brakit 0.8.0 → 0.8.2

package/dist/api.js

@@ -1,20 +1,12 @@
 // src/store/finding-store.ts
-import {
-  readFileSync as readFileSync2,
-  writeFileSync as writeFileSync2,
-  existsSync as existsSync2,
-  mkdirSync as mkdirSync2,
-  renameSync
-} from "fs";
-import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
+import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
 import { resolve as resolve2 } from "path";
 
 // src/constants/routes.ts
 var DASHBOARD_PREFIX = "/__brakit";
 
 // src/constants/limits.ts
-var MAX_REQUEST_ENTRIES = 1e3;
-var MAX_TELEMETRY_ENTRIES = 1e3;
+var MAX_INGEST_BYTES = 10 * 1024 * 1024;
 
 // src/constants/thresholds.ts
 var FLOW_GAP_MS = 5e3;
@@ -43,12 +35,34 @@ var QUERY_COUNT_REGRESSION_RATIO = 1.5;
 var OVERFETCH_MANY_FIELDS = 12;
 var OVERFETCH_UNWRAP_MIN_SIZE = 3;
 var MAX_DUPLICATE_INSIGHTS = 3;
+var INSIGHT_WINDOW_PER_ENDPOINT = 2;
+var RESOLVE_AFTER_ABSENCES = 3;
+var RESOLVED_INSIGHT_TTL_MS = 18e5;
 
 // src/constants/metrics.ts
 var METRICS_DIR = ".brakit";
 var FINDINGS_FILE = ".brakit/findings.json";
 var FINDINGS_FLUSH_INTERVAL_MS = 1e4;
 
+// src/constants/severity.ts
+var SEVERITY_CRITICAL = "critical";
+var SEVERITY_WARNING = "warning";
+var SEVERITY_INFO = "info";
+var SEVERITY_ICON_MAP = {
+  [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
+  [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
+  [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
+};
+
+// src/utils/atomic-writer.ts
+import {
+  writeFileSync as writeFileSync2,
+  existsSync as existsSync2,
+  mkdirSync as mkdirSync2,
+  renameSync
+} from "fs";
+import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
+
 // src/utils/fs.ts
 import { access } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
@@ -75,6 +89,70 @@ function ensureGitignore(dir, entry) {
   }
 }
 
