mobbdev 1.2.36 → 1.2.45

package/dist/index.mjs

@@ -2696,12 +2696,11 @@ var init_env = __esm({
 });
 
 // src/mcp/core/configs.ts
-var MCP_API_KEY_HEADER_NAME, MCP_LOGIN_MAX_WAIT, MCP_LOGIN_CHECK_DELAY, MCP_VUL_REPORT_DIGEST_TIMEOUT_MS, MCP_MAX_FILE_SIZE, MCP_PERIODIC_CHECK_INTERVAL, MCP_DEFAULT_MAX_FILES_TO_SCAN, MCP_REPORT_ID_EXPIRATION_MS, MCP_TOOLS_BROWSER_COOLDOWN_MS, MCP_DEFAULT_LIMIT, isAutoScan, MVS_AUTO_FIX_OVERRIDE, MCP_AUTO_FIX_DEBUG_MODE, MCP_PERIODIC_TRACK_INTERVAL, MCP_DEFAULT_REST_API_URL, MCP_SYSTEM_FIND_TIMEOUT_MS;
+var MCP_LOGIN_MAX_WAIT, MCP_LOGIN_CHECK_DELAY, MCP_VUL_REPORT_DIGEST_TIMEOUT_MS, MCP_MAX_FILE_SIZE, MCP_PERIODIC_CHECK_INTERVAL, MCP_DEFAULT_MAX_FILES_TO_SCAN, MCP_REPORT_ID_EXPIRATION_MS, MCP_TOOLS_BROWSER_COOLDOWN_MS, MCP_DEFAULT_LIMIT, isAutoScan, MVS_AUTO_FIX_OVERRIDE, MCP_AUTO_FIX_DEBUG_MODE, MCP_PERIODIC_TRACK_INTERVAL, MCP_DEFAULT_REST_API_URL, MCP_SYSTEM_FIND_TIMEOUT_MS;
 var init_configs = __esm({
   "src/mcp/core/configs.ts"() {
     "use strict";
     init_env();
-    MCP_API_KEY_HEADER_NAME = "x-mobb-key";
     MCP_LOGIN_MAX_WAIT = 2 * 60 * 1e3;
     MCP_LOGIN_CHECK_DELAY = 2 * 1e3;
     MCP_VUL_REPORT_DIGEST_TIMEOUT_MS = 30 * 60 * 1e3;
@@ -11013,16 +11012,20 @@ function createGitWithLogging(dirName, logger2 = defaultLogger) {
   }).outputHandler((bin, stdout2, stderr2) => {
     const callID = Math.random();
     logger2.info({ callID, bin }, "Start git CLI call");
-    const errChunks = [];
-    const outChunks = [];
-    let isStdoutClosed = false;
-    let isStderrClosed = false;
-    stderr2.on("data", (data) => errChunks.push(data.toString("utf8")));
-    stdout2.on("data", (data) => outChunks.push(data.toString("utf8")));
-    function logData() {
-      if (!isStderrClosed || !isStdoutClosed) {
+    let errChunks = [];
+    let outChunks = [];
+    let isStdoutDone = false;
+    let isStderrDone = false;
+    const onStderrData = (data) => errChunks.push(data.toString("utf8"));
+    const onStdoutData = (data) => outChunks.push(data.toString("utf8"));
+    stderr2.on("data", onStderrData);
+    stdout2.on("data", onStdoutData);
+    let finalized = false;
+    function finalizeAndCleanup() {
+      if (finalized || !isStderrDone || !isStdoutDone) {
         return;
       }
+      finalized = true;
       const logObj = {
         callID,
         bin,
@@ -11030,14 +11033,25 @@ function createGitWithLogging(dirName, logger2 = defaultLogger) {
         out: `${outChunks.join("").slice(0, 200)}...`
       };
       logger2.info(logObj, "git log output");
-    }
-    stderr2.on("close", () => {
-      isStderrClosed = true;
-      logData();
+      stderr2.removeListener("data", onStderrData);
+      stdout2.removeListener("data", onStdoutData);
+      errChunks = [];
+      outChunks = [];
+    }
+    function markDone(stream) {
+      if (stream === "stderr") isStderrDone = true;
+      else isStdoutDone = true;
+      finalizeAndCleanup();
+    }
+    stderr2.on("close", () => markDone("stderr"));
+    stdout2.on("close", () => markDone("stdout"));
+    stderr2.on("error", (error) => {
+      logger2.info({ callID, error: String(error) }, "git stderr stream error");
+      markDone("stderr");
     });
-    stdout2.on("close", () => {
-      isStdoutClosed = true;
-      logData();
+    stdout2.on("error", (error) => {
+      logger2.info({ callID, error: String(error) }, "git stdout stream error");
+      markDone("stdout");
     });
   });
 }
@@ -11749,14 +11763,10 @@ import open3 from "open";
 import tmp2 from "tmp";
 import { z as z31 } from "zod";
 
