brakit 0.8.5 → 0.8.7

package/dist/bin/brakit.js

@@ -9,6 +9,91 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/constants/limits.ts
+var PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_OBJECT_SCAN_DEPTH, ISSUE_PRUNE_TTL_MS;
+var init_limits = __esm({
+  "src/constants/limits.ts"() {
+    "use strict";
+    PROJECT_HASH_LENGTH = 8;
+    SECRET_SCAN_ARRAY_LIMIT = 5;
+    PII_SCAN_ARRAY_LIMIT = 10;
+    MIN_SECRET_VALUE_LENGTH = 8;
+    FULL_RECORD_MIN_FIELDS = 8;
+    LIST_PII_MIN_ITEMS = 2;
+    MAX_OBJECT_SCAN_DEPTH = 5;
+    ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+  }
+});
+
+// src/utils/log.ts
+function brakitDebug(message) {
+  if (process.env.DEBUG_BRAKIT) {
+    process.stderr.write(`${PREFIX}:debug ${message}
+`);
+  }
+}
+var PREFIX;
+var init_log = __esm({
+  "src/utils/log.ts"() {
+    "use strict";
+    PREFIX = "[brakit]";
+  }
+});
+
+// src/constants/lifecycle.ts
+var VALID_ISSUE_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
+var init_lifecycle = __esm({
+  "src/constants/lifecycle.ts"() {
+    "use strict";
+    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
+    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
+  }
+});
+
+// src/utils/type-guards.ts
+function isNonEmptyString(val) {
+  return typeof val === "string" && val.trim().length > 0;
+}
+function getErrorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return String(err);
+}
+function isValidIssueState(val) {
+  return typeof val === "string" && VALID_ISSUE_STATES.has(val);
+}
+function isValidAiFixStatus(val) {
+  return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
+}
+var init_type_guards = __esm({
+  "src/utils/type-guards.ts"() {
+    "use strict";
+    init_lifecycle();
+    init_limits();
+  }
+});
+
+// src/constants/metrics.ts
+var METRICS_DIR, PORT_FILE;
+var init_metrics = __esm({
+  "src/constants/metrics.ts"() {
+    "use strict";
+    METRICS_DIR = ".brakit";
+    PORT_FILE = ".brakit/port";
+  }
+});
+
+// src/constants/thresholds.ts
+var OVERFETCH_UNWRAP_MIN_SIZE, STALE_ISSUE_TTL_MS;
+var init_thresholds = __esm({
+  "src/constants/thresholds.ts"() {
+    "use strict";
+    OVERFETCH_UNWRAP_MIN_SIZE = 3;
+    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+  }
+});
+
 // src/constants/routes.ts
 var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS;
 var init_routes = __esm({
@@ -47,24 +132,6 @@ var init_routes = __esm({
   }
 });
 
-// src/constants/limits.ts
-var FINDING_ID_HASH_LENGTH;
-var init_limits = __esm({
-  "src/constants/limits.ts"() {
-    "use strict";
-    FINDING_ID_HASH_LENGTH = 16;
-  }
-});
-
-// src/constants/thresholds.ts
-var OVERFETCH_UNWRAP_MIN_SIZE;
-var init_thresholds = __esm({
-  "src/constants/thresholds.ts"() {
-    "use strict";
-    OVERFETCH_UNWRAP_MIN_SIZE = 3;
-  }
-});
-
 // src/constants/transport.ts
 var init_transport = __esm({
   "src/constants/transport.ts"() {
@@ -72,16 +139,6 @@ var init_transport = __esm({
   }
 });
 
-// src/constants/metrics.ts
-var METRICS_DIR, PORT_FILE;
-var init_metrics = __esm({
-  "src/constants/metrics.ts"() {
-    "use strict";
-    METRICS_DIR = ".brakit";
-    PORT_FILE = ".brakit/port";
-  }
-});
-
 // src/constants/headers.ts
 var init_headers = __esm({
   "src/constants/headers.ts"() {
@@ -115,7 +172,7 @@ var init_mcp = __esm({
     MAX_TIMELINE_EVENTS = 20;
     MAX_RESOLVED_DISPLAY = 5;
     ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.8.5";
+    MCP_SERVER_VERSION = "0.8.7";
   }
 });
 
@@ -140,14 +197,35 @@ var init_telemetry = __esm({
   }
 });
 
-// src/constants/lifecycle.ts
-var VALID_FINDING_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
-var init_lifecycle = __esm({
-  "src/constants/lifecycle.ts"() {
+// src/constants/cli.ts
+var SUPPORTED_SOURCE_EXTENSIONS, BUILD_CACHE_DIRS, FALLBACK_SCAN_DIRS;
+var init_cli = __esm({
+  "src/constants/cli.ts"() {
+    "use strict";
+    SUPPORTED_SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([
+      ".ts",
+      ".tsx",
+      ".js",
+      ".jsx",
+      ".mjs",
+      ".mts"
+    ]);
+    BUILD_CACHE_DIRS = [".next", ".nuxt", ".output"];
+    FALLBACK_SCAN_DIRS = ["src", "."];
+  }
+});
+
+// src/constants/timeline.ts
+var init_timeline = __esm({
+  "src/constants/timeline.ts"() {
+    "use strict";
+  }
+});
+
+// src/constants/sdk-events.ts
+var init_sdk_events = __esm({
+  "src/constants/sdk-events.ts"() {
     "use strict";
-    VALID_FINDING_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved"]);
-    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
-    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
   }
 });
 
@@ -167,51 +245,9 @@ var init_constants = __esm({
     init_severity();
     init_telemetry();
     init_lifecycle();
-  }
-});
-
-// src/utils/log.ts
-function brakitDebug(message) {
-  if (process.env.DEBUG_BRAKIT) {
-    process.stderr.write(`${PREFIX}:debug ${message}
-`);
-  }
-}
-var PREFIX;
-var init_log = __esm({
-  "src/utils/log.ts"() {
-    "use strict";
-    PREFIX = "[brakit]";
-  }
-});
-
-// src/utils/type-guards.ts
-function isNonEmptyString(val) {
-  return typeof val === "string" && val.trim().length > 0;
-}
-function isValidFindingState(val) {
-  return typeof val === "string" && VALID_FINDING_STATES.has(val);
-}
-function isValidAiFixStatus(val) {
-  return typeof val === "string" && VALID_AI_FIX_STATUSES.has(val);
-}
-var init_type_guards = __esm({
-  "src/utils/type-guards.ts"() {
-    "use strict";
-    init_lifecycle();
-  }
-});
-
-// src/store/finding-id.ts
-import { createHash } from "crypto";
-function computeInsightId(type, endpoint, desc) {
-  const key = `${type}:${endpoint}:${desc}`;
-  return createHash("sha256").update(key).digest("hex").slice(0, FINDING_ID_HASH_LENGTH);
-}
-var init_finding_id = __esm({
-  "src/store/finding-id.ts"() {
-    "use strict";
-    init_limits();
+    init_cli();
+    init_timeline();
+    init_sdk_events();
   }
 });
 
