mobbdev 1.1.39 → 1.1.41

package/dist/index.mjs

@@ -12,7 +12,7 @@ var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "sy
 
 // src/features/analysis/scm/env.ts
 import { z as z15 } from "zod";
-var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB;
+var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
 var init_env = __esm({
   "src/features/analysis/scm/env.ts"() {
     "use strict";
@@ -20,13 +20,15 @@ var init_env = __esm({
       GITLAB_API_TOKEN: z15.string().optional(),
       GITHUB_API_TOKEN: z15.string().optional(),
       GIT_PROXY_HOST: z15.string().optional().default("http://tinyproxy:8888"),
-      MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(5)
+      MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(5),
+      GITHUB_API_CONCURRENCY: z15.coerce.number().gt(0).optional().default(10)
     });
     ({
       GITLAB_API_TOKEN,
       GITHUB_API_TOKEN,
       GIT_PROXY_HOST,
-      MAX_UPLOAD_FILE_SIZE_MB
+      MAX_UPLOAD_FILE_SIZE_MB,
+      GITHUB_API_CONCURRENCY
     } = EnvVariablesZod.parse(process.env));
   }
 });
@@ -1383,19 +1385,16 @@ import StreamZip from "node-stream-zip";
 import tmp from "tmp";
 
 // src/features/analysis/scm/errors.ts
-var InvalidRepoUrlError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
 var InvalidAccessTokenError = class extends Error {
-  constructor(m) {
+  constructor(m, scmType) {
     super(m);
+    this.scmType = scmType;
   }
 };
 var InvalidUrlPatternError = class extends Error {
-  constructor(m) {
+  constructor(m, scmType) {
     super(m);
+    this.scmType = scmType;
   }
 };
 var RefNotFoundError = class extends Error {
@@ -1403,12 +1402,38 @@ var RefNotFoundError = class extends Error {
     super(m);
   }
 };
+var ScmBadCredentialsError = class extends Error {
+  constructor(m, scmType) {
+    super(m);
+    this.scmType = scmType;
+  }
+};
+var InvalidRepoUrlError = class extends Error {
+  constructor(m, scmType) {
+    super(m);
+    this.scmType = scmType;
+  }
+};
 var RepoNoTokenAccessError = class extends Error {
   constructor(m, scmType) {
     super(m);
     this.scmType = scmType;
   }
 };
+var RateLimitError = class extends Error {
+  constructor(m, scmType, retryAfter) {
+    super(m);
+    this.scmType = scmType;
+    this.retryAfter = retryAfter;
+  }
+};
+var NetworkError = class extends Error {
+  constructor(m, scmType, errorCode) {
+    super(m);
+    this.scmType = scmType;
+    this.errorCode = errorCode;
+  }
+};
 
 // src/features/analysis/scm/utils/index.ts
 import { z as z14 } from "zod";
@@ -6820,6 +6845,35 @@ var SCMLib = class {
       password: accessToken
     });
   }
+  /**
+   * Search for PRs with optional filters and sorting.
+   * IMPORTANT: Sort order must remain consistent across paginated requests
+   * for cursor-based pagination to work correctly.
+   *
+   * Default implementation uses getSubmitRequests and applies filters/sorting in-memory.
+   * Override in subclasses for provider-specific optimizations (e.g., GitHub Search API).
+   *
+   * @param params - Search parameters including filters, sort, and pagination
+   * @returns Paginated search results with cursor
+   */
+  async searchSubmitRequests(_params) {
+    throw new Error(
+      "searchSubmitRequests is not implemented for this SCM provider"
+    );
+  }
+  /**
+   * Search repositories with pagination support.
+   * IMPORTANT: Sort order must remain consistent across paginated requests
+   * for cursor-based pagination to work correctly.
+   *
+   * Must be overridden in subclasses with provider-specific implementations.
+   *
+   * @param params - Search parameters including sort and pagination
+   * @returns Paginated search results with cursor
+   */
+  async searchRepos(_params) {
+    throw new Error("searchRepos is not implemented for this SCM provider");
+  }
   /**
    * Fetches commits for multiple PRs in a single batch request.
    * This is an optimization that not all SCM providers may support efficiently.
@@ -6832,6 +6886,31 @@ var SCMLib = class {
   async getPrCommitsBatch(_repoUrl, _prNumbers) {
     throw new Error("getPrCommitsBatch not implemented for this SCM provider");
   }
+  /**
+   * Fetches additions and deletions counts for multiple PRs in batch.
+   * More efficient than fetching individual PR details.
+   *
+   * @param repoUrl - Repository URL
+   * @param prNumbers - Array of PR numbers to fetch metrics for
+   * @returns Map of PR number to additions/deletions count
+   */
+  async getPrAdditionsDeletionsBatch(_repoUrl, _prNumbers) {
+    throw new Error(
+      "getPrAdditionsDeletionsBatch not implemented for this SCM provider"
+    );
+  }
+  /**
+   * Batch fetch PR data (additions/deletions + comments) for multiple PRs.
+   * Only implemented for GitHub (via GraphQL). Other providers should override if supported.
+   * This is more efficient than calling getPrAdditionsDeletionsBatch separately.
+   *
+   * @param _repoUrl - Repository URL
+   * @param _prNumbers - Array of PR numbers to fetch data for
+   * @returns Map of PR number to { changedLines, comments }
+   */
+  async getPrDataBatch(_repoUrl, _prNumbers) {
+    throw new Error("getPrDataBatch not implemented for this SCM provider");
+  }
   getAccessToken() {
     return this.accessToken || "";
   }
@@ -7070,6 +7149,12 @@ var AdoSCMLib = class extends SCMLib {
   async getSubmitRequests(_repoUrl) {
     throw new Error("getSubmitRequests not implemented for ADO");
   }
+  async searchSubmitRequests(_params) {
+    throw new Error("searchSubmitRequests not implemented for ADO");
+  }
+  async searchRepos(_params) {
+    throw new Error("searchRepos not implemented for ADO");
+  }
   // TODO: Add comprehensive tests for getPullRequestMetrics (ADO)
   // See clients/cli/src/features/analysis/scm/__tests__/github.test.ts:589-648 for reference
   async getPullRequestMetrics(_prNumber) {
@@ -7491,7 +7576,7 @@ var BitbucketSCMLib = class extends SCMLib {
         return String(z20.number().parse(pullRequestRes.id));
       } catch (e) {
         console.warn(
-          `error creating pull request for BB. Try number ${i + 1}`,
+          `error creating pull request for BB. Try number ${String(i + 1).replace(/\n|\r/g, "")}`,
           e
         );
         await setTimeout3(1e3);
@@ -7646,6 +7731,12 @@ var BitbucketSCMLib = class extends SCMLib {
   async getSubmitRequests(_repoUrl) {
     throw new Error("getSubmitRequests not implemented for Bitbucket");
   }
+  async searchSubmitRequests(_params) {
+    throw new Error("searchSubmitRequests not implemented for Bitbucket");
+  }
+  async searchRepos(_params) {
+    throw new Error("searchRepos not implemented for Bitbucket");
+  }
   // TODO: Add comprehensive tests for getPullRequestMetrics (Bitbucket)
   // See clients/cli/src/features/analysis/scm/__tests__/github.test.ts:589-648 for reference
   async getPullRequestMetrics(_prNumber) {
@@ -7662,11 +7753,78 @@ var REPORT_DEFAULT_FILE_NAME = "report.json";
 init_env();
 
