mobbdev 1.2.33 → 1.2.35

package/dist/index.mjs

@@ -73,6 +73,12 @@ function getSdk(client, withWrapper = defaultWrapper) {
     FinalizeAIBlameInferencesUpload(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: FinalizeAiBlameInferencesUploadDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "FinalizeAIBlameInferencesUpload", "mutation", variables);
     },
+    UploadTracyRecords(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: UploadTracyRecordsDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "UploadTracyRecords", "mutation", variables);
+    },
+    GetTracyRawDataUploadUrls(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetTracyRawDataUploadUrlsDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetTracyRawDataUploadUrls", "mutation", variables);
+    },
     DigestVulnerabilityReport(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: DigestVulnerabilityReportDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "DigestVulnerabilityReport", "mutation", variables);
     },
@@ -126,7 +132,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlsDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -962,6 +968,28 @@ var init_client_generates = __esm({
     status
     error
   }
+}
+    `;
+    UploadTracyRecordsDocument = `
+    mutation UploadTracyRecords($records: [TracyRecordInput!]!) {
+  uploadTracyRecords(records: $records) {
+    status
+    error
+  }
+}
+    `;
+    GetTracyRawDataUploadUrlsDocument = `
+    mutation GetTracyRawDataUploadUrls($recordIds: [String!]!) {
+  getTracyRawDataUploadUrls(recordIds: $recordIds) {
+    status
+    error
+    uploads {
+      recordId
+      url
+      uploadFieldsJSON
+      uploadKey
+    }
+  }
 }
     `;
     DigestVulnerabilityReportDocument = `
@@ -2276,20 +2304,20 @@ function computeCanonicalUrl(data) {
   } = data;
   switch (scmType) {
     case "GitHub" /* GitHub */:
-      return `https://${hostname}/${organization}/${repoName}`;
+      return `https://${hostname}/${organization.toLowerCase()}/${repoName.toLowerCase()}`;
     case "GitLab" /* GitLab */:
-      return `https://${hostname}/${projectPath}`;
+      return `https://${hostname}/${projectPath.toLowerCase()}`;
     case "Bitbucket" /* Bitbucket */:
-      return `https://${hostname}/${organization}/${repoName}`;
+      return `https://${hostname}/${organization.toLowerCase()}/${repoName.toLowerCase()}`;
     case "Ado" /* Ado */: {
       const adoHostname = hostname === "ssh.dev.azure.com" ? "dev.azure.com" : hostname;
       if (projectName) {
-        return `https://${adoHostname}/${organization}/${projectName}/_git/${repoName}`;
+        return `https://${adoHostname}/${organization.toLowerCase()}/${projectName.toLowerCase()}/_git/${repoName.toLowerCase()}`;
       }
-      return `https://${adoHostname}/${organization}/_git/${repoName}`;
+      return `https://${adoHostname}/${organization.toLowerCase()}/_git/${repoName.toLowerCase()}`;
     }
     default:
-      return `https://${hostname}/${projectPath}`;
+      return `https://${hostname}/${projectPath.toLowerCase()}`;
   }
 }
 function detectAdoUrl(args) {
@@ -4126,7 +4154,7 @@ ${rootContent}`;
 });
 
 // src/index.ts
-import Debug20 from "debug";
+import Debug22 from "debug";
 import { hideBin } from "yargs/helpers";
 
 // src/args/yargs.ts
@@ -11700,39 +11728,40 @@ var ScanContext = {
 
 // src/args/commands/analyze.ts
 import fs12 from "fs";
-import chalk9 from "chalk";
+import chalk10 from "chalk";
 
 // src/commands/index.ts
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 import chalkAnimation from "chalk-animation";
 
 // src/features/analysis/index.ts
 import fs10 from "fs";
-import fsPromises2 from "fs/promises";
-import path9 from "path";
+import fsPromises3 from "fs/promises";
+import path10 from "path";
 import { env as env2 } from "process";
 import { pipeline } from "stream/promises";
-import chalk6 from "chalk";
-import Debug19 from "debug";
+import chalk7 from "chalk";
+import Debug21 from "debug";
 import extract from "extract-zip";
 import { createSpinner as createSpinner4 } from "nanospinner";
 import fetch4 from "node-fetch";
 import open3 from "open";
 import tmp2 from "tmp";
-import { z as z30 } from "zod";
+import { z as z31 } from "zod";
 
 // src/commands/handleMobbLogin.ts
-import chalk3 from "chalk";
-import Debug7 from "debug";
+import chalk4 from "chalk";
+import Debug10 from "debug";
 
 // src/commands/AuthManager.ts
 import crypto from "crypto";
-import os from "os";
+import os3 from "os";
+import Debug9 from "debug";
 import open from "open";
 
 // src/features/analysis/graphql/gql.ts
 import Debug6 from "debug";
-import { GraphQLClient } from "graphql-request";
+import { ClientError, GraphQLClient } from "graphql-request";
 import { v4 as uuidv4 } from "uuid";
 
 // src/mcp/core/Errors.ts
@@ -11847,8 +11876,7 @@ function getProxyAgent(url) {
     const isHttps = parsedUrl.protocol === "https:";
     const proxy = isHttps ? getHttpProxy() : isHttp ? getHttpProxyOnly() : null;
     if (proxy) {
-      debug6("Using proxy %s", proxy);
-      debug6("Proxy agent %o", proxy);
+      debug6("Using proxy %s for %s", proxy, url);
       return new HttpsProxyAgent(proxy);
     }
   } catch (err) {
@@ -12069,6 +12097,19 @@ var GetVulByNodesMetadataZ = z26.object({
 
 // src/features/analysis/graphql/gql.ts
 var debug7 = Debug6("mobbdev:gql");
+function isAuthError(error) {
+  if (error instanceof ClientError) {
+    const gqlErrors = error.response?.errors;
+    return gqlErrors?.some(
+      (e) => e.extensions?.["code"] === "access-denied" || e.message?.includes("Authentication hook unauthorized")
+    ) ?? false;
+  }
+  return false;
+}
+function isNetworkError(error) {
+  const errorString = error?.toString() ?? "";
+  return errorString.includes("FetchError") || errorString.includes("TypeError") || errorString.includes("ECONNREFUSED") || errorString.includes("ENOTFOUND") || errorString.includes("ETIMEDOUT") || errorString.includes("UND_ERR");
+}
 var API_KEY_HEADER_NAME = "x-mobb-key";
 var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
 var GQLClient = class {
@@ -12128,23 +12169,35 @@ var GQLClient = class {
     try {
       await this.getUserInfo();
     } catch (e) {
-      if (e?.toString().startsWith("FetchError")) {
-        debug7("verify connection failed %o", e);
+      if (isNetworkError(e)) {
+        debug7("verify connection failed (network error) %o", e);
         return false;
       }
+      debug7("verify connection: endpoint reachable but request failed %o", e);
     }
     return true;
   }
   async validateUserToken() {
-    await this.createCommunityUser();
-    let info;
     try {
-      info = await this.getUserInfo();
+      await this.createCommunityUser();
+      const info = await this.getUserInfo();
+      if (!info) {
+        debug7("verify token failed - no user info returned");
+        return false;
+      }
+      return info.email || true;
     } catch (e) {
-      debug7("verify token failed %o", e);
-      return false;
+      if (isAuthError(e)) {
+        debug7("verify token failed - auth error %o", e);
+        return false;
+      }
+      if (isNetworkError(e)) {
+        debug7("verify token failed - network error, rethrowing %o", e);
+        throw e;
+      }
+      debug7("verify token failed - unexpected error, rethrowing %o", e);
+      throw e;
     }
-    return info?.email || true;
   }
   async getLastOrgAndNamedProject(params) {
     const me = await this.getUserInfo();
@@ -12500,6 +12553,12 @@ var GQLClient = class {
   async finalizeAIBlameInferencesUploadRaw(variables) {
     return await this._clientSdk.FinalizeAIBlameInferencesUpload(variables);
   }
+  async uploadTracyRecords(variables) {
+    return await this._clientSdk.UploadTracyRecords(variables);
+  }
+  async getTracyRawDataUploadUrls(variables) {
+    return await this._clientSdk.GetTracyRawDataUploadUrls(variables);
+  }
   async analyzeCommitForExtensionAIBlame(variables) {
     return await this._clientSdk.AnalyzeCommitForExtensionAIBlame(variables);
   }
@@ -12517,38 +12576,76 @@ var GQLClient = class {
   }
 };
 
-// src/mcp/services/types.ts
-function detectIDE() {
-  const env3 = process.env;
-  if (env3["CURSOR_TRACE_ID"] || env3["CURSOR_SESSION_ID"]) return "cursor";
-  if (env3["WINDSURF_IPC_HOOK"] || env3["WINDSURF_PID"]) return "windsurf";
-  if (env3["CLAUDE_DESKTOP"] || env3["ANTHROPIC_CLAUDE"]) return "claude";
-  if (env3["WEBSTORM_VM_OPTIONS"] || env3["IDEA_VM_OPTIONS"] || env3["JETBRAINS_IDE"])
-    return "webstorm";
-  if (env3["VSCODE_IPC_HOOK"] || env3["VSCODE_PID"]) return "vscode";
-  const termProgram = env3["TERM_PROGRAM"]?.toLowerCase();
-  if (termProgram === "windsurf") return "windsurf";
-  if (termProgram === "vscode") return "vscode";
-  return void 0;
-}
-function createMcpLoginContext(trigger) {
-  return {
-    trigger,
-    source: "mcp",
-    ide: detectIDE()
-  };
-}
-function buildLoginUrl(baseUrl, loginId, hostname, context) {
-  const url = new URL(`${baseUrl}/${loginId}`);
-  url.searchParams.set("hostname", hostname);
-  url.searchParams.set("trigger", context.trigger);
-  url.searchParams.set("source", context.source);
-  if (context.ide) {
-    url.searchParams.set("ide", context.ide);
+// src/features/analysis/graphql/tracy-batch-upload.ts
+import { promisify } from "util";
+import { gzip } from "zlib";
+import Debug8 from "debug";
+
+// src/args/commands/upload_ai_blame.ts
+import fsPromises2 from "fs/promises";
+import * as os2 from "os";
+import path7 from "path";
+import chalk3 from "chalk";
+import { withFile } from "tmp-promise";
+import z27 from "zod";
+init_client_generates();
+init_GitService();
+init_urlParser2();
+
+// src/features/analysis/upload-file.ts
+import Debug7 from "debug";
+import fetch3, { File, fileFrom, FormData } from "node-fetch";
+var debug8 = Debug7("mobbdev:upload-file");
+async function uploadFile({
+  file,
+  url,
+  uploadKey,
+  uploadFields,
+  logger: logger2
+}) {
+  const logInfo2 = logger2 || ((_message, _data) => {
+  });
+  logInfo2(`FileUpload: upload file start ${url}`);
+  logInfo2(`FileUpload: upload fields`, uploadFields);
+  logInfo2(`FileUpload: upload key ${uploadKey}`);
+  debug8("upload file start %s", url);
+  debug8("upload fields %o", uploadFields);
+  debug8("upload key %s", uploadKey);
+  const form = new FormData();
+  Object.entries(uploadFields).forEach(([key, value]) => {
+    form.append(key, value);
+  });
+  if (!form.has("key")) {
+    form.append("key", uploadKey);
   }
-  return url.toString();
+  if (typeof file === "string") {
+    debug8("upload file from path %s", file);
+    logInfo2(`FileUpload: upload file from path ${file}`);
+    form.append("file", await fileFrom(file));
+  } else {
+    debug8("upload file from buffer");
+    logInfo2(`FileUpload: upload file from buffer`);
+    form.append("file", new File([new Uint8Array(file)], "file"));
+  }
+  const agent = getProxyAgent(url);
+  const response = await fetch3(url, {
+    method: "POST",
+    body: form,
+    agent
+  });
+  if (!response.ok) {
+    debug8("error from S3 %s %s", response.body, response.status);
+    logInfo2(`FileUpload: error from S3 ${response.body} ${response.status}`);
+    throw new Error(`Failed to upload the file: ${response.status}`);
+  }
+  debug8("upload file done");
+  logInfo2(`FileUpload: upload file done`);
 }
 
+// src/utils/computerName.ts
+import { execSync } from "child_process";
+import os from "os";
+
 // src/utils/ConfigStoreService.ts
 import Configstore from "configstore";
 function createConfigStore(defaultValues = { apiToken: "" }) {
@@ -12568,339 +12665,941 @@ function getConfigStore() {
 }
 var configStore = getConfigStore();
 
