npm - brakit - Versions diffs - 0.8.5 → 0.8.7 - Mend

brakit 0.8.5 → 0.8.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +10 -4
package/dist/api.d.ts +124 -117
package/dist/api.js +417 -363
package/dist/bin/brakit.js +499 -339
package/dist/dashboard-client.global.js +703 -0
package/dist/dashboard.html +895 -2168
package/dist/mcp/server.js +75 -90
package/dist/runtime/index.js +2934 -5028
package/package.json +4 -2

package/dist/api.js CHANGED Viewed

@@ -1,12 +1,54 @@
-// src/store/finding-store.ts
+// src/store/issue-store.ts
 import { readFile as readFile2 } from "fs/promises";
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync } from "fs";
 import { resolve as resolve2 } from "path";
 // src/utils/fs.ts
 import { access, readFile, writeFile } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { resolve, join } from "path";
+// src/constants/limits.ts
+var ANALYSIS_DEBOUNCE_MS = 300;
+var ISSUE_ID_HASH_LENGTH = 16;
+var ISSUES_DATA_VERSION = 2;
+var SECRET_SCAN_ARRAY_LIMIT = 5;
+var PII_SCAN_ARRAY_LIMIT = 10;
+var MIN_SECRET_VALUE_LENGTH = 8;
+var FULL_RECORD_MIN_FIELDS = 8;
+var LIST_PII_MIN_ITEMS = 2;
+var MAX_OBJECT_SCAN_DEPTH = 5;
+var ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+// src/utils/log.ts
+var PREFIX = "[brakit]";
+function brakitWarn(message) {
+  process.stderr.write(`${PREFIX} ${message}
+`);
+}
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+// src/utils/type-guards.ts
+function getErrorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return String(err);
+}
+function validateIssuesData(parsed) {
+  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+    return parsed;
+  }
+  return null;
+}
+// src/utils/fs.ts
 async function fileExists(path) {
   try {
     await access(path);
@@ -25,7 +67,8 @@ function ensureGitignore(dir, entry) {
     } else {
       writeFileSync(gitignorePath, entry + "\n");
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`ensureGitignore failed: ${getErrorMessage(err)}`);
   }
 }
 async function ensureGitignoreAsync(dir, entry) {
@@ -38,46 +81,14 @@ async function ensureGitignoreAsync(dir, entry) {
     } else {
       await writeFile(gitignorePath, entry + "\n");
     }
-  } catch {
+  } catch (err) {
+    brakitDebug(`ensureGitignoreAsync failed: ${getErrorMessage(err)}`);
   }
 }
-// src/constants/routes.ts
-var DASHBOARD_PREFIX = "/__brakit";
-var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
-var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
-var DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
-var DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
-var DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
-var DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
-var DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
-var DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
-var DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
-var DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
-var DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
-var DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
-var DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
-var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
-var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
-var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
-var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
-var VALID_TABS_TUPLE = [
-  "overview",
-  "actions",
-  "requests",
-  "fetches",
-  "queries",
-  "errors",
-  "logs",
-  "performance",
-  "security"
-];
-var VALID_TABS = new Set(VALID_TABS_TUPLE);
-// src/constants/limits.ts
-var ANALYSIS_DEBOUNCE_MS = 300;
-var FINDING_ID_HASH_LENGTH = 16;
-var FINDINGS_DATA_VERSION = 1;
+// src/constants/metrics.ts
+var ISSUES_FILE = "issues.json";
+var ISSUES_FLUSH_INTERVAL_MS = 1e4;
 // src/constants/thresholds.ts
 var FLOW_GAP_MS = 5e3;
@@ -106,17 +117,9 @@ var QUERY_COUNT_REGRESSION_RATIO = 1.5;
 var OVERFETCH_MANY_FIELDS = 12;
 var OVERFETCH_UNWRAP_MIN_SIZE = 3;
 var MAX_DUPLICATE_INSIGHTS = 3;
-var INSIGHT_WINDOW_PER_ENDPOINT = 2;
-var RESOLVE_AFTER_ABSENCES = 3;
-var RESOLVED_INSIGHT_TTL_MS = 18e5;
-// src/constants/metrics.ts
-var METRICS_DIR = ".brakit";
-var FINDINGS_FILE = ".brakit/findings.json";
-var FINDINGS_FLUSH_INTERVAL_MS = 1e4;
-// src/constants/network.ts
-var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+var INSIGHT_WINDOW_PER_ENDPOINT = 20;
+var CLEAN_HITS_FOR_RESOLUTION = 5;
+var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
