@debugbundle/cli 1.2.0 → 1.4.0

package/dist/main.cjs

@@ -14771,7 +14771,7 @@ function isIpLikeHost(value) {
   return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(host) || /^\[[0-9a-f:]+\]$/i.test(host) || host.includes(":") && /^[0-9a-f:]+$/i.test(host);
 }
 
-// ../../packages/shared-types/src/capture-rules.ts
+// ../../packages/shared-types/src/capture-rule-schemas.ts
 var CAPTURE_RULE_EVENT_TYPES = [
   "backend_exception",
   "request_event",
@@ -14799,6 +14799,7 @@ var CaptureRuleSampleEventClassSchema = external_exports.enum(CaptureRuleSampleE
 var CaptureRuleRuntimeSchema = external_exports.enum(CAPTURE_RULE_RUNTIME_VALUES);
 var CaptureRuleEventTypeSchema = external_exports.enum(CAPTURE_RULE_EVENT_TYPES);
 var BrowserEventKindSchema = external_exports.enum(["window_error", "resource_error"]);
+var CaptureRuleClientKindSchema = external_exports.enum(["human", "bot", "unknown"]);
 function normalizeOptionalTrimmedString(value) {
   const trimmed = value?.trim();
   return trimmed && trimmed.length > 0 ? trimmed : void 0;
@@ -14876,6 +14877,9 @@ var CaptureRuleMatcherSchema = external_exports.object({
   message_contains: external_exports.string().min(1).max(500).optional(),
   message_equals: external_exports.string().min(1).max(500).optional(),
   browser_event_kind: BrowserEventKindSchema.optional(),
+  browser_event_opaque: external_exports.boolean().optional(),
+  client_kind: CaptureRuleClientKindSchema.optional(),
+  bot_family: external_exports.string().min(1).max(120).optional(),
   resource_url: UrlMatcherSchema.optional(),
   request_url: UrlMatcherSchema.optional(),
   status_codes: external_exports.array(external_exports.number().int().min(100).max(599)).min(1).optional(),
@@ -14890,6 +14894,7 @@ var CaptureRuleMatcherSchema = external_exports.object({
   const errorName = normalizeOptionalTrimmedString(value.error_name);
   const messageContains = normalizeOptionalTrimmedString(value.message_contains);
   const messageEquals = normalizeOptionalTrimmedString(value.message_equals);
+  const botFamily = normalizeOptionalTrimmedString(value.bot_family);
   const statusCodes = normalizeNumberArray(value.status_codes);
   if (eventTypes !== void 0) {
     normalized.event_types = eventTypes;
@@ -14918,6 +14923,15 @@ var CaptureRuleMatcherSchema = external_exports.object({
   if (value.browser_event_kind !== void 0) {
     normalized.browser_event_kind = value.browser_event_kind;
   }
+  if (value.browser_event_opaque !== void 0) {
+    normalized.browser_event_opaque = value.browser_event_opaque;
+  }
+  if (value.client_kind !== void 0) {
+    normalized.client_kind = value.client_kind;
+  }
+  if (botFamily !== void 0) {
+    normalized.bot_family = botFamily;
+  }
   if (value.resource_url !== void 0) {
     normalized.resource_url = value.resource_url;
   }
@@ -14944,6 +14958,9 @@ var CaptureRuleMatcherSchema = external_exports.object({
     "message_contains",
     "message_equals",
     "browser_event_kind",
+    "browser_event_opaque",
+    "client_kind",
+    "bot_family",
     "resource_url",
     "request_url",
     "status_codes",
@@ -15126,6 +15143,8 @@ var CaptureRulesFileSchema = external_exports.object({
   version: external_exports.literal(1),
   rules: external_exports.array(CaptureRuleSchema)
 });
+
+// ../../packages/shared-types/src/capture-rule-evaluation.ts
 var CaptureRuleEvaluationUrlSchema = external_exports.object({
   host: external_exports.string().min(1).transform((value) => value.toLowerCase()).optional(),
   path: external_exports.string().min(1).transform((value) => value.startsWith("/") ? value : `/${value}`)
@@ -15141,11 +15160,40 @@ var CaptureRuleEvaluationContextSchema = external_exports.object({
   error_name: external_exports.string().min(1).optional(),
   message: external_exports.string().min(1).optional(),
   browser_event_kind: BrowserEventKindSchema.optional(),
+  browser_event_opaque: external_exports.boolean().optional(),
+  client_kind: CaptureRuleClientKindSchema.optional(),
+  bot_family: external_exports.string().min(1).max(120).optional(),
   resource_url: CaptureRuleEvaluationUrlSchema.optional(),
   request_url: CaptureRuleEvaluationUrlSchema.optional(),
   status_code: external_exports.number().int().min(0).max(599).optional(),
   fingerprint: CaptureRuleFingerprintSchema.optional()
 });
+function classifyCaptureRuleClientFromUserAgent(userAgent) {
+  if (userAgent === null || userAgent === void 0) {
+    return { client_kind: "unknown" };
+  }
+  const lower = userAgent.toLowerCase();
+  const knownBots = [
+    { family: "Googlebot", markers: ["googlebot", "adsbot-google", "google-inspectiontool"] },
+    { family: "Bingbot", markers: ["bingbot", "msnbot"] },
+    { family: "DuckDuckBot", markers: ["duckduckbot"] },
+    { family: "Applebot", markers: ["applebot"] },
+    { family: "YandexBot", markers: ["yandexbot"] },
+    { family: "Baiduspider", markers: ["baiduspider"] },
+    { family: "FacebookBot", markers: ["facebookexternalhit", "facebot"] },
+    { family: "LinkedInBot", markers: ["linkedinbot"] },
+    { family: "TwitterBot", markers: ["twitterbot"] },
+    { family: "Slackbot", markers: ["slackbot"] }
+  ];
+  const knownBot = knownBots.find((entry) => entry.markers.some((marker) => lower.includes(marker)));
+  if (knownBot !== void 0) {
+    return { client_kind: "bot", bot_family: knownBot.family };
+  }
+  if (["bot", "crawler", "spider", "slurp"].some((marker) => lower.includes(marker))) {
