npm - brakit - Versions diffs - 0.8.6 → 0.9.0 - Mend

brakit 0.8.6 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +22 -4
package/dist/api.d.ts +87 -48
package/dist/api.js +820 -788
package/dist/bin/brakit.js +327 -419
package/dist/dashboard-client.global.js +901 -0
package/dist/dashboard.html +1215 -2215
package/dist/mcp/server.js +7 -15
package/dist/runtime/index.js +3364 -5700
package/package.json +4 -2

package/dist/api.js CHANGED Viewed

@@ -10,17 +10,50 @@ import { createHash } from "crypto";
 import { homedir } from "os";
 import { resolve, join } from "path";
-// src/constants/limits.ts
+// src/constants/config.ts
 var ANALYSIS_DEBOUNCE_MS = 300;
 var ISSUE_ID_HASH_LENGTH = 16;
 var ISSUES_DATA_VERSION = 2;
 var SECRET_SCAN_ARRAY_LIMIT = 5;
 var PII_SCAN_ARRAY_LIMIT = 10;
 var MIN_SECRET_VALUE_LENGTH = 8;
-var FULL_RECORD_MIN_FIELDS = 5;
+var FULL_RECORD_MIN_FIELDS = 8;
 var LIST_PII_MIN_ITEMS = 2;
 var MAX_OBJECT_SCAN_DEPTH = 5;
 var ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+var FLOW_GAP_MS = 5e3;
+var SLOW_REQUEST_THRESHOLD_MS = 2e3;
+var MIN_POLLING_SEQUENCE = 3;
+var ENDPOINT_TRUNCATE_LENGTH = 12;
+var N1_QUERY_THRESHOLD = 5;
+var ERROR_RATE_THRESHOLD_PCT = 20;
+var MIN_REQUESTS_FOR_INSIGHT = 2;
+var HIGH_QUERY_COUNT_PER_REQ = 5;
+var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
+var CROSS_ENDPOINT_PCT = 50;
+var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
+var REDUNDANT_QUERY_MIN_COUNT = 2;
+var LARGE_RESPONSE_BYTES = 51200;
+var HIGH_ROW_COUNT = 100;
+var OVERFETCH_MIN_REQUESTS = 2;
+var OVERFETCH_MIN_FIELDS = 8;
+var OVERFETCH_MIN_INTERNAL_IDS = 2;
+var OVERFETCH_NULL_RATIO = 0.3;
+var REGRESSION_PCT_THRESHOLD = 50;
+var REGRESSION_MIN_INCREASE_MS = 200;
+var REGRESSION_MIN_REQUESTS = 5;
+var QUERY_COUNT_REGRESSION_RATIO = 1.5;
+var OVERFETCH_MANY_FIELDS = 12;
+var OVERFETCH_UNWRAP_MIN_SIZE = 3;
+var MAX_DUPLICATE_INSIGHTS = 3;
+var INSIGHT_WINDOW_PER_ENDPOINT = 20;
+var CLEAN_HITS_FOR_RESOLUTION = 5;
+var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+var STRICT_MODE_MAX_GAP_MS = 2e3;
+var BASELINE_MIN_SESSIONS = 2;
+var BASELINE_MIN_REQUESTS_PER_SESSION = 3;
+var ISSUES_FILE = "issues.json";
+var ISSUES_FLUSH_INTERVAL_MS = 1e4;
 // src/utils/log.ts
 var PREFIX = "[brakit]";
@@ -42,7 +75,9 @@ function getErrorMessage(err) {
   return String(err);
 }
 function validateIssuesData(parsed) {
-  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+  if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+  const obj = parsed;
+  if (obj.version === ISSUES_DATA_VERSION && Array.isArray(obj.issues)) {
     return parsed;
   }
   return null;
@@ -86,41 +121,6 @@ async function ensureGitignoreAsync(dir, entry) {
   }
 }
-// src/constants/metrics.ts
-var ISSUES_FILE = "issues.json";
-var ISSUES_FLUSH_INTERVAL_MS = 1e4;
-// src/constants/thresholds.ts
-var FLOW_GAP_MS = 5e3;
-var SLOW_REQUEST_THRESHOLD_MS = 2e3;
-var MIN_POLLING_SEQUENCE = 3;
-var ENDPOINT_TRUNCATE_LENGTH = 12;
-var N1_QUERY_THRESHOLD = 5;
-var ERROR_RATE_THRESHOLD_PCT = 20;
-var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
-var MIN_REQUESTS_FOR_INSIGHT = 2;
-var HIGH_QUERY_COUNT_PER_REQ = 5;
-var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
-var CROSS_ENDPOINT_PCT = 50;
-var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
-var REDUNDANT_QUERY_MIN_COUNT = 2;
-var LARGE_RESPONSE_BYTES = 51200;
-var HIGH_ROW_COUNT = 100;
-var OVERFETCH_MIN_REQUESTS = 2;
-var OVERFETCH_MIN_FIELDS = 8;
-var OVERFETCH_MIN_INTERNAL_IDS = 2;
-var OVERFETCH_NULL_RATIO = 0.3;
-var REGRESSION_PCT_THRESHOLD = 50;
-var REGRESSION_MIN_INCREASE_MS = 200;
-var REGRESSION_MIN_REQUESTS = 5;
-var QUERY_COUNT_REGRESSION_RATIO = 1.5;
-var OVERFETCH_MANY_FIELDS = 12;
-var OVERFETCH_UNWRAP_MIN_SIZE = 3;
-var MAX_DUPLICATE_INSIGHTS = 3;
-var INSIGHT_WINDOW_PER_ENDPOINT = 20;
-var CLEAN_HITS_FOR_RESOLUTION = 5;
-var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
 // src/utils/atomic-writer.ts
 import {
   writeFileSync as writeFileSync2,
@@ -132,11 +132,10 @@ import { writeFile as writeFile2, mkdir, rename } from "fs/promises";
 var AtomicWriter = class {
   constructor(opts) {
     this.opts = opts;
+    this.writing = false;
+    this.pendingContent = null;
     this.tmpPath = opts.filePath + ".tmp";
   }
-  tmpPath;
-  writing = false;
-  pendingContent = null;
   writeSync(content) {
     try {
       this.ensureDir();
@@ -198,6 +197,9 @@ function computeIssueId(issue) {
 var IssueStore = class {
   constructor(dataDir) {
     this.dataDir = dataDir;
+    this.issues = /* @__PURE__ */ new Map();
+    this.flushTimer = null;
+    this.dirty = false;
     this.issuesPath = resolve2(dataDir, ISSUES_FILE);
     this.writer = new AtomicWriter({
       dir: dataDir,
@@ -205,11 +207,6 @@ var IssueStore = class {
       label: "issues"
     });
   }
-  issues = /* @__PURE__ */ new Map();
-  flushTimer = null;
-  dirty = false;
-  writer;
-  issuesPath;
   start() {
     this.loadAsync().catch((err) => brakitDebug(`IssueStore: async load failed: ${err}`));
     this.flushTimer = setInterval(
@@ -429,8 +426,10 @@ function detectFrameworkFromDeps(allDeps) {
 // src/instrument/adapter-registry.ts
 var AdapterRegistry = class {
-  adapters = [];
-  active = [];
+  constructor() {
+    this.adapters = [];
+    this.active = [];
+  }
   register(adapter) {
     this.adapters.push(adapter);
   }
@@ -468,11 +467,12 @@ function tryParseJson(body) {
     return null;
   }
 }
+var MAX_WRAPPER_KEYS = 3;
 function unwrapResponse(parsed) {
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
   const obj = parsed;
   const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
+  if (keys.length > MAX_WRAPPER_KEYS) return parsed;
   let best = null;
   let bestSize = 0;
   for (const key of keys) {
@@ -504,6 +504,8 @@ var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
 var INTERNAL_ID_SUFFIX = /Id$|_id$/;
+var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
+var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var SELECT_STAR_RE = /^SELECT\s+\*/i;
 var SELECT_DOT_STAR_RE = /\.\*\s+FROM/i;
 var RULE_HINTS = {
@@ -528,27 +530,87 @@ function isRedirect(code) {
   return code >= 300 && code < 400;
 }
-// src/analysis/rules/exposed-secret.ts
-function findSecretKeys(obj, prefix, depth = 0) {
-  const found = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
-  if (!obj || typeof obj !== "object") return found;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
-      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
+// src/utils/collections.ts
+function getOrCreate(map, key, create) {
+  let value = map.get(key);
+  if (value === void 0) {
+    value = create();
+    map.set(key, value);
+  }
+  return value;
+}
+function deduplicateFindings(items, extract) {
+  const seen = /* @__PURE__ */ new Map();
+  const findings = [];
+  for (const item of items) {
+    const result = extract(item);
+    if (!result) continue;
+    const existing = seen.get(result.key);
+    if (existing) {
+      existing.count++;
+      continue;
+    }
+    seen.set(result.key, result.finding);
+    findings.push(result.finding);
+  }
+  return findings;
+}
+function groupBy(items, keyFn) {
+  const map = /* @__PURE__ */ new Map();
+  for (const item of items) {
+    const key = keyFn(item);
+    if (key == null) continue;
+    let arr = map.get(key);
+    if (!arr) {
+      arr = [];
+      map.set(key, arr);
     }
-    return found;
+    arr.push(item);
   }
-  for (const k of Object.keys(obj)) {
-    const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
-      found.push(k);
+  return map;
+}
+// src/utils/object-scan.ts
+var DEFAULTS = {
+  maxDepth: MAX_OBJECT_SCAN_DEPTH,
+  arrayLimit: SECRET_SCAN_ARRAY_LIMIT
+};
+function walkObject(obj, visitor, options) {
+  const opts = { ...DEFAULTS, ...options };
+  walk(obj, visitor, opts, 0);
+}
+function walk(obj, visitor, opts, depth) {
+  if (depth >= opts.maxDepth) return;
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, opts.arrayLimit); i++) {
+      walk(obj[i], visitor, opts, depth + 1);
     }
+    return;
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    visitor(key, val, depth);
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
+      walk(val, visitor, opts, depth + 1);
     }
   }
-  return found;
+}
+function collectFromObject(obj, match, options) {
+  const results = [];
+  walkObject(obj, (key, value) => {
+    const result = match(key, value);
+    if (result !== null) results.push(result);
+  }, options);
+  return results;
+}
+// src/analysis/rules/auth-rules.ts
+function findSecretKeys(obj) {
+  return collectFromObject(
+    obj,
+    (key, val) => SECRET_KEYS.test(key) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val) ? key : null
+  );
 }
 var exposedSecretRule = {
   id: "exposed-secret",
@@ -556,50 +618,39 @@ var exposedSecretRule = {
   name: "Exposed Secret in Response",
   hint: RULE_HINTS["exposed-secret"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const parsed = ctx.parsedBodies.response.get(r.id);
-      if (!parsed) continue;
-      const keys = findSecretKeys(parsed, "");
-      if (keys.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${keys.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "exposed-secret",
-        title: "Exposed Secret in Response",
-        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      const parsed = ctx.parsedBodies.response.get(request.id);
+      if (!parsed) return null;
+      const keys = findSecretKeys(parsed);
+      if (keys.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${keys.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "exposed-secret",
+          title: "Exposed Secret in Response",
+          desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Exposed fields: ${keys.join(", ")}. ${keys.length} unmasked secret value${keys.length !== 1 ? "s" : ""} in response body.`,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-// src/analysis/rules/token-in-url.ts
 var tokenInUrlRule = {
   id: "token-in-url",
   severity: "critical",
   name: "Auth Token in URL",
   hint: RULE_HINTS["token-in-url"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      const qIdx = r.url.indexOf("?");
-      if (qIdx === -1) continue;
-      const params = r.url.substring(qIdx + 1).split("&");
+    return deduplicateFindings(ctx.requests, (request) => {
+      const qIdx = request.url.indexOf("?");
+      if (qIdx === -1) return null;
+      const params = request.url.substring(qIdx + 1).split("&");
       const flagged = [];
       for (const param of params) {
         const [name, ...rest] = param.split("=");
@@ -609,65 +660,128 @@ var tokenInUrlRule = {
           flagged.push(name);
         }
       }
-      if (flagged.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
+      if (flagged.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${flagged.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "token-in-url",
+          title: "Auth Token in URL",
+          desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+          hint: this.hint,
