npm - brakit - Versions diffs - 0.8.4 → 0.8.5 - Mend

brakit 0.8.4 → 0.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin/brakit.js CHANGED Viewed

@@ -10,29 +10,49 @@ var __export = (target, all) => {
 };
 // src/constants/routes.ts
-var DASHBOARD_API_REQUESTS, DASHBOARD_API_CLEAR, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_FINDINGS;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS;
 var init_routes = __esm({
   "src/constants/routes.ts"() {
     "use strict";
-    DASHBOARD_API_REQUESTS = "/__brakit/api/requests";
-    DASHBOARD_API_CLEAR = "/__brakit/api/clear";
-    DASHBOARD_API_FETCHES = "/__brakit/api/fetches";
-    DASHBOARD_API_ERRORS = "/__brakit/api/errors";
-    DASHBOARD_API_QUERIES = "/__brakit/api/queries";
-    DASHBOARD_API_ACTIVITY = "/__brakit/api/activity";
-    DASHBOARD_API_METRICS_LIVE = "/__brakit/api/metrics/live";
-    DASHBOARD_API_INSIGHTS = "/__brakit/api/insights";
-    DASHBOARD_API_SECURITY = "/__brakit/api/security";
-    DASHBOARD_API_FINDINGS = "/__brakit/api/findings";
+    DASHBOARD_PREFIX = "/__brakit";
+    DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+    DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+    DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+    DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+    DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+    DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+    DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+    DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+    DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+    DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+    DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+    DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+    DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+    DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+    DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+    DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+    DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    VALID_TABS_TUPLE = [
+      "overview",
+      "actions",
+      "requests",
+      "fetches",
+      "queries",
+      "errors",
+      "logs",
+      "performance",
+      "security"
+    ];
+    VALID_TABS = new Set(VALID_TABS_TUPLE);
   }
 });
 // src/constants/limits.ts
-var MAX_INGEST_BYTES;
+var FINDING_ID_HASH_LENGTH;
 var init_limits = __esm({
   "src/constants/limits.ts"() {
     "use strict";
-    MAX_INGEST_BYTES = 10 * 1024 * 1024;
+    FINDING_ID_HASH_LENGTH = 16;
   }
 });
@@ -70,19 +90,22 @@ var init_headers = __esm({
 });
 // src/constants/network.ts
+var RECOVERY_WINDOW_MS, PORT_MIN, PORT_MAX;
 var init_network = __esm({
   "src/constants/network.ts"() {
     "use strict";
+    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+    PORT_MIN = 1;
+    PORT_MAX = 65535;
   }
 });
 // src/constants/mcp.ts
-var MCP_SERVER_NAME, MCP_SERVER_VERSION, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER;
+var MCP_SERVER_NAME, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER, MCP_SERVER_VERSION;
 var init_mcp = __esm({
   "src/constants/mcp.ts"() {
     "use strict";
     MCP_SERVER_NAME = "brakit";
-    MCP_SERVER_VERSION = "0.8.4";
     INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
     LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
     CLIENT_FETCH_TIMEOUT_MS = 1e4;
@@ -92,6 +115,7 @@ var init_mcp = __esm({
     MAX_TIMELINE_EVENTS = 20;
     MAX_RESOLVED_DISPLAY = 5;
     ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
+    MCP_SERVER_VERSION = "0.8.5";
   }
 });
@@ -103,18 +127,9 @@ var init_encoding = __esm({
 });
 // src/constants/severity.ts
-var SEVERITY_CRITICAL, SEVERITY_WARNING, SEVERITY_INFO, SEVERITY_ICON_MAP;
 var init_severity = __esm({
   "src/constants/severity.ts"() {
     "use strict";
-    SEVERITY_CRITICAL = "critical";
-    SEVERITY_WARNING = "warning";
-    SEVERITY_INFO = "info";
-    SEVERITY_ICON_MAP = {
-      [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
-      [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
-      [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
-    };
   }
 });
@@ -125,6 +140,17 @@ var init_telemetry = __esm({
   }
 });
+// src/constants/lifecycle.ts
+var VALID_FINDING_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
+var init_lifecycle = __esm({
+  "src/constants/lifecycle.ts"() {
+    "use strict";
+    VALID_FINDING_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
+  }
+});
 // src/constants/index.ts
 var init_constants = __esm({
   "src/constants/index.ts"() {
@@ -140,18 +166,52 @@ var init_constants = __esm({
     init_encoding();
