brakit 0.8.4 → 0.8.5

package/dist/mcp/server.js

@@ -9,20 +9,39 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 
 // src/constants/routes.ts
-var DASHBOARD_API_REQUESTS = "/__brakit/api/requests";
-var DASHBOARD_API_CLEAR = "/__brakit/api/clear";
-var DASHBOARD_API_FETCHES = "/__brakit/api/fetches";
-var DASHBOARD_API_ERRORS = "/__brakit/api/errors";
-var DASHBOARD_API_QUERIES = "/__brakit/api/queries";
-var DASHBOARD_API_ACTIVITY = "/__brakit/api/activity";
-var DASHBOARD_API_METRICS_LIVE = "/__brakit/api/metrics/live";
-var DASHBOARD_API_INSIGHTS = "/__brakit/api/insights";
-var DASHBOARD_API_SECURITY = "/__brakit/api/security";
-var DASHBOARD_API_FINDINGS = "/__brakit/api/findings";
+var DASHBOARD_PREFIX = "/__brakit";
+var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+var DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+var DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+var DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+var DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+var DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+var DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+var DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+var DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+var DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+var DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+var DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+var VALID_TABS_TUPLE = [
+  "overview",
+  "actions",
+  "requests",
+  "fetches",
+  "queries",
+  "errors",
+  "logs",
+  "performance",
+  "security"
+];
+var VALID_TABS = new Set(VALID_TABS_TUPLE);
 
 // src/constants/mcp.ts
 var MCP_SERVER_NAME = "brakit";
-var MCP_SERVER_VERSION = "0.8.4";
 var INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
 var LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
 var CLIENT_FETCH_TIMEOUT_MS = 1e4;
@@ -32,6 +51,7 @@ var MAX_DISCOVERY_DEPTH = 5;
 var MAX_TIMELINE_EVENTS = 20;
 var MAX_RESOLVED_DISPLAY = 5;
 var ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
+var MCP_SERVER_VERSION = "0.8.5";
 
 // src/mcp/client.ts
 var BrakitClient = class {
@@ -79,6 +99,19 @@ var BrakitClient = class {
     if (state) url.searchParams.set("state", state);
     return this.fetchJson(url);
   }
+  async reportFix(findingId, status, notes) {
+    const res = await fetch(`${this.baseUrl}${DASHBOARD_API_FINDINGS_REPORT}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ findingId, status, notes }),
+      signal: AbortSignal.timeout(CLIENT_FETCH_TIMEOUT_MS)
+    });
+    if (!res.ok) return false;
+    const contentType = res.headers.get("content-type") ?? "";
+    if (!contentType.includes("application/json")) return false;
+    const body = await res.json();
+    return body.ok === true;
+  }
   async clearAll() {
     const res = await fetch(`${this.baseUrl}${DASHBOARD_API_CLEAR}`, {
       method: "POST",
@@ -108,59 +141,74 @@ var BrakitClient = class {
 };
 
 // src/mcp/discovery.ts
-import { readFileSync, existsSync, readdirSync, statSync } from "fs";
+import { readFile, readdir, stat } from "fs/promises";
 import { resolve, dirname } from "path";
 
 // src/constants/limits.ts
-var MAX_INGEST_BYTES = 10 * 1024 * 1024;
+var FINDING_ID_HASH_LENGTH = 16;
 
 // src/constants/metrics.ts
 var PORT_FILE = ".brakit/port";
 
-// src/constants/severity.ts
-var SEVERITY_CRITICAL = "critical";
-var SEVERITY_WARNING = "warning";
-var SEVERITY_INFO = "info";
-var SEVERITY_ICON_MAP = {
-  [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
-  [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
-  [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
-};
+// src/constants/network.ts
+var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+var PORT_MIN = 1;
+var PORT_MAX = 65535;
+
+// src/constants/lifecycle.ts
+var VALID_FINDING_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+var VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+var VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
+
+// src/utils/log.ts
+var PREFIX = "[brakit]";
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
 