 // src/utils/atomic-writer.ts
 import {
@@ -126,36 +129,13 @@ import {
   renameSync
 } from "fs";
 import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
-// src/utils/log.ts
-var PREFIX = "[brakit]";
-function brakitWarn(message) {
-  process.stderr.write(`${PREFIX} ${message}
-`);
-}
-function brakitDebug(message) {
-  if (process.env.DEBUG_BRAKIT) {
-    process.stderr.write(`${PREFIX}:debug ${message}
-`);
-  }
-}
-// src/utils/type-guards.ts
-function getErrorMessage(err) {
-  if (err instanceof Error) return err.message;
-  if (typeof err === "string") return err;
-  return String(err);
-}
-// src/utils/atomic-writer.ts
 var AtomicWriter = class {
   constructor(opts) {
     this.opts = opts;
+    this.writing = false;
+    this.pendingContent = null;
     this.tmpPath = opts.filePath + ".tmp";
   }
-  tmpPath;
-  writing = false;
-  pendingContent = null;
   writeSync(content) {
     try {
       this.ensureDir();
@@ -205,41 +185,33 @@ var AtomicWriter = class {
   }
 };
-// src/store/finding-id.ts
-import { createHash } from "crypto";
-function computeFindingId(finding) {
-  const key = `${finding.rule}:${finding.endpoint}:${finding.desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
-}
-function computeInsightId(type, endpoint, desc) {
-  const key = `${type}:${endpoint}:${desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
+// src/utils/issue-id.ts
+import { createHash as createHash2 } from "crypto";
+function computeIssueId(issue) {
+  const stableDesc = issue.desc.replace(/\d[\d,.]*\s*\w*/g, "#");
+  const key = `${issue.rule}:${issue.endpoint ?? "global"}:${stableDesc}`;
+  return createHash2("sha256").update(key).digest("hex").slice(0, ISSUE_ID_HASH_LENGTH);
 }
-// src/store/finding-store.ts
-var FindingStore = class {
-  constructor(rootDir) {
-    this.rootDir = rootDir;
-    const metricsDir = resolve2(rootDir, METRICS_DIR);
-    this.findingsPath = resolve2(rootDir, FINDINGS_FILE);
+// src/store/issue-store.ts
+var IssueStore = class {
+  constructor(dataDir) {
+    this.dataDir = dataDir;
+    this.issues = /* @__PURE__ */ new Map();
+    this.flushTimer = null;
+    this.dirty = false;
+    this.issuesPath = resolve2(dataDir, ISSUES_FILE);
     this.writer = new AtomicWriter({
-      dir: metricsDir,
-      filePath: this.findingsPath,
-      gitignoreEntry: METRICS_DIR,
-      label: "findings"
+      dir: dataDir,
+      filePath: this.issuesPath,
+      label: "issues"
     });
   }
-  findings = /* @__PURE__ */ new Map();
-  flushTimer = null;
-  dirty = false;
-  writer;
-  findingsPath;
   start() {
-    this.loadAsync().catch(() => {
-    });
+    this.loadAsync().catch((err) => brakitDebug(`IssueStore: async load failed: ${err}`));
     this.flushTimer = setInterval(
       () => this.flush(),
-      FINDINGS_FLUSH_INTERVAL_MS
+      ISSUES_FLUSH_INTERVAL_MS
     );
     this.flushTimer.unref();
   }
@@ -250,119 +222,148 @@ var FindingStore = class {
     }
     this.flushSync();
   }
-  upsert(finding, source) {
-    const id = computeFindingId(finding);
-    const existing = this.findings.get(id);
+  upsert(issue, source) {
+    const id = computeIssueId(issue);
+    const existing = this.issues.get(id);
     const now = Date.now();
     if (existing) {
       existing.lastSeenAt = now;
       existing.occurrences++;
-      existing.finding = finding;
-      if (existing.state === "resolved") {
-        existing.state = "open";
+      existing.issue = issue;
+      existing.cleanHitsSinceLastSeen = 0;
+      if (existing.state === "resolved" || existing.state === "stale") {
+        existing.state = "regressed";
         existing.resolvedAt = null;
       }
       this.dirty = true;
       return existing;
     }
     const stateful = {
-      findingId: id,
+      issueId: id,
       state: "open",
       source,
-      finding,
+      category: issue.category,
+      issue,
       firstSeenAt: now,
       lastSeenAt: now,
       resolvedAt: null,
       occurrences: 1,
+      cleanHitsSinceLastSeen: 0,
       aiStatus: null,
       aiNotes: null
     };
-    this.findings.set(id, stateful);
+    this.issues.set(id, stateful);
     this.dirty = true;
     return stateful;
   }
-  transition(findingId, state) {
-    const finding = this.findings.get(findingId);
-    if (!finding) return false;
-    finding.state = state;
+  /**
+   * Reconcile issues against the current analysis results using evidence-based resolution.
