npm - brakit - Versions diffs - 0.9.1 → 0.10.0 - Mend

brakit 0.9.1 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/api.d.ts +142 -0
package/dist/api.js +212 -42
package/dist/bin/brakit.js +138 -19
package/dist/dashboard-client.global.js +587 -276
package/dist/dashboard.html +691 -276
package/dist/mcp/server.js +4 -2
package/dist/runtime/index.js +1103 -74
package/package.json +1 -1

package/dist/bin/brakit.js CHANGED Viewed

@@ -73,7 +73,7 @@ var init_type_guards = __esm({
 });
 // src/constants/labels.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, DASHBOARD_API_GRAPH, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
 var init_labels = __esm({
   "src/constants/labels.ts"() {
     "use strict";
@@ -95,6 +95,7 @@ var init_labels = __esm({
     DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
     DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
     DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    DASHBOARD_API_GRAPH = `${DASHBOARD_PREFIX}/api/graph`;
     VALID_TABS_TUPLE = [
       "overview",
       "actions",
@@ -104,7 +105,8 @@ var init_labels = __esm({
       "errors",
       "logs",
       "performance",
-      "security"
+      "security",
+      "graph"
     ];
     VALID_TABS = new Set(VALID_TABS_TUPLE);
     POSTHOG_HOST = "https://us.i.posthog.com";
@@ -138,7 +140,7 @@ var init_features = __esm({
     MAX_TIMELINE_EVENTS = 20;
     MAX_RESOLVED_DISPLAY = 5;
     ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.9.1";
+    MCP_SERVER_VERSION = "0.10.0";
     RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
     PORT_MIN = 1;
     PORT_MAX = 65535;
@@ -1063,7 +1065,7 @@ import { defineCommand } from "citty";
 import { resolve as resolve3, join as join3, dirname } from "path";
 import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
 import { execSync } from "child_process";
-import { existsSync as existsSync5 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
 import pc from "picocolors";
 // src/store/issue-store.ts
@@ -1207,7 +1209,8 @@ async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
       const content = await readFile3(join2(rootDir, "requirements.txt"), "utf-8");
       const lines = content.toLowerCase().split("\n");
       for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
-        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || /[=<>~![]/u.test(l[dep.length])))) {
+        const versionChars = /* @__PURE__ */ new Set(["=", "<", ">", "~", "!", "["]);
+        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || versionChars.has(l[dep.length])))) {
           return fw;
         }
       }
@@ -1313,20 +1316,115 @@ init_log();
 init_type_guards();
 // src/analysis/rules/patterns.ts
-var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+var SECRET_KEY_SET = /* @__PURE__ */ new Set([
+  "password",
+  "passwd",
+  "secret",
+  "api_key",
+  "apiKey",
+  "api_secret",
+  "apiSecret",
+  "private_key",
+  "privateKey",
+  "client_secret",
+  "clientSecret"
+]);
+var SECRET_KEYS = { test: (s) => SECRET_KEY_SET.has(s) };
+var TOKEN_PARAM_SET = /* @__PURE__ */ new Set([
+  "token",
+  "api_key",
+  "apiKey",
+  "secret",
+  "password",
+  "access_token",
+  "session_id",
+  "sessionId"
+]);
+var TOKEN_PARAMS = { test: (s) => TOKEN_PARAM_SET.has(s) };
+var SAFE_PARAM_SET = /* @__PURE__ */ new Set([
+  "_rsc",
+  "__clerk_handshake",
+  "__clerk_db_jwt",
+  "callback",
+  "code",
+  "state",
+  "nonce",
+  "redirect_uri",
+  "utm_",
+  "fbclid",
+  "gclid"
+]);
+var SAFE_PARAMS = { test: (s) => SAFE_PARAM_SET.has(s) };
+var INTERNAL_ID_KEY_SET = /* @__PURE__ */ new Set([
+  "id",
+  "_id",
+  "userId",
+  "user_id",
+  "createdBy",
+  "updatedBy",
+  "organizationId",
+  "org_id",
+  "tenantId",
+  "tenant_id"
+]);
+var INTERNAL_ID_KEYS = { test: (s) => INTERNAL_ID_KEY_SET.has(s) };
+var INTERNAL_ID_SUFFIX = {
+  test: (s) => s.endsWith("Id") || s.endsWith("_id")
+};
+var SENSITIVE_FIELD_SET = /* @__PURE__ */ new Set([
+  "phone",
+  "phonenumber",
+  "phone_number",
+  "ssn",
+  "socialsecuritynumber",
+  "social_security_number",
+  "dateofbirth",
+  "date_of_birth",
+  "dob",
+  "address",
+  "streetaddress",
+  "street_address",
+  "creditcard",
+  "credit_card",
