npm - brakit - Versions diffs - 0.6.2 → 0.7.0 - Mend

brakit 0.6.2 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +2 -2
package/dist/{index.d.ts → api.d.ts} +1 -6
package/dist/{index.js → api.js} +962 -1150
package/dist/bin/brakit.js +437 -4940
package/dist/runtime/index.js +6490 -0
package/package.json +8 -7
package/dist/instrument/preload.js +0 -739
/package/dist/{instrument/preload.d.ts → runtime/index.d.ts} +0 -0

package/dist/{index.js → api.js} RENAMED Viewed

@@ -1,614 +1,711 @@
-// src/proxy/server.ts
-import { createServer } from "http";
-// src/proxy/handler.ts
-import {
-  request as httpRequest
-} from "http";
-import { randomUUID } from "crypto";
-// src/constants/routes.ts
-var DASHBOARD_PREFIX = "/__brakit";
-// src/constants/limits.ts
-var MAX_REQUEST_ENTRIES = 1e3;
-var MAX_TELEMETRY_ENTRIES = 1e3;
-// src/constants/thresholds.ts
-var FLOW_GAP_MS = 5e3;
-var SLOW_REQUEST_THRESHOLD_MS = 2e3;
-var MIN_POLLING_SEQUENCE = 3;
-var ENDPOINT_TRUNCATE_LENGTH = 12;
-var N1_QUERY_THRESHOLD = 5;
-var ERROR_RATE_THRESHOLD_PCT = 20;
-var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
-var MIN_REQUESTS_FOR_INSIGHT = 2;
-var HIGH_QUERY_COUNT_PER_REQ = 5;
-var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
-var CROSS_ENDPOINT_PCT = 50;
-var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
-var REDUNDANT_QUERY_MIN_COUNT = 2;
-var LARGE_RESPONSE_BYTES = 51200;
-var HIGH_ROW_COUNT = 100;
-var OVERFETCH_MIN_REQUESTS = 2;
-var OVERFETCH_MIN_FIELDS = 8;
-var OVERFETCH_MIN_INTERNAL_IDS = 2;
-var OVERFETCH_NULL_RATIO = 0.3;
-// src/constants/headers.ts
-var BRAKIT_REQUEST_ID_HEADER = "x-brakit-request-id";
+// src/detect/project.ts
+import { readFile as readFile2 } from "fs/promises";
+import { join } from "path";
-// src/proxy/static-patterns.ts
-var STATIC_PATTERNS = [
-  /^\/_next\//,
-  /\.(?:js|css|map|ico|png|jpg|jpeg|gif|svg|webp|woff2?|ttf|eot)$/,
-  /^\/favicon/,
-  /^\/__nextjs/
-];
-function isStaticPath(urlPath) {
-  return STATIC_PATTERNS.some((p) => p.test(urlPath));
+// src/utils/fs.ts
+import { access } from "fs/promises";
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { resolve } from "path";
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
 }
-// src/store/request-store.ts
-function flattenHeaders(headers) {
-  const flat = {};
-  for (const [key, value] of Object.entries(headers)) {
-    if (value === void 0) continue;
-    flat[key] = Array.isArray(value) ? value.join(", ") : value;
+// src/detect/project.ts
+var FRAMEWORKS = [
+  { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
+  { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
+  { name: "nuxt", dep: "nuxt", devCmd: "nuxt dev", bin: "nuxt", defaultPort: 3e3, devArgs: ["dev", "--port"] },
+  { name: "vite", dep: "vite", devCmd: "vite", bin: "vite", defaultPort: 5173, devArgs: ["--port"] },
+  { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
+];
+async function detectProject(rootDir) {
+  const pkgPath = join(rootDir, "package.json");
+  const raw = await readFile2(pkgPath, "utf-8");
+  const pkg = JSON.parse(raw);
+  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+  let framework = "unknown";
+  let devCommand = "";
+  let devBin = "";
+  let defaultPort = 3e3;
+  for (const f of FRAMEWORKS) {
+    if (allDeps[f.dep]) {
+      framework = f.name;
+      devCommand = f.devCmd;
+      devBin = join(rootDir, "node_modules", ".bin", f.bin);
+      defaultPort = f.defaultPort;
+      break;
+    }
   }
-  return flat;
+  const packageManager = await detectPackageManager(rootDir);
+  return { framework, devCommand, devBin, defaultPort, packageManager };
 }
-var RequestStore = class {
-  constructor(maxEntries = MAX_REQUEST_ENTRIES) {
-    this.maxEntries = maxEntries;
+async function detectPackageManager(rootDir) {
+  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  return "unknown";
+}
+// src/instrument/adapter-registry.ts
+var AdapterRegistry = class {
+  adapters = [];
+  active = [];
+  register(adapter) {
+    this.adapters.push(adapter);
   }
-  requests = [];
-  listeners = [];
-  capture(input) {
-    const url = input.url;
-    const path = url.split("?")[0];
-    let requestBodyStr = null;
-    if (input.requestBody && input.requestBody.length > 0) {
-      requestBodyStr = input.requestBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
-    }
-    let responseBodyStr = null;
-    if (input.responseBody && input.responseBody.length > 0) {
-      const ct = input.responseContentType;
-      if (ct.includes("json") || ct.includes("text") || ct.includes("html")) {
-        responseBodyStr = input.responseBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
+  patchAll(emit) {
+    for (const adapter of this.adapters) {
+      try {
+        if (adapter.detect()) {
+          adapter.patch(emit);
+          this.active.push(adapter);
+        }
+      } catch {
       }
     }
-    const entry = {
-      id: input.requestId,
-      method: input.method,
-      url,
-      path,
-      headers: flattenHeaders(input.requestHeaders),
-      requestBody: requestBodyStr,
-      statusCode: input.statusCode,
-      responseHeaders: flattenHeaders(input.responseHeaders),
-      responseBody: responseBodyStr,
-      startedAt: input.startTime,
-      durationMs: Math.round(performance.now() - input.startTime),
-      responseSize: input.responseBody?.length ?? 0,
-      isStatic: isStaticPath(path)
-    };
-    this.requests.push(entry);
-    if (this.requests.length > this.maxEntries) {
-      this.requests.shift();
-    }
-    for (const fn of this.listeners) {
-      fn(entry);
-    }
-    return entry;
   }
-  getAll() {
-    return this.requests;
-  }
-  clear() {
-    this.requests.length = 0;
-  }
-  onRequest(fn) {
-    this.listeners.push(fn);
+  unpatchAll() {
+    for (const adapter of this.active) {
+      try {
+        adapter.unpatch?.();
+      } catch {
+      }
+    }
+    this.active = [];
   }
-  offRequest(fn) {
-    const idx = this.listeners.indexOf(fn);
-    if (idx !== -1) this.listeners.splice(idx, 1);
+  getActive() {
+    return this.active;
   }
 };
-// src/proxy/request-log.ts
-var defaultStore = new RequestStore();
-var captureRequest = (input) => defaultStore.capture(input);
-var getRequests = () => defaultStore.getAll();
-var onRequest = (fn) => defaultStore.onRequest(fn);
-var offRequest = (fn) => defaultStore.offRequest(fn);
+// src/analysis/rules/patterns.ts
+var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
+var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
+var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
+var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
+var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
+var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
+var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
+var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
+var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
+var INTERNAL_ID_SUFFIX = /Id$|_id$/;
+var RULE_HINTS = {
+  "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
+  "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
+  "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
+  "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
+  "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
+  "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
+  "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
+};
-// src/proxy/handler.ts
-function proxyRequest(clientReq, clientRes, config) {
-  const startTime = performance.now();
-  const method = clientReq.method ?? "GET";
-  const requestId = randomUUID();
-  const shouldCaptureBody = method !== "GET" && method !== "HEAD";
-  const bodyChunks = [];
-  let bodySize = 0;
-  if (shouldCaptureBody) {
-    clientReq.on("data", (chunk) => {
-      if (bodySize < config.maxBodyCapture) {
-        bodyChunks.push(chunk);
-        bodySize += chunk.length;
-      }
-    });
+// src/analysis/rules/exposed-secret.ts
+function tryParseJson(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
   }
-  const proxyHeaders = { ...clientReq.headers };
-  proxyHeaders["accept-encoding"] = "identity";
-  proxyHeaders[BRAKIT_REQUEST_ID_HEADER] = requestId;
-  const proxyReq = httpRequest(
-    {
-      hostname: "127.0.0.1",
-      port: config.targetPort,
-      path: clientReq.url,
-      method,
-      headers: proxyHeaders
-    },
-    (proxyRes) => {
-      handleProxyResponse(
-        clientReq,
-        clientRes,
-        proxyRes,
-        startTime,
-        shouldCaptureBody ? bodyChunks : [],
-        config,
-        requestId
-      );
-    }
-  );
-  proxyReq.on("error", (err) => {
-    if (clientRes.headersSent) return;
-    const code = err.code;
