mobbdev 1.0.102 → 1.0.104

package/dist/index.mjs

@@ -501,6 +501,7 @@ var Vulnerability_Report_Issue_Tag_Enum = /* @__PURE__ */ ((Vulnerability_Report
   Vulnerability_Report_Issue_Tag_Enum3["AutogeneratedCode"] = "AUTOGENERATED_CODE";
   Vulnerability_Report_Issue_Tag_Enum3["AuxiliaryCode"] = "AUXILIARY_CODE";
   Vulnerability_Report_Issue_Tag_Enum3["FalsePositive"] = "FALSE_POSITIVE";
+  Vulnerability_Report_Issue_Tag_Enum3["Suppressed"] = "SUPPRESSED";
   Vulnerability_Report_Issue_Tag_Enum3["TestCode"] = "TEST_CODE";
   Vulnerability_Report_Issue_Tag_Enum3["Unfixable"] = "UNFIXABLE";
   Vulnerability_Report_Issue_Tag_Enum3["VendorCode"] = "VENDOR_CODE";
@@ -555,6 +556,80 @@ var FixDetailsFragmentDoc = `
   }
 }
     `;
+var FixReportSummaryFieldsFragmentDoc = `
+    fragment FixReportSummaryFields on fixReport {
+  id
+  createdOn
+  repo {
+    originalUrl
+  }
+  issueTypes
+  CRITICAL: fixes_aggregate(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "critical"}}]}
+  ) {
+    aggregate {
+      count
+    }
+  }
+  HIGH: fixes_aggregate(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "high"}}]}
+  ) {
+    aggregate {
+      count
+    }
+  }
+  MEDIUM: fixes_aggregate(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "medium"}}]}
+  ) {
+    aggregate {
+      count
+    }
+  }
+  LOW: fixes_aggregate(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "low"}}]}
+  ) {
+    aggregate {
+      count
+    }
+  }
+  fixes(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, $filters]}
+    order_by: {severityValue: desc}
+    limit: $limit
+    offset: $offset
+  ) {
+    ...FixDetails
+  }
+  filteredFixesCount: fixes_aggregate(
+    where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, $filters]}
+  ) {
+    aggregate {
+      count
+    }
+  }
+  totalFixesCount: fixes_aggregate {
+    aggregate {
+      count
+    }
+  }
+  vulnerabilityReport {
+    scanDate
+    vendor
+    totalVulnerabilityReportIssuesCount: vulnerabilityReportIssues_aggregate {
+      aggregate {
+        count
+      }
+    }
+    notFixableVulnerabilityReportIssuesCount: vulnerabilityReportIssues_aggregate(
+      where: {category: {_neq: "Fixable"}}
+    ) {
+      aggregate {
+        count
+      }
+    }
+  }
+}
+    ${FixDetailsFragmentDoc}`;
 var MeDocument = `
     query Me {
   me {
@@ -984,80 +1059,24 @@ var AutoPrAnalysisDocument = `
   }
 }
     `;
-var GetMcpFixesDocument = `
-    query GetMCPFixes($fixReportId: uuid!) {
-  fix(where: {fixReportId: {_eq: $fixReportId}}) {
-    ...FixDetails
-  }
-}
-    ${FixDetailsFragmentDoc}`;
 var GetLatestReportByRepoUrlDocument = `
-    query GetLatestReportByRepoUrl($repoUrl: String!, $limit: Int = 3) {
+    query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
   fixReport(
     where: {repo: {originalUrl: {_eq: $repoUrl}}}
     order_by: {createdOn: desc}
     limit: 1
   ) {
-    id
-    createdOn
-    repo {
-      originalUrl
-    }
-    issueTypes
-    fixes_aggregate(
-      where: {vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}
-    ) {
-      aggregate {
-        count
-      }
-    }
-    CRITICAL: fixes_aggregate(
-      where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "critical"}}]}
-    ) {
-      aggregate {
-        count
-      }
-    }
-    HIGH: fixes_aggregate(
-      where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "high"}}]}
-    ) {
-      aggregate {
-        count
-      }
-    }
-    MEDIUM: fixes_aggregate(
-      where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "medium"}}]}
-    ) {
-      aggregate {
-        count
-      }
-    }
-    LOW: fixes_aggregate(
-      where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "low"}}]}
-    ) {
-      aggregate {
-        count
-      }
-    }
-    fixes(
-      where: {vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}
-      order_by: {severityValue: desc}
-      limit: $limit
-    ) {
-      ...FixDetails
-    }
-    vulnerabilityReport {
-      scanDate
-      vendor
-      vulnerabilityReportIssues_aggregate(where: {category: {_eq: "Fixable"}}) {
-        aggregate {
-          count
-        }
-      }
-    }
+    ...FixReportSummaryFields
   }
 }
-    ${FixDetailsFragmentDoc}`;
+    ${FixReportSummaryFieldsFragmentDoc}`;
+var GetReportFixesDocument = `
+    query GetReportFixes($reportId: uuid!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
+  fixReport(where: {id: {_eq: $reportId}}) {
+    ...FixReportSummaryFields
+  }
+}
+    ${FixReportSummaryFieldsFragmentDoc}`;
 var defaultWrapper = (action, _operationName, _operationType, _variables) => action();
 function getSdk(client, withWrapper = defaultWrapper) {
   return {
@@ -1124,11 +1143,11 @@ function getSdk(client, withWrapper = defaultWrapper) {
     autoPrAnalysis(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: AutoPrAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "autoPrAnalysis", "mutation", variables);
     },
-    GetMCPFixes(variables, requestHeaders, signal) {
-      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetMcpFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetMCPFixes", "query", variables);
-    },
     GetLatestReportByRepoUrl(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: GetLatestReportByRepoUrlDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetLatestReportByRepoUrl", "query", variables);
+    },
+    GetReportFixes(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetReportFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetReportFixes", "query", variables);
     }
   };
 }
@@ -1534,6 +1553,8 @@ function getTagTooltip(tag) {
       return "Issue found in supporting files that don't impact core functionality";
     case "Filtered":
       return "Issue was filtered by user in the Fix Policy";
+    case "SUPPRESSED":
+      return "Suppressed in the scan report";
     default:
       return tag;
   }
@@ -1544,7 +1565,8 @@ var issueDescription = {
   ["FALSE_POSITIVE" /* FalsePositive */]: "The flagged code **does not represent an actual vulnerability within the application's context.** This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application's functionality.",
   ["TEST_CODE" /* TestCode */]: "The flagged code resides in a test-specific path or context. This categorization indicates that **it supports testing scenarios and is isolated from production use**.",
   ["UNFIXABLE" /* Unfixable */]: "The flagged code cannot be fixed",
-  ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application's direct control** and should be addressed by the vendor if necessary."
