@debugbundle/cli 0.1.2 → 0.1.3

package/dist/main.cjs

@@ -14483,6 +14483,8 @@ var CaptureBreadcrumbsValues = ["local_only", "exception_only", "standalone"];
 var CaptureBreadcrumbsSchema = external_exports.enum(CaptureBreadcrumbsValues);
 var CaptureProbeEventsValues = ["buffer_only", "standalone_when_activated"];
 var CaptureProbeEventsSchema = external_exports.enum(CaptureProbeEventsValues);
+var RequestSignalClassificationValues = ["incident_signal", "context_signal"];
+var RequestSignalClassificationSchema = external_exports.enum(RequestSignalClassificationValues);
 var CapturePolicySchema = external_exports.object({
   project_id: external_exports.string().uuid(),
   preset: CapturePresetSchema,
@@ -14499,6 +14501,55 @@ var CapturePolicyUpdateSchema = external_exports.object({
   capture_breadcrumbs: CaptureBreadcrumbsSchema.nullable().optional(),
   capture_probe_events: CaptureProbeEventsSchema.nullable().optional()
 });
+var BALANCED_IMMEDIATE_REQUEST_STATUSES = /* @__PURE__ */ new Set([408, 423, 424, 425, 429]);
+var INVESTIGATIVE_IMMEDIATE_REQUEST_STATUSES = /* @__PURE__ */ new Set([...BALANCED_IMMEDIATE_REQUEST_STATUSES, 409]);
+var BALANCED_STANDARD_ANOMALY_STATUSES = /* @__PURE__ */ new Set([401, 403, 404, 409, 422]);
+var BALANCED_HIGH_VOLUME_ANOMALY_STATUSES = /* @__PURE__ */ new Set([400, 410]);
+var INVESTIGATIVE_ANOMALY_STATUSES = /* @__PURE__ */ new Set([...BALANCED_STANDARD_ANOMALY_STATUSES, ...BALANCED_HIGH_VOLUME_ANOMALY_STATUSES]);
+function classifyRequestStatus(input) {
+  const { responseStatus, capturePreset } = input;
+  if (responseStatus === null || !Number.isFinite(responseStatus)) {
+    return "context_signal";
+  }
+  if (responseStatus >= 500) {
+    return "incident_signal";
+  }
+  if (capturePreset === "investigative") {
+    return INVESTIGATIVE_IMMEDIATE_REQUEST_STATUSES.has(responseStatus) ? "incident_signal" : "context_signal";
+  }
+  if (capturePreset === "balanced") {
+    return BALANCED_IMMEDIATE_REQUEST_STATUSES.has(responseStatus) ? "incident_signal" : "context_signal";
+  }
+  return "context_signal";
+}
+function getRequestAnomalyThreshold(input) {
+  const { responseStatus, capturePreset } = input;
+  if (responseStatus === null || !Number.isFinite(responseStatus) || responseStatus < 400 || responseStatus >= 500) {
+    return null;
+  }
+  if (capturePreset === "minimal") {
+    return null;
+  }
+  if (capturePreset === "investigative") {
+    return INVESTIGATIVE_ANOMALY_STATUSES.has(responseStatus) ? {
+      minimum_occurrences_5m: 8,
+      minimum_ratio_5m_to_1h: 2
+    } : null;
+  }
+  if (BALANCED_STANDARD_ANOMALY_STATUSES.has(responseStatus)) {
+    return {
+      minimum_occurrences_5m: 20,
+      minimum_ratio_5m_to_1h: 3
+    };
+  }
+  if (BALANCED_HIGH_VOLUME_ANOMALY_STATUSES.has(responseStatus)) {
+    return {
+      minimum_occurrences_5m: 50,
+      minimum_ratio_5m_to_1h: 5
+    };
+  }
+  return null;
+}
 
 // ../../packages/shared-types/src/index.ts
 function createUuidV4() {
@@ -15124,7 +15175,7 @@ function buildCliReference() {
     "- `debugbundle ingest <file> --format <format> [--json]`",
     "- `debugbundle watch --log <file> --format <format> [--json]`",
     "- `debugbundle watch --cloud --log <file> --format <format> [--json]`",
-    "- `debugbundle process [--json]`",
+    "- `debugbundle process [--preset <minimal|balanced|investigative>] [--json]`",
     "",
     "## Investigation",
     "",
@@ -15670,7 +15721,7 @@ var import_node_path4 = require("node:path");
 
 // ../../packages/retrieval-client/src/index.ts
 var IncidentReasonSchema = external_exports.object({
-  kind: external_exports.enum(["backend_exception", "frontend_exception", "request_failure_5xx", "error_log"]),
