logs:
+
+```bash
+./target/release/ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+```
+
+Key flags:
+- `--llm` — Token-efficient markdown output (banner auto-suppressed, default context=2)
+- `--json` — Structured JSON for programmatic use
+- `--source-label <name>` — Tag output with source name
+- `--sim-threshold <0.0-1.0>` — Tune clustering (default 0.5, lower = fewer patterns)
+- `--top <N>` — Top N patterns (default 20)
+- `--context <N>` — Example lines per pattern
+
+Works with stdin: `kubectl logs pod | ./target/release/ctrlb-decompose --llm`
+
+Workflow: decompose first, identify patterns, then drill into raw logs with grep or higher `--context`.
+
+## Architecture
+
+Two-stage normalization + clustering pipeline (single-pass, streaming):
+
+1. Timestamp extraction (`src/timestamp.rs`)
+2. CLP encoding (`src/extraction/clp/`) — normalizes variables into typed placeholders
+3. Drain3 clustering (`src/extraction/drain3.rs`) — tree-based prefix clustering with LRU eviction
+4. Variable classification — semantic types: IPv4, UUID, Duration, HexID, Integer, Float, Enum, String
+5. Statistics (`src/stats.rs`) — DDSketch quantiles, HyperLogLog cardinality, top-k, reservoir sampling
+6. Anomaly detection (`src/anomaly.rs`) — frequency spikes, error cascades, bimodal distributions
+7. Scoring & correlation (`src/scoring.rs`, `src/correlation.rs`)
+8. Output formatting (`src/format/`) — human, llm, json
+
+Entry points:
+- CLI: `main.rs` -> `lib.rs::run(args)`
+- Library: `lib.rs::process_log_text(input, opts)`
+- WASM: `wasm.rs::analyze_logs(input, format, top_n, context_lines)`
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..0ab7ea8
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,93 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project
+
+ctrlb-decompose compresses raw log lines into structural patterns with typed variables, quantile statistics, anomaly detection, and temporal correlations. It runs as a CLI tool, a Rust library, or a WASM module in the browser.
+
+## Build & Test Commands
+
+```bash
+# Build
+cargo build
+cargo build --release
+
+# Test
+cargo test --locked
+cargo test <test_name>             # Run a single test
+
+# Lint
+cargo clippy
+
+# Build without default features (library-only, no CLI)
+cargo build --no-default-features
+
+# WASM build
+wasm-pack build --target web --out-dir web/pkg -- --no-default-features --features wasm
+```
+
+## Architecture
+
+**Two-stage normalization + clustering pipeline** (single-pass, streaming):
+
+1. **Timestamp extraction** (`src/timestamp.rs`) — regex-based, stripped before further processing
+2. **CLP encoding** (`src/extraction/clp/`) — normalizes variables (ints, floats, IPs, hex) into typed placeholders
+3. **Drain3 clustering** (`src/extraction/drain3.rs`) — tree-based prefix clustering on logtypes with LRU eviction
+4. **Variable classification** (`src/extraction/drain3.rs`) — merges CLP-decoded values with Drain3 wildcards, classifies into semantic types (IPv4, UUID, Duration, HexID, Integer, Float, Enum, String, etc.)
+5. **Statistics** (`src/stats.rs`) — DDSketch quantiles (~200 bytes/slot), HyperLogLog++ cardinality, top-k, temporal bucketing, reservoir-sampled examples
+6. **Anomaly detection** (`src/anomaly.rs`) — frequency spikes, error cascades, bimodal distributions, low cardinality
+7. **Scoring & correlation** (`src/scoring.rs`, `src/correlation.rs`) — keyword severity, Pearson temporal co-occurrence, shared variables
+8. **Output formatting** (`src/format/`) — human (ANSI terminal), llm (compact markdown), json (structured)
+
+**Entry points:**
+- CLI: `main.rs` → `lib.rs::run(args)`
+- Library: `lib.rs::process_log_text(input, opts) -> AnalysisOutput`
+- WASM: `wasm.rs::analyze_logs(input, format, top_n, context_lines) -> String`
+
+## Feature Gates
+
+- `cli` (default) — includes `clap` and `colored` for terminal use
+- `wasm` — includes `wasm-bindgen` and `serde-wasm-bindgen` for browser use
+- The core library is WASM-safe (no stdin/filesystem deps)
+- Crate type is `["cdylib", "rlib"]` for dual WASM + library output
+
+## Key Design Decisions
+
+- **Single-pass streaming**: no second pass over data; all stats accumulated incrementally
+- **Memory-bounded**: Drain3 LRU (default 10k clusters), DDSketch fixed-size quantiles, HyperLogLog++ fixed-size cardinality, reservoir sampling for examples
+- **Lazy regex compilation**: `once_cell::sync::Lazy` for all regex patterns
+- **Minimum Rust version**: 1.94.0
+
+## Testing
+
+Tests are in `tests/integration.rs` using the fixture at `tests/fixtures/sample.log`. Snapshot testing uses `insta`. Benchmarks use `criterion` in `benches/pipeline.rs`.
+
+## CI
+
+- `ci.yml` — runs on push to main and PRs: `cargo test`, `clippy`, feature matrix (no-default-features, wasm target)
+- `release.yml` — triggered by `v*.*.*` tags: cargo-dist multi-platform binaries + homebrew
+- `wasm-deploy.yml` — deploys WASM build to GitHub Pages on push to main
+
+## Using ctrlb-decompose for log analysis
+
+When working with large log files (>100 lines), use ctrlb-decompose to get a structured summary before reading raw logs. This saves context window and surfaces errors/anomalies immediately.
+
+```bash
+# Analyze a log file (LLM-optimized output, 2 example lines per pattern)
+./target/release/ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+
+# Pipe from any command
+kubectl logs <pod> | ./target/release/ctrlb-decompose --llm --context 2 --quiet --source-label "pod-name" 2>/dev/null
+journalctl -n 5000 | ./target/release/ctrlb-decompose --llm --context 2 --quiet 2>/dev/null
+
+# JSON output for programmatic use
+./target/release/ctrlb-decompose <file> --json --quiet 2>/dev/null
+
+# Tune clustering granularity (lower = more aggressive merging, higher = more patterns)
+./target/release/ctrlb-decompose <file> --llm --sim-threshold 0.6
+```
+
+In LLM mode, the banner is suppressed automatically. The `--quiet` flag suppresses the progress line on stderr.
+
+**Workflow**: Run `--llm` first to identify patterns of interest, then use `--context N` with higher N or grep for specific patterns in the raw file.
diff --git a/Cargo.lock b/Cargo.lock
index aa80da9..2bfe6e1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -94,12 +94,36 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
+[[package]]
+name = "bit-set"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3"
+dependencies = [
+ "bit-vec",
+]
+
+[[package]]
+name = "bit-vec"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7"
+
 [[package]]
 name = "bitflags"
 version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.20.2"
@@ -242,6 +266,15 @@ version = "0.8.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "criterion"
 version = "0.5.1"
@@ -309,6 +342,16 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
 
+[[package]]
+name = "crypto-common"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
 [[package]]
 name = "ctrlb-decompose"
 version = "0.1.0"
@@ -319,11 +362,12 @@ dependencies = [
  "colored",
  "criterion",
  "fastrand",
- "getrandom",
+ "getrandom 0.4.2",
  "hyperloglogplus",
  "insta",
  "lru",
  "once_cell",
+ "proptest",
  "regex",
  "serde",
  "serde-wasm-bindgen",
@@ -332,6 +376,16 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+]
+
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -372,12 +426,40 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
 [[package]]
 name = "foldhash"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi 5.3.0",
+ "wasip2",
+]
+
 [[package]]
 name = "getrandom"
 version = "0.4.2"
@@ -387,7 +469,7 @@ dependencies = [
  "cfg-if",
  "js-sys",
  "libc",
- "r-efi",
+ "r-efi 6.0.0",
  "wasip2",
  "wasip3",
  "wasm-bindgen",
@@ -492,6 +574,8 @@ checksum = "7b4a6248eb93a4401ed2f37dfe8ea592d3cf05b7cf4f8efa867b6895af7e094e"
 dependencies = [
  "console",
  "once_cell",
+ "pest",
+ "pest_derive",
  "serde",
  "similar",
  "tempfile",
@@ -611,6 +695,49 @@ version = "11.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
 
+[[package]]
+name = "pest"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0848c601009d37dfa3430c4666e147e49cdcf1b92ecd3e63657d8a5f19da662"
+dependencies = [
+ "memchr",
+ "ucd-trie",
+]
+
+[[package]]
+name = "pest_derive"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11f486f1ea21e6c10ed15d5a7c77165d0ee443402f0780849d1768e7d9d6fe77"
+dependencies = [
+ "pest",
+ "pest_generator",
+]
+
+[[package]]
+name = "pest_generator"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8040c4647b13b210a963c1ed407c1ff4fdfa01c31d6d2a098218702e6664f94f"
+dependencies = [
+ "pest",
+ "pest_meta",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pest_meta"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89815c69d36021a140146f26659a81d6c2afa33d216d736dd4be5381a7362220"
+dependencies = [
+ "pest",
+ "sha2",
+]
+
 [[package]]
 name = "plotters"
 version = "0.3.7"
@@ -639,6 +766,15 @@ dependencies = [
  "plotters-backend",
 ]
 
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -658,6 +794,31 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "proptest"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
+dependencies = [
+ "bit-set",
+ "bit-vec",
+ "bitflags",
+ "num-traits",
+ "rand",
+ "rand_chacha",
+ "rand_xorshift",
+ "regex-syntax",
+ "rusty-fork",
+ "tempfile",
+ "unarray",
+]
+
+[[package]]
+name = "quick-error"
+version = "1.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
+
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -667,12 +828,56 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
 [[package]]
 name = "r-efi"
 version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
+[[package]]
+name = "rand_xorshift"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "513962919efc330f829edb2535844d1b912b0fbe2ca165d613e4e8788bb05a5a"
+dependencies = [
+ "rand_core",
+]
+
 [[package]]
 name = "rayon"
 version = "1.11.0"
@@ -741,6 +946,18 @@ version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
 
+[[package]]
+name = "rusty-fork"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cc6bf79ff24e648f6da1f8d1f011e9cac26491b619e6b9280f2b47f1774e6ee2"
+dependencies = [
+ "fnv",
+ "quick-error",
+ "tempfile",
+ "wait-timeout",
+]
+
 [[package]]
 name = "same-file"
 version = "1.0.6"
@@ -810,6 +1027,17 @@ dependencies = [
  "zmij",
 ]
 
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
 [[package]]
 name = "shlex"
 version = "1.3.0"
@@ -852,7 +1080,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
- "getrandom",
+ "getrandom 0.4.2",
  "once_cell",
  "rustix",
  "windows-sys 0.61.2",
@@ -868,6 +1096,24 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "typenum"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
+
+[[package]]
+name = "ucd-trie"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
+
+[[package]]
+name = "unarray"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
@@ -886,6 +1132,21 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "wait-timeout"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ac3b126d3914f9849036f826e054cbabdc8519970b8998ddaf3b5bd3c65f11"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "walkdir"
 version = "2.5.0"
diff --git a/Cargo.toml b/Cargo.toml
index 47880aa..86dd480 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -41,8 +41,9 @@ wasm-bindgen = { version = "0.2", optional = true }
 serde-wasm-bindgen = { version = "0.6", optional = true }
 
 [dev-dependencies]
-insta = { version = "1", features = ["json"] }
+insta = { version = "1", features = ["json", "redactions"] }
 criterion = { version = "0.5", features = ["html_reports"] }
+proptest = "1"
 
 [[bench]]
 name = "pipeline"
diff --git a/README.md b/README.md
index 8b7d4a0..4491cf6 100644
--- a/README.md
+++ b/README.md
@@ -206,6 +206,38 @@ Options:
 
 ---
 
+## Use Cases
+
+ctrlb-decompose is useful for:
+
+- **Incident triage** — Surface error patterns, p99 spikes, and host concentration in thousands of log lines. See [docs/use-cases.md](docs/use-cases.md#incident-triage).
+- **Postmortem summary** — Generate LLM-friendly summaries for automated timeline reconstruction. See [docs/use-cases.md](docs/use-cases.md#postmortem-summary).
+- **CI/CD log triage** — Find failure patterns buried in verbose build output. See [docs/use-cases.md](docs/use-cases.md#cicd-log-triage).
+- **Monitoring** — Use `--json` for programmatic alerting thresholds. See [docs/use-cases.md](docs/use-cases.md#monitoring--alerting).
+- **Log comparison** — Diff patterns before and after a deployment. See [docs/use-cases.md](docs/use-cases.md#log-comparison).
+
+## Integration
+
+ctrlb-decompose pipes into any workflow:
+
+```bash
+# Kubernetes pods
+kubectl logs -l app=api --since=1h | ctrlb-decompose --llm --source-label "api"
+
+# systemd services
+journalctl -u nginx --since "1 hour ago" --no-pager | ctrlb-decompose --llm
+
+# Docker Compose
+docker compose logs api db --since 30m | ctrlb-decompose --llm
+
+# CI failure summary
+cargo test 2>&1 | ctrlb-decompose --llm --top 5 --context 2
+```
+
+See [docs/integration.md](docs/integration.md) for detailed recipes including Claude Code setup, GitHub Actions, SSH remote analysis, and JSON programmatic use.
+
+---
+
 ## License
 
