brakit 0.8.7 → 0.9.1

package/dist/api.js

@@ -10,7 +10,7 @@ import { createHash } from "crypto";
 import { homedir } from "os";
 import { resolve, join } from "path";
 
-// src/constants/limits.ts
+// src/constants/config.ts
 var ANALYSIS_DEBOUNCE_MS = 300;
 var ISSUE_ID_HASH_LENGTH = 16;
 var ISSUES_DATA_VERSION = 2;
@@ -21,6 +21,40 @@ var FULL_RECORD_MIN_FIELDS = 8;
 var LIST_PII_MIN_ITEMS = 2;
 var MAX_OBJECT_SCAN_DEPTH = 5;
 var ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+var FLOW_GAP_MS = 5e3;
+var SLOW_REQUEST_THRESHOLD_MS = 2e3;
+var MIN_POLLING_SEQUENCE = 3;
+var ENDPOINT_TRUNCATE_LENGTH = 12;
+var N1_QUERY_THRESHOLD = 5;
+var ERROR_RATE_THRESHOLD_PCT = 20;
+var MIN_REQUESTS_FOR_INSIGHT = 2;
+var HIGH_QUERY_COUNT_PER_REQ = 5;
+var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
+var CROSS_ENDPOINT_PCT = 50;
+var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
+var REDUNDANT_QUERY_MIN_COUNT = 2;
+var LARGE_RESPONSE_BYTES = 51200;
+var HIGH_ROW_COUNT = 100;
+var OVERFETCH_MIN_REQUESTS = 2;
+var OVERFETCH_MIN_FIELDS = 8;
+var OVERFETCH_MIN_INTERNAL_IDS = 2;
+var OVERFETCH_NULL_RATIO = 0.3;
+var REGRESSION_PCT_THRESHOLD = 50;
+var REGRESSION_MIN_INCREASE_MS = 200;
+var REGRESSION_MIN_REQUESTS = 5;
+var QUERY_COUNT_REGRESSION_RATIO = 1.5;
+var OVERFETCH_MANY_FIELDS = 12;
+var OVERFETCH_UNWRAP_MIN_SIZE = 3;
+var MAX_DUPLICATE_INSIGHTS = 3;
+var INSIGHT_WINDOW_PER_ENDPOINT = 20;
+var CLEAN_HITS_FOR_RESOLUTION = 5;
+var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+var STRICT_MODE_MAX_GAP_MS = 2e3;
+var BASELINE_MIN_SESSIONS = 2;
+var BASELINE_MIN_REQUESTS_PER_SESSION = 3;
+var ISSUES_FILE = "issues.json";
+var ISSUES_FLUSH_INTERVAL_MS = 1e4;
+var DETAIL_PREVIEW_LENGTH = 120;
 
 // src/utils/log.ts
 var PREFIX = "[brakit]";
@@ -42,7 +76,9 @@ function getErrorMessage(err) {
   return String(err);
 }
 function validateIssuesData(parsed) {
-  if (parsed != null && typeof parsed === "object" && !Array.isArray(parsed) && parsed.version === ISSUES_DATA_VERSION && Array.isArray(parsed.issues)) {
+  if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+  const obj = parsed;
+  if (obj.version === ISSUES_DATA_VERSION && Array.isArray(obj.issues)) {
     return parsed;
   }
   return null;
@@ -86,41 +122,6 @@ async function ensureGitignoreAsync(dir, entry) {
   }
 }
 
-// src/constants/metrics.ts
-var ISSUES_FILE = "issues.json";
-var ISSUES_FLUSH_INTERVAL_MS = 1e4;
-
-// src/constants/thresholds.ts
-var FLOW_GAP_MS = 5e3;
-var SLOW_REQUEST_THRESHOLD_MS = 2e3;
-var MIN_POLLING_SEQUENCE = 3;
-var ENDPOINT_TRUNCATE_LENGTH = 12;
-var N1_QUERY_THRESHOLD = 5;
-var ERROR_RATE_THRESHOLD_PCT = 20;
-var SLOW_ENDPOINT_THRESHOLD_MS = 1e3;
-var MIN_REQUESTS_FOR_INSIGHT = 2;
-var HIGH_QUERY_COUNT_PER_REQ = 5;
-var CROSS_ENDPOINT_MIN_ENDPOINTS = 3;
-var CROSS_ENDPOINT_PCT = 50;
-var CROSS_ENDPOINT_MIN_OCCURRENCES = 5;
-var REDUNDANT_QUERY_MIN_COUNT = 2;
-var LARGE_RESPONSE_BYTES = 51200;
-var HIGH_ROW_COUNT = 100;
-var OVERFETCH_MIN_REQUESTS = 2;
-var OVERFETCH_MIN_FIELDS = 8;
-var OVERFETCH_MIN_INTERNAL_IDS = 2;
-var OVERFETCH_NULL_RATIO = 0.3;
-var REGRESSION_PCT_THRESHOLD = 50;
-var REGRESSION_MIN_INCREASE_MS = 200;
-var REGRESSION_MIN_REQUESTS = 5;
-var QUERY_COUNT_REGRESSION_RATIO = 1.5;
-var OVERFETCH_MANY_FIELDS = 12;
-var OVERFETCH_UNWRAP_MIN_SIZE = 3;
-var MAX_DUPLICATE_INSIGHTS = 3;
-var INSIGHT_WINDOW_PER_ENDPOINT = 20;
-var CLEAN_HITS_FOR_RESOLUTION = 5;
-var STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
-
 // src/utils/atomic-writer.ts
 import {
   writeFileSync as writeFileSync2,
@@ -429,6 +430,7 @@ var AdapterRegistry = class {
   constructor() {
     this.adapters = [];
     this.active = [];
+    this.failed = [];
   }
   register(adapter) {
     this.adapters.push(adapter);
@@ -441,6 +443,7 @@ var AdapterRegistry = class {
           this.active.push(adapter);
         }
       } catch {
+        this.failed.push(adapter.name);
       }
     }
   }
@@ -456,6 +459,9 @@ var AdapterRegistry = class {
   getActive() {
     return this.active;
   }
+  getFailed() {
+    return this.failed;
+  }
 };
 
 // src/utils/response.ts
@@ -467,11 +473,12 @@ function tryParseJson(body) {
     return null;
   }
 }
+var MAX_WRAPPER_KEYS = 3;
 function unwrapResponse(parsed) {
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
   const obj = parsed;
   const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
+  if (keys.length > MAX_WRAPPER_KEYS) return parsed;
   let best = null;
   let bestSize = 0;
   for (const key of keys) {
@@ -529,27 +536,87 @@ function isRedirect(code) {
   return code >= 300 && code < 400;
 }
 