+  ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application's direct control** and should be addressed by the vendor if necessary.",
+  ["SUPPRESSED" /* Suppressed */]: "Suppressed in the scan report."
 };
 function replaceKeysWithValues(fixDescription, extraContext) {
   let result = fixDescription;
@@ -3925,7 +3947,7 @@ var GetProjectMembersDataZ = z11.object({
         }),
         user: z11.object({
           id: z11.string().uuid(),
-          picture: z11.string().optional(),
+          picture: z11.string().nullable().optional(),
           name: z11.string().nullish(),
           email: z11.string().email()
         })
@@ -10987,7 +11009,7 @@ async function handleMobbLogin({
   const newGqlClient = new GQLClient({ apiKey: newApiToken, type: "apiKey" });
   const loginSuccess = await newGqlClient.verifyToken();
   if (loginSuccess) {
-    debug18("set api token %s", newApiToken);
+    debug18(`set api token ${newApiToken}`);
     config3.set("apiToken", newApiToken);
     loginSpinner.success({
       text: `\u{1F513} Login to Mobb successful! ${typeof loginSpinner === "string" ? `Logged in as ${loginSuccess}` : ""}`
@@ -11146,24 +11168,96 @@ import {
 // src/mcp/Logger.ts
 var logglerUrl = "http://localhost:4444/log";
 var isTestEnvironment = process.env["VITEST"] || process.env["TEST"];
+var CIRCUIT_BREAKER_TIME = 5e3;
+var URL_CHECK_TIMEOUT = 200;
+var MAX_QUEUE_SIZE = 100;
 var Logger = class {
+  constructor() {
+    __publicField(this, "queue", []);
+    __publicField(this, "isProcessing", false);
+    __publicField(this, "isCircuitBroken", false);
+    __publicField(this, "circuitBreakerTimer", null);
+  }
   log(message, level = "info", data) {
+    if (isTestEnvironment) return;
+    if (this.queue.length >= MAX_QUEUE_SIZE) {
+      this.queue.shift();
+    }
+    this.queue.push({ message, level, data });
+    if (!this.isProcessing && !this.isCircuitBroken) {
+      this.processQueue();
+    }
+  }
+  async isUrlReachable(url) {
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), URL_CHECK_TIMEOUT);
+      await fetch(url, {
+        method: "HEAD",
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  async processQueue() {
+    if (this.queue.length === 0 || this.isCircuitBroken) {
+      this.isProcessing = false;
+      return;
+    }
+    this.isProcessing = true;
+    const logEntry = this.queue[0];
+    if (!logEntry) {
+      this.isProcessing = false;
+      return;
+    }
+    const isReachable = await this.isUrlReachable(logglerUrl);
+    if (!isReachable) {
+      this.triggerCircuitBreaker();
+      return;
+    }
     const logMessage = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level,
-      message,
-      data
+      level: logEntry.level,
+      message: logEntry.message,
+      data: logEntry.data
     };
-    if (!isTestEnvironment) {
-      try {
-        fetch(logglerUrl, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify(logMessage)
-        });
-      } catch (error) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+      controller.abort();
+    }, 500);
+    fetch(logglerUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(logMessage),
+      redirect: "error",
+      // do not follow redirects
+      signal: controller.signal
+    }).then((_response) => {
+      this.queue.shift();
+      setTimeout(() => this.processQueue(), 0);
+    }).catch(() => {
+      this.triggerCircuitBreaker();
+    }).finally(() => {
+      clearTimeout(timeoutId);
+    });
+  }
+  triggerCircuitBreaker() {
+    this.isCircuitBroken = true;
+    this.queue = [];
+    this.isProcessing = false;
+    if (this.circuitBreakerTimer) {
+      clearTimeout(this.circuitBreakerTimer);
+    }
+    this.circuitBreakerTimer = setTimeout(() => {
+      this.isCircuitBroken = false;
+      this.circuitBreakerTimer = null;
+      if (this.queue.length > 0 && !this.isProcessing) {
+        this.processQueue();
       }
-    }
+    }, CIRCUIT_BREAKER_TIME);
   }
 };
 var logger = new Logger();
@@ -11171,7 +11265,7 @@ var logInfo = (message, data) => logger.log(message, "info", data);
 var logError = (message, data) => logger.log(message, "error", data);
 var logWarn = (message, data) => logger.log(message, "warn", data);
 var logDebug = (message, data) => logger.log(message, "debug", data);
-var log = logger.log;
+var log = logger.log.bind(logger);
 
 // src/mcp/services/McpGQLClient.ts
 import crypto2 from "crypto";
@@ -11447,24 +11541,6 @@ var McpGQLClient = class {
       throw e;
     }
   }
-  async getReportFixes(fixReportId) {
-    try {
-      logDebug("GraphQL: Calling GetMCPFixes query", { fixReportId });
-      const res = await this.clientSdk.GetMCPFixes({ fixReportId });