-// src/commands/handleMobbLogin.ts
-import chalk4 from "chalk";
-import Debug10 from "debug";
-
 // src/commands/AuthManager.ts
 import crypto from "crypto";
 import os3 from "os";
-import Debug9 from "debug";
+import Debug10 from "debug";
 import open from "open";
 
 // src/features/analysis/graphql/gql.ts
@@ -11771,12 +11781,6 @@ var ApiConnectionError = class extends Error {
     this.name = "ApiConnectionError";
   }
 };
-var CliLoginError = class extends Error {
-  constructor(message = "CLI login failed") {
-    super(message);
-    this.name = "CliLoginError";
-  }
-};
 var AuthenticationError = class extends Error {
   constructor(message = "Authentication failed") {
     super(message);
@@ -12106,9 +12110,19 @@ function isAuthError(error) {
   }
   return false;
 }
-function isNetworkError(error) {
+function isTransientError(error) {
   const errorString = error?.toString() ?? "";
-  return errorString.includes("FetchError") || errorString.includes("TypeError") || errorString.includes("ECONNREFUSED") || errorString.includes("ENOTFOUND") || errorString.includes("ETIMEDOUT") || errorString.includes("UND_ERR");
+  if (errorString.includes("FetchError") || errorString.includes("TypeError") || errorString.includes("ECONNREFUSED") || errorString.includes("ENOTFOUND") || errorString.includes("ETIMEDOUT") || errorString.includes("UND_ERR")) {
+    return true;
+  }
+  if (error instanceof ClientError) {
+    const status = error.response?.status;
+    if (status && status >= 502 && status <= 504) return true;
+  }
+  if (errorString.includes("Gateway Time-out") || errorString.includes("Bad Gateway") || errorString.includes("Service Unavailable")) {
+    return true;
+  }
+  return false;
 }
 var API_KEY_HEADER_NAME = "x-mobb-key";
 var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
@@ -12169,8 +12183,8 @@ var GQLClient = class {
     try {
       await this.getUserInfo();
     } catch (e) {
-      if (isNetworkError(e)) {
-        debug7("verify connection failed (network error) %o", e);
+      if (isTransientError(e)) {
+        debug7("verify connection failed (transient error) %o", e);
         return false;
       }
       debug7("verify connection: endpoint reachable but request failed %o", e);
@@ -12191,11 +12205,7 @@ var GQLClient = class {
         debug7("verify token failed - auth error %o", e);
         return false;
       }
-      if (isNetworkError(e)) {
-        debug7("verify token failed - network error, rethrowing %o", e);
-        throw e;
-      }
-      debug7("verify token failed - unexpected error, rethrowing %o", e);
+      debug7("verify token failed - transient/unknown error, rethrowing %o", e);
       throw e;
     }
   }
@@ -12252,11 +12262,7 @@ var GQLClient = class {
     return res?.cli_login_by_pk?.encryptedApiToken || null;
   }
   async createCommunityUser() {
-    try {
-      await this._clientSdk.CreateCommunityUser();
-    } catch (e) {
-      debug7("create community user failed %o", e);
-    }
+    await this._clientSdk.CreateCommunityUser();
   }
   async updateScmToken(args) {
     const { scmType, url, token, org, refreshToken } = args;
@@ -12579,23 +12585,127 @@ var GQLClient = class {
 // src/features/analysis/graphql/tracy-batch-upload.ts
 import { promisify } from "util";
 import { gzip } from "zlib";
-import Debug8 from "debug";
+import Debug9 from "debug";
 
