npm - brakit - Versions diffs - 0.8.4 → 0.8.6 - Mend

brakit 0.8.4 → 0.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +3 -3
package/dist/api.d.ts +133 -111
package/dist/api.js +468 -327
package/dist/bin/brakit.js +864 -448
package/dist/dashboard.html +2653 -0
package/dist/mcp/server.js +248 -158
package/dist/runtime/index.js +1357 -783
package/package.json +3 -2

package/dist/runtime/index.js CHANGED Viewed

@@ -9,28 +9,29 @@ var __export = (target, all) => {
 };
 // src/constants/routes.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, VALID_TABS;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS;
 var init_routes = __esm({
   "src/constants/routes.ts"() {
     "use strict";
     DASHBOARD_PREFIX = "/__brakit";
-    DASHBOARD_API_REQUESTS = "/__brakit/api/requests";
-    DASHBOARD_API_EVENTS = "/__brakit/api/events";
-    DASHBOARD_API_FLOWS = "/__brakit/api/flows";
-    DASHBOARD_API_CLEAR = "/__brakit/api/clear";
-    DASHBOARD_API_LOGS = "/__brakit/api/logs";
-    DASHBOARD_API_FETCHES = "/__brakit/api/fetches";
-    DASHBOARD_API_ERRORS = "/__brakit/api/errors";
-    DASHBOARD_API_QUERIES = "/__brakit/api/queries";
-    DASHBOARD_API_INGEST = "/__brakit/api/ingest";
-    DASHBOARD_API_METRICS = "/__brakit/api/metrics";
-    DASHBOARD_API_ACTIVITY = "/__brakit/api/activity";
-    DASHBOARD_API_METRICS_LIVE = "/__brakit/api/metrics/live";
-    DASHBOARD_API_INSIGHTS = "/__brakit/api/insights";
-    DASHBOARD_API_SECURITY = "/__brakit/api/security";
-    DASHBOARD_API_TAB = "/__brakit/api/tab";
-    DASHBOARD_API_FINDINGS = "/__brakit/api/findings";
-    VALID_TABS = /* @__PURE__ */ new Set([
+    DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+    DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+    DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+    DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+    DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+    DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+    DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+    DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+    DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+    DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+    DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+    DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+    DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+    DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+    DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+    DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+    DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    VALID_TABS_TUPLE = [
       "overview",
       "actions",
       "requests",
@@ -40,12 +41,13 @@ var init_routes = __esm({
       "logs",
       "performance",
       "security"
-    ]);
+    ];
+    VALID_TABS = new Set(VALID_TABS_TUPLE);
   }
 });
 // src/constants/limits.ts
-var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS;
+var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS, MAX_JSON_BODY_BYTES, ANALYSIS_DEBOUNCE_MS, ISSUE_ID_HASH_LENGTH, ISSUES_DATA_VERSION, SENSITIVE_MASK_PLACEHOLDER, PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_API_LIMIT, MAX_OBJECT_SCAN_DEPTH, MAX_UNIQUE_ENDPOINTS, MAX_ACCUMULATOR_ENTRIES, ISSUE_PRUNE_TTL_MS;
 var init_limits = __esm({
   "src/constants/limits.ts"() {
     "use strict";
@@ -54,15 +56,31 @@ var init_limits = __esm({
     DEFAULT_API_LIMIT = 500;
     MAX_TELEMETRY_ENTRIES = 1e3;
     MAX_TAB_NAME_LENGTH = 32;
-    MAX_INGEST_BYTES = 10 * 1024 * 1024;
+    MAX_INGEST_BYTES = 10485760;
     TERMINAL_TRUNCATE_LENGTH = 80;
     SENSITIVE_MASK_MIN_LENGTH = 8;
     SENSITIVE_MASK_VISIBLE_CHARS = 4;
+    MAX_JSON_BODY_BYTES = 65536;
+    ANALYSIS_DEBOUNCE_MS = 300;
+    ISSUE_ID_HASH_LENGTH = 16;
+    ISSUES_DATA_VERSION = 2;
+    SENSITIVE_MASK_PLACEHOLDER = "****";
+    PROJECT_HASH_LENGTH = 8;
+    SECRET_SCAN_ARRAY_LIMIT = 5;
+    PII_SCAN_ARRAY_LIMIT = 10;
+    MIN_SECRET_VALUE_LENGTH = 8;
+    FULL_RECORD_MIN_FIELDS = 5;
+    LIST_PII_MIN_ITEMS = 2;
+    MAX_API_LIMIT = 500;
+    MAX_OBJECT_SCAN_DEPTH = 5;
+    MAX_UNIQUE_ENDPOINTS = 500;
+    MAX_ACCUMULATOR_ENTRIES = 1e3;
+    ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
   }
 });
 // src/constants/thresholds.ts
-var FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, SLOW_ENDPOINT_THRESHOLD_MS, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, RESOLVE_AFTER_ABSENCES, RESOLVED_INSIGHT_TTL_MS;
+var FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, SLOW_ENDPOINT_THRESHOLD_MS, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, CLEAN_HITS_FOR_RESOLUTION, STALE_ISSUE_TTL_MS;
 var init_thresholds = __esm({
   "src/constants/thresholds.ts"() {
     "use strict";
@@ -92,9 +110,9 @@ var init_thresholds = __esm({
     OVERFETCH_MANY_FIELDS = 12;
     OVERFETCH_UNWRAP_MIN_SIZE = 3;
     MAX_DUPLICATE_INSIGHTS = 3;
-    INSIGHT_WINDOW_PER_ENDPOINT = 2;
-    RESOLVE_AFTER_ABSENCES = 3;
-    RESOLVED_INSIGHT_TTL_MS = 18e5;
+    INSIGHT_WINDOW_PER_ENDPOINT = 20;
+    CLEAN_HITS_FOR_RESOLUTION = 5;
+    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
   }
 });
@@ -104,32 +122,24 @@ var init_transport = __esm({
   "src/constants/transport.ts"() {
     "use strict";
     SSE_HEARTBEAT_INTERVAL_MS = 3e4;
-    NOISE_HOSTS = [
-      "registry.npmjs.org",
-      "telemetry.nextjs.org",
-      "vitejs.dev"
-    ];
-    NOISE_PATH_PATTERNS = [
-      ".hot-update.",
-      "__webpack",
-      "__vite"
-    ];
+    NOISE_HOSTS = ["registry.npmjs.org", "telemetry.nextjs.org", "vitejs.dev"];
+    NOISE_PATH_PATTERNS = [".hot-update.", "__webpack", "__vite"];
   }
 });
 // src/constants/metrics.ts
-var METRICS_DIR, METRICS_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, PORT_FILE, FINDINGS_FILE, FINDINGS_FLUSH_INTERVAL_MS;
+var METRICS_DIR, METRICS_FILE, PORT_FILE, ISSUES_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, ISSUES_FLUSH_INTERVAL_MS;
 var init_metrics = __esm({
   "src/constants/metrics.ts"() {
     "use strict";
     METRICS_DIR = ".brakit";
-    METRICS_FILE = ".brakit/metrics.json";
+    METRICS_FILE = "metrics.json";
+    PORT_FILE = ".brakit/port";
+    ISSUES_FILE = "issues.json";
     METRICS_FLUSH_INTERVAL_MS = 3e4;
     METRICS_MAX_SESSIONS = 50;
     METRICS_MAX_DATA_POINTS = 200;
-    PORT_FILE = ".brakit/port";
-    FINDINGS_FILE = ".brakit/findings.json";
-    FINDINGS_FLUSH_INTERVAL_MS = 1e4;
+    ISSUES_FLUSH_INTERVAL_MS = 1e4;
   }
 });
@@ -150,38 +160,38 @@ var init_headers = __esm({
 });
 // src/constants/network.ts
-var LOCALHOST_IPS, LOCALHOST_HOSTNAMES, CLOUD_SIGNALS, MAX_HEALTH_ERRORS;
+var CLOUD_SIGNALS, MAX_HEALTH_ERRORS, RECOVERY_WINDOW_MS, LOCALHOST_IPS, LOCALHOST_HOSTNAMES, URL_PARSE_BASE, DIR_MODE_OWNER_ONLY, FILE_MODE_OWNER_ONLY;
 var init_network = __esm({
   "src/constants/network.ts"() {
     "use strict";
-    LOCALHOST_IPS = /* @__PURE__ */ new Set([
-      "127.0.0.1",
-      "::1",
-      "::ffff:127.0.0.1"
-    ]);
-    LOCALHOST_HOSTNAMES = /* @__PURE__ */ new Set([
-      "localhost",
-      "127.0.0.1",
-      "::1"
-    ]);
     CLOUD_SIGNALS = [
       "VERCEL",
       "VERCEL_ENV",
       "NETLIFY",
       "AWS_LAMBDA_FUNCTION_NAME",
       "AWS_EXECUTION_ENV",
+      "ECS_CONTAINER_METADATA_URI",
       "GOOGLE_CLOUD_PROJECT",
       "GCP_PROJECT",
+      "K_SERVICE",
       "AZURE_FUNCTIONS_ENVIRONMENT",
+      "WEBSITE_SITE_NAME",
       "FLY_APP_NAME",
       "RAILWAY_ENVIRONMENT",
       "RENDER",
-      "HEROKU",
+      "HEROKU_APP_NAME",
+      "DYNO",
+      "CF_INSTANCE_GUID",
       "CF_PAGES",
-      "KUBERNETES_SERVICE_HOST",
-      "ECS_CONTAINER_METADATA_URI"
+      "KUBERNETES_SERVICE_HOST"
     ];
     MAX_HEALTH_ERRORS = 10;
+    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+    LOCALHOST_IPS = /* @__PURE__ */ new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
+    LOCALHOST_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1"]);
+    URL_PARSE_BASE = "http://localhost";
+    DIR_MODE_OWNER_ONLY = 448;
+    FILE_MODE_OWNER_ONLY = 384;
   }
 });
@@ -204,7 +214,7 @@ var init_encoding = __esm({
 });
 // src/constants/severity.ts
-var SEVERITY_ICON, SEVERITY_CRITICAL, SEVERITY_WARNING, SEVERITY_INFO, SEVERITY_ICON_MAP;
+var SEVERITY_ICON;
 var init_severity = __esm({
   "src/constants/severity.ts"() {
     "use strict";
@@ -213,28 +223,36 @@ var init_severity = __esm({
       warning: "\u26A0",
       info: "\u2139"
     };
-    SEVERITY_CRITICAL = "critical";
-    SEVERITY_WARNING = "warning";
-    SEVERITY_INFO = "info";
-    SEVERITY_ICON_MAP = {
-      [SEVERITY_CRITICAL]: { icon: "\u2717", cls: "critical" },
-      [SEVERITY_WARNING]: { icon: "\u26A0", cls: "warning" },
-      [SEVERITY_INFO]: { icon: "\u2139", cls: "info" }
-    };
   }
 });
 // src/constants/telemetry.ts
-var POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS, POSTHOG_SPAWN_TIMEOUT_MS, SIGNAL_EXIT_SIGINT, SIGNAL_EXIT_SIGTERM;
+var POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS, SPEED_BUCKET_THRESHOLDS;
 var init_telemetry = __esm({
   "src/constants/telemetry.ts"() {
     "use strict";
     POSTHOG_HOST = "https://us.i.posthog.com";
     POSTHOG_CAPTURE_PATH = "/i/v0/e/";
     POSTHOG_REQUEST_TIMEOUT_MS = 3e3;
-    POSTHOG_SPAWN_TIMEOUT_MS = 5e3;
-    SIGNAL_EXIT_SIGINT = 130;
-    SIGNAL_EXIT_SIGTERM = 143;
+    SPEED_BUCKET_THRESHOLDS = [200, 500, 1e3, 2e3, 5e3];
+  }
+});
+// src/constants/lifecycle.ts
+var VALID_ISSUE_STATES, VALID_ISSUE_CATEGORIES, VALID_AI_FIX_STATUSES;
+var init_lifecycle = __esm({
+  "src/constants/lifecycle.ts"() {
+    "use strict";
+    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
+    VALID_ISSUE_CATEGORIES = /* @__PURE__ */ new Set(["security", "performance", "reliability"]);
+    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+  }
+});
+// src/constants/cli.ts
+var init_cli = __esm({
+  "src/constants/cli.ts"() {
+    "use strict";
   }
 });
@@ -253,6 +271,8 @@ var init_constants = __esm({
     init_encoding();
     init_severity();
     init_telemetry();
+    init_lifecycle();
+    init_cli();
   }
 });
@@ -419,11 +439,12 @@ function createCaptureError(emit) {
 }
 function setupErrorHook(emit) {
   const captureError = createCaptureError(emit);
-  process.on("uncaughtException", (err) => {
+  const brakitExceptionHandler = (err) => {
     captureError(err);
-    process.removeAllListeners("uncaughtException");
+    process.removeListener("uncaughtException", brakitExceptionHandler);
     throw err;
-  });
+  };
+  process.on("uncaughtException", brakitExceptionHandler);
   process.on("unhandledRejection", (reason) => {
     captureError(reason);
   });
@@ -610,7 +631,10 @@ var init_pg = __esm({
           const result = saved.apply(this, args);
           if (result && typeof result.then === "function") {
             return result.then((res) => {
-              emitQuery(res?.rowCount ?? void 0);
+              try {
+                emitQuery(res?.rowCount ?? void 0);
+              } catch {
+              }
               return res;
             });
           }
@@ -688,7 +712,10 @@ var init_mysql2 = __esm({
             const result = orig.apply(this, args);
             if (result && typeof result.then === "function") {
               return result.then((res) => {
-                emitQuery();
+                try {
+                  emitQuery();
+                } catch {
+                }
                 return res;
               });
             }
@@ -803,6 +830,43 @@ var init_adapters = __esm({
   }
 });
+// src/constants/http.ts
+var HTTP_OK, HTTP_NO_CONTENT, HTTP_BAD_REQUEST, HTTP_NOT_FOUND, HTTP_METHOD_NOT_ALLOWED, HTTP_PAYLOAD_TOO_LARGE, HTTP_INTERNAL_ERROR, SECURITY_HEADERS;
+var init_http = __esm({
+  "src/constants/http.ts"() {
+    "use strict";
+    HTTP_OK = 200;
+    HTTP_NO_CONTENT = 204;
+    HTTP_BAD_REQUEST = 400;
+    HTTP_NOT_FOUND = 404;
+    HTTP_METHOD_NOT_ALLOWED = 405;
+    HTTP_PAYLOAD_TOO_LARGE = 413;
+    HTTP_INTERNAL_ERROR = 500;
+    SECURITY_HEADERS = {
+      "x-content-type-options": "nosniff",
+      "x-frame-options": "DENY",
+      "referrer-policy": "no-referrer",
+      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src data:"
+    };
+  }
+});
+// src/utils/http-status.ts
+function isErrorStatus(code) {
+  return code >= 400;
+}
+function isServerError(code) {
+  return code >= 500;
+}
+function isRedirect(code) {
+  return code >= 300 && code < 400;
+}
+var init_http_status = __esm({
+  "src/utils/http-status.ts"() {
+    "use strict";
+  }
+});
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
@@ -871,7 +935,7 @@ function labelRequest(req) {
 function generateHumanLabel(req, category) {
   const effectivePath = getEffectivePath(req);
   const endpointName = getEndpointName(effectivePath);
-  const failed = req.statusCode >= 400;
+  const failed = isErrorStatus(req.statusCode);
   switch (category) {
     case "auth-handshake":
       return "Auth handshake";
@@ -966,6 +1030,7 @@ var init_label = __esm({
     "use strict";
     init_constants();
     init_categorize();
+    init_http_status();
   }
 });
@@ -1058,7 +1123,7 @@ function detectWarnings(requests) {
   for (const req of slowRequests) {
     warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
   }
-  const errors = requests.filter((r) => r.statusCode >= 500);
+  const errors = requests.filter((r) => isServerError(r.statusCode));
   for (const req of errors) {
     warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
   }
@@ -1070,6 +1135,7 @@ var init_transforms = __esm({
     init_constants();
     init_categorize();
     init_label();
+    init_http_status();
   }
 });
@@ -1123,7 +1189,7 @@ function buildFlow(rawRequests) {
     requests,
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
-    hasErrors: requests.some((r) => r.statusCode >= 400),
+    hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
     warnings: detectWarnings(rawRequests),
     sourcePage,
     redundancyPct
@@ -1177,6 +1243,7 @@ var init_group = __esm({
   "src/analysis/group.ts"() {
     "use strict";
     init_constants();
+    init_http_status();
     init_label();
     init_categorize();
     init_transforms();
@@ -1184,12 +1251,12 @@ var init_group = __esm({
 });
 // src/dashboard/api/shared.ts
-function maskSensitiveHeaders(headers) {
+function maskSensitiveHeaders(headers2) {
   const masked = {};
-  for (const [key, value] of Object.entries(headers)) {
+  for (const [key, value] of Object.entries(headers2)) {
     if (SENSITIVE_HEADER_NAMES.has(key.toLowerCase())) {
       const s = String(value);
-      masked[key] = s.length <= SENSITIVE_MASK_MIN_LENGTH ? "****" : s.slice(0, SENSITIVE_MASK_VISIBLE_CHARS) + "..." + s.slice(-SENSITIVE_MASK_VISIBLE_CHARS);
+      masked[key] = s.length <= SENSITIVE_MASK_MIN_LENGTH ? SENSITIVE_MASK_PLACEHOLDER : s.slice(0, SENSITIVE_MASK_VISIBLE_CHARS) + "..." + s.slice(-SENSITIVE_MASK_VISIBLE_CHARS);
     } else {
       masked[key] = value;
     }
@@ -1209,14 +1276,14 @@ function getCorsOrigin(req) {
 }
 function getJsonHeaders(req) {
   const corsOrigin = getCorsOrigin(req);
-  const headers = {
+  const headers2 = {
     "content-type": "application/json",
     "cache-control": "no-cache"
   };
   if (corsOrigin) {
-    headers["access-control-allow-origin"] = corsOrigin;
+    headers2["access-control-allow-origin"] = corsOrigin;
   }
-  return headers;
+  return headers2;
 }
 function sendJson(req, res, status, data) {
   res.writeHead(status, getJsonHeaders(req));
@@ -1224,23 +1291,58 @@ function sendJson(req, res, status, data) {
 }
 function requireGet(req, res) {
   if (req.method !== "GET") {
-    sendJson(req, res, 405, { error: "Method not allowed" });
+    sendJson(req, res, HTTP_METHOD_NOT_ALLOWED, { error: "Method not allowed" });
     return false;
   }
   return true;
 }
+function parseRequestUrl(req) {
+  return new URL(req.url ?? "/", URL_PARSE_BASE);
+}
+function readJsonBody(req, res, maxBytes = MAX_JSON_BODY_BYTES) {
+  return new Promise((resolve5) => {
+    const chunks = [];
+    let size = 0;
+    req.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > maxBytes) {
+        sendJson(req, res, HTTP_PAYLOAD_TOO_LARGE, { error: "Payload too large" });
+        req.destroy();
+        resolve5(null);
