mobbdev 1.0.106 → 1.0.107

package/dist/index.mjs

@@ -1062,19 +1062,33 @@ var AutoPrAnalysisDocument = `
 var GetLatestReportByRepoUrlDocument = `
     query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
   fixReport(
-    where: {repo: {originalUrl: {_eq: $repoUrl}}}
+    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Finished}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
     ...FixReportSummaryFields
   }
+  expiredReport: fixReport(
+    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Expired}}]}
+    order_by: {createdOn: desc}
+    limit: 1
+  ) {
+    id
+    expirationOn
+  }
 }
     ${FixReportSummaryFieldsFragmentDoc}`;
 var GetReportFixesDocument = `
     query GetReportFixes($reportId: uuid!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
-  fixReport(where: {id: {_eq: $reportId}}) {
+  fixReport(where: {_and: [{id: {_eq: $reportId}}, {state: {_eq: Finished}}]}) {
     ...FixReportSummaryFields
   }
+  expiredReport: fixReport(
+    where: {_and: [{id: {_eq: $reportId}}, {state: {_eq: Expired}}]}
+  ) {
+    id
+    expirationOn
+  }
 }
     ${FixReportSummaryFieldsFragmentDoc}`;
 var defaultWrapper = (action, _operationName, _operationType, _variables) => action();
@@ -4824,7 +4838,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin2 = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path13 = [
+      const path14 = [
         prefixPath,
         owner,
         projectName,
@@ -4835,7 +4849,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path13}?${params2}`, origin2).toString();
+      return new URL(`${path14}?${params2}`, origin2).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -5492,7 +5506,6 @@ var GitService = class {
           date: "%ai",
           message: "%s",
           //the field name author_name can't follow the naming convention as we are using the git log command
-          // eslint-disable-next-line @typescript-eslint/naming-convention
           author_name: "%an"
         }
       });
@@ -6874,14 +6887,14 @@ function getGithubSdk(params = {}) {
       };
     },
     async getGithubBlameRanges(params2) {
-      const { ref, gitHubUrl, path: path13 } = params2;
+      const { ref, gitHubUrl, path: path14 } = params2;
       const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
       const res = await octokit.graphql(
         GET_BLAME_DOCUMENT,
         {
           owner,
           repo,
-          path: path13,
+          path: path14,
           ref
         }
       );
@@ -7190,11 +7203,11 @@ var GithubSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path13) {
+  async getRepoBlameRanges(ref, path14) {
     this._validateUrl();
     return await this.githubSdk.getGithubBlameRanges({
       ref,
-      path: path13,
+      path: path14,
       gitHubUrl: this.url
     });
   }
@@ -7600,13 +7613,13 @@ function parseGitlabOwnerAndRepo(gitlabUrl) {
   const { organization, repoName, projectPath } = parsingResult;
   return { owner: organization, repo: repoName, projectPath };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path13 }, options) {
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path14 }, options) {
   const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
   const api2 = getGitBeaker({
     url: gitlabUrl,
     gitlabAuthToken: options?.gitlabAuthToken
   });
-  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path13, ref);
+  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path14, ref);
   let lineNumber = 1;
   return resp.filter((range) => range.lines).map((range) => {
     const oldLineNumber = lineNumber;
@@ -7782,10 +7795,10 @@ var GitlabSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path13) {
+  async getRepoBlameRanges(ref, path14) {
     this._validateUrl();
     return await getGitlabBlameRanges(
-      { ref, path: path13, gitlabUrl: this.url },
+      { ref, path: path14, gitlabUrl: this.url },
       {
         url: this.url,
         gitlabAuthToken: this.accessToken
@@ -8784,7 +8797,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path13,
+    path: path14,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -8799,7 +8812,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path13,
+    path: path14,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -8833,7 +8846,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path13,
+    path: path14,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -8851,7 +8864,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path13,
+    path: path14,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -11222,7 +11235,8 @@ var Logger = class {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level: logEntry.level,
       message: logEntry.message,
-      data: logEntry.data
+      data: logEntry.data,
+      version: packageJson.version
     };
     const controller = new AbortController();
     const timeoutId = setTimeout(() => {
@@ -11279,7 +11293,7 @@ import { v4 as uuidv42 } from "uuid";
 var DEFAULT_API_URL2 = "https://api.mobb.ai/v1/graphql";
 var API_KEY_HEADER_NAME2 = "x-mobb-key";
 