 // src/args/commands/upload_ai_blame.ts
 import fsPromises2 from "fs/promises";
 import * as os2 from "os";
 import path7 from "path";
-import chalk3 from "chalk";
+import chalk4 from "chalk";
 import { withFile } from "tmp-promise";
 import z27 from "zod";
+
+// src/commands/handleMobbLogin.ts
+import chalk3 from "chalk";
+import Debug7 from "debug";
+var debug8 = Debug7("mobbdev:commands");
+var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk3.bgBlue(
+  "press any key to continue"
+)};`;
+async function getAuthenticatedGQLClient({
+  inputApiKey = "",
+  isSkipPrompts = true,
+  apiUrl,
+  webAppUrl
+}) {
+  debug8(
+    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
+    apiUrl || "undefined",
+    webAppUrl || "undefined"
+  );
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  let gqlClient = authManager.getGQLClient(inputApiKey);
+  gqlClient = await handleMobbLogin({
+    inGqlClient: gqlClient,
+    skipPrompts: isSkipPrompts,
+    apiUrl,
+    webAppUrl
+  });
+  return gqlClient;
+}
+async function handleMobbLogin({
+  inGqlClient,
+  apiKey,
+  skipPrompts,
+  apiUrl,
+  webAppUrl,
+  loginContext,
+  loginPath
+}) {
+  debug8(
+    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
+    apiUrl || "fallback",
+    apiUrl || "fallback",
+    webAppUrl || "fallback",
+    webAppUrl || "fallback"
+  );
+  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
+  const authManager = new AuthManager(webAppUrl, apiUrl);
+  authManager.setGQLClient(inGqlClient);
+  const authResult = await authManager.checkAuthentication();
+  if (authResult.isAuthenticated) {
+    createSpinner5().start().success({
+      text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
+    });
+    return authManager.getGQLClient();
+  }
+  if (authResult.reason === "unknown") {
+    debug8("Auth check returned unknown: %s", authResult.message);
+    throw new CliError(`Cannot verify authentication: ${authResult.message}`);
+  }
+  if (apiKey) {
+    createSpinner5().start().error({
+      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    });
+    throw new CliError(
+      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
+    );
+  }
+  const loginSpinner = createSpinner5().start();
+  if (!skipPrompts) {
+    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
+    await keypress();
+  }
+  loginSpinner.update({
+    text: "\u{1F513} Waiting for Mobb login..."
+  });
+  try {
+    const loginUrl = await authManager.generateLoginUrl(loginPath, loginContext);
+    if (!loginUrl) {
+      loginSpinner.error({
+        text: "Failed to generate login URL"
+      });
+      throw new CliError("Failed to generate login URL");
+    }
+    !skipPrompts && console.log(
+      `If the page does not open automatically, kindly access it through ${loginUrl}.`
+    );
+    authManager.openUrlInBrowser();
+    const authSuccess = await authManager.waitForAuthentication();
+    if (!authSuccess) {
+      loginSpinner.error({
+        text: "Login timeout error"
+      });
+      throw new CliError("Login timeout error");
+    }
+    loginSpinner.success({
+      text: `\u{1F513} Login to Mobb successful!`
+    });
+    return authManager.getGQLClient();
+  } finally {
+    authManager.cleanup();
+  }
+}
+
+// src/args/commands/upload_ai_blame.ts
 init_client_generates();
 init_GitService();
 init_urlParser2();
 
 // src/features/analysis/upload-file.ts
-import Debug7 from "debug";
+import Debug8 from "debug";
 import fetch3, { File, fileFrom, FormData } from "node-fetch";
-var debug8 = Debug7("mobbdev:upload-file");
+var debug9 = Debug8("mobbdev:upload-file");
 async function uploadFile({
   file,
   url,
@@ -12608,9 +12718,9 @@ async function uploadFile({
   logInfo2(`FileUpload: upload file start ${url}`);
   logInfo2(`FileUpload: upload fields`, uploadFields);
   logInfo2(`FileUpload: upload key ${uploadKey}`);
-  debug8("upload file start %s", url);
-  debug8("upload fields %o", uploadFields);
-  debug8("upload key %s", uploadKey);
+  debug9("upload file start %s", url);
+  debug9("upload fields %o", uploadFields);
+  debug9("upload key %s", uploadKey);
   const form = new FormData();
   Object.entries(uploadFields).forEach(([key, value]) => {
     form.append(key, value);
@@ -12619,11 +12729,11 @@ async function uploadFile({
     form.append("key", uploadKey);
   }
   if (typeof file === "string") {
-    debug8("upload file from path %s", file);
+    debug9("upload file from path %s", file);
     logInfo2(`FileUpload: upload file from path ${file}`);
     form.append("file", await fileFrom(file));
   } else {
-    debug8("upload file from buffer");
+    debug9("upload file from buffer");
     logInfo2(`FileUpload: upload file from buffer`);
     form.append("file", new File([new Uint8Array(file)], "file"));
   }
@@ -12634,11 +12744,11 @@ async function uploadFile({
     agent
   });
   if (!response.ok) {
-    debug8("error from S3 %s %s", response.body, response.status);
+    debug9("error from S3 %s %s", response.body, response.status);
     logInfo2(`FileUpload: error from S3 ${response.body} ${response.status}`);
     throw new Error(`Failed to upload the file: ${response.status}`);
   }
-  debug8("upload file done");
+  debug9("upload file done");
   logInfo2(`FileUpload: upload file done`);
 }
 
