brakit 0.9.2 → 0.10.1

package/dist/bin/brakit.js

@@ -73,7 +73,7 @@ var init_type_guards = __esm({
 });
 
 // src/constants/labels.ts
-var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
+var DASHBOARD_PREFIX, DASHBOARD_API_REQUESTS, DASHBOARD_API_EVENTS, DASHBOARD_API_FLOWS, DASHBOARD_API_CLEAR, DASHBOARD_API_LOGS, DASHBOARD_API_FETCHES, DASHBOARD_API_ERRORS, DASHBOARD_API_QUERIES, DASHBOARD_API_INGEST, DASHBOARD_API_METRICS, DASHBOARD_API_ACTIVITY, DASHBOARD_API_METRICS_LIVE, DASHBOARD_API_INSIGHTS, DASHBOARD_API_SECURITY, DASHBOARD_API_TAB, DASHBOARD_API_FINDINGS, DASHBOARD_API_FINDINGS_REPORT, DASHBOARD_API_GRAPH, VALID_TABS_TUPLE, VALID_TABS, POSTHOG_HOST, POSTHOG_CAPTURE_PATH, POSTHOG_REQUEST_TIMEOUT_MS;
 var init_labels = __esm({
   "src/constants/labels.ts"() {
     "use strict";
@@ -95,16 +95,14 @@ var init_labels = __esm({
     DASHBOARD_API_TAB = `${DASHBOARD_PREFIX}/api/tab`;
     DASHBOARD_API_FINDINGS = `${DASHBOARD_PREFIX}/api/findings`;
     DASHBOARD_API_FINDINGS_REPORT = `${DASHBOARD_PREFIX}/api/findings/report`;
+    DASHBOARD_API_GRAPH = `${DASHBOARD_PREFIX}/api/graph`;
     VALID_TABS_TUPLE = [
       "overview",
       "actions",
-      "requests",
-      "fetches",
-      "queries",
-      "errors",
-      "logs",
+      "insights",
       "performance",
-      "security"
+      "graph",
+      "explorer"
     ];
     VALID_TABS = new Set(VALID_TABS_TUPLE);
     POSTHOG_HOST = "https://us.i.posthog.com";
@@ -138,7 +136,7 @@ var init_features = __esm({
     MAX_TIMELINE_EVENTS = 20;
     MAX_RESOLVED_DISPLAY = 5;
     ENRICHMENT_SEVERITY_FILTER = ["critical", "warning"];
-    MCP_SERVER_VERSION = "0.9.2";
+    MCP_SERVER_VERSION = "0.10.1";
     RECOVERY_WINDOW_MS = 5 * 60 * 1e3;
     PORT_MIN = 1;
     PORT_MAX = 65535;
@@ -364,10 +362,27 @@ async function enrichFindings(client) {
         if (reqData.requests.length > 0) {
           const req = reqData.requests[0];
           if (req.id) {
-            const activity = await client.getActivity(req.id);
-            const queryCount = activity.counts?.queries ?? 0;
-            const fetchCount = activity.counts?.fetches ?? 0;
-            return `Request took ${req.durationMs}ms. ${queryCount} DB queries, ${fetchCount} fetches.`;
+            const [activity, queries, fetches] = await Promise.all([
+              client.getActivity(req.id),
+              client.getQueries(req.id),
+              client.getFetches(req.id)
+            ]);
+            const lines = [`Request took ${req.durationMs}ms.`];
+            if (queries.entries.length > 0) {
+              lines.push(`DB Queries (${queries.entries.length}):`);
+              for (const q of queries.entries.slice(0, 5)) {
+                const sql = q.sql ?? `${q.operation ?? ""} ${q.table ?? q.model ?? ""}`;
+                lines.push(`  [${q.durationMs}ms] ${sql}`);
+              }
+              if (queries.entries.length > 5) lines.push(`  ... and ${queries.entries.length - 5} more`);
+            }
+            if (fetches.entries.length > 0) {
+              lines.push(`Fetches (${fetches.entries.length}):`);
+              for (const f of fetches.entries.slice(0, 3)) {
+                lines.push(`  [${f.durationMs}ms] ${f.method} ${f.url} \u2192 ${f.statusCode}`);
+              }
+            }
+            return lines.join("\n");
           }
         }
       } catch {
@@ -486,6 +501,9 @@ var init_get_findings = __esm({
           return { content: [{ type: "text", text: `Invalid state "${state}". Use: open, fixing, resolved, stale, regressed.` }], isError: true };
         }
         let findings = await enrichFindings(client);
+        if (!state) {
+          findings = findings.filter((f) => f.aiStatus !== "wont_fix");
+        }
         if (severity) {
           findings = findings.filter((f) => f.severity === severity);
         }
@@ -497,21 +515,25 @@ var init_get_findings = __esm({
         if (findings.length === 0) {
           return { content: [{ type: "text", text: "No findings detected. The application looks healthy." }] };
         }
-        const lines = [`Found ${findings.length} issue(s):
-`];
+        const lines = [
+          `Found ${findings.length} issue(s). Full context included below \u2014 no need to call get_request_detail separately.`,
+          `After fixing, call report_fixes ONCE with all results.