+          detail: `Parameters in URL: ${flagged.join(", ")}. Auth tokens in URLs are logged by proxies, browsers, and CDNs.`,
+          endpoint: ep,
+          count: 1
+        }
+      };
+    });
+  }
+};
+function isFrameworkResponse(request) {
+  if (isRedirect(request.statusCode)) return true;
+  if (request.path?.startsWith("/__")) return true;
+  if (request.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  severity: "warning",
+  name: "Insecure Cookie",
+  hint: RULE_HINTS["insecure-cookie"],
+  check(ctx) {
+    const cookieEntries = [];
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      if (isFrameworkResponse(request)) continue;
+      const setCookie = request.responseHeaders["set-cookie"];
+      if (!setCookie) continue;
+      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
+      for (const cookie of cookies) {
+        cookieEntries.push({ cookie });
       }
-      const finding = {
-        severity: "critical",
-        rule: "token-in-url",
-        title: "Auth Token in URL",
-        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+    }
+    return deduplicateFindings(cookieEntries, ({ cookie }) => {
+      const cookieName = cookie.trim().split("=")[0].trim();
+      const lower = cookie.toLowerCase();
+      const issues = [];
+      if (!lower.includes("httponly")) issues.push("HttpOnly");
+      if (!lower.includes("samesite")) issues.push("SameSite");
+      if (issues.length === 0) return null;
+      return {
+        key: `${cookieName}:${issues.join(",")}`,
+        finding: {
+          severity: "warning",
+          rule: "insecure-cookie",
+          title: "Insecure Cookie",
+          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Missing: ${issues.join(", ")}. ${issues.includes("HttpOnly") ? "Cookie accessible via JavaScript (XSS risk). " : ""}${issues.includes("SameSite") ? "Cookie sent on cross-site requests (CSRF risk)." : ""}`,
+          endpoint: cookieName,
+          count: 1
+        }
+      };
+    });
+  }
+};
+var corsCredentialsRule = {
+  id: "cors-credentials",
+  severity: "warning",
+  name: "CORS Credentials with Wildcard",
+  hint: RULE_HINTS["cors-credentials"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      const origin = request.responseHeaders["access-control-allow-origin"];
+      const creds = request.responseHeaders["access-control-allow-credentials"];
+      if (origin !== "*" || creds !== "true") continue;
+      const ep = `${request.method} ${request.path}`;
+      if (seen.has(ep)) continue;
+      seen.add(ep);
+      findings.push({
+        severity: "warning",
+        rule: "cors-credentials",
+        title: "CORS Credentials with Wildcard",
+        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
         hint: this.hint,
         endpoint: ep,
         count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
+      });
     }
     return findings;
   }
 };
-// src/analysis/rules/stack-trace-leak.ts
+// src/analysis/rules/data-rules.ts
 var stackTraceLeakRule = {
   id: "stack-trace-leak",
   severity: "critical",
   name: "Stack Trace Leaked to Client",
   hint: RULE_HINTS["stack-trace-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "stack-trace-leak",
-        title: "Stack Trace Leaked to Client",
-        desc: `${ep} \u2014 response exposes internal stack trace`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (!request.responseBody) return null;
+      if (!STACK_TRACE_RE.test(request.responseBody)) return null;
+      const ep = `${request.method} ${request.path}`;
+      const firstLine = request.responseBody.split("\n").find((l) => STACK_TRACE_RE.test(l))?.trim() ?? "";
+      return {
+        key: ep,
+        finding: {
+          severity: "critical",
+          rule: "stack-trace-leak",
+          title: "Stack Trace Leaked to Client",
+          desc: `${ep} \u2014 response exposes internal stack trace`,
+          hint: this.hint,
+          detail: firstLine ? `Stack trace: ${firstLine.slice(0, 120)}` : void 0,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-// src/analysis/rules/error-info-leak.ts
 var CRITICAL_PATTERNS = [
   { re: DB_CONN_RE, label: "database connection string" },
   { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
@@ -679,90 +793,35 @@ var errorInfoLeakRule = {
   name: "Sensitive Data in Error Response",
   hint: RULE_HINTS["error-info-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
-      const ep = `${r.method} ${r.path}`;
-      for (const p of CRITICAL_PATTERNS) {
-        if (!p.re.test(r.responseBody)) continue;
-        const dedupKey = `${ep}:${p.label}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
+    const entries = [];
+    for (const request of ctx.requests) {
+      if (request.statusCode < 400) continue;
+      if (!request.responseBody) continue;
+      if (request.responseHeaders["x-nextjs-error"] || request.responseHeaders["x-nextjs-matched-path"]) continue;
+      const ep = `${request.method} ${request.path}`;
+      for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.re.test(request.responseBody)) {
+          entries.push({ ep, pattern, body: request.responseBody });
         }
-        const finding = {
+      }
+    }
+    return deduplicateFindings(entries, ({ ep, pattern }) => {
+      return {
+        key: `${ep}:${pattern.label}`,
+        finding: {
           severity: "critical",
           rule: "error-info-leak",
           title: "Sensitive Data in Error Response",
-          desc: `${ep} \u2014 error response exposes ${p.label}`,
+          desc: `${ep} \u2014 error response exposes ${pattern.label}`,
           hint: this.hint,
+          detail: `Detected: ${pattern.label} in error response body`,
           endpoint: ep,
           count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
-  }
-};
-// src/analysis/rules/insecure-cookie.ts
-function isFrameworkResponse(r) {
-  if (isRedirect(r.statusCode)) return true;
-  if (r.path?.startsWith("/__")) return true;
-  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
-  return false;
-}
-var insecureCookieRule = {
-  id: "insecure-cookie",
-  severity: "warning",
-  name: "Insecure Cookie",
-  hint: RULE_HINTS["insecure-cookie"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      if (isFrameworkResponse(r)) continue;
-      const setCookie = r.responseHeaders["set-cookie"];
-      if (!setCookie) continue;
-      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
-      for (const cookie of cookies) {
-        const cookieName = cookie.trim().split("=")[0].trim();
-        const lower = cookie.toLowerCase();
-        const issues = [];
-        if (!lower.includes("httponly")) issues.push("HttpOnly");
-        if (!lower.includes("samesite")) issues.push("SameSite");
-        if (issues.length === 0) continue;
-        const dedupKey = `${cookieName}:${issues.join(",")}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
         }
-        const finding = {
-          severity: "warning",
-          rule: "insecure-cookie",
-          title: "Insecure Cookie",
-          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
-          hint: this.hint,
-          endpoint: cookieName,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
+      };
+    });
   }
 };
-// src/analysis/rules/sensitive-logs.ts
 var sensitiveLogsRule = {
   id: "sensitive-logs",
   severity: "warning",
@@ -787,58 +846,13 @@ var sensitiveLogsRule = {
     }];
   }
 };
-// src/analysis/rules/cors-credentials.ts
-var corsCredentialsRule = {
-  id: "cors-credentials",
-  severity: "warning",
-  name: "CORS Credentials with Wildcard",
-  hint: RULE_HINTS["cors-credentials"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      const origin = r.responseHeaders["access-control-allow-origin"];
-      const creds = r.responseHeaders["access-control-allow-credentials"];
-      if (origin !== "*" || creds !== "true") continue;
-      const ep = `${r.method} ${r.path}`;
-      if (seen.has(ep)) continue;
-      seen.add(ep);
-      findings.push({
-        severity: "warning",
-        rule: "cors-credentials",
-        title: "CORS Credentials with Wildcard",
-        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      });
-    }
-    return findings;
-  }
-};
-// src/analysis/rules/response-pii-leak.ts
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-function findEmails(obj, depth = 0) {
-  const emails = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
-  if (!obj || typeof obj !== "object") return emails;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
-      emails.push(...findEmails(obj[i], depth + 1));
-    }
-    return emails;
-  }
-  for (const v of Object.values(obj)) {
-    if (typeof v === "string" && EMAIL_RE.test(v)) {
-      emails.push(v);
-    } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v, depth + 1));
-    }
-  }
-  return emails;
+function findEmails(obj) {
+  return collectFromObject(
+    obj,
+    (_key, val) => typeof val === "string" && EMAIL_RE.test(val) ? val : null,
+    { arrayLimit: PII_SCAN_ARRAY_LIMIT }
+  );
 }
 function topLevelFieldCount(obj) {
   if (Array.isArray(obj)) {
@@ -854,6 +868,15 @@ function hasInternalIds(obj) {
   }
   return false;
 }
+function hasSensitiveFieldNames(obj, depth = 0) {
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return false;
+  if (!obj || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) return obj.length > 0 && hasSensitiveFieldNames(obj[0], depth + 1);
+  for (const key of Object.keys(obj)) {
+    if (SENSITIVE_FIELD_NAMES.test(key)) return true;
+  }
+  return false;
+}
 function detectEchoPII(method, reqBody, target) {
   if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
   const reqEmails = findEmails(reqBody);
@@ -875,6 +898,13 @@ function detectFullRecordPII(target) {
   if (emails.length === 0) return null;
   return { reason: "full-record", emailCount: emails.length };
 }
+function detectSensitiveFieldPII(target) {
+  const inspect = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (!inspect || typeof inspect !== "object" || Array.isArray(inspect)) return null;
+  if (!hasSensitiveFieldNames(inspect)) return null;
+  if (!hasInternalIds(inspect) && topLevelFieldCount(inspect) < FULL_RECORD_MIN_FIELDS) return null;
+  return { reason: "sensitive-fields", emailCount: 0 };
+}
 function detectListPII(target) {
   if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
   let itemsWithEmail = 0;
@@ -893,12 +923,13 @@ function detectListPII(target) {
 }
 function detectPII(method, reqBody, resBody) {
   const target = unwrapResponse(resBody);
-  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target) ?? detectSensitiveFieldPII(target);
 }
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
-  "list-pii": "returns a list of records containing email addresses"
+  "list-pii": "returns a list of records containing email addresses",
+  "sensitive-fields": "contains sensitive personal data fields (phone, SSN, date of birth, address, etc.)"