@@ -12978,33 +13088,33 @@ function uploadAiBlameBuilder(args) {
     type: "string",
     array: true,
     demandOption: true,
-    describe: chalk3.bold("Path(s) to prompt artifact(s) (one per session)")
+    describe: chalk4.bold("Path(s) to prompt artifact(s) (one per session)")
   }).option("inference", {
     type: "string",
     array: true,
     demandOption: true,
-    describe: chalk3.bold(
+    describe: chalk4.bold(
       "Path(s) to inference artifact(s) (one per session)"
     )
   }).option("ai-response-at", {
     type: "string",
     array: true,
-    describe: chalk3.bold(
+    describe: chalk4.bold(
       "ISO timestamp(s) for AI response (one per session, defaults to now)"
     )
   }).option("model", {
     type: "string",
     array: true,
-    describe: chalk3.bold("AI model name(s) (optional, one per session)")
+    describe: chalk4.bold("AI model name(s) (optional, one per session)")
   }).option("tool-name", {
     type: "string",
     array: true,
-    describe: chalk3.bold("Tool/IDE name(s) (optional, one per session)")
+    describe: chalk4.bold("Tool/IDE name(s) (optional, one per session)")
   }).option("blame-type", {
     type: "string",
     array: true,
     choices: Object.values(AiBlameInferenceType),
-    describe: chalk3.bold(
+    describe: chalk4.bold(
       "Blame type(s) (optional, one per session, defaults to CHAT)"
     )
   }).strict();
@@ -13086,7 +13196,7 @@ async function uploadAiBlameHandler(options) {
   const sessionIds = args.sessionId || args["session-id"] || [];
   if (prompts.length !== inferences.length) {
     const errorMsg = "prompt and inference must have the same number of entries";
-    logger2.error(chalk3.red(errorMsg));
+    logger2.error(chalk4.red(errorMsg));
     if (exitOnError) {
       process.exit(1);
     }
@@ -13106,7 +13216,7 @@ async function uploadAiBlameHandler(options) {
       ]);
     } catch {
       const errorMsg = `File not found for session ${i + 1}`;
-      logger2.error(chalk3.red(errorMsg));
+      logger2.error(chalk4.red(errorMsg));
       if (exitOnError) {
         process.exit(1);
       }
@@ -13139,7 +13249,7 @@ async function uploadAiBlameHandler(options) {
   const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
   if (uploadSessions.length !== sessions.length) {
     const errorMsg = "Init failed to return expected number of sessions";
-    logger2.error(chalk3.red(errorMsg));
+    logger2.error(chalk4.red(errorMsg));
     if (exitOnError) {
       process.exit(1);
     }
@@ -13196,7 +13306,7 @@ async function uploadAiBlameHandler(options) {
     if (status !== "OK") {
       const errorMsg = finRes?.finalizeAIBlameInferencesUpload?.error || "unknown error";
       logger2.error(
-        chalk3.red(
+        chalk4.red(
           `[UPLOAD] Finalize failed with status: ${status}, error: ${errorMsg}`
         )
       );
@@ -13205,7 +13315,7 @@ async function uploadAiBlameHandler(options) {
       }
       throw new Error(errorMsg);
     }
-    logger2.info(chalk3.green("[UPLOAD] AI Blame uploads finalized successfully"));
+    logger2.info(chalk4.green("[UPLOAD] AI Blame uploads finalized successfully"));
   } catch (error) {
     logger2.error("[UPLOAD] Finalize threw error:", error);
     throw error;
@@ -13217,7 +13327,7 @@ async function uploadAiBlameCommandHandler(args) {
 
