brakit 0.8.7 → 0.9.1

package/dist/bin/brakit.js

@@ -9,10 +9,10 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/constants/limits.ts
-var PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_OBJECT_SCAN_DEPTH, ISSUE_PRUNE_TTL_MS;
-var init_limits = __esm({
-  "src/constants/limits.ts"() {
+// src/constants/config.ts
+var PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_OBJECT_SCAN_DEPTH, ISSUE_PRUNE_TTL_MS, OVERFETCH_UNWRAP_MIN_SIZE, STALE_ISSUE_TTL_MS, METRICS_DIR, PORT_FILE, VALID_ISSUE_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES, TELEMETRY_EVENT_CLI_INVOKED, TELEMETRY_EVENT_CLI_UNINSTALL, DETAIL_PREVIEW_LENGTH;
+var init_config = __esm({
+  "src/constants/config.ts"() {
     "use strict";
     PROJECT_HASH_LENGTH = 8;
     SECRET_SCAN_ARRAY_LIMIT = 5;
@@ -22,6 +22,16 @@ var init_limits = __esm({
     LIST_PII_MIN_ITEMS = 2;
     MAX_OBJECT_SCAN_DEPTH = 5;
     ISSUE_PRUNE_TTL_MS = 10 * 60 * 1e3;
+    OVERFETCH_UNWRAP_MIN_SIZE = 3;
+    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+    METRICS_DIR = ".brakit";
+    PORT_FILE = ".brakit/port";
+    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
+    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
+    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
+    TELEMETRY_EVENT_CLI_INVOKED = "cli_invoked";
+    TELEMETRY_EVENT_CLI_UNINSTALL = "cli_uninstall";
+    DETAIL_PREVIEW_LENGTH = 120;
   }
 });
 
@@ -40,17 +50,6 @@ var init_log = __esm({
   }
 });
 
-// src/constants/lifecycle.ts
-var VALID_ISSUE_STATES, VALID_AI_FIX_STATUSES, VALID_SECURITY_SEVERITIES;
-var init_lifecycle = __esm({
-  "src/constants/lifecycle.ts"() {
-    "use strict";
-    VALID_ISSUE_STATES = /* @__PURE__ */ new Set(["open", "fixing", "resolved", "stale", "regressed"]);
-    VALID_AI_FIX_STATUSES = /* @__PURE__ */ new Set(["fixed", "wont_fix"]);
-    VALID_SECURITY_SEVERITIES = /* @__PURE__ */ new Set(["critical", "warning"]);
-  }
-});
-
 // src/utils/type-guards.ts
 function isNonEmptyString(val) {
   return typeof val === "string" && val.trim().length > 0;
@@ -69,35 +68,14 @@ function isValidAiFixStatus(val) {
 var init_type_guards = __esm({
   "src/utils/type-guards.ts"() {
     "use strict";
-    init_lifecycle();
-    init_limits();
-  }
-});
-
-// src/constants/metrics.ts
-var METRICS_DIR, PORT_FILE;
-var init_metrics = __esm({
-  "src/constants/metrics.ts"() {
-    "use strict";
-    METRICS_DIR = ".brakit";
-    PORT_FILE = ".brakit/port";
-  }
-});
-
-// src/constants/thresholds.ts
-var OVERFETCH_UNWRAP_MIN_SIZE, STALE_ISSUE_TTL_MS;
-var init_thresholds = __esm({
-  "src/constants/thresholds.ts"() {
-    "use strict";
-    OVERFETCH_UNWRAP_MIN_SIZE = 3;
-    STALE_ISSUE_TTL_MS = 30 * 60 * 1e3;
+    init_config();
   }
 });
 
-// src/constants/routes.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS;
-var init_routes = __esm({
-  "src/constants/routes.ts"() {
+// src/constants/labels.ts
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
+var init_labels = __esm({
+  "src/constants/labels.ts"() {
     "use strict";
     DASHBOARD_PREFIX = "/__brakit";
     DASHBOARD_API_REQUESTS = `${DASHBOARD_PREFIX}/api/requests`;
@@ -129,78 +107,16 @@ var init_routes = __esm({
       "security"
     ];
     VALID_TABS = new Set(VALID_TABS_TUPLE);
+    POSTHOG_HOST = "https://us.i.posthog.com";
+    POSTHOG_CAPTURE_PATH = "/i/v0/e/";
+    POSTHOG_REQUEST_TIMEOUT_MS = 3e3;
   }
 });
 