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      if (size > maxBytes) {
+        resolve5(null);
+        return;
+      }
+      try {
+        resolve5(JSON.parse(Buffer.concat(chunks).toString()));
+      } catch {
+        sendJson(req, res, HTTP_BAD_REQUEST, { error: "Invalid JSON body" });
+        resolve5(null);
+      }
+    });
+    req.on("error", () => {
+      resolve5(null);
+    });
+  });
+}
 function handleTelemetryGet(req, res, store) {
   if (!requireGet(req, res)) return;
-  const url = new URL(req.url ?? "/", "http://localhost");
+  const url = parseRequestUrl(req);
   const requestId = url.searchParams.get("requestId");
   const entries = requestId ? store.getByRequest(requestId) : [...store.getAll()];
-  sendJson(req, res, 200, { total: entries.length, entries: entries.reverse() });
+  sendJson(req, res, HTTP_OK, { total: entries.length, entries: entries.reverse() });
 }
 var init_shared2 = __esm({
   "src/dashboard/api/shared.ts"() {
     "use strict";
     init_constants();
     init_limits();
+    init_http();
   }
 });
@@ -1255,15 +1357,13 @@ function sanitizeRequest(r) {
 function createRequestsHandler(registry) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
-    const url = new URL(req.url ?? "/", "http://localhost");
+    const url = parseRequestUrl(req);
     const method = url.searchParams.get("method");
     const status = url.searchParams.get("status");
     const search = url.searchParams.get("search");
-    const limit = parseInt(
-      url.searchParams.get("limit") ?? String(DEFAULT_API_LIMIT),
-      10
-    );
-    const offset = parseInt(url.searchParams.get("offset") ?? "0", 10);
+    const rawLimit = parseInt(url.searchParams.get("limit") ?? String(DEFAULT_API_LIMIT), 10);
+    const limit = Math.min(Math.max(rawLimit || DEFAULT_API_LIMIT, 1), MAX_API_LIMIT);
+    const offset = Math.max(parseInt(url.searchParams.get("offset") ?? "0", 10) || 0, 0);
     let results = [...registry.get("request-store").getAll()].reverse();
     if (method) {
       results = results.filter((r) => r.method === method.toUpperCase());
@@ -1288,7 +1388,7 @@ function createRequestsHandler(registry) {
     const total = results.length;
     results = results.slice(offset, offset + limit);
     const sanitized = results.map(sanitizeRequest);
-    sendJson(req, res, 200, { total, requests: sanitized });
+    sendJson(req, res, HTTP_OK, { total, requests: sanitized });
   };
 }
 function createFlowsHandler(registry) {
@@ -1298,13 +1398,13 @@ function createFlowsHandler(registry) {
       ...flow,
       requests: flow.requests.map(sanitizeRequest)
     }));
-    sendJson(req, res, 200, { total: flows.length, flows });
+    sendJson(req, res, HTTP_OK, { total: flows.length, flows });
   };
 }
 function createClearHandler(registry) {
   return (req, res) => {
     if (req.method !== "POST") {
-      sendJson(req, res, 405, { error: "Method not allowed" });
+      sendJson(req, res, HTTP_METHOD_NOT_ALLOWED, { error: "Method not allowed" });
       return;
     }
     registry.get("request-store").clear();
@@ -1313,9 +1413,9 @@ function createClearHandler(registry) {
     registry.get("error-store").clear();
     registry.get("query-store").clear();
     registry.get("metrics-store").reset();
-    if (registry.has("finding-store")) registry.get("finding-store").clear();
+    if (registry.has("issue-store")) registry.get("issue-store").clear();
     registry.get("event-bus").emit("store:cleared", void 0);
-    sendJson(req, res, 200, { cleared: true });
+    sendJson(req, res, HTTP_OK, { cleared: true });
   };
 }
 function createFetchesHandler(registry) {
@@ -1335,10 +1435,174 @@ var init_handlers = __esm({
     "use strict";
     init_group();
     init_constants();
+    init_http();
     init_shared2();
   }
 });
+// src/utils/type-guards.ts
+function isString(val) {
+  return typeof val === "string";
+}
+function isNumber(val) {
+  return typeof val === "number" && !isNaN(val);
+}
+function isBoolean(val) {
+  return typeof val === "boolean";
+}
+function getErrorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return String(err);
+}
+function isValidIssueState(val) {
+  return typeof val === "string" && VALID_ISSUE_STATES.has(val);
+}
+function isValidIssueCategory(val) {
+  return typeof val === "string" && VALID_ISSUE_CATEGORIES.has(val);
+}
+function isValidAiFixStatus(val) {
+  return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
+}
+function validateIssuesData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+    return parsed;
+  }
+  return null;
+}
+function validateMetricsData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === 1 && Array.isArray(parsed.endpoints)) {
+    return parsed;
+  }
+  return null;
+}
+var init_type_guards = __esm({
+  "src/utils/type-guards.ts"() {
+    "use strict";
+    init_lifecycle();
+    init_limits();
+  }
+});
+// src/dashboard/api/sdk-event-parser.ts
+import { randomUUID as randomUUID3 } from "crypto";
+function str(val, fallback) {
+  return isString(val) ? val : fallback;
+}
+function strOrUndef(val) {
+  return isString(val) ? val : void 0;
+}
+function num(val, fallback) {
+  return isNumber(val) ? val : fallback;
+}
+function numOrUndef(val) {
+  return isNumber(val) ? val : void 0;
+}
+function headers(val) {
+  if (val && typeof val === "object" && !Array.isArray(val)) {
+    return val;
+  }
+  return {};
+}
+function parseQueryEvent(data, ts, parentRequestId) {
+  return {
+    driver: str(data.source, "sdk"),
+    source: strOrUndef(data.source),
+    sql: strOrUndef(data.sql),
+    model: strOrUndef(data.model),
+    operation: strOrUndef(data.operation),
+    normalizedOp: strOrUndef(data.normalizedOp) ?? strOrUndef(data.operation) ?? "OTHER",
+    table: str(data.table, ""),
+    durationMs: num(data.duration, num(data.durationMs, 0)),
+    rowCount: numOrUndef(data.rowCount),
+    parentRequestId,
+    timestamp: ts
+  };
+}
+function parseFetchEvent(data, ts, parentRequestId) {
+  return {
+    url: str(data.url, ""),
+    method: str(data.method, "GET"),
+    statusCode: num(data.statusCode, 0),
+    durationMs: num(data.duration, num(data.durationMs, 0)),
+    parentRequestId,
+    timestamp: ts
+  };
+}
+function parseLogEvent(data, ts, parentRequestId) {
+  return {
+    level: str(data.level, "log"),
+    message: str(data.message, ""),
+    parentRequestId,
+    timestamp: ts
+  };
+}
+function parseErrorEvent(data, ts, parentRequestId) {
+  return {
+    name: str(data.name, "Error"),
+    message: str(data.message, ""),
+    stack: str(data.stack, ""),
+    parentRequestId,
+    timestamp: ts
+  };
+}
+function parseAuthEvent(data, ts, parentRequestId) {
+  return {
+    level: "info",
+    message: `[auth] ${str(data.provider, "unknown")}: ${str(data.result, "check")}`,
+    parentRequestId,
+    timestamp: ts
+  };
+}
+function parseRequestEvent(data, ts) {
+  const url = str(data.url, "");
+  return {
+    id: str(data.id, randomUUID3()),
+    method: str(data.method, "GET"),
+    url,
+    path: url.split("?")[0],
+    headers: headers(data.headers),
+    requestBody: isString(data.requestBody) ? data.requestBody : null,
+    statusCode: num(data.statusCode, 200),
+    responseHeaders: headers(data.responseHeaders),
+    responseBody: isString(data.responseBody) ? data.responseBody : null,
+    startedAt: ts,
+    durationMs: num(data.durationMs, 0),
+    responseSize: num(data.responseSize, 0),
+    isStatic: isBoolean(data.isStatic) ? data.isStatic : false
+  };
+}
+function routeSDKEvent(event, stores) {
+  const ts = event.timestamp || Date.now();
+  const parentRequestId = event.requestId ?? null;
+  switch (event.type) {
+    case "db.query":
+      stores.addQuery(parseQueryEvent(event.data, ts, parentRequestId));
+      break;
+    case "fetch":
+      stores.addFetch(parseFetchEvent(event.data, ts, parentRequestId));
+      break;
+    case "log":
+      stores.addLog(parseLogEvent(event.data, ts, parentRequestId));
+      break;
+    case "error":
+      stores.addError(parseErrorEvent(event.data, ts, parentRequestId));
+      break;
+    case "auth.check":
+      stores.addLog(parseAuthEvent(event.data, ts, parentRequestId));
+      break;
+    case "request":
+      stores.addRequest(parseRequestEvent(event.data, ts));
+      break;
+  }
+}
+var init_sdk_event_parser = __esm({
+  "src/dashboard/api/sdk-event-parser.ts"() {
+    "use strict";
+    init_type_guards();
+  }
+});
 // src/dashboard/api/ingest.ts
 function isBrakitBatch(msg) {
   return typeof msg === "object" && msg !== null && "_brakit" in msg && msg._brakit === true && !("version" in msg);
@@ -1363,65 +1627,21 @@ function createIngestHandler(registry) {
         break;
     }
   };
-  const routeSDKEvent = (event) => {
-    const ts = event.timestamp || Date.now();
-    const parentRequestId = event.requestId ?? null;
-    switch (event.type) {
-      case "db.query":
-        registry.get("query-store").add({
-          driver: event.data.source ?? "sdk",
-          source: event.data.source ?? "sdk",
-          sql: event.data.sql,
-          model: event.data.model,
-          operation: event.data.operation,
-          normalizedOp: event.data.normalizedOp ?? event.data.operation ?? "OTHER",
-          table: event.data.table ?? "",
-          durationMs: event.data.duration ?? event.data.durationMs ?? 0,
-          rowCount: event.data.rowCount,
-          parentRequestId,
-          timestamp: ts
-        });
-        break;
-      case "fetch":
-        registry.get("fetch-store").add({
-          url: event.data.url ?? "",
-          method: event.data.method ?? "GET",
-          statusCode: event.data.statusCode ?? 0,
-          durationMs: event.data.duration ?? event.data.durationMs ?? 0,
-          parentRequestId,
-          timestamp: ts
-        });
-        break;
-      case "log":
-        registry.get("log-store").add({
-          level: event.data.level ?? "log",
-          message: event.data.message ?? "",
-          parentRequestId,
-          timestamp: ts
-        });
-        break;
-      case "error":
-        registry.get("error-store").add({
-          name: event.data.name ?? "Error",
-          message: event.data.message ?? "",
-          stack: event.data.stack ?? "",
-          parentRequestId,
-          timestamp: ts
-        });
-        break;
-      case "auth.check":
-        registry.get("log-store").add({
-          level: "info",
-          message: `[auth] ${event.data.provider ?? "unknown"}: ${event.data.result ?? "check"}`,
-          parentRequestId,
-          timestamp: ts
-        });
-        break;
-    }
+  const queryStore = registry.get("query-store");
+  const fetchStore = registry.get("fetch-store");
+  const logStore = registry.get("log-store");
+  const errorStore = registry.get("error-store");
+  const requestStore = registry.get("request-store");
+  const stores = {
+    addQuery: (data) => queryStore.add(data),
+    addFetch: (data) => fetchStore.add(data),
+    addLog: (data) => logStore.add(data),
+    addError: (data) => errorStore.add(data),
+    addRequest: (data) => requestStore.add(data)
   };
   return (req, res) => {
     if (req.method !== "POST") {
-      sendJson(req, res, 405, { error: "Method not allowed" });
+      sendJson(req, res, HTTP_METHOD_NOT_ALLOWED, { error: "Method not allowed" });
       return;
     }
     const chunks = [];
@@ -1429,7 +1649,7 @@ function createIngestHandler(registry) {
     req.on("data", (chunk) => {
       totalSize += chunk.length;
       if (totalSize > MAX_INGEST_BYTES) {
-        sendJson(req, res, 413, { error: "Payload too large" });
+        sendJson(req, res, HTTP_PAYLOAD_TOO_LARGE, { error: "Payload too large" });
         req.destroy();
         return;
       }
@@ -1441,9 +1661,9 @@ function createIngestHandler(registry) {
         const body = JSON.parse(Buffer.concat(chunks).toString());
         if (isSDKPayload(body)) {
           for (const event of body.events) {
-            routeSDKEvent(event);
+            routeSDKEvent(event, stores);
           }
-          res.writeHead(204);
+          res.writeHead(HTTP_NO_CONTENT);
           res.end();
           return;
         }
@@ -1451,13 +1671,19 @@ function createIngestHandler(registry) {
           for (const event of body.events) {
             routeEvent(event);
           }
-          res.writeHead(204);
+          res.writeHead(HTTP_NO_CONTENT);
           res.end();
           return;
         }
-        sendJson(req, res, 400, { error: "Invalid batch" });
+        sendJson(req, res, HTTP_BAD_REQUEST, { error: "Invalid batch" });
       } catch {
-        sendJson(req, res, 400, { error: "Invalid JSON" });
+        sendJson(req, res, HTTP_BAD_REQUEST, { error: "Invalid JSON" });
+      }
+    });
+    req.on("error", () => {
+      if (!res.headersSent) {
+        res.writeHead(HTTP_BAD_REQUEST);
+        res.end();
       }
     });
   };
@@ -1466,7 +1692,9 @@ var init_ingest = __esm({
   "src/dashboard/api/ingest.ts"() {
     "use strict";
     init_limits();
+    init_http();
     init_shared2();
+    init_sdk_event_parser();
   }
 });
@@ -1474,20 +1702,21 @@ var init_ingest = __esm({
 function createMetricsHandler(metricsStore) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
-    const url = new URL(req.url ?? "/", "http://localhost");
+    const url = parseRequestUrl(req);
     const endpoint = url.searchParams.get("endpoint");
     if (endpoint) {
       const ep = metricsStore.getEndpoint(endpoint);
-      sendJson(req, res, 200, { endpoints: ep ? [ep] : [] });
+      sendJson(req, res, HTTP_OK, { endpoints: ep ? [ep] : [] });
       return;
     }
-    sendJson(req, res, 200, { endpoints: metricsStore.getAll() });
+    sendJson(req, res, HTTP_OK, { endpoints: metricsStore.getAll() });
   };
 }
 var init_metrics2 = __esm({
   "src/dashboard/api/metrics.ts"() {
     "use strict";
     init_shared2();
+    init_http();
   }
 });
@@ -1505,15 +1734,34 @@ var init_metrics_live = __esm({
   }
 });
+// src/utils/log.ts
+function brakitWarn(message) {
+  process.stderr.write(`${PREFIX} ${message}
+`);
+}
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+var PREFIX;
+var init_log = __esm({
+  "src/utils/log.ts"() {
+    "use strict";
+    PREFIX = "[brakit]";
+  }
+});
 // src/dashboard/api/activity.ts
 function createActivityHandler(registry) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
     try {
-      const url = new URL(req.url ?? "/", "http://localhost");
+      const url = parseRequestUrl(req);
       const requestId = url.searchParams.get("requestId");
       if (!requestId) {
-        sendJson(req, res, 400, { error: "requestId parameter required" });
+        sendJson(req, res, HTTP_BAD_REQUEST, { error: "requestId parameter required" });
         return;
       }
       const fetches = registry.get("fetch-store").getByRequest(requestId);
@@ -1530,7 +1778,7 @@ function createActivityHandler(registry) {
       for (const q of queries)
         timeline.push({ type: "query", timestamp: q.timestamp, data: { ...q } });
       timeline.sort((a, b) => a.timestamp - b.timestamp);
-      sendJson(req, res, 200, {
+      sendJson(req, res, HTTP_OK, {
         requestId,
         total: timeline.length,
         timeline,
@@ -1542,9 +1790,9 @@ function createActivityHandler(registry) {
         }
       });
     } catch (err) {
-      console.error("[brakit] activity handler error:", err);
+      brakitDebug(`activity handler error: ${err}`);
       if (!res.headersSent) {
-        sendJson(req, res, 500, { error: "Internal error" });
+        sendJson(req, res, HTTP_INTERNAL_ERROR, { error: "Internal error" });
       }
     }
   };
@@ -1553,6 +1801,8 @@ var init_activity = __esm({
   "src/dashboard/api/activity.ts"() {
     "use strict";
     init_shared2();
+    init_http();
+    init_log();
   }
 });
@@ -1568,123 +1818,168 @@ var init_api = __esm({
   }
 });
-// src/dashboard/api/insights.ts
-function createInsightsHandler(engine) {
+// src/dashboard/api/issues.ts
+function createIssuesHandler(issueStore) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
-    sendJson(req, res, 200, { insights: engine.getStatefulInsights() });
-  };
-}
-function createSecurityHandler(engine) {
-  return (req, res) => {
-    if (!requireGet(req, res)) return;
