mobbdev 1.0.191 → 1.0.194

package/dist/args/commands/upload_ai_blame.mjs

@@ -659,6 +659,9 @@ var GetAnalysisDocument = `
       projectId
       project {
         organizationId
+        organization {
+          ghFixerNoFixComments
+        }
       }
       file {
         signedFile {
@@ -4123,7 +4126,7 @@ var scmTypeToScmLibScmType = {
   ["Ado" /* Ado */]: "ADO" /* ADO */,
   ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
 };
-var GetRefererenceResultZ = z14.object({
+var GetReferenceResultZ = z14.object({
   date: z14.date().optional(),
   sha: z14.string(),
   type: z14.nativeEnum(ReferenceType)
@@ -4744,6 +4747,8 @@ var VulnerabilityReportSchema = z26.object({
   // GraphQL uses `any` type for timestamp
   vendor: z26.string(),
   // GraphQL generates as string, not enum
+  projectId: z26.any().optional(),
+  // GraphQL uses `any` type for UUID
   project: ProjectSchema,
   totalVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema,
   notFixableVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema
@@ -5243,7 +5248,7 @@ var McpGQLClient = class {
     const reportMetadata = {
       id: reportData.id,
       organizationId: reportData.vulnerabilityReport?.project?.organizationId,
-      projectId: reportData.vulnerabilityReport?.project?.id
+      projectId: reportData.vulnerabilityReport?.projectId
     };
     const { userFixes = [], fixes = [] } = reportData;
     const fixMap = /* @__PURE__ */ new Map();
@@ -5460,6 +5465,7 @@ var McpGQLClient = class {
         reportData: latestReport,
         limit
       });
+      logDebug("[GraphQL] GetReportFixes response parsed", { fixes });
       return {
         fixes,
         totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,

package/dist/index.mjs

@@ -2094,6 +2094,9 @@ var GetAnalysisDocument = `
       projectId
       project {
         organizationId
+        organization {
+          ghFixerNoFixComments
+        }
       }
       file {
         signedFile {
@@ -5793,7 +5796,7 @@ var scmTypeToScmLibScmType = {
   ["Ado" /* Ado */]: "ADO" /* ADO */,
   ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
 };
-var GetRefererenceResultZ = z13.object({
+var GetReferenceResultZ = z13.object({
   date: z13.date().optional(),
   sha: z13.string(),
   type: z13.nativeEnum(ReferenceType)
@@ -6764,7 +6767,7 @@ var AdoSCMLib = class extends SCMLib {
         return String(pullRequestId);
       } catch (e) {
         console.warn(
-          `error creating pull request for ADO. Try number ${i + 1}`,
+          `error creating pull request for ADO. Try number ${String(i + 1).replace(/\n|\r/g, "")}`,
           e
         );
         await setTimeout2(1e3);
@@ -6924,6 +6927,12 @@ var AdoSCMLib = class extends SCMLib {
   async getCommitDiff(_commitSha) {
     throw new Error("getCommitDiff not implemented for ADO");
   }
+  async getSubmitRequestDiff(_submitRequestId) {
+    throw new Error("getSubmitRequestDiff not implemented for ADO");
+  }
+  async getSubmitRequests(_repoUrl) {
+    throw new Error("getSubmitRequests not implemented for ADO");
+  }
 };
 
 // src/features/analysis/scm/bitbucket/bitbucket.ts
@@ -6969,15 +6978,15 @@ function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
     repo_slug: validatedBitbucketResult.repoName
   };
 }
-function getBitbucketIntance(params) {
-  const BitbucketContstructor = bitbucketPkg && "Bitbucket" in bitbucketPkg ? bitbucketPkg.Bitbucket : bitbucketPkgNode.Bitbucket;
+function getBitbucketInstance(params) {
+  const BitbucketConstructor = bitbucketPkg && "Bitbucket" in bitbucketPkg ? bitbucketPkg.Bitbucket : bitbucketPkgNode.Bitbucket;
   switch (params.authType) {
     case "public":
-      return new BitbucketContstructor();
+      return new BitbucketConstructor();
     case "token":
-      return new BitbucketContstructor({ auth: { token: params.token } });
