brakit 0.8.5 → 0.8.6

package/dist/runtime/index.js

@@ -47,7 +47,7 @@ var init_routes = __esm({
 });
 
 // src/constants/limits.ts
-var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS, MAX_JSON_BODY_BYTES, ANALYSIS_DEBOUNCE_MS, FINDING_ID_HASH_LENGTH, FINDINGS_DATA_VERSION, SENSITIVE_MASK_PLACEHOLDER;
+var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS, MAX_JSON_BODY_BYTES, ANALYSIS_DEBOUNCE_MS, ISSUE_ID_HASH_LENGTH, ISSUES_DATA_VERSION, SENSITIVE_MASK_PLACEHOLDER, PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_API_LIMIT, MAX_OBJECT_SCAN_DEPTH, MAX_UNIQUE_ENDPOINTS, MAX_ACCUMULATOR_ENTRIES, ISSUE_PRUNE_TTL_MS;
 var init_limits = __esm({
   "src/constants/limits.ts"() {
     "use strict";
@@ -62,14 +62,25 @@ var init_limits = __esm({
     SENSITIVE_MASK_VISIBLE_CHARS = 4;
     MAX_JSON_BODY_BYTES = 65536;
     ANALYSIS_DEBOUNCE_MS = 300;
-    FINDING_ID_HASH_LENGTH = 16;
-    FINDINGS_DATA_VERSION = 1;
+    ISSUE_ID_HASH_LENGTH = 16;
+    ISSUES_DATA_VERSION = 2;
     SENSITIVE_MASK_PLACEHOLDER = "****";
+    PROJECT_HASH_LENGTH = 8;
+    SECRET_SCAN_ARRAY_LIMIT = 5;
+    PII_SCAN_ARRAY_LIMIT = 10;
+    MIN_SECRET_VALUE_LENGTH = 8;
+    FULL_RECORD_MIN_FIELDS = 5;
+    LIST_PII_MIN_ITEMS = 2;
+    MAX_API_LIMIT = 500;
+    MAX_OBJECT_SCAN_DEPTH = 5;
+    MAX_UNIQUE_ENDPOINTS = 500;
+    MAX_ACCUMULATOR_ENTRIES = 1e3;
+    ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
   }
 });
 
 // src/constants/thresholds.ts
-var FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, SLOW_ENDPOINT_THRESHOLD_MS, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, RESOLVE_AFTER_ABSENCES, RESOLVED_INSIGHT_TTL_MS;
+var FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, SLOW_ENDPOINT_THRESHOLD_MS, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, CLEAN_HITS_FOR_RESOLUTION, STALE_ISSUE_TTL_MS;
 var init_thresholds = __esm({
   "src/constants/thresholds.ts"() {
     "use strict";
@@ -99,9 +110,9 @@ var init_thresholds = __esm({
     OVERFETCH_MANY_FIELDS = 12;
     OVERFETCH_UNWRAP_MIN_SIZE = 3;
     MAX_DUPLICATE_INSIGHTS = 3;
-    INSIGHT_WINDOW_PER_ENDPOINT = 2;
-    RESOLVE_AFTER_ABSENCES = 3;
-    RESOLVED_INSIGHT_TTL_MS = 18e5;
+    INSIGHT_WINDOW_PER_ENDPOINT = 20;
+    CLEAN_HITS_FOR_RESOLUTION = 5;
+    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
   }
 });
 
@@ -117,18 +128,18 @@ var init_transport = __esm({
 });
 
 // src/constants/metrics.ts
-var METRICS_DIR, METRICS_FILE, PORT_FILE, FINDINGS_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, FINDINGS_FLUSH_INTERVAL_MS;
+var METRICS_DIR, METRICS_FILE, PORT_FILE, ISSUES_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, ISSUES_FLUSH_INTERVAL_MS;
 var init_metrics = __esm({
   "src/constants/metrics.ts"() {
     "use strict";
     METRICS_DIR = ".brakit";
-    METRICS_FILE = ".brakit/metrics.json";
+    METRICS_FILE = "metrics.json";
     PORT_FILE = ".brakit/port";
-    FINDINGS_FILE = ".brakit/findings.json";
+    ISSUES_FILE = "issues.json";
     METRICS_FLUSH_INTERVAL_MS = 3e4;
     METRICS_MAX_SESSIONS = 50;
     METRICS_MAX_DATA_POINTS = 200;
-    FINDINGS_FLUSH_INTERVAL_MS = 1e4;
+    ISSUES_FLUSH_INTERVAL_MS = 1e4;
   }
 });
 
@@ -149,7 +160,7 @@ var init_headers = __esm({
 });
 
 // src/constants/network.ts
-var CLOUD_SIGNALS, MAX_HEALTH_ERRORS, RECOVERY_WINDOW_MS, LOCALHOST_IPS, LOCALHOST_HOSTNAMES, URL_PARSE_BASE;
+var CLOUD_SIGNALS, MAX_HEALTH_ERRORS, RECOVERY_WINDOW_MS, LOCALHOST_IPS, LOCALHOST_HOSTNAMES, URL_PARSE_BASE, DIR_MODE_OWNER_ONLY, FILE_MODE_OWNER_ONLY;
 var init_network = __esm({
   "src/constants/network.ts"() {
     "use strict";
@@ -179,6 +190,8 @@ var init_network = __esm({
     LOCALHOST_IPS = /* @__PURE__ */ new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
     LOCALHOST_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1"]);
     URL_PARSE_BASE = "http://localhost";
+    DIR_MODE_OWNER_ONLY = 448;
+    FILE_MODE_OWNER_ONLY = 384;
   }
 });
 
@@ -214,26 +227,35 @@ var init_severity = __esm({
 });
 
 // src/constants/telemetry.ts
-var POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
+var POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS, SPEED_BUCKET_THRESHOLDS;
 var init_telemetry = __esm({
   "src/constants/telemetry.ts"() {
     "use strict";
     POSTHOG_HOST = "https://us.i.posthog.com";
     POSTHOG_CAPTURE_PATH = "/i/v0/e/";
     POSTHOG_REQUEST_TIMEOUT_MS = 3e3;
+    SPEED_BUCKET_THRESHOLDS = [200, 500, 1e3, 2e3, 5e3];
   }
 });
 
 // src/constants/lifecycle.ts
-var VALID_FINDING_STATES, VALID_AI_FIX_STATUSES;
+var VALID_ISSUE_STATES, VALID_ISSUE_CATEGORIES, VALID_AI_FIX_STATUSES;
 var init_lifecycle = __esm({
   "src/constants/lifecycle.ts"() {
     "use strict";
-    VALID_FINDING_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
+    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
+    VALID_ISSUE_CATEGORIES = /* @__PURE__ */ new Set(["security", "performance", "reliability"]);
     VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
   }
 });
 
+// src/constants/cli.ts
+var init_cli = __esm({
+  "src/constants/cli.ts"() {
+    "use strict";
+  }
+});
+
 // src/constants/index.ts
 var init_constants = __esm({
   "src/constants/index.ts"() {
@@ -250,6 +272,7 @@ var init_constants = __esm({
     init_severity();
     init_telemetry();
     init_lifecycle();
+    init_cli();
   }
 });
 
@@ -828,6 +851,22 @@ var init_http = __esm({
   }
 });
 
+// src/utils/http-status.ts
+function isErrorStatus(code) {
+  return code >= 400;
+}
+function isServerError(code) {
+  return code >= 500;
+}
+function isRedirect(code) {
+  return code >= 300 && code < 400;
+}
+var init_http_status = __esm({
+  "src/utils/http-status.ts"() {
+    "use strict";
+  }
+});
+
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
@@ -896,7 +935,7 @@ function labelRequest(req) {
 function generateHumanLabel(req, category) {
   const effectivePath = getEffectivePath(req);
   const endpointName = getEndpointName(effectivePath);
-  const failed = req.statusCode >= 400;
+  const failed = isErrorStatus(req.statusCode);
   switch (category) {
     case "auth-handshake":
       return "Auth handshake";
@@ -991,6 +1030,7 @@ var init_label = __esm({
     "use strict";
     init_constants();
     init_categorize();
+    init_http_status();
   }
 });
 
@@ -1083,7 +1123,7 @@ function detectWarnings(requests) {
   for (const req of slowRequests) {
     warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
   }
-  const errors = requests.filter((r) => r.statusCode >= 500);
+  const errors = requests.filter((r) => isServerError(r.statusCode));
   for (const req of errors) {
     warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
   }
@@ -1095,6 +1135,7 @@ var init_transforms = __esm({
     init_constants();
     init_categorize();
     init_label();
+    init_http_status();
   }
 });
 
@@ -1148,7 +1189,7 @@ function buildFlow(rawRequests) {
     requests,
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
-    hasErrors: requests.some((r) => r.statusCode >= 400),
+    hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
     warnings: detectWarnings(rawRequests),
     sourcePage,
     redundancyPct
@@ -1202,6 +1243,7 @@ var init_group = __esm({
   "src/analysis/group.ts"() {
     "use strict";
     init_constants();
+    init_http_status();
     init_label();
     init_categorize();
     init_transforms();
@@ -1319,11 +1361,9 @@ function createRequestsHandler(registry) {
     const method = url.searchParams.get("method");
     const status = url.searchParams.get("status");
     const search = url.searchParams.get("search");
-    const limit = parseInt(
-      url.searchParams.get("limit") ?? String(DEFAULT_API_LIMIT),
-      10
-    );
-    const offset = parseInt(url.searchParams.get("offset") ?? "0", 10);
+    const rawLimit = parseInt(url.searchParams.get("limit") ?? String(DEFAULT_API_LIMIT), 10);
+    const limit = Math.min(Math.max(rawLimit || DEFAULT_API_LIMIT, 1), MAX_API_LIMIT);
+    const offset = Math.max(parseInt(url.searchParams.get("offset") ?? "0", 10) || 0, 0);
     let results = [...registry.get("request-store").getAll()].reverse();
     if (method) {
       results = results.filter((r) => r.method === method.toUpperCase());
@@ -1373,7 +1413,7 @@ function createClearHandler(registry) {
     registry.get("error-store").clear();
     registry.get("query-store").clear();
     registry.get("metrics-store").reset();
-    if (registry.has("finding-store")) registry.get("finding-store").clear();
+    if (registry.has("issue-store")) registry.get("issue-store").clear();
     registry.get("event-bus").emit("store:cleared", void 0);
     sendJson(req, res, HTTP_OK, { cleared: true });
   };
@@ -1415,16 +1455,32 @@ function getErrorMessage(err) {
   if (typeof err === "string") return err;
   return String(err);
 }
-function isValidFindingState(val) {
-  return typeof val === "string" && VALID_FINDING_STATES.has(val);
+function isValidIssueState(val) {
+  return typeof val === "string" && VALID_ISSUE_STATES.has(val);
+}
+function isValidIssueCategory(val) {
+  return typeof val === "string" && VALID_ISSUE_CATEGORIES.has(val);
 }
 function isValidAiFixStatus(val) {
   return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
 }
+function validateIssuesData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+    return parsed;
+  }
+  return null;
+}
+function validateMetricsData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === 1 && Array.isArray(parsed.endpoints)) {
+    return parsed;
+  }
+  return null;
+}
 var init_type_guards = __esm({
   "src/utils/type-guards.ts"() {
     "use strict";
     init_lifecycle();
+    init_limits();
   }
 });
 