 // src/features/analysis/scm/github/GithubSCMLib.ts
-import pLimit from "p-limit";
+init_env();
+import pLimit2 from "p-limit";
 import { z as z21 } from "zod";
 
+// src/features/analysis/scm/utils/cursorValidation.ts
+var MAX_CURSOR_VALUE = 1e5;
+function parseCursorSafe(cursor, defaultValue = 0, maxValue = MAX_CURSOR_VALUE) {
+  if (cursor === null || cursor === void 0 || cursor === "") {
+    return defaultValue;
+  }
+  const parsed = parseInt(cursor, 10);
+  if (isNaN(parsed) || parsed < 0 || parsed > maxValue) {
+    return defaultValue;
+  }
+  return parsed;
+}
+
 // src/features/analysis/scm/github/github.ts
 import { RequestError } from "@octokit/request-error";
+import pLimit from "p-limit";
+
+// src/utils/contextLogger.ts
+import debugModule from "debug";
+var debug3 = debugModule("mobb:shared");
+var _contextLogger = null;
+var createContextLogger = async () => {
+  if (_contextLogger) return _contextLogger;
+  try {
+    let logger2;
+    try {
+      let module;
+      try {
+        const buildPath = "../../../../../tscommon/backend/build/src/utils/logger";
+        module = await import(buildPath);
+      } catch (e) {
+        const sourcePath = "../../../../../tscommon/backend/src/utils/logger";
+        module = await import(sourcePath);
+      }
+      logger2 = module.logger;
+    } catch {
+    }
+    if (logger2) {
+      _contextLogger = {
+        info: (message, data) => data ? logger2.info(data, message) : logger2.info(message),
+        debug: (message, data) => data ? logger2.debug(data, message) : logger2.debug(message),
+        error: (message, data) => data ? logger2.error(data, message) : logger2.error(message)
+      };
+      return _contextLogger;
+    }
+  } catch {
+  }
+  _contextLogger = {
+    info: (message, data) => debug3(message, data),
+    debug: (message, data) => debug3(message, data),
+    error: (message, data) => debug3(message, data)
+  };
+  return _contextLogger;
+};
+var contextLogger = {
+  info: async (message, data) => {
+    const logger2 = await createContextLogger();
+    return logger2.info(message, data);
+  },
+  debug: async (message, data) => {
+    const logger2 = await createContextLogger();
+    return logger2.debug(message, data);
+  },
+  error: async (message, data) => {
+    const logger2 = await createContextLogger();
+    return logger2.error(message, data);
+  }
+};
 
 // src/features/analysis/scm/github/consts.ts
 var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments";
@@ -7900,6 +8058,55 @@ function getOctoKit(options) {
 function isGithubActionActionToken(token) {
   return token.startsWith("ghs_");
 }
+function handleGitHubError(error, scmType = "GitHub" /* GitHub */) {
+  const errorObj = error;
+  const status = errorObj.status || errorObj.statusCode || errorObj.response?.status || errorObj.response?.statusCode;
+  const headers = errorObj.headers || errorObj.response?.headers;
+  const retryAfter = headers?.["retry-after"] ? Number.parseInt(headers["retry-after"], 10) : headers?.["x-ratelimit-reset"] ? Math.max(
+    0,
+    Math.floor(
+      (Number.parseInt(headers["x-ratelimit-reset"], 10) * 1e3 - Date.now()) / 1e3
+    )
+  ) : void 0;
+  const errorMessage = errorObj.message || (error instanceof Error ? error.message : String(error));
+  if (status === 403 && retryAfter !== void 0 || errorMessage.toLowerCase().includes("rate limit") || errorMessage.toLowerCase().includes("api rate limit exceeded")) {
+    throw new RateLimitError(
+      "GitHub API rate limit exceeded",
+      scmType,
+      retryAfter
+    );
+  }
+  if (status === 401) {
+    throw new InvalidAccessTokenError(
+      "GitHub authentication failed - token may be expired or invalid",
+      scmType
+    );
+  }
+  if (status === 403) {
+    throw new ScmBadCredentialsError(
+      "GitHub access forbidden - insufficient permissions or invalid credentials",
+      scmType
+    );
+  }
+  if (status === 404) {
+    throw new InvalidRepoUrlError(
+      "GitHub repository or resource not found",
+      scmType
+    );
+  }
+  const errorCode = errorObj.code || errorObj.response?.code;
+  if (errorCode === "ECONNREFUSED" || errorCode === "ETIMEDOUT" || errorCode === "ENOTFOUND" || errorCode === "EAI_AGAIN") {
+    throw new NetworkError(
+      `GitHub network error: ${errorMessage}`,
+      scmType,
+      errorCode
+    );
+  }
+  if (error instanceof RateLimitError || error instanceof InvalidAccessTokenError || error instanceof ScmBadCredentialsError || error instanceof InvalidRepoUrlError || error instanceof NetworkError || error instanceof InvalidUrlPatternError) {
+    throw error;
+  }
+  throw new Error(`GitHub API error: ${errorMessage}`);
+}
 async function githubValidateParams(url, accessToken) {
   try {
     const oktoKit = getOctoKit({ auth: accessToken, url });
@@ -7916,23 +8123,118 @@ async function githubValidateParams(url, accessToken) {
     }
   } catch (e) {
     console.log("could not init github scm", e);
-    const error = e;
-    const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    if (code === 401 || code === 403) {
-      throw new InvalidAccessTokenError(`invalid github access token`);
-    }
-    if (code === 404) {
-      throw new InvalidRepoUrlError(`invalid github repo Url ${url}`);
-    }
-    console.log("githubValidateParams error", e);
-    throw new InvalidRepoUrlError(
-      `cannot access GH repo URL: ${url} with the provided access token`
-    );
+    handleGitHubError(e, "GitHub" /* GitHub */);
   }
 }
 