 [MIT](LICENSE)
diff --git a/benches/compare_drain3.sh b/benches/compare_drain3.sh
new file mode 100755
index 0000000..753aa5e
--- /dev/null
+++ b/benches/compare_drain3.sh
@@ -0,0 +1,246 @@
+#!/usr/bin/env bash
+#
+# compare_drain3.sh - Benchmark ctrlb-decompose (Rust) against Drain3 (Python)
+#
+# Generates log files at several scales, runs both tools, and prints a
+# markdown comparison table with wall-clock time, peak RSS, and throughput.
+#
+# Requirements: cargo, python3, drain3 (pip), /usr/bin/time (GNU), bc
+#
+set -euo pipefail
+
+# ── Configuration ────────────────────────────────────────────────────────────
+
+SCALES=(1000 10000 100000 1000000)
+SEED=42
+BENCH_DIR="/tmp/ctrlb-bench"
+TIME_BIN="/usr/bin/time"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+CTRLB_BIN="$PROJECT_DIR/target/release/ctrlb-decompose"
+GENLOG_BIN="$PROJECT_DIR/target/release/examples/generate_logs"
+DRAIN3_SCRIPT="$PROJECT_DIR/benches/drain3_baseline.py"
+
+# ── Dependency checks ────────────────────────────────────────────────────────
+
+check_deps() {
+    local missing=()
+
+    if ! command -v cargo &>/dev/null; then
+        missing+=("cargo")
+    fi
+
+    if ! command -v python3 &>/dev/null; then
+        missing+=("python3")
+    fi
+
+    if ! command -v bc &>/dev/null; then
+        missing+=("bc")
+    fi
+
+    if [[ ! -x "$TIME_BIN" ]]; then
+        missing+=("/usr/bin/time (GNU time)")
+    fi
+
+    if python3 -c "import drain3" 2>/dev/null; then
+        :
+    else
+        missing+=("drain3 (pip install drain3)")
+    fi
+
+    if (( ${#missing[@]} > 0 )); then
+        echo "ERROR: missing dependencies:" >&2
+        for dep in "${missing[@]}"; do
+            echo "  - $dep" >&2
+        done
+        exit 1
+    fi
+}
+
+# ── Build ─────────────────────────────────────────────────────────────────────
+
+build() {
+    echo "==> Building ctrlb-decompose and log generator..."
+    (cd "$PROJECT_DIR" && cargo build --release --example generate_logs 2>&1)
+    (cd "$PROJECT_DIR" && cargo build --release 2>&1)
+
+    if [[ ! -x "$CTRLB_BIN" ]]; then
+        echo "ERROR: $CTRLB_BIN not found after build" >&2
+        exit 1
+    fi
+    if [[ ! -x "$GENLOG_BIN" ]]; then
+        echo "ERROR: $GENLOG_BIN not found after build" >&2
+        exit 1
+    fi
+}
+
+# ── Log generation ────────────────────────────────────────────────────────────
+
+generate_logs() {
+    mkdir -p "$BENCH_DIR"
+    for n in "${SCALES[@]}"; do
+        local logfile="$BENCH_DIR/bench-${n}.log"
+        if [[ -f "$logfile" ]]; then
+            echo "==> Reusing existing $logfile"
+        else
+            echo "==> Generating $logfile ($n lines)..."
+            "$GENLOG_BIN" --lines "$n" --seed "$SEED" > "$logfile"
+        fi
+    done
+}
+
+# ── Time parsing helpers ──────────────────────────────────────────────────────
+
+# Parse GNU time "Elapsed (wall clock)" value to seconds.
+# Formats: "M:SS.ss" or "H:MM:SS.ss" or "H:MM:SS"
+parse_wall_clock() {
+    local raw="$1"
+    # Strip any leading/trailing whitespace
+    raw="$(echo "$raw" | xargs)"
+
+    local parts
+    IFS=':' read -ra parts <<< "$raw"
+
+    if (( ${#parts[@]} == 2 )); then
+        # M:SS.ss
+        local minutes="${parts[0]}"
+        local seconds="${parts[1]}"
+        echo "$(echo "$minutes * 60 + $seconds" | bc -l)"
+    elif (( ${#parts[@]} == 3 )); then
+        # H:MM:SS.ss
+        local hours="${parts[0]}"
+        local minutes="${parts[1]}"
+        local seconds="${parts[2]}"
+        echo "$(echo "$hours * 3600 + $minutes * 60 + $seconds" | bc -l)"
+    else
+        echo "0"
+    fi
+}
+
+# Extract wall clock time string from GNU time -v output file
+extract_wall_clock() {
+    local timefile="$1"
+    grep "Elapsed (wall clock)" "$timefile" | sed 's/.*): //'
+}
+
+# Extract max RSS in KB from GNU time -v output file
+extract_rss_kb() {
+    local timefile="$1"
+    grep "Maximum resident set size" "$timefile" | awk '{print $NF}'
+}
+
+# ── Benchmark runner ──────────────────────────────────────────────────────────
+
+# Run a single benchmark, capture time metrics.
+# Usage: run_bench <label> <tmpfile> <command...>
+# Sets global vars: BENCH_WALL_SECS, BENCH_RSS_KB
+run_bench() {
+    local label="$1"
+    local tmpfile="$2"
+    shift 2
+
+    echo "    Running $label..."
+    "$TIME_BIN" -v "$@" > /dev/null 2> "$tmpfile"
+
+    local wall_raw
+    wall_raw="$(extract_wall_clock "$tmpfile")"
+    BENCH_WALL_SECS="$(parse_wall_clock "$wall_raw")"
+    BENCH_RSS_KB="$(extract_rss_kb "$tmpfile")"
+}
+
+# ── Main ──────────────────────────────────────────────────────────────────────
+
+main() {
+    check_deps
+    build
+    generate_logs
+
+    # Result arrays (indexed by position in SCALES)
+    declare -a ctrlb_times ctrlb_rss drain3_times drain3_rss
+
+    local tmpfile
+    tmpfile="$(mktemp)"
+    trap "rm -f '$tmpfile'" EXIT
+
+    for i in "${!SCALES[@]}"; do
+        local n="${SCALES[$i]}"
+        local logfile="$BENCH_DIR/bench-${n}.log"
+        echo "==> Benchmarking $n lines..."
+
+        # ctrlb-decompose
+        run_bench "ctrlb-decompose" "$tmpfile" \
+            "$CTRLB_BIN" --json --quiet --no-banner "$logfile"
+        ctrlb_times[$i]="$BENCH_WALL_SECS"
+        ctrlb_rss[$i]="$BENCH_RSS_KB"
+
+        # Drain3
+        run_bench "drain3 (python)" "$tmpfile" \
+            bash -c "python3 '$DRAIN3_SCRIPT' < '$logfile'"
+        drain3_times[$i]="$BENCH_WALL_SECS"
+        drain3_rss[$i]="$BENCH_RSS_KB"
+    done
+
+    # ── Print results ────────────────────────────────────────────────────────
+
+    echo ""
+    echo "## ctrlb-decompose vs Drain3 (Python) Benchmark"
+    echo ""
+    echo "Seed: $SEED | Scales: ${SCALES[*]}"
+    echo ""
+
+    # Table header
+    printf "| %-10s | %-12s | %-12s | %-8s | %-12s | %-12s | %-14s | %-14s |\n" \
+        "Lines" "ctrlb (s)" "drain3 (s)" "Speedup" "ctrlb RSS" "drain3 RSS" "ctrlb lines/s" "drain3 lines/s"
+    printf "|%s|%s|%s|%s|%s|%s|%s|%s|\n" \
+        "------------" "--------------" "--------------" "----------" "--------------" "--------------" "----------------" "----------------"
+
+    for i in "${!SCALES[@]}"; do
+        local n="${SCALES[$i]}"
+        local ct="${ctrlb_times[$i]}"
+        local dt="${drain3_times[$i]}"
+        local cr="${ctrlb_rss[$i]}"
+        local dr="${drain3_rss[$i]}"
+
+        # Speedup: drain3_time / ctrlb_time
+        local speedup
+        if [[ "$(echo "$ct > 0" | bc -l)" == "1" ]]; then
+            speedup="$(echo "scale=1; $dt / $ct" | bc -l)"
+        else
+            speedup="N/A"
+        fi
+
+        # RSS in MB (from KB)
+        local cr_mb dr_mb
+        cr_mb="$(echo "scale=1; $cr / 1024" | bc -l)"
+        dr_mb="$(echo "scale=1; $dr / 1024" | bc -l)"
+
+        # Throughput: lines/s
+        local ct_lps dt_lps
+        if [[ "$(echo "$ct > 0" | bc -l)" == "1" ]]; then
+            ct_lps="$(echo "scale=0; $n / $ct" | bc -l)"
+        else
+            ct_lps="N/A"
+        fi
+        if [[ "$(echo "$dt > 0" | bc -l)" == "1" ]]; then
+            dt_lps="$(echo "scale=0; $n / $dt" | bc -l)"
+        else
+            dt_lps="N/A"
+        fi
+
+        printf "| %-10s | %-12s | %-12s | %-8s | %-12s | %-12s | %-14s | %-14s |\n" \
+            "$n" \
+            "$(printf '%.3f' "$ct")" \
+            "$(printf '%.3f' "$dt")" \
+            "${speedup}x" \
+            "${cr_mb} MB" \
+            "${dr_mb} MB" \
+            "$ct_lps" \
+            "$dt_lps"
+    done
+
+    echo ""
+    echo "Done. Log files preserved in $BENCH_DIR"
+}
+
+main "$@"
diff --git a/benches/drain3_baseline.py b/benches/drain3_baseline.py
new file mode 100755
index 0000000..cd0834a
--- /dev/null
+++ b/benches/drain3_baseline.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+"""Minimal Drain3 baseline for benchmarking against ctrlb-decompose."""
+
+import sys
+import time
+from drain3 import TemplateMiner
+from drain3.template_miner_config import TemplateMinerConfig
+
+def main():
+    config = TemplateMinerConfig()
+    config.drain_sim_th = 0.4
+    config.drain_depth = 4
+    config.drain_max_clusters = 10000
+    config.profiling_enabled = False
+
+    miner = TemplateMiner(config=config)
+
+    line_count = 0
+    start = time.monotonic()
+
+    for line in sys.stdin:
+        line = line.rstrip('\n')
+        if line:
+            miner.add_log_message(line)
+            line_count += 1
+
+    elapsed = time.monotonic() - start
+    clusters = miner.drain.clusters
+    pattern_count = len(clusters)
+
+    throughput = line_count / elapsed if elapsed > 0 else 0
+    print(f"drain3_lines={line_count}", file=sys.stderr)
+    print(f"drain3_patterns={pattern_count}", file=sys.stderr)
+    print(f"drain3_elapsed={elapsed:.4f}", file=sys.stderr)
+    print(f"drain3_throughput={throughput:.0f}", file=sys.stderr)
+
+if __name__ == "__main__":
+    main()
diff --git a/docs/ai-setup.md b/docs/ai-setup.md
new file mode 100644
index 0000000..fb40f67
--- /dev/null
+++ b/docs/ai-setup.md
@@ -0,0 +1,172 @@
+# AI Assistant Setup
+
+How to configure AI coding assistants to use ctrlb-decompose for log analysis.
+
+This repo ships config files for Claude Code, Cursor, Codex, and GitHub Copilot. Clone the repo and they work automatically. To set up ctrlb-decompose in **your own project**, follow the guides below.
+
+---
+
+## Prerequisites
+
+Install ctrlb-decompose and make sure it's on your PATH or note the binary location:
+
+```bash
+# Homebrew
+brew tap ctrlb-hq/tap && brew install ctrlb-decompose
+
+# Or build from source
+git clone https://github.com/ctrlb-hq/ctrlb-decompose.git
+cd ctrlb-decompose && cargo build --release
+# Binary at ./target/release/ctrlb-decompose
+```
+
+---
+
+## Claude Code
+
+### CLAUDE.md (recommended)
+
+Add to your project's `CLAUDE.md`:
+
+```markdown
+## Log Analysis
+
+When analyzing log files (>100 lines), run ctrlb-decompose first:
+
+\`\`\`bash
+ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+\`\`\`
+
+Key flags: `--llm` (token-efficient), `--json` (structured), `--source-label <name>`, `--sim-threshold <0.0-1.0>`.
+Workflow: decompose first, identify patterns, then drill into raw logs.
+\`\`\`bash
+kubectl logs <pod> | ctrlb-decompose --llm --source-label "pod-name"
+\`\`\`
+```
+
+### Optional: Hook for large log files
+
+Create `.claude/hooks/check-log-size.sh`:
+
+```bash
+#!/bin/bash
+# Warn when Claude reads large log files
+INPUT=$(cat)
+FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+
+if [[ "$FILEPATH" == *.log ]]; then
+  LINES=$(wc -l < "$FILEPATH" 2>/dev/null || echo 0)
+  if (( LINES > 100 )); then
+    echo "{\"decision\": \"allow\", \"reason\": \"Large log file ($LINES lines). Consider running: ctrlb-decompose $FILEPATH --llm --context 2\"}" 
+  fi
+fi
+```
+
+Add to `.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash .claude/hooks/check-log-size.sh"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+---
+
+## Cursor
+
+### .cursorrules (legacy, widely supported)
+
+Create `.cursorrules` in your project root:
+
+```
+When working with log files (>100 lines), run ctrlb-decompose first:
+
+    ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+
+This compresses log lines into patterns with typed variables, quantile stats, and anomaly detection.
+Key flags: --llm, --json, --source-label <name>, --sim-threshold <0.0-1.0>
+Works with stdin: kubectl logs pod | ctrlb-decompose --llm
+```
+
+### .cursor/rules/ (modern, auto-activating)
+
+Create `.cursor/rules/log-analysis.mdc`:
+
+```markdown
+---
+description: Use ctrlb-decompose to analyze log files before reading them raw
+globs: **/*.log
+alwaysApply: false
+---
+
+# Log File Analysis
+
+Run ctrlb-decompose first to get a structural summary:
+
+\`\`\`bash
+ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+\`\`\`
+
+Workflow: decompose first, identify patterns, then grep or use --context N for more examples.
+```
+
+The `globs: **/*.log` ensures this rule auto-activates when any `.log` file is referenced.
+
+---
+
+## Codex / OpenAI
+
+Create `AGENTS.md` in your project root:
+
+```markdown
+# AGENTS.md
+
+## Log Analysis
+
+When working with log files (>100 lines), run ctrlb-decompose first:
+
+\`\`\`bash
+ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+\`\`\`
+
+Key flags: --llm, --json, --source-label <name>, --sim-threshold <0.0-1.0>
+Works with stdin: kubectl logs pod | ctrlb-decompose --llm
+```
+
+---
+
+## GitHub Copilot
+
+Create `.github/copilot-instructions.md`:
+
+```markdown
+When working with log files (>100 lines), run ctrlb-decompose first:
+
+    ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+
+Key flags: --llm (token-efficient), --json (structured), --source-label <name>, --sim-threshold <0.0-1.0>
+```
+
+---
+
+## Shipped config files in this repo
+
+| File | Tool | Purpose |
+|------|------|---------|
+| `CLAUDE.md` | Claude Code | Project guidance + log analysis instructions |
+| `.cursorrules` | Cursor (legacy) | Project-wide AI instructions |
+| `.cursor/rules/log-analysis.mdc` | Cursor (modern) | Auto-activates on `.log` files |
+| `AGENTS.md` | Codex / OpenAI | Project instructions for Codex agents |
+| `.github/copilot-instructions.md` | GitHub Copilot | Project-level Copilot instructions |
diff --git a/docs/integration.md b/docs/integration.md
new file mode 100644
index 0000000..d99846e
--- /dev/null
+++ b/docs/integration.md
@@ -0,0 +1,232 @@
+# Integration Guide
+
+How to integrate ctrlb-decompose into your tools and workflows.
+
+---
+
+## Claude Code / LLM Agents
+
+Use `--llm` mode to generate token-efficient summaries for LLM context injection. This is the most common integration pattern.
+
+### Quick start
+
+```bash
+# Analyze a log file and get LLM-ready output
+ctrlb-decompose app.log --llm --context 2
+```
+
+When in LLM mode, the banner is suppressed automatically. Add `--quiet` to also suppress the progress line on stderr:
+
+```bash
+ctrlb-decompose app.log --llm --quiet --context 2 2>/dev/null
+```
+
+### Workflow
+
+1. **Decompose first:** Run ctrlb-decompose to get the pattern summary
+2. **Identify patterns of interest:** Look at error/warn patterns, p99 spikes
+3. **Drill into specifics:** Use `grep` or `--context N` with a higher N to see more examples
+4. **Ask the LLM:** Feed the summary as context for questions like "what caused this outage?"
+
+### CLAUDE.md snippet
+
+Add this to your project's CLAUDE.md so Claude Code knows to use it:
+
+```markdown
+## Log Analysis
+
+When analyzing large log files (>100 lines), run ctrlb-decompose first:
+\`\`\`bash
+ctrlb-decompose <file> --llm --context 2 --quiet 2>/dev/null
+\`\`\`
+```
+
+---
+
+## Common Log Sources
+
+### journalctl / systemd
+
+```bash
+# Last hour of a specific service
+journalctl -u nginx --since "1 hour ago" --no-pager | ctrlb-decompose --llm
+
+# All errors from all services since boot
+journalctl -p err -b --no-pager | ctrlb-decompose --llm --context 2
+
+# Specific time window
+journalctl --since "2024-03-10 08:00" --until "2024-03-10 09:00" --no-pager | \
+  ctrlb-decompose --llm
+
+# Multiple services
+journalctl -u nginx -u postgres -u myapp --since "30 min ago" --no-pager | \
+  ctrlb-decompose --llm
+
+# With source label
+journalctl -u nginx --since "1 hour ago" --no-pager | \
+  ctrlb-decompose --llm --source-label "nginx"
+```
+
+### kubectl
+
+```bash
+# Single pod
+kubectl logs my-pod | ctrlb-decompose --llm
+
+# All pods matching a label
+kubectl logs -l app=api --all-containers --since=1h | \
+  ctrlb-decompose --llm --source-label "api-pods"
+
+# Previous container (after a crash)
+kubectl logs my-pod --previous | ctrlb-decompose --llm --context 3
+
+# Specific container in a multi-container pod
+kubectl logs my-pod -c sidecar --since=30m | ctrlb-decompose --llm
+
+# Follow + analyze (useful for live debugging, Ctrl-C when done)
+kubectl logs -l app=api --since=5m -f | ctrlb-decompose --llm
+
+# Multiple namespaces — compare
+kubectl logs -n prod -l app=api --since=1h | \
+  ctrlb-decompose --json --quiet --source-label "prod" > /tmp/prod.json
+kubectl logs -n staging -l app=api --since=1h | \
+  ctrlb-decompose --json --quiet --source-label "staging" > /tmp/staging.json
+```
+
+### docker / docker compose
+
+```bash
+# Single container
+docker logs my-container --since 1h | ctrlb-decompose --llm
+
+# With tail limit
+docker logs my-container --tail 5000 | ctrlb-decompose --llm
+
+# Docker compose — all services
+docker compose logs --since 1h | ctrlb-decompose --llm
+
+# Docker compose — specific services
+docker compose logs api db --since 30m | ctrlb-decompose --llm
+
+# Docker compose — with source label per service
+docker compose logs api --since 1h | \
+  ctrlb-decompose --llm --source-label "api"
+docker compose logs worker --since 1h | \
+  ctrlb-decompose --llm --source-label "worker"
+```
+
+### SSH / Remote
+
+```bash
+# Tail remote logs
+ssh prod-server 'tail -10000 /var/log/app/api.log' | ctrlb-decompose --llm
+
+# Compressed logs
+ssh prod-server 'zcat /var/log/app/api.log.1.gz' | ctrlb-decompose --llm
+
+# Multiple hosts — compare
+for host in prod-{1..3}; do
+  ssh $host 'tail -5000 /var/log/app.log' | \
+    ctrlb-decompose --llm --source-label "$host"
+  echo "---"
+done
+```
+
+---
+
+## CI Pipelines
+
+### GitHub Actions
+
+Add a step that summarizes build/test logs on failure:
+
+```yaml
+- name: Run tests
+  id: tests
+  run: |
+    cargo test 2>&1 | tee /tmp/test-output.log
+  continue-on-error: true
+
+- name: Summarize test output
+  if: steps.tests.outcome == 'failure'
+  run: |
+    ctrlb-decompose --llm --top 10 --context 3 /tmp/test-output.log
+```
+
+To post the summary as a PR comment:
+
+```yaml
+- name: Post log summary
+  if: steps.tests.outcome == 'failure' && github.event_name == 'pull_request'
+  run: |
+    SUMMARY=$(ctrlb-decompose --llm --top 5 --context 2 --quiet /tmp/test-output.log 2>/dev/null)
+    gh pr comment ${{ github.event.pull_request.number }} --body "## Test Failure Summary
+
+    $SUMMARY"
+```
+
+---
+
+## JSON Programmatic Use
+
+The `--json` output is structured for machine consumption.
+
+### Output schema
+
+```json
+{
+  "version": "0.1.0",
+  "summary": {
+    "total_lines": 50000,
+    "pattern_count": 23,
+    "patterns_shown": 20,
+    "patterns_omitted": 3,
+    "source_label": "api-pod",
+    "time_range": { "start": "...", "end": "..." }
+  },
+  "patterns": [
+    {
+      "id": 1,
+      "template": "<TS> ERROR [<*>] Timeout ...",
+      "count": 342,
+      "frequency_pct": 8.2,
+      "score": 57.0,
+      "severity": "error",
+      "variables": [
+        {
+          "slot": 0,
+          "type": "IPv4",
+          "label": "ip",
+          "unique_count": 3,
+          "numeric": null,
+          "top_values": [
+            { "value": "10.0.5.12", "count": 305, "pct": 89.2 }
+          ]
+        }
+      ],
+      "example_lines": ["..."]
+    }
+  ]
+}
+```
+
+### Parsing examples
+
+```bash
+# Get all error templates
+ctrlb-decompose --json --quiet app.log | jq -r '.patterns[] | select(.severity == "error") | .template'
+
+# Get p99 latency for all duration variables
+ctrlb-decompose --json --quiet app.log | \
+  jq '.patterns[].variables[] | select(.type == "Duration") | {label, p99: .numeric.p99}'
+
+# Count total error lines
+ctrlb-decompose --json --quiet app.log | \
+  jq '[.patterns[] | select(.severity == "error") | .count] | add'
+```
+
+---
+
+## AI Assistant Setup
+
+This repo ships config files for Claude Code, Cursor, Codex, and GitHub Copilot so log analysis works out of the box. To set up ctrlb-decompose in your own project, see [docs/ai-setup.md](ai-setup.md).
diff --git a/docs/use-cases.md b/docs/use-cases.md
new file mode 100644
index 0000000..e54ca93
--- /dev/null
+++ b/docs/use-cases.md
@@ -0,0 +1,133 @@
+# Use Cases
+
+Real-world scenarios where ctrlb-decompose helps you make sense of logs faster.
+
+---
+
+## Incident Triage
+
+**Problem:** Your API is returning 5xx errors. You have thousands of log lines from the last hour. Where do you start?
+
+**Approach:** Pipe recent logs through ctrlb-decompose to surface error patterns with statistics.
+
+```bash
+# From a log file
+ctrlb-decompose --context 3 /var/log/app/api.log
+
+# From journalctl
+journalctl -u myapp --since "1 hour ago" --no-pager | ctrlb-decompose --context 3
+```
+
+**What to look for:**
+- ERROR/WARN patterns sorted by severity at the top
+- p99 duration spikes indicating slow paths
+- IP or host concentration (one backend causing failures?)
+- Temporal clustering (all errors in a 2-minute window?)
+
+**Example output:**
+```
+Pattern #1 [ERROR] (342 occurrences, 8.2%)
+  "<TS> ERROR [<*>] Timeout connecting to <*>:<*> after <*>"
+  Variables:
+    IPv4:     10.0.5.12 (89.2%), 10.0.5.13 (10.8%)
+    Duration: mean=5003, p50=5001, p99=5012, min=4998, max=5050
+```
+
+One IP accounts for 89% of timeouts. Investigate that host.
+
+---
+
+## Postmortem Summary
+
+**Problem:** After an incident, you need to write a timeline for the postmortem. The raw logs are 500K lines.
+
+**Approach:** Use `--llm` to generate a token-efficient summary, then feed it to an LLM for timeline reconstruction.
+
+```bash
+ctrlb-decompose --llm --context 2 incident-logs.log > /tmp/summary.txt
+
+# Then in Claude Code or any LLM chat:
+# "Here are the decomposed log patterns from the incident.
+#  Write a timeline of what happened:"
+# <paste summary>
+```
+
+The `--llm` format prioritizes errors/warnings first and includes quantile stats inline, giving the LLM everything it needs without drowning it in raw lines.
+
+---
+
+## CI/CD Log Triage
+
+**Problem:** A CI build failed with 10,000 lines of output. The actual error is buried somewhere.
+
+**Approach:** Pipe the build log through ctrlb-decompose to find the failure patterns.
+
+```bash
+# GitHub Actions — download and analyze
+gh run view 12345 --log | ctrlb-decompose --top 5 --context 2
+
+# Local build output
+cargo build 2>&1 | ctrlb-decompose --top 5 --context 2
+
+# Test output
+pytest -v 2>&1 | ctrlb-decompose --top 10 --context 3
+```
+
+**What to look for:**
+- ERROR patterns are surfaced first
+- Repeated test failure patterns cluster together
+- Build warnings that might be related to the failure
+
+---
+
+## Monitoring / Alerting
+
+**Problem:** You want to programmatically check if error rates exceed a threshold.
+
+**Approach:** Use `--json` output and parse it.
+
+```bash
+# Check if any error pattern exceeds 5% frequency
+ctrlb-decompose --json --quiet /var/log/app.log | \
+  python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+for p in data['patterns']:
+    if p['severity'] == 'error' and p['frequency_pct'] > 5.0:
+        print(f\"ALERT: {p['template']} at {p['frequency_pct']}%\")
+        sys.exit(1)
+"
+```
+
+```bash
+# In a shell script
+ERROR_PCT=$(ctrlb-decompose --json --quiet app.log | \
+  jq '[.patterns[] | select(.severity == "error")] | map(.frequency_pct) | add // 0')
+
+if (( $(echo "$ERROR_PCT > 10" | bc -l) )); then
+    echo "Error rate too high: ${ERROR_PCT}%"
+    exit 1
+fi
+```
+
+---
+
+## Log Comparison
+
+**Problem:** You deployed a new version and want to see if new error patterns appeared.
+
+**Approach:** Run ctrlb-decompose on before and after logs, compare the templates.
+
+```bash
+# Before deploy
+ctrlb-decompose --json --quiet before-deploy.log > /tmp/before.json
+
+# After deploy
+ctrlb-decompose --json --quiet after-deploy.log > /tmp/after.json
+
+# Compare templates
+diff <(jq -r '.patterns[].template' /tmp/before.json | sort) \
+     <(jq -r '.patterns[].template' /tmp/after.json | sort)
+```
+
+New templates in the "after" output are new log patterns introduced by the deployment. Disappeared templates might indicate removed functionality or fixed bugs.
diff --git a/examples/generate_logs.rs b/examples/generate_logs.rs
new file mode 100644
index 0000000..ff255c8
--- /dev/null
+++ b/examples/generate_logs.rs
@@ -0,0 +1,546 @@
+//! Deterministic synthetic log generator for benchmarking ctrlb-decompose.
+//!
+//! Usage:
+//!   cargo run --release --example generate_logs -- --lines 100000 --seed 42
+
+use std::io::{BufWriter, Write};
+
+// ---------------------------------------------------------------------------
+// Xorshift64 PRNG — deterministic, portable, no deps
+// ---------------------------------------------------------------------------
+
+struct Rng {
+    state: u64,
+}
+
+impl Rng {
+    fn new(seed: u64) -> Self {
+        // Avoid zero state which is a fixed point for xorshift.
+        Self {
+            state: if seed == 0 { 1 } else { seed },
+        }
+    }
+
+    #[inline]
+    fn next_u64(&mut self) -> u64 {
+        let mut x = self.state;
+        x ^= x << 13;
+        x ^= x >> 7;
+        x ^= x << 17;
+        self.state = x;
+        x
+    }
+
+    /// Returns a value in [0, upper).
+    #[inline]
+    fn next_bound(&mut self, upper: u64) -> u64 {
+        self.next_u64() % upper
+    }
+
+    #[inline]
+    fn next_f64(&mut self) -> f64 {
+        (self.next_u64() >> 11) as f64 / ((1u64 << 53) as f64)
+    }
+
+    /// Pick a random element from a slice.
+    #[inline]
+    fn pick<'a, T>(&mut self, items: &'a [T]) -> &'a T {
+        &items[self.next_bound(items.len() as u64) as usize]
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers to generate realistic variable parts
+// ---------------------------------------------------------------------------
+
+fn gen_ipv4(rng: &mut Rng) -> String {
+    let subnets: &[(u8, u8, u8)] = &[
+        (10, 0, 1),
+        (10, 0, 2),
+        (10, 0, 3),
+        (172, 16, 0),
+        (172, 16, 1),
+        (192, 168, 1),
+        (192, 168, 2),
+    ];
+    let (a, b, c) = subnets[rng.next_bound(subnets.len() as u64) as usize];
+    let d = rng.next_bound(254) + 1;
+    format!("{a}.{b}.{c}.{d}")
+}
+
+fn gen_trace_id(rng: &mut Rng) -> String {
+    format!("{:016x}", rng.next_u64())
+}
+
+fn gen_uuid(rng: &mut Rng) -> String {
+    let a = rng.next_u64();
+    let b = rng.next_u64();
+    format!(
+        "{:08x}-{:04x}-4{:03x}-{:04x}-{:012x}",
+        (a >> 32) as u32,
+        (a >> 16) as u16 & 0xffff,
+        a as u16 & 0x0fff,
+        ((b >> 48) as u16 & 0x3fff) | 0x8000,
+        b & 0xffff_ffff_ffff
+    )
+}
+
+fn gen_http_method(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["GET", "POST", "PUT", "DELETE", "PATCH"])
+}
+
+fn gen_http_path(rng: &mut Rng) -> &'static str {
+    *rng.pick(&[
+        "/api/v1/users",
+        "/api/v1/orders",
+        "/api/v1/products",
+        "/api/v2/search",
+        "/api/v1/checkout",
+        "/api/v1/auth/login",
+        "/api/v1/auth/refresh",
+        "/api/v1/inventory",
+        "/api/v1/notifications",
+        "/health",
+        "/metrics",
+        "/api/v1/payments",
+    ])
+}
+
+fn gen_status_code(rng: &mut Rng) -> u16 {
+    let r = rng.next_bound(100);
+    match r {
+        0..60 => 200,
+        60..70 => 201,
+        70..75 => 204,
+        75..78 => 301,
+        78..82 => 400,
+        82..85 => 401,
+        85..88 => 403,
+        88..92 => 404,
+        92..95 => 429,
+        95..98 => 500,
+        _ => 503,
+    }
+}
+
+fn gen_user_id(rng: &mut Rng) -> u64 {
+    rng.next_bound(99999) + 10000
+}
+
+fn gen_duration_ms(rng: &mut Rng) -> f64 {
+    // Bimodal: most fast, some slow
+    if rng.next_bound(100) < 85 {
+        rng.next_f64() * 50.0 + 1.0
+    } else {
+        rng.next_f64() * 4000.0 + 200.0
+    }
+}
+
+fn gen_db_table(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["users", "orders", "products", "sessions", "payments", "inventory", "audit_log"])
+}
+
+fn gen_cache_key(rng: &mut Rng) -> String {
+    let prefixes = ["user", "session", "product", "config", "rate_limit"];
+    let prefix = rng.pick(prefixes.as_slice());
+    let id = rng.next_bound(10000);
+    format!("{prefix}:{id}")
+}
+
+fn gen_log_level_for_status(status: u16) -> &'static str {
+    match status {
+        200..=299 => "INFO",
+        300..=399 => "INFO",
+        400..=499 => "WARN",
+        _ => "ERROR",
+    }
+}
+
+fn gen_pool_name(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["primary", "replica", "analytics", "cache"])
+}
+
+fn gen_job_name(rng: &mut Rng) -> &'static str {
+    *rng.pick(&[
+        "email_digest",
+        "cleanup_expired",
+        "sync_inventory",
+        "generate_report",
+        "process_webhooks",
+        "reindex_search",
+    ])
+}
+
+fn gen_tls_version(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["TLSv1.2", "TLSv1.3"])
+}
+
+fn gen_cipher(rng: &mut Rng) -> &'static str {
+    *rng.pick(&[
+        "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_128_GCM_SHA256",
+        "ECDHE-RSA-AES128-GCM-SHA256",
+    ])
+}
+
+fn gen_service(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["api-gateway", "auth-service", "order-service", "user-service", "payment-service"])
+}
+
+fn gen_hostname(rng: &mut Rng) -> String {
+    let svc = gen_service(rng);
+    let idx = rng.next_bound(5);
+    format!("{svc}-{idx}")
+}
+
+fn gen_region(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"])
+}
+
+fn gen_disk_path(rng: &mut Rng) -> &'static str {
+    *rng.pick(&["/dev/sda1", "/dev/nvme0n1p1", "/dev/xvda1"])
+}
+
+// ---------------------------------------------------------------------------
+// Timestamp helper — increments ~1s per 100 lines
+// ---------------------------------------------------------------------------
+
+struct TimestampGen {
+    base_secs: i64, // seconds since epoch
+    sub_ms: u32,    // sub-second millis counter
+}
+
+impl TimestampGen {
+    fn new() -> Self {
+        // 2026-01-15T08:00:00Z
+        Self {
+            base_secs: 1768492800,
+            sub_ms: 0,
+        }
+    }
+
+    /// Advance by roughly 10ms per line (so ~1s per 100 lines).
+    fn next(&mut self, rng: &mut Rng) -> String {
+        let jitter = rng.next_bound(15) as u32; // 0-14 ms jitter
+        self.sub_ms += 10 + jitter; // ~10-24ms per line
+        if self.sub_ms >= 1000 {
+            self.base_secs += (self.sub_ms / 1000) as i64;
+            self.sub_ms %= 1000;
+        }
+
+        let total_secs = self.base_secs;
+        // Decompose into date/time components (UTC)
+        let days = total_secs / 86400;
+        let day_secs = (total_secs % 86400) as u32;
+        let h = day_secs / 3600;
+        let m = (day_secs % 3600) / 60;
+        let s = day_secs % 60;
+        let ms = self.sub_ms;
+
+        // Civil date from day count (algorithm from Howard Hinnant)
+        let z = days + 719468;
+        let era = if z >= 0 { z } else { z - 146096 } / 146097;
+        let doe = (z - era * 146097) as u32;
+        let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
+        let y = yoe as i64 + era * 400;
+        let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
+        let mp = (5 * doy + 2) / 153;
+        let d = doy - (153 * mp + 2) / 5 + 1;
+        let mo = if mp < 10 { mp + 3 } else { mp - 9 };
+        let yr = if mo <= 2 { y + 1 } else { y };
+
+        format!("{yr:04}-{mo:02}-{d:02}T{h:02}:{m:02}:{s:02}.{ms:03}Z")
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Pattern generators — each writes one log line to the buffer
+// ---------------------------------------------------------------------------
+
+fn emit_http_request(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let method = gen_http_method(rng);
+    let path = gen_http_path(rng);
+    let status = gen_status_code(rng);
+    let level = gen_log_level_for_status(status);
+    let ip = gen_ipv4(rng);
+    let dur = gen_duration_ms(rng);
+    let uid = gen_user_id(rng);
+    let bytes = rng.next_bound(50000) + 200;
+    let _ = write!(
+        buf,
+        "{ts} {level} [{trace}] HTTP {method} {path} status={status} client={ip} user_id={uid} duration={dur:.2}ms bytes={bytes}\n"
+    );
+}
+
+fn emit_conn_pool(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let pool = gen_pool_name(rng);
+    let active = rng.next_bound(50) + 10;
+    let max = 100u64;
+    let wait = gen_duration_ms(rng);
+    let _ = write!(
+        buf,
+        "{ts} WARN [{trace}] Connection pool '{pool}' reaching capacity: active={active}/{max} avg_wait={wait:.1}ms\n"
+    );
+}
+
+fn emit_timeout(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let host = gen_ipv4(rng);
+    let port = rng.pick(&[5432u16, 6379, 3306, 9200, 27017]);
+    let timeout_ms = rng.next_bound(30000) + 5000;
+    let svc = gen_service(rng);
+    let _ = write!(
+        buf,
+        "{ts} ERROR [{trace}] Timeout connecting to {svc} at {host}:{port} after {timeout_ms}ms\n"
+    );
+}
+
+fn emit_auth(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let ip = gen_ipv4(rng);
+    let uid = gen_user_id(rng);
+    if rng.next_bound(100) < 75 {
+        let method = rng.pick(&["password", "oauth2", "sso", "api_key"]);
+        let _ = write!(
+            buf,
+            "{ts} INFO [{trace}] Authentication successful for user_id={uid} from {ip} method={method}\n"
+        );
+    } else {
+        let reason = rng.pick(&[
+            "invalid_password",
+            "expired_token",
+            "account_locked",
+            "mfa_required",
+        ]);
+        let _ = write!(
+            buf,
+            "{ts} WARN [{trace}] Authentication failed for user_id={uid} from {ip} reason={reason}\n"
+        );
+    }
+}
+
+fn emit_db_query(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let table = gen_db_table(rng);
+    let op = rng.pick(&["SELECT", "INSERT", "UPDATE", "DELETE"]);
+    let dur = gen_duration_ms(rng);
+    let rows = rng.next_bound(1000);
+    let level = if dur > 500.0 { "WARN" } else { "INFO" };
+    let _ = write!(
+        buf,
+        "{ts} {level} [{trace}] Database query {op} on {table}: rows={rows} duration={dur:.2}ms\n"
+    );
+}
+
+fn emit_cache(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let key = gen_cache_key(rng);
+    let hit = rng.next_bound(100) < 70;
+    if hit {
+        let age = rng.next_bound(3600);
+        let _ = write!(
+            buf,
+            "{ts} DEBUG [{trace}] Cache HIT key={key} age={age}s\n"
+        );
+    } else {
+        let reason = rng.pick(&["expired", "evicted", "missing"]);
+        let _ = write!(
+            buf,
+            "{ts} DEBUG [{trace}] Cache MISS key={key} reason={reason}\n"
+        );
+    }
+}
+
+fn emit_background_job(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let job = gen_job_name(rng);
+    let job_id = gen_uuid(rng);
+    let dur = rng.next_bound(60000) + 100;
+    let items = rng.next_bound(10000);
+    let status = rng.pick(&["completed", "completed", "completed", "failed", "retrying"]);
+    let level = if *status == "failed" {
+        "ERROR"
+    } else if *status == "retrying" {
+        "WARN"
+    } else {
+        "INFO"
+    };
+    let _ = write!(
+        buf,
+        "{ts} {level} [{trace}] Background job '{job}' id={job_id} status={status} processed={items} duration={dur}ms\n"
+    );
+}
+
+fn emit_memory_warning(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let hostname = gen_hostname(rng);
+    let used_pct = 80.0 + rng.next_f64() * 18.0;
+    let used_mb = (rng.next_bound(8000) + 4000) as f64;
+    let total_mb = (used_mb / used_pct * 100.0).round();
+    let _ = write!(
+        buf,
+        "{ts} WARN [{trace}] Memory usage on {hostname}: {used_pct:.1}% ({used_mb:.0}MB / {total_mb:.0}MB)\n"
+    );
+}
+
+fn emit_gc_pause(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let hostname = gen_hostname(rng);
+    let pause_ms = rng.next_f64() * 200.0 + 10.0;
+    let gc_gen = rng.pick(&["young", "old", "full"]);
+    let freed_mb = rng.next_bound(512) + 16;
+    let _ = write!(
+        buf,
+        "{ts} WARN [{trace}] GC pause on {hostname}: type={gc_gen} pause={pause_ms:.1}ms freed={freed_mb}MB\n"
+    );
+}
+
+fn emit_rate_limit(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let ip = gen_ipv4(rng);
+    let uid = gen_user_id(rng);
+    let limit = rng.pick(&[100u32, 500, 1000, 5000]);
+    let window = rng.pick(&["1m", "5m", "1h"]);
+    let _ = write!(
+        buf,
+        "{ts} WARN [{trace}] Rate limit exceeded for user_id={uid} from {ip}: limit={limit}/{window}\n"
+    );
+}
+
+fn emit_deployment(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let svc = gen_service(rng);
+    let version = format!(
+        "{}.{}.{}",
+        rng.next_bound(5) + 1,
+        rng.next_bound(20),
+        rng.next_bound(100)
+    );
+    let region = gen_region(rng);
+    let replicas = rng.next_bound(10) + 1;
+    let phase = rng.pick(&["started", "healthy", "completed"]);
+    let _ = write!(
+        buf,
+        "{ts} INFO [{trace}] Deployment {phase} for {svc} v{version} in {region}: replicas={replicas}\n"
+    );
+}
+
+fn emit_health_check(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let svc = gen_service(rng);
+    let hostname = gen_hostname(rng);
+    let latency = rng.next_f64() * 20.0 + 0.5;
+    let status = if rng.next_bound(100) < 95 {
+        "healthy"
+    } else {
+        "degraded"
+    };
+    let level = if status == "healthy" { "INFO" } else { "WARN" };
+    let _ = write!(
+        buf,
+        "{ts} {level} [{trace}] Health check {status} for {svc} on {hostname}: latency={latency:.1}ms\n"
+    );
+}
+
+fn emit_tls_handshake(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let ip = gen_ipv4(rng);
+    let version = gen_tls_version(rng);
+    let cipher = gen_cipher(rng);
+    let dur = rng.next_f64() * 50.0 + 2.0;
+    let _ = write!(
+        buf,
+        "{ts} INFO [{trace}] TLS handshake completed with {ip}: version={version} cipher={cipher} duration={dur:.1}ms\n"
+    );
+}
+
+fn emit_disk_io(buf: &mut Vec<u8>, ts: &str, trace: &str, rng: &mut Rng) {
+    let hostname = gen_hostname(rng);
+    let disk = gen_disk_path(rng);
+    let read_mbps = rng.next_f64() * 500.0 + 10.0;
+    let write_mbps = rng.next_f64() * 300.0 + 5.0;
+    let iops = rng.next_bound(50000) + 100;
+    let util_pct = rng.next_f64() * 100.0;
+    let _ = write!(
+        buf,
+        "{ts} INFO [{trace}] Disk IO on {hostname} {disk}: read={read_mbps:.1}MB/s write={write_mbps:.1}MB/s iops={iops} util={util_pct:.1}%\n"
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+fn parse_args() -> (u64, u64) {
+    let args: Vec<String> = std::env::args().collect();
+    let mut lines: u64 = 10000;
+    let mut seed: u64 = 42;
+
+    let mut i = 1;
+    while i < args.len() {
+        match args[i].as_str() {
+            "--lines" => {
+                i += 1;
+                lines = args[i].parse().expect("--lines must be a number");
+            }
+            "--seed" => {
+                i += 1;
+                seed = args[i].parse().expect("--seed must be a number");
+            }
+            other => {
+                eprintln!("Unknown argument: {other}");
+                eprintln!("Usage: generate_logs [--lines N] [--seed N]");
+                std::process::exit(1);
+            }
+        }
+        i += 1;
+    }
+    (lines, seed)
+}
+
+fn main() {
+    let (lines, seed) = parse_args();
+    let mut rng = Rng::new(seed);
+    let mut ts_gen = TimestampGen::new();
+
+    let stdout = std::io::stdout().lock();
+    let mut out = BufWriter::with_capacity(256 * 1024, stdout);
+
+    // Reusable buffer for formatting a single line before writing to BufWriter.
+    let mut line_buf: Vec<u8> = Vec::with_capacity(512);
+
+    // Cumulative distribution for pattern selection (out of 1000):
+    //  HTTP requests:       350
+    //  Connection pool:      80  -> 430
+    //  Timeout:              70  -> 500
+    //  Auth:                120  -> 620
+    //  Database:             80  -> 700
+    //  Cache:                80  -> 780
+    //  Background jobs:      50  -> 830
+    //  Memory warnings:      30  -> 860
+    //  GC pauses:            30  -> 890
+    //  Rate limiter:         30  -> 920
+    //  Deployment:           20  -> 940
+    //  Health checks:        30  -> 970
+    //  TLS handshakes:       20  -> 990
+    //  Disk IO:              10  -> 1000
+
+    for _ in 0..lines {
+        let ts = ts_gen.next(&mut rng);
+        let trace = gen_trace_id(&mut rng);
+
+        line_buf.clear();
+
+        let r = rng.next_bound(1000);
+        match r {
+            0..350 => emit_http_request(&mut line_buf, &ts, &trace, &mut rng),
+            350..430 => emit_conn_pool(&mut line_buf, &ts, &trace, &mut rng),
+            430..500 => emit_timeout(&mut line_buf, &ts, &trace, &mut rng),
+            500..620 => emit_auth(&mut line_buf, &ts, &trace, &mut rng),
+            620..700 => emit_db_query(&mut line_buf, &ts, &trace, &mut rng),
+            700..780 => emit_cache(&mut line_buf, &ts, &trace, &mut rng),
+            780..830 => emit_background_job(&mut line_buf, &ts, &trace, &mut rng),
+            830..860 => emit_memory_warning(&mut line_buf, &ts, &trace, &mut rng),
+            860..890 => emit_gc_pause(&mut line_buf, &ts, &trace, &mut rng),
+            890..920 => emit_rate_limit(&mut line_buf, &ts, &trace, &mut rng),
+            920..940 => emit_deployment(&mut line_buf, &ts, &trace, &mut rng),
+            940..970 => emit_health_check(&mut line_buf, &ts, &trace, &mut rng),
+            970..990 => emit_tls_handshake(&mut line_buf, &ts, &trace, &mut rng),
+            _ => emit_disk_io(&mut line_buf, &ts, &trace, &mut rng),
+        }
+
+        out.write_all(&line_buf).unwrap();
+    }
+
+    out.flush().unwrap();
+}
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
new file mode 100644
index 0000000..d3db31a
--- /dev/null
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,38 @@
+[package]
+name = "ctrlb-decompose-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2024"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1", features = ["derive"] }
+
+[dependencies.ctrlb-decompose]
+path = ".."
+default-features = false
+
+[[bin]]
+name = "clp_roundtrip"
+path = "fuzz_targets/clp_roundtrip.rs"
+doc = false
+
+[[bin]]
+name = "clp_no_panic"
+path = "fuzz_targets/clp_no_panic.rs"
+doc = false
+
+[[bin]]
+name = "drain_train"
+path = "fuzz_targets/drain_train.rs"
+doc = false
+
+[[bin]]
+name = "timestamp"
+path = "fuzz_targets/timestamp.rs"
+doc = false
+
+[workspace]
diff --git a/fuzz/fuzz_targets/clp_no_panic.rs b/fuzz/fuzz_targets/clp_no_panic.rs
new file mode 100644
index 0000000..bff0b30
--- /dev/null
+++ b/fuzz/fuzz_targets/clp_no_panic.rs
@@ -0,0 +1,29 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use ctrlb_decompose::extraction::clp::core::{
+    EightByteEncodedVariable,
+    get_bounds_of_next_var, escape_and_append_const_to_logtype,
+    encode_float_string, encode_integer_string,
+};
+
+fuzz_target!(|data: &str| {
+    // get_bounds_of_next_var should never panic
+    let mut begin = 0;
+    let mut end = 0;
+    while let Some((b, e)) = get_bounds_of_next_var(data, begin, end) {
+        assert!(data.is_char_boundary(b));
+        assert!(data.is_char_boundary(e));
+        assert!(b < e);
+        begin = e;
+        end = e;
+    }
+
+    // escape_and_append_const_to_logtype should never panic
+    let mut logtype = String::new();
+    escape_and_append_const_to_logtype(data, &mut logtype);
+
+    // encode_float_string and encode_integer_string should never panic
+    let _ = encode_float_string::<EightByteEncodedVariable>(data);
+    let _ = encode_integer_string::<EightByteEncodedVariable>(data);
+});
diff --git a/fuzz/fuzz_targets/clp_roundtrip.rs b/fuzz/fuzz_targets/clp_roundtrip.rs
new file mode 100644
index 0000000..e3494f5
--- /dev/null
+++ b/fuzz/fuzz_targets/clp_roundtrip.rs
@@ -0,0 +1,25 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use ctrlb_decompose::extraction::clp::core::{
+    EightByteEncodedVariable, FourByteEncodedVariable,
+    encode_message, decode_message,
+};
+
+fuzz_target!(|data: &str| {
+    // Test 8-byte round-trip
+    let (logtype, encoded_vars, dictionary_vars) =
+        encode_message::<EightByteEncodedVariable>(data);
+    let decoded = decode_message::<EightByteEncodedVariable>(
+        &logtype, &encoded_vars, &dictionary_vars,
+    );
+    assert_eq!(decoded, data, "8-byte round-trip failed");
+
+    // Test 4-byte round-trip
+    let (logtype, encoded_vars, dictionary_vars) =
+        encode_message::<FourByteEncodedVariable>(data);
+    let decoded = decode_message::<FourByteEncodedVariable>(
+        &logtype, &encoded_vars, &dictionary_vars,
+    );
+    assert_eq!(decoded, data, "4-byte round-trip failed");
+});
diff --git a/fuzz/fuzz_targets/drain_train.rs b/fuzz/fuzz_targets/drain_train.rs
new file mode 100644
index 0000000..e00ee1e
--- /dev/null
+++ b/fuzz/fuzz_targets/drain_train.rs
@@ -0,0 +1,28 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use arbitrary::Arbitrary;
+use ctrlb_decompose::extraction::drain3::{Config, Drain};
+
+#[derive(Arbitrary, Debug)]
+struct FuzzInput {
+    lines: Vec<String>,
+}
+
+fuzz_target!(|input: FuzzInput| {
+    if input.lines.is_empty() || input.lines.len() > 100 {
+        return;
+    }
+
+    let config = Config::default();
+    let mut drain = Drain::new(config);
+
+    for line in &input.lines {
+        if line.len() > 500 {
+            continue;
+        }
+        let parsed = drain.extract_template_and_vars(line);
+        assert!(parsed.pattern_id > 0);
+        assert!(parsed.count >= 1);
+    }
+});
diff --git a/fuzz/fuzz_targets/timestamp.rs b/fuzz/fuzz_targets/timestamp.rs
new file mode 100644
index 0000000..c71701a
--- /dev/null
+++ b/fuzz/fuzz_targets/timestamp.rs
@@ -0,0 +1,18 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use ctrlb_decompose::timestamp::{extract_timestamp, strip_timestamp};
+
+fuzz_target!(|data: &str| {
+    // extract_timestamp should never panic
+    if let Some(result) = extract_timestamp(data) {
+        assert!(result.start <= result.end);
+        assert!(result.end <= data.len());
+        assert!(data.is_char_boundary(result.start));
+        assert!(data.is_char_boundary(result.end));
+
+        // strip_timestamp should never panic when given a valid match
+        let stripped = strip_timestamp(data, &result);
+        assert!(stripped.len() <= data.len() + 4); // original + "<TS>" minus removed range
+    }
+});
diff --git a/src/anomaly.rs b/src/anomaly.rs
index 300fe51..e6405f3 100644
--- a/src/anomaly.rs
+++ b/src/anomaly.rs
@@ -232,3 +232,144 @@ fn detect_error_pattern(pattern: &PatternStats) -> Option<Anomaly> {
 