-      logInfo("GraphQL: GetMCPFixes successful", {
-        result: res,
-        fixCount: res.fix?.length || 0
-      });
-      return res.fix;
-    } catch (e) {
-      logError("GraphQL: GetMCPFixes failed", {
-        error: e,
-        fixReportId,
-        ...this.getErrorContext()
-      });
-      throw e;
-    }
-  }
   async getUserInfo() {
     const { me } = await this.clientSdk.Me();
     return me;
@@ -11510,15 +11586,21 @@ var McpGQLClient = class {
       return null;
     }
   }
-  async getLatestReportByRepoUrl(repoUrl, limit) {
+  async getLatestReportByRepoUrl({
+    repoUrl,
+    limit = 3,
+    offset = 0
+  }) {
     try {
       logDebug("GraphQL: Calling GetLatestReportByRepoUrl query", {
         repoUrl,
-        limit
+        limit,
+        offset
       });
       const res = await this.clientSdk.GetLatestReportByRepoUrl({
         repoUrl,
-        limit
+        limit,
+        offset
       });
       logInfo("GraphQL: GetLatestReportByRepoUrl successful", {
         result: res,
@@ -11534,6 +11616,56 @@ var McpGQLClient = class {
       throw e;
     }
   }
+  async getReportFixesPaginated({
+    reportId,
+    limit = 3,
+    offset = 0,
+    issueType,
+    severity
+  }) {
+    try {
+      const filters = {};
+      if (issueType && issueType.length > 0) {
+        filters["safeIssueType"] = { _in: issueType };
+      }
+      if (severity && severity.length > 0) {
+        filters["severityText"] = { _in: severity };
+      }
+      logDebug("GraphQL: Calling GetReportFixes query", {
+        reportId,
+        limit,
+        offset,
+        filters,
+        issueType,
+        severity
+      });
+      const res = await this.clientSdk.GetReportFixes({
+        reportId,
+        limit,
+        offset,
+        filters
+      });
+      logInfo("GraphQL: GetReportFixes successful", {
+        result: res,
+        fixCount: res.fixReport?.[0]?.fixes?.length || 0,
+        totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0
+      });
+      if (res.fixReport.length === 0) {
+        return null;
+      }
+      return {
+        fixes: res.fixReport?.[0]?.fixes || [],
+        totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0
+      };
+    } catch (e) {
+      logError("GraphQL: GetReportFixes failed", {
+        error: e,
+        reportId,
+        ...this.getErrorContext()
+      });
+      throw e;
+    }
+  }
 };
 async function openBrowser(url) {
   const now = Date.now();
@@ -11553,7 +11685,7 @@ async function getMcpGQLClient() {
   });
   const isConnected = await inGqlClient.verifyConnection();
   if (!isConnected) {
-    throw new ApiConnectionError("Error: failed to connect to the API");
+    throw new ApiConnectionError("Error: failed to connect to Mobb API");
   }
   const userVerify = await inGqlClient.verifyToken();
   if (userVerify) {
@@ -11596,10 +11728,10 @@ async function getMcpGQLClient() {
   const newGqlClient = new McpGQLClient({ apiKey: newApiToken, type: "apiKey" });
   const loginSuccess = await newGqlClient.verifyToken();
   if (loginSuccess) {
-    logDebug("set api token %s", newApiToken);
+    logDebug(`set api token ${newApiToken}`);
     config4.set("apiToken", newApiToken);
   } else {
-    throw new AuthenticationError("Something went wrong, API token is invalid.");
+    throw new AuthenticationError("Invalid API token");
   }
   return newGqlClient;
 }
@@ -11618,14 +11750,14 @@ var ToolRegistry = class {
     this.tools.set(tool.name, tool);
     logDebug(`Tool registered: ${tool.name}`, {
       toolName: tool.name,
-      description: tool.definition.description
+      description: tool.description
     });
   }
   getTool(name) {
     return this.tools.get(name);
   }
   getAllTools() {
-    return Array.from(this.tools.values()).map((tool) => tool.definition);
+    return Array.from(this.tools.values()).map((tool) => tool.getDefinition());
   }
   getToolNames() {
     return Array.from(this.tools.keys());
@@ -11706,10 +11838,19 @@ var McpServer = class {
   }
   async handleListToolsRequest(request) {
     logInfo("Received list_tools request", { params: request.params });
+    logInfo("Environment", {
+      env: process.env
+    });
+    logInfo("Request", {
+      request: JSON.parse(JSON.stringify(request))
+    });
+    logInfo("Server", {
+      server: this.server
+    });
     void getMcpGQLClient();
-    const tools = this.toolRegistry.getAllTools();
+    const toolsDefinitions = this.toolRegistry.getAllTools();
     const response = {
-      tools: tools.map((tool) => ({
+      tools: toolsDefinitions.map((tool) => ({
         name: tool.name,
         display_name: tool.display_name || tool.name,
         description: tool.description || "",