-    if (code === "ECONNREFUSED" || code === "ECONNRESET") {
-      clientRes.writeHead(502, { "content-type": "text/html" });
-      clientRes.end(
-        `<html><body style="font-family:system-ui;padding:40px;text-align:center"><h2>brakit</h2><p>Waiting for dev server on port ${config.targetPort}...</p><script>setTimeout(()=>location.reload(),2000)</script></body></html>`
-      );
-    } else {
-      clientRes.writeHead(502, { "content-type": "text/plain" });
-      clientRes.end(`brakit proxy error: ${err.message}
-`);
-    }
-  });
-  clientReq.pipe(proxyReq);
 }
-function handleProxyResponse(clientReq, clientRes, proxyRes, startTime, bodyChunks, config, requestId) {
-  const responseChunks = [];
-  let responseSize = 0;
-  clientRes.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
-  proxyRes.on("data", (chunk) => {
-    clientRes.write(chunk);
-    if (responseSize < config.maxBodyCapture) {
-      responseChunks.push(chunk);
-      responseSize += chunk.length;
+function findSecretKeys(obj, prefix) {
+  const found = [];
+  if (!obj || typeof obj !== "object") return found;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, 5); i++) {
+      found.push(...findSecretKeys(obj[i], prefix));
     }
-  });
-  proxyRes.on("end", () => {
-    clientRes.end();
-    const requestBody = bodyChunks.length > 0 ? Buffer.concat(bodyChunks) : null;
-    const responseBody = responseChunks.length > 0 ? Buffer.concat(responseChunks) : null;
-    captureRequest({
-      requestId,
-      method: clientReq.method ?? "GET",
-      url: clientReq.url ?? "/",
-      requestHeaders: clientReq.headers,
-      requestBody,
-      statusCode: proxyRes.statusCode ?? 0,
-      responseHeaders: proxyRes.headers,
-      responseBody,
-      responseContentType: proxyRes.headers["content-type"] ?? "",
-      startTime,
-      config
-    });
-  });
-  proxyRes.on("error", () => {
-    clientRes.end();
-  });
-}
-// src/proxy/websocket.ts
-import {
-  request as httpRequest2
-} from "http";
-function handleUpgrade(req, clientSocket, head, targetPort) {
-  const targetReq = httpRequest2({
-    hostname: "127.0.0.1",
-    port: targetPort,
-    path: req.url,
-    method: req.method,
-    headers: req.headers
-  });
-  targetReq.on("upgrade", (_targetRes, targetSocket, targetHead) => {
-    const statusLine = `HTTP/1.1 101 Switching Protocols`;
-    const headerLines = [statusLine];
-    if (_targetRes.headers) {
-      for (const [key, value] of Object.entries(_targetRes.headers)) {
-        if (value === void 0) continue;
-        const vals = Array.isArray(value) ? value : [value];
-        for (const v of vals) {
-          headerLines.push(`${key}: ${v}`);
-        }
-      }
+    return found;
+  }
+  for (const k of Object.keys(obj)) {
+    const val = obj[k];
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+      found.push(k);
     }
-    headerLines.push("", "");
-    clientSocket.write(headerLines.join("\r\n"));
-    if (targetHead.length > 0) {
-      clientSocket.write(targetHead);
+    if (typeof val === "object" && val !== null) {
+      found.push(...findSecretKeys(val, prefix + k + "."));
     }
-    targetSocket.pipe(clientSocket);
-    clientSocket.pipe(targetSocket);
-    targetSocket.on("error", () => clientSocket.destroy());
-    clientSocket.on("error", () => targetSocket.destroy());
-  });
-  targetReq.on("error", () => {
-    clientSocket.destroy();
-  });
-  targetReq.write(head);
-  targetReq.end();
-}
-// src/analysis/group.ts
-import { randomUUID as randomUUID2 } from "crypto";
-// src/analysis/categorize.ts
-function detectCategory(req) {
-  const { method, url, statusCode, responseHeaders } = req;
-  if (req.isStatic) return "static";
-  if (statusCode === 307 && (url.includes("__clerk_handshake") || url.includes("__clerk_db_jwt"))) {
-    return "auth-handshake";
-  }
-  const effectivePath = getEffectivePath(req);
-  if (/^\/api\/auth/i.test(effectivePath) || /^\/(api\/)?clerk/i.test(effectivePath)) {
-    return "auth-check";
-  }
-  if (method === "POST" && !effectivePath.startsWith("/api/")) {
-    return "server-action";
-  }
-  if (effectivePath.startsWith("/api/") && method !== "GET" && method !== "HEAD") {
-    return "api-call";
   }
-  if (effectivePath.startsWith("/api/") && method === "GET") {
-    return "data-fetch";
-  }
-  if (url.includes("_rsc=")) {
-    return "navigation";
-  }
-  if (responseHeaders["x-middleware-rewrite"]) {
-    return "middleware";
-  }
-  if (method === "GET") {
-    const ct = responseHeaders["content-type"] ?? "";
-    if (ct.includes("text/html")) return "page-load";
-  }
-  return "unknown";
+  return found;
 }
-function getEffectivePath(req) {
-  const rewrite = req.responseHeaders["x-middleware-rewrite"];
-  if (!rewrite) return req.path;
-  try {
-    const url = new URL(rewrite, "http://localhost");
-    return url.pathname;
-  } catch {
-    return rewrite.startsWith("/") ? rewrite : req.path;
+var exposedSecretRule = {
+  id: "exposed-secret",
+  severity: "critical",
+  name: "Exposed Secret in Response",
+  hint: RULE_HINTS["exposed-secret"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (r.statusCode >= 400) continue;
+      const parsed = tryParseJson(r.responseBody);
+      if (!parsed) continue;
+      const keys = findSecretKeys(parsed, "");
+      if (keys.length === 0) continue;
+      const ep = `${r.method} ${r.path}`;
+      const dedupKey = `${ep}:${keys.sort().join(",")}`;
+      const existing = seen.get(dedupKey);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "critical",
+        rule: "exposed-secret",
+        title: "Exposed Secret in Response",
+        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(dedupKey, finding);
+      findings.push(finding);
+    }
+    return findings;
   }
-}
+};
-// src/analysis/label.ts
-function extractSourcePage(req) {
-  const referer = req.headers["referer"] ?? req.headers["Referer"];
-  if (!referer) return void 0;
-  try {
-    const url = new URL(referer);
-    return url.pathname;
-  } catch {
-    return void 0;
+// src/analysis/rules/token-in-url.ts
+var tokenInUrlRule = {
+  id: "token-in-url",
+  severity: "critical",
+  name: "Auth Token in URL",
+  hint: RULE_HINTS["token-in-url"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      const qIdx = r.url.indexOf("?");
+      if (qIdx === -1) continue;
+      const params = r.url.substring(qIdx + 1).split("&");
+      const flagged = [];
+      for (const param of params) {
+        const [name, ...rest] = param.split("=");
+        const val = rest.join("=");
+        if (SAFE_PARAMS.test(name)) continue;
+        if (TOKEN_PARAMS.test(name) && val && val.length > 0) {
+          flagged.push(name);
+        }
+      }
+      if (flagged.length === 0) continue;
+      const ep = `${r.method} ${r.path}`;
+      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
+      const existing = seen.get(dedupKey);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "critical",
+        rule: "token-in-url",
+        title: "Auth Token in URL",
+        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(dedupKey, finding);
+      findings.push(finding);
+    }
+    return findings;
   }
-}
-function labelRequest(req) {
-  const category = detectCategory(req);
-  const label = generateHumanLabel(req, category);
-  const sourcePage = extractSourcePage(req);
-  return { ...req, category, label, sourcePage };
-}
-function generateHumanLabel(req, category) {
-  const effectivePath = getEffectivePath(req);
-  const endpointName = getEndpointName(effectivePath);
-  const failed = req.statusCode >= 400;
-  switch (category) {
-    case "auth-handshake":
-      return "Auth handshake";
-    case "auth-check":
-      return failed ? "Auth check failed" : "Checked auth";
-    case "middleware": {
-      const rewritePath = effectivePath !== req.path ? effectivePath : "";
-      return rewritePath ? `Redirected to ${rewritePath}` : "Middleware";
+};
+// src/analysis/rules/stack-trace-leak.ts
+var stackTraceLeakRule = {
+  id: "stack-trace-leak",
+  severity: "critical",
+  name: "Stack Trace Leaked to Client",
+  hint: RULE_HINTS["stack-trace-leak"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (!r.responseBody) continue;
+      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
+      const ep = `${r.method} ${r.path}`;
+      const existing = seen.get(ep);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "critical",
+        rule: "stack-trace-leak",
+        title: "Stack Trace Leaked to Client",
+        desc: `${ep} \u2014 response exposes internal stack trace`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(ep, finding);
+      findings.push(finding);
