brakit 0.9.2 → 0.10.0

package/dist/api.d.ts

@@ -468,6 +468,147 @@ declare class MetricsStore {
     private getOrCreateEndpoint;
 }
 
+/** LiveGraph data model — runtime dependency graph types. */
+type NodeType = "endpoint" | "cluster" | "table" | "external";
+type EdgeType = "reads" | "writes" | "fetches" | "calls";
+interface GraphNodeStats {
+    requestCount: number;
+    avgLatencyMs: number;
+    errorRate: number;
+    avgQueryCount: number;
+    lastSeenAt: number;
+    firstSeenAt: number;
+}
+interface SecurityFindingSummary {
+    rule: string;
+    severity: string;
+    title: string;
+    count: number;
+}
+interface InsightSummary {
+    type: string;
+    severity: string;
+    title: string;
+}
+interface NodeAnnotations {
+    categories?: string[];
+    hasAuth?: boolean;
+    isMiddleware?: boolean;
+    securityFindings?: SecurityFindingSummary[];
+    insights?: InsightSummary[];
+    openIssueCount?: number;
+    p95Ms?: number;
+}
+interface EdgeAnnotations {
+    hasIssue?: boolean;
+}
+interface GraphNode {
+    id: string;
+    type: NodeType;
+    label: string;
+    children?: string[];
+    stats: GraphNodeStats;
+    annotations?: NodeAnnotations;
+}
+interface GraphEdgeStats {
+    frequency: number;
+    avgLatencyMs: number;
+    lastSeenAt: number;
+    firstSeenAt: number;
+}
+interface GraphEdge {
+    id: string;
+    source: string;
+    target: string;
+    type: EdgeType;
+    stats: GraphEdgeStats;
+    patterns?: string[];
+    annotations?: EdgeAnnotations;
+}
+interface LiveGraph {
+    nodes: Map<string, GraphNode>;
+    edges: Map<string, GraphEdge>;
+    metadata: {
+        totalObservations: number;
+        lastUpdatedAt: number;
+    };
+}
+interface ClusterInfo {
+    id: string;
+    label: string;
+    children: string[];
+    stats: GraphNodeStats;
+}
+interface GraphApiResponse {
+    nodes: GraphNode[];
+    edges: GraphEdge[];
+    clusters: ClusterInfo[];
+    metadata: {
+        totalObservations: number;
+        lastUpdatedAt: number;
+    };
+}
+
+type GroupingStrategy = "path" | "auth-boundary" | "data-domain";
+
+/**
+ * GraphBuilder — listens to EventBus events and incrementally builds
+ * a runtime dependency graph of the application.
+ *
+ * Timing: queries and fetches fire DURING request processing, but
+ * request:completed fires AFTER the response is sent. We buffer
+ * telemetry events by parentRequestId and process them when the
+ * request completes (so we know the endpoint key).
+ */
+
+declare class GraphBuilder {
+    private bus;
+    private requestStore;
+    private graph;
+    /**
+     * Buffered telemetry events waiting for their parent request to complete.
+     * Key = parentRequestId, value = pending queries/fetches.
+     */
+    private pending;
+    /** Accumulated request categories per endpoint node. */
+    private nodeCategories;
+    /** Latest analysis snapshot — refreshed on every analysis:updated event. */
+    private latestAnalysis;
+    private cleanupUnsubs;
+    constructor(bus: EventBus, requestStore: RequestStore);
+    start(): void;
+    stop(): void;
+    getGraph(): LiveGraph;
+    /**
+     * Enrich endpoint nodes with p95 from an external metrics source.
+     * Called by the API handler which has access to MetricsStore.
+     */
+    enrichWithMetrics(getP95: (endpointKey: string) => number | undefined): void;
+    getApiResponse(options?: {
+        cluster?: string;
+        node?: string;
+        level?: string;
+        grouping?: string;
+    }): GraphApiResponse;
+    clear(): void;
+    private handleAnalysisUpdate;
+    private enrichNodesFromAnalysis;
+    private handleRequest;
+    private handleQuery;
+    private handleFetch;
+    private processQuery;
+    private processFetch;
+    computeClusters(strategy?: GroupingStrategy): Map<string, ClusterInfo>;
+    private clusterByPath;
+    private clusterByAuthBoundary;
+    private clusterByDataDomain;
+    private buildCluster;
+    private getEndpointView;
+    private getClusterView;
+    private getClusterExpanded;
+    private getNodeNeighborhood;
+}
+
 interface Services {
     bus: EventBus;
     requestStore: RequestStore;
@@ -478,6 +619,7 @@ interface Services {
     metricsStore: MetricsStore;
     issueStore: IssueStore;
     analysisEngine: AnalysisEngine;
+    graphBuilder: GraphBuilder;
 }
 