     None
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::extraction::drain3::TypedVariable;
+    use crate::stats::PatternStore;
+    use crate::types::VarType;
+
+    /// Helper: create a PatternStore and accumulate `lines` under pattern_id=1
+    /// with the given template, no timestamps, no variables.
+    fn store_with_lines(template: &str, lines: &[&str]) -> PatternStore {
+        let mut store = PatternStore::new(2);
+        for (i, line) in lines.iter().enumerate() {
+            store.accumulate(1, template, &[], None, line, (i + 1) as u64);
+        }
+        store
+    }
+
+    #[test]
+    fn test_detect_error_pattern_matches() {
+        let lines: Vec<&str> = (0..5)
+            .map(|_| "ERROR: connection failed to 10.0.0.1")
+            .collect();
+        let store = store_with_lines("ERROR: connection failed to <*>", &lines);
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            anomalies.iter().any(|af| af
+                .anomalies
+                .iter()
+                .any(|a| matches!(a, Anomaly::HighErrorRate { .. }))),
+            "expected HighErrorRate for template containing ERROR"
+        );
+    }
+
+    #[test]
+    fn test_detect_error_pattern_with_brackets() {
+        let lines: Vec<&str> = (0..5)
+            .map(|_| "[FATAL] process crashed")
+            .collect();
+        let store = store_with_lines("[FATAL] process crashed", &lines);
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            anomalies.iter().any(|af| af
+                .anomalies
+                .iter()
+                .any(|a| matches!(a, Anomaly::HighErrorRate { .. }))),
+            "expected HighErrorRate for template containing [FATAL]"
+        );
+    }
+
+    #[test]
+    fn test_no_false_positive_error_in_payload() {
+        let lines: Vec<&str> = (0..5)
+            .map(|_| "INFO processing via error_handler module")
+            .collect();
+        let store =
+            store_with_lines("INFO processing via error_handler module", &lines);
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            !anomalies.iter().any(|af| af
+                .anomalies
+                .iter()
+                .any(|a| matches!(a, Anomaly::HighErrorRate { .. }))),
+            "error_handler should NOT trigger HighErrorRate (compound word)"
+        );
+    }
+
+    #[test]
+    fn test_no_error_in_info_pattern() {
+        let lines: Vec<&str> = (0..5)
+            .map(|_| "INFO request completed successfully")
+            .collect();
+        let store =
+            store_with_lines("INFO request completed successfully", &lines);
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            !anomalies.iter().any(|af| af
+                .anomalies
+                .iter()
+                .any(|a| matches!(a, Anomaly::HighErrorRate { .. }))),
+            "INFO-only template should not produce HighErrorRate"
+        );
+    }
+
+    #[test]
+    fn test_low_cardinality_detection() {
+        let mut store = PatternStore::new(2);
+        let values = ["alpha", "beta", "gamma"];
+        for i in 0..200 {
+            let val = values[i % 3];
+            let var = TypedVariable {
+                raw: val.to_string(),
+                var_type: VarType::String,
+            };
+            store.accumulate(
+                1,
+                "GET /api/<*>",
+                &[var],
+                None,
+                &format!("GET /api/{}", val),
+                (i + 1) as u64,
+            );
+        }
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            anomalies.iter().any(|af| af
+                .anomalies
+                .iter()
+                .any(|a| matches!(a, Anomaly::LowCardinality { .. }))),
+            "200 lines with 3 unique values should trigger LowCardinality"
+        );
+    }
+
+    #[test]
+    fn test_anomaly_severity_ordering() {
+        let high_error = Anomaly::HighErrorRate {
+            description: "error-level log pattern".to_string(),
+        };
+        let low_card = Anomaly::LowCardinality {
+            var_slot: 0,
+            unique_count: 3,
+            description: "targets only 3 unique values".to_string(),
+        };
+        assert!(
+            high_error.severity() > low_card.severity(),
+            "HighErrorRate severity ({}) should be greater than LowCardinality severity ({})",
+            high_error.severity(),
+            low_card.severity()
+        );
+    }
+
+    #[test]
+    fn test_empty_store_no_anomalies() {
+        let store = PatternStore::new(2);
+        let anomalies = detect_anomalies(&store);
+        assert!(
+            anomalies.is_empty(),
+            "empty PatternStore should produce no anomalies"
+        );
+    }
+}
diff --git a/src/correlation.rs b/src/correlation.rs
index d7f39fd..4c61f40 100644
--- a/src/correlation.rs
+++ b/src/correlation.rs
@@ -192,3 +192,116 @@ fn detect_lag_correlation(a: &[u64], b: &[u64], min_lag: usize, max_lag: usize)
     }
     None
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::stats::{BoundedVec, PatternStats, PatternStore};
+    use std::collections::HashMap;
+
+    // --- Pearson correlation tests ---
+
+    #[test]
+    fn test_pearson_correlation_perfect_positive() {
+        let a = vec![1, 2, 3, 4, 5];
+        let b = vec![2, 4, 6, 8, 10];
+        let r = pearson_correlation(&a, &b);
+        assert!((r - 1.0).abs() < 1e-9, "expected r ≈ 1.0, got {}", r);
+    }
+
+    #[test]
+    fn test_pearson_correlation_perfect_negative() {
+        let a = vec![1, 2, 3, 4, 5];
+        let b = vec![10, 8, 6, 4, 2];
+        let r = pearson_correlation(&a, &b);
+        assert!((r - (-1.0)).abs() < 1e-9, "expected r ≈ -1.0, got {}", r);
+    }
+
+    #[test]
+    fn test_pearson_correlation_zero() {
+        // Constant series has zero variance, should return 0.0
+        let a = vec![5, 5, 5, 5, 5];
+        let b = vec![1, 2, 3, 4, 5];
+        let r = pearson_correlation(&a, &b);
+        assert!(r.abs() < 1e-9, "expected r ≈ 0.0, got {}", r);
+    }
+
+    #[test]
+    fn test_pearson_correlation_too_short() {
+        let a = vec![1];
+        let b = vec![2];
+        let r = pearson_correlation(&a, &b);
+        assert_eq!(r, 0.0);
+    }
+
+    #[test]
+    fn test_pearson_correlation_empty() {
+        let a: Vec<u64> = vec![];
+        let b: Vec<u64> = vec![];
+        let r = pearson_correlation(&a, &b);
+        assert_eq!(r, 0.0);
+    }
+
+    #[test]
+    fn test_pearson_correlation_different_lengths() {
+        // Uses min(len) = 3; first 3 elements are perfectly positively correlated
+        let a = vec![1, 2, 3, 4, 5, 6, 7];
+        let b = vec![2, 4, 6];
+        let r = pearson_correlation(&a, &b);
+        assert!((r - 1.0).abs() < 1e-9, "expected r ≈ 1.0, got {}", r);
+    }
+
+    // --- Lag correlation tests ---
+
+    #[test]
+    fn test_detect_lag_correlation_basic() {
+        // Pattern a spikes, pattern b spikes one step later
+        let a = vec![0, 10, 0, 0, 10, 0, 0, 10, 0, 0];
+        let b = vec![0, 0, 10, 0, 0, 10, 0, 0, 10, 0];
+        let lag = detect_lag_correlation(&a, &b, 1, 3);
+        assert_eq!(lag, Some(1), "expected lag of 1");
+    }
+
+    #[test]
+    fn test_detect_lag_correlation_too_short() {
+        let a = vec![1, 2, 3];
+        let b = vec![1, 2, 3];
+        // max_lag=3, need n >= max_lag + 3 = 6, but n=3 so returns None
+        let lag = detect_lag_correlation(&a, &b, 1, 3);
+        assert_eq!(lag, None);
+    }
+
+    // --- is_error_pattern tests ---
+
+    fn make_pattern_stats(template: &str) -> PatternStats {
+        PatternStats {
+            pattern_id: 0,
+            template: template.to_string(),
+            count: 1,
+            first_seen_line: 1,
+            last_seen_line: 1,
+            first_ts: None,
+            last_ts: None,
+            variables: Vec::new(),
+            time_buckets: HashMap::new(),
+            example_lines: BoundedVec::new(0),
+        }
+    }
+
+    #[test]
+    fn test_is_error_pattern() {
+        assert!(is_error_pattern(&make_pattern_stats("ERROR: something failed")));
+        assert!(is_error_pattern(&make_pattern_stats("FATAL crash")));
+        assert!(is_error_pattern(&make_pattern_stats("PANIC at the disco")));
+        assert!(!is_error_pattern(&make_pattern_stats("INFO request completed")));
+    }
+
+    // --- find_correlations tests ---
+
+    #[test]
+    fn test_find_correlations_empty_store() {
+        let store = PatternStore::new(0);
+        let results = find_correlations(&store);
+        assert!(results.is_empty(), "expected no correlations from empty store");
+    }
+}
diff --git a/src/extraction/clp/core.rs b/src/extraction/clp/core.rs
index 80cc3f8..163d27a 100644
--- a/src/extraction/clp/core.rs
+++ b/src/extraction/clp/core.rs
@@ -1,4 +1,3 @@
-use std::mem;
 