+    return { client_kind: "bot", bot_family: "OtherBot" };
+  }
+  return { client_kind: "human" };
+}
 
 // ../../packages/shared-types/src/capture-rule-suggestions.ts
 var CaptureRuleSuggestionConfidenceSchema = external_exports.enum(["high", "medium", "low"]);
@@ -15355,6 +15403,12 @@ var BrowserExceptionEventSchema = external_exports.object({
   }).strict().optional(),
   opaque: external_exports.boolean()
 }).strict();
+var FrontendRejectionReasonSchema = external_exports.object({
+  kind: external_exports.enum(["error", "string", "object", "null", "undefined", "unknown"]),
+  name: external_exports.string().min(1).optional(),
+  message: external_exports.string().min(1).optional(),
+  preview: external_exports.string().min(1).optional()
+}).strict();
 var FrontendExceptionPayloadSchema = external_exports.object({
   name: external_exports.string().min(1),
   message: external_exports.string().min(1),
@@ -15367,6 +15421,7 @@ var FrontendExceptionPayloadSchema = external_exports.object({
   breadcrumbs: external_exports.array(FrontendExceptionBreadcrumbSchema).optional(),
   device: DeviceInfoSchema.nullable().optional(),
   browser_event: BrowserExceptionEventSchema.optional(),
+  rejection_reason: FrontendRejectionReasonSchema.optional(),
   dom_context: external_exports.object({
     mode: external_exports.literal("lightweight"),
     html_excerpt: external_exports.string().min(1)
@@ -15818,7 +15873,7 @@ function buildSkill() {
     "2. Inspect the incident bundle and reproduction artifact before proposing a fix.",
     "3. Run `debugbundle analyze --type improvement --local` after local processing when you need a deterministic change plan.",
     "4. Apply the narrowest fix, then validate it with the repository test workflow from `.debugbundle/profile.json`.",
-    "5. When the fix is confirmed, or when the incident was intentionally generated for smoke, verification, or dogfooding, resolve it with `debugbundle resolve <incident-id>` or MCP `resolve_incident` so the open queue stays actionable.",
+    "5. When the fix is confirmed, or when the incident was intentionally generated for smoke, verification, or dogfooding, resolve it with `debugbundle resolve <incident-id> [incident-id ...]` or MCP `resolve_incident` / `resolve_incidents` so the open queue stays actionable.",
     "",
     "## Incident Hygiene",
     "",
@@ -15827,6 +15882,15 @@ function buildSkill() {
     "- Reopen or leave open if the failure is still present, the validation is incomplete, or the incident represents a live unresolved problem.",
     "- If a resolved incident regresses, let the platform move it back to `regressed` through normal incident lifecycle behavior.",
     "",
+    "## Noise Management",
+    "",
+    "When incident evidence shows repeated low-value operational noise rather than a product bug, evaluate whether a scoped capture rule or capture-policy path rule should handle future matches.",
+    "",
+    "- Run `debugbundle capture-rule suggest <incident-id> --json` before creating a manual rule. Apply deterministic suggestions with `debugbundle capture-rule create-from-suggestion <incident-id> --suggestion-id <id>` after confirming the scope is safe.",
+    "- Prefer project capture rules for operational noise because they are centralized, auditable, and enforced by ingestion and processing. Use SDK `beforeSend` only for app-owned local policy such as final redaction or events that must never leave the runtime.",
+    "- Scope frontend noise by structured evidence such as service, environment, `browser_event_kind`, `browser_event_opaque`, `client_kind`, `bot_family`, and message fields. Do not broadly demote generic `Unhandled promise rejection` incidents without bot-scoped or otherwise narrow evidence.",
+    "- For expected or intentionally promoted 4xx responses on known routes, use capture-policy client-error path rules instead of promoting all client errors: `debugbundle capture-policy set --client-error-path-rule <status=/path/*@GET>`.",
+    "",
     "## Profile Validation",
     "",
     "Use this task after setup or whenever architecture changes make the static profile stale.",
@@ -15889,10 +15953,21 @@ function buildCliReference() {
     "- `debugbundle explain <incident-id> [--source <local|cloud>] [--json]`",
     "- `debugbundle bundle <incident-id> [--source <local|cloud>] [--json]`",
     "- `debugbundle reproduce <incident-id> [--source <local|cloud>] [--json]`",
-    "- `debugbundle resolve <incident-id> [--source <local|cloud>] [--json]`",
-    "- `debugbundle reopen <incident-id> [--source <local|cloud>] [--json]`",
+    "- `debugbundle resolve <incident-id> [incident-id ...] [--source <local|cloud>] [--json]`",
+    "- `debugbundle reopen <incident-id> [incident-id ...] [--source <local|cloud>] [--json]`",
     "- `debugbundle analyze --type improvement --local`",
     "",
+    "## Noise Management",
+    "",
+    "- `debugbundle capture-rule suggest <incident-id> [--auth-file <path>] [--json]`",
+    "- `debugbundle capture-rule create-from-suggestion <incident-id> --suggestion-id <id> [--name <name>] [--expires-at <ISO8601>] [--auth-file <path>] [--json]`",
+    "- `debugbundle capture-rule list --project-id <id> [--auth-file <path>] [--json]`",
+    "- `debugbundle capture-rule create --project-id <id> --name <name> --action <demote|sample|drop> --matcher-json <json> [--auth-file <path>] [--json]`",
