mobbdev 1.2.32 → 1.2.34

package/dist/index.mjs

@@ -73,6 +73,12 @@ function getSdk(client, withWrapper = defaultWrapper) {
     FinalizeAIBlameInferencesUpload(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: FinalizeAiBlameInferencesUploadDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "FinalizeAIBlameInferencesUpload", "mutation", variables);
     },
+    UploadTracyRecords(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: UploadTracyRecordsDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "UploadTracyRecords", "mutation", variables);
+    },
+    GetTracyRawDataUploadUrls(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetTracyRawDataUploadUrlsDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetTracyRawDataUploadUrls", "mutation", variables);
+    },
     DigestVulnerabilityReport(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: DigestVulnerabilityReportDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "DigestVulnerabilityReport", "mutation", variables);
     },
@@ -126,7 +132,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlsDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -962,6 +968,28 @@ var init_client_generates = __esm({
     status
     error
   }
+}
+    `;
+    UploadTracyRecordsDocument = `
+    mutation UploadTracyRecords($records: [TracyRecordInput!]!) {
+  uploadTracyRecords(records: $records) {
+    status
+    error
+  }
+}
+    `;
+    GetTracyRawDataUploadUrlsDocument = `
+    mutation GetTracyRawDataUploadUrls($recordIds: [String!]!) {
+  getTracyRawDataUploadUrls(recordIds: $recordIds) {
+    status
+    error
+    uploads {
+      recordId
+      url
+      uploadFieldsJSON
+      uploadKey
+    }
+  }
 }
     `;
     DigestVulnerabilityReportDocument = `
@@ -4126,7 +4154,7 @@ ${rootContent}`;
 });
 
 // src/index.ts
-import Debug20 from "debug";
+import Debug22 from "debug";
 import { hideBin } from "yargs/helpers";
 
 // src/args/yargs.ts
@@ -7575,6 +7603,9 @@ var AdoSCMLib = class extends SCMLib {
   async getSubmitRequestMetadata(_submitRequestId) {
     throw new Error("getSubmitRequestMetadata not implemented for ADO");
   }
+  async getPrFiles(_prNumber) {
+    throw new Error("getPrFiles not implemented for ADO");
+  }
   async searchSubmitRequests(_params) {
     throw new Error("searchSubmitRequests not implemented for ADO");
   }
@@ -8154,6 +8185,9 @@ var BitbucketSCMLib = class extends SCMLib {
   async getSubmitRequestMetadata(_submitRequestId) {
     throw new Error("getSubmitRequestMetadata not implemented for Bitbucket");
   }
+  async getPrFiles(_prNumber) {
+    throw new Error("getPrFiles not implemented for Bitbucket");
+  }
   async searchSubmitRequests(_params) {
     throw new Error("searchSubmitRequests not implemented for Bitbucket");
   }
@@ -9355,6 +9389,19 @@ var GithubSCMLib = class extends SCMLib {
       headCommitSha: pr.head.sha
     };
   }
+  async getPrFiles(prNumber) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const filesRes = await this.githubSdk.listPRFiles({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    return filesRes.data.filter((file) => {
+      const status = file.status;
+      return status === "added" || status === "modified" || status === "renamed" && file.changes > 0 || status === "copied" && file.changes > 0;
+    }).map((file) => file.filename);
+  }
   /**
    * Override searchSubmitRequests to use GitHub's Search API for efficient pagination.
    * This is much faster than fetching all PRs and filtering in-memory.
@@ -10491,6 +10538,9 @@ var GitlabSCMLib = class extends SCMLib {
       headCommitSha: mr.sha
     };
   }
+  async getPrFiles(_prNumber) {
+    throw new Error("getPrFiles not implemented for GitLab");
+  }
   async searchSubmitRequests(params) {
     this._validateAccessTokenAndUrl();
     const page = parseCursorSafe(params.cursor, 1);
@@ -10752,6 +10802,10 @@ var StubSCMLib = class extends SCMLib {
   async getSubmitRequestMetadata(_submitRequestId) {
     throw new Error("getSubmitRequestMetadata() not implemented");
   }
+  async getPrFiles(_prNumber) {
+    console.warn("getPrFiles() returning empty array");
+    return [];
+  }
   async getPullRequestMetrics(_prNumber) {
     console.warn("getPullRequestMetrics() returning empty object");
     throw new Error("getPullRequestMetrics() not implemented");
@@ -11674,34 +11728,35 @@ var ScanContext = {
 
 // src/args/commands/analyze.ts
 import fs12 from "fs";
-import chalk9 from "chalk";
+import chalk10 from "chalk";
 
 // src/commands/index.ts
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 import chalkAnimation from "chalk-animation";
 
 // src/features/analysis/index.ts
 import fs10 from "fs";
-import fsPromises2 from "fs/promises";
-import path9 from "path";
+import fsPromises3 from "fs/promises";
+import path10 from "path";
 import { env as env2 } from "process";
 import { pipeline } from "stream/promises";
-import chalk6 from "chalk";
-import Debug19 from "debug";
+import chalk7 from "chalk";
+import Debug21 from "debug";
 import extract from "extract-zip";
 import { createSpinner as createSpinner4 } from "nanospinner";
 import fetch4 from "node-fetch";
 import open3 from "open";
 import tmp2 from "tmp";
-import { z as z30 } from "zod";
+import { z as z31 } from "zod";
 
 // src/commands/handleMobbLogin.ts
-import chalk3 from "chalk";
-import Debug7 from "debug";
+import chalk4 from "chalk";
+import Debug10 from "debug";
 
 // src/commands/AuthManager.ts
 import crypto from "crypto";
-import os from "os";
+import os3 from "os";
+import Debug9 from "debug";
 import open from "open";
 
 // src/features/analysis/graphql/gql.ts
@@ -11821,8 +11876,7 @@ function getProxyAgent(url) {
     const isHttps = parsedUrl.protocol === "https:";
     const proxy = isHttps ? getHttpProxy() : isHttp ? getHttpProxyOnly() : null;
     if (proxy) {
-      debug6("Using proxy %s", proxy);
-      debug6("Proxy agent %o", proxy);
+      debug6("Using proxy %s for %s", proxy, url);
       return new HttpsProxyAgent(proxy);
     }
   } catch (err) {
@@ -12474,6 +12528,12 @@ var GQLClient = class {
   async finalizeAIBlameInferencesUploadRaw(variables) {
     return await this._clientSdk.FinalizeAIBlameInferencesUpload(variables);
   }
+  async uploadTracyRecords(variables) {
+    return await this._clientSdk.UploadTracyRecords(variables);
+  }
+  async getTracyRawDataUploadUrls(variables) {
+    return await this._clientSdk.GetTracyRawDataUploadUrls(variables);
+  }
   async analyzeCommitForExtensionAIBlame(variables) {
     return await this._clientSdk.AnalyzeCommitForExtensionAIBlame(variables);
   }
@@ -12491,38 +12551,76 @@ var GQLClient = class {
   }
 };
 
-// src/mcp/services/types.ts
-function detectIDE() {
-  const env3 = process.env;
-  if (env3["CURSOR_TRACE_ID"] || env3["CURSOR_SESSION_ID"]) return "cursor";
-  if (env3["WINDSURF_IPC_HOOK"] || env3["WINDSURF_PID"]) return "windsurf";
-  if (env3["CLAUDE_DESKTOP"] || env3["ANTHROPIC_CLAUDE"]) return "claude";
-  if (env3["WEBSTORM_VM_OPTIONS"] || env3["IDEA_VM_OPTIONS"] || env3["JETBRAINS_IDE"])
-    return "webstorm";
-  if (env3["VSCODE_IPC_HOOK"] || env3["VSCODE_PID"]) return "vscode";
-  const termProgram = env3["TERM_PROGRAM"]?.toLowerCase();
-  if (termProgram === "windsurf") return "windsurf";
-  if (termProgram === "vscode") return "vscode";
-  return void 0;
-}
-function createMcpLoginContext(trigger) {
-  return {
-    trigger,
-    source: "mcp",
-    ide: detectIDE()
-  };
-}
-function buildLoginUrl(baseUrl, loginId, hostname, context) {
-  const url = new URL(`${baseUrl}/${loginId}`);
-  url.searchParams.set("hostname", hostname);
-  url.searchParams.set("trigger", context.trigger);
-  url.searchParams.set("source", context.source);
-  if (context.ide) {
-    url.searchParams.set("ide", context.ide);
+// src/features/analysis/graphql/tracy-batch-upload.ts
+import { promisify } from "util";
+import { gzip } from "zlib";
+import Debug8 from "debug";
+
+// src/args/commands/upload_ai_blame.ts
+import fsPromises2 from "fs/promises";
+import * as os2 from "os";
+import path7 from "path";
+import chalk3 from "chalk";
+import { withFile } from "tmp-promise";
+import z27 from "zod";
+init_client_generates();
+init_GitService();
+init_urlParser2();
+
+// src/features/analysis/upload-file.ts
+import Debug7 from "debug";
+import fetch3, { File, fileFrom, FormData } from "node-fetch";
+var debug8 = Debug7("mobbdev:upload-file");
+async function uploadFile({
+  file,
+  url,
+  uploadKey,
+  uploadFields,
+  logger: logger2
+}) {
+  const logInfo2 = logger2 || ((_message, _data) => {
+  });
+  logInfo2(`FileUpload: upload file start ${url}`);
+  logInfo2(`FileUpload: upload fields`, uploadFields);
+  logInfo2(`FileUpload: upload key ${uploadKey}`);
+  debug8("upload file start %s", url);
+  debug8("upload fields %o", uploadFields);
+  debug8("upload key %s", uploadKey);
+  const form = new FormData();
+  Object.entries(uploadFields).forEach(([key, value]) => {
+    form.append(key, value);
+  });
+  if (!form.has("key")) {
+    form.append("key", uploadKey);
   }
-  return url.toString();
+  if (typeof file === "string") {
+    debug8("upload file from path %s", file);
+    logInfo2(`FileUpload: upload file from path ${file}`);
+    form.append("file", await fileFrom(file));
+  } else {
+    debug8("upload file from buffer");
+    logInfo2(`FileUpload: upload file from buffer`);
+    form.append("file", new File([new Uint8Array(file)], "file"));
+  }
+  const agent = getProxyAgent(url);
+  const response = await fetch3(url, {
+    method: "POST",
+    body: form,
+    agent
+  });
+  if (!response.ok) {
+    debug8("error from S3 %s %s", response.body, response.status);
+    logInfo2(`FileUpload: error from S3 ${response.body} ${response.status}`);
+    throw new Error(`Failed to upload the file: ${response.status}`);
+  }
+  debug8("upload file done");
+  logInfo2(`FileUpload: upload file done`);
 }
 
+// src/utils/computerName.ts
+import { execSync } from "child_process";
+import os from "os";
+
 // src/utils/ConfigStoreService.ts
 import Configstore from "configstore";
 function createConfigStore(defaultValues = { apiToken: "" }) {
@@ -12542,340 +12640,942 @@ function getConfigStore() {
 }
 var configStore = getConfigStore();
 