-// src/analysis/rules/exposed-secret.ts
-function findSecretKeys(obj, prefix, depth = 0) {
-  const found = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
-  if (!obj || typeof obj !== "object") return found;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
-      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
+// src/utils/collections.ts
+function getOrCreate(map, key, create) {
+  let value = map.get(key);
+  if (value === void 0) {
+    value = create();
+    map.set(key, value);
+  }
+  return value;
+}
+function deduplicateFindings(items, extract) {
+  const seen = /* @__PURE__ */ new Map();
+  const findings = [];
+  for (const item of items) {
+    const result = extract(item);
+    if (!result) continue;
+    const existing = seen.get(result.key);
+    if (existing) {
+      existing.count++;
+      continue;
+    }
+    seen.set(result.key, result.finding);
+    findings.push(result.finding);
+  }
+  return findings;
+}
+function groupBy(items, keyFn) {
+  const map = /* @__PURE__ */ new Map();
+  for (const item of items) {
+    const key = keyFn(item);
+    if (key == null) continue;
+    let arr = map.get(key);
+    if (!arr) {
+      arr = [];
+      map.set(key, arr);
     }
-    return found;
+    arr.push(item);
   }
-  for (const k of Object.keys(obj)) {
-    const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
-      found.push(k);
+  return map;
+}
+
+// src/utils/object-scan.ts
+var DEFAULTS = {
+  maxDepth: MAX_OBJECT_SCAN_DEPTH,
+  arrayLimit: SECRET_SCAN_ARRAY_LIMIT
+};
+function walkObject(obj, visitor, options) {
+  const opts = { ...DEFAULTS, ...options };
+  walk(obj, visitor, opts, 0);
+}
+function walk(obj, visitor, opts, depth) {
+  if (depth >= opts.maxDepth) return;
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, opts.arrayLimit); i++) {
+      walk(obj[i], visitor, opts, depth + 1);
     }
+    return;
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    visitor(key, val, depth);
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
+      walk(val, visitor, opts, depth + 1);
     }
   }
-  return found;
+}
+function collectFromObject(obj, match, options) {
+  const results = [];
+  walkObject(obj, (key, value) => {
+    const result = match(key, value);
+    if (result !== null) results.push(result);
+  }, options);
+  return results;
+}
+
+// src/analysis/rules/auth-rules.ts
+function findSecretKeys(obj) {
+  return collectFromObject(
+    obj,
+    (key, val) => SECRET_KEYS.test(key) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val) ? key : null
+  );
 }
 var exposedSecretRule = {
   id: "exposed-secret",
@@ -557,50 +624,39 @@ var exposedSecretRule = {
   name: "Exposed Secret in Response",
   hint: RULE_HINTS["exposed-secret"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const parsed = ctx.parsedBodies.response.get(r.id);
-      if (!parsed) continue;
-      const keys = findSecretKeys(parsed, "");
-      if (keys.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${keys.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "exposed-secret",
-        title: "Exposed Secret in Response",
-        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      const parsed = ctx.parsedBodies.response.get(request.id);
+      if (!parsed) return null;
+      const keys = findSecretKeys(parsed);
+      if (keys.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${keys.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "exposed-secret",
+          title: "Exposed Secret in Response",
+          desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Exposed fields: ${keys.join(", ")}. ${keys.length} unmasked secret value${keys.length !== 1 ? "s" : ""} in response body.`,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/token-in-url.ts
 var tokenInUrlRule = {
   id: "token-in-url",
   severity: "critical",
   name: "Auth Token in URL",
   hint: RULE_HINTS["token-in-url"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      const qIdx = r.url.indexOf("?");
-      if (qIdx === -1) continue;
-      const params = r.url.substring(qIdx + 1).split("&");
+    return deduplicateFindings(ctx.requests, (request) => {
+      const qIdx = request.url.indexOf("?");
+      if (qIdx === -1) return null;
+      const params = request.url.substring(qIdx + 1).split("&");
       const flagged = [];
       for (const param of params) {
         const [name, ...rest] = param.split("=");
@@ -610,65 +666,128 @@ var tokenInUrlRule = {
           flagged.push(name);
         }
       }
-      if (flagged.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
+      if (flagged.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${flagged.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "token-in-url",
+          title: "Auth Token in URL",
+          desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+          hint: this.hint,
+          detail: `Parameters in URL: ${flagged.join(", ")}. Auth tokens in URLs are logged by proxies, browsers, and CDNs.`,
+          endpoint: ep,
+          count: 1
+        }
+      };
+    });
+  }
+};
+function isFrameworkResponse(request) {
+  if (isRedirect(request.statusCode)) return true;
+  if (request.path?.startsWith("/__")) return true;
+  if (request.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  severity: "warning",
+  name: "Insecure Cookie",
+  hint: RULE_HINTS["insecure-cookie"],
+  check(ctx) {
+    const cookieEntries = [];
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      if (isFrameworkResponse(request)) continue;
+      const setCookie = request.responseHeaders["set-cookie"];
+      if (!setCookie) continue;
+      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
+      for (const cookie of cookies) {
+        cookieEntries.push({ cookie });
       }
-      const finding = {
-        severity: "critical",
-        rule: "token-in-url",
-        title: "Auth Token in URL",
-        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+    }
+    return deduplicateFindings(cookieEntries, ({ cookie }) => {
+      const cookieName = cookie.trim().split("=")[0].trim();
+      const lower = cookie.toLowerCase();
+      const issues = [];
+      if (!lower.includes("httponly")) issues.push("HttpOnly");
+      if (!lower.includes("samesite")) issues.push("SameSite");
+      if (issues.length === 0) return null;
+      return {
+        key: `${cookieName}:${issues.join(",")}`,
+        finding: {
+          severity: "warning",
+          rule: "insecure-cookie",
+          title: "Insecure Cookie",
+          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Missing: ${issues.join(", ")}. ${issues.includes("HttpOnly") ? "Cookie accessible via JavaScript (XSS risk). " : ""}${issues.includes("SameSite") ? "Cookie sent on cross-site requests (CSRF risk)." : ""}`,
+          endpoint: cookieName,
+          count: 1
+        }
+      };
+    });
+  }
+};
+var corsCredentialsRule = {
+  id: "cors-credentials",
+  severity: "warning",
+  name: "CORS Credentials with Wildcard",
+  hint: RULE_HINTS["cors-credentials"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      const origin = request.responseHeaders["access-control-allow-origin"];
+      const creds = request.responseHeaders["access-control-allow-credentials"];
+      if (origin !== "*" || creds !== "true") continue;
+      const ep = `${request.method} ${request.path}`;
+      if (seen.has(ep)) continue;
+      seen.add(ep);
+      findings.push({
+        severity: "warning",
+        rule: "cors-credentials",
+        title: "CORS Credentials with Wildcard",
+        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
         hint: this.hint,
         endpoint: ep,
         count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
+      });
     }
     return findings;
   }
 };
 
-// src/analysis/rules/stack-trace-leak.ts
+// src/analysis/rules/data-rules.ts
 var stackTraceLeakRule = {
   id: "stack-trace-leak",
   severity: "critical",
   name: "Stack Trace Leaked to Client",
   hint: RULE_HINTS["stack-trace-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "stack-trace-leak",
-        title: "Stack Trace Leaked to Client",
-        desc: `${ep} \u2014 response exposes internal stack trace`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (!request.responseBody) return null;
+      if (!STACK_TRACE_RE.test(request.responseBody)) return null;
+      const ep = `${request.method} ${request.path}`;
+      const firstLine = request.responseBody.split("\n").find((l) => STACK_TRACE_RE.test(l))?.trim() ?? "";
+      return {
+        key: ep,
+        finding: {
+          severity: "critical",
+          rule: "stack-trace-leak",
+          title: "Stack Trace Leaked to Client",
+          desc: `${ep} \u2014 response exposes internal stack trace`,
+          hint: this.hint,
+          detail: firstLine ? `Stack trace: ${firstLine.slice(0, DETAIL_PREVIEW_LENGTH)}` : void 0,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/error-info-leak.ts
 var CRITICAL_PATTERNS = [
   { re: DB_CONN_RE, label: "database connection string" },
   { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
@@ -680,90 +799,35 @@ var errorInfoLeakRule = {
   name: "Sensitive Data in Error Response",
   hint: RULE_HINTS["error-info-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
-      const ep = `${r.method} ${r.path}`;
-      for (const p of CRITICAL_PATTERNS) {
-        if (!p.re.test(r.responseBody)) continue;
-        const dedupKey = `${ep}:${p.label}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
+    const entries = [];
+    for (const request of ctx.requests) {
+      if (request.statusCode < 400) continue;
+      if (!request.responseBody) continue;
+      if (request.responseHeaders["x-nextjs-error"] || request.responseHeaders["x-nextjs-matched-path"]) continue;
+      const ep = `${request.method} ${request.path}`;
+      for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.re.test(request.responseBody)) {
+          entries.push({ ep, pattern, body: request.responseBody });
         }
-        const finding = {
+      }
+    }
+    return deduplicateFindings(entries, ({ ep, pattern }) => {
+      return {
+        key: `${ep}:${pattern.label}`,
+        finding: {
           severity: "critical",
           rule: "error-info-leak",
           title: "Sensitive Data in Error Response",
-          desc: `${ep} \u2014 error response exposes ${p.label}`,
+          desc: `${ep} \u2014 error response exposes ${pattern.label}`,
           hint: this.hint,
+          detail: `Detected: ${pattern.label} in error response body`,
           endpoint: ep,
           count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/insecure-cookie.ts
-function isFrameworkResponse(r) {
-  if (isRedirect(r.statusCode)) return true;
-  if (r.path?.startsWith("/__")) return true;
-  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
-  return false;
-}
-var insecureCookieRule = {
-  id: "insecure-cookie",
-  severity: "warning",
-  name: "Insecure Cookie",
-  hint: RULE_HINTS["insecure-cookie"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      if (isFrameworkResponse(r)) continue;
-      const setCookie = r.responseHeaders["set-cookie"];
-      if (!setCookie) continue;
-      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
-      for (const cookie of cookies) {
-        const cookieName = cookie.trim().split("=")[0].trim();
-        const lower = cookie.toLowerCase();
-        const issues = [];
-        if (!lower.includes("httponly")) issues.push("HttpOnly");
-        if (!lower.includes("samesite")) issues.push("SameSite");
-        if (issues.length === 0) continue;
-        const dedupKey = `${cookieName}:${issues.join(",")}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
         }
-        const finding = {
-          severity: "warning",
-          rule: "insecure-cookie",
-          title: "Insecure Cookie",
-          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
-          hint: this.hint,
-          endpoint: cookieName,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
+      };
+    });
   }
 };
-
-// src/analysis/rules/sensitive-logs.ts
 var sensitiveLogsRule = {
   id: "sensitive-logs",
   severity: "warning",
@@ -788,58 +852,13 @@ var sensitiveLogsRule = {
     }];
   }
 };
-
-// src/analysis/rules/cors-credentials.ts
-var corsCredentialsRule = {
-  id: "cors-credentials",
-  severity: "warning",
-  name: "CORS Credentials with Wildcard",
-  hint: RULE_HINTS["cors-credentials"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      const origin = r.responseHeaders["access-control-allow-origin"];
-      const creds = r.responseHeaders["access-control-allow-credentials"];
-      if (origin !== "*" || creds !== "true") continue;
-      const ep = `${r.method} ${r.path}`;
-      if (seen.has(ep)) continue;
-      seen.add(ep);
-      findings.push({
-        severity: "warning",
-        rule: "cors-credentials",
-        title: "CORS Credentials with Wildcard",
-        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      });
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/response-pii-leak.ts
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-function findEmails(obj, depth = 0) {
-  const emails = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
-  if (!obj || typeof obj !== "object") return emails;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
-      emails.push(...findEmails(obj[i], depth + 1));
-    }
-    return emails;
-  }
-  for (const v of Object.values(obj)) {
-    if (typeof v === "string" && EMAIL_RE.test(v)) {
-      emails.push(v);
-    } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v, depth + 1));
-    }
-  }
-  return emails;
+function findEmails(obj) {
+  return collectFromObject(
+    obj,
+    (_key, val) => typeof val === "string" && EMAIL_RE.test(val) ? val : null,
+    { arrayLimit: PII_SCAN_ARRAY_LIMIT }
+  );
 }
 function topLevelFieldCount(obj) {
   if (Array.isArray(obj)) {
@@ -924,35 +943,33 @@ var responsePiiLeakRule = {
   name: "PII Leak in Response",
   hint: RULE_HINTS["response-pii-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      if (SELF_SERVICE_PATH.test(r.path)) continue;
-      const resJson = ctx.parsedBodies.response.get(r.id);
-      if (!resJson) continue;
-      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
-      const detection = detectPII(r.method, reqJson, resJson);
-      if (!detection) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "warning",
-        rule: "response-pii-leak",
-        title: "PII Leak in Response",
-        desc: `${ep} \u2014 exposes PII in response`,
-        hint: `Detection: ${REASON_LABELS[detection.reason]}. ${this.hint}`,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      if (SELF_SERVICE_PATH.test(request.path)) return null;
+      const resJson = ctx.parsedBodies.response.get(request.id);
+      if (!resJson) return null;
+      const reqJson = ctx.parsedBodies.request.get(request.id) ?? null;
+      const detection = detectPII(request.method, reqJson, resJson);
+      if (!detection) return null;
+      const ep = `${request.method} ${request.path}`;
+      const fieldCount = topLevelFieldCount(resJson);
+      const detailParts = [`Pattern: ${REASON_LABELS[detection.reason]}`];
+      if (detection.emailCount > 0) detailParts.push(`${detection.emailCount} email${detection.emailCount !== 1 ? "s" : ""} detected`);
+      if (fieldCount > 0) detailParts.push(`${fieldCount} fields per record`);
+      return {
+        key: ep,
+        finding: {
+          severity: "warning",
+          rule: "response-pii-leak",
+          title: "PII Leak in Response",
+          desc: `${ep} \u2014 exposes PII in response`,
+          hint: this.hint,
+          detail: detailParts.join(". "),
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
 
