npm - brakit - Versions diffs - 0.6.0 → 0.6.2 - Mend

brakit 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/bin/brakit.js CHANGED Viewed

@@ -32,6 +32,7 @@ var DASHBOARD_API_ACTIVITY = "/__brakit/api/activity";
 var DASHBOARD_API_METRICS_LIVE = "/__brakit/api/metrics/live";
 var DASHBOARD_API_INSIGHTS = "/__brakit/api/insights";
 var DASHBOARD_API_SECURITY = "/__brakit/api/security";
+var DASHBOARD_API_TAB = "/__brakit/api/tab";
 // src/constants/limits.ts
 var MAX_REQUEST_ENTRIES = 1e3;
@@ -50,7 +51,6 @@ var ERROR_RATE_THRESHOLD_PCT = 20;
 var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
 var MIN_REQUESTS_FOR_INSIGHT = 2;
 var HIGH_QUERY_COUNT_PER_REQ = 5;
-var AUTH_OVERHEAD_PCT = 30;
 var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
 var CROSS_ENDPOINT_PCT = 50;
 var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
@@ -58,6 +58,9 @@ var REDUNDANT_QUERY_MIN_COUNT = 2;
 var LARGE_RESPONSE_BYTES = 51200;
 var HIGH_ROW_COUNT = 100;
 var OVERFETCH_MIN_REQUESTS = 2;
+var OVERFETCH_MIN_FIELDS = 8;
+var OVERFETCH_MIN_INTERNAL_IDS = 2;
+var OVERFETCH_NULL_RATIO = 0.3;
 // src/constants/transport.ts
 var SSE_HEARTBEAT_INTERVAL_MS = 3e4;
@@ -161,7 +164,7 @@ var offRequest = (fn) => defaultStore.offRequest(fn);
 // src/proxy/handler.ts
 function proxyRequest(clientReq, clientRes, config) {
-  const startTime = performance.now();
+  const startTime2 = performance.now();
   const method = clientReq.method ?? "GET";
   const requestId = randomUUID();
   const shouldCaptureBody = method !== "GET" && method !== "HEAD";
@@ -191,7 +194,7 @@ function proxyRequest(clientReq, clientRes, config) {
         clientReq,
         clientRes,
         proxyRes,
-        startTime,
+        startTime2,
         shouldCaptureBody ? bodyChunks : [],
         config,
         requestId
@@ -214,7 +217,7 @@ function proxyRequest(clientReq, clientRes, config) {
   });
   clientReq.pipe(proxyReq);
 }
-function handleProxyResponse(clientReq, clientRes, proxyRes, startTime, bodyChunks, config, requestId) {
+function handleProxyResponse(clientReq, clientRes, proxyRes, startTime2, bodyChunks, config, requestId) {
   const responseChunks = [];
   let responseSize = 0;
   clientRes.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
@@ -239,7 +242,7 @@ function handleProxyResponse(clientReq, clientRes, proxyRes, startTime, bodyChun
       responseHeaders: proxyRes.headers,
       responseBody,
       responseContentType: proxyRes.headers["content-type"] ?? "",
-      startTime,
+      startTime: startTime2,
       config
     });
   });
@@ -575,7 +578,7 @@ function buildFlow(rawRequests) {
   markDuplicates(rawRequests);
   const requests = collapsePolling(rawRequests);
   const first = requests[0];
-  const startTime = first.startedAt;
+  const startTime2 = first.startedAt;
   const endTime = Math.max(
     ...requests.map(
       (r) => r.pollingDurationMs ? r.startedAt + r.pollingDurationMs : r.startedAt + r.durationMs
@@ -589,8 +592,8 @@ function buildFlow(rawRequests) {
     id: randomUUID2(),
     label: deriveFlowLabel(requests, sourcePage),
     requests,
-    startTime,
-    totalDurationMs: Math.round(endTime - startTime),
+    startTime: startTime2,
+    totalDurationMs: Math.round(endTime - startTime2),
     hasErrors: requests.some((r) => r.statusCode >= 400),
     warnings: detectWarnings(rawRequests),
     sourcePage,
@@ -1224,62 +1227,70 @@ function createSecurityHandler(engine) {
 }
 // src/dashboard/sse.ts
-function handleSSE(req, res) {
-  res.writeHead(200, {
-    "content-type": "text/event-stream",
-    "cache-control": "no-cache",
-    connection: "keep-alive",
-    "access-control-allow-origin": "*"
-  });
-  res.write(":ok\n\n");
-  const writeEvent = (eventType, data) => {
-    if (res.destroyed) return;
-    if (eventType) {
-      res.write(`event: ${eventType}
+function createSSEHandler(engine) {
+  return (req, res) => {
+    res.writeHead(200, {
+      "content-type": "text/event-stream",
+      "cache-control": "no-cache",
+      connection: "keep-alive",
+      "access-control-allow-origin": "*"
+    });
+    res.write(":ok\n\n");
+    const writeEvent = (eventType, data) => {
+      if (res.destroyed) return;
+      if (eventType) {
+        res.write(`event: ${eventType}
 data: ${data}
 `);
-    } else {
-      res.write(`data: ${data}
+      } else {
+        res.write(`data: ${data}
 `);
-    }
-  };
-  const requestListener = (traced) => {
-    writeEvent(null, JSON.stringify(traced));
-  };
-  const fetchListener = (entry) => {
-    writeEvent("fetch", JSON.stringify(entry));
-  };
-  const logListener = (entry) => {
-    writeEvent("log", JSON.stringify(entry));
-  };
-  const errorListener = (entry) => {
-    writeEvent("error_event", JSON.stringify(entry));
-  };
-  const queryListener = (entry) => {
-    writeEvent("query", JSON.stringify(entry));
-  };
-  onRequest(requestListener);
-  defaultFetchStore.onEntry(fetchListener);
-  defaultLogStore.onEntry(logListener);
-  defaultErrorStore.onEntry(errorListener);
-  defaultQueryStore.onEntry(queryListener);
-  const heartbeat = setInterval(() => {
-    if (res.destroyed) {
+      }
+    };
+    const requestListener = (traced) => {
+      writeEvent(null, JSON.stringify(traced));
+    };
+    const fetchListener = (entry) => {
+      writeEvent("fetch", JSON.stringify(entry));
+    };
+    const logListener = (entry) => {
+      writeEvent("log", JSON.stringify(entry));
+    };
+    const errorListener = (entry) => {
+      writeEvent("error_event", JSON.stringify(entry));
+    };
+    const queryListener = (entry) => {
+      writeEvent("query", JSON.stringify(entry));
+    };
+    const analysisListener = engine ? (insights, findings) => {
+      writeEvent("insights", JSON.stringify(insights));
+      writeEvent("security", JSON.stringify(findings));
+    } : void 0;
+    onRequest(requestListener);
+    defaultFetchStore.onEntry(fetchListener);
+    defaultLogStore.onEntry(logListener);
+    defaultErrorStore.onEntry(errorListener);
+    defaultQueryStore.onEntry(queryListener);
+    if (engine && analysisListener) engine.onUpdate(analysisListener);
+    const heartbeat = setInterval(() => {
+      if (res.destroyed) {
+        clearInterval(heartbeat);
+        return;
+      }
+      res.write(":heartbeat\n\n");
+    }, SSE_HEARTBEAT_INTERVAL_MS);
+    req.on("close", () => {
       clearInterval(heartbeat);
-      return;
-    }
-    res.write(":heartbeat\n\n");
-  }, SSE_HEARTBEAT_INTERVAL_MS);
-  req.on("close", () => {
-    clearInterval(heartbeat);
-    offRequest(requestListener);
-    defaultFetchStore.offEntry(fetchListener);
-    defaultLogStore.offEntry(logListener);
-    defaultErrorStore.offEntry(errorListener);
-    defaultQueryStore.offEntry(queryListener);
-  });
+      offRequest(requestListener);
+      defaultFetchStore.offEntry(fetchListener);
+      defaultLogStore.offEntry(logListener);
+      defaultErrorStore.offEntry(errorListener);
+      defaultQueryStore.offEntry(queryListener);
+      if (engine && analysisListener) engine.offUpdate(analysisListener);
+    });
+  };
 }
 // src/dashboard/styles/base.ts
@@ -1916,7 +1927,6 @@ var HEALTH_GOOD_MS = 300;
 var HEALTH_OK_MS = 800;
 var HEALTH_SLOW_MS = 2e3;
 var SLOW_QUERY_THRESHOLD_MS = 100;
-var AUTH_SLOW_MS = 500;
 var AUTH_SKIP_CATEGORIES = `{ 'auth-handshake': 1, 'auth-check': 1, 'middleware': 1 }`;
 var TIMELINE_CACHE_MAX = 50;
 var TIMELINE_ROOT_MARGIN = "'200px'";
@@ -2116,22 +2126,6 @@ function getSqlUtils() {
   return `
   var QUERY_OP_COLORS = ${QUERY_OP_COLORS};
-  // Extracts operation and table name from raw SQL.
-  // Handles Postgres schema-qualified names ("public"."table") and positional params ($1).