@@ -11726,6 +11867,15 @@ var McpServer = class {
   async handleCallToolRequest(request) {
     const { name, arguments: args } = request.params;
     logInfo(`Received call tool request for ${name}`, { name, args });
+    logInfo("Environment", {
+      env: process.env
+    });
+    logInfo("Request", {
+      request: JSON.parse(JSON.stringify(request))
+    });
+    logInfo("Server", {
+      server: this.server
+    });
     try {
       const tool = this.toolRegistry.getTool(name);
       if (!tool) {
@@ -11766,11 +11916,7 @@ var McpServer = class {
     logDebug("MCP server handlers registered");
   }
   registerTool(tool) {
-    this.toolRegistry.registerTool({
-      name: tool.name,
-      definition: tool.definition,
-      execute: tool.execute
-    });
+    this.toolRegistry.registerTool(tool);
     logDebug(`Tool registered: ${tool.name}`);
   }
   async start() {
@@ -11848,41 +11994,26 @@ var BaseTool = class {
       name: this.name,
       display_name: this.displayName,
       description: this.description,
-      inputSchema: {
-        type: "object",
-        properties: {
-          path: {
-            type: "string",
-            description: "The path to the local git repository"
-          }
-        },
-        required: ["path"]
-      }
+      inputSchema: this.inputSchema
     };
   }
   async execute(args) {
     logInfo(`Executing tool: ${this.name}`, { args });
+    logInfo(`Authenticating tool: ${this.name}`, { args });
+    const mcpGqlClient = await getMcpGQLClient();
+    const userInfo = await mcpGqlClient.getUserInfo();
+    logDebug("Authenticated", { userInfo });
     const validatedArgs = this.validateInput(args);
     logDebug(`Tool ${this.name} input validation successful`, {
       validatedArgs
     });
-    await this.validateAdditional(validatedArgs);
-    try {
-      const result = await this.executeInternal(validatedArgs);
-      logInfo(`Tool ${this.name} executed successfully`);
-      return result;
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      logError(`Tool ${this.name} execution failed: ${errorMessage}`, {
-        error,
-        args
-      });
-      return this.createErrorResponse(errorMessage);
-    }
+    const result = await this.executeInternal(validatedArgs);
+    logInfo(`Tool ${this.name} executed successfully`);
+    return result;
   }
   validateInput(args) {
     try {
-      return this.inputSchema.parse(args);
+      return this.inputValidationSchema.parse(args);
     } catch (error) {
       if (error instanceof z31.ZodError) {
         const errorDetails = error.errors.map((e) => {
@@ -11896,12 +12027,6 @@ var BaseTool = class {
       throw error;
     }
   }
-  /**
-   * Additional validation that should bubble up as MCP errors
-   * Override this method in subclasses to add custom validation
-   */
-  async validateAdditional(_validatedArgs) {
-  }
   createSuccessResponse(text) {
     return {
       content: [
@@ -11912,25 +12037,27 @@ var BaseTool = class {
       ]
     };
   }
-  createErrorResponse(error) {
-    return {
-      content: [
-        {
-          type: "text",
-          text: error
-        }
-      ]
-    };
-  }
 };
 
-// src/mcp/tools/base/prompts.ts
+// src/mcp/core/prompts.ts
 function frienlyType(s) {
   const withoutUnderscores = s.replace(/_/g, " ");
   const result = withoutUnderscores.replace(/([a-z])([A-Z])/g, "$1 $2");
   return result.charAt(0).toUpperCase() + result.slice(1);
 }
-var applyFixesPrompt = (fixes) => {
+var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
+`;
+var applyFixesPrompt = ({
+  fixes,
+  hasMore,
+  totalCount,
+  nextOffset,
+  shownCount,
+  currentTool
+}) => {
+  if (fixes.length === 0) {
+    return noFixesReturnedForParameters;
+  }
   const fixList = fixes.map((fix) => {
     const vulnerabilityType = frienlyType(fix.safeIssueType);
     const vulnerabilityDescription = fix.patchAndQuestions?.__typename === "FixData" ? fix.patchAndQuestions.extraContext?.fixDescription : void 0;
@@ -12007,10 +12134,22 @@ ${fix.patch || "No patch available"}
 - Do NOT ask for permission
 - Explain what you did AFTER applying the patches
 - If any patch fails, continue with the others and report issues at the end
+
+${hasMore ? `---
+
+## More Fixes Available (${totalCount - nextOffset} remaining)
+
+You have viewed ${shownCount} out of ${totalCount} available fixes.
+
+To fetch additional fixes, run the \`${currentTool}\` tool again with the following parameters:
+
+- **offset**: ${nextOffset}  _(start index for the next batch)_
+- **limit**:  <number_of_fixes_to_return>  _(optional \u2013 default is 3)_
+
+If you omit both **offset** and **limit**, the command will automatically return the next 3 fixes.
