brakit 0.8.4 → 0.8.6

package/dist/api.js

@@ -1,12 +1,94 @@
-// src/store/finding-store.ts
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+// src/store/issue-store.ts
+import { readFile as readFile2 } from "fs/promises";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync } from "fs";
 import { resolve as resolve2 } from "path";
 
-// src/constants/routes.ts
-var DASHBOARD_PREFIX = "/__brakit";
+// src/utils/fs.ts
+import { access, readFile, writeFile } from "fs/promises";
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { resolve, join } from "path";
 
 // src/constants/limits.ts
-var MAX_INGEST_BYTES = 10 * 1024 * 1024;
+var ANALYSIS_DEBOUNCE_MS = 300;
+var ISSUE_ID_HASH_LENGTH = 16;
+var ISSUES_DATA_VERSION = 2;
+var SECRET_SCAN_ARRAY_LIMIT = 5;
+var PII_SCAN_ARRAY_LIMIT = 10;
+var MIN_SECRET_VALUE_LENGTH = 8;
+var FULL_RECORD_MIN_FIELDS = 5;
+var LIST_PII_MIN_ITEMS = 2;
+var MAX_OBJECT_SCAN_DEPTH = 5;
+var ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+
+// src/utils/log.ts
+var PREFIX = "[brakit]";
+function brakitWarn(message) {
+  process.stderr.write(`${PREFIX} ${message}
+`);
+}
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+
+// src/utils/type-guards.ts
+function getErrorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return String(err);
+}
+function validateIssuesData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+    return parsed;
+  }
+  return null;
+}
+
+// src/utils/fs.ts
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function ensureGitignore(dir, entry) {
+  try {
+    const gitignorePath = resolve(dir, "../.gitignore");
+    if (existsSync(gitignorePath)) {
+      const content = readFileSync(gitignorePath, "utf-8");
+      if (content.split("\n").some((l) => l.trim() === entry)) return;
+      writeFileSync(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
+    } else {
+      writeFileSync(gitignorePath, entry + "\n");
+    }
+  } catch (err) {
+    brakitDebug(`ensureGitignore failed: ${getErrorMessage(err)}`);
+  }
+}
+async function ensureGitignoreAsync(dir, entry) {
+  try {
+    const gitignorePath = resolve(dir, "../.gitignore");
+    if (await fileExists(gitignorePath)) {
+      const content = await readFile(gitignorePath, "utf-8");
+      if (content.split("\n").some((l) => l.trim() === entry)) return;
+      await writeFile(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
+    } else {
+      await writeFile(gitignorePath, entry + "\n");
+    }
+  } catch (err) {
+    brakitDebug(`ensureGitignoreAsync failed: ${getErrorMessage(err)}`);
+  }
+}
+
+// src/constants/metrics.ts
+var ISSUES_FILE = "issues.json";
+var ISSUES_FLUSH_INTERVAL_MS = 1e4;
 
 // src/constants/thresholds.ts
 var FLOW_GAP_MS = 5e3;
@@ -35,24 +117,9 @@ var QUERY_COUNT_REGRESSION_RATIO = 1.5;
 var OVERFETCH_MANY_FIELDS = 12;
 var OVERFETCH_UNWRAP_MIN_SIZE = 3;
 var MAX_DUPLICATE_INSIGHTS = 3;
-var INSIGHT_WINDOW_PER_ENDPOINT = 2;
-var RESOLVE_AFTER_ABSENCES = 3;
-var RESOLVED_INSIGHT_TTL_MS = 18e5;
-
-// src/constants/metrics.ts
-var METRICS_DIR = ".brakit";
-var FINDINGS_FILE = ".brakit/findings.json";
-var FINDINGS_FLUSH_INTERVAL_MS = 1e4;
-
-// src/constants/severity.ts
-var SEVERITY_CRITICAL = "critical";
-var SEVERITY_WARNING = "warning";
-var SEVERITY_INFO = "info";
-var SEVERITY_ICON_MAP = {
-  [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
-  [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
-  [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
-};
+var INSIGHT_WINDOW_PER_ENDPOINT = 20;
+var CLEAN_HITS_FOR_RESOLUTION = 5;
+var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
 
