npm - brakit - Versions diffs - 0.9.2 → 0.10.0 - Mend

brakit 0.9.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/api.d.ts +142 -0
package/dist/api.js +212 -42
package/dist/bin/brakit.js +112 -14
package/dist/dashboard-client.global.js +587 -276
package/dist/dashboard.html +691 -276
package/dist/mcp/server.js +4 -2
package/dist/runtime/index.js +1103 -74
package/package.json +1 -1

package/dist/runtime/index.js CHANGED Viewed

@@ -15,7 +15,7 @@ var __export = (target, all) => {
 };
 // src/constants/config.ts
-var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS, MAX_JSON_BODY_BYTES, ANALYSIS_DEBOUNCE_MS, ISSUE_ID_HASH_LENGTH, ISSUES_DATA_VERSION, SENSITIVE_MASK_PLACEHOLDER, PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_API_LIMIT, MAX_OBJECT_SCAN_DEPTH, MAX_UNIQUE_ENDPOINTS, MAX_ACCUMULATOR_ENTRIES, ISSUE_PRUNE_TTL_MS, FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, CLEAN_HITS_FOR_RESOLUTION, STALE_ISSUE_TTL_MS, STRICT_MODE_MAX_GAP_MS, BASELINE_MIN_SESSIONS, BASELINE_MIN_REQUESTS_PER_SESSION, BASELINE_PENDING_POINTS_MIN, METRICS_DIR, METRICS_FILE, PORT_FILE, ISSUES_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, ISSUES_FLUSH_INTERVAL_MS, SSE_HEARTBEAT_INTERVAL_MS, NOISE_HOSTS, NOISE_PATH_PATTERNS, VALID_ISSUE_STATES, VALID_ISSUE_CATEGORIES, VALID_AI_FIX_STATUSES, TELEMETRY_EVENT_SETUP_COMPLETED, TELEMETRY_EVENT_FIRST_REQUEST, TELEMETRY_EVENT_DASHBOARD_VIEWED, TELEMETRY_EVENT_SESSION, EXIT_REASON_CLEAN, EXIT_REASON_SIGINT, EXIT_REASON_SIGTERM, DETAIL_PREVIEW_LENGTH, KNOWN_DEPENDENCY_NAMES;
+var MAX_REQUEST_ENTRIES, DEFAULT_MAX_BODY_CAPTURE, DEFAULT_API_LIMIT, MAX_TELEMETRY_ENTRIES, MAX_TAB_NAME_LENGTH, MAX_INGEST_BYTES, TERMINAL_TRUNCATE_LENGTH, SENSITIVE_MASK_MIN_LENGTH, SENSITIVE_MASK_VISIBLE_CHARS, MAX_JSON_BODY_BYTES, ANALYSIS_DEBOUNCE_MS, ISSUE_ID_HASH_LENGTH, ISSUES_DATA_VERSION, SENSITIVE_MASK_PLACEHOLDER, PROJECT_HASH_LENGTH, SECRET_SCAN_ARRAY_LIMIT, PII_SCAN_ARRAY_LIMIT, MIN_SECRET_VALUE_LENGTH, FULL_RECORD_MIN_FIELDS, LIST_PII_MIN_ITEMS, MAX_API_LIMIT, MAX_OBJECT_SCAN_DEPTH, MAX_UNIQUE_ENDPOINTS, MAX_ACCUMULATOR_ENTRIES, ISSUE_PRUNE_TTL_MS, FLOW_GAP_MS, SLOW_REQUEST_THRESHOLD_MS, MIN_POLLING_SEQUENCE, ENDPOINT_TRUNCATE_LENGTH, N1_QUERY_THRESHOLD, ERROR_RATE_THRESHOLD_PCT, MIN_REQUESTS_FOR_INSIGHT, HIGH_QUERY_COUNT_PER_REQ, CROSS_ENDPOINT_MIN_ENDPOINTS, CROSS_ENDPOINT_PCT, CROSS_ENDPOINT_MIN_OCCURRENCES, REDUNDANT_QUERY_MIN_COUNT, LARGE_RESPONSE_BYTES, HIGH_ROW_COUNT, OVERFETCH_MIN_REQUESTS, OVERFETCH_MIN_FIELDS, OVERFETCH_MIN_INTERNAL_IDS, OVERFETCH_NULL_RATIO, REGRESSION_PCT_THRESHOLD, REGRESSION_MIN_INCREASE_MS, REGRESSION_MIN_REQUESTS, QUERY_COUNT_REGRESSION_RATIO, OVERFETCH_MANY_FIELDS, OVERFETCH_UNWRAP_MIN_SIZE, MAX_DUPLICATE_INSIGHTS, INSIGHT_WINDOW_PER_ENDPOINT, CLEAN_HITS_FOR_RESOLUTION, STALE_ISSUE_TTL_MS, STRICT_MODE_MAX_GAP_MS, BASELINE_MIN_SESSIONS, BASELINE_MIN_REQUESTS_PER_SESSION, BASELINE_PENDING_POINTS_MIN, METRICS_DIR, METRICS_FILE, PORT_FILE, ISSUES_FILE, METRICS_FLUSH_INTERVAL_MS, METRICS_MAX_SESSIONS, METRICS_MAX_DATA_POINTS, ISSUES_FLUSH_INTERVAL_MS, SSE_HEARTBEAT_INTERVAL_MS, NOISE_HOSTS, NOISE_PATH_PATTERNS, VALID_ISSUE_STATES, VALID_ISSUE_CATEGORIES, VALID_AI_FIX_STATUSES, TELEMETRY_EVENT_SETUP_COMPLETED, TELEMETRY_EVENT_FIRST_REQUEST, TELEMETRY_EVENT_DASHBOARD_VIEWED, TELEMETRY_EVENT_SESSION, TELEMETRY_EVENT_GRAPH_FEATURE, EXIT_REASON_CLEAN, EXIT_REASON_SIGINT, EXIT_REASON_SIGTERM, DETAIL_PREVIEW_LENGTH, KNOWN_DEPENDENCY_NAMES;
 var init_config = __esm({
   "src/constants/config.ts"() {
     "use strict";
@@ -94,6 +94,7 @@ var init_config = __esm({
     TELEMETRY_EVENT_FIRST_REQUEST = "first_request";
     TELEMETRY_EVENT_DASHBOARD_VIEWED = "dashboard_viewed";
     TELEMETRY_EVENT_SESSION = "session";
+    TELEMETRY_EVENT_GRAPH_FEATURE = "graph_feature";
     EXIT_REASON_CLEAN = "clean";
     EXIT_REASON_SIGINT = "sigint";
     EXIT_REASON_SIGTERM = "sigterm";
@@ -118,7 +119,7 @@ var init_config = __esm({
 });
 // src/constants/labels.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS, BRAKIT_REQUEST_ID_HEADER, BRAKIT_FETCH_ID_HEADER, SENSITIVE_HEADER_NAMES, HTTP_OK, HTTP_NO_CONTENT, HTTP_BAD_REQUEST, HTTP_NOT_FOUND, HTTP_METHOD_NOT_ALLOWED, HTTP_PAYLOAD_TOO_LARGE, HTTP_INTERNAL_ERROR, SECURITY_HEADERS, CONTENT_ENCODING_GZIP, CONTENT_ENCODING_BR, CONTENT_ENCODING_DEFLATE, SEVERITY_ICON, SSE_EVENT_FETCH, SSE_EVENT_LOG, SSE_EVENT_ERROR, SSE_EVENT_QUERY, SSE_EVENT_ISSUES, SDK_EVENT_REQUEST, SDK_EVENT_DB_QUERY, SDK_EVENT_FETCH, SDK_EVENT_LOG, SDK_EVENT_ERROR, SDK_EVENT_AUTH_CHECK, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS, SPEED_BUCKET_THRESHOLDS, TIMELINE_FETCH, TIMELINE_LOG, TIMELINE_ERROR, TIMELINE_QUERY;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, DASHBOARD_API_GRAPH, VALID_TABS_TUPLE, VALID_TABS, BRAKIT_REQUEST_ID_HEADER, BRAKIT_FETCH_ID_HEADER, SENSITIVE_HEADER_NAMES, HTTP_OK, HTTP_NO_CONTENT, HTTP_BAD_REQUEST, HTTP_NOT_FOUND, HTTP_METHOD_NOT_ALLOWED, HTTP_PAYLOAD_TOO_LARGE, HTTP_INTERNAL_ERROR, SECURITY_HEADERS, CONTENT_ENCODING_GZIP, CONTENT_ENCODING_BR, CONTENT_ENCODING_DEFLATE, SEVERITY_ICON, SSE_EVENT_FETCH, SSE_EVENT_LOG, SSE_EVENT_ERROR, SSE_EVENT_QUERY, SSE_EVENT_ISSUES, SDK_EVENT_REQUEST, SDK_EVENT_DB_QUERY, SDK_EVENT_FETCH, SDK_EVENT_LOG, SDK_EVENT_ERROR, SDK_EVENT_AUTH_CHECK, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS, SPEED_BUCKET_THRESHOLDS, TIMELINE_FETCH, TIMELINE_LOG, TIMELINE_ERROR, TIMELINE_QUERY;
 var init_labels = __esm({
   "src/constants/labels.ts"() {
     "use strict";
@@ -140,6 +141,7 @@ var init_labels = __esm({
     DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
     DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
     DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    DASHBOARD_API_GRAPH = `${DASHBOARD_PREFIX}/api/graph`;
     VALID_TABS_TUPLE = [
       "overview",
       "actions",
@@ -149,7 +151,8 @@ var init_labels = __esm({
       "errors",
       "logs",
       "performance",
-      "security"
+      "security",
+      "graph"
     ];
     VALID_TABS = new Set(VALID_TABS_TUPLE);
     BRAKIT_REQUEST_ID_HEADER = "x-brakit-request-id";
@@ -173,7 +176,7 @@ var init_labels = __esm({
       "x-content-type-options": "nosniff",
       "x-frame-options": "DENY",
       "referrer-policy": "no-referrer",
-      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src data:"
+      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src data: blob:"
     };
     CONTENT_ENCODING_GZIP = "gzip";
     CONTENT_ENCODING_BR = "br";
@@ -486,7 +489,15 @@ var init_adapter_registry = __esm({
 function normalizeSQL(sql) {
   if (!sql) return { op: "OTHER", table: "" };
   const trimmed = sql.trim();
-  const keyword = trimmed.split(/\s+/, 1)[0].toUpperCase();
+  let spaceIdx = -1;