+` : ""}
 `;
 };
-
-// src/mcp/tools/checkForAvailableFixes/helpers/AvailableFixesResponsePrompts.ts
 var noReportFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN STATUS**
 
 ## No Vulnerability Report Found
@@ -12036,34 +12175,19 @@ We were unable to find a previous vulnerability report for this repository. This
    - Confirm the repository URL matches your remote origin
    - Verify the URL format is correct (e.g., https://github.com/org/repo)
 
-### \u{1F680} Next Steps
-To get started with security scanning:
-1. Run \`fix_vulnerabilities\` to perform a new scan
-2. Review the results and apply any suggested fixes
-3. Set up regular scanning to maintain security
-
-### \u{1F4A1} Additional Information
-- New scans typically take a few minutes to complete
-- You'll receive detailed results including:
-  - Vulnerability types and severities
-  - Specific code locations
-  - Recommended fixes
-  - Security best practices
-
 For assistance, please:
 - Visit our documentation at https://docs.mobb.ai
 - Contact support at support@mobb.ai`;
-var noFixesFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN STATUS**
-
-## No Available Fixes Found
-
-We've analyzed your repository but found no automated fixes available at this time.
+var noFixesAvailablePrompt = `There are no fixes available for this repository at this time.
 `;
-var fixesFoundPrompt = (fixReport) => {
-  if (fixReport.fixes_aggregate.aggregate?.count === 0) {
-    return noFixesFoundPrompt;
+var fixesFoundPrompt = ({
+  fixReport,
+  offset
+}) => {
+  const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
+  if (totalFixes === 0) {
+    return noFixesAvailablePrompt;
   }
-  const totalFixes = fixReport.fixes_aggregate.aggregate?.count || 0;
   const criticalFixes = fixReport.CRITICAL?.aggregate?.count || 0;
   const highFixes = fixReport.HIGH?.aggregate?.count || 0;
   const mediumFixes = fixReport.MEDIUM?.aggregate?.count || 0;
@@ -12073,6 +12197,9 @@ var fixesFoundPrompt = (fixReport) => {
   ).toLocaleString();
   const vendor = fixReport.vulnerabilityReport?.vendor || "Unknown";
   const reportUrl = "";
+  const shownCount = fixReport.fixes.length;
+  const nextOffset = offset + shownCount;
+  const hasMore = nextOffset < totalFixes;
   return `\u{1F50D} **MOBB SECURITY SCAN RESULTS**
 
 ## \u{1F4CA} Scan Report Summary
@@ -12090,15 +12217,61 @@ Total number of fixes available: **${totalFixes}**
 - \u{1F534} Critical: ${criticalFixes}
 - \u{1F7E0} High: ${highFixes}
 - \u{1F7E1} Medium: ${mediumFixes}
-- \uFFFD\uFFFD Low: ${lowFixes}
+- \u{1F7E2} Low: ${lowFixes}
+
+${applyFixesPrompt({
+    fixes: fixReport.fixes,
+    totalCount: totalFixes,
+    hasMore,
+    nextOffset: 0,
+    shownCount: fixReport.fixes.length,
+    currentTool: "check_for_available_fixes"
+  })}`;
+};
+var noFixesFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN COMPLETED** 
+
+Mobb security scan completed successfully but found no automated fixes available at this time.
+`;
+var fixesPrompt = ({
+  fixes,
+  totalCount,
+  offset
+}) => {
+  if (totalCount === 0) {
+    return noFixesFoundPrompt;
+  }
+  const shownCount = fixes.length;
+  const nextOffset = offset + shownCount;
+  const hasMore = nextOffset < totalCount;
+  return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
+
+${applyFixesPrompt({
+    fixes,
+    totalCount,
+    hasMore,
+    nextOffset,
+    shownCount,
+    currentTool: "fix_vulnerabilities"
+  })}
+
+### \u{1F504} Running a Fresh Scan
+
+To perform a **rescan** of your repository (fetching a brand-new vulnerability report and updated fixes), include the additional parameter:
+
+- **isRescan**: true
+
+This will start a new analysis, discard any cached results.
+
+\u26A0\uFE0F *Note:* A full rescan may take longer to complete than simply fetching additional fixes because your repository is re-uploaded and re-analyzed from scratch.