 };
 var responsePiiLeakRule = {
   id: "response-pii-leak",
@@ -906,35 +937,33 @@ var responsePiiLeakRule = {
   name: "PII Leak in Response",
   hint: RULE_HINTS["response-pii-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const resJson = ctx.parsedBodies.response.get(r.id);
-      if (!resJson) continue;
-      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
-      const detection = detectPII(r.method, reqJson, resJson);
-      if (!detection) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${detection.reason}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "warning",
-        rule: "response-pii-leak",
-        title: "PII Leak in Response",
-        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      if (SELF_SERVICE_PATH.test(request.path)) return null;
+      const resJson = ctx.parsedBodies.response.get(request.id);
+      if (!resJson) return null;
+      const reqJson = ctx.parsedBodies.request.get(request.id) ?? null;
+      const detection = detectPII(request.method, reqJson, resJson);
+      if (!detection) return null;
+      const ep = `${request.method} ${request.path}`;
+      const fieldCount = topLevelFieldCount(resJson);
+      const detailParts = [`Pattern: ${REASON_LABELS[detection.reason]}`];
+      if (detection.emailCount > 0) detailParts.push(`${detection.emailCount} email${detection.emailCount !== 1 ? "s" : ""} detected`);
+      if (fieldCount > 0) detailParts.push(`${fieldCount} fields per record`);
+      return {
+        key: ep,
+        finding: {
+          severity: "warning",
+          rule: "response-pii-leak",
+          title: "PII Leak in Response",
+          desc: `${ep} \u2014 exposes PII in response`,
+          hint: this.hint,
+          detail: detailParts.join(". "),
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
@@ -942,20 +971,22 @@ var responsePiiLeakRule = {
 function buildBodyCache(requests) {
   const response = /* @__PURE__ */ new Map();
   const request = /* @__PURE__ */ new Map();
-  for (const r of requests) {
-    if (r.responseBody) {
-      const parsed = tryParseJson(r.responseBody);
-      if (parsed != null) response.set(r.id, parsed);
+  for (const req of requests) {
+    if (req.responseBody) {
+      const parsed = tryParseJson(req.responseBody);
+      if (parsed != null) response.set(req.id, parsed);
     }
-    if (r.requestBody) {
-      const parsed = tryParseJson(r.requestBody);
-      if (parsed != null) request.set(r.id, parsed);
+    if (req.requestBody) {
+      const parsed = tryParseJson(req.requestBody);
+      if (parsed != null) request.set(req.id, parsed);
     }
   }
   return { response, request };
 }
 var SecurityScanner = class {
-  rules = [];
+  constructor() {
+    this.rules = [];
+  }
   register(rule) {
     this.rules.push(rule);
   }
@@ -968,7 +999,8 @@ var SecurityScanner = class {
     for (const rule of this.rules) {
       try {
         findings.push(...rule.check(ctx));
-      } catch {
+      } catch (e) {
+        brakitDebug(`rule ${rule.id} failed: ${getErrorMessage(e)}`);
       }
     }
     return findings;
@@ -992,7 +1024,9 @@ function createDefaultScanner() {
 // src/core/disposable.ts
 var SubscriptionBag = class {
-  items = [];
+  constructor() {
+    this.items = [];
+  }
   add(teardown) {
     this.items.push(typeof teardown === "function" ? { dispose: teardown } : teardown);
   }
@@ -1005,7 +1039,7 @@ var SubscriptionBag = class {
 // src/analysis/group.ts
 import { randomUUID } from "crypto";
-// src/constants/routes.ts
+// src/constants/labels.ts
 var DASHBOARD_PREFIX = "/__brakit";
 var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
 var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
@@ -1037,13 +1071,40 @@ var VALID_TABS_TUPLE = [
 ];
 var VALID_TABS = new Set(VALID_TABS_TUPLE);
-// src/constants/network.ts
+// src/constants/features.ts
 var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+// src/utils/endpoint.ts
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var NUMERIC_ID_RE = /^\d+$/;
+var HEX_HASH_RE = /^[0-9a-f]{12,}$/i;
+var ALPHA_TOKEN_RE = /^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/;
+function isDynamicSegment(segment) {
+  return UUID_RE.test(segment) || NUMERIC_ID_RE.test(segment) || HEX_HASH_RE.test(segment) || ALPHA_TOKEN_RE.test(segment);
+}
+var DYNAMIC_SEGMENT_PLACEHOLDER = ":id";
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && isDynamicSegment(seg) ? DYNAMIC_SEGMENT_PLACEHOLDER : seg).join("/");
+}
+function getEndpointKey(method, path) {
+  return `${method} ${normalizePath(path)}`;
+}
+var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
+function extractEndpointFromDesc(desc) {
+  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
+}
+function stripQueryString(path) {
+  const i = path.indexOf("?");
+  return i === -1 ? path : path.slice(0, i);
+}
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
   if (req.isStatic) return "static";
+  if (req.isHealthCheck) return "health-check";
   if (statusCode === 307 && (url.includes("__clerk_handshake") || url.includes("__clerk_db_jwt"))) {
     return "auth-handshake";
   }
@@ -1195,20 +1256,42 @@ function capitalize(s) {
 }
 // src/analysis/transforms.ts
-function markDuplicates(requests) {
+var DUPLICATE_CATEGORIES = /* @__PURE__ */ new Set(["data-fetch", "auth-check"]);
+function isDuplicateCandidate(req) {
+  return DUPLICATE_CATEGORIES.has(req.category);
+}
+function buildRequestKey(req) {
+  return `${req.method} ${stripQueryString(getEffectivePath(req))}`;
+}
+function isStrictModePattern(requests, counts) {
+  if (counts.size === 0 || ![...counts.values()].every((c) => c === 2)) {
+    return false;
+  }
+  const firstByKey = /* @__PURE__ */ new Map();
+  for (const req of requests) {
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
+    const first = firstByKey.get(key);
+    if (!first) {
+      firstByKey.set(key, req);
+    } else if (Math.abs(req.startedAt - first.startedAt) > STRICT_MODE_MAX_GAP_MS) {
+      return false;
+    }
+  }
+  return true;
+}
+function flagDuplicateRequests(requests) {
   const counts = /* @__PURE__ */ new Map();
   for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
     counts.set(key, (counts.get(key) ?? 0) + 1);
   }
-  const isStrictMode = counts.size > 0 && [...counts.values()].every((c) => c === 2);
+  const isStrictMode = isStrictModePattern(requests, counts);
   const seen = /* @__PURE__ */ new Set();
   for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
     if (seen.has(key)) {
       if (isStrictMode) {
         req.isStrictModeDupe = true;
@@ -1220,20 +1303,20 @@ function markDuplicates(requests) {
     }
   }
 }
-function collapsePolling(requests) {
+function mergePollingSequences(requests) {
   const result = [];
   let i = 0;
   while (i < requests.length) {
     const current = requests[i];
-    const currentEffective = getEffectivePath(current).split("?")[0];
+    const currentEffective = stripQueryString(getEffectivePath(current));
     if (current.method === "GET" && current.category === "data-fetch") {
-      let j = i + 1;
-      while (j < requests.length && requests[j].method === "GET" && getEffectivePath(requests[j]).split("?")[0] === currentEffective) {
-        j++;
+      let nextIndex = i + 1;
+      while (nextIndex < requests.length && requests[nextIndex].method === "GET" && stripQueryString(getEffectivePath(requests[nextIndex])) === currentEffective) {
+        nextIndex++;
       }
-      const count = j - i;
+      const count = nextIndex - i;
       if (count >= MIN_POLLING_SEQUENCE) {
-        const last = requests[j - 1];
+        const last = requests[nextIndex - 1];
         const pollingDuration = last.startedAt + last.durationMs - current.startedAt;
         const endpointName = prettifyEndpoint(currentEffective);
         result.push({
@@ -1244,7 +1327,7 @@ function collapsePolling(requests) {
           pollingDurationMs: pollingDuration,
           isDuplicate: false
         });
-        i = j;
+        i = nextIndex;
         continue;
       }
     }
@@ -1257,18 +1340,18 @@ function formatDurationLabel(ms) {
   if (ms < 1e3) return `${ms}ms`;
   return `${(ms / 1e3).toFixed(1)}s`;
 }
-function detectWarnings(requests) {
+function collectRequestWarnings(requests) {
   const warnings = [];
   const duplicateCount = requests.filter((r) => r.isDuplicate).length;
   if (duplicateCount > 0) {
     const unique = new Set(
-      requests.filter((r) => r.isDuplicate).map((r) => `${r.method} ${getEffectivePath(r).split("?")[0]}`)
+      requests.filter((r) => r.isDuplicate).map((r) => buildRequestKey(r))
     );
     const endpoints = unique.size;
     const sameData = requests.filter((r) => r.isDuplicate).every((r) => {
-      const key = `${r.method} ${getEffectivePath(r).split("?")[0]}`;
+      const key = buildRequestKey(r);
       const first = requests.find(
-        (o) => !o.isDuplicate && `${o.method} ${getEffectivePath(o).split("?")[0]}` === key