+`
+        ];
         for (const f of findings) {
           lines.push(`[${f.severity.toUpperCase()}] ${f.title}`);
           lines.push(`  ID: ${f.findingId}`);
           lines.push(`  Endpoint: ${f.endpoint}`);
           lines.push(`  Issue: ${f.description}`);
-          if (f.context) lines.push(`  Context: ${f.context}`);
+          if (f.context) {
+            for (const ctxLine of f.context.split("\n")) {
+              lines.push(`  ${ctxLine}`);
+            }
+          }
           lines.push(`  Fix: ${f.hint}`);
           if (f.aiStatus === "fixed") {
             lines.push(`  AI Status: fixed (awaiting verification)`);
             if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
-          } else if (f.aiStatus === "wont_fix") {
-            lines.push(`  AI Status: won't fix`);
-            if (f.aiNotes) lines.push(`  AI Notes: ${f.aiNotes}`);
           }
           lines.push("");
         }
@@ -899,6 +921,69 @@ var init_report_fix = __esm({
   }
 });
 
+// src/mcp/tools/report-fixes.ts
+var reportFixes;
+var init_report_fixes = __esm({
+  "src/mcp/tools/report-fixes.ts"() {
+    "use strict";
+    init_type_guards();
+    reportFixes = {
+      name: "report_fixes",
+      description: "Report results for multiple findings in a single call. Use this instead of calling report_fix repeatedly \u2014 it's faster and requires only one confirmation. Pass a JSON array string where each item has finding_id, status ('fixed' or 'wont_fix'), and summary.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          fixes: {
+            type: "string",
+            description: 'JSON array of fix reports. Example: [{"finding_id":"abc123","status":"fixed","summary":"Added input validation"}]'
+          }
+        },
+        required: ["fixes"]
+      },
+      async handler(client, args) {
+        let fixes;
+        try {
+          const raw = typeof args.fixes === "string" ? JSON.parse(args.fixes) : args.fixes;
+          if (!Array.isArray(raw) || raw.length === 0) {
+            return { content: [{ type: "text", text: "fixes must be a non-empty JSON array." }], isError: true };
+          }
+          fixes = raw.filter(
+            (item) => typeof item === "object" && item !== null && typeof item.finding_id === "string" && typeof item.status === "string" && typeof item.summary === "string"
+          );
+          if (fixes.length === 0) {
+            return { content: [{ type: "text", text: "No valid fix entries found. Each entry needs finding_id, status, and summary." }], isError: true };
+          }
+        } catch {
+          return { content: [{ type: "text", text: "fixes must be valid JSON." }], isError: true };
+        }
+        const results = [];
+        let errors = 0;
+        for (const fix of fixes) {
+          if (!fix.finding_id || !isValidAiFixStatus(fix.status) || !fix.summary) {
+            results.push(`\u2717 Invalid entry: ${fix.finding_id || "missing ID"}`);
+            errors++;
+            continue;
+          }
+          const ok = await client.reportFix(fix.finding_id, fix.status, fix.summary);
+          if (ok) {
+            const label = fix.status === "fixed" ? "fixed" : "won't fix";
+            results.push(`\u2713 ${fix.finding_id} \u2192 ${label}`);
+          } else {
+            results.push(`\u2717 ${fix.finding_id} \u2192 not found`);
+            errors++;
+          }
+        }
+        const errorSuffix = errors > 0 ? ` (${errors} error${errors !== 1 ? "s" : ""})` : "";