-// src/commands/AuthManager.ts
-var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY = 5 * 1e3;
-var AuthManager = class {
-  constructor(webAppUrl, apiUrl) {
-    __publicField(this, "publicKey");
-    __publicField(this, "privateKey");
-    __publicField(this, "loginId");
-    __publicField(this, "gqlClient");
-    __publicField(this, "currentBrowserUrl");
-    __publicField(this, "authenticated", null);
-    __publicField(this, "resolvedWebAppUrl");
-    __publicField(this, "resolvedApiUrl");
-    this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
-    this.resolvedApiUrl = apiUrl || API_URL;
-  }
-  openUrlInBrowser() {
-    if (this.currentBrowserUrl) {
-      open(this.currentBrowserUrl);
-      return true;
-    }
-    return false;
-  }
-  async waitForAuthentication() {
-    let newApiToken = null;
-    for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
-      newApiToken = await this.getApiToken();
-      if (newApiToken) {
-        break;
+// src/utils/computerName.ts
+var STABLE_COMPUTER_NAME_CONFIG_KEY = "stableComputerName";
+var HOSTNAME_SUFFIXES = [
+  // Cloud providers (must be first - most specific)
+  ".ec2.internal",
+  ".compute.internal",
+  ".cloudapp.net",
+  // mDNS/Bonjour
+  ".local",
+  ".localhost",
+  ".localdomain",
+  // Home networks
+  ".lan",
+  ".home",
+  ".homelan",
+  // Corporate networks
+  ".corp",
+  ".internal",
+  ".intranet",
+  ".domain",
+  ".work",
+  ".office",
+  // Container environments
+  ".docker",
+  ".kubernetes",
+  ".k8s"
+];
+function getOsSpecificComputerName() {
+  const platform2 = os.platform();
+  try {
+    if (platform2 === "darwin") {
+      const result = execSync("scutil --get LocalHostName", {
+        encoding: "utf-8",
+        timeout: 1e3
+      });
+      return result.trim();
+    } else if (platform2 === "win32") {
+      return process.env["COMPUTERNAME"] || null;
+    } else {
+      try {
+        const result2 = execSync("hostnamectl --static", {
+          encoding: "utf-8",
+          timeout: 1e3
+        });
+        const hostname = result2.trim();
+        if (hostname) return hostname;
+      } catch {
       }
-      await sleep(LOGIN_CHECK_DELAY);
-    }
-    if (!newApiToken) {
-      return false;
-    }
-    this.gqlClient = new GQLClient({
-      apiKey: newApiToken,
-      type: "apiKey",
-      apiUrl: this.resolvedApiUrl
-    });
-    const loginSuccess = await this.gqlClient.validateUserToken();
-    if (loginSuccess) {
-      configStore.set("apiToken", newApiToken);
-      this.authenticated = true;
-      return true;
+      const result = execSync("cat /etc/hostname", {
+        encoding: "utf-8",
+        timeout: 1e3
+      });
+      return result.trim();
     }
-    return false;
+  } catch (error) {
+    return null;
   }
-  /**
-   * Checks if the user is already authenticated
-   */
-  async isAuthenticated() {
-    if (this.authenticated === null) {
-      const result = await this.checkAuthentication();
-      this.authenticated = result.isAuthenticated;
+}
+function stripHostnameSuffixes(hostname) {
+  if (!hostname) return hostname;
+  let normalized = hostname;
+  for (const suffix of HOSTNAME_SUFFIXES) {
+    if (normalized.endsWith(suffix)) {
+      normalized = normalized.slice(0, -suffix.length);
+      break;
     }
-    return this.authenticated;
   }
-  /**
-   * Private function to check if the user is authenticated with the server
-   */
-  async checkAuthentication(apiKey) {
-    try {
-      if (!this.gqlClient) {
-        this.gqlClient = this.getGQLClient(apiKey);
-      }
-      const isConnected = await this.gqlClient.verifyApiConnection();
-      if (!isConnected) {
-        return {
-          isAuthenticated: false,
-          message: "Failed to connect to Mobb server"
-        };
-      }
-      const userVerify = await this.gqlClient.validateUserToken();
-      if (!userVerify) {
-        return {
-          isAuthenticated: false,
-          message: "User token validation failed"
-        };
+  return normalized;
+}
+function generateStableComputerName() {
+  const osSpecificName = getOsSpecificComputerName();
+  if (osSpecificName) {
+    return osSpecificName;
+  }
+  const currentHostname = os.hostname();
+  return stripHostnameSuffixes(currentHostname);
+}
+function getStableComputerName() {
+  const cached = configStore.get(STABLE_COMPUTER_NAME_CONFIG_KEY);
+  if (cached) {
+    return cached;
+  }
+  const currentName = generateStableComputerName();
+  configStore.set(STABLE_COMPUTER_NAME_CONFIG_KEY, currentName);
+  return currentName;
+}
+
+// src/utils/sanitize-sensitive-data.ts
+import { OpenRedaction } from "@openredaction/openredaction";
+var openRedaction = new OpenRedaction({
+  patterns: [
+    // Core Personal Data
+    // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
+    // Prefer false negatives over false positives for this use case.
+    "SSN",
+    "NATIONAL_INSURANCE_UK",
+    "DATE_OF_BIRTH",
+    // Identity Documents
+    "PASSPORT_UK",
+    "PASSPORT_US",
+    "PASSPORT_MRZ_TD1",
+    "PASSPORT_MRZ_TD3",
+    "DRIVING_LICENSE_UK",
+    "DRIVING_LICENSE_US",
+    "VISA_NUMBER",
+    "VISA_MRZ",
+    "TAX_ID",
+    // Financial Data (removed SWIFT_BIC, CARD_AUTH_CODE - too broad, causing false positives with authentication words)
+    // Removed CREDIT_CARD - causes false positives on zero-filled UUIDs (e.g. '00000000-0000-0000-0000-000000000000')
+    // Prefer false negatives over false positives for this use case.
+    "IBAN",
+    "BANK_ACCOUNT_UK",
+    "ROUTING_NUMBER_US",
+    "CARD_TRACK1_DATA",
+    "CARD_TRACK2_DATA",
+    "CARD_EXPIRY",
+    // Cryptocurrency (removed BITCOIN_ADDRESS - too broad, matches hash-like strings)
+    "ETHEREUM_ADDRESS",
+    "LITECOIN_ADDRESS",
+    "CARDANO_ADDRESS",
+    "SOLANA_ADDRESS",
+    "MONERO_ADDRESS",
+    "RIPPLE_ADDRESS",
+    // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
+    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
+    "NHS_NUMBER",
+    "AUSTRALIAN_MEDICARE",
+    "HEALTH_PLAN_NUMBER",
+    "PATIENT_ID",
+    // Communications (removed EMERGENCY_CONTACT, ADDRESS_PO_BOX, ZIP_CODE_US, PHONE_US, PHONE_INTERNATIONAL - too broad, causing false positives)
+    "PHONE_UK",
+    "PHONE_UK_MOBILE",
+    "PHONE_LINE_NUMBER",
+    "ADDRESS_STREET",
+    "POSTCODE_UK",
+    // Network & Technical
+    "IPV4",
+    "IPV6",
+    "MAC_ADDRESS",
+    "URL_WITH_AUTH",
+    // Security Keys & Tokens
+    "PRIVATE_KEY",
+    "SSH_PRIVATE_KEY",
+    "AWS_SECRET_KEY",
+    "AWS_ACCESS_KEY",
+    "AZURE_STORAGE_KEY",
+    "GCP_SERVICE_ACCOUNT",
+    "JWT_TOKEN",
+    "OAUTH_TOKEN",
+    "OAUTH_CLIENT_SECRET",
+    "BEARER_TOKEN",
+    "PAYMENT_TOKEN",
+    "GENERIC_SECRET",
+    "GENERIC_API_KEY",
+    // Platform-Specific API Keys
+    "GITHUB_TOKEN",
+    "SLACK_TOKEN",
+    "STRIPE_API_KEY",
+    "GOOGLE_API_KEY",
+    "FIREBASE_API_KEY",
+    "HEROKU_API_KEY",
+    "MAILGUN_API_KEY",
+    "SENDGRID_API_KEY",
+    "TWILIO_API_KEY",
+    "NPM_TOKEN",
+    "PYPI_TOKEN",
+    "DOCKER_AUTH",
+    "KUBERNETES_SECRET",
+    // Government & Legal
+    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
+    "POLICE_REPORT_NUMBER",
+    "IMMIGRATION_NUMBER",
+    "COURT_REPORTER_LICENSE"
+  ]
+});
+function maskString(str, showStart = 2, showEnd = 2) {
+  if (str.length <= showStart + showEnd) {
+    return "*".repeat(str.length);
+  }
+  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
+}
+async function sanitizeDataWithCounts(obj) {
+  const counts = {
+    detections: { total: 0, high: 0, medium: 0, low: 0 }
+  };
+  const sanitizeString = async (str) => {
+    let result = str;
+    const piiDetections = openRedaction.scan(str);
+    if (piiDetections && piiDetections.total > 0) {
+      const allDetections = [
+        ...piiDetections.high,
+        ...piiDetections.medium,
+        ...piiDetections.low
+      ];
+      for (const detection of allDetections) {
+        counts.detections.total++;
+        if (detection.severity === "high") counts.detections.high++;
+        else if (detection.severity === "medium") counts.detections.medium++;
+        else if (detection.severity === "low") counts.detections.low++;
+        const masked = maskString(detection.value);
+        result = result.replaceAll(detection.value, masked);
       }
-    } catch (error) {
-      return {
-        isAuthenticated: false,
-        message: error instanceof Error ? error.message : "Unknown authentication error"
-      };
     }
-    return { isAuthenticated: true, message: "Successfully authenticated" };
-  }
-  /**
-   * Generates a login URL for manual authentication
-   */
-  async generateLoginUrl(loginContext) {
-    try {
-      if (!this.gqlClient) {
-        this.gqlClient = this.getGQLClient();
+    return result;
+  };
+  const sanitizeRecursive = async (data) => {
+    if (typeof data === "string") {
+      return sanitizeString(data);
+    } else if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+    } else if (data instanceof Error) {
+      return data;
+    } else if (data instanceof Date) {
+      return data;
+    } else if (typeof data === "object" && data !== null) {
+      const sanitized = {};
+      const record = data;
+      for (const key in record) {
+        if (Object.prototype.hasOwnProperty.call(record, key)) {
+          sanitized[key] = await sanitizeRecursive(record[key]);
+        }
       }
-      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
-        modulusLength: 2048
-      });
-      this.publicKey = publicKey;
-      this.privateKey = privateKey;
-      this.loginId = await this.gqlClient.createCliLogin({
-        publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
-      });
-      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
-      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os.hostname()}`;
-      this.currentBrowserUrl = browserUrl;
-      return browserUrl;
-    } catch (error) {
-      console.error("Failed to generate login URL:", error);
-      return null;
+      return sanitized;
+    }
+    return data;
+  };
+  const sanitizedData = await sanitizeRecursive(obj);
+  return { sanitizedData, counts };
+}
+
+// src/args/commands/upload_ai_blame.ts
+var defaultLogger2 = {
+  info: (msg, data) => {
+    if (data !== void 0) {
+      console.log(msg, data);
+    } else {
+      console.log(msg);
+    }
+  },
+  error: (msg, data) => {
+    if (data !== void 0) {
+      console.error(msg, data);
+    } else {
+      console.error(msg);
     }
   }
-  /**
-   * Retrieves and decrypts the API token after authentication
-   */
-  async getApiToken() {
-    if (!this.gqlClient || !this.loginId || !this.privateKey) {
+};
+var PromptItemZ = z27.object({
+  type: z27.enum([
+    "USER_PROMPT",
+    "AI_RESPONSE",
+    "TOOL_EXECUTION",
+    "AI_THINKING",
+    "MCP_TOOL_CALL"
+    // MCP (Model Context Protocol) tool invocation
+  ]),
+  attachedFiles: z27.array(
+    z27.object({
+      relativePath: z27.string(),
+      startLine: z27.number().optional()
+    })
+  ).optional(),
+  tokens: z27.object({
+    inputCount: z27.number(),
+    outputCount: z27.number()
+  }).optional(),
+  text: z27.string().optional(),
+  date: z27.date().optional(),
+  tool: z27.object({
+    name: z27.string(),
+    parameters: z27.string(),
+    result: z27.string(),
+    rawArguments: z27.string().optional(),
+    accepted: z27.boolean().optional(),
+    // MCP-specific fields (only populated for MCP_TOOL_CALL type)
+    mcpServer: z27.string().optional(),
+    // MCP server name (e.g., "datadog", "mobb-mcp")
+    mcpToolName: z27.string().optional()
+    // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
+  }).optional()
+});
+var PromptItemArrayZ = z27.array(PromptItemZ);
+async function getRepositoryUrl() {
+  try {
+    const gitService = new GitService(process.cwd());
+    const isRepo = await gitService.isGitRepository();
+    if (!isRepo) {
       return null;
     }
-    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
-      loginId: this.loginId
-    });
-    if (encryptedApiToken) {
-      return crypto.privateDecrypt(
-        this.privateKey,
-        Buffer.from(encryptedApiToken, "base64")
-      ).toString("utf-8");
-    }
+    const remoteUrl = await gitService.getRemoteUrl();
+    const parsed = parseScmURL(remoteUrl);
+    return parsed?.scmType === "GitHub" /* GitHub */ || parsed?.scmType === "GitLab" /* GitLab */ ? remoteUrl : null;
+  } catch {
     return null;
   }
-  /**
-   * Gets the current GQL client (if authenticated)
-   */
-  getGQLClient(inputApiKey) {
-    if (this.gqlClient === void 0) {
-      this.gqlClient = new GQLClient({
-        apiKey: inputApiKey || configStore.get("apiToken") || "",
-        type: "apiKey",
-        apiUrl: this.resolvedApiUrl
+}
+function getSystemInfo() {
+  let userName;
+  try {
+    userName = os2.userInfo().username;
+  } catch {
+    userName = void 0;
+  }
+  return {
+    computerName: getStableComputerName(),
+    userName
+  };
+}
+function uploadAiBlameBuilder(args) {
+  return args.option("prompt", {
+    type: "string",
+    array: true,
+    demandOption: true,
+    describe: chalk3.bold("Path(s) to prompt artifact(s) (one per session)")
+  }).option("inference", {
+    type: "string",
+    array: true,
+    demandOption: true,
+    describe: chalk3.bold(
+      "Path(s) to inference artifact(s) (one per session)"
+    )
+  }).option("ai-response-at", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold(
+      "ISO timestamp(s) for AI response (one per session, defaults to now)"
+    )
+  }).option("model", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold("AI model name(s) (optional, one per session)")
+  }).option("tool-name", {
+    type: "string",
+    array: true,
+    describe: chalk3.bold("Tool/IDE name(s) (optional, one per session)")
+  }).option("blame-type", {
+    type: "string",
+    array: true,
+    choices: Object.values(AiBlameInferenceType),
+    describe: chalk3.bold(
+      "Blame type(s) (optional, one per session, defaults to CHAT)"
+    )
+  }).strict();
+}
+async function uploadAiBlameHandlerFromExtension(args) {
+  const uploadArgs = {
+    prompt: [],
+    inference: [],
+    model: [],
+    toolName: [],
+    aiResponseAt: [],
+    blameType: [],
+    sessionId: []
+  };
+  let promptsCounts;
+  let inferenceCounts;
+  let promptsUUID;
+  let inferenceUUID;
+  await withFile(async (promptFile) => {
+    const promptsResult = await sanitizeDataWithCounts(args.prompts);
+    promptsCounts = promptsResult.counts;
+    promptsUUID = path7.basename(promptFile.path, path7.extname(promptFile.path));
+    await fsPromises2.writeFile(
+      promptFile.path,
+      JSON.stringify(promptsResult.sanitizedData, null, 2),
+      "utf-8"
+    );
+    uploadArgs.prompt.push(promptFile.path);
+    await withFile(async (inferenceFile) => {
+      const inferenceResult = await sanitizeDataWithCounts(args.inference);
+      inferenceCounts = inferenceResult.counts;
+      inferenceUUID = path7.basename(
+        inferenceFile.path,
+        path7.extname(inferenceFile.path)
+      );
+      await fsPromises2.writeFile(
+        inferenceFile.path,
+        inferenceResult.sanitizedData,
+        "utf-8"
+      );
+      uploadArgs.inference.push(inferenceFile.path);
+      uploadArgs.model.push(args.model);
+      uploadArgs.toolName.push(args.tool);
+      uploadArgs.aiResponseAt.push(args.responseTime);
+      uploadArgs.blameType.push(args.blameType || "CHAT" /* Chat */);
+      if (args.sessionId) {
+        uploadArgs.sessionId.push(args.sessionId);
+      }
+      await uploadAiBlameHandler({
+        args: uploadArgs,
+        exitOnError: false,
+        apiUrl: args.apiUrl,
+        webAppUrl: args.webAppUrl,
+        repositoryUrl: args.repositoryUrl
       });
+    });
+  });
+  return {
+    promptsCounts,
+    inferenceCounts,
+    promptsUUID,
+    inferenceUUID
+  };
+}
+async function uploadAiBlameHandler(options) {
+  const {
+    args,
+    exitOnError = true,
+    apiUrl,
+    webAppUrl,
+    logger: logger2 = defaultLogger2
+  } = options;
+  const prompts = args.prompt || [];
+  const inferences = args.inference || [];
+  const models = args.model || [];
+  const tools = args.toolName || args["tool-name"] || [];
+  const responseTimes = args.aiResponseAt || args["ai-response-at"] || [];
+  const blameTypes = args.blameType || args["blame-type"] || [];
+  const sessionIds = args.sessionId || args["session-id"] || [];
+  if (prompts.length !== inferences.length) {
+    const errorMsg = "prompt and inference must have the same number of entries";
+    logger2.error(chalk3.red(errorMsg));
+    if (exitOnError) {
+      process.exit(1);
     }
-    return this.gqlClient;
-  }
-  /**
-   * Assigns a GQL client instance to the AuthManager, and resets auth state
-   * @param gqlClient The GQL client instance to set
-   */
-  setGQLClient(gqlClient) {
-    this.gqlClient = gqlClient;
-    this.cleanup();
+    throw new Error(errorMsg);
   }
-  /**
-   * Cleans up any active login session
-   */
-  cleanup() {
-    this.publicKey = void 0;
-    this.privateKey = void 0;
-    this.loginId = void 0;
-    this.authenticated = null;
-    this.currentBrowserUrl = null;
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  const { computerName, userName } = getSystemInfo();
+  const repositoryUrl = options.repositoryUrl !== void 0 ? options.repositoryUrl : await getRepositoryUrl();
+  const sessions = [];
+  for (let i = 0; i < prompts.length; i++) {
+    const promptPath = String(prompts[i]);
+    const inferencePath = String(inferences[i]);
+    try {
+      await Promise.all([
+        fsPromises2.access(promptPath),
+        fsPromises2.access(inferencePath)
+      ]);
+    } catch {
+      const errorMsg = `File not found for session ${i + 1}`;
+      logger2.error(chalk3.red(errorMsg));
+      if (exitOnError) {
+        process.exit(1);
+      }
+      throw new Error(errorMsg);
+    }
+    sessions.push({
+      promptFileName: path7.basename(promptPath),
+      inferenceFileName: path7.basename(inferencePath),
+      aiResponseAt: responseTimes[i] || nowIso,
+      model: models[i],
+      toolName: tools[i],
+      blameType: blameTypes[i] || "CHAT" /* Chat */,
+      computerName,
+      userName,
+      sessionId: sessionIds[i],
+      repositoryUrl
+    });
   }
-};
-
-// src/commands/handleMobbLogin.ts
-var debug8 = Debug7("mobbdev:commands");
-var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY2 = 5 * 1e3;
-var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk3.bgBlue(
-  "press any key to continue"
-)};`;
-async function getAuthenticatedGQLClient({
-  inputApiKey = "",
-  isSkipPrompts = true,
-  apiUrl,
-  webAppUrl
-}) {
-  debug8(
-    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
-    apiUrl || "undefined",
-    webAppUrl || "undefined"
-  );
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  let gqlClient = authManager.getGQLClient(inputApiKey);
-  gqlClient = await handleMobbLogin({
-    inGqlClient: gqlClient,
-    skipPrompts: isSkipPrompts,
+  const authenticatedClient = await getAuthenticatedGQLClient({
+    isSkipPrompts: true,
     apiUrl,
     webAppUrl
   });
-  return gqlClient;
-}
-async function handleMobbLogin({
-  inGqlClient,
-  apiKey,
-  skipPrompts,
-  apiUrl,
-  webAppUrl,
-  loginContext
-}) {
-  debug8(
-    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
-    apiUrl || "fallback",
-    apiUrl || "fallback",
-    webAppUrl || "fallback",
-    webAppUrl || "fallback"
+  const initSessions = sessions.map(
+    ({ sessionId: _sessionId, ...rest }) => rest
   );
-  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  authManager.setGQLClient(inGqlClient);
-  try {
-    const isAuthenticated = await authManager.isAuthenticated();
-    if (isAuthenticated) {
-      createSpinner5().start().success({
-        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
-      });
-      return authManager.getGQLClient();
+  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+    sessions: initSessions
+  });
+  const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
+  if (uploadSessions.length !== sessions.length) {
+    const errorMsg = "Init failed to return expected number of sessions";
+    logger2.error(chalk3.red(errorMsg));
+    if (exitOnError) {
+      process.exit(1);
     }
-  } catch (error) {
-    debug8("Authentication check failed:", error);
+    throw new Error(errorMsg);
   }
-  if (apiKey) {
-    createSpinner5().start().error({
-      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    });
-    throw new CliError(
-      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    );
+  for (let i = 0; i < uploadSessions.length; i++) {
+    const us = uploadSessions[i];
+    const promptPath = String(prompts[i]);
+    const inferencePath = String(inferences[i]);
+    await Promise.all([
+      // Prompt
+      uploadFile({
+        file: promptPath,
+        url: us.prompt.url,
+        uploadFields: JSON.parse(us.prompt.uploadFieldsJSON),
+        uploadKey: us.prompt.uploadKey
+      }),
+      // Inference
+      uploadFile({
+        file: inferencePath,
+        url: us.inference.url,
+        uploadFields: JSON.parse(us.inference.uploadFieldsJSON),
+        uploadKey: us.inference.uploadKey
+      })
+    ]);
   }
-  const loginSpinner = createSpinner5().start();
-  if (!skipPrompts) {
-    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
-    await keypress();
-  }
-  loginSpinner.update({
-    text: "\u{1F513} Waiting for Mobb login..."
+  const finalizeSessions = uploadSessions.map((us, i) => {
+    const s = sessions[i];
+    return {
+      aiBlameInferenceId: us.aiBlameInferenceId,
+      promptKey: us.prompt.uploadKey,
+      inferenceKey: us.inference.uploadKey,
+      aiResponseAt: s.aiResponseAt,
+      model: s.model,
+      toolName: s.toolName,
+      blameType: s.blameType,
+      computerName: s.computerName,
+      userName: s.userName,
+      sessionId: s.sessionId,
+      repositoryUrl: s.repositoryUrl
+    };
   });
   try {
-    const loginUrl = await authManager.generateLoginUrl(loginContext);
-    if (!loginUrl) {
-      loginSpinner.error({
-        text: "Failed to generate login URL"
-      });
-      throw new CliError("Failed to generate login URL");
-    }
-    !skipPrompts && console.log(
-      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    logger2.info(
+      `[UPLOAD] Calling finalizeAIBlameInferencesUploadRaw with ${finalizeSessions.length} sessions`
     );
-    authManager.openUrlInBrowser();
-    const authSuccess = await authManager.waitForAuthentication();
-    if (!authSuccess) {
-      loginSpinner.error({
-        text: "Login timeout error"
-      });
-      throw new CliError("Login timeout error");
+    const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw(
+      {
+        sessions: finalizeSessions
+      }
+    );
+    logger2.info("[UPLOAD] Finalize response:", JSON.stringify(finRes, null, 2));
+    const status = finRes?.finalizeAIBlameInferencesUpload?.status;
+    if (status !== "OK") {
+      const errorMsg = finRes?.finalizeAIBlameInferencesUpload?.error || "unknown error";
+      logger2.error(
+        chalk3.red(
+          `[UPLOAD] Finalize failed with status: ${status}, error: ${errorMsg}`
+        )
+      );
+      if (exitOnError) {
+        process.exit(1);
+      }
+      throw new Error(errorMsg);
     }
-    loginSpinner.success({
-      text: `\u{1F513} Login to Mobb successful!`
-    });
-    return authManager.getGQLClient();
-  } finally {
-    authManager.cleanup();
+    logger2.info(chalk3.green("[UPLOAD] AI Blame uploads finalized successfully"));
+  } catch (error) {
+    logger2.error("[UPLOAD] Finalize threw error:", error);
+    throw error;
   }
 }
+async function uploadAiBlameCommandHandler(args) {
+  await uploadAiBlameHandler({ args });
+}
 
-// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
-import Debug11 from "debug";
-
-// src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
-import Debug10 from "debug";
-import parseDiff from "parse-diff";
-import { z as z28 } from "zod";
+// src/features/analysis/graphql/tracy-batch-upload.ts
+var gzipAsync = promisify(gzip);
+var debug9 = Debug8("mobbdev:tracy-batch-upload");
+var MAX_BATCH_PAYLOAD_BYTES = 3 * 1024 * 1024;
 
-// src/features/analysis/utils/by_key.ts
-function keyBy(array, keyBy2) {
-  return array.reduce((acc, item) => {
-    return { ...acc, [item[keyBy2]]: item };
-  }, {});
+// src/mcp/services/types.ts
+function detectIDE() {
+  const env3 = process.env;
+  if (env3["CURSOR_TRACE_ID"] || env3["CURSOR_SESSION_ID"]) return "cursor";
+  if (env3["WINDSURF_IPC_HOOK"] || env3["WINDSURF_PID"]) return "windsurf";
+  if (env3["CLAUDE_DESKTOP"] || env3["ANTHROPIC_CLAUDE"]) return "claude";
+  if (env3["WEBSTORM_VM_OPTIONS"] || env3["IDEA_VM_OPTIONS"] || env3["JETBRAINS_IDE"])
+    return "webstorm";
+  if (env3["VSCODE_IPC_HOOK"] || env3["VSCODE_PID"]) return "vscode";
+  const termProgram = env3["TERM_PROGRAM"]?.toLowerCase();
+  if (termProgram === "windsurf") return "windsurf";
+  if (termProgram === "vscode") return "vscode";
+  return void 0;
+}
+function createMcpLoginContext(trigger) {
+  return {
+    trigger,
+    source: "mcp",
+    ide: detectIDE()
+  };
+}
+function buildLoginUrl(baseUrl, loginId, hostname, context) {
+  const url = new URL(`${baseUrl}/${loginId}`);
+  url.searchParams.set("hostname", hostname);
+  url.searchParams.set("trigger", context.trigger);
+  url.searchParams.set("source", context.source);
+  if (context.ide) {
+    url.searchParams.set("ide", context.ide);
+  }
+  return url.toString();
 }
 
-// src/features/analysis/utils/send_report.ts
-import Debug8 from "debug";
-init_client_generates();
-var debug9 = Debug8("mobbdev:index");
-async function sendReport({
-  spinner,
-  submitVulnerabilityReportVariables,
-  gqlClient,
-  polling
-}) {
-  try {
-    const submitRes = await gqlClient.submitVulnerabilityReport(
-      submitVulnerabilityReportVariables
-    );
-    if (submitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
-      debug9("error submit vul report %s", submitRes);
-      throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
+// src/commands/AuthManager.ts
+var debug10 = Debug9("mobbdev:auth");
+var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
+var LOGIN_CHECK_DELAY = 5 * 1e3;
+var _AuthManager = class _AuthManager {
+  constructor(webAppUrl, apiUrl) {
+    __publicField(this, "publicKey");
+    __publicField(this, "privateKey");
+    __publicField(this, "loginId");
+    __publicField(this, "gqlClient");
+    __publicField(this, "currentBrowserUrl");
+    __publicField(this, "authenticated", null);
+    __publicField(this, "resolvedWebAppUrl");
+    __publicField(this, "resolvedApiUrl");
+    this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
+    this.resolvedApiUrl = apiUrl || API_URL;
+  }
+  openUrlInBrowser() {
+    if (this.currentBrowserUrl) {
+      open(this.currentBrowserUrl);
+      return true;
     }
-    spinner.update({ text: progressMassages.processingVulnerabilityReport });
-    const callback = (_analysisId) => spinner.update({
-      text: "\u2699\uFE0F Vulnerability report processed successfully"
+    return false;
+  }
+  async waitForAuthentication() {
+    let newApiToken = null;
+    for (let i = 0; i < _AuthManager.loginMaxWait / LOGIN_CHECK_DELAY; i++) {
+      newApiToken = await this.getApiToken();
+      if (newApiToken) {
+        break;
+      }
+      await sleep(LOGIN_CHECK_DELAY);
+    }
+    if (!newApiToken) {
+      return false;
+    }
+    this.gqlClient = new GQLClient({
+      apiKey: newApiToken,
+      type: "apiKey",
+      apiUrl: this.resolvedApiUrl
     });
-    const callbackStates = [
-      "Digested" /* Digested */,
-      "Finished" /* Finished */
-    ];
-    if (polling) {
-      debug9("[sendReport] Using POLLING mode for analysis state updates");
-      await gqlClient.pollForAnalysisState({
-        analysisId: submitRes.submitVulnerabilityReport.fixReportId,
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+    const loginSuccess = await this.gqlClient.validateUserToken();
+    if (loginSuccess) {
+      configStore.set("apiToken", newApiToken);
+      this.authenticated = true;
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Checks if the user is already authenticated
+   */
+  async isAuthenticated() {
+    if (this.authenticated === null) {
+      const result = await this.checkAuthentication();
+      this.authenticated = result.isAuthenticated;
+      if (!result.isAuthenticated) {
+        debug10("isAuthenticated: false \u2014 %s", result.message);
+      }
+    }
+    return this.authenticated;
+  }
+  /**
+   * Private function to check if the user is authenticated with the server
+   */
+  async checkAuthentication(apiKey) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient(apiKey);
+      }
+      const isConnected = await this.gqlClient.verifyApiConnection();
+      if (!isConnected) {
+        return {
+          isAuthenticated: false,
+          message: "Failed to connect to Mobb server"
+        };
+      }
+      const userVerify = await this.gqlClient.validateUserToken();
+      if (!userVerify) {
+        return {
+          isAuthenticated: false,
+          message: "User token validation failed"
+        };
+      }
+    } catch (error) {
+      return {
+        isAuthenticated: false,
+        message: error instanceof Error ? error.message : "Unknown authentication error"
+      };
+    }
+    return { isAuthenticated: true, message: "Successfully authenticated" };
+  }
+  /**
+   * Generates a login URL for manual authentication
+   */
+  async generateLoginUrl(loginContext) {
+    try {
+      if (!this.gqlClient) {
+        this.gqlClient = this.getGQLClient();
+      }
+      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048
       });
-    } else {
-      debug9("[sendReport] Using WEBSOCKET mode for analysis state updates");
-      await gqlClient.subscribeToAnalysis({
-        subscribeToAnalysisParams: {
-          analysisId: submitRes.submitVulnerabilityReport.fixReportId
-        },
-        callback,
-        callbackStates,
-        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      this.publicKey = publicKey;
+      this.privateKey = privateKey;
+      this.loginId = await this.gqlClient.createCliLogin({
+        publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
       });
+      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
+      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os3.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os3.hostname()}`;
+      this.currentBrowserUrl = browserUrl;
+      return browserUrl;
+    } catch (error) {
+      console.error("Failed to generate login URL:", error);
+      return null;
     }
-    return submitRes;
-  } catch (e) {
-    spinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
-    throw e;
   }
-}
-
-// src/features/analysis/utils/index.ts
+  /**
+   * Retrieves and decrypts the API token after authentication
+   */
+  async getApiToken() {
+    if (!this.gqlClient || !this.loginId || !this.privateKey) {
+      return null;
+    }
+    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
+      loginId: this.loginId
+    });
+    if (encryptedApiToken) {
+      return crypto.privateDecrypt(
+        this.privateKey,
+        Buffer.from(encryptedApiToken, "base64")
+      ).toString("utf-8");
+    }
+    return null;
+  }
+  /**
+   * Returns true if a non-empty API token is stored in the configStore.
+   * Used for diagnostics — does NOT validate the token.
+   */
+  hasStoredToken() {
+    const token = configStore.get("apiToken");
+    return typeof token === "string" && token.length > 0;
+  }
+  /**
+   * Gets the current GQL client (if authenticated)
+   */
+  getGQLClient(inputApiKey) {
+    if (this.gqlClient === void 0) {
+      this.gqlClient = new GQLClient({
+        apiKey: inputApiKey || configStore.get("apiToken") || "",
+        type: "apiKey",
+        apiUrl: this.resolvedApiUrl
+      });
+    }
+    return this.gqlClient;
+  }
+  /**
+   * Assigns a GQL client instance to the AuthManager, and resets auth state
+   * @param gqlClient The GQL client instance to set
+   */
+  setGQLClient(gqlClient) {
+    this.gqlClient = gqlClient;
+    this.cleanup();
+  }
+  /**
+   * Cleans up any active login session
+   */
+  cleanup() {
+    this.publicKey = void 0;
+    this.privateKey = void 0;
+    this.loginId = void 0;
+    this.authenticated = null;
+    this.currentBrowserUrl = null;
+  }
+};
+/** Maximum time (ms) to wait for login authentication. Override in tests for faster failures. */
+__publicField(_AuthManager, "loginMaxWait", LOGIN_MAX_WAIT);
+var AuthManager = _AuthManager;
+
+// src/commands/handleMobbLogin.ts
+var debug11 = Debug10("mobbdev:commands");
+var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
+var LOGIN_CHECK_DELAY2 = 5 * 1e3;
+var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk4.bgBlue(
+  "press any key to continue"
+)};`;
+async function getAuthenticatedGQLClient({
+  inputApiKey = "",
+  isSkipPrompts = true,
+  apiUrl,
+  webAppUrl
+}) {
+  debug11(
+    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
+    apiUrl || "undefined",
+    webAppUrl || "undefined"
+  );
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  let gqlClient = authManager.getGQLClient(inputApiKey);
+  gqlClient = await handleMobbLogin({
+    inGqlClient: gqlClient,
+    skipPrompts: isSkipPrompts,
+    apiUrl,
+    webAppUrl
+  });
+  return gqlClient;
+}
+async function handleMobbLogin({
+  inGqlClient,
+  apiKey,
+  skipPrompts,
+  apiUrl,
+  webAppUrl,
+  loginContext
+}) {
+  debug11(
+    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
+    apiUrl || "fallback",
+    apiUrl || "fallback",
+    webAppUrl || "fallback",
+    webAppUrl || "fallback"
+  );
+  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  authManager.setGQLClient(inGqlClient);
+  try {
+    const isAuthenticated = await authManager.isAuthenticated();
+    if (isAuthenticated) {
+      createSpinner5().start().success({
+        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
+      });
+      return authManager.getGQLClient();
+    }
+  } catch (error) {
+    debug11("Authentication check failed:", error);
+  }
+  if (apiKey) {
+    createSpinner5().start().error({
+      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    });
+    throw new CliError(
+      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    );
+  }
+  const loginSpinner = createSpinner5().start();
+  if (!skipPrompts) {
+    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
+    await keypress();
+  }
+  loginSpinner.update({
+    text: "\u{1F513} Waiting for Mobb login..."
+  });
+  try {
+    const loginUrl = await authManager.generateLoginUrl(loginContext);
+    if (!loginUrl) {
+      loginSpinner.error({
+        text: "Failed to generate login URL"
+      });
+      throw new CliError("Failed to generate login URL");
+    }
+    !skipPrompts && console.log(
+      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    );
+    authManager.openUrlInBrowser();
+    const authSuccess = await authManager.waitForAuthentication();
+    if (!authSuccess) {
+      loginSpinner.error({
+        text: "Login timeout error"
+      });
+      throw new CliError("Login timeout error");
+    }
+    loginSpinner.success({
+      text: `\u{1F513} Login to Mobb successful!`
+    });
+    return authManager.getGQLClient();
+  } finally {
+    authManager.cleanup();
+  }
+}
+
+// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
+import Debug14 from "debug";
+
+// src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
+import Debug13 from "debug";
+import parseDiff from "parse-diff";
+import { z as z29 } from "zod";
+
+// src/features/analysis/utils/by_key.ts
+function keyBy(array, keyBy2) {
+  return array.reduce((acc, item) => {
+    return { ...acc, [item[keyBy2]]: item };
+  }, {});
+}
+
+// src/features/analysis/utils/send_report.ts
+import Debug11 from "debug";
+init_client_generates();
+var debug12 = Debug11("mobbdev:index");
+async function sendReport({
+  spinner,
+  submitVulnerabilityReportVariables,
+  gqlClient,
+  polling
+}) {
+  try {
+    const submitRes = await gqlClient.submitVulnerabilityReport(
+      submitVulnerabilityReportVariables
+    );
+    if (submitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
+      debug12("error submit vul report %s", submitRes);
+      throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
+    }
+    spinner.update({ text: progressMassages.processingVulnerabilityReport });
+    const callback = (_analysisId) => spinner.update({
+      text: "\u2699\uFE0F Vulnerability report processed successfully"
+    });
+    const callbackStates = [
+      "Digested" /* Digested */,
+      "Finished" /* Finished */
+    ];
+    if (polling) {
+      debug12("[sendReport] Using POLLING mode for analysis state updates");
+      await gqlClient.pollForAnalysisState({
+        analysisId: submitRes.submitVulnerabilityReport.fixReportId,
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      });
+    } else {
+      debug12("[sendReport] Using WEBSOCKET mode for analysis state updates");
+      await gqlClient.subscribeToAnalysis({
+        subscribeToAnalysisParams: {
+          analysisId: submitRes.submitVulnerabilityReport.fixReportId
+        },
+        callback,
+        callbackStates,
+        timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
+      });
+    }
+    return submitRes;
+  } catch (e) {
+    spinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
+    throw e;
+  }
+}
+
+// src/features/analysis/utils/index.ts
 function getFromArraySafe(array) {
   return array.reduce((acc, nullableItem) => {
     if (nullableItem) {
@@ -12926,10 +13625,10 @@ var scannerToFriendlyString = {
 };
 
 // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
-import Debug9 from "debug";
-import { z as z27 } from "zod";
+import Debug12 from "debug";
+import { z as z28 } from "zod";
 init_client_generates();
-var debug10 = Debug9("mobbdev:handle-finished-analysis");
+var debug13 = Debug12("mobbdev:handle-finished-analysis");
 var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
 function buildFixCommentBody({
   fix,
@@ -12981,14 +13680,14 @@ function buildFixCommentBody({
   });
   const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
   const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
-  const validFixParseRes = z27.object({
+  const validFixParseRes = z28.object({
     patchAndQuestions: PatchAndQuestionsZ,
-    safeIssueLanguage: z27.nativeEnum(IssueLanguage_Enum),
-    severityText: z27.nativeEnum(Vulnerability_Severity_Enum),
-    safeIssueType: z27.nativeEnum(IssueType_Enum)
+    safeIssueLanguage: z28.nativeEnum(IssueLanguage_Enum),
+    severityText: z28.nativeEnum(Vulnerability_Severity_Enum),
+    safeIssueType: z28.nativeEnum(IssueType_Enum)
   }).safeParse(fix);
   if (!validFixParseRes.success) {
-    debug10(
+    debug13(
       `fix ${fixId} has custom issue type or language, therefore the commit description will not be added`,
       validFixParseRes.error
     );
@@ -13052,7 +13751,7 @@ ${issuePageLink}`;
 }
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
-var debug11 = Debug10("mobbdev:handle-finished-analysis");
+var debug14 = Debug13("mobbdev:handle-finished-analysis");
 function calculateRanges(integers) {
   if (integers.length === 0) {
     return [];
@@ -13086,7 +13785,7 @@ function deleteAllPreviousComments({
     try {
       return scm.deleteComment({ comment_id: comment.id });
     } catch (e) {
-      debug11("delete comment failed %s", e);
+      debug14("delete comment failed %s", e);
       return Promise.resolve();
     }
   });
@@ -13102,7 +13801,7 @@ function deleteAllPreviousGeneralPrComments(params) {
     try {
       return scm.deleteGeneralPrComment({ commentId: comment.id });
     } catch (e) {
-      debug11("delete comment failed %s", e);
+      debug14("delete comment failed %s", e);
       return Promise.resolve();
     }
   });
@@ -13219,7 +13918,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z28.string().parse(file.to),
+      path: z29.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -13246,7 +13945,7 @@ async function postAnalysisInsightComment(params) {
     fixablePrVuls,
     nonFixablePrVuls
   } = prVulenrabilities;
-  debug11({
+  debug14({
     fixablePrVuls,
     nonFixablePrVuls,
     vulnerabilitiesOutsidePr,
@@ -13301,7 +14000,7 @@ ${contactUsMarkdown}`;
 }
 
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
-var debug12 = Debug11("mobbdev:handle-finished-analysis");
+var debug15 = Debug14("mobbdev:handle-finished-analysis");
 async function addFixCommentsForPr({
   analysisId,
   scm: _scm,
@@ -13313,7 +14012,7 @@ async function addFixCommentsForPr({
   }
   const scm = _scm;
   const getAnalysisRes = await gqlClient.getAnalysis(analysisId);
-  debug12("getAnalysis %o", getAnalysisRes);
+  debug15("getAnalysis %o", getAnalysisRes);
   const {
     vulnerabilityReport: {
       projectId,
@@ -13423,8 +14122,8 @@ ${contextString}` : description;
 
 // src/features/analysis/auto_pr_handler.ts
 init_client_generates();
-import Debug12 from "debug";
-var debug13 = Debug12("mobbdev:handleAutoPr");
+import Debug15 from "debug";
+var debug16 = Debug15("mobbdev:handleAutoPr");
 async function handleAutoPr(params) {
   const {
     gqlClient,
@@ -13445,7 +14144,7 @@ async function handleAutoPr(params) {
       prId,
       prStrategy: createOnePr ? "CONDENSE" /* Condense */ : "SPREAD" /* Spread */
     });
-    debug13("auto pr analysis res %o", autoPrAnalysisRes);
+    debug16("auto pr analysis res %o", autoPrAnalysisRes);
     if (autoPrAnalysisRes.autoPrAnalysis?.__typename === "AutoPrError") {
       createAutoPrSpinner.error({
         text: `\u{1F504} Automatic pull request failed - ${autoPrAnalysisRes.autoPrAnalysis.error}`
@@ -13467,14 +14166,14 @@ async function handleAutoPr(params) {
   };
   const callbackStates = ["Finished" /* Finished */];
   if (polling) {
-    debug13("[handleAutoPr] Using POLLING mode for analysis state updates");
+    debug16("[handleAutoPr] Using POLLING mode for analysis state updates");
     return await gqlClient.pollForAnalysisState({
       analysisId,
       callback,
       callbackStates
     });
   } else {
-    debug13("[handleAutoPr] Using WEBSOCKET mode for analysis state updates");
+    debug16("[handleAutoPr] Using WEBSOCKET mode for analysis state updates");
     return await gqlClient.subscribeToAnalysis({
       subscribeToAnalysisParams: {
         analysisId
@@ -13487,15 +14186,15 @@ async function handleAutoPr(params) {
 
 // src/features/analysis/git.ts
 init_GitService();
-import Debug13 from "debug";
-var debug14 = Debug13("mobbdev:git");
+import Debug16 from "debug";
+var debug17 = Debug16("mobbdev:git");
 async function getGitInfo(srcDirPath) {
-  debug14("getting git info for %s", srcDirPath);
+  debug17("getting git info for %s", srcDirPath);
   const gitService = new GitService(srcDirPath);
   try {
     const validationResult = await gitService.validateRepository();
     if (!validationResult.isValid) {
-      debug14("folder is not a git repo");
+      debug17("folder is not a git repo");
       return {
         success: false,
         hash: void 0,
@@ -13510,9 +14209,9 @@ async function getGitInfo(srcDirPath) {
     };
   } catch (e) {
     if (e instanceof Error) {
-      debug14("failed to run git %o", e);
+      debug17("failed to run git %o", e);
       if (e.message.includes(" spawn ")) {
-        debug14("git cli not installed");
+        debug17("git cli not installed");
       } else {
         throw e;
       }
@@ -13524,22 +14223,22 @@ async function getGitInfo(srcDirPath) {
 // src/features/analysis/pack.ts
 init_configs();
 import fs9 from "fs";
-import path7 from "path";
+import path8 from "path";
 import AdmZip from "adm-zip";
-import Debug14 from "debug";
+import Debug17 from "debug";
 import { globby } from "globby";
 import { isBinary as isBinary2 } from "istextorbinary";
 import { simpleGit as simpleGit3 } from "simple-git";
 import { parseStringPromise } from "xml2js";
-import { z as z29 } from "zod";
-var debug15 = Debug14("mobbdev:pack");
-var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z29.object({
-  properties: z29.object({
-    entry: z29.array(
-      z29.object({
-        _: z29.string(),
-        $: z29.object({
-          key: z29.string()
+import { z as z30 } from "zod";
+var debug18 = Debug17("mobbdev:pack");
+var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z30.object({
+  properties: z30.object({
+    entry: z30.array(
+      z30.object({
+        _: z30.string(),
+        $: z30.object({
+          key: z30.string()
         })
       })
     )
@@ -13554,7 +14253,7 @@ function getManifestFilesSuffixes() {
   return ["package.json", "pom.xml"];
 }
 async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
-  debug15("pack folder %s", srcDirPath);
+  debug18("pack folder %s", srcDirPath);
   let git = void 0;
   try {
     git = simpleGit3({
@@ -13564,13 +14263,13 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
     });
     await git.status();
   } catch (e) {
-    debug15("failed to run git %o", e);
+    debug18("failed to run git %o", e);
     git = void 0;
     if (e instanceof Error) {
       if (e.message.includes(" spawn ")) {
-        debug15("git cli not installed");
+        debug18("git cli not installed");
       } else if (e.message.includes("not a git repository")) {
-        debug15("folder is not a git repo");
+        debug18("folder is not a git repo");
       } else {
         throw e;
       }
@@ -13585,23 +14284,23 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
     followSymbolicLinks: false,
     dot: true
   });
-  debug15("files found %d", filepaths.length);
+  debug18("files found %d", filepaths.length);
   const zip = new AdmZip();
-  debug15("compressing files");
+  debug18("compressing files");
   for (const filepath of filepaths) {
-    const absFilepath = path7.join(srcDirPath, filepath.toString());
+    const absFilepath = path8.join(srcDirPath, filepath.toString());
     if (!isIncludeAllFiles) {
       vulnFiles = vulnFiles.concat(getManifestFilesSuffixes());
       if (!endsWithAny(
-        absFilepath.toString().replaceAll(path7.win32.sep, path7.posix.sep),
+        absFilepath.toString().replaceAll(path8.win32.sep, path8.posix.sep),
         vulnFiles
       )) {
-        debug15("ignoring %s because it is not a vulnerability file", filepath);
+        debug18("ignoring %s because it is not a vulnerability file", filepath);
         continue;
       }
     }
     if (fs9.lstatSync(absFilepath).size > MCP_MAX_FILE_SIZE) {
-      debug15("ignoring %s because the size is > 5MB", filepath);
+      debug18("ignoring %s because the size is > 5MB", filepath);
       continue;
     }
     let data;
@@ -13615,16 +14314,16 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
       data = fs9.readFileSync(absFilepath);
     }
     if (isBinary2(null, data)) {
-      debug15("ignoring %s because is seems to be a binary file", filepath);
+      debug18("ignoring %s because is seems to be a binary file", filepath);
       continue;
     }
     zip.addFile(filepath.toString(), data);
   }
-  debug15("get zip file buffer");
+  debug18("get zip file buffer");
   return zip.toBuffer();
 }
 async function repackFpr(fprPath) {
-  debug15("repack fpr file %s", fprPath);
+  debug18("repack fpr file %s", fprPath);
   const zipIn = new AdmZip(fprPath);
   const zipOut = new AdmZip();
   const mappingXML = zipIn.readAsText("src-archive/index.xml", "utf-8");
@@ -13639,7 +14338,7 @@ async function repackFpr(fprPath) {
       zipOut.addFile(realPath, buf);
     }
   }
-  debug15("get repacked zip file buffer");
+  debug18("get repacked zip file buffer");
   return zipOut.toBuffer();
 }
 
@@ -13709,12 +14408,12 @@ async function snykArticlePrompt() {
 
 // src/features/analysis/scanners/checkmarx.ts
 import { createRequire } from "module";
-import chalk4 from "chalk";
-import Debug16 from "debug";
+import chalk5 from "chalk";
+import Debug19 from "debug";
 import { existsSync } from "fs";
 import { createSpinner as createSpinner2 } from "nanospinner";
 import { type } from "os";
-import path8 from "path";
+import path9 from "path";
 
 // src/post_install/constants.mjs
 var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
@@ -13722,7 +14421,7 @@ var cxOperatingSystemSupportMessage = `Your operating system does not support ch
 
 // src/utils/child_process.ts
 import cp from "child_process";
-import Debug15 from "debug";
+import Debug18 from "debug";
 import * as process2 from "process";
 function createFork({ args, processPath, name }, options) {
   const child = cp.fork(processPath, args, {
@@ -13740,16 +14439,16 @@ function createSpawn({ args, processPath, name, cwd }, options) {
   return createChildProcess({ childProcess: child, name }, options);
 }
 function createChildProcess({ childProcess, name }, options) {
-  const debug21 = Debug15(`mobbdev:${name}`);
+  const debug23 = Debug18(`mobbdev:${name}`);
   const { display } = options;
   return new Promise((resolve, reject) => {
     let out = "";
     const onData = (chunk) => {
-      debug21(`chunk received from ${name} std ${chunk}`);
+      debug23(`chunk received from ${name} std ${chunk}`);
       out += chunk;
     };
     if (!childProcess?.stdout || !childProcess?.stderr) {
-      debug21(`unable to fork ${name}`);
+      debug23(`unable to fork ${name}`);
       reject(new Error(`unable to fork ${name}`));
     }
     childProcess.stdout?.on("data", onData);
@@ -13759,18 +14458,18 @@ function createChildProcess({ childProcess, name }, options) {
       childProcess.stderr?.pipe(process2.stderr);
     }
     childProcess.on("exit", (code) => {
-      debug21(`${name} exit code ${code}`);
+      debug23(`${name} exit code ${code}`);
       resolve({ message: out, code });
     });
     childProcess.on("error", (err) => {
-      debug21(`${name} error %o`, err);
+      debug23(`${name} error %o`, err);
       reject(err);
     });
   });
 }
 