+      return new BitbucketConstructor({ auth: { token: params.token } });
     case "basic":
-      return new BitbucketContstructor({
+      return new BitbucketConstructor({
         auth: {
           password: params.password,
           username: params.username
@@ -6986,7 +6995,7 @@ function getBitbucketIntance(params) {
   }
 }
 function getBitbucketSdk(params) {
-  const bitbucketClient = getBitbucketIntance(params);
+  const bitbucketClient = getBitbucketInstance(params);
   return {
     getAuthType() {
       return params.authType;
@@ -6994,12 +7003,11 @@ function getBitbucketSdk(params) {
     async getRepos(params2) {
       const repoRes = params2?.workspaceSlug ? await getRepositoriesByWorkspace(bitbucketClient, {
         workspaceSlug: params2.workspaceSlug
-      }) : await getllUsersrepositories(bitbucketClient);
+      }) : await getAllUsersRepositories(bitbucketClient);
       return repoRes.map((repo) => ({
         repoIsPublic: !repo.is_private,
         repoName: repo.name || "unknown repo name",
         repoOwner: repo.owner?.username || "unknown owner",
-        // language can be empty string
         repoLanguages: repo.language ? [repo.language] : [],
         repoUpdatedAt: repo.updated_on ? repo.updated_on : (/* @__PURE__ */ new Date()).toISOString(),
         repoUrl: repo.links?.html?.href || ""
@@ -7059,7 +7067,7 @@ function getBitbucketSdk(params) {
       });
       return res.data;
     },
-    async getDownloadlink(params2) {
+    async getDownloadLink(params2) {
       const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(
         params2.repoUrl
       );
@@ -7131,7 +7139,7 @@ function getBitbucketSdk(params) {
         workspace,
         name: tagName
       });
-      return GetRefererenceResultZ.parse({
+      return GetReferenceResultZ.parse({
         sha: tagRes.data.target?.hash,
         type: "TAG" /* TAG */,
         date: new Date(z19.string().parse(tagRes.data.target?.date))
@@ -7139,7 +7147,7 @@ function getBitbucketSdk(params) {
     },
     async getBranchRef(params2) {
       const getBranchRes = await this.getBranch(params2);
-      return GetRefererenceResultZ.parse({
+      return GetReferenceResultZ.parse({
         sha: getBranchRes.target?.hash,
         type: "BRANCH" /* BRANCH */,
         date: new Date(z19.string().parse(getBranchRes.target?.date))
@@ -7147,7 +7155,7 @@ function getBitbucketSdk(params) {
     },
     async getCommitRef(params2) {
       const getCommitRes = await this.getCommit(params2);
-      return GetRefererenceResultZ.parse({
+      return GetReferenceResultZ.parse({
         sha: getCommitRes.hash,
         type: "COMMIT" /* COMMIT */,
         date: new Date(z19.string().parse(getCommitRes.date))
@@ -7177,7 +7185,7 @@ function getBitbucketSdk(params) {
     }) {
       const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(url);
       const res = await bitbucketClient.pullrequests.createComment({
-        //@ts-expect-error tyep requires _body.type, but it its uses api fails
+        //@ts-expect-error type requires _body.type, but it its uses api fails
         _body: {
           content: {
             raw: markdownComment
@@ -7219,17 +7227,17 @@ async function validateBitbucketParams(params) {
     );
   }
 }
-async function getUsersworkspacesSlugs(bitbucketClient) {
+async function getUsersWorkspacesSlugs(bitbucketClient) {
   const res = await bitbucketClient.workspaces.getWorkspaces({});
   return res.data.values?.map((v) => z19.string().parse(v.slug));
 }
-async function getllUsersrepositories(bitbucketClient) {
-  const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
-  if (!userWorspacesSlugs) {
+async function getAllUsersRepositories(bitbucketClient) {
+  const userWorkspacesSlugs = await getUsersWorkspacesSlugs(bitbucketClient);