+        const summary = `Processed ${fixes.length} finding(s)${errorSuffix}. Dashboard updated.`;
+        return {
+          content: [{ type: "text", text: summary + "\n\n" + results.join("\n") }],
+          ...errors > 0 ? { isError: true } : {}
+        };
+      }
+    };
+  }
+});
+
 // src/mcp/tools/index.ts
 function getToolDefinitions() {
   return [...TOOL_MAP.values()].map((t) => ({
@@ -928,8 +1013,9 @@ var init_tools = __esm({
     init_get_report();
     init_clear_findings();
     init_report_fix();
+    init_report_fixes();
     TOOL_MAP = new Map(
-      [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings, reportFix].map((t) => [t.name, t])
+      [getFindings, getEndpoints, getRequestDetail, verifyFix, getReport, clearFindings, reportFix, reportFixes].map((t) => [t.name, t])
     );
   }
 });
@@ -939,7 +1025,7 @@ var SERVER_INSTRUCTIONS, PROMPTS, PROMPT_MESSAGES;
 var init_prompts = __esm({
   "src/mcp/prompts.ts"() {
     "use strict";
-    SERVER_INSTRUCTIONS = "Brakit is a dev tool that monitors your running app for security vulnerabilities, performance issues, and query problems. IMPORTANT: After fixing any brakit finding, always call the report_fix tool with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did. This updates the dashboard in real-time so the developer can track AI-driven fixes.";
+    SERVER_INSTRUCTIONS = "Brakit is a dev tool that monitors your running app for security vulnerabilities, performance issues, and query problems. IMPORTANT: After fixing brakit findings, call report_fixes (batch) with all results at once instead of calling report_fix individually. This is faster and requires only one confirmation.";
     PROMPTS = [
       {
         name: "check-app",
@@ -951,8 +1037,8 @@ var init_prompts = __esm({
       }
     ];
     PROMPT_MESSAGES = {
-      "check-app": "Check my running app for security and performance issues using brakit. First get all findings, then get the endpoint summary. For any critical or warning findings, get the request detail to understand the root cause. Give me a clear report of what's wrong and offer to fix each issue. After fixing any issue, call report_fix with the finding_id, status, and summary.",
-      "fix-findings": "Get all open brakit findings. For each finding:\n1. Get the request detail to understand the exact issue\n2. Find the source code responsible and fix it\n3. Call report_fix with the finding_id, status ('fixed' or 'wont_fix'), and a brief summary of what you did\n4. Move to the next finding\n\nAfter all findings are processed, ask me to re-trigger the endpoints so brakit can verify the fixes."
+      "check-app": "Check my running app for security and performance issues using brakit. First get all findings, then get the endpoint summary. For any critical or warning findings, get the request detail to understand the root cause. Give me a clear report of what's wrong and offer to fix each issue. After fixing issues, call report_fixes once with all results.",
+      "fix-findings": "Get all open brakit findings. For each finding:\n1. Get the request detail to understand the exact issue\n2. Find the source code responsible and fix it\n3. Track the finding_id, status ('fixed' or 'wont_fix'), and a brief summary\n\nAfter processing ALL findings, call report_fixes ONCE with the full array of results. Do not call report_fix individually for each finding.\n\nAfter reporting, ask me to re-trigger the endpoints so brakit can verify the fixes."