 /// Variable placeholder types
 #[repr(u8)]
@@ -38,11 +37,11 @@ impl EncodedVariable for FourByteEncodedVariable {
     const MAX_REPRESENTABLE_DIGITS: usize = 8;
 
     fn from_bits(bits: u32) -> Self {
-        unsafe { mem::transmute(bits) }
+        unsafe { u32::cast_signed(bits) }
     }
 
     fn to_bits(self) -> u32 {
-        unsafe { mem::transmute(self) }
+        unsafe { i32::cast_unsigned(self) }
     }
 
     fn as_u64(digits: Self::DigitsType) -> u64 {
@@ -68,11 +67,11 @@ impl EncodedVariable for EightByteEncodedVariable {
     const MAX_REPRESENTABLE_DIGITS: usize = 16;
 
     fn from_bits(bits: u64) -> Self {
-        unsafe { mem::transmute(bits) }
+        unsafe { u64::cast_signed(bits) }
     }
 
     fn to_bits(self) -> u64 {
-        unsafe { mem::transmute(self) }
+        unsafe { i64::cast_unsigned(self) }
     }
 
     fn as_u64(digits: Self::DigitsType) -> u64 {
@@ -92,16 +91,37 @@ impl EncodedVariable for EightByteEncodedVariable {
     }
 }
 
