brakit 0.6.0 → 0.6.2

package/dist/index.d.ts

@@ -142,7 +142,7 @@ declare class SecurityScanner {
 declare function createDefaultScanner(): SecurityScanner;
 
 type InsightSeverity = "critical" | "warning" | "info";
-type InsightType = "n1" | "cross-endpoint" | "redundant-query" | "error" | "error-hotspot" | "duplicate" | "slow" | "query-heavy" | "auth-overhead" | "select-star" | "high-rows" | "large-response" | "security";
+type InsightType = "n1" | "cross-endpoint" | "redundant-query" | "error" | "error-hotspot" | "duplicate" | "slow" | "query-heavy" | "select-star" | "high-rows" | "large-response" | "response-overfetch" | "security";
 interface Insight {
     severity: InsightSeverity;
     type: InsightType;

package/dist/index.js

@@ -24,7 +24,6 @@ var ERROR_RATE_THRESHOLD_PCT = 20;
 var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
 var MIN_REQUESTS_FOR_INSIGHT = 2;
 var HIGH_QUERY_COUNT_PER_REQ = 5;
-var AUTH_OVERHEAD_PCT = 30;
 var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
 var CROSS_ENDPOINT_PCT = 50;
 var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
@@ -32,6 +31,9 @@ var REDUNDANT_QUERY_MIN_COUNT = 2;
 var LARGE_RESPONSE_BYTES = 51200;
 var HIGH_ROW_COUNT = 100;
 var OVERFETCH_MIN_REQUESTS = 2;
+var OVERFETCH_MIN_FIELDS = 8;
+var OVERFETCH_MIN_INTERNAL_IDS = 2;
+var OVERFETCH_NULL_RATIO = 0.3;
 
 // src/constants/headers.ts
 var BRAKIT_REQUEST_ID_HEADER = "x-brakit-request-id";
@@ -699,6 +701,17 @@ var HEALTH_GRADES = `[
   { max: Infinity, label: 'Critical', color: 'var(--red)', bg: 'rgba(220,38,38,0.08)', border: 'rgba(220,38,38,0.2)' }
 ]`;
 
+// src/telemetry/index.ts
+import { platform, release, arch } from "os";
+
+// src/telemetry/config.ts
+import { homedir } from "os";
+import { join } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { randomUUID as randomUUID5 } from "crypto";
+var CONFIG_DIR = join(homedir(), ".brakit");
+var CONFIG_PATH = join(CONFIG_DIR, "config.json");
+
 // src/dashboard/router.ts
 function isDashboardRequest(url) {
   return url === DASHBOARD_PREFIX || url.startsWith(DASHBOARD_PREFIX + "/");
@@ -721,7 +734,7 @@ function createProxyServer(config, handleDashboard) {
 
 // src/detect/project.ts
 import { readFile as readFile2 } from "fs/promises";
-import { join } from "path";
+import { join as join2 } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -730,7 +743,7 @@ var FRAMEWORKS = [
   { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
 ];
 async function detectProject(rootDir) {
-  const pkgPath = join(rootDir, "package.json");
+  const pkgPath = join2(rootDir, "package.json");
   const raw = await readFile2(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
@@ -742,7 +755,7 @@ async function detectProject(rootDir) {
     if (allDeps[f.dep]) {
       framework = f.name;
       devCommand = f.devCmd;
-      devBin = join(rootDir, "node_modules", ".bin", f.bin);
+      devBin = join2(rootDir, "node_modules", ".bin", f.bin);
       defaultPort = f.defaultPort;
       break;
     }
@@ -751,11 +764,11 @@ async function detectProject(rootDir) {
   return { framework, devCommand, devBin, defaultPort, packageManager };
 }
 async function detectPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 
@@ -801,6 +814,9 @@ var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+S
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
 var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
+var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
+var INTERNAL_ID_SUFFIX = /Id$|_id$/;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -808,7 +824,8 @@ var RULE_HINTS = {
   "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
   "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
   "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies."
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
+  "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 
 // src/analysis/rules/exposed-secret.ts
@@ -1002,6 +1019,12 @@ var errorInfoLeakRule = {
 };
 
 // src/analysis/rules/insecure-cookie.ts
+function isFrameworkResponse(r) {
+  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (r.path?.startsWith("/__")) return true;
+  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
 var insecureCookieRule = {
   id: "insecure-cookie",
   severity: "warning",
@@ -1012,6 +1035,7 @@ var insecureCookieRule = {
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
       if (!r.responseHeaders) continue;
+      if (isFrameworkResponse(r)) continue;
       const setCookie = r.responseHeaders["set-cookie"];
       if (!setCookie) continue;
       const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
@@ -1102,6 +1126,157 @@ var corsCredentialsRule = {
   }
 };
 