-  function simplifySQL(sql) {
-    if (!sql) return { op: '?', table: '' };
-    var trimmed = sql.trim();
-    var op = trimmed.split(/\\s+/)[0].toUpperCase();
-    if (/SELECT\\s+COUNT/i.test(trimmed)) {
-      var countTable = trimmed.match(/FROM\\s+"?\\w+"?\\."?(\\w+)"?/i);
-      return { op: 'COUNT', table: countTable ? countTable[1] : '' };
-    }
-    var tableMatch = trimmed.match(/(?:FROM|INTO|UPDATE)\\s+"?\\w+"?\\."?(\\w+)"?/i);
-    return { op: op, table: tableMatch ? tableMatch[1] : '' };
-  }
   function truncateSQL(sql, max) {
     if (!sql) return '';
     var clean = sql.replace(/"public"\\./g, '').replace(/"/g, '');
@@ -2143,16 +2137,6 @@ function getSqlUtils() {
     if (ms === 0) return '<1ms';
     return formatDuration(ms);
   }
-  // Normalizes SQL by replacing literal values with placeholders.
-  // Used to group queries by "shape" for N+1 and cross-endpoint detection.
-  function normalizeQueryParams(sql) {
-    if (!sql) return null;
-    var n = sql.replace(/'[^']*'/g, '?');
-    n = n.replace(/\\b\\d+(\\.\\d+)?\\b/g, '?');
-    n = n.replace(/\\$\\d+/g, '?');
-    return n;
-  }
   `;
 }
@@ -2291,7 +2275,6 @@ function getFlowInsights() {
     var warnings = [];
     var duplicates = [];
     var seen = new Map();
-    var authMs = 0;
     var totalMs = 0;
     for (var i = 0; i < reqs.length; i++) {
       var req = reqs[i];
@@ -2300,10 +2283,6 @@ function getFlowInsights() {
       totalMs += dur;
       if (skipCats[req.category]) {
-        authMs += dur;
-        if (dur > ${AUTH_SLOW_MS}) {
-          warnings.push('Slow auth: ' + label + ' took ' + formatDuration(dur));
-        }
         continue;
       }
@@ -2325,13 +2304,6 @@ function getFlowInsights() {
       successes.push(label);
     }
-    if (totalMs > 0 && authMs > 0) {
-      var authPct = Math.round((authMs / totalMs) * 100);
-      if (authPct >= ${AUTH_OVERHEAD_PCT}) {
-        warnings.unshift('Auth overhead: ' + authPct + '% of this action (' + formatDuration(authMs) + ') is spent in auth/middleware');
-      }
-    }
     for (var d of seen.values()) duplicates.push(d);
     var tip = '';
     if (duplicates.length > 0) {
@@ -2822,7 +2794,7 @@ function getQueriesView() {
     var row = document.createElement('div');
     row.className = 'req-row query-row tel-clickable';
-    var info = q.sql ? simplifySQL(q.sql) : { op: q.operation || '?', table: q.model || '' };
+    var info = { op: (q.normalizedOp || q.operation || '?').toUpperCase(), table: q.table || q.model || '' };
     var opColor = QUERY_OP_COLORS[info.op] || 'var(--text-dim)';
     var slowCls = q.durationMs > ${SLOW_QUERY_THRESHOLD_MS} ? ' query-slow' : '';
     var preview = q.sql || (info.op + ' ' + info.table);
@@ -2976,7 +2948,7 @@ function getTimelineView() {
              '<span class="tl-event-dur">' + formatDuration(d.durationMs) + '</span>';
     }
     if (evt.type === 'query') {
-      var info = d.sql ? simplifySQL(d.sql) : { op: d.operation || '?', table: d.model || '' };
+      var info = { op: (d.normalizedOp || d.operation || '?').toUpperCase(), table: d.table || d.model || '' };
       var opColor = QUERY_OP_COLORS[info.op] || 'var(--text-dim)';
       return '<span class="tl-event-summary"><span style="color:' + opColor + ';font-weight:600">' + escHtml(info.op) + '</span> ' + escHtml(info.table) + '</span>' +
              '<span class="tl-event-dur">' + queryDuration(d.durationMs) + '</span>';
@@ -3490,389 +3462,6 @@ function getGraphView() {
   `;
 }
-// src/dashboard/client/views/overview/insights.ts
-function getOverviewInsights() {
-  return `
-  function computeInsights() {
-    var insights = [];
-    var nonStatic = state.requests.filter(function(r) {
-      return !r.isStatic && (!r.path || r.path.indexOf('${DASHBOARD_PREFIX}') !== 0);
-    });
-    // N+1: same query shape with different parameter values in a single request
-    var queriesByReq = {};
-    for (var qi = 0; qi < state.queries.length; qi++) {
-      var q = state.queries[qi];
-      if (!q.parentRequestId) continue;
-      if (!queriesByReq[q.parentRequestId]) queriesByReq[q.parentRequestId] = [];
-      queriesByReq[q.parentRequestId].push(q);
-    }
-    var reqById = {};
-    for (var ri = 0; ri < nonStatic.length; ri++) {
-      reqById[nonStatic[ri].id] = nonStatic[ri];
-    }
-    var n1Seen = {};
-    for (var reqId in queriesByReq) {
-      var reqQueries = queriesByReq[reqId];
-      var req = reqById[reqId];
-      if (!req) continue;
-      var endpoint = req.method + ' ' + req.path;
-      var shapeGroups = {};
-      for (var tqi = 0; tqi < reqQueries.length; tqi++) {
-        var tq = reqQueries[tqi];
-        var normalized = tq.sql ? normalizeQueryParams(tq.sql) : null;
-        var shape = normalized || ((tq.operation || '?') + ':' + (tq.model || ''));
-        if (!shapeGroups[shape]) shapeGroups[shape] = { count: 0, distinctSql: {}, first: tq };
-        shapeGroups[shape].count++;
-        var sqlKey = tq.sql || shape;
-        shapeGroups[shape].distinctSql[sqlKey] = 1;
-      }
-      for (var shape in shapeGroups) {
-        var sg = shapeGroups[shape];
-        var distinctCount = Object.keys(sg.distinctSql).length;
-        if (sg.count > ${N1_QUERY_THRESHOLD} && distinctCount > 1) {
-          var info = sg.first.sql ? simplifySQL(sg.first.sql) : { op: sg.first.operation || '?', table: sg.first.model || '' };
-          var key = endpoint + ':' + info.op + ':' + (info.table || 'unknown');
-          if (!n1Seen[key]) {
-            n1Seen[key] = true;
-            insights.push({
-              severity: 'critical',
-              type: 'n1',
-              title: 'N+1 Query Pattern',
-              desc: '<strong>' + escHtml(endpoint) + '</strong> runs ' + sg.count + 'x <strong>' + escHtml(info.op + ' ' + info.table) + '</strong> with different params in a single request',
-              hint: 'This typically happens when fetching related data in a loop. Use a batch query, JOIN, or include/eager-load to fetch all records at once.',
-              nav: 'queries'
-            });
-          }
-        }
-      }
-    }
-    // Cross-endpoint: same query shape appearing across many distinct endpoints
-    var ceQueryMap = {};
-    var ceAllEndpoints = {};
-    for (var ceReqId in queriesByReq) {
-      var ceReq = reqById[ceReqId];
-      if (!ceReq) continue;
-      var ceEndpoint = ceReq.method + ' ' + ceReq.path;
-      ceAllEndpoints[ceEndpoint] = 1;
-      var ceQueries = queriesByReq[ceReqId];
-      var ceSeenInReq = {};
-      for (var ceqi = 0; ceqi < ceQueries.length; ceqi++) {
-        var ceq = ceQueries[ceqi];
-        var ceNorm = ceq.sql ? normalizeQueryParams(ceq.sql) : null;
-        var ceShape = ceNorm || ((ceq.operation || '?') + ':' + (ceq.model || ''));
-        if (!ceQueryMap[ceShape]) ceQueryMap[ceShape] = { endpoints: {}, count: 0, first: ceq };
-        ceQueryMap[ceShape].count++;
-        if (!ceSeenInReq[ceShape]) {
-          ceSeenInReq[ceShape] = true;
-          ceQueryMap[ceShape].endpoints[ceEndpoint] = 1;
-        }
-      }
-    }
-    var ceTotalEndpoints = Object.keys(ceAllEndpoints).length;
-    if (ceTotalEndpoints >= ${CROSS_ENDPOINT_MIN_ENDPOINTS}) {
-      for (var ceShape in ceQueryMap) {
-        var cem = ceQueryMap[ceShape];
-        var ceEpCount = Object.keys(cem.endpoints).length;
-        if (cem.count < ${CROSS_ENDPOINT_MIN_OCCURRENCES}) continue;
-        if (ceEpCount < ${CROSS_ENDPOINT_MIN_ENDPOINTS}) continue;
-        var cePct = Math.round((ceEpCount / ceTotalEndpoints) * 100);
-        if (cePct < ${CROSS_ENDPOINT_PCT}) continue;
-        var ceInfo = cem.first.sql ? simplifySQL(cem.first.sql) : { op: cem.first.operation || '?', table: cem.first.model || '' };
-        var ceLabel = ceInfo.op + (ceInfo.table ? ' ' + ceInfo.table : '');
-        var ceEpList = Object.keys(cem.endpoints);
-        var ceDetailHtml = '';
-        for (var ceEpi = 0; ceEpi < ceEpList.length; ceEpi++) {
-          ceDetailHtml += '<div class="ov-detail-item">' + escHtml(ceEpList[ceEpi]) + '</div>';
-        }
-        insights.push({
-          severity: 'warning',
-          type: 'cross-endpoint',
-          title: 'Repeated Query Across Endpoints',
-          desc: '<strong>' + escHtml(ceLabel) + '</strong> runs on ' + ceEpCount + ' of ' + ceTotalEndpoints + ' endpoints (' + cePct + '%).',
-          detail: '<div class="ov-detail-label">Affected endpoints:</div>' + ceDetailHtml,
-          hint: 'This query runs on most of your endpoints. Load it once in middleware or cache the result to avoid redundant database calls.',
-          nav: 'queries'
-        });
-      }
-    }
-    // Redundant queries: exact same query (same params) fired 2+ times in one request
-    // Only checks queries with actual SQL \u2014 ORM-only queries (operation:model) can't
-    // distinguish different params, so we'd get false positives on N+1-style calls.