+  kind: external_exports.enum(["backend_exception", "frontend_exception", "request_failure", "error_log"]),
   description: external_exports.string(),
   event_type: external_exports.enum(["backend_exception", "frontend_exception", "request_event", "log_event"]),
   event_class: external_exports.literal("incident_signal"),
@@ -16091,7 +16142,8 @@ function buildRedactionRecord(bundleBody) {
 function buildVisibilityRecord(input) {
   const routeTarget = input.primarySignal.route_template ?? input.primarySignal.request_path;
   const matchedFields = input.incident.matched_fields.length === 0 ? "none" : input.incident.matched_fields.join(", ");
-  const grouping = input.primarySignal.kind === "request_failure_5xx" && input.primarySignal.request_method !== null && routeTarget !== null ? `Repeated 5xx request failures with the same normalized route template, request method, response status, service, and environment reuse this incident fingerprint. This incident currently groups ${input.primarySignal.request_method} ${routeTarget} with matched fields ${matchedFields}.` : `This incident groups repeated failures by fingerprint version ${input.incident.fingerprint_version} inside the service and environment boundary, with matched fields ${matchedFields}.`;
+  const isRequestAnomaly = input.incident.matched_fields.includes("request_anomaly");
+  const grouping = input.primarySignal.kind === "request_failure" && input.primarySignal.request_method !== null && routeTarget !== null ? isRequestAnomaly ? `Repeated request-anomaly incidents with the same normalized route template, request method, response status, service, and environment reuse this incident fingerprint once the anomaly threshold fires. This incident currently groups ${input.primarySignal.request_method} ${routeTarget} with matched fields ${matchedFields}.` : `Repeated request-failure incidents with the same normalized route template, request method, response status, service, and environment reuse this incident fingerprint. This incident currently groups ${input.primarySignal.request_method} ${routeTarget} with matched fields ${matchedFields}.` : `This incident groups repeated failures by fingerprint version ${input.incident.fingerprint_version} inside the service and environment boundary, with matched fields ${matchedFields}.`;
   const spikeLead = input.incident.spike_detected_at === void 0 || input.incident.spike_detected_at === null ? "This incident is not currently marked as spiking." : `This incident was marked as spiking at ${input.incident.spike_detected_at}.`;
   return {
     grouping,
@@ -16102,15 +16154,16 @@ function buildVisibilityRecord(input) {
 }
 function buildSuggestedNextChecks(input) {
   const suggestions = [];
+  const isRequestAnomaly = input.incident.matched_fields.includes("request_anomaly");
   if (input.bundle.status === "pending") {
     suggestions.push("Wait for bundle generation to finish, then rerun the incident context command.");
   } else if (input.bundle.status === "failed") {
     suggestions.push("Inspect bundle generation status or retry bundle retrieval to recover missing context.");
   }
   const routeTarget = input.primarySignal.route_template ?? input.primarySignal.request_path;
-  if (input.primarySignal.request_method !== null && input.primarySignal.response_status !== null && input.primarySignal.response_status >= 500) {
+  if (input.primarySignal.kind === "request_failure" && input.primarySignal.request_method !== null && routeTarget !== null) {
     suggestions.push(
-      `Inspect the ${input.primarySignal.request_method} ${routeTarget ?? "request"} handler behind this 5xx path.`
+      isRequestAnomaly ? `Inspect the ${input.primarySignal.request_method} ${routeTarget} handler behind this repeated request-anomaly path.` : `Inspect the ${input.primarySignal.request_method} ${routeTarget} handler behind this request-failure path.`