 // src/features/analysis/scanners/checkmarx.ts
-var debug16 = Debug16("mobbdev:checkmarx");
+var debug19 = Debug19("mobbdev:checkmarx");
 var moduleUrl;
 if (typeof __filename !== "undefined") {
   moduleUrl = __filename;
@@ -13829,14 +14528,14 @@ function validateCheckmarxInstallation() {
   existsSync(getCheckmarxPath());
 }
 async function forkCheckmarx(args, { display }) {
-  debug16("fork checkmarx with args %o %s", args.join(" "), display);
+  debug19("fork checkmarx with args %o %s", args.join(" "), display);
   return createSpawn(
     { args, processPath: getCheckmarxPath(), name: "checkmarx" },
     { display }
   );
 }
 async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectName }, { skipPrompts = false }) {
-  debug16("get checkmarx report start %s %s", reportPath, repositoryRoot);
+  debug19("get checkmarx report start %s %s", reportPath, repositoryRoot);
   const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
     display: false
   });
@@ -13847,9 +14546,9 @@ async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectN
     await startCheckmarxConfigationPrompt();
     await validateCheckamxCredentials();
   }
-  const extension = path8.extname(reportPath);
-  const filePath = path8.dirname(reportPath);
-  const fileName = path8.basename(reportPath, extension);
+  const extension = path9.extname(reportPath);
+  const filePath = path9.dirname(reportPath);
+  const fileName = path9.basename(reportPath, extension);
   const checkmarxCommandArgs = getCheckmarxCommandArgs({
     repoPath: repositoryRoot,
     branch,
@@ -13875,7 +14574,7 @@ async function throwCheckmarxConfigError() {
   await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
   throw new CliError(
     `Checkmarx is not configued correctly
- you can configure it by using the ${chalk4.bold(
+ you can configure it by using the ${chalk5.bold(
       "cx configure"
     )} command`
   );
@@ -13883,8 +14582,8 @@ async function throwCheckmarxConfigError() {
 async function validateCheckamxCredentials() {
   console.log(`
         Here's a suggestion for checkmarx configuation: 
-          ${chalk4.bold("AST Base URI:")} https://ast.checkmarx.net
-          ${chalk4.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
+          ${chalk5.bold("AST Base URI:")} https://ast.checkmarx.net
+          ${chalk5.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
   `);
   await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
   const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
@@ -13903,11 +14602,11 @@ async function validateCheckamxCredentials() {
 
 // src/features/analysis/scanners/snyk.ts
 import { createRequire as createRequire2 } from "module";
-import chalk5 from "chalk";
-import Debug17 from "debug";
+import chalk6 from "chalk";
+import Debug20 from "debug";
 import { createSpinner as createSpinner3 } from "nanospinner";
 import open2 from "open";
-var debug17 = Debug17("mobbdev:snyk");
+var debug20 = Debug20("mobbdev:snyk");
 var moduleUrl2;
 if (typeof __filename !== "undefined") {
   moduleUrl2 = __filename;
@@ -13929,13 +14628,13 @@ if (typeof __filename !== "undefined") {
 var costumeRequire2 = createRequire2(moduleUrl2);
 var SNYK_PATH = costumeRequire2.resolve("snyk/bin/snyk");
 var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-using-snyk/snyk-code/configure-snyk-code#enable-snyk-code";
-debug17("snyk executable path %s", SNYK_PATH);
+debug20("snyk executable path %s", SNYK_PATH);
 async function forkSnyk(args, { display }) {
-  debug17("fork snyk with args %o %s", args, display);
+  debug20("fork snyk with args %o %s", args, display);
   return createFork({ args, processPath: SNYK_PATH, name: "snyk" }, { display });
 }
 async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
-  debug17("get snyk report start %s %s", reportPath, repoRoot);
+  debug20("get snyk report start %s %s", reportPath, repoRoot);
   const config2 = await forkSnyk(["config"], { display: false });
   const { message: configMessage } = config2;
   if (!configMessage.includes("api: ")) {
@@ -13949,7 +14648,7 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
     snykLoginSpinner.update({
       text: "\u{1F513} Waiting for Snyk login to complete"
     });
-    debug17("no token in the config %s", config2);
+    debug20("no token in the config %s", config2);
     await forkSnyk(["auth"], { display: true });
     snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
   }
@@ -13959,16 +14658,16 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
     { display: true }
   );
   if (scanOutput.includes("Snyk Code is not supported for org")) {
-    debug17("snyk code is not enabled %s", scanOutput);
+    debug20("snyk code is not enabled %s", scanOutput);
     snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
     const answer = await snykArticlePrompt();
-    debug17("answer %s", answer);
+    debug20("answer %s", answer);
     if (answer) {
-      debug17("opening the browser");
+      debug20("opening the browser");
       await open2(SNYK_ARTICLE_URL);
     }
     console.log(
-      chalk5.bgBlue(
+      chalk6.bgBlue(
         "\nPlease enable Snyk Code in your Snyk account and try again."
       )
     );
@@ -13980,58 +14679,6 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
 
 // src/features/analysis/index.ts
 init_client_generates();
-
-// src/features/analysis/upload-file.ts
-import Debug18 from "debug";
-import fetch3, { File, fileFrom, FormData } from "node-fetch";
-var debug18 = Debug18("mobbdev:upload-file");
-async function uploadFile({
-  file,
-  url,
-  uploadKey,
-  uploadFields,
-  logger: logger2
-}) {
-  const logInfo2 = logger2 || ((_message, _data) => {
-  });
-  logInfo2(`FileUpload: upload file start ${url}`);
-  logInfo2(`FileUpload: upload fields`, uploadFields);
-  logInfo2(`FileUpload: upload key ${uploadKey}`);
-  debug18("upload file start %s", url);
-  debug18("upload fields %o", uploadFields);
-  debug18("upload key %s", uploadKey);
-  const form = new FormData();
-  Object.entries(uploadFields).forEach(([key, value]) => {
-    form.append(key, value);
-  });
-  if (!form.has("key")) {
-    form.append("key", uploadKey);
-  }
-  if (typeof file === "string") {
-    debug18("upload file from path %s", file);
-    logInfo2(`FileUpload: upload file from path ${file}`);
-    form.append("file", await fileFrom(file));
-  } else {
-    debug18("upload file from buffer");
-    logInfo2(`FileUpload: upload file from buffer`);
-    form.append("file", new File([new Uint8Array(file)], "file"));
-  }
-  const agent = getProxyAgent(url);
-  const response = await fetch3(url, {
-    method: "POST",
-    body: form,
-    agent
-  });
-  if (!response.ok) {
-    debug18("error from S3 %s %s", response.body, response.status);
-    logInfo2(`FileUpload: error from S3 ${response.body} ${response.status}`);
-    throw new Error(`Failed to upload the file: ${response.status}`);
-  }
-  debug18("upload file done");
-  logInfo2(`FileUpload: upload file done`);
-}
-
-// src/features/analysis/index.ts
 var { CliError: CliError2, Spinner: Spinner2 } = utils_exports;
 function _getScanSource(command, ci) {
   if (command === "review") return "AUTO_FIXER" /* AutoFixer */;
@@ -14062,9 +14709,9 @@ async function downloadRepo({
 }) {
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
   const repoSpinner = createSpinner5("\u{1F4BE} Downloading Repo").start();
-  debug19("download repo %s %s %s", repoUrl, dirname);
-  const zipFilePath = path9.join(dirname, "repo.zip");
-  debug19("download URL: %s auth headers: %o", downloadUrl, authHeaders);
+  debug21("download repo %s %s %s", repoUrl, dirname);
+  const zipFilePath = path10.join(dirname, "repo.zip");
+  debug21("download URL: %s auth headers: %o", downloadUrl, authHeaders);
   const response = await fetch4(downloadUrl, {
     method: "GET",
     headers: {
@@ -14072,9 +14719,9 @@ async function downloadRepo({
     }
   });
   if (!response.ok) {
-    debug19("SCM zipball request failed %s %s", response.body, response.status);
+    debug21("SCM zipball request failed %s %s", response.body, response.status);
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
-    throw new Error(`Can't access ${chalk6.bold(repoUrl)}`);
+    throw new Error(`Can't access ${chalk7.bold(repoUrl)}`);
   }
   const fileWriterStream = fs10.createWriteStream(zipFilePath);
   if (!response.body) {
@@ -14086,16 +14733,16 @@ async function downloadRepo({
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
-  debug19("repo root %s", repoRoot);
+  debug21("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
-  return path9.join(dirname, repoRoot);
+  return path10.join(dirname, repoRoot);
 }
 var getReportUrl = ({
   organizationId,
   projectId,
   fixReportId
 }) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
-var debug19 = Debug19("mobbdev:index");
+var debug21 = Debug21("mobbdev:index");
 async function runAnalysis(params, options) {
   const tmpObj = tmp2.dirSync({
     unsafeCleanup: true
@@ -14196,7 +14843,7 @@ async function getReport(params, { skipPrompts }) {
     authHeaders: scm.getAuthHeaders(),
     downloadUrl
   });
-  const reportPath = path9.join(dirname, REPORT_DEFAULT_FILE_NAME);
+  const reportPath = path10.join(dirname, REPORT_DEFAULT_FILE_NAME);
   switch (scanner) {
     case "snyk":
       await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
@@ -14241,7 +14888,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     pullRequest,
     polling
   } = params;
-  debug19("start %s %s", dirname, repo);
+  debug21("start %s %s", dirname, repo);
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
   skipPrompts = skipPrompts || ci;
   const gqlClient = await getAuthenticatedGQLClient({
@@ -14310,8 +14957,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
     );
   }
   const { sha } = getReferenceDataRes.gitReference;
-  debug19("project id %s", projectId);
-  debug19("default branch %s", reference);
+  debug21("project id %s", projectId);
+  debug21("default branch %s", reference);
   if (command === "scan") {
     reportPath = await getReport(
       {
@@ -14361,7 +15008,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     spinner: mobbSpinner,
     submitVulnerabilityReportVariables: {
       fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: z30.string().parse(repo),
+      repoUrl: z31.string().parse(repo),
       reference,
       projectId,
       vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
@@ -14413,11 +15060,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
       fixReportId: reportUploadInfo.fixReportId
     });
     !ci && console.log("You can access the analysis at: \n");
-    console.log(chalk6.bold(reportUrl));
+    console.log(chalk7.bold(reportUrl));
     !skipPrompts && await mobbAnalysisPrompt();
     !ci && open3(reportUrl);
     !ci && console.log(
-      chalk6.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
+      chalk7.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
     );
   }
   async function handleScmIntegration(oldToken, scmAuthUrl2, repoUrl) {
@@ -14578,11 +15225,11 @@ async function _zipAndUploadRepo({
   repoUploadInfo,
   isIncludeAllFiles
 }) {
-  const srcFileStatus = await fsPromises2.lstat(srcPath);
+  const srcFileStatus = await fsPromises3.lstat(srcPath);
   const zippingSpinner = createSpinner4("\u{1F4E6} Zipping repo").start();
   let zipBuffer;
   let gitInfo2 = { success: false };
-  if (srcFileStatus.isFile() && path9.extname(srcPath).toLowerCase() === ".fpr") {
+  if (srcFileStatus.isFile() && path10.extname(srcPath).toLowerCase() === ".fpr") {
     zipBuffer = await repackFpr(srcPath);
   } else {
     gitInfo2 = await getGitInfo(srcPath);
@@ -14639,11 +15286,11 @@ async function _digestReport({
       text: progressMassages.processingVulnerabilityReportSuccess
     });
     if (polling) {
-      debug19(
+      debug21(
         "[_digestReport] Using POLLING mode for analysis state updates (--polling flag enabled)"
       );
       console.log(
-        chalk6.cyan(
+        chalk7.cyan(
           "\u{1F504} [Polling Mode] Using HTTP polling instead of WebSocket for status updates"
         )
       );
@@ -14654,11 +15301,11 @@ async function _digestReport({
         timeoutInMs: VUL_REPORT_DIGEST_TIMEOUT_MS
       });
     } else {
-      debug19(
+      debug21(
         "[_digestReport] Using WEBSOCKET mode for analysis state updates (default)"
       );
       console.log(
-        chalk6.cyan(
+        chalk7.cyan(
           "\u{1F50C} [WebSocket Mode] Using WebSocket subscription for status updates"
         )
       );
@@ -14694,9 +15341,9 @@ async function waitForAnaysisAndReviewPr({
   gqlClient,
   polling
 }) {
-  const params = z30.object({
-    repo: z30.string().url(),
-    githubActionToken: z30.string()
+  const params = z31.object({
+    repo: z31.string().url(),
+    githubActionToken: z31.string()
   }).parse({ repo, githubActionToken });
   const scm = await createScmLib(
     {
@@ -14714,15 +15361,15 @@ async function waitForAnaysisAndReviewPr({
       analysisId: analysisId2,
       gqlClient,
       scm,
-      scanner: z30.nativeEnum(SCANNERS).parse(scanner)
+      scanner: z31.nativeEnum(SCANNERS).parse(scanner)
     });
   };
   if (polling) {
-    debug19(
+    debug21(
       "[waitForAnaysisAndReviewPr] Using POLLING mode for analysis state updates"
     );
     console.log(
-      chalk6.cyan(
+      chalk7.cyan(
         "\u{1F504} [Polling Mode] Waiting for analysis completion using HTTP polling"
       )
     );
@@ -14732,11 +15379,11 @@ async function waitForAnaysisAndReviewPr({
       callbackStates: ["Finished" /* Finished */]
     });
   } else {
-    debug19(
+    debug21(
       "[waitForAnaysisAndReviewPr] Using WEBSOCKET mode for analysis state updates"
     );
     console.log(
-      chalk6.cyan(
+      chalk7.cyan(
         "\u{1F50C} [WebSocket Mode] Waiting for analysis completion using WebSocket"
       )
     );
@@ -14752,12 +15399,12 @@ async function waitForAnaysisAndReviewPr({
 