+  for (let i = 0; i < trimmed.length; i++) {
+    const c = trimmed[i];
+    if (c === " " || c === "	" || c === "\n" || c === "\r") {
+      spaceIdx = i;
+      break;
+    }
+  }
+  const keyword = (spaceIdx === -1 ? trimmed : trimmed.slice(0, spaceIdx)).toUpperCase();
   const op = VALID_OPS.has(keyword) ? keyword : "OTHER";
   const table = trimmed.match(TABLE_RE)?.[1] ?? "";
   return { op, table };
@@ -865,8 +876,51 @@ var init_adapters = __esm({
 });
 // src/utils/endpoint.ts
+function isUUID(s) {
+  if (s.length !== UUID_LEN) return false;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (i === 8 || i === 13 || i === 18 || i === 23) {
+      if (c !== "-") return false;
+    } else {
+      if (!isHexChar(c)) return false;
+    }
+  }
+  return true;
+}
+function isHexChar(c) {
+  const code = c.charCodeAt(0);
+  return code >= 48 && code <= 57 || code >= 65 && code <= 70 || code >= 97 && code <= 102;
+}
+function isNumericId(s) {
+  if (s.length === 0) return false;
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i);
+    if (code < 48 || code > 57) return false;
+  }
+  return true;
+}
+function isHexHash(s) {
+  if (s.length < MIN_HEX_LEN) return false;
+  for (let i = 0; i < s.length; i++) {
+    if (!isHexChar(s[i])) return false;
+  }
+  return true;
+}
+function isAlphanumericToken(s) {
+  if (s.length < MIN_TOKEN_LEN) return false;
+  let hasLetter = false;
+  let hasDigit = false;
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i);
+    if (code >= 65 && code <= 90 || code >= 97 && code <= 122) hasLetter = true;
+    else if (code >= 48 && code <= 57) hasDigit = true;
+    else if (code !== 95 && code !== 45) return false;
+  }
+  return hasLetter && hasDigit;
+}
 function isDynamicSegment(segment) {
-  return UUID_RE.test(segment) || NUMERIC_ID_RE.test(segment) || HEX_HASH_RE.test(segment) || ALPHA_TOKEN_RE.test(segment);
+  return isUUID(segment) || isNumericId(segment) || isHexHash(segment) || isAlphanumericToken(segment);
 }
 function normalizePath(path) {
   const qIdx = path.indexOf("?");
@@ -877,22 +931,24 @@ function getEndpointKey(method, path) {
   return `${method} ${normalizePath(path)}`;
 }
 function extractEndpointFromDesc(desc) {
-  return desc.match(ENDPOINT_PREFIX_RE)?.[1] ?? null;
+  const spaceIdx = desc.indexOf(" ");
+  if (spaceIdx <= 0) return null;
+  const secondSpace = desc.indexOf(" ", spaceIdx + 1);
+  if (secondSpace === -1) return desc;
+  return desc.slice(0, secondSpace);
 }
 function stripQueryString(path) {
   const i = path.indexOf("?");
   return i === -1 ? path : path.slice(0, i);
 }
-var UUID_RE, NUMERIC_ID_RE, HEX_HASH_RE, ALPHA_TOKEN_RE, DYNAMIC_SEGMENT_PLACEHOLDER, ENDPOINT_PREFIX_RE;
+var UUID_LEN, MIN_HEX_LEN, MIN_TOKEN_LEN, DYNAMIC_SEGMENT_PLACEHOLDER;
 var init_endpoint = __esm({
   "src/utils/endpoint.ts"() {
     "use strict";
-    UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    NUMERIC_ID_RE = /^\d+$/;
-    HEX_HASH_RE = /^[0-9a-f]{12,}$/i;
-    ALPHA_TOKEN_RE = /^(?=.*[a-zA-Z])(?=.*\d)[a-zA-Z0-9_-]{8,}$/;
+    UUID_LEN = 36;
+    MIN_HEX_LEN = 12;
+    MIN_TOKEN_LEN = 8;
     DYNAMIC_SEGMENT_PLACEHOLDER = ":id";
-    ENDPOINT_PREFIX_RE = /^(\S+\s+\S+)/;
   }
 });
@@ -913,6 +969,10 @@ var init_http_status = __esm({
 });
 // src/analysis/categorize.ts
+function isAuthPath(path) {
+  const lower = path.toLowerCase();
+  return lower.startsWith("/api/auth") || lower.startsWith("/clerk") || lower.startsWith("/api/clerk");
+}
 function detectCategory(req) {
   const { method, url, statusCode, responseHeaders } = req;
   if (req.isStatic) return "static";
@@ -921,7 +981,7 @@ function detectCategory(req) {
     return "auth-handshake";
   }
   const effectivePath = getEffectivePath(req);
-  if (/^\/api\/auth/i.test(effectivePath) || /^\/(api\/)?clerk/i.test(effectivePath)) {
+  if (isAuthPath(effectivePath)) {
     return "auth-check";
   }
   if (method === "POST" && !effectivePath.startsWith("/api/")) {
@@ -945,6 +1005,13 @@ function detectCategory(req) {
   }
   return "unknown";
 }
+function hasAuthCredentials(req) {
+  if (req.headers["authorization"]) return true;
+  const cookie = (req.headers["cookie"] || "").toLowerCase();
+  if (cookie && AUTH_COOKIE_NAMES.some((name) => cookie.includes(name))) return true;
+  if (req.statusCode === 401) return true;
+  return false;
+}
 function getEffectivePath(req) {
   const rewrite = req.responseHeaders["x-middleware-rewrite"];
   if (!rewrite) return req.path;
@@ -955,9 +1022,21 @@ function getEffectivePath(req) {
     return rewrite.startsWith("/") ? rewrite : req.path;
   }
 }
+var AUTH_COOKIE_NAMES;
 var init_categorize = __esm({
   "src/analysis/categorize.ts"() {
     "use strict";
+    AUTH_COOKIE_NAMES = [
+      "__session=",
+      "__clerk",
+      "__host-next-auth",
+      "next-auth.session-token=",
+      "auth_token=",
+      "session_id=",
+      "access_token=",
+      "_session=",
+      "appsession="
+    ];
   }
 });
@@ -1016,8 +1095,11 @@ function generateHumanLabel(req, category) {
       return failed ? `${req.method} ${req.path} failed` : `${req.method} ${req.path}`;
   }
 }
+function stripApiPrefix(s) {
+  return s.startsWith("/api/") ? s.slice(5) : s;
+}
 function prettifyEndpoint(name) {
-  const cleaned = name.replace(/^\/api\//, "").replace(/\//g, " ").replace(/\.\.\./g, "").trim();
+  const cleaned = stripApiPrefix(name).split("/").join(" ").split("...").join("").trim();
   if (!cleaned) return "data";
   return cleaned.split(" ").map((word) => {
     if (word.endsWith("ses") || word.endsWith("us") || word.endsWith("ss"))
@@ -1029,22 +1111,8 @@ function prettifyEndpoint(name) {
 }
 function deriveActionVerb(method, endpointName) {
   const lower = endpointName.toLowerCase();
-  const VERB_PATTERNS = [
-    [/enhance/, "Enhanced"],
-    [/generate/, "Generated"],
-    [/create/, "Created"],
-    [/update/, "Updated"],
-    [/delete|remove/, "Deleted"],
-    [/send/, "Sent"],
-    [/upload/, "Uploaded"],
-    [/save/, "Saved"],
-    [/submit/, "Submitted"],
-    [/login|signin/, "Logged in"],
-    [/logout|signout/, "Logged out"],
-    [/register|signup/, "Registered"]
-  ];
-  for (const [pattern, verb] of VERB_PATTERNS) {
-    if (pattern.test(lower)) return verb;
+  for (const [keyword, verb] of VERB_MAP) {
+    if (lower.includes(keyword)) return verb;
   }
   switch (method) {
     case "POST":
@@ -1059,24 +1127,45 @@ function deriveActionVerb(method, endpointName) {
   }
 }
 function getEndpointName(path) {
-  const parts = path.replace(/^\/api\//, "").split("/");
+  const parts = stripApiPrefix(path).split("/");
   if (parts.length <= 2) return parts.join("/");
   return parts.map((p) => p.length > ENDPOINT_TRUNCATE_LENGTH ? "..." : p).join("/");
 }
 function prettifyPageName(path) {