 declare class AnalysisEngine {

package/dist/api.js

@@ -498,22 +498,124 @@ function unwrapResponse(parsed) {
 }
 
 // src/analysis/rules/patterns.ts
-var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+var SECRET_KEY_SET = /* @__PURE__ */ new Set([
+  "password",
+  "passwd",
+  "secret",
+  "api_key",
+  "apiKey",
+  "api_secret",
+  "apiSecret",
+  "private_key",
+  "privateKey",
+  "client_secret",
+  "clientSecret"
+]);
+var SECRET_KEYS = { test: (s) => SECRET_KEY_SET.has(s) };
+var TOKEN_PARAM_SET = /* @__PURE__ */ new Set([
+  "token",
+  "api_key",
+  "apiKey",
+  "secret",
+  "password",
+  "access_token",
+  "session_id",
+  "sessionId"
+]);
+var TOKEN_PARAMS = { test: (s) => TOKEN_PARAM_SET.has(s) };
+var SAFE_PARAM_SET = /* @__PURE__ */ new Set([
+  "_rsc",
+  "__clerk_handshake",
+  "__clerk_db_jwt",
+  "callback",
+  "code",
+  "state",
+  "nonce",
+  "redirect_uri",
+  "utm_",
+  "fbclid",
+  "gclid"
+]);
+var SAFE_PARAMS = { test: (s) => SAFE_PARAM_SET.has(s) };
+var INTERNAL_ID_KEY_SET = /* @__PURE__ */ new Set([
+  "id",
+  "_id",
+  "userId",
+  "user_id",
+  "createdBy",
+  "updatedBy",
+  "organizationId",
+  "org_id",
+  "tenantId",
+  "tenant_id"
+]);
+var INTERNAL_ID_KEYS = { test: (s) => INTERNAL_ID_KEY_SET.has(s) };
+var INTERNAL_ID_SUFFIX = {
+  test: (s) => s.endsWith("Id") || s.endsWith("_id")
+};
+var SENSITIVE_FIELD_SET = /* @__PURE__ */ new Set([
+  "phone",
+  "phonenumber",
+  "phone_number",
+  "ssn",
+  "socialsecuritynumber",
+  "social_security_number",
+  "dateofbirth",
+  "date_of_birth",
+  "dob",
+  "address",
+  "streetaddress",
+  "street_address",
+  "creditcard",
+  "credit_card",
+  "cardnumber",
+  "card_number",
+  "bankaccount",
+  "bank_account",
+  "passport",
+  "passportnumber",
+  "passport_number",
+  "nationalid",
+  "national_id"
+]);
+var SENSITIVE_FIELD_NAMES = {
+  test: (s) => SENSITIVE_FIELD_SET.has(s.toLowerCase())
+};
+var SELF_SERVICE_SEGMENTS = /* @__PURE__ */ new Set(["me", "account", "profile", "settings", "self"]);
+var SELF_SERVICE_PATH = {
+  test: (path) => {
+    const segments = path.toLowerCase().split(/[/?#]/);
+    return segments.some((seg) => SELF_SERVICE_SEGMENTS.has(seg));
+  }
+};
+var MASKED_LITERALS = ["[REDACTED]", "[FILTERED]", "CHANGE_ME"];
+var MASKED_RE = {
+  test: (s) => {
+    const upper = s.toUpperCase();
+    if (MASKED_LITERALS.some((m) => upper.includes(m))) return true;
+    if (s.length > 0 && s.split("").every((c) => c === "*")) return true;
+    if (s.length >= 3 && s.split("").every((c) => c === "x" || c === "X")) return true;
+    return false;
+  }
+};
+var DB_PROTOCOLS = ["postgres://", "mysql://", "mongodb://", "redis://"];
+var DB_CONN_RE = {
+  test: (s) => DB_PROTOCOLS.some((p) => s.includes(p))
+};
+var SELECT_STAR_RE = {
+  test: (s) => {
+    const t = s.trimStart().toUpperCase();
+    return t.startsWith("SELECT *") || t.startsWith("SELECT	*");
+  }
+};
+var SELECT_DOT_STAR_RE = {
+  test: (s) => s.toUpperCase().includes(".* FROM")
+};
 var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
-var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
-var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-var INTERNAL_ID_SUFFIX = /Id$|_id$/;
-var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
-var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
-var SELECT_STAR_RE = /^SELECT\s+\*/i;
-var SELECT_DOT_STAR_RE = /\.\*\s+FROM/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1064,6 +1166,7 @@ var DASHBOARD_API_SECURITY = `${DASHBOARD_PREFIX}/api/security`;
 var DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
 var DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
 var DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+var DASHBOARD_API_GRAPH = `${DASHBOARD_PREFIX}/api/graph`;
 var VALID_TABS_TUPLE = [
   "overview",
   "actions",
@@ -1073,7 +1176,8 @@ var VALID_TABS_TUPLE = [
   "errors",
   "logs",
   "performance",
-  "security"
+  "security",
+  "graph"
 ];
 var VALID_TABS = new Set(VALID_TABS_TUPLE);
 