@@ -960,14 +977,14 @@ var responsePiiLeakRule = {
 function buildBodyCache(requests) {
   const response = /* @__PURE__ */ new Map();
   const request = /* @__PURE__ */ new Map();
-  for (const r of requests) {
-    if (r.responseBody) {
-      const parsed = tryParseJson(r.responseBody);
-      if (parsed != null) response.set(r.id, parsed);
+  for (const req of requests) {
+    if (req.responseBody) {
+      const parsed = tryParseJson(req.responseBody);
+      if (parsed != null) response.set(req.id, parsed);
     }
-    if (r.requestBody) {
-      const parsed = tryParseJson(r.requestBody);
-      if (parsed != null) request.set(r.id, parsed);
+    if (req.requestBody) {
+      const parsed = tryParseJson(req.requestBody);
+      if (parsed != null) request.set(req.id, parsed);
     }
   }
   return { response, request };
@@ -988,7 +1005,8 @@ var SecurityScanner = class {
     for (const rule of this.rules) {
       try {
         findings.push(...rule.check(ctx));
-      } catch {
+      } catch (e) {
+        brakitDebug(`rule ${rule.id} failed: ${getErrorMessage(e)}`);
       }
     }
     return findings;
@@ -1027,7 +1045,7 @@ var SubscriptionBag = class {
 // src/analysis/group.ts
 import { randomUUID } from "crypto";
 
-// src/constants/routes.ts
+// src/constants/labels.ts
 var DASHBOARD_PREFIX = "/__brakit";
 var DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
 var DASHBOARD_API_EVENTS = `${DASHBOARD_PREFIX}/api/events`;
@@ -1059,13 +1077,40 @@ var VALID_TABS_TUPLE = [
 ];
 var VALID_TABS = new Set(VALID_TABS_TUPLE);
 
-// src/constants/network.ts
+// src/constants/features.ts
 var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
 
+// src/utils/endpoint.ts
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var NUMERIC_ID_RE = /^\d+$/;
+var HEX_HASH_RE = /^[0-9a-f]{12,}$/i;
+var ALPHA_TOKEN_RE = /^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/;
+function isDynamicSegment(segment) {
+  return UUID_RE.test(segment) || NUMERIC_ID_RE.test(segment) || HEX_HASH_RE.test(segment) || ALPHA_TOKEN_RE.test(segment);
+}
+var DYNAMIC_SEGMENT_PLACEHOLDER = ":id";
+function normalizePath(path) {
+  const qIdx = path.indexOf("?");
+  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
+  return pathname.split("/").map((seg) => seg && isDynamicSegment(seg) ? DYNAMIC_SEGMENT_PLACEHOLDER : seg).join("/");
+}
+function getEndpointKey(method, path) {
+  return `${method} ${normalizePath(path)}`;
+}
+var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
+function extractEndpointFromDesc(desc) {
+  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
+}
+function stripQueryString(path) {
+  const i = path.indexOf("?");
+  return i === -1 ? path : path.slice(0, i);
+}
+
 // src/analysis/categorize.ts
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
   if (req.isStatic) return "static";
+  if (req.isHealthCheck) return "health-check";
   if (statusCode === 307 && (url.includes("__clerk_handshake") || url.includes("__clerk_db_jwt"))) {
     return "auth-handshake";
   }
@@ -1217,20 +1262,42 @@ function capitalize(s) {
 }
 
 // src/analysis/transforms.ts
-function markDuplicates(requests) {
+var DUPLICATE_CATEGORIES = /* @__PURE__ */ new Set(["data-fetch", "auth-check"]);
+function isDuplicateCandidate(req) {
+  return DUPLICATE_CATEGORIES.has(req.category);
+}
+function buildRequestKey(req) {
+  return `${req.method} ${stripQueryString(getEffectivePath(req))}`;
+}
+function isStrictModePattern(requests, counts) {
+  if (counts.size === 0 || ![...counts.values()].every((c) => c === 2)) {
+    return false;
+  }
+  const firstByKey = /* @__PURE__ */ new Map();
+  for (const req of requests) {
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
+    const first = firstByKey.get(key);
+    if (!first) {
+      firstByKey.set(key, req);
+    } else if (Math.abs(req.startedAt - first.startedAt) > STRICT_MODE_MAX_GAP_MS) {
+      return false;
+    }
+  }
+  return true;
+}
+function flagDuplicateRequests(requests) {
   const counts = /* @__PURE__ */ new Map();
   for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
     counts.set(key, (counts.get(key) ?? 0) + 1);
   }
-  const isStrictMode = counts.size > 0 && [...counts.values()].every((c) => c === 2);
+  const isStrictMode = isStrictModePattern(requests, counts);
   const seen = /* @__PURE__ */ new Set();
   for (const req of requests) {
-    if (req.category !== "data-fetch" && req.category !== "auth-check")
-      continue;
-    const key = `${req.method} ${getEffectivePath(req).split("?")[0]}`;
+    if (!isDuplicateCandidate(req)) continue;
+    const key = buildRequestKey(req);
     if (seen.has(key)) {
       if (isStrictMode) {
         req.isStrictModeDupe = true;
@@ -1242,20 +1309,20 @@ function markDuplicates(requests) {
     }
   }
 }
-function collapsePolling(requests) {
+function mergePollingSequences(requests) {
   const result = [];
   let i = 0;
   while (i < requests.length) {
     const current = requests[i];
-    const currentEffective = getEffectivePath(current).split("?")[0];
+    const currentEffective = stripQueryString(getEffectivePath(current));
     if (current.method === "GET" && current.category === "data-fetch") {
-      let j = i + 1;
-      while (j < requests.length && requests[j].method === "GET" && getEffectivePath(requests[j]).split("?")[0] === currentEffective) {
-        j++;
+      let nextIndex = i + 1;
+      while (nextIndex < requests.length && requests[nextIndex].method === "GET" && stripQueryString(getEffectivePath(requests[nextIndex])) === currentEffective) {
+        nextIndex++;
       }
-      const count = j - i;
+      const count = nextIndex - i;
       if (count >= MIN_POLLING_SEQUENCE) {
-        const last = requests[j - 1];
+        const last = requests[nextIndex - 1];
         const pollingDuration = last.startedAt + last.durationMs - current.startedAt;
         const endpointName = prettifyEndpoint(currentEffective);
         result.push({
@@ -1266,7 +1333,7 @@ function collapsePolling(requests) {
           pollingDurationMs: pollingDuration,
           isDuplicate: false
         });
-        i = j;
+        i = nextIndex;
         continue;
       }
     }
@@ -1279,18 +1346,18 @@ function formatDurationLabel(ms) {
   if (ms < 1e3) return `${ms}ms`;
   return `${(ms / 1e3).toFixed(1)}s`;
 }
-function detectWarnings(requests) {
+function collectRequestWarnings(requests) {
   const warnings = [];
   const duplicateCount = requests.filter((r) => r.isDuplicate).length;
   if (duplicateCount > 0) {
     const unique = new Set(
-      requests.filter((r) => r.isDuplicate).map((r) => `${r.method} ${getEffectivePath(r).split("?")[0]}`)
+      requests.filter((r) => r.isDuplicate).map((r) => buildRequestKey(r))
     );
     const endpoints = unique.size;
     const sameData = requests.filter((r) => r.isDuplicate).every((r) => {
-      const key = `${r.method} ${getEffectivePath(r).split("?")[0]}`;
+      const key = buildRequestKey(r);
       const first = requests.find(
-        (o) => !o.isDuplicate && `${o.method} ${getEffectivePath(o).split("?")[0]}` === key
+        (o) => !o.isDuplicate && buildRequestKey(o) === key
       );
       return first && first.responseBody === r.responseBody;
     });
@@ -1313,6 +1380,14 @@ function detectWarnings(requests) {
 }
 