@@ -1762,46 +1818,42 @@ var init_api = __esm({
   }
 });
 
-// src/dashboard/api/insights.ts
-function createInsightsHandler(engine) {
-  return (req, res) => {
-    if (!requireGet(req, res)) return;
-    sendJson(req, res, HTTP_OK, { insights: engine.getStatefulInsights() });
-  };
-}
-function createSecurityHandler(engine) {
+// src/dashboard/api/issues.ts
+function createIssuesHandler(issueStore) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
-    sendJson(req, res, HTTP_OK, { findings: engine.getStatefulFindings() });
+    const url = parseRequestUrl(req);
+    const stateParam = url.searchParams.get("state");
+    const categoryParam = url.searchParams.get("category");
+    let issues;
+    if (stateParam && isValidIssueState(stateParam)) {
+      issues = issueStore.getByState(stateParam);
+    } else if (categoryParam && isValidIssueCategory(categoryParam)) {
+      issues = issueStore.getByCategory(categoryParam);
+    } else {
+      issues = issueStore.getAll();
+    }
+    sendJson(req, res, HTTP_OK, { issues });
   };
 }
-var init_insights = __esm({
-  "src/dashboard/api/insights.ts"() {
-    "use strict";
-    init_shared2();
-    init_http();
-  }
-});
-
-// src/dashboard/api/findings.ts
-function createFindingsHandler(findingStore) {
+function createFindingsHandler(issueStore) {
   return (req, res) => {
     if (!requireGet(req, res)) return;
     const url = parseRequestUrl(req);
     const stateParam = url.searchParams.get("state");
-    let findings;
-    if (stateParam && isValidFindingState(stateParam)) {
-      findings = findingStore.getByState(stateParam);
+    let issues;
+    if (stateParam && isValidIssueState(stateParam)) {
+      issues = issueStore.getByState(stateParam);
     } else {
-      findings = findingStore.getAll();
+      issues = issueStore.getAll();
     }
     sendJson(req, res, HTTP_OK, {
-      total: findings.length,
-      findings
+      total: issues.length,
+      findings: issues
     });
   };
 }
-function createFindingsReportHandler(findingStore, eventBus, analysisEngine) {
+function createIssuesReportHandler(issueStore, eventBus) {
   return async (req, res) => {
     if (req.method !== "POST") {
       sendJson(req, res, HTTP_METHOD_NOT_ALLOWED, { error: "Method not allowed" });
@@ -1822,27 +1874,16 @@ function createFindingsReportHandler(findingStore, eventBus, analysisEngine) {
       sendJson(req, res, HTTP_BAD_REQUEST, { error: "notes is required" });
       return;
     }
-    const findingOk = findingStore.reportFix(findingId, status, notes);
-    if (findingOk) {
-      eventBus.emit("findings:changed", findingStore.getAll());
-      sendJson(req, res, HTTP_OK, { ok: true });
-      return;
-    }
-    if (analysisEngine?.reportInsightFix(findingId, status, notes)) {
-      eventBus.emit("analysis:updated", {
-        insights: analysisEngine.getInsights(),
-        findings: analysisEngine.getFindings(),
-        statefulFindings: analysisEngine.getStatefulFindings(),
-        statefulInsights: analysisEngine.getStatefulInsights()
-      });
+    if (issueStore.reportFix(findingId, status, notes)) {
+      eventBus.emit("issues:changed", issueStore.getAll());
       sendJson(req, res, HTTP_OK, { ok: true });
       return;
     }
     sendJson(req, res, HTTP_NOT_FOUND, { error: "Finding not found" });
   };
 }
-var init_findings = __esm({
-  "src/dashboard/api/findings.ts"() {
+var init_issues = __esm({
+  "src/dashboard/api/issues.ts"() {
     "use strict";
     init_shared2();
     init_type_guards();
@@ -1851,7 +1892,7 @@ var init_findings = __esm({
 });
 
 // src/constants/events.ts
-var SSE_EVENT_FETCH, SSE_EVENT_LOG, SSE_EVENT_ERROR, SSE_EVENT_QUERY, SSE_EVENT_INSIGHTS, SSE_EVENT_SECURITY;
+var SSE_EVENT_FETCH, SSE_EVENT_LOG, SSE_EVENT_ERROR, SSE_EVENT_QUERY, SSE_EVENT_ISSUES;
 var init_events = __esm({
   "src/constants/events.ts"() {
     "use strict";
@@ -1859,8 +1900,7 @@ var init_events = __esm({
     SSE_EVENT_LOG = "log";
     SSE_EVENT_ERROR = "error_event";
     SSE_EVENT_QUERY = "query";
-    SSE_EVENT_INSIGHTS = "insights";
-    SSE_EVENT_SECURITY = "security";
+    SSE_EVENT_ISSUES = "issues";
   }
 });
 
@@ -1893,12 +1933,11 @@ data: ${data}
   bus.on("telemetry:log", (e) => broadcast(SSE_EVENT_LOG, JSON.stringify(e)));
   bus.on("telemetry:error", (e) => broadcast(SSE_EVENT_ERROR, JSON.stringify(e)));
   bus.on("telemetry:query", (e) => broadcast(SSE_EVENT_QUERY, JSON.stringify(e)));
-  bus.on("analysis:updated", ({ statefulInsights, statefulFindings }) => {
-    broadcast(SSE_EVENT_INSIGHTS, JSON.stringify(statefulInsights));
-    broadcast(SSE_EVENT_SECURITY, JSON.stringify(statefulFindings));
+  bus.on("analysis:updated", ({ issues }) => {
+    broadcast(SSE_EVENT_ISSUES, JSON.stringify(issues));
   });
-  bus.on("findings:changed", (findings) => {
-    broadcast(SSE_EVENT_SECURITY, JSON.stringify(findings));
+  bus.on("issues:changed", (issues) => {
+    broadcast(SSE_EVENT_ISSUES, JSON.stringify(issues));
   });
   return (req, res) => {
     const headers2 = {
@@ -2531,7 +2570,14 @@ var init_styles = __esm({
 // src/utils/fs.ts
 import { access, readFile, writeFile } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { resolve, join } from "path";
+function getProjectDataDir(projectRoot) {
+  const absolute = resolve(projectRoot);
+  const hash = createHash("sha256").update(absolute).digest("hex").slice(0, PROJECT_HASH_LENGTH);
+  return join(homedir(), ".brakit", "projects", hash);
+}
 async function fileExists(path) {
   try {
     await access(path);
@@ -2550,7 +2596,8 @@ function ensureGitignore(dir, entry) {
     } else {
       writeFileSync(gitignorePath, entry + "\n");
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`ensureGitignore failed: ${getErrorMessage(err)}`);
   }
 }
 async function ensureGitignoreAsync(dir, entry) {
@@ -2563,12 +2610,16 @@ async function ensureGitignoreAsync(dir, entry) {
     } else {
       await writeFile(gitignorePath, entry + "\n");
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`ensureGitignoreAsync failed: ${getErrorMessage(err)}`);
   }
 }
 var init_fs = __esm({
   "src/utils/fs.ts"() {
     "use strict";
+    init_limits();
+    init_log();
+    init_type_guards();
   }
 });
 
@@ -2646,60 +2697,57 @@ var init_atomic_writer = __esm({
   }
 });
 
-// src/store/finding-id.ts
-import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
-}
-function computeInsightId(type, endpoint, desc) {
-  const key = `${type}:${endpoint}:${desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
+// src/utils/issue-id.ts
+import { createHash as createHash2 } from "crypto";
+function computeIssueId(issue) {
+  const stableDesc = issue.desc.replace(/\d[\d,.]*\s*\w*/g, "#");
+  const key = `${issue.rule}:${issue.endpoint ?? "global"}:${stableDesc}`;
+  return createHash2("sha256").update(key).digest("hex").slice(0, ISSUE_ID_HASH_LENGTH);
 }
-var init_finding_id = __esm({
-  "src/store/finding-id.ts"() {
+var init_issue_id = __esm({
+  "src/utils/issue-id.ts"() {
     "use strict";
     init_limits();
   }
 });
 