 // src/features/analysis/graphql/tracy-batch-upload.ts
 var gzipAsync = promisify(gzip);
-var debug9 = Debug8("mobbdev:tracy-batch-upload");
+var debug10 = Debug9("mobbdev:tracy-batch-upload");
 var MAX_BATCH_PAYLOAD_BYTES = 3 * 1024 * 1024;
 
 // src/mcp/services/types.ts
@@ -13253,9 +13363,9 @@ function buildLoginUrl(baseUrl, loginId, hostname, context) {
 }
 
 // src/commands/AuthManager.ts
-var debug10 = Debug9("mobbdev:auth");
-var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY = 5 * 1e3;
+var debug11 = Debug10("mobbdev:auth");
+var LOGIN_MAX_WAIT = 2 * 60 * 1e3;
+var LOGIN_CHECK_DELAY = 2 * 1e3;
 var _AuthManager = class _AuthManager {
   constructor(webAppUrl, apiUrl) {
     __publicField(this, "publicKey");
@@ -13269,22 +13379,33 @@ var _AuthManager = class _AuthManager {
     this.resolvedWebAppUrl = webAppUrl || WEB_APP_URL;
     this.resolvedApiUrl = apiUrl || API_URL;
   }
+  /** Set the minimum interval between browser opens (MCP sets this to 24h) */
+  static setBrowserCooldown(ms) {
+    _AuthManager.browserCooldownMs = ms;
+  }
+  /** Reset cooldown state. Used by tests to ensure isolation. */
+  static resetCooldown() {
+    _AuthManager.lastBrowserOpenTime = 0;
+    _AuthManager.browserCooldownMs = 0;
+  }
   openUrlInBrowser() {
-    if (this.currentBrowserUrl) {
-      open(this.currentBrowserUrl);
-      return true;
+    if (!this.currentBrowserUrl) {
+      return false;
     }
-    return false;
+    if (_AuthManager.browserCooldownMs > 0 && Date.now() - _AuthManager.lastBrowserOpenTime < _AuthManager.browserCooldownMs) {
+      debug11("browser cooldown active, skipping open");
+      return false;
+    }
+    open(this.currentBrowserUrl);
+    _AuthManager.lastBrowserOpenTime = Date.now();
+    return true;
   }
+  /**
+   * Polls for the encrypted API token, decrypts it, validates it, and stores it.
+   * Returns true if login succeeded.
+   */
   async waitForAuthentication() {
-    let newApiToken = null;
-    for (let i = 0; i < _AuthManager.loginMaxWait / LOGIN_CHECK_DELAY; i++) {
-      newApiToken = await this.getApiToken();
-      if (newApiToken) {
-        break;
-      }
-      await sleep(LOGIN_CHECK_DELAY);
-    }
+    const newApiToken = await this.waitForApiToken();
     if (!newApiToken) {
       return false;
     }
@@ -13302,52 +13423,75 @@ var _AuthManager = class _AuthManager {
     return false;
   }
   /**
-   * Checks if the user is already authenticated
+   * Polls for the encrypted API token and decrypts it.
+   * Does NOT validate or store the token — use this when the caller
+   * needs to validate on a specific client type (e.g. McpGQLClient).
+   */
+  async waitForApiToken() {
+    for (let i = 0; i < _AuthManager.loginMaxWait / LOGIN_CHECK_DELAY; i++) {
+      const token = await this.getApiToken();
+      if (token) {
+        return token;
+      }
+      await sleep(LOGIN_CHECK_DELAY);
+    }
+    return null;
+  }
+  /**
+   * Checks if the user is already authenticated.
+   * Returns the full AuthResult so callers can distinguish 'invalid' from 'unknown'.
    */
   async isAuthenticated() {
     if (this.authenticated === null) {
       const result = await this.checkAuthentication();
       this.authenticated = result.isAuthenticated;
       if (!result.isAuthenticated) {
-        debug10("isAuthenticated: false \u2014 %s", result.message);
+        debug11("isAuthenticated: false \u2014 %s (%s)", result.message, result.reason);
       }
     }
     return this.authenticated;
   }
   /**
-   * Private function to check if the user is authenticated with the server
+   * Full 3-state auth check returning an {@link AuthResult}.
+   *
+   * - `isAuthenticated: true` — token is valid.
+   * - `reason: 'invalid'` — definitive auth failure (access-denied). Caller should trigger login.
+   * - `reason: 'unknown'` — transient/network error. Caller should NOT trigger login.
    */