 // src/features/analysis/scm/github/github.ts
 var MAX_GH_PR_BODY_LENGTH = 65536;
+var BLAME_LARGE_FILE_THRESHOLD_BYTES = 1e6;
+var BLAME_THRESHOLD_REDUCTION_BYTES = 1e5;
+var BLAME_MIN_THRESHOLD_BYTES = 1e5;
+var GRAPHQL_INPUT_PATTERNS = {
+  // File paths: most printable ASCII chars, unicode letters/numbers
+  // Allows: letters, numbers, spaces, common punctuation, path separators
+  // Disallows: control characters, null bytes
+  path: /^[\p{L}\p{N}\p{Zs}\-._/@+#~%()[\]{}=!,;'&]+$/u,
+  // Git refs: branch/tag names follow git-check-ref-format rules
+  // Allows: letters, numbers, slashes, dots, hyphens, underscores
+  // Can also be "ref:path" format for expressions
+  ref: /^[\p{L}\p{N}\-._/:@]+$/u,
+  // Git SHAs: strictly hexadecimal (short or full)
+  sha: /^[0-9a-fA-F]+$/
+};
+function validateGraphQLInput(value, type2) {
+  const pattern = GRAPHQL_INPUT_PATTERNS[type2];
+  if (!pattern.test(value)) {
+    void contextLogger.info(
+      "[GraphQL] Input contains unexpected characters, proceeding with escaping",
+      {
+        type: type2,
+        valueLength: value.length,
+        // Log first 100 chars to help debug without exposing full value
+        valueSample: value.slice(0, 100)
+      }
+    );
+    return false;
+  }
+  return true;
+}
+function escapeGraphQLString(value) {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\f/g, "\\f").replace(/[\b]/g, "\\b");
+}
+function safeGraphQLString(value, type2) {
+  validateGraphQLInput(value, type2);
+  return escapeGraphQLString(value);
+}
+function extractBlameRanges(data) {
+  const fileData = data;
+  if (fileData.blame?.ranges) {
+    return fileData.blame.ranges.map((range) => ({
+      startingLine: range.startingLine,
+      endingLine: range.endingLine,
+      commitSha: range.commit.oid
+    }));
+  }
+  return void 0;
+}
+function buildBlameFragment(ref) {
+  const escapedRef = safeGraphQLString(ref, "ref");
+  return (path22, index) => {
+    const escapedPath = safeGraphQLString(path22, "path");
+    return `
+    file${index}: object(expression: "${escapedRef}") {
+      ... on Commit {
+        ${GITHUB_GRAPHQL_FRAGMENTS.BLAME_RANGES.replace("$path", escapedPath)}
+      }
+    }`;
+  };
+}
+function createBatchesByTotalSize(files, threshold) {
+  const batches = [];
+  let currentBatch = [];
+  let currentBatchSize = 0;
+  for (const file of files) {
+    if (currentBatchSize + file.size > threshold && currentBatch.length > 0) {
+      batches.push(currentBatch);
+      currentBatch = [];
+      currentBatchSize = 0;
+    }
+    currentBatch.push(file);
+    currentBatchSize += file.size;
+  }
+  if (currentBatch.length > 0) {
+    batches.push(currentBatch);
+  }
+  return batches;
+}
+async function fetchBlameForBatch(octokit, owner, repo, ref, files) {
+  if (files.length === 0) {
+    return /* @__PURE__ */ new Map();
+  }
+  return executeBatchGraphQL(octokit, owner, repo, {
+    items: files.map((f) => f.path),
+    aliasPrefix: "file",
+    buildFragment: buildBlameFragment(ref),
+    extractResult: extractBlameRanges
+  });
+}
+async function processBlameAttempt(params) {
+  const { octokit, owner, repo, ref, batches, concurrency } = params;
+  const result = /* @__PURE__ */ new Map();
+  const limit = pLimit(concurrency);
+  const batchResults = await Promise.all(
+    batches.map(
+      (batch) => limit(() => fetchBlameForBatch(octokit, owner, repo, ref, batch))
+    )
+  );
+  for (const batchResult of batchResults) {
+    for (const [path22, blameData] of batchResult) {
+      result.set(path22, blameData);
+    }
+  }
+  return result;
+}
 async function executeBatchGraphQL(octokit, owner, repo, config2) {
   const { items, aliasPrefix, buildFragment, extractResult } = config2;
   if (items.length === 0) {
@@ -8520,20 +8822,223 @@ function getGithubSdk(params = {}) {
         }
       });
     },
+    /**
+     * Batch fetch PR data (additions/deletions + comments) for multiple PRs via GraphQL.
+     * Combines PR_CHANGES and PR_COMMENTS fragments into a single API call for efficiency.
+     * This is more efficient than calling getPrAdditionsDeletionsBatch and getPrCommentsBatch separately.
+     */
+    async getPrDataBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.prNumbers,
+        aliasPrefix: "pr",
+        buildFragment: (prNumber, index) => `
+          pr${index}: pullRequest(number: ${prNumber}) {
+            ${GITHUB_GRAPHQL_FRAGMENTS.PR_CHANGES}
+            ${GITHUB_GRAPHQL_FRAGMENTS.PR_COMMENTS}
+          }`,
+        extractResult: (data) => {
+          const prData = data;
+          if (prData.additions !== void 0 && prData.deletions !== void 0) {
+            const comments = prData.comments?.nodes ? prData.comments.nodes.map((node) => ({
+              author: node.author ? { login: node.author.login, type: node.author.__typename } : null,
+              body: node.body
+            })) : [];
+            return {
+              changedLines: {
+                additions: prData.additions,
+                deletions: prData.deletions
+              },
+              comments
+            };
+          }
+          return void 0;
+        }
+      });
+    },
+    /**
+     * Batch fetch blob sizes for multiple files via GraphQL.
+     * Used to determine which files are too large to batch in blame queries.
+     */
+    async getBlobSizesBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.blobShas,
+        aliasPrefix: "blob",
+        buildFragment: (sha, index) => {
+          const escapedSha = safeGraphQLString(sha, "sha");
+          return `
+          blob${index}: object(oid: "${escapedSha}") {
+            ... on Blob {
+              byteSize
+            }
+          }`;
+        },
+        extractResult: (data) => {
+          const blobData = data;
+          if (blobData.byteSize !== void 0) {
+            return blobData.byteSize;
+          }
+          return void 0;
+        }
+      });
+    },
     /**
      * Batch fetch blame data for multiple files via GraphQL.
      * Uses GITHUB_GRAPHQL_FRAGMENTS.BLAME_RANGES for the field selection.
+     *
+     * Optimized to handle large files with retry logic:
+     * - Files above threshold are processed individually with rate limiting
+     * - On failure, retries with reduced threshold (-100KB) and concurrency (-1)
+     * - Continues until success or threshold < 100KB
+     *
+     * @param params.files - Array of files with path and blobSha for size lookup
+     * @param params.concurrency - Max concurrent requests for large files (default: 2)
      */
     async getBlameBatch(params2) {
+      const {
+        owner,
+        repo,
+        ref,
+        files,
+        concurrency: initialConcurrency = 2
+      } = params2;
+      if (files.length === 0) {
+        return /* @__PURE__ */ new Map();
+      }
+      const filesWithSizes = await this.fetchFilesWithSizes(owner, repo, files);
+      return this.executeBlameWithRetries({
+        owner,
+        repo,
+        ref,
+        filesWithSizes,
+        initialConcurrency
+      });
+    },
+    /**
+     * Fetches blob sizes and creates a list of files with their sizes.
+     */
+    async fetchFilesWithSizes(owner, repo, files) {
+      const blobShas = files.map((f) => f.blobSha);
+      const blobSizes = await this.getBlobSizesBatch({ owner, repo, blobShas });