-  const clean = path.replace(/^\//, "").replace(/\/$/, "");
+  let clean = path;
+  if (clean.startsWith("/")) clean = clean.slice(1);
+  if (clean.endsWith("/")) clean = clean.slice(0, -1);
   if (!clean) return "Home";
-  return clean.split("/").map((s) => capitalize(s.replace(/[-_]/g, " "))).join(" ");
+  return clean.split("/").map((s) => capitalize(s.split("-").join(" ").split("_").join(" "))).join(" ");
 }
 function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
 }
+var VERB_MAP;
 var init_label = __esm({
   "src/analysis/label.ts"() {
     "use strict";
     init_constants();
     init_categorize();
     init_http_status();
+    VERB_MAP = [
+      ["enhance", "Enhanced"],
+      ["generate", "Generated"],
+      ["create", "Created"],
+      ["update", "Updated"],
+      ["delete", "Deleted"],
+      ["remove", "Deleted"],
+      ["send", "Sent"],
+      ["upload", "Uploaded"],
+      ["save", "Saved"],
+      ["submit", "Submitted"],
+      ["login", "Logged in"],
+      ["signin", "Logged in"],
+      ["logout", "Logged out"],
+      ["signout", "Logged out"],
+      ["register", "Registered"],
+      ["signup", "Registered"]
+    ];
   }
 });
@@ -1522,33 +1611,85 @@ var init_handlers = __esm({
 // src/utils/static-patterns.ts
 function isStaticPath(urlPath) {
-  return STATIC_PATTERNS.some((p) => p.test(urlPath));
+  const dotIdx = urlPath.lastIndexOf(".");
+  if (dotIdx !== -1) {
+    const ext = urlPath.slice(dotIdx).toLowerCase();
+    if (STATIC_EXTENSIONS.has(ext)) return true;
+  }
+  return STATIC_PREFIXES.some((p) => urlPath.startsWith(p));
 }
 function isHealthCheckPath(urlPath) {
-  return HEALTH_CHECK_PATTERNS.some((p) => p.test(urlPath));
+  return HEALTH_CHECK_PATHS.has(urlPath.toLowerCase());
 }
-var STATIC_PATTERNS, HEALTH_CHECK_PATTERNS;
+var STATIC_EXTENSIONS, STATIC_PREFIXES, HEALTH_CHECK_PATHS;
 var init_static_patterns = __esm({
   "src/utils/static-patterns.ts"() {
     "use strict";
-    STATIC_PATTERNS = [
-      /\.(?:js|css|map|ico|png|jpg|jpeg|gif|svg|webp|woff2?|ttf|eot)$/,
-      /^\/favicon/,
-      /^\/node_modules\//,
-      // Framework-specific static/internal paths
-      /^\/_next\//,
-      /^\/__nextjs/,
-      /^\/@vite\//,
-      /^\/__vite/
-    ];
-    HEALTH_CHECK_PATTERNS = [
-      /^\/health(z|check)?$/i,
-      /^\/ping$/i,
-      /^\/(ready|readiness|liveness)$/i,
-      /^\/status$/i,
-      /^\/__health$/i,
-      /^\/api\/health(z|check)?$/i
+    STATIC_EXTENSIONS = /* @__PURE__ */ new Set([
+      ".js",
+      ".css",
+      ".map",
+      ".ico",
+      ".png",
+      ".jpg",
+      ".jpeg",
+      ".gif",
+      ".svg",
+      ".webp",
+      ".woff",
+      ".woff2",
+      ".ttf",
+      ".eot"
+    ]);
+    STATIC_PREFIXES = [
+      "/favicon",
+      "/node_modules/",
+      // Next.js
+      "/_next/",
+      "/__nextjs",
+      // Vite (also used by Nuxt, Astro in dev)
+      "/@vite/",
+      "/__vite",
+      "/@fs/",
+      "/@id/",
+      // Remix
+      "/__remix",
+      // Nuxt
+      "/_nuxt/",
+      "/__nuxt",
+      // Astro
+      "/@astro",
+      "/_astro/",
+      // Django
+      "/static/",
+      "/media/",
+      "/__debug__/",
+      // Flask / Werkzeug
+      "/_debugtoolbar/",
+      // FastAPI / Starlette
+      "/openapi.json",
+      "/docs",
+      "/redoc",
+      // Rails
+      "/assets/",
+      "/packs/",
+      // Browser probes
+      "/.well-known/"
     ];
+    HEALTH_CHECK_PATHS = /* @__PURE__ */ new Set([
+      "/health",
+      "/healthz",
+      "/healthcheck",
+      "/ping",
+      "/ready",
+      "/readiness",
+      "/liveness",
+      "/status",
+      "/__health",
+      "/api/health",
+      "/api/healthz",
+      "/api/healthcheck"
+    ]);
   }
 });
@@ -1977,6 +2118,42 @@ var init_issues = __esm({
   }
 });
+// src/dashboard/api/graph.ts
+function createGraphHandler(services) {
+  return (req, res) => {
+    if (!requireGet(req, res)) return;
+    const url = parseRequestUrl(req);
+    const rawCluster = url.searchParams.get("cluster") ?? void 0;
+    const rawNode = url.searchParams.get("node") ?? void 0;
+    const rawLevel = url.searchParams.get("level") ?? void 0;
+    const rawGrouping = url.searchParams.get("grouping") ?? void 0;
+    const cluster = rawCluster && rawCluster.length <= MAX_PARAM_LENGTH ? rawCluster : void 0;
+    const node = rawNode && rawNode.length <= MAX_PARAM_LENGTH ? rawNode : void 0;
+    const level = rawLevel && VALID_LEVELS.has(rawLevel) ? rawLevel : void 0;
+    const grouping = rawGrouping && VALID_GROUPINGS.has(rawGrouping) ? rawGrouping : void 0;
+    const { graphBuilder, metricsStore } = services;
+    graphBuilder.enrichWithMetrics((endpointKey) => {
+      const metrics = metricsStore.getEndpoint(endpointKey);
+      if (!metrics || metrics.sessions.length === 0) return void 0;
+      const latest = metrics.sessions[metrics.sessions.length - 1];
+      return latest.p95DurationMs;
+    });
+    const data = graphBuilder.getApiResponse({ cluster, node, level, grouping });
+    sendJson(req, res, HTTP_OK, data);
+  };
+}
+var VALID_LEVELS, VALID_GROUPINGS, MAX_PARAM_LENGTH;
+var init_graph = __esm({
+  "src/dashboard/api/graph.ts"() {
+    "use strict";
+    init_labels();
+    init_shared2();
+    VALID_LEVELS = /* @__PURE__ */ new Set(["endpoints", "clusters"]);
+    VALID_GROUPINGS = /* @__PURE__ */ new Set(["path", "auth-boundary", "data-domain"]);
+    MAX_PARAM_LENGTH = 200;
+  }
+});
 // src/dashboard/sse.ts
 function createSSEHandler(services) {
   const clients = /* @__PURE__ */ new Set();
@@ -2478,26 +2655,128 @@ var init_response = __esm({
 });
 // src/analysis/rules/patterns.ts
-var SECRET_KEYS, TOKEN_PARAMS, SAFE_PARAMS, STACK_TRACE_RE, DB_CONN_RE, SQL_FRAGMENT_RE, SECRET_VAL_RE, LOG_SECRET_RE, MASKED_RE, EMAIL_RE, INTERNAL_ID_KEYS, INTERNAL_ID_SUFFIX, SELF_SERVICE_PATH, SENSITIVE_FIELD_NAMES, SELECT_STAR_RE, SELECT_DOT_STAR_RE, RULE_HINTS;
+var SECRET_KEY_SET, SECRET_KEYS, TOKEN_PARAM_SET, TOKEN_PARAMS, SAFE_PARAM_SET, SAFE_PARAMS, INTERNAL_ID_KEY_SET, INTERNAL_ID_KEYS, INTERNAL_ID_SUFFIX, SENSITIVE_FIELD_SET, SENSITIVE_FIELD_NAMES, SELF_SERVICE_SEGMENTS, SELF_SERVICE_PATH, MASKED_LITERALS, MASKED_RE, DB_PROTOCOLS, DB_CONN_RE, SELECT_STAR_RE, SELECT_DOT_STAR_RE, STACK_TRACE_RE, SQL_FRAGMENT_RE, SECRET_VAL_RE, LOG_SECRET_RE, EMAIL_RE, RULE_HINTS;
 var init_patterns = __esm({
   "src/analysis/rules/patterns.ts"() {
     "use strict";
-    SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-    TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-    SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+    SECRET_KEY_SET = /* @__PURE__ */ new Set([
+      "password",
+      "passwd",
+      "secret",
+      "api_key",
+      "apiKey",
+      "api_secret",