+    "- `debugbundle capture-policy get [--project <id>] [--json]`",
+    "- `debugbundle capture-policy set [--project <id>] --client-error-path-rule <404=/path/*@GET,POST> [--json]`",
+    "",
+    "Use capture-rule suggestions for repeated operational noise after inspecting an incident bundle. Use capture-policy client-error path rules for route-scoped 4xx incidents instead of promoting all client errors.",
+    "",
     "## Operational Paths",
     "",
     "- `.debugbundle/profile.json` \u2014 committed project map and agent validation state",
@@ -15923,7 +15998,7 @@ function buildCliReference() {
     "```bash",
     "debugbundle incidents --status open --json \\",
     `  | jq -r '.incidents[] | select(.title | test("smoke test|dogfood|verification|synthetic"; "i")) | .incident_id' \\`,
-    "  | xargs -n1 debugbundle resolve",
+    "  | xargs debugbundle resolve",
     "```",
     ""
   ].join("\n");
@@ -15942,19 +16017,28 @@ function buildMcpReference() {
     "- `get_incident_context` \u2014 fetch deterministic explanation context for triage.",
     "- `get_bundle` \u2014 fetch the full debug bundle before proposing a fix.",
     "- `get_reproduction` \u2014 fetch reproduction guidance before editing code.",
-    "- `resolve_incident` / `reopen_incident` \u2014 update lifecycle state after validation.",
+    "- `resolve_incident` / `resolve_incidents` / `reopen_incident` / `reopen_incidents` \u2014 update lifecycle state after validation.",
     "- `analyze` \u2014 run local agent-oriented analysis from local bundles and skill schemas.",
     "",
     "- Prefer bundle retrieval tools before reading raw repository files.",
     "- Use MCP bundle access when the current issue originated in production.",
-    "- Resolve fixed or intentionally generated incidents with `resolve_incident` so open incidents stay actionable.",
+    "- Resolve fixed or intentionally generated incidents with `resolve_incident` or `resolve_incidents` so open incidents stay actionable.",
     "- Fall back to local CLI processing when the project is local-only.",
     "",
+    "## Noise and Capture Policy Tools",
+    "",
+    "- `suggest_capture_rules_from_incident` \u2014 generate deterministic capture-rule suggestions from an incident bundle.",
+    "- `create_capture_rule_from_incident_suggestion` \u2014 apply a confirmed suggestion.",
+    "- `list_capture_rules`, `create_capture_rule`, `update_capture_rule`, `delete_capture_rule` \u2014 manage project capture rules.",
+    "- `get_capture_policy`, `update_capture_policy` \u2014 review or update capture policy, including path-scoped client-error incident rules.",
+    "",
+    "Use these tools for repeated low-value operational noise only after inspecting incident evidence. Keep frontend suppression scoped by structured browser and client signals, and use path-scoped capture policy for known 4xx routes.",
+    "",
     "## Smoke-Test Cleanup Recipe",
     "",
     '1. Call `list_incidents` with `status: "open"`.',
     "2. Filter incidents whose titles show they were intentionally generated for smoke, dogfood, verification, or synthetic checks.",
-    "3. Call `resolve_incident` for each verified synthetic incident.",
+    "3. Call `resolve_incidents` for verified synthetic incidents, or `resolve_incident` for a single incident.",
     "4. Call `list_incidents` again and confirm the open queue only contains actionable failures.",
     ""
   ].join("\n");
@@ -16074,6 +16158,16 @@ function buildSkillEvals() {
             "Leave unresolved incidents open when the failure is still live or unverified."
           ]
         },
+        {
+          name: "noise_management_guidance",
+          prompt: "The same low-value frontend incident keeps reopening. Confirm the skill tells the agent how to evaluate operational noise without hiding real bugs.",
+          expected_behavior: [
+            "Inspect incident evidence before creating a rule.",
+            "Use capture-rule suggestions for repeated operational noise.",
+            "Keep generic frontend suppression narrow with structured browser or bot signals.",
+            "Use capture-policy path rules for known route-scoped 4xx incidents."
+          ]
+        },
         {
           name: "artifact_path_discovery",
           prompt: "The user reports an unknown local runtime error. Confirm the skill tells the agent which DebugBundle paths and commands to inspect first.",
@@ -16736,6 +16830,9 @@ function createRetrievalApi(client) {
       if (input2.severity !== void 0) {
         query.set("severity", input2.severity);
       }
+      if (input2.firstSeenAfter !== void 0) {
+        query.set("first_seen_after", input2.firstSeenAfter);
+      }
       if (input2.cursor !== void 0) {
         query.set("cursor", input2.cursor);
       }
@@ -16992,6 +17089,88 @@ function createRetrievalApi(client) {
   };
 }
 
+// ../../packages/storage/src/account-analytics-store.ts
+var ACCOUNT_METRIC_KEYS = [
+  "account_created",
+  "account_deleted",
+  "project_created",
+  "project_deleted",
+  "raw_events_accepted",
+  "raw_events_rejected",
+  "events_rejected_malformed",
+  "events_rejected_rate_limited",
+  "events_rejected_quota",
+  "events_rejected_capture_policy",
+  "events_rejected_capture_rule",
+  "billable_events_counted",
+  "incident_signal_events_counted",
+  "context_signal_events_counted",
+  "operational_signal_events_counted",
+  "local_verification_events_accepted",