@@ -249,11 +285,11 @@ var init_client = __esm({
         if (params?.offset) url.searchParams.set("offset", String(params.offset));
         return this.fetchJson(url);
       }
-      async getSecurityFindings() {
-        return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_SECURITY}`);
-      }
-      async getInsights() {
-        return this.fetchJson(`${this.baseUrl}${DASHBOARD_API_INSIGHTS}`);
+      async getIssues(params) {
+        const url = new URL(`${this.baseUrl}${DASHBOARD_API_INSIGHTS}`);
+        if (params?.state) url.searchParams.set("state", params.state);
+        if (params?.category) url.searchParams.set("category", params.category);
+        return this.fetchJson(url);
       }
       async getQueries(requestId) {
         const url = new URL(`${this.baseUrl}${DASHBOARD_API_QUERIES}`);
@@ -325,7 +361,7 @@ var init_client = __esm({
 });
 
 // src/mcp/discovery.ts
-import { readFile as readFile6, readdir as readdir2, stat } from "fs/promises";
+import { readFile as readFile6, readdir as readdir3, stat } from "fs/promises";
 import { resolve as resolve5, dirname as dirname2 } from "path";
 async function readPort(portPath) {
   try {
@@ -341,7 +377,7 @@ async function portInDir(dir) {
 }
 async function portInChildren(dir) {
   try {
-    const entries = await readdir2(dir);
+    const entries = await readdir3(dir);
     for (const entry of entries) {
       if (entry.startsWith(".") || entry === "node_modules") continue;
       const child = resolve5(dir, entry);
@@ -408,14 +444,16 @@ var init_discovery = __esm({
 