-// src/store/finding-store.ts
+// src/store/issue-store.ts
 import { readFile as readFile2 } from "fs/promises";
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync } from "fs";
 import { resolve as resolve2 } from "path";
-var FindingStore;
-var init_finding_store = __esm({
-  "src/store/finding-store.ts"() {
+var IssueStore;
+var init_issue_store = __esm({
+  "src/store/issue-store.ts"() {
     "use strict";
     init_fs();
-    init_constants();
+    init_metrics();
+    init_limits();
+    init_thresholds();
     init_limits();
     init_atomic_writer();
     init_log();
-    init_finding_id();
-    FindingStore = class {
-      constructor(rootDir) {
-        this.rootDir = rootDir;
-        const metricsDir = resolve2(rootDir, METRICS_DIR);
-        this.findingsPath = resolve2(rootDir, FINDINGS_FILE);
+    init_type_guards();
+    init_issue_id();
+    IssueStore = class {
+      constructor(dataDir) {
+        this.dataDir = dataDir;
+        this.issuesPath = resolve2(dataDir, ISSUES_FILE);
         this.writer = new AtomicWriter({
-          dir: metricsDir,
-          filePath: this.findingsPath,
-          gitignoreEntry: METRICS_DIR,
-          label: "findings"
+          dir: dataDir,
+          filePath: this.issuesPath,
+          label: "issues"
         });
       }
-      findings = /* @__PURE__ */ new Map();
+      issues = /* @__PURE__ */ new Map();
       flushTimer = null;
       dirty = false;
       writer;
-      findingsPath;
+      issuesPath;
       start() {
-        this.loadAsync().catch(() => {
-        });
+        this.loadAsync().catch((err) => brakitDebug(`IssueStore: async load failed: ${err}`));
         this.flushTimer = setInterval(
           () => this.flush(),
-          FINDINGS_FLUSH_INTERVAL_MS
+          ISSUES_FLUSH_INTERVAL_MS
         );
         this.flushTimer.unref();
       }
@@ -2710,119 +2758,148 @@ var init_finding_store = __esm({
         }
         this.flushSync();
       }
-      upsert(finding, source) {
-        const id = computeFindingId(finding);
-        const existing = this.findings.get(id);
+      upsert(issue, source) {
+        const id = computeIssueId(issue);
+        const existing = this.issues.get(id);
         const now = Date.now();
         if (existing) {
           existing.lastSeenAt = now;
           existing.occurrences++;
-          existing.finding = finding;
-          if (existing.state === "resolved") {
-            existing.state = "open";
+          existing.issue = issue;
+          existing.cleanHitsSinceLastSeen = 0;
+          if (existing.state === "resolved" || existing.state === "stale") {
+            existing.state = "regressed";
             existing.resolvedAt = null;
           }
           this.dirty = true;
           return existing;
         }
         const stateful = {
-          findingId: id,
+          issueId: id,
           state: "open",
           source,
-          finding,
+          category: issue.category,
+          issue,
           firstSeenAt: now,
           lastSeenAt: now,
           resolvedAt: null,
           occurrences: 1,
+          cleanHitsSinceLastSeen: 0,
           aiStatus: null,
           aiNotes: null
         };
-        this.findings.set(id, stateful);
+        this.issues.set(id, stateful);
         this.dirty = true;
         return stateful;
       }
-      transition(findingId, state) {
-        const finding = this.findings.get(findingId);
-        if (!finding) return false;
-        finding.state = state;
+      /**
+       * Reconcile issues against the current analysis results using evidence-based resolution.
+       *
+       * @param currentIssueIds - IDs of issues detected in the current analysis cycle
+       * @param activeEndpoints - Endpoints that had requests in the current cycle
+       */
+      reconcile(currentIssueIds, activeEndpoints) {
+        const now = Date.now();
+        for (const [, stateful] of this.issues) {
+          const isActive = stateful.state === "open" || stateful.state === "fixing" || stateful.state === "regressed";
+          if (!isActive) continue;
+          if (currentIssueIds.has(stateful.issueId)) continue;
+          const endpoint = stateful.issue.endpoint;
+          if (endpoint && activeEndpoints.has(endpoint)) {
+            stateful.cleanHitsSinceLastSeen++;
+            if (stateful.cleanHitsSinceLastSeen >= CLEAN_HITS_FOR_RESOLUTION) {
+              stateful.state = "resolved";
+              stateful.resolvedAt = now;
+            }
+            this.dirty = true;
+          } else if (now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS) {
+            stateful.state = "stale";
+            this.dirty = true;
+          }
+        }
+        for (const [id, stateful] of this.issues) {
+          if (stateful.state === "resolved" && stateful.resolvedAt && now - stateful.resolvedAt > ISSUE_PRUNE_TTL_MS) {
+            this.issues.delete(id);
+            this.dirty = true;
+          } else if (stateful.state === "stale" && now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS + ISSUE_PRUNE_TTL_MS) {
+            this.issues.delete(id);
+            this.dirty = true;
+          }
+        }
+      }
+      transition(issueId, state) {
+        const issue = this.issues.get(issueId);
+        if (!issue) return false;
+        issue.state = state;
         if (state === "resolved") {
-          finding.resolvedAt = Date.now();
+          issue.resolvedAt = Date.now();
         }
         this.dirty = true;
         return true;
       }
-      reportFix(findingId, status, notes) {
-        const finding = this.findings.get(findingId);
-        if (!finding) return false;
-        finding.aiStatus = status;
-        finding.aiNotes = notes;
+      reportFix(issueId, status, notes) {
+        const issue = this.issues.get(issueId);
+        if (!issue) return false;
+        issue.aiStatus = status;
+        issue.aiNotes = notes;
         if (status === "fixed") {
-          finding.state = "fixing";
+          issue.state = "fixing";
         }
         this.dirty = true;
         return true;
       }
-      /**
-       * Reconcile passive findings against the current analysis results.
-       *
-       * Passive findings are detected by continuous scanning (not user-triggered).
-       * When a previously-seen finding is absent from the current results, it means
-       * the issue has been fixed — transition it to "resolved" automatically.
-       * Active findings (from MCP verify-fix) are not auto-resolved because they
-       * require explicit verification.
-       */
-      reconcilePassive(currentFindings) {
-        const currentIds = new Set(currentFindings.map(computeFindingId));
-        for (const [id, stateful] of this.findings) {
-          if (stateful.source === "passive" && (stateful.state === "open" || stateful.state === "fixing") && !currentIds.has(id)) {
-            stateful.state = "resolved";
-            stateful.resolvedAt = Date.now();
-            this.dirty = true;
-          }
-        }
-      }
       getAll() {
-        return [...this.findings.values()];
+        return [...this.issues.values()];
       }
       getByState(state) {
-        return [...this.findings.values()].filter((f) => f.state === state);
+        return [...this.issues.values()].filter((i) => i.state === state);
+      }
+      getByCategory(category) {
+        return [...this.issues.values()].filter((i) => i.category === category);
       }
-      get(findingId) {
-        return this.findings.get(findingId);
+      get(issueId) {
+        return this.issues.get(issueId);
       }
       clear() {
-        this.findings.clear();
-        this.dirty = true;
+        this.issues.clear();
+        this.dirty = false;
+        try {
+          if (existsSync3(this.issuesPath)) {
+            unlinkSync(this.issuesPath);
+          }
+        } catch {
+        }
+      }
+      isDirty() {
+        return this.dirty;
       }
       async loadAsync() {
         try {
-          if (await fileExists(this.findingsPath)) {
-            const raw = await readFile2(this.findingsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
-              for (const f of parsed.findings) {
-                this.findings.set(f.findingId, f);
-              }
-            }
+          if (await fileExists(this.issuesPath)) {
+            const raw = await readFile2(this.issuesPath, "utf-8");
+            this.hydrate(raw);
           }
         } catch (err) {
-          brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
+          brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
         }
       }
       /** Sync load for tests only — not used in production paths. */
       loadSync() {
         try {
-          if (existsSync3(this.findingsPath)) {
-            const raw = readFileSync2(this.findingsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
-              for (const f of parsed.findings) {
-                this.findings.set(f.findingId, f);
-              }
-            }
+          if (existsSync3(this.issuesPath)) {
+            const raw = readFileSync2(this.issuesPath, "utf-8");
+            this.hydrate(raw);
           }
         } catch (err) {
-          brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
+          brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+        }
+      }
+      /** Parse and populate issues from a raw JSON string. */
+      hydrate(raw) {
+        const validated = validateIssuesData(JSON.parse(raw));
+        if (!validated) return;
+        for (const issue of validated.issues) {
+          this.issues.set(issue.issueId, issue);
         }
       }
       flush() {
@@ -2837,8 +2914,8 @@ var init_finding_store = __esm({
       }
       serialize() {
         const data = {
-          version: FINDINGS_DATA_VERSION,
-          findings: [...this.findings.values()]
+          version: ISSUES_DATA_VERSION,
+          issues: [...this.issues.values()]
         };
         return JSON.stringify(data);
       }
@@ -2849,7 +2926,7 @@ var init_finding_store = __esm({
 // src/detect/project.ts
 import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join, relative } from "path";
+import { join as join2, relative } from "path";
 function detectFrameworkFromDeps(allDeps) {
   for (const f of FRAMEWORKS) {
     if (allDeps[f.dep]) return f.name;
@@ -2857,10 +2934,10 @@ function detectFrameworkFromDeps(allDeps) {
   return "unknown";
 }
 function detectPackageManagerSync(rootDir) {
-  if (existsSync4(join(rootDir, "bun.lockb")) || existsSync4(join(rootDir, "bun.lock"))) return "bun";
-  if (existsSync4(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync4(join(rootDir, "yarn.lock"))) return "yarn";
-  if (existsSync4(join(rootDir, "package-lock.json"))) return "npm";
+  if (existsSync4(join2(rootDir, "bun.lockb")) || existsSync4(join2(rootDir, "bun.lock"))) return "bun";
+  if (existsSync4(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync4(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (existsSync4(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 var FRAMEWORKS;
@@ -2878,6 +2955,44 @@ var init_project = __esm({
   }
 });
 
+// src/utils/response.ts
+function tryParseJson(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
+}
+var init_response = __esm({
+  "src/utils/response.ts"() {
+    "use strict";
+    init_thresholds();
+  }
+});
+
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS, TOKEN_PARAMS, SAFE_PARAMS, STACK_TRACE_RE, DB_CONN_RE, SQL_FRAGMENT_RE, SECRET_VAL_RE, LOG_SECRET_RE, MASKED_RE, EMAIL_RE, INTERNAL_ID_KEYS, INTERNAL_ID_SUFFIX, SELECT_STAR_RE, SELECT_DOT_STAR_RE, RULE_HINTS;
 var init_patterns = __esm({
@@ -2911,30 +3026,23 @@ var init_patterns = __esm({
 });
 
 // src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findSecretKeys(obj, prefix) {
+function findSecretKeys(obj, prefix, depth = 0) {
   const found = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
   if (!obj || typeof obj !== "object") return found;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
+    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
+      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
     }
     return found;
   }
   for (const k of Object.keys(obj)) {
     const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
       found.push(k);
     }
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
+      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
     }
   }
   return found;
@@ -2944,6 +3052,8 @@ var init_exposed_secret = __esm({
   "src/analysis/rules/exposed-secret.ts"() {
     "use strict";
     init_patterns();
+    init_limits();
+    init_http_status();
     exposedSecretRule = {
       id: "exposed-secret",
       severity: "critical",
@@ -2953,8 +3063,8 @@ var init_exposed_secret = __esm({
         const findings = [];
         const seen = /* @__PURE__ */ new Map();
         for (const r of ctx.requests) {
-          if (r.statusCode >= 400) continue;
-          const parsed = tryParseJson(r.responseBody);
+          if (isErrorStatus(r.statusCode)) continue;
+          const parsed = ctx.parsedBodies.response.get(r.id);
           if (!parsed) continue;
           const keys = findSecretKeys(parsed, "");
           if (keys.length === 0) continue;
@@ -3130,7 +3240,7 @@ var init_error_info_leak = __esm({
 