+  "cloud_verification_events_accepted",
+  "incidents_opened",
+  "incidents_resolved",
+  "incidents_reopened",
+  "incidents_regressed",
+  "incident_occurrences",
+  "incident_occurrences_high_severity",
+  "incident_occurrences_critical_severity",
+  "incidents_auto_detected_spiking",
+  "failure_bundles_created",
+  "failure_bundles_updated",
+  "failure_bundle_generations_failed",
+  "improvement_bundles_created",
+  "improvement_bundles_updated",
+  "improvement_bundle_generations_failed",
+  "reproductions_created",
+  "reproductions_failed",
+  "retention_bundle_owners_rotated",
+  "improvements_opened",
+  "improvements_resolved",
+  "improvements_reopened",
+  "improvements_snoozed",
+  "recurring_incident_improvements_opened",
+  "post_deploy_regression_improvements_opened",
+  "slow_request_improvements_opened",
+  "request_failure_improvements_opened",
+  "warning_log_improvements_opened",
+  "alert_deliveries_created",
+  "alert_deliveries_delivered",
+  "alert_deliveries_failed",
+  "alert_email_digests_sent",
+  "operational_emails_sent",
+  "weekly_reports_sent",
+  "weekly_reports_failed",
+  "webhook_deliveries_created",
+  "webhook_deliveries_delivered",
+  "webhook_deliveries_failed",
+  "webhooks_auto_disabled",
+  "github_dispatches_created",
+  "github_dispatches_delivered",
+  "github_dispatches_failed",
+  "github_dispatch_rules_created",
+  "github_dispatch_rules_deleted",
+  "remote_probe_activations_created",
+  "remote_probe_activations_expired",
+  "probe_events_accepted",
+  "capture_rules_created",
+  "capture_rules_deleted",
+  "capture_policy_updates",
+  "trial_started",
+  "trial_converted",
+  "trial_expired",
+  "plan_upgraded",
+  "plan_downgraded",
+  "capacity_units_purchased",
+  "capacity_units_reduced",
+  "allowance_warning_emails_sent",
+  "allowance_limit_emails_sent",
+  "projects_existing_at_account_deletion",
+  "open_incidents_existing_at_account_deletion",
+  "open_improvements_existing_at_account_deletion"
+];
+var AccountMetricKeySchema = external_exports.enum(ACCOUNT_METRIC_KEYS);
+
 // ../../packages/storage/src/incident-context.ts
 function isRecord2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
@@ -17088,6 +17267,33 @@ function buildRedactionRecord(bundleBody) {
     notes: readString(redaction["notes"])
   };
 }
+function buildBrowserSignalRecord(bundleBody) {
+  const bundle = isRecord2(bundleBody) ? bundleBody : {};
+  const context = isRecord2(bundle["context"]) ? bundle["context"] : {};
+  const frontend = isRecord2(context["frontend"]) ? context["frontend"] : {};
+  const exceptions = Array.isArray(frontend["exceptions"]) ? frontend["exceptions"] : [];
+  let exception;
+  for (let index = exceptions.length - 1; index >= 0; index -= 1) {
+    const candidate = exceptions[index];
+    if (isRecord2(candidate) && isRecord2(candidate["browser_event"])) {
+      exception = candidate;
+      break;
+    }
+  }
+  const browserEvent = isRecord2(exception) && isRecord2(exception["browser_event"]) ? exception["browser_event"] : null;
+  const device = isRecord2(context["device"]) ? context["device"] : {};
+  const client = classifyCaptureRuleClientFromUserAgent(readString(device["user_agent"]) ?? void 0);
+  if (browserEvent === null && client.client_kind === "unknown") {
+    return null;
+  }
+  return {
+    browser_event_kind: readString(browserEvent?.["kind"]),
+    browser_event_opaque: readBoolean(browserEvent?.["opaque"]),
+    browser_event_message: readString(browserEvent?.["message"]),
+    client_kind: client.client_kind,
+    bot_family: client.bot_family ?? null
+  };
+}
 function buildVisibilityRecord(input2) {
   const routeTarget = input2.primarySignal.route_template ?? input2.primarySignal.request_path;
   const matchedFields = input2.incident.matched_fields.length === 0 ? "none" : input2.incident.matched_fields.join(", ");
@@ -17125,6 +17331,14 @@ function buildSuggestedNextChecks(input2) {
   if (input2.deploy.regression_window === true || input2.incident.status === "regressed") {
     suggestions.push("Compare this incident against the most recent deploy and recent regressions.");
   }
+  if (input2.browserSignal?.browser_event_opaque === true) {
+    suggestions.push("Treat the browser event as opaque; inspect CSP, cross-origin scripts, resource loading, and framework error boundaries before changing application code.");
+  }
+  if (input2.browserSignal?.client_kind === "bot") {
+    suggestions.push(
+      `Review whether ${input2.browserSignal.bot_family ?? "bot"} traffic is operational noise before applying a bot-scoped capture rule.`
+    );
+  }
   if (input2.reproduction.status === "pending") {
     suggestions.push("Recheck reproduction guidance after the reproduction artifact is ready.");
   }
@@ -17145,6 +17359,7 @@ function buildIncidentContextRecord(input2) {
     primarySignal
   });
   const redaction = buildRedactionRecord(bundleBody);
+  const browserSignal = buildBrowserSignalRecord(bundleBody);
   return {
     incident: input2.incident,
     incident_reason: incidentReason,
@@ -17160,13 +17375,15 @@ function buildIncidentContextRecord(input2) {
     },
     visibility,
     redaction,
+    browser_signal: browserSignal,
     suggested_next_checks: buildSuggestedNextChecks({
       incident: input2.incident,
       bundle: input2.bundle,
       reproduction: input2.reproduction,
       logs,
       primarySignal,
-      deploy
+      deploy,
+      browserSignal