 // src/analysis/group.ts
+function shouldStartNewFlow(labeled, currentRequests, lastEndTime, currentSourcePage, startedAt) {
+  if (currentRequests.length === 0) return false;
+  const sourcePage = labeled.sourcePage;
+  const isNewPage = sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
+  const isTimeGap = startedAt - lastEndTime > FLOW_GAP_MS;
+  const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
+  return isNewPage || isTimeGap || isPageLoad;
+}
 function groupRequestsIntoFlows(requests) {
   if (requests.length === 0) return [];
   const flows = [];
@@ -1323,17 +1398,12 @@ function groupRequestsIntoFlows(requests) {
     if (req.path.startsWith(DASHBOARD_PREFIX)) continue;
     const labeled = labelRequest(req);
     if (labeled.category === "static") continue;
-    const sourcePage = labeled.sourcePage;
-    const gap = currentRequests.length > 0 ? req.startedAt - lastEndTime : 0;
-    const isNewPage = currentRequests.length > 0 && sourcePage !== void 0 && currentSourcePage !== void 0 && sourcePage !== currentSourcePage;
-    const isPageLoad = labeled.category === "page-load" || labeled.category === "navigation";
-    const isTimeGap = currentRequests.length > 0 && gap > FLOW_GAP_MS;
-    if (currentRequests.length > 0 && (isNewPage || isTimeGap || isPageLoad)) {
+    if (shouldStartNewFlow(labeled, currentRequests, lastEndTime, currentSourcePage, req.startedAt)) {
       flows.push(buildFlow(currentRequests));
       currentRequests = [];
     }
     currentRequests.push(labeled);
-    currentSourcePage = sourcePage ?? currentSourcePage;
+    currentSourcePage = labeled.sourcePage ?? currentSourcePage;
     lastEndTime = Math.max(lastEndTime, req.startedAt + req.durationMs);
   }
   if (currentRequests.length > 0) {
@@ -1342,8 +1412,8 @@ function groupRequestsIntoFlows(requests) {
   return flows;
 }
 function buildFlow(rawRequests) {
-  markDuplicates(rawRequests);
-  const requests = collapsePolling(rawRequests);
+  flagDuplicateRequests(rawRequests);
+  const requests = mergePollingSequences(rawRequests);
   const first = requests[0];
   const startTime = first.startedAt;
   const endTime = Math.max(
@@ -1362,7 +1432,7 @@ function buildFlow(rawRequests) {
     startTime,
     totalDurationMs: Math.round(endTime - startTime),
     hasErrors: requests.some((r) => isErrorStatus(r.statusCode)),
-    warnings: detectWarnings(rawRequests),
+    warnings: collectRequestWarnings(rawRequests),
     sourcePage,
     redundancyPct
   };
@@ -1374,20 +1444,20 @@ function getDominantSourcePage(requests) {
       counts.set(req.sourcePage, (counts.get(req.sourcePage) ?? 0) + 1);
     }
   }
-  let best = "";
-  let bestCount = 0;
+  let mostCommonPage = "";
+  let highestCount = 0;
   for (const [page, count] of counts) {
-    if (count > bestCount) {
-      best = page;
-      bestCount = count;
+    if (count > highestCount) {
+      mostCommonPage = page;
+      highestCount = count;
     }
   }
-  return best || requests[0]?.path?.split("?")[0] || "/";
+  return mostCommonPage || (requests[0]?.path ? stripQueryString(requests[0].path) : "") || "/";
 }
 function deriveFlowLabel(requests, sourcePage) {
   const trigger = requests.find((r) => r.category === "api-call") ?? requests.find((r) => r.category === "server-action") ?? requests.find((r) => r.category === "page-load") ?? requests.find((r) => r.category === "navigation") ?? requests.find((r) => r.category === "data-fetch") ?? requests[0];
   if (trigger.category === "page-load" || trigger.category === "navigation") {
-    const pageName = prettifyPageName(trigger.path.split("?")[0]);
+    const pageName = prettifyPageName(stripQueryString(trigger.path));
     return `${pageName} Page`;
   }
   if (trigger.category === "api-call") {
@@ -1412,67 +1482,23 @@ function deriveFlowLabel(requests, sourcePage) {
   return trigger.label;
 }
 
-// src/utils/collections.ts
-function groupBy(items, keyFn) {
-  const map = /* @__PURE__ */ new Map();
-  for (const item of items) {
-    const key = keyFn(item);
-    if (key == null) continue;
-    let arr = map.get(key);
-    if (!arr) {
-      arr = [];
-      map.set(key, arr);
-    }
-    arr.push(item);
-  }
-  return map;
-}
-
-// src/utils/endpoint.ts
-var DYNAMIC_SEGMENT_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^\d+$|^[0-9a-f]{12,}$|^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/i;
-function normalizePath(path) {
-  const qIdx = path.indexOf("?");
-  const pathname = qIdx === -1 ? path : path.slice(0, qIdx);
-  return pathname.split("/").map((seg) => seg && DYNAMIC_SEGMENT_RE.test(seg) ? ":id" : seg).join("/");
-}
-function getEndpointKey(method, path) {
-  return `${method} ${normalizePath(path)}`;
-}
-var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
-function extractEndpointFromDesc(desc) {
-  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
-}
-
 // src/instrument/adapters/normalize.ts
+var VALID_OPS = /* @__PURE__ */ new Set(["SELECT", "INSERT", "UPDATE", "DELETE"]);
+var TABLE_RE = /(?:FROM|INTO|UPDATE)\s+(?:"?\w+"?\.)?"?(\w+)"?/i;
 function normalizeSQL(sql) {
   if (!sql) return { op: "OTHER", table: "" };
   const trimmed = sql.trim();
-  const op = trimmed.split(/\s+/)[0].toUpperCase();
-  if (/SELECT\s+COUNT/i.test(trimmed)) {
-    const match = trimmed.match(/FROM\s+"?\w+"?\."?(\w+)"?/i);
-    return { op: "SELECT", table: match?.[1] ?? "" };
-  }
-  const tableMatch = trimmed.match(/(?:FROM|INTO|UPDATE)\s+"?\w+"?\."?(\w+)"?/i);
-  const table = tableMatch?.[1] ?? "";
-  switch (op) {
-    case "SELECT":
-      return { op: "SELECT", table };
-    case "INSERT":
-      return { op: "INSERT", table };
-    case "UPDATE":
-      return { op: "UPDATE", table };
-    case "DELETE":
-      return { op: "DELETE", table };
-    default:
-      return { op: "OTHER", table };
-  }
-}
+  const keyword = trimmed.split(/\s+/, 1)[0].toUpperCase();
+  const op = VALID_OPS.has(keyword) ? keyword : "OTHER";
+  const table = trimmed.match(TABLE_RE)?.[1] ?? "";
+  return { op, table };
+}
+var SQL_PARAM_MARKER = /\$\d+/g;
+var SQL_STRING_LITERAL = /'[^']*'/g;
+var SQL_NUMBER_LITERAL = /\b\d+(\.\d+)?\b/g;
 function normalizeQueryParams(sql) {
   if (!sql) return null;
-  let n = sql.replace(/'[^']*'/g, "?");
-  n = n.replace(/\b\d+(\.\d+)?\b/g, "?");
-  n = n.replace(/\$\d+/g, "?");
-  return n;
+  return sql.replace(SQL_PARAM_MARKER, "?").replace(SQL_STRING_LITERAL, "?").replace(SQL_NUMBER_LITERAL, "?");
 }
 
 // src/analysis/insights/query-helpers.ts
@@ -1489,7 +1515,7 @@ function getQueryInfo(q) {
 }
 
 // src/analysis/insights/prepare.ts
-function createEndpointGroup() {
+function emptyEndpointGroup() {
   return {
     total: 0,
     errors: 0,
@@ -1501,16 +1527,12 @@ function createEndpointGroup() {
     queryShapeDurations: /* @__PURE__ */ new Map()
   };
 }
-function windowByEndpoint(requests) {
+function keepRecentPerEndpoint(requests) {
   const byEndpoint = /* @__PURE__ */ new Map();
-  for (const r of requests) {
-    const ep = getEndpointKey(r.method, r.path);
-    let list = byEndpoint.get(ep);
-    if (!list) {
-      list = [];
-      byEndpoint.set(ep, list);
-    }
-    list.push(r);
+  for (const request of requests) {
+    const endpointKey = getEndpointKey(request.method, request.path);
+    const list = getOrCreate(byEndpoint, endpointKey, () => []);
+    list.push(request);
   }
   const windowed = [];
   for (const [, reqs] of byEndpoint) {
@@ -1518,54 +1540,67 @@ function windowByEndpoint(requests) {
   }
   return windowed;
 }
+function filterUserRequests(requests) {
+  return requests.filter(
+    (request) => !request.isStatic && !request.isHealthCheck && (!request.path || !request.path.startsWith(DASHBOARD_PREFIX))
+  );
+}
 function extractActiveEndpoints(requests) {
   const endpoints = /* @__PURE__ */ new Set();
-  for (const r of requests) {
-    if (!r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))) {
-      endpoints.add(getEndpointKey(r.method, r.path));
-    }
+  for (const request of filterUserRequests(requests)) {
+    endpoints.add(getEndpointKey(request.method, request.path));
   }
   return endpoints;
 }
-function prepareContext(ctx) {
-  const nonStatic = ctx.requests.filter(
-    (r) => !r.isStatic && (!r.path || !r.path.startsWith(DASHBOARD_PREFIX))
-  );
-  const queriesByReq = groupBy(ctx.queries, (q) => q.parentRequestId);
-  const fetchesByReq = groupBy(ctx.fetches, (f) => f.parentRequestId);
-  const reqById = new Map(nonStatic.map((r) => [r.id, r]));
-  const recent = windowByEndpoint(nonStatic);
+function aggregateEndpointMetrics(recent, queriesByReq, fetchesByReq) {
   const endpointGroups = /* @__PURE__ */ new Map();
-  for (const r of recent) {
-    const ep = getEndpointKey(r.method, r.path);
-    let g = endpointGroups.get(ep);
-    if (!g) {
-      g = createEndpointGroup();
-      endpointGroups.set(ep, g);
-    }
-    g.total++;
-    if (isErrorStatus(r.statusCode)) g.errors++;
-    g.totalDuration += r.durationMs;
-    g.totalSize += r.responseSize ?? 0;
-    const reqQueries = queriesByReq.get(r.id) ?? [];
-    g.queryCount += reqQueries.length;
-    for (const q of reqQueries) {
-      g.totalQueryTimeMs += q.durationMs;
-      const shape = getQueryShape(q);
-      const info = getQueryInfo(q);
-      let sd = g.queryShapeDurations.get(shape);
-      if (!sd) {
-        sd = { totalMs: 0, count: 0, label: info.op + (info.table ? ` ${info.table}` : "") };
-        g.queryShapeDurations.set(shape, sd);
-      }
-      sd.totalMs += q.durationMs;
-      sd.count++;
-    }
-    const reqFetches = fetchesByReq.get(r.id) ?? [];
-    for (const f of reqFetches) {
-      g.totalFetchTimeMs += f.durationMs;
-    }
-  }
+  for (const request of recent) {
+    const endpointKey = getEndpointKey(request.method, request.path);
+    const group = getOrCreate(endpointGroups, endpointKey, emptyEndpointGroup);
+    group.total++;
+    if (isErrorStatus(request.statusCode)) group.errors++;
+    group.totalDuration += request.durationMs;
+    group.totalSize += request.responseSize ?? 0;
+    const reqQueries = queriesByReq.get(request.id) ?? [];
+    group.queryCount += reqQueries.length;
+    for (const query of reqQueries) {
+      group.totalQueryTimeMs += query.durationMs;
+      const shape = getQueryShape(query);
+      const info = getQueryInfo(query);
+      const shapeDuration = getOrCreate(group.queryShapeDurations, shape, () => ({
+        totalMs: 0,
+        count: 0,
+        label: info.op + (info.table ? ` ${info.table}` : "")
+      }));
+      shapeDuration.totalMs += query.durationMs;
+      shapeDuration.count++;
+    }
+    const reqFetches = fetchesByReq.get(request.id) ?? [];
+    for (const fetch of reqFetches) {
+      group.totalFetchTimeMs += fetch.durationMs;
+    }
+  }
+  return endpointGroups;
+}
+function collectStrictModeDupeIds(ctx) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const flow of ctx.flows) {
+    for (const req of flow.requests) {
+      if (req.isStrictModeDupe) ids.add(req.id);
+    }
+  }
+  return ids;
+}
+function buildInsightContext(ctx) {
+  const strictModeDupeIds = collectStrictModeDupeIds(ctx);
+  const nonStatic = filterUserRequests(ctx.requests).filter((req) => !strictModeDupeIds.has(req.id));
+  const filteredQueries = strictModeDupeIds.size > 0 ? ctx.queries.filter((q) => !q.parentRequestId || !strictModeDupeIds.has(q.parentRequestId)) : ctx.queries;
+  const filteredFetches = strictModeDupeIds.size > 0 ? ctx.fetches.filter((f) => !f.parentRequestId || !strictModeDupeIds.has(f.parentRequestId)) : ctx.fetches;
+  const queriesByReq = groupBy(filteredQueries, (query) => query.parentRequestId);
+  const fetchesByReq = groupBy(filteredFetches, (fetch) => fetch.parentRequestId);
+  const reqById = new Map(nonStatic.map((request) => [request.id, request]));
+  const recent = keepRecentPerEndpoint(nonStatic);
+  const endpointGroups = aggregateEndpointMetrics(recent, queriesByReq, fetchesByReq);
   return {
     ...ctx,
     nonStatic,
@@ -1586,12 +1621,13 @@ var InsightRunner = class {
     this.rules.push(rule);
   }
   run(ctx) {
-    const prepared = prepareContext(ctx);
+    const prepared = buildInsightContext(ctx);
     const insights = [];
     for (const rule of this.rules) {
       try {
         insights.push(...rule.check(prepared));
-      } catch {
+      } catch (e) {
+        brakitDebug(`insight rule ${rule.id} failed: ${getErrorMessage(e)}`);
       }
     }
     insights.sort(
@@ -1601,338 +1637,121 @@ var InsightRunner = class {
   }
 };
 