     init_severity();
     init_telemetry();
+    init_lifecycle();
+  }
+});
+// src/utils/log.ts
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+var PREFIX;
+var init_log = __esm({
+  "src/utils/log.ts"() {
+    "use strict";
+    PREFIX = "[brakit]";
+  }
+});
+// src/utils/type-guards.ts
+function isNonEmptyString(val) {
+  return typeof val === "string" && val.trim().length > 0;
+}
+function isValidFindingState(val) {
+  return typeof val === "string" && VALID_FINDING_STATES.has(val);
+}
+function isValidAiFixStatus(val) {
+  return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
+}
+var init_type_guards = __esm({
+  "src/utils/type-guards.ts"() {
+    "use strict";
+    init_lifecycle();
   }
 });
 // src/store/finding-id.ts
 import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+function computeInsightId(type, endpoint, desc) {
+  const key = `${type}:${endpoint}:${desc}`;
+  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
 }
 var init_finding_id = __esm({
   "src/store/finding-id.ts"() {
     "use strict";
+    init_limits();
   }
 });
@@ -221,6 +281,19 @@ var init_client = __esm({
         if (state) url.searchParams.set("state", state);
         return this.fetchJson(url);
       }
+      async reportFix(findingId, status, notes) {
+        const res = await fetch(`${this.baseUrl}${DASHBOARD_API_FINDINGS_REPORT}`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ findingId, status, notes }),
+          signal: AbortSignal.timeout(CLIENT_FETCH_TIMEOUT_MS)
+        });
+        if (!res.ok) return false;
+        const contentType = res.headers.get("content-type") ?? "";
+        if (!contentType.includes("application/json")) return false;
+        const body = await res.json();
+        return body.ok === true;
+      }
       async clearAll() {
         const res = await fetch(`${this.baseUrl}${DASHBOARD_API_CLEAR}`, {
           method: "POST",
@@ -252,50 +325,56 @@ var init_client = __esm({
 });
 // src/mcp/discovery.ts
-import { readFileSync as readFileSync3, existsSync as existsSync5, readdirSync, statSync } from "fs";
-import { resolve as resolve5, dirname } from "path";
-function readPort(portPath) {
-  if (!existsSync5(portPath)) return null;
-  const raw = readFileSync3(portPath, "utf-8").trim();
-  const port = parseInt(raw, 10);
-  return isNaN(port) || port < 1 || port > 65535 ? null : port;
+import { readFile as readFile6, readdir as readdir2, stat } from "fs/promises";
+import { resolve as resolve5, dirname as dirname2 } from "path";
+async function readPort(portPath) {
+  try {
+    const raw = (await readFile6(portPath, "utf-8")).trim();
+    const port = parseInt(raw, 10);
+    return isNaN(port) || port < PORT_MIN || port > PORT_MAX ? null : port;
+  } catch {
+    return null;
+  }
 }
-function portInDir(dir) {
+async function portInDir(dir) {
   return readPort(resolve5(dir, PORT_FILE));
 }
-function portInChildren(dir) {
+async function portInChildren(dir) {
   try {
-    for (const entry of readdirSync(dir)) {
+    const entries = await readdir2(dir);
+    for (const entry of entries) {
       if (entry.startsWith(".") || entry === "node_modules") continue;
       const child = resolve5(dir, entry);
       try {
-        if (!statSync(child).isDirectory()) continue;
-      } catch {
+        if (!(await stat(child)).isDirectory()) continue;
+      } catch (err) {
+        brakitDebug(`discovery: stat failed for ${child}: ${err}`);
         continue;
       }
-      const port = portInDir(child);
+      const port = await portInDir(child);
       if (port) return port;
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`discovery: readdir failed for ${dir}: ${err}`);
   }
   return null;
 }
-function searchForPort(startDir) {
+async function searchForPort(startDir) {
   const start = resolve5(startDir);
-  const initial = portInDir(start) ?? portInChildren(start);
+  const initial = await portInDir(start) ?? await portInChildren(start);
   if (initial) return initial;
-  let dir = dirname(start);
+  let dir = dirname2(start);
   for (let depth = 0; depth < MAX_DISCOVERY_DEPTH; depth++) {
-    const port = portInDir(dir);
+    const port = await portInDir(dir) ?? await portInChildren(dir);
     if (port) return port;
-    const parent = dirname(dir);
+    const parent = dirname2(dir);
     if (parent === dir) break;
     dir = parent;
   }
   return null;
 }
-function discoverBrakitPort(cwd) {
-  const port = searchForPort(cwd ?? process.cwd());
+async function discoverBrakitPort(cwd) {
+  const port = await searchForPort(cwd ?? process.cwd());
   if (!port) {
     throw new Error(
       "Brakit is not running. Start your app with brakit enabled first."