     })
   };
 }
@@ -17239,6 +17456,9 @@ function deriveIncidentReasonFromSourceEventTypes(eventTypes) {
 // ../../packages/auth/src/primitives.ts
 var import_argon2 = require("@node-rs/argon2");
 
+// ../../packages/auth/src/account-deletion-auth.ts
+var DEFAULT_ACCOUNT_DELETION_CODE_LIFETIME_MS = 1e3 * 60 * 10;
+
 // ../../packages/auth/src/web-session-auth.ts
 var DEFAULT_SESSION_LIFETIME_MS = 1e3 * 60 * 60 * 24 * 7;
 var DEFAULT_EMAIL_AUTH_CODE_LIFETIME_MS = 1e3 * 60 * 10;
@@ -17950,6 +18170,26 @@ var STORAGE_BOOTSTRAP_STATEMENTS = [
     CREATE INDEX email_auth_challenges_code_hash_idx
     ON email_auth_challenges (code_hash)
   `,
+  `
+    CREATE TABLE account_deletion_challenges (
+      id uuid PRIMARY KEY,
+      organization_id uuid NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      email text NOT NULL,
+      code_hash text NOT NULL,
+      created_at timestamptz NOT NULL DEFAULT now(),
+      expires_at timestamptz NOT NULL,
+      used_at timestamptz
+    )
+  `,
+  `
+    CREATE INDEX account_deletion_challenges_scope_idx
+    ON account_deletion_challenges (organization_id, user_id, lower(email), created_at DESC)
+  `,
+  `
+    CREATE INDEX account_deletion_challenges_code_hash_idx
+    ON account_deletion_challenges (code_hash)
+  `,
   `
     CREATE TABLE github_device_authorizations (
       id uuid PRIMARY KEY,
@@ -18660,6 +18900,103 @@ var STORAGE_BOOTSTRAP_STATEMENTS = [
       PRIMARY KEY (organization_id, period_starts_at)
     )
   `,
+  `
+    CREATE TABLE project_usage_counters (
+      project_id uuid NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+      period_starts_at timestamptz NOT NULL,
+      raw_ingested_events integer NOT NULL DEFAULT 0,
+      updated_at timestamptz NOT NULL DEFAULT now(),
+      PRIMARY KEY (project_id, period_starts_at)
+    )
+  `,
+  `
+    CREATE TABLE account_analytics_accounts (
+      analytics_account_id uuid PRIMARY KEY,
+      organization_id uuid UNIQUE,
+      organization_id_hash text NOT NULL UNIQUE,
+      created_at timestamptz NOT NULL,
+      first_seen_at timestamptz NOT NULL,
+      metrics_collection_started_at timestamptz NOT NULL,
+      backfilled_from_retained_rows_at timestamptz,
+      deleted_at timestamptz,
+      initial_plan text,
+      latest_known_plan text,
+      latest_capacity_units integer,
+      account_deleted boolean NOT NULL DEFAULT false,
+      metrics_schema_version integer NOT NULL DEFAULT 1,
+      updated_at timestamptz NOT NULL DEFAULT now()
+    )
+  `,
+  `
+    CREATE TABLE account_metric_periods (
+      analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+      period_grain text NOT NULL CHECK (period_grain IN ('day', 'month', 'year', 'lifetime')),
+      period_starts_at timestamptz NOT NULL,
+      metric_key text NOT NULL,
+      metric_value bigint NOT NULL DEFAULT 0,
+      updated_at timestamptz NOT NULL DEFAULT now(),
+      PRIMARY KEY (analytics_account_id, period_grain, period_starts_at, metric_key)
+    )
+  `,
+  `
+    CREATE INDEX account_metric_periods_grain_period_metric_idx
+    ON account_metric_periods (period_grain, period_starts_at, metric_key)
+  `,
+  `
+    CREATE INDEX account_metric_periods_account_grain_period_idx
+    ON account_metric_periods (analytics_account_id, period_grain, period_starts_at)
+  `,
+  `
+    CREATE TABLE account_metric_events (
+      dedupe_key_hash text PRIMARY KEY,
+      analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+      metric_source text NOT NULL,
+      occurred_at timestamptz NOT NULL,
+      recorded_at timestamptz NOT NULL DEFAULT now(),
+      metric_deltas jsonb NOT NULL
+    )
+  `,
+  `
+    CREATE TABLE account_payment_retention_records (
+      id uuid PRIMARY KEY,
+      analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+      organization_id_hash text NOT NULL,
+      provider text NOT NULL,
+      plan text,
+      billing_state text,
+      stripe_customer_id text,
+      stripe_subscription_id text,
+      billing_period_starts_at timestamptz,
+      billing_period_ends_at timestamptz,
+      additional_capacity_units integer,
+      last_billing_event_id text,
+      account_deleted_at timestamptz NOT NULL,
+      recorded_at timestamptz NOT NULL DEFAULT now(),
+      updated_at timestamptz NOT NULL DEFAULT now(),
+      UNIQUE (analytics_account_id, provider)
+    )
+  `,
+  `
+    CREATE INDEX account_payment_retention_records_provider_idx
+    ON account_payment_retention_records (provider, account_deleted_at DESC)
+  `,
+  `
+    CREATE TABLE account_payment_provider_events (
+      provider_event_key text PRIMARY KEY,
+      analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+      organization_id_hash text NOT NULL,
+      provider text NOT NULL,
+      provider_event_id text NOT NULL,
+      provider_event_type text NOT NULL,
+      processed_at timestamptz NOT NULL,
+      account_deleted_at timestamptz NOT NULL,
+      recorded_at timestamptz NOT NULL DEFAULT now()
+    )
+  `,
+  `
+    CREATE UNIQUE INDEX account_payment_provider_events_provider_event_key
+    ON account_payment_provider_events (provider, provider_event_id)
+  `,
   `
     CREATE TABLE operational_email_deliveries (
       id uuid PRIMARY KEY,
@@ -19428,6 +19765,141 @@ var STORAGE_SCHEMA_MIGRATIONS = [
     statements: [
       "ALTER TABLE capture_policies ADD COLUMN IF NOT EXISTS immediate_client_error_path_rules jsonb"
     ]
+  }),