-    sendJson(req, res, 200, { findings: engine.getStatefulFindings() });
+    const url = parseRequestUrl(req);
+    const stateParam = url.searchParams.get("state");
+    const categoryParam = url.searchParams.get("category");
+    let issues;
+    if (stateParam && isValidIssueState(stateParam)) {
+      issues = issueStore.getByState(stateParam);
+    } else if (categoryParam && isValidIssueCategory(categoryParam)) {
+      issues = issueStore.getByCategory(categoryParam);
+    } else {
+      issues = issueStore.getAll();
+    }
+    sendJson(req, res, HTTP_OK, { issues });
   };
 }
-var init_insights = __esm({
-  "src/dashboard/api/insights.ts"() {
-    "use strict";
-    init_shared2();
-  }
-});
-// src/dashboard/api/findings.ts
-function createFindingsHandler(findingStore) {
+function createFindingsHandler(issueStore) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
-    const url = new URL(req.url ?? "/", "http://localhost");
+    const url = parseRequestUrl(req);
     const stateParam = url.searchParams.get("state");
-    let findings;
-    if (stateParam && VALID_STATES.has(stateParam)) {
-      findings = findingStore.getByState(stateParam);
+    let issues;
+    if (stateParam && isValidIssueState(stateParam)) {
+      issues = issueStore.getByState(stateParam);
     } else {
-      findings = findingStore.getAll();
+      issues = issueStore.getAll();
     }
-    sendJson(req, res, 200, {
-      total: findings.length,
-      findings
+    sendJson(req, res, HTTP_OK, {
+      total: issues.length,
+      findings: issues
     });
   };
 }
-var VALID_STATES;
-var init_findings = __esm({
-  "src/dashboard/api/findings.ts"() {
+function createIssuesReportHandler(issueStore, eventBus) {
+  return async (req, res) => {
+    if (req.method !== "POST") {
+      sendJson(req, res, HTTP_METHOD_NOT_ALLOWED, { error: "Method not allowed" });
+      return;
+    }
+    const body = await readJsonBody(req, res);
+    if (!body) return;
+    const { findingId, status, notes } = body;
+    if (!findingId || typeof findingId !== "string") {
+      sendJson(req, res, HTTP_BAD_REQUEST, { error: "findingId is required" });
+      return;
+    }
+    if (!isValidAiFixStatus(status)) {
+      sendJson(req, res, HTTP_BAD_REQUEST, { error: "status must be 'fixed' or 'wont_fix'" });
+      return;
+    }
+    if (!notes || typeof notes !== "string") {
+      sendJson(req, res, HTTP_BAD_REQUEST, { error: "notes is required" });
+      return;
+    }
+    if (issueStore.reportFix(findingId, status, notes)) {
+      eventBus.emit("issues:changed", issueStore.getAll());
+      sendJson(req, res, HTTP_OK, { ok: true });
+      return;
+    }
+    sendJson(req, res, HTTP_NOT_FOUND, { error: "Finding not found" });
+  };
+}
+var init_issues = __esm({
+  "src/dashboard/api/issues.ts"() {
     "use strict";
     init_shared2();
-    VALID_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+    init_type_guards();
+    init_http();
   }
 });
-// src/core/disposable.ts
-var SubscriptionBag;
-var init_disposable = __esm({
-  "src/core/disposable.ts"() {
+// src/constants/events.ts
+var SSE_EVENT_FETCH, SSE_EVENT_LOG, SSE_EVENT_ERROR, SSE_EVENT_QUERY, SSE_EVENT_ISSUES;
+var init_events = __esm({
+  "src/constants/events.ts"() {
     "use strict";
-    SubscriptionBag = class {
-      items = [];
-      add(teardown) {
-        this.items.push(typeof teardown === "function" ? { dispose: teardown } : teardown);
-      }
-      dispose() {
-        for (const d of this.items) d.dispose();
-        this.items.length = 0;
-      }
-    };
+    SSE_EVENT_FETCH = "fetch";
+    SSE_EVENT_LOG = "log";
+    SSE_EVENT_ERROR = "error_event";
+    SSE_EVENT_QUERY = "query";
+    SSE_EVENT_ISSUES = "issues";
   }
 });
 // src/dashboard/sse.ts
 function createSSEHandler(registry) {
-  return (req, res) => {
-    res.writeHead(200, {
-      "content-type": "text/event-stream",
-      "cache-control": "no-cache",
-      connection: "keep-alive",
-      "access-control-allow-origin": "*"
-    });
-    res.write(":ok\n\n");
-    const writeEvent = (eventType, data) => {
-      if (res.destroyed) return;
-      if (eventType) {
-        res.write(`event: ${eventType}
+  const clients = /* @__PURE__ */ new Set();
+  function broadcast(eventType, data) {
+    if (clients.size === 0) return;
+    const frame = eventType ? `event: ${eventType}
 data: ${data}
-`);
-      } else {
-        res.write(`data: ${data}
+` : `data: ${data}
-`);
+`;
+    for (const client of clients) {
+      if (client.res.destroyed) {
+        clients.delete(client);
+        continue;
       }
+      try {
+        client.res.write(frame);
+      } catch {
+        clients.delete(client);
+      }
+    }
+  }
+  const bus = registry.get("event-bus");
+  bus.on("request:completed", (r) => broadcast(null, JSON.stringify(r)));
+  bus.on("telemetry:fetch", (e) => broadcast(SSE_EVENT_FETCH, JSON.stringify(e)));
+  bus.on("telemetry:log", (e) => broadcast(SSE_EVENT_LOG, JSON.stringify(e)));
+  bus.on("telemetry:error", (e) => broadcast(SSE_EVENT_ERROR, JSON.stringify(e)));
+  bus.on("telemetry:query", (e) => broadcast(SSE_EVENT_QUERY, JSON.stringify(e)));
+  bus.on("analysis:updated", ({ issues }) => {
+    broadcast(SSE_EVENT_ISSUES, JSON.stringify(issues));
+  });
+  bus.on("issues:changed", (issues) => {
+    broadcast(SSE_EVENT_ISSUES, JSON.stringify(issues));
+  });
+  return (req, res) => {
+    const headers2 = {
+      "content-type": "text/event-stream",
+      "cache-control": "no-cache",
+      connection: "keep-alive"
     };
-    const bus = registry.get("event-bus");
-    const subs = new SubscriptionBag();
-    subs.add(bus.on("request:completed", (r) => writeEvent(null, JSON.stringify(r))));
-    subs.add(bus.on("telemetry:fetch", (e) => writeEvent("fetch", JSON.stringify(e))));
-    subs.add(bus.on("telemetry:log", (e) => writeEvent("log", JSON.stringify(e))));
-    subs.add(bus.on("telemetry:error", (e) => writeEvent("error_event", JSON.stringify(e))));
-    subs.add(bus.on("telemetry:query", (e) => writeEvent("query", JSON.stringify(e))));
-    subs.add(bus.on("analysis:updated", ({ statefulInsights, statefulFindings }) => {
-      writeEvent("insights", JSON.stringify(statefulInsights));
-      writeEvent("security", JSON.stringify(statefulFindings));
-    }));
+    const corsOrigin = getCorsOrigin(req);
+    if (corsOrigin) {
+      headers2["access-control-allow-origin"] = corsOrigin;
+    }
+    res.writeHead(HTTP_OK, headers2);
+    res.write(":ok\n\n");
     const heartbeat = setInterval(() => {
       if (res.destroyed) {
         clearInterval(heartbeat);
+        clients.delete(client);
         return;
       }
-      res.write(":heartbeat\n\n");
+      try {
+        res.write(":heartbeat\n\n");
+      } catch {
+        clearInterval(heartbeat);
+        clients.delete(client);
+      }
     }, SSE_HEARTBEAT_INTERVAL_MS);
+    heartbeat.unref();
+    const client = { res, heartbeat };
+    clients.add(client);
     req.on("close", () => {
       clearInterval(heartbeat);
-      subs.dispose();
+      clients.delete(client);
     });
   };
 }
 var init_sse = __esm({
   "src/dashboard/sse.ts"() {
     "use strict";
-    init_disposable();
     init_constants();
+    init_http();
+    init_events();
+    init_shared2();
   }
 });
@@ -2203,6 +2498,13 @@ function getSecurityStyles() {
 .sec-item-resolved{color:var(--text-muted)}
 .sec-item-resolved .sec-item-desc{text-decoration:line-through;text-decoration-color:var(--text-muted)}
 .sec-resolved-item-icon{color:var(--green);font-size:12px;flex-shrink:0;margin-right:8px}
+/* AI status badges */
+.sec-ai-badge{font-size:10px;font-weight:600;padding:2px 8px;border-radius:8px;margin-left:8px;white-space:nowrap}
+.sec-ai-fixing{background:rgba(217,119,6,.1);color:var(--amber)}
+.sec-ai-wontfix{background:rgba(107,114,128,.1);color:var(--text-muted)}
+.sec-ai-verified{background:rgba(22,163,74,.1);color:var(--green)}
+.sec-ai-notes{font-size:11px;color:var(--text-muted);font-style:italic;margin-top:2px;padding-left:0}
 `;
 }
 var init_security = __esm({
@@ -2266,9 +2568,24 @@ var init_styles = __esm({
 });
 // src/utils/fs.ts
-import { access } from "fs/promises";
+import { access, readFile, writeFile } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { resolve, join } from "path";
+function getProjectDataDir(projectRoot) {
+  const absolute = resolve(projectRoot);
+  const hash = createHash("sha256").update(absolute).digest("hex").slice(0, PROJECT_HASH_LENGTH);
+  return join(homedir(), ".brakit", "projects", hash);
+}
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
 function ensureGitignore(dir, entry) {
   try {
     const gitignorePath = resolve(dir, "../.gitignore");
@@ -2279,31 +2596,30 @@ function ensureGitignore(dir, entry) {
     } else {
       writeFileSync(gitignorePath, entry + "\n");
     }
-  } catch {
-  }
-}
-var init_fs = __esm({
-  "src/utils/fs.ts"() {
-    "use strict";
+  } catch (err) {
+    brakitDebug(`ensureGitignore failed: ${getErrorMessage(err)}`);
   }
-});
-// src/utils/log.ts
-function brakitWarn(message) {
-  process.stderr.write(`${PREFIX} ${message}
-`);
 }
-function brakitDebug(message) {
-  if (process.env.DEBUG_BRAKIT) {
-    process.stderr.write(`${PREFIX}:debug ${message}
-`);
+async function ensureGitignoreAsync(dir, entry) {
+  try {
+    const gitignorePath = resolve(dir, "../.gitignore");
+    if (await fileExists(gitignorePath)) {
+      const content = await readFile(gitignorePath, "utf-8");
+      if (content.split("\n").some((l) => l.trim() === entry)) return;
+      await writeFile(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
+    } else {
+      await writeFile(gitignorePath, entry + "\n");
+    }
+  } catch (err) {
+    brakitDebug(`ensureGitignoreAsync failed: ${getErrorMessage(err)}`);
   }
 }
-var PREFIX;
-var init_log = __esm({
-  "src/utils/log.ts"() {
+var init_fs = __esm({
+  "src/utils/fs.ts"() {
     "use strict";
-    PREFIX = "[brakit]";
+    init_limits();
+    init_log();
+    init_type_guards();
   }
 });
@@ -2321,6 +2637,7 @@ var init_atomic_writer = __esm({
     "use strict";
     init_fs();
     init_log();
+    init_type_guards();
     AtomicWriter = class {
       constructor(opts) {
         this.opts = opts;
@@ -2335,7 +2652,7 @@ var init_atomic_writer = __esm({
           writeFileSync2(this.tmpPath, content);
           renameSync(this.tmpPath, this.opts.filePath);
         } catch (err) {
-          brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+          brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
         }
       }
       async writeAsync(content) {
@@ -2349,13 +2666,14 @@ var init_atomic_writer = __esm({
           await writeFile2(this.tmpPath, content);
           await rename(this.tmpPath, this.opts.filePath);
         } catch (err) {
-          brakitWarn(`failed to save ${this.opts.label}: ${err.message}`);
+          brakitWarn(`failed to save ${this.opts.label}: ${getErrorMessage(err)}`);
         } finally {
           this.writing = false;
           if (this.pendingContent !== null) {
             const next = this.pendingContent;
             this.pendingContent = null;
-            this.writeAsync(next);
+            this.writeAsync(next).catch(() => {
+            });
           }
         }
       }
@@ -2368,10 +2686,10 @@ var init_atomic_writer = __esm({
         }
       }
       async ensureDirAsync() {
-        if (!existsSync2(this.opts.dir)) {
+        if (!await fileExists(this.opts.dir)) {
           await mkdir(this.opts.dir, { recursive: true });
           if (this.opts.gitignoreEntry) {
-            ensureGitignore(this.opts.dir, this.opts.gitignoreEntry);
+            await ensureGitignoreAsync(this.opts.dir, this.opts.gitignoreEntry);
           }
         }
       }
@@ -2379,50 +2697,57 @@ var init_atomic_writer = __esm({
   }
 });
-// src/store/finding-id.ts
-import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, 16);
+// src/utils/issue-id.ts
+import { createHash as createHash2 } from "crypto";
+function computeIssueId(issue) {
+  const stableDesc = issue.desc.replace(/\d[\d,.]*\s*\w*/g, "#");
+  const key = `${issue.rule}:${issue.endpoint ?? "global"}:${stableDesc}`;
+  return createHash2("sha256").update(key).digest("hex").slice(0, ISSUE_ID_HASH_LENGTH);
 }
-var init_finding_id = __esm({
-  "src/store/finding-id.ts"() {
+var init_issue_id = __esm({
+  "src/utils/issue-id.ts"() {
     "use strict";
+    init_limits();
   }
 });
-// src/store/finding-store.ts
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+// src/store/issue-store.ts
+import { readFile as readFile2 } from "fs/promises";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync } from "fs";
 import { resolve as resolve2 } from "path";
-var FindingStore;
-var init_finding_store = __esm({
-  "src/store/finding-store.ts"() {
+var IssueStore;
+var init_issue_store = __esm({
+  "src/store/issue-store.ts"() {
     "use strict";
-    init_constants();
+    init_fs();
+    init_metrics();
+    init_limits();
+    init_thresholds();
+    init_limits();
     init_atomic_writer();
-    init_finding_id();
-    FindingStore = class {
-      constructor(rootDir) {
-        this.rootDir = rootDir;
-        const metricsDir = resolve2(rootDir, METRICS_DIR);
-        this.findingsPath = resolve2(rootDir, FINDINGS_FILE);
+    init_log();
+    init_type_guards();
+    init_issue_id();
+    IssueStore = class {
+      constructor(dataDir) {
+        this.dataDir = dataDir;
+        this.issuesPath = resolve2(dataDir, ISSUES_FILE);
         this.writer = new AtomicWriter({
-          dir: metricsDir,
-          filePath: this.findingsPath,
-          gitignoreEntry: METRICS_DIR,
-          label: "findings"
+          dir: dataDir,
+          filePath: this.issuesPath,
+          label: "issues"
         });
-        this.load();
       }
-      findings = /* @__PURE__ */ new Map();
+      issues = /* @__PURE__ */ new Map();
       flushTimer = null;
       dirty = false;
       writer;
-      findingsPath;
+      issuesPath;
       start() {
+        this.loadAsync().catch((err) => brakitDebug(`IssueStore: async load failed: ${err}`));
         this.flushTimer = setInterval(
           () => this.flush(),
-          FINDINGS_FLUSH_INTERVAL_MS
+          ISSUES_FLUSH_INTERVAL_MS
         );
         this.flushTimer.unref();
       }
@@ -2433,91 +2758,150 @@ var init_finding_store = __esm({
         }
         this.flushSync();
       }
-      upsert(finding, source) {
-        const id = computeFindingId(finding);
-        const existing = this.findings.get(id);
+      upsert(issue, source) {
+        const id = computeIssueId(issue);
+        const existing = this.issues.get(id);
         const now = Date.now();
         if (existing) {
           existing.lastSeenAt = now;
           existing.occurrences++;
-          existing.finding = finding;
-          if (existing.state === "resolved") {
-            existing.state = "open";
+          existing.issue = issue;
+          existing.cleanHitsSinceLastSeen = 0;
+          if (existing.state === "resolved" || existing.state === "stale") {
+            existing.state = "regressed";
             existing.resolvedAt = null;
           }
           this.dirty = true;
           return existing;
         }
         const stateful = {
-          findingId: id,
+          issueId: id,
           state: "open",
           source,
-          finding,
+          category: issue.category,
+          issue,
           firstSeenAt: now,
           lastSeenAt: now,
           resolvedAt: null,
-          occurrences: 1
+          occurrences: 1,
+          cleanHitsSinceLastSeen: 0,
+          aiStatus: null,
+          aiNotes: null
         };
-        this.findings.set(id, stateful);
+        this.issues.set(id, stateful);
         this.dirty = true;
         return stateful;
       }
-      transition(findingId, state) {
-        const finding = this.findings.get(findingId);
-        if (!finding) return false;
-        finding.state = state;
-        if (state === "resolved") {
-          finding.resolvedAt = Date.now();
-        }
-        this.dirty = true;
-        return true;
-      }
       /**
-       * Reconcile passive findings against the current analysis results.