 // src/analysis/rules/insecure-cookie.ts
 function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (isRedirect(r.statusCode)) return true;
   if (r.path?.startsWith("/__")) return true;
   if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
   return false;
@@ -3140,6 +3250,7 @@ var init_insecure_cookie = __esm({
   "src/analysis/rules/insecure-cookie.ts"() {
     "use strict";
     init_patterns();
+    init_http_status();
     insecureCookieRule = {
       id: "insecure-cookie",
       severity: "warning",
@@ -3257,51 +3368,14 @@ var init_cors_credentials = __esm({
   }
 });
 
-// src/utils/response.ts
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
-      }
-    }
-  }
-  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
-}
-var init_response = __esm({
-  "src/utils/response.ts"() {
-    "use strict";
-    init_thresholds();
-  }
-});
-
 // src/analysis/rules/response-pii-leak.ts
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findEmails(obj) {
+function findEmails(obj, depth = 0) {
   const emails = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
   if (!obj || typeof obj !== "object") return emails;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
+    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
+      emails.push(...findEmails(obj[i], depth + 1));
     }
     return emails;
   }
@@ -3309,7 +3383,7 @@ function findEmails(obj) {
     if (typeof v === "string" && EMAIL_RE.test(v)) {
       emails.push(v);
     } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
+      emails.push(...findEmails(v, depth + 1));
     }
   }
   return emails;
@@ -3352,7 +3426,7 @@ function detectFullRecordPII(target) {
 function detectListPII(target) {
   if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
   let itemsWithEmail = 0;
-  for (let i = 0; i < Math.min(target.length, 10); i++) {
+  for (let i = 0; i < Math.min(target.length, PII_SCAN_ARRAY_LIMIT); i++) {
     const item = target[i];
     if (item && typeof item === "object" && findEmails(item).length > 0) {
       itemsWithEmail++;
@@ -3369,15 +3443,15 @@ function detectPII(method, reqBody, resBody) {
   const target = unwrapResponse(resBody);
   return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
 }
-var WRITE_METHODS, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, REASON_LABELS, responsePiiLeakRule;
+var WRITE_METHODS, REASON_LABELS, responsePiiLeakRule;
 var init_response_pii_leak = __esm({
   "src/analysis/rules/response-pii-leak.ts"() {
     "use strict";
     init_patterns();
     init_response();
+    init_limits();
+    init_http_status();
     WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-    FULL_RECORD_MIN_FIELDS = 5;
-    LIST_PII_MIN_ITEMS = 2;
     REASON_LABELS = {
       echo: "echoes back PII from the request body",
       "full-record": "returns a full record with email and internal IDs",
@@ -3392,10 +3466,10 @@ var init_response_pii_leak = __esm({
         const findings = [];
         const seen = /* @__PURE__ */ new Map();
         for (const r of ctx.requests) {
-          if (r.statusCode >= 400) continue;
-          const resJson = tryParseJson2(r.responseBody);
+          if (isErrorStatus(r.statusCode)) continue;
+          const resJson = ctx.parsedBodies.response.get(r.id);
           if (!resJson) continue;
-          const reqJson = tryParseJson2(r.requestBody);
+          const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
           const detection = detectPII(r.method, reqJson, resJson);
           if (!detection) continue;
           const ep = `${r.method} ${r.path}`;
@@ -3424,6 +3498,21 @@ var init_response_pii_leak = __esm({
 });
 
 // src/analysis/rules/scanner.ts
+function buildBodyCache(requests) {
+  const response = /* @__PURE__ */ new Map();
+  const request = /* @__PURE__ */ new Map();
+  for (const r of requests) {
+    if (r.responseBody) {
+      const parsed = tryParseJson(r.responseBody);
+      if (parsed != null) response.set(r.id, parsed);
+    }
+    if (r.requestBody) {
+      const parsed = tryParseJson(r.requestBody);
+      if (parsed != null) request.set(r.id, parsed);
+    }
+  }
+  return { response, request };
+}
 function createDefaultScanner() {
   const scanner = new SecurityScanner();
   scanner.register(exposedSecretRule);
@@ -3440,6 +3529,7 @@ var SecurityScanner;
 var init_scanner = __esm({
   "src/analysis/rules/scanner.ts"() {
     "use strict";
+    init_response();
     init_exposed_secret();
     init_token_in_url();
     init_stack_trace_leak();
@@ -3453,7 +3543,11 @@ var init_scanner = __esm({
       register(rule) {
         this.rules.push(rule);
       }
-      scan(ctx) {
+      scan(input) {
+        const ctx = {
+          ...input,
+          parsedBodies: buildBodyCache(input.requests)
+        };
         const findings = [];
         for (const rule of this.rules) {
           try {
@@ -3526,16 +3620,22 @@ var init_collections = __esm({
 });
 
 // src/utils/endpoint.ts
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
+}
 function getEndpointKey(method, path) {
-  return `${method} ${path}`;
+  return `${method} ${normalizePath(path)}`;
 }
 function extractEndpointFromDesc(desc) {
   return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
 }
-var ENDPOINT_PREFIX_RE;
+var DYNAMIC_SEGMENT_RE, ENDPOINT_PREFIX_RE;
 var init_endpoint = __esm({
   "src/utils/endpoint.ts"() {
     "use strict";
+    DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
     ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
   }
 });
@@ -3589,6 +3689,15 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function extractActiveEndpoints(requests) {
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const r of requests) {
+    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
+      endpoints.add(getEndpointKey(r.method, r.path));
+    }
+  }
+  return endpoints;
+}
 function prepareContext(ctx) {
   const nonStatic = ctx.requests.filter(
     (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
@@ -3606,7 +3715,7 @@ function prepareContext(ctx) {
       endpointGroups.set(ep, g);
     }
     g.total++;
-    if (r.statusCode >= 400) g.errors++;
+    if (isErrorStatus(r.statusCode)) g.errors++;
     g.totalDuration += r.durationMs;
     g.totalSize += r.responseSize ?? 0;
     const reqQueries = queriesByReq.get(r.id) ?? [];
@@ -3643,6 +3752,7 @@ var init_prepare = __esm({
     init_collections();
     init_endpoint();
     init_constants();
+    init_http_status();
     init_thresholds();
     init_query_helpers();
   }
@@ -4127,6 +4237,7 @@ var init_response_overfetch = __esm({
     "use strict";
     init_endpoint();
     init_response();
+    init_http_status();
     init_patterns();
     init_constants();
     responseOverfetchRule = {
@@ -4135,7 +4246,7 @@ var init_response_overfetch = __esm({
         const insights = [];
         const seen = /* @__PURE__ */ new Set();
         for (const r of ctx.nonStatic) {
-          if (r.statusCode >= 400 || !r.responseBody) continue;
+          if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
           const ep = getEndpointKey(r.method, r.path);
           if (seen.has(ep)) continue;
           let parsed;
@@ -4323,7 +4434,7 @@ function createDefaultInsightRunner() {
 function computeInsights(ctx) {
   return createDefaultInsightRunner().run(ctx);
 }
-var init_insights2 = __esm({
+var init_insights = __esm({
   "src/analysis/insights/index.ts"() {
     "use strict";
     init_runner();
@@ -4333,95 +4444,48 @@ var init_insights2 = __esm({
 });
 
 // src/analysis/insights.ts
-var init_insights3 = __esm({
+var init_insights2 = __esm({
   "src/analysis/insights.ts"() {
     "use strict";
-    init_insights2();
+    init_insights();
   }
 });
 
-// src/analysis/insight-tracker.ts
-function computeInsightKey(insight) {
-  const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
-  return `${insight.type}:${identifier}`;
+// src/analysis/issue-mappers.ts
+function categorizeInsight(type) {
+  if (type === "security") return "security";
+  if (type === "error" || type === "error-hotspot") return "reliability";
+  return "performance";
 }
-function enrichedIdFromInsight(insight) {
-  return computeInsightId(insight.type, insight.nav ?? "global", insight.desc);
+function insightToIssue(insight) {
+  return {
+    category: categorizeInsight(insight.type),
+    rule: insight.type,
+    severity: insight.severity,
+    title: insight.title,
+    desc: insight.desc,
+    hint: insight.hint,
+    detail: insight.detail,
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
+    nav: insight.nav
+  };
 }
-var InsightTracker;
-var init_insight_tracker = __esm({
-  "src/analysis/insight-tracker.ts"() {
+function securityFindingToIssue(finding) {
+  return {
+    category: "security",
+    rule: finding.rule,
+    severity: finding.severity,
+    title: finding.title,
+    desc: finding.desc,
+    hint: finding.hint,
+    endpoint: finding.endpoint,
+    nav: "security"
+  };
+}
+var init_issue_mappers = __esm({
+  "src/analysis/issue-mappers.ts"() {
     "use strict";
     init_endpoint();
-    init_finding_id();
-    init_thresholds();
-    InsightTracker = class {
-      tracked = /* @__PURE__ */ new Map();
-      enrichedIndex = /* @__PURE__ */ new Map();
-      reconcile(current) {
-        const currentKeys = /* @__PURE__ */ new Set();
-        const now = Date.now();
-        for (const insight of current) {
-          const key = computeInsightKey(insight);
-          currentKeys.add(key);
-          const existing = this.tracked.get(key);
-          this.enrichedIndex.set(enrichedIdFromInsight(insight), key);
-          if (existing) {
-            existing.insight = insight;
-            existing.lastSeenAt = now;
-            existing.consecutiveAbsences = 0;
-            if (existing.state === "resolved") {
-              existing.state = "open";
-              existing.resolvedAt = null;
-            }
-          } else {
-            this.tracked.set(key, {
-              key,
-              state: "open",
-              insight,
-              firstSeenAt: now,
-              lastSeenAt: now,
-              resolvedAt: null,
-              consecutiveAbsences: 0,
-              aiStatus: null,
-              aiNotes: null
-            });
-          }
-        }
-        for (const [, stateful] of this.tracked) {
-          if ((stateful.state === "open" || stateful.state === "fixing") && !currentKeys.has(stateful.key)) {
-            stateful.consecutiveAbsences++;
-            if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
-              stateful.state = "resolved";
-              stateful.resolvedAt = now;
-            }
-          } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
-            this.tracked.delete(stateful.key);
-            this.enrichedIndex.delete(enrichedIdFromInsight(stateful.insight));
-          }
-        }
-        return [...this.tracked.values()];
-      }
-      reportFix(enrichedId, status, notes) {
-        const key = this.enrichedIndex.get(enrichedId);
-        if (!key) return false;
-        const stateful = this.tracked.get(key);
-        if (!stateful) return false;
-        stateful.aiStatus = status;
-        stateful.aiNotes = notes;
-        if (status === "fixed") {
-          stateful.state = "fixing";
-        }
-        return true;
-      }
-      getAll() {
-        return [...this.tracked.values()];
-      }
-      clear() {
-        this.tracked.clear();
-        this.enrichedIndex.clear();
-      }
-    };
   }
 });
 