-// src/analysis/insights/rules/n1.ts
+// src/analysis/insights/rules/query-rules.ts
 var n1Rule = {
   id: "n1",
   check(ctx) {
     const insights = [];
-    const seen = /* @__PURE__ */ new Set();
+    const reportedKeys = /* @__PURE__ */ new Set();
     for (const [reqId, reqQueries] of ctx.queriesByReq) {
       const req = ctx.reqById.get(reqId);
       if (!req) continue;
       const endpoint = getEndpointKey(req.method, req.path);
       const shapeGroups = /* @__PURE__ */ new Map();
-      for (const q of reqQueries) {
-        const shape = getQueryShape(q);
+      for (const query of reqQueries) {
+        const shape = getQueryShape(query);
         let group = shapeGroups.get(shape);
         if (!group) {
-          group = { count: 0, distinctSql: /* @__PURE__ */ new Set(), first: q };
+          group = { count: 0, distinctSql: /* @__PURE__ */ new Set(), first: query };
           shapeGroups.set(shape, group);
         }
         group.count++;
-        group.distinctSql.add(q.sql ?? shape);
+        group.distinctSql.add(query.sql ?? shape);
       }
-      for (const [, sg] of shapeGroups) {
-        if (sg.count <= N1_QUERY_THRESHOLD || sg.distinctSql.size <= 1) continue;
-        const info = getQueryInfo(sg.first);
+      for (const [, shapeGroup] of shapeGroups) {
+        if (shapeGroup.count <= N1_QUERY_THRESHOLD || shapeGroup.distinctSql.size <= 1) continue;
+        const info = getQueryInfo(shapeGroup.first);
         const key = `${endpoint}:${info.op}:${info.table || "unknown"}`;
-        if (seen.has(key)) continue;
-        seen.add(key);
+        if (reportedKeys.has(key)) continue;
+        reportedKeys.add(key);
         insights.push({
           severity: "critical",
           type: "n1",
           title: "N+1 Query Pattern",
-          desc: `${endpoint} runs ${sg.count}x ${info.op} ${info.table} with different params in a single request`,
+          desc: `${endpoint} runs ${shapeGroup.count}x ${info.op} ${info.table} with different params in a single request`,
           hint: "This typically happens when fetching related data in a loop. Use a batch query, JOIN, or include/eager-load to fetch all records at once.",
-          nav: "queries"
+          detail: `${shapeGroup.count} queries with ${shapeGroup.distinctSql.size} distinct param variations. Example: ${[...shapeGroup.distinctSql][0]?.slice(0, DETAIL_PREVIEW_LENGTH) ?? info.op + " " + info.table}`
         });
       }
     }
     return insights;
   }
 };
-
-// src/analysis/insights/rules/cross-endpoint.ts
-var crossEndpointRule = {
-  id: "cross-endpoint",
-  check(ctx) {
-    const insights = [];
-    const queryMap = /* @__PURE__ */ new Map();
-    const allEndpoints = /* @__PURE__ */ new Set();
-    for (const [reqId, reqQueries] of ctx.queriesByReq) {
-      const req = ctx.reqById.get(reqId);
-      if (!req) continue;
-      const endpoint = getEndpointKey(req.method, req.path);
-      allEndpoints.add(endpoint);
-      const seenInReq = /* @__PURE__ */ new Set();
-      for (const q of reqQueries) {
-        const shape = getQueryShape(q);
-        let entry = queryMap.get(shape);
-        if (!entry) {
-          entry = { endpoints: /* @__PURE__ */ new Set(), count: 0, first: q };
-          queryMap.set(shape, entry);
-        }
-        entry.count++;
-        if (!seenInReq.has(shape)) {
-          seenInReq.add(shape);
-          entry.endpoints.add(endpoint);
-        }
-      }
-    }
-    if (allEndpoints.size >= CROSS_ENDPOINT_MIN_ENDPOINTS) {
-      for (const [, cem] of queryMap) {
-        if (cem.count < CROSS_ENDPOINT_MIN_OCCURRENCES) continue;
-        if (cem.endpoints.size < CROSS_ENDPOINT_MIN_ENDPOINTS) continue;
-        const p = Math.round(cem.endpoints.size / allEndpoints.size * 100);
-        if (p < CROSS_ENDPOINT_PCT) continue;
-        const info = getQueryInfo(cem.first);
-        const label = info.op + (info.table ? ` ${info.table}` : "");
-        insights.push({
-          severity: "warning",
-          type: "cross-endpoint",
-          title: "Repeated Query Across Endpoints",
-          desc: `${label} runs on ${cem.endpoints.size} of ${allEndpoints.size} endpoints (${p}%).`,
-          hint: "This query runs on most of your endpoints. Load it once in middleware or cache the result to avoid redundant database calls.",
-          nav: "queries"
-        });
-      }
-    }
-    return insights;
-  }
-};
-
-// src/analysis/insights/rules/redundant-query.ts
 var redundantQueryRule = {
   id: "redundant-query",
   check(ctx) {
     const insights = [];
-    const seen = /* @__PURE__ */ new Set();
+    const reportedKeys = /* @__PURE__ */ new Set();
     for (const [reqId, reqQueries] of ctx.queriesByReq) {
       const req = ctx.reqById.get(reqId);
       if (!req) continue;
       const endpoint = getEndpointKey(req.method, req.path);
-      const exact = /* @__PURE__ */ new Map();
-      for (const q of reqQueries) {
-        if (!q.sql) continue;
-        let entry = exact.get(q.sql);
+      const identicalQueryMap = /* @__PURE__ */ new Map();
+      for (const query of reqQueries) {
+        if (!query.sql) continue;
+        let entry = identicalQueryMap.get(query.sql);
         if (!entry) {
-          entry = { count: 0, first: q };
-          exact.set(q.sql, entry);
+          entry = { count: 0, first: query };
+          identicalQueryMap.set(query.sql, entry);
         }
         entry.count++;
       }
-      for (const [, e] of exact) {
-        if (e.count < REDUNDANT_QUERY_MIN_COUNT) continue;
-        const info = getQueryInfo(e.first);
+      for (const [, entry] of identicalQueryMap) {
+        if (entry.count < REDUNDANT_QUERY_MIN_COUNT) continue;
+        const info = getQueryInfo(entry.first);
         const label = info.op + (info.table ? ` ${info.table}` : "");
-        const dedupKey = `${endpoint}:${label}`;
-        if (seen.has(dedupKey)) continue;
-        seen.add(dedupKey);
+        const deduplicationKey = `${endpoint}:${label}`;
+        if (reportedKeys.has(deduplicationKey)) continue;
+        reportedKeys.add(deduplicationKey);
         insights.push({
           severity: "warning",
           type: "redundant-query",
           title: "Redundant Query",
-          desc: `${label} runs ${e.count}x with identical params in ${endpoint}.`,
+          desc: `${label} runs ${entry.count}x with identical params in ${endpoint}.`,
           hint: "The exact same query with identical parameters runs multiple times in one request. Cache the first result or lift the query to a shared function.",
-          nav: "queries"
+          detail: entry.first.sql ? `Query: ${entry.first.sql.slice(0, DETAIL_PREVIEW_LENGTH)}` : void 0
         });
       }
     }
     return insights;
   }
 };
-
-// src/analysis/insights/rules/error.ts
-var errorRule = {
-  id: "error",
-  check(ctx) {
-    if (ctx.errors.length === 0) return [];
-    const insights = [];
-    const groups = /* @__PURE__ */ new Map();
-    for (const e of ctx.errors) {
-      const name = e.name || "Error";
-      groups.set(name, (groups.get(name) ?? 0) + 1);
-    }
-    for (const [name, cnt] of groups) {
-      insights.push({
-        severity: "critical",
-        type: "error",
-        title: "Unhandled Error",
-        desc: `${name} \u2014 occurred ${cnt} time${cnt !== 1 ? "s" : ""}`,
-        hint: "Unhandled errors crash request handlers. Wrap async code in try/catch or add error-handling middleware.",
-        nav: "errors"
-      });
-    }
-    return insights;
-  }
-};
-
-// src/analysis/insights/rules/error-hotspot.ts
-var errorHotspotRule = {
-  id: "error-hotspot",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const errorRate = Math.round(g.errors / g.total * 100);
-      if (errorRate >= ERROR_RATE_THRESHOLD_PCT) {
-        insights.push({
-          severity: "critical",
-          type: "error-hotspot",
-          title: "Error Hotspot",
-          desc: `${ep} \u2014 ${errorRate}% error rate (${g.errors}/${g.total} requests)`,
-          hint: "This endpoint frequently returns errors. Check the response bodies for error details and stack traces.",
-          nav: "requests"
-        });
-      }
-    }
-    return insights;
-  }
-};
-
-// src/analysis/insights/rules/duplicate.ts
-var duplicateRule = {
-  id: "duplicate",
-  check(ctx) {
-    const dupCounts = /* @__PURE__ */ new Map();
-    const flowCount = /* @__PURE__ */ new Map();
-    for (const flow of ctx.flows) {
-      if (!flow.requests) continue;
-      const seenInFlow = /* @__PURE__ */ new Set();
-      for (const fr of flow.requests) {
-        if (!fr.isDuplicate) continue;
-        const dupKey = `${fr.method} ${fr.label ?? fr.path ?? fr.url}`;
-        dupCounts.set(dupKey, (dupCounts.get(dupKey) ?? 0) + 1);
-        if (!seenInFlow.has(dupKey)) {
-          seenInFlow.add(dupKey);
-          flowCount.set(dupKey, (flowCount.get(dupKey) ?? 0) + 1);
-        }
-      }
-    }
-    const dupEntries = [...dupCounts.entries()].map(([key, count]) => ({ key, count, flows: flowCount.get(key) ?? 0 })).sort((a, b) => b.count - a.count);
-    const insights = [];
-    for (let i = 0; i < Math.min(dupEntries.length, MAX_DUPLICATE_INSIGHTS); i++) {
-      const d = dupEntries[i];
-      insights.push({
-        severity: "warning",
-        type: "duplicate",
-        title: "Duplicate API Call",
-        desc: `${d.key} loaded ${d.count}x as duplicate across ${d.flows} action${d.flows !== 1 ? "s" : ""}`,
-        hint: "Multiple components independently fetch the same endpoint. Lift the fetch to a parent component, use a data cache, or deduplicate with React Query / SWR.",
-        nav: "actions"
-      });
-    }
-    return insights;
-  }
-};
-
-// src/utils/format.ts
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
-}
-function formatSize(bytes) {
-  if (bytes < 1024) return `${bytes}B`;
-  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
-  return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
-}
-function pct(part, total) {
-  return total > 0 ? Math.round(part / total * 100) : 0;
-}
-
-// src/analysis/insights/rules/slow.ts
-var slowRule = {
-  id: "slow",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const avgMs = Math.round(g.totalDuration / g.total);
-      if (avgMs < SLOW_ENDPOINT_THRESHOLD_MS) continue;
-      const avgQueryMs = Math.round(g.totalQueryTimeMs / g.total);
-      const avgFetchMs = Math.round(g.totalFetchTimeMs / g.total);
-      const avgAppMs = Math.max(0, avgMs - avgQueryMs - avgFetchMs);
-      const parts = [];
-      if (avgQueryMs > 0) parts.push(`DB ${formatDuration(avgQueryMs)} ${pct(avgQueryMs, avgMs)}%`);
-      if (avgFetchMs > 0) parts.push(`Fetch ${formatDuration(avgFetchMs)} ${pct(avgFetchMs, avgMs)}%`);
-      if (avgAppMs > 0) parts.push(`App ${formatDuration(avgAppMs)} ${pct(avgAppMs, avgMs)}%`);
-      const breakdown = parts.length > 0 ? ` [${parts.join(" \xB7 ")}]` : "";
-      let detail;
-      let slowestMs = 0;
-      for (const [, sd] of g.queryShapeDurations) {
-        const avgShapeMs = sd.totalMs / sd.count;
-        if (avgShapeMs > slowestMs) {
-          slowestMs = avgShapeMs;
-          detail = `Slowest query: ${sd.label} \u2014 avg ${formatDuration(Math.round(avgShapeMs))} (${sd.count}x)`;
-        }
-      }
-      insights.push({
-        severity: "warning",
-        type: "slow",
-        title: "Slow Endpoint",
-        desc: `${ep} \u2014 avg ${formatDuration(avgMs)}${breakdown}`,
-        hint: avgQueryMs >= avgFetchMs && avgQueryMs >= avgAppMs ? "Most time is in database queries. Check the Queries tab for slow or redundant queries." : avgFetchMs >= avgQueryMs && avgFetchMs >= avgAppMs ? "Most time is in outbound HTTP calls. Check if upstream services are slow or if calls can be parallelized." : "Most time is in application code. Profile the handler for CPU-heavy operations or blocking calls.",
-        detail,
-        nav: "requests"
-      });
-    }
-    return insights;
-  }
-};
-
-// src/analysis/insights/rules/query-heavy.ts
-var queryHeavyRule = {
-  id: "query-heavy",
-  check(ctx) {
-    const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < MIN_REQUESTS_FOR_INSIGHT) continue;
-      const avgQueries = Math.round(g.queryCount / g.total);
-      if (avgQueries > HIGH_QUERY_COUNT_PER_REQ) {
-        insights.push({
-          severity: "warning",
-          type: "query-heavy",
-          title: "Query-Heavy Endpoint",
-          desc: `${ep} \u2014 avg ${avgQueries} queries/request`,
-          hint: "Too many queries per request increases latency. Combine queries with JOINs, use batch operations, or reduce the number of data fetches.",
-          nav: "queries"
-        });
-      }
-    }
-    return insights;
-  }
-};
-
-// src/analysis/insights/rules/select-star.ts
 var selectStarRule = {
   id: "select-star",
   check(ctx) {
-    const seen = /* @__PURE__ */ new Map();
+    const tableCounts = /* @__PURE__ */ new Map();
     for (const [, reqQueries] of ctx.queriesByReq) {
-      for (const q of reqQueries) {
-        if (!q.sql) continue;
-        const isSelectStar = SELECT_STAR_RE.test(q.sql.trim()) || SELECT_DOT_STAR_RE.test(q.sql);
+      for (const query of reqQueries) {
+        if (!query.sql) continue;
+        const isSelectStar = SELECT_STAR_RE.test(query.sql.trim()) || SELECT_DOT_STAR_RE.test(query.sql);
         if (!isSelectStar) continue;
-        const info = getQueryInfo(q);
-        const key = info.table || "unknown";
-        seen.set(key, (seen.get(key) ?? 0) + 1);
+        const info = getQueryInfo(query);
+        const table = info.table || "unknown";
+        tableCounts.set(table, (tableCounts.get(table) ?? 0) + 1);
       }
     }
     const insights = [];
-    for (const [table, count] of seen) {
+    for (const [table, count] of tableCounts) {
       if (count < OVERFETCH_MIN_REQUESTS) continue;
       insights.push({
         severity: "warning",
         type: "select-star",
         title: "SELECT * Query",
         desc: `SELECT * on ${table} \u2014 ${count} occurrence${count !== 1 ? "s" : ""}`,
-        hint: "SELECT * fetches all columns including ones you don\u2019t need. Specify only required columns to reduce data transfer and memory usage.",
-        nav: "queries"
+        hint: "SELECT * fetches all columns including ones you don\u2019t need. Specify only required columns to reduce data transfer and memory usage."
       });
     }
     return insights;
   }
 };
-
-// src/analysis/insights/rules/high-rows.ts
 var highRowsRule = {
   id: "high-rows",
   check(ctx) {
     const seen = /* @__PURE__ */ new Map();
     for (const [, reqQueries] of ctx.queriesByReq) {
-      for (const q of reqQueries) {
-        if (!q.rowCount || q.rowCount <= HIGH_ROW_COUNT) continue;
-        const info = getQueryInfo(q);
+      for (const query of reqQueries) {
+        if (!query.rowCount || query.rowCount <= HIGH_ROW_COUNT) continue;
+        const info = getQueryInfo(query);
         const key = `${info.op} ${info.table || "unknown"}`;
         let entry = seen.get(key);
         if (!entry) {
@@ -1940,7 +1759,7 @@ var highRowsRule = {
           seen.set(key, entry);
         }
         entry.count++;
-        if (q.rowCount > entry.max) entry.max = q.rowCount;
+        if (query.rowCount > entry.max) entry.max = query.rowCount;
       }
     }
     const insights = [];
@@ -1951,28 +1770,62 @@ var highRowsRule = {
         type: "high-rows",
         title: "Large Result Set",
         desc: `${key} returns ${hrs.max}+ rows (${hrs.count}x)`,
-        hint: "Fetching many rows slows responses and wastes memory. Add a LIMIT clause, implement pagination, or filter with a WHERE condition.",
-        nav: "queries"
+        hint: "Fetching many rows slows responses and wastes memory. Add a LIMIT clause, implement pagination, or filter with a WHERE condition."
       });
     }
     return insights;
   }
 };
+var queryHeavyRule = {
+  id: "query-heavy",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const avgQueries = Math.round(group.queryCount / group.total);
+      if (avgQueries > HIGH_QUERY_COUNT_PER_REQ) {
+        insights.push({
+          severity: "warning",
+          type: "query-heavy",
+          title: "Query-Heavy Endpoint",
+          desc: `${endpointKey} \u2014 avg ${avgQueries} queries/request`,
+          hint: "Too many queries per request increases latency. Combine queries with JOINs, use batch operations, or reduce the number of data fetches."
+        });
+      }
+    }
+    return insights;
+  }
+};
 