 // src/mcp/enrichment.ts
 async function enrichFindings(client) {
-  const [securityData, insightsData] = await Promise.all([
-    client.getSecurityFindings(),
-    client.getInsights()
-  ]);
+  const issuesData = await client.getIssues();
+  const issues = issuesData.issues.filter(
+    (si) => si.state !== "resolved" && si.state !== "stale"
+  );
   const contexts = await Promise.all(
-    securityData.findings.map(async (sf) => {
+    issues.map(async (si) => {
+      const endpoint = si.issue.endpoint;
+      if (!endpoint) return si.issue.detail ?? "";
       try {
-        const { path } = parseEndpointKey(sf.finding.endpoint);
+        const { path } = parseEndpointKey(endpoint);
         const reqData = await client.getRequests({ search: path, limit: 1 });
         if (reqData.requests.length > 0) {
           const req = reqData.requests[0];
@@ -429,38 +467,22 @@ async function enrichFindings(client) {
       } catch {
         return "(context unavailable)";
       }
-      return "";
+      return si.issue.detail ?? "";
     })
   );
-  const enriched = securityData.findings.map((sf, i) => {
-    const f = sf.finding;
-    return {
-      findingId: sf.findingId,
-      severity: f.severity,
-      title: f.title,
-      endpoint: f.endpoint,
-      description: f.desc,
-      hint: f.hint,
-      occurrences: f.count,
-      context: contexts[i],
-      aiStatus: sf.aiStatus,
-      aiNotes: sf.aiNotes
-    };
-  });
-  for (const si of insightsData.insights) {
-    if (si.state === "resolved") continue;
-    const i = si.insight;
-    if (!ENRICHMENT_SEVERITY_FILTER.includes(i.severity)) continue;
-    const endpoint = i.nav ?? "global";
+  const enriched = [];
+  for (let i = 0; i < issues.length; i++) {
+    const si = issues[i];
+    if (!ENRICHMENT_SEVERITY_FILTER.includes(si.issue.severity)) continue;
     enriched.push({
-      findingId: computeInsightId(i.type, endpoint, i.desc),
-      severity: i.severity,
-      title: i.title,
-      endpoint,
-      description: i.desc,
-      hint: i.hint,
-      occurrences: 1,
-      context: i.detail ?? "",
+      findingId: si.issueId,
+      severity: si.issue.severity,
+      title: si.issue.title,
+      endpoint: si.issue.endpoint ?? "global",
+      description: si.issue.desc,
+      hint: si.issue.hint,
+      occurrences: si.occurrences,
+      context: contexts[i],
       aiStatus: si.aiStatus,
       aiNotes: si.aiNotes
     });
@@ -518,7 +540,6 @@ var init_enrichment = __esm({
   "src/mcp/enrichment.ts"() {
     "use strict";
     init_mcp();
-    init_finding_id();
     init_endpoint();
   }
 });
@@ -544,8 +565,8 @@ var init_get_findings = __esm({
           },
           state: {
             type: "string",
-            enum: ["open", "fixing", "resolved"],
-            description: "Filter by finding state (from finding lifecycle)"
+            enum: ["open", "fixing", "resolved", "stale", "regressed"],
+            description: "Filter by issue state"
           }
         }
       },
@@ -555,17 +576,17 @@ var init_get_findings = __esm({
         if (severity && !VALID_SECURITY_SEVERITIES.has(severity)) {
           return { content: [{ type: "text", text: `Invalid severity "${severity}". Use: critical, warning.` }], isError: true };
         }
-        if (state && !isValidFindingState(state)) {
-          return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved.` }], isError: true };
+        if (state && !isValidIssueState(state)) {
+          return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved, stale, regressed.` }], isError: true };
         }
         let findings = await enrichFindings(client);
         if (severity) {
           findings = findings.filter((f) => f.severity === severity);
         }
         if (state) {
-          const stateful = await client.getFindings(state);
-          const statefulIds = new Set(stateful.findings.map((f) => f.findingId));
-          findings = findings.filter((f) => statefulIds.has(f.findingId));
+          const issuesData = await client.getIssues({ state });
+          const issueIds = new Set(issuesData.issues.map((i) => i.issueId));
+          findings = findings.filter((f) => issueIds.has(f.findingId));
         }
         if (findings.length === 0) {
           return { content: [{ type: "text", text: "No findings detected. The application looks healthy." }] };
@@ -744,20 +765,21 @@ var init_verify_fix = __esm({
         }
         if (findingId) {
           const data = await client.getFindings();
-          const finding = data.findings.find((f) => f.findingId === findingId);
+          const finding = data.findings.find((f) => f.issueId === findingId);
           if (!finding) {
             return {
               content: [{
                 type: "text",
                 text: `Finding ${findingId} not found. It may have already been resolved and cleaned up.`
-              }]
+              }],
+              isError: true
             };
           }
           if (finding.state === "resolved") {
             return {
               content: [{
                 type: "text",
-                text: `RESOLVED: "${finding.finding.title}" on ${finding.finding.endpoint} is no longer detected. The fix worked.`
+                text: `RESOLVED: "${finding.issue.title}" on ${finding.issue.endpoint ?? "global"} is no longer detected. The fix worked.`
               }]
             };
           }
@@ -765,12 +787,12 @@ var init_verify_fix = __esm({
             content: [{
               type: "text",
               text: [
-                `STILL PRESENT: "${finding.finding.title}" on ${finding.finding.endpoint}`,
+                `STILL PRESENT: "${finding.issue.title}" on ${finding.issue.endpoint ?? "global"}`,
                 `  State: ${finding.state}`,
                 `  Last seen: ${new Date(finding.lastSeenAt).toISOString()}`,
                 `  Occurrences: ${finding.occurrences}`,
-                `  Issue: ${finding.finding.desc}`,
-                `  Hint: ${finding.finding.hint}`,
+                `  Issue: ${finding.issue.desc}`,
+                `  Hint: ${finding.issue.hint}`,
                 "",
                 "Make sure the user has triggered the endpoint again after the fix, so Brakit can re-analyze."
               ].join("\n")
@@ -780,7 +802,7 @@ var init_verify_fix = __esm({
         if (endpoint) {
           const data = await client.getFindings();
           const endpointFindings = data.findings.filter(
-            (f) => f.finding.endpoint === endpoint || f.finding.endpoint.endsWith(` ${endpoint}`)
+            (f) => f.issue.endpoint === endpoint || f.issue.endpoint && f.issue.endpoint.endsWith(` ${endpoint}`)
           );
           if (endpointFindings.length === 0) {
             return {
@@ -790,7 +812,7 @@ var init_verify_fix = __esm({
               }]
             };
           }
-          const open = endpointFindings.filter((f) => f.state === "open");
+          const open = endpointFindings.filter((f) => f.state === "open" || f.state === "regressed");
           const resolved = endpointFindings.filter((f) => f.state === "resolved");
           const lines = [
             `Endpoint: ${endpoint}`,
@@ -799,10 +821,10 @@ var init_verify_fix = __esm({
             ""
           ];
           for (const f of open) {
-            lines.push(`  [${f.finding.severity}] ${f.finding.title}: ${f.finding.desc}`);
+            lines.push(`  [${f.issue.severity}] ${f.issue.title}: ${f.issue.desc}`);
           }
           for (const f of resolved) {
-            lines.push(`  [resolved] ${f.finding.title}`);
+            lines.push(`  [resolved] ${f.issue.title}`);
           }
           return { content: [{ type: "text", text: lines.join("\n") }] };
         }
@@ -810,7 +832,8 @@ var init_verify_fix = __esm({
           content: [{
             type: "text",
             text: "Please provide either a finding_id or an endpoint to verify."
-          }]
+          }],
+          isError: true
         };
       }
     };
@@ -831,51 +854,52 @@ var init_get_report = __esm({
         properties: {}
       },
       async handler(client, _args) {
-        const [findingsData, securityData, insightsData, metricsData] = await Promise.all([
-          client.getFindings(),
-          client.getSecurityFindings(),
-          client.getInsights(),
+        const [issuesData, metricsData] = await Promise.all([
+          client.getIssues(),
           client.getLiveMetrics()
         ]);
-        const findings = findingsData.findings;
-        const open = findings.filter((f) => f.state === "open");
-        const resolved = findings.filter((f) => f.state === "resolved");
-        const fixing = findings.filter((f) => f.state === "fixing");
-        const criticalOpen = open.filter((f) => f.finding.severity === "critical");
-        const warningOpen = open.filter((f) => f.finding.severity === "warning");
+        const issues = issuesData.issues;
+        const open = issues.filter((f) => f.state === "open" || f.state === "regressed");
+        const resolved = issues.filter((f) => f.state === "resolved");
+        const fixing = issues.filter((f) => f.state === "fixing");
+        const stale = issues.filter((f) => f.state === "stale");
+        const criticalOpen = open.filter((f) => f.issue.severity === "critical");
+        const warningOpen = open.filter((f) => f.issue.severity === "warning");
+        const securityIssues = issues.filter((f) => f.category === "security");
+        const perfIssues = issues.filter((f) => f.category === "performance");
         const totalRequests = metricsData.endpoints.reduce(
           (s, ep) => s + ep.summary.totalRequests,
           0
         );
-        const openInsightCount = insightsData.insights.filter((si) => si.state === "open").length;
         const lines = [
           "=== Brakit Report ===",
           "",
           `Endpoints observed: ${metricsData.endpoints.length}`,
           `Total requests captured: ${totalRequests}`,
-          `Active security rules: ${securityData.findings.length} finding(s)`,
-          `Performance insights: ${openInsightCount} open, ${insightsData.insights.length - openInsightCount} resolved`,
+          `Security issues: ${securityIssues.length}`,
+          `Performance issues: ${perfIssues.length}`,
           "",
-          "--- Finding Summary ---",
-          `Total: ${findings.length}`,
+          "--- Issue Summary ---",
+          `Total: ${issues.length}`,
           `  Open: ${open.length} (${criticalOpen.length} critical, ${warningOpen.length} warning)`,
           `  In progress: ${fixing.length}`,
-          `  Resolved: ${resolved.length}`
+          `  Resolved: ${resolved.length}`,
+          `  Stale: ${stale.length}`
         ];
         if (criticalOpen.length > 0) {
           lines.push("");
           lines.push("--- Critical Issues (fix first) ---");
           for (const f of criticalOpen) {
-            lines.push(`  [CRITICAL] ${f.finding.title} \u2014 ${f.finding.endpoint}`);
-            lines.push(`    ${f.finding.desc}`);
-            lines.push(`    Fix: ${f.finding.hint}`);
+            lines.push(`  [CRITICAL] ${f.issue.title} \u2014 ${f.issue.endpoint ?? "global"}`);
+            lines.push(`    ${f.issue.desc}`);
+            lines.push(`    Fix: ${f.issue.hint}`);
           }
         }
         if (resolved.length > 0) {
           lines.push("");
           lines.push("--- Recently Resolved ---");
           for (const f of resolved.slice(0, MAX_RESOLVED_DISPLAY)) {
-            lines.push(`  \u2713 ${f.finding.title} \u2014 ${f.finding.endpoint}`);
+            lines.push(`  \u2713 ${f.issue.title} \u2014 ${f.issue.endpoint ?? "global"}`);
           }
           if (resolved.length > MAX_RESOLVED_DISPLAY) {
             lines.push(`  ... and ${resolved.length - MAX_RESOLVED_DISPLAY} more`);
@@ -1128,21 +1152,31 @@ import { runMain } from "citty";
 