     );
   }
   const firstApplicationFrame = input.primarySignal.first_application_frame;
@@ -16199,12 +16252,13 @@ function deriveIncidentReasonFromSignal(input) {
       };
     case "request_event": {
       const responseStatus = typeof input.response_status === "number" && Number.isFinite(input.response_status) ? input.response_status : null;
+      const isRequestAnomaly = input.request_anomaly === true;
       return {
-        kind: "request_failure_5xx",
-        description: responseStatus !== null && responseStatus >= 500 ? `request_event response_status=${responseStatus} matched the 5xx request incident rule` : "request_event matched the 5xx request incident rule",
+        kind: "request_failure",
+        description: isRequestAnomaly ? responseStatus !== null ? `request_event response_status=${responseStatus} crossed the repeated request anomaly threshold` : "request_event crossed the repeated request anomaly threshold" : responseStatus !== null ? `request_event response_status=${responseStatus} matched the immediate request failure incident rule` : "request_event matched the immediate request failure incident rule",
         event_type: "request_event",
         event_class: "incident_signal",
-        matched_policy: "5xx request failures bypass capture_request_events suppression"
+        matched_policy: isRequestAnomaly ? "Repeated contextual request failures crossed the request anomaly threshold" : "Immediate request failure statuses bypass capture_request_events suppression"
       };
     }
     case "log_event": {
@@ -16511,7 +16565,7 @@ function getRequestResponseStatus(payload) {
   const status = payload?.["response_status"];
   return typeof status === "number" && Number.isFinite(status) ? status : null;
 }
-function classifyEvent(eventType, logLevel, probeActivationId, payload) {
+function classifyEvent(eventType, logLevel, probeActivationId, payload, capturePreset = "minimal") {
   switch (eventType) {
     case "backend_exception":
     case "frontend_exception":
@@ -16523,10 +16577,7 @@ function classifyEvent(eventType, logLevel, probeActivationId, payload) {
       return "context_signal";
     case "request_event": {
       const responseStatus = getRequestResponseStatus(payload);
-      if (responseStatus !== null && responseStatus >= 500) {
-        return "incident_signal";
-      }
-      return "context_signal";
+      return classifyRequestStatus({ responseStatus, capturePreset });
     }
     case "frontend_breadcrumb":
     case "deploy_metadata":
@@ -16596,6 +16647,13 @@ var STORAGE_SCHEMA_MIGRATIONS = [
         ON github_device_authorizations (expires_at)
       `
     ]
+  }),
+  defineStorageSchemaMigration({
+    id: "202605130001_allow_synthetic_webhook_test_deliveries_without_incident_fk",
+    description: "Allow webhook test deliveries to persist without requiring a backing incidents row.",
+    statements: [
+      "ALTER TABLE webhook_deliveries ALTER COLUMN incident_id DROP NOT NULL"
+    ]
   })
 ];
 
@@ -16671,7 +16729,11 @@ function parseLocalIncident(candidate) {
   }
   const serviceRuntime = candidate["service_runtime"];
   const serviceFramework = candidate["service_framework"];
-  const incidentReason = deriveIncidentReasonFromSourceEventTypes(candidate["source_event_types"]);
+  const incidentReason = candidate["matched_fields"].includes("request_anomaly") ? deriveIncidentReasonFromSignal({
+    event_type: "request_event",
+    event_class: "incident_signal",
+    request_anomaly: true
+  }) : deriveIncidentReasonFromSourceEventTypes(candidate["source_event_types"]);
   if (serviceRuntime !== null && typeof serviceRuntime !== "string") {