-// src/mcp/tools/fixVulnerabilities/errors/VulnerabilityFixErrors.ts
+// src/mcp/core/Errors.ts
 var ApiConnectionError = class extends Error {
   constructor(message = "Failed to connect to the API") {
     super(message);
@@ -11354,6 +11368,7 @@ var McpGQLClient = class {
     __publicField(this, "_auth");
     this._auth = args;
     const API_URL2 = process.env["API_URL"] || DEFAULT_API_URL2;
+    logDebug("creating graphql client", { API_URL: API_URL2, args });
     this.client = new GraphQLClient2(API_URL2, {
       headers: args.type === "apiKey" ? { [API_KEY_HEADER_NAME2]: args.apiKey || "" } : {
         Authorization: `Bearer ${args.token}`
@@ -11385,11 +11400,13 @@ var McpGQLClient = class {
     try {
       logDebug("GraphQL: Calling Me query for connection verification");
       const result = await this.clientSdk.Me();
-      logInfo("GraphQL: Me query successful", { result });
+      logDebug("GraphQL: Me query successful", { result });
       return true;
     } catch (e) {
-      if (e?.toString().includes("FetchError")) {
-        logError("verify connection failed %o", e);
+      const error = e;
+      logDebug(`verify connection failed ${error.toString()}`);
+      if (error?.toString().includes("FetchError")) {
+        logError("verify connection failed", { error });
         return false;
       }
     }
@@ -11606,7 +11623,10 @@ var McpGQLClient = class {
         result: res,
         reportCount: res.fixReport?.length || 0
       });
-      return res.fixReport?.[0] || null;
+      return {
+        fixReport: res.fixReport?.[0] || null,
+        expiredReport: res.expiredReport?.[0] || null
+      };
     } catch (e) {
       logError("GraphQL: GetLatestReportByRepoUrl failed", {
         error: e,
@@ -11655,7 +11675,8 @@ var McpGQLClient = class {
       }
       return {
         fixes: res.fixReport?.[0]?.fixes || [],
-        totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0
+        totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,
+        expiredReport: res.expiredReport?.[0] || null
       };
     } catch (e) {
       logError("GraphQL: GetReportFixes failed", {
@@ -11680,17 +11701,21 @@ async function openBrowser(url) {
 async function getMcpGQLClient() {
   logDebug("getting config", { apiToken: config4.get("apiToken") });
   const inGqlClient = new McpGQLClient({
-    apiKey: config4.get("apiToken") || process.env["API_KEY"] || "",
+    apiKey: process.env["MOBB_API_KEY"] || process.env["API_KEY"] || // fallback for backward compatibility
+    config4.get("apiToken") || "",
     type: "apiKey"
   });
   const isConnected = await inGqlClient.verifyConnection();
+  logDebug("isConnected", { isConnected });
   if (!isConnected) {
     throw new ApiConnectionError("Error: failed to connect to Mobb API");
   }
+  logDebug("verifying token");
   const userVerify = await inGqlClient.verifyToken();
   if (userVerify) {
     return inGqlClient;
   }
+  logDebug("verifying token failed");
   const { publicKey, privateKey } = crypto2.generateKeyPairSync("rsa", {
     modulusLength: 2048
   });
@@ -11838,15 +11863,9 @@ var McpServer = class {
   }
   async handleListToolsRequest(request) {
     logInfo("Received list_tools request", { params: request.params });
-    logInfo("Environment", {
-      env: process.env
-    });
     logInfo("Request", {
       request: JSON.parse(JSON.stringify(request))
     });
-    logInfo("Server", {
-      server: this.server
-    });
     void getMcpGQLClient();
     const toolsDefinitions = this.toolRegistry.getAllTools();
     const response = {
@@ -11867,15 +11886,9 @@ var McpServer = class {
   async handleCallToolRequest(request) {
     const { name, arguments: args } = request.params;
     logInfo(`Received call tool request for ${name}`, { name, args });
-    logInfo("Environment", {
-      env: process.env
-    });
     logInfo("Request", {
       request: JSON.parse(JSON.stringify(request))
     });
-    logInfo("Server", {
-      server: this.server
-    });
     try {
       const tool = this.toolRegistry.getTool(name);
       if (!tool) {
@@ -11938,53 +11951,71 @@ var McpServer = class {
   }
 };
 