 // src/mcp/discovery.ts
-function readPort(portPath) {
-  if (!existsSync(portPath)) return null;
-  const raw = readFileSync(portPath, "utf-8").trim();
-  const port = parseInt(raw, 10);
-  return isNaN(port) || port < 1 || port > 65535 ? null : port;
+async function readPort(portPath) {
+  try {
+    const raw = (await readFile(portPath, "utf-8")).trim();
+    const port = parseInt(raw, 10);
+    return isNaN(port) || port < PORT_MIN || port > PORT_MAX ? null : port;
+  } catch {
+    return null;
+  }
 }
-function portInDir(dir) {
+async function portInDir(dir) {
   return readPort(resolve(dir, PORT_FILE));
 }
-function portInChildren(dir) {
+async function portInChildren(dir) {
   try {
-    for (const entry of readdirSync(dir)) {
+    const entries = await readdir(dir);
+    for (const entry of entries) {
       if (entry.startsWith(".") || entry === "node_modules") continue;
       const child = resolve(dir, entry);
       try {
-        if (!statSync(child).isDirectory()) continue;
-      } catch {
+        if (!(await stat(child)).isDirectory()) continue;
+      } catch (err) {
+        brakitDebug(`discovery: stat failed for ${child}: ${err}`);
         continue;
       }
-      const port = portInDir(child);
+      const port = await portInDir(child);
       if (port) return port;
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`discovery: readdir failed for ${dir}: ${err}`);
   }
   return null;
 }
-function searchForPort(startDir) {
+async function searchForPort(startDir) {
   const start = resolve(startDir);
-  const initial = portInDir(start) ?? portInChildren(start);
+  const initial = await portInDir(start) ?? await portInChildren(start);
   if (initial) return initial;
   let dir = dirname(start);
   for (let depth = 0; depth < MAX_DISCOVERY_DEPTH; depth++) {
-    const port = portInDir(dir);
+    const port = await portInDir(dir) ?? await portInChildren(dir);
     if (port) return port;
     const parent = dirname(dir);
     if (parent === dir) break;
@@ -168,8 +216,8 @@ function searchForPort(startDir) {
   }
   return null;
 }
-function discoverBrakitPort(cwd) {
-  const port = searchForPort(cwd ?? process.cwd());
+async function discoverBrakitPort(cwd) {
+  const port = await searchForPort(cwd ?? process.cwd());
   if (!port) {
     throw new Error(
       "Brakit is not running. Start your app with brakit enabled first."
@@ -181,7 +229,7 @@ async function waitForBrakit(cwd, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTER
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     try {
-      const result = discoverBrakitPort(cwd);
+      const result = await discoverBrakitPort(cwd);
       const res = await fetch(`${result.baseUrl}${DASHBOARD_API_REQUESTS}?limit=1`);
       if (res.ok) return result;
     } catch {
@@ -193,14 +241,11 @@ async function waitForBrakit(cwd, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTER
   );
 }
 
-// src/mcp/enrichment.ts
-import { createHash as createHash2 } from "crypto";
-
 // src/store/finding-id.ts
 import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+function computeInsightId(type, endpoint, desc) {
+  const key = `${type}:${endpoint}:${desc}`;
+  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
 }
 
 // src/utils/endpoint.ts
@@ -213,44 +258,46 @@ function parseEndpointKey(endpoint) {
 }
 
