brakit 0.7.6 → 0.8.0

package/dist/mcp/server.js

@@ -0,0 +1,737 @@
+// src/mcp/server.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  ListToolsRequestSchema,
+  CallToolRequestSchema,
+  ListPromptsRequestSchema,
+  GetPromptRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+
+// src/constants/routes.ts
+var DASHBOARD_API_REQUESTS = "/__brakit/api/requests";
+var DASHBOARD_API_CLEAR = "/__brakit/api/clear";
+var DASHBOARD_API_FETCHES = "/__brakit/api/fetches";
+var DASHBOARD_API_ERRORS = "/__brakit/api/errors";
+var DASHBOARD_API_QUERIES = "/__brakit/api/queries";
+var DASHBOARD_API_ACTIVITY = "/__brakit/api/activity";
+var DASHBOARD_API_METRICS_LIVE = "/__brakit/api/metrics/live";
+var DASHBOARD_API_INSIGHTS = "/__brakit/api/insights";
+var DASHBOARD_API_SECURITY = "/__brakit/api/security";
+var DASHBOARD_API_FINDINGS = "/__brakit/api/findings";
+
+// src/constants/mcp.ts
+var MCP_SERVER_NAME = "brakit";
+var MCP_SERVER_VERSION = "0.8.0";
+var INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
+var LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
+var CLIENT_FETCH_TIMEOUT_MS = 1e4;
+var HEALTH_CHECK_TIMEOUT_MS = 3e3;
+var DISCOVERY_POLL_INTERVAL_MS = 500;
+var MAX_TIMELINE_EVENTS = 20;
+var MAX_RESOLVED_DISPLAY = 5;
+var ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
+
+// src/mcp/client.ts
+var BrakitClient = class {
+  constructor(baseUrl) {
+    this.baseUrl = baseUrl;
+  }
+  async getRequests(params) {
+    const url = new URL(`${this.baseUrl}${DASHBOARD_API_REQUESTS}`);
+    if (params?.method) url.searchParams.set("method", params.method);
+    if (params?.status) url.searchParams.set("status", params.status);
+    if (params?.search) url.searchParams.set("search", params.search);
+    if (params?.limit) url.searchParams.set("limit", String(params.limit));
+    if (params?.offset) url.searchParams.set("offset", String(params.offset));
+    return this.fetchJson(url);
+  }
+  async getSecurityFindings() {
+    return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_SECURITY}`);
+  }
+  async getInsights() {
+    return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_INSIGHTS}`);
+  }
+  async getQueries(requestId) {
+    const url = new URL(`${this.baseUrl}${DASHBOARD_API_QUERIES}`);
+    if (requestId) url.searchParams.set("requestId", requestId);
+    return this.fetchJson(url);
+  }
+  async getFetches(requestId) {
+    const url = new URL(`${this.baseUrl}${DASHBOARD_API_FETCHES}`);
+    if (requestId) url.searchParams.set("requestId", requestId);
+    return this.fetchJson(url);
+  }
+  async getErrors() {
+    return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_ERRORS}`);
+  }
+  async getActivity(requestId) {
+    const url = new URL(`${this.baseUrl}${DASHBOARD_API_ACTIVITY}`);
+    url.searchParams.set("requestId", requestId);
+    return this.fetchJson(url);
+  }
+  async getLiveMetrics() {
+    return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_METRICS_LIVE}`);
+  }
+  async getFindings(state) {
+    const url = new URL(`${this.baseUrl}${DASHBOARD_API_FINDINGS}`);
+    if (state) url.searchParams.set("state", state);
+    return this.fetchJson(url);
+  }
+  async clearAll() {
+    const res = await fetch(`${this.baseUrl}${DASHBOARD_API_CLEAR}`, {
+      method: "POST",
+      signal: AbortSignal.timeout(CLIENT_FETCH_TIMEOUT_MS)
+    });
+    return res.ok;
+  }
+  async isAlive() {
+    try {
+      const res = await fetch(`${this.baseUrl}${DASHBOARD_API_REQUESTS}?limit=1`, {
+        signal: AbortSignal.timeout(HEALTH_CHECK_TIMEOUT_MS)
+      });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  async fetchJson(url) {
+    const res = await fetch(url.toString(), {
+      signal: AbortSignal.timeout(CLIENT_FETCH_TIMEOUT_MS)
+    });
+    if (!res.ok) {
+      throw new Error(`Brakit API error: ${res.status} ${res.statusText}`);
+    }
+    return res.json();
+  }
+};
+
+// src/mcp/discovery.ts
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+
+// src/constants/metrics.ts
+var PORT_FILE = ".brakit/port";
+
+// src/mcp/discovery.ts
+function discoverBrakitPort(cwd) {
+  const root = cwd ?? process.cwd();
+  const portPath = resolve(root, PORT_FILE);
+  if (!existsSync(portPath)) {
+    throw new Error(
+      `Brakit is not running. No port file found at ${portPath}.