     }
-    case "server-action": {
-      const name = prettifyEndpoint(req.path);
-      return failed ? `${name} failed` : name;
+    return findings;
+  }
+};
+// src/analysis/rules/error-info-leak.ts
+var CRITICAL_PATTERNS = [
+  { re: DB_CONN_RE, label: "database connection string" },
+  { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
+  { re: SECRET_VAL_RE, label: "secret value" }
+];
+var errorInfoLeakRule = {
+  id: "error-info-leak",
+  severity: "critical",
+  name: "Sensitive Data in Error Response",
+  hint: RULE_HINTS["error-info-leak"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (r.statusCode < 400) continue;
+      if (!r.responseBody) continue;
+      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
+      const ep = `${r.method} ${r.path}`;
+      for (const p of CRITICAL_PATTERNS) {
+        if (!p.re.test(r.responseBody)) continue;
+        const dedupKey = `${ep}:${p.label}`;
+        const existing = seen.get(dedupKey);
+        if (existing) {
+          existing.count++;
+          continue;
+        }
+        const finding = {
+          severity: "critical",
+          rule: "error-info-leak",
+          title: "Sensitive Data in Error Response",
+          desc: `${ep} \u2014 error response exposes ${p.label}`,
+          hint: this.hint,
+          endpoint: ep,
+          count: 1
+        };
+        seen.set(dedupKey, finding);
+        findings.push(finding);
+      }
     }
-    case "api-call": {
-      const action = deriveActionVerb(req.method, endpointName);
-      const name = prettifyEndpoint(endpointName);
-      if (failed) return `${action} ${name} failed`;
-      return `${action} ${name}`;
+    return findings;
+  }
+};
+// src/analysis/rules/insecure-cookie.ts
+function isFrameworkResponse(r) {
+  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (r.path?.startsWith("/__")) return true;
+  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  severity: "warning",
+  name: "Insecure Cookie",
+  hint: RULE_HINTS["insecure-cookie"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (!r.responseHeaders) continue;
+      if (isFrameworkResponse(r)) continue;
+      const setCookie = r.responseHeaders["set-cookie"];
+      if (!setCookie) continue;
+      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
+      for (const cookie of cookies) {
+        const cookieName = cookie.trim().split("=")[0].trim();
+        const lower = cookie.toLowerCase();
+        const issues = [];
+        if (!lower.includes("httponly")) issues.push("HttpOnly");
+        if (!lower.includes("samesite")) issues.push("SameSite");
+        if (issues.length === 0) continue;
+        const dedupKey = `${cookieName}:${issues.join(",")}`;
+        const existing = seen.get(dedupKey);
+        if (existing) {
+          existing.count++;
+          continue;
+        }
+        const finding = {
+          severity: "warning",
+          rule: "insecure-cookie",
+          title: "Insecure Cookie",
+          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          endpoint: cookieName,
+          count: 1
+        };
+        seen.set(dedupKey, finding);
+        findings.push(finding);
+      }
     }
-    case "data-fetch": {
-      const name = prettifyEndpoint(endpointName);
-      if (failed) return `Failed to load ${name}`;
-      return `Loaded ${name}`;
+    return findings;
+  }
+};
+// src/analysis/rules/sensitive-logs.ts
+var sensitiveLogsRule = {
+  id: "sensitive-logs",
+  severity: "warning",
+  name: "Sensitive Data in Logs",
+  hint: RULE_HINTS["sensitive-logs"],
+  check(ctx) {
+    let count = 0;
+    for (const log of ctx.logs) {
+      if (!log.message) continue;
+      if (log.message.startsWith("[brakit]")) continue;
+      if (LOG_SECRET_RE.test(log.message)) count++;
     }
-    case "page-load":
-      return failed ? "Page error" : "Loaded page";
-    case "navigation":
-      return "Navigated";
-    case "static":
-      return `Static: ${req.path.split("/").pop() ?? req.path}`;
-    default:
-      return failed ? `${req.method} ${req.path} failed` : `${req.method} ${req.path}`;
+    if (count === 0) return [];
+    return [{
+      severity: "warning",
+      rule: "sensitive-logs",
+      title: "Sensitive Data in Logs",
+      desc: `Console output contains secret/token values \u2014 ${count} occurrence${count !== 1 ? "s" : ""}`,
+      hint: this.hint,
+      endpoint: "console",
+      count
+    }];
   }
-}
-function prettifyEndpoint(name) {
-  const cleaned = name.replace(/^\/api\//, "").replace(/\//g, " ").replace(/\.\.\./g, "").trim();
-  if (!cleaned) return "data";
-  return cleaned.split(" ").map((word) => {
-    if (word.endsWith("ses") || word.endsWith("us") || word.endsWith("ss"))
-      return word;
-    if (word.endsWith("ies")) return word.slice(0, -3) + "y";
-    if (word.endsWith("s") && word.length > 3) return word.slice(0, -1);
-    return word;
-  }).join(" ");
-}
-function deriveActionVerb(method, endpointName) {
-  const lower = endpointName.toLowerCase();
-  const VERB_PATTERNS = [
-    [/enhance/, "Enhanced"],
-    [/generate/, "Generated"],
-    [/create/, "Created"],
-    [/update/, "Updated"],
-    [/delete|remove/, "Deleted"],
-    [/send/, "Sent"],
-    [/upload/, "Uploaded"],
-    [/save/, "Saved"],
-    [/submit/, "Submitted"],
-    [/login|signin/, "Logged in"],
-    [/logout|signout/, "Logged out"],
-    [/register|signup/, "Registered"]
-  ];
-  for (const [pattern, verb] of VERB_PATTERNS) {
-    if (pattern.test(lower)) return verb;
+};
+// src/analysis/rules/cors-credentials.ts
+var corsCredentialsRule = {
+  id: "cors-credentials",
+  severity: "warning",
+  name: "CORS Credentials with Wildcard",
+  hint: RULE_HINTS["cors-credentials"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const r of ctx.requests) {
+      if (!r.responseHeaders) continue;
+      const origin = r.responseHeaders["access-control-allow-origin"];
+      const creds = r.responseHeaders["access-control-allow-credentials"];
+      if (origin !== "*" || creds !== "true") continue;
+      const ep = `${r.method} ${r.path}`;
+      if (seen.has(ep)) continue;
+      seen.add(ep);
+      findings.push({
+        severity: "warning",
+        rule: "cors-credentials",
+        title: "CORS Credentials with Wildcard",
+        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      });
+    }
+    return findings;
   }
-  switch (method) {
-    case "POST":
-      return "Created";
-    case "PUT":
-    case "PATCH":
-      return "Updated";
-    case "DELETE":
-      return "Deleted";
-    default:
-      return "Called";
+};
+// src/analysis/rules/response-pii-leak.ts
+var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
+var FULL_RECORD_MIN_FIELDS = 5;
+var LIST_PII_MIN_ITEMS = 2;
+function tryParseJson2(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
   }
 }
-function getEndpointName(path) {
-  const parts = path.replace(/^\/api\//, "").split("/");
-  if (parts.length <= 2) return parts.join("/");
-  return parts.map((p) => p.length > ENDPOINT_TRUNCATE_LENGTH ? "..." : p).join("/");
-}
-function prettifyPageName(path) {
-  const clean = path.replace(/^\//, "").replace(/\/$/, "");
-  if (!clean) return "Home";
-  return clean.split("/").map((s) => capitalize(s.replace(/[-_]/g, " "))).join(" ");
+function findEmails(obj) {
+  const emails = [];
+  if (!obj || typeof obj !== "object") return emails;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, 10); i++) {
+      emails.push(...findEmails(obj[i]));
+    }
+    return emails;
+  }
+  for (const v of Object.values(obj)) {
+    if (typeof v === "string" && EMAIL_RE.test(v)) {
+      emails.push(v);
+    } else if (typeof v === "object" && v !== null) {
+      emails.push(...findEmails(v));
+    }
+  }
+  return emails;
 }
-function capitalize(s) {
-  return s.charAt(0).toUpperCase() + s.slice(1);
+function topLevelFieldCount(obj) {
+  if (Array.isArray(obj)) {
+    return obj.length > 0 ? topLevelFieldCount(obj[0]) : 0;
+  }
+  if (obj && typeof obj === "object") return Object.keys(obj).length;
+  return 0;
 }
-// src/analysis/transforms.ts
-function markDuplicates(requests) {
-  const counts = /* @__PURE__ */ new Map();
-  for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
-    counts.set(key, (counts.get(key) ?? 0) + 1);
+function hasInternalIds(obj) {
+  if (!obj || typeof obj !== "object" || Array.isArray(obj)) return false;
+  for (const key of Object.keys(obj)) {
+    if (INTERNAL_ID_KEYS.test(key) || INTERNAL_ID_SUFFIX.test(key)) return true;
   }
-  const isStrictMode = counts.size > 0 && [...counts.values()].every((c) => c === 2);
-  const seen = /* @__PURE__ */ new Set();