-// src/mcp/tools/checkForAvailableFixes/AvailableFixesTool.ts
+// src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesTool.ts
 import { z as z32 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs9 from "fs";
 import path11 from "path";
-var PathValidation = class {
-  /**
-   * Validates a path for MCP usage - combines security and existence checks
-   */
-  async validatePath(inputPath) {
-    logDebug("Validating MCP path", { inputPath });
-    if (inputPath.includes("..")) {
-      const error = `Path contains path traversal patterns: ${inputPath}`;
-      logError(error);
-      return { isValid: false, error };
-    }
-    const normalizedPath = path11.normalize(inputPath);
-    if (normalizedPath.includes("..")) {
-      const error = `Normalized path contains path traversal patterns: ${inputPath}`;
-      logError(error);
-      return { isValid: false, error };
-    }
-    const decodedPath = decodeURIComponent(inputPath);
-    if (decodedPath.includes("..") || decodedPath !== inputPath) {
-      const error = `Path contains encoded traversal attempts: ${inputPath}`;
-      logError(error);
-      return { isValid: false, error };
-    }
-    if (inputPath.includes("\0") || inputPath.includes("\0")) {
-      const error = `Path contains dangerous characters: ${inputPath}`;
+async function validatePath(inputPath) {
+  logDebug("Validating MCP path", { inputPath });
+  if (inputPath === ".") {
+    if (process.env["WORKSPACE_FOLDER_PATHS"]) {
+      logDebug("Fallback to workspace folder path", {
+        inputPath,
+        workspaceFolderPaths: process.env["WORKSPACE_FOLDER_PATHS"]
+      });
+      return {
+        isValid: true,
+        path: process.env["WORKSPACE_FOLDER_PATHS"]
+      };
+    } else {
+      const error = `"." is not a valid path, please provide a full localpath to the repository`;
       logError(error);
-      return { isValid: false, error };
-    }
-    logDebug("Path validation successful", { inputPath });
-    logDebug("Checking path existence", { inputPath });
-    try {
-      await fs9.promises.access(inputPath);
-      logDebug("Path exists and is accessible", { inputPath });
-      return { isValid: true };
-    } catch (error) {
-      const errorMessage = `Path does not exist or is not accessible: ${inputPath}`;
-      logError(errorMessage, { error });
-      return { isValid: false, error: errorMessage };
+      return { isValid: false, error, path: inputPath };
     }
   }
-};
+  if (inputPath.includes("..")) {
+    const error = `Path contains path traversal patterns: ${inputPath}`;
+    logError(error);
+    return { isValid: false, error, path: inputPath };
+  }
+  const normalizedPath = path11.normalize(inputPath);
+  if (normalizedPath.includes("..")) {
+    const error = `Normalized path contains path traversal patterns: ${inputPath}`;
+    logError(error);
+    return { isValid: false, error, path: inputPath };
+  }
+  let decodedPath;
+  try {
+    decodedPath = decodeURIComponent(inputPath);
+  } catch (err) {
+    const error = `Failed to decode path: ${inputPath}`;
+    logError(error, { err });
+    return { isValid: false, error, path: inputPath };
+  }
+  if (decodedPath.includes("..") || decodedPath !== inputPath) {
+    const error = `Path contains encoded traversal attempts: ${inputPath}`;
+    logError(error);
+    return { isValid: false, error, path: inputPath };
+  }
+  if (inputPath.includes("\0") || inputPath.includes("\0")) {
+    const error = `Path contains dangerous characters: ${inputPath}`;
+    logError(error);
+    return { isValid: false, error, path: inputPath };
+  }
+  logDebug("Path validation successful", { inputPath });
+  logDebug("Checking path existence", { inputPath });
+  try {
+    await fs9.promises.access(inputPath);
+    logDebug("Path exists and is accessible", { inputPath });
+    return { isValid: true, path: inputPath };
+  } catch (error) {
+    const errorMessage = `Path does not exist or is not accessible: ${inputPath}`;
+    logError(errorMessage, { error });
+    return { isValid: false, error: errorMessage, path: inputPath };
+  }
+}
 
 // src/mcp/tools/base/BaseTool.ts
 import { z as z31 } from "zod";
@@ -12053,7 +12084,8 @@ var applyFixesPrompt = ({
   totalCount,
   nextOffset,
   shownCount,
-  currentTool
+  currentTool,
+  offset = 0
 }) => {
   if (fixes.length === 0) {
     return noFixesReturnedForParameters;
@@ -12111,7 +12143,7 @@ If you cannot apply a patch:
 