+       * Reconcile issues against the current analysis results using evidence-based resolution.
        *
-       * Passive findings are detected by continuous scanning (not user-triggered).
-       * When a previously-seen finding is absent from the current results, it means
-       * the issue has been fixed — transition it to "resolved" automatically.
-       * Active findings (from MCP verify-fix) are not auto-resolved because they
-       * require explicit verification.
+       * @param currentIssueIds - IDs of issues detected in the current analysis cycle
+       * @param activeEndpoints - Endpoints that had requests in the current cycle
        */
-      reconcilePassive(currentFindings) {
-        const currentIds = new Set(currentFindings.map(computeFindingId));
-        for (const [id, stateful] of this.findings) {
-          if (stateful.source === "passive" && stateful.state === "open" && !currentIds.has(id)) {
-            stateful.state = "resolved";
-            stateful.resolvedAt = Date.now();
+      reconcile(currentIssueIds, activeEndpoints) {
+        const now = Date.now();
+        for (const [, stateful] of this.issues) {
+          const isActive = stateful.state === "open" || stateful.state === "fixing" || stateful.state === "regressed";
+          if (!isActive) continue;
+          if (currentIssueIds.has(stateful.issueId)) continue;
+          const endpoint = stateful.issue.endpoint;
+          if (endpoint && activeEndpoints.has(endpoint)) {
+            stateful.cleanHitsSinceLastSeen++;
+            if (stateful.cleanHitsSinceLastSeen >= CLEAN_HITS_FOR_RESOLUTION) {
+              stateful.state = "resolved";
+              stateful.resolvedAt = now;
+            }
+            this.dirty = true;
+          } else if (now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS) {
+            stateful.state = "stale";
+            this.dirty = true;
+          }
+        }
+        for (const [id, stateful] of this.issues) {
+          if (stateful.state === "resolved" && stateful.resolvedAt && now - stateful.resolvedAt > ISSUE_PRUNE_TTL_MS) {
+            this.issues.delete(id);
+            this.dirty = true;
+          } else if (stateful.state === "stale" && now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS + ISSUE_PRUNE_TTL_MS) {
+            this.issues.delete(id);
             this.dirty = true;
           }
         }
       }
+      transition(issueId, state) {
+        const issue = this.issues.get(issueId);
+        if (!issue) return false;
+        issue.state = state;
+        if (state === "resolved") {
+          issue.resolvedAt = Date.now();
+        }
+        this.dirty = true;
+        return true;
+      }
+      reportFix(issueId, status, notes) {
+        const issue = this.issues.get(issueId);
+        if (!issue) return false;
+        issue.aiStatus = status;
+        issue.aiNotes = notes;
+        if (status === "fixed") {
+          issue.state = "fixing";
+        }
+        this.dirty = true;
+        return true;
+      }
       getAll() {
-        return [...this.findings.values()];
+        return [...this.issues.values()];
       }
       getByState(state) {
-        return [...this.findings.values()].filter((f) => f.state === state);
+        return [...this.issues.values()].filter((i) => i.state === state);
       }
-      get(findingId) {
-        return this.findings.get(findingId);
+      getByCategory(category) {
+        return [...this.issues.values()].filter((i) => i.category === category);
       }
-      clear() {
-        this.findings.clear();
-        this.dirty = true;
+      get(issueId) {
+        return this.issues.get(issueId);
       }
-      load() {
+      clear() {
+        this.issues.clear();
+        this.dirty = false;
         try {
-          if (existsSync3(this.findingsPath)) {
-            const raw = readFileSync2(this.findingsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === 1 && Array.isArray(parsed.findings)) {
-              for (const f of parsed.findings) {
-                this.findings.set(f.findingId, f);
-              }
-            }
+          if (existsSync3(this.issuesPath)) {
+            unlinkSync(this.issuesPath);
           }
         } catch {
         }
       }
+      isDirty() {
+        return this.dirty;
+      }
+      async loadAsync() {
+        try {
+          if (await fileExists(this.issuesPath)) {
+            const raw = await readFile2(this.issuesPath, "utf-8");
+            this.hydrate(raw);
+          }
+        } catch (err) {
+          brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+        }
+      }
+      /** Sync load for tests only — not used in production paths. */
+      loadSync() {
+        try {
+          if (existsSync3(this.issuesPath)) {
+            const raw = readFileSync2(this.issuesPath, "utf-8");
+            this.hydrate(raw);
+          }
+        } catch (err) {
+          brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+        }
+      }
+      /** Parse and populate issues from a raw JSON string. */
+      hydrate(raw) {
+        const validated = validateIssuesData(JSON.parse(raw));
+        if (!validated) return;
+        for (const issue of validated.issues) {
+          this.issues.set(issue.issueId, issue);
+        }
+      }
       flush() {
         if (!this.dirty) return;
         this.writer.writeAsync(this.serialize());
@@ -2530,8 +2914,8 @@ var init_finding_store = __esm({
       }
       serialize() {
         const data = {
-          version: 1,
-          findings: [...this.findings.values()]
+          version: ISSUES_DATA_VERSION,
+          issues: [...this.issues.values()]
         };
         return JSON.stringify(data);
       }
@@ -2540,9 +2924,9 @@ var init_finding_store = __esm({
 });
 // src/detect/project.ts
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join } from "path";
+import { join as join2, relative } from "path";
 function detectFrameworkFromDeps(allDeps) {
   for (const f of FRAMEWORKS) {
     if (allDeps[f.dep]) return f.name;
@@ -2550,10 +2934,10 @@ function detectFrameworkFromDeps(allDeps) {
   return "unknown";
 }
 function detectPackageManagerSync(rootDir) {
-  if (existsSync4(join(rootDir, "bun.lockb")) || existsSync4(join(rootDir, "bun.lock"))) return "bun";
-  if (existsSync4(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync4(join(rootDir, "yarn.lock"))) return "yarn";
-  if (existsSync4(join(rootDir, "package-lock.json"))) return "npm";
+  if (existsSync4(join2(rootDir, "bun.lockb")) || existsSync4(join2(rootDir, "bun.lock"))) return "bun";
+  if (existsSync4(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync4(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (existsSync4(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 var FRAMEWORKS;
@@ -2571,6 +2955,44 @@ var init_project = __esm({
   }
 });
+// src/utils/response.ts
+function tryParseJson(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
+}
+var init_response = __esm({
+  "src/utils/response.ts"() {
+    "use strict";
+    init_thresholds();
+  }
+});
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS, TOKEN_PARAMS, SAFE_PARAMS, STACK_TRACE_RE, DB_CONN_RE, SQL_FRAGMENT_RE, SECRET_VAL_RE, LOG_SECRET_RE, MASKED_RE, EMAIL_RE, INTERNAL_ID_KEYS, INTERNAL_ID_SUFFIX, SELECT_STAR_RE, SELECT_DOT_STAR_RE, RULE_HINTS;
 var init_patterns = __esm({
@@ -2579,11 +3001,11 @@ var init_patterns = __esm({
     SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
     TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
     SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
-    STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections/;
+    STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
     DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
     SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
-    SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/;
-    LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-\.+\/]{8,}/i;
+    SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
+    LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
     MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
     EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
     INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
@@ -2595,39 +3017,32 @@ var init_patterns = __esm({
       "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
       "stack-trace-leak": "Use a custom error handler that returns generic messages in production.",
       "error-info-leak": "Sanitize error responses. Return generic messages instead of internal details.",
+      "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
       "sensitive-logs": "Redact PII before logging. Never log passwords or tokens.",
       "cors-credentials": "Cannot use credentials:true with origin:*. Specify explicit origins.",
-      "insecure-cookie": "Set HttpOnly and SameSite flags on all cookies.",
       "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
     };
   }
 });
 // src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findSecretKeys(obj, prefix) {
+function findSecretKeys(obj, prefix, depth = 0) {
   const found = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
   if (!obj || typeof obj !== "object") return found;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
+    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
+      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
     }
     return found;
   }
   for (const k of Object.keys(obj)) {
     const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
       found.push(k);
     }
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
+      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
     }
   }
   return found;
@@ -2637,6 +3052,8 @@ var init_exposed_secret = __esm({
   "src/analysis/rules/exposed-secret.ts"() {
     "use strict";
     init_patterns();
+    init_limits();
+    init_http_status();
     exposedSecretRule = {
       id: "exposed-secret",
       severity: "critical",
@@ -2646,8 +3063,8 @@ var init_exposed_secret = __esm({
         const findings = [];
         const seen = /* @__PURE__ */ new Map();
         for (const r of ctx.requests) {
-          if (r.statusCode >= 400) continue;
-          const parsed = tryParseJson(r.responseBody);
+          if (isErrorStatus(r.statusCode)) continue;
+          const parsed = ctx.parsedBodies.response.get(r.id);
           if (!parsed) continue;
           const keys = findSecretKeys(parsed, "");
           if (keys.length === 0) continue;
@@ -2823,7 +3240,7 @@ var init_error_info_leak = __esm({
 // src/analysis/rules/insecure-cookie.ts
 function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (isRedirect(r.statusCode)) return true;
   if (r.path?.startsWith("/__")) return true;
   if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
   return false;
@@ -2833,6 +3250,7 @@ var init_insecure_cookie = __esm({
   "src/analysis/rules/insecure-cookie.ts"() {
     "use strict";
     init_patterns();
+    init_http_status();
     insecureCookieRule = {
       id: "insecure-cookie",
       severity: "warning",
@@ -2927,74 +3345,37 @@ var init_cors_credentials = __esm({
         const findings = [];
         const seen = /* @__PURE__ */ new Set();
         for (const r of ctx.requests) {
-          if (!r.responseHeaders) continue;
-          const origin = r.responseHeaders["access-control-allow-origin"];
-          const creds = r.responseHeaders["access-control-allow-credentials"];
-          if (origin !== "*" || creds !== "true") continue;
-          const ep = `${r.method} ${r.path}`;
-          if (seen.has(ep)) continue;
-          seen.add(ep);
-          findings.push({
-            severity: "warning",
-            rule: "cors-credentials",
-            title: "CORS Credentials with Wildcard",
-            desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-            hint: this.hint,
-            endpoint: ep,
-            count: 1
-          });
-        }
-        return findings;
-      }
-    };
-  }
-});
-// src/utils/response.ts
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
+          if (!r.responseHeaders) continue;
+          const origin = r.responseHeaders["access-control-allow-origin"];
+          const creds = r.responseHeaders["access-control-allow-credentials"];
+          if (origin !== "*" || creds !== "true") continue;
+          const ep = `${r.method} ${r.path}`;
+          if (seen.has(ep)) continue;
+          seen.add(ep);
+          findings.push({
+            severity: "warning",
+            rule: "cors-credentials",
+            title: "CORS Credentials with Wildcard",
+            desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
+            hint: this.hint,
+            endpoint: ep,
+            count: 1
+          });
+        }
+        return findings;
       }
-    }
-  }
-  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
-}
-var init_response = __esm({
-  "src/utils/response.ts"() {
-    "use strict";
-    init_thresholds();
+    };
   }
 });
 // src/analysis/rules/response-pii-leak.ts
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findEmails(obj) {
+function findEmails(obj, depth = 0) {
   const emails = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
   if (!obj || typeof obj !== "object") return emails;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
+    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
+      emails.push(...findEmails(obj[i], depth + 1));
     }
     return emails;
   }
@@ -3002,7 +3383,7 @@ function findEmails(obj) {
     if (typeof v === "string" && EMAIL_RE.test(v)) {
       emails.push(v);
     } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
+      emails.push(...findEmails(v, depth + 1));
     }
   }
   return emails;
@@ -3021,57 +3402,56 @@ function hasInternalIds(obj) {
   }
   return false;
 }
-function detectPII(method, reqBody, resBody) {
-  const target = unwrapResponse(resBody);
-  if (WRITE_METHODS.has(method) && reqBody && typeof reqBody === "object") {
-    const reqEmails = findEmails(reqBody);
-    if (reqEmails.length > 0) {
-      const resEmails = findEmails(target);
-      const echoed = reqEmails.filter((e) => resEmails.includes(e));
-      if (echoed.length > 0) {
-        const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
-        if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
-          return { reason: "echo", emailCount: echoed.length };
-        }
-      }
-    }
+function detectEchoPII(method, reqBody, target) {
+  if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
+  const reqEmails = findEmails(reqBody);
+  if (reqEmails.length === 0) return null;
+  const resEmails = findEmails(target);
+  const echoed = reqEmails.filter((e) => resEmails.includes(e));
+  if (echoed.length === 0) return null;
+  const inspectObj = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (hasInternalIds(inspectObj) || topLevelFieldCount(inspectObj) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "echo", emailCount: echoed.length };
   }
-  if (target && typeof target === "object" && !Array.isArray(target)) {
-    const fields = topLevelFieldCount(target);
-    if (fields >= FULL_RECORD_MIN_FIELDS && hasInternalIds(target)) {
-      const emails = findEmails(target);
-      if (emails.length > 0) {
-        return { reason: "full-record", emailCount: emails.length };
-      }
+  return null;
+}