+   *
+   * @param currentIssueIds - IDs of issues detected in the current analysis cycle
+   * @param activeEndpoints - Endpoints that had requests in the current cycle
+   */
+  reconcile(currentIssueIds, activeEndpoints) {
+    const now = Date.now();
+    for (const [, stateful] of this.issues) {
+      const isActive = stateful.state === "open" || stateful.state === "fixing" || stateful.state === "regressed";
+      if (!isActive) continue;
+      if (currentIssueIds.has(stateful.issueId)) continue;
+      const endpoint = stateful.issue.endpoint;
+      if (endpoint && activeEndpoints.has(endpoint)) {
+        stateful.cleanHitsSinceLastSeen++;
+        if (stateful.cleanHitsSinceLastSeen >= CLEAN_HITS_FOR_RESOLUTION) {
+          stateful.state = "resolved";
+          stateful.resolvedAt = now;
+        }
+        this.dirty = true;
+      } else if (now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS) {
+        stateful.state = "stale";
+        this.dirty = true;
+      }
+    }
+    for (const [id, stateful] of this.issues) {
+      if (stateful.state === "resolved" && stateful.resolvedAt && now - stateful.resolvedAt > ISSUE_PRUNE_TTL_MS) {
+        this.issues.delete(id);
+        this.dirty = true;
+      } else if (stateful.state === "stale" && now - stateful.lastSeenAt > STALE_ISSUE_TTL_MS + ISSUE_PRUNE_TTL_MS) {
+        this.issues.delete(id);
+        this.dirty = true;
+      }
+    }
+  }
+  transition(issueId, state) {
+    const issue = this.issues.get(issueId);
+    if (!issue) return false;
+    issue.state = state;
     if (state === "resolved") {
-      finding.resolvedAt = Date.now();
+      issue.resolvedAt = Date.now();
     }
     this.dirty = true;
     return true;
   }
-  reportFix(findingId, status, notes) {
-    const finding = this.findings.get(findingId);
-    if (!finding) return false;
-    finding.aiStatus = status;
-    finding.aiNotes = notes;
+  reportFix(issueId, status, notes) {
+    const issue = this.issues.get(issueId);
+    if (!issue) return false;
+    issue.aiStatus = status;
+    issue.aiNotes = notes;
     if (status === "fixed") {
-      finding.state = "fixing";
+      issue.state = "fixing";
     }
     this.dirty = true;
     return true;
   }
-  /**
-   * Reconcile passive findings against the current analysis results.
-   *
-   * Passive findings are detected by continuous scanning (not user-triggered).
-   * When a previously-seen finding is absent from the current results, it means
-   * the issue has been fixed — transition it to "resolved" automatically.
-   * Active findings (from MCP verify-fix) are not auto-resolved because they
-   * require explicit verification.
-   */
-  reconcilePassive(currentFindings) {
-    const currentIds = new Set(currentFindings.map(computeFindingId));
-    for (const [id, stateful] of this.findings) {
-      if (stateful.source === "passive" && (stateful.state === "open" || stateful.state === "fixing") && !currentIds.has(id)) {
-        stateful.state = "resolved";
-        stateful.resolvedAt = Date.now();
-        this.dirty = true;
-      }
-    }
-  }
   getAll() {
-    return [...this.findings.values()];
+    return [...this.issues.values()];
   }
   getByState(state) {
-    return [...this.findings.values()].filter((f) => f.state === state);
+    return [...this.issues.values()].filter((i) => i.state === state);
+  }
+  getByCategory(category) {
+    return [...this.issues.values()].filter((i) => i.category === category);
   }
-  get(findingId) {
-    return this.findings.get(findingId);
+  get(issueId) {
+    return this.issues.get(issueId);
   }
   clear() {
-    this.findings.clear();
-    this.dirty = true;
+    this.issues.clear();
+    this.dirty = false;
+    try {
+      if (existsSync3(this.issuesPath)) {
+        unlinkSync(this.issuesPath);
+      }
+    } catch {
+    }
+  }
+  isDirty() {
+    return this.dirty;
   }
   async loadAsync() {
     try {
-      if (await fileExists(this.findingsPath)) {
-        const raw = await readFile2(this.findingsPath, "utf-8");
-        const parsed = JSON.parse(raw);
-        if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
-          for (const f of parsed.findings) {
-            this.findings.set(f.findingId, f);
-          }
-        }
+      if (await fileExists(this.issuesPath)) {
+        const raw = await readFile2(this.issuesPath, "utf-8");
+        this.hydrate(raw);
       }
     } catch (err) {
-      brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
+      brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
     }
   }
