brakit 0.8.6 → 0.9.0

package/dist/bin/brakit.js

@@ -9,19 +9,26 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/constants/limits.ts
-var PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_OBJECT_SCAN_DEPTH, ISSUE_PRUNE_TTL_MS;
-var init_limits = __esm({
-  "src/constants/limits.ts"() {
+// src/constants/config.ts
+var PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_OBJECT_SCAN_DEPTH, ISSUE_PRUNE_TTL_MS, OVERFETCH_UNWRAP_MIN_SIZE, STALE_ISSUE_TTL_MS, METRICS_DIR, PORT_FILE, VALID_ISSUE_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
+var init_config = __esm({
+  "src/constants/config.ts"() {
     "use strict";
     PROJECT_HASH_LENGTH = 8;
     SECRET_SCAN_ARRAY_LIMIT = 5;
     PII_SCAN_ARRAY_LIMIT = 10;
     MIN_SECRET_VALUE_LENGTH = 8;
-    FULL_RECORD_MIN_FIELDS = 5;
+    FULL_RECORD_MIN_FIELDS = 8;
     LIST_PII_MIN_ITEMS = 2;
     MAX_OBJECT_SCAN_DEPTH = 5;
     ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+    OVERFETCH_UNWRAP_MIN_SIZE = 3;
+    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+    METRICS_DIR = ".brakit";
+    PORT_FILE = ".brakit/port";
+    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
+    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
   }
 });
 
@@ -40,17 +47,6 @@ var init_log = __esm({
   }
 });
 
-// src/constants/lifecycle.ts
-var VALID_ISSUE_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
-var init_lifecycle = __esm({
-  "src/constants/lifecycle.ts"() {
-    "use strict";
-    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
-    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
-    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
-  }
-});
-
 // src/utils/type-guards.ts
 function isNonEmptyString(val) {
   return typeof val === "string" && val.trim().length > 0;
@@ -69,35 +65,14 @@ function isValidAiFixStatus(val) {
 var init_type_guards = __esm({
   "src/utils/type-guards.ts"() {
     "use strict";
-    init_lifecycle();
-    init_limits();
+    init_config();
   }
 });
 
-// src/constants/metrics.ts
-var METRICS_DIR, PORT_FILE;
-var init_metrics = __esm({
-  "src/constants/metrics.ts"() {
-    "use strict";
-    METRICS_DIR = ".brakit";
-    PORT_FILE = ".brakit/port";
-  }
-});
-
-// src/constants/thresholds.ts
-var OVERFETCH_UNWRAP_MIN_SIZE, STALE_ISSUE_TTL_MS;
-var init_thresholds = __esm({
-  "src/constants/thresholds.ts"() {
-    "use strict";
-    OVERFETCH_UNWRAP_MIN_SIZE = 3;
-    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
-  }
-});
-
-// src/constants/routes.ts
+// src/constants/labels.ts
 var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS;
-var init_routes = __esm({
-  "src/constants/routes.ts"() {
+var init_labels = __esm({
+  "src/constants/labels.ts"() {
     "use strict";
     DASHBOARD_PREFIX = "/__brakit";
     DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
@@ -132,75 +107,10 @@ var init_routes = __esm({
   }
 });
 