     throw createReadError(400, "invalid_local_state");
   }
@@ -19966,7 +20028,7 @@ function buildPrivacyPreview() {
     sample_event_type: sampleEvent.event_type,
     sample_event_class: sampleEventClass,
     sample_can_create_incident: sampleEventClass === "incident_signal",
-    incident_rule: "request_event with response_status >= 500 is classified as an incident_signal",
+    incident_rule: "request_event incident classification follows the resolved capture preset: 5xx always create incidents, balanced also promotes 408/423/424/425/429, and investigative also promotes 409.",
     redacted_fields,
     omitted_fields: [],
     retained_metadata: {
@@ -21668,11 +21730,17 @@ var EVENT_TYPE_SET = new Set(EventTypeValues);
 function isEventType(value) {
   return typeof value === "string" && EVENT_TYPE_SET.has(value);
 }
-function inferSeverity2(eventType) {
-  if (eventType === "backend_exception" || eventType === "frontend_exception") {
+function inferSeverity2(event, capturePreset, incidentKind = "immediate") {
+  if (incidentKind === "request_anomaly") {
+    return "medium";
+  }
+  if (event.event_type === "request_event") {
+    return classifyRequestStatus({ responseStatus: event.payload.response_status, capturePreset }) === "incident_signal" ? "high" : "low";
+  }
+  if (event.event_type === "backend_exception" || event.event_type === "frontend_exception") {
     return "high";
   }
-  if (eventType === "error_suppressed") {
+  if (event.event_type === "error_suppressed") {
     return "medium";
   }
   return "low";
@@ -21696,15 +21764,17 @@ function compareEventEnvelopes(left, right) {
   }
   return left.event_id.localeCompare(right.event_id);
 }
-function classifyEnvelope(envelope) {
+function classifyEnvelope(envelope, capturePreset) {
   return classifyEvent(
     envelope.event_type,
     envelope.event_type === "log_event" ? envelope.payload.level : void 0,
-    envelope.event_type === "probe_event" ? envelope.payload.activation_id : void 0
+    envelope.event_type === "probe_event" ? envelope.payload.activation_id : void 0,
+    envelope.payload,
+    capturePreset
   );
 }
-function isIncidentSignalEnvelope(envelope) {
-  return classifyEnvelope(envelope) === "incident_signal";
+function isIncidentSignalEnvelope(envelope, capturePreset) {
+  return classifyEnvelope(envelope, capturePreset) === "incident_signal";
 }
 function getTraceId(envelope) {
   return envelope.correlation?.trace_id ?? null;
@@ -21749,7 +21819,10 @@ function mergeAggregateGroup(aggregates) {
     newEvents: [...canonicalAggregate.newEvents],
     mergedIncidentIds: new Set(canonicalAggregate.mergedIncidentIds),
     signalEventTypes: new Set(canonicalAggregate.signalEventTypes),
-    traceIds: new Set(canonicalAggregate.traceIds)
+    traceIds: new Set(canonicalAggregate.traceIds),
+    title: canonicalAggregate.title,
+    kind: canonicalAggregate.kind,
+    severity: canonicalAggregate.severity
   });
 }
 function hashIdentifier(parts, prefix, length) {
@@ -21775,6 +21848,111 @@ function mergeSourceEvents(existingEvents, nextEvents) {
   }
   return [...merged.values()].sort(compareEventEnvelopes);
 }
+function stableJson2(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return `[${value.map((entry) => stableJson2(entry)).join(",")}]`;
+  }
+  const record = value;
+  const keys = Object.keys(record).sort();
+  return `{${keys.map((key) => `${JSON.stringify(key)}:${stableJson2(record[key])}`).join(",")}}`;
+}
+function buildRequestAnomalyFingerprint(input) {
+  return (0, import_node_crypto4.createHash)("sha256").update(
+    stableJson2({
+      kind: "request_status_anomaly",
+      project_id: input.projectId,
+      service_name: input.serviceName,
+      environment: input.environment,
+      method: input.method,