-    var rqSeen = {};
-    for (var rqReqId in queriesByReq) {
-      var rqReq = reqById[rqReqId];
-      if (!rqReq) continue;
-      var rqEndpoint = rqReq.method + ' ' + rqReq.path;
-      var rqQueries = queriesByReq[rqReqId];
-      var rqExact = {};
-      for (var rqi = 0; rqi < rqQueries.length; rqi++) {
-        var rqq = rqQueries[rqi];
-        if (!rqq.sql) continue;
-        var rqKey = rqq.sql;
-        if (!rqExact[rqKey]) rqExact[rqKey] = { count: 0, first: rqq };
-        rqExact[rqKey].count++;
-      }
-      for (var rqk in rqExact) {
-        var rqe = rqExact[rqk];
-        if (rqe.count < ${REDUNDANT_QUERY_MIN_COUNT}) continue;
-        var rqInfo = rqe.first.sql ? simplifySQL(rqe.first.sql) : { op: rqe.first.operation || '?', table: rqe.first.model || '' };
-        var rqLabel = rqInfo.op + (rqInfo.table ? ' ' + rqInfo.table : '');
-        var rqDedup = rqEndpoint + ':' + rqLabel;
-        if (rqSeen[rqDedup]) continue;
-        rqSeen[rqDedup] = true;
-        insights.push({
-          severity: 'warning',
-          type: 'redundant-query',
-          title: 'Redundant Query',
-          desc: '<strong>' + escHtml(rqLabel) + '</strong> runs ' + rqe.count + 'x with identical params in <strong>' + escHtml(rqEndpoint) + '</strong>.',
-          hint: 'The exact same query with identical parameters runs multiple times in one request. Cache the first result or lift the query to a shared function.',
-          nav: 'queries'
-        });
-      }
-    }
-    if (state.errors.length > 0) {
-      var errGroups = {};
-      for (var ei = 0; ei < state.errors.length; ei++) {
-        var eName = state.errors[ei].name || 'Error';
-        errGroups[eName] = (errGroups[eName] || 0) + 1;
-      }
-      for (var errName in errGroups) {
-        var cnt = errGroups[errName];
-        insights.push({
-          severity: 'critical',
-          type: 'error',
-          title: 'Unhandled Error',
-          desc: '<strong>' + escHtml(errName) + '</strong> \u2014 occurred ' + cnt + ' time' + (cnt !== 1 ? 's' : ''),
-          hint: 'Unhandled errors crash request handlers. Wrap async code in try/catch or add error-handling middleware.',
-          nav: 'errors'
-        });
-      }
-    }
-    var endpointGroups = {};
-    for (var gi = 0; gi < nonStatic.length; gi++) {
-      var r = nonStatic[gi];
-      var ep = r.method + ' ' + r.path;
-      if (!endpointGroups[ep]) endpointGroups[ep] = { total: 0, errors: 0, totalDuration: 0, queryCount: 0 };
-      endpointGroups[ep].total++;
-      if (r.statusCode >= 400) endpointGroups[ep].errors++;
-      endpointGroups[ep].totalDuration += r.durationMs;
-      endpointGroups[ep].queryCount += (queriesByReq[r.id] || []).length;
-    }
-    for (var epKey in endpointGroups) {
-      var g = endpointGroups[epKey];
-      if (g.total < ${MIN_REQUESTS_FOR_INSIGHT}) continue;
-      var errorRate = Math.round((g.errors / g.total) * 100);
-      if (errorRate >= ${ERROR_RATE_THRESHOLD_PCT}) {
-        insights.push({
-          severity: 'critical',
-          type: 'error-hotspot',
-          title: 'Error Hotspot',
-          desc: '<strong>' + escHtml(epKey) + '</strong> \u2014 ' + errorRate + '% error rate (' + g.errors + '/' + g.total + ' requests)',
-          hint: 'This endpoint frequently returns errors. Check the response bodies for error details and stack traces.',
-          nav: 'requests'
-        });
-      }
-    }
-    var dupCounts = {};
-    var flowCount = {};
-    for (var fi = 0; fi < state.flows.length; fi++) {
-      var flow = state.flows[fi];
-      if (!flow.requests) continue;
-      var seenInFlow = {};
-      for (var fri = 0; fri < flow.requests.length; fri++) {
-        var fr = flow.requests[fri];
-        if (!fr.isDuplicate) continue;
-        var dupKey = fr.method + ' ' + (fr.label || fr.path || fr.url);
-        dupCounts[dupKey] = (dupCounts[dupKey] || 0) + 1;
-        if (!seenInFlow[dupKey]) {
-          seenInFlow[dupKey] = true;
-          flowCount[dupKey] = (flowCount[dupKey] || 0) + 1;
-        }
-      }
-    }
-    var dupEntries = [];
-    for (var dk in dupCounts) dupEntries.push({ key: dk, count: dupCounts[dk], flows: flowCount[dk] || 0 });
-    dupEntries.sort(function(a, b) { return b.count - a.count; });
-    for (var di = 0; di < Math.min(dupEntries.length, 3); di++) {
-      var d = dupEntries[di];
-      insights.push({
-        severity: 'warning',
-        type: 'duplicate',
-        title: 'Duplicate API Call',
-        desc: '<strong>' + escHtml(d.key) + '</strong> loaded ' + d.count + 'x as duplicate across ' + d.flows + ' action' + (d.flows !== 1 ? 's' : ''),
-        hint: 'Multiple components independently fetch the same endpoint. Lift the fetch to a parent component, use a data cache, or deduplicate with React Query / SWR.',
-        nav: 'actions'
-      });
-    }
-    for (var sepKey in endpointGroups) {
-      var sg = endpointGroups[sepKey];
-      if (sg.total < ${MIN_REQUESTS_FOR_INSIGHT}) continue;
-      var avgMs = Math.round(sg.totalDuration / sg.total);
-      if (avgMs >= ${SLOW_ENDPOINT_THRESHOLD_MS}) {
-        insights.push({
-          severity: 'warning',
-          type: 'slow',
-          title: 'Slow Endpoint',
-          desc: '<strong>' + escHtml(sepKey) + '</strong> \u2014 avg ' + formatDuration(avgMs) + ' across ' + sg.total + ' request' + (sg.total !== 1 ? 's' : ''),
-          hint: 'Consistently slow responses hurt user experience. Check the Queries tab to see if database queries are the bottleneck.',
-          nav: 'requests'
-        });
-      }
-    }
-    for (var qhKey in endpointGroups) {
-      var qg = endpointGroups[qhKey];
-      if (qg.total < ${MIN_REQUESTS_FOR_INSIGHT}) continue;
-      var avgQueries = Math.round(qg.queryCount / qg.total);
-      if (avgQueries > ${HIGH_QUERY_COUNT_PER_REQ}) {
-        insights.push({
-          severity: 'warning',
-          type: 'query-heavy',
-          title: 'Query-Heavy Endpoint',
-          desc: '<strong>' + escHtml(qhKey) + '</strong> \u2014 avg ' + avgQueries + ' queries/request',
-          hint: 'Too many queries per request increases latency. Combine queries with JOINs, use batch operations, or reduce the number of data fetches.',
-          nav: 'queries'
-        });
-      }
-    }
-    var authCats = ${AUTH_SKIP_CATEGORIES};
-    for (var afi = 0; afi < state.flows.length; afi++) {
-      var af = state.flows[afi];
-      if (!af.requests || af.requests.length < 2) continue;
-      var afAuthMs = 0;
-      var afTotalMs = 0;
-      for (var ari = 0; ari < af.requests.length; ari++) {
-        var ar = af.requests[ari];
-        var arDur = ar.pollingDurationMs || ar.durationMs;
-        afTotalMs += arDur;
-        if (authCats[ar.category]) afAuthMs += arDur;
-      }
-      if (afTotalMs > 0 && afAuthMs > 0) {
-        var afPct = Math.round((afAuthMs / afTotalMs) * 100);
-        if (afPct >= ${AUTH_OVERHEAD_PCT}) {
-          insights.push({
-            severity: 'warning',