-// src/constants/transport.ts
-var init_transport = __esm({
-  "src/constants/transport.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/headers.ts
-var init_headers = __esm({
-  "src/constants/headers.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/network.ts
-var RECOVERY_WINDOW_MS, PORT_MIN, PORT_MAX;
-var init_network = __esm({
-  "src/constants/network.ts"() {
-    "use strict";
-    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
-    PORT_MIN = 1;
-    PORT_MAX = 65535;
-  }
-});
-
-// src/constants/mcp.ts
-var MCP_SERVER_NAME, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER, MCP_SERVER_VERSION;
-var init_mcp = __esm({
-  "src/constants/mcp.ts"() {
-    "use strict";
-    MCP_SERVER_NAME = "brakit";
-    INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
-    LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
-    CLIENT_FETCH_TIMEOUT_MS = 1e4;
-    HEALTH_CHECK_TIMEOUT_MS = 3e3;
-    DISCOVERY_POLL_INTERVAL_MS = 500;
-    MAX_DISCOVERY_DEPTH = 5;
-    MAX_TIMELINE_EVENTS = 20;
-    MAX_RESOLVED_DISPLAY = 5;
-    ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.8.6";
-  }
-});
-
-// src/constants/encoding.ts
-var init_encoding = __esm({
-  "src/constants/encoding.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/severity.ts
-var init_severity = __esm({
-  "src/constants/severity.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/telemetry.ts
-var init_telemetry = __esm({
-  "src/constants/telemetry.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/cli.ts
-var SUPPORTED_SOURCE_EXTENSIONS, BUILD_CACHE_DIRS, FALLBACK_SCAN_DIRS;
-var init_cli = __esm({
-  "src/constants/cli.ts"() {
+// src/constants/features.ts
+var SUPPORTED_SOURCE_EXTENSIONS, BUILD_CACHE_DIRS, FALLBACK_SCAN_DIRS, MCP_SERVER_NAME, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER, MCP_SERVER_VERSION, RECOVERY_WINDOW_MS, PORT_MIN, PORT_MAX;
+var init_features = __esm({
+  "src/constants/features.ts"() {
     "use strict";
     SUPPORTED_SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([
       ".ts",
@@ -212,6 +122,20 @@ var init_cli = __esm({
     ]);
     BUILD_CACHE_DIRS = [".next", ".nuxt", ".output"];
     FALLBACK_SCAN_DIRS = ["src", "."];
+    MCP_SERVER_NAME = "brakit";
+    INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
+    LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
+    CLIENT_FETCH_TIMEOUT_MS = 1e4;
+    HEALTH_CHECK_TIMEOUT_MS = 3e3;
+    DISCOVERY_POLL_INTERVAL_MS = 500;
+    MAX_DISCOVERY_DEPTH = 5;
+    MAX_TIMELINE_EVENTS = 20;
+    MAX_RESOLVED_DISPLAY = 5;
+    ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
+    MCP_SERVER_VERSION = "0.9.0";
+    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+    PORT_MIN = 1;
+    PORT_MAX = 65535;
   }
 });
 
@@ -219,19 +143,9 @@ var init_cli = __esm({
 var init_constants = __esm({
   "src/constants/index.ts"() {
     "use strict";
-    init_routes();
-    init_limits();
-    init_thresholds();
-    init_transport();
-    init_metrics();
-    init_headers();
-    init_network();
-    init_mcp();
-    init_encoding();
-    init_severity();
-    init_telemetry();
-    init_lifecycle();
-    init_cli();
+    init_config();
+    init_labels();
+    init_features();
   }
 });
 
@@ -254,8 +168,8 @@ var BrakitClient;
 var init_client = __esm({
   "src/mcp/client.ts"() {
     "use strict";
-    init_routes();
-    init_mcp();
+    init_labels();
+    init_features();
     BrakitClient = class {
       constructor(baseUrl) {
         this.baseUrl = baseUrl;
@@ -422,7 +336,7 @@ var init_discovery = __esm({
     "use strict";
     init_constants();
     init_log();
-    init_mcp();
+    init_features();
   }
 });
 
@@ -523,7 +437,7 @@ async function buildRequestDetail(client, req) {
 var init_enrichment = __esm({
   "src/mcp/enrichment.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     init_endpoint();
   }
 });
@@ -534,7 +448,7 @@ var init_get_findings = __esm({
   "src/mcp/tools/get-findings.ts"() {
     "use strict";
     init_enrichment();
-    init_lifecycle();
+    init_config();
     init_type_guards();
     getFindings = {
       name: "get_findings",
@@ -649,7 +563,7 @@ var getRequestDetail;
 var init_get_request_detail = __esm({
   "src/mcp/tools/get-request-detail.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     init_enrichment();
     getRequestDetail = {
       name: "get_request_detail",
@@ -829,7 +743,7 @@ var getReport;
 var init_get_report = __esm({
   "src/mcp/tools/get-report.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     getReport = {
       name: "get_report",
       description: "Generate a summary report of all findings: total found, open, resolved. Use this to get a high-level overview of the application's health.",
@@ -1126,7 +1040,7 @@ var init_server = __esm({
     init_client();
     init_discovery();
     init_tools();
-    init_mcp();
+    init_features();
     init_prompts();
   }
 });
@@ -1148,7 +1062,7 @@ import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync }
 import { resolve as resolve2 } from "path";
 