-  for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
-    if (seen.has(key)) {
-      if (isStrictMode) {
-        req.isStrictModeDupe = true;
-      } else {
-        req.isDuplicate = true;
+  return false;
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
       }
-    } else {
-      seen.add(key);
     }
   }
+  return best && bestSize >= 3 ? best : parsed;
 }
-function collapsePolling(requests) {
-  const result = [];
-  let i = 0;
-  while (i < requests.length) {
-    const current = requests[i];
-    const currentEffective = getEffectivePath(current).split("?")[0];
-    if (current.method === "GET" && current.category === "data-fetch") {
-      let j = i + 1;
-      while (j < requests.length && requests[j].method === "GET" && getEffectivePath(requests[j]).split("?")[0] === currentEffective) {
-        j++;
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
+    const reqEmails = findEmails(reqBody);
+    if (reqEmails.length > 0) {
+      const resEmails = findEmails(target);
+      const echoed = reqEmails.filter((e) => resEmails.includes(e));
+      if (echoed.length > 0) {
+        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+          return { reason: "echo", emailCount: echoed.length };
+        }
       }
-      const count = j - i;
-      if (count >= MIN_POLLING_SEQUENCE) {
-        const last = requests[j - 1];
-        const pollingDuration = last.startedAt + last.durationMs - current.startedAt;
-        const endpointName = prettifyEndpoint(currentEffective);
-        result.push({
-          ...current,
-          category: "polling",
-          label: `Polling ${endpointName} (${count}x, ${formatDurationLabel(pollingDuration)})`,
-          pollingCount: count,
-          pollingDurationMs: pollingDuration,
-          isDuplicate: false
-        });
-        i = j;
-        continue;
+    }
+  }
+  if (target && typeof target === "object" && !Array.isArray(target)) {
+    const fields = topLevelFieldCount(target);
+    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
+      const emails = findEmails(target);
+      if (emails.length > 0) {
+        return { reason: "full-record", emailCount: emails.length };
       }
     }
-    result.push(current);
-    i++;
   }
-  return result;
-}
-function formatDurationLabel(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
+  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
+    let itemsWithEmail = 0;
+    for (let i = 0; i < Math.min(target.length, 10); i++) {
+      const item = target[i];
+      if (item && typeof item === "object") {
+        const emails = findEmails(item);
+        if (emails.length > 0) itemsWithEmail++;
+      }
+    }
+    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
+      const first = target[0];
+      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+        return { reason: "list-pii", emailCount: itemsWithEmail };
+      }
+    }
+  }
+  return null;
 }
-function detectWarnings(requests) {
-  const warnings = [];
-  const duplicateCount = requests.filter((r) => r.isDuplicate).length;
-  if (duplicateCount > 0) {
-    const unique = new Set(
-      requests.filter((r) => r.isDuplicate).map((r) => `${r.method} ${getEffectivePath(r).split("?")[0]}`)
-    );
-    const endpoints = unique.size;
-    const sameData = requests.filter((r) => r.isDuplicate).every((r) => {
-      const key = `${r.method} ${getEffectivePath(r).split("?")[0]}`;
-      const first = requests.find(
-        (o) => !o.isDuplicate && `${o.method} ${getEffectivePath(o).split("?")[0]}` === key
-      );
-      return first && first.responseBody === r.responseBody;
-    });
-    const suffix = sameData ? " \u2014 same data loaded twice" : "";
-    warnings.push(
-      `${duplicateCount} request${duplicateCount > 1 ? "s" : ""} duplicated across ${endpoints} endpoint${endpoints > 1 ? "s" : ""}${suffix}`
-    );
+var REASON_LABELS = {
+  echo: "echoes back PII from the request body",
+  "full-record": "returns a full record with email and internal IDs",
+  "list-pii": "returns a list of records containing email addresses"
+};
+var responsePiiLeakRule = {
+  id: "response-pii-leak",
+  severity: "warning",
+  name: "PII Leak in Response",
+  hint: RULE_HINTS["response-pii-leak"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Map();
+    for (const r of ctx.requests) {
+      if (r.statusCode >= 400) continue;
+      const resJson = tryParseJson2(r.responseBody);
+      if (!resJson) continue;
+      const reqJson = tryParseJson2(r.requestBody);
+      const detection = detectPII(r.method, reqJson, resJson);
+      if (!detection) continue;
+      const ep = `${r.method} ${r.path}`;
+      const dedupKey = `${ep}:${detection.reason}`;
+      const existing = seen.get(dedupKey);
+      if (existing) {
+        existing.count++;
+        continue;
+      }
+      const finding = {
+        severity: "warning",
+        rule: "response-pii-leak",
+        title: "PII Leak in Response",
+        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
+        hint: this.hint,
+        endpoint: ep,
+        count: 1
+      };
+      seen.set(dedupKey, finding);
+      findings.push(finding);
+    }
+    return findings;
   }
-  const slowRequests = requests.filter(
-    (r) => r.durationMs > SLOW_REQUEST_THRESHOLD_MS && r.category !== "polling"
-  );
-  for (const req of slowRequests) {
-    warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
+};
+// src/analysis/rules/scanner.ts
+var SecurityScanner = class {
+  rules = [];
+  register(rule) {
+    this.rules.push(rule);
   }
-  const errors = requests.filter((r) => r.statusCode >= 500);
-  for (const req of errors) {
-    warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
+  scan(ctx) {
+    const findings = [];
+    for (const rule of this.rules) {
+      try {
+        findings.push(...rule.check(ctx));
+      } catch {
+      }
+    }
+    return findings;
   }
-  return warnings;
+  getRules() {
+    return this.rules;
+  }
+};
+function createDefaultScanner() {
+  const scanner = new SecurityScanner();
+  scanner.register(exposedSecretRule);
+  scanner.register(tokenInUrlRule);
+  scanner.register(stackTraceLeakRule);
+  scanner.register(errorInfoLeakRule);
+  scanner.register(insecureCookieRule);
+  scanner.register(sensitiveLogsRule);
+  scanner.register(corsCredentialsRule);
+  scanner.register(responsePiiLeakRule);
+  return scanner;
+}
+// src/constants/routes.ts
+var DASHBOARD_PREFIX = "/__brakit";
+// src/constants/limits.ts
+var MAX_REQUEST_ENTRIES = 1e3;
+var MAX_TELEMETRY_ENTRIES = 1e3;
+// src/constants/thresholds.ts
+var FLOW_GAP_MS = 5e3;
+var SLOW_REQUEST_THRESHOLD_MS = 2e3;
+var MIN_POLLING_SEQUENCE = 3;
+var ENDPOINT_TRUNCATE_LENGTH = 12;
+var N1_QUERY_THRESHOLD = 5;
+var ERROR_RATE_THRESHOLD_PCT = 20;
+var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
+var MIN_REQUESTS_FOR_INSIGHT = 2;
+var HIGH_QUERY_COUNT_PER_REQ = 5;
+var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
+var CROSS_ENDPOINT_PCT = 50;
+var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
+var REDUNDANT_QUERY_MIN_COUNT = 2;
+var LARGE_RESPONSE_BYTES = 51200;
+var HIGH_ROW_COUNT = 100;
+var OVERFETCH_MIN_REQUESTS = 2;
+var OVERFETCH_MIN_FIELDS = 8;
+var OVERFETCH_MIN_INTERNAL_IDS = 2;
+var OVERFETCH_NULL_RATIO = 0.3;
+// src/utils/static-patterns.ts
+var STATIC_PATTERNS = [
+  /^\/_next\//,
+  /\.(?:js|css|map|ico|png|jpg|jpeg|gif|svg|webp|woff2?|ttf|eot)$/,
+  /^\/favicon/,
+  /^\/__nextjs/
+];
+function isStaticPath(urlPath) {
+  return STATIC_PATTERNS.some((p) => p.test(urlPath));
 }
-// src/analysis/group.ts
-function groupRequestsIntoFlows(requests) {
-  if (requests.length === 0) return [];
-  const flows = [];
-  let currentRequests = [];
-  let currentSourcePage;
-  let lastEndTime = 0;
-  for (const req of requests) {
-    if (req.path.startsWith(DASHBOARD_PREFIX)) continue;
-    const labeled = labelRequest(req);
-    if (labeled.category === "static") continue;
-    const sourcePage = labeled.sourcePage;
-    const gap = currentRequests.length > 0 ? req.startedAt - lastEndTime : 0;
-    const isNewPage = currentRequests.length > 0 && sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
-    const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
-    const isTimeGap = currentRequests.length > 0 && gap > FLOW_GAP_MS;
-    if (currentRequests.length > 0 && (isNewPage || isTimeGap || isPageLoad)) {
-      flows.push(buildFlow(currentRequests));
-      currentRequests = [];
-    }
-    currentRequests.push(labeled);
-    currentSourcePage = sourcePage ?? currentSourcePage;
-    lastEndTime = Math.max(lastEndTime, req.startedAt + req.durationMs);
-  }
-  if (currentRequests.length > 0) {