@@ -307,7 +386,7 @@ async function waitForBrakit(cwd, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTER
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     try {
-      const result = discoverBrakitPort(cwd);
+      const result = await discoverBrakitPort(cwd);
       const res = await fetch(`${result.baseUrl}${DASHBOARD_API_REQUESTS}?limit=1`);
       if (res.ok) return result;
     } catch {
@@ -322,50 +401,52 @@ var init_discovery = __esm({
   "src/mcp/discovery.ts"() {
     "use strict";
     init_constants();
+    init_log();
     init_mcp();
   }
 });
 // src/mcp/enrichment.ts
-import { createHash as createHash2 } from "crypto";
-function computeInsightId(type, endpoint, desc) {
-  const key = `${type}:${endpoint}:${desc}`;
-  return createHash2("sha256").update(key).digest("hex").slice(0, 16);
-}
 async function enrichFindings(client) {
   const [securityData, insightsData] = await Promise.all([
     client.getSecurityFindings(),
     client.getInsights()
   ]);
-  const enriched = [];
-  for (const f of securityData.findings) {
-    let context = "";
-    try {
-      const { path } = parseEndpointKey(f.endpoint);
-      const reqData = await client.getRequests({ search: path, limit: 1 });
-      if (reqData.requests.length > 0) {
-        const req = reqData.requests[0];
-        if (req.id) {
-          const activity = await client.getActivity(req.id);
-          const queryCount = activity.counts?.queries ?? 0;
-          const fetchCount = activity.counts?.fetches ?? 0;
-          context = `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+  const contexts = await Promise.all(
+    securityData.findings.map(async (sf) => {
+      try {
+        const { path } = parseEndpointKey(sf.finding.endpoint);
+        const reqData = await client.getRequests({ search: path, limit: 1 });
+        if (reqData.requests.length > 0) {
+          const req = reqData.requests[0];
+          if (req.id) {
+            const activity = await client.getActivity(req.id);
+            const queryCount = activity.counts?.queries ?? 0;
+            const fetchCount = activity.counts?.fetches ?? 0;
+            return `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+          }
         }
+      } catch {
+        return "(context unavailable)";
       }
-    } catch {
-      context = "(context unavailable)";
-    }
-    enriched.push({
-      findingId: computeFindingId(f),
+      return "";
+    })
+  );
+  const enriched = securityData.findings.map((sf, i) => {
+    const f = sf.finding;
+    return {
+      findingId: sf.findingId,
       severity: f.severity,
       title: f.title,
       endpoint: f.endpoint,
       description: f.desc,
       hint: f.hint,
       occurrences: f.count,
-      context
-    });
-  }
+      context: contexts[i],
+      aiStatus: sf.aiStatus,
+      aiNotes: sf.aiNotes
+    };
+  });
   for (const si of insightsData.insights) {
     if (si.state === "resolved") continue;
     const i = si.insight;
@@ -379,7 +460,9 @@ async function enrichFindings(client) {
       description: i.desc,
       hint: i.hint,
       occurrences: 1,
-      context: i.detail ?? ""
+      context: i.detail ?? "",
+      aiStatus: si.aiStatus,
+      aiNotes: si.aiNotes
     });
   }
   return enriched;
@@ -441,13 +524,13 @@ var init_enrichment = __esm({
 });
 // src/mcp/tools/get-findings.ts
-var VALID_SEVERITIES, VALID_STATES, getFindings;
+var getFindings;
 var init_get_findings = __esm({
   "src/mcp/tools/get-findings.ts"() {
     "use strict";
     init_enrichment();
-    VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
-    VALID_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+    init_lifecycle();
+    init_type_guards();
     getFindings = {
       name: "get_findings",
       description: "Get all security findings and performance insights from the running app. Returns enriched findings with actionable fix hints, endpoint context, and evidence. Use this to understand what issues exist in the running application.",
@@ -469,10 +552,10 @@ var init_get_findings = __esm({
       async handler(client, args) {
         const severity = args.severity;
         const state = args.state;
-        if (severity && !VALID_SEVERITIES.has(severity)) {
+        if (severity && !VALID_SECURITY_SEVERITIES.has(severity)) {
           return { content: [{ type: "text", text: `Invalid severity "${severity}". Use: critical, warning.` }], isError: true };
         }
-        if (state && !VALID_STATES.has(state)) {
+        if (state && !isValidFindingState(state)) {
           return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved.` }], isError: true };
         }
         let findings = await enrichFindings(client);
@@ -491,10 +574,18 @@ var init_get_findings = __esm({
 `];
         for (const f of findings) {
           lines.push(`[${f.severity.toUpperCase()}] ${f.title}`);
+          lines.push(`  ID: ${f.findingId}`);
           lines.push(`  Endpoint: ${f.endpoint}`);
           lines.push(`  Issue: ${f.description}`);
           if (f.context) lines.push(`  Context: ${f.context}`);
           lines.push(`  Fix: ${f.hint}`);
+          if (f.aiStatus === "fixed") {
+            lines.push(`  AI Status: fixed (awaiting verification)`);
+            if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
+          } else if (f.aiStatus === "wont_fix") {
+            lines.push(`  AI Status: won't fix`);
+            if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
+          }
           lines.push("");
         }
         return { content: [{ type: "text", text: lines.join("\n") }] };
@@ -823,6 +914,61 @@ var init_clear_findings = __esm({