 // src/utils/fs.ts
-init_limits();
+init_config();
 init_log();
 init_type_guards();
 import { access, readFile, writeFile } from "fs/promises";
@@ -1171,10 +1085,7 @@ async function fileExists(path) {
 }
 
 // src/store/issue-store.ts
-init_metrics();
-init_limits();
-init_thresholds();
-init_limits();
+init_config();
 
 // src/utils/atomic-writer.ts
 import {
@@ -1192,7 +1103,7 @@ init_log();
 init_type_guards();
 
 // src/utils/issue-id.ts
-init_limits();
+init_config();
 import { createHash as createHash2 } from "crypto";
 
 // src/detect/project.ts
@@ -1362,12 +1273,13 @@ async function detectInDir(dir, rootDir, projects) {
 }
 
 // src/utils/response.ts
-init_thresholds();
+init_config();
+var MAX_WRAPPER_KEYS = 3;
 function unwrapResponse(parsed) {
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
   const obj = parsed;
   const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
+  if (keys.length > MAX_WRAPPER_KEYS) return parsed;
   let best = null;
   let bestSize = 0;
   for (const key of keys) {
@@ -1386,6 +1298,10 @@ function unwrapResponse(parsed) {
   return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
 }
 
+// src/analysis/rules/scanner.ts
+init_log();
+init_type_guards();
+
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
@@ -1399,6 +1315,8 @@ var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
 var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
 var INTERNAL_ID_SUFFIX = /Id$|_id$/;
+var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
+var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1410,8 +1328,8 @@ var RULE_HINTS = {
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 
-// src/analysis/rules/exposed-secret.ts
-init_limits();
+// src/analysis/rules/auth-rules.ts
+init_config();
 
 // src/utils/http-status.ts
 function isErrorStatus(code) {
@@ -1421,27 +1339,66 @@ function isRedirect(code) {
   return code >= 300 && code < 400;
 }
 