-// src/constants/transport.ts
-var init_transport = __esm({
-  "src/constants/transport.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/headers.ts
-var init_headers = __esm({
-  "src/constants/headers.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/network.ts
-var RECOVERY_WINDOW_MS, PORT_MIN, PORT_MAX;
-var init_network = __esm({
-  "src/constants/network.ts"() {
-    "use strict";
-    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
-    PORT_MIN = 1;
-    PORT_MAX = 65535;
-  }
-});
-
-// src/constants/mcp.ts
-var MCP_SERVER_NAME, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER, MCP_SERVER_VERSION;
-var init_mcp = __esm({
-  "src/constants/mcp.ts"() {
-    "use strict";
-    MCP_SERVER_NAME = "brakit";
-    INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
-    LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
-    CLIENT_FETCH_TIMEOUT_MS = 1e4;
-    HEALTH_CHECK_TIMEOUT_MS = 3e3;
-    DISCOVERY_POLL_INTERVAL_MS = 500;
-    MAX_DISCOVERY_DEPTH = 5;
-    MAX_TIMELINE_EVENTS = 20;
-    MAX_RESOLVED_DISPLAY = 5;
-    ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.8.7";
-  }
-});
-
-// src/constants/encoding.ts
-var init_encoding = __esm({
-  "src/constants/encoding.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/severity.ts
-var init_severity = __esm({
-  "src/constants/severity.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/telemetry.ts
-var init_telemetry = __esm({
-  "src/constants/telemetry.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/cli.ts
-var SUPPORTED_SOURCE_EXTENSIONS, BUILD_CACHE_DIRS, FALLBACK_SCAN_DIRS;
-var init_cli = __esm({
-  "src/constants/cli.ts"() {
+// src/constants/features.ts
+var SUPPORTED_SOURCE_EXTENSIONS, BUILD_CACHE_DIRS, FALLBACK_SCAN_DIRS, MCP_SERVER_NAME, INITIAL_DISCOVERY_TIMEOUT_MS, LAZY_DISCOVERY_TIMEOUT_MS, CLIENT_FETCH_TIMEOUT_MS, HEALTH_CHECK_TIMEOUT_MS, DISCOVERY_POLL_INTERVAL_MS, MAX_DISCOVERY_DEPTH, MAX_TIMELINE_EVENTS, MAX_RESOLVED_DISPLAY, ENRICHMENT_SEVERITY_FILTER, MCP_SERVER_VERSION, RECOVERY_WINDOW_MS, PORT_MIN, PORT_MAX, DIR_MODE_OWNER_ONLY, FILE_MODE_OWNER_ONLY;
+var init_features = __esm({
+  "src/constants/features.ts"() {
     "use strict";
     SUPPORTED_SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([
       ".ts",
@@ -212,20 +128,22 @@ var init_cli = __esm({
     ]);
     BUILD_CACHE_DIRS = [".next", ".nuxt", ".output"];
     FALLBACK_SCAN_DIRS = ["src", "."];
-  }
-});
-
-// src/constants/timeline.ts
-var init_timeline = __esm({
-  "src/constants/timeline.ts"() {
-    "use strict";
-  }
-});
-
-// src/constants/sdk-events.ts
-var init_sdk_events = __esm({
-  "src/constants/sdk-events.ts"() {
-    "use strict";
+    MCP_SERVER_NAME = "brakit";
+    INITIAL_DISCOVERY_TIMEOUT_MS = 5e3;
+    LAZY_DISCOVERY_TIMEOUT_MS = 2e3;
+    CLIENT_FETCH_TIMEOUT_MS = 1e4;
+    HEALTH_CHECK_TIMEOUT_MS = 3e3;
+    DISCOVERY_POLL_INTERVAL_MS = 500;
+    MAX_DISCOVERY_DEPTH = 5;
+    MAX_TIMELINE_EVENTS = 20;
+    MAX_RESOLVED_DISPLAY = 5;
+    ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
+    MCP_SERVER_VERSION = "0.9.1";
+    RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
+    PORT_MIN = 1;
+    PORT_MAX = 65535;
+    DIR_MODE_OWNER_ONLY = 448;
+    FILE_MODE_OWNER_ONLY = 384;
   }
 });
 
@@ -233,21 +151,9 @@ var init_sdk_events = __esm({
 var init_constants = __esm({
   "src/constants/index.ts"() {
     "use strict";
-    init_routes();
-    init_limits();
-    init_thresholds();
-    init_transport();
-    init_metrics();
-    init_headers();
-    init_network();
-    init_mcp();
-    init_encoding();
-    init_severity();
-    init_telemetry();
-    init_lifecycle();
-    init_cli();
-    init_timeline();
-    init_sdk_events();
+    init_config();
+    init_labels();
+    init_features();
   }
 });
 
@@ -270,8 +176,8 @@ var BrakitClient;
 var init_client = __esm({
   "src/mcp/client.ts"() {
     "use strict";
-    init_routes();
-    init_mcp();
+    init_labels();
+    init_features();
     BrakitClient = class {
       constructor(baseUrl) {
         this.baseUrl = baseUrl;
@@ -409,8 +315,8 @@ async function searchForPort(startDir) {
   }
   return null;
 }
-async function discoverBrakitPort(cwd) {
-  const port = await searchForPort(cwd ?? process.cwd());
+async function discoverBrakitPort(cwd2) {
+  const port = await searchForPort(cwd2 ?? process.cwd());
   if (!port) {
     throw new Error(
       "Brakit is not running. Start your app with brakit enabled first."
@@ -418,11 +324,11 @@ async function discoverBrakitPort(cwd) {
   }
   return { port, baseUrl: `http://localhost:${port}` };
 }
-async function waitForBrakit(cwd, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTERVAL_MS) {
+async function waitForBrakit(cwd2, timeoutMs = 1e4, pollMs = DISCOVERY_POLL_INTERVAL_MS) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     try {
-      const result = await discoverBrakitPort(cwd);
+      const result = await discoverBrakitPort(cwd2);
       const res = await fetch(`${result.baseUrl}${DASHBOARD_API_REQUESTS}?limit=1`);
       if (res.ok) return result;
     } catch {
@@ -438,7 +344,7 @@ var init_discovery = __esm({
     "use strict";
     init_constants();
     init_log();
-    init_mcp();
+    init_features();
   }
 });
 
@@ -539,7 +445,7 @@ async function buildRequestDetail(client, req) {
 var init_enrichment = __esm({
   "src/mcp/enrichment.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     init_endpoint();
   }
 });
@@ -550,7 +456,7 @@ var init_get_findings = __esm({
   "src/mcp/tools/get-findings.ts"() {
     "use strict";
     init_enrichment();
-    init_lifecycle();
+    init_config();
     init_type_guards();
     getFindings = {
       name: "get_findings",
@@ -665,7 +571,7 @@ var getRequestDetail;
 var init_get_request_detail = __esm({
   "src/mcp/tools/get-request-detail.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     init_enrichment();
     getRequestDetail = {
       name: "get_request_detail",
@@ -845,7 +751,7 @@ var getReport;
 var init_get_report = __esm({
   "src/mcp/tools/get-report.ts"() {
     "use strict";
-    init_mcp();
+    init_features();
     getReport = {
       name: "get_report",
       description: "Generate a summary report of all findings: total found, open, resolved. Use this to get a high-level overview of the application's health.",
@@ -1142,13 +1048,15 @@ var init_server = __esm({
     init_client();
     init_discovery();
     init_tools();
-    init_mcp();
+    init_features();
     init_prompts();
   }
 });
 