+      route_template: input.routeTemplate,
+      response_status: input.responseStatus
+    })
+  ).digest("hex");
+}
+function buildRequestAnomalyTitle(input) {
+  return `Request anomaly: ${input.method} ${input.routeTemplate} returned ${input.responseStatus} repeatedly`;
+}
+function toUnixSeconds(occurredAt) {
+  return Math.floor(new Date(occurredAt).getTime() / 1e3);
+}
+function countOccurrencesInWindow(events, windowSeconds) {
+  const latestEvent = events.at(-1);
+  if (latestEvent === void 0) {
+    return 0;
+  }
+  const latestOccurredAt = toUnixSeconds(latestEvent.occurred_at);
+  const lowerBound = latestOccurredAt - windowSeconds + 1;
+  return events.filter((event) => {
+    const occurredAt = toUnixSeconds(event.occurred_at);
+    return occurredAt >= lowerBound && occurredAt <= latestOccurredAt;
+  }).length;
+}
+function passesRequestAnomalyThreshold(events, threshold) {
+  const occurrences5m = countOccurrencesInWindow(events, 5 * 60);
+  const occurrences1h = countOccurrencesInWindow(events, 60 * 60);
+  const baseline1hPer5m = occurrences1h / 12;
+  const ratio = occurrences5m / Math.max(baseline1hPer5m, 1);
+  return occurrences5m >= threshold.minimum_occurrences_5m && ratio >= threshold.minimum_ratio_5m_to_1h;
+}
+function collectRequestAnomalyAggregates(batches, capturePreset) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const batch of batches) {
+    for (const event of batch.events) {
+      if (event.event_type !== "request_event" || classifyEnvelope(event, capturePreset) !== "context_signal") {
+        continue;
+      }
+      const normalizedEvent = normalizeEvent(event);
+      const responseStatus = normalizedEvent.http_status;
+      const method = normalizedEvent.http_method;
+      const routeTemplate = normalizedEvent.route_template;
+      const threshold = getRequestAnomalyThreshold({ responseStatus, capturePreset });
+      if (threshold === null || responseStatus === null || method === null || routeTemplate === null) {
+        continue;
+      }
+      const projectId = requireProjectId(event);
+      const incidentFingerprint = buildRequestAnomalyFingerprint({
+        projectId,
+        serviceName: event.service.name,
+        environment: event.service.environment,
+        method,
+        routeTemplate,
+        responseStatus
+      });
+      const incidentId = deriveIncidentId(projectId, event.service.name, event.service.environment, incidentFingerprint);
+      const aggregate = grouped.get(incidentId) ?? {
+        incidentId,
+        projectId,
+        serviceName: event.service.name,
+        environment: event.service.environment,
+        fingerprint: incidentFingerprint,
+        matchedFields: /* @__PURE__ */ new Set(["request_anomaly", "route_template", "http_method", "http_status", "environment"]),
+        newEvents: [],
+        mergedIncidentIds: /* @__PURE__ */ new Set([incidentId]),
+        signalEventTypes: /* @__PURE__ */ new Set(["request_event"]),
+        traceIds: /* @__PURE__ */ new Set(),
+        title: buildRequestAnomalyTitle({ method, routeTemplate, responseStatus }),
+        kind: "request_anomaly",
+        severity: "medium"
+      };
+      aggregate.newEvents.push(event);
+      grouped.set(incidentId, aggregate);
+    }
+  }
+  return [...grouped.values()].filter((aggregate) => {
+    const latestEvent = aggregate.newEvents.at(-1);
+    if (latestEvent === void 0 || latestEvent.event_type !== "request_event") {
+      return false;
+    }
+    const threshold = getRequestAnomalyThreshold({
+      responseStatus: normalizeEvent(latestEvent).http_status,
+      capturePreset
+    });
+    return threshold !== null && passesRequestAnomalyThreshold(aggregate.newEvents, threshold);
+  }).sort((left, right) => left.incidentId.localeCompare(right.incidentId));