 // src/cli/commands/install.ts
 import { defineCommand } from "citty";
-import { resolve as resolve3, join as join2, dirname } from "path";
+import { resolve as resolve3, join as join3, dirname } from "path";
 import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
 import { execSync } from "child_process";
 import { existsSync as existsSync5 } from "fs";
 import pc from "picocolors";
 
-// src/store/finding-store.ts
+// src/store/issue-store.ts
 import { readFile as readFile2 } from "fs/promises";
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync } from "fs";
 import { resolve as resolve2 } from "path";
 
 // src/utils/fs.ts
+init_limits();
+init_log();
+init_type_guards();
 import { access, readFile, writeFile } from "fs/promises";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { resolve } from "path";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { resolve, join } from "path";
+function getProjectDataDir(projectRoot) {
+  const absolute = resolve(projectRoot);
+  const hash = createHash("sha256").update(absolute).digest("hex").slice(0, PROJECT_HASH_LENGTH);
+  return join(homedir(), ".brakit", "projects", hash);
+}
 async function fileExists(path) {
   try {
     await access(path);
@@ -1152,8 +1186,10 @@ async function fileExists(path) {
   }
 }
 
-// src/store/finding-store.ts
-init_constants();
+// src/store/issue-store.ts
+init_metrics();
+init_limits();
+init_thresholds();
 init_limits();
 
 // src/utils/atomic-writer.ts
@@ -1167,14 +1203,18 @@ import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
 init_log();
 init_type_guards();
 
-// src/store/finding-store.ts
+// src/store/issue-store.ts
 init_log();
-init_finding_id();
+init_type_guards();
+
+// src/utils/issue-id.ts
+init_limits();
+import { createHash as createHash2 } from "crypto";
 
 // src/detect/project.ts
 import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join, relative } from "path";
+import { join as join2, relative } from "path";
 var FRAMEWORKS = [
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
@@ -1183,24 +1223,24 @@ var FRAMEWORKS = [
   { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
 ];
 async function detectProject(rootDir) {
-  const pkgPath = join(rootDir, "package.json");
+  const pkgPath = join2(rootDir, "package.json");
   const raw = await readFile3(pkgPath, "utf-8");
   const pkg = JSON.parse(raw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   const framework = detectFrameworkFromDeps(allDeps);
   const matched = FRAMEWORKS.find((f) => f.name === framework);
   const devCommand = matched?.devCmd ?? "";
-  const devBin = matched ? join(rootDir, "node_modules", ".bin", matched.bin) : "";
+  const devBin = matched ? join2(rootDir, "node_modules", ".bin", matched.bin) : "";
   const defaultPort = matched?.defaultPort ?? 3e3;
   const packageManager = await detectPackageManager(rootDir);
   return { framework, devCommand, devBin, defaultPort, packageManager };
 }
 async function detectPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "bun.lockb"))) return "bun";
-  if (await fileExists(join(rootDir, "bun.lock"))) return "bun";
-  if (await fileExists(join(rootDir, "pnpm-lock.yaml"))) return "pnpm";
-  if (await fileExists(join(rootDir, "yarn.lock"))) return "yarn";
-  if (await fileExists(join(rootDir, "package-lock.json"))) return "npm";
+  if (await fileExists(join2(rootDir, "bun.lockb"))) return "bun";
+  if (await fileExists(join2(rootDir, "bun.lock"))) return "bun";
+  if (await fileExists(join2(rootDir, "pnpm-lock.yaml"))) return "pnpm";
+  if (await fileExists(join2(rootDir, "yarn.lock"))) return "yarn";
+  if (await fileExists(join2(rootDir, "package-lock.json"))) return "npm";
   return "unknown";
 }
 function detectFrameworkFromDeps(allDeps) {
@@ -1231,9 +1271,9 @@ var PYTHON_DEFAULT_PORTS = {
   unknown: 8e3
 };
 async function detectPythonProject(rootDir) {
-  const hasPyproject = await fileExists(join(rootDir, "pyproject.toml"));
-  const hasRequirements = await fileExists(join(rootDir, "requirements.txt"));
-  const hasSetupPy = await fileExists(join(rootDir, "setup.py"));
+  const hasPyproject = await fileExists(join2(rootDir, "pyproject.toml"));
+  const hasRequirements = await fileExists(join2(rootDir, "requirements.txt"));
+  const hasSetupPy = await fileExists(join2(rootDir, "setup.py"));
   if (!hasPyproject && !hasRequirements && !hasSetupPy) return null;
   const framework = await detectPythonFramework(rootDir, hasPyproject, hasRequirements);
   const packageManager = await detectPythonPackageManager(rootDir);
@@ -1248,7 +1288,7 @@ async function detectPythonProject(rootDir) {
 async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
   if (hasPyproject) {
     try {
-      const content = await readFile3(join(rootDir, "pyproject.toml"), "utf-8");
+      const content = await readFile3(join2(rootDir, "pyproject.toml"), "utf-8");
       for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
         if (content.includes(`"${dep}"`) || content.includes(`'${dep}'`) || content.includes(`${dep} `)) {
           return fw;
@@ -1259,7 +1299,7 @@ async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
   }
   if (hasRequirements) {
     try {
-      const content = await readFile3(join(rootDir, "requirements.txt"), "utf-8");
+      const content = await readFile3(join2(rootDir, "requirements.txt"), "utf-8");
       const lines = content.toLowerCase().split("\n");
       for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
         if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || /[=<>~![]/u.test(l[dep.length])))) {
@@ -1272,13 +1312,13 @@ async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
   return "unknown";
 }
 async function detectPythonPackageManager(rootDir) {
-  if (await fileExists(join(rootDir, "uv.lock"))) return "uv";
-  if (await fileExists(join(rootDir, "poetry.lock"))) return "poetry";
-  if (await fileExists(join(rootDir, "Pipfile.lock"))) return "pipenv";
-  if (await fileExists(join(rootDir, "Pipfile"))) return "pipenv";
-  if (await fileExists(join(rootDir, "requirements.txt"))) return "pip";
+  if (await fileExists(join2(rootDir, "uv.lock"))) return "uv";
+  if (await fileExists(join2(rootDir, "poetry.lock"))) return "poetry";
+  if (await fileExists(join2(rootDir, "Pipfile.lock"))) return "pipenv";
+  if (await fileExists(join2(rootDir, "Pipfile"))) return "pipenv";
+  if (await fileExists(join2(rootDir, "requirements.txt"))) return "pip";
   try {
-    const content = await readFile3(join(rootDir, "pyproject.toml"), "utf-8");
+    const content = await readFile3(join2(rootDir, "pyproject.toml"), "utf-8");
     if (content.includes("[tool.poetry]")) return "poetry";
     if (content.includes("[tool.uv]")) return "uv";
   } catch {
@@ -1287,7 +1327,7 @@ async function detectPythonPackageManager(rootDir) {
 }
 async function detectPythonEntry(rootDir) {
   for (const candidate of PYTHON_ENTRY_CANDIDATES) {
-    if (await fileExists(join(rootDir, candidate))) {
+    if (await fileExists(join2(rootDir, candidate))) {
       return candidate;
     }
   }
@@ -1315,7 +1355,7 @@ async function scanForProjects(rootDir) {
     const entries = await readdir(rootDir, { withFileTypes: true });
     for (const entry of entries) {
       if (!entry.isDirectory() || SKIP_DIRS.has(entry.name) || entry.name.startsWith(".")) continue;
-      const childDir = join(rootDir, entry.name);
+      const childDir = join2(rootDir, entry.name);
       await detectInDir(childDir, rootDir, projects);
     }
   } catch {
@@ -1324,7 +1364,7 @@ async function scanForProjects(rootDir) {
 }
 async function detectInDir(dir, rootDir, projects) {
   const rel = dir === rootDir ? "." : `./${relative(rootDir, dir)}`;
-  if (await fileExists(join(dir, "package.json"))) {
+  if (await fileExists(join2(dir, "package.json"))) {
     try {
       const node = await detectProject(dir);
       projects.push({ dir, relDir: rel, type: "node", node });
@@ -1337,6 +1377,31 @@ async function detectInDir(dir, rootDir, projects) {
   }
 }
 
