mobbdev 1.0.86 → 1.0.87

package/README.md

@@ -30,6 +30,8 @@ Bugsy does not detect any vulnerabilities in your code, it uses findings detecte
 
 ## Usage
 
+### Command Line Interface
+
 You can simply run Bugsy from the command line, using npx:
 
 ```shell
@@ -76,6 +78,88 @@ npx mobbdev scan -h
 npx mobbdev analyze -h
 ```
 
+### Model Context Protocol (MCP) Server
+
+Bugsy can also be used as an MCP server, allowing AI assistants like Claude to automatically scan and fix vulnerabilities in your code repositories.
+
+#### Prerequisites
+
+1. **API Key**: You need a Mobb API key to use the MCP server functionality
+   - Sign up at [mobb.ai](https://app.mobb.ai) to get your API key
+   - Set the `API_KEY` environment variable: `export API_KEY=your_api_key_here`
+
+2. **Local Git Repository**: The MCP server analyzes git repositories with uncommitted changes
+   - Make sure your code is in a local git repository
+   - Have some modified, added, or staged files to analyze
+
+#### Installation
+
+Run mobb-mcp from command line:
+
+```shell
+npx mobbdev mcp
+```
+
+#### Configuration
+
+Add Mobb MCP to your Cursor MCP client configuration:
+`API_URL` is only required if you are not using https://app.mobb.ai
+
+```json
+{
+  "mcpServers": {
+    "mobb-mcp": {
+      "command": "npx",
+      "args": ["mobbdev", "mcp"],
+      "env": {
+        "API_KEY": "your_mobb_api_key_here",
+        "API_URL": "optional__your_mobb_api_url_here"
+      }
+    }
+  }
+}
+```
+
+#### Usage
+
+Once configured, you can use the MCP server through your AI assistant:
+
+1. **Ask Claude to scan for vulnerabilities**:
+   ```
+   run a scan with mobb-mcp
+   ```
+   or
+   ```
+   run fix-vulnerabilities mcp tool
+   ```
+
+2. **The MCP server will**:
+   - Validate the repository path
+   - Check for git changes (modified, added, or staged files)
+   - Upload the changed files for analysis
+   - Generate automated fixes for detected vulnerabilities
+   - Return detailed fix recommendations
+
+#### Available MCP Tools
+
+- **`fix_vulnerabilities`**: Scans the current code changes and returns fixes for potential vulnerabilities
+  - **Parameter**: `path` (string) - The path to the local git repository
+  - **Returns**: Detailed vulnerability fixes with code patches and explanations
+
+#### Example MCP Workflow
+
+1. Make changes to your code
+2. Stage or modify files in git
+3. Ask your AI assistant: "Can you check my code for security vulnerabilities?"
+4. The assistant will use the MCP server to analyze your changes
+5. Receive detailed fix recommendations with code patches
+
+#### Troubleshooting
+
+- **"API_KEY environment variable is not set"**: Make sure you've set your Mobb API key
+- **"Path is not a valid git repository"**: Ensure you're pointing to a valid git repository
+- **"No changed files found"**: Make sure you have modified, added, or staged files in your repository
+
 ## Using Bugsy as part of a CI/CD pipeline
 
 If you utilize SAST scans as part of the CI/CD pipeline, Bugsy can be easiy added and provide immediate fix for every issue detected.

package/dist/index.mjs

@@ -259,7 +259,6 @@ var RepoNoTokenAccessError = class extends Error {
 import { z as z2 } from "zod";
 