@@ -1081,12 +1185,54 @@ var VALID_TABS = new Set(VALID_TABS_TUPLE);
 var RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
 
 // src/utils/endpoint.ts
-var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-var NUMERIC_ID_RE = /^\d+$/;
-var HEX_HASH_RE = /^[0-9a-f]{12,}$/i;
-var ALPHA_TOKEN_RE = /^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/;
+var UUID_LEN = 36;
+var MIN_HEX_LEN = 12;
+var MIN_TOKEN_LEN = 8;
+function isUUID(s) {
+  if (s.length !== UUID_LEN) return false;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (i === 8 || i === 13 || i === 18 || i === 23) {
+      if (c !== "-") return false;
+    } else {
+      if (!isHexChar(c)) return false;
+    }
+  }
+  return true;
+}
+function isHexChar(c) {
+  const code = c.charCodeAt(0);
+  return code >= 48 && code <= 57 || code >= 65 && code <= 70 || code >= 97 && code <= 102;
+}
+function isNumericId(s) {
+  if (s.length === 0) return false;
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i);
+    if (code < 48 || code > 57) return false;
+  }
+  return true;
+}
+function isHexHash(s) {
+  if (s.length < MIN_HEX_LEN) return false;
+  for (let i = 0; i < s.length; i++) {
+    if (!isHexChar(s[i])) return false;
+  }
+  return true;
+}
+function isAlphanumericToken(s) {
+  if (s.length < MIN_TOKEN_LEN) return false;
+  let hasLetter = false;
+  let hasDigit = false;
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i);
+    if (code >= 65 && code <= 90 || code >= 97 && code <= 122) hasLetter = true;
+    else if (code >= 48 && code <= 57) hasDigit = true;
+    else if (code !== 95 && code !== 45) return false;
+  }
+  return hasLetter && hasDigit;
+}
 function isDynamicSegment(segment) {
-  return UUID_RE.test(segment) || NUMERIC_ID_RE.test(segment) || HEX_HASH_RE.test(segment) || ALPHA_TOKEN_RE.test(segment);
+  return isUUID(segment) || isNumericId(segment) || isHexHash(segment) || isAlphanumericToken(segment);
 }
 var DYNAMIC_SEGMENT_PLACEHOLDER = ":id";
 function normalizePath(path) {
@@ -1097,9 +1243,12 @@ function normalizePath(path) {
 function getEndpointKey(method, path) {
   return `${method} ${normalizePath(path)}`;
 }
-var ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
 function extractEndpointFromDesc(desc) {
-  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
+  const spaceIdx = desc.indexOf(" ");
+  if (spaceIdx <= 0) return null;
+  const secondSpace = desc.indexOf(" ", spaceIdx + 1);
+  if (secondSpace === -1) return desc;
+  return desc.slice(0, secondSpace);
 }
 function stripQueryString(path) {
   const i = path.indexOf("?");
@@ -1107,6 +1256,10 @@ function stripQueryString(path) {
 }
 