+      return files.map((file) => ({
+        ...file,
+        size: blobSizes.get(file.blobSha) ?? 0
+      }));
+    },
+    /**
+     * Executes blame fetching with retry logic on failure.
+     * Reduces threshold and concurrency on each retry attempt.
+     */
+    async executeBlameWithRetries(params2) {
+      const { owner, repo, ref, filesWithSizes, initialConcurrency } = params2;
+      let threshold = BLAME_LARGE_FILE_THRESHOLD_BYTES;
+      let concurrency = initialConcurrency;
+      let attempt = 1;
+      let lastError = null;
+      while (threshold >= BLAME_MIN_THRESHOLD_BYTES) {
+        const batches = createBatchesByTotalSize(filesWithSizes, threshold);
+        this.logBlameAttemptStart(
+          attempt,
+          threshold,
+          concurrency,
+          filesWithSizes.length,
+          batches.length,
+          owner,
+          repo,
+          ref
+        );
+        try {
+          const result = await processBlameAttempt({
+            octokit,
+            owner,
+            repo,
+            ref,
+            batches,
+            concurrency
+          });
+          this.logBlameAttemptSuccess(attempt, result.size, owner, repo);
+          return result;
+        } catch (error) {
+          lastError = error instanceof Error ? error : new Error(String(error));
+          this.logBlameAttemptFailure(
+            attempt,
+            threshold,
+            concurrency,
+            lastError.message,
+            owner,
+            repo
+          );
+          threshold -= BLAME_THRESHOLD_REDUCTION_BYTES;
+          concurrency = Math.max(1, concurrency - 1);
+          attempt++;
+        }
+      }
+      void contextLogger.error("[getBlameBatch] Exhausted all retries", {
+        attempts: attempt - 1,
+        repo: `${owner}/${repo}`,
+        ref,
+        error: lastError?.message || "unknown"
+      });
+      throw lastError || new Error("getBlameBatch failed after all retries");
+    },
+    /**
+     * Logs the start of a blame batch attempt.
+     */
+    logBlameAttemptStart(attempt, threshold, concurrency, totalFiles, batchCount, owner, repo, ref) {
+      void contextLogger.debug("[getBlameBatch] Processing attempt", {
+        attempt,
+        threshold,
+        concurrency,
+        totalFiles,
+        batchCount,
+        repo: `${owner}/${repo}`,
+        ref
+      });
+    },
+    /**
+     * Logs a successful blame batch attempt.
+     */
+    logBlameAttemptSuccess(attempt, filesProcessed, owner, repo) {
+      void contextLogger.debug("[getBlameBatch] Successfully processed batch", {
+        attempt,
+        filesProcessed,
+        repo: `${owner}/${repo}`
+      });
+    },
+    /**
+     * Logs a failed blame batch attempt.
+     */
+    logBlameAttemptFailure(attempt, threshold, concurrency, errorMessage, owner, repo) {
+      void contextLogger.debug(
+        "[getBlameBatch] Attempt failed, retrying with reduced threshold",
+        {
+          attempt,
+          threshold,
+          concurrency,
+          error: errorMessage,
+          repo: `${owner}/${repo}`
+        }
+      );
+    },
+    /**
+     * Batch fetch blame data for multiple files via GraphQL (legacy interface).
+     * This is a convenience wrapper that accepts file paths without blob SHAs.
+     * Note: This does NOT perform size-based optimization. Use getBlameBatch with
+     * files array including blobSha for optimized large file handling.
+     */
+    async getBlameBatchByPaths(params2) {
+      const escapedRef = safeGraphQLString(params2.ref, "ref");
       return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
         items: params2.filePaths,
         aliasPrefix: "file",
-        buildFragment: (path22, index) => `
-          file${index}: object(expression: "${params2.ref}") {
+        buildFragment: (path22, index) => {
+          const escapedPath = safeGraphQLString(path22, "path");
+          return `
+          file${index}: object(expression: "${escapedRef}") {
             ... on Commit {
-              ${GITHUB_GRAPHQL_FRAGMENTS.BLAME_RANGES.replace("$path", path22)}
+              ${GITHUB_GRAPHQL_FRAGMENTS.BLAME_RANGES.replace("$path", escapedPath)}
             }
-          }`,
+          }`;
+        },
         extractResult: (data) => {
           const fileData = data;
           if (fileData.blame?.ranges) {
@@ -8555,12 +9060,15 @@ function getGithubSdk(params = {}) {
       return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
         items: params2.commitShas,
         aliasPrefix: "commit",
-        buildFragment: (sha, index) => `
-          commit${index}: object(oid: "${sha}") {
+        buildFragment: (sha, index) => {
+          const escapedSha = safeGraphQLString(sha, "sha");
+          return `
+          commit${index}: object(oid: "${escapedSha}") {
             ... on Commit {
               ${GITHUB_GRAPHQL_FRAGMENTS.COMMIT_TIMESTAMP}
             }
-          }`,
+          }`;
+        },
         extractResult: (data) => {
           const commitData = data;
           if (commitData.oid && commitData.committedDate) {
@@ -8583,12 +9091,76 @@ function getGithubSdk(params = {}) {
         }
       );
       return res;
+    },
+    /**
+     * Search PRs using GitHub's Search API with sorting
+     * https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests
+     */
+    async searchPullRequests(params2) {
+      const {
+        owner,
+        repo,
+        updatedAfter,
+        state = "all",
+        sort = { field: "updated", order: "desc" },
+        perPage = 10,
+        page = 1
+      } = params2;
+      let query = `repo:${owner}/${repo} is:pr`;
+      if (updatedAfter) {
+        const dateStr = updatedAfter.toISOString().split("T")[0];
+        query += ` updated:>=${dateStr}`;
+      }
+      if (state !== "all") {
+        query += ` is:${state}`;
+      }
+      const githubSortField = sort.field === "updated" || sort.field === "created" ? sort.field : "comments";
+      const response = await octokit.rest.search.issuesAndPullRequests({
+        q: query,
+        sort: githubSortField,
+        order: sort.order,
+        per_page: perPage,
+        page
+      });
+      return {
+        items: response.data.items,
+        totalCount: response.data.total_count,
+        hasMore: page * perPage < response.data.total_count
+      };
+    },
+    /**
+     * Search repositories using GitHub's Search API.
+     * Docs: https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-repositories
+     */
+    async searchRepositories(params2) {
+      const {
+        org,
+        sort = { field: "updated", order: "desc" },
+        perPage = 10,
+        page = 1
+      } = params2;
+      if (!org) {
+        throw new Error("Organization is required for repository search");
+      }
+      const query = `org:${org}`;
+      const githubSortField = sort.field === "name" ? void 0 : "updated";
+      const response = await octokit.rest.search.repos({
+        q: query,
+        sort: githubSortField,
+        order: sort.order,
+        per_page: perPage,
+        page
+      });
+      return {
+        items: response.data.items,
+        totalCount: response.data.total_count,
+        hasMore: page * perPage < response.data.total_count
+      };
     }
   };
 }
 