   }
 });
+// src/mcp/tools/report-fix.ts
+var reportFix;
+var init_report_fix = __esm({
+  "src/mcp/tools/report-fix.ts"() {
+    "use strict";
+    init_type_guards();
+    reportFix = {
+      name: "report_fix",
+      description: "Report the result of fixing a brakit finding. Call this after attempting to fix each finding to update the dashboard with the outcome. Use status 'fixed' when you've applied a fix, or 'wont_fix' when the issue can't be resolved (e.g. third-party library, by design).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          finding_id: {
+            type: "string",
+            description: "The finding ID to report on"
+          },
+          status: {
+            type: "string",
+            description: "Whether the fix was applied or can't be fixed",
+            enum: ["fixed", "wont_fix"]
+          },
+          summary: {
+            type: "string",
+            description: "Brief description of what was done or why it can't be fixed"
+          }
+        },
+        required: ["finding_id", "status", "summary"]
+      },
+      async handler(client, args) {
+        const { finding_id, status, summary } = args;
+        if (!isNonEmptyString(finding_id)) {
+          return { content: [{ type: "text", text: "finding_id is required." }], isError: true };
+        }
+        if (!isValidAiFixStatus(status)) {
+          return { content: [{ type: "text", text: "status must be 'fixed' or 'wont_fix'." }], isError: true };
+        }
+        if (!isNonEmptyString(summary)) {
+          return { content: [{ type: "text", text: "summary is required." }], isError: true };
+        }
+        const ok = await client.reportFix(finding_id, status, summary);
+        if (!ok) {
+          return {
+            content: [{ type: "text", text: `Finding ${finding_id} not found. It may have already been resolved.` }],
+            isError: true
+          };
+        }
+        const label = status === "fixed" ? "marked as fixed (awaiting verification)" : "marked as won't fix";
+        return {
+          content: [{ type: "text", text: `Finding ${finding_id} ${label}. Dashboard updated.` }]
+        };
+      }
+    };
+  }
+});
 // src/mcp/tools/index.ts
 function getToolDefinitions() {
   return [...TOOL_MAP.values()].map((t) => ({
@@ -851,17 +997,19 @@ var init_tools = __esm({
     init_verify_fix();
     init_get_report();
     init_clear_findings();
+    init_report_fix();
     TOOL_MAP = new Map(
-      [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings].map((t) => [t.name, t])
+      [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings, reportFix].map((t) => [t.name, t])
     );
   }
 });
 // src/mcp/prompts.ts
-var PROMPTS, PROMPT_MESSAGES;
+var SERVER_INSTRUCTIONS, PROMPTS, PROMPT_MESSAGES;
 var init_prompts = __esm({
   "src/mcp/prompts.ts"() {
     "use strict";
+    SERVER_INSTRUCTIONS = "Brakit is a dev tool that monitors your running app for security vulnerabilities, performance issues, and query problems. IMPORTANT: After fixing any brakit finding, always call the report_fix tool with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did. This updates the dashboard in real-time so the developer can track AI-driven fixes.";
     PROMPTS = [
       {
         name: "check-app",
@@ -873,18 +1021,8 @@ var init_prompts = __esm({
       }
     ];
     PROMPT_MESSAGES = {
-      "check-app": [
-        "Check my running app for security and performance issues using brakit.",
-        "First get all findings, then get the endpoint summary.",
-        "For any critical or warning findings, get the request detail to understand the root cause.",
-        "Give me a clear report of what's wrong and offer to fix each issue."
-      ].join(" "),
-      "fix-findings": [
-        "Get all open brakit findings.",
-        "For each finding, get the request detail to understand the exact issue.",
-        "Then find the source code responsible and fix it.",
-        "After fixing, ask me to re-trigger the endpoint so you can verify the fix with brakit."
-      ].join(" ")
+      "check-app": "Check my running app for security and performance issues using brakit. First get all findings, then get the endpoint summary. For any critical or warning findings, get the request detail to understand the root cause. Give me a clear report of what's wrong and offer to fix each issue. After fixing any issue, call report_fix with the finding_id, status, and summary.",
+      "fix-findings": "Get all open brakit findings. For each finding:\n1. Get the request detail to understand the exact issue\n2. Find the source code responsible and fix it\n3. Call report_fix with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did\n4. Move to the next finding\n\nAfter all findings are processed, ask me to re-trigger the endpoints so brakit can verify the fixes."
     };
   }
 });
@@ -912,7 +1050,7 @@ async function startMcpServer() {
   let cachedClient = discovery ? new BrakitClient(discovery.baseUrl) : null;
   const server = new Server(
     { name: MCP_SERVER_NAME, version: MCP_SERVER_VERSION },
-    { capabilities: { tools: {}, prompts: {} } }
+    { capabilities: { tools: {}, prompts: {} }, instructions: SERVER_INSTRUCTIONS }
   );
   server.setRequestHandler(ListPromptsRequestSchema, async () => ({
     prompts: [...PROMPTS]
@@ -990,27 +1128,19 @@ import { runMain } from "citty";
 // src/cli/commands/install.ts
 import { defineCommand } from "citty";
-import { resolve as resolve3, join as join2 } from "path";
-import { readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
+import { resolve as resolve3, join as join2, dirname } from "path";