 // src/commands/scan_skill_input.ts
 import fs11 from "fs";
-import path10 from "path";
+import path11 from "path";
 import AdmZip2 from "adm-zip";
 var LOCAL_SKILL_ZIP_DATA_URL_PREFIX = "data:application/zip;base64,";
 var MAX_LOCAL_SKILL_ARCHIVE_BYTES = 2 * 1024 * 1024;
 async function resolveSkillScanInput(skillInput) {
-  const resolvedPath = path10.resolve(skillInput);
+  const resolvedPath = path11.resolve(skillInput);
   if (!fs11.existsSync(resolvedPath)) {
     return skillInput;
   }
@@ -14771,18 +15418,18 @@ async function resolveSkillScanInput(skillInput) {
 }
 function packageLocalSkillDirectory(directoryPath) {
   const zip = new AdmZip2();
-  const rootPath = path10.resolve(directoryPath);
+  const rootPath = path11.resolve(directoryPath);
   const filePaths = listDirectoryFiles(rootPath);
   let hasSkillMd = false;
   for (const relativePath of filePaths) {
-    const fullPath = path10.join(rootPath, relativePath);
-    const normalizedFullPath = path10.resolve(fullPath);
-    if (normalizedFullPath !== rootPath && !normalizedFullPath.startsWith(rootPath + path10.sep)) {
+    const fullPath = path11.join(rootPath, relativePath);
+    const normalizedFullPath = path11.resolve(fullPath);
+    if (normalizedFullPath !== rootPath && !normalizedFullPath.startsWith(rootPath + path11.sep)) {
       continue;
     }
     const fileContent = fs11.readFileSync(normalizedFullPath);
     zip.addFile(relativePath, fileContent);
-    if (path10.basename(relativePath).toLowerCase() === "skill.md") {
+    if (path11.basename(relativePath).toLowerCase() === "skill.md") {
       hasSkillMd = true;
     }
   }
@@ -14800,17 +15447,17 @@ function packageLocalSkillDirectory(directoryPath) {
 function listDirectoryFiles(rootPath) {
   const files = [];
   function walk(relativeDir) {
-    const absoluteDir = path10.join(rootPath, relativeDir);
+    const absoluteDir = path11.join(rootPath, relativeDir);
     const entries = fs11.readdirSync(absoluteDir, { withFileTypes: true }).sort((left, right) => left.name.localeCompare(right.name));
     for (const entry of entries) {
-      const safeEntryName = path10.basename(entry.name).replace(/\0/g, "");
+      const safeEntryName = path11.basename(entry.name).replace(/\0/g, "");
       if (!safeEntryName) {
         continue;
       }
-      const relativePath = relativeDir ? path10.posix.join(relativeDir, safeEntryName) : safeEntryName;
-      const absolutePath = path10.join(rootPath, relativePath);
-      const normalizedAbsolutePath = path10.resolve(absolutePath);
-      if (normalizedAbsolutePath !== rootPath && !normalizedAbsolutePath.startsWith(rootPath + path10.sep)) {
+      const relativePath = relativeDir ? path11.posix.join(relativeDir, safeEntryName) : safeEntryName;
+      const absolutePath = path11.join(rootPath, relativePath);
+      const normalizedAbsolutePath = path11.resolve(absolutePath);
+      if (normalizedAbsolutePath !== rootPath && !normalizedAbsolutePath.startsWith(rootPath + path11.sep)) {
         continue;
       }
       if (entry.isSymbolicLink()) {
@@ -14898,831 +15545,266 @@ async function analyze({
       pullRequest,
       createOnePr,
       polling
-    },
-    { skipPrompts }
-  );
-}
-async function addScmToken(addScmTokenOptions) {
-  const { apiKey, token, organization, scmType, url, refreshToken, ci } = addScmTokenOptions;
-  const gqlClient = await getAuthenticatedGQLClient({
-    inputApiKey: apiKey,
-    isSkipPrompts: ci
-  });
-  if (!scmType) {
-    throw new CliError(errorMessages.invalidScmType);
-  }
-  const resp = await gqlClient.updateScmToken({
-    scmType,
-    url,
-    token,
-    org: organization,
-    refreshToken
-  });
-  if (resp.updateScmToken?.__typename === "RepoUnreachableError") {
-    throw new CliError(
-      "Mobb could not reach the repository. Please try again. If Mobb is connected through a broker, please make sure the broker is connected."
-    );
-  } else if (resp.updateScmToken?.__typename === "BadScmCredentials") {
-    throw new CliError("Invalid SCM credentials. Please try again.");
-  } else if (resp.updateScmToken?.__typename === "ScmAccessTokenUpdateSuccess") {
-    console.log("Token added successfully");
-  } else {
-    throw new CliError("Unexpected error, failed to add token");
-  }
-}
-async function scan(scanOptions, { skipPrompts = false } = {}) {
-  const { scanner, ci } = scanOptions;
-  !ci && await showWelcomeMessage(skipPrompts);
-  const selectedScanner = scanner || await choseScanner();
-  if (selectedScanner !== SCANNERS.Checkmarx && selectedScanner !== SCANNERS.Snyk) {
-    throw new CliError(
-      "Vulnerability scanning via Bugsy is available only with Snyk and Checkmarx at the moment. Additional scanners will follow soon."
-    );
-  }
-  selectedScanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
-  if (selectedScanner === SCANNERS.Checkmarx && !scanOptions.cxProjectName) {
-    throw new CliError(errorMessages.missingCxProjectName);
-  }
-  await runAnalysis(
-    { ...scanOptions, scanner: selectedScanner, command: "scan" },
-    { skipPrompts }
-  );
-}
-async function showWelcomeMessage(skipPrompts = false) {
-  console.log(mobbAscii);
-  const welcome = chalkAnimation.rainbow("\n			Welcome to Bugsy\n");
-  skipPrompts ? await sleep(100) : await sleep(2e3);
-  welcome.stop();
-}
-var VERDICT_COLORS = {
-  BENIGN: "green",
-  WARNING: "yellow",
-  SUSPICIOUS: "magenta",
-  MALICIOUS: "red"
-};
-var SEVERITY_COLORS = {
-  CRITICAL: "red",
-  HIGH: "magenta",
-  MEDIUM: "yellow",
-  LOW: "cyan"
-};
-async function scanSkill(options) {
-  const { url, apiKey, ci } = options;
-  const gqlClient = await getAuthenticatedGQLClient({
-    inputApiKey: apiKey,
-    isSkipPrompts: ci
-  });
-  console.log(chalk7.dim(`Scanning skill: ${url}`));
-  console.log();
-  const skillUrl = await resolveSkillScanInput(url);
-  const result = await gqlClient.scanSkill({ skillUrl });
-  const scan2 = result.scanSkill;
-  const verdictColor = VERDICT_COLORS[scan2.verdict] ?? "white";
-  console.log(
-    chalk7.bold(`Verdict: `) + chalk7[verdictColor](
-      scan2.verdict
-    )
-  );
-  console.log(`Skill: ${scan2.skillName}`);
-  if (scan2.skillVersion) {
-    console.log(`Version: ${scan2.skillVersion}`);
-  }
-  console.log(`Hash: ${scan2.skillHash ?? "N/A"}`);
-  console.log(`Findings: ${scan2.findingsCount}`);
-  console.log(`Duration: ${scan2.scanDurationMs}ms`);
-  if (scan2.cached) {
-    console.log(chalk7.dim("(cached result)"));
-  }
-  console.log();
-  if (scan2.findings.length > 0) {
-    console.log(chalk7.bold("Findings:"));
-    console.log();
-    for (const f of scan2.findings) {
-      const sevColor = SEVERITY_COLORS[f.severity] ?? "white";
-      const location = [f.filePath, f.lineNumber].filter(Boolean).join(":");
-      console.log(
-        `  ${chalk7[sevColor](f.severity)} [${f.layer}] ${f.category}${f.ruleId ? ` (${f.ruleId})` : ""}`
-      );
-      if (location) {
-        console.log(`    ${chalk7.dim(location)}`);
-      }
-      console.log(`    ${f.explanation}`);
-      if (f.evidence) {
-        console.log(
-          `    ${String(chalk7.dim("Evidence: " + f.evidence.slice(0, 120))).replace(/\n|\r/g, "")}`
-        );
-      }
-      console.log();
-    }
-  }
-  if (scan2.summary) {
-    console.log(chalk7.bold("Analysis:"));
-    console.log(`  ${scan2.summary}`);
-    console.log();
-  }
-  if (scan2.verdict === "MALICIOUS" || scan2.verdict === "SUSPICIOUS") {
-    process.exit(2);
-  }
-}
-
-// src/args/validation.ts
-import chalk8 from "chalk";
-import path11 from "path";
-import { z as z31 } from "zod";
-function throwRepoUrlErrorMessage({
-  error,
-  repoUrl,
-  command
-}) {
-  const errorMessage = error.issues[error.issues.length - 1]?.message;
-  const formattedErrorMessage = `
-Error: ${chalk8.bold(
-    repoUrl
-  )} is ${errorMessage}
-Example: 
-	mobbdev ${command} -r ${chalk8.bold(
-    "https://github.com/WebGoat/WebGoat"
-  )}`;
-  throw new CliError(formattedErrorMessage);
-}
-var UrlZ = z31.string({
-  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
-});
-function validateOrganizationId(organizationId) {
-  const orgIdValidation = z31.string().uuid().nullish().safeParse(organizationId);
-  if (!orgIdValidation.success) {
-    throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
-  }
-}
-function validateRepoUrl(args) {
-  const repoSafeParseResult = UrlZ.safeParse(args.repo);
-  const { success } = repoSafeParseResult;
-  const [command] = args._;
-  if (!command) {
-    throw new CliError("Command not found");
-  }
-  if (!success) {
-    throwRepoUrlErrorMessage({
-      error: repoSafeParseResult.error,
-      repoUrl: args.repo,
-      command
-    });
-  }
-}
-var supportExtensions = [".json", ".xml", ".fpr", ".sarif", ".zip"];
-function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path11.extname(reportFile))) {
-    throw new CliError(
-      `
-${chalk8.bold(
-        reportFile
-      )} is not a supported file extension. Supported extensions are: ${chalk8.bold(
-        supportExtensions.join(", ")
-      )}
-`
-    );
-  }
-}
-
-// src/args/commands/analyze.ts
-function analyzeBuilder(yargs2) {
-  return yargs2.option("f", {
-    alias: "scan-file",
-    type: "string",
-    describe: chalk9.bold(
-      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
-    )
-  }).option("repo", repoOption).option("p", {
-    alias: "src-path",
-    describe: chalk9.bold(
-      "Path to the repository folder with the source code; alternatively, you can specify the Fortify FPR file to extract source code out of it"
-    ),
-    type: "string"
-  }).option("ref", refOption).option("ch", {
-    alias: "commit-hash",
-    describe: chalk9.bold("Hash of the commit"),
-    type: "string"
-  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).option("create-one-pr", createOnePrOption).option("commit-directly", commitDirectlyOption).option("pull-request", {
-    alias: ["pr", "pr-number", "pr-id"],
-    describe: chalk9.bold("Number of the pull request"),
-    type: "number",
-    demandOption: false
-  }).option("polling", pollingOption).example(
-    "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
-    "analyze an existing repository"
-  ).help();
-}
-function validateAnalyzeOptions(argv) {
-  if (argv.f && !fs12.existsSync(argv.f)) {
-    throw new CliError(`
-Can't access ${chalk9.bold(argv.f)}`);
-  }
-  validateOrganizationId(argv.organizationId);
-  if (!argv.srcPath && !argv.repo) {
-    throw new CliError("You must supply either --src-path or --repo");
-  }
-  if (!argv.srcPath && argv.repo) {
-    validateRepoUrl(argv);
-  }
-  if (argv.ci && !argv.apiKey) {
-    throw new CliError("--ci flag requires --api-key to be provided as well");
-  }
-  if (argv.commitDirectly && !argv["auto-pr"]) {
-    throw new CliError(
-      "--commit-directly flag requires --auto-pr to be provided as well"
-    );
-  }
-  if (argv["create-one-pr"] && !argv["auto-pr"]) {
-    throw new CliError(
-      "--create-one-pr flag requires --auto-pr to be provided as well"
-    );
-  }
-  if (argv["create-one-pr"] && argv.commitDirectly) {
-    throw new CliError(
-      "--create-one-pr and --commit-directly cannot be provided at the same time"
-    );
-  }
-  if (argv.pullRequest && !argv.commitDirectly) {
-    throw new CliError(
-      "--pull-request flag requires --commit-directly to be provided as well"
-    );
-  }
-  if (argv.f) {
-    validateReportFileFormat(argv.f);
-  }
-}
-async function analyzeHandler(args) {
-  validateAnalyzeOptions(args);
-  await analyze(args, { skipPrompts: args.yes });
-}
-
-// src/features/claude_code/data_collector.ts
-import { z as z33 } from "zod";
-
-// src/args/commands/upload_ai_blame.ts
-import fsPromises3 from "fs/promises";
-import * as os3 from "os";
-import path12 from "path";
-import chalk10 from "chalk";
-import { withFile } from "tmp-promise";
-import z32 from "zod";
-init_client_generates();
-init_GitService();
-init_urlParser2();
-
-// src/utils/computerName.ts
-import { execSync } from "child_process";
-import os2 from "os";
-var STABLE_COMPUTER_NAME_CONFIG_KEY = "stableComputerName";
-var HOSTNAME_SUFFIXES = [
-  // Cloud providers (must be first - most specific)
-  ".ec2.internal",
-  ".compute.internal",
-  ".cloudapp.net",
-  // mDNS/Bonjour
-  ".local",
-  ".localhost",
-  ".localdomain",
-  // Home networks
-  ".lan",
-  ".home",
-  ".homelan",
-  // Corporate networks
-  ".corp",
-  ".internal",
-  ".intranet",
-  ".domain",
-  ".work",
-  ".office",
-  // Container environments
-  ".docker",
-  ".kubernetes",
-  ".k8s"
-];
-function getOsSpecificComputerName() {
-  const platform2 = os2.platform();
-  try {
-    if (platform2 === "darwin") {
-      const result = execSync("scutil --get LocalHostName", {
-        encoding: "utf-8",
-        timeout: 1e3
-      });
-      return result.trim();
-    } else if (platform2 === "win32") {
-      return process.env["COMPUTERNAME"] || null;
-    } else {
-      try {
-        const result2 = execSync("hostnamectl --static", {
-          encoding: "utf-8",
-          timeout: 1e3
-        });
-        const hostname = result2.trim();
-        if (hostname) return hostname;
-      } catch {
-      }
-      const result = execSync("cat /etc/hostname", {
-        encoding: "utf-8",
-        timeout: 1e3
-      });
-      return result.trim();
-    }
-  } catch (error) {
-    return null;
-  }
-}
-function stripHostnameSuffixes(hostname) {
-  if (!hostname) return hostname;
-  let normalized = hostname;
-  for (const suffix of HOSTNAME_SUFFIXES) {
-    if (normalized.endsWith(suffix)) {
-      normalized = normalized.slice(0, -suffix.length);
-      break;
-    }
-  }
-  return normalized;
-}
-function generateStableComputerName() {
-  const osSpecificName = getOsSpecificComputerName();
-  if (osSpecificName) {
-    return osSpecificName;
-  }
-  const currentHostname = os2.hostname();
-  return stripHostnameSuffixes(currentHostname);
-}
-function getStableComputerName() {
-  const cached = configStore.get(STABLE_COMPUTER_NAME_CONFIG_KEY);
-  if (cached) {
-    return cached;
-  }
-  const currentName = generateStableComputerName();
-  configStore.set(STABLE_COMPUTER_NAME_CONFIG_KEY, currentName);
-  return currentName;
-}
-
-// src/utils/sanitize-sensitive-data.ts
-import { OpenRedaction } from "@openredaction/openredaction";
-var openRedaction = new OpenRedaction({
-  patterns: [
-    // Core Personal Data
-    // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
-    // Prefer false negatives over false positives for this use case.
-    "SSN",
-    "NATIONAL_INSURANCE_UK",
-    "DATE_OF_BIRTH",
-    // Identity Documents
-    "PASSPORT_UK",
-    "PASSPORT_US",
-    "PASSPORT_MRZ_TD1",
-    "PASSPORT_MRZ_TD3",
-    "DRIVING_LICENSE_UK",
-    "DRIVING_LICENSE_US",
-    "VISA_NUMBER",
-    "VISA_MRZ",
-    "TAX_ID",
-    // Financial Data (removed SWIFT_BIC, CARD_AUTH_CODE - too broad, causing false positives with authentication words)
-    // Removed CREDIT_CARD - causes false positives on zero-filled UUIDs (e.g. '00000000-0000-0000-0000-000000000000')
-    // Prefer false negatives over false positives for this use case.
-    "IBAN",
-    "BANK_ACCOUNT_UK",
-    "ROUTING_NUMBER_US",
-    "CARD_TRACK1_DATA",
-    "CARD_TRACK2_DATA",
-    "CARD_EXPIRY",
-    // Cryptocurrency (removed BITCOIN_ADDRESS - too broad, matches hash-like strings)
-    "ETHEREUM_ADDRESS",
-    "LITECOIN_ADDRESS",
-    "CARDANO_ADDRESS",
-    "SOLANA_ADDRESS",
-    "MONERO_ADDRESS",
-    "RIPPLE_ADDRESS",
-    // Medical Data (removed PRESCRIPTION_NUMBER - too broad, matches words containing "ription")
-    // Removed MEDICAL_RECORD_NUMBER - too broad, "MR" prefix matches "Merge Request" in SCM contexts (e.g. "MR branches" → "MR br****es")
-    "NHS_NUMBER",
-    "AUSTRALIAN_MEDICARE",
-    "HEALTH_PLAN_NUMBER",
-    "PATIENT_ID",
-    // Communications (removed EMERGENCY_CONTACT, ADDRESS_PO_BOX, ZIP_CODE_US, PHONE_US, PHONE_INTERNATIONAL - too broad, causing false positives)
-    "PHONE_UK",
-    "PHONE_UK_MOBILE",
-    "PHONE_LINE_NUMBER",
-    "ADDRESS_STREET",
-    "POSTCODE_UK",
-    // Network & Technical
-    "IPV4",
-    "IPV6",
-    "MAC_ADDRESS",
-    "URL_WITH_AUTH",
-    // Security Keys & Tokens
-    "PRIVATE_KEY",
-    "SSH_PRIVATE_KEY",
-    "AWS_SECRET_KEY",
-    "AWS_ACCESS_KEY",
-    "AZURE_STORAGE_KEY",
-    "GCP_SERVICE_ACCOUNT",
-    "JWT_TOKEN",
-    "OAUTH_TOKEN",
-    "OAUTH_CLIENT_SECRET",
-    "BEARER_TOKEN",
-    "PAYMENT_TOKEN",
-    "GENERIC_SECRET",
-    "GENERIC_API_KEY",
-    // Platform-Specific API Keys
-    "GITHUB_TOKEN",
-    "SLACK_TOKEN",
-    "STRIPE_API_KEY",
-    "GOOGLE_API_KEY",
-    "FIREBASE_API_KEY",
-    "HEROKU_API_KEY",
-    "MAILGUN_API_KEY",
-    "SENDGRID_API_KEY",
-    "TWILIO_API_KEY",
-    "NPM_TOKEN",
-    "PYPI_TOKEN",
-    "DOCKER_AUTH",
-    "KUBERNETES_SECRET",
-    // Government & Legal
-    // Removed CLIENT_ID - too broad, "client" is ubiquitous in code (npm packages like @scope/client-*, class names like ClientSdkOptions)
-    "POLICE_REPORT_NUMBER",
-    "IMMIGRATION_NUMBER",
-    "COURT_REPORTER_LICENSE"
-  ]
-});
-function maskString(str, showStart = 2, showEnd = 2) {
-  if (str.length <= showStart + showEnd) {
-    return "*".repeat(str.length);
-  }
-  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
-}
-async function sanitizeDataWithCounts(obj) {
-  const counts = {
-    detections: { total: 0, high: 0, medium: 0, low: 0 }
-  };
-  const sanitizeString = async (str) => {
-    let result = str;
-    const piiDetections = openRedaction.scan(str);
-    if (piiDetections && piiDetections.total > 0) {
-      const allDetections = [
-        ...piiDetections.high,
-        ...piiDetections.medium,
-        ...piiDetections.low
-      ];
-      for (const detection of allDetections) {
-        counts.detections.total++;
-        if (detection.severity === "high") counts.detections.high++;
-        else if (detection.severity === "medium") counts.detections.medium++;
-        else if (detection.severity === "low") counts.detections.low++;
-        const masked = maskString(detection.value);
-        result = result.replaceAll(detection.value, masked);
-      }
-    }
-    return result;
-  };
-  const sanitizeRecursive = async (data) => {
-    if (typeof data === "string") {
-      return sanitizeString(data);
-    } else if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => sanitizeRecursive(item)));
-    } else if (data instanceof Error) {
-      return data;
-    } else if (data instanceof Date) {
-      return data;
-    } else if (typeof data === "object" && data !== null) {