 // src/mcp/enrichment.ts
-function computeInsightId(type, endpoint, desc) {
-  const key = `${type}:${endpoint}:${desc}`;
-  return createHash2("sha256").update(key).digest("hex").slice(0, 16);
-}
 async function enrichFindings(client) {
   const [securityData, insightsData] = await Promise.all([
     client.getSecurityFindings(),
     client.getInsights()
   ]);
-  const enriched = [];
-  for (const f of securityData.findings) {
-    let context = "";
-    try {
-      const { path } = parseEndpointKey(f.endpoint);
-      const reqData = await client.getRequests({ search: path, limit: 1 });
-      if (reqData.requests.length > 0) {
-        const req = reqData.requests[0];
-        if (req.id) {
-          const activity = await client.getActivity(req.id);
-          const queryCount = activity.counts?.queries ?? 0;
-          const fetchCount = activity.counts?.fetches ?? 0;
-          context = `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+  const contexts = await Promise.all(
+    securityData.findings.map(async (sf) => {
+      try {
+        const { path } = parseEndpointKey(sf.finding.endpoint);
+        const reqData = await client.getRequests({ search: path, limit: 1 });
+        if (reqData.requests.length > 0) {
+          const req = reqData.requests[0];
+          if (req.id) {
+            const activity = await client.getActivity(req.id);
+            const queryCount = activity.counts?.queries ?? 0;
+            const fetchCount = activity.counts?.fetches ?? 0;
+            return `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+          }
         }
+      } catch {
+        return "(context unavailable)";
       }
-    } catch {
-      context = "(context unavailable)";
-    }
-    enriched.push({
-      findingId: computeFindingId(f),
+      return "";
+    })
+  );
+  const enriched = securityData.findings.map((sf, i) => {
+    const f = sf.finding;
+    return {
+      findingId: sf.findingId,
       severity: f.severity,
       title: f.title,
       endpoint: f.endpoint,
       description: f.desc,
       hint: f.hint,
       occurrences: f.count,
-      context
-    });
-  }
+      context: contexts[i],
+      aiStatus: sf.aiStatus,
+      aiNotes: sf.aiNotes
+    };
+  });
   for (const si of insightsData.insights) {
     if (si.state === "resolved") continue;
     const i = si.insight;
@@ -264,7 +311,9 @@ async function enrichFindings(client) {
       description: i.desc,
       hint: i.hint,
       occurrences: 1,
-      context: i.detail ?? ""
+      context: i.detail ?? "",
+      aiStatus: si.aiStatus,
+      aiNotes: si.aiNotes
     });
   }
   return enriched;
@@ -317,9 +366,18 @@ async function buildRequestDetail(client, req) {
   };
 }
 
+// src/utils/type-guards.ts
+function isNonEmptyString(val) {
+  return typeof val === "string" && val.trim().length > 0;
+}
+function isValidFindingState(val) {
+  return typeof val === "string" && VALID_FINDING_STATES.has(val);
+}
+function isValidAiFixStatus(val) {
+  return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
+}
+
 // src/mcp/tools/get-findings.ts
-var VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
-var VALID_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
 var getFindings = {
   name: "get_findings",
   description: "Get all security findings and performance insights from the running app. Returns enriched findings with actionable fix hints, endpoint context, and evidence. Use this to understand what issues exist in the running application.",
@@ -341,10 +399,10 @@ var getFindings = {
   async handler(client, args) {
     const severity = args.severity;
     const state = args.state;
-    if (severity && !VALID_SEVERITIES.has(severity)) {
+    if (severity && !VALID_SECURITY_SEVERITIES.has(severity)) {
       return { content: [{ type: "text", text: `Invalid severity "${severity}". Use: critical, warning.` }], isError: true };
     }
-    if (state && !VALID_STATES.has(state)) {
+    if (state && !isValidFindingState(state)) {
       return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved.` }], isError: true };
     }
     let findings = await enrichFindings(client);
@@ -363,10 +421,18 @@ var getFindings = {
 `];
     for (const f of findings) {
       lines.push(`[${f.severity.toUpperCase()}] ${f.title}`);
+      lines.push(`  ID: ${f.findingId}`);
       lines.push(`  Endpoint: ${f.endpoint}`);
       lines.push(`  Issue: ${f.description}`);
       if (f.context) lines.push(`  Context: ${f.context}`);
       lines.push(`  Fix: ${f.hint}`);
+      if (f.aiStatus === "fixed") {
+        lines.push(`  AI Status: fixed (awaiting verification)`);
+        if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
+      } else if (f.aiStatus === "wont_fix") {
+        lines.push(`  AI Status: won't fix`);
+        if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
+      }
       lines.push("");
     }
     return { content: [{ type: "text", text: lines.join("\n") }] };
@@ -659,9 +725,57 @@ var clearFindings = {
   }
 };
 