+      "apiSecret",
+      "private_key",
+      "privateKey",
+      "client_secret",
+      "clientSecret"
+    ]);
+    SECRET_KEYS = { test: (s) => SECRET_KEY_SET.has(s) };
+    TOKEN_PARAM_SET = /* @__PURE__ */ new Set([
+      "token",
+      "api_key",
+      "apiKey",
+      "secret",
+      "password",
+      "access_token",
+      "session_id",
+      "sessionId"
+    ]);
+    TOKEN_PARAMS = { test: (s) => TOKEN_PARAM_SET.has(s) };
+    SAFE_PARAM_SET = /* @__PURE__ */ new Set([
+      "_rsc",
+      "__clerk_handshake",
+      "__clerk_db_jwt",
+      "callback",
+      "code",
+      "state",
+      "nonce",
+      "redirect_uri",
+      "utm_",
+      "fbclid",
+      "gclid"
+    ]);
+    SAFE_PARAMS = { test: (s) => SAFE_PARAM_SET.has(s) };
+    INTERNAL_ID_KEY_SET = /* @__PURE__ */ new Set([
+      "id",
+      "_id",
+      "userId",
+      "user_id",
+      "createdBy",
+      "updatedBy",
+      "organizationId",
+      "org_id",
+      "tenantId",
+      "tenant_id"
+    ]);
+    INTERNAL_ID_KEYS = { test: (s) => INTERNAL_ID_KEY_SET.has(s) };
+    INTERNAL_ID_SUFFIX = {
+      test: (s) => s.endsWith("Id") || s.endsWith("_id")
+    };
+    SENSITIVE_FIELD_SET = /* @__PURE__ */ new Set([
+      "phone",
+      "phonenumber",
+      "phone_number",
+      "ssn",
+      "socialsecuritynumber",
+      "social_security_number",
+      "dateofbirth",
+      "date_of_birth",
+      "dob",
+      "address",
+      "streetaddress",
+      "street_address",
+      "creditcard",
+      "credit_card",
+      "cardnumber",
+      "card_number",
+      "bankaccount",
+      "bank_account",
+      "passport",
+      "passportnumber",
+      "passport_number",
+      "nationalid",
+      "national_id"
+    ]);
+    SENSITIVE_FIELD_NAMES = {
+      test: (s) => SENSITIVE_FIELD_SET.has(s.toLowerCase())
+    };
+    SELF_SERVICE_SEGMENTS = /* @__PURE__ */ new Set(["me", "account", "profile", "settings", "self"]);
+    SELF_SERVICE_PATH = {
+      test: (path) => {
+        const segments = path.toLowerCase().split(/[/?#]/);
+        return segments.some((seg) => SELF_SERVICE_SEGMENTS.has(seg));
+      }
+    };
+    MASKED_LITERALS = ["[REDACTED]", "[FILTERED]", "CHANGE_ME"];
+    MASKED_RE = {
+      test: (s) => {
+        const upper = s.toUpperCase();
+        if (MASKED_LITERALS.some((m) => upper.includes(m))) return true;
+        if (s.length > 0 && s.split("").every((c) => c === "*")) return true;
+        if (s.length >= 3 && s.split("").every((c) => c === "x" || c === "X")) return true;
+        return false;
+      }
+    };
+    DB_PROTOCOLS = ["postgres://", "mysql://", "mongodb://", "redis://"];
+    DB_CONN_RE = {
+      test: (s) => DB_PROTOCOLS.some((p) => s.includes(p))
+    };
+    SELECT_STAR_RE = {
+      test: (s) => {
+        const t = s.trimStart().toUpperCase();
+        return t.startsWith("SELECT *") || t.startsWith("SELECT	*");
+      }
+    };
+    SELECT_DOT_STAR_RE = {
+      test: (s) => s.toUpperCase().includes(".* FROM")
+    };
     STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
-    DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
     SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
     SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
     LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
-    MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
     EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-    INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-    INTERNAL_ID_SUFFIX = /Id$|_id$/;
-    SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
-    SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
-    SELECT_STAR_RE = /^SELECT\s+\*/i;
-    SELECT_DOT_STAR_RE = /\.\*\s+FROM/i;
     RULE_HINTS = {
       "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
       "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -3956,7 +4235,7 @@ var init_src = __esm({
     init_engine();
     init_insights2();
     init_insights();
-    VERSION = "0.9.2";
+    VERSION = "0.10.0";
   }
 });
@@ -4041,6 +4320,7 @@ function getLayoutStyles() {
 .sidebar-item:hover .item-icon{opacity:.8}
 .sidebar-item .item-label{flex:1}
 .sidebar-item .item-count{font-size:12px;font-family:var(--mono);color:var(--text-muted);background:var(--bg-muted);padding:2px 8px;border-radius:10px;min-width:24px;text-align:center}
+.sidebar-beta{font-size:9px;color:#6366f1;background:#eef2ff;border:1px solid #e0e7ff;border-radius:4px;padding:0 5px;margin-left:auto;line-height:16px}
 .sidebar-item.disabled{opacity:.35;cursor:default;pointer-events:none}
 .sidebar-item .coming-soon{font-size:10px;color:var(--text-muted);background:var(--bg-muted);padding:2px 8px;border-radius:10px;font-weight:600;letter-spacing:.3px}
 .sidebar-footer{padding:16px 24px;border-top:1px solid var(--border-subtle);font-size:12px;color:var(--text-muted);font-family:var(--mono)}
@@ -4066,6 +4346,7 @@ function getLayoutStyles() {
 .main-content{flex:1;overflow-y:auto}
 bk-dashboard{display:contents}
 bk-overview-view,bk-flows-view,bk-requests-view,bk-fetches-view,bk-queries-view,bk-errors-view,bk-logs-view,bk-security-view,bk-performance-view,bk-timeline-panel,bk-empty-state{display:block}
+bk-graph-view{display:block}
 bk-method-badge,bk-status-pill,bk-duration-label,bk-copy-button{display:inline-flex;flex-shrink:0}
 bk-stat-card{display:inline-flex}
 bk-toast{display:block;position:fixed;top:0;left:0;right:0;z-index:100;pointer-events:none}
@@ -4442,7 +4723,7 @@ span.perf-breakdown-dot.perf-breakdown-app{background:var(--breakdown-app)}
 .perf-trend-faster{color:var(--green)}
 `;
 }
-var init_graph = __esm({
+var init_graph2 = __esm({
   "src/dashboard/styles/graph.ts"() {
     "use strict";
   }
@@ -4779,9 +5060,121 @@ var init_timeline = __esm({
   }
 });
+// src/dashboard/styles/graph-view.ts
+function getGraphViewStyles() {
+  return `
+.graph-wrapper{display:flex;flex-direction:column;height:calc(100vh - 120px);outline:none}
+/* Toolbar \u2014 centered search, layers left, flow picker right */
+.graph-toolbar{display:flex;align-items:center;gap:10px;padding:8px 16px;border-bottom:1px solid var(--border)}
+/* Layer toggles */
+.graph-layer-toggles{display:flex;gap:4px;flex-shrink:0}
+.graph-layer-btn{display:flex;align-items:center;gap:3px;font-size:10px;font-weight:500;padding:3px 8px;border:1px solid var(--border);border-radius:12px;background:var(--bg);color:var(--text-muted);cursor:pointer;transition:all .15s;white-space:nowrap}
+.graph-layer-btn:hover{border-color:var(--text-muted);color:var(--text)}
+.graph-layer-btn.active{background:var(--bg-card);font-weight:600}
+/* Search \u2014 takes remaining space, centered */
+.graph-search{flex:1;position:relative;display:flex;align-items:center;max-width:360px;margin:0 auto}