-// src/analysis/rules/exposed-secret.ts
-function findSecretKeys(obj, prefix, depth = 0) {
-  const found = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
-  if (!obj || typeof obj !== "object") return found;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
-      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
+// src/utils/collections.ts
+function deduplicateFindings(items, extract) {
+  const seen = /* @__PURE__ */ new Map();
+  const findings = [];
+  for (const item of items) {
+    const result = extract(item);
+    if (!result) continue;
+    const existing = seen.get(result.key);
+    if (existing) {
+      existing.count++;
+      continue;
     }
-    return found;
+    seen.set(result.key, result.finding);
+    findings.push(result.finding);
   }
-  for (const k of Object.keys(obj)) {
-    const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
-      found.push(k);
+  return findings;
+}
+
+// src/utils/object-scan.ts
+init_config();
+var DEFAULTS = {
+  maxDepth: MAX_OBJECT_SCAN_DEPTH,
+  arrayLimit: SECRET_SCAN_ARRAY_LIMIT
+};
+function walkObject(obj, visitor, options) {
+  const opts = { ...DEFAULTS, ...options };
+  walk(obj, visitor, opts, 0);
+}
+function walk(obj, visitor, opts, depth) {
+  if (depth >= opts.maxDepth) return;
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, opts.arrayLimit); i++) {
+      walk(obj[i], visitor, opts, depth + 1);
     }
+    return;
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    visitor(key, val, depth);
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
+      walk(val, visitor, opts, depth + 1);
     }
   }
-  return found;
+}
+function collectFromObject(obj, match, options) {
+  const results = [];
+  walkObject(obj, (key, value) => {
+    const result = match(key, value);
+    if (result !== null) results.push(result);
+  }, options);
+  return results;
+}
+
+// src/analysis/rules/auth-rules.ts
+function findSecretKeys(obj) {
+  return collectFromObject(
+    obj,
+    (key, val) => SECRET_KEYS.test(key) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val) ? key : null
+  );
 }
 var exposedSecretRule = {
   id: "exposed-secret",
@@ -1449,50 +1406,39 @@ var exposedSecretRule = {
   name: "Exposed Secret in Response",
   hint: RULE_HINTS["exposed-secret"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const parsed = ctx.parsedBodies.response.get(r.id);
-      if (!parsed) continue;
-      const keys = findSecretKeys(parsed, "");
-      if (keys.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${keys.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "exposed-secret",
-        title: "Exposed Secret in Response",
-        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      const parsed = ctx.parsedBodies.response.get(request.id);
+      if (!parsed) return null;
+      const keys = findSecretKeys(parsed);
+      if (keys.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${keys.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "exposed-secret",
+          title: "Exposed Secret in Response",
+          desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Exposed fields: ${keys.join(", ")}. ${keys.length} unmasked secret value${keys.length !== 1 ? "s" : ""} in response body.`,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/token-in-url.ts
 var tokenInUrlRule = {
   id: "token-in-url",
   severity: "critical",
   name: "Auth Token in URL",
   hint: RULE_HINTS["token-in-url"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      const qIdx = r.url.indexOf("?");
-      if (qIdx === -1) continue;
-      const params = r.url.substring(qIdx + 1).split("&");
+    return deduplicateFindings(ctx.requests, (request) => {
+      const qIdx = request.url.indexOf("?");
+      if (qIdx === -1) return null;
+      const params = request.url.substring(qIdx + 1).split("&");
       const flagged = [];
       for (const param of params) {
         const [name, ...rest] = param.split("=");
@@ -1502,65 +1448,129 @@ var tokenInUrlRule = {
           flagged.push(name);
         }
       }
-      if (flagged.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
+      if (flagged.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${flagged.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "token-in-url",
+          title: "Auth Token in URL",
+          desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+          hint: this.hint,
+          detail: `Parameters in URL: ${flagged.join(", ")}. Auth tokens in URLs are logged by proxies, browsers, and CDNs.`,
+          endpoint: ep,
+          count: 1
+        }
+      };
+    });
+  }
+};
+function isFrameworkResponse(request) {
+  if (isRedirect(request.statusCode)) return true;
+  if (request.path?.startsWith("/__")) return true;
+  if (request.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  severity: "warning",
+  name: "Insecure Cookie",
+  hint: RULE_HINTS["insecure-cookie"],
+  check(ctx) {
+    const cookieEntries = [];
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      if (isFrameworkResponse(request)) continue;
+      const setCookie = request.responseHeaders["set-cookie"];
+      if (!setCookie) continue;
+      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
+      for (const cookie of cookies) {
+        cookieEntries.push({ cookie });
       }
-      const finding = {
-        severity: "critical",
-        rule: "token-in-url",
-        title: "Auth Token in URL",
-        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+    }
+    return deduplicateFindings(cookieEntries, ({ cookie }) => {
+      const cookieName = cookie.trim().split("=")[0].trim();
+      const lower = cookie.toLowerCase();
+      const issues = [];
+      if (!lower.includes("httponly")) issues.push("HttpOnly");
+      if (!lower.includes("samesite")) issues.push("SameSite");
+      if (issues.length === 0) return null;
+      return {
+        key: `${cookieName}:${issues.join(",")}`,
+        finding: {
+          severity: "warning",
+          rule: "insecure-cookie",
+          title: "Insecure Cookie",
+          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Missing: ${issues.join(", ")}. ${issues.includes("HttpOnly") ? "Cookie accessible via JavaScript (XSS risk). " : ""}${issues.includes("SameSite") ? "Cookie sent on cross-site requests (CSRF risk)." : ""}`,
+          endpoint: cookieName,
+          count: 1
+        }
+      };
+    });
+  }
+};
+var corsCredentialsRule = {
+  id: "cors-credentials",
+  severity: "warning",
+  name: "CORS Credentials with Wildcard",
+  hint: RULE_HINTS["cors-credentials"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      const origin = request.responseHeaders["access-control-allow-origin"];
+      const creds = request.responseHeaders["access-control-allow-credentials"];
+      if (origin !== "*" || creds !== "true") continue;
+      const ep = `${request.method} ${request.path}`;
+      if (seen.has(ep)) continue;
+      seen.add(ep);
+      findings.push({
+        severity: "warning",
+        rule: "cors-credentials",
+        title: "CORS Credentials with Wildcard",
+        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
         hint: this.hint,
         endpoint: ep,
         count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
+      });
     }
     return findings;
   }
 };
 