   async checkAuthentication(apiKey) {
+    if (!this.gqlClient) {
+      this.gqlClient = this.getGQLClient(apiKey);
+    }
+    const isConnected = await this.gqlClient.verifyApiConnection();
+    if (!isConnected) {
+      return {
+        isAuthenticated: false,
+        reason: "unknown",
+        message: "Failed to connect to Mobb server"
+      };
+    }
     try {
-      if (!this.gqlClient) {
-        this.gqlClient = this.getGQLClient(apiKey);
-      }
-      const isConnected = await this.gqlClient.verifyApiConnection();
-      if (!isConnected) {
-        return {
-          isAuthenticated: false,
-          message: "Failed to connect to Mobb server"
-        };
-      }
       const userVerify = await this.gqlClient.validateUserToken();
       if (!userVerify) {
         return {
           isAuthenticated: false,
+          reason: "invalid",
           message: "User token validation failed"
         };
       }
     } catch (error) {
       return {
         isAuthenticated: false,
+        reason: "unknown",
         message: error instanceof Error ? error.message : "Unknown authentication error"
       };
     }
-    return { isAuthenticated: true, message: "Successfully authenticated" };
+    return { isAuthenticated: true };
   }
   /**
    * Generates a login URL for manual authentication
    */
-  async generateLoginUrl(loginContext) {
+  async generateLoginUrl(loginPath, loginContext) {
     try {
       if (!this.gqlClient) {
         this.gqlClient = this.getGQLClient();
@@ -13360,7 +13504,7 @@ var _AuthManager = class _AuthManager {
       this.loginId = await this.gqlClient.createCliLogin({
         publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
       });
-      const webLoginUrl = `${this.resolvedWebAppUrl}/cli-login`;
+      const webLoginUrl = `${this.resolvedWebAppUrl}${loginPath || "/cli-login"}`;
       const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os3.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os3.hostname()}`;
       this.currentBrowserUrl = browserUrl;
       return browserUrl;
@@ -13370,22 +13514,32 @@ var _AuthManager = class _AuthManager {
     }
   }
   /**
-   * Retrieves and decrypts the API token after authentication
+   * Retrieves and decrypts the API token after authentication.
+   * Returns null if the token is not yet available or on transient errors.
    */
   async getApiToken() {
     if (!this.gqlClient || !this.loginId || !this.privateKey) {
       return null;
     }
-    const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
-      loginId: this.loginId
-    });
-    if (encryptedApiToken) {
-      return crypto.privateDecrypt(
-        this.privateKey,
-        Buffer.from(encryptedApiToken, "base64")
-      ).toString("utf-8");
+    try {
+      const encryptedApiToken = await this.gqlClient.getEncryptedApiToken({
+        loginId: this.loginId
+      });
+      if (encryptedApiToken) {
+        return crypto.privateDecrypt(
+          this.privateKey,
+          Buffer.from(encryptedApiToken, "base64")
+        ).toString("utf-8");
+      }
+      return null;
+    } catch (error) {
+      if (isTransientError(error)) {
+        debug11("getApiToken: transient error, will retry");
+      } else {
+        debug11("getApiToken: unexpected error: %O", error);
+      }
+      return null;
     }
-    return null;
   }
   /**
    * Returns true if a non-empty API token is stored in the configStore.
@@ -13429,109 +13583,11 @@ var _AuthManager = class _AuthManager {
 };
 /** Maximum time (ms) to wait for login authentication. Override in tests for faster failures. */
 __publicField(_AuthManager, "loginMaxWait", LOGIN_MAX_WAIT);
+/** Browser cooldown: minimum ms between browser opens (0 = no cooldown) */
+__publicField(_AuthManager, "browserCooldownMs", 0);
+__publicField(_AuthManager, "lastBrowserOpenTime", 0);
 var AuthManager = _AuthManager;
 
