mobbdev 1.2.24 → 1.2.28

package/dist/args/commands/upload_ai_blame.mjs

@@ -237,6 +237,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["DuplicatedStrings"] = "DUPLICATED_STRINGS";
       IssueType_Enum2["ErroneousStringCompare"] = "ERRONEOUS_STRING_COMPARE";
       IssueType_Enum2["ErrorCondtionWithoutAction"] = "ERROR_CONDTION_WITHOUT_ACTION";
+      IssueType_Enum2["ExcessiveSecretsExposure"] = "EXCESSIVE_SECRETS_EXPOSURE";
       IssueType_Enum2["FrameableLoginPage"] = "FRAMEABLE_LOGIN_PAGE";
       IssueType_Enum2["FunctionCallWithoutParentheses"] = "FUNCTION_CALL_WITHOUT_PARENTHESES";
       IssueType_Enum2["GhActionsShellInjection"] = "GH_ACTIONS_SHELL_INJECTION";
@@ -1712,7 +1713,8 @@ var init_getIssueType = __esm({
       ["ACTION_NOT_PINNED_TO_COMMIT_SHA" /* ActionNotPinnedToCommitSha */]: "Action Not Pinned to Commit Sha",
       ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: "Django Blank Field Needs Null or Default",
       ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: "Redundant Nil Error Check",
-      ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions"
+      ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions",
+      ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: "Excessive Secrets Exposure"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -4556,7 +4558,8 @@ var fixDetailsData = {
   ["ACTION_NOT_PINNED_TO_COMMIT_SHA" /* ActionNotPinnedToCommitSha */]: void 0,
   ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: void 0,
   ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: void 0,
-  ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0
+  ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0,
+  ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -7344,8 +7347,8 @@ var openRedaction = new OpenRedaction({
     "MONERO_ADDRESS",
     "RIPPLE_ADDRESS",
     // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
+    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
     "NHS_NUMBER",
-    "MEDICAL_RECORD_NUMBER",
     "AUSTRALIAN_MEDICARE",
     "HEALTH_PLAN_NUMBER",
     "PATIENT_ID",
@@ -7389,10 +7392,10 @@ var openRedaction = new OpenRedaction({
     "DOCKER_AUTH",
     "KUBERNETES_SECRET",
     // Government & Legal
+    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
     "POLICE_REPORT_NUMBER",
     "IMMIGRATION_NUMBER",
-    "COURT_REPORTER_LICENSE",
-    "CLIENT_ID"
+    "COURT_REPORTER_LICENSE"
   ]
 });
 function maskString(str, showStart = 2, showEnd = 2) {
@@ -7415,6 +7418,15 @@ async function sanitizeDataWithCounts(obj) {
         ...piiDetections.low
       ];
       for (const detection of allDetections) {
+        if (detection.type === "CREDIT_CARD") {
+          const start = detection.position[0];
+          const end = detection.position[1];
+          const charBefore = (start > 0 ? str[start - 1] : "") ?? "";
+          const charAfter = str[end] ?? "";
+          if (charBefore === "." || charBefore >= "0" && charBefore <= "9" || charAfter >= "0" && charAfter <= "9") {
+            continue;
+          }
+        }
         counts.detections.total++;
         if (detection.severity === "high") counts.detections.high++;
         else if (detection.severity === "medium") counts.detections.medium++;

package/dist/index.mjs

@@ -237,6 +237,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["DuplicatedStrings"] = "DUPLICATED_STRINGS";
       IssueType_Enum2["ErroneousStringCompare"] = "ERRONEOUS_STRING_COMPARE";
       IssueType_Enum2["ErrorCondtionWithoutAction"] = "ERROR_CONDTION_WITHOUT_ACTION";
+      IssueType_Enum2["ExcessiveSecretsExposure"] = "EXCESSIVE_SECRETS_EXPOSURE";
       IssueType_Enum2["FrameableLoginPage"] = "FRAMEABLE_LOGIN_PAGE";