 // src/utils/atomic-writer.ts
 import {
@@ -62,41 +129,6 @@ import {
   renameSync
 } from "fs";
 import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
-
-// src/utils/fs.ts
-import { access } from "fs/promises";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
-async function fileExists(path) {
-  try {
-    await access(path);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function ensureGitignore(dir, entry) {
-  try {
-    const gitignorePath = resolve(dir, "../.gitignore");
-    if (existsSync(gitignorePath)) {
-      const content = readFileSync(gitignorePath, "utf-8");
-      if (content.split("\n").some((l) => l.trim() === entry)) return;
-      writeFileSync(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
-    } else {
-      writeFileSync(gitignorePath, entry + "\n");
-    }
-  } catch {
-  }
-}
-
-// src/utils/log.ts
-var PREFIX = "[brakit]";
-function brakitWarn(message) {
-  process.stderr.write(`${PREFIX} ${message}
-`);
-}
-
-// src/utils/atomic-writer.ts
 var AtomicWriter = class {
   constructor(opts) {
     this.opts = opts;
@@ -111,7 +143,7 @@ var AtomicWriter = class {
       writeFileSync2(this.tmpPath, content);
       renameSync(this.tmpPath, this.opts.filePath);
     } catch (err) {
-      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+      brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
     }
   }
   async writeAsync(content) {
@@ -125,13 +157,14 @@ var AtomicWriter = class {
       await writeFile2(this.tmpPath, content);
       await rename(this.tmpPath, this.opts.filePath);
     } catch (err) {
-      brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+      brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
     } finally {
       this.writing = false;
       if (this.pendingContent !== null) {
         const next = this.pendingContent;
         this.pendingContent = null;
-        this.writeAsync(next);
+        this.writeAsync(next).catch(() => {
+        });
       }
     }
   }
@@ -144,45 +177,44 @@ var AtomicWriter = class {
     }
   }
   async ensureDirAsync() {
-    if (!existsSync2(this.opts.dir)) {
+    if (!await fileExists(this.opts.dir)) {
       await mkdir(this.opts.dir, { recursive: true });
       if (this.opts.gitignoreEntry) {
-        ensureGitignore(this.opts.dir, this.opts.gitignoreEntry);
+        await ensureGitignoreAsync(this.opts.dir, this.opts.gitignoreEntry);
       }
     }
   }
 };
 
-// src/store/finding-id.ts
-import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+// src/utils/issue-id.ts
+import { createHash as createHash2 } from "crypto";
+function computeIssueId(issue) {
+  const stableDesc = issue.desc.replace(/\d[\d,.]*\s*\w*/g, "#");
+  const key = `${issue.rule}:${issue.endpoint ?? "global"}:${stableDesc}`;
+  return createHash2("sha256").update(key).digest("hex").slice(0, ISSUE_ID_HASH_LENGTH);
 }
 