+import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
 import { execSync } from "child_process";
+import { existsSync as existsSync5 } from "fs";
 import pc from "picocolors";
 // src/store/finding-store.ts
-init_constants();
+import { readFile as readFile2 } from "fs/promises";
 import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
 import { resolve as resolve2 } from "path";
-// src/utils/atomic-writer.ts
-import {
-  writeFileSync as writeFileSync2,
-  existsSync as existsSync2,
-  mkdirSync as mkdirSync2,
-  renameSync
-} from "fs";
-import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
 // src/utils/fs.ts
-import { access } from "fs/promises";
+import { access, readFile, writeFile } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
 import { resolve } from "path";
 async function fileExists(path) {
@@ -1023,12 +1153,28 @@ async function fileExists(path) {
 }
 // src/store/finding-store.ts
+init_constants();
+init_limits();
+// src/utils/atomic-writer.ts
+import {
+  writeFileSync as writeFileSync2,
+  existsSync as existsSync2,
+  mkdirSync as mkdirSync2,
+  renameSync
+} from "fs";
+import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
+init_log();
+init_type_guards();
+// src/store/finding-store.ts
+init_log();
 init_finding_id();
 // src/detect/project.ts
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join } from "path";
+import { join, relative } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -1038,7 +1184,7 @@ var FRAMEWORKS = [
 ];
 async function detectProject(rootDir) {
   const pkgPath = join(rootDir, "package.json");
-  const raw = await readFile2(pkgPath, "utf-8");
+  const raw = await readFile3(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   const framework = detectFrameworkFromDeps(allDeps);
@@ -1063,16 +1209,143 @@ function detectFrameworkFromDeps(allDeps) {
   }
   return "unknown";
 }
+var PYTHON_ENTRY_CANDIDATES = [
+  "app.py",
+  "main.py",
+  "wsgi.py",
+  "asgi.py",
+  "server.py",
+  "run.py",
+  "manage.py",
+  "app/__init__.py"
+];
+var PYTHON_FRAMEWORK_MAP = {
+  flask: "flask",
+  fastapi: "fastapi",
+  django: "django"
+};
+var PYTHON_DEFAULT_PORTS = {
+  flask: 5e3,
+  fastapi: 8e3,
+  django: 8e3,
+  unknown: 8e3
+};
+async function detectPythonProject(rootDir) {
+  const hasPyproject = await fileExists(join(rootDir, "pyproject.toml"));
+  const hasRequirements = await fileExists(join(rootDir, "requirements.txt"));
+  const hasSetupPy = await fileExists(join(rootDir, "setup.py"));
+  if (!hasPyproject && !hasRequirements && !hasSetupPy) return null;
+  const framework = await detectPythonFramework(rootDir, hasPyproject, hasRequirements);
+  const packageManager = await detectPythonPackageManager(rootDir);
+  const entryFile = await detectPythonEntry(rootDir);
+  return {
+    framework,
+    packageManager,
+    entryFile,
+    defaultPort: PYTHON_DEFAULT_PORTS[framework] ?? 8e3
+  };
+}
+async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
+  if (hasPyproject) {
+    try {
+      const content = await readFile3(join(rootDir, "pyproject.toml"), "utf-8");
+      for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
+        if (content.includes(`"${dep}"`) || content.includes(`'${dep}'`) || content.includes(`${dep} `)) {
+          return fw;
+        }
+      }
+    } catch {
+    }
+  }
+  if (hasRequirements) {
+    try {
+      const content = await readFile3(join(rootDir, "requirements.txt"), "utf-8");
+      const lines = content.toLowerCase().split("\n");
+      for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
+        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || /[=<>~![]/u.test(l[dep.length])))) {
+          return fw;
+        }
+      }
+    } catch {
+    }
+  }
+  return "unknown";
+}
+async function detectPythonPackageManager(rootDir) {
+  if (await fileExists(join(rootDir, "uv.lock"))) return "uv";
+  if (await fileExists(join(rootDir, "poetry.lock"))) return "poetry";
+  if (await fileExists(join(rootDir, "Pipfile.lock"))) return "pipenv";
+  if (await fileExists(join(rootDir, "Pipfile"))) return "pipenv";
+  if (await fileExists(join(rootDir, "requirements.txt"))) return "pip";
+  try {
+    const content = await readFile3(join(rootDir, "pyproject.toml"), "utf-8");
+    if (content.includes("[tool.poetry]")) return "poetry";
+    if (content.includes("[tool.uv]")) return "uv";
+  } catch {
+  }
+  return "unknown";
+}
+async function detectPythonEntry(rootDir) {
+  for (const candidate of PYTHON_ENTRY_CANDIDATES) {
+    if (await fileExists(join(rootDir, candidate))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".brakit",
+  "dist",
+  "build",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".next",
+  ".nuxt",
+  ".output",
+  ".cache",
+  "coverage"
+]);
+async function scanForProjects(rootDir) {
+  const projects = [];
+  await detectInDir(rootDir, rootDir, projects);
+  try {
+    const entries = await readdir(rootDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name) || entry.name.startsWith(".")) continue;
+      const childDir = join(rootDir, entry.name);
+      await detectInDir(childDir, rootDir, projects);
+    }
+  } catch {
+  }
+  return projects;
+}
+async function detectInDir(dir, rootDir, projects) {
+  const rel = dir === rootDir ? "." : `./${relative(rootDir, dir)}`;
+  if (await fileExists(join(dir, "package.json"))) {
+    try {
+      const node = await detectProject(dir);
+      projects.push({ dir, relDir: rel, type: "node", node });
+    } catch {
+    }
+  }
+  const python = await detectPythonProject(dir);
+  if (python) {
+    projects.push({ dir, relDir: rel, type: "python", python });