-            type: 'auth-overhead',
-            title: 'Auth Overhead',
-            desc: '<strong>' + escHtml(af.label) + '</strong> \\u2014 ' + afPct + '% of time (' + formatDuration(afAuthMs) + ') spent in auth/middleware',
-            hint: 'Auth checks consume a significant portion of this action. If using a third-party auth provider, check if session caching can reduce roundtrips.',
-            nav: 'actions'
-          });
-        }
-      }
-    }
-    var selectStarSeen = {};
-    for (var sqReqId in queriesByReq) {
-      var sqQueries = queriesByReq[sqReqId];
-      for (var sqi = 0; sqi < sqQueries.length; sqi++) {
-        var sq = sqQueries[sqi];
-        if (!sq.sql) continue;
-        var sqlUp = sq.sql.trim();
-        // Matches both "SELECT * FROM ..." and ORM-style "table.* FROM ..." patterns
-        var isSelectStar = /^SELECT\\s+\\*/i.test(sqlUp) || /\\.\\*\\s+FROM/i.test(sqlUp);
-        if (isSelectStar) {
-          var sqInfo = simplifySQL(sq.sql);
-          var sqKey = sqInfo.table || 'unknown';
-          if (!selectStarSeen[sqKey]) {
-            selectStarSeen[sqKey] = 0;
-          }
-          selectStarSeen[sqKey]++;
-        }
-      }
-    }
-    for (var ssKey in selectStarSeen) {
-      if (selectStarSeen[ssKey] >= ${OVERFETCH_MIN_REQUESTS}) {
-        insights.push({
-          severity: 'warning',
-          type: 'select-star',
-          title: 'SELECT * Query',
-          desc: '<strong>SELECT *</strong> on <strong>' + escHtml(ssKey) + '</strong> \\u2014 ' + selectStarSeen[ssKey] + ' occurrence' + (selectStarSeen[ssKey] !== 1 ? 's' : ''),
-          hint: 'SELECT * fetches all columns including ones you don\\u2019t need. Specify only required columns to reduce data transfer and memory usage.',
-          nav: 'queries'
-        });
-      }
-    }
-    var highRowSeen = {};
-    for (var hrReqId in queriesByReq) {
-      var hrQueries = queriesByReq[hrReqId];
-      for (var hri = 0; hri < hrQueries.length; hri++) {
-        var hq = hrQueries[hri];
-        if (hq.rowCount && hq.rowCount > ${HIGH_ROW_COUNT}) {
-          var hrInfo = hq.sql ? simplifySQL(hq.sql) : { op: hq.operation || '?', table: hq.model || '' };
-          var hrKey = hrInfo.op + ' ' + (hrInfo.table || 'unknown');
-          if (!highRowSeen[hrKey]) highRowSeen[hrKey] = { max: 0, count: 0 };
-          highRowSeen[hrKey].count++;
-          if (hq.rowCount > highRowSeen[hrKey].max) highRowSeen[hrKey].max = hq.rowCount;
-        }
-      }
-    }
-    for (var hrk in highRowSeen) {
-      var hrs = highRowSeen[hrk];
-      if (hrs.count >= ${OVERFETCH_MIN_REQUESTS}) {
-        insights.push({
-          severity: 'warning',
-          type: 'high-rows',
-          title: 'Large Result Set',
-          desc: '<strong>' + escHtml(hrk) + '</strong> returns ' + hrs.max + '+ rows (' + hrs.count + 'x)',
-          hint: 'Fetching many rows slows responses and wastes memory. Add a LIMIT clause, implement pagination, or filter with a WHERE condition.',
-          nav: 'queries'
-        });
-      }
-    }
-    for (var lrKey in endpointGroups) {
-      var lr = endpointGroups[lrKey];
-      if (lr.total < ${OVERFETCH_MIN_REQUESTS}) continue;
-      var lrTotalSize = 0;
-      for (var lri = 0; lri < nonStatic.length; lri++) {
-        var lrr = nonStatic[lri];
-        if ((lrr.method + ' ' + lrr.path) === lrKey) lrTotalSize += lrr.responseSize || 0;
-      }
-      var lrAvg = Math.round(lrTotalSize / lr.total);
-      if (lrAvg > ${LARGE_RESPONSE_BYTES}) {
-        insights.push({
-          severity: 'info',
-          type: 'large-response',
-          title: 'Large Response',
-          desc: '<strong>' + escHtml(lrKey) + '</strong> \\u2014 avg ' + formatSize(lrAvg) + ' response',
-          hint: 'Large API responses increase network transfer time. Implement pagination, field filtering, or response compression.',
-          nav: 'requests'
-        });
-      }
-    }
-    var secFindings = computeSecurityFindings();
-    for (var si = 0; si < secFindings.length; si++) {
-      insights.push(secFindings[si]);
-    }
-    var severityOrder = { critical: 0, warning: 1, info: 2 };
-    insights.sort(function(a, b) {
-      return (severityOrder[a.severity] || 2) - (severityOrder[b.severity] || 2);
-    });
-    return insights;
-  }
-  `;
-}
 // src/dashboard/client/views/overview/render.ts
 function getOverviewRender() {
   return `
@@ -3908,7 +3497,7 @@ function getOverviewRender() {
       '<div class="ov-stat"><span class="ov-stat-value">' + state.fetches.length + '</span><span class="ov-stat-label">Fetches</span></div>';
     container.appendChild(summary);
-    var insights = computeInsights();
+    var insights = state.insights || [];
     if (insights.length === 0) {
       var clear = document.createElement('div');
@@ -3985,275 +3574,7 @@ function getOverviewRender() {
 // src/dashboard/client/views/overview/index.ts
 function getOverviewView() {
-  return getOverviewInsights() + getOverviewRender();
-}
-// src/dashboard/client/rules/patterns.ts
-function getSecurityPatterns() {
-  return `
-  /** Response JSON keys that indicate secrets (password, api_key, etc.) */
-  var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-  /** URL query params that are auth tokens and should be in headers instead */
-  var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-  /** Framework-specific query params safe to appear in URLs (Clerk, OAuth, UTM) */
-  var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-  /** Node.js stack trace signature \u2014 presence in response body means stack trace leak */
-  var STACK_TRACE_RE = /at\\s+.+\\(.+:\\d+:\\d+\\)|at\\s+Module\\._compile|at\\s+Object\\.<anonymous>|at\\s+processTicksAndRejections/;
-  /** Database connection string pattern */
-  var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\\/\\//;
-  /** Raw SQL fragment leak in response body */
-  var SQL_FRAGMENT_RE = /\\b(SELECT\\s+[\\w.*]+\\s+FROM|INSERT\\s+INTO|UPDATE\\s+\\w+\\s+SET|DELETE\\s+FROM)\\b/i;
-  /** Secret value assignment pattern in response body */
-  var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\\s*[:=]\\s*["']?[A-Za-z0-9_\\-\\.\\+\\/]{8,}/;
-  /** Secret value in console log output */
-  var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\\s*[:=]\\s*["']?[A-Za-z0-9_\\-\\.\\+\\/]{8,}/i;
-  var RULE_HINTS = {
-    'exposed-secret': 'Never include secret fields in API responses. Strip sensitive fields before returning.',
-    'token-in-url': 'Pass tokens in the Authorization header, not URL query parameters.',
-    'stack-trace-leak': 'Use a custom error handler that returns generic messages in production.',
-    'error-info-leak': 'Sanitize error responses. Return generic messages instead of internal details.',
-    'sensitive-logs': 'Redact PII before logging. Never log passwords or tokens.',
-    'cors-credentials': 'Cannot use credentials:true with origin:*. Specify explicit origins.',
-    'insecure-cookie': 'Set HttpOnly and SameSite flags on all cookies.'