+  if (!userWorkspacesSlugs) {
     return [];
   }
   const allWorkspaceRepos = [];
-  for (const workspaceSlug of userWorspacesSlugs) {
+  for (const workspaceSlug of userWorkspacesSlugs) {
     const repos = await bitbucketClient.repositories.list({
       workspace: workspaceSlug
     });
@@ -7490,6 +7498,12 @@ var BitbucketSCMLib = class extends SCMLib {
   async getCommitDiff(_commitSha) {
     throw new Error("getCommitDiff not implemented for Bitbucket");
   }
+  async getSubmitRequestDiff(_submitRequestId) {
+    throw new Error("getSubmitRequestDiff not implemented for Bitbucket");
+  }
+  async getSubmitRequests(_repoUrl) {
+    throw new Error("getSubmitRequests not implemented for Bitbucket");
+  }
 };
 
 // src/features/analysis/scm/constants.ts
@@ -8084,6 +8098,31 @@ function getGithubSdk(params = {}) {
     },
     async getUserInfo() {
       return octokit.request(GET_USER);
+    },
+    async getPrCommits(params2) {
+      return octokit.rest.pulls.listCommits({
+        owner: params2.owner,
+        repo: params2.repo,
+        pull_number: params2.pull_number
+      });
+    },
+    async getUserRepos() {
+      return octokit.rest.repos.listForAuthenticatedUser({
+        visibility: "all",
+        affiliation: "owner,collaborator,organization_member",
+        sort: "updated",
+        per_page: 100
+      });
+    },
+    async getRepoPullRequests(params2) {
+      return octokit.rest.pulls.list({
+        owner: params2.owner,
+        repo: params2.repo,
+        state: "all",
+        sort: "updated",
+        direction: "desc",
+        per_page: 100
+      });
     }
   };
 }
@@ -8362,6 +8401,284 @@ var GithubSCMLib = class extends SCMLib {
       message: commit.commit.message
     };
   }
+  async getSubmitRequestDiff(submitRequestId) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const prNumber = Number(submitRequestId);
+    const prRes = await this.githubSdk.getPr({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    const prDiff = await this.getPrDiff({ pull_number: prNumber });
+    const commitsRes = await this.githubSdk.getPrCommits({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    const commits = [];
+    for (const commit of commitsRes.data) {
+      const commitDiff = await this.getCommitDiff(commit.sha);
+      commits.push(commitDiff);
+    }
+    const pr = prRes.data;
+    const diffLines = this._calculateDiffLineAttributions(prDiff, commits);
+    return {
+      diff: prDiff,
+      createdAt: new Date(pr.created_at),
+      updatedAt: new Date(pr.updated_at),
+      submitRequestId,
+      submitRequestNumber: prNumber,
+      sourceBranch: pr.head.ref,
+      targetBranch: pr.base.ref,
+      authorName: pr.user?.name || pr.user?.login,
+      authorEmail: pr.user?.email || void 0,
+      title: pr.title,
+      description: pr.body || void 0,
+      commits,
+      diffLines
+    };
+  }
+  async getSubmitRequests(repoUrl) {
+    this._validateAccessToken();
+    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+    const pullsRes = await this.githubSdk.getRepoPullRequests({ owner, repo });
+    const submitRequests = await Promise.all(
+      pullsRes.data.map(async (pr) => {
+        let status = "open";
+        if (pr.state === "closed") {
+          status = pr.merged_at ? "merged" : "closed";
+        } else if (pr.draft) {
+          status = "draft";
+        }
+        const [tickets, changedLines] = await Promise.all([
+          this._extractLinearTicketsFromPR(owner, repo, pr.number),
+          this._calculateChangedLinesFromPR(owner, repo, pr.number)
+        ]);
+        return {
+          submitRequestId: String(pr.number),
+          submitRequestNumber: pr.number,
+          title: pr.title,
+          status,
+          sourceBranch: pr.head.ref,