-// src/analysis/rules/stack-trace-leak.ts
+// src/analysis/rules/data-rules.ts
+init_config();
 var stackTraceLeakRule = {
   id: "stack-trace-leak",
   severity: "critical",
   name: "Stack Trace Leaked to Client",
   hint: RULE_HINTS["stack-trace-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "stack-trace-leak",
-        title: "Stack Trace Leaked to Client",
-        desc: `${ep} \u2014 response exposes internal stack trace`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (!request.responseBody) return null;
+      if (!STACK_TRACE_RE.test(request.responseBody)) return null;
+      const ep = `${request.method} ${request.path}`;
+      const firstLine = request.responseBody.split("\n").find((l) => STACK_TRACE_RE.test(l))?.trim() ?? "";
+      return {
+        key: ep,
+        finding: {
+          severity: "critical",
+          rule: "stack-trace-leak",
+          title: "Stack Trace Leaked to Client",
+          desc: `${ep} \u2014 response exposes internal stack trace`,
+          hint: this.hint,
+          detail: firstLine ? `Stack trace: ${firstLine.slice(0, 120)}` : void 0,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/error-info-leak.ts
 var CRITICAL_PATTERNS = [
   { re: DB_CONN_RE, label: "database connection string" },
   { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
@@ -1572,90 +1582,35 @@ var errorInfoLeakRule = {
   name: "Sensitive Data in Error Response",
   hint: RULE_HINTS["error-info-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
-      const ep = `${r.method} ${r.path}`;
-      for (const p of CRITICAL_PATTERNS) {
-        if (!p.re.test(r.responseBody)) continue;
-        const dedupKey = `${ep}:${p.label}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
+    const entries = [];
+    for (const request of ctx.requests) {
+      if (request.statusCode < 400) continue;
+      if (!request.responseBody) continue;
+      if (request.responseHeaders["x-nextjs-error"] || request.responseHeaders["x-nextjs-matched-path"]) continue;
+      const ep = `${request.method} ${request.path}`;
+      for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.re.test(request.responseBody)) {
+          entries.push({ ep, pattern, body: request.responseBody });
         }
-        const finding = {
+      }
+    }
+    return deduplicateFindings(entries, ({ ep, pattern }) => {
+      return {
+        key: `${ep}:${pattern.label}`,
+        finding: {
           severity: "critical",
           rule: "error-info-leak",
           title: "Sensitive Data in Error Response",
-          desc: `${ep} \u2014 error response exposes ${p.label}`,
+          desc: `${ep} \u2014 error response exposes ${pattern.label}`,
           hint: this.hint,
+          detail: `Detected: ${pattern.label} in error response body`,
           endpoint: ep,
           count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/insecure-cookie.ts
-function isFrameworkResponse(r) {
-  if (isRedirect(r.statusCode)) return true;
-  if (r.path?.startsWith("/__")) return true;
-  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
-  return false;
-}
-var insecureCookieRule = {
-  id: "insecure-cookie",
-  severity: "warning",
-  name: "Insecure Cookie",
-  hint: RULE_HINTS["insecure-cookie"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      if (isFrameworkResponse(r)) continue;
-      const setCookie = r.responseHeaders["set-cookie"];
-      if (!setCookie) continue;
-      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
-      for (const cookie of cookies) {
-        const cookieName = cookie.trim().split("=")[0].trim();
-        const lower = cookie.toLowerCase();
-        const issues = [];
-        if (!lower.includes("httponly")) issues.push("HttpOnly");
-        if (!lower.includes("samesite")) issues.push("SameSite");
-        if (issues.length === 0) continue;
-        const dedupKey = `${cookieName}:${issues.join(",")}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
         }
-        const finding = {
-          severity: "warning",
-          rule: "insecure-cookie",
-          title: "Insecure Cookie",
-          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
-          hint: this.hint,
-          endpoint: cookieName,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
+      };
+    });
   }
 };
-
-// src/analysis/rules/sensitive-logs.ts
 var sensitiveLogsRule = {
   id: "sensitive-logs",
   severity: "warning",
@@ -1680,59 +1635,13 @@ var sensitiveLogsRule = {
     }];
   }
 };
-
-// src/analysis/rules/cors-credentials.ts
-var corsCredentialsRule = {
-  id: "cors-credentials",
-  severity: "warning",
-  name: "CORS Credentials with Wildcard",
-  hint: RULE_HINTS["cors-credentials"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      const origin = r.responseHeaders["access-control-allow-origin"];
-      const creds = r.responseHeaders["access-control-allow-credentials"];
-      if (origin !== "*" || creds !== "true") continue;
-      const ep = `${r.method} ${r.path}`;
-      if (seen.has(ep)) continue;
-      seen.add(ep);
-      findings.push({