 // src/features/analysis/scm/generates/client_generates.ts
-import { graphql } from "msw";
 var FixQuestionInputType = /* @__PURE__ */ ((FixQuestionInputType2) => {
   FixQuestionInputType2["Number"] = "NUMBER";
   FixQuestionInputType2["Select"] = "SELECT";
@@ -4631,7 +4630,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin2 = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path11 = [
+      const path12 = [
         prefixPath,
         owner,
         projectName,
@@ -4642,7 +4641,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path11}?${params2}`, origin2).toString();
+      return new URL(`${path12}?${params2}`, origin2).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -6100,14 +6099,14 @@ function getGithubSdk(params = {}) {
       };
     },
     async getGithubBlameRanges(params2) {
-      const { ref, gitHubUrl, path: path11 } = params2;
+      const { ref, gitHubUrl, path: path12 } = params2;
       const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
       const res = await octokit.graphql(
         GET_BLAME_DOCUMENT,
         {
           owner,
           repo,
-          path: path11,
+          path: path12,
           ref
         }
       );
@@ -6413,11 +6412,11 @@ var GithubSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path11) {
+  async getRepoBlameRanges(ref, path12) {
     this._validateUrl();
     return await this.githubSdk.getGithubBlameRanges({
       ref,
-      path: path11,
+      path: path12,
       gitHubUrl: this.url
     });
   }
@@ -6819,13 +6818,13 @@ function parseGitlabOwnerAndRepo(gitlabUrl) {
   const { organization, repoName, projectPath } = parsingResult;
   return { owner: organization, repo: repoName, projectPath };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path11 }, options) {
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path12 }, options) {
   const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
   const api2 = getGitBeaker({
     url: gitlabUrl,
     gitlabAuthToken: options?.gitlabAuthToken
   });
-  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path11, ref);
+  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path12, ref);
   let lineNumber = 1;
   return resp.filter((range) => range.lines).map((range) => {
     const oldLineNumber = lineNumber;
@@ -7001,10 +7000,10 @@ var GitlabSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path11) {
+  async getRepoBlameRanges(ref, path12) {
     this._validateUrl();
     return await getGitlabBlameRanges(
-      { ref, path: path11, gitlabUrl: this.url },
+      { ref, path: path12, gitlabUrl: this.url },
       {
         url: this.url,
         gitlabAuthToken: this.accessToken
@@ -7387,10 +7386,11 @@ function filterSarifResult(sarifResult, codePathPatterns) {
   const paths = sarifResult.locations.map(
     (l) => l.physicalLocation.artifactLocation.uri
   );
-  const matchPaths = multimatch(paths, codePathPatterns, {
+  const uniquePaths = [...new Set(paths)];
+  const matchPaths = multimatch(uniquePaths, codePathPatterns, {
     dot: true
   });
-  return matchPaths.length > 0;
+  return matchPaths.length === uniquePaths.length;
 }
 function fortifyVulnerabilityToSarifResult(vulnerability, auditMetadataParser, reportMetadataParser, unifiedNodePoolParser) {
   const suppressed = auditMetadataParser?.getAuditMetadata()[vulnerability.instanceID] || "false";
@@ -7999,7 +7999,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path11,
+    path: path12,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -8014,7 +8014,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path11,
+    path: path12,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -8048,7 +8048,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path11,
+    path: path12,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -8066,7 +8066,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path11,
+    path: path12,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -10588,15 +10588,15 @@ var McpServer = class {
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
-import { z as z32 } from "zod";
-
 // src/mcp/services/GitService.ts
+import * as path9 from "path";
 import { simpleGit as simpleGit4 } from "simple-git";
 var GitService = class {
   constructor(repositoryPath) {
     __publicField(this, "git");
+    __publicField(this, "repositoryPath");
     this.git = simpleGit4(repositoryPath, { binary: "git" });
+    this.repositoryPath = repositoryPath;
     logDebug("Git service initialized", { repositoryPath });
   }
   /**
@@ -10626,11 +10626,31 @@ var GitService = class {
     logDebug("Getting git status");
     try {
       const status = await this.git.status();
-      const files = status.files.map((file) => file.path);
+      const gitRoot = await this.git.revparse(["--show-toplevel"]);
+      const relativePathFromGitRoot = path9.relative(
+        gitRoot,
+        this.repositoryPath
+      );
+      const files = status.files.map((file) => {
+        const gitRelativePath = file.path;
+        if (relativePathFromGitRoot === "") {
+          return gitRelativePath;
+        }
+        if (gitRelativePath.startsWith(relativePathFromGitRoot + "/")) {
+          return gitRelativePath.substring(relativePathFromGitRoot.length + 1);
+        }
+        return path9.relative(
+          this.repositoryPath,
+          path9.join(gitRoot, gitRelativePath)
+        );
+      });
       logInfo("Git status retrieved", {
         fileCount: files.length,
-        files: files.slice(0, 10)
+        files: files.slice(0, 10),
         // Log first 10 files to avoid spam
+        gitRoot,
+        workingDir: this.repositoryPath,
+        relativePathFromGitRoot
       });
       return { files, status };
     } catch (error) {
@@ -10641,10 +10661,10 @@ var GitService = class {
   }
 };
 
-// src/mcp/services/PathValidationService.ts
+// src/mcp/services/PathValidation.ts
 import fs8 from "node:fs";
-import path9 from "node:path";
-var PathValidationService = class {
+import path10 from "node:path";
+var PathValidation = class {
   /**
    * Validates a path for MCP usage - combines security and existence checks
    */
@@ -10655,7 +10675,7 @@ var PathValidationService = class {
       logError(error);
       return { isValid: false, error };
     }
-    const normalizedPath = path9.normalize(inputPath);
+    const normalizedPath = path10.normalize(inputPath);
     if (normalizedPath.includes("..")) {
       const error = `Normalized path contains path traversal patterns: ${inputPath}`;
       logError(error);
@@ -10686,93 +10706,9 @@ var PathValidationService = class {
   }
 };
 