+function detectFullRecordPII(target) {
+  if (!target || typeof target !== "object" || Array.isArray(target)) return null;
+  const fields = topLevelFieldCount(target);
+  if (fields < FULL_RECORD_MIN_FIELDS || !hasInternalIds(target)) return null;
+  const emails = findEmails(target);
+  if (emails.length === 0) return null;
+  return { reason: "full-record", emailCount: emails.length };
+}
+function detectListPII(target) {
+  if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
+  let itemsWithEmail = 0;
+  for (let i = 0; i < Math.min(target.length, PII_SCAN_ARRAY_LIMIT); i++) {
+    const item = target[i];
+    if (item && typeof item === "object" && findEmails(item).length > 0) {
+      itemsWithEmail++;
     }
   }
-  if (Array.isArray(target) && target.length >= LIST_PII_MIN_ITEMS) {
-    let itemsWithEmail = 0;
-    for (let i = 0; i < Math.min(target.length, 10); i++) {
-      const item = target[i];
-      if (item && typeof item === "object") {
-        const emails = findEmails(item);
-        if (emails.length > 0) itemsWithEmail++;
-      }
-    }
-    if (itemsWithEmail >= LIST_PII_MIN_ITEMS) {
-      const first = target[0];
-      if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
-        return { reason: "list-pii", emailCount: itemsWithEmail };
-      }
-    }
+  if (itemsWithEmail < LIST_PII_MIN_ITEMS) return null;
+  const first = target[0];
+  if (hasInternalIds(first) || topLevelFieldCount(first) >= FULL_RECORD_MIN_FIELDS) {
+    return { reason: "list-pii", emailCount: itemsWithEmail };
   }
   return null;
 }
-var WRITE_METHODS, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, REASON_LABELS, responsePiiLeakRule;
+function detectPII(method, reqBody, resBody) {
+  const target = unwrapResponse(resBody);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+}
+var WRITE_METHODS, REASON_LABELS, responsePiiLeakRule;
 var init_response_pii_leak = __esm({
   "src/analysis/rules/response-pii-leak.ts"() {
     "use strict";
     init_patterns();
     init_response();
+    init_limits();
+    init_http_status();
     WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-    FULL_RECORD_MIN_FIELDS = 5;
-    LIST_PII_MIN_ITEMS = 2;
     REASON_LABELS = {
       echo: "echoes back PII from the request body",
       "full-record": "returns a full record with email and internal IDs",
@@ -3086,10 +3466,10 @@ var init_response_pii_leak = __esm({
         const findings = [];
         const seen = /* @__PURE__ */ new Map();
         for (const r of ctx.requests) {
-          if (r.statusCode >= 400) continue;
-          const resJson = tryParseJson2(r.responseBody);
+          if (isErrorStatus(r.statusCode)) continue;
+          const resJson = ctx.parsedBodies.response.get(r.id);
           if (!resJson) continue;
-          const reqJson = tryParseJson2(r.requestBody);
+          const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
           const detection = detectPII(r.method, reqJson, resJson);
           if (!detection) continue;
           const ep = `${r.method} ${r.path}`;
@@ -3118,6 +3498,21 @@ var init_response_pii_leak = __esm({
 });
 // src/analysis/rules/scanner.ts
+function buildBodyCache(requests) {
+  const response = /* @__PURE__ */ new Map();
+  const request = /* @__PURE__ */ new Map();
+  for (const r of requests) {
+    if (r.responseBody) {
+      const parsed = tryParseJson(r.responseBody);
+      if (parsed != null) response.set(r.id, parsed);
+    }
+    if (r.requestBody) {
+      const parsed = tryParseJson(r.requestBody);
+      if (parsed != null) request.set(r.id, parsed);
+    }
+  }
+  return { response, request };
+}
 function createDefaultScanner() {
   const scanner = new SecurityScanner();
   scanner.register(exposedSecretRule);
@@ -3134,6 +3529,7 @@ var SecurityScanner;
 var init_scanner = __esm({
   "src/analysis/rules/scanner.ts"() {
     "use strict";
+    init_response();
     init_exposed_secret();
     init_token_in_url();
     init_stack_trace_leak();
@@ -3147,7 +3543,11 @@ var init_scanner = __esm({
       register(rule) {
         this.rules.push(rule);
       }
-      scan(ctx) {
+      scan(input) {
+        const ctx = {
+          ...input,
+          parsedBodies: buildBodyCache(input.requests)
+        };
         const findings = [];
         for (const rule of this.rules) {
           try {
@@ -3180,6 +3580,24 @@ var init_rules = __esm({
   }
 });
+// src/core/disposable.ts
+var SubscriptionBag;
+var init_disposable = __esm({
+  "src/core/disposable.ts"() {
+    "use strict";
+    SubscriptionBag = class {
+      items = [];
+      add(teardown) {
+        this.items.push(typeof teardown === "function" ? { dispose: teardown } : teardown);
+      }
+      dispose() {
+        for (const d of this.items) d.dispose();
+        this.items.length = 0;
+      }
+    };
+  }
+});
 // src/utils/collections.ts
 function groupBy(items, keyFn) {
   const map = /* @__PURE__ */ new Map();
@@ -3202,16 +3620,22 @@ var init_collections = __esm({
 });
 // src/utils/endpoint.ts
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
+}
 function getEndpointKey(method, path) {
-  return `${method} ${path}`;
+  return `${method} ${normalizePath(path)}`;
 }
 function extractEndpointFromDesc(desc) {
   return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
 }
-var ENDPOINT_PREFIX_RE;
+var DYNAMIC_SEGMENT_RE, ENDPOINT_PREFIX_RE;
 var init_endpoint = __esm({
   "src/utils/endpoint.ts"() {
     "use strict";
+    DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
     ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
   }
 });
@@ -3265,6 +3689,15 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function extractActiveEndpoints(requests) {
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const r of requests) {
+    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
+      endpoints.add(getEndpointKey(r.method, r.path));
+    }
+  }
+  return endpoints;
+}
 function prepareContext(ctx) {
   const nonStatic = ctx.requests.filter(
     (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
@@ -3282,7 +3715,7 @@ function prepareContext(ctx) {
       endpointGroups.set(ep, g);
     }
     g.total++;
-    if (r.statusCode >= 400) g.errors++;
+    if (isErrorStatus(r.statusCode)) g.errors++;
     g.totalDuration += r.durationMs;
     g.totalSize += r.responseSize ?? 0;
     const reqQueries = queriesByReq.get(r.id) ?? [];
@@ -3319,6 +3752,7 @@ var init_prepare = __esm({
     init_collections();
     init_endpoint();
     init_constants();
+    init_http_status();
     init_thresholds();
     init_query_helpers();
   }
@@ -3803,6 +4237,7 @@ var init_response_overfetch = __esm({
     "use strict";
     init_endpoint();
     init_response();
+    init_http_status();
     init_patterns();
     init_constants();
     responseOverfetchRule = {
@@ -3811,7 +4246,7 @@ var init_response_overfetch = __esm({
         const insights = [];
         const seen = /* @__PURE__ */ new Set();
         for (const r of ctx.nonStatic) {
-          if (r.statusCode >= 400 || !r.responseBody) continue;
+          if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
           const ep = getEndpointKey(r.method, r.path);
           if (seen.has(ep)) continue;
           let parsed;
@@ -3999,7 +4434,7 @@ function createDefaultInsightRunner() {
 function computeInsights(ctx) {
   return createDefaultInsightRunner().run(ctx);
 }
-var init_insights2 = __esm({
+var init_insights = __esm({
   "src/analysis/insights/index.ts"() {
     "use strict";
     init_runner();
@@ -4009,73 +4444,48 @@ var init_insights2 = __esm({
 });
 // src/analysis/insights.ts
-var init_insights3 = __esm({
+var init_insights2 = __esm({
   "src/analysis/insights.ts"() {
     "use strict";
-    init_insights2();
+    init_insights();
   }
 });
-// src/analysis/insight-tracker.ts
-function computeInsightKey(insight) {
-  const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
-  return `${insight.type}:${identifier}`;
+// src/analysis/issue-mappers.ts
+function categorizeInsight(type) {
+  if (type === "security") return "security";
+  if (type === "error" || type === "error-hotspot") return "reliability";
+  return "performance";
 }
-var InsightTracker;
-var init_insight_tracker = __esm({
-  "src/analysis/insight-tracker.ts"() {
+function insightToIssue(insight) {
+  return {
+    category: categorizeInsight(insight.type),
+    rule: insight.type,
+    severity: insight.severity,
+    title: insight.title,
+    desc: insight.desc,
+    hint: insight.hint,
+    detail: insight.detail,
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
+    nav: insight.nav
+  };
+}
+function securityFindingToIssue(finding) {
+  return {
+    category: "security",
+    rule: finding.rule,
+    severity: finding.severity,
+    title: finding.title,
+    desc: finding.desc,
+    hint: finding.hint,
+    endpoint: finding.endpoint,
+    nav: "security"
+  };
+}
+var init_issue_mappers = __esm({
+  "src/analysis/issue-mappers.ts"() {
     "use strict";
     init_endpoint();
-    init_thresholds();
-    InsightTracker = class {
-      tracked = /* @__PURE__ */ new Map();
-      reconcile(current) {
-        const currentKeys = /* @__PURE__ */ new Set();
-        const now = Date.now();
-        for (const insight of current) {
-          const key = computeInsightKey(insight);
-          currentKeys.add(key);
-          const existing = this.tracked.get(key);
-          if (existing) {
-            existing.insight = insight;
-            existing.lastSeenAt = now;
-            existing.consecutiveAbsences = 0;
-            if (existing.state === "resolved") {
-              existing.state = "open";
-              existing.resolvedAt = null;
-            }
-          } else {
-            this.tracked.set(key, {
-              key,
-              state: "open",
-              insight,
-              firstSeenAt: now,
-              lastSeenAt: now,
-              resolvedAt: null,
-              consecutiveAbsences: 0
-            });
-          }
-        }
-        for (const [key, stateful] of this.tracked) {
-          if (stateful.state === "open" && !currentKeys.has(stateful.key)) {
-            stateful.consecutiveAbsences++;
-            if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
-              stateful.state = "resolved";
-              stateful.resolvedAt = now;
-            }
-          } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
-            this.tracked.delete(key);
-          }
-        }
-        return [...this.tracked.values()];
-      }
-      getAll() {
-        return [...this.tracked.values()];
-      }
-      clear() {
-        this.tracked.clear();
-      }
-    };
   }
 });
@@ -4084,22 +4494,23 @@ var AnalysisEngine;
 var init_engine = __esm({
   "src/analysis/engine.ts"() {
     "use strict";
+    init_limits();
     init_disposable();
     init_group();
     init_rules();
-    init_insights3();
-    init_insight_tracker();
+    init_insights2();
+    init_issue_mappers();
+    init_issue_id();
+    init_prepare();
     AnalysisEngine = class {
-      constructor(registry, debounceMs = 300) {
+      constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
         this.registry = registry;
         this.debounceMs = debounceMs;
         this.scanner = createDefaultScanner();
       }
       scanner;
-      insightTracker = new InsightTracker();
       cachedInsights = [];
       cachedFindings = [];
-      cachedStatefulInsights = [];
       debounceTimer = null;
       subs = new SubscriptionBag();
       start() {
@@ -4122,12 +4533,6 @@ var init_engine = __esm({
       getFindings() {
         return this.cachedFindings;
       }
-      getStatefulFindings() {
-        return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
-      }
-      getStatefulInsights() {
-        return this.cachedStatefulInsights;
-      }
       scheduleRecompute() {
         if (this.debounceTimer) return;
         this.debounceTimer = setTimeout(() => {
@@ -4136,20 +4541,14 @@ var init_engine = __esm({
         }, this.debounceMs);
       }
       recompute() {
-        const requests = this.registry.get("request-store").getAll();
+        const allRequests = this.registry.get("request-store").getAll();
         const queries = this.registry.get("query-store").getAll();
         const errors = this.registry.get("error-store").getAll();
         const logs = this.registry.get("log-store").getAll();
         const fetches = this.registry.get("fetch-store").getAll();
+        const requests = windowByEndpoint(allRequests);
         const flows = groupRequestsIntoFlows(requests);
         this.cachedFindings = this.scanner.scan({ requests, logs });
-        if (this.registry.has("finding-store")) {
-          const findingStore = this.registry.get("finding-store");
-          for (const finding of this.cachedFindings) {
-            findingStore.upsert(finding, "passive");
-          }
-          findingStore.reconcilePassive(this.cachedFindings);
-        }
         this.cachedInsights = computeInsights({
           requests,
           queries,
@@ -4159,14 +4558,30 @@ var init_engine = __esm({
           previousMetrics: this.registry.get("metrics-store").getAll(),
           securityFindings: this.cachedFindings
         });
-        this.cachedStatefulInsights = this.insightTracker.reconcile(this.cachedInsights);
-        const update = {
-          insights: this.cachedInsights,
-          findings: this.cachedFindings,
-          statefulFindings: this.getStatefulFindings(),
-          statefulInsights: this.cachedStatefulInsights
-        };
-        this.registry.get("event-bus").emit("analysis:updated", update);
+        if (this.registry.has("issue-store")) {
+          const issueStore = this.registry.get("issue-store");
+          for (const finding of this.cachedFindings) {
+            issueStore.upsert(securityFindingToIssue(finding), "passive");
+          }
+          for (const insight of this.cachedInsights) {
+            issueStore.upsert(insightToIssue(insight), "passive");
+          }
+          const currentIssueIds = /* @__PURE__ */ new Set();
+          for (const finding of this.cachedFindings) {
+            currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
+          }
+          for (const insight of this.cachedInsights) {
+            currentIssueIds.add(computeIssueId(insightToIssue(insight)));
+          }
+          const activeEndpoints = extractActiveEndpoints(allRequests);
+          issueStore.reconcile(currentIssueIds, activeEndpoints);
+          const update = {
+            insights: this.cachedInsights,
+            findings: this.cachedFindings,
+            issues: issueStore.getAll()
+          };
+          this.registry.get("event-bus").emit("analysis:updated", update);
+        }
       }
     };
   }
@@ -4177,14 +4592,14 @@ var VERSION;
 var init_src = __esm({
   "src/index.ts"() {
     "use strict";
-    init_finding_store();
+    init_issue_store();
     init_project();
     init_adapter_registry();
     init_rules();
     init_engine();
-    init_insights3();
     init_insights2();
-    VERSION = "0.8.4";
+    init_insights();
+    VERSION = "0.8.6";
   }
 });
@@ -4798,7 +5213,7 @@ function getFlowInsights() {
   }
   `;
 }
-var init_insights4 = __esm({
+var init_insights3 = __esm({
   "src/dashboard/client/views/flows/insights.ts"() {
     "use strict";
     init_constants();
@@ -4873,7 +5288,7 @@ function getFlowDetail() {