+.graph-search-icon{position:absolute;left:10px;color:var(--text-muted);font-size:13px;pointer-events:none;opacity:0.5}
+.graph-search-input{width:100%;font-size:11px;padding:6px 28px 6px 28px;border:1px solid var(--border);border-radius:8px;background:var(--bg);color:var(--text);font-family:var(--mono);outline:none;transition:border-color .15s,box-shadow .15s}
+.graph-search-input:focus{border-color:#6366f1;box-shadow:0 0 0 3px rgba(99,102,241,.1)}
+.graph-search-input::placeholder{color:var(--text-muted);opacity:0.5}
+.graph-search-clear{position:absolute;right:8px;background:none;border:none;color:var(--text-muted);cursor:pointer;font-size:11px;padding:0 4px;line-height:1;border-radius:3px}
+.graph-search-clear:hover{color:var(--text);background:var(--bg-card)}
+/* Flow picker */
+.graph-flow-picker{font-size:10px;padding:4px 8px;border:1px solid var(--border);border-radius:8px;background:var(--bg);color:var(--text);cursor:pointer;font-family:var(--mono);max-width:200px;flex-shrink:0}
+/* Auth legend \u2014 inline in toolbar */
+.graph-auth-legend{display:flex;gap:8px;align-items:center;font-size:10px;color:var(--text-muted);flex-shrink:0}
+.graph-auth-legend-item{display:flex;align-items:center;gap:3px;white-space:nowrap}
+/* Canvas */
+.graph-body{display:flex;flex:1;min-height:0}
+.graph-canvas{flex:1;overflow:hidden;padding:0;position:relative;min-height:0}
+.graph-svg{display:block}
+.graph-col-header{fill:#c4c4cc;font-size:9px;font-weight:600;font-family:'Inter',system-ui,sans-serif;letter-spacing:1.5px}
+/* Floating controls \u2014 bottom-center pill */
+.graph-float{position:absolute;top:12px;right:12px;display:flex;align-items:center;gap:2px;background:var(--bg-card);border:1px solid var(--border);border-radius:10px;padding:4px 6px;box-shadow:0 2px 12px rgba(0,0,0,.08);z-index:10}
+.graph-float-btn{background:none;border:none;color:var(--text-muted);cursor:pointer;font-size:13px;padding:4px 8px;line-height:1;border-radius:6px;transition:all .12s;white-space:nowrap}
+.graph-float-btn:hover{background:var(--bg);color:var(--text)}
+.graph-float-btn-accent{font-size:11px;font-weight:600;color:#6366f1}
+.graph-float-btn-accent:hover{background:rgba(99,102,241,.08);color:#4f46e5}
+.graph-float-zoom{font-size:10px;color:var(--text-muted);font-family:var(--mono);min-width:36px;text-align:center;user-select:none}
+.graph-float-sep{width:1px;height:16px;background:var(--border);margin:0 2px;flex-shrink:0}
+/* Empty & loading states */
+.graph-empty{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:400px;color:var(--text-muted);text-align:center;padding:40px}
+.graph-empty-icon{font-size:40px;opacity:0.25;margin-bottom:12px}
+.graph-empty-title{font-size:15px;font-weight:600;color:var(--text);margin-bottom:6px}
+.graph-empty-desc{font-size:12px;max-width:320px;line-height:1.5}
+.graph-loading{display:flex;align-items:center;justify-content:center;min-height:400px;color:var(--text-muted);font-size:13px}
+/* Detail panel */
+.graph-detail{width:320px;border-left:1px solid var(--border);overflow-y:auto;padding:16px;background:var(--bg-card);flex-shrink:0;max-height:calc(100vh - 160px)}
+.graph-detail-head{display:flex;justify-content:space-between;align-items:flex-start;margin-bottom:12px}
+.graph-detail-badge{font-size:11px;font-weight:500;text-transform:uppercase;letter-spacing:0.5px;margin-bottom:4px}
+.graph-detail-name{font-size:14px;font-weight:700;color:var(--text);word-break:break-all;font-family:var(--mono)}
+.graph-detail-close{background:none;border:none;color:var(--text-muted);cursor:pointer;font-size:16px;padding:0 4px;line-height:1}
+.graph-detail-close:hover{color:var(--text)}
+.graph-detail-auth-badge{display:inline-block;font-size:10px;font-weight:500;color:#059669;background:#ecfdf5;border:1px solid #a7f3d0;border-radius:4px;padding:1px 6px;margin-top:4px}
+.graph-detail-mw-badge{display:inline-block;font-size:10px;font-weight:500;color:#6b7280;background:#f3f4f6;border:1px solid #d1d5db;border-radius:4px;padding:1px 6px;margin-top:4px;margin-left:4px}
+/* Detail tabs */
+.graph-detail-tabs{display:flex;gap:2px;margin-bottom:12px;border-bottom:1px solid var(--border);padding-bottom:0}
+.graph-detail-tab{background:none;border:none;border-bottom:2px solid transparent;color:var(--text-muted);cursor:pointer;font-size:11px;font-weight:500;padding:6px 10px;transition:all .12s}
+.graph-detail-tab:hover{color:var(--text)}
+.graph-detail-tab.active{color:#6366f1;border-bottom-color:#6366f1}
+/* Detail stats */
+.graph-detail-stats{display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-bottom:12px}
+.graph-detail-stat{background:var(--bg);border-radius:var(--radius-sm);padding:10px 12px}
+.graph-detail-val{font-size:20px;font-weight:700;font-family:var(--mono);color:var(--text);line-height:1.2}
+.graph-detail-lbl{font-size:9px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.6px;margin-top:2px}
+/* Detail sections */
+.graph-detail-sec{font-size:10px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.8px;margin:12px 0 8px;padding-top:10px;border-top:1px solid var(--border)}
+.graph-detail-conn{display:flex;align-items:center;gap:6px;font-size:12px;color:var(--text);padding:6px 8px;background:var(--bg);border-radius:var(--radius-sm);margin-bottom:4px;font-family:var(--mono)}
+.graph-detail-edge-dot{width:6px;height:6px;border-radius:50%;flex-shrink:0}
+.graph-detail-edge-type{font-size:10px;font-weight:600;text-transform:uppercase;min-width:42px}
+.graph-detail-dim{color:var(--text-muted);font-size:10px;margin-left:auto;white-space:nowrap}
+.graph-detail-sql{font-size:10px;color:var(--text-muted);padding:8px 10px;background:var(--bg);border-radius:var(--radius-sm);font-family:var(--mono);word-break:break-all;line-height:1.5;margin:0 0 4px;white-space:pre-wrap;border:1px solid var(--border)}
+/* Security findings in detail */
+.graph-detail-finding{padding:8px 10px;background:var(--bg);border-radius:var(--radius-sm);margin-bottom:6px;border:1px solid var(--border)}
+.graph-detail-finding-title{font-size:12px;font-weight:600;color:var(--text);margin-top:4px}
+.graph-detail-finding-meta{font-size:10px;color:var(--text-muted);margin-top:2px;font-family:var(--mono)}
+.graph-detail-severity{font-size:9px;font-weight:700;text-transform:uppercase;letter-spacing:0.5px;padding:1px 6px;border-radius:3px}
+.graph-detail-severity-critical{background:#fef2f2;color:#dc2626;border:1px solid #fecaca}
+.graph-detail-severity-warning{background:#fffbeb;color:#d97706;border:1px solid #fde68a}
+.graph-detail-severity-info{background:#eff6ff;color:#2563eb;border:1px solid #bfdbfe}
+/* Issues in detail */
+.graph-detail-issue-summary{margin-bottom:12px}
+.graph-detail-hint{font-size:11px;color:var(--text-muted);line-height:1.5;margin:0}