@@ -4434,8 +4498,10 @@ var init_engine = __esm({
     init_disposable();
     init_group();
     init_rules();
-    init_insights3();
-    init_insight_tracker();
+    init_insights2();
+    init_issue_mappers();
+    init_issue_id();
+    init_prepare();
     AnalysisEngine = class {
       constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
         this.registry = registry;
@@ -4443,10 +4509,8 @@ var init_engine = __esm({
         this.scanner = createDefaultScanner();
       }
       scanner;
-      insightTracker = new InsightTracker();
       cachedInsights = [];
       cachedFindings = [];
-      cachedStatefulInsights = [];
       debounceTimer = null;
       subs = new SubscriptionBag();
       start() {
@@ -4469,15 +4533,6 @@ var init_engine = __esm({
       getFindings() {
         return this.cachedFindings;
       }
-      getStatefulFindings() {
-        return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
-      }
-      getStatefulInsights() {
-        return this.insightTracker.getAll();
-      }
-      reportInsightFix(enrichedId, status, notes) {
-        return this.insightTracker.reportFix(enrichedId, status, notes);
-      }
       scheduleRecompute() {
         if (this.debounceTimer) return;
         this.debounceTimer = setTimeout(() => {
@@ -4486,20 +4541,14 @@ var init_engine = __esm({
         }, this.debounceMs);
       }
       recompute() {
-        const requests = this.registry.get("request-store").getAll();
+        const allRequests = this.registry.get("request-store").getAll();
         const queries = this.registry.get("query-store").getAll();
         const errors = this.registry.get("error-store").getAll();
         const logs = this.registry.get("log-store").getAll();
         const fetches = this.registry.get("fetch-store").getAll();
+        const requests = windowByEndpoint(allRequests);
         const flows = groupRequestsIntoFlows(requests);
         this.cachedFindings = this.scanner.scan({ requests, logs });
-        if (this.registry.has("finding-store")) {
-          const findingStore = this.registry.get("finding-store");
-          for (const finding of this.cachedFindings) {
-            findingStore.upsert(finding, "passive");
-          }
-          findingStore.reconcilePassive(this.cachedFindings);
-        }
         this.cachedInsights = computeInsights({
           requests,
           queries,
@@ -4509,14 +4558,30 @@ var init_engine = __esm({
           previousMetrics: this.registry.get("metrics-store").getAll(),
           securityFindings: this.cachedFindings
         });
-        this.cachedStatefulInsights = this.insightTracker.reconcile(this.cachedInsights);
-        const update = {
-          insights: this.cachedInsights,
-          findings: this.cachedFindings,
-          statefulFindings: this.getStatefulFindings(),
-          statefulInsights: this.cachedStatefulInsights
-        };
-        this.registry.get("event-bus").emit("analysis:updated", update);
+        if (this.registry.has("issue-store")) {
+          const issueStore = this.registry.get("issue-store");
+          for (const finding of this.cachedFindings) {
+            issueStore.upsert(securityFindingToIssue(finding), "passive");
+          }
+          for (const insight of this.cachedInsights) {
+            issueStore.upsert(insightToIssue(insight), "passive");
+          }
+          const currentIssueIds = /* @__PURE__ */ new Set();
+          for (const finding of this.cachedFindings) {
+            currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
+          }
+          for (const insight of this.cachedInsights) {
+            currentIssueIds.add(computeIssueId(insightToIssue(insight)));
+          }
+          const activeEndpoints = extractActiveEndpoints(allRequests);
+          issueStore.reconcile(currentIssueIds, activeEndpoints);
+          const update = {
+            insights: this.cachedInsights,
+            findings: this.cachedFindings,
+            issues: issueStore.getAll()
+          };
+          this.registry.get("event-bus").emit("analysis:updated", update);
+        }
       }
     };
   }
@@ -4527,14 +4592,14 @@ var VERSION;
 var init_src = __esm({
   "src/index.ts"() {
     "use strict";
-    init_finding_store();
+    init_issue_store();
     init_project();
     init_adapter_registry();
     init_rules();
     init_engine();
-    init_insights3();
     init_insights2();
-    VERSION = "0.8.5";
+    init_insights();
+    VERSION = "0.8.6";
   }
 });
 
@@ -5148,7 +5213,7 @@ function getFlowInsights() {
   }
   `;
 }
-var init_insights4 = __esm({
+var init_insights3 = __esm({
   "src/dashboard/client/views/flows/insights.ts"() {
     "use strict";
     init_constants();
@@ -5340,7 +5405,7 @@ function getFlowsView() {
 var init_flows2 = __esm({
   "src/dashboard/client/views/flows.ts"() {
     "use strict";
-    init_insights4();
+    init_insights3();
     init_detail();
   }
 });
@@ -6480,8 +6545,8 @@ function getOverviewRender() {
       '<div class="ov-stat"><span class="ov-stat-value">' + state.fetches.length + '</span><span class="ov-stat-label">Fetches</span></div>';
     container.appendChild(summary);
 
-    var all = state.insights || [];
-    var open = all.filter(function(si) { return si.state === 'open' || si.state === 'fixing'; });
+    var all = state.issues || [];
+    var open = all.filter(function(si) { return si.state === 'open' || si.state === 'fixing' || si.state === 'regressed'; });
     var resolved = all.filter(function(si) { return si.state === 'resolved'; });
 
     if (open.length === 0 && resolved.length === 0) {
@@ -6513,31 +6578,35 @@ function getOverviewRender() {
 
       for (var i = 0; i < open.length; i++) {
         (function(si) {
-          var insight = si.insight;
+          var issue = si.issue;
           var card = document.createElement('div');
           card.className = 'ov-card';
 
-          var sevCfg = SEV[insight.severity];
+          var sevCfg = SEV[issue.severity];
           var iconCls = sevCfg.cls;
           var iconChar = sevCfg.icon;
 
           var expandHtml = '';
-          if (insight.detail) expandHtml += insight.detail;
-          if (insight.hint) expandHtml += '<div class="ov-card-hint">' + escHtml(insight.hint) + '</div>';
-          expandHtml += '<span class="ov-card-link" data-nav="' + insight.nav + '">View in ' + (NAV_LABELS[insight.nav] || insight.nav) + ' \\u2192</span>';
+          if (issue.detail) expandHtml += issue.detail;
+          if (issue.hint) expandHtml += '<div class="ov-card-hint">' + escHtml(issue.hint) + '</div>';
+          if (issue.nav) expandHtml += '<span class="ov-card-link" data-nav="' + issue.nav + '">View in ' + (NAV_LABELS[issue.nav] || issue.nav) + ' \\u2192</span>';
 
           var aiBadge = '';
           if (si.state === 'fixing' && si.aiStatus === 'fixed') {
             aiBadge = '<span class="sec-ai-badge sec-ai-fixing">AI fixed \\u2014 awaiting verification</span>';
           } else if (si.aiStatus === 'wont_fix') {
             aiBadge = '<span class="sec-ai-badge sec-ai-wontfix">AI: won\\u2019t fix</span>';
+          } else if (si.state === 'regressed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing" style="background:var(--red)">regressed</span>';
           }
 
+          var occBadge = si.occurrences > 1 ? ' <span class="sec-item-count">' + si.occurrences + 'x</span>' : '';
+
           card.innerHTML =
             '<span class="ov-card-icon ' + iconCls + '">' + iconChar + '</span>' +
             '<div class="ov-card-body">' +
-              '<div class="ov-card-title">' + escHtml(insight.title) + aiBadge + '</div>' +
-              '<div class="ov-card-desc">' + insight.desc + '</div>' +
+              '<div class="ov-card-title">' + escHtml(issue.title) + occBadge + aiBadge + '</div>' +
+              '<div class="ov-card-desc">' + issue.desc + '</div>' +
               '<div class="ov-card-expand">' + expandHtml + '</div>' +
             '</div>' +
             '<span class="ov-card-arrow">\\u2192</span>';
@@ -6583,14 +6652,14 @@ function getOverviewRender() {
       resolvedCards.className = 'ov-cards';
 
       for (var ri = 0; ri < resolved.length; ri++) {
-        var rInsight = resolved[ri].insight;
+        var rIssue = resolved[ri].issue;
         var rCard = document.createElement('div');
         rCard.className = 'ov-card ov-card-resolved';
         rCard.innerHTML =
           '<span class="ov-card-icon resolved">\\u2713</span>' +
           '<div class="ov-card-body">' +
-            '<div class="ov-card-title" style="text-decoration:line-through;color:var(--text-muted)">' + escHtml(rInsight.title) + '</div>' +
-            '<div class="ov-card-desc">' + rInsight.desc + '</div>' +
+            '<div class="ov-card-title" style="text-decoration:line-through;color:var(--text-muted)">' + escHtml(rIssue.title) + '</div>' +
+            '<div class="ov-card-desc">' + rIssue.desc + '</div>' +
           '</div>';
         resolvedCards.appendChild(rCard);
       }
@@ -6628,30 +6697,12 @@ function getSecurityView() {
     container.innerHTML = '';
     var SEV = ${SEVERITY_MAP};
 
-    var all = (state.findings || []).slice();
-    var insightsList = state.insights || [];
-    for (var ix = 0; ix < insightsList.length; ix++) {
-      var si = insightsList[ix];
-      all.push({
-        findingId: si.key,
-        state: si.state,
-        aiStatus: si.aiStatus,
-        aiNotes: si.aiNotes,
-        finding: {
-          severity: si.insight.severity,
-          rule: 'insight-' + si.insight.type,
-          title: si.insight.title,
-          desc: si.insight.desc,
-          hint: si.insight.hint,
-          endpoint: si.insight.nav || 'global',
-          count: 1
-        }
-      });
-    }
-    var open = all.filter(function(f) { return f.state === 'open' || f.state === 'fixing'; });
+    var all = (state.issues || []).slice();
+    var open = all.filter(function(f) { return f.state === 'open' || f.state === 'fixing' || f.state === 'regressed'; });
     var resolved = all.filter(function(f) { return f.state === 'resolved'; });
+    var stale = all.filter(function(f) { return f.state === 'stale'; });
 
