brakit 0.8.4 → 0.8.5

package/dist/api.d.ts

@@ -1,6 +1,6 @@
 import { IncomingHttpHeaders } from 'node:http';
 
-type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE" | "HEAD" | "OPTIONS" | (string & {});
+type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE" | "HEAD" | "OPTIONS";
 type FlatHeaders = Record<string, string>;
 interface TracedRequest {
     id: string;
@@ -19,7 +19,7 @@ interface TracedRequest {
 }
 type RequestListener = (req: TracedRequest) => void;
 
-type Framework = "nextjs" | "remix" | "nuxt" | "vite" | "astro" | "custom" | "unknown";
+type Framework = "nextjs" | "remix" | "nuxt" | "vite" | "astro" | "flask" | "fastapi" | "django" | "custom" | "unknown";
 interface DetectedProject {
     framework: Framework;
     devCommand: string;
@@ -79,7 +79,7 @@ interface TracedError extends TelemetryEntry {
 }
 type NormalizedOp = "SELECT" | "INSERT" | "UPDATE" | "DELETE" | "OTHER";
 interface TracedQuery extends TelemetryEntry {
-    driver: "pg" | "mysql2" | "prisma" | string;
+    driver: "pg" | "mysql2" | "prisma" | "sdk";
     sql?: string;
     model?: string;
     operation?: string;
@@ -160,8 +160,11 @@ interface SecurityFinding {
     count: number;
 }
 
+declare const FINDINGS_DATA_VERSION = 1;
+
 type FindingState = "open" | "fixing" | "resolved";
 type FindingSource = "passive";
+type AiFixStatus = "fixed" | "wont_fix";
 interface StatefulFinding {
     /** Stable ID derived from rule + endpoint + description hash */
     findingId: string;
@@ -172,9 +175,13 @@ interface StatefulFinding {
     lastSeenAt: number;
     resolvedAt: number | null;
     occurrences: number;
+    /** What AI reported after attempting a fix */
+    aiStatus: AiFixStatus | null;
+    /** AI's summary of what was done or why it can't be fixed */
+    aiNotes: string | null;
 }
 interface FindingsData {
-    version: 1;
+    version: typeof FINDINGS_DATA_VERSION;
     findings: StatefulFinding[];
 }
 
@@ -220,7 +227,7 @@ interface PreparedInsightContext extends InsightContext {
     endpointGroups: ReadonlyMap<string, EndpointGroup>;
 }
 
-type InsightState = "open" | "resolved";
+type InsightState = FindingState;
 interface StatefulInsight {
     key: string;
     state: InsightState;
@@ -230,6 +237,8 @@ interface StatefulInsight {
     resolvedAt: number | null;
     /** Consecutive recompute cycles where the insight was not detected. */
     consecutiveAbsences: number;
+    aiStatus: AiFixStatus | null;
+    aiNotes: string | null;
 }
 
 declare class FindingStore {
@@ -244,6 +253,7 @@ declare class FindingStore {
     stop(): void;
     upsert(finding: SecurityFinding, source: FindingSource): StatefulFinding;
     transition(findingId: string, state: FindingState): boolean;
+    reportFix(findingId: string, status: AiFixStatus, notes: string): boolean;
     /**
      * Reconcile passive findings against the current analysis results.
      *
@@ -258,7 +268,9 @@ declare class FindingStore {
     getByState(state: FindingState): readonly StatefulFinding[];
     get(findingId: string): StatefulFinding | undefined;
     clear(): void;
-    private load;
+    private loadAsync;
+    /** Sync load for tests only — not used in production paths. */
+    loadSync(): void;
     private flush;
     private flushSync;
     private serialize;
@@ -317,8 +329,8 @@ declare class AdapterRegistry {
 }
 