       IssueType_Enum2["FunctionCallWithoutParentheses"] = "FUNCTION_CALL_WITHOUT_PARENTHESES";
       IssueType_Enum2["GhActionsShellInjection"] = "GH_ACTIONS_SHELL_INJECTION";
@@ -1412,7 +1413,8 @@ var init_getIssueType = __esm({
       ["ACTION_NOT_PINNED_TO_COMMIT_SHA" /* ActionNotPinnedToCommitSha */]: "Action Not Pinned to Commit Sha",
       ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: "Django Blank Field Needs Null or Default",
       ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: "Redundant Nil Error Check",
-      ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions"
+      ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions",
+      ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: "Excessive Secrets Exposure"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -4284,7 +4286,8 @@ var fixDetailsData = {
   ["ACTION_NOT_PINNED_TO_COMMIT_SHA" /* ActionNotPinnedToCommitSha */]: void 0,
   ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: void 0,
   ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: void 0,
-  ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0
+  ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0,
+  ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -6241,6 +6244,23 @@ function parseLinearTicket(url, name) {
   const title = titleSlug.replace(/-/g, " ");
   return { name, title, url };
 }
+function isLinearBotComment(comment) {
+  if (!comment.author) return false;
+  const login = comment.author.login.toLowerCase();
+  if (login === "linear[bot]" || login === "linear") return true;
+  if (comment.author.type === "Bot" && login.includes("linear")) return true;
+  return false;
+}
+function extractLinearTicketsFromComments(comments) {
+  const tickets = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const comment of comments) {
+    if (isLinearBotComment(comment)) {
+      tickets.push(...extractLinearTicketsFromBody(comment.body || "", seen));
+    }
+  }
+  return tickets;
+}
 var userNamePattern = /^(https?:\/\/)([^@]+@)?([^/]+\/.+)$/;
 var sshPattern = /^git@([\w.-]+):([\w./-]+)$/;
 function normalizeUrl(repoUrl) {
@@ -7124,11 +7144,11 @@ var SCMLib = class {
   }
   /**
    * Extract Linear ticket links from PR/MR comments.
-   * Default implementation returns empty array - subclasses can override.
+   * Uses shared isLinearBotComment() for unified bot detection across all providers.
    * Public so it can be reused by backend services.
    */
-  extractLinearTicketsFromComments(_comments) {
-    return [];
+  extractLinearTicketsFromComments(comments) {
+    return extractLinearTicketsFromComments(comments);
   }
   _validateAccessTokenAndUrl() {
     this._validateAccessToken();
@@ -8829,7 +8849,7 @@ function determinePrStatus(state, isDraft) {
       return isDraft ? "DRAFT" /* Draft */ : "ACTIVE" /* Active */;
   }
 }
-var GithubSCMLib = class _GithubSCMLib extends SCMLib {
+var GithubSCMLib = class extends SCMLib {
   // we don't always need a url, what's important is that we have an access token
   constructor(url, accessToken, scmOrg) {
     super(url, accessToken, scmOrg);
@@ -9301,27 +9321,6 @@ var GithubSCMLib = class _GithubSCMLib extends SCMLib {
       commentIds
     };
   }
-  /**
-   * Extract Linear ticket links from pre-fetched comments (pure function, no API calls)
-   * Instance method that overrides base class - can also be called statically for backwards compatibility.
-   */
-  extractLinearTicketsFromComments(comments) {
-    return _GithubSCMLib._extractLinearTicketsFromCommentsImpl(comments);
-  }
-  /**
-   * Static implementation for backwards compatibility and reuse.
-   * Called by both the instance method and direct static calls.