+// src/utils/log.ts
+var PREFIX = "[brakit]";
+function brakitWarn(message) {
+  process.stderr.write(`${PREFIX} ${message}
+`);
+}
+
+// src/utils/atomic-writer.ts
+var AtomicWriter = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.tmpPath = opts.filePath + ".tmp";
+  }
+  tmpPath;
+  writing = false;
+  pendingContent = null;
+  writeSync(content) {
+    try {
+      this.ensureDir();
+      writeFileSync2(this.tmpPath, content);
+      renameSync(this.tmpPath, this.opts.filePath);
+    } catch (err) {
+      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+    }
+  }
+  async writeAsync(content) {
+    if (this.writing) {
+      this.pendingContent = content;
+      return;
+    }
+    this.writing = true;
+    try {
+      await this.ensureDirAsync();
+      await writeFile2(this.tmpPath, content);
+      await rename(this.tmpPath, this.opts.filePath);
+    } catch (err) {
+      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+    } finally {
+      this.writing = false;
+      if (this.pendingContent !== null) {
+        const next = this.pendingContent;
+        this.pendingContent = null;
+        this.writeAsync(next);
+      }
+    }
+  }
+  ensureDir() {
+    if (!existsSync2(this.opts.dir)) {
+      mkdirSync2(this.opts.dir, { recursive: true });
+      if (this.opts.gitignoreEntry) {
+        ensureGitignore(this.opts.dir, this.opts.gitignoreEntry);
+      }
+    }
+  }
+  async ensureDirAsync() {
+    if (!existsSync2(this.opts.dir)) {
+      await mkdir(this.opts.dir, { recursive: true });
+      if (this.opts.gitignoreEntry) {
+        ensureGitignore(this.opts.dir, this.opts.gitignoreEntry);
+      }
+    }
+  }
+};
+
 // src/store/finding-id.ts
 import { createHash } from "crypto";
 function computeFindingId(finding) {
@@ -86,18 +164,21 @@ function computeFindingId(finding) {
 var FindingStore = class {
   constructor(rootDir) {
     this.rootDir = rootDir;
-    this.metricsDir = resolve2(rootDir, METRICS_DIR);
+    const metricsDir = resolve2(rootDir, METRICS_DIR);
     this.findingsPath = resolve2(rootDir, FINDINGS_FILE);
-    this.tmpPath = this.findingsPath + ".tmp";
+    this.writer = new AtomicWriter({
+      dir: metricsDir,
+      filePath: this.findingsPath,
+      gitignoreEntry: METRICS_DIR,
+      label: "findings"
+    });
     this.load();
   }
   findings = /* @__PURE__ */ new Map();
   flushTimer = null;
   dirty = false;
-  writing = false;
+  writer;
   findingsPath;
-  tmpPath;
-  metricsDir;
   start() {
     this.flushTimer = setInterval(
       () => this.flush(),
@@ -151,6 +232,15 @@ var FindingStore = class {
     this.dirty = true;
     return true;
   }
+  /**
+   * Reconcile passive findings against the current analysis results.
+   *
+   * Passive findings are detected by continuous scanning (not user-triggered).
+   * When a previously-seen finding is absent from the current results, it means
+   * the issue has been fixed — transition it to "resolved" automatically.
+   * Active findings (from MCP verify-fix) are not auto-resolved because they
+   * require explicit verification.
+   */
   reconcilePassive(currentFindings) {
     const currentIds = new Set(currentFindings.map(computeFindingId));
     for (const [id, stateful] of this.findings) {
@@ -176,7 +266,7 @@ var FindingStore = class {
   }
   load() {
     try {
-      if (existsSync2(this.findingsPath)) {
+      if (existsSync3(this.findingsPath)) {
         const raw = readFileSync2(this.findingsPath, "utf-8");
         const parsed = JSON.parse(raw);
         if (parsed?.version === 1 && Array.isArray(parsed.findings)) {
@@ -190,56 +280,20 @@ var FindingStore = class {
   }
   flush() {
     if (!this.dirty) return;
-    this.writeAsync();
+    this.writer.writeAsync(this.serialize());
+    this.dirty = false;
   }
   flushSync() {
     if (!this.dirty) return;
-    try {
-      this.ensureDir();
-      const data = {
-        version: 1,
-        findings: [...this.findings.values()]
-      };
-      writeFileSync2(this.tmpPath, JSON.stringify(data));
-      renameSync(this.tmpPath, this.findingsPath);
-      this.dirty = false;
-    } catch (err) {
-      process.stderr.write(
-        `[brakit] failed to save findings: ${err.message}
-`
-      );
-    }
+    this.writer.writeSync(this.serialize());
+    this.dirty = false;
   }
-  async writeAsync() {
-    if (this.writing) return;
-    this.writing = true;
-    try {
-      if (!existsSync2(this.metricsDir)) {
-        await mkdir(this.metricsDir, { recursive: true });
-        ensureGitignore(this.metricsDir, METRICS_DIR);
-      }
-      const data = {
-        version: 1,
-        findings: [...this.findings.values()]
-      };
-      await writeFile2(this.tmpPath, JSON.stringify(data));
-      await rename(this.tmpPath, this.findingsPath);
-      this.dirty = false;
-    } catch (err) {
-      process.stderr.write(
-        `[brakit] failed to save findings: ${err.message}
-`
-      );
-    } finally {
-      this.writing = false;
-      if (this.dirty) this.writeAsync();
-    }
-  }
-  ensureDir() {
-    if (!existsSync2(this.metricsDir)) {
-      mkdirSync2(this.metricsDir, { recursive: true });
-      ensureGitignore(this.metricsDir, METRICS_DIR);
-    }
+  serialize() {
+    const data = {
+      version: 1,
+      findings: [...this.findings.values()]
+    };
+    return JSON.stringify(data);
   }
 };
 
