mobbdev 0.0.108 → 0.0.112

package/dist/index.mjs

@@ -360,9 +360,16 @@ var SubmitVulnerabilityReportDocument = `
 var CreateCommunityUserDocument = `
     mutation CreateCommunityUser {
   initOrganizationAndProject {
-    userId
-    projectId
-    organizationId
+    __typename
+    ... on InitOrganizationAndProjectGoodResponse {
+      projectId
+      userId
+      organizationId
+    }
+    ... on UserAlreadyInProjectError {
+      error
+      status
+    }
   }
 }
     `;
@@ -517,7 +524,7 @@ import fetch3 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
 import tmp2 from "tmp";
-import { z as z11 } from "zod";
+import { z as z12 } from "zod";
 
 // src/features/analysis/git.ts
 import Debug2 from "debug";
@@ -945,35 +952,46 @@ var GQLClient = class {
 import { Octokit as Octokit3 } from "@octokit/core";
 import Debug5 from "debug";
 import parseDiff2 from "parse-diff";
-import { z as z10 } from "zod";
+import { z as z11 } from "zod";
 
 // src/features/analysis/scm/ado.ts
-import querystring2 from "node:querystring";
+import querystring from "node:querystring";
 import * as api from "azure-devops-node-api";
-import { z as z9 } from "zod";
-
-// src/features/analysis/scm/scm.ts
-import { Octokit as Octokit2 } from "@octokit/core";
-import { z as z8 } from "zod";
-
-// src/features/analysis/scm/github/encryptSecret.ts
-import sodium from "libsodium-wrappers";
-async function encryptSecret(secret, key) {
-  await sodium.ready;
-  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
-  const binsec = sodium.from_string(secret);
-  const encBytes = sodium.crypto_box_seal(binsec, binkey);
-  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
-}
-
-// src/features/analysis/scm/github/github.ts
-import { RequestError } from "@octokit/request-error";
-import { Octokit } from "octokit";
 import { z as z3 } from "zod";
 
+// src/features/analysis/scm/types.ts
+var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
+  ReferenceType2["BRANCH"] = "BRANCH";
+  ReferenceType2["COMMIT"] = "COMMIT";
+  ReferenceType2["TAG"] = "TAG";
+  return ReferenceType2;
+})(ReferenceType || {});
+var ScmLibScmType = /* @__PURE__ */ ((ScmLibScmType2) => {
+  ScmLibScmType2["GITHUB"] = "GITHUB";
+  ScmLibScmType2["GITLAB"] = "GITLAB";
+  ScmLibScmType2["ADO"] = "ADO";
+  ScmLibScmType2["BITBUCKET"] = "BITBUCKET";
+  return ScmLibScmType2;
+})(ScmLibScmType || {});
+var scmCloudUrl = {
+  GitLab: "https://gitlab.com",
+  GitHub: "https://github.com",
+  Ado: "https://dev.azure.com",
+  Bitbucket: "https://bitbucket.org"
+};
+var ScmType = /* @__PURE__ */ ((ScmType2) => {
+  ScmType2["GitHub"] = "GitHub";
+  ScmType2["GitLab"] = "GitLab";
+  ScmType2["Ado"] = "Ado";
+  ScmType2["Bitbucket"] = "Bitbucket";
+  return ScmType2;
+})(ScmType || {});
+
 // src/features/analysis/scm/urlParser.ts
-function getRepoInfo(pathname, hostname, scmType) {
+function detectAdoUrl(args) {
+  const { pathname, hostname, scmType } = args;
   const hostnameParts = hostname.split(".");
+  const adoHostname = new URL(scmCloudUrl.Ado).hostname;
   if (hostnameParts.length === 3 && hostnameParts[1] === "visualstudio" && hostnameParts[2] === "com") {
     if (pathname.length === 2 && pathname[0] === "_git") {
       return {
@@ -990,7 +1008,7 @@ function getRepoInfo(pathname, hostname, scmType) {
       };
     }
   }
-  if (hostname === "dev.azure.com" || scmType === "Ado" /* Ado */) {
+  if (hostname === adoHostname || scmType === "Ado" /* Ado */) {
     if (pathname.length === 3 && pathname[1] === "_git") {
       return {
         organization: pathname[0],
@@ -1006,7 +1024,12 @@ function getRepoInfo(pathname, hostname, scmType) {
       };
     }
   }
-  if (hostname === "github.com" || scmType === "GitHub" /* GitHub */) {
+  return null;
+}
+function detectGithubUrl(args) {
+  const { pathname, hostname, scmType } = args;
+  const githubHostname = new URL(scmCloudUrl.GitHub).hostname;
+  if (hostname === githubHostname || scmType === "GitHub" /* GitHub */) {
     if (pathname.length === 2) {
       return {
         organization: pathname[0],
@@ -1015,7 +1038,12 @@ function getRepoInfo(pathname, hostname, scmType) {
       };
     }
   }
-  if (hostname === "gitlab.com" || scmType === "GitLab" /* GitLab */) {
+  return null;
+}
+function detectGitlabUrl(args) {
+  const { pathname, hostname, scmType } = args;
+  const gitlabHostname = new URL(scmCloudUrl.GitLab).hostname;
+  if (hostname === gitlabHostname || scmType === "GitLab" /* GitLab */) {
     if (pathname.length >= 2) {
       return {
         organization: pathname[0],
@@ -1026,13 +1054,46 @@ function getRepoInfo(pathname, hostname, scmType) {
   }
   return null;
 }
+function detectBitbucketUrl(args) {
+  const { pathname, hostname, scmType } = args;
+  const bitbucketHostname = new URL(scmCloudUrl.Bitbucket).hostname;
+  if (hostname === bitbucketHostname || scmType === "Bitbucket" /* Bitbucket */) {
+    if (pathname.length === 2) {
+      return {
+        organization: pathname[0],
+        projectName: void 0,
+        repoName: pathname[1]
+      };
+    }
+  }
+  return null;
+}
+var getRepoUrlFunctionMap = {
+  ["GitLab" /* GitLab */]: detectGitlabUrl,
+  ["GitHub" /* GitHub */]: detectGithubUrl,
+  ["Ado" /* Ado */]: detectAdoUrl,
+  ["Bitbucket" /* Bitbucket */]: detectBitbucketUrl
+};
+function getRepoInfo(args) {
+  for (const detectUrl of Object.values(getRepoUrlFunctionMap)) {
+    const detectUrlRes = detectUrl(args);
+    if (detectUrlRes) {
+      return detectUrlRes;
+    }
+  }
+  return null;
+}
 var NAME_REGEX = /[a-z0-9\-_.+]+/i;
 var parseScmURL = (scmURL, scmType) => {
   try {
     const url = new URL(scmURL);
     const hostname = url.hostname.toLowerCase();
     const projectPath = url.pathname.substring(1).replace(/.git$/i, "");
-    const repo = getRepoInfo(projectPath.split("/"), hostname, scmType);
+    const repo = getRepoInfo({
+      pathname: projectPath.split("/"),
+      hostname,
+      scmType
+    });
     if (!repo)
       return null;
     const { organization, repoName, projectName } = repo;
@@ -1069,247 +1130,886 @@ var sanityRepoURL = (scmURL) => {
   }
 };
 
-// src/features/analysis/scm/github/github.ts
+// src/features/analysis/scm/ado.ts
 function removeTrailingSlash(str) {
   return str.trim().replace(/\/+$/, "");
 }
-var EnvVariablesZod = z3.object({
-  GITHUB_API_TOKEN: z3.string().optional()
-});
-var { GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
-var GetBlameDocument = `
-      query GetBlame(
-        $owner: String!
-        $repo: String!
-        $ref: String!
-        $path: String!
-      ) {
-        repository(name: $repo, owner: $owner) {
-          # branch name
-          object(expression: $ref) {
-            # cast Target to a Commit
-            ... on Commit {
-              # full repo-relative path to blame file
-              blame(path: $path) {
-                ranges {
-                  commit {
-                    author {
-                      user {
-                        name
-                        login
-                      }
-                    }
-                    authoredDate
-                  }
-                  startingLine
-                  endingLine
-                  age
-                }
-              }
-            }
-            
-          }
-        }
+async function _getOrgsForOauthToken({ oauthToken }) {
+  const profileZ = z3.object({
+    displayName: z3.string(),
+    publicAlias: z3.string().min(1),
+    emailAddress: z3.string(),
+    coreRevision: z3.number(),
+    timeStamp: z3.string(),
+    id: z3.string(),
+    revision: z3.number()
+  });
+  const accountsZ = z3.object({
+    count: z3.number(),
+    value: z3.array(
+      z3.object({
+        accountId: z3.string(),
+        accountUri: z3.string(),
+        accountName: z3.string()
+      })
+    )
+  });
+  const profileRes = await fetch(
+    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0",
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
       }
-    `;
-function getOktoKit(options) {
-  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
-  return new Octokit({ auth: token });
+    }
+  );
+  const profileJson = await profileRes.json();
+  const profile = profileZ.parse(profileJson);
+  const accountsRes = await fetch(
+    `https://app.vssps.visualstudio.com/_apis/accounts?memberId=${profile.publicAlias}&api-version=6.0`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
+      }
+    }
+  );
+  const accountsJson = await accountsRes.json();
+  const accounts = accountsZ.parse(accountsJson);
+  const orgs = accounts.value.map((account) => account.accountName).filter((value, index, array) => array.indexOf(value) === index);
+  return orgs;
 }
-async function githubValidateParams(url, accessToken) {
+function _getPublicAdoClient({ orgName }) {
+  const orgUrl = `https://dev.azure.com/${orgName}`;
+  const authHandler = api.getPersonalAccessTokenHandler("");
+  authHandler.canHandleAuthentication = () => false;
+  authHandler.prepareRequest = (_options) => {
+    return;
+  };
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
+}
+function getAdoTokenType(token) {
+  if (token.includes(".")) {
+    return "OAUTH" /* OAUTH */;
+  }
+  return "PAT" /* PAT */;
+}
+async function getAdoApiClient({
+  accessToken,
+  tokenOrg,
+  orgName
+}) {
+  if (!accessToken || tokenOrg && tokenOrg !== orgName) {
+    return _getPublicAdoClient({ orgName });
+  }
+  const orgUrl = `https://dev.azure.com/${orgName}`;
+  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+    const connection2 = new api.WebApi(orgUrl, api.getBearerHandler(accessToken));
+    return connection2;
+  }
+  const authHandler = api.getPersonalAccessTokenHandler(accessToken);
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
+}
+async function adoValidateParams({
+  url,
+  accessToken,
+  tokenOrg
+}) {
   try {
-    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-    if (accessToken) {
-      await oktoKit.rest.users.getAuthenticated();
+    if (!url && accessToken && getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+      await _getOrgsForOauthToken({ oauthToken: accessToken });
+      return;
     }
+    let org = tokenOrg;
     if (url) {
-      const { owner, repo } = parseGithubOwnerAndRepo(url);
-      await oktoKit.rest.repos.get({ repo, owner });
+      const { owner } = parseAdoOwnerAndRepo(url);
+      org = owner;
     }
+    if (!org) {
+      throw new InvalidRepoUrlError(`invalid ADO ORG ${org}`);
+    }
+    const api2 = await getAdoApiClient({
+      accessToken,
+      tokenOrg,
+      orgName: org
+    });
+    await api2.connect();
   } catch (e) {
     const error = e;
-    const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    if (code === 401 || code === 403) {
-      throw new InvalidAccessTokenError(`invalid github access token`);
+    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    const description = error.description || `${e}`;
+    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
+      throw new InvalidAccessTokenError(`invalid ADO access token`);
     }
-    if (code === 404) {
-      throw new InvalidRepoUrlError(`invalid github repo Url ${url}`);
+    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
+      throw new InvalidRepoUrlError(`invalid ADO repo URL ${url}`);
     }
     throw e;
   }
 }
-async function getGithubUsername(accessToken) {
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.users.getAuthenticated();
-  return res.data.login;
-}
-async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
+async function getAdoIsUserCollaborator({
+  accessToken,
+  tokenOrg,
+  repoUrl
+}) {
   try {
-    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
-    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-    const res = await oktoKit.rest.repos.checkCollaborator({
-      owner,
-      repo,
-      username
+    const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+    const api2 = await getAdoApiClient({
+      accessToken,
+      tokenOrg,
+      orgName: owner
     });
-    if (res.status === 204) {
-      return true;
+    const git = await api2.getGitApi();
+    const branches = await git.getBranches(repo, projectName);
+    if (!branches || branches.length === 0) {
+      throw new InvalidRepoUrlError("no branches");
     }
+    return true;
   } catch (e) {
     return false;
   }
-  return false;
 }
-async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
-  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.pulls.get({
-    owner,
-    repo,
-    pull_number: prNumber
+var adoStatusNumberToEnumMap = {
+  1: "active" /* active */,
+  2: "abandoned" /* abandoned */,
+  3: "completed" /* completed */,
+  4: "all" /* all */
+};
+async function getAdoPullRequestStatus({
+  accessToken,
+  tokenOrg,
+  repoUrl,
+  prNumber
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
   });
-  if (res.data.merged) {
-    return "merged";
+  const git = await api2.getGitApi();
+  const res = await git.getPullRequest(repo, prNumber, projectName);
+  if (!res.status || res.status < 1 || res.status > 3) {
+    throw new Error("bad pr status for ADO");
   }
-  if (res.data.draft) {
-    return "draft";
-  }
-  return res.data.state;
+  return adoStatusNumberToEnumMap[res.status];
 }
-async function getGithubIsRemoteBranch(accessToken, repoUrl, branch) {
-  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+async function getAdoIsRemoteBranch({
+  accessToken,
+  tokenOrg,
+  repoUrl,
+  branch
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
   try {
-    const res = await oktoKit.rest.repos.getBranch({
-      owner,
-      repo,
-      branch
-    });
-    return branch === res.data.name;
+    const branchStatus = await git.getBranch(repo, branch, projectName);
+    if (!branchStatus || !branchStatus.commit) {
+      throw new InvalidRepoUrlError("no branch status");
+    }
+    return branchStatus.name === branch;
   } catch (e) {
     return false;
   }
 }
-async function getGithubRepoList(accessToken) {
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  try {
-    const githubRepos = await getRepos(oktoKit);
-    return githubRepos.map(
-      (repo) => {
-        const repoLanguages = [];
-        if (repo.language) {
-          repoLanguages.push(repo.language);
+async function getAdoRepoList({
+  orgName,
+  tokenOrg,
+  accessToken
+}) {
+  let orgs = [];
+  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+    orgs = await _getOrgsForOauthToken({ oauthToken: accessToken });
+  }
+  if (orgs.length === 0 && !orgName) {
+    throw new Error(`no orgs for ADO`);
+  } else if (orgs.length === 0 && orgName) {
+    orgs = [orgName];
+  }
+  const repos = (await Promise.allSettled(
+    orgs.map(async (org) => {
+      const orgApi = await getAdoApiClient({
+        accessToken,
+        tokenOrg,
+        orgName: org
+      });
+      const gitOrg = await orgApi.getGitApi();
+      const orgRepos = await gitOrg.getRepositories();
+      const repoInfoList = (await Promise.allSettled(
+        orgRepos.map(async (repo) => {
+          if (!repo.name || !repo.remoteUrl || !repo.defaultBranch) {
+            throw new InvalidRepoUrlError("bad repo");
+          }
+          const branch = await gitOrg.getBranch(