 // src/analysis/categorize.ts
+function isAuthPath(path) {
+  const lower = path.toLowerCase();
+  return lower.startsWith("/api/auth") || lower.startsWith("/clerk") || lower.startsWith("/api/clerk");
+}
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
   if (req.isStatic) return "static";
@@ -1115,7 +1268,7 @@ function detectCategory(req) {
     return "auth-handshake";
   }
   const effectivePath = getEffectivePath(req);
-  if (/^\/api\/auth/i.test(effectivePath) || /^\/(api\/)?clerk/i.test(effectivePath)) {
+  if (isAuthPath(effectivePath)) {
     return "auth-check";
   }
   if (method === "POST" && !effectivePath.startsWith("/api/")) {
@@ -1205,8 +1358,11 @@ function generateHumanLabel(req, category) {
       return failed ? `${req.method} ${req.path} failed` : `${req.method} ${req.path}`;
   }
 }
+function stripApiPrefix(s) {
+  return s.startsWith("/api/") ? s.slice(5) : s;
+}
 function prettifyEndpoint(name) {
-  const cleaned = name.replace(/^\/api\//, "").replace(/\//g, " ").replace(/\.\.\./g, "").trim();
+  const cleaned = stripApiPrefix(name).split("/").join(" ").split("...").join("").trim();
   if (!cleaned) return "data";
   return cleaned.split(" ").map((word) => {
     if (word.endsWith("ses") || word.endsWith("us") || word.endsWith("ss"))
@@ -1216,24 +1372,28 @@ function prettifyEndpoint(name) {
     return word;
   }).join(" ");
 }
+var VERB_MAP = [
+  ["enhance", "Enhanced"],
+  ["generate", "Generated"],
+  ["create", "Created"],
+  ["update", "Updated"],
+  ["delete", "Deleted"],
+  ["remove", "Deleted"],
+  ["send", "Sent"],
+  ["upload", "Uploaded"],
+  ["save", "Saved"],
+  ["submit", "Submitted"],
+  ["login", "Logged in"],
+  ["signin", "Logged in"],
+  ["logout", "Logged out"],
+  ["signout", "Logged out"],
+  ["register", "Registered"],
+  ["signup", "Registered"]
+];
 function deriveActionVerb(method, endpointName) {
   const lower = endpointName.toLowerCase();
-  const VERB_PATTERNS = [
-    [/enhance/, "Enhanced"],
-    [/generate/, "Generated"],
-    [/create/, "Created"],
-    [/update/, "Updated"],
-    [/delete|remove/, "Deleted"],
-    [/send/, "Sent"],
-    [/upload/, "Uploaded"],
-    [/save/, "Saved"],
-    [/submit/, "Submitted"],
-    [/login|signin/, "Logged in"],
-    [/logout|signout/, "Logged out"],
-    [/register|signup/, "Registered"]
-  ];
-  for (const [pattern, verb] of VERB_PATTERNS) {
-    if (pattern.test(lower)) return verb;
+  for (const [keyword, verb] of VERB_MAP) {
+    if (lower.includes(keyword)) return verb;
   }
   switch (method) {
     case "POST":
@@ -1248,14 +1408,16 @@ function deriveActionVerb(method, endpointName) {
   }
 }
 function getEndpointName(path) {
-  const parts = path.replace(/^\/api\//, "").split("/");
+  const parts = stripApiPrefix(path).split("/");
   if (parts.length <= 2) return parts.join("/");
   return parts.map((p) => p.length > ENDPOINT_TRUNCATE_LENGTH ? "..." : p).join("/");
 }
 function prettifyPageName(path) {
-  const clean = path.replace(/^\//, "").replace(/\/$/, "");
+  let clean = path;
+  if (clean.startsWith("/")) clean = clean.slice(1);
+  if (clean.endsWith("/")) clean = clean.slice(0, -1);
   if (!clean) return "Home";
-  return clean.split("/").map((s) => capitalize(s.replace(/[-_]/g, " "))).join(" ");
+  return clean.split("/").map((s) => capitalize(s.split("-").join(" ").split("_").join(" "))).join(" ");
 }
 function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
@@ -1488,7 +1650,15 @@ var TABLE_RE = /(?:FROM|INTO|UPDATE)\s+(?:"?\w+"?\.)?"?(\w+)"?/i;
 function normalizeSQL(sql) {
   if (!sql) return { op: "OTHER", table: "" };
   const trimmed = sql.trim();
-  const keyword = trimmed.split(/\s+/, 1)[0].toUpperCase();
+  let spaceIdx = -1;
+  for (let i = 0; i < trimmed.length; i++) {
+    const c = trimmed[i];
+    if (c === " " || c === "	" || c === "\n" || c === "\r") {
+      spaceIdx = i;
+      break;
+    }
+  }
+  const keyword = (spaceIdx === -1 ? trimmed : trimmed.slice(0, spaceIdx)).toUpperCase();
   const op = VALID_OPS.has(keyword) ? keyword : "OTHER";
   const table = trimmed.match(TABLE_RE)?.[1] ?? "";
   return { op, table };
@@ -2241,7 +2411,7 @@ var AnalysisEngine = class {
 };
 