-    flows.push(buildFlow(currentRequests));
+// src/store/request-store.ts
+function flattenHeaders(headers) {
+  const flat = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (value === void 0) continue;
+    flat[key] = Array.isArray(value) ? value.join(", ") : value;
   }
-  return flows;
-}
-function buildFlow(rawRequests) {
-  markDuplicates(rawRequests);
-  const requests = collapsePolling(rawRequests);
-  const first = requests[0];
-  const startTime = first.startedAt;
-  const endTime = Math.max(
-    ...requests.map(
-      (r) => r.pollingDurationMs ? r.startedAt + r.pollingDurationMs : r.startedAt + r.durationMs
-    )
-  );
-  const duplicateCount = rawRequests.filter((r) => r.isDuplicate).length;
-  const nonStaticCount = rawRequests.length;
-  const redundancyPct = nonStaticCount > 0 ? Math.round(duplicateCount / nonStaticCount * 100) : 0;
-  const sourcePage = getDominantSourcePage(rawRequests);
-  return {
-    id: randomUUID2(),
-    label: deriveFlowLabel(requests, sourcePage),
-    requests,
-    startTime,
-    totalDurationMs: Math.round(endTime - startTime),
-    hasErrors: requests.some((r) => r.statusCode >= 400),
-    warnings: detectWarnings(rawRequests),
-    sourcePage,
-    redundancyPct
-  };
+  return flat;
 }
-function getDominantSourcePage(requests) {
-  const counts = /* @__PURE__ */ new Map();
-  for (const req of requests) {
-    if (req.sourcePage) {
-      counts.set(req.sourcePage, (counts.get(req.sourcePage) ?? 0) + 1);
-    }
+var RequestStore = class {
+  constructor(maxEntries = MAX_REQUEST_ENTRIES) {
+    this.maxEntries = maxEntries;
   }
-  let best = "";
-  let bestCount = 0;
-  for (const [page, count] of counts) {
-    if (count > bestCount) {
-      best = page;
-      bestCount = count;
+  requests = [];
+  listeners = [];
+  capture(input) {
+    const url = input.url;
+    const path = url.split("?")[0];
+    let requestBodyStr = null;
+    if (input.requestBody && input.requestBody.length > 0) {
+      requestBodyStr = input.requestBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
+    }
+    let responseBodyStr = null;
+    if (input.responseBody && input.responseBody.length > 0) {
+      const ct = input.responseContentType;
+      if (ct.includes("json") || ct.includes("text") || ct.includes("html")) {
+        responseBodyStr = input.responseBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
+      }
+    }
+    const entry = {
+      id: input.requestId,
+      method: input.method,
+      url,
+      path,
+      headers: flattenHeaders(input.requestHeaders),
+      requestBody: requestBodyStr,
+      statusCode: input.statusCode,
+      responseHeaders: flattenHeaders(input.responseHeaders),
+      responseBody: responseBodyStr,
+      startedAt: input.startTime,
+      durationMs: Math.round(performance.now() - input.startTime),
+      responseSize: input.responseBody?.length ?? 0,
+      isStatic: isStaticPath(path)
+    };
+    this.requests.push(entry);
+    if (this.requests.length > this.maxEntries) {
+      this.requests.shift();
     }
+    for (const fn of this.listeners) {
+      fn(entry);
+    }
+    return entry;
   }
-  return best || requests[0]?.path?.split("?")[0] || "/";
-}
-function deriveFlowLabel(requests, sourcePage) {
-  const trigger = requests.find((r) => r.category === "api-call") ?? requests.find((r) => r.category === "server-action") ?? requests.find((r) => r.category === "page-load") ?? requests.find((r) => r.category === "navigation") ?? requests.find((r) => r.category === "data-fetch") ?? requests[0];
-  if (trigger.category === "page-load" || trigger.category === "navigation") {
-    const pageName = prettifyPageName(trigger.path.split("?")[0]);
-    return `${pageName} Page`;
+  getAll() {
+    return this.requests;
   }
-  if (trigger.category === "api-call") {
-    const effectivePath = getEffectivePath(trigger);
-    const parts = effectivePath.replace(/^\/api\//, "").split("/");
-    const endpointName = parts.length <= 2 ? parts.join("/") : parts.map((p) => p.length > 12 ? "..." : p).join("/");
-    const action = deriveActionVerb(trigger.method, endpointName);
-    const name = prettifyEndpoint(endpointName);
-    return `${action} ${capitalize(name)}`;
+  clear() {
+    this.requests.length = 0;
   }
-  if (trigger.category === "server-action") {
-    const name = prettifyEndpoint(trigger.path);
-    return capitalize(name);
+  onRequest(fn) {
+    this.listeners.push(fn);
   }
-  if (trigger.category === "data-fetch" || trigger.category === "polling") {
-    if (sourcePage && sourcePage !== "/") {
-      const pageName = prettifyPageName(sourcePage);
-      return `${pageName} Page`;
-    }
-    return trigger.label;
+  offRequest(fn) {
+    const idx = this.listeners.indexOf(fn);
+    if (idx !== -1) this.listeners.splice(idx, 1);
   }
-  return trigger.label;
-}
+};
+// src/store/request-log.ts
+var defaultStore = new RequestStore();
+var getRequests = () => defaultStore.getAll();
+var onRequest = (fn) => defaultStore.onRequest(fn);
+var offRequest = (fn) => defaultStore.offRequest(fn);
 // src/store/telemetry-store.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID } from "crypto";
 var TelemetryStore = class {
   constructor(maxEntries = MAX_TELEMETRY_ENTRIES) {
     this.maxEntries = maxEntries;
@@ -616,7 +713,7 @@ var TelemetryStore = class {
   entries = [];
   listeners = [];
   add(data) {
-    const entry = { id: randomUUID3(), ...data };
+    const entry = { id: randomUUID(), ...data };
     this.entries.push(entry);
     if (this.entries.length > this.maxEntries) this.entries.shift();
     for (const fn of this.listeners) fn(entry);
@@ -661,7 +758,7 @@ var QueryStore = class extends TelemetryStore {
 var defaultQueryStore = new QueryStore();
 // src/store/metrics/metrics-store.ts
-import { randomUUID as randomUUID4 } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 // src/store/metrics/persistence.ts
 import {
@@ -673,641 +770,357 @@ import {
 } from "fs";
 import { resolve as resolve2 } from "path";
-// src/utils/fs.ts
-import { access } from "fs/promises";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
-async function fileExists(path) {
-  try {
-    await access(path);
-    return true;
-  } catch {
-    return false;
-  }
-}
-// src/dashboard/client/constants/thresholds.ts
-var HEALTH_FAST_MS = 100;
-var HEALTH_GOOD_MS = 300;
-var HEALTH_OK_MS = 800;
-var HEALTH_SLOW_MS = 2e3;
-// src/dashboard/client/constants/display.ts
-var HEALTH_GRADES = `[
-  { max: ${HEALTH_FAST_MS}, label: 'Fast', color: 'var(--green)', bg: 'rgba(22,163,74,0.08)', border: 'rgba(22,163,74,0.2)' },
-  { max: ${HEALTH_GOOD_MS}, label: 'Good', color: 'var(--green)', bg: 'rgba(22,163,74,0.06)', border: 'rgba(22,163,74,0.15)' },
-  { max: ${HEALTH_OK_MS}, label: 'OK', color: 'var(--amber)', bg: 'rgba(217,119,6,0.06)', border: 'rgba(217,119,6,0.15)' },
-  { max: ${HEALTH_SLOW_MS}, label: 'Slow', color: 'var(--red)', bg: 'rgba(220,38,38,0.06)', border: 'rgba(220,38,38,0.15)' },
-  { max: Infinity, label: 'Critical', color: 'var(--red)', bg: 'rgba(220,38,38,0.08)', border: 'rgba(220,38,38,0.2)' }
-]`;
-// src/telemetry/index.ts
-import { platform, release, arch } from "os";
-// src/telemetry/config.ts
-import { homedir } from "os";
-import { join } from "path";
-import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
-import { randomUUID as randomUUID5 } from "crypto";
-var CONFIG_DIR = join(homedir(), ".brakit");
-var CONFIG_PATH = join(CONFIG_DIR, "config.json");
-// src/dashboard/router.ts
-function isDashboardRequest(url) {
-  return url === DASHBOARD_PREFIX || url.startsWith(DASHBOARD_PREFIX + "/");
-}
-// src/proxy/server.ts
-function createProxyServer(config, handleDashboard) {
-  const server = createServer((clientReq, clientRes) => {
-    if (isDashboardRequest(clientReq.url ?? "")) {
-      handleDashboard(clientReq, clientRes, config);
-      return;
-    }
-    proxyRequest(clientReq, clientRes, config);
-  });
-  server.on("upgrade", (req, socket, head) => {
-    handleUpgrade(req, socket, head, config.targetPort);
-  });
-  return server;
-}
+// src/analysis/group.ts
+import { randomUUID as randomUUID3 } from "crypto";
-// src/detect/project.ts
-import { readFile as readFile2 } from "fs/promises";
-import { join as join2 } from "path";
-var FRAMEWORKS = [
-  { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
-  { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
-  { name: "nuxt", dep: "nuxt", devCmd: "nuxt dev", bin: "nuxt", defaultPort: 3e3, devArgs: ["dev", "--port"] },
-  { name: "vite", dep: "vite", devCmd: "vite", bin: "vite", defaultPort: 5173, devArgs: ["--port"] },
-  { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