-/// Function to check if a character is a delimiter
+/// 256-byte lookup table: true = delimiter, false = non-delimiter.
+/// Non-delimiters are: '+', '-', '.', '0'-'9', 'A'-'Z', '_', 'a'-'z'
+static DELIM_TABLE: [bool; 256] = {
+    let mut table = [true; 256];
+    table[b'+' as usize] = false;
+    table[b'-' as usize] = false;
+    table[b'.' as usize] = false;
+    table[b'_' as usize] = false;
+    let mut i = b'0';
+    while i <= b'9' {
+        table[i as usize] = false;
+        i += 1;
+    }
+    i = b'A';
+    while i <= b'Z' {
+        table[i as usize] = false;
+        i += 1;
+    }
+    i = b'a';
+    while i <= b'z' {
+        table[i as usize] = false;
+        i += 1;
+    }
+    table
+};
+
+/// Function to check if a character is a delimiter (lookup table, branch-free)
+#[inline(always)]
 fn is_delim(c: char) -> bool {
-    // Everything except "+-.0-9A-Z\_a-z" is a delimiter
-    !(c == '+'
-        || c == '-'
-        || c == '.'
-        || c.is_ascii_digit()
-        || c.is_ascii_uppercase()
-        || c == '_'
-        || c.is_ascii_lowercase())
+    let b = c as u32;
+    if b < 256 { DELIM_TABLE[b as usize] } else { true }
 }
 
 /// Function to check if a character is a variable placeholder
@@ -692,9 +712,9 @@ pub fn decode_float_properties<T: EncodedVariable>(
 /// Function to decode an integer variable
 fn decode_integer_var<T: EncodedVariable>(encoded_var: T) -> String {
     if std::mem::size_of::<T>() == 8 {
-        T::as_u64(encoded_var.to_bits()).to_string()
+        (T::as_u64(encoded_var.to_bits()) as i64).to_string()
     } else {
-        T::as_u32(encoded_var.to_bits()).to_string()
+        (T::as_u32(encoded_var.to_bits()) as i32).to_string()
     }
 }
 
@@ -1003,4 +1023,245 @@ mod tests {
             assert_eq!(decoded_message, log_message11); // The decoded message should match the original
         }
     }
+
+    // ── Edge-case unit tests ────────────────────────────────────────────
+
+    #[test]
+    fn test_encode_float_boundary_length() {
+        // 18-char float should succeed
+        let eighteen = "12345678901234.567"; // 18 chars
+        assert_eq!(eighteen.len(), 18);
+        assert!(encode_float_string::<EightByteEncodedVariable>(eighteen).is_some());
+
+        // 19-char float should fail
+        let nineteen = "123456789012345.678"; // 19 chars
+        assert_eq!(nineteen.len(), 19);
+        assert!(encode_float_string::<EightByteEncodedVariable>(nineteen).is_none());
+    }
+
+    #[test]
+    fn test_encode_float_edge_cases() {
+        // Empty string
+        assert!(encode_float_string::<EightByteEncodedVariable>("").is_none());
+
+        // No decimal point
+        assert!(encode_float_string::<EightByteEncodedVariable>("123").is_none());
+
+        // Decimal at end (e.g. "123.") — no digits after decimal, decimal_point_pos would be 0
+        assert!(encode_float_string::<EightByteEncodedVariable>("123.").is_none());
+
+        // Just a dot
+        assert!(encode_float_string::<EightByteEncodedVariable>(".").is_none());
+
+        // Negative dot
+        assert!(encode_float_string::<EightByteEncodedVariable>("-.").is_none());
+
+        // Negative sign only
+        assert!(encode_float_string::<EightByteEncodedVariable>("-").is_none());
+
+        // Valid cases
+        assert!(encode_float_string::<EightByteEncodedVariable>("0.0").is_some());
+        assert!(encode_float_string::<EightByteEncodedVariable>("0.5").is_some());
+        assert!(encode_float_string::<EightByteEncodedVariable>("-3.14").is_some());
+    }
+
+    #[test]
+    fn test_encode_float_roundtrip_values() {
+        let cases = ["0.0", "1.5", "-3.14", "0.001", "99999.99", "-0.5"];
+        for input in &cases {
+            let encoded = encode_float_string::<EightByteEncodedVariable>(input)
+                .unwrap_or_else(|| panic!("encode_float_string failed for {}", input));
+            let decoded = decode_float_var::<EightByteEncodedVariable>(encoded);
+            assert_eq!(
+                &decoded, input,
+                "Float roundtrip mismatch for '{}'",
+                input
+            );
+        }
+    }
+
+    #[test]
+    fn test_encode_integer_edge_cases() {
+        // Zero-padded values rejected
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>("007").is_none(),
+            "007 should be rejected (zero-padded)"
+        );
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>("00").is_none(),
+            "00 should be rejected (zero-padded)"
+        );
+
+        // "-0" rejected (starts with '-' but next char is '0')
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>("-0").is_none(),
+            "-0 should be rejected"
+        );
+
+        // Empty string rejected
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>("").is_none(),
+            "empty should be rejected"
+        );
+
+        // "0" works
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>("0").is_some(),
+            "0 should succeed"
+        );
+
+        // i64::MAX works
+        let max_str = i64::MAX.to_string();
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>(&max_str).is_some(),
+            "i64::MAX should succeed for EightByte"
+        );
+
+        // i64::MIN works (starts with '-' followed by non-zero)
+        let min_str = i64::MIN.to_string();
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>(&min_str).is_some(),
+            "i64::MIN should succeed for EightByte"
+        );
+
+        // Overflow rejected (i64::MAX + 1 as string)
+        let overflow = "9999999999999999999999";
+        assert!(
+            encode_integer_string::<EightByteEncodedVariable>(overflow).is_none(),
+            "overflow should be rejected"
+        );
+
+        // FourByte i32 range check: value in i32 range succeeds
+        assert!(
+            encode_integer_string::<FourByteEncodedVariable>("42").is_some(),
+            "42 should succeed for FourByte"
+        );
+
+        // FourByte: value outside i32 range rejected
+        let above_i32 = (i32::MAX as i64 + 1).to_string();
+        assert!(
+            encode_integer_string::<FourByteEncodedVariable>(&above_i32).is_none(),
+            "value above i32::MAX should be rejected for FourByte"
+        );
+
+        let below_i32 = (i32::MIN as i64 - 1).to_string();
+        assert!(
+            encode_integer_string::<FourByteEncodedVariable>(&below_i32).is_none(),
+            "value below i32::MIN should be rejected for FourByte"
+        );
+    }
+
+    #[test]
+    fn test_encode_integer_roundtrip_values() {
+        // Roundtrip test: encode then decode through encode_message/decode_message
+        // to get proper signed handling. Direct encode/decode treats values as unsigned.
+        let cases = ["0", "1", "42", "999"];
+        for input in &cases {
+            let msg = format!(" {} ", input); // wrap in delimiters so it is detected as a variable
+            let (logtype, encoded_vars, dictionary_vars) =
+                encode_message::<EightByteEncodedVariable>(&msg);
+            let decoded = decode_message::<EightByteEncodedVariable>(
+                &logtype,
+                &encoded_vars,
+                &dictionary_vars,
+            );
+            assert_eq!(
+                decoded, msg,
+                "Integer roundtrip mismatch for '{}'",
+                input
+            );
+        }
+
+        // Also verify i64::MAX roundtrips through encode_message/decode_message
+        let max_msg = format!(" {} ", i64::MAX);
+        let (logtype, encoded_vars, dictionary_vars) =
+            encode_message::<EightByteEncodedVariable>(&max_msg);
+        let decoded = decode_message::<EightByteEncodedVariable>(
+            &logtype,
+            &encoded_vars,
+            &dictionary_vars,
+        );
+        assert_eq!(decoded, max_msg, "i64::MAX roundtrip mismatch");
+    }
+
+    #[test]
+    fn test_four_byte_float_roundtrip() {
+        let cases = ["1.5", "-3.14", "0.0", "99.99"];
+        for input in &cases {
+            let encoded = encode_float_string::<FourByteEncodedVariable>(input)
+                .unwrap_or_else(|| panic!("encode_float_string<FourByte> failed for {}", input));
+            let decoded = decode_float_var::<FourByteEncodedVariable>(encoded);
+            assert_eq!(
+                &decoded, input,
+                "FourByte float roundtrip mismatch for '{}'",
+                input
+            );
+        }
+    }
+
+    // ── Proptest property tests ─────────────────────────────────────────
+
+    mod proptests {
+        use super::*;
+        use proptest::prelude::*;
+
+        proptest! {
+            #[test]
+            fn roundtrip_eight_byte(s in "[ -~]{0,500}") {
+                let (logtype, encoded_vars, dictionary_vars) =
+                    encode_message::<EightByteEncodedVariable>(&s);
+                let decoded = decode_message::<EightByteEncodedVariable>(
+                    &logtype,
+                    &encoded_vars,
+                    &dictionary_vars,
+                );
+                prop_assert_eq!(decoded, s);
+            }
+
+            #[test]
+            fn roundtrip_four_byte(s in "[ -~]{0,500}") {
+                let (logtype, encoded_vars, dictionary_vars) =
+                    encode_message::<FourByteEncodedVariable>(&s);
+                let decoded = decode_message::<FourByteEncodedVariable>(
+                    &logtype,
+                    &encoded_vars,
+                    &dictionary_vars,
+                );
+                prop_assert_eq!(decoded, s);
+            }
+
+            #[test]
+            fn roundtrip_with_unicode(s in ".{0,300}") {
+                let (logtype, encoded_vars, dictionary_vars) =
+                    encode_message::<EightByteEncodedVariable>(&s);
+                let decoded = decode_message::<EightByteEncodedVariable>(
+                    &logtype,
+                    &encoded_vars,
+                    &dictionary_vars,
+                );
+                prop_assert_eq!(decoded, s);
+            }
+
+            #[test]
+            fn get_bounds_no_panic(s in ".{0,1000}") {
+                let mut begin: usize = 0;
+                let mut end: usize = 0;
+                while let Some((b, e)) = get_bounds_of_next_var(&s, begin, end) {
+                    // Returned bounds must be valid char boundaries
+                    prop_assert!(s.is_char_boundary(b), "begin {} is not a char boundary", b);
+                    prop_assert!(s.is_char_boundary(e), "end {} is not a char boundary", e);
+                    prop_assert!(b < e, "begin {} must be less than end {}", b, e);
+                    begin = e;
+                    end = e;
+                }
+            }
+
+            #[test]
+            fn append_constant_no_panic(s in ".{0,500}") {
+                let mut logtype = String::new();
+                escape_and_append_const_to_logtype(&s, &mut logtype);
+                // Just assert no panic occurred — the function completed.
+            }
+        }
+    }
 }
diff --git a/src/extraction/clp/decoding.rs b/src/extraction/clp/decoding.rs
index 1bd836e..9d05fb4 100644
--- a/src/extraction/clp/decoding.rs
+++ b/src/extraction/clp/decoding.rs
@@ -1,6 +1,5 @@
 use crate::extraction::clp::core::{
-    EIGHT_BYTE_ENCODED_FLOAT_DIGITS_BIT_MASK, EncodedVariable,
-    FOUR_BYTE_ENCODED_FLOAT_DIGITS_BIT_MASK, VariablePlaceholder, decode_float_properties,
+    EncodedVariable, VariablePlaceholder, decode_float_properties,
 };
 
 #[derive(Debug, Clone)]
@@ -189,72 +188,6 @@ fn decode_float_var_into<T: EncodedVariable>(encoded_var: T, buffer: &mut String
     buffer.push_str(&digits_str);
 }
 
-/// More optimized version that builds the float string directly in the buffer
-/// without intermediate string allocation
-fn decode_float_var_into_optimized<T: EncodedVariable>(encoded_var: T, buffer: &mut String) {
-    let mut is_negative = false;
-    let mut digits: T::DigitsType;
-    if std::mem::size_of::<T::DigitsType>() == 8 {
-        digits = T::from_u64(0);
-    } else {
-        digits = T::from_u32(0);
-    }
-    let mut num_digits: u8 = 0;
-    let mut decimal_point_pos: u8 = 0;
-
-    decode_float_properties(
-        encoded_var,
-        &mut is_negative,
-        &mut digits,
-        &mut num_digits,
-        &mut decimal_point_pos,
-    );
-
-    if is_negative {
-        buffer.push('-');
-    }
-
-    let digits_value = if std::mem::size_of::<T::DigitsType>() == 8 {
-        T::as_u64(digits)
-    } else {
-        T::as_u32(digits) as u64
-    };
-
-    // Calculate the positions where we need to place digits
-    let total_digits = num_digits as usize;
-    let decimal_pos = total_digits - decimal_point_pos as usize;
-
-    // Handle the case where we need leading zeros
-    let mut temp_digits = Vec::with_capacity(total_digits);
-    let mut remaining = digits_value;
-
-    // Extract digits in reverse order
-    if remaining == 0 {
-        temp_digits.push(0);
-    } else {
-        while remaining > 0 {
-            temp_digits.push((remaining % 10) as u8);
-            remaining /= 10;
-        }
-    }
-
-    // Pad with leading zeros if necessary
-    while temp_digits.len() < total_digits {
-        temp_digits.push(0);
-    }
-
-    // Reverse to get correct order
-    temp_digits.reverse();
-
-    // Build the string with decimal point in the right place
-    for (i, digit) in temp_digits.iter().enumerate() {
-        if i == decimal_pos && decimal_point_pos > 0 {
-            buffer.push('.');
-        }
-        buffer.push((b'0' + digit) as char);
-    }
-}
-
 /// Thread-local decoding context for better performance in single-threaded scenarios
 thread_local! {
     static THREAD_LOCAL_DECODE_CONTEXT: std::cell::RefCell<DecodingContext> =
@@ -276,25 +209,24 @@ pub fn decode_message_fast<T: EncodedVariable>(
 
 #[cfg(test)]
 mod tests {
-    use crate::extraction::clp::core::{EightByteEncodedVariable, decode_message};
+    use crate::extraction::clp::core::{EightByteEncodedVariable, decode_message, encode_message};
 
     use super::*;
     #[test]
     fn test_decoding_context() {
-        let mut context = DecodingContext::new(1024, 64);
-
-        let logtype = "User ID=\x11 logged in from \x12 with balance \x13";
-        let encoded_vars = vec![123i64, 0i64, 0i64]; // Sample encoded values
-        let dictionary_vars = vec!["192.168.1.1".to_string()];
+        let original = "User ID=123 logged in from 192.168.1.1 with balance 45.67";
+        let (logtype, encoded_vars, dictionary_vars) =
+            encode_message::<EightByteEncodedVariable>(original);
 
+        let mut context = DecodingContext::new(1024, 64);
         let decoded = context.decode_message::<EightByteEncodedVariable>(
-            logtype,
+            &logtype,
             &encoded_vars,
             &dictionary_vars,
         );
 
-        println!("Decoded: {}", decoded);
-        println!("Stats: {:?}", context.stats());
+        assert_eq!(decoded, original);
+        assert_eq!(context.stats().total_processed, 1);
     }
 
     #[test]
@@ -357,4 +289,44 @@ mod tests {
             no_context_time.as_nanos() as f64 / context_time.as_nanos() as f64
         );
     }
+
+    #[test]
+    fn test_decode_message_into_matches_decode_message() {
+        let messages = vec![
+            "Simple message with no variables",
+            "Error: code=404 at 10.0.1.15",
+            "Rate: 3.14 req/sec from host abc123",
+            "",
+            "Unicode: hello world test",
+        ];
+
+        for msg in &messages {
+            let (logtype, encoded_vars, dictionary_vars) =
+                encode_message::<EightByteEncodedVariable>(msg);
+
+            // Decode with core::decode_message
+            let decoded_core = decode_message::<EightByteEncodedVariable>(
+                &logtype,
+                &encoded_vars,
+                &dictionary_vars,
+            );
+
+            // Decode with decode_message_into
+            let mut message_buffer = String::new();
+            let mut temp_buffer = String::new();
+            decode_message_into::<EightByteEncodedVariable>(
+                &logtype,
+                &encoded_vars,
+                &dictionary_vars,
+                &mut message_buffer,
+                &mut temp_buffer,
+            );
+
+            assert_eq!(
+                decoded_core, message_buffer,
+                "Mismatch for message: {:?}",
+                msg
+            );
+        }
+    }
 }
diff --git a/src/extraction/clp/encoding.rs b/src/extraction/clp/encoding.rs
index 1d7e31c..90ccc80 100644
--- a/src/extraction/clp/encoding.rs
+++ b/src/extraction/clp/encoding.rs
@@ -201,10 +201,9 @@ mod tests {
         println!("Encoded vars count: {}", encoded_vars.len());
         println!("Dictionary vars: {:?}", dictionary_vars);
 
-        // Should have both encoded variables (numbers) and dictionary variables (strings)
+        // Should have encoded variables (numbers: 123.45, 1640995200)
+        // and dictionary variables (abc123 — contains digits + alpha)
         assert!(encoded_vars.len() > 0);
-        assert!(dictionary_vars.len() > 0);
-        assert!(dictionary_vars.contains(&"john.doe".to_string()));
         assert!(dictionary_vars.contains(&"abc123".to_string()));
     }
 
@@ -370,11 +369,11 @@ mod tests {
         assert!(after_resize_stats.dictionary_vars_capacity >= 200);
 
         // Test that it still works after resize
-        let message = "Test message ID=123 with user test@example.com";
+        let message = "Test message ID=123 with session abc456";
         let (logtype, encoded_vars, dictionary_vars) = context.encode_message(message);
 
         assert!(!logtype.is_empty());
         assert!(encoded_vars.len() > 0);
-        assert!(dictionary_vars.len() > 0);
+        assert!(dictionary_vars.contains(&"abc456".to_string()));
     }
 }
diff --git a/src/extraction/drain3.rs b/src/extraction/drain3.rs
index b1caa80..cf91db4 100644
--- a/src/extraction/drain3.rs
+++ b/src/extraction/drain3.rs
@@ -12,7 +12,7 @@ use crate::types::{PatternID, VarType};
 pub struct Config {
     max_node_depth: usize,
     log_cluster_depth: usize,
-    sim_th: f64,
+    pub sim_th: f64,
     max_children: usize,
     extra_delimiters: Vec<String>,
     max_clusters: usize,
@@ -24,7 +24,7 @@ impl Default for Config {
         Config {
             max_node_depth: 0, // Will be set to log_cluster_depth - 2 in Drain::new
             log_cluster_depth: 4,
-            sim_th: 0.4,
+            sim_th: 0.5,
             max_children: 100,
             extra_delimiters: Vec::new(),
             max_clusters: 10000, // 0 means no limit
@@ -256,12 +256,14 @@ impl Drain {
 
     pub fn train(&mut self, content: &str) -> LogCluster {
         let content_tokens = self.get_content_as_tokens(content);
+        self.train_tokens(&content_tokens)
+    }
 