+}
 function buildBundleContext(incident) {
   return {
     incident_id: incident.incident_id,
@@ -21804,12 +21982,12 @@ function formatServiceSummary(services) {
 }
 function formatProcessOutput(summary) {
   if (!summary.processed) {
-    return summary.message ?? "No new events to process.";
+    return summary.message;
   }
   return [
     `Processed ${summary.events_processed} events from ${summary.files_processed} files into ${summary.incidents_processed} incidents.`,
     ...formatServiceSummary(summary.services),
-    `Last processed event file: ${summary.last_processed_event_file ?? "none"}`
+    `Last processed event file: ${summary.last_processed_event_file}`
   ].join("\n");
 }
 async function pathExists4(path, stat) {
@@ -22049,6 +22227,7 @@ async function processCommand(input, dependencies = {}) {
   const statePath = (0, import_node_path11.join)(rootDirectory, LOCAL_STATE_FILE_PATH);
   const bundleDirectoryPath = (0, import_node_path11.join)(rootDirectory, LOCAL_BUNDLE_DIRECTORY_PATH3);
   const reproductionDirectoryPath = (0, import_node_path11.join)(rootDirectory, LOCAL_REPRODUCTION_DIRECTORY_PATH2);
+  const capturePreset = input.preset ?? "minimal";
   await mkdir((0, import_node_path11.join)(rootDirectory, ".debugbundle", "local"), { recursive: true });
   await mkdir(bundleDirectoryPath, { recursive: true });
   await mkdir(reproductionDirectoryPath, { recursive: true });
@@ -22056,22 +22235,26 @@ async function processCommand(input, dependencies = {}) {
   const eventFileNames = await pathExists4(eventsDirectoryPath, stat) ? (await readdir(eventsDirectoryPath)).filter((fileName) => fileName.endsWith(".events.json")).sort() : [];
   const lastProcessedEventFile = previousState?.last_processed_event_file ?? null;
   const newEventFileNames = lastProcessedEventFile === null ? eventFileNames : eventFileNames.filter((fileName) => fileName > lastProcessedEventFile);
-  if (newEventFileNames.length === 0) {
+  const processAllEventFiles = input.preset !== void 0;
+  const targetEventFileNames = processAllEventFiles ? eventFileNames : newEventFileNames;
+  if (targetEventFileNames.length === 0) {
     const summary2 = buildNoNewEventsSummary(previousState?.last_processed_event_file ?? eventFileNames.at(-1) ?? null);
     return {
       exitCode: 0,
       output: input.json === true ? JSON.stringify(summary2) : formatProcessOutput(summary2)
     };
   }
-  const batches = await readEventBatches(eventsDirectoryPath, newEventFileNames, readFile);
-  const incidents = new Map(Object.entries(previousState?.incidents ?? {}));
+  const batches = await readEventBatches(eventsDirectoryPath, targetEventFileNames, readFile);
+  const incidents = new Map(
+    processAllEventFiles ? [] : Object.entries(previousState?.incidents ?? {})
+  );
   const aggregates = /* @__PURE__ */ new Map();
   const traceCorrelationGroups = /* @__PURE__ */ new Map();
   let eventsProcessed = 0;
   for (const batch of batches) {
     for (const event of batch.events) {
       eventsProcessed += 1;
-      if (!isIncidentSignalEnvelope(event)) {
+      if (!isIncidentSignalEnvelope(event, capturePreset)) {
         continue;
       }
       const normalizedEvent = normalizeEvent(event);
@@ -22088,7 +22271,10 @@ async function processCommand(input, dependencies = {}) {
         newEvents: [],
         mergedIncidentIds: /* @__PURE__ */ new Set([incidentId]),
         signalEventTypes: /* @__PURE__ */ new Set(),
-        traceIds: /* @__PURE__ */ new Set()
+        traceIds: /* @__PURE__ */ new Set(),
+        title: normalizedEvent.normalized_message,
+        kind: "immediate",
+        severity: inferSeverity2(event, capturePreset)
       };
       for (const matchedField of inferMatchedFields(normalizedEvent)) {