 ${fixList.map(
     (fix, index) => `
-## Fix ${index + 1}: ${fix.vulnerabilityType}
+## Fix ${offset + index + 1}: ${fix.vulnerabilityType}
 
 **\u{1F3AF} Target:** Apply this patch to fix a ${fix.vulnerabilityType.toLowerCase()} vulnerability
 
@@ -12164,7 +12196,7 @@ We were unable to find a previous vulnerability report for this repository. This
 
 ### \u{1F3AF} Recommended Actions
 1. **Run a new security scan** to analyze your codebase
-   - Use the \`fix_vulnerabilities\` tool to start a fresh scan
+   - Use the \`scan_and_fix_vulnerabilities\` tool to start a fresh scan
    - This will analyze your current code for security issues
 
 2. **Verify repository access**
@@ -12178,6 +12210,27 @@ We were unable to find a previous vulnerability report for this repository. This
 For assistance, please:
 - Visit our documentation at https://docs.mobb.ai
 - Contact support at support@mobb.ai`;
+var expiredReportPrompt = ({
+  lastReportDate
+}) => `\u{1F50D} **MOBB SECURITY SCAN STATUS**
+
+## Out-of-Date Vulnerability Report
+
+Your most recent vulnerability report for this repository **expired on ${lastReportDate}** and is no longer available for fetching automated fixes.
+
+### \u{1F4CB} Why Did This Happen?
+- Reports are automatically purged after a retention period for security and storage optimisation.
+- No new scans have been run since the last report expired.
+
+### \u{1F3AF} Recommended Actions
+1. **Run a fresh security scan** to generate an up-to-date vulnerability report.
+   - Use the \`scan_and_fix_vulnerabilities\` tool.
+2. **Verify repository access** if scans fail to run or the repository has moved.
+3. **Review your CI/CD pipeline** to ensure regular scans are triggered.
+
+For more help:
+- Documentation: https://docs.mobb.ai
+- Support: support@mobb.ai`;
 var noFixesAvailablePrompt = `There are no fixes available for this repository at this time.
 `;
 var fixesFoundPrompt = ({
@@ -12225,7 +12278,8 @@ ${applyFixesPrompt({
     hasMore,
     nextOffset: 0,
     shownCount: fixReport.fixes.length,
-    currentTool: "check_for_available_fixes"
+    currentTool: "fetch_available_fixes",
+    offset
   })}`;
 };
 var noFixesFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN COMPLETED** 
@@ -12235,7 +12289,8 @@ Mobb security scan completed successfully but found no automated fixes available
 var fixesPrompt = ({
   fixes,
   totalCount,
-  offset
+  offset,
+  scannedFiles
 }) => {
   if (totalCount === 0) {
     return noFixesFoundPrompt;
@@ -12251,9 +12306,13 @@ ${applyFixesPrompt({
     hasMore,
     nextOffset,
     shownCount,
-    currentTool: "fix_vulnerabilities"
+    currentTool: "scan_and_fix_vulnerabilities",
+    offset
   })}
 
+### \u{1F4C1} Scanned Files
+${scannedFiles.map((file) => `- ${file}`).join("\n")}
+
 ### \u{1F504} Running a Fresh Scan
 
 To perform a **rescan** of your repository (fetching a brand-new vulnerability report and updated fixes), include the additional parameter:
@@ -12267,12 +12326,21 @@ This will start a new analysis, discard any cached results.
 `;
 };
 