+// src/analysis/rules/response-pii-leak.ts
+var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
+var FULL_RECORD_MIN_FIELDS = 5;
+var LIST_PII_MIN_ITEMS = 2;
+function tryParseJson2(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function findEmails(obj) {
+  const emails = [];
+  if (!obj || typeof obj !== "object") return emails;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, 10); i++) {
+      emails.push(...findEmails(obj[i]));
+    }
+    return emails;
+  }
+  for (const v of Object.values(obj)) {
+    if (typeof v === "string" && EMAIL_RE.test(v)) {
+      emails.push(v);
+    } else if (typeof v === "object" && v !== null) {
+      emails.push(...findEmails(v));
+    }
+  }
+  return emails;
+}
+function topLevelFieldCount(obj) {
+  if (Array.isArray(obj)) {
+    return obj.length > 0 ? topLevelFieldCount(obj[0]) : 0;
+  }
+  if (obj && typeof obj === "object") return Object.keys(obj).length;
+  return 0;
+}
+function hasInternalIds(obj) {
+  if (!obj || typeof obj !== "object" || Array.isArray(obj)) return false;
+  for (const key of Object.keys(obj)) {
+    if (INTERNAL_ID_KEYS.test(key) || INTERNAL_ID_SUFFIX.test(key)) return true;
+  }
+  return false;
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= 3 ? best : parsed;
+}
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
+    const reqEmails = findEmails(reqBody);
+    if (reqEmails.length > 0) {
+      const resEmails = findEmails(target);
+      const echoed = reqEmails.filter((e) => resEmails.includes(e));
+      if (echoed.length > 0) {
+        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+          return { reason: "echo", emailCount: echoed.length };
+        }
+      }
+    }
+  }
+  if (target && typeof target === "object" && !Array.isArray(target)) {
+    const fields = topLevelFieldCount(target);
+    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
+      const emails = findEmails(target);
+      if (emails.length > 0) {
+        return { reason: "full-record", emailCount: emails.length };
+      }
+    }
+  }
+  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
+    let itemsWithEmail = 0;
+    for (let i = 0; i < Math.min(target.length, 10); i++) {
+      const item = target[i];
+      if (item && typeof item === "object") {
+        const emails = findEmails(item);
+        if (emails.length > 0) itemsWithEmail++;
+      }
+    }
+    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
+      const first = target[0];
+      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+        return { reason: "list-pii", emailCount: itemsWithEmail };
+      }
+    }
+  }
+  return null;
+}
+var REASON_LABELS = {
+  echo: "echoes back PII from the request body",
+  "full-record": "returns a full record with email and internal IDs",
+  "list-pii": "returns a list of records containing email addresses"
+};
+var responsePiiLeakRule = {
+  id: "response-pii-leak",
+  severity: "warning",
+  name: "PII Leak in Response",
+  hint: RULE_HINTS["response-pii-leak"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (r.statusCode >= 400) continue;
+      const resJson = tryParseJson2(r.responseBody);
+      if (!resJson) continue;
+      const reqJson = tryParseJson2(r.requestBody);
+      const detection = detectPII(r.method, reqJson, resJson);
+      if (!detection) continue;
+      const ep = `${r.method} ${r.path}`;
+      const dedupKey = `${ep}:${detection.reason}`;
+      const existing = seen.get(dedupKey);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "warning",
+        rule: "response-pii-leak",
+        title: "PII Leak in Response",
+        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(dedupKey, finding);
+      findings.push(finding);
+    }
+    return findings;
+  }
+};
+
 // src/analysis/rules/scanner.ts
 var SecurityScanner = class {
   rules = [];
@@ -1131,6 +1306,7 @@ function createDefaultScanner() {
   scanner.register(insecureCookieRule);
   scanner.register(sensitiveLogsRule);
   scanner.register(corsCredentialsRule);
+  scanner.register(responsePiiLeakRule);
   return scanner;
 }
 