 // src/index.ts
-var VERSION = "0.9.2";
+var VERSION = "0.10.0";
 export {
   AdapterRegistry,
   AnalysisEngine,

package/dist/bin/brakit.js

@@ -73,7 +73,7 @@ var init_type_guards = __esm({
 });
 
 // src/constants/labels.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, DASHBOARD_API_GRAPH, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
 var init_labels = __esm({
   "src/constants/labels.ts"() {
     "use strict";
@@ -95,6 +95,7 @@ var init_labels = __esm({
     DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
     DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
     DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    DASHBOARD_API_GRAPH = `${DASHBOARD_PREFIX}/api/graph`;
     VALID_TABS_TUPLE = [
       "overview",
       "actions",
@@ -104,7 +105,8 @@ var init_labels = __esm({
       "errors",
       "logs",
       "performance",
-      "security"
+      "security",
+      "graph"
     ];
     VALID_TABS = new Set(VALID_TABS_TUPLE);
     POSTHOG_HOST = "https://us.i.posthog.com";
@@ -138,7 +140,7 @@ var init_features = __esm({
     MAX_TIMELINE_EVENTS = 20;
     MAX_RESOLVED_DISPLAY = 5;
     ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.9.2";
+    MCP_SERVER_VERSION = "0.10.0";
     RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
     PORT_MIN = 1;
     PORT_MAX = 65535;
@@ -1207,7 +1209,8 @@ async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
       const content = await readFile3(join2(rootDir, "requirements.txt"), "utf-8");
       const lines = content.toLowerCase().split("\n");
       for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
-        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || /[=<>~![]/u.test(l[dep.length])))) {
+        const versionChars = /* @__PURE__ */ new Set(["=", "<", ">", "~", "!", "["]);
+        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || versionChars.has(l[dep.length])))) {
           return fw;
         }
       }
@@ -1313,20 +1316,115 @@ init_log();
 init_type_guards();
 