 // bin/brakit.ts
 import { runMain } from "citty";
+import { existsSync as existsSync7 } from "fs";
+import { resolve as resolve6 } from "path";
 
 // src/cli/commands/install.ts
 import { defineCommand } from "citty";
@@ -1164,7 +1072,7 @@ import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync }
 import { resolve as resolve2 } from "path";
 
 // src/utils/fs.ts
-init_limits();
+init_config();
 init_log();
 init_type_guards();
 import { access, readFile, writeFile } from "fs/promises";
@@ -1187,10 +1095,7 @@ async function fileExists(path) {
 }
 
 // src/store/issue-store.ts
-init_metrics();
-init_limits();
-init_thresholds();
-init_limits();
+init_config();
 
 // src/utils/atomic-writer.ts
 import {
@@ -1208,7 +1113,7 @@ init_log();
 init_type_guards();
 
 // src/utils/issue-id.ts
-init_limits();
+init_config();
 import { createHash as createHash2 } from "crypto";
 
 // src/detect/project.ts
@@ -1378,12 +1283,13 @@ async function detectInDir(dir, rootDir, projects) {
 }
 
 // src/utils/response.ts
-init_thresholds();
+init_config();
+var MAX_WRAPPER_KEYS = 3;
 function unwrapResponse(parsed) {
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return parsed;
   const obj = parsed;
   const keys = Object.keys(obj);
-  if (keys.length > 3) return parsed;
+  if (keys.length > MAX_WRAPPER_KEYS) return parsed;
   let best = null;
   let bestSize = 0;
   for (const key of keys) {
@@ -1402,6 +1308,10 @@ function unwrapResponse(parsed) {
   return best && bestSize >= OVERFETCH_UNWRAP_MIN_SIZE ? best : parsed;
 }
 
+// src/analysis/rules/scanner.ts
+init_log();
+init_type_guards();
+
 // src/analysis/rules/patterns.ts
 var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
 var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
@@ -1428,8 +1338,8 @@ var RULE_HINTS = {
   "response-pii-leak": "API responses should return minimal data. Don't echo back full user records \u2014 select only the fields the client needs."
 };
 
-// src/analysis/rules/exposed-secret.ts
-init_limits();
+// src/analysis/rules/auth-rules.ts
+init_config();
 
 // src/utils/http-status.ts
 function isErrorStatus(code) {
@@ -1439,27 +1349,66 @@ function isRedirect(code) {
   return code >= 300 && code < 400;
 }
 