-// src/analysis/insights/rules/response-overfetch.ts
+// src/utils/format.ts
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+function formatSize(bytes) {
+  if (bytes < 1024) return `${bytes}B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+}
+function pct(part, total) {
+  return total > 0 ? Math.round(part / total * 100) : 0;
+}
+
+// src/analysis/insights/rules/response-rules.ts
 var responseOverfetchRule = {
   id: "response-overfetch",
   check(ctx) {
     const insights = [];
     const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.nonStatic) {
-      if (isErrorStatus(r.statusCode) || !r.responseBody) continue;
-      const ep = getEndpointKey(r.method, r.path);
-      if (seen.has(ep)) continue;
+    for (const request of ctx.nonStatic) {
+      if (isErrorStatus(request.statusCode) || !request.responseBody) continue;
+      const endpointKey = getEndpointKey(request.method, request.path);
+      if (seen.has(endpointKey)) continue;
       let parsed;
       try {
-        parsed = JSON.parse(r.responseBody);
-      } catch {
+        parsed = JSON.parse(request.responseBody);
+      } catch (e) {
+        brakitDebug(`json parse: ${getErrorMessage(e)}`);
         continue;
       }
       const target = unwrapResponse(parsed);
@@ -1995,37 +1848,33 @@ var responseOverfetchRule = {
         reasons.push(`${fields.length} fields returned`);
       }
       if (reasons.length > 0) {
-        seen.add(ep);
+        seen.add(endpointKey);
         insights.push({
           severity: "info",
           type: "response-overfetch",
           title: "Response Overfetch",
-          desc: `${ep} \u2014 ${reasons.join(", ")}`,
-          hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure.",
-          nav: "requests"
+          desc: `${endpointKey} \u2014 ${reasons.join(", ")}`,
+          hint: "This response returns more data than the client likely needs. Use a DTO or select only required fields to reduce payload size and avoid leaking internal structure."
         });
       }
     }
     return insights;
   }
 };
-
-// src/analysis/insights/rules/large-response.ts
 var largeResponseRule = {
   id: "large-response",
   check(ctx) {
     const insights = [];
-    for (const [ep, g] of ctx.endpointGroups) {
-      if (g.total < OVERFETCH_MIN_REQUESTS) continue;
-      const avgSize = Math.round(g.totalSize / g.total);
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < OVERFETCH_MIN_REQUESTS) continue;
+      const avgSize = Math.round(group.totalSize / group.total);
       if (avgSize > LARGE_RESPONSE_BYTES) {
         insights.push({
           severity: "info",
           type: "large-response",
           title: "Large Response",
-          desc: `${ep} \u2014 avg ${formatSize(avgSize)} response`,
-          hint: "Large API responses increase network transfer time. Implement pagination, field filtering, or response compression.",
-          nav: "requests"
+          desc: `${endpointKey} \u2014 avg ${formatSize(avgSize)} response`,
+          hint: "Large API responses increase network transfer time. Implement pagination, field filtering, or response compression."
         });
       }
     }
@@ -2033,7 +1882,50 @@ var largeResponseRule = {
   }
 };
 