+.graph-detail-empty{font-size:12px;color:var(--text-muted);padding:16px;text-align:center}
+/* Pulse animation for critical security badges */
+@keyframes graph-pulse{0%,100%{opacity:1}50%{opacity:0.5}}
+.graph-pulse{animation:graph-pulse 2s ease-in-out infinite}
+/* Flow edge animation */
+@keyframes graph-flow-dash{to{stroke-dashoffset:-24}}
+.graph-flow-edge{animation:graph-flow-dash 1s linear infinite}
+`;
+}
+var init_graph_view = __esm({
+  "src/dashboard/styles/graph-view.ts"() {
+    "use strict";
+  }
+});
 // src/dashboard/styles.ts
 function getStyles() {
-  return getBaseStyles() + getLayoutStyles() + getFlowStyles() + getRequestStyles() + getPerformanceStyles() + getOverviewStyles() + getSecurityStyles() + getTimelineStyles();
+  return getBaseStyles() + getLayoutStyles() + getFlowStyles() + getRequestStyles() + getPerformanceStyles() + getOverviewStyles() + getSecurityStyles() + getTimelineStyles() + getGraphViewStyles();
 }
 var init_styles = __esm({
   "src/dashboard/styles.ts"() {
@@ -4790,10 +5183,11 @@ var init_styles = __esm({
     init_layout();
     init_flows();
     init_requests();
-    init_graph();
+    init_graph2();
     init_overview();
     init_security2();
     init_timeline();
+    init_graph_view();
   }
 });
@@ -4976,6 +5370,12 @@ function recordDashboardOpened() {
     request_count_at_open: session.requestCount
   });
 }
+function recordGraphFeature(feature, detail) {
+  trackEvent(TELEMETRY_EVENT_GRAPH_FEATURE, {
+    feature,
+    ...detail ? { detail } : {}
+  });
+}
 function recordSetupCompleted(info) {
   session.frameworkCandidates = info.frameworkCandidates;
   session.adaptersFailed = info.adaptersFailed;
@@ -5108,11 +5508,19 @@ function createDashboardHandler(services) {
     issueStore,
     services.bus
   );
+  routes[DASHBOARD_API_GRAPH] = createGraphHandler(services);
   routes[DASHBOARD_API_TAB] = (req, res) => {
-    const raw = (req.url ?? "").split("tab=")[1];
-    if (raw) {
-      const tab = decodeURIComponent(raw).slice(0, MAX_TAB_NAME_LENGTH);
-      if (VALID_TABS.has(tab) && isTelemetryEnabled()) recordTabViewed(tab);
+    if (isTelemetryEnabled()) {
+      const url = new URL(req.url ?? "/", "http://localhost");
+      const tab = url.searchParams.get("tab");
+      if (tab && tab.length <= MAX_TAB_NAME_LENGTH && VALID_TABS.has(tab)) {
+        recordTabViewed(tab);
+      }
+      const event = url.searchParams.get("event");
+      if (event && event.length <= MAX_TAB_NAME_LENGTH) {
+        const detail = url.searchParams.get("detail") ?? void 0;
+        recordGraphFeature(event, detail?.slice(0, MAX_TAB_NAME_LENGTH));
+      }
     }
     res.writeHead(HTTP_NO_CONTENT);
     res.end();
@@ -5141,6 +5549,7 @@ var init_router = __esm({
     init_labels();
     init_api();
     init_issues();
+    init_graph();
     init_sse();
     init_page();
     init_telemetry();
@@ -5667,6 +6076,622 @@ var init_store = __esm({
   }
 });
+// src/graph/constants.ts
+var MAX_PATTERNS_PER_EDGE, CLUSTER_SPLIT_THRESHOLD, COMMON_PATH_PREFIXES, PENDING_BUFFER_MAX, PENDING_EVICTION_TARGET, PENDING_TTL_MS;
+var init_constants2 = __esm({
+  "src/graph/constants.ts"() {
+    "use strict";
+    MAX_PATTERNS_PER_EDGE = 10;
+    CLUSTER_SPLIT_THRESHOLD = 15;
+    COMMON_PATH_PREFIXES = /* @__PURE__ */ new Set(["api", "v1", "v2", "v3", "v4"]);
+    PENDING_BUFFER_MAX = 500;
+    PENDING_EVICTION_TARGET = 200;
+    PENDING_TTL_MS = 6e4;
+  }
+});
+// src/graph/graph-builder.ts
+function shouldSkipRequest(req) {
+  if (req.isStatic || req.isHealthCheck) return true;
+  if (isDashboardRequest(req.path)) return true;
+  return false;
+}
+function extractHostname(url) {
+  try {
+    const parsed = new URL(url);
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "::1")
+      return null;
+    return host;
+  } catch {
+    return null;
+  }
+}
+function makeEdgeId(source, target) {
+  return `${source} -> ${target}`;
+}
+function upsertNode(graph, id, type, label, now) {
+  let node = graph.nodes.get(id);
+  if (!node) {
+    node = {
+      id,
+      type,
+      label,
+      stats: {
+        requestCount: 0,
+        avgLatencyMs: 0,
+        errorRate: 0,
+        avgQueryCount: 0,
+        lastSeenAt: now,
+        firstSeenAt: now
+      }
+    };
+    graph.nodes.set(id, node);
+  }
+  node.stats.lastSeenAt = now;
+  return node;
+}
+function upsertEdge(graph, source, target, type, now) {
+  const id = makeEdgeId(source, target);
+  let edge = graph.edges.get(id);
+  if (!edge) {
+    edge = {
+      id,
+      source,
+      target,
+      type,
+      stats: {
+        frequency: 0,
+        avgLatencyMs: 0,
+        lastSeenAt: now,
+        firstSeenAt: now
+      }
+    };
+    graph.edges.set(id, edge);
+  }
+  edge.stats.lastSeenAt = now;
+  return edge;
+}
+function updateRollingAvg(current, newValue, count) {
+  return Math.round(current + (newValue - current) / count);
+}
+var GraphBuilder;
+var init_graph_builder = __esm({
+  "src/graph/graph-builder.ts"() {
+    "use strict";
+    init_endpoint();
+    init_normalize();
+    init_router();
+    init_categorize();
+    init_constants2();
+    GraphBuilder = class {
+      constructor(bus, requestStore) {
+        this.bus = bus;
+        this.requestStore = requestStore;
+        this.graph = {
+          nodes: /* @__PURE__ */ new Map(),
+          edges: /* @__PURE__ */ new Map(),
+          metadata: { totalObservations: 0, lastUpdatedAt: Date.now() }
+        };
+        /**
+         * Buffered telemetry events waiting for their parent request to complete.
+         * Key = parentRequestId, value = pending queries/fetches.
+         */
+        this.pending = /* @__PURE__ */ new Map();
+        /** Accumulated request categories per endpoint node. */
+        this.nodeCategories = /* @__PURE__ */ new Map();
+        /** Latest analysis snapshot — refreshed on every analysis:updated event. */
+        this.latestAnalysis = null;
+        this.cleanupUnsubs = [];
+      }
+      start() {
+        this.cleanupUnsubs.push(
+          this.bus.on("request:completed", (req) => this.handleRequest(req)),
+          this.bus.on("telemetry:query", (q) => this.handleQuery(q)),
+          this.bus.on("telemetry:fetch", (f) => this.handleFetch(f)),
+          this.bus.on(
+            "analysis:updated",
+            (update) => this.handleAnalysisUpdate(update)
+          )
+        );
+      }
+      stop() {
+        for (const unsub of this.cleanupUnsubs) unsub();
+        this.cleanupUnsubs.length = 0;
+      }
+      getGraph() {
+        return this.graph;
+      }
+      /**
+       * Enrich endpoint nodes with p95 from an external metrics source.
+       * Called by the API handler which has access to MetricsStore.