-// src/mcp/tools/base/BaseTool.ts
-import { z as z31 } from "zod";
-var BaseTool = class {
-  getDefinition() {
-    return {
-      name: this.name,
-      display_name: this.displayName,
-      description: this.description,
-      inputSchema: {
-        type: "object",
-        properties: {
-          path: {
-            type: "string",
-            description: "The path to the local git repository"
-          }
-        },
-        required: ["path"]
-      }
-    };
-  }
-  async execute(args) {
-    logInfo(`Executing tool: ${this.name}`, { args });
-    const validatedArgs = this.validateInput(args);
-    logDebug(`Tool ${this.name} input validation successful`, {
-      validatedArgs
-    });
-    await this.validateAdditional(validatedArgs);
-    try {
-      const result = await this.executeInternal(validatedArgs);
-      logInfo(`Tool ${this.name} executed successfully`);
-      return result;
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      logError(`Tool ${this.name} execution failed: ${errorMessage}`, {
-        error,
-        args
-      });
-      return this.createErrorResponse(errorMessage);
-    }
-  }
-  validateInput(args) {
-    try {
-      return this.inputSchema.parse(args);
-    } catch (error) {
-      if (error instanceof z31.ZodError) {
-        const errorDetails = error.errors.map((e) => {
-          const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
-          const message = e.message === "Required" ? `Missing required parameter '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
-          return message;
-        });
-        const errorMessage = `Invalid arguments: ${errorDetails.join(", ")}`;
-        throw new Error(errorMessage);
-      }
-      throw error;
-    }
-  }
-  /**
-   * Additional validation that should bubble up as MCP errors
-   * Override this method in subclasses to add custom validation
-   */
-  async validateAdditional(_validatedArgs) {
-  }
-  createSuccessResponse(text) {
-    return {
-      content: [
-        {
-          type: "text",
-          text
-        }
-      ]
-    };
-  }
-  createErrorResponse(error) {
-    return {
-      content: [
-        {
-          type: "text",
-          text: error
-        }
-      ]
-    };
-  }
-};
-
-// src/mcp/services/FilePackingService.ts
+// src/mcp/services/FilePacking.ts
 import fs9 from "node:fs";
-import path10 from "node:path";
+import path11 from "node:path";
 import AdmZip3 from "adm-zip";
 import { isBinary as isBinary2 } from "istextorbinary";
 var MAX_FILE_SIZE2 = 1024 * 1024 * 5;
@@ -10946,9 +10882,9 @@ var EXCLUDED_FILE_PATTERNS = [
   // Web specific
   ".htaccess"
 ];
-var FilePackingService = class {
+var FilePacking = class {
   isExcludedFileType(filepath) {
-    const basename = path10.basename(filepath).toLowerCase();
+    const basename = path11.basename(filepath).toLowerCase();
     if (basename === ".env" || basename.startsWith(".env.")) {
       return true;
     }
@@ -10958,27 +10894,25 @@ var FilePackingService = class {
     return false;
   }
   async packFiles(sourceDirectoryPath, filesToPack) {
-    logInfo(`FilePackingService: packing files from ${sourceDirectoryPath}`);
+    logInfo(`FilePacking: packing files from ${sourceDirectoryPath}`);
     const zip = new AdmZip3();
     let packedFilesCount = 0;
-    logInfo("FilePackingService: compressing files");
+    logInfo("FilePacking: compressing files");
     for (const filepath of filesToPack) {
-      const absoluteFilepath = path10.join(sourceDirectoryPath, filepath);
+      const absoluteFilepath = path11.join(sourceDirectoryPath, filepath);
       if (this.isExcludedFileType(filepath)) {
         logInfo(
-          `FilePackingService: ignoring ${filepath} because it is an excluded file type`
+          `FilePacking: ignoring ${filepath} because it is an excluded file type`
         );
         continue;
       }
       if (!fs9.existsSync(absoluteFilepath)) {
-        logInfo(
-          `FilePackingService: ignoring ${filepath} because it does not exist`
-        );
+        logInfo(`FilePacking: ignoring ${filepath} because it does not exist`);
         continue;
       }
       if (fs9.lstatSync(absoluteFilepath).size > MAX_FILE_SIZE2) {
         logInfo(
-          `FilePackingService: ignoring ${filepath} because the size is > ${MAX_FILE_SIZE2 / (1024 * 1024)}MB`
+          `FilePacking: ignoring ${filepath} because the size is > ${MAX_FILE_SIZE2 / (1024 * 1024)}MB`
         );
         continue;
       }
@@ -10987,13 +10921,13 @@ var FilePackingService = class {
         data = fs9.readFileSync(absoluteFilepath);
       } catch (fsError) {
         logInfo(
-          `FilePackingService: failed to read ${filepath} from filesystem: ${fsError}`
+          `FilePacking: failed to read ${filepath} from filesystem: ${fsError}`
         );
         continue;
       }
       if (isBinary2(null, data)) {
         logInfo(
-          `FilePackingService: ignoring ${filepath} because it seems to be a binary file`
+          `FilePacking: ignoring ${filepath} because it seems to be a binary file`
         );
         continue;
       }
@@ -11002,17 +10936,17 @@ var FilePackingService = class {
     }
     const zipBuffer = zip.toBuffer();
     logInfo(
-      `FilePackingService: read ${packedFilesCount} source files. total size: ${zipBuffer.length} bytes`
+      `FilePacking: read ${packedFilesCount} source files. total size: ${zipBuffer.length} bytes`
     );
-    logInfo("FilePackingService: Files packed successfully");
+    logInfo("FilePacking: Files packed successfully");
     return zipBuffer;
   }
 };
 