-// src/analysis/insights/rules/regression.ts
+// src/analysis/insights/rules/reliability-rules.ts
+var errorRule = {
+  id: "error",
+  check(ctx) {
+    if (ctx.errors.length === 0) return [];
+    const insights = [];
+    const groups = /* @__PURE__ */ new Map();
+    for (const error of ctx.errors) {
+      const name = error.name || "Error";
+      groups.set(name, (groups.get(name) ?? 0) + 1);
+    }
+    for (const [name, cnt] of groups) {
+      insights.push({
+        severity: "critical",
+        type: "error",
+        title: "Unhandled Error",
+        desc: `${name} \u2014 occurred ${cnt} time${cnt !== 1 ? "s" : ""}`,
+        hint: "Unhandled errors crash request handlers. Wrap async code in try/catch or add error-handling middleware.",
+        detail: ctx.errors.find((e) => e.name === name)?.message
+      });
+    }
+    return insights;
+  }
+};
+var errorHotspotRule = {
+  id: "error-hotspot",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const errorRate = Math.round(group.errors / group.total * 100);
+      if (errorRate >= ERROR_RATE_THRESHOLD_PCT) {
+        insights.push({
+          severity: "critical",
+          type: "error-hotspot",
+          title: "Error Hotspot",
+          desc: `${endpointKey} \u2014 ${errorRate}% error rate (${group.errors}/${group.total} requests)`,
+          hint: "This endpoint frequently returns errors. Check the response bodies for error details and stack traces."
+        });
+      }
+    }
+    return insights;
+  }
+};
 var regressionRule = {
   id: "regression",
   check(ctx) {
@@ -2052,8 +1944,7 @@ var regressionRule = {
           type: "regression",
           title: "Performance Regression",
           desc: `${epMetrics.endpoint} p95 degraded ${formatDuration(prev.p95DurationMs)} \u2192 ${formatDuration(current.p95DurationMs)} (+${p95PctChange}%)`,
-          hint: "This endpoint is slower than the previous session. Check if recent code changes added queries or processing.",
-          nav: "graph"
+          hint: "This endpoint is slower than the previous session. Check if recent code changes added queries or processing."
         });
       }
       if (prev.avgQueryCount > 0 && current.avgQueryCount > prev.avgQueryCount * QUERY_COUNT_REGRESSION_RATIO) {
@@ -2062,8 +1953,137 @@ var regressionRule = {
           type: "regression",
           title: "Query Count Regression",
           desc: `${epMetrics.endpoint} queries/request increased ${prev.avgQueryCount} \u2192 ${current.avgQueryCount}`,
-          hint: "This endpoint is making more database queries than before. Check for new N+1 patterns or removed query optimizations.",
-          nav: "queries"
+          hint: "This endpoint is making more database queries than before. Check for new N+1 patterns or removed query optimizations."
+        });
+      }
+    }
+    return insights;
+  }
+};
+function getAdaptiveSlowThreshold(endpointKey, previousMetrics) {
+  if (!previousMetrics) return null;
+  const ep = previousMetrics.find((m) => m.endpoint === endpointKey);
+  if (!ep || ep.sessions.length < BASELINE_MIN_SESSIONS) return null;
+  const valid = ep.sessions.filter((s) => s.requestCount >= BASELINE_MIN_REQUESTS_PER_SESSION);
+  if (valid.length < BASELINE_MIN_SESSIONS) return null;
+  const p95s = valid.map((s) => s.p95DurationMs).sort((a, b) => a - b);
+  const medianP95 = p95s[Math.floor(p95s.length / 2)];
+  return medianP95 * 2;
+}
+var slowRule = {
+  id: "slow",
+  check(ctx) {
+    const insights = [];
+    for (const [endpointKey, group] of ctx.endpointGroups) {
+      if (group.total < MIN_REQUESTS_FOR_INSIGHT) continue;
+      const avgMs = Math.round(group.totalDuration / group.total);
+      const threshold = getAdaptiveSlowThreshold(endpointKey, ctx.previousMetrics);
+      if (threshold === null || avgMs < threshold) continue;
+      const avgQueryMs = Math.round(group.totalQueryTimeMs / group.total);
+      const avgFetchMs = Math.round(group.totalFetchTimeMs / group.total);
+      const avgAppMs = Math.max(0, avgMs - avgQueryMs - avgFetchMs);
+      const parts = [];
+      if (avgQueryMs > 0) parts.push(`DB ${formatDuration(avgQueryMs)} ${pct(avgQueryMs, avgMs)}%`);
+      if (avgFetchMs > 0) parts.push(`Fetch ${formatDuration(avgFetchMs)} ${pct(avgFetchMs, avgMs)}%`);
+      if (avgAppMs > 0) parts.push(`App ${formatDuration(avgAppMs)} ${pct(avgAppMs, avgMs)}%`);
+      const breakdown = parts.length > 0 ? ` [${parts.join(" \xB7 ")}]` : "";
+      let detail;
+      let slowestMs = 0;
+      for (const [, shapeDuration] of group.queryShapeDurations) {
+        const avgShapeMs = shapeDuration.totalMs / shapeDuration.count;
+        if (avgShapeMs > slowestMs) {
+          slowestMs = avgShapeMs;
+          detail = `Slowest query: ${shapeDuration.label} \u2014 avg ${formatDuration(Math.round(avgShapeMs))} (${shapeDuration.count}x)`;
+        }
+      }
+      insights.push({
+        severity: "warning",
+        type: "slow",
+        title: "Slow Endpoint",
+        desc: `${endpointKey} \u2014 avg ${formatDuration(avgMs)}${breakdown}`,
+        hint: avgQueryMs >= avgFetchMs && avgQueryMs >= avgAppMs ? "Most time is in database queries. Check the Queries tab for slow or redundant queries." : avgFetchMs >= avgQueryMs && avgFetchMs >= avgAppMs ? "Most time is in outbound HTTP calls. Check if upstream services are slow or if calls can be parallelized." : "Most time is in application code. Profile the handler for CPU-heavy operations or blocking calls.",
+        detail
+      });
+    }
+    return insights;
+  }
+};
+
+// src/analysis/insights/rules/pattern-rules.ts
+var duplicateRule = {
+  id: "duplicate",
+  check(ctx) {
+    const dupCounts = /* @__PURE__ */ new Map();
+    const flowCount = /* @__PURE__ */ new Map();
+    for (const flow of ctx.flows) {
+      if (!flow.requests) continue;
+      const seenInFlow = /* @__PURE__ */ new Set();
+      for (const request of flow.requests) {
+        if (!request.isDuplicate) continue;
+        const deduplicationKey = `${request.method} ${request.label ?? request.path ?? request.url}`;
+        dupCounts.set(deduplicationKey, (dupCounts.get(deduplicationKey) ?? 0) + 1);
+        if (!seenInFlow.has(deduplicationKey)) {
+          seenInFlow.add(deduplicationKey);
+          flowCount.set(deduplicationKey, (flowCount.get(deduplicationKey) ?? 0) + 1);
+        }
+      }
+    }
+    const dupEntries = [...dupCounts.entries()].map(([key, count]) => ({ key, count, flows: flowCount.get(key) ?? 0 })).sort((a, b) => b.count - a.count);
+    const insights = [];
+    for (let i = 0; i < Math.min(dupEntries.length, MAX_DUPLICATE_INSIGHTS); i++) {
+      const duplicate = dupEntries[i];
+      insights.push({
+        severity: "warning",
+        type: "duplicate",
+        title: "Duplicate API Call",
+        desc: `${duplicate.key} loaded ${duplicate.count}x as duplicate across ${duplicate.flows} action${duplicate.flows !== 1 ? "s" : ""}`,
+        hint: "Multiple components independently fetch the same endpoint. Lift the fetch to a parent component, use a data cache, or deduplicate with React Query / SWR."
+      });
+    }
+    return insights;
+  }
+};
+var crossEndpointRule = {
+  id: "cross-endpoint",
+  check(ctx) {
+    const insights = [];
+    const queryMap = /* @__PURE__ */ new Map();
+    const allEndpoints = /* @__PURE__ */ new Set();
+    for (const [reqId, reqQueries] of ctx.queriesByReq) {
+      const req = ctx.reqById.get(reqId);
+      if (!req) continue;
+      const endpoint = getEndpointKey(req.method, req.path);
+      allEndpoints.add(endpoint);
+      const seenInReq = /* @__PURE__ */ new Set();
+      for (const query of reqQueries) {
+        const shape = getQueryShape(query);
+        let entry = queryMap.get(shape);
+        if (!entry) {
+          entry = { endpoints: /* @__PURE__ */ new Set(), count: 0, first: query };
+          queryMap.set(shape, entry);
+        }
+        entry.count++;
+        if (!seenInReq.has(shape)) {
+          seenInReq.add(shape);
+          entry.endpoints.add(endpoint);
+        }
+      }
+    }
+    if (allEndpoints.size >= CROSS_ENDPOINT_MIN_ENDPOINTS) {
+      for (const [, queryMetric] of queryMap) {
+        if (queryMetric.count < CROSS_ENDPOINT_MIN_OCCURRENCES) continue;
+        if (queryMetric.endpoints.size < CROSS_ENDPOINT_MIN_ENDPOINTS) continue;
+        const coveragePct = Math.round(queryMetric.endpoints.size / allEndpoints.size * 100);
+        if (coveragePct < CROSS_ENDPOINT_PCT) continue;
+        const info = getQueryInfo(queryMetric.first);
+        const label = info.op + (info.table ? ` ${info.table}` : "");
+        insights.push({
+          severity: "warning",
+          type: "cross-endpoint",
+          title: "Repeated Query Across Endpoints",
+          desc: `${label} runs on ${queryMetric.endpoints.size} of ${allEndpoints.size} endpoints (${coveragePct}%).`,
+          hint: "This query runs on most of your endpoints. Load it once in middleware or cache the result to avoid redundant database calls.",
+          detail: `Endpoints: ${[...queryMetric.endpoints].slice(0, 5).join(", ")}${queryMetric.endpoints.size > 5 ? ` +${queryMetric.endpoints.size - 5} more` : ""}. Total: ${queryMetric.count} executions.`
         });
       }
     }
@@ -2076,13 +2096,13 @@ var securityRule = {
   id: "security",
   check(ctx) {
     if (!ctx.securityFindings) return [];
-    return ctx.securityFindings.map((f) => ({
-      severity: f.severity,
+    return ctx.securityFindings.map((finding) => ({
+      severity: finding.severity,
       type: "security",
-      title: f.title,
-      desc: f.desc,
-      hint: f.hint,
-      nav: "security"
+      title: finding.title,
+      desc: finding.desc,
+      hint: finding.hint,
+      detail: finding.detail
     }));
   }
 };
@@ -2125,8 +2145,7 @@ function insightToIssue(insight) {
     desc: insight.desc,
     hint: insight.hint,
     detail: insight.detail,
-    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0,
-    nav: insight.nav
+    endpoint: extractEndpointFromDesc(insight.desc) ?? void 0
   };
 }
 function securityFindingToIssue(finding) {
@@ -2137,15 +2156,15 @@ function securityFindingToIssue(finding) {
     title: finding.title,
     desc: finding.desc,
     hint: finding.hint,
-    endpoint: finding.endpoint,
-    nav: "security"
+    detail: finding.detail,
+    endpoint: finding.endpoint
   };
 }
 