+          targetBranch: pr.base.ref,
+          authorName: pr.user?.name || pr.user?.login,
+          authorEmail: pr.user?.email || void 0,
+          createdAt: new Date(pr.created_at),
+          updatedAt: new Date(pr.updated_at),
+          description: pr.body || void 0,
+          tickets,
+          changedLines
+        };
+      })
+    );
+    return submitRequests;
+  }
+  async _extractLinearTicketsFromPR(owner, repo, prNumber) {
+    try {
+      const commentsRes = await this.githubSdk.getGeneralPrComments({
+        owner,
+        repo,
+        issue_number: prNumber
+      });
+      const tickets = [];
+      for (const comment of commentsRes.data) {
+        if (comment.user?.login === "linear[bot]" || comment.user?.type === "Bot") {
+          const htmlLinkPattern = /<a href="(https:\/\/linear\.app\/[^"]+)">([A-Z]+-\d+)<\/a>/g;
+          let match;
+          while ((match = htmlLinkPattern.exec(comment.body || "")) !== null) {
+            const url = match[1];
+            const name = match[2];
+            if (!name || !url) {
+              continue;
+            }
+            const urlParts = url.split("/");
+            const titleSlug = urlParts[urlParts.length - 1] || "";
+            const title = titleSlug.replace(/-/g, " ");
+            tickets.push({ name, title, url });
+          }
+          const markdownLinkPattern = /\[([A-Z]+-\d+)\]\((https:\/\/linear\.app\/[^)]+)\)/g;
+          while ((match = markdownLinkPattern.exec(comment.body || "")) !== null) {
+            const name = match[1];
+            const url = match[2];
+            if (tickets.some((t) => t.name === name && t.url === url)) {
+              continue;
+            }
+            if (!name || !url) {
+              continue;
+            }
+            const urlParts = url.split("/");
+            const titleSlug = urlParts[urlParts.length - 1] || "";
+            const title = titleSlug.replace(/-/g, " ");
+            tickets.push({ name, title, url });
+          }
+        }
+      }
+      return tickets;
+    } catch (error) {
+      return [];
+    }
+  }
+  async _calculateChangedLinesFromPR(owner, repo, prNumber) {
+    try {
+      const diffRes = await this.githubSdk.getPrDiff({
+        owner,
+        repo,
+        pull_number: prNumber
+      });
+      const diff = z21.string().parse(diffRes.data);
+      let added = 0;
+      let removed = 0;
+      const lines = diff.split("\n");
+      for (const line of lines) {
+        if (line.startsWith("+") && !line.startsWith("+++")) {
+          added++;
+        } else if (line.startsWith("-") && !line.startsWith("---")) {
+          removed++;
+        }
+      }
+      return { added, removed };
+    } catch (error) {
+      return { added: 0, removed: 0 };
+    }
+  }
+  _calculateDiffLineAttributions(prDiff, commits) {
+    const attributions = [];
+    const prDiffLines = prDiff.split("\n");
+    let currentFile = "";
+    let currentLineNumber = 0;
+    for (const line of prDiffLines) {
+      if (line.startsWith("+++")) {
+        const match = line.match(/^\+\+\+ b\/(.+)$/);
+        currentFile = match?.[1] || "";
+        currentLineNumber = 0;
+        continue;
+      }
+      if (line.startsWith("@@")) {
+        const match = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
+        if (match?.[1]) {
+          currentLineNumber = parseInt(match[1], 10);
+        }
+        continue;
+      }
+      if (line.startsWith("+") && !line.startsWith("+++")) {
+        const commitSha = this._findCommitForLine(
+          currentFile,
+          currentLineNumber,
+          line.substring(1),
+          // Remove the '+' prefix
+          commits
+        );
+        if (commitSha && currentFile) {
+          attributions.push({
+            file: currentFile,
+            line: currentLineNumber,