-// src/analysis/rules/exposed-secret.ts
-function findSecretKeys(obj, prefix, depth = 0) {
-  const found = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return found;
-  if (!obj || typeof obj !== "object") return found;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, SECRET_SCAN_ARRAY_LIMIT); i++) {
-      found.push(...findSecretKeys(obj[i], prefix, depth + 1));
+// src/utils/collections.ts
+function deduplicateFindings(items, extract) {
+  const seen = /* @__PURE__ */ new Map();
+  const findings = [];
+  for (const item of items) {
+    const result = extract(item);
+    if (!result) continue;
+    const existing = seen.get(result.key);
+    if (existing) {
+      existing.count++;
+      continue;
     }
-    return found;
+    seen.set(result.key, result.finding);
+    findings.push(result.finding);
   }
-  for (const k of Object.keys(obj)) {
-    const val = obj[k];
-    if (SECRET_KEYS.test(k) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val)) {
-      found.push(k);
+  return findings;
+}
+
+// src/utils/object-scan.ts
+init_config();
+var DEFAULTS = {
+  maxDepth: MAX_OBJECT_SCAN_DEPTH,
+  arrayLimit: SECRET_SCAN_ARRAY_LIMIT
+};
+function walkObject(obj, visitor, options) {
+  const opts = { ...DEFAULTS, ...options };
+  walk(obj, visitor, opts, 0);
+}
+function walk(obj, visitor, opts, depth) {
+  if (depth >= opts.maxDepth) return;
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < Math.min(obj.length, opts.arrayLimit); i++) {
+      walk(obj[i], visitor, opts, depth + 1);
     }
+    return;
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    visitor(key, val, depth);
     if (typeof val === "object" && val !== null) {
-      found.push(...findSecretKeys(val, prefix + k + ".", depth + 1));
+      walk(val, visitor, opts, depth + 1);
     }
   }
-  return found;
+}
+function collectFromObject(obj, match, options) {
+  const results = [];
+  walkObject(obj, (key, value) => {
+    const result = match(key, value);
+    if (result !== null) results.push(result);
+  }, options);
+  return results;
+}
+
+// src/analysis/rules/auth-rules.ts
+function findSecretKeys(obj) {
+  return collectFromObject(
+    obj,
+    (key, val) => SECRET_KEYS.test(key) && typeof val === "string" && val.length >= MIN_SECRET_VALUE_LENGTH && !MASKED_RE.test(val) ? key : null
+  );
 }
 var exposedSecretRule = {
   id: "exposed-secret",
@@ -1467,50 +1416,39 @@ var exposedSecretRule = {
   name: "Exposed Secret in Response",
   hint: RULE_HINTS["exposed-secret"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      const parsed = ctx.parsedBodies.response.get(r.id);
-      if (!parsed) continue;
-      const keys = findSecretKeys(parsed, "");
-      if (keys.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${keys.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "exposed-secret",
-        title: "Exposed Secret in Response",
-        desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      const parsed = ctx.parsedBodies.response.get(request.id);
+      if (!parsed) return null;
+      const keys = findSecretKeys(parsed);
+      if (keys.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${keys.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "exposed-secret",
+          title: "Exposed Secret in Response",
+          desc: `${ep} \u2014 response contains ${keys.join(", ")} field${keys.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Exposed fields: ${keys.join(", ")}. ${keys.length} unmasked secret value${keys.length !== 1 ? "s" : ""} in response body.`,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/token-in-url.ts
 var tokenInUrlRule = {
   id: "token-in-url",
   severity: "critical",
   name: "Auth Token in URL",
   hint: RULE_HINTS["token-in-url"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      const qIdx = r.url.indexOf("?");
-      if (qIdx === -1) continue;
-      const params = r.url.substring(qIdx + 1).split("&");
+    return deduplicateFindings(ctx.requests, (request) => {
+      const qIdx = request.url.indexOf("?");
+      if (qIdx === -1) return null;
+      const params = request.url.substring(qIdx + 1).split("&");
       const flagged = [];
       for (const param of params) {
         const [name, ...rest] = param.split("=");
@@ -1520,65 +1458,129 @@ var tokenInUrlRule = {
           flagged.push(name);
         }
       }
-      if (flagged.length === 0) continue;
-      const ep = `${r.method} ${r.path}`;
-      const dedupKey = `${ep}:${flagged.sort().join(",")}`;
-      const existing = seen.get(dedupKey);
-      if (existing) {
-        existing.count++;
-        continue;
+      if (flagged.length === 0) return null;
+      const ep = `${request.method} ${request.path}`;
+      return {
+        key: `${ep}:${flagged.sort().join(",")}`,
+        finding: {
+          severity: "critical",
+          rule: "token-in-url",
+          title: "Auth Token in URL",
+          desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+          hint: this.hint,
+          detail: `Parameters in URL: ${flagged.join(", ")}. Auth tokens in URLs are logged by proxies, browsers, and CDNs.`,
+          endpoint: ep,
+          count: 1
+        }
+      };
+    });
+  }
+};
+function isFrameworkResponse(request) {
+  if (isRedirect(request.statusCode)) return true;
+  if (request.path?.startsWith("/__")) return true;
+  if (request.responseHeaders?.["x-middleware-rewrite"]) return true;
+  return false;
+}
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  severity: "warning",
+  name: "Insecure Cookie",
+  hint: RULE_HINTS["insecure-cookie"],
+  check(ctx) {
+    const cookieEntries = [];
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      if (isFrameworkResponse(request)) continue;
+      const setCookie = request.responseHeaders["set-cookie"];
+      if (!setCookie) continue;
+      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
+      for (const cookie of cookies) {
+        cookieEntries.push({ cookie });
       }
-      const finding = {
-        severity: "critical",
-        rule: "token-in-url",
-        title: "Auth Token in URL",
-        desc: `${ep} \u2014 ${flagged.join(", ")} exposed in query string`,
+    }
+    return deduplicateFindings(cookieEntries, ({ cookie }) => {
+      const cookieName = cookie.trim().split("=")[0].trim();
+      const lower = cookie.toLowerCase();
+      const issues = [];
+      if (!lower.includes("httponly")) issues.push("HttpOnly");
+      if (!lower.includes("samesite")) issues.push("SameSite");
+      if (issues.length === 0) return null;
+      return {
+        key: `${cookieName}:${issues.join(",")}`,
+        finding: {
+          severity: "warning",
+          rule: "insecure-cookie",
+          title: "Insecure Cookie",
+          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
+          hint: this.hint,
+          detail: `Missing: ${issues.join(", ")}. ${issues.includes("HttpOnly") ? "Cookie accessible via JavaScript (XSS risk). " : ""}${issues.includes("SameSite") ? "Cookie sent on cross-site requests (CSRF risk)." : ""}`,
+          endpoint: cookieName,
+          count: 1
+        }
+      };
+    });
+  }
+};
+var corsCredentialsRule = {
+  id: "cors-credentials",
+  severity: "warning",
+  name: "CORS Credentials with Wildcard",
+  hint: RULE_HINTS["cors-credentials"],
+  check(ctx) {
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const request of ctx.requests) {
+      if (!request.responseHeaders) continue;
+      const origin = request.responseHeaders["access-control-allow-origin"];
+      const creds = request.responseHeaders["access-control-allow-credentials"];
+      if (origin !== "*" || creds !== "true") continue;
+      const ep = `${request.method} ${request.path}`;
+      if (seen.has(ep)) continue;
+      seen.add(ep);
+      findings.push({
+        severity: "warning",
+        rule: "cors-credentials",
+        title: "CORS Credentials with Wildcard",
+        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
         hint: this.hint,
         endpoint: ep,
         count: 1
-      };
-      seen.set(dedupKey, finding);
-      findings.push(finding);
+      });
     }
     return findings;
   }
 };
 