-// src/commands/AuthManager.ts
-var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY = 5 * 1e3;
-var AuthManager = class {
-  constructor(webAppUrl, apiUrl) {
-    __publicField(this, "publicKey");
-    __publicField(this, "privateKey");
-    __publicField(this, "loginId");
-    __publicField(this, "gqlClient");
-    __publicField(this, "currentBrowserUrl");
-    __publicField(this, "authenticated", null);
-    __publicField(this, "resolvedWebAppUrl");
-    __publicField(this, "resolvedApiUrl");
-    this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
-    this.resolvedApiUrl = apiUrl || API_URL;
-  }
-  openUrlInBrowser() {
-    if (this.currentBrowserUrl) {
-      open(this.currentBrowserUrl);
-      return true;
-    }
-    return false;
-  }
-  async waitForAuthentication() {
-    let newApiToken = null;
-    for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
-      newApiToken = await this.getApiToken();
-      if (newApiToken) {
-        break;
+// src/utils/computerName.ts
+var STABLE_COMPUTER_NAME_CONFIG_KEY = "stableComputerName";
+var HOSTNAME_SUFFIXES = [
+  // Cloud providers (must be first - most specific)
+  ".ec2.internal",
+  ".compute.internal",
+  ".cloudapp.net",
+  // mDNS/Bonjour
+  ".local",
+  ".localhost",
+  ".localdomain",
+  // Home networks
+  ".lan",
+  ".home",
+  ".homelan",
+  // Corporate networks
+  ".corp",
+  ".internal",
+  ".intranet",
+  ".domain",
+  ".work",
+  ".office",
+  // Container environments
+  ".docker",
+  ".kubernetes",
+  ".k8s"
+];
+function getOsSpecificComputerName() {
+  const platform2 = os.platform();
+  try {
+    if (platform2 === "darwin") {
+      const result = execSync("scutil --get LocalHostName", {
+        encoding: "utf-8",
+        timeout: 1e3
+      });
+      return result.trim();
+    } else if (platform2 === "win32") {
+      return process.env["COMPUTERNAME"] || null;
+    } else {
+      try {
+        const result2 = execSync("hostnamectl --static", {
+          encoding: "utf-8",
+          timeout: 1e3
+        });
+        const hostname = result2.trim();
+        if (hostname) return hostname;
+      } catch {
       }
-      await sleep(LOGIN_CHECK_DELAY);
-    }
-    if (!newApiToken) {
-      return false;
-    }
-    this.gqlClient = new GQLClient({
-      apiKey: newApiToken,
-      type: "apiKey",
-      apiUrl: this.resolvedApiUrl
-    });
-    const loginSuccess = await this.gqlClient.validateUserToken();
-    if (loginSuccess) {
-      configStore.set("apiToken", newApiToken);
-      this.authenticated = true;
-      return true;
+      const result = execSync("cat /etc/hostname", {
+        encoding: "utf-8",
+        timeout: 1e3
+      });
+      return result.trim();
     }
-    return false;
+  } catch (error) {
+    return null;
   }
-  /**
-   * Checks if the user is already authenticated
-   */
-  async isAuthenticated() {
-    if (this.authenticated === null) {
-      const result = await this.checkAuthentication();
-      this.authenticated = result.isAuthenticated;
+}
+function stripHostnameSuffixes(hostname) {
+  if (!hostname) return hostname;
+  let normalized = hostname;
+  for (const suffix of HOSTNAME_SUFFIXES) {
+    if (normalized.endsWith(suffix)) {
+      normalized = normalized.slice(0, -suffix.length);
+      break;
     }
-    return this.authenticated;
   }
-  /**
-   * Private function to check if the user is authenticated with the server
-   */
-  async checkAuthentication(apiKey) {
-    try {
-      if (!this.gqlClient) {
-        this.gqlClient = this.getGQLClient(apiKey);
-      }
-      const isConnected = await this.gqlClient.verifyApiConnection();
-      if (!isConnected) {
-        return {
-          isAuthenticated: false,
-          message: "Failed to connect to Mobb server"
-        };
-      }
-      const userVerify = await this.gqlClient.validateUserToken();
-      if (!userVerify) {
-        return {
-          isAuthenticated: false,
-          message: "User token validation failed"
-        };
+  return normalized;
+}
+function generateStableComputerName() {
+  const osSpecificName = getOsSpecificComputerName();
+  if (osSpecificName) {
+    return osSpecificName;
+  }
+  const currentHostname = os.hostname();
+  return stripHostnameSuffixes(currentHostname);
+}
+function getStableComputerName() {
+  const cached = configStore.get(STABLE_COMPUTER_NAME_CONFIG_KEY);
+  if (cached) {
+    return cached;
+  }
+  const currentName = generateStableComputerName();
+  configStore.set(STABLE_COMPUTER_NAME_CONFIG_KEY, currentName);
+  return currentName;
+}
+
+// src/utils/sanitize-sensitive-data.ts
+import { OpenRedaction } from "@openredaction/openredaction";
+var openRedaction = new OpenRedaction({
+  patterns: [
+    // Core Personal Data
+    // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
+    // Prefer false negatives over false positives for this use case.
+    "SSN",
+    "NATIONAL_INSURANCE_UK",
+    "DATE_OF_BIRTH",
+    // Identity Documents
+    "PASSPORT_UK",
+    "PASSPORT_US",
+    "PASSPORT_MRZ_TD1",
+    "PASSPORT_MRZ_TD3",
+    "DRIVING_LICENSE_UK",
+    "DRIVING_LICENSE_US",
+    "VISA_NUMBER",
+    "VISA_MRZ",
+    "TAX_ID",
+    // Financial Data (removed SWIFT_BIC, CARD_AUTH_CODE - too broad, causing false positives with authentication words)
+    // Removed CREDIT_CARD - causes false positives on zero-filled UUIDs (e.g. '00000000-0000-0000-0000-000000000000')
+    // Prefer false negatives over false positives for this use case.
+    "IBAN",
+    "BANK_ACCOUNT_UK",
+    "ROUTING_NUMBER_US",
+    "CARD_TRACK1_DATA",
+    "CARD_TRACK2_DATA",
+    "CARD_EXPIRY",
+    // Cryptocurrency (removed BITCOIN_ADDRESS - too broad, matches hash-like strings)
+    "ETHEREUM_ADDRESS",
+    "LITECOIN_ADDRESS",
+    "CARDANO_ADDRESS",
+    "SOLANA_ADDRESS",
+    "MONERO_ADDRESS",
+    "RIPPLE_ADDRESS",
+    // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
+    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
+    "NHS_NUMBER",
+    "AUSTRALIAN_MEDICARE",
+    "HEALTH_PLAN_NUMBER",
+    "PATIENT_ID",
+    // Communications (removed EMERGENCY_CONTACT, ADDRESS_PO_BOX, ZIP_CODE_US, PHONE_US, PHONE_INTERNATIONAL - too broad, causing false positives)
+    "PHONE_UK",
+    "PHONE_UK_MOBILE",
+    "PHONE_LINE_NUMBER",
+    "ADDRESS_STREET",
+    "POSTCODE_UK",
+    // Network & Technical
+    "IPV4",
+    "IPV6",
+    "MAC_ADDRESS",
+    "URL_WITH_AUTH",
+    // Security Keys & Tokens
+    "PRIVATE_KEY",
+    "SSH_PRIVATE_KEY",
+    "AWS_SECRET_KEY",
+    "AWS_ACCESS_KEY",
+    "AZURE_STORAGE_KEY",
+    "GCP_SERVICE_ACCOUNT",
+    "JWT_TOKEN",
+    "OAUTH_TOKEN",
+    "OAUTH_CLIENT_SECRET",
+    "BEARER_TOKEN",
+    "PAYMENT_TOKEN",
+    "GENERIC_SECRET",
+    "GENERIC_API_KEY",
+    // Platform-Specific API Keys
+    "GITHUB_TOKEN",
+    "SLACK_TOKEN",
+    "STRIPE_API_KEY",
+    "GOOGLE_API_KEY",
+    "FIREBASE_API_KEY",
+    "HEROKU_API_KEY",
+    "MAILGUN_API_KEY",
+    "SENDGRID_API_KEY",
+    "TWILIO_API_KEY",
+    "NPM_TOKEN",
+    "PYPI_TOKEN",
+    "DOCKER_AUTH",
+    "KUBERNETES_SECRET",
+    // Government & Legal
+    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
+    "POLICE_REPORT_NUMBER",
+    "IMMIGRATION_NUMBER",
+    "COURT_REPORTER_LICENSE"
+  ]
+});
+function maskString(str, showStart = 2, showEnd = 2) {
+  if (str.length <= showStart + showEnd) {
+    return "*".repeat(str.length);
+  }
+  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
+}
+async function sanitizeDataWithCounts(obj) {
+  const counts = {
+    detections: { total: 0, high: 0, medium: 0, low: 0 }
+  };
+  const sanitizeString = async (str) => {
+    let result = str;
+    const piiDetections = openRedaction.scan(str);
+    if (piiDetections && piiDetections.total > 0) {
+      const allDetections = [
+        ...piiDetections.high,
+        ...piiDetections.medium,
+        ...piiDetections.low
+      ];
+      for (const detection of allDetections) {
+        counts.detections.total++;
+        if (detection.severity === "high") counts.detections.high++;
+        else if (detection.severity === "medium") counts.detections.medium++;
+        else if (detection.severity === "low") counts.detections.low++;
+        const masked = maskString(detection.value);
+        result = result.replaceAll(detection.value, masked);
       }
-    } catch (error) {
-      return {
-        isAuthenticated: false,
-        message: error instanceof Error ? error.message : "Unknown authentication error"
-      };
     }
-    return { isAuthenticated: true, message: "Successfully authenticated" };
-  }
-  /**
-   * Generates a login URL for manual authentication
-   */
-  async generateLoginUrl(loginContext) {
-    try {
-      if (!this.gqlClient) {
-        this.gqlClient = this.getGQLClient();
+    return result;
+  };
+  const sanitizeRecursive = async (data) => {
+    if (typeof data === "string") {
+      return sanitizeString(data);
+    } else if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+    } else if (data instanceof Error) {
+      return data;
+    } else if (data instanceof Date) {
+      return data;
+    } else if (typeof data === "object" && data !== null) {
+      const sanitized = {};
+      const record = data;
+      for (const key in record) {
+        if (Object.prototype.hasOwnProperty.call(record, key)) {
+          sanitized[key] = await sanitizeRecursive(record[key]);
+        }
       }
-      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
-        modulusLength: 2048
-      });
-      this.publicKey = publicKey;
-      this.privateKey = privateKey;
-      this.loginId = await this.gqlClient.createCliLogin({
-        publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
-      });
-      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
-      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os.hostname()}`;
-      this.currentBrowserUrl = browserUrl;
-      return browserUrl;
-    } catch (error) {
-      console.error("Failed to generate login URL:", error);
-      return null;
+      return sanitized;
+    }
+    return data;
+  };
+  const sanitizedData = await sanitizeRecursive(obj);
+  return { sanitizedData, counts };
+}
+
+// src/args/commands/upload_ai_blame.ts
+var defaultLogger2 = {
+  info: (msg, data) => {
+    if (data !== void 0) {
+      console.log(msg, data);
+    } else {
+      console.log(msg);
+    }
+  },
+  error: (msg, data) => {
+    if (data !== void 0) {
+      console.error(msg, data);
+    } else {
+      console.error(msg);
     }
   }
-  /**
-   * Retrieves and decrypts the API token after authentication
-   */
-  async getApiToken() {
-    if (!this.gqlClient || !this.loginId || !this.privateKey) {
+};
+var PromptItemZ = z27.object({
+  type: z27.enum([
+    "USER_PROMPT",
+    "AI_RESPONSE",
+    "TOOL_EXECUTION",
+    "AI_THINKING",
+    "MCP_TOOL_CALL"
+    // MCP (Model Context Protocol) tool invocation
+  ]),
+  attachedFiles: z27.array(
+    z27.object({
+      relativePath: z27.string(),
+      startLine: z27.number().optional()
+    })
+  ).optional(),
+  tokens: z27.object({
+    inputCount: z27.number(),
+    outputCount: z27.number()
+  }).optional(),
+  text: z27.string().optional(),
+  date: z27.date().optional(),
+  tool: z27.object({
+    name: z27.string(),
+    parameters: z27.string(),
+    result: z27.string(),
+    rawArguments: z27.string().optional(),
+    accepted: z27.boolean().optional(),
+    // MCP-specific fields (only populated for MCP_TOOL_CALL type)
+    mcpServer: z27.string().optional(),
+    // MCP server name (e.g., "datadog", "mobb-mcp")
+    mcpToolName: z27.string().optional()
+    // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
+  }).optional()
+});
+var PromptItemArrayZ = z27.array(PromptItemZ);
+async function getRepositoryUrl() {
+  try {
+    const gitService = new GitService(process.cwd());
+    const isRepo = await gitService.isGitRepository();
+    if (!isRepo) {
       return null;
     }
-    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
-      loginId: this.loginId
-    });
-    if (encryptedApiToken) {
-      return crypto.privateDecrypt(
-        this.privateKey,
-        Buffer.from(encryptedApiToken, "base64")
-      ).toString("utf-8");
-    }
+    const remoteUrl = await gitService.getRemoteUrl();
+    const parsed = parseScmURL(remoteUrl);
+    return parsed?.scmType === "GitHub" /* GitHub */ || parsed?.scmType === "GitLab" /* GitLab */ ? remoteUrl : null;
+  } catch {
     return null;
   }
-  /**
-   * Gets the current GQL client (if authenticated)
-   */
-  getGQLClient(inputApiKey) {
-    if (this.gqlClient === void 0) {
-      this.gqlClient = new GQLClient({
-        apiKey: inputApiKey || configStore.get("apiToken") || "",
-        type: "apiKey",
-        apiUrl: this.resolvedApiUrl
+}
+function getSystemInfo() {
+  let userName;
+  try {
+    userName = os2.userInfo().username;
+  } catch {
+    userName = void 0;
+  }
+  return {
+    computerName: getStableComputerName(),
+    userName
+  };
+}
+function uploadAiBlameBuilder(args) {
+  return args.option("prompt", {
+    type: "string",
+    array: true,
+    demandOption: true,
+    describe: chalk3.bold("Path(s) to prompt artifact(s) (one per session)")
+  }).option("inference", {
+    type: "string",
+    array: true,
+    demandOption: true,
+    describe: chalk3.bold(
+      "Path(s) to inference artifact(s) (one per session)"
+    )
+  }).option("ai-response-at", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold(
+      "ISO timestamp(s) for AI response (one per session, defaults to now)"
+    )
+  }).option("model", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold("AI model name(s) (optional, one per session)")
+  }).option("tool-name", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold("Tool/IDE name(s) (optional, one per session)")
+  }).option("blame-type", {
+    type: "string",
+    array: true,
+    choices: Object.values(AiBlameInferenceType),
+    describe: chalk3.bold(
+      "Blame type(s) (optional, one per session, defaults to CHAT)"
+    )
+  }).strict();
+}
+async function uploadAiBlameHandlerFromExtension(args) {
+  const uploadArgs = {
+    prompt: [],
+    inference: [],
+    model: [],
+    toolName: [],
+    aiResponseAt: [],
+    blameType: [],
+    sessionId: []
+  };
+  let promptsCounts;
+  let inferenceCounts;
+  let promptsUUID;
+  let inferenceUUID;
+  await withFile(async (promptFile) => {
+    const promptsResult = await sanitizeDataWithCounts(args.prompts);
+    promptsCounts = promptsResult.counts;
+    promptsUUID = path7.basename(promptFile.path, path7.extname(promptFile.path));
+    await fsPromises2.writeFile(
+      promptFile.path,
+      JSON.stringify(promptsResult.sanitizedData, null, 2),
+      "utf-8"
+    );
+    uploadArgs.prompt.push(promptFile.path);
+    await withFile(async (inferenceFile) => {
+      const inferenceResult = await sanitizeDataWithCounts(args.inference);
+      inferenceCounts = inferenceResult.counts;
+      inferenceUUID = path7.basename(
+        inferenceFile.path,
+        path7.extname(inferenceFile.path)
+      );
+      await fsPromises2.writeFile(
+        inferenceFile.path,
+        inferenceResult.sanitizedData,
+        "utf-8"
+      );
+      uploadArgs.inference.push(inferenceFile.path);
+      uploadArgs.model.push(args.model);
+      uploadArgs.toolName.push(args.tool);
+      uploadArgs.aiResponseAt.push(args.responseTime);
+      uploadArgs.blameType.push(args.blameType || "CHAT" /* Chat */);
+      if (args.sessionId) {
+        uploadArgs.sessionId.push(args.sessionId);
+      }
+      await uploadAiBlameHandler({
+        args: uploadArgs,
+        exitOnError: false,
+        apiUrl: args.apiUrl,
+        webAppUrl: args.webAppUrl,
+        repositoryUrl: args.repositoryUrl
       });
+    });
+  });
+  return {
+    promptsCounts,
+    inferenceCounts,
+    promptsUUID,
+    inferenceUUID
+  };
+}
+async function uploadAiBlameHandler(options) {
+  const {
+    args,
+    exitOnError = true,
+    apiUrl,
+    webAppUrl,
+    logger: logger2 = defaultLogger2
+  } = options;
+  const prompts = args.prompt || [];
+  const inferences = args.inference || [];
+  const models = args.model || [];
+  const tools = args.toolName || args["tool-name"] || [];
+  const responseTimes = args.aiResponseAt || args["ai-response-at"] || [];
+  const blameTypes = args.blameType || args["blame-type"] || [];
+  const sessionIds = args.sessionId || args["session-id"] || [];
+  if (prompts.length !== inferences.length) {
+    const errorMsg = "prompt and inference must have the same number of entries";
+    logger2.error(chalk3.red(errorMsg));
+    if (exitOnError) {
+      process.exit(1);
     }
-    return this.gqlClient;
-  }
-  /**
-   * Assigns a GQL client instance to the AuthManager, and resets auth state
-   * @param gqlClient The GQL client instance to set
-   */
-  setGQLClient(gqlClient) {
-    this.gqlClient = gqlClient;
-    this.cleanup();
+    throw new Error(errorMsg);
   }
-  /**
-   * Cleans up any active login session
-   */
-  cleanup() {
-    this.publicKey = void 0;
-    this.privateKey = void 0;
-    this.loginId = void 0;
-    this.authenticated = null;
-    this.currentBrowserUrl = null;
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  const { computerName, userName } = getSystemInfo();
+  const repositoryUrl = options.repositoryUrl !== void 0 ? options.repositoryUrl : await getRepositoryUrl();
+  const sessions = [];
+  for (let i = 0; i < prompts.length; i++) {
+    const promptPath = String(prompts[i]);
+    const inferencePath = String(inferences[i]);
+    try {
+      await Promise.all([
+        fsPromises2.access(promptPath),
+        fsPromises2.access(inferencePath)
+      ]);
+    } catch {
+      const errorMsg = `File not found for session ${i + 1}`;
+      logger2.error(chalk3.red(errorMsg));
+      if (exitOnError) {
+        process.exit(1);
+      }
+      throw new Error(errorMsg);
+    }
+    sessions.push({
+      promptFileName: path7.basename(promptPath),
+      inferenceFileName: path7.basename(inferencePath),
+      aiResponseAt: responseTimes[i] || nowIso,
+      model: models[i],
+      toolName: tools[i],
+      blameType: blameTypes[i] || "CHAT" /* Chat */,
+      computerName,
+      userName,
+      sessionId: sessionIds[i],
+      repositoryUrl
+    });
   }
-};
-
-// src/commands/handleMobbLogin.ts
-var debug8 = Debug7("mobbdev:commands");
-var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY2 = 5 * 1e3;
-var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk3.bgBlue(
-  "press any key to continue"
-)};`;
-async function getAuthenticatedGQLClient({
-  inputApiKey = "",
-  isSkipPrompts = true,
-  apiUrl,
-  webAppUrl
-}) {
-  debug8(
-    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
-    apiUrl || "undefined",
-    webAppUrl || "undefined"
-  );
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  let gqlClient = authManager.getGQLClient(inputApiKey);
-  gqlClient = await handleMobbLogin({
-    inGqlClient: gqlClient,
-    skipPrompts: isSkipPrompts,
+  const authenticatedClient = await getAuthenticatedGQLClient({
+    isSkipPrompts: true,
     apiUrl,
     webAppUrl
   });
-  return gqlClient;
-}
-async function handleMobbLogin({
-  inGqlClient,
-  apiKey,
-  skipPrompts,
-  apiUrl,
-  webAppUrl,
-  loginContext
-}) {
-  debug8(
-    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
-    apiUrl || "fallback",
-    apiUrl || "fallback",
-    webAppUrl || "fallback",
-    webAppUrl || "fallback"
+  const initSessions = sessions.map(
+    ({ sessionId: _sessionId, ...rest }) => rest
   );
-  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  authManager.setGQLClient(inGqlClient);
-  try {
-    const isAuthenticated = await authManager.isAuthenticated();
-    if (isAuthenticated) {
-      createSpinner5().start().success({
-        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
-      });
-      return authManager.getGQLClient();
+  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+    sessions: initSessions
+  });
+  const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
+  if (uploadSessions.length !== sessions.length) {
+    const errorMsg = "Init failed to return expected number of sessions";
+    logger2.error(chalk3.red(errorMsg));
+    if (exitOnError) {
+      process.exit(1);
     }
-  } catch (error) {
-    debug8("Authentication check failed:", error);
+    throw new Error(errorMsg);
   }
-  if (apiKey) {
-    createSpinner5().start().error({
-      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    });
-    throw new CliError(
-      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    );
+  for (let i = 0; i < uploadSessions.length; i++) {
+    const us = uploadSessions[i];
+    const promptPath = String(prompts[i]);
+    const inferencePath = String(inferences[i]);
+    await Promise.all([
+      // Prompt
+      uploadFile({
+        file: promptPath,
+        url: us.prompt.url,
+        uploadFields: JSON.parse(us.prompt.uploadFieldsJSON),
+        uploadKey: us.prompt.uploadKey
+      }),
+      // Inference
+      uploadFile({
+        file: inferencePath,
+        url: us.inference.url,
+        uploadFields: JSON.parse(us.inference.uploadFieldsJSON),
+        uploadKey: us.inference.uploadKey
+      })
+    ]);
   }
-  const loginSpinner = createSpinner5().start();
-  if (!skipPrompts) {
-    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
-    await keypress();
-  }
-  loginSpinner.update({
-    text: "\u{1F513} Waiting for Mobb login..."
+  const finalizeSessions = uploadSessions.map((us, i) => {
+    const s = sessions[i];
+    return {
+      aiBlameInferenceId: us.aiBlameInferenceId,
+      promptKey: us.prompt.uploadKey,
+      inferenceKey: us.inference.uploadKey,
+      aiResponseAt: s.aiResponseAt,
+      model: s.model,
+      toolName: s.toolName,
+      blameType: s.blameType,
+      computerName: s.computerName,
+      userName: s.userName,
+      sessionId: s.sessionId,
+      repositoryUrl: s.repositoryUrl
+    };
   });
   try {
-    const loginUrl = await authManager.generateLoginUrl(loginContext);
-    if (!loginUrl) {
-      loginSpinner.error({
-        text: "Failed to generate login URL"
-      });
-      throw new CliError("Failed to generate login URL");
-    }
-    !skipPrompts && console.log(
-      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    logger2.info(
+      `[UPLOAD] Calling finalizeAIBlameInferencesUploadRaw with ${finalizeSessions.length} sessions`
     );
-    authManager.openUrlInBrowser();
-    const authSuccess = await authManager.waitForAuthentication();
-    if (!authSuccess) {
-      loginSpinner.error({
-        text: "Login timeout error"
-      });
-      throw new CliError("Login timeout error");
+    const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw(
+      {
+        sessions: finalizeSessions
+      }
+    );
+    logger2.info("[UPLOAD] Finalize response:", JSON.stringify(finRes, null, 2));
+    const status = finRes?.finalizeAIBlameInferencesUpload?.status;
+    if (status !== "OK") {
+      const errorMsg = finRes?.finalizeAIBlameInferencesUpload?.error || "unknown error";
+      logger2.error(
+        chalk3.red(
+          `[UPLOAD] Finalize failed with status: ${status}, error: ${errorMsg}`
+        )
+      );
+      if (exitOnError) {
+        process.exit(1);
+      }
+      throw new Error(errorMsg);
     }
-    loginSpinner.success({
-      text: `\u{1F513} Login to Mobb successful!`
-    });
-    return authManager.getGQLClient();
-  } finally {
-    authManager.cleanup();
+    logger2.info(chalk3.green("[UPLOAD] AI Blame uploads finalized successfully"));
+  } catch (error) {
+    logger2.error("[UPLOAD] Finalize threw error:", error);
+    throw error;
   }
 }
+async function uploadAiBlameCommandHandler(args) {
+  await uploadAiBlameHandler({ args });
+}
 
-// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
-import Debug11 from "debug";
-
-// src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
-import Debug10 from "debug";
-import parseDiff from "parse-diff";
-import { z as z28 } from "zod";
+// src/features/analysis/graphql/tracy-batch-upload.ts
+var gzipAsync = promisify(gzip);
+var debug9 = Debug8("mobbdev:tracy-batch-upload");
+var MAX_BATCH_PAYLOAD_BYTES = 3 * 1024 * 1024;
 
-// src/features/analysis/utils/by_key.ts
-function keyBy(array, keyBy2) {
-  return array.reduce((acc, item) => {
-    return { ...acc, [item[keyBy2]]: item };
-  }, {});
+// src/mcp/services/types.ts
+function detectIDE() {
+  const env3 = process.env;
+  if (env3["CURSOR_TRACE_ID"] || env3["CURSOR_SESSION_ID"]) return "cursor";
+  if (env3["WINDSURF_IPC_HOOK"] || env3["WINDSURF_PID"]) return "windsurf";
+  if (env3["CLAUDE_DESKTOP"] || env3["ANTHROPIC_CLAUDE"]) return "claude";
+  if (env3["WEBSTORM_VM_OPTIONS"] || env3["IDEA_VM_OPTIONS"] || env3["JETBRAINS_IDE"])
+    return "webstorm";
+  if (env3["VSCODE_IPC_HOOK"] || env3["VSCODE_PID"]) return "vscode";
+  const termProgram = env3["TERM_PROGRAM"]?.toLowerCase();
+  if (termProgram === "windsurf") return "windsurf";
+  if (termProgram === "vscode") return "vscode";
+  return void 0;
+}
+function createMcpLoginContext(trigger) {
+  return {
+    trigger,
+    source: "mcp",
+    ide: detectIDE()
+  };
+}
+function buildLoginUrl(baseUrl, loginId, hostname, context) {
+  const url = new URL(`${baseUrl}/${loginId}`);
+  url.searchParams.set("hostname", hostname);
+  url.searchParams.set("trigger", context.trigger);
+  url.searchParams.set("source", context.source);
+  if (context.ide) {
+    url.searchParams.set("ide", context.ide);
+  }
+  return url.toString();
 }
 