+Start your app with brakit enabled first.`
+    );
+  }
+  const raw = readFileSync(portPath, "utf-8").trim();
+  const port = parseInt(raw, 10);
+  if (isNaN(port) || port < 1 || port > 65535) {
+    throw new Error(`Invalid port in ${portPath}: "${raw}"`);
+  }
+  return { port, baseUrl: `http://localhost:${port}` };
+}
+async function waitForBrakit(cwd, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTERVAL_MS) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      const result = discoverBrakitPort(cwd);
+      const res = await fetch(`${result.baseUrl}${DASHBOARD_API_REQUESTS}?limit=1`);
+      if (res.ok) return result;
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, pollMs));
+  }
+  throw new Error(
+    "Timed out waiting for Brakit to start. Is your app running with brakit enabled?"
+  );
+}
+
+// src/mcp/enrichment.ts
+import { createHash as createHash2 } from "crypto";
+
+// src/store/finding-id.ts
+import { createHash } from "crypto";
+function computeFindingId(finding) {
+  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
+  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+}
+
+// src/utils/endpoint.ts
+function parseEndpointKey(endpoint) {
+  const spaceIdx = endpoint.indexOf(" ");
+  if (spaceIdx > 0) {
+    return { method: endpoint.slice(0, spaceIdx), path: endpoint.slice(spaceIdx + 1) };
+  }
+  return { path: endpoint };
+}
+
+// src/mcp/enrichment.ts
+function computeInsightId(type, endpoint, desc) {
+  const key = `${type}:${endpoint}:${desc}`;
+  return createHash2("sha256").update(key).digest("hex").slice(0, 16);
+}
+async function enrichFindings(client) {
+  const [securityData, insightsData] = await Promise.all([
+    client.getSecurityFindings(),
+    client.getInsights()
+  ]);
+  const enriched = [];
+  for (const f of securityData.findings) {
+    let context = "";
+    try {
+      const { path } = parseEndpointKey(f.endpoint);
+      const reqData = await client.getRequests({ search: path, limit: 1 });
+      if (reqData.requests.length > 0) {
+        const req = reqData.requests[0];
+        if (req.id) {
+          const activity = await client.getActivity(req.id);
+          const queryCount = activity.counts?.queries ?? 0;
+          const fetchCount = activity.counts?.fetches ?? 0;
+          context = `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+        }
+      }
+    } catch {
+      context = "(context unavailable)";
+    }
+    enriched.push({
+      findingId: computeFindingId(f),
+      severity: f.severity,
+      title: f.title,
+      endpoint: f.endpoint,
+      description: f.desc,
+      hint: f.hint,
+      occurrences: f.count,
+      context
+    });
+  }
+  for (const i of insightsData.insights) {
+    if (!ENRICHMENT_SEVERITY_FILTER.includes(i.severity)) continue;
+    const endpoint = i.nav ?? "global";
+    enriched.push({
+      findingId: computeInsightId(i.type, endpoint, i.desc),
+      severity: i.severity,
+      title: i.title,
+      endpoint,
+      description: i.desc,
+      hint: i.hint,
+      occurrences: 1,
+      context: i.detail ?? ""
+    });
+  }
+  return enriched;
+}
+async function enrichEndpoints(client, sortBy) {
+  const data = await client.getLiveMetrics();
+  const endpoints = data.endpoints.map((ep) => ({
+    ...ep.summary,
+    endpoint: ep.endpoint
+  }));
+  if (sortBy === "error_rate") {
+    endpoints.sort((a, b) => b.errorRate - a.errorRate);
+  } else if (sortBy === "query_count") {
+    endpoints.sort((a, b) => b.avgQueryCount - a.avgQueryCount);
+  } else if (sortBy === "requests") {
+    endpoints.sort((a, b) => b.totalRequests - a.totalRequests);
+  }
+  return endpoints;
+}
+async function enrichRequestDetail(client, opts) {
+  if (opts.requestId) {
+    const data = await client.getRequests({ search: opts.requestId, limit: 1 });
+    if (data.requests.length > 0) {
+      return buildRequestDetail(client, data.requests[0].id);
+    }
+  } else if (opts.endpoint) {
+    const { method, path } = parseEndpointKey(opts.endpoint);
+    const data = await client.getRequests({ method, search: path, limit: 1 });
+    if (data.requests.length > 0) {
+      return buildRequestDetail(client, data.requests[0].id);
+    }
+  }
+  return null;
+}
+async function buildRequestDetail(client, requestId) {
+  const [reqData, activity, queries, fetches] = await Promise.all([
+    client.getRequests({ search: requestId, limit: 1 }),
+    client.getActivity(requestId),
+    client.getQueries(requestId),