+        (o) => !o.isDuplicate && buildRequestKey(o) === key
       );
       return first && first.responseBody === r.responseBody;
     });
@@ -1291,6 +1374,14 @@ function detectWarnings(requests) {
 }
 // src/analysis/group.ts
+function shouldStartNewFlow(labeled, currentRequests, lastEndTime, currentSourcePage, startedAt) {
+  if (currentRequests.length === 0) return false;
+  const sourcePage = labeled.sourcePage;
+  const isNewPage = sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
+  const isTimeGap = startedAt - lastEndTime > FLOW_GAP_MS;
+  const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
+  return isNewPage || isTimeGap || isPageLoad;
+}
 function groupRequestsIntoFlows(requests) {
   if (requests.length === 0) return [];
   const flows = [];
@@ -1301,17 +1392,12 @@ function groupRequestsIntoFlows(requests) {
     if (req.path.startsWith(DASHBOARD_PREFIX)) continue;
     const labeled = labelRequest(req);
     if (labeled.category === "static") continue;
-    const sourcePage = labeled.sourcePage;
-    const gap = currentRequests.length > 0 ? req.startedAt - lastEndTime : 0;
-    const isNewPage = currentRequests.length > 0 && sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
-    const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
-    const isTimeGap = currentRequests.length > 0 && gap > FLOW_GAP_MS;
-    if (currentRequests.length > 0 && (isNewPage || isTimeGap || isPageLoad)) {
+    if (shouldStartNewFlow(labeled, currentRequests, lastEndTime, currentSourcePage, req.startedAt)) {
       flows.push(buildFlow(currentRequests));
       currentRequests = [];
     }
     currentRequests.push(labeled);
-    currentSourcePage = sourcePage ?? currentSourcePage;
+    currentSourcePage = labeled.sourcePage ?? currentSourcePage;
     lastEndTime = Math.max(lastEndTime, req.startedAt + req.durationMs);
   }
   if (currentRequests.length > 0) {
@@ -1320,8 +1406,8 @@ function groupRequestsIntoFlows(requests) {
   return flows;
 }
 function buildFlow(rawRequests) {
-  markDuplicates(rawRequests);
-  const requests = collapsePolling(rawRequests);
+  flagDuplicateRequests(rawRequests);
+  const requests = mergePollingSequences(rawRequests);
   const first = requests[0];
   const startTime = first.startedAt;
   const endTime = Math.max(
@@ -1340,7 +1426,7 @@ function buildFlow(rawRequests) {
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
     hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
-    warnings: detectWarnings(rawRequests),
+    warnings: collectRequestWarnings(rawRequests),
     sourcePage,
     redundancyPct
   };
@@ -1352,20 +1438,20 @@ function getDominantSourcePage(requests) {
       counts.set(req.sourcePage, (counts.get(req.sourcePage) ?? 0) + 1);
     }
   }
-  let best = "";
-  let bestCount = 0;
+  let mostCommonPage = "";
+  let highestCount = 0;
   for (const [page, count] of counts) {
-    if (count > bestCount) {
-      best = page;
-      bestCount = count;
+    if (count > highestCount) {
+      mostCommonPage = page;
+      highestCount = count;
     }
   }
-  return best || requests[0]?.path?.split("?")[0] || "/";
+  return mostCommonPage || (requests[0]?.path ? stripQueryString(requests[0].path) : "") || "/";
 }
 function deriveFlowLabel(requests, sourcePage) {
   const trigger = requests.find((r) => r.category === "api-call") ?? requests.find((r) => r.category === "server-action") ?? requests.find((r) => r.category === "page-load") ?? requests.find((r) => r.category === "navigation") ?? requests.find((r) => r.category === "data-fetch") ?? requests[0];
   if (trigger.category === "page-load" || trigger.category === "navigation") {
-    const pageName = prettifyPageName(trigger.path.split("?")[0]);
+    const pageName = prettifyPageName(stripQueryString(trigger.path));
     return `${pageName} Page`;
   }
   if (trigger.category === "api-call") {
@@ -1390,67 +1476,23 @@ function deriveFlowLabel(requests, sourcePage) {
   return trigger.label;
 }
-// src/utils/collections.ts
-function groupBy(items, keyFn) {
-  const map = /* @__PURE__ */ new Map();
-  for (const item of items) {
-    const key = keyFn(item);
-    if (key == null) continue;
-    let arr = map.get(key);
-    if (!arr) {
-      arr = [];
-      map.set(key, arr);
-    }
-    arr.push(item);
-  }
-  return map;
-}
-// src/utils/endpoint.ts
-var DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
-function normalizePath(path) {
-  const qIdx = path.indexOf("?");
-  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
-  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
-}
-function getEndpointKey(method, path) {
-  return `${method} ${normalizePath(path)}`;
-}
-var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
-function extractEndpointFromDesc(desc) {
-  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
-}
 // src/instrument/adapters/normalize.ts
+var VALID_OPS = /* @__PURE__ */ new Set(["SELECT", "INSERT", "UPDATE", "DELETE"]);
+var TABLE_RE = /(?:FROM|INTO|UPDATE)\s+(?:"?\w+"?\.)?"?(\w+)"?/i;
 function normalizeSQL(sql) {
   if (!sql) return { op: "OTHER", table: "" };
   const trimmed = sql.trim();
-  const op = trimmed.split(/\s+/)[0].toUpperCase();
-  if (/SELECT\s+COUNT/i.test(trimmed)) {
-    const match = trimmed.match(/FROM\s+"?\w+"?\."?(\w+)"?/i);
-    return { op: "SELECT", table: match?.[1] ?? "" };
-  }
-  const tableMatch = trimmed.match(/(?:FROM|INTO|UPDATE)\s+"?\w+"?\."?(\w+)"?/i);
-  const table = tableMatch?.[1] ?? "";
-  switch (op) {
-    case "SELECT":
-      return { op: "SELECT", table };
-    case "INSERT":
-      return { op: "INSERT", table };
-    case "UPDATE":
-      return { op: "UPDATE", table };
-    case "DELETE":
-      return { op: "DELETE", table };
-    default:
-      return { op: "OTHER", table };
-  }
-}
+  const keyword = trimmed.split(/\s+/, 1)[0].toUpperCase();
+  const op = VALID_OPS.has(keyword) ? keyword : "OTHER";
+  const table = trimmed.match(TABLE_RE)?.[1] ?? "";
+  return { op, table };
+}
+var SQL_PARAM_MARKER = /\$\d+/g;
+var SQL_STRING_LITERAL = /'[^']*'/g;
+var SQL_NUMBER_LITERAL = /\b\d+(\.\d+)?\b/g;
 function normalizeQueryParams(sql) {
   if (!sql) return null;
-  let n = sql.replace(/'[^']*'/g, "?");
-  n = n.replace(/\b\d+(\.\d+)?\b/g, "?");
-  n = n.replace(/\$\d+/g, "?");
-  return n;
+  return sql.replace(SQL_PARAM_MARKER, "?").replace(SQL_STRING_LITERAL, "?").replace(SQL_NUMBER_LITERAL, "?");
 }
 // src/analysis/insights/query-helpers.ts
@@ -1467,7 +1509,7 @@ function getQueryInfo(q) {
 }
 // src/analysis/insights/prepare.ts
-function createEndpointGroup() {
+function emptyEndpointGroup() {
   return {
     total: 0,
     errors: 0,
@@ -1479,16 +1521,12 @@ function createEndpointGroup() {
     queryShapeDurations: /* @__PURE__ */ new Map()
   };
 }
-function windowByEndpoint(requests) {
+function keepRecentPerEndpoint(requests) {
   const byEndpoint = /* @__PURE__ */ new Map();
-  for (const r of requests) {
-    const ep = getEndpointKey(r.method, r.path);
-    let list = byEndpoint.get(ep);
-    if (!list) {
-      list = [];
-      byEndpoint.set(ep, list);
-    }
-    list.push(r);
+  for (const request of requests) {
+    const endpointKey = getEndpointKey(request.method, request.path);
+    const list = getOrCreate(byEndpoint, endpointKey, () => []);
+    list.push(request);
   }
   const windowed = [];
   for (const [, reqs] of byEndpoint) {
@@ -1496,54 +1534,67 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function filterUserRequests(requests) {
+  return requests.filter(
+    (request) => !request.isStatic && !request.isHealthCheck && (!request.path || !request.path.startsWith(DASHBOARD_PREFIX))
+  );
+}
 function extractActiveEndpoints(requests) {
   const endpoints = /* @__PURE__ */ new Set();
-  for (const r of requests) {
-    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
-      endpoints.add(getEndpointKey(r.method, r.path));
-    }
+  for (const request of filterUserRequests(requests)) {
+    endpoints.add(getEndpointKey(request.method, request.path));
   }
   return endpoints;
 }
-function prepareContext(ctx) {
-  const nonStatic = ctx.requests.filter(
-    (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
-  );
-  const queriesByReq = groupBy(ctx.queries, (q) => q.parentRequestId);
-  const fetchesByReq = groupBy(ctx.fetches, (f) => f.parentRequestId);
-  const reqById = new Map(nonStatic.map((r) => [r.id, r]));
-  const recent = windowByEndpoint(nonStatic);
+function aggregateEndpointMetrics(recent, queriesByReq, fetchesByReq) {
   const endpointGroups = /* @__PURE__ */ new Map();
-  for (const r of recent) {
-    const ep = getEndpointKey(r.method, r.path);
-    let g = endpointGroups.get(ep);
-    if (!g) {
-      g = createEndpointGroup();
-      endpointGroups.set(ep, g);
-    }
-    g.total++;
-    if (isErrorStatus(r.statusCode)) g.errors++;
-    g.totalDuration += r.durationMs;
-    g.totalSize += r.responseSize ?? 0;
-    const reqQueries = queriesByReq.get(r.id) ?? [];