+// src/utils/response.ts
+init_thresholds();
+function unwrapResponse(parsed) {
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
+  const obj = parsed;
+  const keys = Object.keys(obj);
+  if (keys.length > 3) return parsed;
+  let best = null;
+  let bestSize = 0;
+  for (const key of keys) {
+    const val = obj[key];
+    if (Array.isArray(val) && val.length > bestSize) {
+      best = val;
+      bestSize = val.length;
+    } else if (val && typeof val === "object" && !Array.isArray(val)) {
+      const size = Object.keys(val).length;
+      if (size > bestSize) {
+        best = val;
+        bestSize = size;
+      }
+    }
+  }
+  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
+}
+
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
@@ -1350,6 +1415,8 @@ var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
 var INTERNAL_ID_SUFFIX = /Id$|_id$/;
+var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
+var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1362,30 +1429,34 @@ var RULE_HINTS = {
 };
 
 // src/analysis/rules/exposed-secret.ts
-function tryParseJson(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
+init_limits();
+
+// src/utils/http-status.ts
+function isErrorStatus(code) {
+  return code >= 400;
+}
+function isRedirect(code) {
+  return code >= 300 && code < 400;
 }
-function findSecretKeys(obj, prefix) {
+
+// src/analysis/rules/exposed-secret.ts
+function findSecretKeys(obj, prefix, depth = 0) {
   const found = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
   if (!obj || typeof obj !== "object") return found;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 5); i++) {
-      found.push(...findSecretKeys(obj[i], prefix));
+    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
+      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
     }
     return found;
   }
   for (const k of Object.keys(obj)) {
     const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= 8 && !MASKED_RE.test(val)) {
+    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
       found.push(k);
     }
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + "."));
+      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
     }
   }
   return found;
@@ -1399,8 +1470,8 @@ var exposedSecretRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const parsed = tryParseJson(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      const parsed = ctx.parsedBodies.response.get(r.id);
       if (!parsed) continue;
       const keys = findSecretKeys(parsed, "");
       if (keys.length === 0) continue;
@@ -1553,7 +1624,7 @@ var errorInfoLeakRule = {
 
 // src/analysis/rules/insecure-cookie.ts
 function isFrameworkResponse(r) {
-  if (r.statusCode >= 300 && r.statusCode < 400) return true;
+  if (isRedirect(r.statusCode)) return true;
   if (r.path?.startsWith("/__")) return true;
   if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
   return false;
@@ -1659,49 +1730,16 @@ var corsCredentialsRule = {
   }
 };
 
-// src/utils/response.ts
-init_thresholds();
-function unwrapResponse(parsed) {
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
-  const obj = parsed;
-  const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
-  let best = null;
-  let bestSize = 0;
-  for (const key of keys) {
-    const val = obj[key];
-    if (Array.isArray(val) && val.length > bestSize) {
-      best = val;
-      bestSize = val.length;
-    } else if (val && typeof val === "object" && !Array.isArray(val)) {
-      const size = Object.keys(val).length;
-      if (size > bestSize) {
-        best = val;
-        bestSize = size;
-      }
-    }
-  }
-  return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
-}
-
 // src/analysis/rules/response-pii-leak.ts
+init_limits();
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-var FULL_RECORD_MIN_FIELDS = 5;
-var LIST_PII_MIN_ITEMS = 2;
-function tryParseJson2(body) {
-  if (!body) return null;
-  try {
-    return JSON.parse(body);
-  } catch {
-    return null;
-  }
-}
-function findEmails(obj) {
+function findEmails(obj, depth = 0) {
   const emails = [];
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
   if (!obj || typeof obj !== "object") return emails;
   if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, 10); i++) {
-      emails.push(...findEmails(obj[i]));
+    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
+      emails.push(...findEmails(obj[i], depth + 1));
     }
     return emails;
   }
@@ -1709,7 +1747,7 @@ function findEmails(obj) {
     if (typeof v === "string" && EMAIL_RE.test(v)) {
       emails.push(v);
     } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v));
+      emails.push(...findEmails(v, depth + 1));
     }
   }
   return emails;
@@ -1728,6 +1766,15 @@ function hasInternalIds(obj) {
   }
   return false;
 }
+function hasSensitiveFieldNames(obj, depth = 0) {
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return false;
+  if (!obj || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) return obj.length > 0 && hasSensitiveFieldNames(obj[0], depth + 1);
+  for (const key of Object.keys(obj)) {
+    if (SENSITIVE_FIELD_NAMES.test(key)) return true;
+  }
+  return false;
+}
 function detectEchoPII(method, reqBody, target) {
   if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
   const reqEmails = findEmails(reqBody);
@@ -1749,10 +1796,17 @@ function detectFullRecordPII(target) {
   if (emails.length === 0) return null;
   return { reason: "full-record", emailCount: emails.length };
 }
+function detectSensitiveFieldPII(target) {
+  const inspect = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (!inspect || typeof inspect !== "object" || Array.isArray(inspect)) return null;
+  if (!hasSensitiveFieldNames(inspect)) return null;
+  if (!hasInternalIds(inspect) && topLevelFieldCount(inspect) < FULL_RECORD_MIN_FIELDS) return null;
+  return { reason: "sensitive-fields", emailCount: 0 };
+}
 function detectListPII(target) {
   if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
   let itemsWithEmail = 0;
-  for (let i = 0; i < Math.min(target.length, 10); i++) {
+  for (let i = 0; i < Math.min(target.length, PII_SCAN_ARRAY_LIMIT); i++) {
     const item = target[i];
     if (item && typeof item === "object" && findEmails(item).length > 0) {
       itemsWithEmail++;
@@ -1767,12 +1821,13 @@ function detectListPII(target) {
 }
 function detectPII(method, reqBody, resBody) {
   const target = unwrapResponse(resBody);
-  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target) ?? detectSensitiveFieldPII(target);
 }
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
-  "list-pii": "returns a list of records containing email addresses"
+  "list-pii": "returns a list of records containing email addresses",
+  "sensitive-fields": "contains sensitive personal data fields (phone, SSN, date of birth, address, etc.)"
 };
 var responsePiiLeakRule = {
   id: "response-pii-leak",
@@ -1783,15 +1838,15 @@ var responsePiiLeakRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Map();
     for (const r of ctx.requests) {
-      if (r.statusCode >= 400) continue;
-      const resJson = tryParseJson2(r.responseBody);
+      if (isErrorStatus(r.statusCode)) continue;
+      if (SELF_SERVICE_PATH.test(r.path)) continue;
+      const resJson = ctx.parsedBodies.response.get(r.id);
       if (!resJson) continue;
-      const reqJson = tryParseJson2(r.requestBody);
+      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
       const detection = detectPII(r.method, reqJson, resJson);
       if (!detection) continue;
       const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${detection.reason}`;
-      const existing = seen.get(dedupKey);
+      const existing = seen.get(ep);
       if (existing) {
         existing.count++;
         continue;
@@ -1800,12 +1855,12 @@ var responsePiiLeakRule = {
         severity: "warning",
         rule: "response-pii-leak",
         title: "PII Leak in Response",
-        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
-        hint: this.hint,
+        desc: `${ep} \u2014 exposes PII in response`,
+        hint: `Detection: ${REASON_LABELS[detection.reason]}. ${this.hint}`,
         endpoint: ep,
         count: 1
       };
-      seen.set(dedupKey, finding);
+      seen.set(ep, finding);
       findings.push(finding);
     }
     return findings;
@@ -1870,13 +1925,11 @@ init_constants();
 // src/analysis/insights/rules/regression.ts
 init_constants();
 