-];
-async function detectProject(rootDir) {
-  const pkgPath = join2(rootDir, "package.json");
-  const raw = await readFile2(pkgPath, "utf-8");
-  const pkg = JSON.parse(raw);
-  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-  let framework = "unknown";
-  let devCommand = "";
-  let devBin = "";
-  let defaultPort = 3e3;
-  for (const f of FRAMEWORKS) {
-    if (allDeps[f.dep]) {
-      framework = f.name;
-      devCommand = f.devCmd;
-      devBin = join2(rootDir, "node_modules", ".bin", f.bin);
-      defaultPort = f.defaultPort;
-      break;
-    }
+// src/analysis/categorize.ts
+function detectCategory(req) {
+  const { method, url, statusCode, responseHeaders } = req;
+  if (req.isStatic) return "static";
+  if (statusCode === 307 && (url.includes("__clerk_handshake") || url.includes("__clerk_db_jwt"))) {
+    return "auth-handshake";
   }
-  const packageManager = await detectPackageManager(rootDir);
-  return { framework, devCommand, devBin, defaultPort, packageManager };
-}
-async function detectPackageManager(rootDir) {
-  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
-  return "unknown";
-}
-// src/instrument/adapter-registry.ts
-var AdapterRegistry = class {
-  adapters = [];
-  active = [];
-  register(adapter) {
-    this.adapters.push(adapter);
+  const effectivePath = getEffectivePath(req);
+  if (/^\/api\/auth/i.test(effectivePath) || /^\/(api\/)?clerk/i.test(effectivePath)) {
+    return "auth-check";
   }
-  patchAll(emit) {
-    for (const adapter of this.adapters) {
-      try {
-        if (adapter.detect()) {
-          adapter.patch(emit);
-          this.active.push(adapter);
-        }
-      } catch {
-      }
-    }
+  if (method === "POST" && !effectivePath.startsWith("/api/")) {
+    return "server-action";
+  }
+  if (effectivePath.startsWith("/api/") && method !== "GET" && method !== "HEAD") {
+    return "api-call";
+  }
+  if (effectivePath.startsWith("/api/") && method === "GET") {
+    return "data-fetch";
+  }
+  if (url.includes("_rsc=")) {
+    return "navigation";
+  }
+  if (responseHeaders["x-middleware-rewrite"]) {
+    return "middleware";
   }
-  unpatchAll() {
-    for (const adapter of this.active) {
-      try {
-        adapter.unpatch?.();
-      } catch {
-      }
-    }
-    this.active = [];
+  if (method === "GET") {
+    const ct = responseHeaders["content-type"] ?? "";
+    if (ct.includes("text/html")) return "page-load";
   }
-  getActive() {
-    return this.active;
+  return "unknown";
+}
+function getEffectivePath(req) {
+  const rewrite = req.responseHeaders["x-middleware-rewrite"];
+  if (!rewrite) return req.path;
+  try {
+    const url = new URL(rewrite, "http://localhost");
+    return url.pathname;
+  } catch {
+    return rewrite.startsWith("/") ? rewrite : req.path;
   }
-};
-// src/analysis/rules/patterns.ts
-var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
-var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
-var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
-var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
-var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
-var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
-var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-var INTERNAL_ID_SUFFIX = /Id$|_id$/;
-var RULE_HINTS = {
-  "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
-  "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
-  "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
-  "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
-  "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
-  "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
-  "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
-};
+}
-// src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
+// src/analysis/label.ts
+function extractSourcePage(req) {
+  const referer = req.headers["referer"] ?? req.headers["Referer"];
+  if (!referer) return void 0;
   try {
-    return JSON.parse(body);
+    const url = new URL(referer);
+    return url.pathname;
   } catch {
-    return null;
+    return void 0;
   }
 }
-function findSecretKeys(obj, prefix) {
-  const found = [];
-  if (!obj || typeof obj !== "object") return found;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
-    }
-    return found;
-  }
-  for (const k of Object.keys(obj)) {
-    const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
-      found.push(k);
-    }
-    if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
-    }
-  }
-  return found;
+function labelRequest(req) {
+  const category = detectCategory(req);
+  const label = generateHumanLabel(req, category);
+  const sourcePage = extractSourcePage(req);
+  return { ...req, category, label, sourcePage };
 }
-var exposedSecretRule = {
-  id: "exposed-secret",
-  severity: "critical",
-  name: "Exposed Secret in Response",
-  hint: RULE_HINTS["exposed-secret"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const parsed = tryParseJson(r.responseBody);
-      if (!parsed) continue;
-      const keys = findSecretKeys(parsed, "");
-      if (keys.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${keys.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "exposed-secret",
-        title: "Exposed Secret in Response",
-        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
-  }
-};
-// src/analysis/rules/token-in-url.ts
-var tokenInUrlRule = {
-  id: "token-in-url",
-  severity: "critical",
-  name: "Auth Token in URL",
-  hint: RULE_HINTS["token-in-url"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      const qIdx = r.url.indexOf("?");
-      if (qIdx === -1) continue;
-      const params = r.url.substring(qIdx + 1).split("&");
-      const flagged = [];
-      for (const param of params) {
-        const [name, ...rest] = param.split("=");
-        const val = rest.join("=");
-        if (SAFE_PARAMS.test(name)) continue;
-        if (TOKEN_PARAMS.test(name) && val && val.length > 0) {
-          flagged.push(name);
-        }
-      }
-      if (flagged.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "token-in-url",
-        title: "Auth Token in URL",
-        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
+function generateHumanLabel(req, category) {
+  const effectivePath = getEffectivePath(req);
+  const endpointName = getEndpointName(effectivePath);
+  const failed = req.statusCode >= 400;
+  switch (category) {
+    case "auth-handshake":
+      return "Auth handshake";
+    case "auth-check":
+      return failed ? "Auth check failed" : "Checked auth";
+    case "middleware": {
+      const rewritePath = effectivePath !== req.path ? effectivePath : "";
+      return rewritePath ? `Redirected to ${rewritePath}` : "Middleware";
     }
-    return findings;
-  }
-};
-// src/analysis/rules/stack-trace-leak.ts
-var stackTraceLeakRule = {
-  id: "stack-trace-leak",
-  severity: "critical",
-  name: "Stack Trace Leaked to Client",
-  hint: RULE_HINTS["stack-trace-leak"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "stack-trace-leak",
-        title: "Stack Trace Leaked to Client",
-        desc: `${ep} \u2014 response exposes internal stack trace`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      };
-      seen.set(ep, finding);
-      findings.push(finding);
+    case "server-action": {
+      const name = prettifyEndpoint(req.path);
+      return failed ? `${name} failed` : name;
     }
-    return findings;
-  }
-};
-// src/analysis/rules/error-info-leak.ts
-var CRITICAL_PATTERNS = [
-  { re: DB_CONN_RE, label: "database connection string" },
-  { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
-  { re: SECRET_VAL_RE, label: "secret value" }
-];
-var errorInfoLeakRule = {
-  id: "error-info-leak",
-  severity: "critical",
-  name: "Sensitive Data in Error Response",
-  hint: RULE_HINTS["error-info-leak"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
-      const ep = `${r.method} ${r.path}`;
-      for (const p of CRITICAL_PATTERNS) {
-        if (!p.re.test(r.responseBody)) continue;
-        const dedupKey = `${ep}:${p.label}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
-        }
-        const finding = {
-          severity: "critical",
-          rule: "error-info-leak",
-          title: "Sensitive Data in Error Response",
-          desc: `${ep} \u2014 error response exposes ${p.label}`,
-          hint: this.hint,
-          endpoint: ep,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
+    case "api-call": {
+      const action = deriveActionVerb(req.method, endpointName);
+      const name = prettifyEndpoint(endpointName);
+      if (failed) return `${action} ${name} failed`;
+      return `${action} ${name}`;
     }
-    return findings;