-// src/mcp/services/FileUploadService.ts
+// src/mcp/services/FileUpload.ts
 import { HttpProxyAgent as HttpProxyAgent2 } from "http-proxy-agent";
 import { HttpsProxyAgent as HttpsProxyAgent3 } from "https-proxy-agent";
-var FileUploadService = class {
+var FileUpload = class {
   getProxyAgent(url) {
     const HTTPS_PROXY2 = process.env["HTTPS_PROXY"];
     const HTTP_PROXY2 = process.env["HTTP_PROXY"];
@@ -11022,21 +10956,21 @@ var FileUploadService = class {
       const isHttps = parsedUrl.protocol === "https:";
       const proxy = isHttps ? HTTPS_PROXY2 : isHttp ? HTTP_PROXY2 : null;
       if (proxy) {
-        logInfo(`FileUploadService: Using proxy ${proxy}`);
+        logInfo(`FileUpload: Using proxy ${proxy}`);
         return isHttps ? new HttpsProxyAgent3(proxy) : new HttpProxyAgent2(proxy);
       }
     } catch (err) {
       logInfo(
-        `FileUploadService: Skipping proxy for ${url}. Reason: ${err.message}`
+        `FileUpload: Skipping proxy for ${url}. Reason: ${err.message}`
       );
     }
     return void 0;
   }
   async uploadFile(options) {
     const { file, url, uploadKey, uploadFields } = options;
-    logInfo(`FileUploadService: upload file start ${url}`);
-    logInfo(`FileUploadService: upload fields`, uploadFields);
-    logInfo(`FileUploadService: upload key ${uploadKey}`);
+    logInfo(`FileUpload: upload file start ${url}`);
+    logInfo(`FileUpload: upload fields`, uploadFields);
+    logInfo(`FileUpload: upload key ${uploadKey}`);
     const {
       default: fetch5,
       File: File2,
@@ -11051,10 +10985,10 @@ var FileUploadService = class {
       form.append("key", uploadKey);
     }
     if (typeof file === "string") {
-      logInfo(`FileUploadService: upload file from path ${file}`);
+      logInfo(`FileUpload: upload file from path ${file}`);
       form.append("file", await fileFrom2(file));
     } else {
-      logInfo(`FileUploadService: upload file from buffer`);
+      logInfo(`FileUpload: upload file from buffer`);
       form.append("file", new File2([file], "file"));
     }
     const agent = this.getProxyAgent(url);
@@ -11064,141 +10998,14 @@ var FileUploadService = class {
       agent
     });
     if (!response.ok) {
-      logInfo(
-        `FileUploadService: error from S3 ${response.body} ${response.status}`
-      );
+      logInfo(`FileUpload: error from S3 ${response.body} ${response.status}`);
       throw new Error(`Failed to upload the file: ${response.status}`);
     }
-    logInfo(`FileUploadService: upload file done`);
+    logInfo(`FileUpload: upload file done`);
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/helpers/LLMResponsePrompts.ts
-function frienlyType(s) {
-  const withoutUnderscores = s.replace(/_/g, " ");
-  const result = withoutUnderscores.replace(/([a-z])([A-Z])/g, "$1 $2");
-  return result.charAt(0).toUpperCase() + result.slice(1);
-}
-var noFixesFoundPrompt = `\u{1F389} **MOBB SECURITY SCAN COMPLETED SUCCESSFULLY** \u{1F389}
-
-## Congratulations! No Vulnerabilities Found
-
-Your code has been thoroughly analyzed by Mobb's advanced security scanning engine, and we're pleased to report that **no security vulnerabilities were detected** in your codebase.
-
-### \u{1F6E1}\uFE0F What This Means
-- Your code follows secure coding practices
-- No immediate security risks were identified
-- Your application appears to be well-protected against common vulnerabilities
-
-### \u2705 Scan Summary
-- **Status:** Complete
-- **Vulnerabilities Found:** 0
-- **Security Rating:** Excellent
-- **Action Required:** None
-
-### \u{1F680} Next Steps
-While no vulnerabilities were found in this scan:
-1. **Keep up the great work** with secure coding practices