-    if (open.length === 0 && resolved.length === 0) {
+    if (open.length === 0 && resolved.length === 0 && stale.length === 0) {
       var hasData = state.requests.length > 0 || state.logs.length > 0 || state.queries.length > 0;
       if (!hasData) {
         container.innerHTML = '<div class="empty"><span class="empty-title">Waiting for requests...</span><span class="empty-sub">Start using your app to see security findings here</span></div>';
@@ -6663,7 +6714,7 @@ function getSecurityView() {
 
     var critCount = 0, warnCount = 0, infoCount = 0;
     for (var ci = 0; ci < open.length; ci++) {
-      var sev = open[ci].finding.severity;
+      var sev = open[ci].issue.severity;
       if (sev === 'critical') critCount++;
       else if (sev === 'info') infoCount++;
       else warnCount++;
@@ -6696,7 +6747,7 @@ function getSecurityView() {
       var groupOrder = [];
       for (var gi = 0; gi < open.length; gi++) {
         var sf = open[gi];
-        var f = sf.finding;
+        var f = sf.issue;
         if (!groups[f.rule]) {
           groups[f.rule] = { rule: f.rule, title: f.title, severity: f.severity, hint: f.hint, items: [] };
           groupOrder.push(f.rule);
@@ -6739,7 +6790,7 @@ function getSecurityView() {
         list.className = 'sec-items';
         for (var ii = 0; ii < group.items.length; ii++) {
           var sf2 = group.items[ii];
-          var item = sf2.finding;
+          var item = sf2.issue;
           var row = document.createElement('div');
           row.className = 'sec-item';
           var aiBadge = '';
@@ -6747,11 +6798,14 @@ function getSecurityView() {
             aiBadge = '<span class="sec-ai-badge sec-ai-fixing">AI fixed \\u2014 awaiting verification</span>';
           } else if (sf2.aiStatus === 'wont_fix') {
             aiBadge = '<span class="sec-ai-badge sec-ai-wontfix">AI: won\\u2019t fix</span>';
+          } else if (sf2.state === 'regressed') {
+            aiBadge = '<span class="sec-ai-badge sec-ai-fixing" style="background:var(--red)">regressed</span>';
           }
           var aiNotes = sf2.aiNotes ? '<div class="sec-ai-notes">' + escHtml(sf2.aiNotes) + '</div>' : '';
+          var occBadge = sf2.occurrences > 1 ? '<span class="sec-item-count">' + sf2.occurrences + 'x</span>' : '';
           row.innerHTML =
             '<div class="sec-item-desc">' + escHtml(item.desc) + '</div>' +
-            (item.count > 1 ? '<span class="sec-item-count">' + item.count + 'x</span>' : '') +
+            occBadge +
             aiBadge + aiNotes;
           list.appendChild(row);
         }
@@ -6772,20 +6826,44 @@ function getSecurityView() {
       resolvedItems.className = 'sec-items';
       for (var ri = 0; ri < resolved.length; ri++) {
         var rsf = resolved[ri];
-        var rf = rsf.finding;
+        var rf = rsf.issue;
         var rRow = document.createElement('div');
         rRow.className = 'sec-item sec-item-resolved';
         var verifiedBadge = rsf.aiStatus === 'fixed' ? '<span class="sec-ai-badge sec-ai-verified">Verified fix</span>' : '';
         var rNotes = rsf.aiNotes ? '<div class="sec-ai-notes">' + escHtml(rsf.aiNotes) + '</div>' : '';
         rRow.innerHTML =
           '<span class="sec-resolved-item-icon">\\u2713</span>' +
-          '<div class="sec-item-desc">' + escHtml(rf.title) + ' \\u2014 ' + escHtml(rf.endpoint) + '</div>' +
+          '<div class="sec-item-desc">' + escHtml(rf.title) + ' \\u2014 ' + escHtml(rf.endpoint || 'global') + '</div>' +
           verifiedBadge + rNotes;
         resolvedItems.appendChild(rRow);
       }
       resolvedGroup.appendChild(resolvedItems);
       container.appendChild(resolvedGroup);
     }
+
+    if (stale.length > 0) {
+      var staleTitle = document.createElement('div');
+      staleTitle.className = 'sec-resolved-title';
+      staleTitle.innerHTML = '<span style="color:var(--text-muted)">\\u23F8</span> Stale <span class="sec-resolved-count">' + stale.length + '</span>';
+      container.appendChild(staleTitle);
+
+      var staleGroup = document.createElement('div');
+      staleGroup.className = 'sec-group sec-group-resolved';
+      var staleItems = document.createElement('div');
+      staleItems.className = 'sec-items';
+      for (var sti = 0; sti < stale.length; sti++) {
+        var ssf = stale[sti];
+        var sf3 = ssf.issue;
+        var sRow = document.createElement('div');
+        sRow.className = 'sec-item sec-item-resolved';
+        sRow.innerHTML =
+          '<span style="color:var(--text-muted)">\\u23F8</span>' +
+          '<div class="sec-item-desc" style="color:var(--text-muted)">' + escHtml(sf3.title) + ' \\u2014 endpoint inactive</div>';
+        staleItems.appendChild(sRow);
+      }
+      staleGroup.appendChild(staleItems);
+      container.appendChild(staleGroup);
+    }
   }
   `;
 }
@@ -6823,13 +6901,7 @@ function getApp() {
     try {
       var res3 = await fetch('${DASHBOARD_API_INSIGHTS}');
       var data3 = await res3.json();
-      state.insights = data3.insights || [];
-    } catch(e) { console.warn('[brakit]', e); }
-
-    try {
-      var res4 = await fetch('${DASHBOARD_API_SECURITY}');
-      var data4 = await res4.json();
-      state.findings = data4.findings || [];
+      state.issues = data3.issues || [];
     } catch(e) { console.warn('[brakit]', e); }
 
     updateStats();
@@ -6868,19 +6940,13 @@ function getApp() {
     registerTelemetryListener('error_event', 'errors', prependErrorRow);
     registerTelemetryListener('query', 'queries', prependQueryRow);
 
-    events.addEventListener('insights', function(e) {
-      state.insights = JSON.parse(e.data);
+    events.addEventListener('issues', function(e) {
+      state.issues = JSON.parse(e.data);
       if (state.activeView === 'overview') renderOverview();
       if (state.activeView === 'security') renderSecurity();
       updateStats();
     });
 
-    events.addEventListener('security', function(e) {
-      state.findings = JSON.parse(e.data);
-      if (state.activeView === 'security') renderSecurity();
-      updateStats();
-    });
-
     window.addEventListener('beforeunload', function() {
       events.close();
       clearTimeout(reloadTimer);
@@ -6959,9 +7025,9 @@ function getApp() {
     if (queryCount) queryCount.textContent = state.queries.length;
     var secCount = document.getElementById('sidebar-count-security');
     if (secCount) {
-      var numFindings = (state.findings || []).filter(function(f) { return f.state !== 'resolved'; }).length;
-      secCount.textContent = numFindings;
-      secCount.style.display = numFindings > 0 ? '' : 'none';
+      var numIssues = (state.issues || []).filter(function(f) { return f.state !== 'resolved' && f.state !== 'stale'; }).length;
+      secCount.textContent = numIssues;
+      secCount.style.display = numIssues > 0 ? '' : 'none';
     }
   }
 
@@ -6979,7 +7045,7 @@ function getApp() {
     if (!confirm('This will clear all data including performance metrics history. Continue?')) return;
     await fetch('${DASHBOARD_API_CLEAR}', {method: 'POST'});
     state.flows = []; state.requests = []; state.fetches = []; state.errors = []; state.logs = []; state.queries = [];
-    state.insights = []; state.findings = [];
+    state.issues = [];
     graphData = []; selectedEndpoint = ${ALL_ENDPOINTS_SELECTOR}; timelineCache = {};
     renderFlows(); renderRequests(); renderFetches(); renderErrors(); renderLogs(); renderQueries(); renderGraph(); renderOverview(); renderSecurity(); updateStats();
     showToast('Cleared');
@@ -7072,8 +7138,8 @@ var init_page = __esm({
 });
 