-// src/features/analysis/utils/send_report.ts
-import Debug8 from "debug";
-init_client_generates();
-var debug9 = Debug8("mobbdev:index");
-async function sendReport({
-  spinner,
-  submitVulnerabilityReportVariables,
-  gqlClient,
-  polling
-}) {
-  try {
-    const submitRes = await gqlClient.submitVulnerabilityReport(
-      submitVulnerabilityReportVariables
-    );
-    if (submitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
-      debug9("error submit vul report %s", submitRes);
-      throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
+// src/commands/AuthManager.ts
+var debug10 = Debug9("mobbdev:auth");
+var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
+var LOGIN_CHECK_DELAY = 5 * 1e3;
+var _AuthManager = class _AuthManager {
+  constructor(webAppUrl, apiUrl) {
+    __publicField(this, "publicKey");
+    __publicField(this, "privateKey");
+    __publicField(this, "loginId");
+    __publicField(this, "gqlClient");
+    __publicField(this, "currentBrowserUrl");
+    __publicField(this, "authenticated", null);
+    __publicField(this, "resolvedWebAppUrl");
+    __publicField(this, "resolvedApiUrl");
+    this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
+    this.resolvedApiUrl = apiUrl || API_URL;
+  }
+  openUrlInBrowser() {
+    if (this.currentBrowserUrl) {
+      open(this.currentBrowserUrl);
+      return true;
     }
-    spinner.update({ text: progressMassages.processingVulnerabilityReport });
-    const callback = (_analysisId) => spinner.update({
-      text: "\u2699\uFE0F Vulnerability report processed successfully"
+    return false;
+  }
+  async waitForAuthentication() {
+    let newApiToken = null;
+    for (let i = 0; i < _AuthManager.loginMaxWait / LOGIN_CHECK_DELAY; i++) {
+      newApiToken = await this.getApiToken();
+      if (newApiToken) {
+        break;
+      }
+      await sleep(LOGIN_CHECK_DELAY);
+    }
+    if (!newApiToken) {
+      return false;
+    }
+    this.gqlClient = new GQLClient({
+      apiKey: newApiToken,
+      type: "apiKey",
+      apiUrl: this.resolvedApiUrl
     });
-    const callbackStates = [
-      "Digested" /* Digested */,
-      "Finished" /* Finished */
-    ];
-    if (polling) {
-      debug9("[sendReport] Using POLLING mode for analysis state updates");
-      await gqlClient.pollForAnalysisState({
-        analysisId: submitRes.submitVulnerabilityReport.fixReportId,
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+    const loginSuccess = await this.gqlClient.validateUserToken();
+    if (loginSuccess) {
+      configStore.set("apiToken", newApiToken);
+      this.authenticated = true;
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Checks if the user is already authenticated
+   */
+  async isAuthenticated() {
+    if (this.authenticated === null) {
+      const result = await this.checkAuthentication();
+      this.authenticated = result.isAuthenticated;
+      if (!result.isAuthenticated) {
+        debug10("isAuthenticated: false \u2014 %s", result.message);
+      }
+    }
+    return this.authenticated;
+  }
+  /**
+   * Private function to check if the user is authenticated with the server
+   */
+  async checkAuthentication(apiKey) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient(apiKey);
+      }
+      const isConnected = await this.gqlClient.verifyApiConnection();
+      if (!isConnected) {
+        return {
+          isAuthenticated: false,
+          message: "Failed to connect to Mobb server"
+        };
+      }
+      const userVerify = await this.gqlClient.validateUserToken();
+      if (!userVerify) {
+        return {
+          isAuthenticated: false,
+          message: "User token validation failed"
+        };
+      }
+    } catch (error) {
+      return {
+        isAuthenticated: false,
+        message: error instanceof Error ? error.message : "Unknown authentication error"
+      };
+    }
+    return { isAuthenticated: true, message: "Successfully authenticated" };
+  }
+  /**
+   * Generates a login URL for manual authentication
+   */
+  async generateLoginUrl(loginContext) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient();
+      }
+      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048
       });
-    } else {
-      debug9("[sendReport] Using WEBSOCKET mode for analysis state updates");
-      await gqlClient.subscribeToAnalysis({
-        subscribeToAnalysisParams: {
-          analysisId: submitRes.submitVulnerabilityReport.fixReportId
-        },
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      this.publicKey = publicKey;
+      this.privateKey = privateKey;
+      this.loginId = await this.gqlClient.createCliLogin({
+        publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
       });
+      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
+      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os3.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os3.hostname()}`;
+      this.currentBrowserUrl = browserUrl;
+      return browserUrl;
+    } catch (error) {
+      console.error("Failed to generate login URL:", error);
+      return null;
     }
-    return submitRes;
-  } catch (e) {
-    spinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
-    throw e;
   }
-}
-
-// src/features/analysis/utils/index.ts
-function getFromArraySafe(array) {
+  /**
+   * Retrieves and decrypts the API token after authentication
+   */
+  async getApiToken() {
+    if (!this.gqlClient || !this.loginId || !this.privateKey) {
+      return null;
+    }
+    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
+      loginId: this.loginId
+    });
+    if (encryptedApiToken) {
+      return crypto.privateDecrypt(
+        this.privateKey,
+        Buffer.from(encryptedApiToken, "base64")
+      ).toString("utf-8");
+    }
+    return null;
+  }
+  /**
+   * Returns true if a non-empty API token is stored in the configStore.
+   * Used for diagnostics — does NOT validate the token.
+   */
+  hasStoredToken() {
+    const token = configStore.get("apiToken");
+    return typeof token === "string" && token.length > 0;
+  }
+  /**
+   * Gets the current GQL client (if authenticated)
+   */
+  getGQLClient(inputApiKey) {
+    if (this.gqlClient === void 0) {
+      this.gqlClient = new GQLClient({
+        apiKey: inputApiKey || configStore.get("apiToken") || "",
+        type: "apiKey",
+        apiUrl: this.resolvedApiUrl
+      });
+    }
+    return this.gqlClient;
+  }
+  /**
+   * Assigns a GQL client instance to the AuthManager, and resets auth state
+   * @param gqlClient The GQL client instance to set
+   */
+  setGQLClient(gqlClient) {
+    this.gqlClient = gqlClient;
+    this.cleanup();
+  }
+  /**
+   * Cleans up any active login session
+   */
+  cleanup() {
+    this.publicKey = void 0;
+    this.privateKey = void 0;
+    this.loginId = void 0;
+    this.authenticated = null;
+    this.currentBrowserUrl = null;
+  }
+};
+/** Maximum time (ms) to wait for login authentication. Override in tests for faster failures. */
+__publicField(_AuthManager, "loginMaxWait", LOGIN_MAX_WAIT);
+var AuthManager = _AuthManager;
+
+// src/commands/handleMobbLogin.ts
+var debug11 = Debug10("mobbdev:commands");
+var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
+var LOGIN_CHECK_DELAY2 = 5 * 1e3;
+var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk4.bgBlue(
+  "press any key to continue"
+)};`;
+async function getAuthenticatedGQLClient({
+  inputApiKey = "",
+  isSkipPrompts = true,
+  apiUrl,
+  webAppUrl
+}) {
+  debug11(
+    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
+    apiUrl || "undefined",
+    webAppUrl || "undefined"
+  );
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  let gqlClient = authManager.getGQLClient(inputApiKey);
+  gqlClient = await handleMobbLogin({
+    inGqlClient: gqlClient,
+    skipPrompts: isSkipPrompts,
+    apiUrl,
+    webAppUrl
+  });
+  return gqlClient;
+}
+async function handleMobbLogin({
+  inGqlClient,
+  apiKey,
+  skipPrompts,
+  apiUrl,
+  webAppUrl,
+  loginContext
+}) {
+  debug11(
+    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
+    apiUrl || "fallback",
+    apiUrl || "fallback",
+    webAppUrl || "fallback",
+    webAppUrl || "fallback"
+  );
+  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  authManager.setGQLClient(inGqlClient);
+  try {
+    const isAuthenticated = await authManager.isAuthenticated();
+    if (isAuthenticated) {
+      createSpinner5().start().success({
+        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
+      });
+      return authManager.getGQLClient();
+    }
+  } catch (error) {
+    debug11("Authentication check failed:", error);
+  }
+  if (apiKey) {
+    createSpinner5().start().error({
+      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    });
+    throw new CliError(
+      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    );
+  }
+  const loginSpinner = createSpinner5().start();
+  if (!skipPrompts) {
+    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
+    await keypress();
+  }
+  loginSpinner.update({
+    text: "\u{1F513} Waiting for Mobb login..."
+  });
+  try {
+    const loginUrl = await authManager.generateLoginUrl(loginContext);
+    if (!loginUrl) {
+      loginSpinner.error({
+        text: "Failed to generate login URL"
+      });
+      throw new CliError("Failed to generate login URL");
+    }
+    !skipPrompts && console.log(
+      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    );
+    authManager.openUrlInBrowser();
+    const authSuccess = await authManager.waitForAuthentication();
+    if (!authSuccess) {
+      loginSpinner.error({
+        text: "Login timeout error"
+      });
+      throw new CliError("Login timeout error");
+    }
+    loginSpinner.success({
+      text: `\u{1F513} Login to Mobb successful!`
+    });
+    return authManager.getGQLClient();
+  } finally {
+    authManager.cleanup();
+  }
+}
+
+// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
+import Debug14 from "debug";
+
+// src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
+import Debug13 from "debug";
+import parseDiff from "parse-diff";
+import { z as z29 } from "zod";
+
+// src/features/analysis/utils/by_key.ts
+function keyBy(array, keyBy2) {
+  return array.reduce((acc, item) => {
+    return { ...acc, [item[keyBy2]]: item };
+  }, {});
+}
+
+// src/features/analysis/utils/send_report.ts
+import Debug11 from "debug";
+init_client_generates();
+var debug12 = Debug11("mobbdev:index");
+async function sendReport({
+  spinner,
+  submitVulnerabilityReportVariables,
+  gqlClient,
+  polling
+}) {
+  try {
+    const submitRes = await gqlClient.submitVulnerabilityReport(
+      submitVulnerabilityReportVariables
+    );
+    if (submitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
+      debug12("error submit vul report %s", submitRes);
+      throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
+    }
+    spinner.update({ text: progressMassages.processingVulnerabilityReport });
+    const callback = (_analysisId) => spinner.update({
+      text: "\u2699\uFE0F Vulnerability report processed successfully"
+    });
+    const callbackStates = [
+      "Digested" /* Digested */,
+      "Finished" /* Finished */
+    ];
+    if (polling) {
+      debug12("[sendReport] Using POLLING mode for analysis state updates");
+      await gqlClient.pollForAnalysisState({
+        analysisId: submitRes.submitVulnerabilityReport.fixReportId,
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      });
+    } else {
+      debug12("[sendReport] Using WEBSOCKET mode for analysis state updates");
+      await gqlClient.subscribeToAnalysis({
+        subscribeToAnalysisParams: {
+          analysisId: submitRes.submitVulnerabilityReport.fixReportId
+        },
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      });
+    }
+    return submitRes;
+  } catch (e) {
+    spinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
+    throw e;
+  }
+}
+
+// src/features/analysis/utils/index.ts
+function getFromArraySafe(array) {
   return array.reduce((acc, nullableItem) => {
     if (nullableItem) {
       acc.push(nullableItem);
@@ -12900,10 +13600,10 @@ var scannerToFriendlyString = {
 };
 
 // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
-import Debug9 from "debug";
-import { z as z27 } from "zod";
+import Debug12 from "debug";
+import { z as z28 } from "zod";
 init_client_generates();
-var debug10 = Debug9("mobbdev:handle-finished-analysis");
+var debug13 = Debug12("mobbdev:handle-finished-analysis");
 var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
 function buildFixCommentBody({
   fix,
@@ -12955,14 +13655,14 @@ function buildFixCommentBody({
   });
   const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
   const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
-  const validFixParseRes = z27.object({
+  const validFixParseRes = z28.object({
     patchAndQuestions: PatchAndQuestionsZ,
-    safeIssueLanguage: z27.nativeEnum(IssueLanguage_Enum),
-    severityText: z27.nativeEnum(Vulnerability_Severity_Enum),
-    safeIssueType: z27.nativeEnum(IssueType_Enum)
+    safeIssueLanguage: z28.nativeEnum(IssueLanguage_Enum),
+    severityText: z28.nativeEnum(Vulnerability_Severity_Enum),
+    safeIssueType: z28.nativeEnum(IssueType_Enum)
   }).safeParse(fix);
   if (!validFixParseRes.success) {
-    debug10(
+    debug13(
       `fix ${fixId} has custom issue type or language, therefore the commit description will not be added`,
       validFixParseRes.error
     );
@@ -13026,7 +13726,7 @@ ${issuePageLink}`;
 }
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
-var debug11 = Debug10("mobbdev:handle-finished-analysis");
+var debug14 = Debug13("mobbdev:handle-finished-analysis");
 function calculateRanges(integers) {
   if (integers.length === 0) {
     return [];
@@ -13060,7 +13760,7 @@ function deleteAllPreviousComments({
     try {
       return scm.deleteComment({ comment_id: comment.id });
     } catch (e) {
-      debug11("delete comment failed %s", e);
+      debug14("delete comment failed %s", e);
       return Promise.resolve();
     }
   });
@@ -13076,7 +13776,7 @@ function deleteAllPreviousGeneralPrComments(params) {
     try {
       return scm.deleteGeneralPrComment({ commentId: comment.id });
     } catch (e) {
-      debug11("delete comment failed %s", e);
+      debug14("delete comment failed %s", e);
       return Promise.resolve();
     }
   });
@@ -13193,7 +13893,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z28.string().parse(file.to),
+      path: z29.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -13220,7 +13920,7 @@ async function postAnalysisInsightComment(params) {
     fixablePrVuls,
     nonFixablePrVuls
   } = prVulenrabilities;
-  debug11({
+  debug14({
     fixablePrVuls,
     nonFixablePrVuls,
     vulnerabilitiesOutsidePr,
@@ -13275,7 +13975,7 @@ ${contactUsMarkdown}`;
 }
 
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
-var debug12 = Debug11("mobbdev:handle-finished-analysis");
+var debug15 = Debug14("mobbdev:handle-finished-analysis");
 async function addFixCommentsForPr({
   analysisId,
   scm: _scm,
@@ -13287,7 +13987,7 @@ async function addFixCommentsForPr({
   }
   const scm = _scm;
   const getAnalysisRes = await gqlClient.getAnalysis(analysisId);
-  debug12("getAnalysis %o", getAnalysisRes);
+  debug15("getAnalysis %o", getAnalysisRes);
   const {
     vulnerabilityReport: {
       projectId,
@@ -13397,8 +14097,8 @@ ${contextString}` : description;
 
 // src/features/analysis/auto_pr_handler.ts
 init_client_generates();
-import Debug12 from "debug";
-var debug13 = Debug12("mobbdev:handleAutoPr");
+import Debug15 from "debug";
+var debug16 = Debug15("mobbdev:handleAutoPr");
 async function handleAutoPr(params) {
   const {
     gqlClient,
@@ -13419,7 +14119,7 @@ async function handleAutoPr(params) {
       prId,
       prStrategy: createOnePr ? "CONDENSE" /* Condense */ : "SPREAD" /* Spread */
     });
-    debug13("auto pr analysis res %o", autoPrAnalysisRes);
+    debug16("auto pr analysis res %o", autoPrAnalysisRes);
     if (autoPrAnalysisRes.autoPrAnalysis?.__typename === "AutoPrError") {
       createAutoPrSpinner.error({
         text: `\u{1F504} Automatic pull request failed - ${autoPrAnalysisRes.autoPrAnalysis.error}`
@@ -13441,14 +14141,14 @@ async function handleAutoPr(params) {
   };
   const callbackStates = ["Finished" /* Finished */];
   if (polling) {
-    debug13("[handleAutoPr] Using POLLING mode for analysis state updates");
+    debug16("[handleAutoPr] Using POLLING mode for analysis state updates");
     return await gqlClient.pollForAnalysisState({
       analysisId,
       callback,
       callbackStates
     });
   } else {
-    debug13("[handleAutoPr] Using WEBSOCKET mode for analysis state updates");
+    debug16("[handleAutoPr] Using WEBSOCKET mode for analysis state updates");
     return await gqlClient.subscribeToAnalysis({
       subscribeToAnalysisParams: {
         analysisId
@@ -13461,15 +14161,15 @@ async function handleAutoPr(params) {
 
 // src/features/analysis/git.ts
 init_GitService();
-import Debug13 from "debug";
-var debug14 = Debug13("mobbdev:git");
+import Debug16 from "debug";
+var debug17 = Debug16("mobbdev:git");
 async function getGitInfo(srcDirPath) {
-  debug14("getting git info for %s", srcDirPath);
+  debug17("getting git info for %s", srcDirPath);
   const gitService = new GitService(srcDirPath);
   try {
     const validationResult = await gitService.validateRepository();
     if (!validationResult.isValid) {
-      debug14("folder is not a git repo");
+      debug17("folder is not a git repo");
       return {
         success: false,
         hash: void 0,
@@ -13484,9 +14184,9 @@ async function getGitInfo(srcDirPath) {
     };
   } catch (e) {
     if (e instanceof Error) {
-      debug14("failed to run git %o", e);
+      debug17("failed to run git %o", e);
       if (e.message.includes(" spawn ")) {
-        debug14("git cli not installed");
+        debug17("git cli not installed");
       } else {
         throw e;
       }
@@ -13498,22 +14198,22 @@ async function getGitInfo(srcDirPath) {
 // src/features/analysis/pack.ts
 init_configs();
 import fs9 from "fs";
-import path7 from "path";
+import path8 from "path";
 import AdmZip from "adm-zip";
-import Debug14 from "debug";
+import Debug17 from "debug";
 import { globby } from "globby";
 import { isBinary as isBinary2 } from "istextorbinary";
 import { simpleGit as simpleGit3 } from "simple-git";
 import { parseStringPromise } from "xml2js";
-import { z as z29 } from "zod";
-var debug15 = Debug14("mobbdev:pack");
-var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z29.object({
-  properties: z29.object({
-    entry: z29.array(
-      z29.object({
-        _: z29.string(),
-        $: z29.object({
-          key: z29.string()
+import { z as z30 } from "zod";
+var debug18 = Debug17("mobbdev:pack");
+var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z30.object({
+  properties: z30.object({
+    entry: z30.array(
+      z30.object({
+        _: z30.string(),
+        $: z30.object({
+          key: z30.string()
         })
       })
     )
@@ -13528,7 +14228,7 @@ function getManifestFilesSuffixes() {
   return ["package.json", "pom.xml"];
 }
 async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
-  debug15("pack folder %s", srcDirPath);
+  debug18("pack folder %s", srcDirPath);
   let git = void 0;
   try {
     git = simpleGit3({
@@ -13538,13 +14238,13 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
     });
     await git.status();
   } catch (e) {
-    debug15("failed to run git %o", e);
+    debug18("failed to run git %o", e);
     git = void 0;
     if (e instanceof Error) {
       if (e.message.includes(" spawn ")) {
-        debug15("git cli not installed");
+        debug18("git cli not installed");
       } else if (e.message.includes("not a git repository")) {
-        debug15("folder is not a git repo");
+        debug18("folder is not a git repo");
       } else {
         throw e;
       }
@@ -13559,23 +14259,23 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
     followSymbolicLinks: false,
     dot: true
   });
-  debug15("files found %d", filepaths.length);
+  debug18("files found %d", filepaths.length);
   const zip = new AdmZip();
-  debug15("compressing files");
+  debug18("compressing files");
   for (const filepath of filepaths) {
-    const absFilepath = path7.join(srcDirPath, filepath.toString());
+    const absFilepath = path8.join(srcDirPath, filepath.toString());
     if (!isIncludeAllFiles) {
       vulnFiles = vulnFiles.concat(getManifestFilesSuffixes());
       if (!endsWithAny(
-        absFilepath.toString().replaceAll(path7.win32.sep, path7.posix.sep),
+        absFilepath.toString().replaceAll(path8.win32.sep, path8.posix.sep),
         vulnFiles
       )) {
-        debug15("ignoring %s because it is not a vulnerability file", filepath);
+        debug18("ignoring %s because it is not a vulnerability file", filepath);
         continue;
       }
     }
     if (fs9.lstatSync(absFilepath).size > MCP_MAX_FILE_SIZE) {
-      debug15("ignoring %s because the size is > 5MB", filepath);
+      debug18("ignoring %s because the size is > 5MB", filepath);
       continue;
     }
     let data;
@@ -13589,16 +14289,16 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
       data = fs9.readFileSync(absFilepath);
     }
     if (isBinary2(null, data)) {
-      debug15("ignoring %s because is seems to be a binary file", filepath);
+      debug18("ignoring %s because is seems to be a binary file", filepath);
       continue;
     }
     zip.addFile(filepath.toString(), data);
   }
-  debug15("get zip file buffer");
+  debug18("get zip file buffer");
   return zip.toBuffer();
 }
 async function repackFpr(fprPath) {
-  debug15("repack fpr file %s", fprPath);
+  debug18("repack fpr file %s", fprPath);
   const zipIn = new AdmZip(fprPath);
   const zipOut = new AdmZip();
   const mappingXML = zipIn.readAsText("src-archive/index.xml", "utf-8");
@@ -13613,7 +14313,7 @@ async function repackFpr(fprPath) {
       zipOut.addFile(realPath, buf);
     }
   }
-  debug15("get repacked zip file buffer");
+  debug18("get repacked zip file buffer");
   return zipOut.toBuffer();
 }
 
@@ -13683,12 +14383,12 @@ async function snykArticlePrompt() {
 
 // src/features/analysis/scanners/checkmarx.ts
 import { createRequire } from "module";
-import chalk4 from "chalk";
-import Debug16 from "debug";
+import chalk5 from "chalk";
+import Debug19 from "debug";
 import { existsSync } from "fs";
 import { createSpinner as createSpinner2 } from "nanospinner";
 import { type } from "os";
-import path8 from "path";
+import path9 from "path";
 
 // src/post_install/constants.mjs
 var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
@@ -13696,7 +14396,7 @@ var cxOperatingSystemSupportMessage = `Your operating system does not support ch
 
 // src/utils/child_process.ts
 import cp from "child_process";
-import Debug15 from "debug";
+import Debug18 from "debug";
 import * as process2 from "process";
 function createFork({ args, processPath, name }, options) {
   const child = cp.fork(processPath, args, {
@@ -13714,16 +14414,16 @@ function createSpawn({ args, processPath, name, cwd }, options) {
   return createChildProcess({ childProcess: child, name }, options);
 }
 function createChildProcess({ childProcess, name }, options) {
-  const debug21 = Debug15(`mobbdev:${name}`);
+  const debug23 = Debug18(`mobbdev:${name}`);
   const { display } = options;
   return new Promise((resolve, reject) => {
     let out = "";
     const onData = (chunk) => {
-      debug21(`chunk received from ${name} std ${chunk}`);
+      debug23(`chunk received from ${name} std ${chunk}`);
       out += chunk;
     };
     if (!childProcess?.stdout || !childProcess?.stderr) {
-      debug21(`unable to fork ${name}`);
+      debug23(`unable to fork ${name}`);
       reject(new Error(`unable to fork ${name}`));
     }
     childProcess.stdout?.on("data", onData);
@@ -13733,18 +14433,18 @@ function createChildProcess({ childProcess, name }, options) {
       childProcess.stderr?.pipe(process2.stderr);
     }
     childProcess.on("exit", (code) => {
-      debug21(`${name} exit code ${code}`);
+      debug23(`${name} exit code ${code}`);
       resolve({ message: out, code });
     });
     childProcess.on("error", (err) => {
-      debug21(`${name} error %o`, err);
+      debug23(`${name} error %o`, err);
       reject(err);
     });
   });
 }
 