+            repo.name,
+            repo.defaultBranch.replace(/^refs\/heads\//, ""),
+            repo.project?.name
+          );
+          return {
+            repoName: repo.name,
+            repoUrl: repo.remoteUrl.replace(
+              /^[hH][tT][tT][pP][sS]:\/\/[^/]+@/,
+              "https://"
+            ),
+            repoOwner: org,
+            repoIsPublic: repo.project?.visibility === 2,
+            //2 is public in the ADO API
+            repoLanguages: [],
+            repoUpdatedAt: branch.commit?.committer?.date?.toDateString() || repo.project?.lastUpdateTime?.toDateString() || (/* @__PURE__ */ new Date()).toDateString()
+          };
+        })
+      )).reduce((acc, res) => {
+        if (res.status === "fulfilled") {
+          acc.push(res.value);
         }
-        return {
-          repoName: repo.name,
-          repoUrl: repo.html_url,
-          repoOwner: repo.owner.login,
-          repoLanguages,
-          repoIsPublic: !repo.private,
-          repoUpdatedAt: repo.updated_at
-        };
-      }
-    );
-  } catch (e) {
-    if (e instanceof RequestError && e.status === 401) {
-      return [];
-    }
-    if (e instanceof RequestError && e.status === 404) {
-      return [];
+        return acc;
+      }, []);
+      return repoInfoList;
+    })
+  )).reduce((acc, res) => {
+    if (res.status === "fulfilled") {
+      return acc.concat(res.value);
     }
-    throw e;
-  }
-}
-async function getGithubBranchList(accessToken, repoUrl) {
-  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.repos.listBranches({
-    owner,
-    repo,
-    per_page: 1e3,
-    page: 1
-  });
-  return res.data.map((branch) => branch.name);
+    return acc;
+  }, []);
+  return repos;
 }
-async function createPullRequest(options) {
-  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
-  const res = await oktoKit.rest.pulls.create({
-    owner,
-    repo,
-    title: options.title,
-    body: options.body,
-    head: options.sourceBranchName,
-    base: options.targetBranchName,
-    draft: false,
-    maintainer_can_modify: true
-  });
-  return res.data.number;
+function getAdoPrUrl({
+  url,
+  prNumber
+}) {
+  return `${url}/pullrequest/${prNumber}`;
 }
-async function forkRepo(options) {
-  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
-  const res = await oktoKit.rest.repos.createFork({
-    owner,
-    repo,
-    default_branch_only: false
-  });
-  return { url: res.data.html_url ? String(res.data.html_url) : null };
+function getAdoDownloadUrl({
+  repoUrl,
+  branch
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const url = new URL(repoUrl);
+  const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? "https://dev.azure.com" : url.origin.toLowerCase();
+  return `${origin}/${owner}/${projectName}/_apis/git/repositories/${repo}/items/items?path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
 }
-async function getRepos(oktoKit) {
-  const res = await oktoKit.request("GET /user/repos?sort=updated", {
-    headers: {
-      "X-GitHub-Api-Version": "2022-11-28",
-      per_page: 100
-    }
+async function getAdoBranchList({
+  accessToken,
+  tokenOrg,
+  repoUrl
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
   });
-  return res.data;
-}
-async function getGithubRepoDefaultBranch(repoUrl, options) {
-  const oktoKit = getOktoKit(options);
-  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
-  return (await oktoKit.rest.repos.get({ repo, owner })).data.default_branch;
-}
-async function getGithubReferenceData({ ref, gitHubUrl }, options) {
-  const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
-  let res;
+  const git = await api2.getGitApi();
   try {
-    const oktoKit = getOktoKit(options);
-    res = await Promise.any([
-      getBranch({ owner, repo, branch: ref }, oktoKit).then((result) => ({
-        date: result.data.commit.commit.committer?.date ? new Date(result.data.commit.commit.committer?.date) : void 0,
-        type: "BRANCH" /* BRANCH */,
-        sha: result.data.commit.sha
-      })),
-      getCommit({ commitSha: ref, repo, owner }, oktoKit).then((commit) => ({
-        date: new Date(commit.data.committer.date),
-        type: "COMMIT" /* COMMIT */,
-        sha: commit.data.sha
-      })),
-      getTagDate({ owner, repo, tag: ref }, oktoKit).then((data) => ({
-        date: new Date(data.date),
-        type: "TAG" /* TAG */,
-        sha: data.sha
-      }))
-    ]);
-    return res;
+    const res = await git.getBranches(repo, projectName);
+    res.sort((a, b) => {
+      if (!a.commit?.committer?.date || !b.commit?.committer?.date) {
+        return 0;
+      }
+      return b.commit?.committer?.date.getTime() - a.commit?.committer?.date.getTime();
+    });
+    return res.reduce((acc, branch) => {
+      if (!branch.name) {
+        return acc;
+      }
+      acc.push(branch.name);
+      return acc;
+    }, []);
   } catch (e) {
-    if (e instanceof AggregateError) {
-      throw new RefNotFoundError(`ref: ${ref} does not exist`);
-    }
-    throw e;
+    return [];
   }
 }
-async function getBranch({ branch, owner, repo }, oktoKit) {
-  return oktoKit.rest.repos.getBranch({
-    branch,
-    owner,
-    repo
+async function createAdoPullRequest(options) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(options.repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken: options.accessToken,
+    tokenOrg: options.tokenOrg,
+    orgName: owner
   });
+  const git = await api2.getGitApi();
+  const res = await git.createPullRequest(
+    {
+      sourceRefName: `refs/heads/${options.sourceBranchName}`,
+      targetRefName: `refs/heads/${options.targetBranchName}`,
+      title: options.title,
+      description: options.body
+    },
+    repo,
+    projectName
+  );
+  return res.pullRequestId;
 }
-async function getTagDate({ tag, owner, repo }, oktoKit) {
-  const refResponse = await oktoKit.rest.git.getRef({
-    ref: `tags/${tag}`,
+async function getAdoRepoDefaultBranch({
+  repoUrl,
+  tokenOrg,
+  accessToken
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
+  const branches = await git.getBranches(repo, projectName);
+  if (!branches || branches.length === 0) {
+    throw new InvalidRepoUrlError("no branches");
+  }
+  const res = branches.find((branch) => branch.isBaseVersion);
+  if (!res || !res.name) {
+    throw new InvalidRepoUrlError("no default branch");
+  }
+  return res.name;
+}
+async function getAdoReferenceData({
+  ref,
+  repoUrl,
+  accessToken,
+  tokenOrg
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  if (!projectName) {
+    throw new InvalidUrlPatternError("no project name");
+  }
+  const git = await api2.getGitApi();
+  const results = await Promise.allSettled([
+    (async () => {
+      const res = await git.getBranch(repo, ref, projectName);
+      if (!res.commit || !res.commit.commitId) {
+        throw new InvalidRepoUrlError("no commit on branch");
+      }
+      return {
+        sha: res.commit.commitId,
+        type: "BRANCH" /* BRANCH */,
+        date: res.commit.committer?.date || /* @__PURE__ */ new Date()
+      };
+    })(),
+    (async () => {
+      const res = await git.getCommits(
+        repo,
+        {
+          fromCommitId: ref,
+          toCommitId: ref,
+          $top: 1
+        },
+        projectName
+      );
+      const commit = res[0];
+      if (!commit || !commit.commitId) {
+        throw new Error("no commit");
+      }
+      return {
+        sha: commit.commitId,
+        type: "COMMIT" /* COMMIT */,
+        date: commit.committer?.date || /* @__PURE__ */ new Date()
+      };
+    })(),
+    (async () => {
+      const res = await git.getRefs(repo, projectName, `tags/${ref}`);
+      if (!res[0] || !res[0].objectId) {
+        throw new Error("no tag ref");
+      }
+      let objectId = res[0].objectId;
+      try {
+        const tag = await git.getAnnotatedTag(projectName, repo, objectId);
+        if (tag.taggedObject?.objectId) {
+          objectId = tag.taggedObject.objectId;
+        }
+      } catch (e) {
+      }
+      const commitRes2 = await git.getCommits(
+        repo,
+        {
+          fromCommitId: objectId,
+          toCommitId: objectId,
+          $top: 1
+        },
+        projectName
+      );
+      const commit = commitRes2[0];
+      if (!commit) {
+        throw new Error("no commit");
+      }
+      return {
+        sha: objectId,
+        type: "TAG" /* TAG */,
+        date: commit.committer?.date || /* @__PURE__ */ new Date()
+      };
+    })()
+  ]);
+  const [branchRes, commitRes, tagRes] = results;
+  if (tagRes.status === "fulfilled") {
+    return tagRes.value;
+  }
+  if (branchRes.status === "fulfilled") {
+    return branchRes.value;
+  }
+  if (commitRes.status === "fulfilled") {
+    return commitRes.value;
+  }
+  throw new RefNotFoundError(`ref: ${ref} does not exist`);
+}
+function parseAdoOwnerAndRepo(adoUrl) {
+  adoUrl = removeTrailingSlash(adoUrl);
+  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
+  if (!parsingResult || parsingResult.hostname !== "dev.azure.com" && !parsingResult.hostname.endsWith(".visualstudio.com")) {
+    throw new InvalidUrlPatternError(`invalid ADO repo URL: ${adoUrl}`);
+  }
+  const { organization, repoName, projectName, projectPath, pathElements } = parsingResult;
+  return {
+    owner: organization,
+    repo: repoName,
+    projectName,
+    projectPath,
+    pathElements
+  };
+}
+async function getAdoBlameRanges() {
+  return [];
+}
+var ADO_ACCESS_TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token";
+var AdoAuthResultZ = z3.object({
+  access_token: z3.string().min(1),
+  token_type: z3.string().min(1),
+  refresh_token: z3.string().min(1)
+});
+async function getAdoToken({
+  token,
+  adoClientSecret,
+  tokenType,
+  redirectUri
+}) {
+  const res = await fetch(ADO_ACCESS_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: querystring.stringify({
+      client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+      client_assertion: adoClientSecret,
+      redirect_uri: redirectUri,
+      assertion: token,
+      grant_type: tokenType === "code" /* CODE */ ? "urn:ietf:params:oauth:grant-type:jwt-bearer" : "refresh_token"
+    })
+  });
+  const authResult = await res.json();
+  return AdoAuthResultZ.parse(authResult);
+}
+var AdoSdk = {
+  getAdoApiClient,
+  adoValidateParams,
+  getAdoIsUserCollaborator,
+  getAdoPullRequestStatus,
+  getAdoIsRemoteBranch,
+  getAdoRepoList,
+  getAdoDownloadUrl,
+  getAdoBranchList,
+  createAdoPullRequest,
+  getAdoRepoDefaultBranch,
+  getAdoReferenceData,
+  parseAdoOwnerAndRepo,
+  getAdoBlameRanges,
+  getAdoToken,
+  getAdoTokenType
+};
+
+// src/features/analysis/scm/bitbucket/bitbucket.ts
+import querystring3 from "node:querystring";
+import * as bitbucketPkg from "bitbucket";
+import { z as z10 } from "zod";
+
+// src/features/analysis/scm/scm.ts
+import { Octokit as Octokit2 } from "@octokit/core";
+import { z as z9 } from "zod";
+
+// src/features/analysis/scm/github/encryptSecret.ts
+import sodium from "libsodium-wrappers";
+async function encryptSecret(secret, key) {
+  await sodium.ready;
+  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(secret);
+  const encBytes = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+}
+
+// src/features/analysis/scm/github/github.ts
+import { RequestError } from "@octokit/request-error";
+import { Octokit } from "octokit";
+import { z as z4 } from "zod";
+
+// src/features/analysis/scm/utils/get_issue_type.ts
+var getIssueType = (issueType) => {
+  switch (issueType) {
+    case "SQL_Injection" /* SqlInjection */:
+      return "SQL Injection";
+    case "CMDi_relative_path_command" /* CmDiRelativePathCommand */:
+      return "Relative Path Command Injection";
+    case "CMDi" /* CmDi */:
+      return "Command Injection";
+    case "XXE" /* Xxe */:
+      return "XXE";
+    case "XSS" /* Xss */:
+      return "XSS";
+    case "PT" /* Pt */:
+      return "Path Traversal";
+    case "ZIP_SLIP" /* ZipSlip */:
+      return "Zip Slip";
+    case "INSECURE_RANDOMNESS" /* InsecureRandomness */:
+      return "Insecure Randomness";
+    case "SSRF" /* Ssrf */:
+      return "Server Side Request Forgery";
+    case "TYPE_CONFUSION" /* TypeConfusion */:
+      return "Type Confusion";
+    case "REGEX_INJECTION" /* RegexInjection */:
+      return "Regular Expression Injection";
+    case "INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */:
+      return "Incomplete URL Sanitization";
+    case "LOG_FORGING" /* LogForging */:
+      return "Log Forging";
+    case "LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */:
+      return "Locale Dependent Comparison";
+    case "MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */:
+      return "Missing Check against Null";
+    case "PASSWORD_IN_COMMENT" /* PasswordInComment */:
+      return "Password in Comment";
+    case "OVERLY_BROAD_CATCH" /* OverlyBroadCatch */:
+      return "Poor Error Handling: Overly Broad Catch";
+    case "USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */:
+      return "Use of System.out/System.err";
+    case "DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */:
+      return "Use of dangerous function";
+    case "DOS_STRING_BUILDER" /* DosStringBuilder */:
+      return "Denial of Service: StringBuilder";
+    case "OPEN_REDIRECT" /* OpenRedirect */:
+      return "Open Redirect";
+    case "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */:
+      return "Weak XML Schema: Unbounded Occurrences";
+    case "SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */:
+      return "System Information Leak";
+    case "HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */:
+      return "HTTP response splitting";
+    case "HTTP_ONLY_COOKIE" /* HttpOnlyCookie */:
+      return "Cookie is not HttpOnly";
+    case "INSECURE_COOKIE" /* InsecureCookie */:
+      return "Insecure Cookie";
+    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
+      return "Trust Boundary Violation";
+    case "MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */:
+      return "Missing equals or hashcode method";
+    default: {
+      return issueType ? issueType.replaceAll("_", " ") : "Other";
+    }
+  }
+};
+
+// src/features/analysis/scm/utils/index.ts
+function getFixUrlWithRedirect(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("commit_redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getFixUrl({
+    appBaseUrl,
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}?${searchParams.toString()}`;
+}
+function getFixUrl({
+  appBaseUrl,
+  fixId,
+  projectId,
+  organizationId,
+  analysisId
+}) {
+  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
+}
+function getCommitUrl(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getFixUrl({
+    appBaseUrl,
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}/commit?${searchParams.toString()}`;
+}
+function removeTrailingSlash2(str) {
+  return str.trim().replace(/\/+$/, "");
+}
+
+// src/features/analysis/scm/github/github.ts
+var EnvVariablesZod = z4.object({
+  GITHUB_API_TOKEN: z4.string().optional()
+});
+var { GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
+var GetBlameDocument = `
+      query GetBlame(
+        $owner: String!