-      const sanitized = {};
-      const record = data;
-      for (const key in record) {
-        if (Object.prototype.hasOwnProperty.call(record, key)) {
-          sanitized[key] = await sanitizeRecursive(record[key]);
-        }
-      }
-      return sanitized;
-    }
-    return data;
-  };
-  const sanitizedData = await sanitizeRecursive(obj);
-  return { sanitizedData, counts };
+    },
+    { skipPrompts }
+  );
 }
-
-// src/args/commands/upload_ai_blame.ts
-var defaultLogger2 = {
-  info: (msg, data) => {
-    if (data !== void 0) {
-      console.log(msg, data);
-    } else {
-      console.log(msg);
-    }
-  },
-  error: (msg, data) => {
-    if (data !== void 0) {
-      console.error(msg, data);
-    } else {
-      console.error(msg);
-    }
+async function addScmToken(addScmTokenOptions) {
+  const { apiKey, token, organization, scmType, url, refreshToken, ci } = addScmTokenOptions;
+  const gqlClient = await getAuthenticatedGQLClient({
+    inputApiKey: apiKey,
+    isSkipPrompts: ci
+  });
+  if (!scmType) {
+    throw new CliError(errorMessages.invalidScmType);
   }
-};
-var PromptItemZ = z32.object({
-  type: z32.enum([
-    "USER_PROMPT",
-    "AI_RESPONSE",
-    "TOOL_EXECUTION",
-    "AI_THINKING",
-    "MCP_TOOL_CALL"
-    // MCP (Model Context Protocol) tool invocation
-  ]),
-  attachedFiles: z32.array(
-    z32.object({
-      relativePath: z32.string(),
-      startLine: z32.number().optional()
-    })
-  ).optional(),
-  tokens: z32.object({
-    inputCount: z32.number(),
-    outputCount: z32.number()
-  }).optional(),
-  text: z32.string().optional(),
-  date: z32.date().optional(),
-  tool: z32.object({
-    name: z32.string(),
-    parameters: z32.string(),
-    result: z32.string(),
-    rawArguments: z32.string().optional(),
-    accepted: z32.boolean().optional(),
-    // MCP-specific fields (only populated for MCP_TOOL_CALL type)
-    mcpServer: z32.string().optional(),
-    // MCP server name (e.g., "datadog", "mobb-mcp")
-    mcpToolName: z32.string().optional()
-    // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
-  }).optional()
-});
-var PromptItemArrayZ = z32.array(PromptItemZ);
-async function getRepositoryUrl() {
-  try {
-    const gitService = new GitService(process.cwd());
-    const isRepo = await gitService.isGitRepository();
-    if (!isRepo) {
-      return null;
-    }
-    const remoteUrl = await gitService.getRemoteUrl();
-    const parsed = parseScmURL(remoteUrl);
-    return parsed?.scmType === "GitHub" /* GitHub */ || parsed?.scmType === "GitLab" /* GitLab */ ? remoteUrl : null;
-  } catch {
-    return null;
+  const resp = await gqlClient.updateScmToken({
+    scmType,
+    url,
+    token,
+    org: organization,
+    refreshToken
+  });
+  if (resp.updateScmToken?.__typename === "RepoUnreachableError") {
+    throw new CliError(
+      "Mobb could not reach the repository. Please try again. If Mobb is connected through a broker, please make sure the broker is connected."
+    );
+  } else if (resp.updateScmToken?.__typename === "BadScmCredentials") {
+    throw new CliError("Invalid SCM credentials. Please try again.");
+  } else if (resp.updateScmToken?.__typename === "ScmAccessTokenUpdateSuccess") {
+    console.log("Token added successfully");
+  } else {
+    throw new CliError("Unexpected error, failed to add token");
   }
 }
-function getSystemInfo() {
-  let userName;
-  try {
-    userName = os3.userInfo().username;
-  } catch {
-    userName = void 0;
+async function scan(scanOptions, { skipPrompts = false } = {}) {
+  const { scanner, ci } = scanOptions;
+  !ci && await showWelcomeMessage(skipPrompts);
+  const selectedScanner = scanner || await choseScanner();
+  if (selectedScanner !== SCANNERS.Checkmarx && selectedScanner !== SCANNERS.Snyk) {
+    throw new CliError(
+      "Vulnerability scanning via Bugsy is available only with Snyk and Checkmarx at the moment. Additional scanners will follow soon."
+    );
   }
-  return {
-    computerName: getStableComputerName(),
-    userName
-  };
+  selectedScanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
+  if (selectedScanner === SCANNERS.Checkmarx && !scanOptions.cxProjectName) {
+    throw new CliError(errorMessages.missingCxProjectName);
+  }
+  await runAnalysis(
+    { ...scanOptions, scanner: selectedScanner, command: "scan" },
+    { skipPrompts }
+  );
 }
-function uploadAiBlameBuilder(args) {
-  return args.option("prompt", {
-    type: "string",
-    array: true,
-    demandOption: true,
-    describe: chalk10.bold("Path(s) to prompt artifact(s) (one per session)")
-  }).option("inference", {
-    type: "string",
-    array: true,
-    demandOption: true,
-    describe: chalk10.bold(
-      "Path(s) to inference artifact(s) (one per session)"
-    )
-  }).option("ai-response-at", {
-    type: "string",
-    array: true,
-    describe: chalk10.bold(
-      "ISO timestamp(s) for AI response (one per session, defaults to now)"
-    )
-  }).option("model", {
-    type: "string",
-    array: true,
-    describe: chalk10.bold("AI model name(s) (optional, one per session)")
-  }).option("tool-name", {
-    type: "string",
-    array: true,
-    describe: chalk10.bold("Tool/IDE name(s) (optional, one per session)")
-  }).option("blame-type", {
-    type: "string",
-    array: true,
-    choices: Object.values(AiBlameInferenceType),
-    describe: chalk10.bold(
-      "Blame type(s) (optional, one per session, defaults to CHAT)"
-    )
-  }).strict();
+async function showWelcomeMessage(skipPrompts = false) {
+  console.log(mobbAscii);
+  const welcome = chalkAnimation.rainbow("\n			Welcome to Bugsy\n");
+  skipPrompts ? await sleep(100) : await sleep(2e3);
+  welcome.stop();
 }
-async function uploadAiBlameHandlerFromExtension(args) {
-  const uploadArgs = {
-    prompt: [],
-    inference: [],
-    model: [],
-    toolName: [],
-    aiResponseAt: [],
-    blameType: [],
-    sessionId: []
-  };
-  let promptsCounts;
-  let inferenceCounts;
-  let promptsUUID;
-  let inferenceUUID;
-  await withFile(async (promptFile) => {
-    const promptsResult = await sanitizeDataWithCounts(args.prompts);
-    promptsCounts = promptsResult.counts;
-    promptsUUID = path12.basename(promptFile.path, path12.extname(promptFile.path));
-    await fsPromises3.writeFile(
-      promptFile.path,
-      JSON.stringify(promptsResult.sanitizedData, null, 2),
-      "utf-8"
-    );
-    uploadArgs.prompt.push(promptFile.path);
-    await withFile(async (inferenceFile) => {
-      const inferenceResult = await sanitizeDataWithCounts(args.inference);
-      inferenceCounts = inferenceResult.counts;
-      inferenceUUID = path12.basename(
-        inferenceFile.path,
-        path12.extname(inferenceFile.path)
-      );
-      await fsPromises3.writeFile(
-        inferenceFile.path,
-        inferenceResult.sanitizedData,
-        "utf-8"
-      );
-      uploadArgs.inference.push(inferenceFile.path);
-      uploadArgs.model.push(args.model);
-      uploadArgs.toolName.push(args.tool);
-      uploadArgs.aiResponseAt.push(args.responseTime);
-      uploadArgs.blameType.push(args.blameType || "CHAT" /* Chat */);
-      if (args.sessionId) {
-        uploadArgs.sessionId.push(args.sessionId);
-      }
-      await uploadAiBlameHandler({
-        args: uploadArgs,
-        exitOnError: false,
-        apiUrl: args.apiUrl,
-        webAppUrl: args.webAppUrl,
-        repositoryUrl: args.repositoryUrl
-      });
-    });
+var VERDICT_COLORS = {
+  BENIGN: "green",
+  WARNING: "yellow",
+  SUSPICIOUS: "magenta",
+  MALICIOUS: "red"
+};
+var SEVERITY_COLORS = {
+  CRITICAL: "red",
+  HIGH: "magenta",
+  MEDIUM: "yellow",
+  LOW: "cyan"
+};
+async function scanSkill(options) {
+  const { url, apiKey, ci } = options;
+  const gqlClient = await getAuthenticatedGQLClient({
+    inputApiKey: apiKey,
+    isSkipPrompts: ci
   });
-  return {
-    promptsCounts,
-    inferenceCounts,
-    promptsUUID,
-    inferenceUUID
-  };
-}
-async function uploadAiBlameHandler(options) {
-  const {
-    args,
-    exitOnError = true,
-    apiUrl,
-    webAppUrl,
-    logger: logger2 = defaultLogger2
-  } = options;
-  const prompts = args.prompt || [];
-  const inferences = args.inference || [];
-  const models = args.model || [];
-  const tools = args.toolName || args["tool-name"] || [];
-  const responseTimes = args.aiResponseAt || args["ai-response-at"] || [];
-  const blameTypes = args.blameType || args["blame-type"] || [];
-  const sessionIds = args.sessionId || args["session-id"] || [];
-  if (prompts.length !== inferences.length) {
-    const errorMsg = "prompt and inference must have the same number of entries";
-    logger2.error(chalk10.red(errorMsg));
-    if (exitOnError) {
-      process.exit(1);
-    }
-    throw new Error(errorMsg);
+  console.log(chalk8.dim(`Scanning skill: ${url}`));
+  console.log();
+  const skillUrl = await resolveSkillScanInput(url);
+  const result = await gqlClient.scanSkill({ skillUrl });
+  const scan2 = result.scanSkill;
+  const verdictColor = VERDICT_COLORS[scan2.verdict] ?? "white";
+  console.log(
+    chalk8.bold(`Verdict: `) + chalk8[verdictColor](
+      scan2.verdict
+    )
+  );
+  console.log(`Skill: ${scan2.skillName}`);
+  if (scan2.skillVersion) {
+    console.log(`Version: ${scan2.skillVersion}`);
   }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  const { computerName, userName } = getSystemInfo();
-  const repositoryUrl = options.repositoryUrl !== void 0 ? options.repositoryUrl : await getRepositoryUrl();
-  const sessions = [];
-  for (let i = 0; i < prompts.length; i++) {
-    const promptPath = String(prompts[i]);
-    const inferencePath = String(inferences[i]);
-    try {
-      await Promise.all([
-        fsPromises3.access(promptPath),
-        fsPromises3.access(inferencePath)
-      ]);
-    } catch {
-      const errorMsg = `File not found for session ${i + 1}`;
-      logger2.error(chalk10.red(errorMsg));
-      if (exitOnError) {
-        process.exit(1);
+  console.log(`Hash: ${scan2.skillHash ?? "N/A"}`);
+  console.log(`Findings: ${scan2.findingsCount}`);
+  console.log(`Duration: ${scan2.scanDurationMs}ms`);
+  if (scan2.cached) {
+    console.log(chalk8.dim("(cached result)"));
+  }
+  console.log();
+  if (scan2.findings.length > 0) {
+    console.log(chalk8.bold("Findings:"));
+    console.log();
+    for (const f of scan2.findings) {
+      const sevColor = SEVERITY_COLORS[f.severity] ?? "white";
+      const location = [f.filePath, f.lineNumber].filter(Boolean).join(":");
+      console.log(
+        `  ${chalk8[sevColor](f.severity)} [${f.layer}] ${f.category}${f.ruleId ? ` (${f.ruleId})` : ""}`
+      );
+      if (location) {
+        console.log(`    ${chalk8.dim(location)}`);
       }
-      throw new Error(errorMsg);
+      console.log(`    ${f.explanation}`);
+      if (f.evidence) {
+        console.log(
+          `    ${String(chalk8.dim("Evidence: " + f.evidence.slice(0, 120))).replace(/\n|\r/g, "")}`
+        );
+      }
+      console.log();
     }
-    sessions.push({
-      promptFileName: path12.basename(promptPath),
-      inferenceFileName: path12.basename(inferencePath),
-      aiResponseAt: responseTimes[i] || nowIso,
-      model: models[i],
-      toolName: tools[i],
-      blameType: blameTypes[i] || "CHAT" /* Chat */,
-      computerName,
-      userName,
-      sessionId: sessionIds[i],
-      repositoryUrl
+  }
+  if (scan2.summary) {
+    console.log(chalk8.bold("Analysis:"));
+    console.log(`  ${scan2.summary}`);
+    console.log();
+  }
+  if (scan2.verdict === "MALICIOUS" || scan2.verdict === "SUSPICIOUS") {
+    process.exit(2);
+  }
+}
+
+// src/args/validation.ts
+import chalk9 from "chalk";
+import path12 from "path";
+import { z as z32 } from "zod";
+function throwRepoUrlErrorMessage({
+  error,
+  repoUrl,
+  command
+}) {
+  const errorMessage = error.issues[error.issues.length - 1]?.message;
+  const formattedErrorMessage = `
+Error: ${chalk9.bold(
+    repoUrl
+  )} is ${errorMessage}
+Example: 
+	mobbdev ${command} -r ${chalk9.bold(
+    "https://github.com/WebGoat/WebGoat"
+  )}`;
+  throw new CliError(formattedErrorMessage);
+}
+var UrlZ = z32.string({
+  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
+});
+function validateOrganizationId(organizationId) {
+  const orgIdValidation = z32.string().uuid().nullish().safeParse(organizationId);
+  if (!orgIdValidation.success) {
+    throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
+  }
+}
+function validateRepoUrl(args) {
+  const repoSafeParseResult = UrlZ.safeParse(args.repo);
+  const { success } = repoSafeParseResult;
+  const [command] = args._;
+  if (!command) {
+    throw new CliError("Command not found");
+  }
+  if (!success) {
+    throwRepoUrlErrorMessage({
+      error: repoSafeParseResult.error,
+      repoUrl: args.repo,
+      command
     });
   }
-  const authenticatedClient = await getAuthenticatedGQLClient({
-    isSkipPrompts: true,
-    apiUrl,
-    webAppUrl
-  });
-  const initSessions = sessions.map(
-    ({ sessionId: _sessionId, ...rest }) => rest
-  );
-  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
-    sessions: initSessions
-  });
-  const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
-  if (uploadSessions.length !== sessions.length) {
-    const errorMsg = "Init failed to return expected number of sessions";
-    logger2.error(chalk10.red(errorMsg));
-    if (exitOnError) {
-      process.exit(1);
-    }
-    throw new Error(errorMsg);
+}
+var supportExtensions = [".json", ".xml", ".fpr", ".sarif", ".zip"];
+function validateReportFileFormat(reportFile) {
+  if (!supportExtensions.includes(path12.extname(reportFile))) {
+    throw new CliError(
+      `
+${chalk9.bold(
+        reportFile
+      )} is not a supported file extension. Supported extensions are: ${chalk9.bold(
+        supportExtensions.join(", ")
+      )}
+`
+    );
   }
-  for (let i = 0; i < uploadSessions.length; i++) {
-    const us = uploadSessions[i];
-    const promptPath = String(prompts[i]);
-    const inferencePath = String(inferences[i]);
-    await Promise.all([
-      // Prompt
-      uploadFile({
-        file: promptPath,
-        url: us.prompt.url,
-        uploadFields: JSON.parse(us.prompt.uploadFieldsJSON),
-        uploadKey: us.prompt.uploadKey
-      }),
-      // Inference
-      uploadFile({
-        file: inferencePath,
-        url: us.inference.url,
-        uploadFields: JSON.parse(us.inference.uploadFieldsJSON),
-        uploadKey: us.inference.uploadKey
-      })
-    ]);
+}
+
+// src/args/commands/analyze.ts
+function analyzeBuilder(yargs2) {
+  return yargs2.option("f", {
+    alias: "scan-file",
+    type: "string",
+    describe: chalk10.bold(
+      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
+    )
+  }).option("repo", repoOption).option("p", {
+    alias: "src-path",
+    describe: chalk10.bold(
+      "Path to the repository folder with the source code; alternatively, you can specify the Fortify FPR file to extract source code out of it"
+    ),
+    type: "string"
+  }).option("ref", refOption).option("ch", {
+    alias: "commit-hash",
+    describe: chalk10.bold("Hash of the commit"),
+    type: "string"
+  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).option("create-one-pr", createOnePrOption).option("commit-directly", commitDirectlyOption).option("pull-request", {
+    alias: ["pr", "pr-number", "pr-id"],
+    describe: chalk10.bold("Number of the pull request"),
+    type: "number",
+    demandOption: false
+  }).option("polling", pollingOption).example(
+    "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
+    "analyze an existing repository"
+  ).help();
+}
+function validateAnalyzeOptions(argv) {
+  if (argv.f && !fs12.existsSync(argv.f)) {
+    throw new CliError(`
+Can't access ${chalk10.bold(argv.f)}`);
   }
-  const finalizeSessions = uploadSessions.map((us, i) => {
-    const s = sessions[i];
-    return {
-      aiBlameInferenceId: us.aiBlameInferenceId,
-      promptKey: us.prompt.uploadKey,
-      inferenceKey: us.inference.uploadKey,
-      aiResponseAt: s.aiResponseAt,
-      model: s.model,
-      toolName: s.toolName,
-      blameType: s.blameType,
-      computerName: s.computerName,
-      userName: s.userName,
-      sessionId: s.sessionId,
-      repositoryUrl: s.repositoryUrl
-    };
-  });
-  try {
-    logger2.info(
-      `[UPLOAD] Calling finalizeAIBlameInferencesUploadRaw with ${finalizeSessions.length} sessions`
+  validateOrganizationId(argv.organizationId);
+  if (!argv.srcPath && !argv.repo) {
+    throw new CliError("You must supply either --src-path or --repo");
+  }
+  if (!argv.srcPath && argv.repo) {
+    validateRepoUrl(argv);
+  }
+  if (argv.ci && !argv.apiKey) {
+    throw new CliError("--ci flag requires --api-key to be provided as well");
+  }
+  if (argv.commitDirectly && !argv["auto-pr"]) {
+    throw new CliError(
+      "--commit-directly flag requires --auto-pr to be provided as well"
     );
-    const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw(
-      {
-        sessions: finalizeSessions
-      }
+  }
+  if (argv["create-one-pr"] && !argv["auto-pr"]) {
+    throw new CliError(
+      "--create-one-pr flag requires --auto-pr to be provided as well"
     );
-    logger2.info("[UPLOAD] Finalize response:", JSON.stringify(finRes, null, 2));
-    const status = finRes?.finalizeAIBlameInferencesUpload?.status;
-    if (status !== "OK") {
-      const errorMsg = finRes?.finalizeAIBlameInferencesUpload?.error || "unknown error";
-      logger2.error(
-        chalk10.red(
-          `[UPLOAD] Finalize failed with status: ${status}, error: ${errorMsg}`
-        )
-      );
-      if (exitOnError) {
-        process.exit(1);
-      }
-      throw new Error(errorMsg);
-    }
-    logger2.info(chalk10.green("[UPLOAD] AI Blame uploads finalized successfully"));
-  } catch (error) {
-    logger2.error("[UPLOAD] Finalize threw error:", error);
-    throw error;
+  }
+  if (argv["create-one-pr"] && argv.commitDirectly) {
+    throw new CliError(
+      "--create-one-pr and --commit-directly cannot be provided at the same time"
+    );
+  }
+  if (argv.pullRequest && !argv.commitDirectly) {
+    throw new CliError(
+      "--pull-request flag requires --commit-directly to be provided as well"
+    );
+  }
+  if (argv.f) {
+    validateReportFileFormat(argv.f);
   }
 }
-async function uploadAiBlameCommandHandler(args) {
-  await uploadAiBlameHandler({ args });
+async function analyzeHandler(args) {
+  validateAnalyzeOptions(args);
+  await analyze(args, { skipPrompts: args.yes });
 }
 