+  defineStorageSchemaMigration({
+    id: "202606100001_add_project_usage_counters",
+    description: "Add durable project-level raw ingestion counters for project dashboard metrics.",
+    statements: [
+      `
+        CREATE TABLE IF NOT EXISTS project_usage_counters (
+          project_id uuid NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+          period_starts_at timestamptz NOT NULL,
+          raw_ingested_events integer NOT NULL DEFAULT 0,
+          updated_at timestamptz NOT NULL DEFAULT now(),
+          PRIMARY KEY (project_id, period_starts_at)
+        )
+      `
+    ]
+  }),
+  defineStorageSchemaMigration({
+    id: "202606100002_add_account_deletion_challenges",
+    description: "Add scoped OTP challenges for account deletion confirmation.",
+    statements: [
+      `
+        CREATE TABLE IF NOT EXISTS account_deletion_challenges (
+          id uuid PRIMARY KEY,
+          organization_id uuid NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+          user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+          email text NOT NULL,
+          code_hash text NOT NULL,
+          created_at timestamptz NOT NULL DEFAULT now(),
+          expires_at timestamptz NOT NULL,
+          used_at timestamptz
+        )
+      `,
+      `
+        CREATE INDEX IF NOT EXISTS account_deletion_challenges_scope_idx
+        ON account_deletion_challenges (organization_id, user_id, lower(email), created_at DESC)
+      `,
+      `
+        CREATE INDEX IF NOT EXISTS account_deletion_challenges_code_hash_idx
+        ON account_deletion_challenges (code_hash)
+      `
+    ]
+  }),
+  defineStorageSchemaMigration({
+    id: "202606100003_add_account_analytics_and_payment_retention",
+    description: "Add deletion-safe account analytics and payment retention ledgers.",
+    statements: [
+      `
+        CREATE TABLE IF NOT EXISTS account_analytics_accounts (
+          analytics_account_id uuid PRIMARY KEY,
+          organization_id uuid UNIQUE,
+          organization_id_hash text NOT NULL UNIQUE,
+          created_at timestamptz NOT NULL,
+          first_seen_at timestamptz NOT NULL,
+          metrics_collection_started_at timestamptz NOT NULL,
+          backfilled_from_retained_rows_at timestamptz,
+          deleted_at timestamptz,
+          initial_plan text,
+          latest_known_plan text,
+          latest_capacity_units integer,
+          account_deleted boolean NOT NULL DEFAULT false,
+          metrics_schema_version integer NOT NULL DEFAULT 1,
+          updated_at timestamptz NOT NULL DEFAULT now()
+        )
+      `,
+      `
+        CREATE TABLE IF NOT EXISTS account_metric_periods (
+          analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+          period_grain text NOT NULL CHECK (period_grain IN ('day', 'month', 'year', 'lifetime')),
+          period_starts_at timestamptz NOT NULL,
+          metric_key text NOT NULL,
+          metric_value bigint NOT NULL DEFAULT 0,
+          updated_at timestamptz NOT NULL DEFAULT now(),
+          PRIMARY KEY (analytics_account_id, period_grain, period_starts_at, metric_key)
+        )
+      `,
+      `
+        CREATE INDEX IF NOT EXISTS account_metric_periods_grain_period_metric_idx
+        ON account_metric_periods (period_grain, period_starts_at, metric_key)
+      `,
+      `
+        CREATE INDEX IF NOT EXISTS account_metric_periods_account_grain_period_idx
+        ON account_metric_periods (analytics_account_id, period_grain, period_starts_at)
+      `,
+      `
+        CREATE TABLE IF NOT EXISTS account_metric_events (
+          dedupe_key_hash text PRIMARY KEY,
+          analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+          metric_source text NOT NULL,
+          occurred_at timestamptz NOT NULL,
+          recorded_at timestamptz NOT NULL DEFAULT now(),
+          metric_deltas jsonb NOT NULL
+        )
+      `,
+      `
+        CREATE TABLE IF NOT EXISTS account_payment_retention_records (
+          id uuid PRIMARY KEY,
+          analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+          organization_id_hash text NOT NULL,
+          provider text NOT NULL,
+          plan text,
+          billing_state text,
+          stripe_customer_id text,
+          stripe_subscription_id text,
+          billing_period_starts_at timestamptz,
+          billing_period_ends_at timestamptz,
+          additional_capacity_units integer,
+          last_billing_event_id text,
+          account_deleted_at timestamptz NOT NULL,
+          recorded_at timestamptz NOT NULL DEFAULT now(),
+          updated_at timestamptz NOT NULL DEFAULT now(),
+          UNIQUE (analytics_account_id, provider)
+        )
+      `,
+      `
+        CREATE INDEX IF NOT EXISTS account_payment_retention_records_provider_idx
+        ON account_payment_retention_records (provider, account_deleted_at DESC)
+      `,
+      `
+        CREATE TABLE IF NOT EXISTS account_payment_provider_events (
+          provider_event_key text PRIMARY KEY,
+          analytics_account_id uuid NOT NULL REFERENCES account_analytics_accounts(analytics_account_id),
+          organization_id_hash text NOT NULL,
+          provider text NOT NULL,
+          provider_event_id text NOT NULL,
+          provider_event_type text NOT NULL,
+          processed_at timestamptz NOT NULL,
+          account_deleted_at timestamptz NOT NULL,
+          recorded_at timestamptz NOT NULL DEFAULT now()