-  };
-  `;
-}
-// src/dashboard/client/rules/helpers.ts
-function getSecurityHelpers() {
-  return `
-  function tryParseJson(body) {
-    if (!body) return null;
-    try { return JSON.parse(body); } catch(e) { return null; }
-  }
-  var MASKED_RE = /^\\*+$|\\[REDACTED\\]|\\[FILTERED\\]|CHANGE_ME|^x{3,}$/i;
-  function findSecretKeys(obj, prefix) {
-    var found = [];
-    if (!obj || typeof obj !== 'object') return found;
-    if (Array.isArray(obj)) {
-      for (var ai = 0; ai < Math.min(obj.length, 5); ai++) {
-        found = found.concat(findSecretKeys(obj[ai], prefix));
-      }
-      return found;
-    }
-    for (var k in obj) {
-      if (SECRET_KEYS.test(k) && obj[k] && typeof obj[k] === 'string' && obj[k].length >= 8 && !MASKED_RE.test(obj[k])) {
-        found.push(k);
-      }
-      if (typeof obj[k] === 'object' && obj[k] !== null) {
-        found = found.concat(findSecretKeys(obj[k], prefix + k + '.'));
-      }
-    }
-    return found;
-  }
-  `;
-}
-// src/dashboard/client/rules/critical.ts
-function getCriticalRules() {
-  return `
-  function ruleExposedSecret(requests, findings) {
-    var seen = {};
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      if (r.statusCode >= 400) continue;
-      var parsed = tryParseJson(r.responseBody);
-      if (!parsed) continue;
-      var keys = findSecretKeys(parsed, '');
-      if (keys.length === 0) continue;
-      var ep = r.method + ' ' + r.path;
-      var key = ep + ':' + keys.sort().join(',');
-      if (seen[key]) { seen[key].count++; continue; }
-      seen[key] = {
-        severity: 'critical', type: 'security', rule: 'exposed-secret',
-        title: 'Exposed Secret in Response',
-        desc: '<strong>' + escHtml(ep) + '</strong> \u2014 response contains <strong>' + escHtml(keys.join(', ')) + '</strong> field' + (keys.length > 1 ? 's' : ''),
-        nav: 'security', hint: RULE_HINTS['exposed-secret'], endpoint: ep, count: 1
-      };
-      findings.push(seen[key]);
-    }
-  }
-  function ruleTokenInUrl(requests, findings) {
-    var seen = {};
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      var qIdx = r.url.indexOf('?');
-      if (qIdx === -1) continue;
-      var params = r.url.substring(qIdx + 1).split('&');
-      var flagged = [];
-      for (var pi = 0; pi < params.length; pi++) {
-        var parts = params[pi].split('=');
-        var name = parts[0];
-        var val = parts.slice(1).join('=');
-        if (SAFE_PARAMS.test(name)) continue;
-        if (TOKEN_PARAMS.test(name) && val && val.length > 0) {
-          flagged.push(name);
-        }
-      }
-      if (flagged.length === 0) continue;
-      var ep = r.method + ' ' + r.path;
-      var key = ep + ':' + flagged.sort().join(',');
-      if (seen[key]) { seen[key].count++; continue; }
-      seen[key] = {
-        severity: 'critical', type: 'security', rule: 'token-in-url',
-        title: 'Auth Token in URL',
-        desc: '<strong>' + escHtml(ep) + '</strong> \u2014 <strong>' + escHtml(flagged.join(', ')) + '</strong> exposed in query string',
-        nav: 'security', hint: RULE_HINTS['token-in-url'], endpoint: ep, count: 1
-      };
-      findings.push(seen[key]);
-    }
-  }
-  function ruleStackTraceLeak(requests, findings) {
-    var seen = {};
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      var ep = r.method + ' ' + r.path;
-      if (seen[ep]) { seen[ep].count++; continue; }
-      seen[ep] = {
-        severity: 'critical', type: 'security', rule: 'stack-trace-leak',
-        title: 'Stack Trace Leaked to Client',
-        desc: '<strong>' + escHtml(ep) + '</strong> \u2014 response exposes internal stack trace',
-        nav: 'security', hint: RULE_HINTS['stack-trace-leak'], endpoint: ep, count: 1
-      };
-      findings.push(seen[ep]);
-    }
-  }
-  function ruleErrorInfoLeak(requests, findings) {
-    var seen = {};
-    var criticalPatterns = [
-      { re: DB_CONN_RE, label: 'database connection string' },
-      { re: SQL_FRAGMENT_RE, label: 'SQL query fragment' },
-      { re: SECRET_VAL_RE, label: 'secret value' }
-    ];
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders && (r.responseHeaders['x-nextjs-error'] || r.responseHeaders['x-nextjs-matched-path'])) continue;
-      var ep = r.method + ' ' + r.path;
-      for (var pi = 0; pi < criticalPatterns.length; pi++) {
-        var p = criticalPatterns[pi];
-        if (!p.re.test(r.responseBody)) continue;
-        var key = ep + ':' + p.label;
-        if (seen[key]) { seen[key].count++; continue; }
-        seen[key] = {
-          severity: 'critical', type: 'security', rule: 'error-info-leak',
-          title: 'Sensitive Data in Error Response',
-          desc: '<strong>' + escHtml(ep) + '</strong> \u2014 error response exposes <strong>' + p.label + '</strong>',
-          nav: 'security', hint: RULE_HINTS['error-info-leak'], endpoint: ep, count: 1
-        };
-        findings.push(seen[key]);
-      }
-    }
-  }
-  function ruleInsecureCookie(requests, findings) {
-    var seen = {};
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      if (!r.responseHeaders) continue;
-      var setCookie = r.responseHeaders['set-cookie'];
-      if (!setCookie) continue;
-      var cookies = setCookie.split(/,(?=\\s*[A-Za-z0-9_\\-]+=)/);
-      for (var ci = 0; ci < cookies.length; ci++) {
-        var cookie = cookies[ci].trim();
-        var cookieName = cookie.split('=')[0].trim();
-        var lower = cookie.toLowerCase();
-        var issues = [];
-        if (lower.indexOf('httponly') === -1) issues.push('HttpOnly');
-        if (lower.indexOf('samesite') === -1) issues.push('SameSite');
-        if (issues.length === 0) continue;
-        var key = cookieName + ':' + issues.join(',');
-        if (seen[key]) { seen[key].count++; continue; }
-        seen[key] = {
-          severity: 'warning', type: 'security', rule: 'insecure-cookie',
-          title: 'Insecure Cookie',
-          desc: '<strong>' + escHtml(cookieName) + '</strong> \u2014 missing <strong>' + issues.join(', ') + '</strong> flag' + (issues.length > 1 ? 's' : ''),
-          nav: 'security', hint: RULE_HINTS['insecure-cookie'], endpoint: cookieName, count: 1
-        };
-        findings.push(seen[key]);
-      }
-    }
-  }
-  `;
-}
-// src/dashboard/client/rules/warnings.ts
-function getWarningRules() {
-  return `
-  function ruleSensitiveLogs(findings) {
-    var count = 0;
-    for (var i = 0; i < state.logs.length; i++) {
-      var msg = state.logs[i].message;
-      if (!msg) continue;
-      if (msg.indexOf('[brakit]') === 0) continue;
-      if (LOG_SECRET_RE.test(msg)) count++;
-    }
-    if (count > 0) {
-      findings.push({
-        severity: 'warning', type: 'security', rule: 'sensitive-logs',
-        title: 'Sensitive Data in Logs',
-        desc: 'Console output contains <strong>secret/token values</strong> \u2014 ' + count + ' occurrence' + (count !== 1 ? 's' : ''),
-        nav: 'security', hint: RULE_HINTS['sensitive-logs'], endpoint: 'console', count: count
-      });
-    }
-  }
-  function ruleCorsCredentials(requests, findings) {
-    var seen = {};
-    for (var i = 0; i < requests.length; i++) {
-      var r = requests[i];
-      if (!r.responseHeaders) continue;
-      var origin = r.responseHeaders['access-control-allow-origin'];
-      var creds = r.responseHeaders['access-control-allow-credentials'];
-      if (origin !== '*' || creds !== 'true') continue;
-      var ep = r.method + ' ' + r.path;
-      if (seen[ep]) continue;
-      seen[ep] = true;
-      findings.push({
-        severity: 'warning', type: 'security', rule: 'cors-credentials',
-        title: 'CORS Credentials with Wildcard',
-        desc: '<strong>' + escHtml(ep) + '</strong> \u2014 credentials:true with origin:* (browser will reject)',
-        nav: 'security', hint: RULE_HINTS['cors-credentials'], endpoint: ep, count: 1
-      });
-    }
-  }
-  `;
-}
-// src/dashboard/client/rules/engine.ts
-function getSecurityEngine() {
-  return `
-  function computeSecurityFindings() {
-    var findings = [];
-    var nonDashboard = state.requests.filter(function(r) {
-      return !r.isStatic && (!r.path || r.path.indexOf('${DASHBOARD_PREFIX}') !== 0);
-    });
-    ruleExposedSecret(nonDashboard, findings);
-    ruleTokenInUrl(nonDashboard, findings);
-    ruleStackTraceLeak(nonDashboard, findings);
-    ruleErrorInfoLeak(nonDashboard, findings);
-    ruleSensitiveLogs(findings);
-    ruleCorsCredentials(nonDashboard, findings);
-    ruleInsecureCookie(nonDashboard, findings);
-    return findings;
-  }
-  `;
-}
-// src/dashboard/client/rules/index.ts
-function getSecurityRules() {
-  return getSecurityPatterns() + getSecurityHelpers() + getCriticalRules() + getWarningRules() + getSecurityEngine();
+  return getOverviewRender();
 }
 // src/dashboard/client/views/security.ts
@@ -4264,7 +3585,7 @@ function getSecurityView() {
     if (!container) return;
     container.innerHTML = '';
-    var findings = computeSecurityFindings();
+    var findings = state.findings || [];
     if (findings.length === 0) {
       var hasData = state.requests.length > 0 || state.logs.length > 0 || state.queries.length > 0;
@@ -4379,6 +3700,18 @@ function getApp() {
     await Promise.all([loadFetches(), loadErrors(), loadLogs(), loadQueries(), loadMetrics()]);
+    try {
+      var res3 = await fetch('${DASHBOARD_API_INSIGHTS}');
+      var data3 = await res3.json();
+      state.insights = data3.insights || [];
+    } catch(e) { console.warn('[brakit]', e); }
+    try {
+      var res4 = await fetch('${DASHBOARD_API_SECURITY}');
+      var data4 = await res4.json();
+      state.findings = data4.findings || [];
+    } catch(e) { console.warn('[brakit]', e); }
     updateStats();
     renderOverview();
@@ -4435,6 +3768,18 @@ function getApp() {
       updateStats();
       if (q.parentRequestId) { invalidateTimelineCache(q.parentRequestId); refreshVisibleTimeline(q.parentRequestId); }
     });
+    events.addEventListener('insights', function(e) {
+      state.insights = JSON.parse(e.data);
+      if (state.activeView === 'overview') renderOverview();
+      updateStats();
+    });
+    events.addEventListener('security', function(e) {
+      state.findings = JSON.parse(e.data);
+      if (state.activeView === 'security') renderSecurity();
+      updateStats();
+    });
   }
   async function reloadFlows() {
@@ -4444,7 +3789,6 @@ function getApp() {
       state.flows = data.flows;
       renderFlows();
       updateStats();
-      renderOverview();