+    client.getFetches(requestId)
+  ]);
+  const req = reqData.requests[0];
+  return {
+    id: requestId,
+    method: req.method,
+    url: req.url,
+    statusCode: req.statusCode,
+    durationMs: req.durationMs,
+    queries: queries.entries,
+    fetches: fetches.entries,
+    timeline: activity.timeline
+  };
+}
+
+// src/mcp/tools/get-findings.ts
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
+var VALID_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+var getFindings = {
+  name: "get_findings",
+  description: "Get all security findings and performance insights from the running app. Returns enriched findings with actionable fix hints, endpoint context, and evidence. Use this to understand what issues exist in the running application.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      severity: {
+        type: "string",
+        enum: ["critical", "warning"],
+        description: "Filter by severity level"
+      },
+      state: {
+        type: "string",
+        enum: ["open", "fixing", "resolved"],
+        description: "Filter by finding state (from finding lifecycle)"
+      }
+    }
+  },
+  async handler(client, args) {
+    const severity = args.severity;
+    const state = args.state;
+    if (severity && !VALID_SEVERITIES.has(severity)) {
+      return { content: [{ type: "text", text: `Invalid severity "${severity}". Use: critical, warning.` }], isError: true };
+    }
+    if (state && !VALID_STATES.has(state)) {
+      return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved.` }], isError: true };
+    }
+    let findings = await enrichFindings(client);
+    if (severity) {
+      findings = findings.filter((f) => f.severity === severity);
+    }
+    if (state) {
+      const stateful = await client.getFindings(state);
+      const statefulIds = new Set(stateful.findings.map((f) => f.findingId));
+      findings = findings.filter((f) => statefulIds.has(f.findingId));
+    }
+    if (findings.length === 0) {
+      return { content: [{ type: "text", text: "No findings detected. The application looks healthy." }] };
+    }
+    const lines = [`Found ${findings.length} issue(s):
+`];
+    for (const f of findings) {
+      lines.push(`[${f.severity.toUpperCase()}] ${f.title}`);
+      lines.push(`  Endpoint: ${f.endpoint}`);
+      lines.push(`  Issue: ${f.description}`);
+      if (f.context) lines.push(`  Context: ${f.context}`);
+      lines.push(`  Fix: ${f.hint}`);
+      lines.push("");
+    }
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+};
+
+// src/mcp/tools/get-endpoints.ts
+var VALID_SORT_KEYS = /* @__PURE__ */ new Set(["p95", "error_rate", "query_count", "requests"]);
+var getEndpoints = {
+  name: "get_endpoints",
+  description: "Get a summary of all observed API endpoints with performance stats. Shows p95 latency, error rate, query count, and time breakdown for each endpoint. Use this to identify which endpoints need attention.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      sort_by: {
+        type: "string",
+        enum: ["p95", "error_rate", "query_count", "requests"],
+        description: "Sort endpoints by this metric (default: p95 latency)"
+      }
+    }
+  },
+  async handler(client, args) {
+    const sortBy = args.sort_by;
+    if (sortBy && !VALID_SORT_KEYS.has(sortBy)) {
+      return { content: [{ type: "text", text: `Invalid sort_by "${sortBy}". Use: p95, error_rate, query_count, requests.` }], isError: true };
+    }
+    const endpoints = await enrichEndpoints(client, sortBy);
+    if (endpoints.length === 0) {
+      return {
+        content: [{ type: "text", text: "No endpoints observed yet. Make some requests to your app first." }]
+      };
+    }
+    const lines = [`${endpoints.length} endpoint(s) observed:
+`];
+    for (const ep of endpoints) {
+      lines.push(`${ep.endpoint}`);
+      lines.push(`  p95: ${ep.p95Ms}ms | Errors: ${(ep.errorRate * 100).toFixed(1)}% | Queries: ${ep.avgQueryCount}/req | Requests: ${ep.totalRequests}`);
+      lines.push(`  Time breakdown: DB ${ep.avgQueryTimeMs}ms + Fetch ${ep.avgFetchTimeMs}ms + App ${ep.avgAppTimeMs}ms`);
+      lines.push("");
+    }
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+};
+
+// src/mcp/tools/get-request-detail.ts
+var getRequestDetail = {
+  name: "get_request_detail",