 
-${applyFixesPrompt(fixReport.fixes)}`;
+`;
 };
 
 // src/mcp/tools/checkForAvailableFixes/AvailableFixesService.ts
 var AvailableFixesService = class {
   constructor() {
     __publicField(this, "gqlClient", null);
+    __publicField(this, "currentOffset", 0);
   }
   async initializeGqlClient() {
     if (!this.gqlClient) {
@@ -12106,13 +12279,30 @@ var AvailableFixesService = class {
     }
     return this.gqlClient;
   }
-  async checkForAvailableFixes(repoUrl, limit) {
+  async checkForAvailableFixes({
+    repoUrl,
+    limit = 3,
+    offset = 0
+  }) {
     try {
       logDebug("Checking for available fixes", { repoUrl, limit });
       const gqlClient = await this.initializeGqlClient();
       logDebug("GQL client initialized");
       logDebug("querying for latest report", { repoUrl, limit });
-      const result = await gqlClient.getLatestReportByRepoUrl(repoUrl, limit);
+      let effectiveOffset;
+      if (offset !== void 0) {
+        effectiveOffset = offset;
+      } else if (this.currentOffset) {
+        effectiveOffset = this.currentOffset ?? 0;
+      } else {
+        effectiveOffset = 0;
+      }
+      logDebug("effectiveOffset", { test: "j", effectiveOffset });
+      const result = await gqlClient.getLatestReportByRepoUrl({
+        repoUrl,
+        limit,
+        offset: effectiveOffset
+      });
       logDebug("received latest report result", { result });
       if (!result) {
         logInfo("No report found for repository", { repoUrl });
@@ -12121,7 +12311,11 @@ var AvailableFixesService = class {
       logInfo("Successfully retrieved available fixes", {
         reportFound: true
       });
-      return fixesFoundPrompt(result);
+      this.currentOffset = effectiveOffset + (result.fixes?.length || 0);
+      return fixesFoundPrompt({
+        fixReport: result,
+        offset: this.currentOffset
+      });
     } catch (error) {
       logError("Failed to check for available fixes", {
         error,
@@ -12139,29 +12333,31 @@ var CheckForAvailableFixesTool = class extends BaseTool {
     __publicField(this, "name", "check_for_available_fixes");
     __publicField(this, "displayName", "Check for Available Fixes");
     __publicField(this, "description", "Checks if there are any available fixes for vulnerabilities in the project");
-    __publicField(this, "inputSchema", z32.object({
-      path: z32.string().describe("Path to the project directory to check for available fixes"),
-      files: z32.array(z32.string()).optional().describe("Optional list of specific files to check"),
-      severity: z32.array(z32.string()).optional().describe("Optional list of severity levels to filter by"),
-      issueTypes: z32.array(z32.string()).optional().describe("Optional list of issue types to filter by"),
-      limit: z32.number().optional().describe("Optional maximum number of results to return")
-    }));
-  }
-  getJsonSchema() {
-    return {
+    __publicField(this, "inputSchema", {
       type: "object",
       properties: {
         path: {
           type: "string",
-          description: "Path to the project directory to check for available fixes"
+          description: "Path to the local git repository to check for available fixes"
+        },
+        offset: {
+          type: "number",
+          description: "[Optional] offset for pagination"
         },
         limit: {
           type: "number",
-          description: "Optional maximum number of results to return"
+          description: "[Optional] maximum number of results to return"
         }
       },
       required: ["path"]
-    };
+    });
+    __publicField(this, "inputValidationSchema", z32.object({
+      path: z32.string().describe(
+        "Path to the local git repository to check for available fixes"
+      ),
+      offset: z32.number().optional().describe("Optional offset for pagination"),
+      limit: z32.number().optional().describe("Optional maximum number of fixes to return")
+    }));
   }
   async executeInternal(args) {
     const pathValidation = new PathValidation();
@@ -12185,10 +12381,11 @@ var CheckForAvailableFixesTool = class extends BaseTool {
       throw new Error("No origin URL found for the repository");
     }
     const availableFixesService = new AvailableFixesService();
-    const fixResult = await availableFixesService.checkForAvailableFixes(
-      originUrl,
-      args.limit
-    );
+    const fixResult = await availableFixesService.checkForAvailableFixes({
+      repoUrl: originUrl,
+      limit: args.limit,
+      offset: args.offset
+    });
     logInfo("CheckForAvailableFixesTool execution completed successfully", {
       fixResult
     });
@@ -12203,6 +12400,9 @@ var CheckForAvailableFixesTool = class extends BaseTool {
   }
 };
 
+// src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
+import z33 from "zod";
+
 // src/mcp/services/FilePacking.ts
 import fs10 from "fs";
 import path12 from "path";
@@ -12243,158 +12443,62 @@ var FilePacking = class {
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/helpers/FixVulnerabilitiesResponsePrompts.ts
-var noFixesFoundPrompt2 = `\u{1F389} **MOBB SECURITY SCAN COMPLETED SUCCESSFULLY** \u{1F389}
-
-## Congratulations! No Vulnerabilities Found
-
-Your code has been thoroughly analyzed by Mobb's advanced security scanning engine, and we're pleased to report that **no security vulnerabilities were detected** in your codebase.
-
-### \u{1F6E1}\uFE0F What This Means
-- Your code follows secure coding practices
-- No immediate security risks were identified
-- Your application appears to be well-protected against common vulnerabilities
-
-### \u2705 Scan Summary
-- **Status:** Complete
-- **Vulnerabilities Found:** 0
-- **Security Rating:** Excellent
-- **Action Required:** None
-
-### \u{1F680} Next Steps
-While no vulnerabilities were found in this scan:
-1. **Keep up the great work** with secure coding practices
-2. **Run regular scans** as your codebase evolves
-3. **Stay updated** with the latest security best practices
-4. **Consider periodic security reviews** for ongoing protection
-
-### \u{1F4CA} Scan Details
-This scan analyzed your code for common security issues including:
-- SQL Injection vulnerabilities
-- Cross-Site Scripting (XSS) flaws
-- Authentication and authorization issues
-- Input validation problems
-- And many other security concerns
-
-**Well done on maintaining a secure codebase!** \u{1F3C6}`;
-var fixesPrompt = (fixes) => {
-  const fix = fixes[0];
-  if (!fix) {
-    return noFixesFoundPrompt2;
-  }
-  return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
-
-${applyFixesPrompt(fixes)}  `;
-};
-var failedToConnectToApiPrompt = `# CONNECTION ERROR: FAILED TO REACH MOBB API
-
-## ANALYSIS SUMMARY
-- **Status:** \u274C Failed
-- **Issue Type:** Connection Error
-- **Error Details:** Unable to establish connection to the Mobb API service
-
-## TROUBLESHOOTING STEPS FOR THE USER
-
-The Mobb security scanning service is currently not reachable. This may be due to:
-
-1. **Missing or invalid authentication credentials**
-   - Ensure the \`API_KEY\` environment variable is properly set with your valid Mobb authentication token
-   - Example: \`export API_KEY=your_mobb_api_key_here\`
-
-2. **Incorrect API endpoint configuration**
-   - Check if the \`API_URL\` environment variable needs to be set to the correct Mobb service endpoint
-   - Example: \`export API_URL=https://api.mobb.ai/graphql\`
-
-3. **Network connectivity issues**
-   - Verify your internet connection is working properly
-   - Check if any firewall or proxy settings might be blocking the connection
-
-4. **Service outage**
-   - The Mobb service might be temporarily unavailable
-   - Please try again later or check the Mobb status page
-
-## NEXT STEPS
-
-Please resolve the connection issue using the steps above and try running the security scan again.