 // src/features/analysis/scanners/checkmarx.ts
-var debug16 = Debug16("mobbdev:checkmarx");
+var debug19 = Debug19("mobbdev:checkmarx");
 var moduleUrl;
 if (typeof __filename !== "undefined") {
   moduleUrl = __filename;
@@ -13803,1900 +14503,1283 @@ function validateCheckmarxInstallation() {
   existsSync(getCheckmarxPath());
 }
 async function forkCheckmarx(args, { display }) {
-  debug16("fork checkmarx with args %o %s", args.join(" "), display);
+  debug19("fork checkmarx with args %o %s", args.join(" "), display);
   return createSpawn(
     { args, processPath: getCheckmarxPath(), name: "checkmarx" },
     { display }
   );
 }
 async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectName }, { skipPrompts = false }) {
-  debug16("get checkmarx report start %s %s", reportPath, repositoryRoot);
+  debug19("get checkmarx report start %s %s", reportPath, repositoryRoot);
   const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
-    display: false
-  });
-  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
-    if (skipPrompts) {
-      await throwCheckmarxConfigError();
-    }
-    await startCheckmarxConfigationPrompt();
-    await validateCheckamxCredentials();
-  }
-  const extension = path8.extname(reportPath);
-  const filePath = path8.dirname(reportPath);
-  const fileName = path8.basename(reportPath, extension);
-  const checkmarxCommandArgs = getCheckmarxCommandArgs({
-    repoPath: repositoryRoot,
-    branch,
-    filePath,
-    fileName,
-    projectName
-  });
-  console.log("\u280B \u{1F50D} Initiating Checkmarx Scan ");
-  const { code: scanCode } = await forkCheckmarx(
-    [...SCAN_COMMAND, ...checkmarxCommandArgs],
-    {
-      display: true
-    }
-  );
-  if (scanCode !== CHECKMARX_SUCCESS_CODE) {
-    createSpinner2("\u{1F50D} Something went wrong with the checkmarx scan").start().error();
-    throw new CliError();
-  }
-  await createSpinner2("\u{1F50D} Checkmarx Scan completed").start().success();
-  return true;
-}
-async function throwCheckmarxConfigError() {
-  await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
-  throw new CliError(
-    `Checkmarx is not configued correctly
- you can configure it by using the ${chalk4.bold(
-      "cx configure"
-    )} command`
-  );
-}
-async function validateCheckamxCredentials() {
-  console.log(`
-        Here's a suggestion for checkmarx configuation: 
-          ${chalk4.bold("AST Base URI:")} https://ast.checkmarx.net
-          ${chalk4.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
-  `);
-  await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
-  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
-    display: false
-  });
-  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
-    const tryAgain = await tryCheckmarxConfiguarationAgain();
-    if (!tryAgain) {
-      await throwCheckmarxConfigError();
-    }
-    await validateCheckamxCredentials();
-    return;
-  }
-  await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
-}
-
-// src/features/analysis/scanners/snyk.ts
-import { createRequire as createRequire2 } from "module";
-import chalk5 from "chalk";
-import Debug17 from "debug";
-import { createSpinner as createSpinner3 } from "nanospinner";
-import open2 from "open";
-var debug17 = Debug17("mobbdev:snyk");
-var moduleUrl2;
-if (typeof __filename !== "undefined") {
-  moduleUrl2 = __filename;
-} else {
-  try {
-    const getImportMetaUrl = new Function("return import.meta.url");
-    moduleUrl2 = getImportMetaUrl();
-  } catch {
-    const err = new Error();
-    const stack = err.stack || "";
-    const match = stack.match(/file:\/\/[^\s)]+/);
-    if (match) {
-      moduleUrl2 = match[0];
-    } else {
-      throw new Error("Unable to determine module URL in this environment");
-    }
-  }
-}
-var costumeRequire2 = createRequire2(moduleUrl2);
-var SNYK_PATH = costumeRequire2.resolve("snyk/bin/snyk");
-var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-using-snyk/snyk-code/configure-snyk-code#enable-snyk-code";
-debug17("snyk executable path %s", SNYK_PATH);
-async function forkSnyk(args, { display }) {
-  debug17("fork snyk with args %o %s", args, display);
-  return createFork({ args, processPath: SNYK_PATH, name: "snyk" }, { display });
-}
-async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
-  debug17("get snyk report start %s %s", reportPath, repoRoot);
-  const config2 = await forkSnyk(["config"], { display: false });
-  const { message: configMessage } = config2;
-  if (!configMessage.includes("api: ")) {
-    const snykLoginSpinner = createSpinner3().start();
-    if (!skipPrompts) {
-      snykLoginSpinner.update({
-        text: "\u{1F513} Login to Snyk is required, press any key to continue"
-      });
-      await keypress();
-    }
-    snykLoginSpinner.update({
-      text: "\u{1F513} Waiting for Snyk login to complete"
-    });
-    debug17("no token in the config %s", config2);
-    await forkSnyk(["auth"], { display: true });
-    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
-  }
-  const snykSpinner = createSpinner3("\u{1F50D} Scanning your repo with Snyk ").start();
-  const { message: scanOutput } = await forkSnyk(
-    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
-    { display: true }
-  );
-  if (scanOutput.includes("Snyk Code is not supported for org")) {
-    debug17("snyk code is not enabled %s", scanOutput);
-    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
-    const answer = await snykArticlePrompt();
-    debug17("answer %s", answer);
-    if (answer) {
-      debug17("opening the browser");
-      await open2(SNYK_ARTICLE_URL);
-    }
-    console.log(
-      chalk5.bgBlue(
-        "\nPlease enable Snyk Code in your Snyk account and try again."
-      )
-    );
-    throw Error("snyk is not enbabled");
-  }
-  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
-  return true;
-}
-
-// src/features/analysis/index.ts
-init_client_generates();
-
-// src/features/analysis/upload-file.ts
-import Debug18 from "debug";
-import fetch3, { File, fileFrom, FormData } from "node-fetch";
-var debug18 = Debug18("mobbdev:upload-file");
-async function uploadFile({
-  file,
-  url,
-  uploadKey,
-  uploadFields,
-  logger: logger2
-}) {
-  const logInfo2 = logger2 || ((_message, _data) => {
-  });
-  logInfo2(`FileUpload: upload file start ${url}`);
-  logInfo2(`FileUpload: upload fields`, uploadFields);
-  logInfo2(`FileUpload: upload key ${uploadKey}`);
-  debug18("upload file start %s", url);
-  debug18("upload fields %o", uploadFields);
-  debug18("upload key %s", uploadKey);
-  const form = new FormData();
-  Object.entries(uploadFields).forEach(([key, value]) => {
-    form.append(key, value);
-  });
-  if (!form.has("key")) {
-    form.append("key", uploadKey);
-  }
-  if (typeof file === "string") {
-    debug18("upload file from path %s", file);
-    logInfo2(`FileUpload: upload file from path ${file}`);
-    form.append("file", await fileFrom(file));
-  } else {
-    debug18("upload file from buffer");
-    logInfo2(`FileUpload: upload file from buffer`);
-    form.append("file", new File([new Uint8Array(file)], "file"));
-  }
-  const agent = getProxyAgent(url);
-  const response = await fetch3(url, {
-    method: "POST",
-    body: form,
-    agent
-  });
-  if (!response.ok) {
-    debug18("error from S3 %s %s", response.body, response.status);
-    logInfo2(`FileUpload: error from S3 ${response.body} ${response.status}`);
-    throw new Error(`Failed to upload the file: ${response.status}`);
-  }
-  debug18("upload file done");
-  logInfo2(`FileUpload: upload file done`);
-}
-
-// src/features/analysis/index.ts
-var { CliError: CliError2, Spinner: Spinner2 } = utils_exports;
-function _getScanSource(command, ci) {
-  if (command === "review") return "AUTO_FIXER" /* AutoFixer */;
-  const envToCi = [
-    ["GITLAB_CI", "CI_GITLAB" /* CiGitlab */],
-    ["GITHUB_ACTIONS", "CI_GITHUB" /* CiGithub */],
-    ["JENKINS_URL", "CI_JENKINS" /* CiJenkins */],
-    ["CIRCLECI", "CI_CIRCLECI" /* CiCircleci */],
-    ["TF_BUILD", "CI_AZURE" /* CiAzure */],
-    ["bamboo_buildKey", "CI_BAMBOO" /* CiBamboo */]
-  ];
-  for (const [envKey, source] of envToCi) {
-    if (env2[envKey]) {
-      return source;
-    }
-  }
-  if (ci) {
-    return "CI_UNKNOWN" /* CiUnknown */;
-  }
-  return "CLI" /* Cli */;
-}
-async function downloadRepo({
-  repoUrl,
-  authHeaders,
-  downloadUrl,
-  dirname,
-  ci
-}) {
-  const { createSpinner: createSpinner5 } = Spinner2({ ci });
-  const repoSpinner = createSpinner5("\u{1F4BE} Downloading Repo").start();
-  debug19("download repo %s %s %s", repoUrl, dirname);
-  const zipFilePath = path9.join(dirname, "repo.zip");
-  debug19("download URL: %s auth headers: %o", downloadUrl, authHeaders);
-  const response = await fetch4(downloadUrl, {
-    method: "GET",
-    headers: {
-      ...authHeaders
-    }
-  });
-  if (!response.ok) {
-    debug19("SCM zipball request failed %s %s", response.body, response.status);
-    repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
-    throw new Error(`Can't access ${chalk6.bold(repoUrl)}`);
-  }
-  const fileWriterStream = fs10.createWriteStream(zipFilePath);
-  if (!response.body) {
-    throw new Error("Response body is empty");
-  }
-  await pipeline(response.body, fileWriterStream);
-  await extract(zipFilePath, { dir: dirname });
-  const repoRoot = fs10.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
-  if (!repoRoot) {
-    throw new Error("Repo root not found");
-  }
-  debug19("repo root %s", repoRoot);
-  repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
-  return path9.join(dirname, repoRoot);
-}
-var getReportUrl = ({
-  organizationId,
-  projectId,
-  fixReportId
-}) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
-var debug19 = Debug19("mobbdev:index");
-async function runAnalysis(params, options) {
-  const tmpObj = tmp2.dirSync({
-    unsafeCleanup: true
-  });
-  try {
-    return await _scan(
-      {
-        ...params,
-        dirname: tmpObj.name
-      },
-      options
-    );
-  } finally {
-    tmpObj.removeCallback();
-  }
-}
-function _getUrlForScmType({
-  scmLibType
-}) {
-  const githubAuthUrl = `${WEB_APP_URL}/github-auth`;
-  const gitlabAuthUrl = `${WEB_APP_URL}/gitlab-auth`;
-  const adoAuthUrl = `${WEB_APP_URL}/ado-auth`;
-  switch (scmLibType) {
-    case "GITHUB" /* GITHUB */:
-      return {
-        authUrl: githubAuthUrl
-      };
-    case "GITLAB" /* GITLAB */:
-      return {
-        authUrl: gitlabAuthUrl
-      };
-    case "ADO" /* ADO */:
-      return {
-        authUrl: adoAuthUrl
-      };
-    default:
-      return {
-        authUrl: void 0
-      };
-  }
-}
-function getBrokerHosts(userOrgsAnUserOrgRoles) {
-  const brokerHosts = [];
-  if (!userOrgsAnUserOrgRoles) {
-    return brokerHosts;
-  }
-  userOrgsAnUserOrgRoles.forEach((org) => {
-    org?.organization?.brokerHosts.forEach((brokerHost) => {
-      if (brokerHost) {
-        brokerHosts.push(brokerHost);
-      }
-    });
-  });
-  return brokerHosts;
-}
-async function getScmTokenInfo(params) {
-  const { gqlClient, repo } = params;
-  const userInfo2 = await gqlClient.getUserInfo();
-  if (!userInfo2) {
-    throw new Error("userInfo is null");
-  }
-  const scmConfigs = getFromArraySafe(userInfo2.scmConfigs);
-  return getScmConfig({
-    url: repo,
-    scmConfigs,
-    includeOrgTokens: false,
-    brokerHosts: getBrokerHosts(
-      userInfo2.userOrganizationsAndUserOrganizationRoles
-    )
-  });
-}
-async function getReport(params, { skipPrompts }) {
-  const {
-    scanner,
-    repoUrl,
-    gqlClient,
-    sha,
-    dirname,
-    reference,
-    cxProjectName,
-    ci
-  } = params;
-  const tokenInfo = await getScmTokenInfo({ gqlClient, repo: repoUrl });
-  const scm = await createScmLib(
-    {
-      url: repoUrl,
-      accessToken: tokenInfo.accessToken,
-      scmOrg: tokenInfo.scmOrg,
-      scmType: tokenInfo.scmLibType
-    },
-    { propagateExceptions: true }
-  );
-  const downloadUrl = await scm.getDownloadUrl(sha);
-  const repositoryRoot = await downloadRepo({
-    repoUrl,
-    dirname,
-    ci,
-    authHeaders: scm.getAuthHeaders(),
-    downloadUrl
-  });
-  const reportPath = path9.join(dirname, REPORT_DEFAULT_FILE_NAME);
-  switch (scanner) {
-    case "snyk":
-      await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
-      break;
-    case "checkmarx":
-      if (!cxProjectName) {
-        throw new Error("cxProjectName is required for checkmarx scanner");
-      }
-      await getCheckmarxReport(
-        {
-          reportPath,
-          repositoryRoot,
-          branch: reference,
-          projectName: cxProjectName
-        },
-        { skipPrompts }
-      );
-      break;
-  }
-  return reportPath;
-}
-async function _scan(params, { skipPrompts = false } = {}) {
-  const {
-    dirname,
-    repo,
-    scanFile,
-    apiKey,
-    ci,
-    srcPath,
-    commitHash,
-    ref,
-    experimentalEnabled,
-    scanner,
-    cxProjectName,
-    mobbProjectName,
-    githubToken: githubActionToken,
-    command,
-    organizationId: userOrganizationId,
-    autoPr,
-    createOnePr,
-    commitDirectly,
-    pullRequest,
-    polling
-  } = params;
-  debug19("start %s %s", dirname, repo);
-  const { createSpinner: createSpinner5 } = Spinner2({ ci });
-  skipPrompts = skipPrompts || ci;
-  const gqlClient = await getAuthenticatedGQLClient({
-    inputApiKey: apiKey,
-    isSkipPrompts: skipPrompts
-  });
-  if (!mobbProjectName) {
-    throw new Error("mobbProjectName is required");
-  }
-  const { projectId, organizationId } = await gqlClient.getLastOrgAndNamedProject({
-    projectName: mobbProjectName,
-    userDefinedOrganizationId: userOrganizationId
-  });
-  const {
-    uploadS3BucketInfo: { repoUploadInfo, reportUploadInfo }
-  } = await gqlClient.uploadS3BucketInfo();
-  if (!reportUploadInfo || !repoUploadInfo) {
-    throw new Error("uploadS3BucketInfo is null");
-  }
-  let reportPath = scanFile;
-  if (srcPath) {
-    return await uploadExistingRepo();
-  }
-  if (!repo) {
-    throw new Error("repo is required in case srcPath is not provided");
-  }
-  const tokenInfo = await getScmTokenInfo({ gqlClient, repo });
-  const validateRes = await gqlClient.validateRepoUrl({ repoUrl: repo });
-  const isRepoAvailable = validateRes.validateRepoUrl?.__typename === "RepoValidationSuccess";
-  const cloudScmLibType = getCloudScmLibTypeFromUrl(repo);
-  const { authUrl: scmAuthUrl } = _getUrlForScmType({
-    scmLibType: cloudScmLibType
-  });
-  if (!isRepoAvailable) {
-    if (ci || !cloudScmLibType || !scmAuthUrl) {
-      const errorMessage = scmAuthUrl ? `Cannot access repo ${repo}. Make sure that the repo is accessible and the SCM token configured on Mobb is correct.` : `Cannot access repo ${repo} with the provided token, please visit ${scmAuthUrl} to refresh your source control management system token`;
-      throw new Error(errorMessage);
-    }
-    if (cloudScmLibType && scmAuthUrl) {
-      await handleScmIntegration(tokenInfo.accessToken, scmAuthUrl, repo);
-      const repoValidationResponse = await gqlClient.validateRepoUrl({
-        repoUrl: repo
-      });
-      const isRepoAvailable2 = repoValidationResponse.validateRepoUrl?.__typename === "RepoValidationSuccess";
-      if (!isRepoAvailable2) {
-        throw new Error(
-          `Cannot access repo ${repo} with the provided credentials: ${repoValidationResponse.validateRepoUrl?.__typename}`
-        );
-      }
-    }
-  }
-  const revalidateRes = await gqlClient.validateRepoUrl({ repoUrl: repo });
-  if (revalidateRes.validateRepoUrl?.__typename !== "RepoValidationSuccess") {
-    throw new Error(
-      `could not reach repo ${repo}: ${revalidateRes.validateRepoUrl?.__typename}`
-    );
-  }
-  const reference = ref ?? revalidateRes.validateRepoUrl.defaultBranch;
-  const getReferenceDataRes = await gqlClient.getReferenceData({
-    reference,
-    repoUrl: repo
-  });
-  if (getReferenceDataRes.gitReference?.__typename !== "GitReferenceData") {
-    throw new Error(
-      `Could not get reference data for ${reference}: ${getReferenceDataRes.gitReference?.__typename}`
-    );
-  }
-  const { sha } = getReferenceDataRes.gitReference;
-  debug19("project id %s", projectId);
-  debug19("default branch %s", reference);
-  if (command === "scan") {
-    reportPath = await getReport(
-      {
-        scanner: SupportedScannersZ.parse(scanner),
-        repoUrl: repo,
-        sha,
-        gqlClient,
-        cxProjectName,
-        dirname,
-        reference,
-        ci
-      },
-      { skipPrompts }
-    );
-  }
-  const shouldScan = !reportPath;
-  const uploadReportSpinner = createSpinner5("\u{1F4C1} Uploading Report").start();
-  try {
-    if (reportPath) {
-      await uploadFile({
-        file: reportPath,
-        url: reportUploadInfo.url,
-        uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
-        uploadKey: reportUploadInfo.uploadKey
-      });
-    }
-  } catch (e) {
-    uploadReportSpinner.error({ text: "\u{1F4C1} Report upload failed" });
-    throw e;
-  }
-  await _digestReport({
-    gqlClient,
-    fixReportId: reportUploadInfo.fixReportId,
-    projectId,
-    command,
-    ci,
-    repoUrl: repo,
-    sha,
-    reference,
-    shouldScan,
-    polling
-  });
-  uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
-  const mobbSpinner = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
-  const sendReportRes = await sendReport({
-    gqlClient,
-    spinner: mobbSpinner,
-    submitVulnerabilityReportVariables: {
-      fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: z30.string().parse(repo),
-      reference,
-      projectId,
-      vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
-      sha,
-      experimentalEnabled: !!experimentalEnabled,
-      pullRequest: params.pullRequest,
-      scanSource: _getScanSource(command, ci),
-      scanContext: ScanContext.BUGSY
-    },
-    polling
-  });
-  if (sendReportRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
-    mobbSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
-    throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
-  }
-  mobbSpinner.success({
-    text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
-  });
-  if (autoPr) {
-    await handleAutoPr({
-      gqlClient,
-      analysisId: reportUploadInfo.fixReportId,
-      commitDirectly,
-      prId: pullRequest,
-      createSpinner: createSpinner5,
-      createOnePr,
-      polling
-    });
-  }
-  await askToOpenAnalysis();
-  if (command === "review") {
-    await waitForAnaysisAndReviewPr({
-      repo,
-      githubActionToken,
-      analysisId: reportUploadInfo.fixReportId,
-      scanner,
-      gqlClient,
-      polling
-    });
-  }
-  return reportUploadInfo.fixReportId;
-  async function askToOpenAnalysis() {
-    if (!repoUploadInfo || !reportUploadInfo) {
-      throw new Error("uploadS3BucketInfo is null");
-    }
-    const reportUrl = getReportUrl({
-      organizationId,
-      projectId,
-      fixReportId: reportUploadInfo.fixReportId
-    });
-    !ci && console.log("You can access the analysis at: \n");
-    console.log(chalk6.bold(reportUrl));
-    !skipPrompts && await mobbAnalysisPrompt();
-    !ci && open3(reportUrl);
-    !ci && console.log(
-      chalk6.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
-    );
-  }
-  async function handleScmIntegration(oldToken, scmAuthUrl2, repoUrl) {
-    const scmLibType = getCloudScmLibTypeFromUrl(repoUrl);
-    const scmName = scmLibType === "GITHUB" /* GITHUB */ ? "Github" : scmLibType === "GITLAB" /* GITLAB */ ? "Gitlab" : scmLibType === "ADO" /* ADO */ ? "Azure DevOps" : "";
-    const addScmIntegration = skipPrompts ? true : await scmIntegrationPrompt(scmName);
-    const scmSpinner = createSpinner5(
-      `\u{1F517} Waiting for ${scmName} integration...`
-    ).start();
-    if (!addScmIntegration) {
-      scmSpinner.error();
-      throw Error(`Could not reach ${scmName} repo`);
-    }
-    console.log(
-      `If the page does not open automatically, kindly access it through ${scmAuthUrl2}.`
-    );
-    await open3(scmAuthUrl2);
-    for (let i = 0; i < LOGIN_MAX_WAIT2 / LOGIN_CHECK_DELAY2; i++) {
-      const userInfo2 = await gqlClient.getUserInfo();
-      if (!userInfo2) {
-        throw new CliError2("User info not found");
-      }
-      const scmConfigs = getFromArraySafe(userInfo2.scmConfigs);
-      const tokenInfo2 = getScmConfig({
-        url: repoUrl,
-        scmConfigs,
-        brokerHosts: getBrokerHosts(
-          userInfo2.userOrganizationsAndUserOrganizationRoles
-        ),
-        includeOrgTokens: false
-      });
-      if (tokenInfo2.accessToken && tokenInfo2.accessToken !== oldToken) {
-        scmSpinner.success({ text: `\u{1F517} ${scmName} integration successful!` });
-        return tokenInfo2.accessToken;
-      }
-      scmSpinner.spin();
-      await sleep(LOGIN_CHECK_DELAY2);
-    }
-    scmSpinner.error({
-      text: `${scmName} login timeout error`
-    });
-    throw new CliError2(`${scmName} login timeout`);
-  }
-  async function uploadExistingRepo() {
-    if (!repoUploadInfo || !reportUploadInfo) {
-      throw new Error("uploadS3BucketInfo is null");
-    }
-    if (!srcPath) {
-      throw new Error("src path is required");
-    }
-    const shouldScan2 = !reportPath;
-    if (reportPath) {
-      const uploadReportSpinner2 = createSpinner5("\u{1F4C1} Uploading Report").start();
-      try {
-        await uploadFile({
-          file: reportPath,
-          url: reportUploadInfo.url,
-          uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
-          uploadKey: reportUploadInfo.uploadKey
-        });
-      } catch (e) {
-        uploadReportSpinner2.error({ text: "\u{1F4C1} Report upload failed" });
-        throw e;
-      }
-      uploadReportSpinner2.success({
-        text: "\u{1F4C1} Uploading Report successful!"
-      });
-    }
-    let gitInfo2 = { success: false };
-    if (reportPath) {
-      const vulnFiles = await _digestReport({
-        gqlClient,
-        fixReportId: reportUploadInfo.fixReportId,
-        projectId,
-        command,
-        ci,
-        shouldScan: shouldScan2,
-        polling
-      });
-      const res = await _zipAndUploadRepo({
-        srcPath,
-        vulnFiles,
-        repoUploadInfo,
-        isIncludeAllFiles: false
-      });
-      gitInfo2 = res.gitInfo;
-    } else {
-      const res = await _zipAndUploadRepo({
-        srcPath,
-        vulnFiles: [],
-        repoUploadInfo,
-        isIncludeAllFiles: true
-      });
-      gitInfo2 = res.gitInfo;
-      await _digestReport({
-        gqlClient,
-        fixReportId: reportUploadInfo.fixReportId,
-        projectId,
-        command,
-        ci,
-        shouldScan: shouldScan2,
-        polling
-      });
-    }
-    const mobbSpinner2 = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
-    try {
-      await sendReport({
-        gqlClient,
-        spinner: mobbSpinner2,
-        submitVulnerabilityReportVariables: {
-          fixReportId: reportUploadInfo.fixReportId,
-          projectId,
-          repoUrl: repo || gitInfo2.repoUrl || getTopLevelDirName(srcPath),
-          reference: ref || gitInfo2.reference || "no-branch",
-          sha: commitHash || gitInfo2.hash || "0123456789abcdef",
-          scanSource: _getScanSource(command, ci),
-          pullRequest: params.pullRequest,
-          experimentalEnabled: !!experimentalEnabled,
-          scanContext: ScanContext.BUGSY
-        },
-        polling
-      });
-      if (command === "review") {
-        await waitForAnaysisAndReviewPr({
-          repo,
-          githubActionToken,
-          analysisId: reportUploadInfo.fixReportId,
-          scanner,
-          gqlClient,
-          polling
-        });
-      }
-    } catch (e) {
-      mobbSpinner2.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
-      throw e;
-    }
-    mobbSpinner2.success({
-      text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
-    });
-    if (autoPr) {
-      await handleAutoPr({
-        gqlClient,
-        analysisId: reportUploadInfo.fixReportId,
-        commitDirectly,
-        prId: pullRequest,
-        createSpinner: createSpinner5,
-        createOnePr,
-        polling
-      });
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    if (skipPrompts) {
+      await throwCheckmarxConfigError();
     }
-    await askToOpenAnalysis();
-    return reportUploadInfo.fixReportId;
+    await startCheckmarxConfigationPrompt();
+    await validateCheckamxCredentials();
   }
-}
-async function _zipAndUploadRepo({
-  srcPath,
-  vulnFiles,
-  repoUploadInfo,
-  isIncludeAllFiles
-}) {
-  const srcFileStatus = await fsPromises2.lstat(srcPath);
-  const zippingSpinner = createSpinner4("\u{1F4E6} Zipping repo").start();
-  let zipBuffer;
-  let gitInfo2 = { success: false };
-  if (srcFileStatus.isFile() && path9.extname(srcPath).toLowerCase() === ".fpr") {
-    zipBuffer = await repackFpr(srcPath);
-  } else {
-    gitInfo2 = await getGitInfo(srcPath);
-    zipBuffer = await pack(srcPath, vulnFiles, isIncludeAllFiles);
+  const extension = path9.extname(reportPath);
+  const filePath = path9.dirname(reportPath);
+  const fileName = path9.basename(reportPath, extension);
+  const checkmarxCommandArgs = getCheckmarxCommandArgs({
+    repoPath: repositoryRoot,
+    branch,
+    filePath,
+    fileName,
+    projectName
+  });
+  console.log("\u280B \u{1F50D} Initiating Checkmarx Scan ");
+  const { code: scanCode } = await forkCheckmarx(
+    [...SCAN_COMMAND, ...checkmarxCommandArgs],
+    {
+      display: true
+    }
+  );
+  if (scanCode !== CHECKMARX_SUCCESS_CODE) {
+    createSpinner2("\u{1F50D} Something went wrong with the checkmarx scan").start().error();
+    throw new CliError();
   }
-  zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
-  const uploadRepoSpinner = createSpinner4("\u{1F4C1} Uploading Repo").start();
-  try {
-    await uploadFile({
-      file: zipBuffer,
-      url: repoUploadInfo.url,
-      uploadFields: JSON.parse(repoUploadInfo.uploadFieldsJSON),
-      uploadKey: repoUploadInfo.uploadKey
-    });
-  } catch (e) {
-    uploadRepoSpinner.error({ text: "\u{1F4C1} Repo upload failed" });
-    throw e;
+  await createSpinner2("\u{1F50D} Checkmarx Scan completed").start().success();
+  return true;
+}
+async function throwCheckmarxConfigError() {
+  await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
+  throw new CliError(
+    `Checkmarx is not configued correctly
+ you can configure it by using the ${chalk5.bold(
+      "cx configure"
+    )} command`
+  );
+}
+async function validateCheckamxCredentials() {
+  console.log(`
+        Here's a suggestion for checkmarx configuation: 
+          ${chalk5.bold("AST Base URI:")} https://ast.checkmarx.net
+          ${chalk5.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
+  `);
+  await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
+  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    const tryAgain = await tryCheckmarxConfiguarationAgain();
+    if (!tryAgain) {
+      await throwCheckmarxConfigError();
+    }
+    await validateCheckamxCredentials();
+    return;
   }
-  uploadRepoSpinner.success({ text: "\u{1F4C1} Uploading Repo successful!" });
-  return { gitInfo: gitInfo2 };
+  await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
 }
-async function _digestReport({
-  gqlClient,
-  fixReportId,
-  projectId,
-  command,
-  ci,
-  repoUrl,
-  sha,
-  reference,
-  shouldScan,
-  polling
-}) {
-  const digestSpinner = createSpinner4(
-    progressMassages.processingVulnerabilityReport
-  ).start();
+
+// src/features/analysis/scanners/snyk.ts
+import { createRequire as createRequire2 } from "module";
+import chalk6 from "chalk";
+import Debug20 from "debug";
+import { createSpinner as createSpinner3 } from "nanospinner";
+import open2 from "open";
+var debug20 = Debug20("mobbdev:snyk");
+var moduleUrl2;
+if (typeof __filename !== "undefined") {
+  moduleUrl2 = __filename;
+} else {
   try {
-    const { vulnerabilityReportId } = await gqlClient.digestVulnerabilityReport(
-      {
-        fixReportId,
-        projectId,
-        scanSource: _getScanSource(command, ci),
-        repoUrl,
-        sha,
-        reference,
-        shouldScan
-      }
-    );
-    const callbackStates = [
-      "Digested" /* Digested */,
-      "Finished" /* Finished */
-    ];
-    const callback = (_analysisId) => digestSpinner.update({
-      text: progressMassages.processingVulnerabilityReportSuccess
-    });
-    if (polling) {
-      debug19(
-        "[_digestReport] Using POLLING mode for analysis state updates (--polling flag enabled)"
-      );
-      console.log(
-        chalk6.cyan(
-          "\u{1F504} [Polling Mode] Using HTTP polling instead of WebSocket for status updates"
-        )
-      );
-      await gqlClient.pollForAnalysisState({
-        analysisId: fixReportId,
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
-      });
+    const getImportMetaUrl = new Function("return import.meta.url");
+    moduleUrl2 = getImportMetaUrl();
+  } catch {
+    const err = new Error();
+    const stack = err.stack || "";
+    const match = stack.match(/file:\/\/[^\s)]+/);
+    if (match) {
+      moduleUrl2 = match[0];
     } else {
-      debug19(
-        "[_digestReport] Using WEBSOCKET mode for analysis state updates (default)"
-      );
-      console.log(
-        chalk6.cyan(
-          "\u{1F50C} [WebSocket Mode] Using WebSocket subscription for status updates"
-        )
-      );
-      await gqlClient.subscribeToAnalysis({
-        subscribeToAnalysisParams: {
-          analysisId: fixReportId
-        },
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
-      });
+      throw new Error("Unable to determine module URL in this environment");
     }
-    const vulnFiles = await gqlClient.getVulnerabilityReportPaths(
-      vulnerabilityReportId
-    );
-    digestSpinner.success({
-      text: progressMassages.processingVulnerabilityReportSuccess
-    });
-    return vulnFiles;
-  } catch (e) {
-    const errorMessage = e instanceof ReportDigestError ? e.getDisplayMessage() : ReportDigestError.defaultMessage;
-    digestSpinner.error({
-      text: errorMessage
-    });
-    throw e;
   }
 }
-async function waitForAnaysisAndReviewPr({
-  repo,
-  githubActionToken,
-  analysisId,
-  scanner,
-  gqlClient,
-  polling
-}) {
-  const params = z30.object({
-    repo: z30.string().url(),
-    githubActionToken: z30.string()
-  }).parse({ repo, githubActionToken });
-  const scm = await createScmLib(
-    {
-      url: params.repo,
-      accessToken: params.githubActionToken,
-      scmOrg: "",
-      scmType: "GITHUB" /* GITHUB */
-    },
-    {
-      propagateExceptions: true
+var costumeRequire2 = createRequire2(moduleUrl2);
+var SNYK_PATH = costumeRequire2.resolve("snyk/bin/snyk");
+var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-using-snyk/snyk-code/configure-snyk-code#enable-snyk-code";
+debug20("snyk executable path %s", SNYK_PATH);
+async function forkSnyk(args, { display }) {
+  debug20("fork snyk with args %o %s", args, display);
+  return createFork({ args, processPath: SNYK_PATH, name: "snyk" }, { display });
+}
+async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
+  debug20("get snyk report start %s %s", reportPath, repoRoot);
+  const config2 = await forkSnyk(["config"], { display: false });
+  const { message: configMessage } = config2;
+  if (!configMessage.includes("api: ")) {
+    const snykLoginSpinner = createSpinner3().start();
+    if (!skipPrompts) {
+      snykLoginSpinner.update({
+        text: "\u{1F513} Login to Snyk is required, press any key to continue"
+      });
+      await keypress();
     }
-  );
-  const callback = (analysisId2) => {
-    return addFixCommentsForPr({
-      analysisId: analysisId2,
-      gqlClient,
-      scm,
-      scanner: z30.nativeEnum(SCANNERS).parse(scanner)
-    });
-  };
-  if (polling) {
-    debug19(
-      "[waitForAnaysisAndReviewPr] Using POLLING mode for analysis state updates"
-    );
-    console.log(
-      chalk6.cyan(
-        "\u{1F504} [Polling Mode] Waiting for analysis completion using HTTP polling"
-      )
-    );
-    await gqlClient.pollForAnalysisState({
-      analysisId,
-      callback,
-      callbackStates: ["Finished" /* Finished */]
+    snykLoginSpinner.update({
+      text: "\u{1F513} Waiting for Snyk login to complete"
     });
-  } else {
-    debug19(
-      "[waitForAnaysisAndReviewPr] Using WEBSOCKET mode for analysis state updates"
-    );
+    debug20("no token in the config %s", config2);
+    await forkSnyk(["auth"], { display: true });
+    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
+  }
+  const snykSpinner = createSpinner3("\u{1F50D} Scanning your repo with Snyk ").start();
+  const { message: scanOutput } = await forkSnyk(
+    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
+    { display: true }
+  );
+  if (scanOutput.includes("Snyk Code is not supported for org")) {
+    debug20("snyk code is not enabled %s", scanOutput);
+    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
+    const answer = await snykArticlePrompt();
+    debug20("answer %s", answer);
+    if (answer) {
+      debug20("opening the browser");
+      await open2(SNYK_ARTICLE_URL);
+    }
     console.log(
-      chalk6.cyan(
-        "\u{1F50C} [WebSocket Mode] Waiting for analysis completion using WebSocket"
-      )
-    );
-    await gqlClient.subscribeToAnalysis({
-      subscribeToAnalysisParams: {
-        analysisId
-      },
-      callback,
-      callbackStates: ["Finished" /* Finished */]
-    });
+      chalk6.bgBlue(
+        "\nPlease enable Snyk Code in your Snyk account and try again."
+      )
+    );
+    throw Error("snyk is not enbabled");
   }
+  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
+  return true;
 }
 