     };
   }
 });
@@ -1121,11 +1207,22 @@ import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
 import { join as join2, relative } from "path";
 var FRAMEWORKS = [
+  // Meta-frameworks first (they bundle Express/Vite internally)
   { name: "nextjs", dep: "next", devCmd: "next dev", bin: "next", defaultPort: 3e3, devArgs: ["dev", "--port"] },
   { name: "remix", dep: "@remix-run/dev", devCmd: "remix dev", bin: "remix", defaultPort: 3e3, devArgs: ["dev"] },
   { name: "nuxt", dep: "nuxt", devCmd: "nuxt dev", bin: "nuxt", defaultPort: 3e3, devArgs: ["dev", "--port"] },
-  { name: "vite", dep: "vite", devCmd: "vite", bin: "vite", defaultPort: 5173, devArgs: ["--port"] },
-  { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] }
+  { name: "astro", dep: "astro", devCmd: "astro dev", bin: "astro", defaultPort: 4321, devArgs: ["dev", "--port"] },
+  { name: "nestjs", dep: "@nestjs/core", devCmd: "nest start", bin: "nest", defaultPort: 3e3, devArgs: ["--watch"] },
+  { name: "adonis", dep: "@adonisjs/core", devCmd: "node ace serve", bin: "ace", defaultPort: 3333, devArgs: ["serve", "--watch"] },
+  { name: "sails", dep: "sails", devCmd: "sails lift", bin: "sails", defaultPort: 1337, devArgs: ["lift"] },
+  // Server frameworks
+  { name: "hono", dep: "hono", devCmd: "node", bin: "node", defaultPort: 3e3 },
+  { name: "fastify", dep: "fastify", devCmd: "node", bin: "node", defaultPort: 3e3 },
+  { name: "koa", dep: "koa", devCmd: "node", bin: "node", defaultPort: 3e3 },
+  { name: "hapi", dep: "@hapi/hapi", devCmd: "node", bin: "node", defaultPort: 3e3 },
+  { name: "express", dep: "express", devCmd: "node", bin: "node", defaultPort: 3e3 },
+  // Bundlers (last — likely used alongside a framework above)
+  { name: "vite", dep: "vite", devCmd: "vite", bin: "vite", defaultPort: 5173, devArgs: ["--port"] }
 ];
 async function detectProject(rootDir) {
   const pkgPath = join2(rootDir, "package.json");
@@ -1207,7 +1304,8 @@ async function detectPythonFramework(rootDir, hasPyproject, hasRequirements) {
       const content = await readFile3(join2(rootDir, "requirements.txt"), "utf-8");
       const lines = content.toLowerCase().split("\n");
       for (const [dep, fw] of Object.entries(PYTHON_FRAMEWORK_MAP)) {
-        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || /[=<>~![]/u.test(l[dep.length])))) {
+        const versionChars = /* @__PURE__ */ new Set(["=", "<", ">", "~", "!", "["]);
+        if (lines.some((l) => l.startsWith(dep) && (l.length === dep.length || versionChars.has(l[dep.length])))) {
           return fw;
         }
       }
@@ -1313,20 +1411,115 @@ init_log();
 init_type_guards();
 
 // src/analysis/rules/patterns.ts
-var SECRET_KEYS = /^(password|passwd|secret|api_key|apiKey|api_secret|apiSecret|private_key|privateKey|client_secret|clientSecret)$/;
-var TOKEN_PARAMS = /^(token|api_key|apiKey|secret|password|access_token|session_id|sessionId)$/;
-var SAFE_PARAMS = /^(_rsc|__clerk_handshake|__clerk_db_jwt|callback|code|state|nonce|redirect_uri|utm_|fbclid|gclid)$/;
+var SECRET_KEY_SET = /* @__PURE__ */ new Set([
+  "password",
+  "passwd",
+  "secret",
+  "api_key",
+  "apiKey",
+  "api_secret",
+  "apiSecret",
+  "private_key",
+  "privateKey",
+  "client_secret",
+  "clientSecret"
+]);
+var SECRET_KEYS = { test: (s) => SECRET_KEY_SET.has(s) };
+var TOKEN_PARAM_SET = /* @__PURE__ */ new Set([
+  "token",
+  "api_key",
+  "apiKey",
+  "secret",
+  "password",
+  "access_token",
+  "session_id",
+  "sessionId"
+]);
+var TOKEN_PARAMS = { test: (s) => TOKEN_PARAM_SET.has(s) };
+var SAFE_PARAM_SET = /* @__PURE__ */ new Set([