   /** Sync load for tests only — not used in production paths. */
   loadSync() {
     try {
-      if (existsSync3(this.findingsPath)) {
-        const raw = readFileSync2(this.findingsPath, "utf-8");
-        const parsed = JSON.parse(raw);
-        if (parsed?.version === FINDINGS_DATA_VERSION && Array.isArray(parsed.findings)) {
-          for (const f of parsed.findings) {
-            this.findings.set(f.findingId, f);
-          }
-        }
+      if (existsSync3(this.issuesPath)) {
+        const raw = readFileSync2(this.issuesPath, "utf-8");
+        this.hydrate(raw);
       }
     } catch (err) {
-      brakitDebug(`FindingStore: could not load findings file, starting fresh: ${err}`);
+      brakitDebug(`IssueStore: could not load issues file, starting fresh: ${err}`);
+    }
+  }
+  /** Parse and populate issues from a raw JSON string. */
+  hydrate(raw) {
+    const validated = validateIssuesData(JSON.parse(raw));
+    if (!validated) return;
+    for (const issue of validated.issues) {
+      this.issues.set(issue.issueId, issue);
     }
   }
   flush() {
@@ -377,8 +378,8 @@ var FindingStore = class {
   }
   serialize() {
     const data = {
-      version: FINDINGS_DATA_VERSION,
-      findings: [...this.findings.values()]
+      version: ISSUES_DATA_VERSION,
+      issues: [...this.issues.values()]
     };
     return JSON.stringify(data);
   }
@@ -387,7 +388,7 @@ var FindingStore = class {
 // src/detect/project.ts
 import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join, relative } from "path";
+import { join as join2, relative } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -396,24 +397,24 @@ var FRAMEWORKS = [
   { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
 ];
 async function detectProject(rootDir) {
-  const pkgPath = join(rootDir, "package.json");
+  const pkgPath = join2(rootDir, "package.json");
   const raw = await readFile3(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   const framework = detectFrameworkFromDeps(allDeps);
   const matched = FRAMEWORKS.find((f) => f.name === framework);
   const devCommand = matched?.devCmd ?? "";
-  const devBin = matched ? join(rootDir, "node_modules", ".bin", matched.bin) : "";
+  const devBin = matched ? join2(rootDir, "node_modules", ".bin", matched.bin) : "";
   const defaultPort = matched?.defaultPort ?? 3e3;
   const packageManager = await detectPackageManager(rootDir);
   return { framework, devCommand, devBin, defaultPort, packageManager };
 }
 async function detectPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 function detectFrameworkFromDeps(allDeps) {
@@ -425,8 +426,10 @@ function detectFrameworkFromDeps(allDeps) {
 // src/instrument/adapter-registry.ts
 var AdapterRegistry = class {
-  adapters = [];
-  active = [];
+  constructor() {
+    this.adapters = [];
+    this.active = [];
+  }
   register(adapter) {
     this.adapters.push(adapter);
   }
@@ -455,6 +458,38 @@ var AdapterRegistry = class {
   }
 };
+// src/utils/response.ts
+function tryParseJson(body) {
+  if (!body) return null;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
+}
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
@@ -468,6 +503,8 @@ var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
 var INTERNAL_ID_SUFFIX = /Id$|_id$/;
+var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
+var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var SELECT_STAR_RE = /^SELECT\s+\*/i;
 var SELECT_DOT_STAR_RE = /\.\*\s+FROM/i;
 var RULE_HINTS = {
@@ -481,31 +518,35 @@ var RULE_HINTS = {
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
-// src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
+// src/utils/http-status.ts
+function isErrorStatus(code) {
+  return code >= 400;
+}
+function isServerError(code) {
+  return code >= 500;
+}
+function isRedirect(code) {
+  return code >= 300 && code < 400;
 }
-function findSecretKeys(obj, prefix) {
+// src/analysis/rules/exposed-secret.ts
+function findSecretKeys(obj, prefix, depth = 0) {
   const found = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
   if (!obj || typeof obj !== "object") return found;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
+    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
+      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
     }
     return found;
   }
   for (const k of Object.keys(obj)) {
     const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
       found.push(k);
     }
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
+      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
     }
   }
   return found;