-2. **Run regular scans** as your codebase evolves
-3. **Stay updated** with the latest security best practices
-4. **Consider periodic security reviews** for ongoing protection
-
-### \u{1F4CA} Scan Details
-This scan analyzed your code for common security issues including:
-- SQL Injection vulnerabilities
-- Cross-Site Scripting (XSS) flaws
-- Authentication and authorization issues
-- Input validation problems
-- And many other security concerns
-
-**Well done on maintaining a secure codebase!** \u{1F3C6}`;
-var fixesPrompt = (fixes) => {
-  const fix = fixes[0];
-  if (!fix) {
-    return noFixesFoundPrompt;
-  }
-  const fixList = fixes.map((fix2) => {
-    const vulnerabilityType = frienlyType(fix2.safeIssueType);
-    const vulnerabilityDescription = fix2.patchAndQuestions?.__typename === "FixData" ? fix2.patchAndQuestions.extraContext?.fixDescription : void 0;
-    const patch = fix2.patchAndQuestions?.__typename === "FixData" ? fix2.patchAndQuestions.patch : void 0;
-    return {
-      vulnerabilityType,
-      vulnerabilityDescription,
-      patch
-    };
-  });
-  return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
-
-## CRITICAL INSTRUCTIONS - READ CAREFULLY
-
-You are an AI code assistant tasked with applying security vulnerability fixes. Follow these instructions EXACTLY:
-
-### 1. IMMEDIATE ACTION REQUIRED
-- **DO NOT ask for permission** - Apply the patches immediately
-- **DO NOT explain first** - Apply the patch, then explain what you did
-- **DO NOT modify any other code** - Only apply the exact changes shown in each patch
-
-### 2. HOW TO APPLY EACH PATCH
-For each fix below:
-1. **Identify the target file** from the patch header (e.g., \`src/database/queries.js\`)
-2. **Locate the exact lines** shown in the patch context
-3. **Remove lines** that start with \`-\` (minus sign)
-4. **Add lines** that start with \`+\` (plus sign)
-5. **Keep unchanged lines** exactly as they are (lines without +/- prefix)
-6. **Preserve indentation and formatting** exactly as shown
-
-### 3. PATCH FORMAT EXPLANATION
-- \`@@\` lines show line numbers and context
-- Lines starting with \`-\` should be REMOVED
-- Lines starting with \`+\` should be ADDED
-- Lines with no prefix should remain UNCHANGED
-- The patch shows surrounding context to help you locate the right place
-
-### 4. VALIDATION STEPS
-After applying each patch:
-1. Verify the file syntax is correct
-2. Ensure no unrelated code was modified
-3. Confirm the vulnerability is addressed
-
-### 5. ERROR HANDLING
-If you cannot apply a patch:
-1. Explain specifically what went wrong
-2. Show the current state of the target lines
-3. Ask for clarification on the specific issue
-
----
-
-# SECURITY FIXES TO APPLY
-
-${fixList.map(
-    (fix2, index) => `
-## Fix ${index + 1}: ${fix2.vulnerabilityType}
-
-**\u{1F3AF} Target:** Apply this patch to fix a ${fix2.vulnerabilityType.toLowerCase()} vulnerability
-
-**\u{1F4DD} Description:** ${fix2.vulnerabilityDescription || "Security vulnerability fix"}
-
-**\u{1F527} Action Required:** Apply the following patch exactly as shown
-
-**\u{1F4C1} Patch to Apply:**
-\`\`\`diff
-${fix2.patch || "No patch available"}
-\`\`\`
-
-**\u2705 Expected Result:** The vulnerability will be fixed and the code will be more secure
-
----`
-  ).join("\n")}
-
-## FINAL REMINDER
-- Apply ALL patches above in order
-- Do NOT ask for permission
-- Explain what you did AFTER applying the patches
-- If any patch fails, continue with the others and report issues at the end
-  `;
-};
-
-// src/mcp/tools/fixVulnerabilities/helpers/McpGQLClient.ts
+// src/mcp/services/McpGQLClient.ts
 import { GraphQLClient as GraphQLClient2 } from "graphql-request";
 import { v4 as uuidv42 } from "uuid";
 