-
-For additional assistance, please:
-- Visit the Mobb documentation at https://docs.mobb.ai
-- Contact Mobb support at support@mobb.ai
-
-`;
-var failedToAuthenticatePrompt = `# AUTHENTICATION ERROR: MOBB LOGIN REQUIRED
-
-## ANALYSIS SUMMARY
-- **Status:** \u274C Failed
-- **Issue Type:** Authentication Error
-- **Error Details:** Unable to authenticate with the Mobb service
-
-## AUTHENTICATION REQUIRED
-
-The Mobb security scanning service requires authentication before it can analyze your code for vulnerabilities. You need to:
-
-1. **Login and authorize access to Mobb**
-   - A browser window should have opened to complete the authentication process
-   - If no browser window opened, please run the command again
-
-2. **Create a Mobb account if you don't have one**
-   - If you don't already have a Mobb account, you'll need to sign up
-   - Visit https://app.mobb.ai/auth/signup to create your free account
-   - Use your work email for easier team collaboration
-
-3. **Authorization flow**
-   - After logging in, you'll be asked to authorize the CLI tool
-   - This creates a secure token that allows the CLI to access Mobb services
-   - You only need to do this once per device
-
-## TROUBLESHOOTING
-
-If you're experiencing issues with authentication:
-
-- Ensure you have an active internet connection
-- Check that you can access https://app.mobb.ai in your browser
-- Try running the command again with the \`--debug\` flag for more detailed output
-- Make sure your browser isn't blocking pop-ups from the authentication window
-
-## NEXT STEPS
-
-Please complete the authentication process and try running the security scan again.
-
-For additional assistance, please:
-- Visit the Mobb documentation at https://docs.mobb.ai/cli/authentication
-- Contact Mobb support at support@mobb.ai
-
-`;
-
 // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesService.ts
 var VUL_REPORT_DIGEST_TIMEOUT_MS2 = 1e3 * 60 * 5;
 var VulnerabilityFixService = class {
   constructor() {
     __publicField(this, "gqlClient");
     __publicField(this, "filePacking");
+    /**
+     * Stores the fix report id that is created on the first run so that subsequent
+     * calls can skip the expensive packing/uploading/scan flow and directly fetch
+     * the analysis results.
+     */
+    __publicField(this, "storedFixReportId");
+    __publicField(this, "currentOffset", 0);
     this.filePacking = new FilePacking();
   }
-  async processVulnerabilities(fileList, repositoryPath) {
+  async processVulnerabilities({
+    fileList,
+    repositoryPath,
+    offset,
+    limit,
+    isRescan = false
+  }) {
     try {
-      this.validateFiles(fileList);
       this.gqlClient = await this.initializeGqlClient();
-      const repoUploadInfo = await this.initializeReport();
-      const zipBuffer = await this.packFiles(fileList, repositoryPath);
-      await this.uploadFiles(zipBuffer, repoUploadInfo);
-      const projectId = await this.getProjectId();
-      await this.runScan({
-        fixReportId: repoUploadInfo.fixReportId,
-        projectId
-      });
-      const fixes = await this.getReportFixes(repoUploadInfo.fixReportId);
-      return fixesPrompt(fixes);
-    } catch (error) {
-      if (error instanceof ApiConnectionError || error instanceof CliLoginError) {
-        return failedToConnectToApiPrompt;
+      let fixReportId = this.storedFixReportId;
+      if (!fixReportId || isRescan) {
+        this.validateFiles(fileList);
+        const repoUploadInfo = await this.initializeReport();
+        fixReportId = repoUploadInfo.fixReportId;
+        this.storedFixReportId = fixReportId;
+        const zipBuffer = await this.packFiles(fileList, repositoryPath);
+        await this.uploadFiles(zipBuffer, repoUploadInfo);
+        const projectId = await this.getProjectId();
+        await this.runScan({ fixReportId, projectId });
       }
-      if (error instanceof AuthenticationError || error instanceof FailedToGetApiTokenError) {
-        return failedToAuthenticatePrompt;
+      let effectiveOffset;
+      if (offset !== void 0) {
+        effectiveOffset = offset;
+      } else if (fixReportId) {
+        effectiveOffset = this.currentOffset ?? 0;
+      } else {
+        effectiveOffset = 0;
       }
+      logDebug("effectiveOffset", { effectiveOffset });
+      const fixes = await this.getReportFixes(
+        fixReportId,
+        effectiveOffset,
+        limit
+      );
+      this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
+      return fixesPrompt({
+        fixes: fixes.fixes,
+        totalCount: fixes.totalCount,
+        offset: effectiveOffset
+      });
+    } catch (error) {
       const message = error.message;
       logError("Vulnerability processing failed", { error: message });
       throw error;
@@ -12483,7 +12587,7 @@ var VulnerabilityFixService = class {
       projectId,
       repoUrl: "",
       reference: "no-branch",
-      scanSource: "CLI" /* Cli */
+      scanSource: "MCP" /* Mcp */
     };
     logInfo("Submitting vulnerability report");
     const submitRes = await this.gqlClient.submitVulnerabilityReport(