 // src/features/claude_code/data_collector.ts
+import { z as z33 } from "zod";
 init_client_generates();
 init_GitService();
 init_urlParser2();
@@ -16348,7 +16430,7 @@ var log = logger.log.bind(logger);
 
 // src/mcp/services/McpGQLClient.ts
 import crypto3 from "crypto";
-import { GraphQLClient as GraphQLClient2 } from "graphql-request";
+import { ClientError as ClientError2, GraphQLClient as GraphQLClient2 } from "graphql-request";
 import { v4 as uuidv42 } from "uuid";
 init_client_generates();
 init_configs();
@@ -16487,12 +16569,15 @@ import crypto2 from "crypto";
 import os5 from "os";
 import open4 from "open";
 init_configs();
-var McpAuthService = class {
+var _McpAuthService = class _McpAuthService {
   constructor(client) {
     __publicField(this, "client");
-    __publicField(this, "lastBrowserOpenTime", 0);
     this.client = client;
   }
+  /** Reset cooldown state. Used by tests to ensure isolation. */
+  static resetCooldown() {
+    _McpAuthService.lastBrowserOpenTime = 0;
+  }
   /**
    * Opens a browser window for authentication
    * @param url URL to open in browser
@@ -16501,14 +16586,15 @@ var McpAuthService = class {
   async openBrowser(url, isBackgoundCall) {
     if (isBackgoundCall) {
       const now = Date.now();
-      if (now - this.lastBrowserOpenTime < MCP_TOOLS_BROWSER_COOLDOWN_MS) {
+      if (now - _McpAuthService.lastBrowserOpenTime < MCP_TOOLS_BROWSER_COOLDOWN_MS) {
         logDebug(`browser cooldown active, skipping open for ${url}`);
-        return;
+        return false;
       }
     }
     logDebug(`opening browser url ${url}`);
     await open4(url);
-    this.lastBrowserOpenTime = Date.now();
+    _McpAuthService.lastBrowserOpenTime = Date.now();
+    return true;
   }
   /**
    * Handles the complete authentication flow
@@ -16530,7 +16616,12 @@ var McpAuthService = class {
     logDebug(`cli login created ${loginId}`);
     const webLoginUrl = `${WEB_APP_URL}/mvs-login`;
     const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, loginId, os5.hostname(), loginContext) : `${webLoginUrl}/${loginId}?hostname=${os5.hostname()}`;
-    await this.openBrowser(browserUrl, isBackgoundCall);
+    const browserOpened = await this.openBrowser(browserUrl, isBackgoundCall);
+    if (!browserOpened) {
+      throw new AuthenticationError(
+        "Authentication required but browser cooldown is active"
+      );
+    }
     logDebug(`waiting for login to complete`);
     let newApiToken = null;
     for (let i = 0; i < MCP_LOGIN_MAX_WAIT / MCP_LOGIN_CHECK_DELAY; i++) {
@@ -16561,8 +16652,24 @@ var McpAuthService = class {
     return newApiToken;
   }
 };
+// Static so cooldown persists across McpAuthService instances
+__publicField(_McpAuthService, "lastBrowserOpenTime", 0);
+var McpAuthService = _McpAuthService;
 
 // src/mcp/services/McpGQLClient.ts
+function isAuthError2(error) {
+  if (error instanceof ClientError2) {
+    const gqlErrors = error.response?.errors;
+    return gqlErrors?.some(
+      (e) => e.extensions?.["code"] === "access-denied" || e.message?.includes("Authentication hook unauthorized")
+    ) ?? false;
+  }
+  return false;
+}
+function isNetworkError2(error) {
+  const errorString = error?.toString() ?? "";
+  return errorString.includes("FetchError") || errorString.includes("TypeError") || errorString.includes("ECONNREFUSED") || errorString.includes("ENOTFOUND") || errorString.includes("ETIMEDOUT") || errorString.includes("UND_ERR");
+}
 var McpGQLClient = class {
   constructor(args) {
     __publicField(this, "client");
@@ -16616,14 +16723,16 @@ var McpGQLClient = class {
       logDebug("[GraphQL] Me query successful", { result });
       return true;
     } catch (e) {
-      const error = e;
-      logDebug(`[GraphQL] API connection verification failed`, { error });
-      if (error?.toString().includes("FetchError")) {
-        logError("[GraphQL] API connection verification failed", { error });
+      logDebug("[GraphQL] API connection verification failed", { error: e });
+      if (isNetworkError2(e)) {
+        logError("[GraphQL] API endpoint unreachable (network error)", {
+          error: e
+        });
         return false;
       }
+      logDebug("[GraphQL] API endpoint is reachable (non-network error)");
+      return true;
     }
-    return true;
   }
   /**
    * Verifies both API endpoint reachability and user authentication
@@ -16894,11 +17003,27 @@ var McpGQLClient = class {
     try {
       await this.clientSdk.CreateCommunityUser();
       const info = await this.getUserInfo();
+      if (!info) {
+        logDebug("[GraphQL] User token is invalid (no user info returned)");
+        return false;
+      }
       logDebug("[GraphQL] User token validated successfully");
-      return info?.email || true;
+      return info.email || true;
     } catch (e) {
-      logError("[GraphQL] User token validation failed");
-      return false;
+      if (isAuthError2(e)) {
+        logDebug("[GraphQL] User token is invalid (auth error from server)");
+        return false;
+      }
+      if (isNetworkError2(e)) {
+        logError("[GraphQL] Token validation failed due to network error", {
+          error: e
+        });
+        throw e;
+      }
+      logError("[GraphQL] Token validation failed with unexpected error", {
+        error: e
+      });
+      throw e;
     }
   }
   async createCliLogin(variables) {
@@ -17206,7 +17331,15 @@ async function createAuthenticatedMcpGQLClient({
     throw new ApiConnectionError("Error: failed to reach Mobb GraphQL endpoint");
   }
   logDebug("[GraphQL] Validating user token");
-  const userVerify = await initialClient.validateUserToken();
+  let userVerify;
+  try {
+    userVerify = await initialClient.validateUserToken();
+  } catch (e) {
+    logError("[GraphQL] Token validation failed due to transient error", {
+      error: e
+    });
+    throw e;
+  }
   if (userVerify) {
     return initialClient;
   }
@@ -20157,13 +20290,7 @@ var BaseTool = class {
   }
   async execute(args) {
     if (this.hasAuthentication) {
-      logDebug(`Authenticating tool: ${this.name}`, { args });
-      const loginContext = createMcpLoginContext(this.name);
-      const mcpGqlClient = await createAuthenticatedMcpGQLClient({
-        loginContext
-      });
-      const userInfo2 = await mcpGqlClient.getUserInfo();
-      logDebug("User authenticated successfully", { userInfo: userInfo2 });
+      logDebug(`Tool ${this.name} requires authentication (handled by service)`);
     }
     const validatedArgs = this.validateInput(args);
     logDebug(`Tool ${this.name} input validation successful`, {
@@ -24963,13 +25090,13 @@ var parseArgs = async (args) => {
 };
 
 // src/index.ts
-var debug20 = Debug20("mobbdev:index");
+var debug22 = Debug22("mobbdev:index");
 async function run() {
   return parseArgs(hideBin(process.argv));
 }
 (async () => {
   try {
-    debug20("Bugsy CLI v%s running...", packageJson.version);
+    debug22("Bugsy CLI v%s running...", packageJson.version);
     await run();
     process.exit(0);
   } catch (err) {