+        )
+      `,
+      `
+        CREATE UNIQUE INDEX IF NOT EXISTS account_payment_provider_events_provider_event_key
+        ON account_payment_provider_events (provider, provider_event_id)
+      `
+    ]
   })
 ];
 
@@ -19631,7 +20103,7 @@ async function listLocalIncidents(input2, dependencies) {
       return true;
     }
     return incident.status === input2.status;
-  }).filter((incident) => input2.severity === void 0 ? true : incident.severity === input2.severity).sort(sortIncidentsDescending);
+  }).filter((incident) => input2.severity === void 0 ? true : incident.severity === input2.severity).filter((incident) => input2.firstSeenAfter === void 0 ? true : incident.first_seen_at >= input2.firstSeenAfter).sort(sortIncidentsDescending);
   const startIndex = input2.cursor === void 0 ? 0 : incidents.findIndex((incident) => buildCursor(incident) === input2.cursor) + 1;
   const pagedIncidents = input2.limit === void 0 ? incidents.slice(startIndex) : incidents.slice(startIndex, startIndex + input2.limit);
   const hasMore = input2.limit !== void 0 && startIndex + input2.limit < incidents.length;
@@ -20175,6 +20647,10 @@ var import_node_path9 = require("node:path");
 
 // ../../packages/project-management-client/src/index.ts
 var ProjectMetricsSchema = external_exports.object({
+  open_incidents: external_exports.number().int().nonnegative().default(0),
+  regressed_incidents: external_exports.number().int().nonnegative().default(0),
+  opened_incidents_today: external_exports.number().int().nonnegative().default(0),
+  opened_incidents_month: external_exports.number().int().nonnegative().default(0),
   monthly_bundle_requests: external_exports.number().int().nonnegative(),
   monthly_raw_ingested_events: external_exports.number().int().nonnegative(),
   retained_bundles: external_exports.number().int().nonnegative(),
@@ -27189,6 +27665,7 @@ async function listAllCloudIncidents(input2, api) {
       ...input2.service === void 0 ? {} : { service: input2.service },
       ...input2.status === void 0 ? {} : { status: input2.status },
       ...input2.severity === void 0 ? {} : { severity: input2.severity },
+      ...input2.firstSeenAfter === void 0 ? {} : { firstSeenAfter: input2.firstSeenAfter },
       ...cursor === void 0 ? {} : { cursor }
     });
     incidents.push(
@@ -27209,7 +27686,8 @@ async function mapCombinedIncidentListResult(input2, api, dependencies) {
       ...input2.environment === void 0 ? {} : { environment: input2.environment },
       ...input2.service === void 0 ? {} : { service: input2.service },
       ...input2.status === void 0 ? {} : { status: input2.status },
-      ...input2.severity === void 0 ? {} : { severity: input2.severity }
+      ...input2.severity === void 0 ? {} : { severity: input2.severity },
+      ...input2.firstSeenAfter === void 0 ? {} : { firstSeenAfter: input2.firstSeenAfter }
     },
     dependencies
   );
@@ -27220,7 +27698,8 @@ async function mapCombinedIncidentListResult(input2, api, dependencies) {
       ...input2.environment === void 0 ? {} : { environment: input2.environment },
       ...input2.service === void 0 ? {} : { service: input2.service },
       ...input2.status === void 0 ? {} : { status: input2.status },
-      ...input2.severity === void 0 ? {} : { severity: input2.severity }
+      ...input2.severity === void 0 ? {} : { severity: input2.severity },
+      ...input2.firstSeenAfter === void 0 ? {} : { firstSeenAfter: input2.firstSeenAfter }
     },
     api
   );
@@ -27259,6 +27738,9 @@ async function listIncidentsCommand(input2, api) {
     if (input2.severity !== void 0) {
       requestInput.severity = input2.severity;
     }
+    if (input2.firstSeenAfter !== void 0) {
+      requestInput.firstSeenAfter = input2.firstSeenAfter;
+    }
     if (input2.cursor !== void 0) {
       requestInput.cursor = input2.cursor;
     }
@@ -27290,6 +27772,7 @@ async function listIncidentsWithAuthCommand(input2, dependencies) {
           ...input2.service === void 0 ? {} : { service: input2.service },
           ...input2.status === void 0 ? {} : { status: input2.status },
           ...input2.severity === void 0 ? {} : { severity: input2.severity },
+          ...input2.firstSeenAfter === void 0 ? {} : { firstSeenAfter: input2.firstSeenAfter },
           ...input2.cursor === void 0 ? {} : { cursor: input2.cursor },
           ...input2.limit === void 0 ? {} : { limit: input2.limit }
         },
@@ -27314,6 +27797,7 @@ async function listIncidentsWithAuthCommand(input2, dependencies) {
           ...input2.service === void 0 ? {} : { service: input2.service },
           ...input2.status === void 0 ? {} : { status: input2.status },
           ...input2.severity === void 0 ? {} : { severity: input2.severity },
+          ...input2.firstSeenAfter === void 0 ? {} : { firstSeenAfter: input2.firstSeenAfter },
           ...input2.cursor === void 0 ? {} : { cursor: input2.cursor },
           ...input2.limit === void 0 ? {} : { limit: input2.limit },
           ...input2.json === void 0 ? {} : { json: input2.json }
@@ -27349,6 +27833,9 @@ async function listIncidentsWithAuthCommand(input2, dependencies) {
       if (input2.severity !== void 0) {
         commandInput.severity = input2.severity;
       }
+      if (input2.firstSeenAfter !== void 0) {
+        commandInput.firstSeenAfter = input2.firstSeenAfter;
+      }
       if (input2.cursor !== void 0) {
         commandInput.cursor = input2.cursor;