-   */
-  static _extractLinearTicketsFromCommentsImpl(comments) {
-    const tickets = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const comment of comments) {
-      if (comment.author?.login === "linear[bot]" || comment.author?.type === "Bot") {
-        tickets.push(...extractLinearTicketsFromBody(comment.body || "", seen));
-      }
-    }
-    return tickets;
-  }
 };
 
 // src/features/analysis/scm/gitlab/gitlab.ts
@@ -9565,34 +9564,74 @@ async function getGitlabIsRemoteBranch({
     return false;
   }
 }
-async function getGitlabRepoList(url, accessToken) {
+async function searchGitlabProjects({
+  url,
+  accessToken,
+  perPage = 20,
+  page = 1
+}) {
+  if (perPage > GITLAB_MAX_PER_PAGE) {
+    throw new Error(
+      `perPage ${perPage} exceeds GitLab maximum of ${GITLAB_MAX_PER_PAGE}`
+    );
+  }
   const api2 = getGitBeaker({ url, gitlabAuthToken: accessToken });
-  const res = await api2.Projects.all({
-    membership: true,
-    //TODO: a bug in the sorting mechanism of this api call
-    //disallows us to sort by updated_at in descending order
-    //so we have to sort by updated_at in ascending order.
-    //We can wait for the bug to be fixed or call the api
-    //directly with fetch()
-    sort: "asc",
-    orderBy: "updated_at",
-    perPage: 100
-  });
-  return Promise.all(
-    res.map(async (project) => {
-      const proj = await api2.Projects.show(project.id);
-      const owner = proj.namespace.name;
-      const repoLanguages = await api2.Projects.showLanguages(project.id);
-      return {
-        repoName: project.path,
-        repoUrl: project.web_url,
-        repoOwner: owner,
-        repoLanguages: Object.keys(repoLanguages),
-        repoIsPublic: project.visibility === "public",
-        repoUpdatedAt: project.last_activity_at
-      };
-    })
-  );
+  let response;
+  try {
+    response = await api2.Projects.all({
+      membership: true,
+      orderBy: "last_activity_at",
+      sort: "desc",
+      pagination: "offset",
+      perPage,
+      page,
+      showExpanded: true
+    });
+  } catch (e) {
+    debug4(
+      "[searchGitlabProjects] order_by=last_activity_at failed, falling back to created_at: %s",
+      e instanceof Error ? e.message : String(e)
+    );
+    response = await api2.Projects.all({
+      membership: true,
+      orderBy: "created_at",
+      sort: "desc",
+      pagination: "offset",
+      perPage,
+      page,
+      showExpanded: true
+    });
+  }
+  const projects = response.data.map((p) => ({
+    id: p.id,
+    path: p.path,
+    web_url: p.web_url,
+    namespace_name: p.namespace?.name ?? "",
+    visibility: p.visibility,
+    last_activity_at: p.last_activity_at
+  }));
+  return {
+    projects,
+    hasMore: response.paginationInfo.next !== null
+  };
+}
+async function getGitlabProjectLanguages({
+  url,
+  accessToken,
+  projectId
+}) {
+  try {
+    const api2 = getGitBeaker({ url, gitlabAuthToken: accessToken });
+    const languages3 = await api2.Projects.showLanguages(projectId);
+    return Object.keys(languages3);
+  } catch (e) {
+    debug4(
+      "[getGitlabProjectLanguages] Failed for project %d: %s",
+      projectId,
+      e instanceof Error ? e.message : String(e)
+    );
+    return [];
+  }
 }
 async function getGitlabBranchList({
   accessToken,
@@ -9662,6 +9701,11 @@ async function searchGitlabMergeRequests({
   perPage = GITLAB_PER_PAGE,
   page = 1
 }) {
+  if (perPage > GITLAB_MAX_PER_PAGE) {
+    throw new Error(
+      `perPage ${perPage} exceeds GitLab maximum of ${GITLAB_MAX_PER_PAGE}`
+    );
+  }
   const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
   debug4(
     "[searchGitlabMergeRequests] Fetching MRs for %s (page=%d, perPage=%d)",
@@ -9673,16 +9717,17 @@ async function searchGitlabMergeRequests({
     url: repoUrl,