-// src/store/finding-store.ts
-var FindingStore = class {
-  constructor(rootDir) {
-    this.rootDir = rootDir;
-    const metricsDir = resolve2(rootDir, METRICS_DIR);
-    this.findingsPath = resolve2(rootDir, FINDINGS_FILE);
+// src/store/issue-store.ts
+var IssueStore = class {
+  constructor(dataDir) {
+    this.dataDir = dataDir;
+    this.issuesPath = resolve2(dataDir, ISSUES_FILE);
     this.writer = new AtomicWriter({
-      dir: metricsDir,
-      filePath: this.findingsPath,
-      gitignoreEntry: METRICS_DIR,
-      label: "findings"
+      dir: dataDir,
+      filePath: this.issuesPath,
+      label: "issues"
     });
-    this.load();
   }
-  findings = /* @__PURE__ */ new Map();
+  issues = /* @__PURE__ */ new Map();
   flushTimer = null;
   dirty = false;
   writer;
-  findingsPath;
+  issuesPath;
   start() {
+    this.loadAsync().catch((err) => brakitDebug(`IssueStore: async load failed: ${err}`));
     this.flushTimer = setInterval(
       () => this.flush(),
-      FINDINGS_FLUSH_INTERVAL_MS
+      ISSUES_FLUSH_INTERVAL_MS
     );
     this.flushTimer.unref();
   }
@@ -193,91 +225,150 @@ var FindingStore = class {
     }
     this.flushSync();
   }
-  upsert(finding, source) {
-    const id = computeFindingId(finding);
-    const existing = this.findings.get(id);
+  upsert(issue, source) {
+    const id = computeIssueId(issue);
+    const existing = this.issues.get(id);
     const now = Date.now();
     if (existing) {
       existing.lastSeenAt = now;
       existing.occurrences++;
-      existing.finding = finding;
-      if (existing.state === "resolved") {
-        existing.state = "open";
+      existing.issue = issue;
+      existing.cleanHitsSinceLastSeen = 0;
+      if (existing.state === "resolved" || existing.state === "stale") {
+        existing.state = "regressed";
         existing.resolvedAt = null;
       }
       this.dirty = true;
       return existing;
     }
     const stateful = {
-      findingId: id,
+      issueId: id,
       state: "open",
       source,
-      finding,
+      category: issue.category,
+      issue,
       firstSeenAt: now,
       lastSeenAt: now,
       resolvedAt: null,
-      occurrences: 1
+      occurrences: 1,
+      cleanHitsSinceLastSeen: 0,
+      aiStatus: null,
+      aiNotes: null
     };
-    this.findings.set(id, stateful);
+    this.issues.set(id, stateful);
     this.dirty = true;
     return stateful;
   }
-  transition(findingId, state) {
-    const finding = this.findings.get(findingId);
-    if (!finding) return false;
-    finding.state = state;
-    if (state === "resolved") {
-      finding.resolvedAt = Date.now();
-    }
-    this.dirty = true;
-    return true;
-  }
   /**
-   * Reconcile passive findings against the current analysis results.
+   * Reconcile issues against the current analysis results using evidence-based resolution.
    *
-   * Passive findings are detected by continuous scanning (not user-triggered).
-   * When a previously-seen finding is absent from the current results, it means
-   * the issue has been fixed — transition it to "resolved" automatically.
-   * Active findings (from MCP verify-fix) are not auto-resolved because they
-   * require explicit verification.
+   * @param currentIssueIds - IDs of issues detected in the current analysis cycle
+   * @param activeEndpoints - Endpoints that had requests in the current cycle
    */
-  reconcilePassive(currentFindings) {
-    const currentIds = new Set(currentFindings.map(computeFindingId));
-    for (const [id, stateful] of this.findings) {
-      if (stateful.source === "passive" && stateful.state === "open" && !currentIds.has(id)) {
-        stateful.state = "resolved";
-        stateful.resolvedAt = Date.now();
+  reconcile(currentIssueIds, activeEndpoints) {
+    const now = Date.now();
+    for (const [, stateful] of this.issues) {
+      const isActive = stateful.state === "open" || stateful.state === "fixing" || stateful.state === "regressed";