@@ -825,166 +879,20 @@ function createDefaultScanner() {
   return scanner;
 }
 
-// src/utils/static-patterns.ts
-var STATIC_PATTERNS = [
-  /^\/_next\//,
-  /\.(?:js|css|map|ico|png|jpg|jpeg|gif|svg|webp|woff2?|ttf|eot)$/,
-  /^\/favicon/,
-  /^\/__nextjs/
-];
-function isStaticPath(urlPath) {
-  return STATIC_PATTERNS.some((p) => p.test(urlPath));
-}
-
-// src/store/request-store.ts
-function flattenHeaders(headers) {
-  const flat = {};
-  for (const [key, value] of Object.entries(headers)) {
-    if (value === void 0) continue;
-    flat[key] = Array.isArray(value) ? value.join(", ") : value;
-  }
-  return flat;
-}
-var RequestStore = class {
-  constructor(maxEntries = MAX_REQUEST_ENTRIES) {
-    this.maxEntries = maxEntries;
-  }
-  requests = [];
-  listeners = [];
-  capture(input) {
-    const url = input.url;
-    const path = url.split("?")[0];
-    let requestBodyStr = null;
-    if (input.requestBody && input.requestBody.length > 0) {
-      requestBodyStr = input.requestBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
-    }
-    let responseBodyStr = null;
-    if (input.responseBody && input.responseBody.length > 0) {
-      const ct = input.responseContentType;
-      if (ct.includes("json") || ct.includes("text") || ct.includes("html")) {
-        responseBodyStr = input.responseBody.subarray(0, input.config.maxBodyCapture).toString("utf-8");
-      }
-    }
-    const entry = {
-      id: input.requestId,
-      method: input.method,
-      url,
-      path,
-      headers: flattenHeaders(input.requestHeaders),
-      requestBody: requestBodyStr,
-      statusCode: input.statusCode,
-      responseHeaders: flattenHeaders(input.responseHeaders),
-      responseBody: responseBodyStr,
-      startedAt: input.startTime,
-      durationMs: Math.round((input.endTime ?? performance.now()) - input.startTime),
-      responseSize: input.responseBody?.length ?? 0,
-      isStatic: isStaticPath(path)
-    };
-    this.requests.push(entry);
-    if (this.requests.length > this.maxEntries) {
-      this.requests.shift();
-    }
-    for (const fn of this.listeners) {
-      fn(entry);
-    }
-    return entry;
-  }
-  getAll() {
-    return this.requests;
-  }
-  clear() {
-    this.requests.length = 0;
+// src/core/disposable.ts
+var SubscriptionBag = class {
+  items = [];
+  add(teardown) {
+    this.items.push(typeof teardown === "function" ? { dispose: teardown } : teardown);
   }
-  onRequest(fn) {
-    this.listeners.push(fn);
-  }
-  offRequest(fn) {
-    const idx = this.listeners.indexOf(fn);
-    if (idx !== -1) this.listeners.splice(idx, 1);
+  dispose() {
+    for (const d of this.items) d.dispose();
+    this.items.length = 0;
   }
 };
 
-// src/store/request-log.ts
-var defaultStore = new RequestStore();
-var getRequests = () => defaultStore.getAll();
-var onRequest = (fn) => defaultStore.onRequest(fn);
-var offRequest = (fn) => defaultStore.offRequest(fn);
-
-// src/store/telemetry-store.ts
-import { randomUUID } from "crypto";
-var TelemetryStore = class {
-  constructor(maxEntries = MAX_TELEMETRY_ENTRIES) {
-    this.maxEntries = maxEntries;
-  }
-  entries = [];
-  listeners = [];
-  add(data) {
-    const entry = { id: randomUUID(), ...data };
-    this.entries.push(entry);
-    if (this.entries.length > this.maxEntries) this.entries.shift();
-    for (const fn of this.listeners) fn(entry);
-    return entry;
-  }
-  getAll() {
-    return this.entries;
-  }
-  getByRequest(requestId) {
-    return this.entries.filter((e) => e.parentRequestId === requestId);
-  }
-  clear() {
-    this.entries.length = 0;
-  }
-  onEntry(fn) {
-    this.listeners.push(fn);
-  }
-  offEntry(fn) {
-    const idx = this.listeners.indexOf(fn);
-    if (idx !== -1) this.listeners.splice(idx, 1);
-  }
-};
-
-// src/store/fetch-store.ts
-var FetchStore = class extends TelemetryStore {
-};
-var defaultFetchStore = new FetchStore();
-
-// src/store/log-store.ts
-var LogStore = class extends TelemetryStore {
-};
-var defaultLogStore = new LogStore();
-
-// src/store/error-store.ts
-var ErrorStore = class extends TelemetryStore {
-};
-var defaultErrorStore = new ErrorStore();
-
-// src/store/query-store.ts
-var QueryStore = class extends TelemetryStore {
-};
-var defaultQueryStore = new QueryStore();
-
-// src/store/metrics/metrics-store.ts
-import { randomUUID as randomUUID2 } from "crypto";
-
-// src/utils/endpoint.ts
-function getEndpointKey(method, path) {
-  return `${method} ${path}`;
-}
-
-// src/store/metrics/persistence.ts
-import {
-  readFileSync as readFileSync3,
-  writeFileSync as writeFileSync3,
-  mkdirSync as mkdirSync3,
-  existsSync as existsSync3,
-  unlinkSync,
-  renameSync as renameSync2
-} from "fs";
-import { writeFile as writeFile3, mkdir as mkdir2, rename as rename2 } from "fs/promises";
-import { resolve as resolve3 } from "path";
-
 // src/analysis/group.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID } from "crypto";
 