+  }
+}
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
 var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
+var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
 var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
-var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
-var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
+var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
+var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
 var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
@@ -1082,9 +1355,9 @@ var RULE_HINTS = {
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
   "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
   "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
   "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
@@ -1455,48 +1728,47 @@ function hasInternalIds(obj) {
   }
   return false;
 }
-function detectPII(method, reqBody, resBody) {
-  const target = unwrapResponse(resBody);
-  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
-    const reqEmails = findEmails(reqBody);
-    if (reqEmails.length > 0) {
-      const resEmails = findEmails(target);
-      const echoed = reqEmails.filter((e) => resEmails.includes(e));
-      if (echoed.length > 0) {
-        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
-        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
-          return { reason: "echo", emailCount: echoed.length };
-        }
-      }
-    }
+function detectEchoPII(method, reqBody, target) {
+  if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
+  const reqEmails = findEmails(reqBody);
+  if (reqEmails.length === 0) return null;
+  const resEmails = findEmails(target);
+  const echoed = reqEmails.filter((e) => resEmails.includes(e));
+  if (echoed.length === 0) return null;
+  const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "echo", emailCount: echoed.length };
   }
-  if (target && typeof target === "object" && !Array.isArray(target)) {
-    const fields = topLevelFieldCount(target);
-    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
-      const emails = findEmails(target);
-      if (emails.length > 0) {
-        return { reason: "full-record", emailCount: emails.length };
-      }
+  return null;
+}
+function detectFullRecordPII(target) {
+  if (!target || typeof target !== "object" || Array.isArray(target)) return null;
+  const fields = topLevelFieldCount(target);
+  if (fields < FULL_RECORD_MIN_FIELDS || !hasInternalIds(target)) return null;
+  const emails = findEmails(target);
+  if (emails.length === 0) return null;
+  return { reason: "full-record", emailCount: emails.length };
+}
+function detectListPII(target) {
+  if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
+  let itemsWithEmail = 0;
+  for (let i = 0; i < Math.min(target.length, 10); i++) {
+    const item = target[i];
+    if (item && typeof item === "object" && findEmails(item).length > 0) {
+      itemsWithEmail++;
     }
   }
-  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
-    let itemsWithEmail = 0;
-    for (let i = 0; i < Math.min(target.length, 10); i++) {
-      const item = target[i];
-      if (item && typeof item === "object") {
-        const emails = findEmails(item);
-        if (emails.length > 0) itemsWithEmail++;
-      }
-    }
-    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
-      const first = target[0];
-      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
-        return { reason: "list-pii", emailCount: itemsWithEmail };
-      }
-    }
+  if (itemsWithEmail < LIST_PII_MIN_ITEMS) return null;
+  const first = target[0];
+  if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "list-pii", emailCount: itemsWithEmail };
   }
   return null;
 }
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+}
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
@@ -1540,6 +1812,9 @@ var responsePiiLeakRule = {
   }
 };
+// src/analysis/engine.ts
+init_limits();
 // src/analysis/group.ts
 init_constants();
 import { randomUUID } from "crypto";
@@ -1597,10 +1872,11 @@ init_constants();
 // src/analysis/insight-tracker.ts
 init_endpoint();
+init_finding_id();
 init_thresholds();
 // src/index.ts
-var VERSION = "0.8.4";
+var VERSION = "0.8.5";
 // src/cli/commands/install.ts
 init_constants();
@@ -1628,7 +1904,6 @@ var ENTRY_CANDIDATES = [
   "index.js"
 ];
 var BRAKIT_TEMPLATES = {
-  /** Next.js instrumentation.ts — standalone file created by install */
   nextjs: [
     `export async function register() {`,
     `  if (process.env.NODE_ENV !== "production") {`,
@@ -1636,7 +1911,6 @@ var BRAKIT_TEMPLATES = {
     `  }`,
     `}`
   ].join("\n"),
-  /** Nuxt server/plugins/brakit.ts — standalone file created by install */
   nuxt: `import "brakit";`
 };
 var ALL_TEMPLATES = Object.values(BRAKIT_TEMPLATES);
@@ -1668,53 +1942,45 @@ var install_default = defineCommand({
   },
   async run({ args }) {
     const rootDir = resolve3(args.dir);
-    const pkgPath = join2(rootDir, "package.json");
-    if (!await fileExists(pkgPath)) {
-      console.error(pc.red("  No project found. Run this from your project directory."));
-      process.exit(1);
-    }
-    let pkg;
-    try {
-      pkg = JSON.parse(await readFile3(pkgPath, "utf-8"));
-    } catch {
-      console.error(pc.red("  Failed to read package.json."));
-      process.exit(1);
-    }
-    if (!pkg.name || typeof pkg.name !== "string") {
-      console.error(pc.red("  No project found. Run this from your project directory."));
-      process.exit(1);
-    }
-    let project;
-    try {
-      project = await detectProject(rootDir);
-    } catch {