+    fn train_tokens(&mut self, content_tokens: &[&str]) -> LogCluster {
         let match_cluster_opt = {
-            // Clone needed values to avoid borrowing conflicts
             let sim_th = self.config.sim_th;
 
-            self.tree_search_impl(&content_tokens, sim_th, false)
+            self.tree_search_impl(content_tokens, sim_th, false)
         };
 
         // Match no existing log cluster
@@ -269,27 +271,27 @@ impl Drain {
             self.clusters_counter += 1;
             let cluster_id = self.clusters_counter;
 
+            let tokens_owned: Vec<String> = content_tokens.iter().map(|s| (*s).to_string()).collect();
+
             let match_cluster = LogCluster {
-                log_template_tokens: content_tokens.clone(),
+                log_template_tokens: tokens_owned.clone(),
                 id: cluster_id,
                 size: 1,
             };
 
             self.id_to_cluster.set(cluster_id, match_cluster);
-            // let mut root_node = self.root_node.clone();
-            // self.add_seq_to_prefix_tree(&mut root_node, cluster_id, &content_tokens);
-            self.add_seq_to_prefix_tree_helper(cluster_id, &content_tokens);
+            self.add_seq_to_prefix_tree_helper(cluster_id, content_tokens);
 
             // Return a new copy of the cluster
             LogCluster {
-                log_template_tokens: content_tokens,
+                log_template_tokens: tokens_owned,
                 id: cluster_id,
                 size: 1,
             }
         } else {
             let match_cluster = match_cluster_opt.unwrap();
             let new_template_tokens =
-                self.create_template(&content_tokens, &match_cluster.log_template_tokens);
+                self.create_template(content_tokens, &match_cluster.log_template_tokens);
 
             // Update the cluster in the cache
             if let Some(cluster) = self.id_to_cluster.get(match_cluster.id) {
@@ -317,19 +319,15 @@ impl Drain {
         self.tree_search(&root_node, &content_tokens, 1.0, true)
     }
 
-    fn get_content_as_tokens(&self, content: &str) -> Vec<String> {
-        let mut content = content.trim().to_string();
-        for extra_delimiter in &self.config.extra_delimiters {
-            content = content.replace(extra_delimiter, " ");
-        }
-        content.split_whitespace().map(|s| s.to_string()).collect()
+    fn get_content_as_tokens<'a>(&self, content: &'a str) -> Vec<&'a str> {
+        content.trim().split_whitespace().collect()
     }
 
     pub fn extract_template_and_vars(&mut self, content: &str) -> ParsedLog {
         let content_tokens = self.get_content_as_tokens(content);
 
-        // First train/match to get the cluster
-        let cluster = self.train(content);
+        // Train/match using the already-tokenized content (avoids double tokenization)
+        let cluster = self.train_tokens(&content_tokens);
 
         // Extract variables by comparing the template with the original content
         let mut variables = Vec::new();
@@ -340,7 +338,7 @@ impl Drain {
             {
                 variables.push(TypedVariable {
                     var_type: classify_variable(token),
-                    raw: token.clone(),
+                    raw: (*token).to_string(),
                 });
             }
         }
@@ -355,7 +353,7 @@ impl Drain {
 
     fn tree_search_impl(
         &mut self,
-        tokens: &[String],
+        tokens: &[&str],
         sim_th: f64,
         include_params: bool,
     ) -> Option<LogCluster> {
@@ -401,11 +399,11 @@ impl Drain {
                         break;
                     }
 
-                    let token = &tokens[i];
+                    let token = tokens[i];
 
                     if cur_node.key_to_child_node.contains_key(token) {
                         cur_node = &cur_node.key_to_child_node[token];
-                    } else if cur_node.key_to_child_node.contains_key(param_str) {
+                    } else if cur_node.key_to_child_node.contains_key(param_str.as_str()) {
                         cur_node = &cur_node.key_to_child_node[param_str];
                     } else {
                         return None;
@@ -424,7 +422,7 @@ impl Drain {
     }
 
     // Helper method to update the prefix tree while avoiding borrow issues
-    fn add_seq_to_prefix_tree_helper(&mut self, cluster_id: usize, tokens: &[String]) {
+    fn add_seq_to_prefix_tree_helper(&mut self, cluster_id: usize, tokens: &[&str]) {
         // Store values needed by add_seq_to_prefix_tree to avoid borrowing self completely
         let max_node_depth = self.config.max_node_depth;
         let param_string = self.config.param_string.clone();
@@ -445,7 +443,7 @@ impl Drain {
     fn tree_search(
         &mut self,
         root_node: &Node,
-        tokens: &[String],
+        tokens: &[&str],
         sim_th: f64,
         include_params: bool,
     ) -> Option<LogCluster> {
@@ -488,8 +486,8 @@ impl Drain {
                 break;
             }
 
-            let token = &tokens[i];
-            let param_str = &self.config.param_string;
+            let token = tokens[i];
+            let param_str = self.config.param_string.as_str();
 
             if cur_node.key_to_child_node.contains_key(token) {
                 cur_node = &cur_node.key_to_child_node[token];
@@ -510,13 +508,13 @@ impl Drain {
     fn fast_match(
         &mut self,
         cluster_ids: &[usize],
-        tokens: &[String],
+        tokens: &[&str],
         sim_th: f64,
         include_params: bool,
     ) -> Option<LogCluster> {
         let mut max_sim = -1.0;
         let mut max_param_count = -1;
-        let mut max_cluster: Option<LogCluster> = None;
+        let mut best_id: Option<usize> = None;
 
         // Extract the param_string before the loop to avoid borrowing conflicts
         let param_string = self.config.param_string.clone();
@@ -535,18 +533,20 @@ impl Drain {
                 if cur_sim > max_sim || (cur_sim == max_sim && param_count > max_param_count) {
                     max_sim = cur_sim;
                     max_param_count = param_count;
-
-                    max_cluster = Some(LogCluster {
-                        log_template_tokens: cluster.log_template_tokens.clone(),
-                        id: cluster.id,
-                        size: cluster.size,
-                    });
+                    best_id = Some(cluster_id);
                 }
             }
         }
 
         if max_sim >= sim_th {
-            max_cluster
+            // Only clone the winning cluster, not every candidate
+            best_id.and_then(|id| {
+                self.id_to_cluster.peek(id).map(|c| LogCluster {
+                    log_template_tokens: c.log_template_tokens.clone(),
+                    id: c.id,
+                    size: c.size,
+                })
+            })
         } else {
             None
         }
@@ -555,7 +555,7 @@ impl Drain {
     fn get_seq_distance(
         &self,
         seq1: &[String],
-        seq2: &[String],
+        seq2: &[&str],
         include_params: bool,
     ) -> (f64, i32) {
         get_seq_distance_static(seq1, seq2, include_params, &self.config.param_string)
@@ -661,7 +661,7 @@ impl Drain {
         s.chars().any(|c| c.is_numeric())
     }
 
-    fn create_template(&self, seq1: &[String], seq2: &[String]) -> Vec<String> {
+    fn create_template(&self, seq1: &[&str], seq2: &[String]) -> Vec<String> {
         if seq1.len() != seq2.len() {
             panic!("seq1 and seq2 must be of same length");
         }
@@ -680,7 +680,7 @@ impl Drain {
 
 fn get_seq_distance_static(
     seq1: &[String],
-    seq2: &[String],
+    seq2: &[&str],
     include_params: bool,
     param_string: &str,
 ) -> (f64, i32) {
@@ -692,8 +692,8 @@ fn get_seq_distance_static(
     let mut param_count = 0;
 
     for i in 0..seq1.len() {
-        let token1 = &seq1[i];
-        let token2 = &seq2[i];
+        let token1 = seq1[i].as_str();
+        let token2 = seq2[i];
 
         if token1 == param_string {
             param_count += 1;
@@ -714,7 +714,7 @@ fn get_seq_distance_static(
 fn add_seq_to_prefix_tree_impl(
     root_node: &mut Node,
     cluster_id: usize,
-    tokens: &[String],
+    tokens: &[&str],
     max_node_depth: usize,
     param_string: &str,
     max_children: usize,
@@ -744,7 +744,7 @@ fn add_seq_to_prefix_tree_impl(
     let mut current_depth = 1;
 
     for i in 0..tokens.len() {
-        let token = &tokens[i];
+        let token = tokens[i];
 
         // if at max depth or this is last token in template - add current log cluster to the leaf node
         if current_depth >= max_node_depth || current_depth >= token_count {
@@ -770,7 +770,7 @@ fn add_seq_to_prefix_tree_impl(
                     if cur_node.key_to_child_node.len() < max_children {
                         cur_node
                             .key_to_child_node
-                            .insert(token.clone(), Node::new());
+                            .insert(token.to_string(), Node::new());
                         cur_node = cur_node.key_to_child_node.get_mut(token).unwrap();
                     } else {
                         cur_node = cur_node.key_to_child_node.get_mut(param_string).unwrap();
@@ -778,7 +778,7 @@ fn add_seq_to_prefix_tree_impl(
                 } else if cur_node.key_to_child_node.len() + 1 < max_children {
                     cur_node
                         .key_to_child_node
-                        .insert(token.clone(), Node::new());
+                        .insert(token.to_string(), Node::new());
                     cur_node = cur_node.key_to_child_node.get_mut(token).unwrap();
                 } else if cur_node.key_to_child_node.len() + 1 == max_children {
                     cur_node
@@ -939,4 +939,118 @@ mod tests {
         let ip_var = parsed.variables.iter().find(|v| v.var_type == VarType::IPv4);
         assert!(ip_var.is_some());
     }
+
+    #[test]
+    fn test_lru_eviction_with_small_capacity() {
+        let config = Config {
+            max_clusters: 2,
+            ..Config::default()
+        };
+        let mut drain = Drain::new(config);
+
+        // Train 3 patterns with different token counts to force distinct clusters
+        drain.train("alpha beta gamma");
+        drain.train("one two three four");
+        drain.train("x y z w v");
+
+        assert!(
+            drain.clusters().len() <= 2,
+            "Expected at most 2 clusters after LRU eviction, got {}",
+            drain.clusters().len()
+        );
+    }
+
+    #[test]
+    fn test_train_empty_string() {
+        let config = Config::default();
+        let mut drain = Drain::new(config);
+
+        // Empty strings produce zero tokens, so tree search cannot match them.
+        // Each empty train creates a new cluster (no panic, deterministic ids).
+        let c1 = drain.train("");
+        let c2 = drain.train("");
+
+        assert!(c1.id > 0, "First empty-string cluster should have a positive id");
+        assert!(c2.id > 0, "Second empty-string cluster should have a positive id");
+        assert_eq!(c1.size, 1);
+        assert_eq!(c2.size, 1);
+    }
+
+    #[test]
+    fn test_train_single_token() {
+        let config = Config::default();
+        let mut drain = Drain::new(config);
+
+        let c1 = drain.train("hello");
+        let c2 = drain.train("hello");
+
+        assert_eq!(c1.id, c2.id, "Same single token should map to same cluster");
+        assert_eq!(c2.size, 2);
+
+        let c3 = drain.train("world");
+        assert_ne!(c1.id, c3.id, "Different single token should create a different cluster");
+    }
+
+    #[test]
+    fn test_match_log_returns_none_for_unseen() {
+        let config = Config::default();
+        let mut drain = Drain::new(config);
+
+        drain.train("Request from server completed");
+        let found = drain.match_log("Request from server completed");
+        assert!(found.is_some(), "match_log should find the trained pattern");
+
+        let not_found = drain.match_log("Something completely different here now");
+        assert!(not_found.is_none(), "match_log should return None for an unseen pattern");
+    }
+
+    #[test]
+    fn test_classify_variable_empty_string() {
+        assert_eq!(classify_variable(""), VarType::String);
+    }
+
+    #[test]
+    fn test_classify_variable_zero() {
+        assert_eq!(classify_variable("0"), VarType::Integer);
+    }
+
+    #[test]
+    fn test_classify_negative_float_starting_with_neg_zero() {
+        assert_eq!(classify_variable("-0.5"), VarType::Float);
+    }
+
+    mod proptests {
+        use super::*;
+        use proptest::prelude::*;
+
+        proptest! {
+            #[test]
+            fn train_never_panics(
+                lines in proptest::collection::vec("[a-zA-Z0-9 ._=-]{1,100}", 1..=50)
+            ) {
+                let config = Config {
+                    max_clusters: 5,
+                    ..Config::default()
+                };
+                let mut drain = Drain::new(config);
+                for line in &lines {
+                    drain.train(line);
+                }
+                assert!(drain.clusters().len() <= 5);
+            }
+
+            #[test]
+            fn extract_template_and_vars_never_panics(
+                lines in proptest::collection::vec("[a-zA-Z0-9 ._=-]{1,100}", 2..=30)
+            ) {
+                let config = Config::default();
+                let mut drain = Drain::new(config);
+                for line in &lines {
+                    let parsed = drain.extract_template_and_vars(line);
+                    assert!(parsed.pattern_id > 0);
+                    assert!(parsed.count >= 1);
+                }
+            }
+        }
+    }
 }
\ No newline at end of file
diff --git a/src/format/human.rs b/src/format/human.rs
index 0abd955..4e201ed 100644
--- a/src/format/human.rs
+++ b/src/format/human.rs
@@ -26,8 +26,13 @@ pub fn format(store: &PatternStore, opts: &FormatOptions, scores: &HashMap<Patte
 
     // Header
     if !opts.no_banner {
+        let label_part = match &opts.source_label {
+            Some(label) => format!(" ({})", label),
+            None => String::new(),
+        };
         let header = format!(
-            " ctrlb-decompose: {} lines -> {} patterns ({:.1}% reduction) ",
+            " ctrlb-decompose{}: {} lines -> {} patterns ({:.1}% reduction) ",
+            label_part,
             format_count(total_lines),
             pattern_count,
             reduction
diff --git a/src/format/json.rs b/src/format/json.rs
index eefdbd3..a423950 100644
--- a/src/format/json.rs
+++ b/src/format/json.rs
@@ -22,6 +22,8 @@ struct JsonSummary {
     patterns_omitted: usize,
     #[serde(skip_serializing_if = "Option::is_none")]
     time_range: Option<JsonTimeRange>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    source_label: Option<String>,
 }
 
 #[derive(Serialize)]
@@ -162,6 +164,7 @@ pub fn format(store: &PatternStore, opts: &FormatOptions, scores: &HashMap<Patte
             patterns_shown: top_n,
             patterns_omitted: pattern_count - top_n,
             time_range,
+            source_label: opts.source_label.clone(),
         },
         patterns: json_patterns,
     };
diff --git a/src/format/llm.rs b/src/format/llm.rs
index 47bf429..a2db211 100644
--- a/src/format/llm.rs
+++ b/src/format/llm.rs
@@ -25,9 +25,13 @@ pub fn format(
         ),
         _ => String::new(),
     };
+    let label_part = match &opts.source_label {
+        Some(label) => format!(" ({})", label),
+        None => String::new(),
+    };
     out.push_str(&format!(
-        "## Log Analysis: {} lines -> {} patterns{}\n\n",
-        total_lines, pattern_count, time_range
+        "## Log Analysis{}: {} lines -> {} patterns{}\n\n",
+        label_part, total_lines, pattern_count, time_range
     ));
 
     // Partition patterns into critical vs high-volume.
@@ -219,25 +223,22 @@ fn build_labeled_template_for(pattern: &PatternStats) -> String {
 fn build_labeled_template(template: &str, labels: &[String]) -> String {
     let mut result = String::new();
     let mut label_idx = 0;
+    let wildcard = "<*>";
+    let mut remaining = template;
 
-    for token in template.split_whitespace() {
-        if !result.is_empty() {
-            result.push(' ');
-        }
-        if token == "<*>" {
-            if label_idx < labels.len() {
-                result.push('{');
-                result.push_str(&labels[label_idx]);
-                result.push('}');
-                label_idx += 1;
-            } else {
-                result.push_str("<*>");
-            }
+    while let Some(pos) = remaining.find(wildcard) {
+        result.push_str(&remaining[..pos]);
+        if label_idx < labels.len() {
+            result.push('{');
+            result.push_str(&labels[label_idx]);
+            result.push('}');
+            label_idx += 1;
         } else {
-            result.push_str(token);
+            result.push_str(wildcard);
         }
+        remaining = &remaining[pos + wildcard.len()..];
     }
-
+    result.push_str(remaining);
     result
 }
 
diff --git a/src/label.rs b/src/label.rs
index 4843173..9645fc1 100644
--- a/src/label.rs
+++ b/src/label.rs
@@ -2,65 +2,82 @@ use crate::types::VarType;
 
 /// Infer a semantic label for a variable slot based on the template context and type.
 pub fn infer_label(template: &str, slot_index: usize, var_type: VarType) -> String {
-    let tokens: Vec<&str> = template.split_whitespace().collect();
-
-    // Find the nth wildcard position
-    let mut wildcard_count = 0;
-    let mut token_idx = None;
-    for (i, token) in tokens.iter().enumerate() {
-        if *token == "<*>" {
-            if wildcard_count == slot_index {
-                token_idx = Some(i);
-                break;
-            }
-            wildcard_count += 1;
+    let wildcard = "<*>";
+    let mut current_slot = 0;
+    let mut search_start = 0;
+
+    while let Some(pos) = template[search_start..].find(wildcard) {
+        let abs_pos = search_start + pos;
+        if current_slot == slot_index {
+            let before = &template[..abs_pos];
+            let after = &template[abs_pos + wildcard.len()..];
+            return label_from_context(before, after, var_type, slot_index);
         }
+        current_slot += 1;
+        search_start = abs_pos + wildcard.len();
     }
 
-    if let Some(idx) = token_idx {
-        // Check preceding token for contextual hints
-        if idx > 0 {
-            let prev = tokens[idx - 1].to_lowercase();
+    // Fallback if slot_index exceeds <*> count
+    type_default(var_type, slot_index)
+}
 