-// src/analysis/rules/stack-trace-leak.ts
+// src/analysis/rules/data-rules.ts
+init_config();
 var stackTraceLeakRule = {
   id: "stack-trace-leak",
   severity: "critical",
   name: "Stack Trace Leaked to Client",
   hint: RULE_HINTS["stack-trace-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseBody) continue;
-      if (!STACK_TRACE_RE.test(r.responseBody)) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "critical",
-        rule: "stack-trace-leak",
-        title: "Stack Trace Leaked to Client",
-        desc: `${ep} \u2014 response exposes internal stack trace`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (!request.responseBody) return null;
+      if (!STACK_TRACE_RE.test(request.responseBody)) return null;
+      const ep = `${request.method} ${request.path}`;
+      const firstLine = request.responseBody.split("\n").find((l) => STACK_TRACE_RE.test(l))?.trim() ?? "";
+      return {
+        key: ep,
+        finding: {
+          severity: "critical",
+          rule: "stack-trace-leak",
+          title: "Stack Trace Leaked to Client",
+          desc: `${ep} \u2014 response exposes internal stack trace`,
+          hint: this.hint,
+          detail: firstLine ? `Stack trace: ${firstLine.slice(0, DETAIL_PREVIEW_LENGTH)}` : void 0,
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
-
-// src/analysis/rules/error-info-leak.ts
 var CRITICAL_PATTERNS = [
   { re: DB_CONN_RE, label: "database connection string" },
   { re: SQL_FRAGMENT_RE, label: "SQL query fragment" },
@@ -1590,90 +1592,35 @@ var errorInfoLeakRule = {
   name: "Sensitive Data in Error Response",
   hint: RULE_HINTS["error-info-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (r.statusCode < 400) continue;
-      if (!r.responseBody) continue;
-      if (r.responseHeaders["x-nextjs-error"] || r.responseHeaders["x-nextjs-matched-path"]) continue;
-      const ep = `${r.method} ${r.path}`;
-      for (const p of CRITICAL_PATTERNS) {
-        if (!p.re.test(r.responseBody)) continue;
-        const dedupKey = `${ep}:${p.label}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
+    const entries = [];
+    for (const request of ctx.requests) {
+      if (request.statusCode < 400) continue;
+      if (!request.responseBody) continue;
+      if (request.responseHeaders["x-nextjs-error"] || request.responseHeaders["x-nextjs-matched-path"]) continue;
+      const ep = `${request.method} ${request.path}`;
+      for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.re.test(request.responseBody)) {
+          entries.push({ ep, pattern, body: request.responseBody });
         }
-        const finding = {
+      }
+    }
+    return deduplicateFindings(entries, ({ ep, pattern }) => {
+      return {
+        key: `${ep}:${pattern.label}`,
+        finding: {
           severity: "critical",
           rule: "error-info-leak",
           title: "Sensitive Data in Error Response",
-          desc: `${ep} \u2014 error response exposes ${p.label}`,
+          desc: `${ep} \u2014 error response exposes ${pattern.label}`,
           hint: this.hint,
+          detail: `Detected: ${pattern.label} in error response body`,
           endpoint: ep,
           count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/insecure-cookie.ts
-function isFrameworkResponse(r) {
-  if (isRedirect(r.statusCode)) return true;
-  if (r.path?.startsWith("/__")) return true;
-  if (r.responseHeaders?.["x-middleware-rewrite"]) return true;
-  return false;
-}
-var insecureCookieRule = {
-  id: "insecure-cookie",
-  severity: "warning",
-  name: "Insecure Cookie",
-  hint: RULE_HINTS["insecure-cookie"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      if (isFrameworkResponse(r)) continue;
-      const setCookie = r.responseHeaders["set-cookie"];
-      if (!setCookie) continue;
-      const cookies = setCookie.split(/,(?=\s*[A-Za-z0-9_\-]+=)/);
-      for (const cookie of cookies) {
-        const cookieName = cookie.trim().split("=")[0].trim();
-        const lower = cookie.toLowerCase();
-        const issues = [];
-        if (!lower.includes("httponly")) issues.push("HttpOnly");
-        if (!lower.includes("samesite")) issues.push("SameSite");
-        if (issues.length === 0) continue;
-        const dedupKey = `${cookieName}:${issues.join(",")}`;
-        const existing = seen.get(dedupKey);
-        if (existing) {
-          existing.count++;
-          continue;
         }
-        const finding = {
-          severity: "warning",
-          rule: "insecure-cookie",
-          title: "Insecure Cookie",
-          desc: `${cookieName} \u2014 missing ${issues.join(", ")} flag${issues.length > 1 ? "s" : ""}`,
-          hint: this.hint,
-          endpoint: cookieName,
-          count: 1
-        };
-        seen.set(dedupKey, finding);
-        findings.push(finding);
-      }
-    }
-    return findings;
+      };
+    });
   }
 };
-
-// src/analysis/rules/sensitive-logs.ts
 var sensitiveLogsRule = {
   id: "sensitive-logs",
   severity: "warning",
@@ -1698,59 +1645,13 @@ var sensitiveLogsRule = {
     }];
   }
 };
-
-// src/analysis/rules/cors-credentials.ts
-var corsCredentialsRule = {
-  id: "cors-credentials",
-  severity: "warning",
-  name: "CORS Credentials with Wildcard",
-  hint: RULE_HINTS["cors-credentials"],
-  check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const r of ctx.requests) {
-      if (!r.responseHeaders) continue;
-      const origin = r.responseHeaders["access-control-allow-origin"];
-      const creds = r.responseHeaders["access-control-allow-credentials"];
-      if (origin !== "*" || creds !== "true") continue;
-      const ep = `${r.method} ${r.path}`;
-      if (seen.has(ep)) continue;
-      seen.add(ep);
-      findings.push({
-        severity: "warning",
-        rule: "cors-credentials",
-        title: "CORS Credentials with Wildcard",
-        desc: `${ep} \u2014 credentials:true with origin:* (browser will reject)`,
-        hint: this.hint,
-        endpoint: ep,
-        count: 1
-      });
-    }
-    return findings;
-  }
-};
-
-// src/analysis/rules/response-pii-leak.ts
-init_limits();
 var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH"]);
-function findEmails(obj, depth = 0) {
-  const emails = [];
-  if (depth >= MAX_OBJECT_SCAN_DEPTH) return emails;
-  if (!obj || typeof obj !== "object") return emails;
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < Math.min(obj.length, PII_SCAN_ARRAY_LIMIT); i++) {
-      emails.push(...findEmails(obj[i], depth + 1));
-    }
-    return emails;
-  }
-  for (const v of Object.values(obj)) {
-    if (typeof v === "string" && EMAIL_RE.test(v)) {
-      emails.push(v);
-    } else if (typeof v === "object" && v !== null) {
-      emails.push(...findEmails(v, depth + 1));
-    }
-  }
-  return emails;
+function findEmails(obj) {
+  return collectFromObject(
+    obj,
+    (_key, val) => typeof val === "string" && EMAIL_RE.test(val) ? val : null,
+    { arrayLimit: PII_SCAN_ARRAY_LIMIT }
+  );
 }
 function topLevelFieldCount(obj) {
   if (Array.isArray(obj)) {
@@ -1835,101 +1736,83 @@ var responsePiiLeakRule = {
   name: "PII Leak in Response",
   hint: RULE_HINTS["response-pii-leak"],
   check(ctx) {
-    const findings = [];
-    const seen = /* @__PURE__ */ new Map();
-    for (const r of ctx.requests) {
-      if (isErrorStatus(r.statusCode)) continue;
-      if (SELF_SERVICE_PATH.test(r.path)) continue;
-      const resJson = ctx.parsedBodies.response.get(r.id);
-      if (!resJson) continue;
-      const reqJson = ctx.parsedBodies.request.get(r.id) ?? null;
-      const detection = detectPII(r.method, reqJson, resJson);
-      if (!detection) continue;
-      const ep = `${r.method} ${r.path}`;
-      const existing = seen.get(ep);
-      if (existing) {
-        existing.count++;
-        continue;
-      }
-      const finding = {
-        severity: "warning",
-        rule: "response-pii-leak",
-        title: "PII Leak in Response",
-        desc: `${ep} \u2014 exposes PII in response`,
-        hint: `Detection: ${REASON_LABELS[detection.reason]}. ${this.hint}`,
-        endpoint: ep,
-        count: 1
+    return deduplicateFindings(ctx.requests, (request) => {
+      if (isErrorStatus(request.statusCode)) return null;
+      if (SELF_SERVICE_PATH.test(request.path)) return null;
+      const resJson = ctx.parsedBodies.response.get(request.id);
+      if (!resJson) return null;
+      const reqJson = ctx.parsedBodies.request.get(request.id) ?? null;
+      const detection = detectPII(request.method, reqJson, resJson);
+      if (!detection) return null;
+      const ep = `${request.method} ${request.path}`;
+      const fieldCount = topLevelFieldCount(resJson);
+      const detailParts = [`Pattern: ${REASON_LABELS[detection.reason]}`];
+      if (detection.emailCount > 0) detailParts.push(`${detection.emailCount} email${detection.emailCount !== 1 ? "s" : ""} detected`);
+      if (fieldCount > 0) detailParts.push(`${fieldCount} fields per record`);
+      return {
+        key: ep,
+        finding: {
+          severity: "warning",
+          rule: "response-pii-leak",
+          title: "PII Leak in Response",
+          desc: `${ep} \u2014 exposes PII in response`,
+          hint: this.hint,
+          detail: detailParts.join(". "),
+          endpoint: ep,
+          count: 1
+        }
       };
-      seen.set(ep, finding);
-      findings.push(finding);
-    }
-    return findings;
+    });
   }
 };
 