+        $repo: String!
+        $ref: String!
+        $path: String!
+      ) {
+        repository(name: $repo, owner: $owner) {
+          # branch name
+          object(expression: $ref) {
+            # cast Target to a Commit
+            ... on Commit {
+              # full repo-relative path to blame file
+              blame(path: $path) {
+                ranges {
+                  commit {
+                    author {
+                      user {
+                        name
+                        login
+                      }
+                    }
+                    authoredDate
+                  }
+                  startingLine
+                  endingLine
+                  age
+                }
+              }
+            }
+            
+          }
+        }
+      }
+    `;
+function getOktoKit(options) {
+  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
+  return new Octokit({ auth: token });
+}
+async function githubValidateParams(url, accessToken) {
+  try {
+    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+    if (accessToken) {
+      await oktoKit.rest.users.getAuthenticated();
+    }
+    if (url) {
+      const { owner, repo } = parseGithubOwnerAndRepo(url);
+      await oktoKit.rest.repos.get({ repo, owner });
+    }
+  } catch (e) {
+    const error = e;
+    const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    if (code === 401 || code === 403) {
+      throw new InvalidAccessTokenError(`invalid github access token`);
+    }
+    if (code === 404) {
+      throw new InvalidRepoUrlError(`invalid github repo Url ${url}`);
+    }
+    throw e;
+  }
+}
+async function getGithubUsername(accessToken) {
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.users.getAuthenticated();
+  return res.data.login;
+}
+async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
+  try {
+    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+    const res = await oktoKit.rest.repos.checkCollaborator({
+      owner,
+      repo,
+      username
+    });
+    if (res.status === 204) {
+      return true;
+    }
+  } catch (e) {
+    return false;
+  }
+  return false;
+}
+async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.pulls.get({
+    owner,
+    repo,
+    pull_number: prNumber
+  });
+  if (res.data.merged) {
+    return "merged";
+  }
+  if (res.data.draft) {
+    return "draft";
+  }
+  return res.data.state;
+}
+async function getGithubIsRemoteBranch(accessToken, repoUrl, branch) {
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  try {
+    const res = await oktoKit.rest.repos.getBranch({
+      owner,
+      repo,
+      branch
+    });
+    return branch === res.data.name;
+  } catch (e) {
+    return false;
+  }
+}
+async function getGithubRepoList(accessToken) {
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  try {
+    const githubRepos = await getRepos(oktoKit);
+    return githubRepos.map(
+      (repo) => {
+        const repoLanguages = [];
+        if (repo.language) {
+          repoLanguages.push(repo.language);
+        }
+        return {
+          repoName: repo.name,
+          repoUrl: repo.html_url,
+          repoOwner: repo.owner.login,
+          repoLanguages,
+          repoIsPublic: !repo.private,
+          repoUpdatedAt: repo.updated_at
+        };
+      }
+    );
+  } catch (e) {
+    if (e instanceof RequestError && e.status === 401) {
+      return [];
+    }
+    if (e instanceof RequestError && e.status === 404) {
+      return [];
+    }
+    throw e;
+  }
+}
+async function getGithubBranchList(accessToken, repoUrl) {
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.repos.listBranches({
+    owner,
+    repo,
+    per_page: 1e3,
+    page: 1
+  });
+  return res.data.map((branch) => branch.name);
+}
+async function createPullRequest(options) {
+  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
+  const res = await oktoKit.rest.pulls.create({
+    owner,
+    repo,
+    title: options.title,
+    body: options.body,
+    head: options.sourceBranchName,
+    base: options.targetBranchName,
+    draft: false,
+    maintainer_can_modify: true
+  });
+  return res.data.number;
+}
+async function forkRepo(options) {
+  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
+  const res = await oktoKit.rest.repos.createFork({
+    owner,
+    repo,
+    default_branch_only: false
+  });
+  return { url: res.data.html_url ? String(res.data.html_url) : null };
+}
+async function getRepos(oktoKit) {
+  const res = await oktoKit.request("GET /user/repos?sort=updated", {
+    headers: {
+      "X-GitHub-Api-Version": "2022-11-28",
+      per_page: 100
+    }
+  });
+  return res.data;
+}
+async function getGithubRepoDefaultBranch(repoUrl, options) {
+  const oktoKit = getOktoKit(options);
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+  return (await oktoKit.rest.repos.get({ repo, owner })).data.default_branch;
+}
+async function getGithubReferenceData({ ref, gitHubUrl }, options) {
+  const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
+  let res;
+  try {
+    const oktoKit = getOktoKit(options);
+    res = await Promise.any([
+      getBranch({ owner, repo, branch: ref }, oktoKit).then((result) => ({
+        date: result.data.commit.commit.committer?.date ? new Date(result.data.commit.commit.committer?.date) : void 0,
+        type: "BRANCH" /* BRANCH */,
+        sha: result.data.commit.sha
+      })),
+      getCommit({ commitSha: ref, repo, owner }, oktoKit).then((commit) => ({
+        date: new Date(commit.data.committer.date),
+        type: "COMMIT" /* COMMIT */,
+        sha: commit.data.sha
+      })),
+      getTagDate({ owner, repo, tag: ref }, oktoKit).then((data) => ({
+        date: new Date(data.date),
+        type: "TAG" /* TAG */,
+        sha: data.sha
+      }))
+    ]);
+    return res;
+  } catch (e) {
+    if (e instanceof AggregateError) {
+      throw new RefNotFoundError(`ref: ${ref} does not exist`);
+    }
+    throw e;
+  }
+}
+async function getBranch({ branch, owner, repo }, oktoKit) {
+  return oktoKit.rest.repos.getBranch({
+    branch,
+    owner,
+    repo
+  });
+}
+async function getTagDate({ tag, owner, repo }, oktoKit) {
+  const refResponse = await oktoKit.rest.git.getRef({
+    ref: `tags/${tag}`,
     owner,
     repo
   });
@@ -1347,7 +2047,7 @@ async function getCommit({
   });
 }
 function parseGithubOwnerAndRepo(gitHubUrl) {
-  gitHubUrl = removeTrailingSlash(gitHubUrl);
+  gitHubUrl = removeTrailingSlash2(gitHubUrl);
   const parsingResult = parseScmURL(gitHubUrl, "GitHub" /* GitHub */);
   if (!parsingResult || parsingResult.hostname !== "github.com") {
     throw new InvalidUrlPatternError(`invalid github repo Url ${gitHubUrl}`);
@@ -1551,30 +2251,30 @@ function deleteGeneralPrComment(client, params) {
 }
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-import querystring from "node:querystring";
+import querystring2 from "node:querystring";
 import {
   Gitlab
 } from "@gitbeaker/rest";
 import { ProxyAgent } from "undici";
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 
 // src/features/analysis/scm/gitlab/types.ts
-import { z as z4 } from "zod";
-var GitlabAuthResultZ = z4.object({
-  access_token: z4.string(),
-  token_type: z4.string(),
-  refresh_token: z4.string()
+import { z as z5 } from "zod";
+var GitlabAuthResultZ = z5.object({
+  access_token: z5.string(),
+  token_type: z5.string(),
+  refresh_token: z5.string()
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-var EnvVariablesZod2 = z5.object({
-  GITLAB_API_TOKEN: z5.string().optional(),
-  BROKERED_HOSTS: z5.string().toLowerCase().transform(
+var EnvVariablesZod2 = z6.object({
+  GITLAB_API_TOKEN: z6.string().optional(),
+  BROKERED_HOSTS: z6.string().toLowerCase().transform(
     (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
   ).default("")
 });
 var { GITLAB_API_TOKEN, BROKERED_HOSTS } = EnvVariablesZod2.parse(process.env);
-function removeTrailingSlash2(str) {
+function removeTrailingSlash3(str) {
   return str.trim().replace(/\/+$/, "");
 }
 function getGitBeaker(options) {
@@ -1634,6 +2334,11 @@ async function getGitlabIsUserCollaborator({
     return false;
   }
 }
+var gitlabMergeRequestStatus = {
+  merged: "merged",
+  opened: "opened",
+  closed: "closed"
+};
 async function getGitlabMergeRequestStatus({
   accessToken,
   repoUrl,
@@ -1643,9 +2348,9 @@ async function getGitlabMergeRequestStatus({
   const api2 = getGitBeaker({ url: repoUrl, gitlabAuthToken: accessToken });
   const res = await api2.MergeRequests.show(projectPath, mrNumber);
   switch (res.state) {
-    case "merged" /* merged */:
-    case "opened" /* opened */:
-    case "closed" /* closed */:
+    case gitlabMergeRequestStatus.merged:
+    case gitlabMergeRequestStatus.opened:
+    case gitlabMergeRequestStatus.closed:
       return res.state;
     default:
       throw new Error(`unknown merge request state ${res.state}`);
@@ -1798,7 +2503,7 @@ async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
   throw new RefNotFoundError(`ref: ${ref} does not exist`);
 }
 function parseGitlabOwnerAndRepo(gitlabUrl) {
-  gitlabUrl = removeTrailingSlash2(gitlabUrl);
+  gitlabUrl = removeTrailingSlash3(gitlabUrl);
   const parsingResult = parseScmURL(gitlabUrl, "GitLab" /* GitLab */);
   if (!parsingResult || !parsingResult.repoName) {
     throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
@@ -1864,84 +2569,84 @@ import parseDiff from "parse-diff";
 import path3 from "path";
 import { simpleGit as simpleGit2 } from "simple-git";
 import tmp from "tmp";
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 
 // src/features/analysis/scm/scmSubmit/types.ts
-import { z as z6 } from "zod";
-var BaseSubmitToScmMessageZ = z6.object({
-  submitFixRequestId: z6.string().uuid(),
-  fixes: z6.array(
-    z6.object({
-      fixId: z6.string().uuid(),
-      diff: z6.string()
+import { z as z7 } from "zod";
+var BaseSubmitToScmMessageZ = z7.object({
+  submitFixRequestId: z7.string().uuid(),
+  fixes: z7.array(
+    z7.object({
+      fixId: z7.string().uuid(),
+      diff: z7.string()
     })
   ),
-  commitHash: z6.string(),
-  repoUrl: z6.string()
+  commitHash: z7.string(),
+  repoUrl: z7.string()
 });
 var submitToScmMessageType = {
   commitToSameBranch: "commitToSameBranch",
   submitFixesForDifferentBranch: "submitFixesForDifferentBranch"
 };
 var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
-  z6.object({
-    type: z6.literal(submitToScmMessageType.commitToSameBranch),
-    branch: z6.string(),
-    commitMessage: z6.string(),
-    commitDescription: z6.string().nullish(),
-    githubCommentId: z6.number().nullish()
+  z7.object({
+    type: z7.literal(submitToScmMessageType.commitToSameBranch),
+    branch: z7.string(),
+    commitMessage: z7.string(),
+    commitDescription: z7.string().nullish(),
+    githubCommentId: z7.number().nullish()
   })
 );
-var SubmitFixesToDifferentBranchParamsZ = z6.object({
-  type: z6.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  submitBranch: z6.string(),
-  baseBranch: z6.string()
+var SubmitFixesToDifferentBranchParamsZ = z7.object({
+  type: z7.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  submitBranch: z7.string(),
+  baseBranch: z7.string()
 }).merge(BaseSubmitToScmMessageZ);
-var SubmitFixesMessageZ = z6.union([
+var SubmitFixesMessageZ = z7.union([
   CommitToSameBranchParamsZ,
   SubmitFixesToDifferentBranchParamsZ
 ]);
-var FixResponseArrayZ = z6.array(
-  z6.object({
-    fixId: z6.string().uuid()
+var FixResponseArrayZ = z7.array(
+  z7.object({
+    fixId: z7.string().uuid()
   })
 );
-var SubmitFixesBaseResponseMessageZ = z6.object({
-  submitFixRequestId: z6.string().uuid(),
-  submitBranches: z6.array(
-    z6.object({
-      branchName: z6.string(),
+var SubmitFixesBaseResponseMessageZ = z7.object({
+  submitFixRequestId: z7.string().uuid(),
+  submitBranches: z7.array(
+    z7.object({
+      branchName: z7.string(),
       fixes: FixResponseArrayZ
     })
   ),
-  error: z6.object({
-    type: z6.enum([
+  error: z7.object({
+    type: z7.enum([
       "InitialRepoAccessError",
       "PushBranchError",
       "UnknownError"
     ]),
-    info: z6.object({
-      message: z6.string(),
-      pushBranchName: z6.string().optional()
+    info: z7.object({
+      message: z7.string(),
+      pushBranchName: z7.string().optional()
     })
   }).optional()
 });
-var SubmitFixesToSameBranchResponseMessageZ = z6.object({
-  type: z6.literal(submitToScmMessageType.commitToSameBranch),
-  githubCommentId: z6.number().nullish()
+var SubmitFixesToSameBranchResponseMessageZ = z7.object({
+  type: z7.literal(submitToScmMessageType.commitToSameBranch),
+  githubCommentId: z7.number().nullish()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesToDifferentBranchResponseMessageZ = z6.object({
-  type: z6.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  githubCommentId: z6.number().optional()