 // src/telemetry/config.ts
-import { homedir } from "os";
-import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+import { join as join3 } from "path";
 import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
 import { randomUUID as randomUUID4 } from "crypto";
 function readConfig() {
@@ -7087,9 +7153,9 @@ function readConfig() {
 function writeConfig(config) {
   try {
     if (!existsSync5(CONFIG_DIR))
-      mkdirSync3(CONFIG_DIR, { recursive: true, mode: 448 });
+      mkdirSync3(CONFIG_DIR, { recursive: true, mode: DIR_MODE_OWNER_ONLY });
     writeFileSync3(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", {
-      mode: 384
+      mode: FILE_MODE_OWNER_ONLY
     });
   } catch {
   }
@@ -7117,8 +7183,9 @@ var CONFIG_DIR, CONFIG_PATH, cachedEnabled;
 var init_config = __esm({
   "src/telemetry/config.ts"() {
     "use strict";
-    CONFIG_DIR = join2(homedir(), ".brakit");
-    CONFIG_PATH = join2(CONFIG_DIR, "config.json");
+    init_network();
+    CONFIG_DIR = join3(homedir2(), ".brakit");
+    CONFIG_PATH = join3(CONFIG_DIR, "config.json");
     cachedEnabled = null;
   }
 });
@@ -7150,12 +7217,12 @@ function recordDashboardOpened() {
 }
 function speedBucket(ms) {
   if (ms === 0) return "none";
-  if (ms < 200) return "<200ms";
-  if (ms < 500) return "200-500ms";
-  if (ms < 1e3) return "500-1000ms";
-  if (ms < 2e3) return "1000-2000ms";
-  if (ms < 5e3) return "2000-5000ms";
-  return ">5000ms";
+  const t = SPEED_BUCKET_THRESHOLDS;
+  if (ms < t[0]) return `<${t[0]}ms`;
+  for (let i = 1; i < t.length; i++) {
+    if (ms < t[i]) return `${t[i - 1]}-${t[i]}ms`;
+  }
+  return `>${t[t.length - 1]}ms`;
 }
 function trackSession(registry) {
   if (!isTelemetryEnabled()) return;
@@ -7255,7 +7322,6 @@ function isDashboardRequest(url) {
 }
 function createDashboardHandler(registry) {
   const metricsStore = registry.get("metrics-store");
-  const analysisEngine = registry.has("analysis-engine") ? registry.get("analysis-engine") : void 0;
   const routes = {
     [DASHBOARD_API_REQUESTS]: createRequestsHandler(registry),
     [DASHBOARD_API_EVENTS]: createSSEHandler(registry),
@@ -7270,17 +7336,14 @@ function createDashboardHandler(registry) {
     [DASHBOARD_API_INGEST]: createIngestHandler(registry),
     [DASHBOARD_API_ACTIVITY]: createActivityHandler(registry)
   };
-  if (analysisEngine) {
-    routes[DASHBOARD_API_INSIGHTS] = createInsightsHandler(analysisEngine);
-    routes[DASHBOARD_API_SECURITY] = createSecurityHandler(analysisEngine);
-  }
-  if (registry.has("finding-store")) {
-    const findingStore = registry.get("finding-store");
-    routes[DASHBOARD_API_FINDINGS] = createFindingsHandler(findingStore);
-    routes[DASHBOARD_API_FINDINGS_REPORT] = createFindingsReportHandler(
-      findingStore,
-      registry.get("event-bus"),
-      analysisEngine
+  if (registry.has("issue-store")) {
+    const issueStore = registry.get("issue-store");
+    routes[DASHBOARD_API_INSIGHTS] = createIssuesHandler(issueStore);
+    routes[DASHBOARD_API_SECURITY] = createIssuesHandler(issueStore);
+    routes[DASHBOARD_API_FINDINGS] = createFindingsHandler(issueStore);
+    routes[DASHBOARD_API_FINDINGS_REPORT] = createIssuesReportHandler(
+      issueStore,
+      registry.get("event-bus")
     );
   }
   routes[DASHBOARD_API_TAB] = (req, res) => {
@@ -7314,8 +7377,7 @@ var init_router = __esm({
     init_constants();
     init_http();
     init_api();
-    init_insights();
-    init_findings();
+    init_issues();
     init_sse();
     init_page();
     init_telemetry2();
@@ -7603,6 +7665,7 @@ var init_metrics_store = __esm({
     "use strict";
     init_constants();
     init_math();
+    init_http_status();
     init_endpoint();
     MetricsStore = class {
       constructor(persistence) {
@@ -7614,6 +7677,7 @@ var init_metrics_store = __esm({
       sessionId = randomUUID6();
       sessionStart = Date.now();
       flushTimer = null;
+      dirty = false;
       accumulators = /* @__PURE__ */ new Map();
       pendingPoints = /* @__PURE__ */ new Map();
       start() {
@@ -7639,21 +7703,27 @@ var init_metrics_store = __esm({
       }
       recordRequest(req, metrics) {
         if (req.isStatic) return;
+        this.dirty = true;
         const key = getEndpointKey(req.method, req.path);
         let acc = this.accumulators.get(key);
         if (!acc) {
+          if (this.accumulators.size >= MAX_UNIQUE_ENDPOINTS) return;
           acc = createAccumulator();
           this.accumulators.set(key, acc);
         }
-        acc.durations.push(req.durationMs);
-        acc.queryCounts.push(metrics.queryCount);
-        if (req.statusCode >= 400) acc.errorCount++;
+        if (acc.durations.length < MAX_ACCUMULATOR_ENTRIES) {
+          acc.durations.push(req.durationMs);
+        }
+        if (acc.queryCounts.length < MAX_ACCUMULATOR_ENTRIES) {
+          acc.queryCounts.push(metrics.queryCount);
+        }
+        if (isErrorStatus(req.statusCode)) acc.errorCount++;
         acc.totalDurationSum += req.durationMs;
         acc.totalRequestCount++;
         acc.totalQuerySum += metrics.queryCount;
         acc.totalQueryTimeMs += metrics.queryTimeMs;
         acc.totalFetchTimeMs += metrics.fetchTimeMs;
-        if (req.statusCode >= 400) acc.totalErrorCount++;
+        if (isErrorStatus(req.statusCode)) acc.totalErrorCount++;
         const timestamp = Math.round(
           Date.now() - (performance.now() - req.startedAt)
         );
@@ -7667,10 +7737,13 @@ var init_metrics_store = __esm({
         };
         let pending2 = this.pendingPoints.get(key);
         if (!pending2) {
+          if (this.pendingPoints.size >= MAX_UNIQUE_ENDPOINTS) return;
           pending2 = [];
           this.pendingPoints.set(key, pending2);
         }
-        pending2.push(point);
+        if (pending2.length < MAX_ACCUMULATOR_ENTRIES) {
+          pending2.push(point);
+        }
       }
       getAll() {
         return this.data.endpoints;
@@ -7693,7 +7766,7 @@ var init_metrics_store = __esm({
         for (const [endpoint, requests] of merged) {
           if (requests.length === 0) continue;
           const durations = requests.map((r) => r.durationMs);
-          const errors = requests.filter((r) => r.statusCode >= 400).length;
+          const errors = requests.filter((r) => isErrorStatus(r.statusCode)).length;
           const totalQueries = requests.reduce((s, r) => s + r.queryCount, 0);
           const totalQueryTime = requests.reduce((s, r) => s + (r.queryTimeMs ?? 0), 0);
           const totalFetchTime = requests.reduce((s, r) => s + (r.fetchTimeMs ?? 0), 0);
@@ -7723,6 +7796,7 @@ var init_metrics_store = __esm({
         this.endpointIndex.clear();
         this.accumulators.clear();
         this.pendingPoints.clear();
+        this.dirty = false;
         this.persistence.remove();
       }
       flush(sync = false) {
@@ -7763,11 +7837,13 @@ var init_metrics_store = __esm({
           epMetrics.dataPoints = existing.concat(points).slice(-METRICS_MAX_DATA_POINTS);
         }
         this.pendingPoints.clear();
+        if (!this.dirty) return;
         if (sync) {
           this.persistence.saveSync(this.data);
         } else {
           this.persistence.save(this.data);
         }
+        this.dirty = false;
       }
       getOrCreateEndpoint(endpoint) {
         let ep = this.endpointIndex.get(endpoint);
@@ -7784,9 +7860,9 @@ var init_metrics_store = __esm({
 