 interface AnalysisUpdate {
-    insights: Insight[];
-    findings: SecurityFinding[];
+    insights: readonly Insight[];
+    findings: readonly SecurityFinding[];
     statefulFindings: readonly StatefulFinding[];
     statefulInsights: readonly StatefulInsight[];
 }
@@ -329,7 +341,8 @@ interface ChannelMap {
     "telemetry:error": Omit<TracedError, "id">;
     "request:completed": TracedRequest;
     "analysis:updated": AnalysisUpdate;
-    "store:cleared": void;
+    "findings:changed": readonly StatefulFinding[];
+    "store:cleared": undefined;
 }
 type Listener<T> = (data: T) => void;
 declare class EventBus {
@@ -362,6 +375,7 @@ interface TelemetryStoreInterface<T extends TelemetryEntry> {
 }
 interface RequestStoreInterface {
     capture(input: CaptureInput): TracedRequest;
+    add(entry: TracedRequest): void;
     getAll(): readonly TracedRequest[];
     clear(): void;
 }
@@ -377,6 +391,7 @@ interface MetricsStoreInterface {
 interface FindingStoreInterface {
     upsert(finding: SecurityFinding, source: FindingSource): StatefulFinding;
     transition(findingId: string, state: FindingState): boolean;
+    reportFix(findingId: string, status: AiFixStatus, notes: string): boolean;
     reconcilePassive(findings: readonly SecurityFinding[]): void;
     getAll(): readonly StatefulFinding[];
     getByState(state: FindingState): readonly StatefulFinding[];
@@ -393,6 +408,7 @@ interface AnalysisEngineInterface {
     getFindings(): readonly SecurityFinding[];
     getStatefulInsights(): readonly StatefulInsight[];
     getStatefulFindings(): readonly StatefulFinding[];
+    reportInsightFix(enrichedId: string, status: AiFixStatus, notes: string): boolean;
 }
 
 interface ServiceMap {
@@ -430,6 +446,7 @@ declare class AnalysisEngine {
     getFindings(): readonly SecurityFinding[];
     getStatefulFindings(): readonly StatefulFinding[];
     getStatefulInsights(): readonly StatefulInsight[];
+    reportInsightFix(enrichedId: string, status: AiFixStatus, notes: string): boolean;
     private scheduleRecompute;
     recompute(): void;
 }

package/dist/api.js

@@ -1,12 +1,83 @@
 // src/store/finding-store.ts
+import { readFile as readFile2 } from "fs/promises";
 import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
 import { resolve as resolve2 } from "path";
 
+// src/utils/fs.ts
+import { access, readFile, writeFile } from "fs/promises";
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { resolve } from "path";
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function ensureGitignore(dir, entry) {
+  try {
+    const gitignorePath = resolve(dir, "../.gitignore");
+    if (existsSync(gitignorePath)) {
+      const content = readFileSync(gitignorePath, "utf-8");
+      if (content.split("\n").some((l) => l.trim() === entry)) return;
+      writeFileSync(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
+    } else {
+      writeFileSync(gitignorePath, entry + "\n");
+    }
+  } catch {
+  }
+}
+async function ensureGitignoreAsync(dir, entry) {
+  try {
+    const gitignorePath = resolve(dir, "../.gitignore");
+    if (await fileExists(gitignorePath)) {
+      const content = await readFile(gitignorePath, "utf-8");
+      if (content.split("\n").some((l) => l.trim() === entry)) return;
+      await writeFile(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
+    } else {
+      await writeFile(gitignorePath, entry + "\n");
+    }
+  } catch {
+  }
+}
+
 // src/constants/routes.ts
 var DASHBOARD_PREFIX = "/__brakit";
+var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+var DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+var DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+var DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+var DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+var DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+var DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+var DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+var DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+var DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+var DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+var DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+var VALID_TABS_TUPLE = [
+  "overview",
+  "actions",
+  "requests",
+  "fetches",
+  "queries",
+  "errors",
+  "logs",
+  "performance",
+  "security"
+];
+var VALID_TABS = new Set(VALID_TABS_TUPLE);
 
 // src/constants/limits.ts
-var MAX_INGEST_BYTES = 10 * 1024 * 1024;
+var ANALYSIS_DEBOUNCE_MS = 300;
+var FINDING_ID_HASH_LENGTH = 16;
+var FINDINGS_DATA_VERSION = 1;
 
 // src/constants/thresholds.ts
 var FLOW_GAP_MS = 5e3;
@@ -44,15 +115,8 @@ var METRICS_DIR = ".brakit";
 var FINDINGS_FILE = ".brakit/findings.json";
 var FINDINGS_FLUSH_INTERVAL_MS = 1e4;
 