+  description: "Get full details of a specific HTTP request including all DB queries it fired, all fetches it made, the response, and a timeline of events. Use this to deeply understand what happens when a specific endpoint is hit.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      request_id: {
+        type: "string",
+        description: "The specific request ID to look up"
+      },
+      endpoint: {
+        type: "string",
+        description: "Alternatively, get the latest request for an endpoint like 'GET /api/users'"
+      }
+    }
+  },
+  async handler(client, args) {
+    const requestId = args.request_id;
+    const endpoint = args.endpoint;
+    if (!requestId && !endpoint) {
+      return {
+        content: [{ type: "text", text: "Please provide either a request_id or an endpoint (e.g. 'GET /api/users')." }]
+      };
+    }
+    const detail = await enrichRequestDetail(client, { requestId, endpoint });
+    if (!detail) {
+      return {
+        content: [{ type: "text", text: `No request found for ${requestId ?? endpoint}.` }]
+      };
+    }
+    const lines = [
+      `Request: ${detail.method} ${detail.url}`,
+      `Status: ${detail.statusCode}`,
+      `Duration: ${detail.durationMs}ms`,
+      ""
+    ];
+    if (detail.queries.length > 0) {
+      lines.push(`DB Queries (${detail.queries.length}):`);
+      for (const q of detail.queries) {
+        const sql = q.sql ?? `${q.operation} ${q.table ?? q.model ?? ""}`;
+        lines.push(`  [${q.durationMs}ms] ${sql}`);
+      }
+      lines.push("");
+    }
+    if (detail.fetches.length > 0) {
+      lines.push(`Outgoing Fetches (${detail.fetches.length}):`);
+      for (const f of detail.fetches) {
+        lines.push(`  [${f.durationMs}ms] ${f.method} ${f.url} \u2192 ${f.statusCode}`);
+      }
+      lines.push("");
+    }
+    if (detail.timeline.length > 0) {
+      lines.push(`Timeline (${detail.timeline.length} events):`);
+      for (const event of detail.timeline.slice(0, MAX_TIMELINE_EVENTS)) {
+        lines.push(`  ${event.type}: ${JSON.stringify(event.data)}`);
+      }
+      if (detail.timeline.length > MAX_TIMELINE_EVENTS) {
+        lines.push(`  ... and ${detail.timeline.length - MAX_TIMELINE_EVENTS} more events`);
+      }
+    }
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+};
+
+// src/mcp/tools/verify-fix.ts
+var verifyFix = {
+  name: "verify_fix",
+  description: "Verify whether a previously found security or performance issue has been resolved. After you fix code, the user should trigger the endpoint again, then call this tool to check if the finding still appears in Brakit's analysis.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      finding_id: {
+        type: "string",
+        description: "The finding ID to verify"
+      },
+      endpoint: {
+        type: "string",
+        description: "Alternatively, check if a specific endpoint still has issues (e.g. 'GET /api/users')"
+      }
+    }
+  },
+  async handler(client, args) {
+    const findingId = args.finding_id;
+    const endpoint = args.endpoint;
+    if (findingId !== void 0 && findingId.trim() === "") {
+      return { content: [{ type: "text", text: "finding_id cannot be empty." }], isError: true };
+    }
+    if (endpoint !== void 0 && endpoint.trim() === "") {
+      return { content: [{ type: "text", text: "endpoint cannot be empty." }], isError: true };
+    }
+    if (findingId) {
+      const data = await client.getFindings();
+      const finding = data.findings.find((f) => f.findingId === findingId);
+      if (!finding) {
+        return {
+          content: [{
+            type: "text",
+            text: `Finding ${findingId} not found. It may have already been resolved and cleaned up.`
+          }]
+        };
+      }
+      if (finding.state === "resolved") {
+        return {
+          content: [{
+            type: "text",
+            text: `RESOLVED: "${finding.finding.title}" on ${finding.finding.endpoint} is no longer detected. The fix worked.`
+          }]
+        };
+      }
+      return {
+        content: [{
+          type: "text",
+          text: [
+            `STILL PRESENT: "${finding.finding.title}" on ${finding.finding.endpoint}`,
+            `  State: ${finding.state}`,
+            `  Last seen: ${new Date(finding.lastSeenAt).toISOString()}`,
+            `  Occurrences: ${finding.occurrences}`,
+            `  Issue: ${finding.finding.desc}`,
+            `  Hint: ${finding.finding.hint}`,
+            "",
+            "Make sure the user has triggered the endpoint again after the fix, so Brakit can re-analyze."