+  "cardnumber",
+  "card_number",
+  "bankaccount",
+  "bank_account",
+  "passport",
+  "passportnumber",
+  "passport_number",
+  "nationalid",
+  "national_id"
+]);
+var SENSITIVE_FIELD_NAMES = {
+  test: (s) => SENSITIVE_FIELD_SET.has(s.toLowerCase())
+};
+var SELF_SERVICE_SEGMENTS = /* @__PURE__ */ new Set(["me", "account", "profile", "settings", "self"]);
+var SELF_SERVICE_PATH = {
+  test: (path) => {
+    const segments = path.toLowerCase().split(/[/?#]/);
+    return segments.some((seg) => SELF_SERVICE_SEGMENTS.has(seg));
+  }
+};
+var MASKED_LITERALS = ["[REDACTED]", "[FILTERED]", "CHANGE_ME"];
+var MASKED_RE = {
+  test: (s) => {
+    const upper = s.toUpperCase();
+    if (MASKED_LITERALS.some((m) => upper.includes(m))) return true;
+    if (s.length > 0 && s.split("").every((c) => c === "*")) return true;
+    if (s.length >= 3 && s.split("").every((c) => c === "x" || c === "X")) return true;
+    return false;
+  }
+};
+var DB_PROTOCOLS = ["postgres://", "mysql://", "mongodb://", "redis://"];
+var DB_CONN_RE = {
+  test: (s) => DB_PROTOCOLS.some((p) => s.includes(p))
+};
 var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
-var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
-var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-var INTERNAL_ID_SUFFIX = /Id$|_id$/;
-var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
-var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1812,7 +1910,7 @@ init_constants();
 init_endpoint();
 // src/index.ts
-var VERSION = "0.9.1";
+var VERSION = "0.10.0";
 // src/cli/commands/install.ts
 init_constants();
@@ -1915,6 +2013,14 @@ var install_default = defineCommand({
       }
       process.exit(1);
     }
+    const firstNode = nodeProjects[0];
+    if (isFrontendOnly(firstNode.dir)) {
+      console.log(pc.yellow("  \u26A0 This looks like a frontend-only app (React, Vue, etc.)."));
+      console.log(pc.dim("    Brakit instruments your backend server, not the browser."));
+      console.log(pc.dim("    Install brakit in your backend project instead (Express, Fastify, Next.js, etc.)."));
+      console.log();
+      process.exit(1);
+    }
     for (const p of nodeProjects) {
       const node = p.node;
       const suffix = p.relDir === "." ? "" : ` in ${p.relDir}`;
@@ -1951,9 +2057,8 @@ var install_default = defineCommand({
       }
     }
     console.log();
-    const port = nodeProjects[0].node?.defaultPort ?? 3e3;
     console.log(pc.dim("  Start your app and visit:"));
-    console.log(pc.bold(`  http://localhost:${port}/__brakit`));
+    console.log(pc.bold("  http://localhost:<your-port>/__brakit"));
     if (pythonProjects.length > 0) {
       const pyLabel = pythonProjects.map((p) => p.relDir).join(", ");
       console.log();
@@ -2105,6 +2210,20 @@ function findGitRoot(startDir) {
     dir = parent;
   }
 }
+var FRONTEND_ONLY_DEPS = ["react", "vue", "svelte", "@angular/core", "solid-js", "preact"];
+var SERVER_DEPS = ["express", "fastify", "hono", "koa", "nest", "next", "@remix-run/dev", "nuxt", "astro"];
+function isFrontendOnly(rootDir) {
+  try {
+    const raw = readFileSync3(join3(rootDir, "package.json"), "utf-8");
+    const pkg = JSON.parse(raw);
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    const hasFrontend = FRONTEND_ONLY_DEPS.some((d) => d in allDeps);
+    const hasServer = SERVER_DEPS.some((d) => d in allDeps);
+    return hasFrontend && !hasServer;
+  } catch {
+    return false;
+  }
+}
 function printManualInstructions(framework) {
   console.log(pc.yellow("  \u26A0 Could not auto-detect entry file."));
   console.log();
@@ -2140,7 +2259,7 @@ import { spawn } from "child_process";
 init_features();
 import { homedir as homedir2, platform } from "os";
 import { join as join4 } from "path";
-import { existsSync as existsSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
 var IS_WINDOWS = platform() === "win32";
 var CONFIG_DIR = join4(homedir2(), ".brakit");
@@ -2148,7 +2267,7 @@ var CONFIG_PATH = join4(CONFIG_DIR, "config.json");
 function readConfig() {
   try {
     if (!existsSync6(CONFIG_PATH)) return null;
-    return JSON.parse(readFileSync3(CONFIG_PATH, "utf-8"));
+    return JSON.parse(readFileSync4(CONFIG_PATH, "utf-8"));
   } catch {
     return null;
   }