@@ -1167,7 +1343,6 @@ function normalizeQueryParams(sql) {
 }
 
 // src/analysis/insights.ts
-var AUTH_CATEGORIES = /* @__PURE__ */ new Set(["auth-handshake", "auth-check", "middleware"]);
 function getQueryShape(q) {
   if (q.sql) return normalizeQueryParams(q.sql) ?? "";
   return `${q.operation ?? q.normalizedOp ?? "?"}:${q.model ?? q.table ?? ""}`;
@@ -1409,29 +1584,6 @@ function computeInsights(ctx) {
       });
     }
   }
-  for (const flow of ctx.flows) {
-    if (!flow.requests || flow.requests.length < 2) continue;
-    let authMs = 0;
-    let totalMs = 0;
-    for (const r of flow.requests) {
-      const dur = r.pollingDurationMs ?? r.durationMs;
-      totalMs += dur;
-      if (AUTH_CATEGORIES.has(r.category ?? "")) authMs += dur;
-    }
-    if (totalMs > 0 && authMs > 0) {
-      const pct = Math.round(authMs / totalMs * 100);
-      if (pct >= AUTH_OVERHEAD_PCT) {
-        insights.push({
-          severity: "warning",
-          type: "auth-overhead",
-          title: "Auth Overhead",
-          desc: `${flow.label} \u2014 ${pct}% of time (${formatDuration(authMs)}) spent in auth/middleware`,
-          hint: "Auth checks consume a significant portion of this action. If using a third-party auth provider, check if session caching can reduce roundtrips.",
-          nav: "actions"
-        });
-      }
-    }
-  }
   const selectStarSeen = /* @__PURE__ */ new Map();
   for (const [, reqQueries] of queriesByReq) {
     for (const q of reqQueries) {
@@ -1480,6 +1632,69 @@ function computeInsights(ctx) {
       nav: "queries"
     });
   }
+  const overfetchSeen = /* @__PURE__ */ new Set();
+  for (const r of nonStatic) {
+    if (r.statusCode >= 400 || !r.responseBody) continue;
+    const ep = `${r.method} ${r.path}`;
+    if (overfetchSeen.has(ep)) continue;
+    let parsed;
+    try {
+      parsed = JSON.parse(r.responseBody);
+    } catch {
+      continue;
+    }
+    let target = parsed;
+    if (target && typeof target === "object" && !Array.isArray(target)) {
+      const topKeys = Object.keys(target);
+      if (topKeys.length <= 3) {
+        let best = null;
+        let bestSize = 0;
+        for (const k of topKeys) {
+          const val = target[k];
+          if (Array.isArray(val) && val.length > bestSize) {
+            best = val;
+            bestSize = val.length;
+          } else if (val && typeof val === "object" && !Array.isArray(val)) {
+            const size = Object.keys(val).length;
+            if (size > bestSize) {
+              best = val;
+              bestSize = size;
+            }
+          }
+        }
+        if (best && bestSize >= 3) target = best;
+      }
+    }
+    const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+    if (!inspectObj || typeof inspectObj !== "object" || Array.isArray(inspectObj)) continue;
+    const fields = Object.keys(inspectObj);
+    if (fields.length < OVERFETCH_MIN_FIELDS) continue;
+    let internalIdCount = 0;
+    let nullCount = 0;
+    for (const key of fields) {
+      if (INTERNAL_ID_SUFFIX.test(key) || key === "id" || key === "_id") internalIdCount++;
+      const val = inspectObj[key];
+      if (val === null || val === void 0) nullCount++;
+    }
+    const nullRatio = nullCount / fields.length;
+    const reasons = [];
+    if (internalIdCount >= OVERFETCH_MIN_INTERNAL_IDS) reasons.push(`${internalIdCount} internal ID fields`);
+    if (nullRatio >= OVERFETCH_NULL_RATIO) reasons.push(`${Math.round(nullRatio * 100)}% null fields`);
+    if (fields.length >= OVERFETCH_MIN_FIELDS && reasons.length === 0 && fields.length >= 12) {
+      reasons.push(`${fields.length} fields returned`);
+    }
+    if (reasons.length > 0) {
+      overfetchSeen.add(ep);
+      insights.push({
+        severity: "info",
+        type: "response-overfetch",
+        title: "Response Overfetch",
+        desc: `${ep} \u2014 ${reasons.join(", ")}`,
+        hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure.",
+        nav: "requests"
+      });
+    }
+  }
   for (const [ep, g] of endpointGroups) {
     if (g.total < OVERFETCH_MIN_REQUESTS) continue;
     const avgSize = Math.round(g.totalSize / g.total);
@@ -1590,7 +1805,7 @@ var AnalysisEngine = class {
 };
 
 // src/index.ts
-var VERSION = "0.6.0";
+var VERSION = "0.6.2";
 export {
   AdapterRegistry,
   AnalysisEngine,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brakit",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "See what your API is really doing. Security scanning, N+1 detection, duplicate calls, DB queries — one command, zero config.",
   "type": "module",
   "bin": {