     } catch(e) { console.warn('[brakit]', e); }
   }
@@ -4463,6 +3807,7 @@ function getApp() {
       sidebarItems.forEach(function(i) { i.classList.remove('active'); });
       item.classList.add('active');
       state.activeView = view;
+      fetch('${DASHBOARD_API_TAB}?tab=' + encodeURIComponent(view)).catch(function(){});
       document.getElementById('header-title').textContent = VIEW_TITLES[view] || view;
       document.getElementById('header-sub').textContent = VIEW_SUBTITLES[view] || '';
       document.getElementById('mode-toggle').style.display = view === 'actions' ? 'flex' : 'none';
@@ -4508,9 +3853,9 @@ function getApp() {
     if (queryCount) queryCount.textContent = state.queries.length;
     var secCount = document.getElementById('sidebar-count-security');
     if (secCount) {
-      var secFindings = computeSecurityFindings();
-      secCount.textContent = secFindings.length;
-      secCount.style.display = secFindings.length > 0 ? '' : 'none';
+      var numFindings = (state.findings || []).length;
+      secCount.textContent = numFindings;
+      secCount.style.display = numFindings > 0 ? '' : 'none';
     }
   }
@@ -4528,6 +3873,7 @@ function getApp() {
     if (!confirm('This will clear all data including performance metrics history. Continue?')) return;
     await fetch('${DASHBOARD_API_CLEAR}', {method: 'POST'});
     state.flows = []; state.requests = []; state.fetches = []; state.errors = []; state.logs = []; state.queries = [];
+    state.insights = []; state.findings = [];
     graphData = []; selectedEndpoint = ${ALL_ENDPOINTS_SELECTOR}; timelineCache = {};
     renderFlows(); renderRequests(); renderFetches(); renderErrors(); renderLogs(); renderQueries(); renderGraph(); renderOverview(); renderSecurity(); updateStats();
     showToast('Cleared');
@@ -4542,7 +3888,7 @@ function getClientScript(config) {
   return `
 (function(){
   var PORT = ${config.proxyPort};
-  var state = { flows: [], requests: [], fetches: [], errors: [], logs: [], queries: [], viewMode: 'simple', activeView: 'overview' };
+  var state = { flows: [], requests: [], fetches: [], errors: [], logs: [], queries: [], insights: [], findings: [], viewMode: 'simple', activeView: 'overview' };
   var appEl = document.getElementById('app');
   var flowListEl = document.getElementById('flow-list');
@@ -4561,7 +3907,6 @@ function getClientScript(config) {
   ${getQueriesView()}
   ${getTimelineView()}
   ${getGraphView()}
-  ${getSecurityRules()}
   ${getOverviewView()}
   ${getSecurityView()}
   ${getApp()}
@@ -4586,6 +3931,155 @@ ${getLayoutHtml(config)}
 </html>`;
 }
+// src/telemetry/index.ts
+import { platform, release, arch } from "os";
+// src/telemetry/config.ts
+import { homedir } from "os";
+import { join } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { randomUUID as randomUUID5 } from "crypto";
+var CONFIG_DIR = join(homedir(), ".brakit");
+var CONFIG_PATH = join(CONFIG_DIR, "config.json");
+function readConfig() {
+  try {
+    if (!existsSync3(CONFIG_PATH)) return null;
+    return JSON.parse(readFileSync3(CONFIG_PATH, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeConfig(config) {
+  try {
+    if (!existsSync3(CONFIG_DIR)) mkdirSync3(CONFIG_DIR, { recursive: true });
+    writeFileSync3(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n");
+  } catch {
+  }
+}
+function getOrCreateConfig() {
+  const existing = readConfig();
+  if (existing && typeof existing.telemetry === "boolean" && existing.anonymousId) {
+    return existing;
+  }
+  const config = { telemetry: true, anonymousId: randomUUID5() };
+  writeConfig(config);
+  return config;
+}
+function isTelemetryEnabled() {
+  const env = process.env.BRAKIT_TELEMETRY;
+  if (env !== void 0) return env !== "false" && env !== "0" && env !== "off";
+  return readConfig()?.telemetry ?? true;
+}
+function setTelemetryEnabled(enabled) {
+  const config = getOrCreateConfig();
+  config.telemetry = enabled;
+  writeConfig(config);
+}
+// src/telemetry/index.ts
+var POSTHOG_HOST = "https://app.posthog.com";
+var POSTHOG_KEY = "phc_gH8aQFZ2Fn8db9LEdgomOvymLiP6mm6FPTYXffQceR8";
+var startTime = 0;
+var sessionFramework = "";
+var sessionPackageManager = "";
+var sessionIsCustomCommand = false;
+var sessionAdapters = [];
+var requestCount = 0;
+var insightTypes = /* @__PURE__ */ new Set();
+var rulesTriggered = /* @__PURE__ */ new Set();
+var tabsViewed = /* @__PURE__ */ new Set();
+var dashboardOpened = false;
+var explainUsed = false;
+function initSession(framework, packageManager, isCustomCommand, adapters) {
+  startTime = Date.now();
+  sessionFramework = framework;
+  sessionPackageManager = packageManager;
+  sessionIsCustomCommand = isCustomCommand;
+  sessionAdapters = adapters;
+}
+function recordRequestCount(count) {
+  requestCount = count;
+}
+function recordInsightTypes(types) {
+  for (const t of types) insightTypes.add(t);
+}
+function recordRulesTriggered(rules) {
+  for (const r of rules) rulesTriggered.add(r);
+}
+function recordTabViewed(tab) {
+  tabsViewed.add(tab);
+}
+function recordDashboardOpened() {
+  dashboardOpened = true;
+}
+function speedBucket(ms) {
+  if (ms === 0) return "none";
+  if (ms < 200) return "<200ms";
+  if (ms < 500) return "200-500ms";
+  if (ms < 1e3) return "500-1000ms";
+  if (ms < 2e3) return "1000-2000ms";
+  if (ms < 5e3) return "2000-5000ms";
+  return ">5000ms";
+}
+function trackSession(metricsStore, analysisEngine) {
+  if (!isTelemetryEnabled()) return;
+  const isFirstSession = readConfig() === null;
+  const config = getOrCreateConfig();
+  const live = metricsStore.getLiveEndpoints();
+  const insights = analysisEngine.getInsights();
+  const findings = analysisEngine.getFindings();
+  let totalRequests = 0;
+  let totalDuration = 0;
+  let slowestP95 = 0;
+  for (const ep of live) {
+    totalRequests += ep.summary.totalRequests;
+    totalDuration += ep.summary.p95Ms * ep.summary.totalRequests;
+    if (ep.summary.p95Ms > slowestP95) slowestP95 = ep.summary.p95Ms;
+  }
+  const payload = {
+    api_key: POSTHOG_KEY,
+    event: "session",
+    distinct_id: config.anonymousId,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    properties: {
+      brakit_version: VERSION,
+      node_version: process.version,
+      os: `${platform()}-${release()}`,
+      arch: arch(),
+      framework: sessionFramework,
+      package_manager: sessionPackageManager,
+      is_custom_command: sessionIsCustomCommand,
+      first_session: isFirstSession,
+      adapters_detected: sessionAdapters,
+      request_count: requestCount,
+      error_count: defaultErrorStore.getAll().length,
+      query_count: defaultQueryStore.getAll().length,
+      fetch_count: defaultFetchStore.getAll().length,
+      insight_count: insights.length,
+      finding_count: findings.length,
+      insight_types: [...insightTypes],
+      rules_triggered: [...rulesTriggered],
+      endpoint_count: live.length,
+      avg_duration_ms: totalRequests > 0 ? Math.round(totalDuration / totalRequests) : 0,
+      slowest_endpoint_bucket: speedBucket(slowestP95),
+      tabs_viewed: [...tabsViewed],
+      dashboard_opened: dashboardOpened,
+      explain_used: explainUsed,
+      session_duration_s: Math.round((Date.now() - startTime) / 1e3),
+      $lib: "brakit",
+      $ip: null,
+      $geoip_disable: true
+    }
+  };
+  fetch(`${POSTHOG_HOST}/capture`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(5e3)
+  }).catch(() => {
+  });
+}
 // src/dashboard/router.ts
 function isDashboardRequest(url) {
   return url === DASHBOARD_PREFIX || url.startsWith(DASHBOARD_PREFIX + "/");
@@ -4593,7 +4087,7 @@ function isDashboardRequest(url) {
 function createDashboardHandler(deps) {
   const routes = {
     [DASHBOARD_API_REQUESTS]: handleApiRequests,
-    [DASHBOARD_API_EVENTS]: handleSSE,
+    [DASHBOARD_API_EVENTS]: createSSEHandler(deps.analysisEngine),
     [DASHBOARD_API_FLOWS]: handleApiFlows,
     [DASHBOARD_API_CLEAR]: createClearHandler(deps.metricsStore),
     [DASHBOARD_API_LOGS]: handleApiLogs,
@@ -4609,6 +4103,12 @@ function createDashboardHandler(deps) {
     routes[DASHBOARD_API_INSIGHTS] = createInsightsHandler(deps.analysisEngine);
     routes[DASHBOARD_API_SECURITY] = createSecurityHandler(deps.analysisEngine);
   }
+  routes[DASHBOARD_API_TAB] = (req, res) => {
+    const tab = (req.url ?? "").split("tab=")[1];
+    if (tab && isTelemetryEnabled()) recordTabViewed(decodeURIComponent(tab));
+    res.writeHead(204);
+    res.end();
+  };
   return (req, res, config) => {
     const path = (req.url ?? "/").split("?")[0];
     const handler = routes[path];
@@ -4616,6 +4116,7 @@ function createDashboardHandler(deps) {
       handler(req, res);
       return;
     }
+    if (isTelemetryEnabled()) recordDashboardOpened();
     res.writeHead(200, {
       "content-type": "text/html; charset=utf-8",
       "cache-control": "no-cache"
@@ -4641,7 +4142,7 @@ function createProxyServer(config, handleDashboard) {
 // src/detect/project.ts
 import { readFile as readFile2 } from "fs/promises";
-import { join } from "path";
+import { join as join2 } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -4650,7 +4151,7 @@ var FRAMEWORKS = [
   { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
 ];
 async function detectProject(rootDir) {
-  const pkgPath = join(rootDir, "package.json");
+  const pkgPath = join2(rootDir, "package.json");
   const raw = await readFile2(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
@@ -4662,7 +4163,7 @@ async function detectProject(rootDir) {
     if (allDeps[f.dep]) {
       framework = f.name;
       devCommand = f.devCmd;
-      devBin = join(rootDir, "node_modules", ".bin", f.bin);
+      devBin = join2(rootDir, "node_modules", ".bin", f.bin);
       defaultPort = f.defaultPort;
       break;
     }
@@ -4671,11 +4172,11 @@ async function detectProject(rootDir) {
   return { framework, devCommand, devBin, defaultPort, packageManager };
 }
 async function detectPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
@@ -4689,6 +4190,9 @@ var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+S
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
 var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
+var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
+var INTERNAL_ID_SUFFIX = /Id$|_id$/;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -4696,7 +4200,8 @@ var RULE_HINTS = {
   "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
   "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
   "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies."