+            commitSha
+          });
+        }
+        currentLineNumber++;
+      } else if (!line.startsWith("-")) {
+        currentLineNumber++;
+      }
+    }
+    return attributions;
+  }
+  _findCommitForLine(file, lineNumber, lineContent, commits) {
+    const normalizedContent = lineContent.trim();
+    for (let i = commits.length - 1; i >= 0; i--) {
+      const commit = commits[i];
+      if (!commit) {
+        continue;
+      }
+      const commitLines = commit.diff.split("\n");
+      let commitCurrentFile = "";
+      for (const commitLine of commitLines) {
+        if (commitLine.startsWith("+++")) {
+          const match = commitLine.match(/^\+\+\+ b\/(.+)$/);
+          commitCurrentFile = match?.[1] || "";
+          continue;
+        }
+        if (commitLine.startsWith("@@")) {
+          continue;
+        }
+        if (commitCurrentFile === file && commitLine.startsWith("+") && !commitLine.startsWith("+++")) {
+          const commitLineContent = commitLine.substring(1).trim();
+          if (commitLineContent === normalizedContent) {
+            return commit.commitSha;
+          }
+        }
+      }
+    }
+    for (let i = commits.length - 1; i >= 0; i--) {
+      const commit = commits[i];
+      if (!commit) {
+        continue;
+      }
+      const addedLinesInFile = this._getAddedLinesFromCommit(commit, file);
+      for (const { lineNum, content } of addedLinesInFile) {
+        if (Math.abs(lineNum - lineNumber) <= 10 && this._contentSimilarity(content, normalizedContent) > 0.9) {
+          return commit.commitSha;
+        }
+      }
+    }
+    const lastCommit = commits[commits.length - 1];
+    return lastCommit ? lastCommit.commitSha : null;
+  }
+  _getAddedLinesFromCommit(commit, targetFile) {
+    const addedLines = [];
+    const commitLines = commit.diff.split("\n");
+    let currentFile = "";
+    let currentLineNumber = 0;
+    for (const line of commitLines) {
+      if (line.startsWith("+++")) {
+        const match = line.match(/^\+\+\+ b\/(.+)$/);
+        currentFile = match?.[1] || "";
+        currentLineNumber = 0;
+        continue;
+      }
+      if (line.startsWith("@@")) {
+        const match = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
+        if (match?.[1]) {
+          currentLineNumber = parseInt(match[1], 10);
+        }
+        continue;
+      }
+      if (currentFile === targetFile && line.startsWith("+") && !line.startsWith("+++")) {
+        addedLines.push({
+          lineNum: currentLineNumber,
+          content: line.substring(1).trim()
+        });
+        currentLineNumber++;
+      } else if (!line.startsWith("-")) {
+        if (currentFile === targetFile) {
+          currentLineNumber++;
+        }
+      }
+    }
+    return addedLines;
+  }
+  _contentSimilarity(content1, content2) {
+    if (content1 === content2) {
+      return 1;
+    }
+    const normalized1 = content1.replace(/\s+/g, " ");
+    const normalized2 = content2.replace(/\s+/g, " ");
+    if (normalized1 === normalized2) {
+      return 0.95;
+    }
+    const longer = normalized1.length > normalized2.length ? normalized1 : normalized2;
+    const shorter = normalized1.length > normalized2.length ? normalized2 : normalized1;
+    if (longer.length === 0) {
+      return 1;
+    }
+    if (longer.includes(shorter)) {
+      return shorter.length / longer.length;
+    }
+    const set1 = new Set(normalized1.split(""));
+    const set2 = new Set(normalized2.split(""));
+    const intersection = new Set([...set1].filter((x) => set2.has(x)));
+    return intersection.size / Math.max(set1.size, set2.size);
+  }
 };
 
 // src/features/analysis/scm/gitlab/gitlab.ts
@@ -8930,6 +9247,12 @@ var GitlabSCMLib = class extends SCMLib {
   async getCommitDiff(_commitSha) {
     throw new Error("getCommitDiff not implemented for GitLab");