-// src/constants/severity.ts
-var SEVERITY_CRITICAL = "critical";
-var SEVERITY_WARNING = "warning";
-var SEVERITY_INFO = "info";
-var SEVERITY_ICON_MAP = {
-  [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
-  [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
-  [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
-};
+// src/constants/network.ts
+var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
 
 // src/utils/atomic-writer.ts
 import {
@@ -63,38 +127,25 @@ import {
 } from "fs";
 import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
 
-// src/utils/fs.ts
-import { access } from "fs/promises";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
-async function fileExists(path) {
-  try {
-    await access(path);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function ensureGitignore(dir, entry) {
-  try {
-    const gitignorePath = resolve(dir, "../.gitignore");
-    if (existsSync(gitignorePath)) {
-      const content = readFileSync(gitignorePath, "utf-8");
-      if (content.split("\n").some((l) => l.trim() === entry)) return;
-      writeFileSync(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
-    } else {
-      writeFileSync(gitignorePath, entry + "\n");
-    }
-  } catch {
-  }
-}
-
 // src/utils/log.ts
 var PREFIX = "[brakit]";
 function brakitWarn(message) {
   process.stderr.write(`${PREFIX} ${message}
 `);
 }
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+
+// src/utils/type-guards.ts
+function getErrorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return String(err);
+}
 
 // src/utils/atomic-writer.ts
 var AtomicWriter = class {
@@ -111,7 +162,7 @@ var AtomicWriter = class {
       writeFileSync2(this.tmpPath, content);
       renameSync(this.tmpPath, this.opts.filePath);
     } catch (err) {
-      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+      brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
     }
   }
   async writeAsync(content) {
@@ -125,13 +176,14 @@ var AtomicWriter = class {
       await writeFile2(this.tmpPath, content);
       await rename(this.tmpPath, this.opts.filePath);
     } catch (err) {
-      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+      brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
     } finally {
       this.writing = false;
       if (this.pendingContent !== null) {
         const next = this.pendingContent;
         this.pendingContent = null;
-        this.writeAsync(next);
+        this.writeAsync(next).catch(() => {
+        });
       }
     }
   }
@@ -144,10 +196,10 @@ var AtomicWriter = class {
     }
   }
   async ensureDirAsync() {
-    if (!existsSync2(this.opts.dir)) {
+    if (!await fileExists(this.opts.dir)) {
       await mkdir(this.opts.dir, { recursive: true });
       if (this.opts.gitignoreEntry) {
-        ensureGitignore(this.opts.dir, this.opts.gitignoreEntry);
+        await ensureGitignoreAsync(this.opts.dir, this.opts.gitignoreEntry);
       }
     }
   }
@@ -157,7 +209,11 @@ var AtomicWriter = class {
 import { createHash } from "crypto";
 function computeFindingId(finding) {
   const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
+}
+function computeInsightId(type, endpoint, desc) {
+  const key = `${type}:${endpoint}:${desc}`;
+  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
 }
 