+      if (!isActive) continue;
+      if (currentIssueIds.has(stateful.issueId)) continue;
+      const endpoint = stateful.issue.endpoint;
+      if (endpoint && activeEndpoints.has(endpoint)) {
+        stateful.cleanHitsSinceLastSeen++;
+        if (stateful.cleanHitsSinceLastSeen >= CLEAN_HITS_FOR_RESOLUTION) {
+          stateful.state = "resolved";
+          stateful.resolvedAt = now;
+        }
+        this.dirty = true;
+      } else if (now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS) {
+        stateful.state = "stale";
+        this.dirty = true;
+      }
+    }
+    for (const [id, stateful] of this.issues) {
+      if (stateful.state === "resolved" && stateful.resolvedAt && now - stateful.resolvedAt > ISSUE_PRUNE_TTL_MS) {
+        this.issues.delete(id);
+        this.dirty = true;
+      } else if (stateful.state === "stale" && now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS + ISSUE_PRUNE_TTL_MS) {
+        this.issues.delete(id);
         this.dirty = true;
       }
     }
   }
+  transition(issueId, state) {
+    const issue = this.issues.get(issueId);
+    if (!issue) return false;
+    issue.state = state;
+    if (state === "resolved") {
+      issue.resolvedAt = Date.now();
+    }
+    this.dirty = true;
+    return true;
+  }
+  reportFix(issueId, status, notes) {
+    const issue = this.issues.get(issueId);
+    if (!issue) return false;
+    issue.aiStatus = status;
+    issue.aiNotes = notes;
+    if (status === "fixed") {
+      issue.state = "fixing";
+    }
+    this.dirty = true;
+    return true;
+  }
   getAll() {
-    return [...this.findings.values()];
+    return [...this.issues.values()];
   }
   getByState(state) {
-    return [...this.findings.values()].filter((f) => f.state === state);
+    return [...this.issues.values()].filter((i) => i.state === state);
   }
-  get(findingId) {
-    return this.findings.get(findingId);
+  getByCategory(category) {
+    return [...this.issues.values()].filter((i) => i.category === category);
   }
-  clear() {
-    this.findings.clear();
-    this.dirty = true;
+  get(issueId) {
+    return this.issues.get(issueId);
   }
-  load() {
+  clear() {
+    this.issues.clear();
+    this.dirty = false;
     try {
-      if (existsSync3(this.findingsPath)) {
-        const raw = readFileSync2(this.findingsPath, "utf-8");
-        const parsed = JSON.parse(raw);
-        if (parsed?.version === 1 && Array.isArray(parsed.findings)) {
-          for (const f of parsed.findings) {
-            this.findings.set(f.findingId, f);
-          }
-        }
+      if (existsSync3(this.issuesPath)) {
+        unlinkSync(this.issuesPath);
       }
     } catch {
     }
   }
+  isDirty() {
+    return this.dirty;
+  }
+  async loadAsync() {
+    try {
+      if (await fileExists(this.issuesPath)) {
+        const raw = await readFile2(this.issuesPath, "utf-8");
+        this.hydrate(raw);
+      }
+    } catch (err) {
+      brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+    }
+  }
+  /** Sync load for tests only — not used in production paths. */
+  loadSync() {
+    try {
+      if (existsSync3(this.issuesPath)) {
+        const raw = readFileSync2(this.issuesPath, "utf-8");
+        this.hydrate(raw);
+      }
+    } catch (err) {
+      brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+    }
+  }
+  /** Parse and populate issues from a raw JSON string. */
+  hydrate(raw) {
+    const validated = validateIssuesData(JSON.parse(raw));
+    if (!validated) return;
+    for (const issue of validated.issues) {
+      this.issues.set(issue.issueId, issue);
+    }
+  }
   flush() {
     if (!this.dirty) return;
     this.writer.writeAsync(this.serialize());
@@ -290,17 +381,17 @@ var FindingStore = class {
   }
   serialize() {
     const data = {
-      version: 1,
-      findings: [...this.findings.values()]
+      version: ISSUES_DATA_VERSION,
+      issues: [...this.issues.values()]
     };
     return JSON.stringify(data);
   }
 };
 