-        severity: "warning",
-        rule: "cors-credentials",
-        title: "CORS Credentials with Wildcard",
-        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      });
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/response-pii-leak.ts
-init_limits();
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-function findEmails(obj, depth = 0) {
-  const emails = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
-  if (!obj || typeof obj !== "object") return emails;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
-      emails.push(...findEmails(obj[i], depth + 1));
-    }
-    return emails;
-  }
-  for (const v of Object.values(obj)) {
-    if (typeof v === "string" && EMAIL_RE.test(v)) {
-      emails.push(v);
-    } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v, depth + 1));
-    }
-  }
-  return emails;
+function findEmails(obj) {
+  return collectFromObject(
+    obj,
+    (_key, val) => typeof val === "string" && EMAIL_RE.test(val) ? val : null,
+    { arrayLimit: PII_SCAN_ARRAY_LIMIT }
+  );
 }
 function topLevelFieldCount(obj) {
   if (Array.isArray(obj)) {
@@ -1748,6 +1657,15 @@ function hasInternalIds(obj) {
   }
   return false;
 }
+function hasSensitiveFieldNames(obj, depth = 0) {
+  if (depth >= MAX_OBJECT_SCAN_DEPTH) return false;
+  if (!obj || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) return obj.length > 0 && hasSensitiveFieldNames(obj[0], depth + 1);
+  for (const key of Object.keys(obj)) {
+    if (SENSITIVE_FIELD_NAMES.test(key)) return true;
+  }
+  return false;
+}
 function detectEchoPII(method, reqBody, target) {
   if (!WRITE_METHODS.has(method) || !reqBody || typeof reqBody !== "object") return null;
   const reqEmails = findEmails(reqBody);
@@ -1769,6 +1687,13 @@ function detectFullRecordPII(target) {
   if (emails.length === 0) return null;
   return { reason: "full-record", emailCount: emails.length };
 }
+function detectSensitiveFieldPII(target) {
+  const inspect = Array.isArray(target) && target.length > 0 ? target[0] : target;
+  if (!inspect || typeof inspect !== "object" || Array.isArray(inspect)) return null;
+  if (!hasSensitiveFieldNames(inspect)) return null;
+  if (!hasInternalIds(inspect) && topLevelFieldCount(inspect) < FULL_RECORD_MIN_FIELDS) return null;
+  return { reason: "sensitive-fields", emailCount: 0 };
+}
 function detectListPII(target) {
   if (!Array.isArray(target) || target.length < LIST_PII_MIN_ITEMS) return null;
   let itemsWithEmail = 0;
@@ -1787,12 +1712,13 @@ function detectListPII(target) {
 }
 function detectPII(method, reqBody, resBody) {
   const target = unwrapResponse(resBody);
-  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target);
+  return detectEchoPII(method, reqBody, target) ?? detectFullRecordPII(target) ?? detectListPII(target) ?? detectSensitiveFieldPII(target);
 }
 var REASON_LABELS = {
   echo: "echoes back PII from the request body",
   "full-record": "returns a full record with email and internal IDs",
-  "list-pii": "returns a list of records containing email addresses"
+  "list-pii": "returns a list of records containing email addresses",
+  "sensitive-fields": "contains sensitive personal data fields (phone, SSN, date of birth, address, etc.)"
 };
 var responsePiiLeakRule = {
   id: "response-pii-leak",
@@ -1800,101 +1726,83 @@ var responsePiiLeakRule = {
   name: "PII Leak in Response",
   hint: RULE_HINTS["response-pii-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const resJson = ctx.parsedBodies.response.get(r.id);
-      if (!resJson) continue;
-      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
-      const detection = detectPII(r.method, reqJson, resJson);
-      if (!detection) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${detection.reason}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "warning",
-        rule: "response-pii-leak",
-        title: "PII Leak in Response",
-        desc: `${ep} \u2014 ${REASON_LABELS[detection.reason]}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      if (SELF_SERVICE_PATH.test(request.path)) return null;
+      const resJson = ctx.parsedBodies.response.get(request.id);
+      if (!resJson) return null;
+      const reqJson = ctx.parsedBodies.request.get(request.id) ?? null;
+      const detection = detectPII(request.method, reqJson, resJson);
+      if (!detection) return null;
+      const ep = `${request.method} ${request.path}`;
+      const fieldCount = topLevelFieldCount(resJson);
+      const detailParts = [`Pattern: ${REASON_LABELS[detection.reason]}`];
+      if (detection.emailCount > 0) detailParts.push(`${detection.emailCount} email${detection.emailCount !== 1 ? "s" : ""} detected`);
+      if (fieldCount > 0) detailParts.push(`${fieldCount} fields per record`);
+      return {
+        key: ep,
+        finding: {
+          severity: "warning",
+          rule: "response-pii-leak",
+          title: "PII Leak in Response",
+          desc: `${ep} \u2014 exposes PII in response`,
+          hint: this.hint,
+          detail: detailParts.join(". "),
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
 