@@ -12510,34 +12614,63 @@ var VulnerabilityFixService = class {
     });
     logInfo("Analysis subscription completed");
   }
-  async getReportFixes(fixReportId) {
+  async getReportFixes(fixReportId, offset, limit) {
+    logDebug("getReportFixes", { fixReportId, offset, limit });
     if (!this.gqlClient) {
       throw new GqlClientError();
     }
-    const fixes = await this.gqlClient.getReportFixes(fixReportId);
-    logInfo("Fixes retrieved", { fixCount: fixes.length });
-    return fixes;
+    const fixes = await this.gqlClient.getReportFixesPaginated({
+      reportId: fixReportId,
+      offset,
+      limit
+    });
+    logInfo("Fixes retrieved", { fixCount: fixes?.fixes?.length });
+    return {
+      fixes: fixes?.fixes || [],
+      totalCount: fixes?.totalCount || 0
+    };
   }
 };
 
 // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
-var FixVulnerabilitiesTool = class {
+var FixVulnerabilitiesTool = class extends BaseTool {
   constructor() {
+    super(...arguments);
     __publicField(this, "name", "fix_vulnerabilities");
-    __publicField(this, "display_name", "fix_vulnerabilities");
+    __publicField(this, "displayName", "Fix Vulnerabilities");
     __publicField(this, "description", "Scans the current code changes and returns fixes for potential vulnerabilities");
+    __publicField(this, "inputValidationSchema", z33.object({
+      path: z33.string().describe(
+        "Path to the local git repository to check for available fixes"
+      ),
+      offset: z33.number().optional().describe("Optional offset for pagination"),
+      limit: z33.number().optional().describe("Optional maximum number of results to return"),
+      rescan: z33.boolean().optional().describe("Optional whether to rescan the repository")
+    }));
     __publicField(this, "inputSchema", {
       type: "object",
       properties: {
         path: {
           type: "string",
-          description: "The path to the local git repository"
+          description: "Path to the project directory to check for available fixes"
+        },
+        offset: {
+          type: "number",
+          description: "[Optional] offset for pagination"
+        },
+        limit: {
+          type: "number",
+          description: "[Optional] maximum number of results to return"
+        },
+        rescan: {
+          type: "boolean",
+          description: "[Optional] whether to rescan the repository"
         }
       },
       required: ["path"]
     });
   }
-  async execute(args) {
+  async executeInternal(args) {
     logInfo("Executing tool: fix_vulnerabilities", { path: args.path });
     if (!args.path) {
       throw new Error("Invalid arguments: Missing required parameter 'path'");
@@ -12597,10 +12730,13 @@ var FixVulnerabilitiesTool = class {
     }
     try {
       const vulnerabilityFixService = new VulnerabilityFixService();
-      const fixResult = await vulnerabilityFixService.processVulnerabilities(
-        files,
-        args.path
-      );
+      const fixResult = await vulnerabilityFixService.processVulnerabilities({
+        fileList: files,
+        repositoryPath: args.path,
+        offset: args.offset,
+        limit: args.limit,
+        isRescan: args.rescan
+      });
       const result = {
         content: [
           {
@@ -12640,28 +12776,22 @@ function createMcpServer() {
     name: "mobb-mcp",
     version: "1.0.0"
   });
+  const enabledToolsEnv = process.env["TOOLS_ENABLED"];
+  const enabledToolsSet = enabledToolsEnv ? new Set(
+    enabledToolsEnv.split(",").map((t) => t.trim()).filter((t) => t.length > 0)
+  ) : null;
+  const registerIfEnabled = (tool) => {
+    if (!enabledToolsSet || enabledToolsSet.has(tool.name)) {
+      server.registerTool(tool);
+      logDebug(`Registered tool: ${tool.name}`);
+    } else {
+      logDebug(`Skipping tool (disabled): ${tool.name}`);
+    }
+  };
   const fixVulnerabilitiesTool = new FixVulnerabilitiesTool();
   const checkForAvailableFixesTool = new CheckForAvailableFixesTool();
-  server.registerTool({
-    name: fixVulnerabilitiesTool.name,
-    definition: {
-      name: fixVulnerabilitiesTool.name,
-      display_name: fixVulnerabilitiesTool.display_name,
-      description: fixVulnerabilitiesTool.description,
-      inputSchema: fixVulnerabilitiesTool.inputSchema
-    },
-    execute: (args) => fixVulnerabilitiesTool.execute(args)
-  });
-  server.registerTool({
-    name: checkForAvailableFixesTool.name,
-    definition: {
-      name: checkForAvailableFixesTool.name,
-      display_name: checkForAvailableFixesTool.displayName,
-      description: checkForAvailableFixesTool.description,
-      inputSchema: checkForAvailableFixesTool.getJsonSchema()
-    },
-    execute: (args) => checkForAvailableFixesTool.execute(args)
-  });
+  registerIfEnabled(fixVulnerabilitiesTool);
+  registerIfEnabled(checkForAvailableFixesTool);
   logInfo("MCP server created and configured");
   return server;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.102",
+  "version": "1.0.104",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",