+var SubmitFixesToDifferentBranchResponseMessageZ = z7.object({
+  type: z7.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  githubCommentId: z7.number().optional()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesResponseMessageZ = z6.discriminatedUnion("type", [
+var SubmitFixesResponseMessageZ = z7.discriminatedUnion("type", [
   SubmitFixesToSameBranchResponseMessageZ,
   SubmitFixesToDifferentBranchResponseMessageZ
 ]);
 
 // src/features/analysis/scm/scmSubmit/index.ts
-var EnvVariablesZod3 = z7.object({
-  BROKERED_HOSTS: z7.string().toLowerCase().transform(
+var EnvVariablesZod3 = z8.object({
+  BROKERED_HOSTS: z8.string().toLowerCase().transform(
     (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
   ).default("")
 });
@@ -1958,49 +2663,59 @@ var isValidBranchName = async (branchName) => {
     return false;
   }
 };
-var FixesZ = z7.array(z7.object({ fixId: z7.string(), diff: z7.string() })).nonempty();
+var FixesZ = z8.array(z8.object({ fixId: z8.string(), diff: z8.string() })).nonempty();
 
 // src/features/analysis/scm/scm.ts
+var GetRefererenceResultZ = z9.object({
+  date: z9.date().optional(),
+  sha: z9.string(),
+  type: z9.nativeEnum(ReferenceType)
+});
 function getCloudScmLibTypeFromUrl(url) {
   if (!url) {
     return void 0;
   }
   const urlObject = new URL(url);
   const hostname = urlObject.hostname.toLowerCase();
-  if (hostname === "gitlab.com") {
+  if (hostname === scmCloudHostname.GitLab) {
     return "GITLAB" /* GITLAB */;
   }
-  if (hostname === "github.com") {
+  if (hostname === scmCloudHostname.GitHub) {
     return "GITHUB" /* GITHUB */;
   }
-  if (hostname === "dev.azure.com" || hostname.endsWith(".visualstudio.com")) {
+  if (hostname === scmCloudHostname.Ado || hostname.endsWith(".visualstudio.com")) {
     return "ADO" /* ADO */;
   }
+  if (hostname === scmCloudHostname.Bitbucket) {
+    return "BITBUCKET" /* BITBUCKET */;
+  }
   return void 0;
 }
+var scmCloudHostname = {
+  GitLab: new URL(scmCloudUrl.GitLab).hostname,
+  GitHub: new URL(scmCloudUrl.GitHub).hostname,
+  Ado: new URL(scmCloudUrl.Ado).hostname,
+  Bitbucket: new URL(scmCloudUrl.Bitbucket).hostname
+};
+var scmLibScmTypeToScmType = {
+  ["GITLAB" /* GITLAB */]: "GitLab" /* GitLab */,
+  ["GITHUB" /* GITHUB */]: "GitHub" /* GitHub */,
+  ["ADO" /* ADO */]: "Ado" /* Ado */,
+  ["BITBUCKET" /* BITBUCKET */]: "Bitbucket" /* Bitbucket */
+};
+var scmTypeToScmLibScmType = {
+  ["GitLab" /* GitLab */]: "GITLAB" /* GITLAB */,
+  ["GitHub" /* GitHub */]: "GITHUB" /* GITHUB */,
+  ["Ado" /* Ado */]: "ADO" /* ADO */,
+  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
+};
 function getScmTypeFromScmLibType(scmLibType) {
-  if (scmLibType === "GITLAB" /* GITLAB */) {
-    return "GitLab" /* GitLab */;
-  }
-  if (scmLibType === "GITHUB" /* GITHUB */) {
-    return "GitHub" /* GitHub */;
-  }
-  if (scmLibType === "ADO" /* ADO */) {
-    return "Ado" /* Ado */;
-  }
-  throw new Error(`unknown scm lib type: ${scmLibType}`);
+  const parsedScmLibType = z9.nativeEnum(ScmLibScmType).parse(scmLibType);
+  return scmLibScmTypeToScmType[parsedScmLibType];
 }
 function getScmLibTypeFromScmType(scmType) {
-  if (scmType === "GitLab" /* GitLab */) {
-    return "GITLAB" /* GITLAB */;
-  }
-  if (scmType === "GitHub" /* GitHub */) {
-    return "GITHUB" /* GITHUB */;
-  }
-  if (scmType === "Ado" /* Ado */) {
-    return "ADO" /* ADO */;
-  }
-  throw new Error(`unknown scm type: ${scmType}`);
+  const parsedScmType = z9.nativeEnum(ScmType).parse(scmType);
+  return scmTypeToScmLibScmType[parsedScmType];
 }
 function getScmConfig({
   url,
@@ -2096,6 +2811,19 @@ var RepoNoTokenAccessError = class extends Error {
     super(m);
   }
 };
+function buildAuthrizedRepoUrl(args) {
+  const { url, username, password } = args;
+  const is_http = url.toLowerCase().startsWith("http://");
+  const is_https = url.toLowerCase().startsWith("https://");
+  if (is_http) {
+    return `http://${username}:${password}@${url.toLowerCase().replace("http://", "")}`;
+  } else if (is_https) {
+    return `https://${username}:${password}@${url.toLowerCase().replace("https://", "")}`;
+  } else {
+    console.error(`invalid scm url ${url}`);
+    throw new Error(`invalid scm url ${url}`);
+  }
+}
 var SCMLib = class {
   constructor(url, accessToken, scmOrg) {
     __publicField(this, "url");
@@ -2111,24 +2839,45 @@ var SCMLib = class {
       throw new Error("no url");
     }
     const trimmedUrl = this.url.trim().replace(/\/$/, "");
-    if (!this.accessToken) {
+    const accessToken = this.getAccessToken();
+    if (!accessToken) {
       return trimmedUrl;
     }
+    console.log(
+      "this instanceof BitbucketSCMLib",
+      this instanceof BitbucketSCMLib
+    );
     const scmLibType = this.getScmLibType();
     if (scmLibType === "ADO" /* ADO */) {
-      return `https://${this.accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
+      return `https://${accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
     }
-    const is_http = trimmedUrl.toLowerCase().startsWith("http://");
-    const is_https = trimmedUrl.toLowerCase().startsWith("https://");
-    const username = await this._getUsernameForAuthUrl();
-    if (is_http) {
-      return `http://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("http://", "")}`;
-    } else if (is_https) {
-      return `https://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
-    } else {
-      console.error(`invalid scm url ${trimmedUrl}`);
-      throw new Error(`invalid scm url ${trimmedUrl}`);
+    if (this instanceof BitbucketSCMLib) {
+      const authData = this.getAuthData();
+      switch (authData.authType) {
+        case "public": {
+          return trimmedUrl;
+        }
+        case "token": {
+          const { token } = authData;
+          const username2 = await this._getUsernameForAuthUrl();
+          return buildAuthrizedRepoUrl({
+            url: trimmedUrl,
+            username: username2,
+            password: token
+          });
+        }
+        case "basic": {
+          const { username: username2, password } = authData;
+          return buildAuthrizedRepoUrl({ url: trimmedUrl, username: username2, password });
+        }
+      }
     }
+    const username = await this._getUsernameForAuthUrl();
+    return buildAuthrizedRepoUrl({
+      url: trimmedUrl,
+      username,
+      password: accessToken
+    });
   }
   getAccessToken() {
     return this.accessToken || "";
@@ -2142,6 +2891,12 @@ var SCMLib = class {
     }
     return this.url.split("/").at(-1) || "";
   }
+  _validateToken() {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+  }
   static async getIsValidBranchName(branchName) {
     return isValidBranchName(branchName);
   }
@@ -2156,20 +2911,27 @@ var SCMLib = class {
       trimmedUrl = url.trim().replace(/\/$/, "").replace(/.git$/i, "");
     }
     try {
-      if ("GITHUB" /* GITHUB */ === scmType) {
-        const scm = new GithubSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
-      }
-      if ("GITLAB" /* GITLAB */ === scmType) {
-        const scm = new GitlabSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
-      }
-      if ("ADO" /* ADO */ === scmType) {
-        const scm = new AdoSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
+      switch (scmType) {
+        case "GITHUB" /* GITHUB */: {
+          const scm = new GithubSCMLib(trimmedUrl, accessToken, scmOrg);
+          await scm.validateParams();
+          return scm;
+        }
+        case "GITLAB" /* GITLAB */: {
+          const scm = new GitlabSCMLib(trimmedUrl, accessToken, scmOrg);
+          await scm.validateParams();
+          return scm;
+        }
+        case "ADO" /* ADO */: {
+          const scm = new AdoSCMLib(trimmedUrl, accessToken, scmOrg);
+          await scm.validateParams();
+          return scm;
+        }
+        case "BITBUCKET" /* BITBUCKET */: {
+          const scm = new BitbucketSCMLib(trimmedUrl, accessToken, scmOrg);
+          await scm.validateParams();
+          return scm;
+        }
       }
     } catch (e) {
       if (e instanceof InvalidRepoUrlError && url) {
@@ -2180,36 +2942,24 @@ var SCMLib = class {
   }
   _validateAccessTokenAndUrl() {
     if (!this.accessToken) {
+      console.error("no access token");
       throw new InvalidAccessTokenError("no access token");
     }
+    this._validateUrl();
+  }
+  _validateUrl() {
     if (!this.url) {
+      console.error("no url");
       throw new InvalidRepoUrlError("no url");
     }
   }
 };
 var AdoSCMLib = class extends SCMLib {
-  updatePrComment(_params, _oktokit) {
-    throw new Error("updatePrComment not implemented.");
-  }
-  getPrComment(_commentId) {
-    throw new Error("getPrComment not implemented.");
-  }
-  async forkRepo() {
-    throw new Error("forkRepo not supported yet");
-  }
-  async createOrUpdateRepositorySecret() {
-    throw new Error("createOrUpdateRepositorySecret not supported yet");
-  }
-  async createPullRequestWithNewFile(_sourceRepoUrl, _filesPaths, _userRepoUrl, _title, _body) {
-    throw new Error("createPullRequestWithNewFile not supported yet");
-  }
-  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+  async createSubmitRequest(params) {
+    this._validateAccessTokenAndUrl();
+    const { targetBranchName, sourceBranchName, title, body } = params;
     return String(
-      await createAdoPullRequest({
+      await AdoSdk.createAdoPullRequest({
         title,
         body,
         targetBranchName,
@@ -2221,7 +2971,7 @@ var AdoSCMLib = class extends SCMLib {
     );
   }
   async validateParams() {
-    return adoValidateParams({
+    return AdoSdk.adoValidateParams({
       url: this.url,
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg
@@ -2232,18 +2982,15 @@ var AdoSCMLib = class extends SCMLib {
       console.error("no access token");
       throw new Error("no access token");
     }
-    return getAdoRepoList({
+    return AdoSdk.getAdoRepoList({
       orgName: scmOrg,
       tokenOrg: this.scmOrg,
       accessToken: this.accessToken
     });
   }
   async getBranchList() {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
-    return getAdoBranchList({
+    this._validateAccessTokenAndUrl();
+    return AdoSdk.getAdoBranchList({
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg,
       repoUrl: this.url
@@ -2254,7 +3001,7 @@ var AdoSCMLib = class extends SCMLib {
   }
   getAuthHeaders() {
     if (this.accessToken) {
-      if (getAdoTokenType(this.accessToken) === "OAUTH" /* OAUTH */) {
+      if (AdoSdk.getAdoTokenType(this.accessToken) === "OAUTH" /* OAUTH */) {
         return {
           authorization: `Bearer ${this.accessToken}`
         };
@@ -2269,21 +3016,17 @@ var AdoSCMLib = class extends SCMLib {
     return {};
   }
   getDownloadUrl(sha) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
-    return getAdoDownloadUrl({ repoUrl: this.url, branch: sha });
+    this._validateUrl();
+    return Promise.resolve(
+      AdoSdk.getAdoDownloadUrl({ repoUrl: this.url, branch: sha })
+    );
   }
   async _getUsernameForAuthUrl() {
     throw new Error("_getUsernameForAuthUrl() is not relevant for ADO");
   }
   async getIsRemoteBranch(branch) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
-    return getAdoIsRemoteBranch({
+    this._validateAccessTokenAndUrl();
+    return AdoSdk.getAdoIsRemoteBranch({
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg,
       repoUrl: this.url,
@@ -2291,11 +3034,8 @@ var AdoSCMLib = class extends SCMLib {
     });
   }
   async getUserHasAccessToRepo() {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
-    return getAdoIsUserCollaborator({
+    this._validateAccessTokenAndUrl();
+    return AdoSdk.getAdoIsUserCollaborator({
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg,
       repoUrl: this.url
@@ -2305,11 +3045,8 @@ var AdoSCMLib = class extends SCMLib {
     throw new Error("getUsername() is not relevant for ADO");
   }
   async getSubmitRequestStatus(scmSubmitRequestId) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
-    const state = await getAdoPullRequestStatus({
+    this._validateAccessTokenAndUrl();
+    const state = await AdoSdk.getAdoPullRequestStatus({
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg,
       repoUrl: this.url,
@@ -2317,24 +3054,21 @@ var AdoSCMLib = class extends SCMLib {
     });
     switch (state) {
       case "completed" /* completed */:
-        return "MERGED" /* MERGED */;
+        return "merged";
       case "active" /* active */:
-        return "OPEN" /* OPEN */;
+        return "open";
       case "abandoned" /* abandoned */:
-        return "CLOSED" /* CLOSED */;
+        return "closed";
       default:
         throw new Error(`unknown state ${state}`);
     }
   }
   async getRepoBlameRanges(_ref, _path) {