 // src/features/analysis/scm/github/GithubSCMLib.ts
-var GITHUB_COMMIT_FETCH_CONCURRENCY = parseInt(process.env["GITHUB_COMMIT_CONCURRENCY"] || "10", 10) || 10;
 function determinePrStatus(state, isDraft) {
   switch (state) {
     case "CLOSED":
@@ -8599,7 +9171,7 @@ function determinePrStatus(state, isDraft) {
       return isDraft ? "DRAFT" /* Draft */ : "ACTIVE" /* Active */;
   }
 }
-var GithubSCMLib = class extends SCMLib {
+var GithubSCMLib = class _GithubSCMLib extends SCMLib {
   // we don't always need a url, what's important is that we have an access token
   constructor(url, accessToken, scmOrg) {
     super(url, accessToken, scmOrg);
@@ -8955,7 +9527,7 @@ var GithubSCMLib = class extends SCMLib {
       }),
       this.getPrDiff({ pull_number: prNumber })
     ]);
-    const limit = pLimit(GITHUB_COMMIT_FETCH_CONCURRENCY);
+    const limit = pLimit2(GITHUB_API_CONCURRENCY);
     const commits = await Promise.all(
       commitsRes.data.map(
         (commit) => limit(
@@ -9009,7 +9581,7 @@ var GithubSCMLib = class extends SCMLib {
         removed: changedLinesData.deletions
       } : { added: 0, removed: 0 };
       const comments = commentsMap.get(pr.number) || [];
-      const tickets = this._extractLinearTicketsFromComments(comments);
+      const tickets = _GithubSCMLib.extractLinearTicketsFromComments(comments);
       return {
         submitRequestId: String(pr.number),
         submitRequestNumber: pr.number,
@@ -9028,6 +9600,59 @@ var GithubSCMLib = class extends SCMLib {
     });
     return submitRequests;
   }
+  /**
+   * Override searchSubmitRequests to use GitHub's Search API for efficient pagination.
+   * This is much faster than fetching all PRs and filtering in-memory.
+   */
+  async searchSubmitRequests(params) {
+    this._validateAccessToken();
+    const { owner, repo } = parseGithubOwnerAndRepo(params.repoUrl);
+    const page = parseCursorSafe(params.cursor, 1);
+    const perPage = params.limit || 10;
+    const sort = params.sort || { field: "updated", order: "desc" };
+    const searchResult = await this.githubSdk.searchPullRequests({
+      owner,
+      repo,
+      updatedAfter: params.filters?.updatedAfter,
+      state: params.filters?.state,
+      sort,
+      perPage,
+      page
+    });
+    const results = searchResult.items.map((issue) => {
+      let status = "open";
+      if (issue.state === "closed") {
+        status = issue.pull_request?.merged_at ? "merged" : "closed";
+      } else if (issue.draft) {
+        status = "draft";
+      }
+      return {
+        submitRequestId: String(issue.number),
+        submitRequestNumber: issue.number,
+        title: issue.title,
+        status,
+        sourceBranch: "",
+        // Not available in search API
+        targetBranch: "",
+        // Not available in search API
+        authorName: issue.user?.login,
+        authorEmail: void 0,
+        // Not available in search API
+        createdAt: new Date(issue.created_at),
+        updatedAt: new Date(issue.updated_at),
+        description: issue.body || void 0,
+        tickets: [],
+        // Would need separate parsing
+        changedLines: { added: 0, removed: 0 }
+        // Not available in search API
+      };
+    });
+    return {
+      results,
+      nextCursor: searchResult.hasMore ? String(page + 1) : void 0,
+      hasMore: searchResult.hasMore
+    };
+  }
   /**
    * Fetches commits for multiple PRs in a single GraphQL request.
    * Much more efficient than calling getSubmitRequestDiff for each PR.
@@ -9041,6 +9666,109 @@ var GithubSCMLib = class extends SCMLib {
     const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
     return this.githubSdk.getPrCommitsBatch({ owner, repo, prNumbers });
   }
+  /**
+   * Fetches additions and deletions counts for multiple PRs in a single GraphQL request.
+   * Used to enrich search results with changed lines data.
+   *
+   * @param repoUrl - Repository URL
+   * @param prNumbers - Array of PR numbers to fetch metrics for
+   * @returns Map of PR number to additions/deletions count
+   */
+  async getPrAdditionsDeletionsBatch(repoUrl, prNumbers) {
+    this._validateAccessToken();
+    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+    return this.githubSdk.getPrAdditionsDeletionsBatch({
+      owner,
+      repo,
+      prNumbers
+    });
+  }
+  /**
+   * Batch fetch PR data (additions/deletions + comments) for multiple PRs.
+   * Combines both metrics into a single GraphQL call for efficiency.
+   *
+   * @param repoUrl - Repository URL
+   * @param prNumbers - Array of PR numbers to fetch data for
+   * @returns Map of PR number to { changedLines, comments }
+   */
+  async getPrDataBatch(repoUrl, prNumbers) {
+    this._validateAccessToken();
+    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
+    return this.githubSdk.getPrDataBatch({
+      owner,
+      repo,
+      prNumbers
+    });
+  }
+  /**
+   * Override searchRepos to use GitHub's Search API for efficient pagination.
+   * This is much faster than fetching all repos and filtering in-memory.
+   *
+   * Note: GitHub Search API doesn't support sorting by name, so when name sorting
+   * is requested, we fall back to fetching all repos and sorting in-memory.
+   */
+  async searchRepos(params) {
+    this._validateAccessToken();
+    const sort = params.sort || { field: "updated", order: "desc" };
+    if (!params.scmOrg || sort.field === "name") {
+      return this.searchReposInMemory(params);
+    }
+    return this.searchReposWithApi(params);
+  }
+  /**
+   * Search repos by fetching all and sorting/paginating in-memory.
+   * Used when name sorting is requested or no organization is provided.