 // src/detect/project.ts
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join } from "path";
+import { join as join2, relative } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -309,24 +400,24 @@ var FRAMEWORKS = [
   { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
 ];
 async function detectProject(rootDir) {
-  const pkgPath = join(rootDir, "package.json");
-  const raw = await readFile2(pkgPath, "utf-8");
+  const pkgPath = join2(rootDir, "package.json");
+  const raw = await readFile3(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   const framework = detectFrameworkFromDeps(allDeps);
   const matched = FRAMEWORKS.find((f) => f.name === framework);
   const devCommand = matched?.devCmd ?? "";
-  const devBin = matched ? join(rootDir, "node_modules", ".bin", matched.bin) : "";
+  const devBin = matched ? join2(rootDir, "node_modules", ".bin", matched.bin) : "";
   const defaultPort = matched?.defaultPort ?? 3e3;
   const packageManager = await detectPackageManager(rootDir);
   return { framework, devCommand, devBin, defaultPort, packageManager };
 }
 async function detectPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 function detectFrameworkFromDeps(allDeps) {
@@ -368,15 +459,47 @@ var AdapterRegistry = class {
   }
 };
 
+// src/utils/response.ts
+function tryParseJson(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
+}
+
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
 var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
+var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
 var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
-var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
-var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
+var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
+var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
 var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
@@ -388,37 +511,41 @@ var RULE_HINTS = {
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
   "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
   "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
+  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
   "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-  "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 
-// src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
+// src/utils/http-status.ts
+function isErrorStatus(code) {
+  return code >= 400;
+}
+function isServerError(code) {
+  return code >= 500;
+}
+function isRedirect(code) {
+  return code >= 300 && code < 400;
 }
-function findSecretKeys(obj, prefix) {
+
+// src/analysis/rules/exposed-secret.ts
+function findSecretKeys(obj, prefix, depth = 0) {
   const found = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
   if (!obj || typeof obj !== "object") return found;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
+    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
+      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
     }
     return found;
   }
   for (const k of Object.keys(obj)) {
     const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
       found.push(k);
     }
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
+      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
     }
   }
   return found;
@@ -432,8 +559,8 @@ var exposedSecretRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const parsed = tryParseJson(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      const parsed = ctx.parsedBodies.response.get(r.id);
       if (!parsed) continue;
       const keys = findSecretKeys(parsed, "");
       if (keys.length === 0) continue;
@@ -586,7 +713,7 @@ var errorInfoLeakRule = {
 
 // src/analysis/rules/insecure-cookie.ts
 function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (isRedirect(r.statusCode)) return true;
   if (r.path?.startsWith("/__")) return true;
   if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
   return false;
@@ -692,48 +819,15 @@ var corsCredentialsRule = {
   }
 };
 
-// src/utils/response.ts
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
-      }
-    }
-  }
-  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
-}
-
 // src/analysis/rules/response-pii-leak.ts
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-var FULL_RECORD_MIN_FIELDS = 5;
-var LIST_PII_MIN_ITEMS = 2;
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findEmails(obj) {
+function findEmails(obj, depth = 0) {
   const emails = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
   if (!obj || typeof obj !== "object") return emails;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
+    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
+      emails.push(...findEmails(obj[i], depth + 1));
     }
     return emails;
   }
@@ -741,7 +835,7 @@ function findEmails(obj) {
     if (typeof v === "string" && EMAIL_RE.test(v)) {
       emails.push(v);
     } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
+      emails.push(...findEmails(v, depth + 1));
     }
   }
   return emails;
@@ -760,48 +854,47 @@ function hasInternalIds(obj) {
   }
   return false;
 }
-function detectPII(method, reqBody, resBody) {
-  const target = unwrapResponse(resBody);
-  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
-    const reqEmails = findEmails(reqBody);
-    if (reqEmails.length > 0) {
-      const resEmails = findEmails(target);
-      const echoed = reqEmails.filter((e) => resEmails.includes(e));
-      if (echoed.length > 0) {
-        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
-        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
-          return { reason: "echo", emailCount: echoed.length };
-        }
-      }
-    }
+function detectEchoPII(method, reqBody, target) {
+  if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
+  const reqEmails = findEmails(reqBody);
+  if (reqEmails.length === 0) return null;
+  const resEmails = findEmails(target);
+  const echoed = reqEmails.filter((e) => resEmails.includes(e));
+  if (echoed.length === 0) return null;
+  const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "echo", emailCount: echoed.length };
   }
-  if (target && typeof target === "object" && !Array.isArray(target)) {
-    const fields = topLevelFieldCount(target);
-    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
-      const emails = findEmails(target);
-      if (emails.length > 0) {
-        return { reason: "full-record", emailCount: emails.length };
-      }
+  return null;
+}
+function detectFullRecordPII(target) {
+  if (!target || typeof target !== "object" || Array.isArray(target)) return null;
+  const fields = topLevelFieldCount(target);
+  if (fields < FULL_RECORD_MIN_FIELDS || !hasInternalIds(target)) return null;
+  const emails = findEmails(target);
+  if (emails.length === 0) return null;
+  return { reason: "full-record", emailCount: emails.length };
+}
+function detectListPII(target) {
+  if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
+  let itemsWithEmail = 0;
+  for (let i = 0; i < Math.min(target.length, PII_SCAN_ARRAY_LIMIT); i++) {
+    const item = target[i];
+    if (item && typeof item === "object" && findEmails(item).length > 0) {
+      itemsWithEmail++;
     }
   }
-  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
-    let itemsWithEmail = 0;
-    for (let i = 0; i < Math.min(target.length, 10); i++) {
-      const item = target[i];
-      if (item && typeof item === "object") {
-        const emails = findEmails(item);
-        if (emails.length > 0) itemsWithEmail++;
-      }
-    }
-    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
-      const first = target[0];
-      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
-        return { reason: "list-pii", emailCount: itemsWithEmail };
-      }
-    }
+  if (itemsWithEmail < LIST_PII_MIN_ITEMS) return null;
+  const first = target[0];
+  if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "list-pii", emailCount: itemsWithEmail };
   }
   return null;
 }
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+}
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
@@ -816,10 +909,10 @@ var responsePiiLeakRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const resJson = tryParseJson2(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      const resJson = ctx.parsedBodies.response.get(r.id);
       if (!resJson) continue;
-      const reqJson = tryParseJson2(r.requestBody);
+      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
       const detection = detectPII(r.method, reqJson, resJson);
       if (!detection) continue;
       const ep = `${r.method} ${r.path}`;
@@ -846,12 +939,31 @@ var responsePiiLeakRule = {
 };
 