-    return await getAdoBlameRanges();
+    return await AdoSdk.getAdoBlameRanges();
   }
   async getReferenceData(ref) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
-    return await getAdoReferenceData({
+    this._validateUrl();
+    return await AdoSdk.getAdoReferenceData({
       ref,
       repoUrl: this.url,
       accessToken: this.accessToken,
@@ -2342,11 +3076,8 @@ var AdoSCMLib = class extends SCMLib {
     });
   }
   async getRepoDefaultBranch() {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
-    return await getAdoRepoDefaultBranch({
+    this._validateUrl();
+    return await AdoSdk.getAdoRepoDefaultBranch({
       repoUrl: this.url,
       tokenOrg: this.scmOrg,
       accessToken: this.accessToken
@@ -2356,22 +3087,11 @@ var AdoSCMLib = class extends SCMLib {
     this._validateAccessTokenAndUrl();
     return Promise.resolve(getAdoPrUrl({ prNumber, url: this.url }));
   }
-  postGeneralPrComment() {
-    throw new Error("Method not implemented.");
-  }
-  getGeneralPrComments() {
-    throw new Error("Method not implemented.");
-  }
-  deleteGeneralPrComment() {
-    throw new Error("Method not implemented.");
-  }
 };
 var GitlabSCMLib = class extends SCMLib {
-  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+  async createSubmitRequest(params) {
+    this._validateAccessTokenAndUrl();
+    const { targetBranchName, sourceBranchName, title, body } = params;
     return String(
       await createMergeRequest({
         title,
@@ -2389,23 +3109,6 @@ var GitlabSCMLib = class extends SCMLib {
       accessToken: this.accessToken
     });
   }
-  async forkRepo() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
-    throw new Error("not supported yet");
-  }
-  async createOrUpdateRepositorySecret() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
-    throw new Error("not supported yet");
-  }
-  async createPullRequestWithNewFile(_sourceRepoUrl, _filesPaths, _userRepoUrl, _title, _body) {
-    throw new Error("not implemented");
-  }
   async getRepoList(_scmOrg) {
     if (!this.accessToken) {
       console.error("no access token");
@@ -2414,10 +3117,7 @@ var GitlabSCMLib = class extends SCMLib {
     return getGitlabRepoList(this.url, this.accessToken);
   }
   async getBranchList() {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
     return getGitlabBranchList({
       accessToken: this.accessToken,
       repoUrl: this.url
@@ -2438,7 +3138,9 @@ var GitlabSCMLib = class extends SCMLib {
   getDownloadUrl(sha) {
     const urlSplit = this.url?.split("/") || [];
     const repoName = urlSplit[urlSplit?.length - 1];
-    return `${this.url}/-/archive/${sha}/${repoName}-${sha}.zip`;
+    return Promise.resolve(
+      `${this.url}/-/archive/${sha}/${repoName}-${sha}.zip`
+    );
   }
   async _getUsernameForAuthUrl() {
     if (this?.accessToken?.startsWith("glpat-")) {
@@ -2448,10 +3150,7 @@ var GitlabSCMLib = class extends SCMLib {
     }
   }
   async getIsRemoteBranch(branch) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
     return getGitlabIsRemoteBranch({
       accessToken: this.accessToken,
       repoUrl: this.url,
@@ -2459,10 +3158,7 @@ var GitlabSCMLib = class extends SCMLib {
     });
   }
   async getUserHasAccessToRepo() {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
     const username = await this.getUsername();
     return getGitlabIsUserCollaborator({
       username,
@@ -2471,38 +3167,29 @@ var GitlabSCMLib = class extends SCMLib {
     });
   }
   async getUsername() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
-    return getGitlabUsername(this.url, this.accessToken);
-  }
-  async getSubmitRequestStatus(scmSubmitRequestId) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
+    return getGitlabUsername(this.url, this.accessToken);
+  }
+  async getSubmitRequestStatus(scmSubmitRequestId) {
+    this._validateAccessTokenAndUrl();
     const state = await getGitlabMergeRequestStatus({
       accessToken: this.accessToken,
       repoUrl: this.url,
       mrNumber: Number(scmSubmitRequestId)
     });
     switch (state) {
-      case "merged" /* merged */:
-        return "MERGED" /* MERGED */;
-      case "opened" /* opened */:
-        return "OPEN" /* OPEN */;
-      case "closed" /* closed */:
-        return "CLOSED" /* CLOSED */;
+      case gitlabMergeRequestStatus.merged:
+        return "merged";
+      case gitlabMergeRequestStatus.opened:
+        return "open";
+      case gitlabMergeRequestStatus.closed:
+        return "closed";
       default:
         throw new Error(`unknown state ${state}`);
     }
   }
   async getRepoBlameRanges(ref, path9) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGitlabBlameRanges(
       { ref, path: path9, gitlabUrl: this.url },
       {
@@ -2512,10 +3199,7 @@ var GitlabSCMLib = class extends SCMLib {
     );
   }
   async getReferenceData(ref) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGitlabReferenceData(
       { ref, gitlabUrl: this.url },
       {
@@ -2525,21 +3209,12 @@ var GitlabSCMLib = class extends SCMLib {
     );
   }
   async getRepoDefaultBranch() {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGitlabRepoDefaultBranch(this.url, {
       url: this.url,
       gitlabAuthToken: this.accessToken
     });
   }
-  getPrComment(_commentId) {
-    throw new Error("getPrComment not implemented.");
-  }
-  updatePrComment(_params, _oktokit) {
-    throw new Error("updatePrComment not implemented.");
-  }
   async getPrUrl(prNumber) {
     this._validateAccessTokenAndUrl();
     const res = await getGitlabMergeRequest({
@@ -2549,15 +3224,6 @@ var GitlabSCMLib = class extends SCMLib {
     });
     return res.web_url;
   }
-  postGeneralPrComment() {
-    throw new Error("Method not implemented.");
-  }
-  getGeneralPrComments() {
-    throw new Error("Method not implemented.");
-  }
-  deleteGeneralPrComment() {
-    throw new Error("Method not implemented.");
-  }
 };
 var GithubSCMLib = class extends SCMLib {
   // we don't always need a url, what's important is that we have an access token
@@ -2566,11 +3232,9 @@ var GithubSCMLib = class extends SCMLib {
     __publicField(this, "oktokit");
     this.oktokit = new Octokit2({ auth: accessToken });
   }
-  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+  async createSubmitRequest(params) {
+    this._validateAccessTokenAndUrl();
+    const { targetBranchName, sourceBranchName, title, body } = params;
     return String(
       await createPullRequest({
         title,
@@ -2583,10 +3247,7 @@ var GithubSCMLib = class extends SCMLib {
     );
   }
   async forkRepo(repoUrl) {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
+    this._validateToken();
     return forkRepo({
       repoUrl,
       accessToken: this.accessToken
@@ -2692,7 +3353,7 @@ var GithubSCMLib = class extends SCMLib {
       owner,
       repo
     });
-    return z8.string().parse(prRes.data);
+    return z9.string().parse(prRes.data);
   }
   async getRepoList(_scmOrg) {
     if (!this.accessToken) {
@@ -2702,10 +3363,7 @@ var GithubSCMLib = class extends SCMLib {
     return getGithubRepoList(this.accessToken);
   }
   async getBranchList() {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
     return getGithubBranchList(this.accessToken, this.url);
   }
   getScmLibType() {
@@ -2718,16 +3376,13 @@ var GithubSCMLib = class extends SCMLib {
     return {};
   }
   getDownloadUrl(sha) {
-    return `${this.url}/zipball/${sha}`;
+    return Promise.resolve(`${this.url}/zipball/${sha}`);
   }
   async _getUsernameForAuthUrl() {
     return this.getUsername();
   }
   async getIsRemoteBranch(branch) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
+    this._validateAccessTokenAndUrl();
     return getGithubIsRemoteBranch(this.accessToken, this.url, branch);
   }
   async getUserHasAccessToRepo() {
@@ -2755,25 +3410,10 @@ var GithubSCMLib = class extends SCMLib {
       this.url,
       Number(scmSubmitRequestId)
     );
-    if (state === "merged") {
-      return "MERGED" /* MERGED */;
-    }
-    if (state === "open") {
-      return "OPEN" /* OPEN */;
-    }
-    if (state === "draft") {
-      return "DRAFT" /* DRAFT */;
-    }
-    if (state === "closed") {
-      return "CLOSED" /* CLOSED */;
-    }
-    throw new Error(`unknown state ${state}`);
+    return state;
   }
   async getRepoBlameRanges(ref, path9) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGithubBlameRanges(
       { ref, path: path9, gitHubUrl: this.url },
       {
@@ -2782,10 +3422,7 @@ var GithubSCMLib = class extends SCMLib {
     );
   }
   async getReferenceData(ref) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGithubReferenceData(
       { ref, gitHubUrl: this.url },
       {
@@ -2794,10 +3431,7 @@ var GithubSCMLib = class extends SCMLib {
     );
   }
   async getPrComment(commentId) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return await getPrComment(this.oktokit, {
       repo,
@@ -2806,10 +3440,7 @@ var GithubSCMLib = class extends SCMLib {
     });
   }
   async getRepoDefaultBranch() {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     return await getGithubRepoDefaultBranch(this.url, {
       githubAuthToken: this.accessToken
     });
@@ -2829,10 +3460,7 @@ var GithubSCMLib = class extends SCMLib {
   }
   async postGeneralPrComment(params, auth) {
     const { prNumber, body } = params;
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     const oktoKit = auth ? new Octokit2({ auth: auth.authToken }) : this.oktokit;
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return await postGeneralPrComment(oktoKit, {
@@ -2844,10 +3472,7 @@ var GithubSCMLib = class extends SCMLib {
   }
   async getGeneralPrComments(params, auth) {
     const { prNumber } = params;
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     const oktoKit = auth ? new Octokit2({ auth: auth.authToken }) : this.oktokit;
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return await getGeneralPrComments(oktoKit, {
@@ -2857,10 +3482,7 @@ var GithubSCMLib = class extends SCMLib {
     });
   }
   async deleteGeneralPrComment({ commentId }, auth) {
-    if (!this.url) {
-      console.error("no url");
-      throw new Error("no url");
-    }
+    this._validateUrl();
     const oktoKit = auth ? new Octokit2({ auth: auth.authToken }) : this.oktokit;
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return deleteGeneralPrComment(oktoKit, {
@@ -2871,7 +3493,7 @@ var GithubSCMLib = class extends SCMLib {
   }
 };
 var StubSCMLib = class extends SCMLib {
-  async createSubmitRequest(_targetBranchName, _sourceBranchName, _title, _body) {
+  async createSubmitRequest(_params) {
     console.error("createSubmitRequest() not implemented");
     throw new Error("createSubmitRequest() not implemented");
   }
@@ -2887,10 +3509,6 @@ var StubSCMLib = class extends SCMLib {
     console.error("getDownloadUrl() not implemented");
     throw new Error("getDownloadUrl() not implemented");
   }
-  async _getUsernameForAuthUrl() {
-    console.error("_getUsernameForAuthUrl() not implemented");
-    throw new Error("_getUsernameForAuthUrl() not implemented");
-  }
   async getIsRemoteBranch(_branch) {
     console.error("getIsRemoteBranch() not implemented");
     throw new Error("getIsRemoteBranch() not implemented");
@@ -2899,18 +3517,6 @@ var StubSCMLib = class extends SCMLib {
     console.error("validateParams() not implemented");
     throw new Error("validateParams() not implemented");
   }
-  async forkRepo() {
-    console.error("forkRepo() not implemented");
-    throw new Error("forkRepo() not implemented");
-  }
-  async createOrUpdateRepositorySecret() {
-    console.error("forkRepo() not implemented");
-    throw new Error("forkRepo() not implemented");
-  }
-  async createPullRequestWithNewFile(_sourceRepoUrl, _filesPaths, _userRepoUrl, _title, _body) {
-    console.error("createPullRequestWithNewFile() not implemented");
-    throw new Error("createPullRequestWithNewFile() not implemented");
-  }
   async getRepoList(_scmOrg) {
     console.error("getRepoList() not implemented");
     throw new Error("getRepoList() not implemented");
@@ -2943,607 +3549,496 @@ var StubSCMLib = class extends SCMLib {
     console.error("getRepoDefaultBranch() not implemented");
     throw new Error("getRepoDefaultBranch() not implemented");
   }
-  async getPrComment(_commentId) {
-    console.error("getPrComment() not implemented");
-    throw new Error("getPrComment() not implemented");
-  }
-  async updatePrComment() {
-    console.error("updatePrComment() not implemented");
-    throw new Error("updatePrComment() not implemented");
-  }
   async getPrUrl(_prNumber) {
     console.error("getPr() not implemented");
     throw new Error("getPr() not implemented");
   }
-  postGeneralPrComment() {
-    throw new Error("Method not implemented.");
-  }
-  getGeneralPrComments() {
-    throw new Error("Method not implemented.");