-// src/mcp/tools/checkForAvailableFixes/AvailableFixesService.ts
-var AvailableFixesService = class {
+// src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesService.ts
+var _FetchAvailableFixesService = class _FetchAvailableFixesService {
   constructor() {
     __publicField(this, "gqlClient", null);
     __publicField(this, "currentOffset", 0);
   }
+  static getInstance() {
+    if (!_FetchAvailableFixesService.instance) {
+      _FetchAvailableFixesService.instance = new _FetchAvailableFixesService();
+    }
+    return _FetchAvailableFixesService.instance;
+  }
+  reset() {
+    this.currentOffset = 0;
+  }
   async initializeGqlClient() {
     if (!this.gqlClient) {
       this.gqlClient = await getMcpGQLClient();
@@ -12282,40 +12350,44 @@ var AvailableFixesService = class {
   async checkForAvailableFixes({
     repoUrl,
     limit = 3,
-    offset = 0
+    offset
   }) {
     try {
       logDebug("Checking for available fixes", { repoUrl, limit });
       const gqlClient = await this.initializeGqlClient();
       logDebug("GQL client initialized");
       logDebug("querying for latest report", { repoUrl, limit });
-      let effectiveOffset;
-      if (offset !== void 0) {
-        effectiveOffset = offset;
-      } else if (this.currentOffset) {
-        effectiveOffset = this.currentOffset ?? 0;
-      } else {
-        effectiveOffset = 0;
-      }
-      logDebug("effectiveOffset", { test: "j", effectiveOffset });
-      const result = await gqlClient.getLatestReportByRepoUrl({
+      const effectiveOffset = offset ?? (this.currentOffset || 0);
+      logDebug("effectiveOffset", { effectiveOffset });
+      const { fixReport, expiredReport } = await gqlClient.getLatestReportByRepoUrl({
         repoUrl,
         limit,
         offset: effectiveOffset
       });
-      logDebug("received latest report result", { result });
-      if (!result) {
-        logInfo("No report found for repository", { repoUrl });
+      logDebug("received latest report result", { fixReport, expiredReport });
+      if (!fixReport) {
+        if (expiredReport) {
+          const lastReportDate = expiredReport.expirationOn ? new Date(expiredReport.expirationOn).toLocaleString() : "Unknown date";
+          logInfo("Expired report found", {
+            repoUrl,
+            expirationOn: expiredReport.expirationOn
+          });
+          return expiredReportPrompt({ lastReportDate });
+        }
+        logInfo("No report (active or expired) found for repository", {
+          repoUrl
+        });
         return noReportFoundPrompt;
       }
       logInfo("Successfully retrieved available fixes", {
         reportFound: true
       });
-      this.currentOffset = effectiveOffset + (result.fixes?.length || 0);
-      return fixesFoundPrompt({
-        fixReport: result,
-        offset: this.currentOffset
+      const prompt = fixesFoundPrompt({
+        fixReport,
+        offset: effectiveOffset
       });
+      this.currentOffset = effectiveOffset + (fixReport.fixes?.length || 0);
+      return prompt;
     } catch (error) {
       logError("Failed to check for available fixes", {
         error,
@@ -12325,20 +12397,40 @@ var AvailableFixesService = class {
     }
   }
 };
+__publicField(_FetchAvailableFixesService, "instance");
+var FetchAvailableFixesService = _FetchAvailableFixesService;
 
-// src/mcp/tools/checkForAvailableFixes/AvailableFixesTool.ts
-var CheckForAvailableFixesTool = class extends BaseTool {
+// src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesTool.ts
+var FetchAvailableFixesTool = class extends BaseTool {
   constructor() {
-    super(...arguments);
-    __publicField(this, "name", "check_for_available_fixes");
-    __publicField(this, "displayName", "Check for Available Fixes");
-    __publicField(this, "description", "Checks if there are any available fixes for vulnerabilities in the project");
+    super();
+    __publicField(this, "name", "fetch_available_fixes");
+    __publicField(this, "displayName", "Fetch Available Fixes");
+    __publicField(this, "description", `Check the MOBB backend for pre-generated fixes (patch sets) that correspond to vulnerabilities detected in the supplied Git repository.
+
+Use when:
+\u2022 You already have a local clone of a Git repository and want to know if MOBB has fixes available for it.
+\u2022 A vulnerability scan has been run previously and uploaded to the MOBB backend and you want to fetch the list or count of ready-to-apply fixes before triggering a full scan-and-fix flow.
+
+Required argument:
+\u2022 path \u2013 absolute path to the local Git repository clone.
+
+Optional arguments:
+\u2022 offset \u2013 pagination offset (integer).
+\u2022 limit  \u2013 maximum number of fixes to return (integer).
+
+The tool will:
+1. Validate that the provided path is secure and exists.
+2. Verify that the directory is a valid Git repository with an "origin" remote.
+3. Query the MOBB service by the origin remote URL and return a textual summary of available fixes (total and by severity) or a message if none are found.
+
+Call this tool instead of scan_and_fix_vulnerabilities when you only need a fixes summary and do NOT want to perform scanning or code modifications.`);
     __publicField(this, "inputSchema", {
       type: "object",
       properties: {
         path: {
           type: "string",
-          description: "Path to the local git repository to check for available fixes"
+          description: "Full local path to the cloned git repository to check for available fixes"
         },
         offset: {
           type: "number",
@@ -12353,21 +12445,24 @@ var CheckForAvailableFixesTool = class extends BaseTool {
     });
     __publicField(this, "inputValidationSchema", z32.object({
       path: z32.string().describe(
-        "Path to the local git repository to check for available fixes"
+        "Full local path to the cloned git repository to check for available fixes"
       ),
       offset: z32.number().optional().describe("Optional offset for pagination"),
       limit: z32.number().optional().describe("Optional maximum number of fixes to return")
     }));
+    __publicField(this, "availableFixesService");
+    this.availableFixesService = FetchAvailableFixesService.getInstance();
+    this.availableFixesService.reset();
   }
   async executeInternal(args) {
-    const pathValidation = new PathValidation();
-    const pathValidationResult = await pathValidation.validatePath(args.path);
+    const pathValidationResult = await validatePath(args.path);
     if (!pathValidationResult.isValid) {
       throw new Error(
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const gitService = new GitService(args.path, log);
+    const path14 = pathValidationResult.path;
+    const gitService = new GitService(path14, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -12380,13 +12475,12 @@ var CheckForAvailableFixesTool = class extends BaseTool {
     if (!originUrl) {
       throw new Error("No origin URL found for the repository");
     }
-    const availableFixesService = new AvailableFixesService();
-    const fixResult = await availableFixesService.checkForAvailableFixes({
+    const fixResult = await this.availableFixesService.checkForAvailableFixes({
       repoUrl: originUrl,
       limit: args.limit,
       offset: args.offset
     });
-    logInfo("CheckForAvailableFixesTool execution completed successfully", {
+    logInfo("FetchAvailableFixesTool execution completed successfully", {
       fixResult
     });
     return {
@@ -12400,9 +12494,12 @@ var CheckForAvailableFixesTool = class extends BaseTool {
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
+// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
 import z33 from "zod";
 
+// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
+import path13 from "path";
+
 // src/mcp/services/FilePacking.ts
 import fs10 from "fs";
 import path12 from "path";
@@ -12443,9 +12540,9 @@ var FilePacking = class {
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesService.ts
+// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
 var VUL_REPORT_DIGEST_TIMEOUT_MS2 = 1e3 * 60 * 5;
-var VulnerabilityFixService = class {
+var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService {
   constructor() {
     __publicField(this, "gqlClient");
     __publicField(this, "filePacking");
@@ -12458,6 +12555,16 @@ var VulnerabilityFixService = class {
     __publicField(this, "currentOffset", 0);
     this.filePacking = new FilePacking();
   }
+  static getInstance() {
+    if (!_ScanAndFixVulnerabilitiesService.instance) {
+      _ScanAndFixVulnerabilitiesService.instance = new _ScanAndFixVulnerabilitiesService();
+    }
+    return _ScanAndFixVulnerabilitiesService.instance;
+  }
+  reset() {
+    this.storedFixReportId = void 0;
+    this.currentOffset = void 0;
+  }
   async processVulnerabilities({
     fileList,
     repositoryPath,
@@ -12467,8 +12574,13 @@ var VulnerabilityFixService = class {
   }) {
     try {
       this.gqlClient = await this.initializeGqlClient();
+      logInfo("storedFixReportId", {
+        storedFixReportId: this.storedFixReportId,
+        currentOffset: this.currentOffset
+      });
       let fixReportId = this.storedFixReportId;
       if (!fixReportId || isRescan) {
+        this.reset();
         this.validateFiles(fileList);
         const repoUploadInfo = await this.initializeReport();
         fixReportId = repoUploadInfo.fixReportId;
@@ -12478,26 +12590,21 @@ var VulnerabilityFixService = class {
         const projectId = await this.getProjectId();
         await this.runScan({ fixReportId, projectId });
       }
-      let effectiveOffset;
-      if (offset !== void 0) {
-        effectiveOffset = offset;
-      } else if (fixReportId) {
-        effectiveOffset = this.currentOffset ?? 0;
-      } else {
-        effectiveOffset = 0;
-      }
+      const effectiveOffset = offset ?? (this.currentOffset || 0);
       logDebug("effectiveOffset", { effectiveOffset });
       const fixes = await this.getReportFixes(
         fixReportId,
         effectiveOffset,
         limit
       );
-      this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
-      return fixesPrompt({
+      const prompt = fixesPrompt({
         fixes: fixes.fixes,
         totalCount: fixes.totalCount,
-        offset: effectiveOffset
+        offset: effectiveOffset,
+        scannedFiles: fileList.map((file) => path13.basename(file))
       });
+      this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
+      return prompt;
     } catch (error) {
       const message = error.message;
       logError("Vulnerability processing failed", { error: message });
@@ -12514,7 +12621,7 @@ var VulnerabilityFixService = class {
     const isConnected = await gqlClient.verifyConnection();
     if (!isConnected) {
       throw new ApiConnectionError(
-        "Failed to connect to the API. Please check your API_KEY"
+        "Failed to connect to the API. Please check your MOBB_API_KEY"
       );
     }
     return gqlClient;
@@ -12631,17 +12738,50 @@ var VulnerabilityFixService = class {
     };
   }
 };
+__publicField(_ScanAndFixVulnerabilitiesService, "instance");
+var ScanAndFixVulnerabilitiesService = _ScanAndFixVulnerabilitiesService;
 