-    g.queryCount += reqQueries.length;
-    for (const q of reqQueries) {
-      g.totalQueryTimeMs += q.durationMs;
-      const shape = getQueryShape(q);
-      const info = getQueryInfo(q);
-      let sd = g.queryShapeDurations.get(shape);
-      if (!sd) {
-        sd = { totalMs: 0, count: 0, label: info.op + (info.table ? ` ${info.table}` : "") };
-        g.queryShapeDurations.set(shape, sd);
-      }
-      sd.totalMs += q.durationMs;
-      sd.count++;
-    }
-    const reqFetches = fetchesByReq.get(r.id) ?? [];
-    for (const f of reqFetches) {
-      g.totalFetchTimeMs += f.durationMs;
-    }
-  }
+  for (const request of recent) {
+    const endpointKey = getEndpointKey(request.method, request.path);
+    const group = getOrCreate(endpointGroups, endpointKey, emptyEndpointGroup);
+    group.total++;
+    if (isErrorStatus(request.statusCode)) group.errors++;
+    group.totalDuration += request.durationMs;
+    group.totalSize += request.responseSize ?? 0;
+    const reqQueries = queriesByReq.get(request.id) ?? [];
+    group.queryCount += reqQueries.length;
+    for (const query of reqQueries) {
+      group.totalQueryTimeMs += query.durationMs;
+      const shape = getQueryShape(query);
+      const info = getQueryInfo(query);
+      const shapeDuration = getOrCreate(group.queryShapeDurations, shape, () => ({
+        totalMs: 0,
+        count: 0,
+        label: info.op + (info.table ? ` ${info.table}` : "")
+      }));
+      shapeDuration.totalMs += query.durationMs;
+      shapeDuration.count++;
+    }
+    const reqFetches = fetchesByReq.get(request.id) ?? [];
+    for (const fetch of reqFetches) {
+      group.totalFetchTimeMs += fetch.durationMs;
+    }
+  }
+  return endpointGroups;
+}
+function collectStrictModeDupeIds(ctx) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const flow of ctx.flows) {
+    for (const req of flow.requests) {
+      if (req.isStrictModeDupe) ids.add(req.id);
+    }
+  }
+  return ids;
+}
+function buildInsightContext(ctx) {
+  const strictModeDupeIds = collectStrictModeDupeIds(ctx);
+  const nonStatic = filterUserRequests(ctx.requests).filter((req) => !strictModeDupeIds.has(req.id));
+  const filteredQueries = strictModeDupeIds.size > 0 ? ctx.queries.filter((q) => !q.parentRequestId || !strictModeDupeIds.has(q.parentRequestId)) : ctx.queries;
+  const filteredFetches = strictModeDupeIds.size > 0 ? ctx.fetches.filter((f) => !f.parentRequestId || !strictModeDupeIds.has(f.parentRequestId)) : ctx.fetches;
+  const queriesByReq = groupBy(filteredQueries, (query) => query.parentRequestId);
+  const fetchesByReq = groupBy(filteredFetches, (fetch) => fetch.parentRequestId);
+  const reqById = new Map(nonStatic.map((request) => [request.id, request]));
+  const recent = keepRecentPerEndpoint(nonStatic);
+  const endpointGroups = aggregateEndpointMetrics(recent, queriesByReq, fetchesByReq);
   return {
     ...ctx,
     nonStatic,
@@ -1557,17 +1608,20 @@ function prepareContext(ctx) {
 // src/analysis/insights/runner.ts
 var SEVERITY_ORDER = { critical: 0, warning: 1, info: 2 };
 var InsightRunner = class {
-  rules = [];
+  constructor() {
+    this.rules = [];
+  }
   register(rule) {
     this.rules.push(rule);
   }
   run(ctx) {
-    const prepared = prepareContext(ctx);
+    const prepared = buildInsightContext(ctx);
     const insights = [];
     for (const rule of this.rules) {
       try {
         insights.push(...rule.check(prepared));
-      } catch {
+      } catch (e) {
+        brakitDebug(`insight rule ${rule.id} failed: ${getErrorMessage(e)}`);
       }
     }
     insights.sort(
@@ -1577,338 +1631,121 @@ var InsightRunner = class {
   }
 };
-// src/analysis/insights/rules/n1.ts
+// src/analysis/insights/rules/query-rules.ts
 var n1Rule = {
   id: "n1",
   check(ctx) {
     const insights = [];
-    const seen = /* @__PURE__ */ new Set();
+    const reportedKeys = /* @__PURE__ */ new Set();
     for (const [reqId, reqQueries] of ctx.queriesByReq) {
       const req = ctx.reqById.get(reqId);
       if (!req) continue;
       const endpoint = getEndpointKey(req.method, req.path);
       const shapeGroups = /* @__PURE__ */ new Map();
-      for (const q of reqQueries) {
-        const shape = getQueryShape(q);
+      for (const query of reqQueries) {
+        const shape = getQueryShape(query);
         let group = shapeGroups.get(shape);
         if (!group) {
-          group = { count: 0, distinctSql: /* @__PURE__ */ new Set(), first: q };
+          group = { count: 0, distinctSql: /* @__PURE__ */ new Set(), first: query };
           shapeGroups.set(shape, group);
         }
         group.count++;
-        group.distinctSql.add(q.sql ?? shape);
+        group.distinctSql.add(query.sql ?? shape);
       }
-      for (const [, sg] of shapeGroups) {
-        if (sg.count <= N1_QUERY_THRESHOLD || sg.distinctSql.size <= 1) continue;
-        const info = getQueryInfo(sg.first);
+      for (const [, shapeGroup] of shapeGroups) {
+        if (shapeGroup.count <= N1_QUERY_THRESHOLD || shapeGroup.distinctSql.size <= 1) continue;
+        const info = getQueryInfo(shapeGroup.first);
         const key = `${endpoint}:${info.op}:${info.table || "unknown"}`;
-        if (seen.has(key)) continue;
-        seen.add(key);
+        if (reportedKeys.has(key)) continue;
+        reportedKeys.add(key);
         insights.push({
           severity: "critical",
           type: "n1",
           title: "N+1 Query Pattern",
-          desc: `${endpoint} runs ${sg.count}x ${info.op} ${info.table} with different params in a single request`,
+          desc: `${endpoint} runs ${shapeGroup.count}x ${info.op} ${info.table} with different params in a single request`,
           hint: "This typically happens when fetching related data in a loop. Use a batch query, JOIN, or include/eager-load to fetch all records at once.",
-          nav: "queries"
-        });
-      }
-    }
-    return insights;
-  }
-};
-// src/analysis/insights/rules/cross-endpoint.ts
-var crossEndpointRule = {
-  id: "cross-endpoint",
-  check(ctx) {
-    const insights = [];
-    const queryMap = /* @__PURE__ */ new Map();
-    const allEndpoints = /* @__PURE__ */ new Set();
-    for (const [reqId, reqQueries] of ctx.queriesByReq) {
-      const req = ctx.reqById.get(reqId);
-      if (!req) continue;
-      const endpoint = getEndpointKey(req.method, req.path);
-      allEndpoints.add(endpoint);
-      const seenInReq = /* @__PURE__ */ new Set();
-      for (const q of reqQueries) {
-        const shape = getQueryShape(q);
-        let entry = queryMap.get(shape);
-        if (!entry) {
-          entry = { endpoints: /* @__PURE__ */ new Set(), count: 0, first: q };
-          queryMap.set(shape, entry);
-        }
-        entry.count++;
-        if (!seenInReq.has(shape)) {
-          seenInReq.add(shape);
-          entry.endpoints.add(endpoint);
-        }
-      }
-    }
-    if (allEndpoints.size >= CROSS_ENDPOINT_MIN_ENDPOINTS) {
-      for (const [, cem] of queryMap) {
-        if (cem.count < CROSS_ENDPOINT_MIN_OCCURRENCES) continue;
-        if (cem.endpoints.size < CROSS_ENDPOINT_MIN_ENDPOINTS) continue;
-        const p = Math.round(cem.endpoints.size / allEndpoints.size * 100);
-        if (p < CROSS_ENDPOINT_PCT) continue;
-        const info = getQueryInfo(cem.first);
-        const label = info.op + (info.table ? ` ${info.table}` : "");
-        insights.push({
-          severity: "warning",
-          type: "cross-endpoint",
-          title: "Repeated Query Across Endpoints",
-          desc: `${label} runs on ${cem.endpoints.size} of ${allEndpoints.size} endpoints (${p}%).`,
-          hint: "This query runs on most of your endpoints. Load it once in middleware or cache the result to avoid redundant database calls.",
-          nav: "queries"
+          detail: `${shapeGroup.count} queries with ${shapeGroup.distinctSql.size} distinct param variations. Example: ${[...shapeGroup.distinctSql][0]?.slice(0, 100) ?? info.op + " " + info.table}`
         });
       }
     }
     return insights;
   }
 };
-// src/analysis/insights/rules/redundant-query.ts
 var redundantQueryRule = {
   id: "redundant-query",
   check(ctx) {
     const insights = [];
-    const seen = /* @__PURE__ */ new Set();
+    const reportedKeys = /* @__PURE__ */ new Set();
     for (const [reqId, reqQueries] of ctx.queriesByReq) {
       const req = ctx.reqById.get(reqId);
       if (!req) continue;
       const endpoint = getEndpointKey(req.method, req.path);
-      const exact = /* @__PURE__ */ new Map();
-      for (const q of reqQueries) {
-        if (!q.sql) continue;
-        let entry = exact.get(q.sql);
+      const identicalQueryMap = /* @__PURE__ */ new Map();
+      for (const query of reqQueries) {
+        if (!query.sql) continue;
+        let entry = identicalQueryMap.get(query.sql);
         if (!entry) {
-          entry = { count: 0, first: q };
-          exact.set(q.sql, entry);
+          entry = { count: 0, first: query };