-  }
-  deleteGeneralPrComment() {
+  _getUsernameForAuthUrl() {
     throw new Error("Method not implemented.");
   }
 };
-
-// src/features/analysis/scm/ado.ts
-function removeTrailingSlash3(str) {
-  return str.trim().replace(/\/+$/, "");
-}
-async function _getOrgsForOauthToken({ oauthToken }) {
-  const profileZ = z9.object({
-    displayName: z9.string(),
-    publicAlias: z9.string().min(1),
-    emailAddress: z9.string(),
-    coreRevision: z9.number(),
-    timeStamp: z9.string(),
-    id: z9.string(),
-    revision: z9.number()
-  });
-  const accountsZ = z9.object({
-    count: z9.number(),
-    value: z9.array(
-      z9.object({
-        accountId: z9.string(),
-        accountUri: z9.string(),
-        accountName: z9.string()
-      })
-    )
-  });
-  const profileRes = await fetch(
-    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0",
-    {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${oauthToken}`
-      }
-    }
-  );
-  const profileJson = await profileRes.json();
-  const profile = profileZ.parse(profileJson);
-  const accountsRes = await fetch(
-    `https://app.vssps.visualstudio.com/_apis/accounts?memberId=${profile.publicAlias}&api-version=6.0`,
-    {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${oauthToken}`
-      }
-    }
-  );
-  const accountsJson = await accountsRes.json();
-  const accounts = accountsZ.parse(accountsJson);
-  const orgs = accounts.value.map((account) => account.accountName).filter((value, index, array) => array.indexOf(value) === index);
-  return orgs;
-}
-function _getPublicAdoClient({ orgName }) {
-  const orgUrl = `https://dev.azure.com/${orgName}`;
-  const authHandler = api.getPersonalAccessTokenHandler("");
-  authHandler.canHandleAuthentication = () => false;
-  authHandler.prepareRequest = (_options) => {
-    return;
+function getUserAndPassword(token) {
+  const [username, password] = token.split(":");
+  const safePasswordAndUsername = z9.object({ username: z9.string(), password: z9.string() }).parse({ username, password });
+  return {
+    username: safePasswordAndUsername.username,
+    password: safePasswordAndUsername.password
   };
-  const connection = new api.WebApi(orgUrl, authHandler);
-  return connection;
-}
-function getAdoTokenType(token) {
-  if (token.includes(".")) {
-    return "OAUTH" /* OAUTH */;
-  }
-  return "PAT" /* PAT */;
 }
-async function getAdoApiClient({
-  accessToken,
-  tokenOrg,
-  orgName
-}) {
-  if (!accessToken || tokenOrg && tokenOrg !== orgName) {
-    return _getPublicAdoClient({ orgName });
-  }
-  const orgUrl = `https://dev.azure.com/${orgName}`;
-  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-    const connection2 = new api.WebApi(orgUrl, api.getBearerHandler(accessToken));
-    return connection2;
+function createBitbucketSdk(token) {
+  if (!token) {
+    return getBitbucketSdk({ authType: "public" });
   }
-  const authHandler = api.getPersonalAccessTokenHandler(accessToken);
-  const connection = new api.WebApi(orgUrl, authHandler);
-  return connection;
-}
-async function adoValidateParams({
-  url,
-  accessToken,
-  tokenOrg
-}) {
-  try {
-    if (!url && accessToken && getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-      await _getOrgsForOauthToken({ oauthToken: accessToken });
-      return;
-    }
-    let org = tokenOrg;
-    if (url) {
-      const { owner } = parseAdoOwnerAndRepo(url);
-      org = owner;
-    }
-    if (!org) {
-      throw new InvalidRepoUrlError(`invalid ADO ORG ${org}`);
-    }
-    const api2 = await getAdoApiClient({
-      accessToken,
-      tokenOrg,
-      orgName: org
+  if (token.includes(":")) {
+    const { password, username } = getUserAndPassword(token);
+    return getBitbucketSdk({
+      authType: "basic",
+      username,
+      password
     });
-    await api2.connect();
-  } catch (e) {
-    const error = e;
-    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    const description = error.description || `${e}`;
-    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
-      throw new InvalidAccessTokenError(`invalid ADO access token`);
-    }
-    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
-      throw new InvalidRepoUrlError(`invalid ADO repo URL ${url}`);
-    }
-    throw e;
   }
+  return getBitbucketSdk({ authType: "token", token });
 }
-async function getAdoIsUserCollaborator({
-  accessToken,
-  tokenOrg,
-  repoUrl
-}) {
-  try {
-    const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-    const api2 = await getAdoApiClient({
-      accessToken,
-      tokenOrg,
-      orgName: owner
-    });
-    const git = await api2.getGitApi();
-    const branches = await git.getBranches(repo, projectName);
-    if (!branches || branches.length === 0) {
-      throw new InvalidRepoUrlError("no branches");
+var BitbucketSCMLib = class extends SCMLib {
+  constructor(url, accessToken, scmOrg) {
+    super(url, accessToken, scmOrg);
+    __publicField(this, "bitbucketSdk");
+    const bitbucketSdk = createBitbucketSdk(accessToken);
+    this.bitbucketSdk = bitbucketSdk;
+  }
+  getAuthData() {
+    const authType = this.bitbucketSdk.getAuthType();
+    switch (authType) {
+      case "basic": {
+        this._validateToken();
+        const { username, password } = getUserAndPassword(this.accessToken);
+        return { username, password, authType };
+      }
+      case "token": {
+        return { authType, token: z9.string().parse(this.accessToken) };
+      }
+      case "public":
+        return { authType };
     }
-    return true;
-  } catch (e) {
-    return false;
   }
-}
-var adoStatusNumberToEnumMap = {
-  1: "active" /* active */,
-  2: "abandoned" /* abandoned */,
-  3: "completed" /* completed */,
-  4: "all" /* all */
-};
-async function getAdoPullRequestStatus({
-  accessToken,
-  tokenOrg,
-  repoUrl,
-  prNumber
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  const res = await git.getPullRequest(repo, prNumber, projectName);
-  if (!res.status || res.status < 1 || res.status > 3) {
-    throw new Error("bad pr status for ADO");
+  async createSubmitRequest(params) {
+    this._validateAccessTokenAndUrl();
+    const pullRequestRes = await this.bitbucketSdk.createPullRequest({
+      ...params,
+      repoUrl: this.url
+    });
+    return String(z9.number().parse(pullRequestRes.id));
   }
-  return adoStatusNumberToEnumMap[res.status];
-}
-async function getAdoIsRemoteBranch({
-  accessToken,
-  tokenOrg,
-  repoUrl,
-  branch
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  try {
-    const branchStatus = await git.getBranch(repo, branch, projectName);
-    if (!branchStatus || !branchStatus.commit) {
-      throw new InvalidRepoUrlError("no branch status");
+  async validateParams() {
+    return validateBitbucketParams({
+      bitbucketClient: this.bitbucketSdk,
+      url: this.url
+    });
+  }
+  async getRepoList(scmOrg) {
+    this._validateToken();
+    return this.bitbucketSdk.getRepos({
+      workspaceSlug: scmOrg
+    });
+  }
+  async getBranchList() {
+    this._validateAccessTokenAndUrl();
+    return this.bitbucketSdk.getBranchList({
+      repoUrl: this.url
+    });
+  }
+  getScmLibType() {
+    return "BITBUCKET" /* BITBUCKET */;
+  }
+  getAuthHeaders() {
+    const authType = this.bitbucketSdk.getAuthType();
+    switch (authType) {
+      case "public":
+        return {};
+      case "token":
+        return { authorization: `Bearer ${this.accessToken}` };
+      case "basic": {
+        this._validateToken();
+        const { username, password } = getUserAndPassword(this.accessToken);
+        return {
+          authorization: `Basic ${Buffer.from(
+            username + ":" + password
+          ).toString("base64")}`
+        };
+      }
     }
-    return branchStatus.name === branch;
-  } catch (e) {
-    return false;
   }
-}
-async function getAdoRepoList({
-  orgName,
-  tokenOrg,
-  accessToken
-}) {
-  let orgs = [];
-  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-    orgs = await _getOrgsForOauthToken({ oauthToken: accessToken });
+  async getDownloadUrl(sha) {
+    this._validateUrl();
+    return this.bitbucketSdk.getDownloadUrl({ url: this.url, sha });
   }
-  if (orgs.length === 0 && !orgName) {
-    throw new Error(`no orgs for ADO`);
-  } else if (orgs.length === 0 && orgName) {
-    orgs = [orgName];
+  async _getUsernameForAuthUrl() {
+    this._validateAccessTokenAndUrl();
+    const user = await this.bitbucketSdk.getUser();
+    if (!user.username) {
+      throw new Error("no username found");
+    }
+    return user.username;
   }
-  const repos = (await Promise.allSettled(
-    orgs.map(async (org) => {
-      const orgApi = await getAdoApiClient({
-        accessToken,
-        tokenOrg,
-        orgName: org
+  async getIsRemoteBranch(branch) {
+    this._validateAccessTokenAndUrl();
+    try {
+      const res = await this.bitbucketSdk.getBranch({
+        branchName: branch,
+        repoUrl: this.url
       });
-      const gitOrg = await orgApi.getGitApi();
-      const orgRepos = await gitOrg.getRepositories();
-      const repoInfoList = (await Promise.allSettled(
-        orgRepos.map(async (repo) => {
-          if (!repo.name || !repo.remoteUrl || !repo.defaultBranch) {
-            throw new InvalidRepoUrlError("bad repo");
-          }
-          const branch = await gitOrg.getBranch(
-            repo.name,
-            repo.defaultBranch.replace(/^refs\/heads\//, ""),
-            repo.project?.name
-          );
-          return {
-            repoName: repo.name,
-            repoUrl: repo.remoteUrl.replace(
-              /^[hH][tT][tT][pP][sS]:\/\/[^/]+@/,
-              "https://"
-            ),
-            repoOwner: org,
-            repoIsPublic: repo.project?.visibility === 2,
-            //2 is public in the ADO API
-            repoLanguages: [],
-            repoUpdatedAt: branch.commit?.committer?.date?.toDateString() || repo.project?.lastUpdateTime?.toDateString() || (/* @__PURE__ */ new Date()).toDateString()
-          };
-        })
-      )).reduce((acc, res) => {
-        if (res.status === "fulfilled") {
-          acc.push(res.value);
-        }
-        return acc;
-      }, []);
-      return repoInfoList;
-    })
-  )).reduce((acc, res) => {
-    if (res.status === "fulfilled") {
-      return acc.concat(res.value);
+      return res.name === branch;
+    } catch (e) {
+      return false;
     }
-    return acc;
-  }, []);
-  return repos;
-}
-function getAdoPrUrl({
-  url,
-  prNumber
-}) {
-  return `${url}/pullrequest/${prNumber}`;
-}
-function getAdoDownloadUrl({
-  repoUrl,
-  branch
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const url = new URL(repoUrl);
-  const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? "https://dev.azure.com" : url.origin.toLowerCase();
-  return `${origin}/${owner}/${projectName}/_apis/git/repositories/${repo}/items/items?path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-}
-async function getAdoBranchList({
-  accessToken,
-  tokenOrg,
-  repoUrl
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  try {
-    const res = await git.getBranches(repo, projectName);
-    res.sort((a, b) => {
-      if (!a.commit?.committer?.date || !b.commit?.committer?.date) {
-        return 0;
-      }
-      return b.commit?.committer?.date.getTime() - a.commit?.committer?.date.getTime();
+  }
+  async getUserHasAccessToRepo() {
+    this._validateAccessTokenAndUrl();
+    return this.bitbucketSdk.getIsUserCollaborator({ repoUrl: this.url });
+  }
+  async getUsername() {
+    this._validateToken();
+    const res = await this.bitbucketSdk.getUser();
+    return z9.string().parse(res.username);
+  }
+  async getSubmitRequestStatus(_scmSubmitRequestId) {
+    this._validateAccessTokenAndUrl();
+    const pullRequestRes = await this.bitbucketSdk.getPullRequest({
+      prNumber: Number(_scmSubmitRequestId),
+      url: this.url
     });
-    return res.reduce((acc, branch) => {
-      if (!branch.name) {
-        return acc;
-      }
-      acc.push(branch.name);
-      return acc;
-    }, []);
-  } catch (e) {
+    switch (pullRequestRes.state) {
+      case "OPEN":
+        return "open";
+      case "MERGED":
+        return "merged";
+      case "DECLINED":
+        return "closed";
+      default:
+        throw new Error(`unknown state ${pullRequestRes.state} `);
+    }
+  }
+  async getRepoBlameRanges(_ref, _path) {
     return [];
   }
-}
-async function createAdoPullRequest(options) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(options.repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken: options.accessToken,
-    tokenOrg: options.tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  const res = await git.createPullRequest(
-    {
-      sourceRefName: `refs/heads/${options.sourceBranchName}`,
-      targetRefName: `refs/heads/${options.targetBranchName}`,