     h += '<span>' + req.durationMs + 'ms</span>';
     if (req.responseSize) h += '<span>' + formatSize(req.responseSize) + '</span>';
     h += '</div>';
-    h += '<div class="request-timeline tl-hidden" data-request-id="' + req.id + '" data-request-started="' + req.startedAt + '"></div>';
+    h += '<div class="request-timeline tl-hidden" data-request-id="' + escHtml(req.id) + '" data-request-started="' + escHtml(String(req.startedAt)) + '"></div>';
     h += '<div class="detail-grid">';
     h += '<div class="detail-section"><h4>Request Headers</h4><pre>' + formatHeaders(req.headers) + '</pre></div>';
     h += '<div class="detail-section"><h4>Response Headers</h4><pre>' + formatHeaders(req.responseHeaders) + '</pre></div>';
@@ -4990,7 +5405,7 @@ function getFlowsView() {
 var init_flows2 = __esm({
   "src/dashboard/client/views/flows.ts"() {
     "use strict";
-    init_insights4();
+    init_insights3();
     init_detail();
   }
 });
@@ -6130,8 +6545,8 @@ function getOverviewRender() {
       '<div class="ov-stat"><span class="ov-stat-value">' + state.fetches.length + '</span><span class="ov-stat-label">Fetches</span></div>';
     container.appendChild(summary);
-    var all = state.insights || [];
-    var open = all.filter(function(si) { return si.state === 'open'; });
+    var all = state.issues || [];
+    var open = all.filter(function(si) { return si.state === 'open' || si.state === 'fixing' || si.state === 'regressed'; });
     var resolved = all.filter(function(si) { return si.state === 'resolved'; });
     if (open.length === 0 && resolved.length === 0) {
@@ -6163,24 +6578,35 @@ function getOverviewRender() {
       for (var i = 0; i < open.length; i++) {
         (function(si) {
-          var insight = si.insight;
+          var issue = si.issue;
           var card = document.createElement('div');
           card.className = 'ov-card';
-          var sevCfg = SEV[insight.severity];
+          var sevCfg = SEV[issue.severity];
           var iconCls = sevCfg.cls;
           var iconChar = sevCfg.icon;
           var expandHtml = '';
-          if (insight.detail) expandHtml += insight.detail;
-          if (insight.hint) expandHtml += '<div class="ov-card-hint">' + escHtml(insight.hint) + '</div>';
-          expandHtml += '<span class="ov-card-link" data-nav="' + insight.nav + '">View in ' + (NAV_LABELS[insight.nav] || insight.nav) + ' \\u2192</span>';
+          if (issue.detail) expandHtml += issue.detail;
+          if (issue.hint) expandHtml += '<div class="ov-card-hint">' + escHtml(issue.hint) + '</div>';
+          if (issue.nav) expandHtml += '<span class="ov-card-link" data-nav="' + issue.nav + '">View in ' + (NAV_LABELS[issue.nav] || issue.nav) + ' \\u2192</span>';
+          var aiBadge = '';
+          if (si.state === 'fixing' && si.aiStatus === 'fixed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing">AI fixed \\u2014 awaiting verification</span>';
+          } else if (si.aiStatus === 'wont_fix') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-wontfix">AI: won\\u2019t fix</span>';
+          } else if (si.state === 'regressed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing" style="background:var(--red)">regressed</span>';
+          }
+          var occBadge = si.occurrences > 1 ? ' <span class="sec-item-count">' + si.occurrences + 'x</span>' : '';
           card.innerHTML =
             '<span class="ov-card-icon ' + iconCls + '">' + iconChar + '</span>' +
             '<div class="ov-card-body">' +
-              '<div class="ov-card-title">' + escHtml(insight.title) + '</div>' +
-              '<div class="ov-card-desc">' + insight.desc + '</div>' +
+              '<div class="ov-card-title">' + escHtml(issue.title) + occBadge + aiBadge + '</div>' +
+              '<div class="ov-card-desc">' + issue.desc + '</div>' +
               '<div class="ov-card-expand">' + expandHtml + '</div>' +
             '</div>' +
             '<span class="ov-card-arrow">\\u2192</span>';
@@ -6226,14 +6652,14 @@ function getOverviewRender() {
       resolvedCards.className = 'ov-cards';
       for (var ri = 0; ri < resolved.length; ri++) {
-        var rInsight = resolved[ri].insight;
+        var rIssue = resolved[ri].issue;
         var rCard = document.createElement('div');
         rCard.className = 'ov-card ov-card-resolved';
         rCard.innerHTML =
           '<span class="ov-card-icon resolved">\\u2713</span>' +
           '<div class="ov-card-body">' +
-            '<div class="ov-card-title" style="text-decoration:line-through;color:var(--text-muted)">' + escHtml(rInsight.title) + '</div>' +
-            '<div class="ov-card-desc">' + rInsight.desc + '</div>' +
+            '<div class="ov-card-title" style="text-decoration:line-through;color:var(--text-muted)">' + escHtml(rIssue.title) + '</div>' +
+            '<div class="ov-card-desc">' + rIssue.desc + '</div>' +
           '</div>';
         resolvedCards.appendChild(rCard);
       }
@@ -6271,11 +6697,12 @@ function getSecurityView() {
     container.innerHTML = '';
     var SEV = ${SEVERITY_MAP};
-    var all = state.findings || [];
-    var open = all.filter(function(f) { return f.state === 'open' || f.state === 'fixing'; });
+    var all = (state.issues || []).slice();
+    var open = all.filter(function(f) { return f.state === 'open' || f.state === 'fixing' || f.state === 'regressed'; });
     var resolved = all.filter(function(f) { return f.state === 'resolved'; });
+    var stale = all.filter(function(f) { return f.state === 'stale'; });
-    if (open.length === 0 && resolved.length === 0) {
+    if (open.length === 0 && resolved.length === 0 && stale.length === 0) {
       var hasData = state.requests.length > 0 || state.logs.length > 0 || state.queries.length > 0;
       if (!hasData) {
         container.innerHTML = '<div class="empty"><span class="empty-title">Waiting for requests...</span><span class="empty-sub">Start using your app to see security findings here</span></div>';
@@ -6287,7 +6714,7 @@ function getSecurityView() {
     var critCount = 0, warnCount = 0, infoCount = 0;
     for (var ci = 0; ci < open.length; ci++) {
-      var sev = open[ci].finding.severity;
+      var sev = open[ci].issue.severity;
       if (sev === 'critical') critCount++;
       else if (sev === 'info') infoCount++;
       else warnCount++;
@@ -6319,12 +6746,13 @@ function getSecurityView() {
       var groups = {};
       var groupOrder = [];
       for (var gi = 0; gi < open.length; gi++) {
-        var f = open[gi].finding;
+        var sf = open[gi];
+        var f = sf.issue;
         if (!groups[f.rule]) {
           groups[f.rule] = { rule: f.rule, title: f.title, severity: f.severity, hint: f.hint, items: [] };
           groupOrder.push(f.rule);
         }
-        groups[f.rule].items.push(f);
+        groups[f.rule].items.push(sf);
       }
       groupOrder.sort(function(a, b) {
@@ -6361,12 +6789,24 @@ function getSecurityView() {
         var list = document.createElement('div');
         list.className = 'sec-items';
         for (var ii = 0; ii < group.items.length; ii++) {
-          var item = group.items[ii];
+          var sf2 = group.items[ii];
+          var item = sf2.issue;
           var row = document.createElement('div');
           row.className = 'sec-item';
+          var aiBadge = '';
+          if (sf2.state === 'fixing' && sf2.aiStatus === 'fixed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing">AI fixed \\u2014 awaiting verification</span>';
+          } else if (sf2.aiStatus === 'wont_fix') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-wontfix">AI: won\\u2019t fix</span>';
+          } else if (sf2.state === 'regressed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing" style="background:var(--red)">regressed</span>';
+          }
+          var aiNotes = sf2.aiNotes ? '<div class="sec-ai-notes">' + escHtml(sf2.aiNotes) + '</div>' : '';
+          var occBadge = sf2.occurrences > 1 ? '<span class="sec-item-count">' + sf2.occurrences + 'x</span>' : '';
           row.innerHTML =
             '<div class="sec-item-desc">' + escHtml(item.desc) + '</div>' +
-            (item.count > 1 ? '<span class="sec-item-count">' + item.count + 'x</span>' : '');
+            occBadge +
+            aiBadge + aiNotes;
           list.appendChild(row);
         }
         section.appendChild(list);
@@ -6385,17 +6825,45 @@ function getSecurityView() {
       var resolvedItems = document.createElement('div');
       resolvedItems.className = 'sec-items';
       for (var ri = 0; ri < resolved.length; ri++) {
-        var rf = resolved[ri].finding;
+        var rsf = resolved[ri];
+        var rf = rsf.issue;
         var rRow = document.createElement('div');
         rRow.className = 'sec-item sec-item-resolved';
+        var verifiedBadge = rsf.aiStatus === 'fixed' ? '<span class="sec-ai-badge sec-ai-verified">Verified fix</span>' : '';
+        var rNotes = rsf.aiNotes ? '<div class="sec-ai-notes">' + escHtml(rsf.aiNotes) + '</div>' : '';
         rRow.innerHTML =
           '<span class="sec-resolved-item-icon">\\u2713</span>' +
-          '<div class="sec-item-desc">' + escHtml(rf.title) + ' \\u2014 ' + escHtml(rf.endpoint) + '</div>';
+          '<div class="sec-item-desc">' + escHtml(rf.title) + ' \\u2014 ' + escHtml(rf.endpoint || 'global') + '</div>' +
+          verifiedBadge + rNotes;
         resolvedItems.appendChild(rRow);
       }
       resolvedGroup.appendChild(resolvedItems);
       container.appendChild(resolvedGroup);
     }
+    if (stale.length > 0) {
+      var staleTitle = document.createElement('div');
+      staleTitle.className = 'sec-resolved-title';
+      staleTitle.innerHTML = '<span style="color:var(--text-muted)">\\u23F8</span> Stale <span class="sec-resolved-count">' + stale.length + '</span>';
+      container.appendChild(staleTitle);
+      var staleGroup = document.createElement('div');
+      staleGroup.className = 'sec-group sec-group-resolved';
+      var staleItems = document.createElement('div');
+      staleItems.className = 'sec-items';
+      for (var sti = 0; sti < stale.length; sti++) {
+        var ssf = stale[sti];
+        var sf3 = ssf.issue;
+        var sRow = document.createElement('div');
+        sRow.className = 'sec-item sec-item-resolved';
+        sRow.innerHTML =
+          '<span style="color:var(--text-muted)">\\u23F8</span>' +
+          '<div class="sec-item-desc" style="color:var(--text-muted)">' + escHtml(sf3.title) + ' \\u2014 endpoint inactive</div>';
+        staleItems.appendChild(sRow);
+      }
+      staleGroup.appendChild(staleItems);
+      container.appendChild(staleGroup);
+    }
   }
   `;
 }
@@ -6433,13 +6901,7 @@ function getApp() {
     try {
       var res3 = await fetch('${DASHBOARD_API_INSIGHTS}');
       var data3 = await res3.json();
-      state.insights = data3.insights || [];
-    } catch(e) { console.warn('[brakit]', e); }
-    try {
-      var res4 = await fetch('${DASHBOARD_API_SECURITY}');
-      var data4 = await res4.json();
-      state.findings = data4.findings || [];
+      state.issues = data3.issues || [];
     } catch(e) { console.warn('[brakit]', e); }
     updateStats();
@@ -6478,14 +6940,9 @@ function getApp() {
     registerTelemetryListener('error_event', 'errors', prependErrorRow);
     registerTelemetryListener('query', 'queries', prependQueryRow);
-    events.addEventListener('insights', function(e) {
-      state.insights = JSON.parse(e.data);
+    events.addEventListener('issues', function(e) {
+      state.issues = JSON.parse(e.data);
       if (state.activeView === 'overview') renderOverview();
-      updateStats();
-    });
-    events.addEventListener('security', function(e) {
-      state.findings = JSON.parse(e.data);
       if (state.activeView === 'security') renderSecurity();
       updateStats();
     });
@@ -6568,9 +7025,9 @@ function getApp() {
     if (queryCount) queryCount.textContent = state.queries.length;
     var secCount = document.getElementById('sidebar-count-security');
     if (secCount) {
-      var numFindings = (state.findings || []).filter(function(f) { return f.state !== 'resolved'; }).length;
-      secCount.textContent = numFindings;
-      secCount.style.display = numFindings > 0 ? '' : 'none';
+      var numIssues = (state.issues || []).filter(function(f) { return f.state !== 'resolved' && f.state !== 'stale'; }).length;
+      secCount.textContent = numIssues;
+      secCount.style.display = numIssues > 0 ? '' : 'none';
     }
   }
@@ -6588,7 +7045,7 @@ function getApp() {
     if (!confirm('This will clear all data including performance metrics history. Continue?')) return;
     await fetch('${DASHBOARD_API_CLEAR}', {method: 'POST'});
     state.flows = []; state.requests = []; state.fetches = []; state.errors = []; state.logs = []; state.queries = [];
-    state.insights = []; state.findings = [];
+    state.issues = [];
     graphData = []; selectedEndpoint = ${ALL_ENDPOINTS_SELECTOR}; timelineCache = {};
     renderFlows(); renderRequests(); renderFetches(); renderErrors(); renderLogs(); renderQueries(); renderGraph(); renderOverview(); renderSecurity(); updateStats();
     showToast('Cleared');
@@ -6681,10 +7138,10 @@ var init_page = __esm({
 });
 // src/telemetry/config.ts
-import { homedir } from "os";
-import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+import { join as join3 } from "path";
 import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 function readConfig() {
   try {
     if (!existsSync5(CONFIG_PATH)) return null;
@@ -6696,9 +7153,9 @@ function readConfig() {
 function writeConfig(config) {
   try {
     if (!existsSync5(CONFIG_DIR))
-      mkdirSync3(CONFIG_DIR, { recursive: true, mode: 448 });
+      mkdirSync3(CONFIG_DIR, { recursive: true, mode: DIR_MODE_OWNER_ONLY });
     writeFileSync3(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", {
-      mode: 384
+      mode: FILE_MODE_OWNER_ONLY
     });
   } catch {
   }
@@ -6708,27 +7165,34 @@ function getOrCreateConfig() {
   if (existing && typeof existing.telemetry === "boolean" && existing.anonymousId) {
     return existing;
   }
-  const config = { telemetry: true, anonymousId: randomUUID3() };
+  const config = { telemetry: true, anonymousId: randomUUID4() };
   writeConfig(config);
   return config;
 }
 function isTelemetryEnabled() {
+  if (cachedEnabled !== null) return cachedEnabled;
   const env = process.env.BRAKIT_TELEMETRY;
-  if (env !== void 0) return env !== "false" && env !== "0" && env !== "off";
-  return readConfig()?.telemetry ?? true;
+  if (env !== void 0) {
+    cachedEnabled = env !== "false" && env !== "0" && env !== "off";
+    return cachedEnabled;
+  }
+  cachedEnabled = readConfig()?.telemetry ?? true;
+  return cachedEnabled;
 }
-var CONFIG_DIR, CONFIG_PATH;
+var CONFIG_DIR, CONFIG_PATH, cachedEnabled;
 var init_config = __esm({
   "src/telemetry/config.ts"() {
     "use strict";
-    CONFIG_DIR = join2(homedir(), ".brakit");
-    CONFIG_PATH = join2(CONFIG_DIR, "config.json");
+    init_network();
+    CONFIG_DIR = join3(homedir2(), ".brakit");
+    CONFIG_PATH = join3(CONFIG_DIR, "config.json");
+    cachedEnabled = null;
   }
 });
 // src/telemetry/index.ts
 import { platform, release, arch } from "os";
-import { spawnSync } from "child_process";
+import { spawn } from "child_process";
 function initSession(framework, packageManager, isCustomCommand, adapters) {
   session.startTime = Date.now();
   session.framework = framework;