         aggregate.matchedFields.add(matchedField);
@@ -22155,14 +22341,16 @@ async function processCommand(input, dependencies = {}) {
     mergedAggregatesByRoot.set(rootIncidentId, aggregateGroup);
   }
   const mergedAggregates = [...mergedAggregatesByRoot.values()].map((aggregateGroup) => mergeAggregateGroup(aggregateGroup)).sort((left, right) => left.incidentId.localeCompare(right.incidentId));
+  const requestAnomalyAggregates = input.preset === void 0 ? [] : collectRequestAnomalyAggregates(batches, capturePreset);
+  const finalizedAggregates = [...mergedAggregates, ...requestAnomalyAggregates].sort((left, right) => left.incidentId.localeCompare(right.incidentId));
   const services = /* @__PURE__ */ new Map();
-  for (const aggregate of mergedAggregates) {
+  for (const aggregate of finalizedAggregates) {
     const incidentId = aggregate.incidentId;
     const existingIncidents = [...aggregate.mergedIncidentIds].map((mergedIncidentId) => incidents.get(mergedIncidentId)).filter((incident2) => incident2 !== void 0);
     const existing = existingIncidents.find((incident2) => incident2.incident_id === incidentId) ?? existingIncidents[0];
     const existingSourceEvents = existingIncidents.flatMap((incident2) => incident2.source_events);
     const combinedSourceEvents = mergeSourceEvents(existingSourceEvents, aggregate.newEvents);
-    const signalEvents = combinedSourceEvents.filter(isIncidentSignalEnvelope);
+    const signalEvents = aggregate.kind === "request_anomaly" ? combinedSourceEvents : combinedSourceEvents.filter((event) => isIncidentSignalEnvelope(event, capturePreset));
     if (signalEvents.length === 0) {
       continue;
     }
@@ -22172,8 +22360,7 @@ async function processCommand(input, dependencies = {}) {
       continue;
     }
     const sourceEventTypes = [...new Set(signalEvents.map((event) => event.event_type))].sort();
-    const severity = signalEvents.map((event) => inferSeverity2(event.event_type)).sort((left, right) => severityRank(right) - severityRank(left))[0] ?? "low";
-    const latestNormalizedEvent = normalizeEvent(latestSignalEvent);
+    const severity = signalEvents.map((event) => inferSeverity2(event, capturePreset, aggregate.kind)).sort((left, right) => severityRank(right) - severityRank(left))[0] ?? aggregate.severity;
     const generationNumber = signalEvents.length;
     const bundlePath = `${LOCAL_BUNDLE_DIRECTORY_PATH3}/${incidentId}.bundle.json`;
     const reproductionPath = `${LOCAL_REPRODUCTION_DIRECTORY_PATH2}/${incidentId}.reproduction.json`;
@@ -22188,7 +22375,7 @@ async function processCommand(input, dependencies = {}) {
       environment: aggregate.environment,
       fingerprint: aggregate.fingerprint,
       fingerprint_version: FINGERPRINT_VERSION,
-      title: latestNormalizedEvent.normalized_message,
+      title: aggregate.title,
       severity,
       status: existingIncidents.some((incidentState) => incidentState.status === "resolved") ? "open" : existing?.status ?? "open",
       first_seen_at: firstSignalEvent.occurred_at,
@@ -22249,21 +22436,22 @@ async function processCommand(input, dependencies = {}) {
     incidents.set(incidentId, incident);
     services.set(incident.service_name, (services.get(incident.service_name) ?? 0) + 1);
   }
+  const finalProcessedEventFile = targetEventFileNames[targetEventFileNames.length - 1];
   const nextState = {
     version: 1,
-    last_processed_event_file: newEventFileNames.at(-1) ?? previousState?.last_processed_event_file ?? null,
+    last_processed_event_file: finalProcessedEventFile,
     incidents: Object.fromEntries([...incidents.entries()].sort(([left], [right]) => left.localeCompare(right)))
   };
   await writeFile(statePath, serializeState(nextState));