@@ -519,8 +560,8 @@ var exposedSecretRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const parsed = tryParseJson(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      const parsed = ctx.parsedBodies.response.get(r.id);
       if (!parsed) continue;
       const keys = findSecretKeys(parsed, "");
       if (keys.length === 0) continue;
@@ -673,7 +714,7 @@ var errorInfoLeakRule = {
 // src/analysis/rules/insecure-cookie.ts
 function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (isRedirect(r.statusCode)) return true;
   if (r.path?.startsWith("/__")) return true;
   if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
   return false;
@@ -779,48 +820,15 @@ var corsCredentialsRule = {
   }
 };
-// src/utils/response.ts
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
-      }
-    }
-  }
-  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
-}
 // src/analysis/rules/response-pii-leak.ts
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-var FULL_RECORD_MIN_FIELDS = 5;
-var LIST_PII_MIN_ITEMS = 2;
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findEmails(obj) {
+function findEmails(obj, depth = 0) {
   const emails = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
   if (!obj || typeof obj !== "object") return emails;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
+    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
+      emails.push(...findEmails(obj[i], depth + 1));
     }
     return emails;
   }
@@ -828,7 +836,7 @@ function findEmails(obj) {
     if (typeof v === "string" && EMAIL_RE.test(v)) {
       emails.push(v);
     } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
+      emails.push(...findEmails(v, depth + 1));
     }
   }
   return emails;
@@ -847,6 +855,15 @@ function hasInternalIds(obj) {
   }
   return false;
 }
+function hasSensitiveFieldNames(obj, depth = 0) {
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return false;
+  if (!obj || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) return obj.length > 0 && hasSensitiveFieldNames(obj[0], depth + 1);
+  for (const key of Object.keys(obj)) {
+    if (SENSITIVE_FIELD_NAMES.test(key)) return true;
+  }
+  return false;
+}
 function detectEchoPII(method, reqBody, target) {
   if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
   const reqEmails = findEmails(reqBody);
@@ -868,10 +885,17 @@ function detectFullRecordPII(target) {
   if (emails.length === 0) return null;
   return { reason: "full-record", emailCount: emails.length };
 }
+function detectSensitiveFieldPII(target) {
+  const inspect = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (!inspect || typeof inspect !== "object" || Array.isArray(inspect)) return null;
+  if (!hasSensitiveFieldNames(inspect)) return null;
+  if (!hasInternalIds(inspect) && topLevelFieldCount(inspect) < FULL_RECORD_MIN_FIELDS) return null;
+  return { reason: "sensitive-fields", emailCount: 0 };
+}
 function detectListPII(target) {
   if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
   let itemsWithEmail = 0;
-  for (let i = 0; i < Math.min(target.length, 10); i++) {
+  for (let i = 0; i < Math.min(target.length, PII_SCAN_ARRAY_LIMIT); i++) {
     const item = target[i];
     if (item && typeof item === "object" && findEmails(item).length > 0) {
       itemsWithEmail++;
@@ -886,12 +910,13 @@ function detectListPII(target) {
 }
 function detectPII(method, reqBody, resBody) {
   const target = unwrapResponse(resBody);
-  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target) ?? detectSensitiveFieldPII(target);
 }
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
-  "list-pii": "returns a list of records containing email addresses"
+  "list-pii": "returns a list of records containing email addresses",
+  "sensitive-fields": "contains sensitive personal data fields (phone, SSN, date of birth, address, etc.)"
 };
 var responsePiiLeakRule = {
   id: "response-pii-leak",
@@ -902,15 +927,15 @@ var responsePiiLeakRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const resJson = tryParseJson2(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      if (SELF_SERVICE_PATH.test(r.path)) continue;
+      const resJson = ctx.parsedBodies.response.get(r.id);
       if (!resJson) continue;
-      const reqJson = tryParseJson2(r.requestBody);
+      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
       const detection = detectPII(r.method, reqJson, resJson);
       if (!detection) continue;
       const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${detection.reason}`;
-      const existing = seen.get(dedupKey);
+      const existing = seen.get(ep);
       if (existing) {
         existing.count++;