+       */
+      enrichWithMetrics(getP95) {
+        for (const node of this.graph.nodes.values()) {
+          if (node.type !== "endpoint") continue;
+          const key = node.label;
+          const p95 = getP95(key);
+          if (p95 !== void 0) {
+            if (!node.annotations) node.annotations = {};
+            node.annotations.p95Ms = Math.round(p95);
+          }
+        }
+      }
+      getApiResponse(options) {
+        const grouping = options?.grouping ?? "path";
+        const clusters = this.computeClusters(grouping);
+        if (options?.level === "endpoints") {
+          return this.getEndpointView();
+        }
+        if (options?.node) {
+          return this.getNodeNeighborhood(options.node, clusters);
+        }
+        if (options?.cluster) {
+          return this.getClusterExpanded(options.cluster, clusters);
+        }
+        return this.getClusterView(clusters);
+      }
+      clear() {
+        this.graph.nodes.clear();
+        this.graph.edges.clear();
+        this.graph.metadata.totalObservations = 0;
+        this.pending.clear();
+        this.nodeCategories.clear();
+        this.latestAnalysis = null;
+      }
+      handleAnalysisUpdate(update) {
+        this.latestAnalysis = update;
+        this.enrichNodesFromAnalysis();
+      }
+      enrichNodesFromAnalysis() {
+        if (!this.latestAnalysis) return;
+        const { findings, insights, issues } = this.latestAnalysis;
+        for (const node of this.graph.nodes.values()) {
+          if (node.type !== "endpoint") continue;
+          if (node.annotations) {
+            node.annotations.securityFindings = void 0;
+            node.annotations.insights = void 0;
+            node.annotations.openIssueCount = void 0;
+          }
+        }
+        for (const f of findings) {
+          if (!f.endpoint) continue;
+          const nodeId = `endpoint:${f.endpoint}`;
+          const node = this.graph.nodes.get(nodeId);
+          if (!node) continue;
+          if (!node.annotations) node.annotations = {};
+          if (!node.annotations.securityFindings)
+            node.annotations.securityFindings = [];
+          const existing = node.annotations.securityFindings.find(
+            (s) => s.rule === f.rule
+          );
+          if (existing) {
+            existing.count = f.count;
+          } else {
+            node.annotations.securityFindings.push({
+              rule: f.rule,
+              severity: f.severity,
+              title: f.title,
+              count: f.count
+            });
+          }
+        }
+        const endpointNodesByLabel = /* @__PURE__ */ new Map();
+        for (const node of this.graph.nodes.values()) {
+          if (node.type === "endpoint") endpointNodesByLabel.set(node.label, node);
+        }
+        for (const insight of insights) {
+          if (!insight.nav) continue;
+          for (const [label, node] of endpointNodesByLabel) {
+            if (insight.title.includes(label) || insight.desc.includes(label)) {
+              if (!node.annotations) node.annotations = {};
+              if (!node.annotations.insights) node.annotations.insights = [];
+              if (!node.annotations.insights.some(
+                (i) => i.type === insight.type && i.title === insight.title
+              )) {
+                node.annotations.insights.push({
+                  type: insight.type,
+                  severity: insight.severity,
+                  title: insight.title
+                });
+              }
+            }
+          }
+        }
+        for (const si of issues) {
+          if (!si.issue.endpoint) continue;
+          const nodeId = `endpoint:${si.issue.endpoint}`;
+          const node = this.graph.nodes.get(nodeId);
+          if (!node) continue;
+          if (si.state === "open" || si.state === "regressed") {
+            if (!node.annotations) node.annotations = {};
+            node.annotations.openIssueCount = (node.annotations.openIssueCount ?? 0) + 1;
+          }
+        }
+        for (const insight of insights) {
+          if (insight.type !== "n1" && insight.type !== "redundant-query") continue;
+          for (const edge of this.graph.edges.values()) {
+            if (edge.type !== "reads" && edge.type !== "writes") continue;
+            const sourceNode = this.graph.nodes.get(edge.source);
+            if (sourceNode?.annotations?.insights?.some(
+              (i) => i.type === insight.type
+            )) {
+              if (!edge.annotations) edge.annotations = {};
+              edge.annotations.hasIssue = true;
+            }
+          }
+        }
+      }
+      handleRequest(req) {
+        if (shouldSkipRequest(req)) return;
+        const now = Date.now();
+        const endpointKey = getEndpointKey(req.method, req.path);
+        const nodeId = `endpoint:${endpointKey}`;
+        const node = upsertNode(this.graph, nodeId, "endpoint", endpointKey, now);
+        node.stats.requestCount++;
+        const category = detectCategory(req);
+        let cats = this.nodeCategories.get(nodeId);
+        if (!cats) {
+          cats = /* @__PURE__ */ new Set();
+          this.nodeCategories.set(nodeId, cats);
+        }
+        cats.add(category);
+        if (!node.annotations) node.annotations = {};
+        node.annotations.categories = [...cats];
+        node.annotations.isMiddleware = cats.has("middleware");
+        if (!node.annotations.hasAuth) {
+          node.annotations.hasAuth = cats.has("auth-check") || cats.has("auth-handshake") || hasAuthCredentials(req);
+        }
+        node.stats.avgLatencyMs = updateRollingAvg(
+          node.stats.avgLatencyMs,
+          req.durationMs,
+          node.stats.requestCount
+        );
+        const isError = req.statusCode >= 400 ? 1 : 0;
+        node.stats.errorRate = node.stats.errorRate + (isError - node.stats.errorRate) / node.stats.requestCount;
+        this.graph.metadata.totalObservations++;
+        this.graph.metadata.lastUpdatedAt = now;
+        const buffered = this.pending.get(req.id);
+        if (buffered) {
+          let queryCount = 0;
+          for (const query of buffered.queries) {
+            this.processQuery(query, nodeId, now);
+            queryCount++;
+          }
+          for (const fetch of buffered.fetches) {
+            this.processFetch(fetch, nodeId, now);
+          }
+          this.pending.delete(req.id);
+          if (queryCount > 0) {
+            node.stats.avgQueryCount = updateRollingAvg(
+              node.stats.avgQueryCount,
+              queryCount,
+              node.stats.requestCount
+            );
+          }
+        }
+        const now2 = Date.now();
+        for (const [key, entry] of this.pending) {
+          if (now2 - entry.createdAt > PENDING_TTL_MS) this.pending.delete(key);
+        }
+        if (this.pending.size > PENDING_BUFFER_MAX) {
+          const keys = [...this.pending.keys()];
+          for (let i = 0; i < keys.length - PENDING_EVICTION_TARGET; i++) {
+            this.pending.delete(keys[i]);
+          }
+        }
+      }
+      handleQuery(query) {
+        if (!query.parentRequestId || !query.table) return;
+        let pending2 = this.pending.get(query.parentRequestId);
+        if (!pending2) {
+          pending2 = { queries: [], fetches: [], createdAt: Date.now() };
+          this.pending.set(query.parentRequestId, pending2);
+        }
+        pending2.queries.push(query);
+      }
+      handleFetch(fetch) {
+        if (!fetch.parentRequestId) return;
+        const hostname = extractHostname(fetch.url);
+        if (!hostname) return;
+        let pending2 = this.pending.get(fetch.parentRequestId);
+        if (!pending2) {
+          pending2 = { queries: [], fetches: [], createdAt: Date.now() };
+          this.pending.set(fetch.parentRequestId, pending2);
+        }
+        pending2.fetches.push(fetch);
+      }
+      // ── Process buffered events (called after request completes) ──
+      processQuery(query, endpointNodeId, now) {
+        if (!query.table) return;
+        const tableNodeId = `table:${query.table}`;
+        upsertNode(this.graph, tableNodeId, "table", query.table, now);
+        const edgeType = query.normalizedOp === "SELECT" ? "reads" : "writes";
+        const edge = upsertEdge(
+          this.graph,
+          endpointNodeId,
+          tableNodeId,
+          edgeType,
+          now
+        );
+        edge.stats.frequency++;
+        edge.stats.avgLatencyMs = updateRollingAvg(
+          edge.stats.avgLatencyMs,
+          query.durationMs,
+          edge.stats.frequency
+        );
+        if (query.sql) {
+          const normalized = normalizeQueryParams(query.sql);
+          if (normalized) {
+            if (!edge.patterns) edge.patterns = [];
+            if (!edge.patterns.includes(normalized) && edge.patterns.length < MAX_PATTERNS_PER_EDGE) {
+              edge.patterns.push(normalized);
+            }
+          }
+        }
+      }
+      processFetch(fetch, endpointNodeId, now) {
+        const hostname = extractHostname(fetch.url);
+        if (!hostname) return;
+        const externalNodeId = `external:${hostname}`;
+        upsertNode(this.graph, externalNodeId, "external", hostname, now);
+        const edge = upsertEdge(
+          this.graph,
+          endpointNodeId,
+          externalNodeId,
+          "fetches",
+          now
+        );
+        edge.stats.frequency++;
+        edge.stats.avgLatencyMs = updateRollingAvg(
+          edge.stats.avgLatencyMs,
+          fetch.durationMs,
+          edge.stats.frequency
+        );
+      }
+      // ── Clustering ──
+      computeClusters(strategy = "path") {
+        const endpointNodes = [...this.graph.nodes.values()].filter(
+          (n) => n.type === "endpoint"
+        );
+        if (strategy === "auth-boundary") {
+          return this.clusterByAuthBoundary(endpointNodes);
+        }