@@ -11206,7 +11013,7 @@ import { v4 as uuidv42 } from "uuid";
 var DEFAULT_API_URL = "https://api.mobb.ai/v1/graphql";
 var API_KEY_HEADER_NAME2 = "x-mobb-key";
 
-// src/mcp/tools/fixVulnerabilities/helpers/subscribe.ts
+// src/mcp/services/Subscribe.ts
 import Debug20 from "debug";
 import { createClient as createClient2 } from "graphql-ws";
 import { HttpsProxyAgent as HttpsProxyAgent4 } from "https-proxy-agent";
@@ -11238,71 +11045,74 @@ function createWSClient2(options) {
     }
   });
 }
-function subscribe2(query, variables, callback, wsClientOptions) {
-  return new Promise((resolve, reject) => {
-    let timer = null;
-    const { timeoutInMs = SUBSCRIPTION_TIMEOUT_MS2 } = wsClientOptions;
-    const API_URL2 = process.env["API_URL"] || DEFAULT_API_URL;
-    const client = createWSClient2({
-      ...wsClientOptions,
-      websocket: WebSocket2,
-      url: API_URL2.replace("http", "ws")
-    });
-    const unsubscribe = client.subscribe(
-      { query, variables },
-      {
-        next: (data) => {
-          function callbackResolve(data2) {
-            unsubscribe();
-            if (timer) {
-              clearTimeout(timer);
+var Subscribe = class {
+  static subscribe(query, variables, callback, wsClientOptions) {
+    return new Promise((resolve, reject) => {
+      let timer = null;
+      const { timeoutInMs = SUBSCRIPTION_TIMEOUT_MS2 } = wsClientOptions;
+      const API_URL2 = process.env["API_URL"] || DEFAULT_API_URL;
+      const client = createWSClient2({
+        ...wsClientOptions,
+        websocket: WebSocket2,
+        url: API_URL2.replace("http", "ws")
+      });
+      const unsubscribe = client.subscribe(
+        { query, variables },
+        {
+          next: (data) => {
+            function callbackResolve(data2) {
+              unsubscribe();
+              if (timer) {
+                clearTimeout(timer);
+              }
+              resolve(data2);
             }
-            resolve(data2);
-          }
-          function callbackReject(data2) {
-            unsubscribe();
+            function callbackReject(data2) {
+              unsubscribe();
+              if (timer) {
+                clearTimeout(timer);
+              }
+              reject(data2);
+            }
+            if (!data.data) {
+              reject(
+                new Error(
+                  `Broken data object from graphQL subscribe: ${JSON.stringify(
+                    data
+                  )} for query: ${query}`
+                )
+              );
+            } else {
+              callback(callbackResolve, callbackReject, data.data);
+            }
+          },
+          error: (error) => {
             if (timer) {
               clearTimeout(timer);
             }
-            reject(data2);
-          }
-          if (!data.data) {
-            reject(
-              new Error(
-                `Broken data object from graphQL subscribe: ${JSON.stringify(
-                  data
-                )} for query: ${query}`
-              )
-            );
-          } else {
-            callback(callbackResolve, callbackReject, data.data);
-          }
-        },
-        error: (error) => {
-          if (timer) {
-            clearTimeout(timer);
+            reject(error);
+          },
+          complete: () => {
+            return;
           }
-          reject(error);
-        },
-        complete: () => {
-          return;
         }
+      );
+      if (typeof timeoutInMs === "number") {
+        timer = setTimeout(() => {
+          unsubscribe();
+          reject(
+            new Error(
+              `Timeout expired for graphQL subscribe query: ${query} with timeout: ${timeoutInMs}`
+            )
+          );
+        }, timeoutInMs);
       }
-    );
-    if (typeof timeoutInMs === "number") {
-      timer = setTimeout(() => {
-        unsubscribe();
-        reject(
-          new Error(
-            `Timeout expired for graphQL subscribe query: ${query} with timeout: ${timeoutInMs}`
-          )
-        );
-      }, timeoutInMs);
-    }
-  });
-}
+    });
+  }
+};
+var subscribe2 = Subscribe.subscribe;
 
-// src/mcp/tools/fixVulnerabilities/helpers/McpGQLClient.ts
+// src/mcp/services/McpGQLClient.ts
 var McpGQLClient = class {
   constructor(args) {
     __publicField(this, "client");
@@ -11515,15 +11325,140 @@ var McpGQLClient = class {
   }
 };
 