 // src/analysis/engine.ts
-init_limits();
+init_config();
 
 // src/analysis/group.ts
 init_constants();
 import { randomUUID } from "crypto";
+init_endpoint();
 
 // src/analysis/label.ts
 init_constants();
 
 // src/analysis/transforms.ts
 init_constants();
+init_config();
+init_endpoint();
 
 // src/analysis/insights/prepare.ts
 init_endpoint();
 init_constants();
-init_thresholds();
+init_config();
 
-// src/analysis/insights/rules/n1.ts
-init_endpoint();
-init_constants();
+// src/analysis/insights/runner.ts
+init_log();
+init_type_guards();
 
-// src/analysis/insights/rules/cross-endpoint.ts
+// src/analysis/insights/rules/query-rules.ts
 init_endpoint();
 init_constants();
 
-// src/analysis/insights/rules/redundant-query.ts
+// src/analysis/insights/rules/response-rules.ts
 init_endpoint();
+init_log();
+init_type_guards();
 init_constants();
 
-// src/analysis/insights/rules/error-hotspot.ts
-init_constants();
-
-// src/analysis/insights/rules/duplicate.ts
-init_constants();
-
-// src/analysis/insights/rules/slow.ts
-init_constants();
-
-// src/analysis/insights/rules/query-heavy.ts
-init_constants();
-
-// src/analysis/insights/rules/select-star.ts
-init_constants();
-
-// src/analysis/insights/rules/high-rows.ts
+// src/analysis/insights/rules/reliability-rules.ts
 init_constants();
 
-// src/analysis/insights/rules/response-overfetch.ts
+// src/analysis/insights/rules/pattern-rules.ts
 init_endpoint();
 init_constants();
 
-// src/analysis/insights/rules/large-response.ts
-init_constants();
-
-// src/analysis/insights/rules/regression.ts
-init_constants();
-
 // src/analysis/issue-mappers.ts
 init_endpoint();
 
 // src/index.ts
-var VERSION = "0.8.7";
+var VERSION = "0.9.1";
 