         continue;
@@ -919,12 +944,12 @@ var responsePiiLeakRule = {
         severity: "warning",
         rule: "response-pii-leak",
         title: "PII Leak in Response",
-        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
-        hint: this.hint,
+        desc: `${ep} \u2014 exposes PII in response`,
+        hint: `Detection: ${REASON_LABELS[detection.reason]}. ${this.hint}`,
         endpoint: ep,
         count: 1
       };
-      seen.set(dedupKey, finding);
+      seen.set(ep, finding);
       findings.push(finding);
     }
     return findings;
@@ -932,12 +957,33 @@ var responsePiiLeakRule = {
 };
 // src/analysis/rules/scanner.ts
+function buildBodyCache(requests) {
+  const response = /* @__PURE__ */ new Map();
+  const request = /* @__PURE__ */ new Map();
+  for (const r of requests) {
+    if (r.responseBody) {
+      const parsed = tryParseJson(r.responseBody);
+      if (parsed != null) response.set(r.id, parsed);
+    }
+    if (r.requestBody) {
+      const parsed = tryParseJson(r.requestBody);
+      if (parsed != null) request.set(r.id, parsed);
+    }
+  }
+  return { response, request };
+}
 var SecurityScanner = class {
-  rules = [];
+  constructor() {
+    this.rules = [];
+  }
   register(rule) {
     this.rules.push(rule);
   }
-  scan(ctx) {
+  scan(input) {
+    const ctx = {
+      ...input,
+      parsedBodies: buildBodyCache(input.requests)
+    };
     const findings = [];
     for (const rule of this.rules) {
       try {
@@ -966,7 +1012,9 @@ function createDefaultScanner() {
 // src/core/disposable.ts
 var SubscriptionBag = class {
-  items = [];
+  constructor() {
+    this.items = [];
+  }
   add(teardown) {
     this.items.push(typeof teardown === "function" ? { dispose: teardown } : teardown);
   }
@@ -979,6 +1027,41 @@ var SubscriptionBag = class {
 // src/analysis/group.ts
 import { randomUUID } from "crypto";
+// src/constants/routes.ts
+var DASHBOARD_PREFIX = "/__brakit";
+var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
+var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
+var DASHBOARD_API_FLOWS = `${DASHBOARD_PREFIX}/api/flows`;
+var DASHBOARD_API_CLEAR = `${DASHBOARD_PREFIX}/api/clear`;
+var DASHBOARD_API_LOGS = `${DASHBOARD_PREFIX}/api/logs`;
+var DASHBOARD_API_FETCHES = `${DASHBOARD_PREFIX}/api/fetches`;
+var DASHBOARD_API_ERRORS = `${DASHBOARD_PREFIX}/api/errors`;
+var DASHBOARD_API_QUERIES = `${DASHBOARD_PREFIX}/api/queries`;
+var DASHBOARD_API_INGEST = `${DASHBOARD_PREFIX}/api/ingest`;
+var DASHBOARD_API_METRICS = `${DASHBOARD_PREFIX}/api/metrics`;
+var DASHBOARD_API_ACTIVITY = `${DASHBOARD_PREFIX}/api/activity`;
+var DASHBOARD_API_METRICS_LIVE = `${DASHBOARD_PREFIX}/api/metrics/live`;
+var DASHBOARD_API_INSIGHTS = `${DASHBOARD_PREFIX}/api/insights`;
+var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
+var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
+var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
+var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+var VALID_TABS_TUPLE = [
+  "overview",
+  "actions",
+  "requests",
+  "fetches",
+  "queries",
+  "errors",
+  "logs",
+  "performance",
+  "security"
+];
+var VALID_TABS = new Set(VALID_TABS_TUPLE);
+// src/constants/network.ts
+var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
@@ -1042,7 +1125,7 @@ function labelRequest(req) {
 function generateHumanLabel(req, category) {
   const effectivePath = getEffectivePath(req);
   const endpointName = getEndpointName(effectivePath);
-  const failed = req.statusCode >= 400;
+  const failed = isErrorStatus(req.statusCode);
   switch (category) {
     case "auth-handshake":
       return "Auth handshake";
@@ -1222,7 +1305,7 @@ function detectWarnings(requests) {
   for (const req of slowRequests) {
     warnings.push(`${req.label} took ${(req.durationMs / 1e3).toFixed(1)}s`);
   }
-  const errors = requests.filter((r) => r.statusCode >= 500);
+  const errors = requests.filter((r) => isServerError(r.statusCode));
   for (const req of errors) {
     warnings.push(`${req.label} \u2014 server error (${req.statusCode})`);
   }
@@ -1278,7 +1361,7 @@ function buildFlow(rawRequests) {
     requests,
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
-    hasErrors: requests.some((r) => r.statusCode >= 400),
+    hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
     warnings: detectWarnings(rawRequests),
     sourcePage,
     redundancyPct
@@ -1346,8 +1429,14 @@ function groupBy(items, keyFn) {
 }
 // src/utils/endpoint.ts
+var DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
+}
 function getEndpointKey(method, path) {