 // src/analysis/engine.ts
 var AnalysisEngine = class {
-  constructor(registry, debounceMs = ANALYSIS_DEBOUNCE_MS) {
-    this.registry = registry;
+  constructor(services, debounceMs = ANALYSIS_DEBOUNCE_MS) {
+    this.services = services;
     this.debounceMs = debounceMs;
     this.cachedInsights = [];
     this.cachedFindings = [];
@@ -2154,7 +2173,7 @@ var AnalysisEngine = class {
     this.scanner = createDefaultScanner();
   }
   start() {
-    const bus = this.registry.get("event-bus");
+    const bus = this.services.bus;
     this.subs.add(bus.on("request:completed", () => this.scheduleRecompute()));
     this.subs.add(bus.on("telemetry:query", () => this.scheduleRecompute()));
     this.subs.add(bus.on("telemetry:error", () => this.scheduleRecompute()));
@@ -2181,12 +2200,12 @@ var AnalysisEngine = class {
     }, this.debounceMs);
   }
   recompute() {
-    const allRequests = this.registry.get("request-store").getAll();
-    const queries = this.registry.get("query-store").getAll();
-    const errors = this.registry.get("error-store").getAll();
-    const logs = this.registry.get("log-store").getAll();
-    const fetches = this.registry.get("fetch-store").getAll();
-    const requests = windowByEndpoint(allRequests);
+    const allRequests = this.services.requestStore.getAll();
+    const queries = this.services.queryStore.getAll();
+    const errors = this.services.errorStore.getAll();
+    const logs = this.services.logStore.getAll();
+    const fetches = this.services.fetchStore.getAll();
+    const requests = keepRecentPerEndpoint(allRequests);
     const flows = groupRequestsIntoFlows(requests);
     this.cachedFindings = this.scanner.scan({ requests, logs });
     this.cachedInsights = computeInsights({
@@ -2195,38 +2214,34 @@ var AnalysisEngine = class {
       errors,
       flows,
       fetches,
-      previousMetrics: this.registry.get("metrics-store").getAll(),
+      previousMetrics: this.services.metricsStore.getAll(),
       securityFindings: this.cachedFindings
     });
-    if (this.registry.has("issue-store")) {
-      const issueStore = this.registry.get("issue-store");
-      for (const finding of this.cachedFindings) {
-        issueStore.upsert(securityFindingToIssue(finding), "passive");
-      }
-      for (const insight of this.cachedInsights) {
-        issueStore.upsert(insightToIssue(insight), "passive");
-      }
-      const currentIssueIds = /* @__PURE__ */ new Set();
-      for (const finding of this.cachedFindings) {
-        currentIssueIds.add(computeIssueId(securityFindingToIssue(finding)));
-      }
-      for (const insight of this.cachedInsights) {
-        currentIssueIds.add(computeIssueId(insightToIssue(insight)));
-      }
-      const activeEndpoints = extractActiveEndpoints(allRequests);
-      issueStore.reconcile(currentIssueIds, activeEndpoints);
-      const update = {
-        insights: this.cachedInsights,
-        findings: this.cachedFindings,
-        issues: issueStore.getAll()
-      };
-      this.registry.get("event-bus").emit("analysis:updated", update);
-    }
+    const issueStore = this.services.issueStore;
+    const currentIssueIds = /* @__PURE__ */ new Set();
+    for (const finding of this.cachedFindings) {
+      const issue = securityFindingToIssue(finding);
+      issueStore.upsert(issue, "passive");
+      currentIssueIds.add(computeIssueId(issue));
+    }
+    for (const insight of this.cachedInsights) {
+      const issue = insightToIssue(insight);
+      issueStore.upsert(issue, "passive");
+      currentIssueIds.add(computeIssueId(issue));
+    }
+    const activeEndpoints = extractActiveEndpoints(allRequests);
+    issueStore.reconcile(currentIssueIds, activeEndpoints);
+    const update = {
+      insights: this.cachedInsights,
+      findings: this.cachedFindings,
+      issues: issueStore.getAll()
+    };
+    this.services.bus.emit("analysis:updated", update);
   }
 };
 
 // src/index.ts
-var VERSION = "0.8.7";
+var VERSION = "0.9.1";
 export {
   AdapterRegistry,
   AnalysisEngine,