+          ].join("\n")
+        }]
+      };
+    }
+    if (endpoint) {
+      const data = await client.getFindings();
+      const endpointFindings = data.findings.filter(
+        (f) => f.finding.endpoint === endpoint || f.finding.endpoint.endsWith(` ${endpoint}`)
+      );
+      if (endpointFindings.length === 0) {
+        return {
+          content: [{
+            type: "text",
+            text: `No findings found for endpoint "${endpoint}". Either it's clean or it hasn't been analyzed yet.`
+          }]
+        };
+      }
+      const open = endpointFindings.filter((f) => f.state === "open");
+      const resolved = endpointFindings.filter((f) => f.state === "resolved");
+      const lines = [
+        `Endpoint: ${endpoint}`,
+        `Open issues: ${open.length}`,
+        `Resolved: ${resolved.length}`,
+        ""
+      ];
+      for (const f of open) {
+        lines.push(`  [${f.finding.severity}] ${f.finding.title}: ${f.finding.desc}`);
+      }
+      for (const f of resolved) {
+        lines.push(`  [resolved] ${f.finding.title}`);
+      }
+      return { content: [{ type: "text", text: lines.join("\n") }] };
+    }
+    return {
+      content: [{
+        type: "text",
+        text: "Please provide either a finding_id or an endpoint to verify."
+      }]
+    };
+  }
+};
+
+// src/mcp/tools/get-report.ts
+var getReport = {
+  name: "get_report",
+  description: "Generate a summary report of all findings: total found, open, resolved. Use this to get a high-level overview of the application's health.",
+  inputSchema: {
+    type: "object",
+    properties: {}
+  },
+  async handler(client, _args) {
+    const [findingsData, securityData, insightsData, metricsData] = await Promise.all([
+      client.getFindings(),
+      client.getSecurityFindings(),
+      client.getInsights(),
+      client.getLiveMetrics()
+    ]);
+    const findings = findingsData.findings;
+    const open = findings.filter((f) => f.state === "open");
+    const resolved = findings.filter((f) => f.state === "resolved");
+    const fixing = findings.filter((f) => f.state === "fixing");
+    const criticalOpen = open.filter((f) => f.finding.severity === "critical");
+    const warningOpen = open.filter((f) => f.finding.severity === "warning");
+    const totalRequests = metricsData.endpoints.reduce(
+      (s, ep) => s + ep.summary.totalRequests,
+      0
+    );
+    const lines = [
+      "=== Brakit Report ===",
+      "",
+      `Endpoints observed: ${metricsData.endpoints.length}`,
+      `Total requests captured: ${totalRequests}`,
+      `Active security rules: ${securityData.findings.length} finding(s)`,
+      `Performance insights: ${insightsData.insights.length} insight(s)`,
+      "",
+      "--- Finding Summary ---",
+      `Total: ${findings.length}`,
+      `  Open: ${open.length} (${criticalOpen.length} critical, ${warningOpen.length} warning)`,
+      `  In progress: ${fixing.length}`,
+      `  Resolved: ${resolved.length}`
+    ];
+    if (criticalOpen.length > 0) {
+      lines.push("");
+      lines.push("--- Critical Issues (fix first) ---");
+      for (const f of criticalOpen) {
+        lines.push(`  [CRITICAL] ${f.finding.title} \u2014 ${f.finding.endpoint}`);
+        lines.push(`    ${f.finding.desc}`);
+        lines.push(`    Fix: ${f.finding.hint}`);
+      }
+    }
+    if (resolved.length > 0) {
+      lines.push("");
+      lines.push("--- Recently Resolved ---");
+      for (const f of resolved.slice(0, MAX_RESOLVED_DISPLAY)) {
+        lines.push(`  \u2713 ${f.finding.title} \u2014 ${f.finding.endpoint}`);
+      }
+      if (resolved.length > MAX_RESOLVED_DISPLAY) {
+        lines.push(`  ... and ${resolved.length - MAX_RESOLVED_DISPLAY} more`);
+      }
+    }
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+};
+
+// src/mcp/tools/clear-findings.ts
+var clearFindings = {
+  name: "clear_findings",
+  description: "Reset finding history for a fresh session. Use this when you want to start tracking findings from scratch.",
+  inputSchema: {
+    type: "object",