   }
+  async getSubmitRequestDiff(_submitRequestId) {
+    throw new Error("getSubmitRequestDiff not implemented for GitLab");
+  }
+  async getSubmitRequests(_repoUrl) {
+    throw new Error("getSubmitRequests not implemented for GitLab");
+  }
 };
 
 // src/features/analysis/scm/scmFactory.ts
@@ -9037,6 +9360,28 @@ var StubSCMLib = class extends SCMLib {
       message: void 0
     };
   }
+  async getSubmitRequestDiff(_submitRequestId) {
+    console.warn("getSubmitRequestDiff() returning stub diff");
+    return {
+      diff: "",
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date(),
+      submitRequestId: _submitRequestId,
+      submitRequestNumber: parseInt(_submitRequestId) || 0,
+      sourceBranch: "",
+      targetBranch: "",
+      authorName: void 0,
+      authorEmail: void 0,
+      title: void 0,
+      description: void 0,
+      commits: [],
+      diffLines: []
+    };
+  }
+  async getSubmitRequests(_repoUrl) {
+    console.warn("getSubmitRequests() returning empty array");
+    return [];
+  }
 };
 
 // src/features/analysis/scm/scmFactory.ts
@@ -10176,7 +10521,10 @@ async function addFixCommentsForPr({
   const {
     vulnerabilityReport: {
       projectId,
-      project: { organizationId }
+      project: {
+        organizationId,
+        organization: { ghFixerNoFixComments }
+      }
     }
   } = getAnalysisRes;
   if (!getAnalysisRes.repo?.commitSha || !getAnalysisRes.repo.pullRequest) {
@@ -10205,74 +10553,76 @@ async function addFixCommentsForPr({
     ...deleteAllPreviousComments({ comments, scm }),
     ...deleteAllPreviousGeneralPrComments({ generalPrComments, scm })
   ]);
-  await Promise.all([
-    ...prVulenrabilities.vulnerabilityReportIssueCodeNodes.map(
-      (vulnerabilityReportIssueCodeNode) => {
-        return postFixComment({
-          vulnerabilityReportIssueCodeNode,
-          projectId,
-          analysisId,
-          organizationId,
-          fixesById,
-          scm,
-          pullRequest,
-          scanner,
-          commitSha
-        });
-      }
-    ),
-    ...irrelevantVulnerabilityReportIssues.map(
-      async (vulnerabilityReportIssue) => {
-        let fpDescription = null;
-        if (vulnerabilityReportIssue.fpId) {
-          const fpRes = await gqlClient.getFalsePositive({
-            fpId: vulnerabilityReportIssue.fpId
+  await Promise.all(
+    [
+      ...prVulenrabilities.vulnerabilityReportIssueCodeNodes.map(
+        (vulnerabilityReportIssueCodeNode) => {
+          return postFixComment({
+            vulnerabilityReportIssueCodeNode,
+            projectId,
+            analysisId,
+            organizationId,
+            fixesById,
+            scm,
+            pullRequest,
+            scanner,
+            commitSha
           });
-          const parsedFpRes = await FalsePositivePartsZ.parseAsync(
-            fpRes?.getFalsePositive
-          );
-          const { description, contextString } = getParsedFalsePositiveMessage(parsedFpRes);
-          fpDescription = contextString ? `${description}
+        }
+      ),
+      ...irrelevantVulnerabilityReportIssues.map(
+        async (vulnerabilityReportIssue) => {
+          let fpDescription = null;
+          if (vulnerabilityReportIssue.fpId) {
+            const fpRes = await gqlClient.getFalsePositive({
+              fpId: vulnerabilityReportIssue.fpId
+            });
+            const parsedFpRes = await FalsePositivePartsZ.parseAsync(
+              fpRes?.getFalsePositive
+            );
+            const { description, contextString } = getParsedFalsePositiveMessage(parsedFpRes);
+            fpDescription = contextString ? `${description}
 
 ${contextString}` : description;
-        }
-        return await Promise.all(
-          vulnerabilityReportIssue.codeNodes.map(