-// src/commands/scan_skill_input.ts
-import fs11 from "fs";
-import path10 from "path";
-import AdmZip2 from "adm-zip";
-var LOCAL_SKILL_ZIP_DATA_URL_PREFIX = "data:application/zip;base64,";
-var MAX_LOCAL_SKILL_ARCHIVE_BYTES = 2 * 1024 * 1024;
-async function resolveSkillScanInput(skillInput) {
-  const resolvedPath = path10.resolve(skillInput);
-  if (!fs11.existsSync(resolvedPath)) {
-    return skillInput;
+// src/features/analysis/index.ts
+init_client_generates();
+var { CliError: CliError2, Spinner: Spinner2 } = utils_exports;
+function _getScanSource(command, ci) {
+  if (command === "review") return "AUTO_FIXER" /* AutoFixer */;
+  const envToCi = [
+    ["GITLAB_CI", "CI_GITLAB" /* CiGitlab */],
+    ["GITHUB_ACTIONS", "CI_GITHUB" /* CiGithub */],
+    ["JENKINS_URL", "CI_JENKINS" /* CiJenkins */],
+    ["CIRCLECI", "CI_CIRCLECI" /* CiCircleci */],
+    ["TF_BUILD", "CI_AZURE" /* CiAzure */],
+    ["bamboo_buildKey", "CI_BAMBOO" /* CiBamboo */]
+  ];
+  for (const [envKey, source] of envToCi) {
+    if (env2[envKey]) {
+      return source;
+    }
   }
-  const stat = fs11.statSync(resolvedPath);
-  if (!stat.isDirectory()) {
-    throw new CliError(
-      "Local skill input must be a directory containing SKILL.md"
-    );
+  if (ci) {
+    return "CI_UNKNOWN" /* CiUnknown */;
   }
-  return packageLocalSkillDirectory(resolvedPath);
+  return "CLI" /* Cli */;
 }
-function packageLocalSkillDirectory(directoryPath) {
-  const zip = new AdmZip2();
-  const rootPath = path10.resolve(directoryPath);
-  const filePaths = listDirectoryFiles(rootPath);
-  let hasSkillMd = false;
-  for (const relativePath of filePaths) {
-    const fullPath = path10.join(rootPath, relativePath);
-    const normalizedFullPath = path10.resolve(fullPath);
-    if (normalizedFullPath !== rootPath && !normalizedFullPath.startsWith(rootPath + path10.sep)) {
-      continue;
-    }
-    const fileContent = fs11.readFileSync(normalizedFullPath);
-    zip.addFile(relativePath, fileContent);
-    if (path10.basename(relativePath).toLowerCase() === "skill.md") {
-      hasSkillMd = true;
+async function downloadRepo({
+  repoUrl,
+  authHeaders,
+  downloadUrl,
+  dirname,
+  ci
+}) {
+  const { createSpinner: createSpinner5 } = Spinner2({ ci });
+  const repoSpinner = createSpinner5("\u{1F4BE} Downloading Repo").start();
+  debug21("download repo %s %s %s", repoUrl, dirname);
+  const zipFilePath = path10.join(dirname, "repo.zip");
+  debug21("download URL: %s auth headers: %o", downloadUrl, authHeaders);
+  const response = await fetch4(downloadUrl, {
+    method: "GET",
+    headers: {
+      ...authHeaders
     }
+  });
+  if (!response.ok) {
+    debug21("SCM zipball request failed %s %s", response.body, response.status);
+    repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
+    throw new Error(`Can't access ${chalk7.bold(repoUrl)}`);
   }
-  if (!hasSkillMd) {
-    throw new CliError("Local skill directory must contain a SKILL.md file");
+  const fileWriterStream = fs10.createWriteStream(zipFilePath);
+  if (!response.body) {
+    throw new Error("Response body is empty");
   }
-  const zipBuffer = zip.toBuffer();
-  if (zipBuffer.length > MAX_LOCAL_SKILL_ARCHIVE_BYTES) {
-    throw new CliError(
-      `Local skill directory is too large to scan via CLI (${zipBuffer.length} bytes > ${MAX_LOCAL_SKILL_ARCHIVE_BYTES} bytes)`
+  await pipeline(response.body, fileWriterStream);
+  await extract(zipFilePath, { dir: dirname });
+  const repoRoot = fs10.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
+  if (!repoRoot) {
+    throw new Error("Repo root not found");
+  }
+  debug21("repo root %s", repoRoot);
+  repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
+  return path10.join(dirname, repoRoot);
+}
+var getReportUrl = ({
+  organizationId,
+  projectId,
+  fixReportId
+}) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
+var debug21 = Debug21("mobbdev:index");
+async function runAnalysis(params, options) {
+  const tmpObj = tmp2.dirSync({
+    unsafeCleanup: true
+  });
+  try {
+    return await _scan(
+      {
+        ...params,
+        dirname: tmpObj.name
+      },
+      options
     );
+  } finally {
+    tmpObj.removeCallback();
   }
-  return `${LOCAL_SKILL_ZIP_DATA_URL_PREFIX}${zipBuffer.toString("base64")}`;
 }
-function listDirectoryFiles(rootPath) {
-  const files = [];
-  function walk(relativeDir) {
-    const absoluteDir = path10.join(rootPath, relativeDir);
-    const entries = fs11.readdirSync(absoluteDir, { withFileTypes: true }).sort((left, right) => left.name.localeCompare(right.name));
-    for (const entry of entries) {
-      const safeEntryName = path10.basename(entry.name).replace(/\0/g, "");
-      if (!safeEntryName) {
-        continue;
-      }
-      const relativePath = relativeDir ? path10.posix.join(relativeDir, safeEntryName) : safeEntryName;
-      const absolutePath = path10.join(rootPath, relativePath);
-      const normalizedAbsolutePath = path10.resolve(absolutePath);
-      if (normalizedAbsolutePath !== rootPath && !normalizedAbsolutePath.startsWith(rootPath + path10.sep)) {
-        continue;
-      }
-      if (entry.isSymbolicLink()) {
-        continue;
-      }
-      if (entry.isDirectory()) {
-        walk(relativePath);
-        continue;
-      }
-      if (entry.isFile()) {
-        files.push(relativePath);
+function _getUrlForScmType({
+  scmLibType
+}) {
+  const githubAuthUrl = `${WEB_APP_URL}/github-auth`;
+  const gitlabAuthUrl = `${WEB_APP_URL}/gitlab-auth`;
+  const adoAuthUrl = `${WEB_APP_URL}/ado-auth`;
+  switch (scmLibType) {
+    case "GITHUB" /* GITHUB */:
+      return {
+        authUrl: githubAuthUrl
+      };
+    case "GITLAB" /* GITLAB */:
+      return {
+        authUrl: gitlabAuthUrl
+      };
+    case "ADO" /* ADO */:
+      return {
+        authUrl: adoAuthUrl
+      };
+    default:
+      return {
+        authUrl: void 0
+      };
+  }
+}
+function getBrokerHosts(userOrgsAnUserOrgRoles) {
+  const brokerHosts = [];
+  if (!userOrgsAnUserOrgRoles) {
+    return brokerHosts;
+  }
+  userOrgsAnUserOrgRoles.forEach((org) => {
+    org?.organization?.brokerHosts.forEach((brokerHost) => {
+      if (brokerHost) {
+        brokerHosts.push(brokerHost);
       }
-    }
+    });
+  });
+  return brokerHosts;
+}
+async function getScmTokenInfo(params) {
+  const { gqlClient, repo } = params;
+  const userInfo2 = await gqlClient.getUserInfo();
+  if (!userInfo2) {
+    throw new Error("userInfo is null");
   }
-  walk("");
-  return files;
+  const scmConfigs = getFromArraySafe(userInfo2.scmConfigs);
+  return getScmConfig({
+    url: repo,
+    scmConfigs,
+    includeOrgTokens: false,
+    brokerHosts: getBrokerHosts(
+      userInfo2.userOrganizationsAndUserOrganizationRoles
+    )
+  });
 }
-
-// src/commands/index.ts
-async function review(params, { skipPrompts = true } = {}) {
+async function getReport(params, { skipPrompts }) {
   const {
-    repo,
-    f: scanFile,
-    ref,
-    apiKey,
-    commitHash,
-    mobbProjectName,
-    pullRequest,
-    githubToken,
     scanner,
-    srcPath,
-    polling
+    repoUrl,
+    gqlClient,
+    sha,
+    dirname,
+    reference,
+    cxProjectName,
+    ci
   } = params;
-  await runAnalysis(
-    {
-      repo,
-      scanFile,
-      ref,
-      apiKey,
-      ci: true,
-      commitHash,
-      experimentalEnabled: false,
-      mobbProjectName,
-      pullRequest,
-      githubToken,
-      scanner,
-      command: "review",
-      srcPath,
-      polling
-    },
-    { skipPrompts }
-  );
-}
-async function analyze({
-  repo,
-  f: scanFile,
-  ref,
-  apiKey,
-  ci,
-  commitHash,
-  srcPath,
-  mobbProjectName,
-  organizationId,
-  autoPr,
-  createOnePr,
-  commitDirectly,
-  pullRequest,
-  polling
-}, { skipPrompts = false } = {}) {
-  !ci && await showWelcomeMessage(skipPrompts);
-  await runAnalysis(
+  const tokenInfo = await getScmTokenInfo({ gqlClient, repo: repoUrl });
+  const scm = await createScmLib(
     {
-      repo,
-      scanFile,
-      ref,
-      apiKey,
-      ci,
-      commitHash,
-      mobbProjectName,
-      srcPath,
-      organizationId,
-      command: "analyze",
-      autoPr,
-      commitDirectly,
-      pullRequest,
-      createOnePr,
-      polling
+      url: repoUrl,
+      accessToken: tokenInfo.accessToken,
+      scmOrg: tokenInfo.scmOrg,
+      scmType: tokenInfo.scmLibType
     },
-    { skipPrompts }
+    { propagateExceptions: true }
   );
+  const downloadUrl = await scm.getDownloadUrl(sha);
+  const repositoryRoot = await downloadRepo({
+    repoUrl,
+    dirname,
+    ci,
+    authHeaders: scm.getAuthHeaders(),
+    downloadUrl
+  });
+  const reportPath = path10.join(dirname, REPORT_DEFAULT_FILE_NAME);
+  switch (scanner) {
+    case "snyk":
+      await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
+      break;
+    case "checkmarx":
+      if (!cxProjectName) {
+        throw new Error("cxProjectName is required for checkmarx scanner");
+      }
+      await getCheckmarxReport(
+        {
+          reportPath,
+          repositoryRoot,
+          branch: reference,
+          projectName: cxProjectName
+        },
+        { skipPrompts }
+      );
+      break;
+  }
+  return reportPath;
 }
-async function addScmToken(addScmTokenOptions) {
-  const { apiKey, token, organization, scmType, url, refreshToken, ci } = addScmTokenOptions;
+async function _scan(params, { skipPrompts = false } = {}) {
+  const {
+    dirname,
+    repo,
+    scanFile,
+    apiKey,
+    ci,
+    srcPath,
+    commitHash,
+    ref,
+    experimentalEnabled,
+    scanner,
+    cxProjectName,
+    mobbProjectName,
+    githubToken: githubActionToken,
+    command,
+    organizationId: userOrganizationId,
+    autoPr,
+    createOnePr,
+    commitDirectly,
+    pullRequest,
+    polling
+  } = params;
+  debug21("start %s %s", dirname, repo);
+  const { createSpinner: createSpinner5 } = Spinner2({ ci });
+  skipPrompts = skipPrompts || ci;
   const gqlClient = await getAuthenticatedGQLClient({
     inputApiKey: apiKey,
-    isSkipPrompts: ci
+    isSkipPrompts: skipPrompts
   });
-  if (!scmType) {
-    throw new CliError(errorMessages.invalidScmType);
+  if (!mobbProjectName) {
+    throw new Error("mobbProjectName is required");
   }
-  const resp = await gqlClient.updateScmToken({
-    scmType,
-    url,
-    token,
-    org: organization,
-    refreshToken
+  const { projectId, organizationId } = await gqlClient.getLastOrgAndNamedProject({
+    projectName: mobbProjectName,
+    userDefinedOrganizationId: userOrganizationId
   });
-  if (resp.updateScmToken?.__typename === "RepoUnreachableError") {
-    throw new CliError(
-      "Mobb could not reach the repository. Please try again. If Mobb is connected through a broker, please make sure the broker is connected."
-    );
-  } else if (resp.updateScmToken?.__typename === "BadScmCredentials") {
-    throw new CliError("Invalid SCM credentials. Please try again.");
-  } else if (resp.updateScmToken?.__typename === "ScmAccessTokenUpdateSuccess") {
-    console.log("Token added successfully");
-  } else {
-    throw new CliError("Unexpected error, failed to add token");
+  const {
+    uploadS3BucketInfo: { repoUploadInfo, reportUploadInfo }
+  } = await gqlClient.uploadS3BucketInfo();
+  if (!reportUploadInfo || !repoUploadInfo) {
+    throw new Error("uploadS3BucketInfo is null");
   }
-}
-async function scan(scanOptions, { skipPrompts = false } = {}) {
-  const { scanner, ci } = scanOptions;
-  !ci && await showWelcomeMessage(skipPrompts);
-  const selectedScanner = scanner || await choseScanner();
-  if (selectedScanner !== SCANNERS.Checkmarx && selectedScanner !== SCANNERS.Snyk) {
-    throw new CliError(
-      "Vulnerability scanning via Bugsy is available only with Snyk and Checkmarx at the moment. Additional scanners will follow soon."
-    );
+  let reportPath = scanFile;
+  if (srcPath) {
+    return await uploadExistingRepo();
   }
-  selectedScanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
-  if (selectedScanner === SCANNERS.Checkmarx && !scanOptions.cxProjectName) {
-    throw new CliError(errorMessages.missingCxProjectName);
+  if (!repo) {
+    throw new Error("repo is required in case srcPath is not provided");
   }
-  await runAnalysis(
-    { ...scanOptions, scanner: selectedScanner, command: "scan" },
-    { skipPrompts }
-  );
-}
-async function showWelcomeMessage(skipPrompts = false) {
-  console.log(mobbAscii);
-  const welcome = chalkAnimation.rainbow("\n			Welcome to Bugsy\n");
-  skipPrompts ? await sleep(100) : await sleep(2e3);
-  welcome.stop();
-}
-var VERDICT_COLORS = {
-  BENIGN: "green",
-  WARNING: "yellow",
-  SUSPICIOUS: "magenta",
-  MALICIOUS: "red"
-};
-var SEVERITY_COLORS = {
-  CRITICAL: "red",
-  HIGH: "magenta",
-  MEDIUM: "yellow",
-  LOW: "cyan"
-};
-async function scanSkill(options) {
-  const { url, apiKey, ci } = options;
-  const gqlClient = await getAuthenticatedGQLClient({
-    inputApiKey: apiKey,
-    isSkipPrompts: ci
+  const tokenInfo = await getScmTokenInfo({ gqlClient, repo });
+  const validateRes = await gqlClient.validateRepoUrl({ repoUrl: repo });
+  const isRepoAvailable = validateRes.validateRepoUrl?.__typename === "RepoValidationSuccess";
+  const cloudScmLibType = getCloudScmLibTypeFromUrl(repo);
+  const { authUrl: scmAuthUrl } = _getUrlForScmType({
+    scmLibType: cloudScmLibType
   });
-  console.log(chalk7.dim(`Scanning skill: ${url}`));
-  console.log();
-  const skillUrl = await resolveSkillScanInput(url);
-  const result = await gqlClient.scanSkill({ skillUrl });
-  const scan2 = result.scanSkill;
-  const verdictColor = VERDICT_COLORS[scan2.verdict] ?? "white";
-  console.log(
-    chalk7.bold(`Verdict: `) + chalk7[verdictColor](
-      scan2.verdict
-    )
-  );
-  console.log(`Skill: ${scan2.skillName}`);
-  if (scan2.skillVersion) {
-    console.log(`Version: ${scan2.skillVersion}`);
-  }
-  console.log(`Hash: ${scan2.skillHash ?? "N/A"}`);
-  console.log(`Findings: ${scan2.findingsCount}`);
-  console.log(`Duration: ${scan2.scanDurationMs}ms`);
-  if (scan2.cached) {
-    console.log(chalk7.dim("(cached result)"));
-  }
-  console.log();
-  if (scan2.findings.length > 0) {
-    console.log(chalk7.bold("Findings:"));
-    console.log();
-    for (const f of scan2.findings) {
-      const sevColor = SEVERITY_COLORS[f.severity] ?? "white";
-      const location = [f.filePath, f.lineNumber].filter(Boolean).join(":");
-      console.log(
-        `  ${chalk7[sevColor](f.severity)} [${f.layer}] ${f.category}${f.ruleId ? ` (${f.ruleId})` : ""}`
-      );
-      if (location) {
-        console.log(`    ${chalk7.dim(location)}`);
-      }
-      console.log(`    ${f.explanation}`);
-      if (f.evidence) {
-        console.log(
-          `    ${String(chalk7.dim("Evidence: " + f.evidence.slice(0, 120))).replace(/\n|\r/g, "")}`
+  if (!isRepoAvailable) {
+    if (ci || !cloudScmLibType || !scmAuthUrl) {
+      const errorMessage = scmAuthUrl ? `Cannot access repo ${repo}. Make sure that the repo is accessible and the SCM token configured on Mobb is correct.` : `Cannot access repo ${repo} with the provided token, please visit ${scmAuthUrl} to refresh your source control management system token`;
+      throw new Error(errorMessage);
+    }
+    if (cloudScmLibType && scmAuthUrl) {
+      await handleScmIntegration(tokenInfo.accessToken, scmAuthUrl, repo);
+      const repoValidationResponse = await gqlClient.validateRepoUrl({
+        repoUrl: repo
+      });
+      const isRepoAvailable2 = repoValidationResponse.validateRepoUrl?.__typename === "RepoValidationSuccess";
+      if (!isRepoAvailable2) {
+        throw new Error(
+          `Cannot access repo ${repo} with the provided credentials: ${repoValidationResponse.validateRepoUrl?.__typename}`
         );
       }
-      console.log();
     }
   }
-  if (scan2.summary) {
-    console.log(chalk7.bold("Analysis:"));
-    console.log(`  ${scan2.summary}`);
-    console.log();
-  }
-  if (scan2.verdict === "MALICIOUS" || scan2.verdict === "SUSPICIOUS") {
-    process.exit(2);
-  }
-}
-
-// src/args/validation.ts
-import chalk8 from "chalk";
-import path11 from "path";
-import { z as z31 } from "zod";
-function throwRepoUrlErrorMessage({
-  error,
-  repoUrl,
-  command
-}) {
-  const errorMessage = error.issues[error.issues.length - 1]?.message;
-  const formattedErrorMessage = `
-Error: ${chalk8.bold(
-    repoUrl
-  )} is ${errorMessage}
-Example: 
-	mobbdev ${command} -r ${chalk8.bold(
-    "https://github.com/WebGoat/WebGoat"
-  )}`;
-  throw new CliError(formattedErrorMessage);
-}
-var UrlZ = z31.string({
-  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
-});
-function validateOrganizationId(organizationId) {
-  const orgIdValidation = z31.string().uuid().nullish().safeParse(organizationId);
-  if (!orgIdValidation.success) {
-    throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
-  }
-}
-function validateRepoUrl(args) {
-  const repoSafeParseResult = UrlZ.safeParse(args.repo);
-  const { success } = repoSafeParseResult;
-  const [command] = args._;
-  if (!command) {
-    throw new CliError("Command not found");
+  const revalidateRes = await gqlClient.validateRepoUrl({ repoUrl: repo });
+  if (revalidateRes.validateRepoUrl?.__typename !== "RepoValidationSuccess") {
+    throw new Error(
+      `could not reach repo ${repo}: ${revalidateRes.validateRepoUrl?.__typename}`
+    );
   }
-  if (!success) {
-    throwRepoUrlErrorMessage({
-      error: repoSafeParseResult.error,
-      repoUrl: args.repo,
-      command
-    });
+  const reference = ref ?? revalidateRes.validateRepoUrl.defaultBranch;
+  const getReferenceDataRes = await gqlClient.getReferenceData({
+    reference,
+    repoUrl: repo
+  });
+  if (getReferenceDataRes.gitReference?.__typename !== "GitReferenceData") {
+    throw new Error(
+      `Could not get reference data for ${reference}: ${getReferenceDataRes.gitReference?.__typename}`
+    );
   }
-}
-var supportExtensions = [".json", ".xml", ".fpr", ".sarif", ".zip"];
-function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path11.extname(reportFile))) {
-    throw new CliError(
-      `
-${chalk8.bold(
-        reportFile
-      )} is not a supported file extension. Supported extensions are: ${chalk8.bold(
-        supportExtensions.join(", ")
-      )}
-`
+  const { sha } = getReferenceDataRes.gitReference;
+  debug21("project id %s", projectId);
+  debug21("default branch %s", reference);
+  if (command === "scan") {
+    reportPath = await getReport(
+      {
+        scanner: SupportedScannersZ.parse(scanner),
+        repoUrl: repo,
+        sha,
+        gqlClient,
+        cxProjectName,
+        dirname,
+        reference,
+        ci
+      },
+      { skipPrompts }
     );
   }
-}
-
-// src/args/commands/analyze.ts
-function analyzeBuilder(yargs2) {
-  return yargs2.option("f", {
-    alias: "scan-file",
-    type: "string",
-    describe: chalk9.bold(
-      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
-    )
-  }).option("repo", repoOption).option("p", {
-    alias: "src-path",
-    describe: chalk9.bold(
-      "Path to the repository folder with the source code; alternatively, you can specify the Fortify FPR file to extract source code out of it"
-    ),
-    type: "string"
-  }).option("ref", refOption).option("ch", {
-    alias: "commit-hash",
-    describe: chalk9.bold("Hash of the commit"),
-    type: "string"
-  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).option("create-one-pr", createOnePrOption).option("commit-directly", commitDirectlyOption).option("pull-request", {
-    alias: ["pr", "pr-number", "pr-id"],