+  "_rsc",
+  "__clerk_handshake",
+  "__clerk_db_jwt",
+  "callback",
+  "code",
+  "state",
+  "nonce",
+  "redirect_uri",
+  "utm_",
+  "fbclid",
+  "gclid"
+]);
+var SAFE_PARAMS = { test: (s) => SAFE_PARAM_SET.has(s) };
+var INTERNAL_ID_KEY_SET = /* @__PURE__ */ new Set([
+  "id",
+  "_id",
+  "userId",
+  "user_id",
+  "createdBy",
+  "updatedBy",
+  "organizationId",
+  "org_id",
+  "tenantId",
+  "tenant_id"
+]);
+var INTERNAL_ID_KEYS = { test: (s) => INTERNAL_ID_KEY_SET.has(s) };
+var INTERNAL_ID_SUFFIX = {
+  test: (s) => s.endsWith("Id") || s.endsWith("_id")
+};
+var SENSITIVE_FIELD_SET = /* @__PURE__ */ new Set([
+  "phone",
+  "phonenumber",
+  "phone_number",
+  "ssn",
+  "socialsecuritynumber",
+  "social_security_number",
+  "dateofbirth",
+  "date_of_birth",
+  "dob",
+  "address",
+  "streetaddress",
+  "street_address",
+  "creditcard",
+  "credit_card",
+  "cardnumber",
+  "card_number",
+  "bankaccount",
+  "bank_account",
+  "passport",
+  "passportnumber",
+  "passport_number",
+  "nationalid",
+  "national_id"
+]);
+var SENSITIVE_FIELD_NAMES = {
+  test: (s) => SENSITIVE_FIELD_SET.has(s.toLowerCase())
+};
+var SELF_SERVICE_SEGMENTS = /* @__PURE__ */ new Set(["me", "account", "profile", "settings", "self"]);
+var SELF_SERVICE_PATH = {
+  test: (path) => {
+    const segments = path.toLowerCase().split(/[/?#]/);
+    return segments.some((seg) => SELF_SERVICE_SEGMENTS.has(seg));
+  }
+};
+var MASKED_LITERALS = ["[REDACTED]", "[FILTERED]", "CHANGE_ME"];
+var MASKED_RE = {
+  test: (s) => {
+    const upper = s.toUpperCase();
+    if (MASKED_LITERALS.some((m) => upper.includes(m))) return true;
+    if (s.length > 0 && s.split("").every((c) => c === "*")) return true;
+    if (s.length >= 3 && s.split("").every((c) => c === "x" || c === "X")) return true;
+    return false;
+  }
+};
+var DB_PROTOCOLS = ["postgres://", "mysql://", "mongodb://", "redis://"];
+var DB_CONN_RE = {
+  test: (s) => DB_PROTOCOLS.some((p) => s.includes(p))
+};
 var STACK_TRACE_RE = /at\s+.+\(.+:\d+:\d+\)|at\s+Module\._compile|at\s+Object\.<anonymous>|at\s+processTicksAndRejections|Traceback \(most recent call last\)|File ".+", line \d+/;
-var DB_CONN_RE = /(postgres|mysql|mongodb|redis):\/\//;
 var SQL_FRAGMENT_RE = /\b(SELECT\s+[\w.*]+\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i;
 var SECRET_VAL_RE = /(api_key|apiKey|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/;
 var LOG_SECRET_RE = /(password|secret|token|api_key|apiKey)\s*[:=]\s*["']?[A-Za-z0-9_\-.+/]{8,}/i;
-var MASKED_RE = /^\*+$|\[REDACTED\]|\[FILTERED\]|CHANGE_ME|^x{3,}$/i;
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/;
-var INTERNAL_ID_KEYS = /^(id|_id|userId|user_id|createdBy|updatedBy|organizationId|org_id|tenantId|tenant_id)$/;
-var INTERNAL_ID_SUFFIX = /Id$|_id$/;
-var SELF_SERVICE_PATH = /\/(?:me|account|profile|settings|self)(?=\/|\?|#|$)/i;
-var SENSITIVE_FIELD_NAMES = /^(phone|phoneNumber|phone_number|ssn|socialSecurityNumber|social_security_number|dateOfBirth|date_of_birth|dob|address|streetAddress|street_address|creditCard|credit_card|cardNumber|card_number|bankAccount|bank_account|passport|passportNumber|passport_number|nationalId|national_id)$/i;
 var RULE_HINTS = {
   "exposed-secret": "Never include secret fields in API responses. Strip sensitive fields before returning.",
   "token-in-url": "Pass tokens in the Authorization header, not URL query parameters.",
@@ -1812,7 +2005,7 @@ init_constants();
 init_endpoint();
 
 // src/index.ts
-var VERSION = "0.9.2";
+var VERSION = "0.10.1";
 
 // src/cli/commands/install.ts
 init_constants();