 // src/store/finding-store.ts
@@ -172,7 +228,6 @@ var FindingStore = class {
       gitignoreEntry: METRICS_DIR,
       label: "findings"
     });
-    this.load();
   }
   findings = /* @__PURE__ */ new Map();
   flushTimer = null;
@@ -180,6 +235,8 @@ var FindingStore = class {
   writer;
   findingsPath;
   start() {
+    this.loadAsync().catch(() => {
+    });
     this.flushTimer = setInterval(
       () => this.flush(),
       FINDINGS_FLUSH_INTERVAL_MS
@@ -216,7 +273,9 @@ var FindingStore = class {
       firstSeenAt: now,
       lastSeenAt: now,
       resolvedAt: null,
-      occurrences: 1
+      occurrences: 1,
+      aiStatus: null,
+      aiNotes: null
     };
     this.findings.set(id, stateful);
     this.dirty = true;
@@ -232,6 +291,17 @@ var FindingStore = class {
     this.dirty = true;
     return true;
   }
+  reportFix(findingId, status, notes) {
+    const finding = this.findings.get(findingId);
+    if (!finding) return false;
+    finding.aiStatus = status;
+    finding.aiNotes = notes;
+    if (status === "fixed") {
+      finding.state = "fixing";
+    }
+    this.dirty = true;
+    return true;
+  }
   /**
    * Reconcile passive findings against the current analysis results.
    *
@@ -244,7 +314,7 @@ var FindingStore = class {
   reconcilePassive(currentFindings) {
     const currentIds = new Set(currentFindings.map(computeFindingId));
     for (const [id, stateful] of this.findings) {
-      if (stateful.source === "passive" && stateful.state === "open" && !currentIds.has(id)) {
+      if (stateful.source === "passive" && (stateful.state === "open" || stateful.state === "fixing") && !currentIds.has(id)) {
         stateful.state = "resolved";
         stateful.resolvedAt = Date.now();
         this.dirty = true;
@@ -264,18 +334,35 @@ var FindingStore = class {
     this.findings.clear();
     this.dirty = true;
   }
-  load() {
+  async loadAsync() {
+    try {
+      if (await fileExists(this.findingsPath)) {
+        const raw = await readFile2(this.findingsPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
+          for (const f of parsed.findings) {
+            this.findings.set(f.findingId, f);
+          }
+        }
+      }
+    } catch (err) {
+      brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
+    }
+  }
+  /** Sync load for tests only — not used in production paths. */
+  loadSync() {
     try {
       if (existsSync3(this.findingsPath)) {
         const raw = readFileSync2(this.findingsPath, "utf-8");
         const parsed = JSON.parse(raw);
-        if (parsed?.version === 1 && Array.isArray(parsed.findings)) {
+        if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
           for (const f of parsed.findings) {
             this.findings.set(f.findingId, f);
           }
         }
       }
-    } catch {
+    } catch (err) {
+      brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
     }
   }
   flush() {
@@ -290,7 +377,7 @@ var FindingStore = class {
   }
   serialize() {
     const data = {
-      version: 1,
+      version: FINDINGS_DATA_VERSION,
       findings: [...this.findings.values()]
     };
     return JSON.stringify(data);
@@ -298,9 +385,9 @@ var FindingStore = class {
 };
 