-    describe: chalk9.bold("Number of the pull request"),
-    type: "number",
-    demandOption: false
-  }).option("polling", pollingOption).example(
-    "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
-    "analyze an existing repository"
-  ).help();
-}
-function validateAnalyzeOptions(argv) {
-  if (argv.f && !fs12.existsSync(argv.f)) {
-    throw new CliError(`
-Can't access ${chalk9.bold(argv.f)}`);
+  const shouldScan = !reportPath;
+  const uploadReportSpinner = createSpinner5("\u{1F4C1} Uploading Report").start();
+  try {
+    if (reportPath) {
+      await uploadFile({
+        file: reportPath,
+        url: reportUploadInfo.url,
+        uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
+        uploadKey: reportUploadInfo.uploadKey
+      });
+    }
+  } catch (e) {
+    uploadReportSpinner.error({ text: "\u{1F4C1} Report upload failed" });
+    throw e;
   }
-  validateOrganizationId(argv.organizationId);
-  if (!argv.srcPath && !argv.repo) {
-    throw new CliError("You must supply either --src-path or --repo");
+  await _digestReport({
+    gqlClient,
+    fixReportId: reportUploadInfo.fixReportId,
+    projectId,
+    command,
+    ci,
+    repoUrl: repo,
+    sha,
+    reference,
+    shouldScan,
+    polling
+  });
+  uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
+  const mobbSpinner = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
+  const sendReportRes = await sendReport({
+    gqlClient,
+    spinner: mobbSpinner,
+    submitVulnerabilityReportVariables: {
+      fixReportId: reportUploadInfo.fixReportId,
+      repoUrl: z31.string().parse(repo),
+      reference,
+      projectId,
+      vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
+      sha,
+      experimentalEnabled: !!experimentalEnabled,
+      pullRequest: params.pullRequest,
+      scanSource: _getScanSource(command, ci),
+      scanContext: ScanContext.BUGSY
+    },
+    polling
+  });
+  if (sendReportRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
+    mobbSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
+    throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
   }
-  if (!argv.srcPath && argv.repo) {
-    validateRepoUrl(argv);
+  mobbSpinner.success({
+    text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
+  });
+  if (autoPr) {
+    await handleAutoPr({
+      gqlClient,
+      analysisId: reportUploadInfo.fixReportId,
+      commitDirectly,
+      prId: pullRequest,
+      createSpinner: createSpinner5,
+      createOnePr,
+      polling
+    });
   }
-  if (argv.ci && !argv.apiKey) {
-    throw new CliError("--ci flag requires --api-key to be provided as well");
+  await askToOpenAnalysis();
+  if (command === "review") {
+    await waitForAnaysisAndReviewPr({
+      repo,
+      githubActionToken,
+      analysisId: reportUploadInfo.fixReportId,
+      scanner,
+      gqlClient,
+      polling
+    });
   }
-  if (argv.commitDirectly && !argv["auto-pr"]) {
-    throw new CliError(
-      "--commit-directly flag requires --auto-pr to be provided as well"
+  return reportUploadInfo.fixReportId;
+  async function askToOpenAnalysis() {
+    if (!repoUploadInfo || !reportUploadInfo) {
+      throw new Error("uploadS3BucketInfo is null");
+    }
+    const reportUrl = getReportUrl({
+      organizationId,
+      projectId,
+      fixReportId: reportUploadInfo.fixReportId
+    });
+    !ci && console.log("You can access the analysis at: \n");
+    console.log(chalk7.bold(reportUrl));
+    !skipPrompts && await mobbAnalysisPrompt();
+    !ci && open3(reportUrl);
+    !ci && console.log(
+      chalk7.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
     );
   }
-  if (argv["create-one-pr"] && !argv["auto-pr"]) {
-    throw new CliError(
-      "--create-one-pr flag requires --auto-pr to be provided as well"
+  async function handleScmIntegration(oldToken, scmAuthUrl2, repoUrl) {
+    const scmLibType = getCloudScmLibTypeFromUrl(repoUrl);
+    const scmName = scmLibType === "GITHUB" /* GITHUB */ ? "Github" : scmLibType === "GITLAB" /* GITLAB */ ? "Gitlab" : scmLibType === "ADO" /* ADO */ ? "Azure DevOps" : "";
+    const addScmIntegration = skipPrompts ? true : await scmIntegrationPrompt(scmName);
+    const scmSpinner = createSpinner5(
+      `\u{1F517} Waiting for ${scmName} integration...`
+    ).start();
+    if (!addScmIntegration) {
+      scmSpinner.error();
+      throw Error(`Could not reach ${scmName} repo`);
+    }
+    console.log(
+      `If the page does not open automatically, kindly access it through ${scmAuthUrl2}.`
     );
+    await open3(scmAuthUrl2);
+    for (let i = 0; i < LOGIN_MAX_WAIT2 / LOGIN_CHECK_DELAY2; i++) {
+      const userInfo2 = await gqlClient.getUserInfo();
+      if (!userInfo2) {
+        throw new CliError2("User info not found");
+      }
+      const scmConfigs = getFromArraySafe(userInfo2.scmConfigs);
+      const tokenInfo2 = getScmConfig({
+        url: repoUrl,
+        scmConfigs,
+        brokerHosts: getBrokerHosts(
+          userInfo2.userOrganizationsAndUserOrganizationRoles
+        ),
+        includeOrgTokens: false
+      });
+      if (tokenInfo2.accessToken && tokenInfo2.accessToken !== oldToken) {
+        scmSpinner.success({ text: `\u{1F517} ${scmName} integration successful!` });
+        return tokenInfo2.accessToken;
+      }
+      scmSpinner.spin();
+      await sleep(LOGIN_CHECK_DELAY2);
+    }
+    scmSpinner.error({
+      text: `${scmName} login timeout error`
+    });
+    throw new CliError2(`${scmName} login timeout`);
   }
-  if (argv["create-one-pr"] && argv.commitDirectly) {
-    throw new CliError(
-      "--create-one-pr and --commit-directly cannot be provided at the same time"
-    );
+  async function uploadExistingRepo() {
+    if (!repoUploadInfo || !reportUploadInfo) {
+      throw new Error("uploadS3BucketInfo is null");
+    }
+    if (!srcPath) {
+      throw new Error("src path is required");
+    }
+    const shouldScan2 = !reportPath;
+    if (reportPath) {
+      const uploadReportSpinner2 = createSpinner5("\u{1F4C1} Uploading Report").start();
+      try {
+        await uploadFile({
+          file: reportPath,
+          url: reportUploadInfo.url,
+          uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
+          uploadKey: reportUploadInfo.uploadKey
+        });
+      } catch (e) {
+        uploadReportSpinner2.error({ text: "\u{1F4C1} Report upload failed" });
+        throw e;
+      }
+      uploadReportSpinner2.success({
+        text: "\u{1F4C1} Uploading Report successful!"
+      });
+    }
+    let gitInfo2 = { success: false };
+    if (reportPath) {
+      const vulnFiles = await _digestReport({
+        gqlClient,
+        fixReportId: reportUploadInfo.fixReportId,
+        projectId,
+        command,
+        ci,
+        shouldScan: shouldScan2,
+        polling
+      });
+      const res = await _zipAndUploadRepo({
+        srcPath,
+        vulnFiles,
+        repoUploadInfo,
+        isIncludeAllFiles: false
+      });
+      gitInfo2 = res.gitInfo;
+    } else {
+      const res = await _zipAndUploadRepo({
+        srcPath,
+        vulnFiles: [],
+        repoUploadInfo,
+        isIncludeAllFiles: true
+      });
+      gitInfo2 = res.gitInfo;
+      await _digestReport({
+        gqlClient,
+        fixReportId: reportUploadInfo.fixReportId,
+        projectId,
+        command,
+        ci,
+        shouldScan: shouldScan2,
+        polling
+      });
+    }
+    const mobbSpinner2 = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
+    try {
+      await sendReport({
+        gqlClient,
+        spinner: mobbSpinner2,
+        submitVulnerabilityReportVariables: {
+          fixReportId: reportUploadInfo.fixReportId,
+          projectId,
+          repoUrl: repo || gitInfo2.repoUrl || getTopLevelDirName(srcPath),
+          reference: ref || gitInfo2.reference || "no-branch",
+          sha: commitHash || gitInfo2.hash || "0123456789abcdef",
+          scanSource: _getScanSource(command, ci),
+          pullRequest: params.pullRequest,
+          experimentalEnabled: !!experimentalEnabled,
+          scanContext: ScanContext.BUGSY
+        },
+        polling
+      });
+      if (command === "review") {
+        await waitForAnaysisAndReviewPr({
+          repo,
+          githubActionToken,
+          analysisId: reportUploadInfo.fixReportId,
+          scanner,
+          gqlClient,
+          polling
+        });
+      }
+    } catch (e) {
+      mobbSpinner2.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
+      throw e;
+    }
+    mobbSpinner2.success({
+      text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
+    });
+    if (autoPr) {
+      await handleAutoPr({
+        gqlClient,
+        analysisId: reportUploadInfo.fixReportId,
+        commitDirectly,
+        prId: pullRequest,
+        createSpinner: createSpinner5,
+        createOnePr,
+        polling
+      });
+    }
+    await askToOpenAnalysis();
+    return reportUploadInfo.fixReportId;
   }
-  if (argv.pullRequest && !argv.commitDirectly) {
-    throw new CliError(
-      "--pull-request flag requires --commit-directly to be provided as well"
-    );
+}
+async function _zipAndUploadRepo({
+  srcPath,
+  vulnFiles,
+  repoUploadInfo,
+  isIncludeAllFiles
+}) {
+  const srcFileStatus = await fsPromises3.lstat(srcPath);
+  const zippingSpinner = createSpinner4("\u{1F4E6} Zipping repo").start();
+  let zipBuffer;
+  let gitInfo2 = { success: false };
+  if (srcFileStatus.isFile() && path10.extname(srcPath).toLowerCase() === ".fpr") {
+    zipBuffer = await repackFpr(srcPath);
+  } else {
+    gitInfo2 = await getGitInfo(srcPath);
+    zipBuffer = await pack(srcPath, vulnFiles, isIncludeAllFiles);
   }
-  if (argv.f) {
-    validateReportFileFormat(argv.f);
+  zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
+  const uploadRepoSpinner = createSpinner4("\u{1F4C1} Uploading Repo").start();
+  try {
+    await uploadFile({
+      file: zipBuffer,
+      url: repoUploadInfo.url,
+      uploadFields: JSON.parse(repoUploadInfo.uploadFieldsJSON),
+      uploadKey: repoUploadInfo.uploadKey
+    });
+  } catch (e) {
+    uploadRepoSpinner.error({ text: "\u{1F4C1} Repo upload failed" });
+    throw e;
   }
+  uploadRepoSpinner.success({ text: "\u{1F4C1} Uploading Repo successful!" });
+  return { gitInfo: gitInfo2 };
 }
-async function analyzeHandler(args) {
-  validateAnalyzeOptions(args);
-  await analyze(args, { skipPrompts: args.yes });
-}
-
-// src/features/claude_code/data_collector.ts
-import { z as z33 } from "zod";
-
-// src/args/commands/upload_ai_blame.ts
-import fsPromises3 from "fs/promises";
-import * as os3 from "os";
-import path12 from "path";
-import chalk10 from "chalk";
-import { withFile } from "tmp-promise";
-import z32 from "zod";
-init_client_generates();
-init_GitService();
-init_urlParser2();
-
-// src/utils/computerName.ts
-import { execSync } from "child_process";
-import os2 from "os";
-var STABLE_COMPUTER_NAME_CONFIG_KEY = "stableComputerName";
-var HOSTNAME_SUFFIXES = [
-  // Cloud providers (must be first - most specific)
-  ".ec2.internal",
-  ".compute.internal",
-  ".cloudapp.net",
-  // mDNS/Bonjour
-  ".local",
-  ".localhost",
-  ".localdomain",
-  // Home networks
-  ".lan",
-  ".home",
-  ".homelan",
-  // Corporate networks
-  ".corp",
-  ".internal",
-  ".intranet",
-  ".domain",
-  ".work",
-  ".office",
-  // Container environments
-  ".docker",
-  ".kubernetes",
-  ".k8s"
-];
-function getOsSpecificComputerName() {
-  const platform2 = os2.platform();
+async function _digestReport({
+  gqlClient,
+  fixReportId,
+  projectId,
+  command,
+  ci,
+  repoUrl,
+  sha,
+  reference,
+  shouldScan,
+  polling
+}) {
+  const digestSpinner = createSpinner4(
+    progressMassages.processingVulnerabilityReport
+  ).start();
   try {
-    if (platform2 === "darwin") {
-      const result = execSync("scutil --get LocalHostName", {
-        encoding: "utf-8",
-        timeout: 1e3
+    const { vulnerabilityReportId } = await gqlClient.digestVulnerabilityReport(
+      {
+        fixReportId,
+        projectId,
+        scanSource: _getScanSource(command, ci),
+        repoUrl,
+        sha,
+        reference,
+        shouldScan
+      }
+    );
+    const callbackStates = [
+      "Digested" /* Digested */,
+      "Finished" /* Finished */
+    ];
+    const callback = (_analysisId) => digestSpinner.update({
+      text: progressMassages.processingVulnerabilityReportSuccess
+    });
+    if (polling) {
+      debug21(
+        "[_digestReport] Using POLLING mode for analysis state updates (--polling flag enabled)"
+      );
+      console.log(
+        chalk7.cyan(
+          "\u{1F504} [Polling Mode] Using HTTP polling instead of WebSocket for status updates"
+        )
+      );
+      await gqlClient.pollForAnalysisState({
+        analysisId: fixReportId,
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
       });
-      return result.trim();
-    } else if (platform2 === "win32") {
-      return process.env["COMPUTERNAME"] || null;
     } else {
-      try {
-        const result2 = execSync("hostnamectl --static", {
-          encoding: "utf-8",
-          timeout: 1e3
-        });
-        const hostname = result2.trim();
-        if (hostname) return hostname;
-      } catch {
-      }
-      const result = execSync("cat /etc/hostname", {
-        encoding: "utf-8",
-        timeout: 1e3
+      debug21(
+        "[_digestReport] Using WEBSOCKET mode for analysis state updates (default)"
+      );
+      console.log(
+        chalk7.cyan(
+          "\u{1F50C} [WebSocket Mode] Using WebSocket subscription for status updates"
+        )
+      );
+      await gqlClient.subscribeToAnalysis({
+        subscribeToAnalysisParams: {
+          analysisId: fixReportId
+        },
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
       });
-      return result.trim();
     }
-  } catch (error) {
-    return null;
+    const vulnFiles = await gqlClient.getVulnerabilityReportPaths(
+      vulnerabilityReportId
+    );
+    digestSpinner.success({
+      text: progressMassages.processingVulnerabilityReportSuccess
+    });
+    return vulnFiles;
+  } catch (e) {
+    const errorMessage = e instanceof ReportDigestError ? e.getDisplayMessage() : ReportDigestError.defaultMessage;
+    digestSpinner.error({
+      text: errorMessage
+    });
+    throw e;
+  }
+}
+async function waitForAnaysisAndReviewPr({
+  repo,
+  githubActionToken,
+  analysisId,
+  scanner,
+  gqlClient,
+  polling
+}) {
+  const params = z31.object({
+    repo: z31.string().url(),
+    githubActionToken: z31.string()
+  }).parse({ repo, githubActionToken });
+  const scm = await createScmLib(
+    {
+      url: params.repo,
+      accessToken: params.githubActionToken,
+      scmOrg: "",
+      scmType: "GITHUB" /* GITHUB */
+    },
+    {
+      propagateExceptions: true
+    }
+  );
+  const callback = (analysisId2) => {
+    return addFixCommentsForPr({
+      analysisId: analysisId2,
+      gqlClient,
+      scm,
+      scanner: z31.nativeEnum(SCANNERS).parse(scanner)
+    });
+  };
+  if (polling) {
+    debug21(
+      "[waitForAnaysisAndReviewPr] Using POLLING mode for analysis state updates"
+    );
+    console.log(
+      chalk7.cyan(
+        "\u{1F504} [Polling Mode] Waiting for analysis completion using HTTP polling"
+      )
+    );
+    await gqlClient.pollForAnalysisState({
+      analysisId,
+      callback,
+      callbackStates: ["Finished" /* Finished */]
+    });
+  } else {
+    debug21(
+      "[waitForAnaysisAndReviewPr] Using WEBSOCKET mode for analysis state updates"
+    );
+    console.log(
+      chalk7.cyan(
+        "\u{1F50C} [WebSocket Mode] Waiting for analysis completion using WebSocket"
+      )
+    );
+    await gqlClient.subscribeToAnalysis({
+      subscribeToAnalysisParams: {
+        analysisId
+      },
+      callback,
+      callbackStates: ["Finished" /* Finished */]
+    });
   }
 }
-function stripHostnameSuffixes(hostname) {
-  if (!hostname) return hostname;
-  let normalized = hostname;
-  for (const suffix of HOSTNAME_SUFFIXES) {
-    if (normalized.endsWith(suffix)) {
-      normalized = normalized.slice(0, -suffix.length);
-      break;
-    }
+
+// src/commands/scan_skill_input.ts
+import fs11 from "fs";
+import path11 from "path";
+import AdmZip2 from "adm-zip";
+var LOCAL_SKILL_ZIP_DATA_URL_PREFIX = "data:application/zip;base64,";
+var MAX_LOCAL_SKILL_ARCHIVE_BYTES = 2 * 1024 * 1024;
+async function resolveSkillScanInput(skillInput) {
+  const resolvedPath = path11.resolve(skillInput);
+  if (!fs11.existsSync(resolvedPath)) {
+    return skillInput;
   }
-  return normalized;
+  const stat = fs11.statSync(resolvedPath);
+  if (!stat.isDirectory()) {
+    throw new CliError(
+      "Local skill input must be a directory containing SKILL.md"
+    );
+  }
+  return packageLocalSkillDirectory(resolvedPath);
 }
-function generateStableComputerName() {
-  const osSpecificName = getOsSpecificComputerName();
-  if (osSpecificName) {
-    return osSpecificName;
+function packageLocalSkillDirectory(directoryPath) {
+  const zip = new AdmZip2();
+  const rootPath = path11.resolve(directoryPath);
+  const filePaths = listDirectoryFiles(rootPath);
+  let hasSkillMd = false;
+  for (const relativePath of filePaths) {
+    const fullPath = path11.join(rootPath, relativePath);
+    const normalizedFullPath = path11.resolve(fullPath);
+    if (normalizedFullPath !== rootPath && !normalizedFullPath.startsWith(rootPath + path11.sep)) {
+      continue;
+    }
+    const fileContent = fs11.readFileSync(normalizedFullPath);
+    zip.addFile(relativePath, fileContent);
+    if (path11.basename(relativePath).toLowerCase() === "skill.md") {
+      hasSkillMd = true;
+    }
   }
-  const currentHostname = os2.hostname();
-  return stripHostnameSuffixes(currentHostname);
+  if (!hasSkillMd) {
+    throw new CliError("Local skill directory must contain a SKILL.md file");
+  }
+  const zipBuffer = zip.toBuffer();
+  if (zipBuffer.length > MAX_LOCAL_SKILL_ARCHIVE_BYTES) {
+    throw new CliError(
+      `Local skill directory is too large to scan via CLI (${zipBuffer.length} bytes > ${MAX_LOCAL_SKILL_ARCHIVE_BYTES} bytes)`
+    );
+  }
+  return `${LOCAL_SKILL_ZIP_DATA_URL_PREFIX}${zipBuffer.toString("base64")}`;
 }
-function getStableComputerName() {
-  const cached = configStore.get(STABLE_COMPUTER_NAME_CONFIG_KEY);
-  if (cached) {
-    return cached;
+function listDirectoryFiles(rootPath) {
+  const files = [];
+  function walk(relativeDir) {
+    const absoluteDir = path11.join(rootPath, relativeDir);
+    const entries = fs11.readdirSync(absoluteDir, { withFileTypes: true }).sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+      const safeEntryName = path11.basename(entry.name).replace(/\0/g, "");
+      if (!safeEntryName) {
+        continue;
+      }
+      const relativePath = relativeDir ? path11.posix.join(relativeDir, safeEntryName) : safeEntryName;
+      const absolutePath = path11.join(rootPath, relativePath);
+      const normalizedAbsolutePath = path11.resolve(absolutePath);
+      if (normalizedAbsolutePath !== rootPath && !normalizedAbsolutePath.startsWith(rootPath + path11.sep)) {
+        continue;
+      }
+      if (entry.isSymbolicLink()) {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        walk(relativePath);
+        continue;
+      }
+      if (entry.isFile()) {
+        files.push(relativePath);
+      }
+    }
   }
-  const currentName = generateStableComputerName();
-  configStore.set(STABLE_COMPUTER_NAME_CONFIG_KEY, currentName);
-  return currentName;
+  walk("");
+  return files;
 }
 