-// src/analysis/insight-tracker.ts
+// src/analysis/issue-mappers.ts
 init_endpoint();
-init_finding_id();
-init_thresholds();
 
 // src/index.ts
-var VERSION = "0.8.5";
+var VERSION = "0.8.7";
 
 // src/cli/commands/install.ts
 init_constants();
@@ -1884,10 +1937,28 @@ init_constants();
 // src/cli/templates.ts
 var IMPORT_LINE = `import "brakit";`;
 var IMPORT_MARKER = "brakit";
+var BRAKIT_IMPORT_PATTERNS = [
+  'import("brakit")',
+  'import "brakit"',
+  "import 'brakit'",
+  'require("brakit")',
+  "require('brakit')"
+];
+function containsBrakitImport(content) {
+  return BRAKIT_IMPORT_PATTERNS.some((p) => content.includes(p));
+}
+function removeBrakitImportLines(lines) {
+  return lines.filter(
+    (line) => !BRAKIT_IMPORT_PATTERNS.some((p) => line.includes(p))
+  );
+}
 var CREATED_FILES = [
   "src/instrumentation.ts",
+  "src/instrumentation.js",
   "instrumentation.ts",
-  "server/plugins/brakit.ts"
+  "instrumentation.js",
+  "server/plugins/brakit.ts",
+  "server/plugins/brakit.js"
 ];
 var ENTRY_CANDIDATES = [
   "src/index.ts",
@@ -2012,7 +2083,7 @@ var install_default = defineCommand({
   }
 });
 async function installPackage(rootDir, pm) {
-  const pkgRaw = await readFile4(join2(rootDir, "package.json"), "utf-8");
+  const pkgRaw = await readFile4(join3(rootDir, "package.json"), "utf-8");
   const pkg = JSON.parse(pkgRaw);
   const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
   if (allDeps["brakit"]) return false;
@@ -2044,9 +2115,9 @@ async function setupInstrumentation(rootDir, framework) {
   }
 }
 async function setupNextjs(rootDir) {
-  const hasSrc = await fileExists(join2(rootDir, "src"));
+  const hasSrc = await fileExists(join3(rootDir, "src"));
   const relPath = hasSrc ? "src/instrumentation.ts" : "instrumentation.ts";
-  const absPath = join2(rootDir, relPath);
+  const absPath = join3(rootDir, relPath);
   if (await fileExists(absPath)) {
     const content2 = await readFile4(absPath, "utf-8");
     if (content2.includes(IMPORT_MARKER)) {
@@ -2060,7 +2131,7 @@ async function setupNextjs(rootDir) {
 }
 async function setupNuxt(rootDir) {
   const relPath = "server/plugins/brakit.ts";
-  const absPath = join2(rootDir, relPath);
+  const absPath = join3(rootDir, relPath);
   if (await fileExists(absPath)) {
     const content2 = await readFile4(absPath, "utf-8");
     if (content2.includes(IMPORT_MARKER)) {
@@ -2069,7 +2140,7 @@ async function setupNuxt(rootDir) {
     return { action: "manual", file: relPath };
   }
   const content = BRAKIT_TEMPLATES.nuxt + "\n";
-  const dir = join2(rootDir, "server/plugins");
+  const dir = join3(rootDir, "server/plugins");
   const { mkdirSync: mkdirSync3 } = await import("fs");
   mkdirSync3(dir, { recursive: true });
   await writeFile3(absPath, content);
@@ -2077,7 +2148,7 @@ async function setupNuxt(rootDir) {
 }
 async function setupPrepend(rootDir, ...candidates) {
   for (const relPath of candidates) {
-    const absPath = join2(rootDir, relPath);
+    const absPath = join3(rootDir, relPath);
     if (!await fileExists(absPath)) continue;
     const content = await readFile4(absPath, "utf-8");
     if (content.includes(IMPORT_MARKER)) {
@@ -2091,7 +2162,7 @@ ${content}`);
 }
 async function setupGeneric(rootDir) {
   try {
-    const pkgRaw = await readFile4(join2(rootDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile4(join3(rootDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (pkg.main && typeof pkg.main === "string") {
       const result2 = await setupPrepend(rootDir, pkg.main);
@@ -2112,7 +2183,7 @@ var MCP_CONFIG = {
   }
 };
 async function setupMcp(rootDir, config = MCP_CONFIG) {
-  const mcpPath = join2(rootDir, ".mcp.json");
+  const mcpPath = join3(rootDir, ".mcp.json");
   if (await fileExists(mcpPath)) {
     const raw = await readFile4(mcpPath, "utf-8");
     try {
@@ -2130,7 +2201,7 @@ async function setupMcp(rootDir, config = MCP_CONFIG) {
   return "created";
 }
 async function ensureGitignoreEntry(rootDir, entry) {
-  const gitignorePath = join2(rootDir, ".gitignore");
+  const gitignorePath = join3(rootDir, ".gitignore");
   try {
     if (await fileExists(gitignorePath)) {
       const content = await readFile4(gitignorePath, "utf-8");
@@ -2145,7 +2216,7 @@ async function ensureGitignoreEntry(rootDir, entry) {
 function findGitRoot(startDir) {
   let dir = resolve3(startDir);
   while (true) {
-    if (existsSync5(join2(dir, ".git"))) return dir;
+    if (existsSync5(join3(dir, ".git"))) return dir;
     const parent = dirname(dir);
     if (parent === dir) return null;
     dir = parent;
@@ -2170,11 +2241,13 @@ function printManualInstructions(framework) {
 