 // src/cli/commands/install.ts
 init_constants();
@@ -2141,8 +2024,8 @@ async function setupNuxt(rootDir) {
   }
   const content = BRAKIT_TEMPLATES.nuxt + "\n";
   const dir = join3(rootDir, "server/plugins");
-  const { mkdirSync: mkdirSync3 } = await import("fs");
-  mkdirSync3(dir, { recursive: true });
+  const { mkdirSync: mkdirSync4 } = await import("fs");
+  mkdirSync4(dir, { recursive: true });
   await writeFile3(absPath, content);
   return { action: "created", file: relPath, content };
 }
@@ -2241,13 +2124,118 @@ function printManualInstructions(framework) {
 
 // src/cli/commands/uninstall.ts
 import { defineCommand as defineCommand2 } from "citty";
-import { resolve as resolve4, join as join4, relative as relative2 } from "path";
+import { resolve as resolve4, join as join5, relative as relative2 } from "path";
 import { readFile as readFile5, writeFile as writeFile4, unlink, rm, readdir as readdir2 } from "fs/promises";
 import { execSync as execSync2 } from "child_process";
 import pc2 from "picocolors";
 init_constants();
 init_log();
 init_type_guards();
+
+// src/telemetry/index.ts
+import { platform as platform2, release, arch } from "os";
+import { spawn } from "child_process";
+
+// src/telemetry/config.ts
+init_features();
+import { homedir as homedir2, platform } from "os";
+import { join as join4 } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { randomUUID as randomUUID2 } from "crypto";
+var IS_WINDOWS = platform() === "win32";
+var CONFIG_DIR = join4(homedir2(), ".brakit");
+var CONFIG_PATH = join4(CONFIG_DIR, "config.json");
+function readConfig() {
+  try {
+    if (!existsSync6(CONFIG_PATH)) return null;
+    return JSON.parse(readFileSync3(CONFIG_PATH, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeConfig(config) {
+  try {
+    if (!existsSync6(CONFIG_DIR))
+      mkdirSync3(CONFIG_DIR, { recursive: true, ...IS_WINDOWS ? {} : { mode: DIR_MODE_OWNER_ONLY } });
+    writeFileSync3(
+      CONFIG_PATH,
+      JSON.stringify(config, null, 2) + "\n",
+      IS_WINDOWS ? {} : { mode: FILE_MODE_OWNER_ONLY }
+    );
+  } catch (err) {
+    if (process.env.BRAKIT_DEBUG) {
+      process.stderr.write(`[brakit] config write failed: ${err?.message ?? err}
+`);
+    }
+  }
+}
+function getOrCreateConfig() {
+  const existing = readConfig();
+  if (existing && typeof existing.telemetry === "boolean" && existing.anonymousId) {
+    return existing;
+  }
+  const config = { telemetry: true, anonymousId: randomUUID2() };
+  writeConfig(config);
+  return config;
+}
+var cachedEnabled = null;
+function isTelemetryEnabled() {
+  if (cachedEnabled !== null) return cachedEnabled;
+  const env = process.env.BRAKIT_TELEMETRY;
+  if (env !== void 0) {
+    cachedEnabled = env !== "false" && env !== "0" && env !== "off";
+    return cachedEnabled;
+  }
+  cachedEnabled = readConfig()?.telemetry ?? true;
+  return cachedEnabled;
+}
+
+// src/telemetry/index.ts
+init_labels();
+init_config();
+var POSTHOG_KEY = "phc_E9TwydCGnSfPLIUhNxChpeg32TSowjk31KiPhnLPP0x";
+function commonProperties() {
+  return {
+    brakit_version: VERSION,
+    node_version: process.version,
+    os: `${platform2()}-${release()}`,
+    arch: arch(),
+    $lib: "brakit",
+    $process_person_profile: false,
+    $geoip_disable: true
+  };
+}
+function sendToPosthog(event, properties) {
+  if (!isTelemetryEnabled()) return;
+  const config = getOrCreateConfig();
+  const payload = {
+    api_key: POSTHOG_KEY,
+    event,
+    distinct_id: config.anonymousId,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    properties: { ...commonProperties(), ...properties }
+  };
+  try {
+    const body = JSON.stringify(payload);
+    const url = `${POSTHOG_HOST}${POSTHOG_CAPTURE_PATH}`;
+    const child = spawn(
+      process.execPath,
+      [
+        "-e",
+        `fetch(${JSON.stringify(url)},{method:"POST",headers:{"content-type":"application/json"},body:${JSON.stringify(body)},signal:AbortSignal.timeout(${POSTHOG_REQUEST_TIMEOUT_MS})}).catch(()=>{})`
+      ],
+      { detached: true, stdio: "ignore" }
+    );
+    child.unref();
+  } catch {
+  }
+}
+function trackEvent(event, properties) {
+  sendToPosthog(event, { sdk: "node", ...properties });
+}
+
+// src/cli/commands/uninstall.ts
+init_config();
 var PREPENDED_FILES = [
   "app/entry.server.tsx",
   "app/entry.server.ts",
@@ -2282,16 +2270,20 @@ var uninstall_default = defineCommand2({
     console.log();
     console.log(pc2.bold("  \u25C6 brakit uninstall"));
     console.log();
+    let anyInstrumentationRemoved = false;
+    let anyPackageRemoved = false;
     for (const project of projects) {
       const suffix = projects.length > 1 ? ` in ${relative2(rootDir, project.dir) || "."}` : "";
       const removed = await removeInstrumentation(project.dir);
       if (removed) {
+        anyInstrumentationRemoved = true;
         console.log(pc2.green(`  \u2713 ${removed}${suffix}`));
       } else {
         console.log(pc2.dim(`  No brakit instrumentation files found${suffix}.`));
       }
       const uninstalled = await uninstallPackage(project.dir, project.pm);