-// src/utils/sanitize-sensitive-data.ts
-import { OpenRedaction } from "@openredaction/openredaction";
-var openRedaction = new OpenRedaction({
-  patterns: [
-    // Core Personal Data
-    // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
-    // Prefer false negatives over false positives for this use case.
-    "SSN",
-    "NATIONAL_INSURANCE_UK",
-    "DATE_OF_BIRTH",
-    // Identity Documents
-    "PASSPORT_UK",
-    "PASSPORT_US",
-    "PASSPORT_MRZ_TD1",
-    "PASSPORT_MRZ_TD3",
-    "DRIVING_LICENSE_UK",
-    "DRIVING_LICENSE_US",
-    "VISA_NUMBER",
-    "VISA_MRZ",
-    "TAX_ID",
-    // Financial Data (removed SWIFT_BIC, CARD_AUTH_CODE - too broad, causing false positives with authentication words)
-    // Removed CREDIT_CARD - causes false positives on zero-filled UUIDs (e.g. '00000000-0000-0000-0000-000000000000')
-    // Prefer false negatives over false positives for this use case.
-    "IBAN",
-    "BANK_ACCOUNT_UK",
-    "ROUTING_NUMBER_US",
-    "CARD_TRACK1_DATA",
-    "CARD_TRACK2_DATA",
-    "CARD_EXPIRY",
-    // Cryptocurrency (removed BITCOIN_ADDRESS - too broad, matches hash-like strings)
-    "ETHEREUM_ADDRESS",
-    "LITECOIN_ADDRESS",
-    "CARDANO_ADDRESS",
-    "SOLANA_ADDRESS",
-    "MONERO_ADDRESS",
-    "RIPPLE_ADDRESS",
-    // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
-    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
-    "NHS_NUMBER",
-    "AUSTRALIAN_MEDICARE",
-    "HEALTH_PLAN_NUMBER",
-    "PATIENT_ID",
-    // Communications (removed EMERGENCY_CONTACT, ADDRESS_PO_BOX, ZIP_CODE_US, PHONE_US, PHONE_INTERNATIONAL - too broad, causing false positives)
-    "PHONE_UK",
-    "PHONE_UK_MOBILE",
-    "PHONE_LINE_NUMBER",
-    "ADDRESS_STREET",
-    "POSTCODE_UK",
-    // Network & Technical
-    "IPV4",
-    "IPV6",
-    "MAC_ADDRESS",
-    "URL_WITH_AUTH",
-    // Security Keys & Tokens
-    "PRIVATE_KEY",
-    "SSH_PRIVATE_KEY",
-    "AWS_SECRET_KEY",
-    "AWS_ACCESS_KEY",
-    "AZURE_STORAGE_KEY",
-    "GCP_SERVICE_ACCOUNT",
-    "JWT_TOKEN",
-    "OAUTH_TOKEN",
-    "OAUTH_CLIENT_SECRET",
-    "BEARER_TOKEN",
-    "PAYMENT_TOKEN",
-    "GENERIC_SECRET",
-    "GENERIC_API_KEY",
-    // Platform-Specific API Keys
-    "GITHUB_TOKEN",
-    "SLACK_TOKEN",
-    "STRIPE_API_KEY",
-    "GOOGLE_API_KEY",
-    "FIREBASE_API_KEY",
-    "HEROKU_API_KEY",
-    "MAILGUN_API_KEY",
-    "SENDGRID_API_KEY",
-    "TWILIO_API_KEY",
-    "NPM_TOKEN",
-    "PYPI_TOKEN",
-    "DOCKER_AUTH",
-    "KUBERNETES_SECRET",
-    // Government & Legal
-    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
-    "POLICE_REPORT_NUMBER",
-    "IMMIGRATION_NUMBER",
-    "COURT_REPORTER_LICENSE"
-  ]
-});
-function maskString(str, showStart = 2, showEnd = 2) {
-  if (str.length <= showStart + showEnd) {
-    return "*".repeat(str.length);
+// src/commands/index.ts
+async function review(params, { skipPrompts = true } = {}) {
+  const {
+    repo,
+    f: scanFile,
+    ref,
+    apiKey,
+    commitHash,
+    mobbProjectName,
+    pullRequest,
+    githubToken,
+    scanner,
+    srcPath,
+    polling
+  } = params;
+  await runAnalysis(
+    {
+      repo,
+      scanFile,
+      ref,
+      apiKey,
+      ci: true,
+      commitHash,
+      experimentalEnabled: false,
+      mobbProjectName,
+      pullRequest,
+      githubToken,
+      scanner,
+      command: "review",
+      srcPath,
+      polling
+    },
+    { skipPrompts }
+  );
+}
+async function analyze({
+  repo,
+  f: scanFile,
+  ref,
+  apiKey,
+  ci,
+  commitHash,
+  srcPath,
+  mobbProjectName,
+  organizationId,
+  autoPr,
+  createOnePr,
+  commitDirectly,
+  pullRequest,
+  polling
+}, { skipPrompts = false } = {}) {
+  !ci && await showWelcomeMessage(skipPrompts);
+  await runAnalysis(
+    {
+      repo,
+      scanFile,
+      ref,
+      apiKey,
+      ci,
+      commitHash,
+      mobbProjectName,
+      srcPath,
+      organizationId,
+      command: "analyze",
+      autoPr,
+      commitDirectly,
+      pullRequest,
+      createOnePr,
+      polling
+    },
+    { skipPrompts }
+  );
+}
+async function addScmToken(addScmTokenOptions) {
+  const { apiKey, token, organization, scmType, url, refreshToken, ci } = addScmTokenOptions;
+  const gqlClient = await getAuthenticatedGQLClient({
+    inputApiKey: apiKey,
+    isSkipPrompts: ci
+  });
+  if (!scmType) {
+    throw new CliError(errorMessages.invalidScmType);
+  }
+  const resp = await gqlClient.updateScmToken({
+    scmType,
+    url,
+    token,
+    org: organization,
+    refreshToken
+  });
+  if (resp.updateScmToken?.__typename === "RepoUnreachableError") {
+    throw new CliError(
+      "Mobb could not reach the repository. Please try again. If Mobb is connected through a broker, please make sure the broker is connected."
+    );
+  } else if (resp.updateScmToken?.__typename === "BadScmCredentials") {
+    throw new CliError("Invalid SCM credentials. Please try again.");
+  } else if (resp.updateScmToken?.__typename === "ScmAccessTokenUpdateSuccess") {
+    console.log("Token added successfully");
+  } else {
+    throw new CliError("Unexpected error, failed to add token");
   }
-  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
 }
-async function sanitizeDataWithCounts(obj) {
-  const counts = {
-    detections: { total: 0, high: 0, medium: 0, low: 0 }
-  };
-  const sanitizeString = async (str) => {
-    let result = str;
-    const piiDetections = openRedaction.scan(str);
-    if (piiDetections && piiDetections.total > 0) {
-      const allDetections = [
-        ...piiDetections.high,
-        ...piiDetections.medium,
-        ...piiDetections.low
-      ];
-      for (const detection of allDetections) {
-        counts.detections.total++;
-        if (detection.severity === "high") counts.detections.high++;
-        else if (detection.severity === "medium") counts.detections.medium++;
-        else if (detection.severity === "low") counts.detections.low++;
-        const masked = maskString(detection.value);
-        result = result.replaceAll(detection.value, masked);
+async function scan(scanOptions, { skipPrompts = false } = {}) {
+  const { scanner, ci } = scanOptions;
+  !ci && await showWelcomeMessage(skipPrompts);
+  const selectedScanner = scanner || await choseScanner();
+  if (selectedScanner !== SCANNERS.Checkmarx && selectedScanner !== SCANNERS.Snyk) {
+    throw new CliError(
+      "Vulnerability scanning via Bugsy is available only with Snyk and Checkmarx at the moment. Additional scanners will follow soon."
+    );
+  }
+  selectedScanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
+  if (selectedScanner === SCANNERS.Checkmarx && !scanOptions.cxProjectName) {
+    throw new CliError(errorMessages.missingCxProjectName);
+  }
+  await runAnalysis(
+    { ...scanOptions, scanner: selectedScanner, command: "scan" },
+    { skipPrompts }
+  );
+}
+async function showWelcomeMessage(skipPrompts = false) {
+  console.log(mobbAscii);
+  const welcome = chalkAnimation.rainbow("\n			Welcome to Bugsy\n");
+  skipPrompts ? await sleep(100) : await sleep(2e3);
+  welcome.stop();
+}
+var VERDICT_COLORS = {
+  BENIGN: "green",
+  WARNING: "yellow",
+  SUSPICIOUS: "magenta",
+  MALICIOUS: "red"
+};
+var SEVERITY_COLORS = {
+  CRITICAL: "red",
+  HIGH: "magenta",
+  MEDIUM: "yellow",
+  LOW: "cyan"
+};
+async function scanSkill(options) {
+  const { url, apiKey, ci } = options;
+  const gqlClient = await getAuthenticatedGQLClient({
+    inputApiKey: apiKey,
+    isSkipPrompts: ci
+  });
+  console.log(chalk8.dim(`Scanning skill: ${url}`));
+  console.log();
+  const skillUrl = await resolveSkillScanInput(url);
+  const result = await gqlClient.scanSkill({ skillUrl });
+  const scan2 = result.scanSkill;
+  const verdictColor = VERDICT_COLORS[scan2.verdict] ?? "white";
+  console.log(
+    chalk8.bold(`Verdict: `) + chalk8[verdictColor](
+      scan2.verdict
+    )
+  );
+  console.log(`Skill: ${scan2.skillName}`);
+  if (scan2.skillVersion) {
+    console.log(`Version: ${scan2.skillVersion}`);
+  }
+  console.log(`Hash: ${scan2.skillHash ?? "N/A"}`);
+  console.log(`Findings: ${scan2.findingsCount}`);
+  console.log(`Duration: ${scan2.scanDurationMs}ms`);
+  if (scan2.cached) {
+    console.log(chalk8.dim("(cached result)"));
+  }
+  console.log();
+  if (scan2.findings.length > 0) {
+    console.log(chalk8.bold("Findings:"));
+    console.log();
+    for (const f of scan2.findings) {
+      const sevColor = SEVERITY_COLORS[f.severity] ?? "white";
+      const location = [f.filePath, f.lineNumber].filter(Boolean).join(":");
+      console.log(
+        `  ${chalk8[sevColor](f.severity)} [${f.layer}] ${f.category}${f.ruleId ? ` (${f.ruleId})` : ""}`
+      );
+      if (location) {
+        console.log(`    ${chalk8.dim(location)}`);
       }
-    }
-    return result;
-  };
-  const sanitizeRecursive = async (data) => {
-    if (typeof data === "string") {
-      return sanitizeString(data);
-    } else if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => sanitizeRecursive(item)));
-    } else if (data instanceof Error) {
-      return data;
-    } else if (data instanceof Date) {
-      return data;
-    } else if (typeof data === "object" && data !== null) {
-      const sanitized = {};
-      const record = data;
-      for (const key in record) {
-        if (Object.prototype.hasOwnProperty.call(record, key)) {
-          sanitized[key] = await sanitizeRecursive(record[key]);
-        }
+      console.log(`    ${f.explanation}`);
+      if (f.evidence) {
+        console.log(
+          `    ${String(chalk8.dim("Evidence: " + f.evidence.slice(0, 120))).replace(/\n|\r/g, "")}`
+        );
       }
-      return sanitized;
+      console.log();
     }
-    return data;
-  };
-  const sanitizedData = await sanitizeRecursive(obj);
-  return { sanitizedData, counts };
+  }
+  if (scan2.summary) {
+    console.log(chalk8.bold("Analysis:"));
+    console.log(`  ${scan2.summary}`);
+    console.log();
+  }
+  if (scan2.verdict === "MALICIOUS" || scan2.verdict === "SUSPICIOUS") {
+    process.exit(2);
+  }
 }
 