     gitlabAuthToken: accessToken
   });
-  const mergeRequests = await api2.MergeRequests.all({
+  const response = await api2.MergeRequests.all({
     projectId: projectPath,
     state: state === "all" ? void 0 : state,
     updatedAfter: updatedAfter?.toISOString(),
     orderBy,
     sort,
     perPage,
-    page
+    page,
+    showExpanded: true
   });
-  const items = mergeRequests.map((mr) => ({
+  const items = response.data.map((mr) => ({
     iid: mr.iid,
     title: mr.title,
     state: mr.state,
@@ -9700,7 +9745,7 @@ async function searchGitlabMergeRequests({
   );
   return {
     items,
-    hasMore: mergeRequests.length === perPage
+    hasMore: response.paginationInfo.next !== null
   };
 }
 var GITLAB_API_CONCURRENCY = 5;
@@ -9765,7 +9810,7 @@ async function getGitlabMrDataBatch({
           const comments = notes.map((note) => ({
             author: note.author ? {
               login: note.author.username,
-              type: note.author.username.endsWith("[bot]") || note.author.username.toLowerCase() === "linear" ? "Bot" : "User"
+              type: note.author.username.endsWith("[bot]") ? "Bot" : "User"
             } : null,
             body: note.body
           }));
@@ -9897,7 +9942,8 @@ function parseGitlabOwnerAndRepo(gitlabUrl) {
   return { owner: organization, repo: repoName, projectPath };
 }
 var GITLAB_MAX_RESULTS_LIMIT = 1024;
-var GITLAB_PER_PAGE = 128;
+var GITLAB_MAX_PER_PAGE = 100;
+var GITLAB_PER_PAGE = GITLAB_MAX_PER_PAGE;
 async function getGitlabRecentCommits({
   repoUrl,
   accessToken,
@@ -9906,14 +9952,17 @@ async function getGitlabRecentCommits({
   const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
   const api2 = getGitBeaker({ url: repoUrl, gitlabAuthToken: accessToken });
   const allCommits = [];
+  const perPage = GITLAB_PER_PAGE;
   let page = 1;
   let hasMore = true;
   while (hasMore && allCommits.length < GITLAB_MAX_RESULTS_LIMIT) {
-    const commits = await api2.Commits.all(projectPath, {
+    const response = await api2.Commits.all(projectPath, {
       since,
-      perPage: GITLAB_PER_PAGE,
-      page
+      perPage,
+      page,
+      showExpanded: true
     });
+    const commits = response.data;
     if (commits.length === 0) {
       hasMore = false;
       break;
@@ -9935,11 +9984,8 @@ async function getGitlabRecentCommits({
         parents: commit.parent_ids?.map((sha) => ({ sha })) || []
       });
     }
-    if (commits.length < GITLAB_PER_PAGE) {
-      hasMore = false;
-    } else {
-      page++;
-    }
+    hasMore = response.paginationInfo.next !== null;
+    page++;
   }
   if (allCommits.length >= GITLAB_MAX_RESULTS_LIMIT) {
     contextLogger.warn("[getGitlabRecentCommits] Hit commit pagination limit", {
@@ -10064,7 +10110,20 @@ var GitlabSCMLib = class extends SCMLib {
       contextLogger.warn("[GitlabSCMLib.getRepoList] No access token provided");
       throw new Error("no access token");
     }
-    return getGitlabRepoList(this.url, this.accessToken);
+    const allRepos = [];
+    let cursor;
+    let hasMore = true;
+    while (hasMore) {
+      const page = await this.searchRepos({
+        scmOrg: _scmOrg,
+        limit: 100,
+        cursor
+      });
+      allRepos.push(...page.results);
+      hasMore = page.hasMore;
+      cursor = page.nextCursor;
+    }
+    return allRepos;
   }
   async getBranchList() {
     this._validateAccessTokenAndUrl();
@@ -10294,8 +10353,47 @@ var GitlabSCMLib = class extends SCMLib {
       mrNumbers: prNumbers
     });
   }
-  async searchRepos(_params) {
-    throw new Error("searchRepos not implemented for GitLab");
+  async searchRepos(params) {
+    if (!this.accessToken) {
+      throw new Error("no access token");
+    }
+    const page = parseCursorSafe(params.cursor, 1);