 // src/analysis/engine.ts
-init_limits();
+init_config();
 
 // src/analysis/group.ts
 init_constants();
 import { randomUUID } from "crypto";
+init_endpoint();
 
 // src/analysis/label.ts
 init_constants();
 
 // src/analysis/transforms.ts
 init_constants();
+init_config();
+init_endpoint();
 
 // src/analysis/insights/prepare.ts
 init_endpoint();
 init_constants();
-init_thresholds();
+init_config();
 
-// src/analysis/insights/rules/n1.ts
-init_endpoint();
-init_constants();
+// src/analysis/insights/runner.ts
+init_log();
+init_type_guards();
 
-// src/analysis/insights/rules/cross-endpoint.ts
+// src/analysis/insights/rules/query-rules.ts
 init_endpoint();
 init_constants();
 
-// src/analysis/insights/rules/redundant-query.ts
+// src/analysis/insights/rules/response-rules.ts
 init_endpoint();
+init_log();
+init_type_guards();
 init_constants();
 
-// src/analysis/insights/rules/error-hotspot.ts
-init_constants();
-
-// src/analysis/insights/rules/duplicate.ts
-init_constants();
-
-// src/analysis/insights/rules/slow.ts
-init_constants();
-
-// src/analysis/insights/rules/query-heavy.ts
-init_constants();
-
-// src/analysis/insights/rules/select-star.ts
-init_constants();
-
-// src/analysis/insights/rules/high-rows.ts
+// src/analysis/insights/rules/reliability-rules.ts
 init_constants();
 
-// src/analysis/insights/rules/response-overfetch.ts
+// src/analysis/insights/rules/pattern-rules.ts
 init_endpoint();
 init_constants();
 
-// src/analysis/insights/rules/large-response.ts
-init_constants();
-
-// src/analysis/insights/rules/regression.ts
-init_constants();
-
 // src/analysis/issue-mappers.ts
 init_endpoint();
 
 // src/index.ts
-var VERSION = "0.8.6";
+var VERSION = "0.9.0";
 
 // src/cli/commands/install.ts
 init_constants();