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
+  "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 // src/analysis/rules/exposed-secret.ts
@@ -4890,6 +4395,12 @@ var errorInfoLeakRule = {
 };
 // src/analysis/rules/insecure-cookie.ts
+function isFrameworkResponse(r) {
+  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (r.path?.startsWith("/__")) return true;
+  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
 var insecureCookieRule = {
   id: "insecure-cookie",
   severity: "warning",
@@ -4900,6 +4411,7 @@ var insecureCookieRule = {
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
       if (!r.responseHeaders) continue;
+      if (isFrameworkResponse(r)) continue;
       const setCookie = r.responseHeaders["set-cookie"];
       if (!setCookie) continue;
       const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
@@ -4990,6 +4502,157 @@ var corsCredentialsRule = {
   }
 };
+// src/analysis/rules/response-pii-leak.ts
+var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
+var FULL_RECORD_MIN_FIELDS = 5;
+var LIST_PII_MIN_ITEMS = 2;
+function tryParseJson2(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function findEmails(obj) {
+  const emails = [];
+  if (!obj || typeof obj !== "object") return emails;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, 10); i++) {
+      emails.push(...findEmails(obj[i]));
+    }
+    return emails;
+  }
+  for (const v of Object.values(obj)) {
+    if (typeof v === "string" && EMAIL_RE.test(v)) {
+      emails.push(v);
+    } else if (typeof v === "object" && v !== null) {
+      emails.push(...findEmails(v));
+    }
+  }
+  return emails;
+}
+function topLevelFieldCount(obj) {
+  if (Array.isArray(obj)) {
+    return obj.length > 0 ? topLevelFieldCount(obj[0]) : 0;
+  }
+  if (obj && typeof obj === "object") return Object.keys(obj).length;
+  return 0;
+}
+function hasInternalIds(obj) {
+  if (!obj || typeof obj !== "object" || Array.isArray(obj)) return false;
+  for (const key of Object.keys(obj)) {
+    if (INTERNAL_ID_KEYS.test(key) || INTERNAL_ID_SUFFIX.test(key)) return true;
+  }
+  return false;
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= 3 ? best : parsed;
+}
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
+    const reqEmails = findEmails(reqBody);
+    if (reqEmails.length > 0) {
+      const resEmails = findEmails(target);
+      const echoed = reqEmails.filter((e) => resEmails.includes(e));
+      if (echoed.length > 0) {
+        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+          return { reason: "echo", emailCount: echoed.length };
+        }
+      }
+    }
+  }
+  if (target && typeof target === "object" && !Array.isArray(target)) {
+    const fields = topLevelFieldCount(target);
+    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
+      const emails = findEmails(target);
+      if (emails.length > 0) {
+        return { reason: "full-record", emailCount: emails.length };
+      }
+    }
+  }
+  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
+    let itemsWithEmail = 0;
+    for (let i = 0; i < Math.min(target.length, 10); i++) {
+      const item = target[i];
+      if (item && typeof item === "object") {
+        const emails = findEmails(item);
+        if (emails.length > 0) itemsWithEmail++;
+      }
+    }
+    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
+      const first = target[0];
+      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+        return { reason: "list-pii", emailCount: itemsWithEmail };
+      }
+    }
+  }
+  return null;
+}
+var REASON_LABELS = {
+  echo: "echoes back PII from the request body",
+  "full-record": "returns a full record with email and internal IDs",
+  "list-pii": "returns a list of records containing email addresses"
+};
+var responsePiiLeakRule = {
+  id: "response-pii-leak",
+  severity: "warning",
+  name: "PII Leak in Response",
+  hint: RULE_HINTS["response-pii-leak"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (r.statusCode >= 400) continue;
+      const resJson = tryParseJson2(r.responseBody);
+      if (!resJson) continue;
+      const reqJson = tryParseJson2(r.requestBody);
+      const detection = detectPII(r.method, reqJson, resJson);
+      if (!detection) continue;
+      const ep = `${r.method} ${r.path}`;
+      const dedupKey = `${ep}:${detection.reason}`;
+      const existing = seen.get(dedupKey);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "warning",
+        rule: "response-pii-leak",
+        title: "PII Leak in Response",
+        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(dedupKey, finding);
+      findings.push(finding);
+    }
+    return findings;
+  }
+};
 // src/analysis/rules/scanner.ts
 var SecurityScanner = class {
   rules = [];
@@ -5019,6 +4682,7 @@ function createDefaultScanner() {
   scanner.register(insecureCookieRule);
   scanner.register(sensitiveLogsRule);
   scanner.register(corsCredentialsRule);
+  scanner.register(responsePiiLeakRule);
   return scanner;
 }
@@ -5055,7 +4719,6 @@ function normalizeQueryParams(sql) {
 }
 // src/analysis/insights.ts
-var AUTH_CATEGORIES = /* @__PURE__ */ new Set(["auth-handshake", "auth-check", "middleware"]);
 function getQueryShape(q) {
   if (q.sql) return normalizeQueryParams(q.sql) ?? "";
   return `${q.operation ?? q.normalizedOp ?? "?"}:${q.model ?? q.table ?? ""}`;
@@ -5297,29 +4960,6 @@ function computeInsights(ctx) {
       });
     }
   }
-  for (const flow of ctx.flows) {
-    if (!flow.requests || flow.requests.length < 2) continue;
-    let authMs = 0;
-    let totalMs = 0;
-    for (const r of flow.requests) {
-      const dur = r.pollingDurationMs ?? r.durationMs;
-      totalMs += dur;
-      if (AUTH_CATEGORIES.has(r.category ?? "")) authMs += dur;
-    }
-    if (totalMs > 0 && authMs > 0) {
-      const pct = Math.round(authMs / totalMs * 100);
-      if (pct >= AUTH_OVERHEAD_PCT) {
-        insights.push({
-          severity: "warning",
-          type: "auth-overhead",
-          title: "Auth Overhead",
-          desc: `${flow.label} \u2014 ${pct}% of time (${formatDuration(authMs)}) spent in auth/middleware`,
-          hint: "Auth checks consume a significant portion of this action. If using a third-party auth provider, check if session caching can reduce roundtrips.",
-          nav: "actions"
-        });
-      }
-    }
-  }
   const selectStarSeen = /* @__PURE__ */ new Map();
   for (const [, reqQueries] of queriesByReq) {
     for (const q of reqQueries) {
@@ -5368,6 +5008,69 @@ function computeInsights(ctx) {
       nav: "queries"
     });
   }
+  const overfetchSeen = /* @__PURE__ */ new Set();
+  for (const r of nonStatic) {
+    if (r.statusCode >= 400 || !r.responseBody) continue;
+    const ep = `${r.method} ${r.path}`;
+    if (overfetchSeen.has(ep)) continue;
+    let parsed;
+    try {
+      parsed = JSON.parse(r.responseBody);
+    } catch {
+      continue;
+    }
+    let target = parsed;
+    if (target && typeof target === "object" && !Array.isArray(target)) {
+      const topKeys = Object.keys(target);
+      if (topKeys.length <= 3) {
+        let best = null;
+        let bestSize = 0;
+        for (const k of topKeys) {
+          const val = target[k];
+          if (Array.isArray(val) && val.length > bestSize) {
+            best = val;
+            bestSize = val.length;
+          } else if (val && typeof val === "object" && !Array.isArray(val)) {
+            const size = Object.keys(val).length;
+            if (size > bestSize) {
+              best = val;
+              bestSize = size;
+            }
+          }
+        }
+        if (best && bestSize >= 3) target = best;
+      }
+    }
+    const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+    if (!inspectObj || typeof inspectObj !== "object" || Array.isArray(inspectObj)) continue;
+    const fields = Object.keys(inspectObj);
+    if (fields.length < OVERFETCH_MIN_FIELDS) continue;
+    let internalIdCount = 0;
+    let nullCount = 0;
+    for (const key of fields) {
+      if (INTERNAL_ID_SUFFIX.test(key) || key === "id" || key === "_id") internalIdCount++;
+      const val = inspectObj[key];
+      if (val === null || val === void 0) nullCount++;
+    }
+    const nullRatio = nullCount / fields.length;
+    const reasons = [];
+    if (internalIdCount >= OVERFETCH_MIN_INTERNAL_IDS) reasons.push(`${internalIdCount} internal ID fields`);