+    case "data-fetch": {
+      const name = prettifyEndpoint(endpointName);
+      if (failed) return `Failed to load ${name}`;
+      return `Loaded ${name}`;
+    }
+    case "page-load":
+      return failed ? "Page error" : "Loaded page";
+    case "navigation":
+      return "Navigated";
+    case "static":
+      return `Static: ${req.path.split("/").pop() ?? req.path}`;
+    default:
+      return failed ? `${req.method} ${req.path} failed` : `${req.method} ${req.path}`;
   }
-};
-// src/analysis/rules/insecure-cookie.ts
-function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
-  if (r.path?.startsWith("/__")) return true;
-  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
-  return false;
 }
-var insecureCookieRule = {
-  id: "insecure-cookie",
-  severity: "warning",
-  name: "Insecure Cookie",
-  hint: RULE_HINTS["insecure-cookie"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      if (isFrameworkResponse(r)) continue;
-      const setCookie = r.responseHeaders["set-cookie"];
-      if (!setCookie) continue;
-      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
-      for (const cookie of cookies) {
-        const cookieName = cookie.trim().split("=")[0].trim();
-        const lower = cookie.toLowerCase();
-        const issues = [];
-        if (!lower.includes("httponly")) issues.push("HttpOnly");
-        if (!lower.includes("samesite")) issues.push("SameSite");
-        if (issues.length === 0) continue;
-        const dedupKey = `${cookieName}:${issues.join(",")}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
-        }
-        const finding = {
-          severity: "warning",
-          rule: "insecure-cookie",
-          title: "Insecure Cookie",
-          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
-          hint: this.hint,
-          endpoint: cookieName,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
+function prettifyEndpoint(name) {
+  const cleaned = name.replace(/^\/api\//, "").replace(/\//g, " ").replace(/\.\.\./g, "").trim();
+  if (!cleaned) return "data";
+  return cleaned.split(" ").map((word) => {
+    if (word.endsWith("ses") || word.endsWith("us") || word.endsWith("ss"))
+      return word;
+    if (word.endsWith("ies")) return word.slice(0, -3) + "y";
+    if (word.endsWith("s") && word.length > 3) return word.slice(0, -1);
+    return word;
+  }).join(" ");
+}
+function deriveActionVerb(method, endpointName) {
+  const lower = endpointName.toLowerCase();
+  const VERB_PATTERNS = [
+    [/enhance/, "Enhanced"],
+    [/generate/, "Generated"],
+    [/create/, "Created"],
+    [/update/, "Updated"],
+    [/delete|remove/, "Deleted"],
+    [/send/, "Sent"],
+    [/upload/, "Uploaded"],
+    [/save/, "Saved"],
+    [/submit/, "Submitted"],
+    [/login|signin/, "Logged in"],
+    [/logout|signout/, "Logged out"],
+    [/register|signup/, "Registered"]
+  ];
+  for (const [pattern, verb] of VERB_PATTERNS) {
+    if (pattern.test(lower)) return verb;
   }
-};
+  switch (method) {
+    case "POST":
+      return "Created";
+    case "PUT":
+    case "PATCH":
+      return "Updated";
+    case "DELETE":
+      return "Deleted";
+    default:
+      return "Called";
+  }
+}
+function getEndpointName(path) {
+  const parts = path.replace(/^\/api\//, "").split("/");
+  if (parts.length <= 2) return parts.join("/");
+  return parts.map((p) => p.length > ENDPOINT_TRUNCATE_LENGTH ? "..." : p).join("/");
+}
+function prettifyPageName(path) {
+  const clean = path.replace(/^\//, "").replace(/\/$/, "");
+  if (!clean) return "Home";
+  return clean.split("/").map((s) => capitalize(s.replace(/[-_]/g, " "))).join(" ");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
-// src/analysis/rules/sensitive-logs.ts
-var sensitiveLogsRule = {
-  id: "sensitive-logs",
-  severity: "warning",
-  name: "Sensitive Data in Logs",
-  hint: RULE_HINTS["sensitive-logs"],
-  check(ctx) {
-    let count = 0;
-    for (const log of ctx.logs) {
-      if (!log.message) continue;
-      if (log.message.startsWith("[brakit]")) continue;
-      if (LOG_SECRET_RE.test(log.message)) count++;
+// src/analysis/transforms.ts
+function markDuplicates(requests) {
+  const counts = /* @__PURE__ */ new Map();
+  for (const req of requests) {
+    if (req.category !== "data-fetch" && req.category !== "auth-check")
+      continue;
+    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    counts.set(key, (counts.get(key) ?? 0) + 1);
+  }
+  const isStrictMode = counts.size > 0 && [...counts.values()].every((c) => c === 2);
+  const seen = /* @__PURE__ */ new Set();
+  for (const req of requests) {
+    if (req.category !== "data-fetch" && req.category !== "auth-check")
+      continue;
+    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    if (seen.has(key)) {
+      if (isStrictMode) {
+        req.isStrictModeDupe = true;
+      } else {
+        req.isDuplicate = true;
+      }
+    } else {
+      seen.add(key);
     }
-    if (count === 0) return [];
-    return [{
-      severity: "warning",
-      rule: "sensitive-logs",
-      title: "Sensitive Data in Logs",
-      desc: `Console output contains secret/token values \u2014 ${count} occurrence${count !== 1 ? "s" : ""}`,
-      hint: this.hint,
-      endpoint: "console",
-      count
-    }];
   }
-};
-// src/analysis/rules/cors-credentials.ts
-var corsCredentialsRule = {
-  id: "cors-credentials",
-  severity: "warning",
-  name: "CORS Credentials with Wildcard",
-  hint: RULE_HINTS["cors-credentials"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      const origin = r.responseHeaders["access-control-allow-origin"];
-      const creds = r.responseHeaders["access-control-allow-credentials"];
-      if (origin !== "*" || creds !== "true") continue;
-      const ep = `${r.method} ${r.path}`;
-      if (seen.has(ep)) continue;
-      seen.add(ep);
-      findings.push({
-        severity: "warning",
-        rule: "cors-credentials",
-        title: "CORS Credentials with Wildcard",
-        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      });
+}
+function collapsePolling(requests) {
+  const result = [];
+  let i = 0;
+  while (i < requests.length) {
+    const current = requests[i];
+    const currentEffective = getEffectivePath(current).split("?")[0];
+    if (current.method === "GET" && current.category === "data-fetch") {
+      let j = i + 1;
+      while (j < requests.length && requests[j].method === "GET" && getEffectivePath(requests[j]).split("?")[0] === currentEffective) {
+        j++;
+      }
+      const count = j - i;
+      if (count >= MIN_POLLING_SEQUENCE) {
+        const last = requests[j - 1];
+        const pollingDuration = last.startedAt + last.durationMs - current.startedAt;
+        const endpointName = prettifyEndpoint(currentEffective);
+        result.push({
+          ...current,
+          category: "polling",
+          label: `Polling ${endpointName} (${count}x, ${formatDurationLabel(pollingDuration)})`,
+          pollingCount: count,
+          pollingDurationMs: pollingDuration,
+          isDuplicate: false
+        });
+        i = j;
+        continue;
+      }
     }
-    return findings;
+    result.push(current);
+    i++;
   }
-};
-// src/analysis/rules/response-pii-leak.ts
-var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-var FULL_RECORD_MIN_FIELDS = 5;
-var LIST_PII_MIN_ITEMS = 2;
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
+  return result;
+}
+function formatDurationLabel(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+function detectWarnings(requests) {
+  const warnings = [];
+  const duplicateCount = requests.filter((r) => r.isDuplicate).length;
+  if (duplicateCount > 0) {
+    const unique = new Set(
+      requests.filter((r) => r.isDuplicate).map((r) => `${r.method} ${getEffectivePath(r).split("?")[0]}`)
+    );
+    const endpoints = unique.size;
+    const sameData = requests.filter((r) => r.isDuplicate).every((r) => {
+      const key = `${r.method} ${getEffectivePath(r).split("?")[0]}`;
+      const first = requests.find(
+        (o) => !o.isDuplicate && `${o.method} ${getEffectivePath(o).split("?")[0]}` === key
+      );
+      return first && first.responseBody === r.responseBody;
+    });
+    const suffix = sameData ? " \u2014 same data loaded twice" : "";
+    warnings.push(
+      `${duplicateCount} request${duplicateCount > 1 ? "s" : ""} duplicated across ${endpoints} endpoint${endpoints > 1 ? "s" : ""}${suffix}`
+    );
   }
-}
-function findEmails(obj) {
-  const emails = [];
-  if (!obj || typeof obj !== "object") return emails;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
-    }
-    return emails;
+  const slowRequests = requests.filter(