-      title: options.title,
-      description: options.body
-    },
-    repo,
-    projectName
-  );
-  return res.pullRequestId;
-}
-async function getAdoRepoDefaultBranch({
-  repoUrl,
-  tokenOrg,
-  accessToken
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  const branches = await git.getBranches(repo, projectName);
-  if (!branches || branches.length === 0) {
-    throw new InvalidRepoUrlError("no branches");
+  async getReferenceData(ref) {
+    this._validateUrl();
+    return this.bitbucketSdk.getReferenceData({ url: this.url, ref });
   }
-  const res = branches.find((branch) => branch.isBaseVersion);
-  if (!res || !res.name) {
-    throw new InvalidRepoUrlError("no default branch");
+  async getRepoDefaultBranch() {
+    this._validateUrl();
+    const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
+    return z9.string().parse(repoRes.mainbranch?.name);
   }
-  return res.name;
-}
-async function getAdoReferenceData({
-  ref,
-  repoUrl,
-  accessToken,
-  tokenOrg
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  if (!projectName) {
-    throw new InvalidUrlPatternError("no project name");
+  getPrUrl(prNumber) {
+    this._validateUrl();
+    const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
+    return Promise.resolve(
+      `https://bitbucket.org/${workspace}/${repoSlug}/pull-requests/${prNumber}`
+    );
   }
-  const git = await api2.getGitApi();
-  const results = await Promise.allSettled([
-    (async () => {
-      const res = await git.getBranch(repo, ref, projectName);
-      if (!res.commit || !res.commit.commitId) {
-        throw new InvalidRepoUrlError("no commit on branch");
-      }
-      return {
-        sha: res.commit.commitId,
-        type: "BRANCH" /* BRANCH */,
-        date: res.commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })(),
-    (async () => {
-      const res = await git.getCommits(
-        repo,
-        {
-          fromCommitId: ref,
-          toCommitId: ref,
-          $top: 1
-        },
-        projectName
-      );
-      const commit = res[0];
-      if (!commit || !commit.commitId) {
-        throw new Error("no commit");
+  async refreshToken(params) {
+    const getBitbucketTokenResponse = await getBitbucketToken({
+      authType: "refresh_token",
+      ...params
+    });
+    return {
+      accessToken: getBitbucketTokenResponse.access_token,
+      refreshToken: getBitbucketTokenResponse.refresh_token
+    };
+  }
+};
+
+// src/features/analysis/scm/bitbucket/bitbucket.ts
+var { Bitbucket } = bitbucketPkg;
+var BITBUCKET_HOSTNAME = "bitbucket.org";
+var TokenExpiredErrorZ = z10.object({
+  status: z10.number(),
+  error: z10.object({
+    type: z10.string(),
+    error: z10.object({
+      message: z10.string()
+    })
+  })
+});
+var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
+var BitbucketAuthResultZ = z10.object({
+  access_token: z10.string(),
+  token_type: z10.string(),
+  refresh_token: z10.string()
+});
+var BitbucketParseResultZ = z10.object({
+  organization: z10.string(),
+  repoName: z10.string(),
+  hostname: z10.literal(BITBUCKET_HOSTNAME)
+});
+function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
+  const parsedGitHubUrl = removeTrailingSlash2(bitbucketUrl);
+  const parsingResult = parseScmURL(parsedGitHubUrl, "Bitbucket" /* Bitbucket */);
+  const validatedBitbucketResult = BitbucketParseResultZ.parse(parsingResult);
+  return {
+    workspace: validatedBitbucketResult.organization,
+    repoSlug: validatedBitbucketResult.repoName
+  };
+}
+async function getBitbucketToken(params) {
+  const { bitbucketClientId, bitbucketClientSecret, authType } = params;
+  const res = await fetch(BITBUCKET_ACCESS_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: "Basic " + btoa(`${bitbucketClientId}:${bitbucketClientSecret}`)
+    },
+    body: querystring3.stringify(
+      authType === "refresh_token" ? {
+        grant_type: authType,
+        refresh_token: params.refreshToken
+      } : {
+        grant_type: authType,
+        code: params.code
       }
-      return {
-        sha: commit.commitId,
-        type: "COMMIT" /* COMMIT */,
-        date: commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })(),
-    (async () => {
-      const res = await git.getRefs(repo, projectName, `tags/${ref}`);
-      if (!res[0] || !res[0].objectId) {
-        throw new Error("no tag ref");
+    )
+  });
+  const authResult = await res.json();
+  return BitbucketAuthResultZ.parse(authResult);
+}
+function getBitbucketIntance(params) {
+  switch (params.authType) {
+    case "public":
+      return new Bitbucket();
+    case "token":
+      return new Bitbucket({ auth: { token: params.token } });
+    case "basic":
+      return new Bitbucket({
+        auth: {
+          password: params.password,
+          username: params.username
+        }
+      });
+  }
+}
+function getBitbucketSdk(params) {
+  const bitbucketClient = getBitbucketIntance(params);
+  return {
+    getAuthType() {
+      return params.authType;
+    },
+    async getRepos(params2) {
+      const repoRes = params2?.workspaceSlug ? await getRepositoriesByWorkspace(bitbucketClient, {
+        workspaceSlug: params2.workspaceSlug
+      }) : await getllUsersrepositories(bitbucketClient);
+      return repoRes.map((repo) => ({
+        repoIsPublic: !repo.is_private,
+        repoName: repo.name || "unknown repo name",
+        repoOwner: repo.owner?.username || "unknown owner",
+        // language can be empty string
+        repoLanguages: repo.language ? [repo.language] : [],
+        repoUpdatedAt: repo.updated_on ? repo.updated_on : (/* @__PURE__ */ new Date()).toISOString(),
+        repoUrl: repo.links?.html?.href || ""
+      }));
+    },
+    async getBranchList(params2) {
+      const { workspace, repoSlug } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.refs.listBranches({
+        repo_slug: repoSlug,
+        workspace
+      });
+      if (!res.data.values) {
+        return [];
       }
-      let objectId = res[0].objectId;
-      try {
-        const tag = await git.getAnnotatedTag(projectName, repo, objectId);
-        if (tag.taggedObject?.objectId) {
-          objectId = tag.taggedObject.objectId;
+      return res.data.values.filter((branch) => !!branch.name).map((branch) => z10.string().parse(branch.name));
+    },
+    async getIsUserCollaborator(params2) {
+      const { repoUrl } = params2;
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
+      const fullRepoName = `${workspace}/${repoSlug}`;
+      const res = await bitbucketClient.user.listPermissionsForRepos({
+        q: `repository.full_name~"${fullRepoName}"`
+      });
+      return res.data.values?.some(
+        (res2) => res2.repository?.full_name === fullRepoName
+      ) ?? false;
+    },
+    async createPullRequest(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.pullrequests.create({
+        repo_slug: repoSlug,
+        workspace,
+        _body: {
+          type: "pullrequest",
+          title: params2.title,
+          summary: {
+            raw: params2.body
+          },
+          source: {
+            branch: {
+              name: params2.sourceBranchName
+            }
+          },
+          destination: {
+            branch: {
+              name: params2.targetBranchName
+            }
+          }
         }
+      });
+      return res.data;
+    },
+    async getDownloadlink(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.downloads.list({
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getBranch(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.refs.getBranch({
+        name: params2.branchName,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getRepo(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.repositories.get({
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getCommit(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.commits.get({
+        commit: params2.commitSha,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getUser() {
+      const res = await bitbucketClient.user.get({});
+      return res.data;
+    },
+    async getReferenceData({
+      ref,
+      url
+    }) {
+      try {
+        return await Promise.any([
+          this.getBranchRef({ repoUrl: url, branchName: ref }),
+          this.getTagRef({ repoUrl: url, tagName: ref }),
+          this.getCommitRef({ repoUrl: url, commitSha: ref })
+        ]);
       } catch (e) {
+        console.log("e", e);
+        if (e instanceof AggregateError) {
+          throw new RefNotFoundError(`Invalid reference ${ref} for ${url}`);
+        }
+        throw e;
       }
-      const commitRes2 = await git.getCommits(
-        repo,
-        {
-          fromCommitId: objectId,
-          toCommitId: objectId,
-          $top: 1
-        },
-        projectName
+    },
+    async getTagRef(params2) {
+      const { tagName, repoUrl } = params2;
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
+      const tagRes = await bitbucketClient.refs.getTag({
+        repo_slug: repoSlug,
+        workspace,
+        name: tagName
+      });
+      return GetRefererenceResultZ.parse({
+        sha: tagRes.data.target?.hash,
+        type: "TAG" /* TAG */,
+        date: new Date(z10.string().parse(tagRes.data.target?.date))
+      });
+    },
+    async getBranchRef(params2) {
+      const getBranchRes = await this.getBranch(params2);
+      return GetRefererenceResultZ.parse({
+        sha: getBranchRes.target?.hash,
+        type: "BRANCH" /* BRANCH */,
+        date: new Date(z10.string().parse(getBranchRes.target?.date))
+      });
+    },
+    async getCommitRef(params2) {
+      const getCommitRes = await this.getCommit(params2);
+      return GetRefererenceResultZ.parse({
+        sha: getCommitRes.hash,
+        type: "COMMIT" /* COMMIT */,
+        date: new Date(z10.string().parse(getCommitRes.date))
+      });
+    },
+    async getDownloadUrl({ url, sha }) {
+      this.getReferenceData({ ref: sha, url });
+      const repoRes = await this.getRepo({ repoUrl: url });
+      const parsedRepoUrl = z10.string().url().parse(repoRes.links?.html?.href);
+      return `${parsedRepoUrl}/get/${sha}.zip`;
+    },
+    async getPullRequest(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.url
       );
-      const commit = commitRes2[0];
-      if (!commit) {
-        throw new Error("no commit");
+      const res = await bitbucketClient.pullrequests.get({
+        pull_request_id: params2.prNumber,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    }
+  };
+}
+async function validateBitbucketParams(params) {
+  const { bitbucketClient } = params;
+  const authType = bitbucketClient.getAuthType();
+  console.log("authType", authType, params.url);
+  try {
+    if (authType !== "public") {
+      await bitbucketClient.getUser();
+    }
+    if (params.url) {
+      await bitbucketClient.getRepo({ repoUrl: params.url });
+    }
+  } catch (e) {
+    const safeParseError = TokenExpiredErrorZ.safeParse(e);
+    if (safeParseError.success) {
+      switch (safeParseError.data.status) {
+        case 401:
+          throw new InvalidAccessTokenError(
+            safeParseError.data.error.error.message
+          );
+        case 404:
+          throw new InvalidRepoUrlError(safeParseError.data.error.error.message);
       }
-      return {
-        sha: objectId,
-        type: "TAG" /* TAG */,
-        date: commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })()
-  ]);
-  const [branchRes, commitRes, tagRes] = results;
-  if (tagRes.status === "fulfilled") {
-    return tagRes.value;
-  }
-  if (branchRes.status === "fulfilled") {
-    return branchRes.value;
-  }
-  if (commitRes.status === "fulfilled") {
-    return commitRes.value;
+    }
+    throw e;
   }
-  throw new RefNotFoundError(`ref: ${ref} does not exist`);
 }
-function parseAdoOwnerAndRepo(adoUrl) {
-  adoUrl = removeTrailingSlash3(adoUrl);
-  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
-  if (!parsingResult || parsingResult.hostname !== "dev.azure.com" && !parsingResult.hostname.endsWith(".visualstudio.com")) {
-    throw new InvalidUrlPatternError(`invalid ADO repo URL: ${adoUrl}`);
+async function getUsersworkspacesSlugs(bitbucketClient) {
+  const res = await bitbucketClient.workspaces.getWorkspaces({});
+  return res.data.values?.map((v) => z10.string().parse(v.slug));
+}
+async function getllUsersrepositories(bitbucketClient) {
+  const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
+  if (!userWorspacesSlugs) {
+    return [];
   }
-  const { organization, repoName, projectName, projectPath, pathElements } = parsingResult;
-  return {
-    owner: organization,
-    repo: repoName,
-    projectName,
-    projectPath,
-    pathElements
-  };
+  const allWorkspaceRepos = [];
+  for (const workspaceSlug of userWorspacesSlugs) {