-// src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
-var FixVulnerabilitiesTool = class extends BaseTool {
+// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
+var ScanAndFixVulnerabilitiesTool = class extends BaseTool {
   constructor() {
-    super(...arguments);
-    __publicField(this, "name", "fix_vulnerabilities");
-    __publicField(this, "displayName", "Fix Vulnerabilities");
-    __publicField(this, "description", "Scans the current code changes and returns fixes for potential vulnerabilities");
+    super();
+    __publicField(this, "name", "scan_and_fix_vulnerabilities");
+    __publicField(this, "displayName", "Scan and Fix Vulnerabilities");
+    // A detailed description to guide the LLM on when and how to invoke this tool.
+    __publicField(this, "description", `Scans a given local repository for security vulnerabilities and returns auto-generated code fixes.
+
+When to invoke:
+\u2022 Use when the user explicitly asks to "scan for vulnerabilities", "run a security check", or "test for security issues" in a local repository.
+\u2022 The repository must exist on disk; supply its absolute path with the required "path" argument.
+\u2022 Ideal after the user makes code changes (added/modified/staged files) but before committing, or whenever they request a full rescan.
+
+How to invoke:
+\u2022 Required argument:
+  \u2013 path (string): absolute path to the repository root.
+\u2022 Optional arguments:
+  \u2013 offset (number): pagination offset used when the result set is large.
+  \u2013 limit (number): maximum number of fixes to include in the response.
+  \u2013 rescan (boolean): true to force a complete rescan even if cached results exist.
+
+Behaviour:
+\u2022 If the directory is not a valid Git repository, the tool falls back to scanning recently changed files in the folder.
+\u2022 By default, only new, modified, or staged files are scanned; if none are found, it checks recently changed files.
+\u2022 The tool NEVER commits or pushes changes; it only returns proposed diffs/fixes as text.
+
+Return value:
+The response is an object with a single "content" array containing one text element. The text is either:
+\u2022 A human-readable summary of the fixes / patches, or
+\u2022 A diagnostic or error message if the scan fails or finds nothing to fix.
+
+Example payload:
+{
+  "path": "/home/user/my-project",
+  "limit": 20,
+  "rescan": false
+}`);
     __publicField(this, "inputValidationSchema", z33.object({
       path: z33.string().describe(
-        "Path to the local git repository to check for available fixes"
+        "Full local path to repository to scan and fix vulnerabilities"
       ),
       offset: z33.number().optional().describe("Optional offset for pagination"),
       limit: z33.number().optional().describe("Optional maximum number of results to return"),
@@ -12652,7 +12792,7 @@ var FixVulnerabilitiesTool = class extends BaseTool {
       properties: {
         path: {
           type: "string",
-          description: "Path to the project directory to check for available fixes"
+          description: "Full local path to repository to scan and fix vulnerabilities"
         },
         offset: {
           type: "number",
@@ -12669,30 +12809,33 @@ var FixVulnerabilitiesTool = class extends BaseTool {
       },
       required: ["path"]
     });
+    __publicField(this, "vulnerabilityFixService");
+    this.vulnerabilityFixService = ScanAndFixVulnerabilitiesService.getInstance();
+    this.vulnerabilityFixService.reset();
   }
   async executeInternal(args) {
-    logInfo("Executing tool: fix_vulnerabilities", { path: args.path });
+    logInfo("Executing tool: scan_and_fix_vulnerabilities", { path: args.path });
     if (!args.path) {
       throw new Error("Invalid arguments: Missing required parameter 'path'");
     }
-    const pathValidation = new PathValidation();
-    const pathValidationResult = await pathValidation.validatePath(args.path);
+    const pathValidationResult = await validatePath(args.path);
     if (!pathValidationResult.isValid) {
       throw new Error(
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const gitService = new GitService(args.path, log);