+    properties: {}
+  },
+  async handler(client, _args) {
+    const ok = await client.clearAll();
+    if (!ok) {
+      return {
+        content: [{ type: "text", text: "Failed to clear findings. Is the app still running?" }]
+      };
+    }
+    return {
+      content: [{ type: "text", text: "All findings and captured data have been cleared. Start making requests to capture fresh data." }]
+    };
+  }
+};
+
+// src/mcp/tools/index.ts
+var TOOL_MAP = new Map(
+  [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings].map((t) => [t.name, t])
+);
+function getToolDefinitions() {
+  return [...TOOL_MAP.values()].map((t) => ({
+    name: t.name,
+    description: t.description,
+    inputSchema: t.inputSchema
+  }));
+}
+function handleToolCall(client, name, args) {
+  const tool = TOOL_MAP.get(name);
+  if (!tool) {
+    return Promise.resolve({
+      content: [{ type: "text", text: `Unknown tool: ${name}` }],
+      isError: true
+    });
+  }
+  return tool.handler(client, args);
+}
+
+// src/mcp/prompts.ts
+var PROMPTS = [
+  {
+    name: "check-app",
+    description: "Check your running app for security vulnerabilities and performance issues"
+  },
+  {
+    name: "fix-findings",
+    description: "Find all open brakit findings and fix them one by one"
+  }
+];
+var PROMPT_MESSAGES = {
+  "check-app": [
+    "Check my running app for security and performance issues using brakit.",
+    "First get all findings, then get the endpoint summary.",
+    "For any critical or warning findings, get the request detail to understand the root cause.",
+    "Give me a clear report of what's wrong and offer to fix each issue."
+  ].join(" "),
+  "fix-findings": [
+    "Get all open brakit findings.",
+    "For each finding, get the request detail to understand the exact issue.",
+    "Then find the source code responsible and fix it.",
+    "After fixing, ask me to re-trigger the endpoint so you can verify the fix with brakit."
+  ].join(" ")
+};
+
+// src/mcp/server.ts
+async function startMcpServer() {
+  let discovery;
+  try {
+    discovery = await waitForBrakit(void 0, INITIAL_DISCOVERY_TIMEOUT_MS);
+  } catch {
+    discovery = null;
+  }
+  let cachedClient = discovery ? new BrakitClient(discovery.baseUrl) : null;
+  const server = new Server(
+    { name: MCP_SERVER_NAME, version: MCP_SERVER_VERSION },
+    { capabilities: { tools: {}, prompts: {} } }
+  );
+  server.setRequestHandler(ListPromptsRequestSchema, async () => ({
+    prompts: [...PROMPTS]
+  }));
+  server.setRequestHandler(GetPromptRequestSchema, async (request) => ({
+    description: PROMPTS.find((p) => p.name === request.params.name)?.description,
+    messages: [{
+      role: "user",
+      content: {
+        type: "text",
+        text: PROMPT_MESSAGES[request.params.name] ?? "Check my app for issues."
+      }
+    }]
+  }));
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: getToolDefinitions()
+  }));
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    let activeClient = cachedClient;
+    if (!activeClient) {
+      try {
+        const disc = await waitForBrakit(void 0, LAZY_DISCOVERY_TIMEOUT_MS);
+        activeClient = new BrakitClient(disc.baseUrl);
+        cachedClient = activeClient;
+      } catch {
+        return {
+          content: [{
+            type: "text",
+            text: "Brakit is not running. Start your app with brakit enabled first."
+          }],
+          isError: true
+        };
+      }
+    }
+    const alive = await activeClient.isAlive();
+    if (!alive) {
+      return {
+        content: [{
+          type: "text",
+          text: "Brakit appears to be down. Is your app still running?"
+        }],
+        isError: true
+      };
+    }
+    try {
+      return await handleToolCall(activeClient, name, args ?? {});
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [{
+          type: "text",
+          text: `Error calling ${name}: ${message}`
+        }],
+        isError: true
+      };
+    }
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+export {
+  startMcpServer
+};