+          identicalQueryMap.set(query.sql, entry);
         }
         entry.count++;
       }
-      for (const [, e] of exact) {
-        if (e.count < REDUNDANT_QUERY_MIN_COUNT) continue;
-        const info = getQueryInfo(e.first);
+      for (const [, entry] of identicalQueryMap) {
+        if (entry.count < REDUNDANT_QUERY_MIN_COUNT) continue;
+        const info = getQueryInfo(entry.first);
         const label = info.op + (info.table ? ` ${info.table}` : "");
-        const dedupKey = `${endpoint}:${label}`;
-        if (seen.has(dedupKey)) continue;
-        seen.add(dedupKey);
+        const deduplicationKey = `${endpoint}:${label}`;
+        if (reportedKeys.has(deduplicationKey)) continue;
+        reportedKeys.add(deduplicationKey);
         insights.push({
           severity: "warning",
           type: "redundant-query",
           title: "Redundant Query",
-          desc: `${label} runs ${e.count}x with identical params in ${endpoint}.`,
+          desc: `${label} runs ${entry.count}x with identical params in ${endpoint}.`,
           hint: "The exact same query with identical parameters runs multiple times in one request. Cache the first result or lift the query to a shared function.",
-          nav: "queries"
-        });
-      }
-    }
-    return insights;
-  }
-};
-// src/analysis/insights/rules/error.ts
-var errorRule = {
-  id: "error",
-  check(ctx) {
-    if (ctx.errors.length === 0) return [];
-    const insights = [];
-    const groups = /* @__PURE__ */ new Map();
-    for (const e of ctx.errors) {
-      const name = e.name || "Error";
-      groups.set(name, (groups.get(name) ?? 0) + 1);
-    }
-    for (const [name, cnt] of groups) {
-      insights.push({
-        severity: "critical",
-        type: "error",
-        title: "Unhandled Error",
-        desc: `${name} \u2014 occurred ${cnt} time${cnt !== 1 ? "s" : ""}`,
-        hint: "Unhandled errors crash request handlers. Wrap async code in try/catch or add error-handling middleware.",
-        nav: "errors"
-      });
-    }
-    return insights;
-  }
-};
-// src/analysis/insights/rules/error-hotspot.ts
-var errorHotspotRule = {
-  id: "error-hotspot",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const errorRate = Math.round(g.errors / g.total * 100);
-      if (errorRate >= ERROR_RATE_THRESHOLD_PCT) {
-        insights.push({
-          severity: "critical",
-          type: "error-hotspot",
-          title: "Error Hotspot",
-          desc: `${ep} \u2014 ${errorRate}% error rate (${g.errors}/${g.total} requests)`,
-          hint: "This endpoint frequently returns errors. Check the response bodies for error details and stack traces.",
-          nav: "requests"
-        });
-      }
-    }
-    return insights;
-  }
-};
-// src/analysis/insights/rules/duplicate.ts
-var duplicateRule = {
-  id: "duplicate",
-  check(ctx) {
-    const dupCounts = /* @__PURE__ */ new Map();
-    const flowCount = /* @__PURE__ */ new Map();
-    for (const flow of ctx.flows) {
-      if (!flow.requests) continue;
-      const seenInFlow = /* @__PURE__ */ new Set();
-      for (const fr of flow.requests) {
-        if (!fr.isDuplicate) continue;
-        const dupKey = `${fr.method} ${fr.label ?? fr.path ?? fr.url}`;
-        dupCounts.set(dupKey, (dupCounts.get(dupKey) ?? 0) + 1);
-        if (!seenInFlow.has(dupKey)) {
-          seenInFlow.add(dupKey);
-          flowCount.set(dupKey, (flowCount.get(dupKey) ?? 0) + 1);
-        }
-      }
-    }
-    const dupEntries = [...dupCounts.entries()].map(([key, count]) => ({ key, count, flows: flowCount.get(key) ?? 0 })).sort((a, b) => b.count - a.count);
-    const insights = [];
-    for (let i = 0; i < Math.min(dupEntries.length, MAX_DUPLICATE_INSIGHTS); i++) {
-      const d = dupEntries[i];
-      insights.push({
-        severity: "warning",
-        type: "duplicate",
-        title: "Duplicate API Call",
-        desc: `${d.key} loaded ${d.count}x as duplicate across ${d.flows} action${d.flows !== 1 ? "s" : ""}`,
-        hint: "Multiple components independently fetch the same endpoint. Lift the fetch to a parent component, use a data cache, or deduplicate with React Query / SWR.",
-        nav: "actions"
-      });
-    }
-    return insights;
-  }
-};
-// src/utils/format.ts
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
-}
-function formatSize(bytes) {
-  if (bytes < 1024) return `${bytes}B`;
-  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
-  return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
-}
-function pct(part, total) {
-  return total > 0 ? Math.round(part / total * 100) : 0;
-}
-// src/analysis/insights/rules/slow.ts
-var slowRule = {
-  id: "slow",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const avgMs = Math.round(g.totalDuration / g.total);
-      if (avgMs < SLOW_ENDPOINT_THRESHOLD_MS) continue;
-      const avgQueryMs = Math.round(g.totalQueryTimeMs / g.total);
-      const avgFetchMs = Math.round(g.totalFetchTimeMs / g.total);
-      const avgAppMs = Math.max(0, avgMs - avgQueryMs - avgFetchMs);
-      const parts = [];
-      if (avgQueryMs > 0) parts.push(`DB ${formatDuration(avgQueryMs)} ${pct(avgQueryMs, avgMs)}%`);
-      if (avgFetchMs > 0) parts.push(`Fetch ${formatDuration(avgFetchMs)} ${pct(avgFetchMs, avgMs)}%`);
-      if (avgAppMs > 0) parts.push(`App ${formatDuration(avgAppMs)} ${pct(avgAppMs, avgMs)}%`);
-      const breakdown = parts.length > 0 ? ` [${parts.join(" \xB7 ")}]` : "";
-      let detail;
-      let slowestMs = 0;
-      for (const [, sd] of g.queryShapeDurations) {
-        const avgShapeMs = sd.totalMs / sd.count;
-        if (avgShapeMs > slowestMs) {
-          slowestMs = avgShapeMs;
-          detail = `Slowest query: ${sd.label} \u2014 avg ${formatDuration(Math.round(avgShapeMs))} (${sd.count}x)`;
-        }
-      }
-      insights.push({
-        severity: "warning",
-        type: "slow",
-        title: "Slow Endpoint",
-        desc: `${ep} \u2014 avg ${formatDuration(avgMs)}${breakdown}`,
-        hint: avgQueryMs >= avgFetchMs && avgQueryMs >= avgAppMs ? "Most time is in database queries. Check the Queries tab for slow or redundant queries." : avgFetchMs >= avgQueryMs && avgFetchMs >= avgAppMs ? "Most time is in outbound HTTP calls. Check if upstream services are slow or if calls can be parallelized." : "Most time is in application code. Profile the handler for CPU-heavy operations or blocking calls.",
-        detail,
-        nav: "requests"
-      });
-    }
-    return insights;
-  }
-};
-// src/analysis/insights/rules/query-heavy.ts
-var queryHeavyRule = {
-  id: "query-heavy",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const avgQueries = Math.round(g.queryCount / g.total);
-      if (avgQueries > HIGH_QUERY_COUNT_PER_REQ) {
-        insights.push({
-          severity: "warning",
-          type: "query-heavy",
-          title: "Query-Heavy Endpoint",
-          desc: `${ep} \u2014 avg ${avgQueries} queries/request`,
-          hint: "Too many queries per request increases latency. Combine queries with JOINs, use batch operations, or reduce the number of data fetches.",
-          nav: "queries"
+          detail: entry.first.sql ? `Query: ${entry.first.sql.slice(0, 120)}` : void 0
         });
       }
     }
     return insights;
   }
 };
-// src/analysis/insights/rules/select-star.ts
 var selectStarRule = {
   id: "select-star",
   check(ctx) {
-    const seen = /* @__PURE__ */ new Map();
+    const tableCounts = /* @__PURE__ */ new Map();
     for (const [, reqQueries] of ctx.queriesByReq) {
-      for (const q of reqQueries) {
-        if (!q.sql) continue;
-        const isSelectStar = SELECT_STAR_RE.test(q.sql.trim()) || SELECT_DOT_STAR_RE.test(q.sql);
+      for (const query of reqQueries) {
+        if (!query.sql) continue;
+        const isSelectStar = SELECT_STAR_RE.test(query.sql.trim()) || SELECT_DOT_STAR_RE.test(query.sql);
         if (!isSelectStar) continue;
-        const info = getQueryInfo(q);
-        const key = info.table || "unknown";
-        seen.set(key, (seen.get(key) ?? 0) + 1);
+        const info = getQueryInfo(query);
+        const table = info.table || "unknown";
+        tableCounts.set(table, (tableCounts.get(table) ?? 0) + 1);
       }
     }
     const insights = [];
-    for (const [table, count] of seen) {
+    for (const [table, count] of tableCounts) {
       if (count < OVERFETCH_MIN_REQUESTS) continue;
       insights.push({
         severity: "warning",
         type: "select-star",
         title: "SELECT * Query",
         desc: `SELECT * on ${table} \u2014 ${count} occurrence${count !== 1 ? "s" : ""}`,
-        hint: "SELECT * fetches all columns including ones you don\u2019t need. Specify only required columns to reduce data transfer and memory usage.",
-        nav: "queries"
+        hint: "SELECT * fetches all columns including ones you don\u2019t need. Specify only required columns to reduce data transfer and memory usage."