-            // key=<*> pattern
-            if let Some(key) = prev.strip_suffix('=') {
-                return sanitize_label(key);
+fn label_from_context(before: &str, after: &str, var_type: VarType, slot_index: usize) -> String {
+    // Check for key=<*> pattern: text immediately before ends with "="
+    let before_trimmed = before.trim_end();
+    if before_trimmed.ends_with('=') {
+        let key_region = &before_trimmed[..before_trimmed.len() - 1];
+        if let Some(key) = key_region
+            .split(|c: char| c.is_whitespace() || c == '/' || c == '[' || c == '(')
+            .last()
+        {
+            let clean = key.trim_start_matches(|c: char| !c.is_alphanumeric() && c != '_');
+            if !clean.is_empty() {
+                return sanitize_label(clean);
             }
+        }
+    }
 
-            // Duration keywords
-            if matches!(prev.as_str(), "in" | "after" | "took" | "elapsed" | "waited") {
-                if var_type == VarType::Duration {
-                    return "duration".to_string();
-                }
-                return "duration_ms".to_string();
-            }
+    // Get the word immediately before the <*>
+    let prev_word = before.split_whitespace().last().unwrap_or("");
+    let prev_clean = prev_word.trim_end_matches(|c: char| !c.is_alphanumeric() && c != '_');
 
-            // Common keywords
-            let keywords = [
-                "status", "code", "port", "host", "user", "path", "method", "size", "bytes",
-                "count", "level", "thread", "pid", "latency", "timeout", "error", "retry",
-                "attempt",
-            ];
-            for kw in keywords {
-                if prev.contains(kw) {
-                    return kw.to_string();
-                }
-            }
+    // Duration keywords
+    if matches!(
+        prev_clean.to_lowercase().as_str(),
+        "in" | "after" | "took" | "elapsed" | "waited"
+    ) {
+        if var_type == VarType::Duration {
+            return "duration".to_string();
         }
+        return "duration_ms".to_string();
+    }
 
-        // Check following token for time unit suffixes
-        if idx + 1 < tokens.len() {
-            let next = tokens[idx + 1].to_lowercase();
-            if matches!(
-                next.as_str(),
-                "ms" | "seconds" | "s" | "minutes" | "hours"
-            ) {
-                return "duration".to_string();
-            }
+    // Common keywords
+    let keywords = [
+        "status", "code", "port", "host", "user", "path", "method", "size", "bytes",
+        "count", "level", "thread", "pid", "latency", "timeout", "error", "retry",
+        "attempt",
+    ];
+    let prev_lower = prev_clean.to_lowercase();
+    for kw in keywords {
+        if prev_lower.contains(kw) {
+            return kw.to_string();
         }
     }
 
-    // Type-based defaults
+    // Check following text for time unit suffixes
+    let next_word = after.split_whitespace().next().unwrap_or("");
+    if matches!(
+        next_word.to_lowercase().as_str(),
+        "ms" | "seconds" | "s" | "minutes" | "hours"
+    ) {
+        return "duration".to_string();
+    }
+
+    type_default(var_type, slot_index)
+}
+
+fn type_default(var_type: VarType, slot_index: usize) -> String {
     match var_type {
         VarType::IPv4 | VarType::IPv6 => "ip".to_string(),
         VarType::UUID => "uuid".to_string(),
@@ -124,4 +141,41 @@ mod tests {
             "uuid"
         );
     }
+
+    #[test]
+    fn test_embedded_wildcard_key_value() {
+        // "pool_size=<*>/<*> queue_depth=<*>" — 3 slots
+        assert_eq!(
+            infer_label("Pool saturated pool_size=<*>/<*> queue_depth=<*>", 0, VarType::Integer),
+            "pool_size"
+        );
+        assert_eq!(
+            infer_label("Pool saturated pool_size=<*>/<*> queue_depth=<*>", 2, VarType::Integer),
+            "queue_depth"
+        );
+    }
+
+    #[test]
+    fn test_embedded_wildcard_brackets() {
+        // slot 0=[<*>], slot 1=<*> after "job", slot 2=<*> after "in", slot 3=records=<*>
+        assert_eq!(
+            infer_label("<TS> INFO [<*>] Batch job <*> completed in <*> records=<*>", 2, VarType::Duration),
+            "duration"
+        );
+        assert_eq!(
+            infer_label("<TS> INFO [<*>] Batch job <*> completed in <*> records=<*>", 3, VarType::Integer),
+            "records"
+        );
+    }
+
+    #[test]
+    fn test_embedded_wildcard_not_mislabeled() {
+        let label = infer_label(
+            "<TS> INFO [<*>] Batch job <*> completed in <*> records=<*>",
+            1,
+            VarType::String,
+        );
+        assert_ne!(label, "duration_ms", "Batch job name should not be labeled duration_ms");
+        assert_ne!(label, "duration", "Batch job name should not be labeled duration");
+    }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 3282a2b..e269262 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -77,6 +77,15 @@ pub struct Args {
     /// Suppress progress output on stderr
     #[arg(short, long)]
     pub quiet: bool,
+
+    /// Label for the log source (shown in output header)
+    #[arg(long)]
+    pub source_label: Option<String>,
+
+    /// Similarity threshold for pattern clustering (0.0-1.0, default: 0.5).
+    /// Lower merges more aggressively, higher produces more patterns.
+    #[arg(long, default_value_t = 0.5)]
+    pub sim_threshold: f64,
 }
 
 #[cfg(feature = "cli")]
@@ -96,8 +105,10 @@ impl Args {
             top: self.top,
             context: if self.llm && self.context == 0 { 2 } else { self.context },
             no_color: self.no_color,
-            no_banner: self.no_banner,
+            no_banner: self.no_banner || self.llm,
             output_mode: self.output_mode(),
+            source_label: self.source_label.clone(),
+            sim_threshold: self.sim_threshold,
         }
     }
 }
@@ -111,37 +122,46 @@ pub fn run(args: Args) -> Result<()> {
 
     let opts = args.to_format_options();
 
-    let mut pipeline = ClpDrainPipeline::new(Config::default());
+    let mut config = Config::default();
+    config.sim_th = opts.sim_threshold;
+    let mut pipeline = ClpDrainPipeline::new(config);
     let mut store = PatternStore::new(opts.context);
     let mut line_number: u64 = 0;
 
-    let mut raw_buf = Vec::new();
+    let mut line_buf = String::new();
+    let mut stripped_buf = String::new();
     loop {
-        raw_buf.clear();
-        let bytes_read = reader.read_until(b'\n', &mut raw_buf)?;
+        line_buf.clear();
+        let bytes_read = reader.read_line(&mut line_buf)?;
         if bytes_read == 0 {
             break;
         }
-        let line = String::from_utf8_lossy(&raw_buf).trim_end_matches('\n').trim_end_matches('\r').to_string();
+        let line = line_buf.trim_end_matches('\n').trim_end_matches('\r');
         if line.is_empty() {
             continue;
         }
         line_number += 1;
 
-        let ts_match = extract_timestamp(&line);
-        let stripped = match &ts_match {
-            Some(ts) => strip_timestamp(&line, ts),
-            None => line.clone(),
+        let ts_match = extract_timestamp(line);
+        let stripped: &str = match &ts_match {
+            Some(ts) => {
+                stripped_buf.clear();
+                stripped_buf.push_str(&line[..ts.start]);
+                stripped_buf.push_str("<TS>");
+                stripped_buf.push_str(&line[ts.end..]);
+                &stripped_buf
+            }
+            None => line,
         };
 
-        let parsed = pipeline.process_line(&stripped);
+        let parsed = pipeline.process_line(stripped);
 
         store.accumulate(
             parsed.pattern_id,
             &parsed.display_template,
             &parsed.variables,
             ts_match.map(|ts| ts.datetime),
-            &line,
+            line,
             line_number,
         );
     }
@@ -162,7 +182,7 @@ pub fn run(args: Args) -> Result<()> {
     let output = format_output(&store, &opts, &scores);
     print!("{}", output);
 
-    if !args.quiet {
+    if !args.quiet && !opts.no_banner {
         eprintln!(
             "\nPowered by CtrlB \u{00b7} Search 5TB of logs in 614ms \u{2192} ctrlb.ai"
         );
@@ -181,7 +201,9 @@ pub struct AnalysisOutput {
 /// Process log text and return analysis results.
 /// This is the WASM-friendly entry point — no filesystem, no stdin.
 pub fn process_log_text(input: &str, opts: &FormatOptions) -> AnalysisOutput {
-    let mut pipeline = ClpDrainPipeline::new(Config::default());
+    let mut config = Config::default();
+    config.sim_th = opts.sim_threshold;
+    let mut pipeline = ClpDrainPipeline::new(config);
     let mut store = PatternStore::new(opts.context);
     let mut line_number: u64 = 0;
 
diff --git a/src/stats.rs b/src/stats.rs
index 8886aaf..e523694 100644
--- a/src/stats.rs
+++ b/src/stats.rs
@@ -45,6 +45,10 @@ impl<T> BoundedVec<T> {
     pub fn items(&self) -> &[T] {
         &self.items
     }
+
+    pub fn total_seen(&self) -> u64 {
+        self.total_seen
+    }
 }
 
 // --- NumericStats ---
@@ -69,6 +73,9 @@ impl NumericStats {
     }
 
     pub fn update(&mut self, value: f64) {
+        if !value.is_finite() {
+            return;
+        }
         self.count += 1;
         self.sum += value;
         if value < self.min {
@@ -99,6 +106,7 @@ pub struct CategoricalStats {
     pub total_count: u64,
     exact_counts: HashMap<String, u64>,
     hll: Option<HyperLogLogPlus<String, RandomState>>,
+    hll_dirty: bool,
     cached_unique: u64,
     capped: bool,
 }
@@ -109,6 +117,7 @@ impl CategoricalStats {
             total_count: 0,
             exact_counts: HashMap::new(),
             hll: None,
+            hll_dirty: false,
             cached_unique: 0,
             capped: false,
         }
@@ -124,10 +133,15 @@ impl CategoricalStats {
             }
             if let Some(ref mut hll) = self.hll {
                 hll.insert(&value.to_string());
-                self.cached_unique = hll.count().round() as u64;
+                self.hll_dirty = true;
             }
         } else {
-            *self.exact_counts.entry(value.to_string()).or_insert(0) += 1;
+            // Only allocate a String when the key is new
+            if let Some(count) = self.exact_counts.get_mut(value) {
+                *count += 1;
+            } else {
+                self.exact_counts.insert(value.to_string(), 1);
+            }
             self.cached_unique = self.exact_counts.len() as u64;
             if self.exact_counts.len() > CARDINALITY_CAP {
                 self.capped = true;
@@ -146,6 +160,16 @@ impl CategoricalStats {
         self.cached_unique
     }
 
+    /// Recompute HLL cardinality if dirty. Called once during finalize().
+    pub fn flush_hll(&mut self) {
+        if self.hll_dirty {
+            if let Some(ref mut hll) = self.hll {
+                self.cached_unique = hll.count().round() as u64;
+            }
+            self.hll_dirty = false;
+        }
+    }
+
     /// Returns top-k entries as (value, count, percentage)
     pub fn top_k(&self, k: usize) -> Vec<(String, u64, f64)> {
         let mut entries: Vec<_> = self
@@ -375,19 +399,20 @@ impl PatternStore {
         stats.example_lines.push(raw_line.to_string());
     }
 
-    /// Run post-accumulation fixups (enum reclassification, etc.)
+    /// Run post-accumulation fixups (enum reclassification, HLL flush, etc.)
     pub fn finalize(&mut self) {
         for stats in self.patterns.values_mut() {
             for var in &mut stats.variables {
+                var.categorical.flush_hll();
                 var.check_enum_reclassify();
             }
         }
     }
 
-    /// Patterns sorted by count descending
+    /// Patterns sorted by count descending, with pattern_id as a stable tie-breaker
     pub fn sorted_patterns(&self) -> Vec<&PatternStats> {
         let mut patterns: Vec<_> = self.patterns.values().collect();
-        patterns.sort_by(|a, b| b.count.cmp(&a.count));
+        patterns.sort_by(|a, b| b.count.cmp(&a.count).then_with(|| a.pattern_id.cmp(&b.pattern_id)));
         patterns
     }
 
@@ -425,3 +450,235 @@ impl PatternStore {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::extraction::drain3::TypedVariable;
+    use crate::types::VarType;
+
+    // ---- BoundedVec tests ----
+
+    #[test]
+    fn test_bounded_vec_basic() {
+        let mut bv = BoundedVec::new(3);
+        bv.push(10);
+        bv.push(20);
+        bv.push(30);
+        assert_eq!(bv.items(), &[10, 20, 30]);
+        assert_eq!(bv.total_seen(), 3);
+    }
+
+    #[test]
+    fn test_bounded_vec_zero_capacity() {
+        let mut bv = BoundedVec::new(0);
+        bv.push(1);
+        bv.push(2);
+        bv.push(3);
+        assert!(bv.items().is_empty());
+        assert_eq!(bv.total_seen(), 3);
+    }
+
+    #[test]
+    fn test_bounded_vec_reservoir_sampling() {
+        let mut bv = BoundedVec::new(10);
+        for i in 0..1000 {
+            bv.push(i);
+        }
+        assert_eq!(bv.items().len(), 10);
+        assert_eq!(bv.total_seen(), 1000);
+    }
+
+    // ---- NumericStats tests ----
+
+    #[test]
+    fn test_numeric_stats_basic() {
+        let mut ns = NumericStats::new();
+        ns.update(10.0);
+        ns.update(20.0);
+        ns.update(30.0);
+        assert_eq!(ns.count, 3);
+        assert_eq!(ns.min, 10.0);
+        assert_eq!(ns.max, 30.0);
+        assert!((ns.mean() - 20.0).abs() < f64::EPSILON);
+    }
+
+    #[test]
+    fn test_numeric_stats_empty() {
+        let ns = NumericStats::new();
+        assert_eq!(ns.count, 0);
+        assert!((ns.mean() - 0.0).abs() < f64::EPSILON);
+        assert!(ns.quantile(0.5).is_none());
+    }
+
+    #[test]
+    fn test_numeric_stats_nan_inf() {
+        // Non-finite values (NaN, Inf, -Inf) are silently skipped
+        let mut ns = NumericStats::new();
+        ns.update(1.0);
+        ns.update(f64::NAN);
+        ns.update(f64::INFINITY);
+        ns.update(f64::NEG_INFINITY);
+        assert_eq!(ns.count, 1, "Only finite values should be counted");
+        assert_eq!(ns.min, 1.0);
+        assert_eq!(ns.max, 1.0);
+    }
+
+    #[test]
+    fn test_numeric_stats_single_value() {
+        let mut ns = NumericStats::new();
+        ns.update(42.0);
+        assert_eq!(ns.count, 1);
+        assert_eq!(ns.min, 42.0);
+        assert_eq!(ns.max, 42.0);
+        assert!((ns.mean() - 42.0).abs() < f64::EPSILON);
+        assert!((ns.sum - 42.0).abs() < f64::EPSILON);
+    }
+
+    // ---- CategoricalStats tests ----
+
+    #[test]
+    fn test_categorical_stats_basic() {
+        let mut cs = CategoricalStats::new();
+        cs.update("a");
+        cs.update("a");
+        cs.update("b");
+        assert_eq!(cs.total_count, 3);
+        assert_eq!(cs.unique_count(), 2);
+        let top = cs.top_k(10);
+        assert_eq!(top.len(), 2);
+        // "a" should be first (count 2), "b" second (count 1)
+        assert_eq!(top[0].0, "a");
+        assert_eq!(top[0].1, 2);
+        assert_eq!(top[1].0, "b");
+        assert_eq!(top[1].1, 1);
+    }
+
+    #[test]
+    fn test_categorical_stats_empty() {
+        let cs = CategoricalStats::new();
+        assert_eq!(cs.total_count, 0);
+        assert_eq!(cs.unique_count(), 0);
+        assert!(cs.top_k(10).is_empty());
+    }
+
+    #[test]
+    fn test_categorical_stats_hll_transition() {
+        let mut cs = CategoricalStats::new();
+        let n = 12_000;
+        for i in 0..n {
+            cs.update(&format!("value_{}", i));
+        }
+        // After exceeding CARDINALITY_CAP (10_000), HLL should be active
+        // Must flush before reading unique_count (lazy computation)
+        cs.flush_hll();
+        let unique = cs.unique_count();
+        let expected = n as f64;
+        let error = (unique as f64 - expected).abs() / expected;
+        assert!(
+            error < 0.10,
+            "HLL estimate {} too far from expected {} (error: {:.2}%)",
+            unique,
+            n,
+            error * 100.0
+        );
+    }
+
+    // ---- parse_numeric_value tests ----
+
+    #[test]
+    fn test_parse_numeric_value_plain() {
+        assert!((parse_numeric_value("42").unwrap() - 42.0).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("-3.14").unwrap() - (-3.14)).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("0").unwrap() - 0.0).abs() < f64::EPSILON);
+    }
+
+    #[test]
+    fn test_parse_numeric_value_durations() {
+        assert!((parse_numeric_value("100ms").unwrap() - 100.0).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("1s").unwrap() - 1000.0).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("5m").unwrap() - 300_000.0).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("2h").unwrap() - 7_200_000.0).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("500us").unwrap() - 0.5).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("500µs").unwrap() - 0.5).abs() < f64::EPSILON);
+        assert!((parse_numeric_value("1000ns").unwrap() - 0.001).abs() < f64::EPSILON);
+    }
+
+    #[test]
+    fn test_parse_numeric_value_invalid() {
+        assert!(parse_numeric_value("hello").is_none());
+        assert!(parse_numeric_value("").is_none());
+        assert!(parse_numeric_value("abc123").is_none());
+        assert!(parse_numeric_value("ms").is_none());
+    }
+
+    #[test]
+    fn test_parse_numeric_value_special_floats() {
+        // Documenting current behavior: Rust's f64::parse accepts these
+        assert!(parse_numeric_value("inf").is_some());
+        assert!(parse_numeric_value("-inf").is_some());
+        assert!(parse_numeric_value("NaN").is_some());
+    }
+
+    // ---- VarSlotStats tests ----
+
+    #[test]
+    fn test_var_slot_stats_enum_reclassify() {
+        let mut slot = VarSlotStats::new(0);
+
+        // Feed 60 occurrences of 3 String-typed values (30+20+10)
+        for _ in 0..30 {
+            slot.update(&TypedVariable {
+                raw: "alpha".to_string(),
+                var_type: VarType::String,
+            });
+        }
+        for _ in 0..20 {
+            slot.update(&TypedVariable {
+                raw: "beta".to_string(),
+                var_type: VarType::String,
+            });
+        }
+        for _ in 0..10 {
+            slot.update(&TypedVariable {
+                raw: "gamma".to_string(),
+                var_type: VarType::String,
+            });
+        }
+
+        // Before reclassify, type should be String (majority vote)
+        assert_eq!(slot.var_type, VarType::String);
+
+        // After reclassify, should become Enum (60 occurrences, 3 unique, top 3 cover 100%)
+        slot.check_enum_reclassify();
+        assert_eq!(slot.var_type, VarType::Enum);
+    }
+
+    // ---- PatternStore tests ----
+
+    #[test]
+    fn test_pattern_store_accumulate() {
+        let mut store = PatternStore::new(5);
+
+        let vars1 = vec![TypedVariable {
+            raw: "200".to_string(),
+            var_type: VarType::Integer,
+        }];
+        let vars2 = vec![TypedVariable {
+            raw: "404".to_string(),
+            var_type: VarType::Integer,
+        }];
+
+        store.accumulate(1, "GET <*> HTTP/1.1", &vars1, None, "GET /foo HTTP/1.1", 1);
+        store.accumulate(1, "GET <*> HTTP/1.1", &vars2, None, "GET /bar HTTP/1.1", 2);
+
+        assert_eq!(store.global_line_count, 2);
+        assert_eq!(store.patterns.len(), 1);
+
+        let pattern = store.patterns.get(&1).unwrap();
+        assert_eq!(pattern.count, 2);
+        assert_eq!(pattern.first_seen_line, 1);
+        assert_eq!(pattern.last_seen_line, 2);
+        assert_eq!(pattern.variables.len(), 1);
+    }
+}
diff --git a/src/types.rs b/src/types.rs
index 73672f9..c6107b7 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -52,4 +52,6 @@ pub struct FormatOptions {
     pub no_color: bool,
     pub no_banner: bool,
     pub output_mode: OutputMode,
+    pub source_label: Option<String>,
+    pub sim_threshold: f64,
 }
diff --git a/src/wasm.rs b/src/wasm.rs
index 5f971c2..e53b635 100644
--- a/src/wasm.rs
+++ b/src/wasm.rs
@@ -29,6 +29,8 @@ pub fn analyze_logs(input: &str, format: &str, top_n: u32, context_lines: u32) -
         no_color: true,
         no_banner: false,
         output_mode,
+        source_label: None,
+        sim_threshold: 0.5,
     };
 
     let result = crate::process_log_text(input, &opts);
diff --git a/tests/integration.rs b/tests/integration.rs
index fdb4b96..c99b5d6 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -26,7 +26,9 @@ fn test_llm_output_sample_log() {
     let (stdout, _, success) = run_cli(&["--llm", "tests/fixtures/sample.log"]);
     assert!(success);
     assert!(stdout.contains("## Log Analysis:"));
-    assert!(stdout.contains("### Patterns"));
+    assert!(
+        stdout.contains("### Patterns") || stdout.contains("### Critical Patterns"),
+    );
 }
 