 // src/detect/project.ts
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join } from "path";
+import { join, relative } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -310,7 +397,7 @@ var FRAMEWORKS = [
 ];
 async function detectProject(rootDir) {
   const pkgPath = join(rootDir, "package.json");
-  const raw = await readFile2(pkgPath, "utf-8");
+  const raw = await readFile3(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   const framework = detectFrameworkFromDeps(allDeps);
@@ -372,11 +459,11 @@ var AdapterRegistry = class {
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
 var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
+var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
 var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
-var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
-var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
+var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
+var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
 var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
@@ -388,9 +475,9 @@ var RULE_HINTS = {
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
   "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
   "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
   "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 
@@ -760,48 +847,47 @@ function hasInternalIds(obj) {
   }
   return false;
 }
-function detectPII(method, reqBody, resBody) {
-  const target = unwrapResponse(resBody);
-  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
-    const reqEmails = findEmails(reqBody);
-    if (reqEmails.length > 0) {
-      const resEmails = findEmails(target);
-      const echoed = reqEmails.filter((e) => resEmails.includes(e));
-      if (echoed.length > 0) {
-        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
-        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
-          return { reason: "echo", emailCount: echoed.length };
-        }
-      }
-    }
+function detectEchoPII(method, reqBody, target) {
+  if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
+  const reqEmails = findEmails(reqBody);
+  if (reqEmails.length === 0) return null;
+  const resEmails = findEmails(target);
+  const echoed = reqEmails.filter((e) => resEmails.includes(e));
+  if (echoed.length === 0) return null;
+  const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "echo", emailCount: echoed.length };
   }
-  if (target && typeof target === "object" && !Array.isArray(target)) {
-    const fields = topLevelFieldCount(target);
-    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
-      const emails = findEmails(target);
-      if (emails.length > 0) {
-        return { reason: "full-record", emailCount: emails.length };
-      }
+  return null;
+}
+function detectFullRecordPII(target) {
+  if (!target || typeof target !== "object" || Array.isArray(target)) return null;
+  const fields = topLevelFieldCount(target);
+  if (fields < FULL_RECORD_MIN_FIELDS || !hasInternalIds(target)) return null;
+  const emails = findEmails(target);
+  if (emails.length === 0) return null;
+  return { reason: "full-record", emailCount: emails.length };
+}
+function detectListPII(target) {
+  if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
+  let itemsWithEmail = 0;
+  for (let i = 0; i < Math.min(target.length, 10); i++) {
+    const item = target[i];
+    if (item && typeof item === "object" && findEmails(item).length > 0) {
+      itemsWithEmail++;
     }
   }
-  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
-    let itemsWithEmail = 0;
-    for (let i = 0; i < Math.min(target.length, 10); i++) {
-      const item = target[i];
-      if (item && typeof item === "object") {
-        const emails = findEmails(item);
-        if (emails.length > 0) itemsWithEmail++;
-      }
-    }
-    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
-      const first = target[0];
-      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
-        return { reason: "list-pii", emailCount: itemsWithEmail };
-      }
-    }
+  if (itemsWithEmail < LIST_PII_MIN_ITEMS) return null;
+  const first = target[0];
+  if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "list-pii", emailCount: itemsWithEmail };
   }
   return null;
 }
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+}
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
@@ -1929,8 +2015,12 @@ function computeInsightKey(insight) {
   const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
   return `${insight.type}:${identifier}`;
 }
+function enrichedIdFromInsight(insight) {
+  return computeInsightId(insight.type, insight.nav ?? "global", insight.desc);
+}
 var InsightTracker = class {
   tracked = /* @__PURE__ */ new Map();
+  enrichedIndex = /* @__PURE__ */ new Map();
   reconcile(current) {
     const currentKeys = /* @__PURE__ */ new Set();
     const now = Date.now();
@@ -1938,6 +2028,7 @@ var InsightTracker = class {
       const key = computeInsightKey(insight);
       currentKeys.add(key);
       const existing = this.tracked.get(key);
+      this.enrichedIndex.set(enrichedIdFromInsight(insight), key);
       if (existing) {
         existing.insight = insight;
         existing.lastSeenAt = now;
@@ -1954,34 +2045,50 @@ var InsightTracker = class {
           firstSeenAt: now,
           lastSeenAt: now,
           resolvedAt: null,
-          consecutiveAbsences: 0
+          consecutiveAbsences: 0,
+          aiStatus: null,
+          aiNotes: null
         });
       }
     }
-    for (const [key, stateful] of this.tracked) {
-      if (stateful.state === "open" && !currentKeys.has(stateful.key)) {
+    for (const [, stateful] of this.tracked) {
+      if ((stateful.state === "open" || stateful.state === "fixing") && !currentKeys.has(stateful.key)) {
         stateful.consecutiveAbsences++;
         if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
           stateful.state = "resolved";
           stateful.resolvedAt = now;
         }
       } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
-        this.tracked.delete(key);
+        this.tracked.delete(stateful.key);
+        this.enrichedIndex.delete(enrichedIdFromInsight(stateful.insight));
       }
     }
     return [...this.tracked.values()];
   }
+  reportFix(enrichedId, status, notes) {
+    const key = this.enrichedIndex.get(enrichedId);
+    if (!key) return false;
+    const stateful = this.tracked.get(key);
+    if (!stateful) return false;
+    stateful.aiStatus = status;
+    stateful.aiNotes = notes;
+    if (status === "fixed") {
+      stateful.state = "fixing";
+    }
+    return true;
+  }
   getAll() {
     return [...this.tracked.values()];
   }
   clear() {
     this.tracked.clear();
+    this.enrichedIndex.clear();
   }
 };
 
 // src/analysis/engine.ts
 var AnalysisEngine = class {
-  constructor(registry, debounceMs = 300) {
+  constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
     this.registry = registry;
     this.debounceMs = debounceMs;
     this.scanner = createDefaultScanner();
@@ -2017,7 +2124,10 @@ var AnalysisEngine = class {
     return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
   }
   getStatefulInsights() {
-    return this.cachedStatefulInsights;
+    return this.insightTracker.getAll();
+  }
+  reportInsightFix(enrichedId, status, notes) {
+    return this.insightTracker.reportFix(enrichedId, status, notes);
   }
   scheduleRecompute() {
     if (this.debounceTimer) return;
@@ -2062,7 +2172,7 @@ var AnalysisEngine = class {
 };
 
 // src/index.ts
-var VERSION = "0.8.4";
+var VERSION = "0.8.5";
 export {
   AdapterRegistry,
   AnalysisEngine,