 // src/cli/commands/uninstall.ts
 import { defineCommand as defineCommand2 } from "citty";
-import { resolve as resolve4, join as join3 } from "path";
-import { readFile as readFile5, writeFile as writeFile4, unlink, rm } from "fs/promises";
+import { resolve as resolve4, join as join4, relative as relative2 } from "path";
+import { readFile as readFile5, writeFile as writeFile4, unlink, rm, readdir as readdir2 } from "fs/promises";
 import { execSync as execSync2 } from "child_process";
 import pc2 from "picocolors";
 init_constants();
+init_log();
+init_type_guards();
 var PREPENDED_FILES = [
   "app/entry.server.tsx",
   "app/entry.server.ts",
@@ -2196,82 +2269,139 @@ var uninstall_default = defineCommand2({
   },
   async run({ args }) {
     const rootDir = resolve4(args.dir);
-    let project = null;
+    let projects = [];
     try {
-      project = await detectProject(rootDir);
-    } catch {
+      const scanned = await scanForProjects(rootDir);
+      projects = scanned.filter((p) => p.type === "node" && p.node).map((p) => ({ dir: p.dir, pm: p.node.packageManager }));
+    } catch (err) {
+      brakitDebug(`uninstall: project scan failed: ${getErrorMessage(err)}`);
+    }
+    if (projects.length === 0) {
+      projects = [{ dir: rootDir, pm: "npm" }];
     }
     console.log();
     console.log(pc2.bold("  \u25C6 brakit uninstall"));
     console.log();
-    let removed = false;
-    for (const relPath of CREATED_FILES) {
-      const absPath = join3(rootDir, relPath);
-      if (!await fileExists(absPath)) continue;
-      const content = await readFile5(absPath, "utf-8");
-      if (!content.includes("brakit")) continue;
-      if (isExactBrakitTemplate(content)) {
-        await unlink(absPath);
-        console.log(pc2.green(`  \u2713 Removed ${relPath}`));
-        removed = true;
-        break;
-      }
-      const lines = content.split("\n");
-      const cleaned = lines.filter(
-        (line) => !line.includes('import("brakit")') && !line.includes('import "brakit"')
-      );
-      if (cleaned.length < lines.length) {
-        await writeFile4(absPath, cleaned.join("\n"));
-        console.log(pc2.green(`  \u2713 Removed brakit lines from ${relPath}`));
-        removed = true;
-        break;
-      }
-    }
-    if (!removed) {
-      const candidates = [...PREPENDED_FILES];
-      try {
-        const pkgRaw = await readFile5(join3(rootDir, "package.json"), "utf-8");
-        const pkg = JSON.parse(pkgRaw);
-        if (pkg.main) candidates.unshift(pkg.main);
-      } catch {
+    for (const project of projects) {
+      const suffix = projects.length > 1 ? ` in ${relative2(rootDir, project.dir) || "."}` : "";
+      const removed = await removeInstrumentation(project.dir);
+      if (removed) {
+        console.log(pc2.green(`  \u2713 ${removed}${suffix}`));
+      } else {
+        console.log(pc2.dim(`  No brakit instrumentation files found${suffix}.`));
       }
-      for (const relPath of candidates) {
-        const absPath = join3(rootDir, relPath);
-        if (!await fileExists(absPath)) continue;
-        const content = await readFile5(absPath, "utf-8");
-        if (!content.includes(IMPORT_LINE)) continue;
-        const updated = content.split("\n").filter((line) => line.trim() !== IMPORT_LINE.trim()).join("\n");
-        await writeFile4(absPath, updated);
-        console.log(pc2.green(`  \u2713 Removed brakit import from ${relPath}`));
-        removed = true;
-        break;
+      const uninstalled = await uninstallPackage(project.dir, project.pm);
+      if (uninstalled === true) {
+        console.log(pc2.green(`  \u2713 Removed brakit from devDependencies${suffix}`));
+      } else if (uninstalled === "failed") {
       }
     }
-    if (!removed) {
-      console.log(pc2.dim("  No brakit instrumentation files found."));
-    }
     const mcpRemoved = await removeMcpConfig(rootDir);
     if (mcpRemoved) {
       console.log(pc2.green("  \u2713 Removed brakit MCP configuration"));
     }
     const dataRemoved = await removeBrakitData(rootDir);
     if (dataRemoved) {
-      console.log(pc2.green("  \u2713 Removed .brakit directory"));
+      console.log(pc2.green("  \u2713 Removed .brakit data"));
     }
     const gitignoreCleaned = await cleanGitignore(rootDir);
     if (gitignoreCleaned) {
       console.log(pc2.green("  \u2713 Removed .brakit from .gitignore"));
     }
-    const pm = project?.packageManager ?? "npm";
-    const uninstalled = await uninstallPackage(rootDir, pm);
-    if (uninstalled) {
-      console.log(pc2.green("  \u2713 Removed brakit from devDependencies"));
+    const cacheCleared = await clearBuildCaches(rootDir);
+    if (cacheCleared) {
+      console.log(pc2.green("  \u2713 Cleared build cache"));
     }
     console.log();
   }
 });
+async function removeInstrumentation(projectDir) {
+  for (const relPath of CREATED_FILES) {
+    const result2 = await tryRemoveBrakitFromFile(projectDir, relPath);
+    if (result2) return result2;
+  }
+  const candidates = [...PREPENDED_FILES];
+  try {
+    const pkgRaw = await readFile5(join4(projectDir, "package.json"), "utf-8");
+    const pkg = JSON.parse(pkgRaw);
+    if (pkg.main) candidates.unshift(pkg.main);
+  } catch (err) {
+    brakitDebug(`uninstall: no package.json main: ${getErrorMessage(err)}`);
+  }
+  for (const relPath of candidates) {
+    const result2 = await tryRemoveImportLine(projectDir, relPath);
+    if (result2) return result2;
+  }
+  const result = await fallbackSearchAndRemove(projectDir);
+  if (result) return result;
+  return null;
+}
+async function tryRemoveBrakitFromFile(projectDir, relPath) {
+  const absPath = join4(projectDir, relPath);
+  if (!await fileExists(absPath)) return null;