 #[test]
@@ -64,6 +66,17 @@ fn test_context_includes_examples() {
     assert!(!examples.is_empty());
 }
 
+#[test]
+fn test_llm_mode_suppresses_banner_by_default() {
+    let (_, stderr, success) = run_cli(&["--llm", "tests/fixtures/sample.log"]);
+    assert!(success);
+    assert!(
+        !stderr.contains("Powered by CtrlB"),
+        "LLM mode should suppress banner by default, got stderr: {}",
+        stderr
+    );
+}
+
 #[test]
 fn test_quiet_suppresses_stderr() {
     let (_, stderr, success) = run_cli(&["-q", "tests/fixtures/sample.log"]);
@@ -74,6 +87,45 @@ fn test_quiet_suppresses_stderr() {
     );
 }
 
+#[test]
+fn test_source_label_human() {
+    let (stdout, _, success) = run_cli(&[
+        "--source-label", "pod-a",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success);
+    assert!(
+        stdout.contains("pod-a"),
+        "Human output should include source label, got: {}",
+        stdout
+    );
+}
+
+#[test]
+fn test_source_label_llm() {
+    let (stdout, _, success) = run_cli(&[
+        "--llm", "--source-label", "pod-a",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success);
+    assert!(
+        stdout.contains("(pod-a)"),
+        "LLM output should include source label in header, got: {}",
+        stdout
+    );
+}
+
+#[test]
+fn test_source_label_json() {
+    let (stdout, _, success) = run_cli(&[
+        "--json", "--source-label", "pod-a",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success);
+    let parsed: serde_json::Value = serde_json::from_str(&stdout).expect("invalid JSON");
+    assert_eq!(parsed["summary"]["source_label"], "pod-a");
+}
+
 #[test]
 fn test_stdin_input() {
     let output = Command::new("cargo")
@@ -97,3 +149,206 @@ fn test_stdin_input() {
     assert!(output.status.success());
     assert!(stdout.contains("Pattern #"));
 }
+
+/// Normalize a parsed JSON output for deterministic snapshots:
+/// - Sort patterns by id
+/// - Sort top_values within each variable by count desc, then value asc
+fn normalize_json_output(value: &mut serde_json::Value) {
+    if let Some(patterns) = value.get_mut("patterns").and_then(|p| p.as_array_mut()) {
+        patterns.sort_by_key(|p| p["id"].as_u64().unwrap_or(0));
+        for pattern in patterns.iter_mut() {
+            if let Some(vars) = pattern.get_mut("variables").and_then(|v| v.as_array_mut()) {
+                for var in vars.iter_mut() {
+                    if let Some(tv) = var.get_mut("top_values").and_then(|t| t.as_array_mut()) {
+                        tv.sort_by(|a, b| {
+                            let ca = a["count"].as_u64().unwrap_or(0);
+                            let cb = b["count"].as_u64().unwrap_or(0);
+                            cb.cmp(&ca).then_with(|| {
+                                a["value"]
+                                    .as_str()
+                                    .unwrap_or("")
+                                    .cmp(b["value"].as_str().unwrap_or(""))
+                            })
+                        });
+                    }
+                }
+            }
+        }
+    }
+}
+
+#[test]
+fn test_json_output_snapshot() {
+    let (stdout, _, success) = run_cli(&[
+        "--json", "--quiet", "--no-banner", "--top", "3", "--context", "1",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success, "CLI should succeed");
+    let mut parsed: serde_json::Value =
+        serde_json::from_str(&stdout).expect("invalid JSON output");
+    normalize_json_output(&mut parsed);
+    insta::assert_json_snapshot!("json_output", parsed, {
+        ".patterns[].example_lines" => insta::dynamic_redaction(|value, _path| {
+            let count = match &value {
+                insta::internals::Content::Seq(items) => items.len(),
+                _ => 0,
+            };
+            format!("[{} examples]", count)
+        }),
+        ".patterns[].variables[].top_values" => insta::dynamic_redaction(|value, _path| {
+            let count = match &value {
+                insta::internals::Content::Seq(items) => items.len(),
+                _ => 0,
+            };
+            format!("[{} values]", count)
+        }),
+    });
+}
+
+#[test]
+fn test_llm_output_snapshot() {
+    let (stdout, _, success) = run_cli(&[
+        "--llm", "--quiet", "--no-banner", "--top", "3",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success, "CLI should succeed");
+    // Redact non-deterministic parts: variable value lines (pipe-separated groups
+    // with percentages) and example lines (reservoir-sampled).
+    let redacted: String = stdout
+        .lines()
+        .map(|line| {
+            let trimmed = line.trim_start();
+            if trimmed.contains('|') && trimmed.contains("%)") {
+                let indent = &line[..line.len() - trimmed.len()];
+                let group_count = trimmed.split(" | ").count();
+                format!("{}[{} variable groups redacted]", indent, group_count)
+            } else if trimmed.starts_with("e.g. ") {
+                let indent = &line[..line.len() - trimmed.len()];
+                format!("{}[example redacted]", indent)
+            } else {
+                line.to_string()
+            }
+        })
+        .collect::<Vec<_>>()
+        .join("\n");
+    insta::assert_snapshot!("llm_output", redacted);
+}
+
+#[test]
+fn test_human_output_snapshot() {
+    let (stdout, _, success) = run_cli(&[
+        "--no-banner", "--no-color", "--quiet", "--top", "3",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success, "CLI should succeed");
+    // Redact non-deterministic parts and sort pattern blocks for stability.
+    // 1. Redact variable value lists (top-k with ties is non-deterministic)
+    // 2. Sort pattern blocks by template (patterns with equal counts swap order)
+    // 3. Renumber patterns after sorting
+    let redacted_lines: Vec<String> = stdout
+        .lines()
+        .map(|line| {
+            let trimmed = line.trim_start();
+            if let Some(colon_pos) = trimmed.find(':') {
+                let label = &trimmed[..colon_pos];
+                let is_var_line = matches!(
+                    label,
+                    "HexID" | "IPv4" | "Duration" | "Integer" | "Float"
+                        | "String" | "Enum" | "UUID"
+                );
+                if is_var_line {
+                    let indent = &line[..line.len() - trimmed.len()];
+                    let rest = trimmed[colon_pos + 1..].trim();
+                    if rest.starts_with("mean=") {
+                        return line.to_string();
+                    }
+                    let value_count = rest.split(", ").count();
+                    return format!(
+                        "{}{}:    [{} values redacted]",
+                        indent, label, value_count
+                    );
+                }
+            }
+            line.to_string()
+        })
+        .collect();
+
+    // Split into pattern blocks and sort by template for deterministic ordering
+    let text = redacted_lines.join("\n");
+    let mut blocks: Vec<String> = Vec::new();
+    let mut current_block = String::new();
+    for line in text.lines() {
+        if line.starts_with("Pattern #") && !current_block.is_empty() {
+            blocks.push(current_block.trim_end().to_string());
+            current_block = String::new();
+        }
+        current_block.push_str(line);
+        current_block.push('\n');
+    }
+    if !current_block.trim().is_empty() {
+        blocks.push(current_block.trim_end().to_string());
+    }
+    // Sort blocks by their template line (second line of each block)
+    blocks.sort_by(|a, b| {
+        let tmpl_a = a.lines().nth(1).unwrap_or("");
+        let tmpl_b = b.lines().nth(1).unwrap_or("");
+        tmpl_a.cmp(tmpl_b)
+    });
+    // Renumber pattern blocks after sorting
+    let mut renumbered = String::new();
+    for (i, block) in blocks.iter().enumerate() {
+        let mut first = true;
+        for line in block.lines() {
+            if first && line.starts_with("Pattern #") {
+                // Replace "Pattern #N" with renumbered version
+                if line.split_once(']').or_else(|| line.split_once(')')).is_some() {
+                    let after_hash = &line["Pattern #".len()..];
+                    let num_end = after_hash.find(|c: char| !c.is_ascii_digit()).unwrap_or(after_hash.len());
+                    renumbered.push_str(&format!(
+                        "Pattern #{}{}",
+                        i + 1,
+                        &after_hash[num_end..]
+                    ));
+                } else {
+                    renumbered.push_str(line);
+                }
+                first = false;
+            } else {
+                renumbered.push_str(line);
+            }
+            renumbered.push('\n');
+        }
+        renumbered.push('\n');
+    }
+    let redacted = renumbered.trim_end().to_string() + "\n";
+    insta::assert_snapshot!("human_output", redacted);
+}
+
+#[test]
+fn test_sim_threshold_flag() {
+    // Very low threshold should merge aggressively (fewer patterns)
+    let (stdout_low, _, success_low) = run_cli(&[
+        "--json", "--sim-threshold", "0.2",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success_low);
+    let parsed_low: serde_json::Value = serde_json::from_str(&stdout_low).expect("invalid JSON");
+    let count_low = parsed_low["summary"]["pattern_count"].as_u64().unwrap();
+
+    // High threshold should produce more patterns
+    let (stdout_high, _, success_high) = run_cli(&[
+        "--json", "--sim-threshold", "0.8",
+        "tests/fixtures/sample.log",
+    ]);
+    assert!(success_high);
+    let parsed_high: serde_json::Value =
+        serde_json::from_str(&stdout_high).expect("invalid JSON");
+    let count_high = parsed_high["summary"]["pattern_count"].as_u64().unwrap();
+
+    assert!(
+        count_high >= count_low,
+        "Higher threshold should produce >= patterns: high={} low={}",
+        count_high,
+        count_low
+    );
+}
diff --git a/tests/snapshots/integration__human_output.snap b/tests/snapshots/integration__human_output.snap
new file mode 100644
index 0000000..b6e7a09
--- /dev/null
+++ b/tests/snapshots/integration__human_output.snap
@@ -0,0 +1,25 @@
+---
+source: tests/integration.rs
+expression: redacted
+---
+Pattern #1 [ERROR] (3 occurrences, 15.0%)
+  "<TS> ERROR [<*>] Timeout connecting to <*>:<*> after <*>"
+  Variables:
+    HexID:    [3 values redacted]
+    IPv4:    [3 values redacted]
+    Integer:  mean=5432, p50=5379, p99=5379, min=5432, max=5432
+    Duration: mean=5000, p50=4965, p99=4965, min=4998, max=5002
+
+Pattern #2 (14 occurrences, 70.0%)
+  "<TS> INFO [<*>] Request from <*> completed in <*> status=<*>"
+  Variables:
+    HexID:    [5 values redacted]
+    IPv4:    [5 values redacted]
+    Duration: mean=188, p50=41, p99=314, min=28, max=1847
+    Integer:  mean=243, p50=198, p99=498, min=200, max=503
+
+Pattern #3 [WARN] (3 occurrences, 15.0%)
+  "<TS> WARN [<*>] Connection pool exhausted, waiting <*>"
+  Variables:
+    HexID:    [3 values redacted]
+    Duration: mean=603, p50=228, p99=228, min=180, max=1400
diff --git a/tests/snapshots/integration__json_output.snap b/tests/snapshots/integration__json_output.snap
new file mode 100644
index 0000000..2e47f36
--- /dev/null
+++ b/tests/snapshots/integration__json_output.snap
@@ -0,0 +1,157 @@
+---
+source: tests/integration.rs
+expression: parsed
+---
+{
+  "patterns": [
+    {
+      "count": 14,
+      "example_lines": "[1 examples]",
+      "frequency_pct": 70.0,
+      "id": 1,
+      "score": 14.0,
+      "severity": "info",
+      "template": "<TS> INFO [<*>] Request from <*> completed in <*> status=<*>",
+      "variables": [
+        {
+          "label": "id",
+          "slot": 0,
+          "top_values": "[10 values]",
+          "type": "HexID",
+          "unique_count": 14
+        },
+        {
+          "label": "ip",
+          "slot": 1,
+          "top_values": "[6 values]",
+          "type": "IPv4",
+          "unique_count": 6
+        },
+        {
+          "label": "duration",
+          "numeric": {
+            "max": 1847.0,
+            "mean": 188.5,
+            "min": 28.0,
+            "p50": 40.85681640262312,
+            "p99": 314.23517661052205
+          },
+          "slot": 2,
+          "top_values": "[10 values]",
+          "type": "Duration",
+          "unique_count": 14
+        },
+        {
+          "label": "status",
+          "numeric": {
+            "max": 503.0,
+            "mean": 243.1,
+            "min": 200.0,
+            "p50": 198.36848598125036,
+            "p99": 497.77940145582954
+          },
+          "slot": 3,
+          "top_values": "[3 values]",
+          "type": "Integer",
+          "unique_count": 3
+        }
+      ]
+    },
+    {
+      "count": 3,
+      "example_lines": "[1 examples]",
+      "frequency_pct": 15.0,
+      "id": 2,
+      "score": 15.0,
+      "severity": "warn",
+      "template": "<TS> WARN [<*>] Connection pool exhausted, waiting <*>",
+      "variables": [
+        {
+          "label": "id",
+          "slot": 0,
+          "top_values": "[3 values]",
+          "type": "HexID",
+          "unique_count": 3
+        },
+        {
+          "label": "duration",
+          "numeric": {
+            "max": 1400.0,
+            "mean": 603.3,
+            "min": 180.0,
+            "p50": 228.1791368405912,
+            "p99": 228.1791368405912
+          },
+          "slot": 1,
+          "top_values": "[3 values]",
+          "type": "Duration",
+          "unique_count": 3
+        }
+      ]
+    },
+    {
+      "count": 3,
+      "example_lines": "[1 examples]",
+      "frequency_pct": 15.0,
+      "id": 3,
+      "score": 57.0,
+      "severity": "error",
+      "template": "<TS> ERROR [<*>] Timeout connecting to <*>:<*> after <*>",
+      "variables": [
+        {
+          "label": "id",
+          "slot": 0,
+          "top_values": "[3 values]",
+          "type": "HexID",
+          "unique_count": 3
+        },
+        {
+          "label": "ip",
+          "slot": 1,
+          "top_values": "[3 values]",
+          "type": "IPv4",
+          "unique_count": 3
+        },
+        {
+          "label": "n3",
+          "numeric": {
+            "max": 5432.0,
+            "mean": 5432.0,
+            "min": 5432.0,
+            "p50": 5378.884813934975,
+            "p99": 5378.884813934975
+          },
+          "slot": 2,
+          "top_values": "[1 values]",
+          "type": "Integer",
+          "unique_count": 1
+        },
+        {
+          "label": "duration",
+          "numeric": {
+            "max": 5002.0,
+            "mean": 5000.0,
+            "min": 4998.0,
+            "p50": 4965.323255400035,
+            "p99": 4965.323255400035
+          },
+          "slot": 3,
+          "top_values": "[3 values]",
+          "type": "Duration",
+          "unique_count": 3
+        }
+      ]
+    }
+  ],
+  "summary": {
+    "pattern_count": 3,
+    "patterns_omitted": 0,
+    "patterns_shown": 3,
+    "time_range": {
+      "end": "2024-01-15T14:22:04.500+00:00",
+      "start": "2024-01-15T14:22:01.100+00:00"
+    },
+    "total_lines": 20
+  },
+  "version": "0.1.0"
+}
diff --git a/tests/snapshots/integration__llm_output.snap b/tests/snapshots/integration__llm_output.snap
new file mode 100644
index 0000000..b71f504
--- /dev/null
+++ b/tests/snapshots/integration__llm_output.snap
@@ -0,0 +1,19 @@
+---
+source: tests/integration.rs
+expression: redacted
+---
+## Log Analysis: 20 lines -> 3 patterns, time span: 14:22:01-14:22:04 UTC
+
+### Critical Patterns (errors, warnings): 2
+1. [ERROR, 15.0%, 3 lines] <TS> ERROR [{id}] Timeout connecting to {ip}:{n3} after {duration}
+   [4 variable groups redacted]
+   [example redacted]
+   [example redacted]
+2. [WARN, 15.0%, 3 lines] <TS> WARN [{id}] Connection pool exhausted, waiting {duration}
+   [2 variable groups redacted]
+   [example redacted]
+   [example redacted]
+
+### High-Volume Patterns (top 1 by count):
+1. [70.0%] "<TS> INFO [{id}] Request from {ip} completed in {duration} status={status}"    (14 lines)
+   [example redacted]