 // src/analysis/rules/scanner.ts
+function buildBodyCache(requests) {
+  const response = /* @__PURE__ */ new Map();
+  const request = /* @__PURE__ */ new Map();
+  for (const r of requests) {
+    if (r.responseBody) {
+      const parsed = tryParseJson(r.responseBody);
+      if (parsed != null) response.set(r.id, parsed);
+    }
+    if (r.requestBody) {
+      const parsed = tryParseJson(r.requestBody);
+      if (parsed != null) request.set(r.id, parsed);
+    }
+  }
+  return { response, request };
+}
 var SecurityScanner = class {
   rules = [];
   register(rule) {
     this.rules.push(rule);
   }
-  scan(ctx) {
+  scan(input) {
+    const ctx = {
+      ...input,
+      parsedBodies: buildBodyCache(input.requests)
+    };
     const findings = [];
     for (const rule of this.rules) {
       try {
@@ -893,6 +1005,41 @@ var SubscriptionBag = class {
 // src/analysis/group.ts
 import { randomUUID } from "crypto";
 
+// src/constants/routes.ts
+var DASHBOARD_PREFIX = "/__brakit";
+var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+var DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+var DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+var DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+var DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+var DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+var DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+var DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+var DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+var DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+var DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+var DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+var VALID_TABS_TUPLE = [
+  "overview",
+  "actions",
+  "requests",
+  "fetches",
+  "queries",
+  "errors",
+  "logs",
+  "performance",
+  "security"
+];
+var VALID_TABS = new Set(VALID_TABS_TUPLE);
+
+// src/constants/network.ts
+var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
@@ -956,7 +1103,7 @@ function labelRequest(req) {
 function generateHumanLabel(req, category) {
   const effectivePath = getEffectivePath(req);
   const endpointName = getEndpointName(effectivePath);
-  const failed = req.statusCode >= 400;
+  const failed = isErrorStatus(req.statusCode);
   switch (category) {
     case "auth-handshake":
       return "Auth handshake";
@@ -1136,7 +1283,7 @@ function detectWarnings(requests) {
   for (const req of slowRequests) {
     warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
   }
-  const errors = requests.filter((r) => r.statusCode >= 500);
+  const errors = requests.filter((r) => isServerError(r.statusCode));
   for (const req of errors) {
     warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
   }
@@ -1192,7 +1339,7 @@ function buildFlow(rawRequests) {
     requests,
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
-    hasErrors: requests.some((r) => r.statusCode >= 400),
+    hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
     warnings: detectWarnings(rawRequests),
     sourcePage,
     redundancyPct
@@ -1260,8 +1407,14 @@ function groupBy(items, keyFn) {
 }
 