-      console.error(pc.red("  Failed to read package.json."));
-      process.exit(1);
-    }
     console.log();
     console.log(pc.bold("  \u25C6 brakit install"));
     console.log();
-    const installed = await installPackage(rootDir, project.packageManager);
-    if (installed) {
-      console.log(pc.green("  \u2713 Added brakit to devDependencies"));
-    } else {
-      console.log(pc.dim("  \u2713 brakit already in dependencies"));
-    }
-    const result = await setupInstrumentation(rootDir, project.framework);
-    if (result.action === "created") {
-      console.log(pc.green(`  \u2713 Created ${result.file}`));
-      if (result.content) {
+    const projects = await scanForProjects(rootDir);
+    const nodeProjects = projects.filter((p) => p.type === "node");
+    const pythonProjects = projects.filter((p) => p.type === "python");
+    if (nodeProjects.length === 0) {
+      if (pythonProjects.length > 0) {
+        console.log(pc.dim("  Python project detected. To add brakit:"));
         console.log();
-        for (const line of result.content.split("\n")) {
-          console.log(pc.dim(`    ${line}`));
-        }
+        console.log(pc.bold("  pip install brakit"));
+        console.log(pc.dim("  Then add to the top of your entry file:"));
+        console.log(pc.bold("  import brakit  # noqa: F401"));
+        console.log();
+      } else {
+        console.error(pc.red("  No project found. Run this from your project directory."));
+      }
+      process.exit(1);
+    }
+    for (const p of nodeProjects) {
+      const node = p.node;
+      const suffix = p.relDir === "." ? "" : ` in ${p.relDir}`;
+      const installed = await installPackage(p.dir, node.packageManager);
+      if (installed) {
+        console.log(pc.green(`  \u2713 Added brakit to devDependencies${suffix}`));
+      } else {
+        console.log(pc.dim(`  \u2713 brakit already in dependencies${suffix}`));
+      }
+      const result = await setupInstrumentation(p.dir, node.framework);
+      const prefix = p.relDir === "." ? "" : `${p.relDir}/`;
+      if (result.action === "created") {
+        console.log(pc.green(`  \u2713 Created ${prefix}${result.file}`));
+      } else if (result.action === "prepended") {
+        console.log(pc.green(`  \u2713 Added import to ${prefix}${result.file}`));
+      } else if (result.action === "exists") {
+        console.log(pc.dim(`  \u2713 ${prefix}${result.file} already has brakit import`));
+      } else {
+        printManualInstructions(node.framework);
       }
-    } else if (result.action === "prepended") {
-      console.log(pc.green(`  \u2713 Added import to ${result.file}`));
-    } else if (result.action === "exists") {
-      console.log(pc.dim(`  \u2713 ${result.file} already has brakit import`));
-    } else {
-      printManualInstructions(project.framework);
     }
     await ensureGitignoreEntry(rootDir, METRICS_DIR);
     const mcpResult = await setupMcp(rootDir);
@@ -1723,14 +1989,30 @@ var install_default = defineCommand({
     } else if (mcpResult === "exists") {
       console.log(pc.dim("  \u2713 MCP already configured"));
     }
+    const gitRoot = findGitRoot(rootDir);
+    if (gitRoot && gitRoot !== rootDir) {
+      const parentMcpResult = await setupMcp(gitRoot);
+      if (parentMcpResult === "created" || parentMcpResult === "updated") {
+        console.log(pc.green("  \u2713 Configured MCP at project root"));
+      }
+    }
     console.log();
+    const port = nodeProjects[0].node?.defaultPort ?? 3e3;
     console.log(pc.dim("  Start your app and visit:"));
-    console.log(pc.bold("  http://localhost:<port>/__brakit"));
+    console.log(pc.bold(`  http://localhost:${port}/__brakit`));
+    if (pythonProjects.length > 0) {
+      const pyLabel = pythonProjects.map((p) => p.relDir).join(", ");
+      console.log();
+      console.log(pc.dim(`  Python backend detected (${pyLabel}). To capture telemetry:`));
+      console.log(pc.bold("  pip install brakit"));
+      console.log(pc.dim("  Then add to the top of your entry file:"));
+      console.log(pc.bold("  import brakit  # noqa: F401"));
+    }
     console.log();
   }
 });
 async function installPackage(rootDir, pm) {
-  const pkgRaw = await readFile3(join2(rootDir, "package.json"), "utf-8");
+  const pkgRaw = await readFile4(join2(rootDir, "package.json"), "utf-8");
   const pkg = JSON.parse(pkgRaw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   if (allDeps["brakit"]) return false;
@@ -1766,7 +2048,7 @@ async function setupNextjs(rootDir) {
   const relPath = hasSrc ? "src/instrumentation.ts" : "instrumentation.ts";
   const absPath = join2(rootDir, relPath);
   if (await fileExists(absPath)) {
-    const content2 = await readFile3(absPath, "utf-8");
+    const content2 = await readFile4(absPath, "utf-8");
     if (content2.includes(IMPORT_MARKER)) {
       return { action: "exists", file: relPath };
     }
@@ -1780,7 +2062,7 @@ async function setupNuxt(rootDir) {
   const relPath = "server/plugins/brakit.ts";
   const absPath = join2(rootDir, relPath);
   if (await fileExists(absPath)) {
-    const content2 = await readFile3(absPath, "utf-8");
+    const content2 = await readFile4(absPath, "utf-8");
     if (content2.includes(IMPORT_MARKER)) {
       return { action: "exists", file: relPath };
     }
@@ -1797,7 +2079,7 @@ async function setupPrepend(rootDir, ...candidates) {
   for (const relPath of candidates) {
     const absPath = join2(rootDir, relPath);
     if (!await fileExists(absPath)) continue;
-    const content = await readFile3(absPath, "utf-8");
+    const content = await readFile4(absPath, "utf-8");
     if (content.includes(IMPORT_MARKER)) {