@@ -6753,12 +7217,12 @@ function recordDashboardOpened() {
 }
 function speedBucket(ms) {
   if (ms === 0) return "none";
-  if (ms < 200) return "<200ms";
-  if (ms < 500) return "200-500ms";
-  if (ms < 1e3) return "500-1000ms";
-  if (ms < 2e3) return "1000-2000ms";
-  if (ms < 5e3) return "2000-5000ms";
-  return ">5000ms";
+  const t = SPEED_BUCKET_THRESHOLDS;
+  if (ms < t[0]) return `<${t[0]}ms`;
+  for (let i = 1; i < t.length; i++) {
+    if (ms < t[i]) return `${t[i - 1]}-${t[i]}ms`;
+  }
+  return `>${t[t.length - 1]}ms`;
 }
 function trackSession(registry) {
   if (!isTelemetryEnabled()) return;
@@ -6815,14 +7279,15 @@ function trackSession(registry) {
   try {
     const body = JSON.stringify(payload);
     const url = `${POSTHOG_HOST}${POSTHOG_CAPTURE_PATH}`;
-    spawnSync(
+    const child = spawn(
       process.execPath,
       [
         "-e",
         `fetch(${JSON.stringify(url)},{method:"POST",headers:{"content-type":"application/json"},body:${JSON.stringify(body)},signal:AbortSignal.timeout(${POSTHOG_REQUEST_TIMEOUT_MS})}).catch(()=>{})`
       ],
-      { timeout: POSTHOG_SPAWN_TIMEOUT_MS, stdio: "ignore" }
+      { detached: true, stdio: "ignore" }
     );
+    child.unref();
   } catch {
   }
 }
@@ -6857,7 +7322,6 @@ function isDashboardRequest(url) {
 }
 function createDashboardHandler(registry) {
   const metricsStore = registry.get("metrics-store");
-  const analysisEngine = registry.has("analysis-engine") ? registry.get("analysis-engine") : void 0;
   const routes = {
     [DASHBOARD_API_REQUESTS]: createRequestsHandler(registry),
     [DASHBOARD_API_EVENTS]: createSSEHandler(registry),
@@ -6872,12 +7336,15 @@ function createDashboardHandler(registry) {
     [DASHBOARD_API_INGEST]: createIngestHandler(registry),
     [DASHBOARD_API_ACTIVITY]: createActivityHandler(registry)
   };
-  if (analysisEngine) {
-    routes[DASHBOARD_API_INSIGHTS] = createInsightsHandler(analysisEngine);
-    routes[DASHBOARD_API_SECURITY] = createSecurityHandler(analysisEngine);
-  }
-  if (registry.has("finding-store")) {
-    routes[DASHBOARD_API_FINDINGS] = createFindingsHandler(registry.get("finding-store"));
+  if (registry.has("issue-store")) {
+    const issueStore = registry.get("issue-store");
+    routes[DASHBOARD_API_INSIGHTS] = createIssuesHandler(issueStore);
+    routes[DASHBOARD_API_SECURITY] = createIssuesHandler(issueStore);
+    routes[DASHBOARD_API_FINDINGS] = createFindingsHandler(issueStore);
+    routes[DASHBOARD_API_FINDINGS_REPORT] = createIssuesReportHandler(
+      issueStore,
+      registry.get("event-bus")
+    );
   }
   routes[DASHBOARD_API_TAB] = (req, res) => {
     const raw = (req.url ?? "").split("tab=")[1];
@@ -6885,7 +7352,7 @@ function createDashboardHandler(registry) {
       const tab = decodeURIComponent(raw).slice(0, MAX_TAB_NAME_LENGTH);
       if (VALID_TABS.has(tab) && isTelemetryEnabled()) recordTabViewed(tab);
     }
-    res.writeHead(204);
+    res.writeHead(HTTP_NO_CONTENT);
     res.end();
   };
   return (req, res, config) => {
@@ -6896,7 +7363,7 @@ function createDashboardHandler(registry) {
       return;
     }
     if (isTelemetryEnabled()) recordDashboardOpened();
-    res.writeHead(200, {
+    res.writeHead(HTTP_OK, {
       "content-type": "text/html; charset=utf-8",
       "cache-control": "no-cache",
       ...SECURITY_HEADERS
@@ -6904,23 +7371,16 @@ function createDashboardHandler(registry) {
     res.end(getDashboardHtml(config));
   };
 }
-var SECURITY_HEADERS;
 var init_router = __esm({
   "src/dashboard/router.ts"() {
     "use strict";
     init_constants();
+    init_http();
     init_api();
-    init_insights();
-    init_findings();
+    init_issues();
     init_sse();
     init_page();
     init_telemetry2();
-    SECURITY_HEADERS = {
-      "x-content-type-options": "nosniff",
-      "x-frame-options": "DENY",
-      "referrer-policy": "no-referrer",
-      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src data:"
-    };
   }
 });
@@ -6929,6 +7389,7 @@ var EventBus;
 var init_event_bus = __esm({
   "src/core/event-bus.ts"() {
     "use strict";
+    init_log();
     EventBus = class {
       listeners = /* @__PURE__ */ new Map();
       emit(channel, data) {
@@ -6937,7 +7398,8 @@ var init_event_bus = __esm({
         for (const fn of set) {
           try {
             fn(data);
-          } catch {
+          } catch (err) {
+            brakitDebug(`EventBus listener threw on channel "${channel}": ${err}`);
           }
         }
       }
@@ -7001,9 +7463,9 @@ var init_static_patterns = __esm({
 });
 // src/store/request-store.ts
-function flattenHeaders(headers) {
+function flattenHeaders(headers2) {
   const flat = {};
-  for (const [key, value] of Object.entries(headers)) {
+  for (const [key, value] of Object.entries(headers2)) {
     if (value === void 0) continue;
     flat[key] = Array.isArray(value) ? value.join(", ") : value;
   }
@@ -7059,6 +7521,15 @@ var init_request_store = __esm({
         }
         return entry;
       }
+      add(entry) {
+        this.requests.push(entry);
+        if (this.requests.length > this.maxEntries) {
+          this.requests.shift();
+        }
+        for (const fn of this.listeners) {
+          fn(entry);
+        }
+      }
       getAll() {
         return this.requests;
       }
@@ -7077,7 +7548,7 @@ var init_request_store = __esm({
 });
 // src/store/telemetry-store.ts
-import { randomUUID as randomUUID4 } from "crypto";
+import { randomUUID as randomUUID5 } from "crypto";
 var TelemetryStore;
 var init_telemetry_store = __esm({
   "src/store/telemetry-store.ts"() {
@@ -7090,7 +7561,7 @@ var init_telemetry_store = __esm({
       entries = [];
       listeners = [];
       add(data) {
-        const entry = { id: randomUUID4(), ...data };
+        const entry = { id: randomUUID5(), ...data };
         this.entries.push(entry);
         if (this.entries.length > this.maxEntries) this.entries.shift();
         for (const fn of this.listeners) fn(entry);
@@ -7174,7 +7645,7 @@ var init_math = __esm({
 });
 // src/store/metrics/metrics-store.ts
-import { randomUUID as randomUUID5 } from "crypto";
+import { randomUUID as randomUUID6 } from "crypto";
 function createAccumulator() {
   return {
     durations: [],
@@ -7194,23 +7665,29 @@ var init_metrics_store = __esm({
     "use strict";
     init_constants();
     init_math();
+    init_http_status();
     init_endpoint();
     MetricsStore = class {
       constructor(persistence) {
         this.persistence = persistence;
-        this.data = persistence.load();
-        for (const ep of this.data.endpoints) {
-          this.endpointIndex.set(ep.endpoint, ep);
-        }
+        this.data = { version: 1, endpoints: [] };
       }
       data;
       endpointIndex = /* @__PURE__ */ new Map();
-      sessionId = randomUUID5();
+      sessionId = randomUUID6();
       sessionStart = Date.now();
       flushTimer = null;
+      dirty = false;
       accumulators = /* @__PURE__ */ new Map();
       pendingPoints = /* @__PURE__ */ new Map();
       start() {
+        this.persistence.loadAsync().then((data) => {
+          this.data = data;
+          for (const ep of this.data.endpoints) {
+            this.endpointIndex.set(ep.endpoint, ep);
+          }
+        }).catch(() => {
+        });
         this.flushTimer = setInterval(
           () => this.flush(),
           METRICS_FLUSH_INTERVAL_MS
@@ -7226,21 +7703,27 @@ var init_metrics_store = __esm({
       }
       recordRequest(req, metrics) {
         if (req.isStatic) return;
+        this.dirty = true;
         const key = getEndpointKey(req.method, req.path);
         let acc = this.accumulators.get(key);
         if (!acc) {
+          if (this.accumulators.size >= MAX_UNIQUE_ENDPOINTS) return;
           acc = createAccumulator();
           this.accumulators.set(key, acc);
         }
-        acc.durations.push(req.durationMs);
-        acc.queryCounts.push(metrics.queryCount);
-        if (req.statusCode >= 400) acc.errorCount++;
+        if (acc.durations.length < MAX_ACCUMULATOR_ENTRIES) {
+          acc.durations.push(req.durationMs);
+        }
+        if (acc.queryCounts.length < MAX_ACCUMULATOR_ENTRIES) {
+          acc.queryCounts.push(metrics.queryCount);
+        }
+        if (isErrorStatus(req.statusCode)) acc.errorCount++;
         acc.totalDurationSum += req.durationMs;
         acc.totalRequestCount++;
         acc.totalQuerySum += metrics.queryCount;
         acc.totalQueryTimeMs += metrics.queryTimeMs;
         acc.totalFetchTimeMs += metrics.fetchTimeMs;
-        if (req.statusCode >= 400) acc.totalErrorCount++;
+        if (isErrorStatus(req.statusCode)) acc.totalErrorCount++;
         const timestamp = Math.round(
           Date.now() - (performance.now() - req.startedAt)
         );
@@ -7254,10 +7737,13 @@ var init_metrics_store = __esm({
         };
         let pending2 = this.pendingPoints.get(key);
         if (!pending2) {
+          if (this.pendingPoints.size >= MAX_UNIQUE_ENDPOINTS) return;
           pending2 = [];
           this.pendingPoints.set(key, pending2);
         }
-        pending2.push(point);
+        if (pending2.length < MAX_ACCUMULATOR_ENTRIES) {
+          pending2.push(point);
+        }
       }
       getAll() {
         return this.data.endpoints;
@@ -7280,7 +7766,7 @@ var init_metrics_store = __esm({
         for (const [endpoint, requests] of merged) {
           if (requests.length === 0) continue;
           const durations = requests.map((r) => r.durationMs);
-          const errors = requests.filter((r) => r.statusCode >= 400).length;
+          const errors = requests.filter((r) => isErrorStatus(r.statusCode)).length;
           const totalQueries = requests.reduce((s, r) => s + r.queryCount, 0);
           const totalQueryTime = requests.reduce((s, r) => s + (r.queryTimeMs ?? 0), 0);
           const totalFetchTime = requests.reduce((s, r) => s + (r.fetchTimeMs ?? 0), 0);
@@ -7310,6 +7796,7 @@ var init_metrics_store = __esm({
         this.endpointIndex.clear();
         this.accumulators.clear();
         this.pendingPoints.clear();
+        this.dirty = false;
         this.persistence.remove();
       }
       flush(sync = false) {
@@ -7350,11 +7837,13 @@ var init_metrics_store = __esm({
           epMetrics.dataPoints = existing.concat(points).slice(-METRICS_MAX_DATA_POINTS);
         }
         this.pendingPoints.clear();
+        if (!this.dirty) return;
         if (sync) {
           this.persistence.saveSync(this.data);
         } else {
           this.persistence.save(this.data);
         }
+        this.dirty = false;
       }
       getOrCreateEndpoint(endpoint) {
         let ep = this.endpointIndex.get(endpoint);
@@ -7370,40 +7859,53 @@ var init_metrics_store = __esm({
 });
 // src/store/metrics/persistence.ts
-import { readFileSync as readFileSync4, existsSync as existsSync6, unlinkSync } from "fs";
+import { readFile as readFile4 } from "fs/promises";
+import { readFileSync as readFileSync4, existsSync as existsSync6, unlinkSync as unlinkSync2 } from "fs";
 import { resolve as resolve3 } from "path";
-var FileMetricsPersistence;
+var DEFAULT_METRICS, FileMetricsPersistence;
 var init_persistence = __esm({
   "src/store/metrics/persistence.ts"() {
     "use strict";
     init_constants();
     init_atomic_writer();
+    init_fs();
     init_log();
+    init_type_guards();
+    DEFAULT_METRICS = { version: 1, endpoints: [] };
     FileMetricsPersistence = class {
       metricsPath;
       writer;
-      constructor(rootDir) {
-        this.metricsPath = resolve3(rootDir, METRICS_FILE);
+      constructor(dataDir) {
+        this.metricsPath = resolve3(dataDir, METRICS_FILE);
         this.writer = new AtomicWriter({
-          dir: resolve3(rootDir, METRICS_DIR),
+          dir: dataDir,
           filePath: this.metricsPath,
-          gitignoreEntry: METRICS_DIR,
           label: "metrics"
         });
       }
       load() {
         try {
           if (existsSync6(this.metricsPath)) {
-            const raw = readFileSync4(this.metricsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === 1 && Array.isArray(parsed.endpoints)) {
-              return parsed;
-            }
+            return this.parseMetrics(readFileSync4(this.metricsPath, "utf-8"));
+          }
+        } catch (err) {
+          brakitWarn(`failed to load ${this.metricsPath}: ${getErrorMessage(err)}`);
+        }
+        return { ...DEFAULT_METRICS };
+      }
+      async loadAsync() {
+        try {
+          if (await fileExists(this.metricsPath)) {
+            return this.parseMetrics(await readFile4(this.metricsPath, "utf-8"));
           }
         } catch (err) {
-          brakitWarn(`failed to load metrics: ${err.message}`);
+          brakitWarn(`failed to load ${this.metricsPath}: ${getErrorMessage(err)}`);
         }
-        return { version: 1, endpoints: [] };
+        return { ...DEFAULT_METRICS };
+      }
+      /** Parse and validate metrics JSON, returning default empty data on invalid input. */
+      parseMetrics(raw) {
+        return validateMetricsData(JSON.parse(raw)) ?? { ...DEFAULT_METRICS };
       }
       save(data) {
         this.writer.writeAsync(JSON.stringify(data));
@@ -7414,9 +7916,10 @@ var init_persistence = __esm({
       remove() {
         try {
           if (existsSync6(this.metricsPath)) {
-            unlinkSync(this.metricsPath);
+            unlinkSync2(this.metricsPath);
           }
-        } catch {
+        } catch (err) {
+          brakitDebug(`failed to remove metrics file: ${getErrorMessage(err)}`);
         }
       }
     };
@@ -7453,14 +7956,14 @@ function colorTitle(severity, text) {
 function truncate(s, max = TERMINAL_TRUNCATE_LENGTH) {
   return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
 }
-function formatConsoleLine(insight, suffix) {
-  const icon = severityIcon(insight.severity);
-  const title = colorTitle(insight.severity, insight.title);
-  const desc = pc.dim(truncate(insight.desc) + (suffix ?? ""));
+function formatConsoleLine(issue, suffix) {
+  const icon = severityIcon(issue.severity);
+  const title = colorTitle(issue.severity, issue.title);
+  const desc = pc.dim(truncate(issue.desc) + (suffix ?? ""));
   let line = `  ${icon} ${title} \u2014 ${desc}`;
-  if (insight.detail) {
+  if (issue.detail) {
     line += `
-    ${pc.dim("\u2514 " + insight.detail)}`;
+    ${pc.dim("\u2514 " + issue.detail)}`;
   }
   return line;
 }
@@ -7470,26 +7973,37 @@ function startTerminalInsights(registry, proxyPort) {
   const printedKeys = /* @__PURE__ */ new Set();
   const resolvedKeys = /* @__PURE__ */ new Set();
   const dashUrl = `localhost:${proxyPort}${DASHBOARD_PREFIX}`;
-  return bus.on("analysis:updated", ({ statefulInsights }) => {
+  return bus.on("analysis:updated", ({ issues }) => {
     const newLines = [];
     const resolvedLines = [];
-    for (const si of statefulInsights) {
+    const regressedLines = [];
+    for (const si of issues) {
       if (si.state === "resolved") {
-        if (resolvedKeys.has(si.key)) continue;
-        resolvedKeys.add(si.key);
-        printedKeys.delete(si.key);
-        const title = pc.green(pc.bold(`\u2713 ${si.insight.title}`));
-        const desc = pc.dim(truncate(si.insight.desc));
+        if (resolvedKeys.has(si.issueId)) continue;
+        resolvedKeys.add(si.issueId);
+        printedKeys.delete(si.issueId);
+        const title = pc.green(pc.bold(`\u2713 ${si.issue.title}`));