 // src/utils/endpoint.ts
+var DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
+}
 function getEndpointKey(method, path) {
-  return `${method} ${path}`;
+  return `${method} ${normalizePath(path)}`;
 }
 var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
 function extractEndpointFromDesc(desc) {
@@ -1343,6 +1496,15 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function extractActiveEndpoints(requests) {
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const r of requests) {
+    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
+      endpoints.add(getEndpointKey(r.method, r.path));
+    }
+  }
+  return endpoints;
+}
 function prepareContext(ctx) {
   const nonStatic = ctx.requests.filter(
     (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
@@ -1360,7 +1522,7 @@ function prepareContext(ctx) {
       endpointGroups.set(ep, g);
     }
     g.total++;
-    if (r.statusCode >= 400) g.errors++;
+    if (isErrorStatus(r.statusCode)) g.errors++;
     g.totalDuration += r.durationMs;
     g.totalSize += r.responseSize ?? 0;
     const reqQueries = queriesByReq.get(r.id) ?? [];
@@ -1780,7 +1942,7 @@ var responseOverfetchRule = {
     const insights = [];
     const seen = /* @__PURE__ */ new Set();
     for (const r of ctx.nonStatic) {
-      if (r.statusCode >= 400 || !r.responseBody) continue;
+      if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
       const ep = getEndpointKey(r.method, r.path);
       if (seen.has(ep)) continue;
       let parsed;
@@ -1924,73 +2086,48 @@ function computeInsights(ctx) {
   return createDefaultInsightRunner().run(ctx);
 }
 
-// src/analysis/insight-tracker.ts
-function computeInsightKey(insight) {
-  const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
-  return `${insight.type}:${identifier}`;
-}
-var InsightTracker = class {
-  tracked = /* @__PURE__ */ new Map();
-  reconcile(current) {
-    const currentKeys = /* @__PURE__ */ new Set();
-    const now = Date.now();
-    for (const insight of current) {
-      const key = computeInsightKey(insight);
-      currentKeys.add(key);
-      const existing = this.tracked.get(key);
-      if (existing) {
-        existing.insight = insight;
-        existing.lastSeenAt = now;
-        existing.consecutiveAbsences = 0;
-        if (existing.state === "resolved") {
-          existing.state = "open";
-          existing.resolvedAt = null;
-        }
-      } else {
-        this.tracked.set(key, {
-          key,
-          state: "open",
-          insight,
-          firstSeenAt: now,
-          lastSeenAt: now,
-          resolvedAt: null,
-          consecutiveAbsences: 0
-        });
-      }
-    }
-    for (const [key, stateful] of this.tracked) {
-      if (stateful.state === "open" && !currentKeys.has(stateful.key)) {
-        stateful.consecutiveAbsences++;
-        if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
-          stateful.state = "resolved";
-          stateful.resolvedAt = now;
-        }
-      } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
-        this.tracked.delete(key);
-      }
-    }
-    return [...this.tracked.values()];
-  }
-  getAll() {
-    return [...this.tracked.values()];
-  }
-  clear() {
-    this.tracked.clear();
-  }
-};
+// src/analysis/issue-mappers.ts
+function categorizeInsight(type) {
+  if (type === "security") return "security";
+  if (type === "error" || type === "error-hotspot") return "reliability";
+  return "performance";
+}
+function insightToIssue(insight) {
+  return {
+    category: categorizeInsight(insight.type),
+    rule: insight.type,
+    severity: insight.severity,
+    title: insight.title,
+    desc: insight.desc,
+    hint: insight.hint,
+    detail: insight.detail,
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
+    nav: insight.nav
+  };
+}
+function securityFindingToIssue(finding) {
+  return {
+    category: "security",
+    rule: finding.rule,
+    severity: finding.severity,
+    title: finding.title,
+    desc: finding.desc,
+    hint: finding.hint,
+    endpoint: finding.endpoint,
+    nav: "security"
+  };
+}
 