 // src/analysis/categorize.ts
 function detectCategory(req) {
@@ -1280,7 +1188,7 @@ function buildFlow(rawRequests) {
   const redundancyPct = nonStaticCount > 0 ? Math.round(duplicateCount / nonStaticCount * 100) : 0;
   const sourcePage = getDominantSourcePage(rawRequests);
   return {
-    id: randomUUID3(),
+    id: randomUUID(),
     label: deriveFlowLabel(requests, sourcePage),
     requests,
     startTime,
@@ -1352,6 +1260,15 @@ function groupBy(items, keyFn) {
   return map;
 }
 
+// src/utils/endpoint.ts
+function getEndpointKey(method, path) {
+  return `${method} ${path}`;
+}
+var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
+function extractEndpointFromDesc(desc) {
+  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
+}
+
 // src/instrument/adapters/normalize.ts
 function normalizeSQL(sql) {
   if (!sql) return { op: "OTHER", table: "" };
@@ -1410,6 +1327,23 @@ function createEndpointGroup() {
     queryShapeDurations: /* @__PURE__ */ new Map()
   };
 }
+function windowByEndpoint(requests) {
+  const byEndpoint = /* @__PURE__ */ new Map();
+  for (const r of requests) {
+    const ep = getEndpointKey(r.method, r.path);
+    let list = byEndpoint.get(ep);
+    if (!list) {
+      list = [];
+      byEndpoint.set(ep, list);
+    }
+    list.push(r);
+  }
+  const windowed = [];
+  for (const [, reqs] of byEndpoint) {
+    windowed.push(...reqs.slice(-INSIGHT_WINDOW_PER_ENDPOINT));
+  }
+  return windowed;
+}
 function prepareContext(ctx) {
   const nonStatic = ctx.requests.filter(
     (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
@@ -1417,8 +1351,9 @@ function prepareContext(ctx) {
   const queriesByReq = groupBy(ctx.queries, (q) => q.parentRequestId);
   const fetchesByReq = groupBy(ctx.fetches, (f) => f.parentRequestId);
   const reqById = new Map(nonStatic.map((r) => [r.id, r]));
+  const recent = windowByEndpoint(nonStatic);
   const endpointGroups = /* @__PURE__ */ new Map();
-  for (const r of nonStatic) {
+  for (const r of recent) {
     const ep = getEndpointKey(r.method, r.path);
     let g = endpointGroups.get(ep);
     if (!g) {
@@ -1990,56 +1925,101 @@ function computeInsights(ctx) {
   return createDefaultInsightRunner().run(ctx);
 }
 