       });
     }
     return insights;
   }
 };
-// src/analysis/insights/rules/high-rows.ts
 var highRowsRule = {
   id: "high-rows",
   check(ctx) {
     const seen = /* @__PURE__ */ new Map();
     for (const [, reqQueries] of ctx.queriesByReq) {
-      for (const q of reqQueries) {
-        if (!q.rowCount || q.rowCount <= HIGH_ROW_COUNT) continue;
-        const info = getQueryInfo(q);
+      for (const query of reqQueries) {
+        if (!query.rowCount || query.rowCount <= HIGH_ROW_COUNT) continue;
+        const info = getQueryInfo(query);
         const key = `${info.op} ${info.table || "unknown"}`;
         let entry = seen.get(key);
         if (!entry) {
@@ -1916,7 +1753,7 @@ var highRowsRule = {
           seen.set(key, entry);
         }
         entry.count++;
-        if (q.rowCount > entry.max) entry.max = q.rowCount;
+        if (query.rowCount > entry.max) entry.max = query.rowCount;
       }
     }
     const insights = [];
@@ -1927,28 +1764,62 @@ var highRowsRule = {
         type: "high-rows",
         title: "Large Result Set",
         desc: `${key} returns ${hrs.max}+ rows (${hrs.count}x)`,
-        hint: "Fetching many rows slows responses and wastes memory. Add a LIMIT clause, implement pagination, or filter with a WHERE condition.",
-        nav: "queries"
+        hint: "Fetching many rows slows responses and wastes memory. Add a LIMIT clause, implement pagination, or filter with a WHERE condition."
       });
     }
     return insights;
   }
 };
+var queryHeavyRule = {
+  id: "query-heavy",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const avgQueries = Math.round(group.queryCount / group.total);
+      if (avgQueries > HIGH_QUERY_COUNT_PER_REQ) {
+        insights.push({
+          severity: "warning",
+          type: "query-heavy",
+          title: "Query-Heavy Endpoint",
+          desc: `${endpointKey} \u2014 avg ${avgQueries} queries/request`,
+          hint: "Too many queries per request increases latency. Combine queries with JOINs, use batch operations, or reduce the number of data fetches."
+        });
+      }
+    }
+    return insights;
+  }
+};
+// src/utils/format.ts
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+function formatSize(bytes) {
+  if (bytes < 1024) return `${bytes}B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+}
+function pct(part, total) {
+  return total > 0 ? Math.round(part / total * 100) : 0;
+}
-// src/analysis/insights/rules/response-overfetch.ts
+// src/analysis/insights/rules/response-rules.ts
 var responseOverfetchRule = {
   id: "response-overfetch",
   check(ctx) {
     const insights = [];
     const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.nonStatic) {
-      if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
-      const ep = getEndpointKey(r.method, r.path);
-      if (seen.has(ep)) continue;
+    for (const request of ctx.nonStatic) {
+      if (isErrorStatus(request.statusCode) || !request.responseBody) continue;
+      const endpointKey = getEndpointKey(request.method, request.path);
+      if (seen.has(endpointKey)) continue;
       let parsed;
       try {
-        parsed = JSON.parse(r.responseBody);
-      } catch {
+        parsed = JSON.parse(request.responseBody);
+      } catch (e) {
+        brakitDebug(`json parse: ${getErrorMessage(e)}`);
         continue;
       }
       const target = unwrapResponse(parsed);
@@ -1971,37 +1842,33 @@ var responseOverfetchRule = {
         reasons.push(`${fields.length} fields returned`);
       }
       if (reasons.length > 0) {
-        seen.add(ep);
+        seen.add(endpointKey);
         insights.push({
           severity: "info",
           type: "response-overfetch",
           title: "Response Overfetch",
-          desc: `${ep} \u2014 ${reasons.join(", ")}`,
-          hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure.",
-          nav: "requests"
+          desc: `${endpointKey} \u2014 ${reasons.join(", ")}`,
+          hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure."
         });
       }
     }
     return insights;
   }
 };
-// src/analysis/insights/rules/large-response.ts
 var largeResponseRule = {
   id: "large-response",
   check(ctx) {
     const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < OVERFETCH_MIN_REQUESTS) continue;
-      const avgSize = Math.round(g.totalSize / g.total);
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < OVERFETCH_MIN_REQUESTS) continue;
+      const avgSize = Math.round(group.totalSize / group.total);
       if (avgSize > LARGE_RESPONSE_BYTES) {
         insights.push({
           severity: "info",
           type: "large-response",
           title: "Large Response",
-          desc: `${ep} \u2014 avg ${formatSize(avgSize)} response`,
-          hint: "Large API responses increase network transfer time. Implement pagination, field filtering, or response compression.",
-          nav: "requests"
+          desc: `${endpointKey} \u2014 avg ${formatSize(avgSize)} response`,
+          hint: "Large API responses increase network transfer time. Implement pagination, field filtering, or response compression."
         });
       }
     }
@@ -2009,7 +1876,50 @@ var largeResponseRule = {
   }
 };
-// src/analysis/insights/rules/regression.ts
+// src/analysis/insights/rules/reliability-rules.ts
+var errorRule = {
+  id: "error",
+  check(ctx) {
+    if (ctx.errors.length === 0) return [];
+    const insights = [];
+    const groups = /* @__PURE__ */ new Map();
+    for (const error of ctx.errors) {
+      const name = error.name || "Error";
+      groups.set(name, (groups.get(name) ?? 0) + 1);
+    }
+    for (const [name, cnt] of groups) {
+      insights.push({
+        severity: "critical",
+        type: "error",
+        title: "Unhandled Error",
+        desc: `${name} \u2014 occurred ${cnt} time${cnt !== 1 ? "s" : ""}`,
+        hint: "Unhandled errors crash request handlers. Wrap async code in try/catch or add error-handling middleware.",
+        detail: ctx.errors.find((e) => e.name === name)?.message
+      });
+    }
+    return insights;
+  }
+};
+var errorHotspotRule = {
+  id: "error-hotspot",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const errorRate = Math.round(group.errors / group.total * 100);
+      if (errorRate >= ERROR_RATE_THRESHOLD_PCT) {
+        insights.push({
+          severity: "critical",
+          type: "error-hotspot",
+          title: "Error Hotspot",
+          desc: `${endpointKey} \u2014 ${errorRate}% error rate (${group.errors}/${group.total} requests)`,
+          hint: "This endpoint frequently returns errors. Check the response bodies for error details and stack traces."
+        });
+      }
+    }
+    return insights;
+  }
+};
 var regressionRule = {
   id: "regression",
   check(ctx) {
@@ -2028,8 +1938,7 @@ var regressionRule = {
           type: "regression",
           title: "Performance Regression",
           desc: `${epMetrics.endpoint} p95 degraded ${formatDuration(prev.p95DurationMs)} \u2192 ${formatDuration(current.p95DurationMs)} (+${p95PctChange}%)`,
-          hint: "This endpoint is slower than the previous session. Check if recent code changes added queries or processing.",
-          nav: "graph"
+          hint: "This endpoint is slower than the previous session. Check if recent code changes added queries or processing."
         });
       }
       if (prev.avgQueryCount > 0 && current.avgQueryCount > prev.avgQueryCount * QUERY_COUNT_REGRESSION_RATIO) {
@@ -2038,8 +1947,137 @@ var regressionRule = {
           type: "regression",
           title: "Query Count Regression",
           desc: `${epMetrics.endpoint} queries/request increased ${prev.avgQueryCount} \u2192 ${current.avgQueryCount}`,
-          hint: "This endpoint is making more database queries than before. Check for new N+1 patterns or removed query optimizations.",
-          nav: "queries"
+          hint: "This endpoint is making more database queries than before. Check for new N+1 patterns or removed query optimizations."
+        });
+      }
+    }
+    return insights;
+  }
+};
+function getAdaptiveSlowThreshold(endpointKey, previousMetrics) {
+  if (!previousMetrics) return null;
+  const ep = previousMetrics.find((m) => m.endpoint === endpointKey);
+  if (!ep || ep.sessions.length < BASELINE_MIN_SESSIONS) return null;
+  const valid = ep.sessions.filter((s) => s.requestCount >= BASELINE_MIN_REQUESTS_PER_SESSION);
+  if (valid.length < BASELINE_MIN_SESSIONS) return null;
+  const p95s = valid.map((s) => s.p95DurationMs).sort((a, b) => a - b);
+  const medianP95 = p95s[Math.floor(p95s.length / 2)];
+  return medianP95 * 2;
+}
+var slowRule = {
+  id: "slow",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const avgMs = Math.round(group.totalDuration / group.total);
+      const threshold = getAdaptiveSlowThreshold(endpointKey, ctx.previousMetrics);
+      if (threshold === null || avgMs < threshold) continue;
+      const avgQueryMs = Math.round(group.totalQueryTimeMs / group.total);
+      const avgFetchMs = Math.round(group.totalFetchTimeMs / group.total);
+      const avgAppMs = Math.max(0, avgMs - avgQueryMs - avgFetchMs);
+      const parts = [];
+      if (avgQueryMs > 0) parts.push(`DB ${formatDuration(avgQueryMs)} ${pct(avgQueryMs, avgMs)}%`);
+      if (avgFetchMs > 0) parts.push(`Fetch ${formatDuration(avgFetchMs)} ${pct(avgFetchMs, avgMs)}%`);
+      if (avgAppMs > 0) parts.push(`App ${formatDuration(avgAppMs)} ${pct(avgAppMs, avgMs)}%`);
+      const breakdown = parts.length > 0 ? ` [${parts.join(" \xB7 ")}]` : "";
+      let detail;
+      let slowestMs = 0;
+      for (const [, shapeDuration] of group.queryShapeDurations) {
+        const avgShapeMs = shapeDuration.totalMs / shapeDuration.count;
+        if (avgShapeMs > slowestMs) {
+          slowestMs = avgShapeMs;
+          detail = `Slowest query: ${shapeDuration.label} \u2014 avg ${formatDuration(Math.round(avgShapeMs))} (${shapeDuration.count}x)`;
+        }
+      }
+      insights.push({
+        severity: "warning",
+        type: "slow",
+        title: "Slow Endpoint",
+        desc: `${endpointKey} \u2014 avg ${formatDuration(avgMs)}${breakdown}`,
+        hint: avgQueryMs >= avgFetchMs && avgQueryMs >= avgAppMs ? "Most time is in database queries. Check the Queries tab for slow or redundant queries." : avgFetchMs >= avgQueryMs && avgFetchMs >= avgAppMs ? "Most time is in outbound HTTP calls. Check if upstream services are slow or if calls can be parallelized." : "Most time is in application code. Profile the handler for CPU-heavy operations or blocking calls.",
+        detail
+      });
+    }
+    return insights;
+  }
+};
+// src/analysis/insights/rules/pattern-rules.ts
+var duplicateRule = {
+  id: "duplicate",
+  check(ctx) {
+    const dupCounts = /* @__PURE__ */ new Map();
+    const flowCount = /* @__PURE__ */ new Map();
+    for (const flow of ctx.flows) {
+      if (!flow.requests) continue;
+      const seenInFlow = /* @__PURE__ */ new Set();
+      for (const request of flow.requests) {
+        if (!request.isDuplicate) continue;
+        const deduplicationKey = `${request.method} ${request.label ?? request.path ?? request.url}`;
+        dupCounts.set(deduplicationKey, (dupCounts.get(deduplicationKey) ?? 0) + 1);
+        if (!seenInFlow.has(deduplicationKey)) {
+          seenInFlow.add(deduplicationKey);
+          flowCount.set(deduplicationKey, (flowCount.get(deduplicationKey) ?? 0) + 1);
+        }
+      }
+    }
+    const dupEntries = [...dupCounts.entries()].map(([key, count]) => ({ key, count, flows: flowCount.get(key) ?? 0 })).sort((a, b) => b.count - a.count);
+    const insights = [];
+    for (let i = 0; i < Math.min(dupEntries.length, MAX_DUPLICATE_INSIGHTS); i++) {
+      const duplicate = dupEntries[i];
+      insights.push({
+        severity: "warning",
+        type: "duplicate",
+        title: "Duplicate API Call",
+        desc: `${duplicate.key} loaded ${duplicate.count}x as duplicate across ${duplicate.flows} action${duplicate.flows !== 1 ? "s" : ""}`,
+        hint: "Multiple components independently fetch the same endpoint. Lift the fetch to a parent component, use a data cache, or deduplicate with React Query / SWR."