-  return `${method} ${path}`;
+  return `${method} ${normalizePath(path)}`;
 }
 var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
 function extractEndpointFromDesc(desc) {
@@ -1429,6 +1518,15 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function extractActiveEndpoints(requests) {
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const r of requests) {
+    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
+      endpoints.add(getEndpointKey(r.method, r.path));
+    }
+  }
+  return endpoints;
+}
 function prepareContext(ctx) {
   const nonStatic = ctx.requests.filter(
     (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
@@ -1446,7 +1544,7 @@ function prepareContext(ctx) {
       endpointGroups.set(ep, g);
     }
     g.total++;
-    if (r.statusCode >= 400) g.errors++;
+    if (isErrorStatus(r.statusCode)) g.errors++;
     g.totalDuration += r.durationMs;
     g.totalSize += r.responseSize ?? 0;
     const reqQueries = queriesByReq.get(r.id) ?? [];
@@ -1481,7 +1579,9 @@ function prepareContext(ctx) {
 // src/analysis/insights/runner.ts
 var SEVERITY_ORDER = { critical: 0, warning: 1, info: 2 };
 var InsightRunner = class {
-  rules = [];
+  constructor() {
+    this.rules = [];
+  }
   register(rule) {
     this.rules.push(rule);
   }
@@ -1866,7 +1966,7 @@ var responseOverfetchRule = {
     const insights = [];
     const seen = /* @__PURE__ */ new Set();
     for (const r of ctx.nonStatic) {
-      if (r.statusCode >= 400 || !r.responseBody) continue;
+      if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
       const ep = getEndpointKey(r.method, r.path);
       if (seen.has(ep)) continue;
       let parsed;
@@ -2010,96 +2110,49 @@ function computeInsights(ctx) {
   return createDefaultInsightRunner().run(ctx);
 }
-// src/analysis/insight-tracker.ts
-function computeInsightKey(insight) {
-  const identifier = extractEndpointFromDesc(insight.desc) ?? insight.title;
-  return `${insight.type}:${identifier}`;
-}
-function enrichedIdFromInsight(insight) {
-  return computeInsightId(insight.type, insight.nav ?? "global", insight.desc);
-}
-var InsightTracker = class {
-  tracked = /* @__PURE__ */ new Map();
-  enrichedIndex = /* @__PURE__ */ new Map();
-  reconcile(current) {
-    const currentKeys = /* @__PURE__ */ new Set();
-    const now = Date.now();
-    for (const insight of current) {
-      const key = computeInsightKey(insight);
-      currentKeys.add(key);
-      const existing = this.tracked.get(key);
-      this.enrichedIndex.set(enrichedIdFromInsight(insight), key);
-      if (existing) {
-        existing.insight = insight;
-        existing.lastSeenAt = now;
-        existing.consecutiveAbsences = 0;
-        if (existing.state === "resolved") {
-          existing.state = "open";
-          existing.resolvedAt = null;
-        }
-      } else {
-        this.tracked.set(key, {
-          key,
-          state: "open",
-          insight,
-          firstSeenAt: now,
-          lastSeenAt: now,
-          resolvedAt: null,
-          consecutiveAbsences: 0,
-          aiStatus: null,
-          aiNotes: null
-        });
-      }
-    }
-    for (const [, stateful] of this.tracked) {
-      if ((stateful.state === "open" || stateful.state === "fixing") && !currentKeys.has(stateful.key)) {
-        stateful.consecutiveAbsences++;
-        if (stateful.consecutiveAbsences >= RESOLVE_AFTER_ABSENCES) {
-          stateful.state = "resolved";
-          stateful.resolvedAt = now;
-        }
-      } else if (stateful.state === "resolved" && stateful.resolvedAt !== null && now - stateful.resolvedAt > RESOLVED_INSIGHT_TTL_MS) {
-        this.tracked.delete(stateful.key);
-        this.enrichedIndex.delete(enrichedIdFromInsight(stateful.insight));
-      }
-    }
-    return [...this.tracked.values()];
-  }
-  reportFix(enrichedId, status, notes) {
-    const key = this.enrichedIndex.get(enrichedId);
-    if (!key) return false;
-    const stateful = this.tracked.get(key);
-    if (!stateful) return false;
-    stateful.aiStatus = status;
-    stateful.aiNotes = notes;
-    if (status === "fixed") {
-      stateful.state = "fixing";
-    }
-    return true;
-  }
-  getAll() {
-    return [...this.tracked.values()];
-  }
-  clear() {
-    this.tracked.clear();
-    this.enrichedIndex.clear();
-  }
-};
+// src/analysis/issue-mappers.ts
+function categorizeInsight(type) {
+  if (type === "security") return "security";
+  if (type === "error" || type === "error-hotspot") return "reliability";
+  return "performance";
+}
+function insightToIssue(insight) {
+  return {
+    category: categorizeInsight(insight.type),