+  const content = await readFile5(absPath, "utf-8");
+  if (!content.includes("brakit")) return null;
+  if (isExactBrakitTemplate(content)) {
+    await unlink(absPath);
+    return `Removed ${relPath}`;
+  }
+  const lines = content.split("\n");
+  const cleaned = removeBrakitImportLines(lines);
+  if (cleaned.length < lines.length) {
+    await writeFile4(absPath, cleaned.join("\n"));
+    return `Removed brakit lines from ${relPath}`;
+  }
+  return null;
+}
+async function tryRemoveImportLine(projectDir, relPath) {
+  const absPath = join4(projectDir, relPath);
+  if (!await fileExists(absPath)) return null;
+  const content = await readFile5(absPath, "utf-8");
+  if (!content.includes(IMPORT_LINE)) return null;
+  const updated = content.split("\n").filter((line) => line.trim() !== IMPORT_LINE.trim()).join("\n");
+  await writeFile4(absPath, updated);
+  return `Removed brakit import from ${relPath}`;
+}
+async function fallbackSearchAndRemove(projectDir) {
+  const dirsToScan = FALLBACK_SCAN_DIRS;
+  for (const dir of dirsToScan) {
+    const absDir = join4(projectDir, dir);
+    if (!await fileExists(absDir)) continue;
+    let entries;
+    try {
+      entries = await readdir2(absDir);
+    } catch (err) {
+      brakitDebug(`uninstall: could not read ${absDir}: ${getErrorMessage(err)}`);
+      continue;
+    }
+    for (const entry of entries) {
+      const ext = entry.slice(entry.lastIndexOf("."));
+      if (!SUPPORTED_SOURCE_EXTENSIONS.has(ext)) continue;
+      const relPath = dir === "." ? entry : `${dir}/${entry}`;
+      const absPath = join4(projectDir, relPath);
+      try {
+        const content = await readFile5(absPath, "utf-8");
+        if (!containsBrakitImport(content)) continue;
+        if (isExactBrakitTemplate(content)) {
+          await unlink(absPath);
+          return `Removed ${relPath}`;
+        }
+        const lines = content.split("\n");
+        const cleaned = removeBrakitImportLines(lines);
+        if (cleaned.length < lines.length) {
+          await writeFile4(absPath, cleaned.join("\n"));
+          return `Removed brakit import from ${relPath}`;
+        }
+      } catch (err) {
+        brakitDebug(`uninstall: fallback scan failed for ${relPath}: ${getErrorMessage(err)}`);
+        continue;
+      }
+    }
+  }
+  return null;
+}
 async function removeMcpConfig(rootDir) {
-  const mcpPath = join3(rootDir, ".mcp.json");
+  const mcpPath = join4(rootDir, ".mcp.json");
   if (!await fileExists(mcpPath)) return false;
   try {
     const raw = await readFile5(mcpPath, "utf-8");
@@ -2284,16 +2414,18 @@ async function removeMcpConfig(rootDir) {
       await writeFile4(mcpPath, JSON.stringify(config, null, 2) + "\n");
     }
     return true;
-  } catch {
+  } catch (err) {
+    brakitDebug(`uninstall: MCP config cleanup failed: ${getErrorMessage(err)}`);
     return false;
   }
 }
 async function uninstallPackage(rootDir, pm) {
   try {
-    const pkgRaw = await readFile5(join3(rootDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile5(join4(rootDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (!pkg.devDependencies?.brakit && !pkg.dependencies?.brakit) return false;
-  } catch {
+  } catch (err) {
+    brakitDebug(`uninstall: could not read package.json: ${getErrorMessage(err)}`);
     return false;
   }
   const cmds = {
@@ -2305,23 +2437,36 @@ async function uninstallPackage(rootDir, pm) {
   const cmd = cmds[pm] ?? cmds.npm;
   try {
     execSync2(cmd, { cwd: rootDir, stdio: "pipe" });
+    return true;
   } catch {
     console.warn(pc2.yellow(`  \u26A0 Failed to run "${cmd}". Remove brakit manually.`));
+    return "failed";
   }
-  return true;
 }
 async function removeBrakitData(rootDir) {
-  const dataDir = join3(rootDir, METRICS_DIR);
-  if (!await fileExists(dataDir)) return false;
-  try {
-    await rm(dataDir, { recursive: true, force: true });
-    return true;
-  } catch {
-    return false;
+  let removed = false;
+  const projectDir = join4(rootDir, METRICS_DIR);
+  if (await fileExists(projectDir)) {
+    try {
+      await rm(projectDir, { recursive: true, force: true });
+      removed = true;
+    } catch (err) {
+      brakitDebug(`uninstall: could not remove ${projectDir}: ${getErrorMessage(err)}`);
+    }
   }
+  const homeDataDir = getProjectDataDir(rootDir);
+  if (await fileExists(homeDataDir)) {
+    try {
+      await rm(homeDataDir, { recursive: true, force: true });
+      removed = true;
+    } catch (err) {
+      brakitDebug(`uninstall: could not remove ${homeDataDir}: ${getErrorMessage(err)}`);
+    }
+  }
+  return removed;
 }
 async function cleanGitignore(rootDir) {
-  const gitignorePath = join3(rootDir, ".gitignore");
+  const gitignorePath = join4(rootDir, ".gitignore");
   if (!await fileExists(gitignorePath)) return false;
   try {
     const content = await readFile5(gitignorePath, "utf-8");
@@ -2330,10 +2475,25 @@ async function cleanGitignore(rootDir) {
     if (filtered.length === lines.length) return false;
     await writeFile4(gitignorePath, filtered.join("\n"));
     return true;
-  } catch {
+  } catch (err) {
+    brakitDebug(`uninstall: gitignore cleanup failed: ${getErrorMessage(err)}`);
     return false;
   }
 }
+async function clearBuildCaches(rootDir) {
+  let cleared = false;
+  for (const dir of BUILD_CACHE_DIRS) {
+    const absDir = join4(rootDir, dir);
+    if (!await fileExists(absDir)) continue;
+    try {
+      await rm(absDir, { recursive: true, force: true });
+      cleared = true;
+    } catch (err) {
+      brakitDebug(`uninstall: could not clear cache ${absDir}: ${getErrorMessage(err)}`);
+    }
+  }
+  return cleared;
+}
 
 // bin/brakit.ts
 var sub = process.argv[2];