+// src/mcp/tools/report-fix.ts
+var reportFix = {
+  name: "report_fix",
+  description: "Report the result of fixing a brakit finding. Call this after attempting to fix each finding to update the dashboard with the outcome. Use status 'fixed' when you've applied a fix, or 'wont_fix' when the issue can't be resolved (e.g. third-party library, by design).",
+  inputSchema: {
+    type: "object",
+    properties: {
+      finding_id: {
+        type: "string",
+        description: "The finding ID to report on"
+      },
+      status: {
+        type: "string",
+        description: "Whether the fix was applied or can't be fixed",
+        enum: ["fixed", "wont_fix"]
+      },
+      summary: {
+        type: "string",
+        description: "Brief description of what was done or why it can't be fixed"
+      }
+    },
+    required: ["finding_id", "status", "summary"]
+  },
+  async handler(client, args) {
+    const { finding_id, status, summary } = args;
+    if (!isNonEmptyString(finding_id)) {
+      return { content: [{ type: "text", text: "finding_id is required." }], isError: true };
+    }
+    if (!isValidAiFixStatus(status)) {
+      return { content: [{ type: "text", text: "status must be 'fixed' or 'wont_fix'." }], isError: true };
+    }
+    if (!isNonEmptyString(summary)) {
+      return { content: [{ type: "text", text: "summary is required." }], isError: true };
+    }
+    const ok = await client.reportFix(finding_id, status, summary);
+    if (!ok) {
+      return {
+        content: [{ type: "text", text: `Finding ${finding_id} not found. It may have already been resolved.` }],
+        isError: true
+      };
+    }
+    const label = status === "fixed" ? "marked as fixed (awaiting verification)" : "marked as won't fix";
+    return {
+      content: [{ type: "text", text: `Finding ${finding_id} ${label}. Dashboard updated.` }]
+    };
+  }
+};
+
 // src/mcp/tools/index.ts
 var TOOL_MAP = new Map(
-  [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings].map((t) => [t.name, t])
+  [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings, reportFix].map((t) => [t.name, t])
 );
 function getToolDefinitions() {
   return [...TOOL_MAP.values()].map((t) => ({
@@ -682,6 +796,7 @@ function handleToolCall(client, name, args) {
 }
 
 // src/mcp/prompts.ts
+var SERVER_INSTRUCTIONS = "Brakit is a dev tool that monitors your running app for security vulnerabilities, performance issues, and query problems. IMPORTANT: After fixing any brakit finding, always call the report_fix tool with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did. This updates the dashboard in real-time so the developer can track AI-driven fixes.";
 var PROMPTS = [
   {
     name: "check-app",
@@ -693,18 +808,8 @@ var PROMPTS = [
   }
 ];
 var PROMPT_MESSAGES = {
-  "check-app": [
-    "Check my running app for security and performance issues using brakit.",
-    "First get all findings, then get the endpoint summary.",
-    "For any critical or warning findings, get the request detail to understand the root cause.",
-    "Give me a clear report of what's wrong and offer to fix each issue."
-  ].join(" "),
-  "fix-findings": [
-    "Get all open brakit findings.",
-    "For each finding, get the request detail to understand the exact issue.",
-    "Then find the source code responsible and fix it.",
-    "After fixing, ask me to re-trigger the endpoint so you can verify the fix with brakit."
-  ].join(" ")
+  "check-app": "Check my running app for security and performance issues using brakit. First get all findings, then get the endpoint summary. For any critical or warning findings, get the request detail to understand the root cause. Give me a clear report of what's wrong and offer to fix each issue. After fixing any issue, call report_fix with the finding_id, status, and summary.",
+  "fix-findings": "Get all open brakit findings. For each finding:\n1. Get the request detail to understand the exact issue\n2. Find the source code responsible and fix it\n3. Call report_fix with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did\n4. Move to the next finding\n\nAfter all findings are processed, ask me to re-trigger the endpoints so brakit can verify the fixes."
 };
 
 // src/mcp/server.ts
@@ -718,7 +823,7 @@ async function startMcpServer() {
   let cachedClient = discovery ? new BrakitClient(discovery.baseUrl) : null;
   const server = new Server(
     { name: MCP_SERVER_NAME, version: MCP_SERVER_VERSION },
-    { capabilities: { tools: {}, prompts: {} } }
+    { capabilities: { tools: {}, prompts: {} }, instructions: SERVER_INSTRUCTIONS }
   );
   server.setRequestHandler(ListPromptsRequestSchema, async () => ({
     prompts: [...PROMPTS]