+    rule: insight.type,
+    severity: insight.severity,
+    title: insight.title,
+    desc: insight.desc,
+    hint: insight.hint,
+    detail: insight.detail,
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
+    nav: insight.nav
+  };
+}
+function securityFindingToIssue(finding) {
+  return {
+    category: "security",
+    rule: finding.rule,
+    severity: finding.severity,
+    title: finding.title,
+    desc: finding.desc,
+    hint: finding.hint,
+    endpoint: finding.endpoint,
+    nav: "security"
+  };
+}
 // src/analysis/engine.ts
 var AnalysisEngine = class {
   constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
     this.registry = registry;
     this.debounceMs = debounceMs;
+    this.cachedInsights = [];
+    this.cachedFindings = [];
+    this.debounceTimer = null;
+    this.subs = new SubscriptionBag();
     this.scanner = createDefaultScanner();
   }
-  scanner;
-  insightTracker = new InsightTracker();
-  cachedInsights = [];
-  cachedFindings = [];
-  cachedStatefulInsights = [];
-  debounceTimer = null;
-  subs = new SubscriptionBag();
   start() {
     const bus = this.registry.get("event-bus");
     this.subs.add(bus.on("request:completed", () => this.scheduleRecompute()));
@@ -2120,15 +2173,6 @@ var AnalysisEngine = class {
   getFindings() {
     return this.cachedFindings;
   }
-  getStatefulFindings() {
-    return this.registry.has("finding-store") ? this.registry.get("finding-store").getAll() : [];
-  }
-  getStatefulInsights() {
-    return this.insightTracker.getAll();
-  }
-  reportInsightFix(enrichedId, status, notes) {
-    return this.insightTracker.reportFix(enrichedId, status, notes);
-  }
   scheduleRecompute() {
     if (this.debounceTimer) return;
     this.debounceTimer = setTimeout(() => {
@@ -2137,20 +2181,14 @@ var AnalysisEngine = class {
     }, this.debounceMs);
   }
   recompute() {
-    const requests = this.registry.get("request-store").getAll();
+    const allRequests = this.registry.get("request-store").getAll();
     const queries = this.registry.get("query-store").getAll();
     const errors = this.registry.get("error-store").getAll();
     const logs = this.registry.get("log-store").getAll();
     const fetches = this.registry.get("fetch-store").getAll();
+    const requests = windowByEndpoint(allRequests);
     const flows = groupRequestsIntoFlows(requests);
     this.cachedFindings = this.scanner.scan({ requests, logs });
-    if (this.registry.has("finding-store")) {
-      const findingStore = this.registry.get("finding-store");
-      for (const finding of this.cachedFindings) {
-        findingStore.upsert(finding, "passive");
-      }
-      findingStore.reconcilePassive(this.cachedFindings);
-    }
     this.cachedInsights = computeInsights({
       requests,
       queries,
@@ -2160,24 +2198,40 @@ var AnalysisEngine = class {
       previousMetrics: this.registry.get("metrics-store").getAll(),
       securityFindings: this.cachedFindings
     });
-    this.cachedStatefulInsights = this.insightTracker.reconcile(this.cachedInsights);
-    const update = {
-      insights: this.cachedInsights,
-      findings: this.cachedFindings,
-      statefulFindings: this.getStatefulFindings(),
-      statefulInsights: this.cachedStatefulInsights
-    };
-    this.registry.get("event-bus").emit("analysis:updated", update);
+    if (this.registry.has("issue-store")) {
+      const issueStore = this.registry.get("issue-store");
+      for (const finding of this.cachedFindings) {
+        issueStore.upsert(securityFindingToIssue(finding), "passive");
+      }
+      for (const insight of this.cachedInsights) {
+        issueStore.upsert(insightToIssue(insight), "passive");
+      }
+      const currentIssueIds = /* @__PURE__ */ new Set();
+      for (const finding of this.cachedFindings) {
+        currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
+      }
+      for (const insight of this.cachedInsights) {
+        currentIssueIds.add(computeIssueId(insightToIssue(insight)));
+      }
+      const activeEndpoints = extractActiveEndpoints(allRequests);
+      issueStore.reconcile(currentIssueIds, activeEndpoints);
+      const update = {
+        insights: this.cachedInsights,
+        findings: this.cachedFindings,
+        issues: issueStore.getAll()
+      };
+      this.registry.get("event-bus").emit("analysis:updated", update);
+    }
   }
 };
 // src/index.ts
-var VERSION = "0.8.5";
+var VERSION = "0.8.7";
 export {
   AdapterRegistry,
   AnalysisEngine,
-  FindingStore,
   InsightRunner,
+  IssueStore,
   SecurityScanner,
   VERSION,
   computeInsights,