+    const repos = await bitbucketClient.repositories.list({
+      workspace: workspaceSlug
+    });
+    if (!repos.data.values) {
+      continue;
+    }
+    allWorkspaceRepos.push(...repos.data.values);
+  }
+  return allWorkspaceRepos;
 }
-async function getAdoBlameRanges() {
-  return [];
+async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
+  const res = await bitbucketClient.repositories.list({
+    workspace: workspaceSlug
+  });
+  return res.data.values ?? [];
 }
-var AdoAuthResultZ = z9.object({
-  access_token: z9.string().min(1),
-  token_type: z9.string().min(1),
-  refresh_token: z9.string().min(1)
-});
 
 // src/features/analysis/scm/constants.ts
 var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
 var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
 
-// src/features/analysis/scm/utils/get_issue_type.ts
-var getIssueType = (issueType) => {
-  switch (issueType) {
-    case "SQL_Injection" /* SqlInjection */:
-      return "SQL Injection";
-    case "CMDi_relative_path_command" /* CmDiRelativePathCommand */:
-      return "Relative Path Command Injection";
-    case "CMDi" /* CmDi */:
-      return "Command Injection";
-    case "XXE" /* Xxe */:
-      return "XXE";
-    case "XSS" /* Xss */:
-      return "XSS";
-    case "PT" /* Pt */:
-      return "Path Traversal";
-    case "ZIP_SLIP" /* ZipSlip */:
-      return "Zip Slip";
-    case "INSECURE_RANDOMNESS" /* InsecureRandomness */:
-      return "Insecure Randomness";
-    case "SSRF" /* Ssrf */:
-      return "Server Side Request Forgery";
-    case "TYPE_CONFUSION" /* TypeConfusion */:
-      return "Type Confusion";
-    case "REGEX_INJECTION" /* RegexInjection */:
-      return "Regular Expression Injection";
-    case "INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */:
-      return "Incomplete URL Sanitization";
-    case "LOG_FORGING" /* LogForging */:
-      return "Log Forging";
-    case "LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */:
-      return "Locale Dependent Comparison";
-    case "MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */:
-      return "Missing Check against Null";
-    case "PASSWORD_IN_COMMENT" /* PasswordInComment */:
-      return "Password in Comment";
-    case "OVERLY_BROAD_CATCH" /* OverlyBroadCatch */:
-      return "Poor Error Handling: Overly Broad Catch";
-    case "USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */:
-      return "Use of System.out/System.err";
-    case "DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */:
-      return "Use of dangerous function";
-    case "DOS_STRING_BUILDER" /* DosStringBuilder */:
-      return "Denial of Service: StringBuilder";
-    case "OPEN_REDIRECT" /* OpenRedirect */:
-      return "Open Redirect";
-    case "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */:
-      return "Weak XML Schema: Unbounded Occurrences";
-    case "SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */:
-      return "System Information Leak";
-    case "HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */:
-      return "HTTP response splitting";
-    case "HTTP_ONLY_COOKIE" /* HttpOnlyCookie */:
-      return "Cookie is not HttpOnly";
-    case "INSECURE_COOKIE" /* InsecureCookie */:
-      return "Insecure Cookie";
-    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
-      return "Trust Boundary Violation";
-    case "MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */:
-      return "Missing equals or hashcode method";
-    default: {
-      return issueType ? issueType.replaceAll("_", " ") : "Other";
-    }
-  }
-};
-
-// src/features/analysis/scm/utils/index.ts
-function getFixUrlWithRedirect(params) {
-  const {
-    fixId,
-    projectId,
-    organizationId,
-    analysisId,
-    redirectUrl,
-    appBaseUrl,
-    commentId
-  } = params;
-  const searchParams = new URLSearchParams();
-  searchParams.append("commit_redirect_url", redirectUrl);
-  searchParams.append("comment_id", commentId.toString());
-  return `${getFixUrl({
-    appBaseUrl,
-    fixId,
-    projectId,
-    organizationId,
-    analysisId
-  })}?${searchParams.toString()}`;
-}
-function getFixUrl({
-  appBaseUrl,
-  fixId,
-  projectId,
-  organizationId,
-  analysisId
-}) {
-  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
-}
-function getCommitUrl(params) {
-  const {
-    fixId,
-    projectId,
-    organizationId,
-    analysisId,
-    redirectUrl,
-    appBaseUrl,
-    commentId
-  } = params;
-  const searchParams = new URLSearchParams();
-  searchParams.append("redirect_url", redirectUrl);
-  searchParams.append("comment_id", commentId.toString());
-  return `${getFixUrl({
-    appBaseUrl,
-    fixId,
-    projectId,
-    organizationId,
-    analysisId
-  })}/commit?${searchParams.toString()}`;
-}
-
 // src/features/analysis/utils/by_key.ts
 function keyBy(array, keyBy2) {
   return array.reduce((acc, item) => {
@@ -3613,6 +4108,16 @@ async function sendReport({
   }
 }
 
+// src/features/analysis/utils/index.ts
+function getFromArraySafe(array) {
+  return array.reduce((acc, nullableItem) => {
+    if (nullableItem) {
+      acc.push(nullableItem);
+    }
+    return acc;
+  }, []);
+}
+
 // src/features/analysis/handle_finished_analysis.ts
 var debug5 = Debug5("mobbdev:handle-finished-analysis");
 var contactUsMarkdown = `For specific requests [contact us](https://mobb.ai/contact) and we'll do the most to answer your need quickly.`;
@@ -3641,7 +4146,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z10.string().parse(file.to),
+      path: z11.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -4439,9 +4944,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     apiKey: apiKey || config2.get("apiToken")
   });
   await handleMobbLogin();
-  const { projectId, organizationId } = await gqlClient.getOrgAndProjectId(
-    mobbProjectName
-  );
+  const { projectId, organizationId } = await gqlClient.getOrgAndProjectId(mobbProjectName);
   const {
     uploadS3BucketInfo: { repoUploadInfo, reportUploadInfo }
   } = await gqlClient.uploadS3BucketInfo();
@@ -4456,12 +4959,10 @@ async function _scan(params, { skipPrompts = false } = {}) {
     throw new Error("repo is required in case srcPath is not provided");
   }
   const userInfo = await gqlClient.getUserInfo();
-  const scmConfigs = [];
-  for (const scmConfig of userInfo?.scmConfigs || []) {
-    if (scmConfig?.__typename === "ScmConfig") {
-      scmConfigs.push(scmConfig);
-    }
+  if (!userInfo) {
+    throw new Error("userInfo is null");
   }
+  const scmConfigs = getFromArraySafe(userInfo.scmConfigs);
   const tokenInfo = getScmConfig({
     url: repo,
     scmConfigs,
@@ -4506,6 +5007,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
   });
   const reference = ref ?? await scm.getRepoDefaultBranch();
   const { sha } = await scm.getReferenceData(reference);
+  const downloadUrl = await scm.getDownloadUrl(sha);
   debug10("org id %s", organizationId);
   debug10("project id %s", projectId);
   debug10("default branch %s", reference);
@@ -4514,7 +5016,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     dirname,
     ci,
     authHeaders: scm.getAuthHeaders(),
-    downloadUrl: scm.getDownloadUrl(sha)
+    downloadUrl
   });
   if (command === "scan") {
     reportPath = await getReport(SupportedScannersZ.parse(scanner));
@@ -4541,7 +5043,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     spinner: mobbSpinner,
     submitVulnerabilityReportVariables: {
       fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: z11.string().parse(repo),
+      repoUrl: z12.string().parse(repo),
       reference,
       projectId,
       vulnerabilityReportFileName: "report.json",
@@ -4563,8 +5065,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
         analysisId,
         gqlClient,
         scm,
-        githubActionToken: z11.string().parse(githubActionToken),
-        scanner: z11.nativeEnum(SCANNERS).parse(scanner)
+        githubActionToken: z12.string().parse(githubActionToken),
+        scanner: z12.nativeEnum(SCANNERS).parse(scanner)
       }),
       callbackStates: ["Finished" /* Finished */]
     });
@@ -4693,12 +5195,10 @@ async function _scan(params, { skipPrompts = false } = {}) {
     await open2(scmAuthUrl2);
     for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
       const userInfo2 = await gqlClient.getUserInfo();
-      const scmConfigs2 = [];
-      for (const scmConfig of userInfo2?.scmConfigs || []) {
-        if (scmConfig?.__typename === "ScmConfig") {
-          scmConfigs2.push(scmConfig);
-        }
+      if (!userInfo2) {
+        throw new CliError2("User info not found");
       }
+      const scmConfigs2 = getFromArraySafe(userInfo2.scmConfigs);
       const tokenInfo2 = getScmConfig({
         url: repoUrl,
         scmConfigs: scmConfigs2,
@@ -4974,21 +5474,22 @@ var commitHashOption = {
 };
 var scmTypeOption = {
   demandOption: true,
-  describe: chalk5.bold("SCM type (GitHub, GitLab, Ado)"),
+  describe: chalk5.bold("SCM type (GitHub, GitLab, Ado, Bitbucket)"),
   type: "string"
 };
 var urlOption = {
   describe: chalk5.bold(
-    "URL of the repository (used in GitHub, GitLab, Azure DevOps)"
+    "URL of the repository (used in GitHub, GitLab, Azure DevOps, Bitbucket)"
   ),
-  type: "string"
+  type: "string",
+  demandOption: true
 };
 var scmOrgOption = {
   describe: chalk5.bold("Organization name in SCM (used in Azure DevOps)"),
   type: "string"
 };
 var scmUsernameOption = {
-  describe: chalk5.bold("Username in SCM (used in GitHub)"),
+  describe: chalk5.bold("Username in SCM (used in GitHub, Bitbucket)"),
   type: "string"
 };
 var scmRefreshTokenOption = {
@@ -4997,13 +5498,14 @@ var scmRefreshTokenOption = {
 };
 var scmTokenOption = {
   describe: chalk5.bold("SCM API token"),
-  type: "string"
+  type: "string",
+  demandOption: true
 };
 
 // src/args/validation.ts
 import chalk6 from "chalk";
 import path8 from "path";
-import { z as z12 } from "zod";
+import { z as z13 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -5020,7 +5522,7 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z12.string({
+var UrlZ = z13.string({
   invalid_type_error: "is not a valid GitHub / GitLab / ADO URL"
 }).refine((data) => !!sanityRepoURL(data), {
   message: "is not a valid GitHub / GitLab / ADO URL"
@@ -5168,6 +5670,7 @@ async function scanHandler(args) {
 }
 
 // src/args/commands/token.ts
+import { z as z14 } from "zod";
 function addScmTokenBuilder(args) {
   return args.option("scm-type", scmTypeOption).option("url", urlOption).option("token", scmTokenOption).option("organization", scmOrgOption).option("username", scmUsernameOption).option("refresh-token", scmRefreshTokenOption).option("api-key", apiKeyOption).example(
     "$0 add-scm-token --scm-type Ado --url https://dev.azure.com/adoorg/test/_git/repo --token abcdef0123456 --organization myOrg",
@@ -5175,22 +5678,36 @@ function addScmTokenBuilder(args) {
   ).help().demandOption(["url", "token"]);
 }
 function validateAddScmTokenOptions(argv) {
-  if (!argv.url) {
-    throw new CliError(errorMessages.missingUrl);
-  }
-  if (!argv.token) {
-    throw new CliError(errorMessages.missingToken);
-  }
-  if ("GitHub" /* GitHub */ !== argv.scmType && "Ado" /* Ado */ !== argv.scmType && "GitLab" /* GitLab */ !== argv.scmType) {
+  if (!z14.nativeEnum(ScmType).safeParse(argv.scmType).success) {
     throw new CliError(
-      "\nError: --scm-type must reference a valid SCM type (GitHub, GitLab, Ado)"
+      "\nError: --scm-type must reference a valid SCM type (GitHub, GitLab, Ado, Bitbutcket)"
     );
   }
+  Object.values(scmValidationMap).forEach((validate) => validate(argv));
+}
+var scmValidationMap = {
+  ["GitHub" /* GitHub */]: validateGithub,
+  ["GitLab" /* GitLab */]: () => {
+    return;
+  },
+  ["Ado" /* Ado */]: validateAdo,
+  ["Bitbucket" /* Bitbucket */]: validateBitbucket
+};
+function validateBitbucket(argv) {
+  const urlObj = new URL(argv.url);
+  if (urlObj.hostname.toLowerCase() === scmCloudHostname.Bitbucket && !argv.username) {
+    throw new CliError("\nError: --username flag is required for Bitbucket");
+  }
+}
+function validateGithub(argv) {
   const urlObj = new URL(argv.url);
-  if (urlObj.hostname.toLowerCase() === "github.com" && !argv.username) {
+  if (urlObj.hostname.toLowerCase() === scmCloudHostname.GitHub && !argv.username) {
     throw new CliError("\nError: --username flag is required for GitHub");
   }
-  if ((urlObj.hostname.toLowerCase() === "dev.azure.com" || urlObj.hostname.toLowerCase().endsWith(".visualstudio.com")) && !argv.organization) {
+}
+function validateAdo(argv) {
+  const urlObj = new URL(argv.url);
+  if ((urlObj.hostname.toLowerCase() === scmCloudHostname.Ado || urlObj.hostname.toLowerCase().endsWith(".visualstudio.com")) && !argv.organization) {
     throw new CliError(
       "\nError: --organization flag is required for Azure DevOps"
     );