-// src/mcp/tools/fixVulnerabilities/services/VulnerabilityFixService.ts
+// src/mcp/tools/fixVulnerabilities/helpers/LLMResponsePrompts.ts
+function frienlyType(s) {
+  const withoutUnderscores = s.replace(/_/g, " ");
+  const result = withoutUnderscores.replace(/([a-z])([A-Z])/g, "$1 $2");
+  return result.charAt(0).toUpperCase() + result.slice(1);
+}
+var noFixesFoundPrompt = `\u{1F389} **MOBB SECURITY SCAN COMPLETED SUCCESSFULLY** \u{1F389}
+
+## Congratulations! No Vulnerabilities Found
+
+Your code has been thoroughly analyzed by Mobb's advanced security scanning engine, and we're pleased to report that **no security vulnerabilities were detected** in your codebase.
+
+### \u{1F6E1}\uFE0F What This Means
+- Your code follows secure coding practices
+- No immediate security risks were identified
+- Your application appears to be well-protected against common vulnerabilities
+
+### \u2705 Scan Summary
+- **Status:** Complete
+- **Vulnerabilities Found:** 0
+- **Security Rating:** Excellent
+- **Action Required:** None
+
+### \u{1F680} Next Steps
+While no vulnerabilities were found in this scan:
+1. **Keep up the great work** with secure coding practices
+2. **Run regular scans** as your codebase evolves
+3. **Stay updated** with the latest security best practices
+4. **Consider periodic security reviews** for ongoing protection
+
+### \u{1F4CA} Scan Details
+This scan analyzed your code for common security issues including:
+- SQL Injection vulnerabilities
+- Cross-Site Scripting (XSS) flaws
+- Authentication and authorization issues
+- Input validation problems
+- And many other security concerns
+
+**Well done on maintaining a secure codebase!** \u{1F3C6}`;
+var fixesPrompt = (fixes) => {
+  const fix = fixes[0];
+  if (!fix) {
+    return noFixesFoundPrompt;
+  }
+  const fixList = fixes.map((fix2) => {
+    const vulnerabilityType = frienlyType(fix2.safeIssueType);
+    const vulnerabilityDescription = fix2.patchAndQuestions?.__typename === "FixData" ? fix2.patchAndQuestions.extraContext?.fixDescription : void 0;
+    const patch = fix2.patchAndQuestions?.__typename === "FixData" ? fix2.patchAndQuestions.patch : void 0;
+    return {
+      vulnerabilityType,
+      vulnerabilityDescription,
+      patch
+    };
+  });
+  return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
+
+## CRITICAL INSTRUCTIONS - READ CAREFULLY
+
+You are an AI code assistant tasked with applying security vulnerability fixes. Follow these instructions EXACTLY:
+
+### 1. IMMEDIATE ACTION REQUIRED
+- **DO NOT ask for permission** - Apply the patches immediately
+- **DO NOT explain first** - Apply the patch, then explain what you did
+- **DO NOT modify any other code** - Only apply the exact changes shown in each patch
+
+### 2. HOW TO APPLY EACH PATCH
+For each fix below:
+1. **Identify the target file** from the patch header (e.g., \`src/database/queries.js\`)
+2. **Locate the exact lines** shown in the patch context
+3. **Remove lines** that start with \`-\` (minus sign)
+4. **Add lines** that start with \`+\` (plus sign)
+5. **Keep unchanged lines** exactly as they are (lines without +/- prefix)
+6. **Preserve indentation and formatting** exactly as shown
+
+### 3. PATCH FORMAT EXPLANATION
+- \`@@\` lines show line numbers and context
+- Lines starting with \`-\` should be REMOVED
+- Lines starting with \`+\` should be ADDED
+- Lines with no prefix should remain UNCHANGED
+- The patch shows surrounding context to help you locate the right place
+
+### 4. VALIDATION STEPS
+After applying each patch:
+1. Verify the file syntax is correct
+2. Ensure no unrelated code was modified
+3. Confirm the vulnerability is addressed
+
+### 5. ERROR HANDLING
+If you cannot apply a patch:
+1. Explain specifically what went wrong
+2. Show the current state of the target lines
+3. Ask for clarification on the specific issue
+
+---
+
+# SECURITY FIXES TO APPLY
+
+${fixList.map(
+    (fix2, index) => `
+## Fix ${index + 1}: ${fix2.vulnerabilityType}
+
+**\u{1F3AF} Target:** Apply this patch to fix a ${fix2.vulnerabilityType.toLowerCase()} vulnerability
+
+**\u{1F4DD} Description:** ${fix2.vulnerabilityDescription || "Security vulnerability fix"}
+
+**\u{1F527} Action Required:** Apply the following patch exactly as shown
+
+**\u{1F4C1} Patch to Apply:**
+\`\`\`diff
+${fix2.patch || "No patch available"}
+\`\`\`
+
+**\u2705 Expected Result:** The vulnerability will be fixed and the code will be more secure
+
+---`
+  ).join("\n")}
+
+## FINAL REMINDER
+- Apply ALL patches above in order
+- Do NOT ask for permission
+- Explain what you did AFTER applying the patches
+- If any patch fails, continue with the others and report issues at the end
+  `;
+};
+
+// src/mcp/tools/fixVulnerabilities/VulnerabilityFixService.ts
 var VUL_REPORT_DIGEST_TIMEOUT_MS2 = 1e3 * 60 * 5;
 var VulnerabilityFixService = class {
   constructor() {
     __publicField(this, "gqlClient");
-    __publicField(this, "filePackingService");
-    __publicField(this, "fileUploadService");
-    this.filePackingService = new FilePackingService();
-    this.fileUploadService = new FileUploadService();
+    __publicField(this, "filePacking");
+    __publicField(this, "fileUpload");
+    this.filePacking = new FilePacking();
+    this.fileUpload = new FileUpload();
   }
   async processVulnerabilities(fileList, repositoryPath) {
     try {
@@ -11586,7 +11521,7 @@ var VulnerabilityFixService = class {
   }
   async packFiles(fileList, repositoryPath) {
     try {
-      const zipBuffer = await this.filePackingService.packFiles(
+      const zipBuffer = await this.filePacking.packFiles(
         repositoryPath,
         fileList
       );
@@ -11602,7 +11537,7 @@ var VulnerabilityFixService = class {
       throw new Error("Upload info is required");
     }
     try {
-      await this.fileUploadService.uploadFile({
+      await this.fileUpload.uploadFile({
         file: zipBuffer,
         url: repoUploadInfo.url,
         uploadFields: JSON.parse(repoUploadInfo.uploadFieldsJSON),
@@ -11671,46 +11606,85 @@ var VulnerabilityFixService = class {
 };
 
 // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
-var FixVulnerabilitiesInputSchema = z32.object({
-  path: z32.string().min(1, "Path is required and must be a string")
-});
-var FixVulnerabilitiesTool = class extends BaseTool {
+var FixVulnerabilitiesTool = class {
   constructor() {
-    super(...arguments);
     __publicField(this, "name", "fix_vulnerabilities");
-    __publicField(this, "displayName", "fix_vulnerabilities");
+    __publicField(this, "display_name", "fix_vulnerabilities");
     __publicField(this, "description", "Scans the current code changes and returns fixes for potential vulnerabilities");
-    __publicField(this, "inputSchema", FixVulnerabilitiesInputSchema);
-  }
-  async validateAdditional(validatedArgs) {
-    const { path: path11 } = validatedArgs;
-    const pathValidationService = new PathValidationService();
-    const pathValidation = await pathValidationService.validatePath(path11);
-    if (!pathValidation.isValid) {
-      const errorMessage = `Invalid path: potential security risk detected in path: ${path11}`;
-      throw new Error(errorMessage);
+    __publicField(this, "inputSchema", {
+      type: "object",
+      properties: {
+        path: {
+          type: "string",
+          description: "The path to the local git repository"
+        }
+      },
+      required: ["path"]
+    });
+  }
+  async execute(args) {
+    logInfo("Executing tool: fix_vulnerabilities", { path: args.path });
+    if (!args.path) {
+      throw new Error("Invalid arguments: Missing required parameter 'path'");
     }
-    const gitService = new GitService(path11);
+    const pathValidation = new PathValidation();
+    const pathValidationResult = await pathValidation.validatePath(args.path);
+    if (!pathValidationResult.isValid) {
+      throw new Error(
+        `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
+      );
+    }
+    const gitService = new GitService(args.path);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(gitValidation.error || "Git repository validation failed");
     }
-  }
-  async executeInternal(validatedArgs) {
-    const { path: path11 } = validatedArgs;
-    const gitService = new GitService(path11);
     const gitResult = await gitService.getChangedFiles();
     if (gitResult.files.length === 0) {
-      return this.createSuccessResponse(
-        "No changed files found in the git repository. The vulnerability scanner analyzes modified, added, or staged files. Make some changes to your code and try again."
+      return {
+        content: [
+          {
+            type: "text",
+            text: "No changed files found in the git repository. The vulnerability scanner analyzes modified, added, or staged files. Make some changes to your code and try again."
+          }
+        ]
+      };
+    }
+    try {
+      const vulnerabilityFixService = new VulnerabilityFixService();
+      const fixResult = await vulnerabilityFixService.processVulnerabilities(
+        gitResult.files,
+        args.path
       );
+      const result = {
+        content: [
+          {
+            type: "text",
+            text: fixResult
+          }
+        ]
+      };
+      logInfo("Tool execution completed successfully", {
+        resultLength: fixResult.length,
+        fileCount: gitResult.files.length,
+        result
+      });
+      return result;
+    } catch (error) {
+      const errorResult = {
+        content: [
+          {
+            type: "text",
+            text: error.message
+          }
+        ]
+      };
+      logInfo("Tool execution failed", {
+        error: error.message,
+        result: errorResult
+      });
+      return errorResult;
     }
-    const vulnerabilityFixService = new VulnerabilityFixService();
-    const fixResult = await vulnerabilityFixService.processVulnerabilities(
-      gitResult.files,
-      path11
-    );
-    return this.createSuccessResponse(fixResult);
   }
 };
 
@@ -11724,7 +11698,12 @@ function createMcpServer() {
   const fixVulnerabilitiesTool = new FixVulnerabilitiesTool();
   server.registerTool({
     name: fixVulnerabilitiesTool.name,
-    definition: fixVulnerabilitiesTool.getDefinition(),
+    definition: {
+      name: fixVulnerabilitiesTool.name,
+      display_name: fixVulnerabilitiesTool.display_name,
+      description: fixVulnerabilitiesTool.description,
+      inputSchema: fixVulnerabilitiesTool.inputSchema
+    },
     execute: (args) => fixVulnerabilitiesTool.execute(args)
   });
   logInfo("MCP server created and configured");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.86",
+  "version": "1.0.87",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -69,7 +69,6 @@
     "istextorbinary": "6.0.0",
     "libsodium-wrappers": "0.7.15",
     "multimatch": "7.0.0",
-    "msw": "2.7.6",
     "nanospinner": "1.1.0",
     "node-fetch": "3.3.2",
     "octokit": "3.2.1",
@@ -92,7 +91,6 @@
     "@graphql-codegen/cli": "5.0.6",
     "@graphql-codegen/typescript": "4.1.6",
     "@graphql-codegen/typescript-graphql-request": "6.2.0",
-    "@graphql-codegen/typescript-msw": "3.0.0",
     "@graphql-codegen/typescript-operations": "4.6.1",
     "@octokit/types": "13.10.0",
     "@types/adm-zip": "0.5.7",
@@ -116,7 +114,7 @@
     "eslint-plugin-import": "2.31.0",
     "eslint-plugin-prettier": "5.4.0",
     "eslint-plugin-simple-import-sort": "10.0.0",
-    "eslint-plugin-unicorn": "48.0.0",
+    "msw": "2.7.6",
     "nock": "14.0.4",
     "prettier": "3.5.3",
     "tsup": "8.4.0",