+        const desc = pc.dim(truncate(si.issue.desc));
         resolvedLines.push(`  ${title} \u2014 ${desc} ${pc.green("resolved")}`);
         continue;
       }
-      resolvedKeys.delete(si.key);
-      if (si.insight.severity === "info") continue;
-      if (printedKeys.has(si.key)) continue;
-      printedKeys.add(si.key);
+      if (si.state === "regressed") {
+        if (!printedKeys.has(si.issueId)) {
+          printedKeys.add(si.issueId);
+          resolvedKeys.delete(si.issueId);
+          const title = pc.red(pc.bold(`\u26A0 ${si.issue.title}`));
+          const desc = pc.dim(truncate(si.issue.desc));
+          regressedLines.push(`  ${title} \u2014 ${desc} ${pc.red("regressed")}`);
+        }
+        continue;
+      }
+      resolvedKeys.delete(si.issueId);
+      if (si.issue.severity === "info") continue;
+      if (printedKeys.has(si.issueId)) continue;
+      printedKeys.add(si.issueId);
       let suffix;
-      if (si.insight.type === "slow") {
-        const endpoint = extractEndpointFromDesc(si.insight.desc);
+      if (si.issue.rule === "slow") {
+        const endpoint = si.issue.endpoint;
         if (endpoint) {
           const ep = metricsStore.getEndpoint(endpoint);
           if (ep && ep.sessions.length > 1) {
@@ -7498,7 +8012,7 @@ function startTerminalInsights(registry, proxyPort) {
           }
         }
       }
-      newLines.push(formatConsoleLine(si.insight, suffix));
+      newLines.push(formatConsoleLine(si.issue, suffix));
     }
     if (newLines.length > 0) {
       print("");
@@ -7506,6 +8020,12 @@ function startTerminalInsights(registry, proxyPort) {
       print("");
       print(`  ${pc.magenta(pc.bold("brakit"))} ${pc.dim("\u2192")} ${pc.dim("Dashboard:")} ${pc.underline(`http://${dashUrl}`)}  ${pc.dim("or ask your AI:")} ${pc.bold('"Fix brakit findings"')}`);
     }
+    if (regressedLines.length > 0) {
+      print("");
+      for (const line of regressedLines) print(line);
+      print("");
+      print(`  ${pc.magenta(pc.bold("brakit"))} ${pc.dim("\u2192")} ${pc.red("Issues came back after being resolved!")}`);
+    }
     if (resolvedLines.length > 0) {
       print("");
       for (const line of resolvedLines) print(line);
@@ -7522,7 +8042,6 @@ var init_terminal = __esm({
     init_constants();
     init_limits();
     init_severity();
-    init_endpoint();
     SEVERITY_COLOR = {
       critical: pc.red,
       warning: pc.yellow,
@@ -7540,17 +8059,28 @@ var init_health2 = __esm({
     BrakitHealth = class {
       errorCount = 0;
       disabled = false;
+      disabledAt = 0;
       teardownFn = null;
       reportError() {
         this.errorCount++;
         if (this.errorCount >= MAX_HEALTH_ERRORS && !this.disabled) {
           this.disabled = true;
-          console.warn("brakit: too many errors, disabling for this session.");
+          this.disabledAt = Date.now();
+          try {
+            process.stderr.write("brakit: too many errors, disabling temporarily.\n");
+          } catch {
+          }
           this.teardownFn?.();
         }
       }
       isActive() {
-        return !this.disabled;
+        if (!this.disabled) return true;
+        if (Date.now() - this.disabledAt > RECOVERY_WINDOW_MS) {
+          this.disabled = false;
+          this.errorCount = 0;
+          return true;
+        }
+        return false;
       }
       setTeardown(fn) {
         this.teardownFn = fn;
@@ -7591,10 +8121,10 @@ var init_guard = __esm({
 });
 // src/runtime/capture.ts
-import { gunzipSync, brotliDecompressSync, inflateSync } from "zlib";
-function outgoingToIncoming(headers) {
+import { gunzip, brotliDecompress, inflate } from "zlib";
+function outgoingToIncoming(headers2) {
   const result = {};
-  for (const [key, value] of Object.entries(headers)) {
+  for (const [key, value] of Object.entries(headers2)) {
     if (value === void 0) continue;
     if (Array.isArray(value)) {
       result[key] = value.map(String);
@@ -7604,15 +8134,14 @@ function outgoingToIncoming(headers) {
   }
   return result;
 }
-function decompress(body, encoding) {
-  try {
-    if (encoding === CONTENT_ENCODING_GZIP) return gunzipSync(body);
-    if (encoding === CONTENT_ENCODING_BR) return brotliDecompressSync(body);
-    if (encoding === CONTENT_ENCODING_DEFLATE) return inflateSync(body);
-  } catch (e) {
-    brakitDebug(`decompress failed: ${e.message}`);
-  }
-  return body;
+function decompressAsync(body, encoding) {
+  const decompressor = encoding === CONTENT_ENCODING_GZIP ? gunzip : encoding === CONTENT_ENCODING_BR ? brotliDecompress : encoding === CONTENT_ENCODING_DEFLATE ? inflate : null;
+  if (!decompressor) return Promise.resolve(body);
+  return new Promise((resolve5) => {
+    decompressor(body, (err, result) => {
+      resolve5(err ? body : result);
+    });
+  });
 }
 function toBuffer(chunk) {
   if (Buffer.isBuffer(chunk)) return chunk;
@@ -7627,18 +8156,23 @@ function captureInProcess(req, res, requestId, requestStore) {
   let resSize = 0;
   const originalWrite = res.write;
   const originalEnd = res.end;
+  let truncated = false;
   res.write = function(...args) {
     try {
       const chunk = args[0];
-      if (chunk != null && typeof chunk !== "function" && resSize < DEFAULT_MAX_BODY_CAPTURE) {
-        const buf = toBuffer(chunk);
-        if (buf) {
-          resChunks.push(buf);
-          resSize += buf.length;
+      if (chunk != null && typeof chunk !== "function") {
+        if (resSize < DEFAULT_MAX_BODY_CAPTURE) {
+          const buf = toBuffer(chunk);
+          if (buf) {
+            resChunks.push(buf);
+            resSize += buf.length;
+          }
+        } else {
+          truncated = true;
         }
       }
     } catch (e) {
-      brakitDebug(`capture write: ${e.message}`);
+      brakitDebug(`capture write: ${getErrorMessage(e)}`);
     }
     return originalWrite.apply(this, args);
   };
@@ -7652,33 +8186,39 @@ function captureInProcess(req, res, requestId, requestStore) {
         }
       }
     } catch (e) {
-      brakitDebug(`capture end: ${e.message}`);
+      brakitDebug(`capture end: ${getErrorMessage(e)}`);
     }
     const result = originalEnd.apply(this, args);
     const endTime = performance.now();
-    try {
-      const encoding = String(res.getHeader("content-encoding") ?? "").toLowerCase();
-      let body = resChunks.length > 0 ? Buffer.concat(resChunks) : null;
-      if (body && encoding) {
-        body = decompress(body, encoding);
+    const encoding = String(res.getHeader("content-encoding") ?? "").toLowerCase();
+    const statusCode = res.statusCode;
+    const responseHeaders = outgoingToIncoming(res.getHeaders());
+    const responseContentType = String(res.getHeader("content-type") ?? "");
+    const capturedChunks = resChunks.slice();
+    void (async () => {
+      try {
+        let body = capturedChunks.length > 0 ? Buffer.concat(capturedChunks) : null;
+        if (body && encoding && !truncated) {
+          body = await decompressAsync(body, encoding);
+        }
+        requestStore.capture({
+          requestId,
+          method,
+          url: req.url ?? "/",
+          requestHeaders: req.headers,
+          requestBody: null,
+          statusCode,
+          responseHeaders,
+          responseBody: body,
+          responseContentType,
+          startTime,
+          endTime,
+          config: { maxBodyCapture: DEFAULT_MAX_BODY_CAPTURE }
+        });
+      } catch (e) {
+        brakitDebug(`capture store: ${getErrorMessage(e)}`);
       }
-      requestStore.capture({
-        requestId,
-        method,
-        url: req.url ?? "/",
-        requestHeaders: req.headers,
-        requestBody: null,
-        statusCode: res.statusCode,
-        responseHeaders: outgoingToIncoming(res.getHeaders()),
-        responseBody: body,
-        responseContentType: String(res.getHeader("content-type") ?? ""),
-        startTime,
-        endTime,
-        config: { maxBodyCapture: DEFAULT_MAX_BODY_CAPTURE }
-      });
-    } catch (e) {
-      brakitDebug(`capture store: ${e.message}`);
-    }
+    })();
     return result;
   };
 }
@@ -7687,12 +8227,13 @@ var init_capture = __esm({
     "use strict";
     init_constants();
     init_log();
+    init_type_guards();
   }
 });
 // src/runtime/interceptor.ts
 import http from "http";
-import { randomUUID as randomUUID6 } from "crypto";
+import { randomUUID as randomUUID7 } from "crypto";
 function installInterceptor(deps) {
   originalEmit = http.Server.prototype.emit;
   const saved = originalEmit;
@@ -7718,14 +8259,14 @@ function installInterceptor(deps) {
       }
       if (isDashboardRequest(url)) {
         if (!isLocalRequest(req)) {
-          res.writeHead(404);
+          res.writeHead(HTTP_NOT_FOUND);
           res.end("Not Found");
           return true;
         }
         deps.handleDashboard(req, res, deps.config);
         return true;
       }
-      const requestId = randomUUID6();
+      const requestId = randomUUID7();
       const ctx = {
         requestId,
         url,
@@ -7754,6 +8295,7 @@ var init_interceptor = __esm({
     init_safe_wrap();
     init_guard();
     init_capture();
+    init_http();
     originalEmit = null;
   }
 });
@@ -7763,11 +8305,16 @@ var setup_exports = {};
 __export(setup_exports, {
   setup: () => setup
 });
-import { writeFileSync as writeFileSync4, readFileSync as readFileSync5, mkdirSync as mkdirSync4, existsSync as existsSync7, unlinkSync as unlinkSync2 } from "fs";
+import { readFile as readFile5, mkdir as mkdir2, writeFile as writeFile3 } from "fs/promises";
+import { existsSync as existsSync7, unlinkSync as unlinkSync3 } from "fs";
 import { resolve as resolve4 } from "path";
 function setup() {
-  if (initialized) return;
-  initialized = true;
+  if (initPromise) return initPromise;
+  initPromise = doSetup();
+  return initPromise;
+}
+async function doSetup() {
+  brakitDebug(`[setup] doSetup called at ${(/* @__PURE__ */ new Date()).toISOString()}`);
   const bus = new EventBus();
   const registry = new ServiceRegistry();
   const requestStore = new RequestStore();
@@ -7798,7 +8345,9 @@ function setup() {
   const cwd = process.cwd();
   let framework = "unknown";
   try {
-    const pkg = JSON.parse(readFileSync5(resolve4(cwd, "package.json"), "utf-8"));
+    const pkg = JSON.parse(
+      await readFile5(resolve4(cwd, "package.json"), "utf-8")
+    );
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     framework = detectFrameworkFromDeps(allDeps);
   } catch {
@@ -7809,12 +8358,13 @@ function setup() {
     false,
     adapterRegistry.getActive().map((a) => a.name)
   );
-  const metricsStore = new MetricsStore(new FileMetricsPersistence(cwd));
+  const dataDir = getProjectDataDir(cwd);
+  const metricsStore = new MetricsStore(new FileMetricsPersistence(dataDir));
   metricsStore.start();
   registry.register("metrics-store", metricsStore);
-  const findingStore = new FindingStore(cwd);
-  findingStore.start();
-  registry.register("finding-store", findingStore);
+  const issueStore = new IssueStore(dataDir);
+  issueStore.start();
+  registry.register("issue-store", issueStore);
   const analysisEngine = new AnalysisEngine(registry);
   analysisEngine.start();
   registry.register("analysis-engine", analysisEngine);
@@ -7841,51 +8391,74 @@ function setup() {
     requestStore,
     onFirstRequest(port) {
       setBrakitPort(port);
-      const dir = resolve4(cwd, METRICS_DIR);
-      if (!existsSync7(dir)) mkdirSync4(dir, { recursive: true });
-      const portPath = resolve4(cwd, PORT_FILE);
-      if (existsSync7(portPath)) {
-        const old = readFileSync5(portPath, "utf-8").trim();
-        if (old && old !== String(port)) {
-          brakitDebug(`Overwriting stale port file (was ${old}, now ${port})`);
+      brakitDebug(`[setup] onFirstRequest fired, port=${port}`);
+      void (async () => {
+        try {
+          const dir = resolve4(cwd, METRICS_DIR);
+          await mkdir2(dir, { recursive: true });
+          const portPath = resolve4(cwd, PORT_FILE);
+          try {
+            const old = await readFile5(portPath, "utf-8");
+            if (old.trim() === String(port)) {
+              brakitDebug(`[setup] port file already correct, skipping write`);
+              return;
+            }
+            if (old.trim()) {
+              brakitDebug(
+                `Overwriting stale port file (was ${old.trim()}, now ${port})`
+              );
+            }
+          } catch {
+            brakitDebug(`[setup] no existing port file, will create`);
+          }
+          await writeFile3(portPath, String(port));
+          brakitDebug(`[setup] wrote port file: ${portPath}`);
+        } catch (err) {
+          brakitDebug(`port file write failed: ${getErrorMessage(err)}`);
         }
-      }
-      writeFileSync4(portPath, String(port));
+      })();
       terminalDispose = startTerminalInsights(registry, port);
-      process.stdout.write(`  brakit v${VERSION} \u2014 http://localhost:${port}${DASHBOARD_PREFIX}
-`);
+      process.stdout.write(
+        `  brakit v${VERSION} \u2014 http://localhost:${port}${DASHBOARD_PREFIX}
+`
+      );
     }
   });
-  let teardownCalled = false;
-  const runTeardown = () => {
-    if (teardownCalled) return;
-    teardownCalled = true;
+  let telemetrySent = false;
+  const sendTelemetry = () => {
+    if (telemetrySent) return;
+    telemetrySent = true;
     recordRequestCount(requestStore.getAll().length);
     recordInsightTypes(analysisEngine.getInsights().map((i) => i.type));
     recordRulesTriggered(analysisEngine.getFindings().map((f) => f.rule));
     trackSession(registry);
+  };
+  let teardownCalled = false;
+  const runTeardown = () => {
+    if (teardownCalled) return;
+    teardownCalled = true;
+    sendTelemetry();
     uninstallInterceptor();
     terminalDispose?.();
     analysisEngine.stop();
-    findingStore.stop();
+    issueStore.stop();
     metricsStore.stop();
     try {
       const portPath = resolve4(cwd, PORT_FILE);
-      if (existsSync7(portPath)) unlinkSync2(portPath);
-    } catch {
+      if (existsSync7(portPath)) unlinkSync3(portPath);
+    } catch (err) {
+      brakitDebug(`[setup] port file cleanup failed: ${getErrorMessage(err)}`);
     }
   };
   health.setTeardown(runTeardown);
-  process.once("SIGINT", () => {
-    runTeardown();
-    process.exit(SIGNAL_EXIT_SIGINT);
+  process.on("beforeExit", () => {
+    sendTelemetry();
   });
-  process.once("SIGTERM", () => {
+  process.on("exit", () => {
     runTeardown();
-    process.exit(SIGNAL_EXIT_SIGTERM);
   });
 }
-var initialized;
+var initPromise;
 var init_setup = __esm({
   "src/runtime/setup.ts"() {
     "use strict";
@@ -7902,18 +8475,19 @@ var init_setup = __esm({
     init_error_store();
     init_query_store();
     init_store();
-    init_finding_store();
+    init_issue_store();
     init_engine();
     init_terminal();
     init_src();
     init_constants();
-    init_telemetry();
     init_health2();
     init_interceptor();
     init_log();
+    init_type_guards();
+    init_fs();
     init_project();
     init_telemetry2();
-    initialized = false;
+    initPromise = null;
   }
 });
@@ -7932,7 +8506,7 @@ function shouldActivate() {
 if (shouldActivate()) {
   try {
     const { setup: setup2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
-    setup2();
+    await setup2();
   } catch (err) {
     console.warn("brakit: failed to start \u2014", err?.message);
   }