+   */
+  async searchReposInMemory(params) {
+    const repos = await this.getRepoList(params.scmOrg);
+    const sort = params.sort || { field: "updated", order: "desc" };
+    const sortOrder = sort.order === "asc" ? 1 : -1;
+    const sortedRepos = [...repos].sort((a, b) => {
+      if (sort.field === "name") {
+        return a.repoName.localeCompare(b.repoName) * sortOrder;
+      }
+      const aDate = a.repoUpdatedAt ? Date.parse(a.repoUpdatedAt) : 0;
+      const bDate = b.repoUpdatedAt ? Date.parse(b.repoUpdatedAt) : 0;
+      return (aDate - bDate) * sortOrder;
+    });
+    const limit = params.limit || 10;
+    const offset = parseCursorSafe(params.cursor, 0);
+    const paged = sortedRepos.slice(offset, offset + limit);
+    const nextOffset = offset + limit;
+    return {
+      results: paged,
+      nextCursor: nextOffset < sortedRepos.length ? String(nextOffset) : void 0,
+      hasMore: nextOffset < sortedRepos.length
+    };
+  }
+  /**
+   * Search repos using GitHub Search API for efficient server-side pagination.
+   * Only supports date-based sorting (updated/created).
+   */
+  async searchReposWithApi(params) {
+    const page = parseCursorSafe(params.cursor, 1);
+    const perPage = params.limit || 10;
+    const sort = params.sort || { field: "updated", order: "desc" };
+    const searchResult = await this.githubSdk.searchRepositories({
+      org: params.scmOrg,
+      sort,
+      perPage,
+      page
+    });
+    const results = searchResult.items.map((repo) => ({
+      repoName: repo.name,
+      repoUrl: repo.html_url || repo.url,
+      repoOwner: repo.owner?.login || "",
+      repoLanguages: repo.language ? [repo.language] : [],
+      repoIsPublic: !repo.private,
+      repoUpdatedAt: repo.updated_at || null
+    }));
+    return {
+      results,
+      nextCursor: searchResult.hasMore ? String(page + 1) : void 0,
+      hasMore: searchResult.hasMore
+    };
+  }
   async getPullRequestMetrics(prNumber) {
     this._validateAccessTokenAndUrl();
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
@@ -9093,7 +9821,7 @@ var GithubSCMLib = class extends SCMLib {
    * Parse a Linear ticket from URL and name
    * Returns null if invalid or missing data
    */
-  _parseLinearTicket(url, name) {
+  static _parseLinearTicket(url, name) {
     if (!name || !url) {
       return null;
     }
@@ -9104,8 +9832,9 @@ var GithubSCMLib = class extends SCMLib {
   }
   /**
    * Extract Linear ticket links from pre-fetched comments (pure function, no API calls)
+   * Public static method so it can be reused by backend services.
    */
-  _extractLinearTicketsFromComments(comments) {
+  static extractLinearTicketsFromComments(comments) {
     const tickets = [];
     const seen = /* @__PURE__ */ new Set();
     for (const comment of comments) {
@@ -9114,7 +9843,7 @@ var GithubSCMLib = class extends SCMLib {
         const htmlPattern = /<a href="(https:\/\/linear\.app\/[^"]+)">([A-Z]+-\d+)<\/a>/g;
         let match;
         while ((match = htmlPattern.exec(body)) !== null) {
-          const ticket = this._parseLinearTicket(match[1], match[2]);
+          const ticket = _GithubSCMLib._parseLinearTicket(match[1], match[2]);
           if (ticket && !seen.has(`${ticket.name}|${ticket.url}`)) {
             seen.add(`${ticket.name}|${ticket.url}`);
             tickets.push(ticket);
@@ -9122,7 +9851,7 @@ var GithubSCMLib = class extends SCMLib {
         }
         const markdownPattern = /\[([A-Z]+-\d+)\]\((https:\/\/linear\.app\/[^)]+)\)/g;
         while ((match = markdownPattern.exec(body)) !== null) {
-          const ticket = this._parseLinearTicket(match[2], match[1]);
+          const ticket = _GithubSCMLib._parseLinearTicket(match[2], match[1]);
           if (ticket && !seen.has(`${ticket.name}|${ticket.url}`)) {
             seen.add(`${ticket.name}|${ticket.url}`);
             tickets.push(ticket);
@@ -9184,6 +9913,11 @@ var GithubSCMLib = class extends SCMLib {
   /**
    * Optimized helper to attribute PR lines to commits using blame API
    * Batch blame queries for minimal API call time (1 call instead of M calls)
+   *
+   * Uses size-based batching to handle large files:
+   * - Files > 1MB are processed individually with rate limiting
+   * - Smaller files are batched together in a single request
+   * This prevents GitHub API timeouts (~10s) on large generated files.
    */
   async _attributeLinesViaBlame(params) {
     const { headSha, changedFiles, prCommits } = params;
@@ -9192,19 +9926,25 @@ var GithubSCMLib = class extends SCMLib {
       if (!file.patch || file.patch.trim().length === 0) {
         return false;
       }
+      if (!file.sha) {
+        return false;
+      }
       return true;
     });
     if (filesWithAdditions.length === 0) {
       return [];
     }
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    const refToUse = headSha;
     const blameMap = await this.githubSdk.getBlameBatch({
       owner,
       repo,
-      ref: refToUse,
+      ref: headSha,
       // Use commit SHA directly from PR.head.sha
-      filePaths: filesWithAdditions.map((f) => f.filename)
+      files: filesWithAdditions.map((f) => ({
+        path: f.filename,
+        blobSha: f.sha
+      })),
+      concurrency: GITHUB_API_CONCURRENCY
     });
     const allAttributions = [];
     for (const file of filesWithAdditions) {
@@ -9235,12 +9975,6 @@ import {
   fetch as undiciFetch,
   ProxyAgent as ProxyAgent2
 } from "undici";
-
-// src/utils/contextLogger.ts
-import debugModule from "debug";
-var debug3 = debugModule("mobb:shared");
-
-// src/features/analysis/scm/gitlab/gitlab.ts
 init_env();
 