+        if (strategy === "data-domain") {
+          return this.clusterByDataDomain(endpointNodes);
+        }
+        return this.clusterByPath(endpointNodes);
+      }
+      clusterByPath(endpointNodes) {
+        const groups = /* @__PURE__ */ new Map();
+        for (const node of endpointNodes) {
+          const parts = node.label.split(" ");
+          const path = parts[1] || parts[0];
+          const segments = path.split("/").filter(Boolean);
+          let i = 0;
+          while (i < segments.length && COMMON_PATH_PREFIXES.has(segments[i])) {
+            i++;
+          }
+          const groupKey = segments[i] || segments[0] || "root";
+          if (!groups.has(groupKey)) groups.set(groupKey, []);
+          groups.get(groupKey).push(node.id);
+        }
+        const clusters = /* @__PURE__ */ new Map();
+        for (const [key, children] of groups) {
+          if (children.length > CLUSTER_SPLIT_THRESHOLD) {
+            const subGroups = /* @__PURE__ */ new Map();
+            for (const childId of children) {
+              const node = this.graph.nodes.get(childId);
+              const parts = node.label.split(" ");
+              const path = parts[1] || parts[0];
+              const segments = path.split("/").filter(Boolean);
+              let idx = segments.indexOf(key);
+              if (idx === -1) idx = 0;
+              const subKey = `${key}/${segments[idx + 1] || "root"}`;
+              if (!subGroups.has(subKey)) subGroups.set(subKey, []);
+              subGroups.get(subKey).push(childId);
+            }
+            for (const [subKey, subChildren] of subGroups) {
+              clusters.set(subKey, this.buildCluster(subKey, subChildren));
+            }
+          } else {
+            clusters.set(key, this.buildCluster(key, children));
+          }
+        }
+        return clusters;
+      }
+      clusterByAuthBoundary(endpointNodes) {
+        const authed = [];
+        const unauthed = [];
+        for (const node of endpointNodes) {
+          if (node.annotations?.hasAuth) {
+            authed.push(node.id);
+          } else {
+            unauthed.push(node.id);
+          }
+        }
+        const clusters = /* @__PURE__ */ new Map();
+        if (authed.length > 0)
+          clusters.set("authenticated", this.buildCluster("authenticated", authed));
+        if (unauthed.length > 0)
+          clusters.set(
+            "unauthenticated",
+            this.buildCluster("unauthenticated", unauthed)
+          );
+        return clusters;
+      }
+      clusterByDataDomain(endpointNodes) {
+        const endpointTables = /* @__PURE__ */ new Map();
+        for (const edge of this.graph.edges.values()) {
+          if (edge.type !== "reads" && edge.type !== "writes") continue;
+          const tableLabel = this.graph.nodes.get(edge.target)?.label;
+          if (!tableLabel) continue;
+          let tables = endpointTables.get(edge.source);
+          if (!tables) {
+            tables = /* @__PURE__ */ new Set();
+            endpointTables.set(edge.source, tables);
+          }
+          tables.add(tableLabel);
+        }
+        const groups = /* @__PURE__ */ new Map();
+        for (const node of endpointNodes) {
+          const tables = endpointTables.get(node.id);
+          const groupKey = tables && tables.size > 0 ? [...tables].sort().join("+") : "no-db";
+          if (!groups.has(groupKey)) groups.set(groupKey, []);
+          groups.get(groupKey).push(node.id);
+        }
+        const clusters = /* @__PURE__ */ new Map();
+        for (const [key, children] of groups) {
+          clusters.set(key, this.buildCluster(key, children));
+        }
+        return clusters;
+      }
+      buildCluster(key, children) {
+        let totalLatency = 0;
+        let totalRequests = 0;
+        let totalErrors = 0;
+        let totalQueries = 0;
+        let firstSeen = Infinity;
+        let lastSeen = 0;
+        for (const childId of children) {
+          const node = this.graph.nodes.get(childId);
+          if (!node) continue;
+          totalRequests += node.stats.requestCount;
+          totalLatency += node.stats.avgLatencyMs * node.stats.requestCount;
+          totalErrors += node.stats.errorRate * node.stats.requestCount;
+          totalQueries += node.stats.avgQueryCount * node.stats.requestCount;
+          firstSeen = Math.min(firstSeen, node.stats.firstSeenAt);
+          lastSeen = Math.max(lastSeen, node.stats.lastSeenAt);
+        }
+        return {
+          id: `cluster:${key}`,
+          label: key,
+          children,
+          stats: {
+            requestCount: totalRequests,
+            avgLatencyMs: totalRequests > 0 ? Math.round(totalLatency / totalRequests) : 0,
+            errorRate: totalRequests > 0 ? totalErrors / totalRequests : 0,
+            avgQueryCount: totalRequests > 0 ? Math.round(totalQueries / totalRequests * 10) / 10 : 0,
+            lastSeenAt: lastSeen || Date.now(),
+            firstSeenAt: firstSeen === Infinity ? Date.now() : firstSeen
+          }
+        };
+      }
+      // ── API response builders ──
+      getEndpointView() {
+        const allNodes = [...this.graph.nodes.values()];
+        const allEdges = [...this.graph.edges.values()];
+        return {
+          nodes: allNodes,
+          edges: allEdges,
+          clusters: [],
+          metadata: this.graph.metadata
+        };
+      }
+      getClusterView(clusters) {
+        const clusterArr = [...clusters.values()];
+        const otherNodes = [...this.graph.nodes.values()].filter(
+          (n) => n.type !== "endpoint"
+        );
+        const endpointToCluster = /* @__PURE__ */ new Map();
+        for (const c of clusterArr) {
+          for (const childId of c.children) {
+            endpointToCluster.set(childId, c.id);
+          }
+        }
+        const edgeAgg = /* @__PURE__ */ new Map();
+        for (const edge of this.graph.edges.values()) {
+          const sourceCluster = endpointToCluster.get(edge.source) ?? edge.source;
+          const target = edge.target;
+          const aggId = makeEdgeId(sourceCluster, target);
+          let agg = edgeAgg.get(aggId);
+          if (!agg) {
+            agg = {
+              id: aggId,
+              source: sourceCluster,
+              target,
+              type: edge.type,
+              stats: { ...edge.stats },
+              patterns: edge.patterns ? [...edge.patterns] : void 0
+            };
+            edgeAgg.set(aggId, agg);
+          } else {
+            agg.stats.frequency += edge.stats.frequency;
+            agg.stats.avgLatencyMs = Math.round(
+              (agg.stats.avgLatencyMs + edge.stats.avgLatencyMs) / 2
+            );
+            agg.stats.lastSeenAt = Math.max(
+              agg.stats.lastSeenAt,
+              edge.stats.lastSeenAt
+            );
+            agg.stats.firstSeenAt = Math.min(
+              agg.stats.firstSeenAt,
+              edge.stats.firstSeenAt
+            );
+          }
+        }
+        return {
+          nodes: otherNodes,
+          edges: [...edgeAgg.values()],
+          clusters: clusterArr,
+          metadata: this.graph.metadata
+        };
+      }
+      getClusterExpanded(clusterId, clusters) {
+        const clusterKey = clusterId.startsWith("cluster:") ? clusterId.slice(8) : clusterId;
+        const cluster = clusters.get(clusterKey);
+        if (!cluster) return this.getClusterView(clusters);
+        const childNodes = [];
+        const connectedNodeIds = /* @__PURE__ */ new Set();
+        const relevantEdges = [];
+        for (const childId of cluster.children) {
+          const node = this.graph.nodes.get(childId);
+          if (node) childNodes.push(node);
+          for (const edge of this.graph.edges.values()) {
+            if (edge.source === childId || edge.target === childId) {
+              relevantEdges.push(edge);
+              if (edge.source !== childId) connectedNodeIds.add(edge.source);
+              if (edge.target !== childId) connectedNodeIds.add(edge.target);
+            }
+          }
+        }
+        for (const nodeId of connectedNodeIds) {
+          if (!cluster.children.includes(nodeId)) {
+            const node = this.graph.nodes.get(nodeId);
+            if (node) childNodes.push(node);
+          }
+        }
+        return {
+          nodes: childNodes,
+          edges: relevantEdges,
+          clusters: [cluster],
+          metadata: this.graph.metadata
+        };
+      }
+      getNodeNeighborhood(nodeId, clusters) {
+        const centerNode = this.graph.nodes.get(nodeId);
+        if (!centerNode) return this.getClusterView(clusters);
+        const nodes = [centerNode];
+        const edges = [];
+        for (const edge of this.graph.edges.values()) {
+          if (edge.source === nodeId || edge.target === nodeId) {
+            edges.push(edge);
+            const otherId = edge.source === nodeId ? edge.target : edge.source;
+            const otherNode = this.graph.nodes.get(otherId);
+            if (otherNode) nodes.push(otherNode);
+          }
+        }
+        return {
+          nodes,
+          edges,
+          clusters: [],
+          metadata: this.graph.metadata
+        };
+      }
+    };
+  }
+});
 // src/output/terminal.ts
 import pc from "picocolors";
 function print(line) {
@@ -6182,6 +7207,9 @@ async function doSetup() {
     hooks_installed: ["fetch", "console", "error"],
     setup_duration_ms: setupDurationMs
   });
+  const graphBuilder = new GraphBuilder(bus, stores.requestStore);
+  graphBuilder.start();
+  services.graphBuilder = graphBuilder;
   const dataDir = getProjectDataDir(cwd);
   const analysisServices = startAnalysis(bus, stores, dataDir, services);
   const config = {
@@ -6252,6 +7280,7 @@ var init_setup = __esm({
     init_store();
     init_issue_store();
     init_engine();
+    init_graph_builder();
     init_terminal();
     init_src();
     init_constants();