+    const path14 = pathValidationResult.path;
+    const gitService = new GitService(path14, log);
     const gitValidation = await gitService.validateRepository();
     let files = [];
     if (!gitValidation.isValid) {
       logDebug(
         "Git repository validation failed, using all files in the repository",
         {
-          path: args.path
+          path: path14
         }
       );
-      files = FileUtils.getLastChangedFiles(args.path);
+      files = FileUtils.getLastChangedFiles(path14);
       logDebug("Found files in the repository", {
         files,
         fileCount: files.length
@@ -12729,10 +12872,9 @@ var FixVulnerabilitiesTool = class extends BaseTool {
       };
     }
     try {
-      const vulnerabilityFixService = new VulnerabilityFixService();
-      const fixResult = await vulnerabilityFixService.processVulnerabilities({
+      const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files,
-        repositoryPath: args.path,
+        repositoryPath: path14,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan
@@ -12774,7 +12916,7 @@ function createMcpServer() {
   logDebug("Creating MCP server");
   const server = new McpServer({
     name: "mobb-mcp",
-    version: "1.0.0"
+    version: packageJson.version
   });
   const enabledToolsEnv = process.env["TOOLS_ENABLED"];
   const enabledToolsSet = enabledToolsEnv ? new Set(
@@ -12788,10 +12930,10 @@ function createMcpServer() {
       logDebug(`Skipping tool (disabled): ${tool.name}`);
     }
   };
-  const fixVulnerabilitiesTool = new FixVulnerabilitiesTool();
-  const checkForAvailableFixesTool = new CheckForAvailableFixesTool();
-  registerIfEnabled(fixVulnerabilitiesTool);
-  registerIfEnabled(checkForAvailableFixesTool);
+  const scanAndFixVulnerabilitiesTool = new ScanAndFixVulnerabilitiesTool();
+  const fetchAvailableFixesTool = new FetchAvailableFixesTool();
+  registerIfEnabled(scanAndFixVulnerabilitiesTool);
+  registerIfEnabled(fetchAvailableFixesTool);
   logInfo("MCP server created and configured");
   return server;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.106",
+  "version": "1.0.107",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -15,6 +15,7 @@
     "test:mcp": "pnpm run build && pnpm run test:mcp:unit",
     "test:mcp:watch": "vitest watch __tests__/mcp/mcp.unit.test.ts",
     "test:mcp:verbose": "pnpm run build && NODE_ENV=test VERBOSE=true vitest run __tests__/mcp/",
+    "test:mcp:integration": "pnpm run build && GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) VERBOSE=1  vitest run __tests__/mcp/mcp.integration.test.ts",
     "test:unit": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --exclude='**/__tests__/integration.test.ts' --exclude='**/__tests__/mcp/**'",
     "test:integration": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run __tests__/integration.test.ts",
     "test:integration:watch": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest watch run __tests__/integration.test.ts",
@@ -34,7 +35,8 @@
     "dev:mcp": "pnpm run build && node dist/index.mjs mcp",
     "debug:mcp": "pnpm run build && node dist/index.mjs mcp --debug",
     "generate": "pnpm run env -- graphql-codegen -r dotenv/config --config client_codegen.ts",
-    "test:e2e": "cd ./__e2e__ && npm i && npm run test"
+    "test:e2e": "cd ./__e2e__ && npm i && npm run test && npm run test:mcp",
+    "test:e2e:mcp": "cd ./__e2e__ && npm i && npm run test:mcp"
   },
   "bin": {
     "mobbdev": "bin/cli.mjs"
@@ -47,7 +49,6 @@
     "@modelcontextprotocol/sdk": "1.12.1",
     "@octokit/core": "5.2.0",
     "@octokit/request-error": "5.1.1",
-    "@types/libsodium-wrappers": "0.7.14",
     "adm-zip": "0.5.16",
     "axios": "1.9.0",
     "azure-devops-node-api": "12.1.0",
@@ -118,11 +119,11 @@
     "eslint-plugin-simple-import-sort": "10.0.0",
     "msw": "2.8.5",
     "nock": "14.0.5",
-    "pino-pretty": "13.0.0",
     "prettier": "3.5.3",
     "tsup": "8.5.0",
     "typescript": "4.9.5",
-    "vitest": "3.2.3"
+    "vitest": "3.2.3",
+    "@types/libsodium-wrappers": "0.7.14"
   },
   "engines": {
     "node": ">=18.20.0"