 // src/features/analysis/scm/gitlab/types.ts
@@ -9790,6 +10524,12 @@ var GitlabSCMLib = class extends SCMLib {
   async getSubmitRequests(_repoUrl) {
     throw new Error("getSubmitRequests not implemented for GitLab");
   }
+  async searchSubmitRequests(_params) {
+    throw new Error("searchSubmitRequests not implemented for GitLab");
+  }
+  async searchRepos(_params) {
+    throw new Error("searchRepos not implemented for GitLab");
+  }
   // TODO: Add comprehensive tests for getPullRequestMetrics (GitLab)
   // See clients/cli/src/features/analysis/scm/__tests__/github.test.ts:589-648 for reference
   async getPullRequestMetrics(_prNumber) {
@@ -10847,10 +11587,12 @@ import tmp2 from "tmp";
 import { z as z29 } from "zod";
 
 // src/commands/handleMobbLogin.ts
-import crypto from "crypto";
-import os from "os";
 import chalk3 from "chalk";
 import Debug6 from "debug";
+
+// src/commands/AuthManager.ts
+import crypto from "crypto";
+import os from "os";
 import open from "open";
 
 // src/features/analysis/graphql/gql.ts
@@ -11606,10 +12348,174 @@ function getConfigStore() {
 }
 var configStore = getConfigStore();
 