+    if (nullRatio >= OVERFETCH_NULL_RATIO) reasons.push(`${Math.round(nullRatio * 100)}% null fields`);
+    if (fields.length >= OVERFETCH_MIN_FIELDS && reasons.length === 0 && fields.length >= 12) {
+      reasons.push(`${fields.length} fields returned`);
+    }
+    if (reasons.length > 0) {
+      overfetchSeen.add(ep);
+      insights.push({
+        severity: "info",
+        type: "response-overfetch",
+        title: "Response Overfetch",
+        desc: `${ep} \u2014 ${reasons.join(", ")}`,
+        hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure.",
+        nav: "requests"
+      });
+    }
+  }
   for (const [ep, g] of endpointGroups) {
     if (g.total < OVERFETCH_MIN_REQUESTS) continue;
     const avgSize = Math.round(g.totalSize / g.total);
@@ -5478,7 +5181,7 @@ var AnalysisEngine = class {
 };
 // src/index.ts
-var VERSION = "0.6.0";
+var VERSION = "0.6.2";
 // src/lifecycle/startup.ts
 import pc2 from "picocolors";
@@ -5500,6 +5203,53 @@ function printBanner(proxyPort, targetPort) {
   );
   console.log();
 }
+function severityIcon(severity) {
+  if (severity === "critical") return pc.red("\u2717");
+  if (severity === "warning") return pc.yellow("\u26A0");
+  return pc.dim("\u25CB");
+}
+function colorTitle(severity, text) {
+  if (severity === "critical") return pc.red(pc.bold(text));
+  if (severity === "warning") return pc.yellow(pc.bold(text));
+  return pc.dim(text);
+}
+function truncate(s, max = 80) {
+  return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
+}
+function formatConsoleLine(insight, dashboardUrl, suffix) {
+  const icon = severityIcon(insight.severity);
+  const title = colorTitle(insight.severity, insight.title);
+  const desc = pc.dim(truncate(insight.desc) + (suffix ?? ""));
+  const link = pc.dim(`\u2192  ${dashboardUrl}`);
+  return `  ${icon} ${title} \u2014 ${desc}  ${link}`;
+}
+function createConsoleInsightListener(proxyPort, metricsStore) {
+  const printedKeys = /* @__PURE__ */ new Set();
+  const dashUrl = `localhost:${proxyPort}${DASHBOARD_PREFIX}`;
+  return (insights) => {
+    const lines = [];
+    for (const insight of insights) {
+      if (insight.severity === "info") continue;
+      const endpoint = insight.desc.match(/^(\S+\s+\S+)/)?.[1] ?? insight.desc;
+      const key = `${insight.type}:${endpoint}`;
+      if (printedKeys.has(key)) continue;
+      printedKeys.add(key);
+      let suffix;
+      if (insight.type === "slow") {
+        const ep = metricsStore.getAll().find((e) => e.endpoint === endpoint);
+        if (ep && ep.sessions.length > 1) {
+          const prev = ep.sessions[ep.sessions.length - 2];
+          suffix = ` (\u2191 from ${prev.p95DurationMs < 1e3 ? prev.p95DurationMs + "ms" : (prev.p95DurationMs / 1e3).toFixed(1) + "s"})`;
+        }
+      }
+      lines.push(formatConsoleLine(insight, dashUrl, suffix));
+    }
+    if (lines.length > 0) {
+      console.log();
+      for (const line of lines) console.log(line);
+    }
+  };
+}
 // src/process/spawn.ts
 import { spawn } from "child_process";
@@ -5546,9 +5296,44 @@ function spawnCustomCommand(command, targetPort, proxyPort, cwd) {
   });
 }
+// src/process/port.ts
+import { createServer as createServer2 } from "net";
+function isPortFree(port) {
+  return new Promise((resolve5) => {
+    const server = createServer2();
+    server.once("error", () => resolve5(false));
+    server.once("listening", () => {
+      server.close(() => resolve5(true));
+    });
+    server.listen(port);
+  });
+}
+async function findFreePortPair(startPort, maxAttempts = 10) {
+  for (let i = 0; i < maxAttempts; i++) {
+    const port = startPort + i;
+    const proxyFree = await isPortFree(port);
+    if (!proxyFree) continue;
+    const targetFree = await isPortFree(port + 1);
+    if (!targetFree) continue;
+    return port;
+  }
+  throw new Error(`Could not find a free port pair starting from ${startPort}`);
+}
 // src/lifecycle/startup.ts
 async function startBrakit(opts) {
-  const { rootDir, proxyPort, showStatic, customCommand } = opts;
+  const { rootDir, showStatic, customCommand } = opts;
+  let proxyPort;
+  try {
+    proxyPort = await findFreePortPair(opts.proxyPort);
+  } catch {
+    console.error(pc2.red(`
+  Could not find a free port starting from ${opts.proxyPort}.`));
+    process.exit(1);
+  }
+  if (proxyPort !== opts.proxyPort) {
+    console.log(pc2.yellow(`  Port ${opts.proxyPort} is in use, using ${proxyPort} instead.`));
+  }
   const targetPort = proxyPort + 1;
   let project;
   if (customCommand) {
@@ -5584,25 +5369,33 @@ async function startBrakit(opts) {
   metricsStore.start();
   const analysisEngine = new AnalysisEngine();
   analysisEngine.start();
+  analysisEngine.onUpdate(createConsoleInsightListener(proxyPort, metricsStore));
+  if (isTelemetryEnabled()) {
+    initSession(project.framework, project.packageManager, !!customCommand, []);
+    analysisEngine.onUpdate((insights, findings) => {
+      recordInsightTypes(insights.map((i) => i.type));
+      recordRulesTriggered(findings.map((f) => f.rule));
+    });
+  }
   const handleDashboard = createDashboardHandler({ metricsStore, analysisEngine });
   console.log(pc2.dim(`  Starting ${project.devCommand} on port ${targetPort}...`));
   const devProcess = customCommand ? spawnCustomCommand(customCommand, targetPort, proxyPort, rootDir) : spawnDevServer(project.devBin, targetPort, proxyPort, rootDir);
   const proxy = createProxyServer(config, handleDashboard);
   proxy.on("error", (err) => {
-    if (err.code === "EADDRINUSE") {
-      console.error(pc2.red(`
-  Port ${proxyPort} is already in use.`));
-      console.error(pc2.dim(`  Try: npx brakit --port ${proxyPort + 2}`));
-      devProcess.kill("SIGTERM");
-      process.exit(1);
-    }
+    devProcess.kill("SIGTERM");
+    console.error(pc2.red(`
+  Proxy failed to start: ${err.message}`));
+    process.exit(1);
   });
   proxy.listen(proxyPort, () => {
     printBanner(proxyPort, targetPort);
   });
+  let reqCount = 0;
   onRequest((req) => {
     const queryCount = defaultQueryStore.getByRequest(req.id).length;
     metricsStore.recordRequest(req, queryCount);
+    reqCount++;
+    recordRequestCount(reqCount);
   });
   return { proxy, devProcess, metricsStore, analysisEngine, config, project };
 }
@@ -5615,6 +5408,7 @@ function createShutdownHandler(instance) {
     if (shuttingDown) return;
     shuttingDown = true;
     console.log(pc3.dim("\n  Shutting down..."));
+    trackSession(instance.metricsStore, instance.analysisEngine);
     instance.analysisEngine.stop();
     instance.metricsStore.stop();
     instance.proxy.close();
@@ -5675,5 +5469,54 @@ var dev_default = defineCommand({
   }
 });
+// src/cli/commands/telemetry.ts
+import { defineCommand as defineCommand2 } from "citty";
+import pc5 from "picocolors";
+var telemetry_default = defineCommand2({
+  meta: {
+    name: "telemetry",
+    description: "Manage anonymous telemetry settings"
+  },
+  args: {
+    action: {
+      type: "positional",
+      description: "on | off | status",
+      required: false
+    }
+  },
+  run({ args }) {
+    const action = args.action?.toLowerCase();
+    if (action === "on") {
+      setTelemetryEnabled(true);
+      console.log(pc5.green("  Telemetry enabled."));
+      return;
+    }
+    if (action === "off") {
+      setTelemetryEnabled(false);
+      console.log(pc5.yellow("  Telemetry disabled. No data will be collected."));
+      return;
+    }
+    const enabled = isTelemetryEnabled();
+    console.log();
+    console.log(`  ${pc5.bold("Telemetry")}: ${enabled ? pc5.green("enabled") : pc5.yellow("disabled")}`);
+    console.log();
+    console.log(pc5.dim("  brakit collects anonymous usage data to improve the tool."));
+    console.log(pc5.dim("  No URLs, queries, bodies, or source code are ever sent."));
+    console.log();
+    console.log(pc5.dim("  Opt out:     ") + pc5.bold("brakit telemetry off"));
+    console.log(pc5.dim("  Opt in:      ") + pc5.bold("brakit telemetry on"));
+    console.log(pc5.dim("  Env override: BRAKIT_TELEMETRY=false"));
+    console.log();
+  }
+});
 // bin/brakit.ts
-runMain(dev_default);
+if (process.argv[2] === "telemetry") {
+  process.argv.splice(2, 1);
+  runMain(telemetry_default);
+} else {
+  if (process.argv[2] === "dev") {
+    process.argv.splice(2, 1);
+  }
+  runMain(dev_default);
+}