 // src/analysis/engine.ts
 var AnalysisEngine = class {
-  constructor(registry, debounceMs = 300) {
+  constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
     this.registry = registry;
     this.debounceMs = debounceMs;
     this.scanner = createDefaultScanner();
   }
   scanner;
-  insightTracker = new InsightTracker();
   cachedInsights = [];
   cachedFindings = [];
-  cachedStatefulInsights = [];
   debounceTimer = null;
   subs = new SubscriptionBag();
   start() {
@@ -2013,12 +2150,6 @@ var AnalysisEngine = class {
   getFindings() {
     return this.cachedFindings;
   }
-  getStatefulFindings() {
-    return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
-  }
-  getStatefulInsights() {
-    return this.cachedStatefulInsights;
-  }
   scheduleRecompute() {
     if (this.debounceTimer) return;
     this.debounceTimer = setTimeout(() => {
@@ -2027,20 +2158,14 @@ var AnalysisEngine = class {
     }, this.debounceMs);
   }
   recompute() {
-    const requests = this.registry.get("request-store").getAll();
+    const allRequests = this.registry.get("request-store").getAll();
     const queries = this.registry.get("query-store").getAll();
     const errors = this.registry.get("error-store").getAll();
     const logs = this.registry.get("log-store").getAll();
     const fetches = this.registry.get("fetch-store").getAll();
+    const requests = windowByEndpoint(allRequests);
     const flows = groupRequestsIntoFlows(requests);
     this.cachedFindings = this.scanner.scan({ requests, logs });
-    if (this.registry.has("finding-store")) {
-      const findingStore = this.registry.get("finding-store");
-      for (const finding of this.cachedFindings) {
-        findingStore.upsert(finding, "passive");
-      }
-      findingStore.reconcilePassive(this.cachedFindings);
-    }
     this.cachedInsights = computeInsights({
       requests,
       queries,
@@ -2050,24 +2175,40 @@ var AnalysisEngine = class {
       previousMetrics: this.registry.get("metrics-store").getAll(),
       securityFindings: this.cachedFindings
     });
-    this.cachedStatefulInsights = this.insightTracker.reconcile(this.cachedInsights);
-    const update = {
-      insights: this.cachedInsights,
-      findings: this.cachedFindings,
-      statefulFindings: this.getStatefulFindings(),
-      statefulInsights: this.cachedStatefulInsights
-    };
-    this.registry.get("event-bus").emit("analysis:updated", update);
+    if (this.registry.has("issue-store")) {
+      const issueStore = this.registry.get("issue-store");
+      for (const finding of this.cachedFindings) {
+        issueStore.upsert(securityFindingToIssue(finding), "passive");
+      }
+      for (const insight of this.cachedInsights) {
+        issueStore.upsert(insightToIssue(insight), "passive");
+      }
+      const currentIssueIds = /* @__PURE__ */ new Set();
+      for (const finding of this.cachedFindings) {
+        currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
+      }
+      for (const insight of this.cachedInsights) {
+        currentIssueIds.add(computeIssueId(insightToIssue(insight)));
+      }
+      const activeEndpoints = extractActiveEndpoints(allRequests);
+      issueStore.reconcile(currentIssueIds, activeEndpoints);
+      const update = {
+        insights: this.cachedInsights,
+        findings: this.cachedFindings,
+        issues: issueStore.getAll()
+      };
+      this.registry.get("event-bus").emit("analysis:updated", update);
+    }
   }
 };
 
 // src/index.ts
-var VERSION = "0.8.4";
+var VERSION = "0.8.6";
 export {
   AdapterRegistry,
   AnalysisEngine,
-  FindingStore,
   InsightRunner,
+  IssueStore,
   SecurityScanner,
   VERSION,
   computeInsights,