-// src/commands/handleMobbLogin.ts
-var debug7 = Debug6("mobbdev:commands");
+// src/commands/AuthManager.ts
 var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
 var LOGIN_CHECK_DELAY = 5 * 1e3;
+var AuthManager = class {
+  constructor(webAppUrl, apiUrl) {
+    __publicField(this, "publicKey");
+    __publicField(this, "privateKey");
+    __publicField(this, "loginId");
+    __publicField(this, "gqlClient");
+    __publicField(this, "currentBrowserUrl");
+    __publicField(this, "authenticated", null);
+    __publicField(this, "resolvedWebAppUrl");
+    __publicField(this, "resolvedApiUrl");
+    this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
+    this.resolvedApiUrl = apiUrl || API_URL;
+  }
+  openUrlInBrowser() {
+    if (this.currentBrowserUrl) {
+      open(this.currentBrowserUrl);
+      return true;
+    }
+    return false;
+  }
+  async waitForAuthentication() {
+    let newApiToken = null;
+    for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
+      newApiToken = await this.getApiToken();
+      if (newApiToken) {
+        break;
+      }
+      await sleep(LOGIN_CHECK_DELAY);
+    }
+    if (!newApiToken) {
+      return false;
+    }
+    this.gqlClient = new GQLClient({
+      apiKey: newApiToken,
+      type: "apiKey",
+      apiUrl: this.resolvedApiUrl
+    });
+    const loginSuccess = await this.gqlClient.validateUserToken();
+    if (loginSuccess) {
+      configStore.set("apiToken", newApiToken);
+      this.authenticated = true;
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Checks if the user is already authenticated
+   */
+  async isAuthenticated() {
+    if (this.authenticated === null) {
+      const result = await this.checkAuthentication();
+      this.authenticated = result.isAuthenticated;
+    }
+    return this.authenticated;
+  }
+  /**
+   * Private function to check if the user is authenticated with the server
+   */
+  async checkAuthentication(apiKey) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient(apiKey);
+      }
+      const isConnected = await this.gqlClient.verifyApiConnection();
+      if (!isConnected) {
+        return {
+          isAuthenticated: false,
+          message: "Failed to connect to Mobb server"
+        };
+      }
+      const userVerify = await this.gqlClient.validateUserToken();
+      if (!userVerify) {
+        return {
+          isAuthenticated: false,
+          message: "User token validation failed"
+        };
+      }
+    } catch (error) {
+      return {
+        isAuthenticated: false,
+        message: error instanceof Error ? error.message : "Unknown authentication error"
+      };
+    }
+    return { isAuthenticated: true, message: "Successfully authenticated" };
+  }
+  /**
+   * Generates a login URL for manual authentication
+   */
+  async generateLoginUrl(loginContext) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient();
+      }
+      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048
+      });
+      this.publicKey = publicKey;
+      this.privateKey = privateKey;
+      this.loginId = await this.gqlClient.createCliLogin({
+        publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
+      });
+      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
+      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os.hostname()}`;
+      this.currentBrowserUrl = browserUrl;
+      return browserUrl;
+    } catch (error) {
+      console.error("Failed to generate login URL:", error);
+      return null;
+    }
+  }
+  /**
+   * Retrieves and decrypts the API token after authentication
+   */
+  async getApiToken() {
+    if (!this.gqlClient || !this.loginId || !this.privateKey) {
+      return null;
+    }
+    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
+      loginId: this.loginId
+    });
+    if (encryptedApiToken) {
+      return crypto.privateDecrypt(
+        this.privateKey,
+        Buffer.from(encryptedApiToken, "base64")
+      ).toString("utf-8");
+    }
+    return null;
+  }
+  /**
+   * Gets the current GQL client (if authenticated)
+   */
+  getGQLClient(inputApiKey) {
+    if (this.gqlClient === void 0) {
+      this.gqlClient = new GQLClient({
+        apiKey: inputApiKey || configStore.get("apiToken") || "",
+        type: "apiKey",
+        apiUrl: this.resolvedApiUrl
+      });
+    }
+    return this.gqlClient;
+  }
+  /**
+   * Assigns a GQL client instance to the AuthManager, and resets auth state
+   * @param gqlClient The GQL client instance to set
+   */
+  setGQLClient(gqlClient) {
+    this.gqlClient = gqlClient;
+    this.cleanup();
+  }
+  /**
+   * Cleans up any active login session
+   */
+  cleanup() {
+    this.publicKey = void 0;
+    this.privateKey = void 0;
+    this.loginId = void 0;
+    this.authenticated = null;
+    this.currentBrowserUrl = null;
+  }
+};
+
+// src/commands/handleMobbLogin.ts
+var debug7 = Debug6("mobbdev:commands");
+var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
+var LOGIN_CHECK_DELAY2 = 5 * 1e3;
 var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk3.bgBlue(
   "press any key to continue"
 )};`;
@@ -11624,11 +12530,8 @@ async function getAuthenticatedGQLClient({
     apiUrl || "undefined",
     webAppUrl || "undefined"
   );
-  let gqlClient = new GQLClient({
-    apiKey: inputApiKey || configStore.get("apiToken") || "",
-    type: "apiKey",
-    apiUrl
-  });
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  let gqlClient = authManager.getGQLClient(inputApiKey);
   gqlClient = await handleMobbLogin({
     inGqlClient: gqlClient,
     skipPrompts: isSkipPrompts,
@@ -11645,35 +12548,28 @@ async function handleMobbLogin({
   webAppUrl,
   loginContext
 }) {
-  const resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
-  const resolvedApiUrl = apiUrl || API_URL;
   debug7(
     "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
-    resolvedApiUrl,
     apiUrl || "fallback",
-    resolvedWebAppUrl,
+    apiUrl || "fallback",
+    webAppUrl || "fallback",
     webAppUrl || "fallback"
   );
   const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
-  const isConnected = await inGqlClient.verifyApiConnection();
-  if (!isConnected) {
-    createSpinner5().start().error({
-      text: "\u{1F513} Connection to Mobb: failed to connect to the Mobb server"
-    });
-    throw new CliError(
-      "Connection to Mobb: failed to connect to the Mobb server"
-    );
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  authManager.setGQLClient(inGqlClient);
+  try {
+    const isAuthenticated = await authManager.isAuthenticated();
+    if (isAuthenticated) {
+      createSpinner5().start().success({
+        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
+      });
+      return authManager.getGQLClient();
+    }
+  } catch (error) {
+    debug7("Authentication check failed:", error);
   }
-  createSpinner5().start().success({
-    text: `\u{1F513} Connection to Mobb: succeeded`
-  });
-  const userVerify = await inGqlClient.validateUserToken();
-  if (userVerify) {
-    createSpinner5().start().success({
-      text: `\u{1F513} Login to Mobb succeeded. ${typeof userVerify === "string" ? `Logged in as ${userVerify}` : ""}`
-    });
-    return inGqlClient;
-  } else if (apiKey) {
+  if (apiKey) {
     createSpinner5().start().error({
       text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
     });
@@ -11689,57 +12585,32 @@ async function handleMobbLogin({
   loginSpinner.update({
     text: "\u{1F513} Waiting for Mobb login..."
   });
-  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
-    modulusLength: 2048
-  });
-  const loginId = await inGqlClient.createCliLogin({
-    publicKey: publicKey.export({ format: "pem", type: "pkcs1" }).toString()
-  });
-  const webLoginUrl = `${resolvedWebAppUrl}/cli-login`;
-  const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, loginId, os.hostname(), loginContext) : `${webLoginUrl}/${loginId}?hostname=${os.hostname()}`;
-  !skipPrompts && console.log(
-    `If the page does not open automatically, kindly access it through ${browserUrl}.`
-  );
-  await open(browserUrl);
-  let newApiToken = null;
-  for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
-    const encryptedApiToken = await inGqlClient.getEncryptedApiToken({
-      loginId
-    });
-    loginSpinner.spin();
-    if (encryptedApiToken) {
-      debug7("encrypted API token received %s", encryptedApiToken);
-      newApiToken = crypto.privateDecrypt(privateKey, Buffer.from(encryptedApiToken, "base64")).toString("utf-8");
-      debug7("API token decrypted");
-      break;
+  try {
+    const loginUrl = await authManager.generateLoginUrl(loginContext);
+    if (!loginUrl) {
+      loginSpinner.error({
+        text: "Failed to generate login URL"
+      });
+      throw new CliError("Failed to generate login URL");
+    }
+    !skipPrompts && console.log(
+      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    );
+    authManager.openUrlInBrowser();
+    const authSuccess = await authManager.waitForAuthentication();
+    if (!authSuccess) {
+      loginSpinner.error({
+        text: "Login timeout error"
+      });
+      throw new CliError("Login timeout error");
     }
-    await sleep(LOGIN_CHECK_DELAY);
-  }
-  if (!newApiToken) {
-    loginSpinner.error({
-      text: "Login timeout error"
-    });
-    throw new CliError();
-  }
-  const newGqlClient = new GQLClient({
-    apiKey: newApiToken,
-    type: "apiKey",
-    apiUrl: resolvedApiUrl
-  });
-  const loginSuccess = await newGqlClient.validateUserToken();
-  if (loginSuccess) {
-    debug7(`set api token ${newApiToken}`);
-    configStore.set("apiToken", newApiToken);
     loginSpinner.success({
-      text: `\u{1F513} Login to Mobb successful! ${typeof loginSpinner === "string" ? `Logged in as ${loginSuccess}` : ""}`
+      text: `\u{1F513} Login to Mobb successful!`
     });
-  } else {
-    loginSpinner.error({
-      text: "Something went wrong, API token is invalid."
-    });
-    throw new CliError();
+    return authManager.getGQLClient();
+  } finally {
+    authManager.cleanup();
   }
-  return newGqlClient;
 }
 
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
@@ -13306,7 +14177,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
       `If the page does not open automatically, kindly access it through ${scmAuthUrl2}.`
     );
     await open3(scmAuthUrl2);
-    for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
+    for (let i = 0; i < LOGIN_MAX_WAIT2 / LOGIN_CHECK_DELAY2; i++) {
       const userInfo2 = await gqlClient.getUserInfo();
       if (!userInfo2) {
         throw new CliError2("User info not found");
@@ -13325,7 +14196,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         return tokenInfo2.accessToken;
       }
       scmSpinner.spin();
-      await sleep(LOGIN_CHECK_DELAY);
+      await sleep(LOGIN_CHECK_DELAY2);
     }
     scmSpinner.error({
       text: `${scmName} login timeout error`