   const summary = buildProcessedSummary({
     filesProcessed: newEventFileNames.length,
     eventsProcessed,
-    incidentsProcessed: mergedAggregates.length,
+    incidentsProcessed: finalizedAggregates.length,
     services: [...services.entries()].sort(([left], [right]) => left.localeCompare(right)).map(([service, count]) => ({
       service,
       incidents: count
     })),
-    lastProcessedEventFile: nextState.last_processed_event_file
+    lastProcessedEventFile: finalProcessedEventFile
   });
   return {
     exitCode: 0,
@@ -24248,14 +24436,14 @@ function localFailureStepName(checks) {
 function cloudVerificationRunId(now) {
   return now.toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
 }
-function requestFailure5xxReason() {
+function requestFailureReason() {
   const incidentReason = deriveIncidentReasonFromSignal({
     event_type: "request_event",
     event_class: "incident_signal",
     response_status: 503
   });
   if (incidentReason === null) {
-    throw new Error("request_failure_5xx_reason_unavailable");
+    throw new Error("request_failure_reason_unavailable");
   }
   return incidentReason;
 }
@@ -24530,7 +24718,7 @@ async function verifyCloudCommand(input, dependencies = {}) {
     const verification = {
       mode: "active_5xx",
       bundle_status: "unknown",
-      classification_reason: requestFailure5xxReason()
+      classification_reason: requestFailureReason()
     };
     const errors = [];
     let exitCode = 0;
@@ -24582,7 +24770,7 @@ async function verifyCloudCommand(input, dependencies = {}) {
         if (candidate !== void 0) {
           incidentId = candidate.incident_id;
           verification.incident_id = candidate.incident_id;
-          verification.classification_reason = candidate.incident_reason ?? requestFailure5xxReason();
+          verification.classification_reason = candidate.incident_reason ?? requestFailureReason();
           break;
         }
         if (attempt < pollAttempts) {
@@ -24857,7 +25045,7 @@ var CLI_USAGE_LINES = [
   "  debugbundle connect [--auth-file <path>] [--json]",
   "  debugbundle ingest <file> --format <debugbundle-ndjson|php-error|apache-error> [--json]",
   "  debugbundle watch [--cloud] --log <file> --format <debugbundle-ndjson|php-error|apache-error> [--json]",
-  "  debugbundle process [--json]",
+  "  debugbundle process [--preset <minimal|balanced|investigative>] [--json]",
   "  debugbundle clean [--events] [--bundles] [--all] [--older-than <Nd>] [--json]",
   "  debugbundle validate [--fix] [--json]",
   "  debugbundle verify local [--json]",
@@ -28761,10 +28949,17 @@ ${formatUsage()}`
       });
     }
     if (command === "process") {
-      expectNoUnknownOptions(parsedArgv, ["json"]);
+      expectNoUnknownOptions(parsedArgv, ["json", "preset"]);
       ensureNoExtraPositionals(parsedArgv, 1);
       const json = readBooleanOption(parsedArgv, "json");
-      return await (dependencies.processCommand ?? processCommand)(json === true ? { json: true } : {});
+      const preset = readStringOption(parsedArgv, "preset");
+      if (preset !== void 0 && !CapturePresetSchema.safeParse(preset).success) {
+        throw new CliInputError("Invalid value for --preset.");
+      }
+      return await (dependencies.processCommand ?? processCommand)({
+        ...json === true ? { json: true } : {},
+        ...preset !== void 0 ? { preset } : {}
+      });
     }
     if (command === "clean") {
       expectNoUnknownOptions(parsedArgv, ["events", "bundles", "all", "older-than", "json"]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@debugbundle/cli",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "private": false,
   "description": "Command-line interface for DebugBundle",
   "license": "AGPL-3.0-only",