-// src/args/commands/upload_ai_blame.ts
-var defaultLogger2 = {
-  info: (msg, data) => {
-    if (data !== void 0) {
-      console.log(msg, data);
-    } else {
-      console.log(msg);
-    }
-  },
-  error: (msg, data) => {
-    if (data !== void 0) {
-      console.error(msg, data);
-    } else {
-      console.error(msg);
-    }
-  }
-};
-var PromptItemZ = z32.object({
-  type: z32.enum([
-    "USER_PROMPT",
-    "AI_RESPONSE",
-    "TOOL_EXECUTION",
-    "AI_THINKING",
-    "MCP_TOOL_CALL"
-    // MCP (Model Context Protocol) tool invocation
-  ]),
-  attachedFiles: z32.array(
-    z32.object({
-      relativePath: z32.string(),
-      startLine: z32.number().optional()
-    })
-  ).optional(),
-  tokens: z32.object({
-    inputCount: z32.number(),
-    outputCount: z32.number()
-  }).optional(),
-  text: z32.string().optional(),
-  date: z32.date().optional(),
-  tool: z32.object({
-    name: z32.string(),
-    parameters: z32.string(),
-    result: z32.string(),
-    rawArguments: z32.string().optional(),
-    accepted: z32.boolean().optional(),
-    // MCP-specific fields (only populated for MCP_TOOL_CALL type)
-    mcpServer: z32.string().optional(),
-    // MCP server name (e.g., "datadog", "mobb-mcp")
-    mcpToolName: z32.string().optional()
-    // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
-  }).optional()
+// src/args/validation.ts
+import chalk9 from "chalk";
+import path12 from "path";
+import { z as z32 } from "zod";
+function throwRepoUrlErrorMessage({
+  error,
+  repoUrl,
+  command
+}) {
+  const errorMessage = error.issues[error.issues.length - 1]?.message;
+  const formattedErrorMessage = `
+Error: ${chalk9.bold(
+    repoUrl
+  )} is ${errorMessage}
+Example: 
+	mobbdev ${command} -r ${chalk9.bold(
+    "https://github.com/WebGoat/WebGoat"
+  )}`;
+  throw new CliError(formattedErrorMessage);
+}
+var UrlZ = z32.string({
+  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
 });
-var PromptItemArrayZ = z32.array(PromptItemZ);
-async function getRepositoryUrl() {
-  try {
-    const gitService = new GitService(process.cwd());
-    const isRepo = await gitService.isGitRepository();
-    if (!isRepo) {
-      return null;
-    }
-    const remoteUrl = await gitService.getRemoteUrl();
-    const parsed = parseScmURL(remoteUrl);
-    return parsed?.scmType === "GitHub" /* GitHub */ || parsed?.scmType === "GitLab" /* GitLab */ ? remoteUrl : null;
-  } catch {
-    return null;
+function validateOrganizationId(organizationId) {
+  const orgIdValidation = z32.string().uuid().nullish().safeParse(organizationId);
+  if (!orgIdValidation.success) {
+    throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
   }
 }
-function getSystemInfo() {
-  let userName;
-  try {
-    userName = os3.userInfo().username;
-  } catch {
-    userName = void 0;
+function validateRepoUrl(args) {
+  const repoSafeParseResult = UrlZ.safeParse(args.repo);
+  const { success } = repoSafeParseResult;
+  const [command] = args._;
+  if (!command) {
+    throw new CliError("Command not found");
+  }
+  if (!success) {
+    throwRepoUrlErrorMessage({
+      error: repoSafeParseResult.error,
+      repoUrl: args.repo,
+      command
+    });
   }
-  return {
-    computerName: getStableComputerName(),
-    userName
-  };
 }
-function uploadAiBlameBuilder(args) {
-  return args.option("prompt", {
-    type: "string",
-    array: true,
-    demandOption: true,
-    describe: chalk10.bold("Path(s) to prompt artifact(s) (one per session)")
-  }).option("inference", {
-    type: "string",
-    array: true,
-    demandOption: true,
-    describe: chalk10.bold(
-      "Path(s) to inference artifact(s) (one per session)"
-    )
-  }).option("ai-response-at", {
+var supportExtensions = [".json", ".xml", ".fpr", ".sarif", ".zip"];
+function validateReportFileFormat(reportFile) {
+  if (!supportExtensions.includes(path12.extname(reportFile))) {
+    throw new CliError(
+      `
+${chalk9.bold(
+        reportFile
+      )} is not a supported file extension. Supported extensions are: ${chalk9.bold(
+        supportExtensions.join(", ")
+      )}
+`
+    );
+  }
+}
+
+// src/args/commands/analyze.ts
+function analyzeBuilder(yargs2) {
+  return yargs2.option("f", {
+    alias: "scan-file",
     type: "string",
-    array: true,
     describe: chalk10.bold(
-      "ISO timestamp(s) for AI response (one per session, defaults to now)"
+      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
     )
-  }).option("model", {
-    type: "string",
-    array: true,
-    describe: chalk10.bold("AI model name(s) (optional, one per session)")
-  }).option("tool-name", {
-    type: "string",
-    array: true,
-    describe: chalk10.bold("Tool/IDE name(s) (optional, one per session)")
-  }).option("blame-type", {
-    type: "string",
-    array: true,
-    choices: Object.values(AiBlameInferenceType),
+  }).option("repo", repoOption).option("p", {
+    alias: "src-path",
     describe: chalk10.bold(
-      "Blame type(s) (optional, one per session, defaults to CHAT)"
-    )
-  }).strict();
-}
-async function uploadAiBlameHandlerFromExtension(args) {
-  const uploadArgs = {
-    prompt: [],
-    inference: [],
-    model: [],
-    toolName: [],
-    aiResponseAt: [],
-    blameType: [],
-    sessionId: []
-  };
-  let promptsCounts;
-  let inferenceCounts;
-  let promptsUUID;
-  let inferenceUUID;
-  await withFile(async (promptFile) => {
-    const promptsResult = await sanitizeDataWithCounts(args.prompts);
-    promptsCounts = promptsResult.counts;
-    promptsUUID = path12.basename(promptFile.path, path12.extname(promptFile.path));
-    await fsPromises3.writeFile(
-      promptFile.path,
-      JSON.stringify(promptsResult.sanitizedData, null, 2),
-      "utf-8"
-    );
-    uploadArgs.prompt.push(promptFile.path);
-    await withFile(async (inferenceFile) => {
-      const inferenceResult = await sanitizeDataWithCounts(args.inference);
-      inferenceCounts = inferenceResult.counts;
-      inferenceUUID = path12.basename(
-        inferenceFile.path,
-        path12.extname(inferenceFile.path)
-      );
-      await fsPromises3.writeFile(
-        inferenceFile.path,
-        inferenceResult.sanitizedData,
-        "utf-8"
-      );
-      uploadArgs.inference.push(inferenceFile.path);
-      uploadArgs.model.push(args.model);
-      uploadArgs.toolName.push(args.tool);
-      uploadArgs.aiResponseAt.push(args.responseTime);
-      uploadArgs.blameType.push(args.blameType || "CHAT" /* Chat */);
-      if (args.sessionId) {
-        uploadArgs.sessionId.push(args.sessionId);
-      }
-      await uploadAiBlameHandler({
-        args: uploadArgs,
-        exitOnError: false,
-        apiUrl: args.apiUrl,
-        webAppUrl: args.webAppUrl,
-        repositoryUrl: args.repositoryUrl
-      });
-    });
-  });
-  return {
-    promptsCounts,
-    inferenceCounts,
-    promptsUUID,
-    inferenceUUID
-  };
+      "Path to the repository folder with the source code; alternatively, you can specify the Fortify FPR file to extract source code out of it"
+    ),
+    type: "string"
+  }).option("ref", refOption).option("ch", {
+    alias: "commit-hash",
+    describe: chalk10.bold("Hash of the commit"),
+    type: "string"
+  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).option("create-one-pr", createOnePrOption).option("commit-directly", commitDirectlyOption).option("pull-request", {
+    alias: ["pr", "pr-number", "pr-id"],
+    describe: chalk10.bold("Number of the pull request"),
+    type: "number",
+    demandOption: false
+  }).option("polling", pollingOption).example(
+    "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
+    "analyze an existing repository"
+  ).help();
 }
-async function uploadAiBlameHandler(options) {
-  const {
-    args,
-    exitOnError = true,
-    apiUrl,
-    webAppUrl,
-    logger: logger2 = defaultLogger2
-  } = options;
-  const prompts = args.prompt || [];
-  const inferences = args.inference || [];
-  const models = args.model || [];
-  const tools = args.toolName || args["tool-name"] || [];
-  const responseTimes = args.aiResponseAt || args["ai-response-at"] || [];
-  const blameTypes = args.blameType || args["blame-type"] || [];
-  const sessionIds = args.sessionId || args["session-id"] || [];
-  if (prompts.length !== inferences.length) {
-    const errorMsg = "prompt and inference must have the same number of entries";
-    logger2.error(chalk10.red(errorMsg));
-    if (exitOnError) {
-      process.exit(1);
-    }
-    throw new Error(errorMsg);
+function validateAnalyzeOptions(argv) {
+  if (argv.f && !fs12.existsSync(argv.f)) {
+    throw new CliError(`
+Can't access ${chalk10.bold(argv.f)}`);
   }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  const { computerName, userName } = getSystemInfo();
-  const repositoryUrl = options.repositoryUrl !== void 0 ? options.repositoryUrl : await getRepositoryUrl();
-  const sessions = [];
-  for (let i = 0; i < prompts.length; i++) {
-    const promptPath = String(prompts[i]);
-    const inferencePath = String(inferences[i]);
-    try {
-      await Promise.all([
-        fsPromises3.access(promptPath),
-        fsPromises3.access(inferencePath)
-      ]);
-    } catch {
-      const errorMsg = `File not found for session ${i + 1}`;
-      logger2.error(chalk10.red(errorMsg));
-      if (exitOnError) {
-        process.exit(1);
-      }
-      throw new Error(errorMsg);
-    }
-    sessions.push({
-      promptFileName: path12.basename(promptPath),
-      inferenceFileName: path12.basename(inferencePath),
-      aiResponseAt: responseTimes[i] || nowIso,
-      model: models[i],
-      toolName: tools[i],
-      blameType: blameTypes[i] || "CHAT" /* Chat */,
-      computerName,
-      userName,
-      sessionId: sessionIds[i],
-      repositoryUrl
-    });
+  validateOrganizationId(argv.organizationId);
+  if (!argv.srcPath && !argv.repo) {
+    throw new CliError("You must supply either --src-path or --repo");
   }
-  const authenticatedClient = await getAuthenticatedGQLClient({
-    isSkipPrompts: true,
-    apiUrl,
-    webAppUrl
-  });
-  const initSessions = sessions.map(
-    ({ sessionId: _sessionId, ...rest }) => rest
-  );
-  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
-    sessions: initSessions
-  });
-  const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
-  if (uploadSessions.length !== sessions.length) {
-    const errorMsg = "Init failed to return expected number of sessions";
-    logger2.error(chalk10.red(errorMsg));
-    if (exitOnError) {
-      process.exit(1);
-    }
-    throw new Error(errorMsg);
+  if (!argv.srcPath && argv.repo) {
+    validateRepoUrl(argv);
   }
-  for (let i = 0; i < uploadSessions.length; i++) {
-    const us = uploadSessions[i];
-    const promptPath = String(prompts[i]);
-    const inferencePath = String(inferences[i]);
-    await Promise.all([
-      // Prompt
-      uploadFile({
-        file: promptPath,
-        url: us.prompt.url,
-        uploadFields: JSON.parse(us.prompt.uploadFieldsJSON),
-        uploadKey: us.prompt.uploadKey
-      }),
-      // Inference
-      uploadFile({
-        file: inferencePath,
-        url: us.inference.url,
-        uploadFields: JSON.parse(us.inference.uploadFieldsJSON),
-        uploadKey: us.inference.uploadKey
-      })
-    ]);
+  if (argv.ci && !argv.apiKey) {
+    throw new CliError("--ci flag requires --api-key to be provided as well");
   }
-  const finalizeSessions = uploadSessions.map((us, i) => {
-    const s = sessions[i];
-    return {
-      aiBlameInferenceId: us.aiBlameInferenceId,
-      promptKey: us.prompt.uploadKey,
-      inferenceKey: us.inference.uploadKey,
-      aiResponseAt: s.aiResponseAt,
-      model: s.model,
-      toolName: s.toolName,
-      blameType: s.blameType,
-      computerName: s.computerName,
-      userName: s.userName,
-      sessionId: s.sessionId,
-      repositoryUrl: s.repositoryUrl
-    };
-  });
-  try {
-    logger2.info(
-      `[UPLOAD] Calling finalizeAIBlameInferencesUploadRaw with ${finalizeSessions.length} sessions`
+  if (argv.commitDirectly && !argv["auto-pr"]) {
+    throw new CliError(
+      "--commit-directly flag requires --auto-pr to be provided as well"
     );
-    const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw(
-      {
-        sessions: finalizeSessions
-      }
+  }
+  if (argv["create-one-pr"] && !argv["auto-pr"]) {
+    throw new CliError(
+      "--create-one-pr flag requires --auto-pr to be provided as well"
     );
-    logger2.info("[UPLOAD] Finalize response:", JSON.stringify(finRes, null, 2));
-    const status = finRes?.finalizeAIBlameInferencesUpload?.status;
-    if (status !== "OK") {
-      const errorMsg = finRes?.finalizeAIBlameInferencesUpload?.error || "unknown error";
-      logger2.error(
-        chalk10.red(
-          `[UPLOAD] Finalize failed with status: ${status}, error: ${errorMsg}`
-        )
-      );
-      if (exitOnError) {
-        process.exit(1);
-      }
-      throw new Error(errorMsg);
-    }
-    logger2.info(chalk10.green("[UPLOAD] AI Blame uploads finalized successfully"));
-  } catch (error) {
-    logger2.error("[UPLOAD] Finalize threw error:", error);
-    throw error;
+  }
+  if (argv["create-one-pr"] && argv.commitDirectly) {
+    throw new CliError(
+      "--create-one-pr and --commit-directly cannot be provided at the same time"
+    );
+  }
+  if (argv.pullRequest && !argv.commitDirectly) {
+    throw new CliError(
+      "--pull-request flag requires --commit-directly to be provided as well"
+    );
+  }
+  if (argv.f) {
+    validateReportFileFormat(argv.f);
   }
 }
-async function uploadAiBlameCommandHandler(args) {
-  await uploadAiBlameHandler({ args });
+async function analyzeHandler(args) {
+  validateAnalyzeOptions(args);
+  await analyze(args, { skipPrompts: args.yes });
 }
 
 // src/features/claude_code/data_collector.ts
+import { z as z33 } from "zod";
 init_client_generates();
 init_GitService();
 init_urlParser2();
@@ -24636,7 +24719,7 @@ async function processChat(client, cascadeId) {
   let repositoryUrl;
   if (repoOrigin) {
     const parsed = parseScmURL(repoOrigin);
-    if (parsed?.scmType === "GitHub" /* GitHub */) {
+    if (parsed?.scmType === "GitHub" /* GitHub */ || parsed?.scmType === "GitLab" /* GitLab */) {
       repositoryUrl = parsed.canonicalUrl;
     }
   }
@@ -24937,13 +25020,13 @@ var parseArgs = async (args) => {
 };
 
 // src/index.ts
-var debug20 = Debug20("mobbdev:index");
+var debug22 = Debug22("mobbdev:index");
 async function run() {
   return parseArgs(hideBin(process.argv));
 }
 (async () => {
   try {
-    debug20("Bugsy CLI v%s running...", packageJson.version);
+    debug22("Bugsy CLI v%s running...", packageJson.version);
     await run();
     process.exit(0);
   } catch (err) {