       return { action: "exists", file: relPath };
     }
@@ -1809,7 +2091,7 @@ ${content}`);
 }
 async function setupGeneric(rootDir) {
   try {
-    const pkgRaw = await readFile3(join2(rootDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile4(join2(rootDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (pkg.main && typeof pkg.main === "string") {
       const result2 = await setupPrepend(rootDir, pkg.main);
@@ -1829,21 +2111,21 @@ var MCP_CONFIG = {
     }
   }
 };
-async function setupMcp(rootDir) {
+async function setupMcp(rootDir, config = MCP_CONFIG) {
   const mcpPath = join2(rootDir, ".mcp.json");
   if (await fileExists(mcpPath)) {
-    const raw = await readFile3(mcpPath, "utf-8");
+    const raw = await readFile4(mcpPath, "utf-8");
     try {
-      const config = JSON.parse(raw);
-      if (config?.mcpServers?.brakit) return "exists";
-      config.mcpServers = { ...config.mcpServers, ...MCP_CONFIG.mcpServers };
-      await writeFile3(mcpPath, JSON.stringify(config, null, 2) + "\n");
+      const existing = JSON.parse(raw);
+      if (existing?.mcpServers?.brakit) return "exists";
+      existing.mcpServers = { ...existing.mcpServers, ...config.mcpServers };
+      await writeFile3(mcpPath, JSON.stringify(existing, null, 2) + "\n");
       await ensureGitignoreEntry(rootDir, ".mcp.json");
       return "updated";
     } catch {
     }
   }
-  await writeFile3(mcpPath, JSON.stringify(MCP_CONFIG, null, 2) + "\n");
+  await writeFile3(mcpPath, JSON.stringify(config, null, 2) + "\n");
   await ensureGitignoreEntry(rootDir, ".mcp.json");
   return "created";
 }
@@ -1851,7 +2133,7 @@ async function ensureGitignoreEntry(rootDir, entry) {
   const gitignorePath = join2(rootDir, ".gitignore");
   try {
     if (await fileExists(gitignorePath)) {
-      const content = await readFile3(gitignorePath, "utf-8");
+      const content = await readFile4(gitignorePath, "utf-8");
       if (content.split("\n").some((l) => l.trim() === entry)) return;
       await writeFile3(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
     } else {
@@ -1860,6 +2142,15 @@ async function ensureGitignoreEntry(rootDir, entry) {
   } catch {
   }
 }
+function findGitRoot(startDir) {
+  let dir = resolve3(startDir);
+  while (true) {
+    if (existsSync5(join2(dir, ".git"))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
 function printManualInstructions(framework) {
   console.log(pc.yellow("  \u26A0 Could not auto-detect entry file."));
   console.log();
@@ -1880,7 +2171,7 @@ function printManualInstructions(framework) {
 // src/cli/commands/uninstall.ts
 import { defineCommand as defineCommand2 } from "citty";
 import { resolve as resolve4, join as join3 } from "path";
-import { readFile as readFile4, writeFile as writeFile4, unlink, rm } from "fs/promises";
+import { readFile as readFile5, writeFile as writeFile4, unlink, rm } from "fs/promises";
 import { execSync as execSync2 } from "child_process";
 import pc2 from "picocolors";
 init_constants();
@@ -1917,7 +2208,7 @@ var uninstall_default = defineCommand2({
     for (const relPath of CREATED_FILES) {
       const absPath = join3(rootDir, relPath);
       if (!await fileExists(absPath)) continue;
-      const content = await readFile4(absPath, "utf-8");
+      const content = await readFile5(absPath, "utf-8");
       if (!content.includes("brakit")) continue;
       if (isExactBrakitTemplate(content)) {
         await unlink(absPath);
@@ -1939,7 +2230,7 @@ var uninstall_default = defineCommand2({
     if (!removed) {
       const candidates = [...PREPENDED_FILES];
       try {
-        const pkgRaw = await readFile4(join3(rootDir, "package.json"), "utf-8");
+        const pkgRaw = await readFile5(join3(rootDir, "package.json"), "utf-8");
         const pkg = JSON.parse(pkgRaw);
         if (pkg.main) candidates.unshift(pkg.main);
       } catch {
@@ -1947,7 +2238,7 @@ var uninstall_default = defineCommand2({
       for (const relPath of candidates) {
         const absPath = join3(rootDir, relPath);
         if (!await fileExists(absPath)) continue;
-        const content = await readFile4(absPath, "utf-8");
+        const content = await readFile5(absPath, "utf-8");
         if (!content.includes(IMPORT_LINE)) continue;
         const updated = content.split("\n").filter((line) => line.trim() !== IMPORT_LINE.trim()).join("\n");
         await writeFile4(absPath, updated);
@@ -1983,7 +2274,7 @@ async function removeMcpConfig(rootDir) {
   const mcpPath = join3(rootDir, ".mcp.json");
   if (!await fileExists(mcpPath)) return false;
   try {
-    const raw = await readFile4(mcpPath, "utf-8");
+    const raw = await readFile5(mcpPath, "utf-8");
     const config = JSON.parse(raw);
     if (!config?.mcpServers?.brakit) return false;
     delete config.mcpServers.brakit;
@@ -1999,7 +2290,7 @@ async function removeMcpConfig(rootDir) {
 }
 async function uninstallPackage(rootDir, pm) {
   try {
-    const pkgRaw = await readFile4(join3(rootDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile5(join3(rootDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (!pkg.devDependencies?.brakit && !pkg.dependencies?.brakit) return false;
   } catch {
@@ -2033,7 +2324,7 @@ async function cleanGitignore(rootDir) {
   const gitignorePath = join3(rootDir, ".gitignore");
   if (!await fileExists(gitignorePath)) return false;
   try {
-    const content = await readFile4(gitignorePath, "utf-8");
+    const content = await readFile5(gitignorePath, "utf-8");
     const lines = content.split("\n");
     const filtered = lines.filter((line) => line.trim() !== METRICS_DIR);
     if (filtered.length === lines.length) return false;