 // src/store/metrics/persistence.ts
 import { readFile as readFile4 } from "fs/promises";
-import { readFileSync as readFileSync4, existsSync as existsSync6, unlinkSync } from "fs";
+import { readFileSync as readFileSync4, existsSync as existsSync6, unlinkSync as unlinkSync2 } from "fs";
 import { resolve as resolve3 } from "path";
-var FileMetricsPersistence;
+var DEFAULT_METRICS, FileMetricsPersistence;
 var init_persistence = __esm({
   "src/store/metrics/persistence.ts"() {
     "use strict";
@@ -7795,45 +7871,41 @@ var init_persistence = __esm({
     init_fs();
     init_log();
     init_type_guards();
+    DEFAULT_METRICS = { version: 1, endpoints: [] };
     FileMetricsPersistence = class {
       metricsPath;
       writer;
-      constructor(rootDir) {
-        this.metricsPath = resolve3(rootDir, METRICS_FILE);
+      constructor(dataDir) {
+        this.metricsPath = resolve3(dataDir, METRICS_FILE);
         this.writer = new AtomicWriter({
-          dir: resolve3(rootDir, METRICS_DIR),
+          dir: dataDir,
           filePath: this.metricsPath,
-          gitignoreEntry: METRICS_DIR,
           label: "metrics"
         });
       }
       load() {
         try {
           if (existsSync6(this.metricsPath)) {
-            const raw = readFileSync4(this.metricsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === 1 && Array.isArray(parsed.endpoints)) {
-              return parsed;
-            }
+            return this.parseMetrics(readFileSync4(this.metricsPath, "utf-8"));
           }
         } catch (err) {
-          brakitWarn(`failed to load metrics: ${getErrorMessage(err)}`);
+          brakitWarn(`failed to load ${this.metricsPath}: ${getErrorMessage(err)}`);
         }
-        return { version: 1, endpoints: [] };
+        return { ...DEFAULT_METRICS };
       }
       async loadAsync() {
         try {
           if (await fileExists(this.metricsPath)) {
-            const raw = await readFile4(this.metricsPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (parsed?.version === 1 && Array.isArray(parsed.endpoints)) {
-              return parsed;
-            }
+            return this.parseMetrics(await readFile4(this.metricsPath, "utf-8"));
           }
         } catch (err) {
-          brakitWarn(`failed to load metrics: ${getErrorMessage(err)}`);
+          brakitWarn(`failed to load ${this.metricsPath}: ${getErrorMessage(err)}`);
         }
-        return { version: 1, endpoints: [] };
+        return { ...DEFAULT_METRICS };
+      }
+      /** Parse and validate metrics JSON, returning default empty data on invalid input. */
+      parseMetrics(raw) {
+        return validateMetricsData(JSON.parse(raw)) ?? { ...DEFAULT_METRICS };
       }
       save(data) {
         this.writer.writeAsync(JSON.stringify(data));
@@ -7844,9 +7916,10 @@ var init_persistence = __esm({
       remove() {
         try {
           if (existsSync6(this.metricsPath)) {
-            unlinkSync(this.metricsPath);
+            unlinkSync2(this.metricsPath);
           }
-        } catch {
+        } catch (err) {
+          brakitDebug(`failed to remove metrics file: ${getErrorMessage(err)}`);
         }
       }
     };
@@ -7883,14 +7956,14 @@ function colorTitle(severity, text) {
 function truncate(s, max = TERMINAL_TRUNCATE_LENGTH) {
   return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
 }
-function formatConsoleLine(insight, suffix) {
-  const icon = severityIcon(insight.severity);
-  const title = colorTitle(insight.severity, insight.title);
-  const desc = pc.dim(truncate(insight.desc) + (suffix ?? ""));
+function formatConsoleLine(issue, suffix) {
+  const icon = severityIcon(issue.severity);
+  const title = colorTitle(issue.severity, issue.title);
+  const desc = pc.dim(truncate(issue.desc) + (suffix ?? ""));
   let line = `  ${icon} ${title} \u2014 ${desc}`;
-  if (insight.detail) {
+  if (issue.detail) {
     line += `
-    ${pc.dim("\u2514 " + insight.detail)}`;
+    ${pc.dim("\u2514 " + issue.detail)}`;
   }
   return line;
 }
@@ -7900,26 +7973,37 @@ function startTerminalInsights(registry, proxyPort) {
   const printedKeys = /* @__PURE__ */ new Set();
   const resolvedKeys = /* @__PURE__ */ new Set();
   const dashUrl = `localhost:${proxyPort}${DASHBOARD_PREFIX}`;
-  return bus.on("analysis:updated", ({ statefulInsights }) => {
+  return bus.on("analysis:updated", ({ issues }) => {
     const newLines = [];
     const resolvedLines = [];
-    for (const si of statefulInsights) {
+    const regressedLines = [];
+    for (const si of issues) {
       if (si.state === "resolved") {
-        if (resolvedKeys.has(si.key)) continue;
-        resolvedKeys.add(si.key);
-        printedKeys.delete(si.key);
-        const title = pc.green(pc.bold(`\u2713 ${si.insight.title}`));
-        const desc = pc.dim(truncate(si.insight.desc));
+        if (resolvedKeys.has(si.issueId)) continue;
+        resolvedKeys.add(si.issueId);
+        printedKeys.delete(si.issueId);
+        const title = pc.green(pc.bold(`\u2713 ${si.issue.title}`));
+        const desc = pc.dim(truncate(si.issue.desc));
         resolvedLines.push(`  ${title} \u2014 ${desc} ${pc.green("resolved")}`);
         continue;
       }
-      resolvedKeys.delete(si.key);
-      if (si.insight.severity === "info") continue;
-      if (printedKeys.has(si.key)) continue;
-      printedKeys.add(si.key);
+      if (si.state === "regressed") {
+        if (!printedKeys.has(si.issueId)) {
+          printedKeys.add(si.issueId);
+          resolvedKeys.delete(si.issueId);
+          const title = pc.red(pc.bold(`\u26A0 ${si.issue.title}`));
+          const desc = pc.dim(truncate(si.issue.desc));
+          regressedLines.push(`  ${title} \u2014 ${desc} ${pc.red("regressed")}`);
+        }
+        continue;
+      }
+      resolvedKeys.delete(si.issueId);
+      if (si.issue.severity === "info") continue;
+      if (printedKeys.has(si.issueId)) continue;
+      printedKeys.add(si.issueId);
       let suffix;
-      if (si.insight.type === "slow") {
-        const endpoint = extractEndpointFromDesc(si.insight.desc);
+      if (si.issue.rule === "slow") {
+        const endpoint = si.issue.endpoint;
         if (endpoint) {
           const ep = metricsStore.getEndpoint(endpoint);
           if (ep && ep.sessions.length > 1) {
@@ -7928,7 +8012,7 @@ function startTerminalInsights(registry, proxyPort) {
           }
         }
       }
-      newLines.push(formatConsoleLine(si.insight, suffix));
+      newLines.push(formatConsoleLine(si.issue, suffix));
     }
     if (newLines.length > 0) {
       print("");
@@ -7936,6 +8020,12 @@ function startTerminalInsights(registry, proxyPort) {
       print("");
       print(`  ${pc.magenta(pc.bold("brakit"))} ${pc.dim("\u2192")} ${pc.dim("Dashboard:")} ${pc.underline(`http://${dashUrl}`)}  ${pc.dim("or ask your AI:")} ${pc.bold('"Fix brakit findings"')}`);
     }
+    if (regressedLines.length > 0) {
+      print("");
+      for (const line of regressedLines) print(line);
+      print("");
+      print(`  ${pc.magenta(pc.bold("brakit"))} ${pc.dim("\u2192")} ${pc.red("Issues came back after being resolved!")}`);
+    }
     if (resolvedLines.length > 0) {
       print("");
       for (const line of resolvedLines) print(line);
@@ -7952,7 +8042,6 @@ var init_terminal = __esm({
     init_constants();
     init_limits();
     init_severity();
-    init_endpoint();
     SEVERITY_COLOR = {
       critical: pc.red,
       warning: pc.yellow,
@@ -8050,12 +8139,7 @@ function decompressAsync(body, encoding) {
   if (!decompressor) return Promise.resolve(body);
   return new Promise((resolve5) => {
     decompressor(body, (err, result) => {
-      if (err) {
-        brakitDebug(`decompress failed: ${err.message}`);
-        resolve5(body);
-      } else {
-        resolve5(result);
-      }
+      resolve5(err ? body : result);
     });
   });
 }
@@ -8072,18 +8156,23 @@ function captureInProcess(req, res, requestId, requestStore) {
   let resSize = 0;
   const originalWrite = res.write;
   const originalEnd = res.end;
+  let truncated = false;
   res.write = function(...args) {
     try {
       const chunk = args[0];
-      if (chunk != null && typeof chunk !== "function" && resSize < DEFAULT_MAX_BODY_CAPTURE) {
-        const buf = toBuffer(chunk);
-        if (buf) {
-          resChunks.push(buf);
-          resSize += buf.length;
+      if (chunk != null && typeof chunk !== "function") {
+        if (resSize < DEFAULT_MAX_BODY_CAPTURE) {
+          const buf = toBuffer(chunk);
+          if (buf) {
+            resChunks.push(buf);
+            resSize += buf.length;
+          }
+        } else {
+          truncated = true;
         }
       }
     } catch (e) {
-      brakitDebug(`capture write: ${e.message}`);
+      brakitDebug(`capture write: ${getErrorMessage(e)}`);
     }
     return originalWrite.apply(this, args);
   };
@@ -8097,7 +8186,7 @@ function captureInProcess(req, res, requestId, requestStore) {
         }
       }
     } catch (e) {
-      brakitDebug(`capture end: ${e.message}`);
+      brakitDebug(`capture end: ${getErrorMessage(e)}`);
     }
     const result = originalEnd.apply(this, args);
     const endTime = performance.now();
@@ -8109,7 +8198,7 @@ function captureInProcess(req, res, requestId, requestStore) {
     void (async () => {
       try {
         let body = capturedChunks.length > 0 ? Buffer.concat(capturedChunks) : null;
-        if (body && encoding) {
+        if (body && encoding && !truncated) {
           body = await decompressAsync(body, encoding);
         }
         requestStore.capture({
@@ -8127,7 +8216,7 @@ function captureInProcess(req, res, requestId, requestStore) {
           config: { maxBodyCapture: DEFAULT_MAX_BODY_CAPTURE }
         });
       } catch (e) {
-        brakitDebug(`capture store: ${e.message}`);
+        brakitDebug(`capture store: ${getErrorMessage(e)}`);
       }
     })();
     return result;
@@ -8138,6 +8227,7 @@ var init_capture = __esm({
     "use strict";
     init_constants();
     init_log();
+    init_type_guards();
   }
 });
 
@@ -8216,7 +8306,7 @@ __export(setup_exports, {
   setup: () => setup
 });
 import { readFile as readFile5, mkdir as mkdir2, writeFile as writeFile3 } from "fs/promises";
-import { existsSync as existsSync7, unlinkSync as unlinkSync2 } from "fs";
+import { existsSync as existsSync7, unlinkSync as unlinkSync3 } from "fs";
 import { resolve as resolve4 } from "path";
 function setup() {
   if (initPromise) return initPromise;
@@ -8224,6 +8314,7 @@ function setup() {
   return initPromise;
 }
 async function doSetup() {
+  brakitDebug(`[setup] doSetup called at ${(/* @__PURE__ */ new Date()).toISOString()}`);
   const bus = new EventBus();
   const registry = new ServiceRegistry();
   const requestStore = new RequestStore();
@@ -8254,7 +8345,9 @@ async function doSetup() {
   const cwd = process.cwd();
   let framework = "unknown";
   try {
-    const pkg = JSON.parse(await readFile5(resolve4(cwd, "package.json"), "utf-8"));
+    const pkg = JSON.parse(
+      await readFile5(resolve4(cwd, "package.json"), "utf-8")
+    );
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     framework = detectFrameworkFromDeps(allDeps);
   } catch {
@@ -8265,12 +8358,13 @@ async function doSetup() {
     false,
     adapterRegistry.getActive().map((a) => a.name)
   );
-  const metricsStore = new MetricsStore(new FileMetricsPersistence(cwd));
+  const dataDir = getProjectDataDir(cwd);
+  const metricsStore = new MetricsStore(new FileMetricsPersistence(dataDir));
   metricsStore.start();
   registry.register("metrics-store", metricsStore);
-  const findingStore = new FindingStore(cwd);
-  findingStore.start();
-  registry.register("finding-store", findingStore);
+  const issueStore = new IssueStore(dataDir);
+  issueStore.start();
+  registry.register("issue-store", issueStore);
   const analysisEngine = new AnalysisEngine(registry);
   analysisEngine.start();
   registry.register("analysis-engine", analysisEngine);
@@ -8297,6 +8391,7 @@ async function doSetup() {
     requestStore,
     onFirstRequest(port) {
       setBrakitPort(port);
+      brakitDebug(`[setup] onFirstRequest fired, port=${port}`);
       void (async () => {
         try {
           const dir = resolve4(cwd, METRICS_DIR);
@@ -8304,19 +8399,29 @@ async function doSetup() {
           const portPath = resolve4(cwd, PORT_FILE);
           try {
             const old = await readFile5(portPath, "utf-8");
-            if (old.trim() && old.trim() !== String(port)) {
-              brakitDebug(`Overwriting stale port file (was ${old.trim()}, now ${port})`);
+            if (old.trim() === String(port)) {
+              brakitDebug(`[setup] port file already correct, skipping write`);
+              return;
+            }
+            if (old.trim()) {
+              brakitDebug(
+                `Overwriting stale port file (was ${old.trim()}, now ${port})`
+              );
             }
           } catch {
+            brakitDebug(`[setup] no existing port file, will create`);
           }
           await writeFile3(portPath, String(port));
+          brakitDebug(`[setup] wrote port file: ${portPath}`);
         } catch (err) {
-          brakitDebug(`port file write failed: ${err.message}`);
+          brakitDebug(`port file write failed: ${getErrorMessage(err)}`);
         }
       })();
       terminalDispose = startTerminalInsights(registry, port);
-      process.stdout.write(`  brakit v${VERSION} \u2014 http://localhost:${port}${DASHBOARD_PREFIX}
-`);
+      process.stdout.write(
+        `  brakit v${VERSION} \u2014 http://localhost:${port}${DASHBOARD_PREFIX}
+`
+      );
     }
   });
   let telemetrySent = false;
@@ -8336,12 +8441,13 @@ async function doSetup() {
     uninstallInterceptor();
     terminalDispose?.();
     analysisEngine.stop();
-    findingStore.stop();
+    issueStore.stop();
     metricsStore.stop();
     try {
       const portPath = resolve4(cwd, PORT_FILE);
-      if (existsSync7(portPath)) unlinkSync2(portPath);
-    } catch {
+      if (existsSync7(portPath)) unlinkSync3(portPath);
+    } catch (err) {
+      brakitDebug(`[setup] port file cleanup failed: ${getErrorMessage(err)}`);
     }
   };
   health.setTeardown(runTeardown);
@@ -8369,7 +8475,7 @@ var init_setup = __esm({
     init_error_store();
     init_query_store();
     init_store();
-    init_finding_store();
+    init_issue_store();
     init_engine();
     init_terminal();
     init_src();
@@ -8377,6 +8483,8 @@ var init_setup = __esm({
     init_health2();
     init_interceptor();
     init_log();
+    init_type_guards();
+    init_fs();
     init_project();
     init_telemetry2();
     initPromise = null;