       }
@@ -29073,7 +29560,7 @@ var CLI_USAGE_LINES = [
   "  debugbundle login --github-device [--label <label>] [--base-url <url>] [--auth-file <path>] [--json]",
   "  debugbundle profile validate [--json]",
   "  debugbundle whoami [--auth-file <path>] [--json]",
-  "  debugbundle incidents [--source <local|cloud>] [--project-id <id>] [--environment <name>] [--service <name>] [--status <status>] [--severity <severity>] [--cursor <cursor>] [--limit <n>] [--auth-file <path>] [--json]",
+  "  debugbundle incidents [--source <local|cloud>] [--project-id <id>] [--environment <name>] [--service <name>] [--status <status>] [--severity <severity>] [--first-seen-after <ISO8601>] [--cursor <cursor>] [--limit <n>] [--auth-file <path>] [--json]",
   "  debugbundle inspect <incident-id> [--source <local|cloud>] [--auth-file <path>] [--json]",
   "  debugbundle explain <incident-id> [--source <local|cloud>] [--auth-file <path>] [--json]",
   "  debugbundle resolve <incident-id> [incident-id ...] [--source <local|cloud>] [--auth-file <path>] [--json]",
@@ -32379,18 +32866,44 @@ function mapErrorToExitCode12(error) {
   }
   return 1;
 }
-function formatMatcher(rule) {
+function formatMatcherFromValue(matcher) {
   const parts = [];
-  const matcher = rule.matcher;
   if (matcher.event_types !== void 0) {
     parts.push(`event_types=${matcher.event_types.join(",")}`);
   }
   if (matcher.browser_event_kind !== void 0) {
     parts.push(`browser_event_kind=${matcher.browser_event_kind}`);
   }
+  if (matcher.browser_event_opaque !== void 0) {
+    parts.push(`browser_event_opaque=${String(matcher.browser_event_opaque)}`);
+  }
+  if (matcher.client_kind !== void 0) {
+    parts.push(`client_kind=${matcher.client_kind}`);
+  }
+  if (matcher.bot_family !== void 0) {
+    parts.push(`bot_family=${matcher.bot_family}`);
+  }
+  if (matcher.services !== void 0) {
+    parts.push(`services=${matcher.services.join(",")}`);
+  }
+  if (matcher.environments !== void 0) {
+    parts.push(`environments=${matcher.environments.join(",")}`);
+  }
+  if (matcher.message_equals !== void 0) {
+    parts.push(`message_equals=${JSON.stringify(matcher.message_equals)}`);
+  }
+  if (matcher.message_contains !== void 0) {
+    parts.push(`message_contains=${JSON.stringify(matcher.message_contains)}`);
+  }
+  if (matcher.error_name !== void 0) {
+    parts.push(`error_name=${matcher.error_name}`);
+  }
   if (matcher.resource_url?.host !== void 0) {
     parts.push(`resource_host=${matcher.resource_url.host}`);
   }
+  if (matcher.resource_url?.path_equals !== void 0) {
+    parts.push(`resource_path=${matcher.resource_url.path_equals}`);
+  }
   if (matcher.request_url?.path_equals !== void 0) {
     parts.push(`request_path=${matcher.request_url.path_equals}`);
   }
@@ -32402,6 +32915,9 @@ function formatMatcher(rule) {
   }
   return parts.length > 0 ? parts.join(" ") : "matcher=custom";
 }
+function formatMatcher(rule) {
+  return formatMatcherFromValue(rule.matcher);
+}
 function formatRule(rule) {
   const action = rule.action === "sample" ? `${rule.action}:${rule.sample_rate ?? "?"}:${rule.sample_event_class ?? "?"}` : rule.action;
   return [
@@ -32422,7 +32938,10 @@ function formatSuggestionResponse(response) {
   return response.suggestions.map(
     (suggestion) => [
       `${suggestion.suggestion_id} ${suggestion.recommended_action} ${suggestion.confidence} ${suggestion.label}`,
-      suggestion.reason
+      suggestion.reason,
+      `matcher: ${formatMatcherFromValue(suggestion.rule.matcher)}`,
+      `requires_confirmation: ${String(suggestion.requires_confirmation)}`,
+      `apply: debugbundle capture-rule create-from-suggestion <incident-id> --suggestion-id ${suggestion.suggestion_id}`
     ].join("\n")
   ).join("\n\n");
 }
@@ -34739,7 +35258,7 @@ async function handleCaptureRuleCommand2(parsedArgv, dependencies) {
 // package.json
 var package_default = {
   name: "@debugbundle/cli",
-  version: "1.2.0",
+  version: "1.4.0",
   private: false,
   description: "Command-line interface for DebugBundle",
   license: "AGPL-3.0-only",
@@ -35030,7 +35549,7 @@ ${formatUsage()}`
       return await (dependencies.whoamiCommand ?? whoamiCommand)(appendCommonAuthOptions(parsedArgv, {}));
     }
     if (command === "incidents") {
-      expectNoUnknownOptions(parsedArgv, ["auth-file", "json", "source", "project-id", "environment", "service", "status", "severity", "cursor", "limit"]);
+      expectNoUnknownOptions(parsedArgv, ["auth-file", "json", "source", "project-id", "environment", "service", "status", "severity", "first-seen-after", "cursor", "limit"]);
       ensureNoExtraPositionals(parsedArgv, 1);
       const input2 = appendCommonAuthOptions(parsedArgv, {});
       const source = readRetrievalSource(parsedArgv);
@@ -35057,6 +35576,10 @@ ${formatUsage()}`
       if (severity !== void 0) {
         input2.severity = severity;
       }
+      const firstSeenAfter = readStringOption(parsedArgv, "first-seen-after");
+      if (firstSeenAfter !== void 0) {
+        input2.firstSeenAfter = firstSeenAfter;
+      }
       const cursor = readStringOption(parsedArgv, "cursor");
       if (cursor !== void 0) {
         input2.cursor = cursor;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@debugbundle/cli",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "private": false,
   "description": "Command-line interface for DebugBundle",
   "license": "AGPL-3.0-only",