+// src/analysis/insight-tracker.ts
+function computeInsightKey(insight) {
+  const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
+  return `${insight.type}:${identifier}`;
+}
+var InsightTracker = class {
+  tracked = /* @__PURE__ */ new Map();
+  reconcile(current) {
+    const currentKeys = /* @__PURE__ */ new Set();
+    const now = Date.now();
+    for (const insight of current) {
+      const key = computeInsightKey(insight);
+      currentKeys.add(key);
+      const existing = this.tracked.get(key);
+      if (existing) {
+        existing.insight = insight;
+        existing.lastSeenAt = now;
+        existing.consecutiveAbsences = 0;
+        if (existing.state === "resolved") {
+          existing.state = "open";
+          existing.resolvedAt = null;
+        }
+      } else {
+        this.tracked.set(key, {
+          key,
+          state: "open",
+          insight,
+          firstSeenAt: now,
+          lastSeenAt: now,
+          resolvedAt: null,
+          consecutiveAbsences: 0
+        });
+      }
+    }
+    for (const [key, stateful] of this.tracked) {
+      if (stateful.state === "open" && !currentKeys.has(stateful.key)) {
+        stateful.consecutiveAbsences++;
+        if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
+          stateful.state = "resolved";
+          stateful.resolvedAt = now;
+        }
+      } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
+        this.tracked.delete(key);
+      }
+    }
+    return [...this.tracked.values()];
+  }
+  getAll() {
+    return [...this.tracked.values()];
+  }
+  clear() {
+    this.tracked.clear();
+  }
+};
+
 // src/analysis/engine.ts
 var AnalysisEngine = class {
-  constructor(metricsStore, findingStore, debounceMs = 300) {
-    this.metricsStore = metricsStore;
-    this.findingStore = findingStore;
+  constructor(registry, debounceMs = 300) {
+    this.registry = registry;
     this.debounceMs = debounceMs;
     this.scanner = createDefaultScanner();
-    this.boundRequestListener = () => this.scheduleRecompute();
-    this.boundQueryListener = () => this.scheduleRecompute();
-    this.boundErrorListener = () => this.scheduleRecompute();
-    this.boundLogListener = () => this.scheduleRecompute();
   }
   scanner;
+  insightTracker = new InsightTracker();
   cachedInsights = [];
   cachedFindings = [];
+  cachedStatefulInsights = [];
   debounceTimer = null;
-  listeners = [];
-  boundRequestListener;
-  boundQueryListener;
-  boundErrorListener;
-  boundLogListener;
+  subs = new SubscriptionBag();
   start() {
-    onRequest(this.boundRequestListener);
-    defaultQueryStore.onEntry(this.boundQueryListener);
-    defaultErrorStore.onEntry(this.boundErrorListener);
-    defaultLogStore.onEntry(this.boundLogListener);
+    const bus = this.registry.get("event-bus");
+    this.subs.add(bus.on("request:completed", () => this.scheduleRecompute()));
+    this.subs.add(bus.on("telemetry:query", () => this.scheduleRecompute()));
+    this.subs.add(bus.on("telemetry:error", () => this.scheduleRecompute()));
+    this.subs.add(bus.on("telemetry:log", () => this.scheduleRecompute()));
   }
   stop() {
-    offRequest(this.boundRequestListener);
-    defaultQueryStore.offEntry(this.boundQueryListener);
-    defaultErrorStore.offEntry(this.boundErrorListener);
-    defaultLogStore.offEntry(this.boundLogListener);
+    this.subs.dispose();
     if (this.debounceTimer) {
       clearTimeout(this.debounceTimer);
       this.debounceTimer = null;
     }
   }
-  onUpdate(fn) {
-    this.listeners.push(fn);
-  }
-  offUpdate(fn) {
-    const idx = this.listeners.indexOf(fn);
-    if (idx !== -1) this.listeners.splice(idx, 1);
-  }
   getInsights() {
     return this.cachedInsights;
   }
   getFindings() {
     return this.cachedFindings;
   }
+  getStatefulFindings() {
+    return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
+  }
+  getStatefulInsights() {
+    return this.cachedStatefulInsights;
+  }
   scheduleRecompute() {
     if (this.debounceTimer) return;
     this.debounceTimer = setTimeout(() => {
@@ -2048,18 +2028,19 @@ var AnalysisEngine = class {
     }, this.debounceMs);
   }
   recompute() {
-    const requests = getRequests();
-    const queries = defaultQueryStore.getAll();
-    const errors = defaultErrorStore.getAll();
-    const logs = defaultLogStore.getAll();
-    const fetches = defaultFetchStore.getAll();
+    const requests = this.registry.get("request-store").getAll();
+    const queries = this.registry.get("query-store").getAll();
+    const errors = this.registry.get("error-store").getAll();
+    const logs = this.registry.get("log-store").getAll();
+    const fetches = this.registry.get("fetch-store").getAll();
     const flows = groupRequestsIntoFlows(requests);
     this.cachedFindings = this.scanner.scan({ requests, logs });
-    if (this.findingStore) {
+    if (this.registry.has("finding-store")) {
+      const findingStore = this.registry.get("finding-store");
       for (const finding of this.cachedFindings) {
-        this.findingStore.upsert(finding, "passive");
+        findingStore.upsert(finding, "passive");
       }
-      this.findingStore.reconcilePassive(this.cachedFindings);
+      findingStore.reconcilePassive(this.cachedFindings);
     }
     this.cachedInsights = computeInsights({
       requests,
@@ -2067,20 +2048,22 @@ var AnalysisEngine = class {
       errors,
       flows,
       fetches,
-      previousMetrics: this.metricsStore.getAll(),
+      previousMetrics: this.registry.get("metrics-store").getAll(),
       securityFindings: this.cachedFindings
     });
-    for (const fn of this.listeners) {
-      try {
-        fn(this.cachedInsights, this.cachedFindings);
-      } catch {
-      }
-    }
+    this.cachedStatefulInsights = this.insightTracker.reconcile(this.cachedInsights);
+    const update = {
+      insights: this.cachedInsights,
+      findings: this.cachedFindings,
+      statefulFindings: this.getStatefulFindings(),
+      statefulInsights: this.cachedStatefulInsights
+    };
+    this.registry.get("event-bus").emit("analysis:updated", update);
   }
 };
 
 // src/index.ts
-var VERSION = "0.8.0";
+var VERSION = "0.8.2";
 export {
   AdapterRegistry,
   AnalysisEngine,