+    (r) => r.durationMs > SLOW_REQUEST_THRESHOLD_MS && r.category !== "polling"
+  );
+  for (const req of slowRequests) {
+    warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
   }
-  for (const v of Object.values(obj)) {
-    if (typeof v === "string" && EMAIL_RE.test(v)) {
-      emails.push(v);
-    } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
-    }
+  const errors = requests.filter((r) => r.statusCode >= 500);
+  for (const req of errors) {
+    warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
   }
-  return emails;
+  return warnings;
 }
-function topLevelFieldCount(obj) {
-  if (Array.isArray(obj)) {
-    return obj.length > 0 ? topLevelFieldCount(obj[0]) : 0;
+// src/analysis/group.ts
+function groupRequestsIntoFlows(requests) {
+  if (requests.length === 0) return [];
+  const flows = [];
+  let currentRequests = [];
+  let currentSourcePage;
+  let lastEndTime = 0;
+  for (const req of requests) {
+    if (req.path.startsWith(DASHBOARD_PREFIX)) continue;
+    const labeled = labelRequest(req);
+    if (labeled.category === "static") continue;
+    const sourcePage = labeled.sourcePage;
+    const gap = currentRequests.length > 0 ? req.startedAt - lastEndTime : 0;
+    const isNewPage = currentRequests.length > 0 && sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
+    const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
+    const isTimeGap = currentRequests.length > 0 && gap > FLOW_GAP_MS;
+    if (currentRequests.length > 0 && (isNewPage || isTimeGap || isPageLoad)) {
+      flows.push(buildFlow(currentRequests));
+      currentRequests = [];
+    }
+    currentRequests.push(labeled);
+    currentSourcePage = sourcePage ?? currentSourcePage;
+    lastEndTime = Math.max(lastEndTime, req.startedAt + req.durationMs);
   }
-  if (obj && typeof obj === "object") return Object.keys(obj).length;
-  return 0;
-}
-function hasInternalIds(obj) {
-  if (!obj || typeof obj !== "object" || Array.isArray(obj)) return false;
-  for (const key of Object.keys(obj)) {
-    if (INTERNAL_ID_KEYS.test(key) || INTERNAL_ID_SUFFIX.test(key)) return true;
+  if (currentRequests.length > 0) {
+    flows.push(buildFlow(currentRequests));
   }
-  return false;
+  return flows;
 }
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
-      }
-    }
-  }
-  return best && bestSize >= 3 ? best : parsed;
+function buildFlow(rawRequests) {
+  markDuplicates(rawRequests);
+  const requests = collapsePolling(rawRequests);
+  const first = requests[0];
+  const startTime = first.startedAt;
+  const endTime = Math.max(
+    ...requests.map(
+      (r) => r.pollingDurationMs ? r.startedAt + r.pollingDurationMs : r.startedAt + r.durationMs
+    )
+  );
+  const duplicateCount = rawRequests.filter((r) => r.isDuplicate).length;
+  const nonStaticCount = rawRequests.length;
+  const redundancyPct = nonStaticCount > 0 ? Math.round(duplicateCount / nonStaticCount * 100) : 0;
+  const sourcePage = getDominantSourcePage(rawRequests);
+  return {
+    id: randomUUID3(),
+    label: deriveFlowLabel(requests, sourcePage),
+    requests,
+    startTime,
+    totalDurationMs: Math.round(endTime - startTime),
+    hasErrors: requests.some((r) => r.statusCode >= 400),
+    warnings: detectWarnings(rawRequests),
+    sourcePage,
+    redundancyPct
+  };
 }
-function detectPII(method, reqBody, resBody) {
-  const target = unwrapResponse(resBody);
-  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
-    const reqEmails = findEmails(reqBody);
-    if (reqEmails.length > 0) {
-      const resEmails = findEmails(target);
-      const echoed = reqEmails.filter((e) => resEmails.includes(e));
-      if (echoed.length > 0) {
-        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
-        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
-          return { reason: "echo", emailCount: echoed.length };
-        }
-      }
-    }
-  }
-  if (target && typeof target === "object" && !Array.isArray(target)) {
-    const fields = topLevelFieldCount(target);
-    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
-      const emails = findEmails(target);
-      if (emails.length > 0) {
-        return { reason: "full-record", emailCount: emails.length };
-      }
+function getDominantSourcePage(requests) {
+  const counts = /* @__PURE__ */ new Map();
+  for (const req of requests) {
+    if (req.sourcePage) {
+      counts.set(req.sourcePage, (counts.get(req.sourcePage) ?? 0) + 1);
     }
   }
-  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
-    let itemsWithEmail = 0;
-    for (let i = 0; i < Math.min(target.length, 10); i++) {
-      const item = target[i];
-      if (item && typeof item === "object") {
-        const emails = findEmails(item);
-        if (emails.length > 0) itemsWithEmail++;
-      }
-    }
-    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
-      const first = target[0];
-      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
-        return { reason: "list-pii", emailCount: itemsWithEmail };
-      }
+  let best = "";
+  let bestCount = 0;
+  for (const [page, count] of counts) {
+    if (count > bestCount) {
+      best = page;
+      bestCount = count;
     }
   }
-  return null;
+  return best || requests[0]?.path?.split("?")[0] || "/";
 }
-var REASON_LABELS = {
-  echo: "echoes back PII from the request body",
-  "full-record": "returns a full record with email and internal IDs",
-  "list-pii": "returns a list of records containing email addresses"
-};
-var responsePiiLeakRule = {
-  id: "response-pii-leak",
-  severity: "warning",
-  name: "PII Leak in Response",
-  hint: RULE_HINTS["response-pii-leak"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const resJson = tryParseJson2(r.responseBody);
-      if (!resJson) continue;
-      const reqJson = tryParseJson2(r.requestBody);
-      const detection = detectPII(r.method, reqJson, resJson);
-      if (!detection) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${detection.reason}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "warning",
-        rule: "response-pii-leak",
-        title: "PII Leak in Response",
-        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+function deriveFlowLabel(requests, sourcePage) {
+  const trigger = requests.find((r) => r.category === "api-call") ?? requests.find((r) => r.category === "server-action") ?? requests.find((r) => r.category === "page-load") ?? requests.find((r) => r.category === "navigation") ?? requests.find((r) => r.category === "data-fetch") ?? requests[0];
+  if (trigger.category === "page-load" || trigger.category === "navigation") {
+    const pageName = prettifyPageName(trigger.path.split("?")[0]);
+    return `${pageName} Page`;
   }
-};
-// src/analysis/rules/scanner.ts
-var SecurityScanner = class {
-  rules = [];
-  register(rule) {
-    this.rules.push(rule);
+  if (trigger.category === "api-call") {
+    const effectivePath = getEffectivePath(trigger);
+    const parts = effectivePath.replace(/^\/api\//, "").split("/");
+    const endpointName = parts.length <= 2 ? parts.join("/") : parts.map((p) => p.length > 12 ? "..." : p).join("/");
+    const action = deriveActionVerb(trigger.method, endpointName);
+    const name = prettifyEndpoint(endpointName);
+    return `${action} ${capitalize(name)}`;
   }
-  scan(ctx) {
-    const findings = [];
-    for (const rule of this.rules) {
-      try {
-        findings.push(...rule.check(ctx));
-      } catch {
-      }
-    }
-    return findings;
+  if (trigger.category === "server-action") {
+    const name = prettifyEndpoint(trigger.path);
+    return capitalize(name);
   }
-  getRules() {
-    return this.rules;
+  if (trigger.category === "data-fetch" || trigger.category === "polling") {
+    if (sourcePage && sourcePage !== "/") {
+      const pageName = prettifyPageName(sourcePage);
+      return `${pageName} Page`;
+    }
+    return trigger.label;
   }
-};
-function createDefaultScanner() {
-  const scanner = new SecurityScanner();
-  scanner.register(exposedSecretRule);
-  scanner.register(tokenInUrlRule);
-  scanner.register(stackTraceLeakRule);
-  scanner.register(errorInfoLeakRule);
-  scanner.register(insecureCookieRule);
-  scanner.register(sensitiveLogsRule);
-  scanner.register(corsCredentialsRule);
-  scanner.register(responsePiiLeakRule);
-  return scanner;
+  return trigger.label;
 }
 // src/instrument/adapters/normalize.ts
@@ -1805,7 +1618,7 @@ var AnalysisEngine = class {
 };
 // src/index.ts
-var VERSION = "0.6.2";
+var VERSION = "0.7.0";
 export {
   AdapterRegistry,
   AnalysisEngine,
@@ -1813,6 +1626,5 @@ export {
   VERSION,
   computeInsights,
   createDefaultScanner,
-  createProxyServer,
   detectProject
 };