-            async (vulnerabilityReportIssueCodeNode) => {
-              return await postIssueComment({
-                vulnerabilityReportIssueCodeNode: {
-                  path: vulnerabilityReportIssueCodeNode.path,
-                  startLine: vulnerabilityReportIssueCodeNode.startLine,
-                  vulnerabilityReportIssue: {
-                    fixId: "",
-                    safeIssueType: vulnerabilityReportIssue.safeIssueType,
-                    vulnerabilityReportIssueTags: vulnerabilityReportIssue.vulnerabilityReportIssueTags,
-                    category: vulnerabilityReportIssue.category
+          }
+          return await Promise.all(
+            vulnerabilityReportIssue.codeNodes.map(
+              async (vulnerabilityReportIssueCodeNode) => {
+                return await postIssueComment({
+                  vulnerabilityReportIssueCodeNode: {
+                    path: vulnerabilityReportIssueCodeNode.path,
+                    startLine: vulnerabilityReportIssueCodeNode.startLine,
+                    vulnerabilityReportIssue: {
+                      fixId: "",
+                      safeIssueType: vulnerabilityReportIssue.safeIssueType,
+                      vulnerabilityReportIssueTags: vulnerabilityReportIssue.vulnerabilityReportIssueTags,
+                      category: vulnerabilityReportIssue.category
+                    },
+                    vulnerabilityReportIssueId: vulnerabilityReportIssue.id
                   },
-                  vulnerabilityReportIssueId: vulnerabilityReportIssue.id
-                },
-                projectId,
-                analysisId,
-                organizationId,
-                fixesById,
-                scm,
-                pullRequest,
-                scanner,
-                commitSha,
-                fpDescription
-              });
-            }
-          )
-        );
-      }
-    ),
-    postAnalysisInsightComment({
-      prVulenrabilities,
-      pullRequest,
-      scanner,
-      scm
-    })
-  ]);
+                  projectId,
+                  analysisId,
+                  organizationId,
+                  fixesById,
+                  scm,
+                  pullRequest,
+                  scanner,
+                  commitSha,
+                  fpDescription
+                });
+              }
+            )
+          );
+        }
+      ),
+      !ghFixerNoFixComments && postAnalysisInsightComment({
+        prVulenrabilities,
+        pullRequest,
+        scanner,
+        scm
+      })
+    ].filter(Boolean)
+  );
 }
 
 // src/features/analysis/auto_pr_handler.ts
@@ -12637,6 +12987,8 @@ var VulnerabilityReportSchema = z31.object({
   // GraphQL uses `any` type for timestamp
   vendor: z31.string(),
   // GraphQL generates as string, not enum
+  projectId: z31.any().optional(),
+  // GraphQL uses `any` type for UUID
   project: ProjectSchema,
   totalVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema,
   notFixableVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema
@@ -13136,7 +13488,7 @@ var McpGQLClient = class {
     const reportMetadata = {
       id: reportData.id,
       organizationId: reportData.vulnerabilityReport?.project?.organizationId,
-      projectId: reportData.vulnerabilityReport?.project?.id
+      projectId: reportData.vulnerabilityReport?.projectId
     };
     const { userFixes = [], fixes = [] } = reportData;
     const fixMap = /* @__PURE__ */ new Map();
@@ -13353,6 +13705,7 @@ var McpGQLClient = class {
         reportData: latestReport,
         limit
       });
+      logDebug("[GraphQL] GetReportFixes response parsed", { fixes });
       return {
         fixes,
         totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.191",
+  "version": "1.0.194",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",