+    const perPage = params.limit || 10;
+    const { projects, hasMore } = await searchGitlabProjects({
+      url: this.url,
+      accessToken: this.accessToken,
+      perPage,
+      page
+    });
+    const includeLanguages = params.includeLanguages !== false;
+    const languageMap = /* @__PURE__ */ new Map();
+    if (includeLanguages && projects.length > 0) {
+      const languageResults = await Promise.all(
+        projects.map(
+          (p) => getGitlabProjectLanguages({
+            url: this.url,
+            accessToken: this.accessToken,
+            projectId: p.id
+          }).then((langs) => [p.id, langs])
+        )
+      );
+      for (const [id, langs] of languageResults) {
+        languageMap.set(id, langs);
+      }
+    }
+    const results = projects.map((p) => ({
+      repoName: p.path,
+      repoUrl: p.web_url,
+      repoOwner: p.namespace_name,
+      repoLanguages: languageMap.get(p.id) || [],
+      repoIsPublic: p.visibility === "public",
+      repoUpdatedAt: p.last_activity_at
+    }));
+    return {
+      results,
+      nextCursor: hasMore ? String(page + 1) : void 0,
+      hasMore
+    };
   }
   async getPullRequestMetrics(prNumber) {
     this._validateAccessTokenAndUrl();
@@ -10341,23 +10439,6 @@ var GitlabSCMLib = class extends SCMLib {
       accessToken: this.accessToken
     });
   }
-  /**
-   * Extract Linear ticket links from pre-fetched comments (pure function, no API calls).
-   * Linear bot uses the same comment format on GitLab as on GitHub.
-   * Bot username may be 'linear' or 'linear[bot]' on GitLab.
-   */
-  extractLinearTicketsFromComments(comments) {
-    const tickets = [];
-    const seen = /* @__PURE__ */ new Set();
-    for (const comment of comments) {
-      const authorLogin = comment.author?.login?.toLowerCase() || "";
-      const isLinearBot = authorLogin === "linear" || authorLogin === "linear[bot]" || comment.author?.type === "Bot" && authorLogin.includes("linear");
-      if (isLinearBot) {
-        tickets.push(...extractLinearTicketsFromBody(comment.body || "", seen));
-      }
-    }
-    return tickets;
-  }
 };
 
 // src/features/analysis/scm/scmFactory.ts
@@ -14948,8 +15029,8 @@ var openRedaction = new OpenRedaction({
     "MONERO_ADDRESS",
     "RIPPLE_ADDRESS",
     // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
+    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
     "NHS_NUMBER",
-    "MEDICAL_RECORD_NUMBER",
     "AUSTRALIAN_MEDICARE",
     "HEALTH_PLAN_NUMBER",
     "PATIENT_ID",
@@ -14993,10 +15074,10 @@ var openRedaction = new OpenRedaction({
     "DOCKER_AUTH",
     "KUBERNETES_SECRET",
     // Government & Legal
+    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
     "POLICE_REPORT_NUMBER",
     "IMMIGRATION_NUMBER",
-    "COURT_REPORTER_LICENSE",
-    "CLIENT_ID"
+    "COURT_REPORTER_LICENSE"
   ]
 });
 function maskString(str, showStart = 2, showEnd = 2) {
@@ -15019,6 +15100,15 @@ async function sanitizeDataWithCounts(obj) {
         ...piiDetections.low
       ];
       for (const detection of allDetections) {
+        if (detection.type === "CREDIT_CARD") {
+          const start = detection.position[0];
+          const end = detection.position[1];
+          const charBefore = (start > 0 ? str[start - 1] : "") ?? "";
+          const charAfter = str[end] ?? "";
+          if (charBefore === "." || charBefore >= "0" && charBefore <= "9" || charAfter >= "0" && charAfter <= "9") {
+            continue;
+          }
+        }
         counts.detections.total++;
         if (detection.severity === "high") counts.detections.high++;
         else if (detection.severity === "medium") counts.detections.medium++;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.2.24",
+  "version": "1.2.28",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",