+      });
+    }
+    return insights;
+  }
+};
+var crossEndpointRule = {
+  id: "cross-endpoint",
+  check(ctx) {
+    const insights = [];
+    const queryMap = /* @__PURE__ */ new Map();
+    const allEndpoints = /* @__PURE__ */ new Set();
+    for (const [reqId, reqQueries] of ctx.queriesByReq) {
+      const req = ctx.reqById.get(reqId);
+      if (!req) continue;
+      const endpoint = getEndpointKey(req.method, req.path);
+      allEndpoints.add(endpoint);
+      const seenInReq = /* @__PURE__ */ new Set();
+      for (const query of reqQueries) {
+        const shape = getQueryShape(query);
+        let entry = queryMap.get(shape);
+        if (!entry) {
+          entry = { endpoints: /* @__PURE__ */ new Set(), count: 0, first: query };
+          queryMap.set(shape, entry);
+        }
+        entry.count++;
+        if (!seenInReq.has(shape)) {
+          seenInReq.add(shape);
+          entry.endpoints.add(endpoint);
+        }
+      }
+    }
+    if (allEndpoints.size >= CROSS_ENDPOINT_MIN_ENDPOINTS) {
+      for (const [, queryMetric] of queryMap) {
+        if (queryMetric.count < CROSS_ENDPOINT_MIN_OCCURRENCES) continue;
+        if (queryMetric.endpoints.size < CROSS_ENDPOINT_MIN_ENDPOINTS) continue;
+        const coveragePct = Math.round(queryMetric.endpoints.size / allEndpoints.size * 100);
+        if (coveragePct < CROSS_ENDPOINT_PCT) continue;
+        const info = getQueryInfo(queryMetric.first);
+        const label = info.op + (info.table ? ` ${info.table}` : "");
+        insights.push({
+          severity: "warning",
+          type: "cross-endpoint",
+          title: "Repeated Query Across Endpoints",
+          desc: `${label} runs on ${queryMetric.endpoints.size} of ${allEndpoints.size} endpoints (${coveragePct}%).`,
+          hint: "This query runs on most of your endpoints. Load it once in middleware or cache the result to avoid redundant database calls.",
+          detail: `Endpoints: ${[...queryMetric.endpoints].slice(0, 5).join(", ")}${queryMetric.endpoints.size > 5 ? ` +${queryMetric.endpoints.size - 5} more` : ""}. Total: ${queryMetric.count} executions.`
         });
       }
     }
@@ -2052,13 +2090,13 @@ var securityRule = {
   id: "security",
   check(ctx) {
     if (!ctx.securityFindings) return [];
-    return ctx.securityFindings.map((f) => ({
-      severity: f.severity,
+    return ctx.securityFindings.map((finding) => ({
+      severity: finding.severity,
       type: "security",
-      title: f.title,
-      desc: f.desc,
-      hint: f.hint,
-      nav: "security"
+      title: finding.title,
+      desc: finding.desc,
+      hint: finding.hint,
+      detail: finding.detail
     }));
   }
 };
@@ -2101,8 +2139,7 @@ function insightToIssue(insight) {
     desc: insight.desc,
     hint: insight.hint,
     detail: insight.detail,
-    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
-    nav: insight.nav
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0
   };
 }
 function securityFindingToIssue(finding) {
@@ -2113,25 +2150,24 @@ function securityFindingToIssue(finding) {
     title: finding.title,
     desc: finding.desc,
     hint: finding.hint,
-    endpoint: finding.endpoint,
-    nav: "security"
+    detail: finding.detail,
+    endpoint: finding.endpoint
   };
 }
 // src/analysis/engine.ts
 var AnalysisEngine = class {
-  constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
-    this.registry = registry;
+  constructor(services, debounceMs = ANALYSIS_DEBOUNCE_MS) {
+    this.services = services;
     this.debounceMs = debounceMs;
+    this.cachedInsights = [];
+    this.cachedFindings = [];
+    this.debounceTimer = null;
+    this.subs = new SubscriptionBag();
     this.scanner = createDefaultScanner();
   }
-  scanner;
-  cachedInsights = [];
-  cachedFindings = [];
-  debounceTimer = null;
-  subs = new SubscriptionBag();
   start() {
-    const bus = this.registry.get("event-bus");
+    const bus = this.services.bus;
     this.subs.add(bus.on("request:completed", () => this.scheduleRecompute()));
     this.subs.add(bus.on("telemetry:query", () => this.scheduleRecompute()));
     this.subs.add(bus.on("telemetry:error", () => this.scheduleRecompute()));
@@ -2158,12 +2194,12 @@ var AnalysisEngine = class {
     }, this.debounceMs);
   }
   recompute() {
-    const allRequests = this.registry.get("request-store").getAll();
-    const queries = this.registry.get("query-store").getAll();
-    const errors = this.registry.get("error-store").getAll();
-    const logs = this.registry.get("log-store").getAll();
-    const fetches = this.registry.get("fetch-store").getAll();
-    const requests = windowByEndpoint(allRequests);
+    const allRequests = this.services.requestStore.getAll();
+    const queries = this.services.queryStore.getAll();
+    const errors = this.services.errorStore.getAll();
+    const logs = this.services.logStore.getAll();
+    const fetches = this.services.fetchStore.getAll();
+    const requests = keepRecentPerEndpoint(allRequests);
     const flows = groupRequestsIntoFlows(requests);
     this.cachedFindings = this.scanner.scan({ requests, logs });
     this.cachedInsights = computeInsights({
@@ -2172,38 +2208,34 @@ var AnalysisEngine = class {
       errors,
       flows,
       fetches,
-      previousMetrics: this.registry.get("metrics-store").getAll(),
+      previousMetrics: this.services.metricsStore.getAll(),
       securityFindings: this.cachedFindings
     });
-    if (this.registry.has("issue-store")) {
-      const issueStore = this.registry.get("issue-store");
-      for (const finding of this.cachedFindings) {
-        issueStore.upsert(securityFindingToIssue(finding), "passive");
-      }
-      for (const insight of this.cachedInsights) {
-        issueStore.upsert(insightToIssue(insight), "passive");
-      }
-      const currentIssueIds = /* @__PURE__ */ new Set();
-      for (const finding of this.cachedFindings) {
-        currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
-      }
-      for (const insight of this.cachedInsights) {
-        currentIssueIds.add(computeIssueId(insightToIssue(insight)));
-      }
-      const activeEndpoints = extractActiveEndpoints(allRequests);
-      issueStore.reconcile(currentIssueIds, activeEndpoints);
-      const update = {
-        insights: this.cachedInsights,
-        findings: this.cachedFindings,
-        issues: issueStore.getAll()
-      };
-      this.registry.get("event-bus").emit("analysis:updated", update);
-    }
+    const issueStore = this.services.issueStore;
+    const currentIssueIds = /* @__PURE__ */ new Set();
+    for (const finding of this.cachedFindings) {
+      const issue = securityFindingToIssue(finding);
+      issueStore.upsert(issue, "passive");
+      currentIssueIds.add(computeIssueId(issue));
+    }
+    for (const insight of this.cachedInsights) {
+      const issue = insightToIssue(insight);
+      issueStore.upsert(issue, "passive");
+      currentIssueIds.add(computeIssueId(issue));
+    }
+    const activeEndpoints = extractActiveEndpoints(allRequests);
+    issueStore.reconcile(currentIssueIds, activeEndpoints);
+    const update = {
+      insights: this.cachedInsights,
+      findings: this.cachedFindings,
+      issues: issueStore.getAll()
+    };
+    this.services.bus.emit("analysis:updated", update);
   }
 };
 // src/index.ts
-var VERSION = "0.8.6";
+var VERSION = "0.9.0";
 export {
   AdapterRegistry,
   AnalysisEngine,