       if (uninstalled === true) {
+        anyPackageRemoved = true;
         console.log(pc2.green(`  \u2713 Removed brakit from devDependencies${suffix}`));
       } else if (uninstalled === "failed") {
       }
@@ -2312,6 +2304,12 @@ var uninstall_default = defineCommand2({
     if (cacheCleared) {
       console.log(pc2.green("  \u2713 Cleared build cache"));
     }
+    trackEvent(TELEMETRY_EVENT_CLI_UNINSTALL, {
+      instrumentation_removed: anyInstrumentationRemoved,
+      package_removed: anyPackageRemoved,
+      mcp_removed: mcpRemoved,
+      data_removed: dataRemoved
+    });
     console.log();
   }
 });
@@ -2322,7 +2320,7 @@ async function removeInstrumentation(projectDir) {
   }
   const candidates = [...PREPENDED_FILES];
   try {
-    const pkgRaw = await readFile5(join4(projectDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile5(join5(projectDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (pkg.main) candidates.unshift(pkg.main);
   } catch (err) {
@@ -2337,7 +2335,7 @@ async function removeInstrumentation(projectDir) {
   return null;
 }
 async function tryRemoveBrakitFromFile(projectDir, relPath) {
-  const absPath = join4(projectDir, relPath);
+  const absPath = join5(projectDir, relPath);
   if (!await fileExists(absPath)) return null;
   const content = await readFile5(absPath, "utf-8");
   if (!content.includes("brakit")) return null;
@@ -2354,7 +2352,7 @@ async function tryRemoveBrakitFromFile(projectDir, relPath) {
   return null;
 }
 async function tryRemoveImportLine(projectDir, relPath) {
-  const absPath = join4(projectDir, relPath);
+  const absPath = join5(projectDir, relPath);
   if (!await fileExists(absPath)) return null;
   const content = await readFile5(absPath, "utf-8");
   if (!content.includes(IMPORT_LINE)) return null;
@@ -2365,7 +2363,7 @@ async function tryRemoveImportLine(projectDir, relPath) {
 async function fallbackSearchAndRemove(projectDir) {
   const dirsToScan = FALLBACK_SCAN_DIRS;
   for (const dir of dirsToScan) {
-    const absDir = join4(projectDir, dir);
+    const absDir = join5(projectDir, dir);
     if (!await fileExists(absDir)) continue;
     let entries;
     try {
@@ -2378,7 +2376,7 @@ async function fallbackSearchAndRemove(projectDir) {
       const ext = entry.slice(entry.lastIndexOf("."));
       if (!SUPPORTED_SOURCE_EXTENSIONS.has(ext)) continue;
       const relPath = dir === "." ? entry : `${dir}/${entry}`;
-      const absPath = join4(projectDir, relPath);
+      const absPath = join5(projectDir, relPath);
       try {
         const content = await readFile5(absPath, "utf-8");
         if (!containsBrakitImport(content)) continue;
@@ -2401,7 +2399,7 @@ async function fallbackSearchAndRemove(projectDir) {
   return null;
 }
 async function removeMcpConfig(rootDir) {
-  const mcpPath = join4(rootDir, ".mcp.json");
+  const mcpPath = join5(rootDir, ".mcp.json");
   if (!await fileExists(mcpPath)) return false;
   try {
     const raw = await readFile5(mcpPath, "utf-8");
@@ -2421,7 +2419,7 @@ async function removeMcpConfig(rootDir) {
 }
 async function uninstallPackage(rootDir, pm) {
   try {
-    const pkgRaw = await readFile5(join4(rootDir, "package.json"), "utf-8");
+    const pkgRaw = await readFile5(join5(rootDir, "package.json"), "utf-8");
     const pkg = JSON.parse(pkgRaw);
     if (!pkg.devDependencies?.brakit && !pkg.dependencies?.brakit) return false;
   } catch (err) {
@@ -2445,7 +2443,7 @@ async function uninstallPackage(rootDir, pm) {
 }
 async function removeBrakitData(rootDir) {
   let removed = false;
-  const projectDir = join4(rootDir, METRICS_DIR);
+  const projectDir = join5(rootDir, METRICS_DIR);
   if (await fileExists(projectDir)) {
     try {
       await rm(projectDir, { recursive: true, force: true });
@@ -2466,7 +2464,7 @@ async function removeBrakitData(rootDir) {
   return removed;
 }
 async function cleanGitignore(rootDir) {
-  const gitignorePath = join4(rootDir, ".gitignore");
+  const gitignorePath = join5(rootDir, ".gitignore");
   if (!await fileExists(gitignorePath)) return false;
   try {
     const content = await readFile5(gitignorePath, "utf-8");
@@ -2483,7 +2481,7 @@ async function cleanGitignore(rootDir) {
 async function clearBuildCaches(rootDir) {
   let cleared = false;
   for (const dir of BUILD_CACHE_DIRS) {
-    const absDir = join4(rootDir, dir);
+    const absDir = join5(rootDir, dir);
     if (!await fileExists(absDir)) continue;
     try {
       await rm(absDir, { recursive: true, force: true });
@@ -2496,7 +2494,15 @@ async function clearBuildCaches(rootDir) {
 }
 
 // bin/brakit.ts
+init_config();
 var sub = process.argv[2];
+var command = sub === "uninstall" ? "uninstall" : sub === "mcp" ? "mcp" : "install";
+var cwd = process.cwd();
+trackEvent(TELEMETRY_EVENT_CLI_INVOKED, {
+  command,
+  has_package_json: existsSync7(resolve6(cwd, "package.json")),
+  cwd_has_node_modules: existsSync7(resolve6(cwd, "node_modules"))
+});
 if (sub === "uninstall") {
   process.argv.splice(2, 1);
   runMain(uninstall_default);