 // src/analysis/rules/patterns.ts
-var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+var SECRET_KEY_SET = /* @__PURE__ */ new Set([
+  "password",
+  "passwd",
+  "secret",
+  "api_key",
+  "apiKey",
+  "api_secret",
+  "apiSecret",
+  "private_key",
+  "privateKey",
+  "client_secret",
+  "clientSecret"
+]);
+var SECRET_KEYS = { test: (s) => SECRET_KEY_SET.has(s) };
+var TOKEN_PARAM_SET = /* @__PURE__ */ new Set([
+  "token",
+  "api_key",
+  "apiKey",
+  "secret",
+  "password",
+  "access_token",
+  "session_id",
+  "sessionId"
+]);
+var TOKEN_PARAMS = { test: (s) => TOKEN_PARAM_SET.has(s) };
+var SAFE_PARAM_SET = /* @__PURE__ */ new Set([
+  "_rsc",
+  "__clerk_handshake",
+  "__clerk_db_jwt",
+  "callback",
+  "code",
+  "state",
+  "nonce",
+  "redirect_uri",
+  "utm_",
+  "fbclid",
+  "gclid"
+]);
+var SAFE_PARAMS = { test: (s) => SAFE_PARAM_SET.has(s) };
+var INTERNAL_ID_KEY_SET = /* @__PURE__ */ new Set([
+  "id",
+  "_id",
+  "userId",
+  "user_id",
+  "createdBy",
+  "updatedBy",
+  "organizationId",
+  "org_id",
+  "tenantId",
+  "tenant_id"
+]);
+var INTERNAL_ID_KEYS = { test: (s) => INTERNAL_ID_KEY_SET.has(s) };
+var INTERNAL_ID_SUFFIX = {
+  test: (s) => s.endsWith("Id") || s.endsWith("_id")
+};
+var SENSITIVE_FIELD_SET = /* @__PURE__ */ new Set([
+  "phone",
+  "phonenumber",
+  "phone_number",
+  "ssn",
+  "socialsecuritynumber",
+  "social_security_number",
+  "dateofbirth",
+  "date_of_birth",
+  "dob",
+  "address",
+  "streetaddress",
+  "street_address",
+  "creditcard",
+  "credit_card",
+  "cardnumber",
+  "card_number",
+  "bankaccount",
+  "bank_account",
+  "passport",
+  "passportnumber",
+  "passport_number",
+  "nationalid",
+  "national_id"
+]);
+var SENSITIVE_FIELD_NAMES = {
+  test: (s) => SENSITIVE_FIELD_SET.has(s.toLowerCase())
+};
+var SELF_SERVICE_SEGMENTS = /* @__PURE__ */ new Set(["me", "account", "profile", "settings", "self"]);
+var SELF_SERVICE_PATH = {
+  test: (path) => {
+    const segments = path.toLowerCase().split(/[/?#]/);
+    return segments.some((seg) => SELF_SERVICE_SEGMENTS.has(seg));
+  }
+};
+var MASKED_LITERALS = ["[REDACTED]", "[FILTERED]", "CHANGE_ME"];
+var MASKED_RE = {
+  test: (s) => {
+    const upper = s.toUpperCase();
+    if (MASKED_LITERALS.some((m) => upper.includes(m))) return true;
+    if (s.length > 0 && s.split("").every((c) => c === "*")) return true;
+    if (s.length >= 3 && s.split("").every((c) => c === "x" || c === "X")) return true;
+    return false;
+  }
+};
+var DB_PROTOCOLS = ["postgres://", "mysql://", "mongodb://", "redis://"];
+var DB_CONN_RE = {
+  test: (s) => DB_PROTOCOLS.some((p) => s.includes(p))
+};
 var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
-var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
-var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-var INTERNAL_ID_SUFFIX = /Id$|_id$/;
-var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
-var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1812,7 +1910,7 @@ init_constants();
 init_endpoint();
 
 // src/index.ts
-var VERSION = "0.9.2";
+var VERSION = "0.10.0";
 
 // src/cli/commands/install.ts
 init_constants();