-// src/commands/handleMobbLogin.ts
-var debug11 = Debug10("mobbdev:commands");
-var LOGIN_MAX_WAIT2 = 10 * 60 * 1e3;
-var LOGIN_CHECK_DELAY2 = 5 * 1e3;
-var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk4.bgBlue(
-  "press any key to continue"
-)};`;
-async function getAuthenticatedGQLClient({
-  inputApiKey = "",
-  isSkipPrompts = true,
-  apiUrl,
-  webAppUrl
-}) {
-  debug11(
-    "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
-    apiUrl || "undefined",
-    webAppUrl || "undefined"
-  );
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  let gqlClient = authManager.getGQLClient(inputApiKey);
-  gqlClient = await handleMobbLogin({
-    inGqlClient: gqlClient,
-    skipPrompts: isSkipPrompts,
-    apiUrl,
-    webAppUrl
-  });
-  return gqlClient;
-}
-async function handleMobbLogin({
-  inGqlClient,
-  apiKey,
-  skipPrompts,
-  apiUrl,
-  webAppUrl,
-  loginContext
-}) {
-  debug11(
-    "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
-    apiUrl || "fallback",
-    apiUrl || "fallback",
-    webAppUrl || "fallback",
-    webAppUrl || "fallback"
-  );
-  const { createSpinner: createSpinner5 } = Spinner({ ci: skipPrompts });
-  const authManager = new AuthManager(webAppUrl, apiUrl);
-  authManager.setGQLClient(inGqlClient);
-  try {
-    const isAuthenticated = await authManager.isAuthenticated();
-    if (isAuthenticated) {
-      createSpinner5().start().success({
-        text: `\u{1F513} Login to Mobb succeeded. Already authenticated`
-      });
-      return authManager.getGQLClient();
-    }
-  } catch (error) {
-    debug11("Authentication check failed:", error);
-  }
-  if (apiKey) {
-    createSpinner5().start().error({
-      text: "\u{1F513} Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    });
-    throw new CliError(
-      "Login to Mobb failed: The provided API key does not match any configured API key on the system"
-    );
-  }
-  const loginSpinner = createSpinner5().start();
-  if (!skipPrompts) {
-    loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
-    await keypress();
-  }
-  loginSpinner.update({
-    text: "\u{1F513} Waiting for Mobb login..."
-  });
-  try {
-    const loginUrl = await authManager.generateLoginUrl(loginContext);
-    if (!loginUrl) {
-      loginSpinner.error({
-        text: "Failed to generate login URL"
-      });
-      throw new CliError("Failed to generate login URL");
-    }
-    !skipPrompts && console.log(
-      `If the page does not open automatically, kindly access it through ${loginUrl}.`
-    );
-    authManager.openUrlInBrowser();
-    const authSuccess = await authManager.waitForAuthentication();
-    if (!authSuccess) {
-      loginSpinner.error({
-        text: "Login timeout error"
-      });
-      throw new CliError("Login timeout error");
-    }
-    loginSpinner.success({
-      text: `\u{1F513} Login to Mobb successful!`
-    });
-    return authManager.getGQLClient();
-  } finally {
-    authManager.cleanup();
-  }
-}
-
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
 import Debug14 from "debug";
 
@@ -14490,8 +14546,8 @@ if (typeof __filename !== "undefined") {
 }
 var costumeRequire = createRequire(moduleUrl);
 var getCheckmarxPath = () => {
-  const os14 = type();
-  const cxFileName = os14 === "Windows_NT" ? "cx.exe" : "cx";
+  const os13 = type();
+  const cxFileName = os13 === "Windows_NT" ? "cx.exe" : "cx";
   try {
     return costumeRequire.resolve(`.bin/${cxFileName}`);
   } catch (e) {
@@ -15082,7 +15138,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
       `If the page does not open automatically, kindly access it through ${scmAuthUrl2}.`
     );
     await open3(scmAuthUrl2);
-    for (let i = 0; i < LOGIN_MAX_WAIT2 / LOGIN_CHECK_DELAY2; i++) {
+    for (let i = 0; i < LOGIN_MAX_WAIT / LOGIN_CHECK_DELAY; i++) {
       const userInfo2 = await gqlClient.getUserInfo();
       if (!userInfo2) {
         throw new CliError2("User info not found");
@@ -15101,7 +15157,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         return tokenInfo2.accessToken;
       }
       scmSpinner.spin();
-      await sleep(LOGIN_CHECK_DELAY2);
+      await sleep(LOGIN_CHECK_DELAY);
     }
     scmSpinner.error({
       text: `${scmName} login timeout error`
@@ -16429,9 +16485,7 @@ var logDebug = (message, data) => logger.log(message, "debug", data);
 var log = logger.log.bind(logger);
 
 // src/mcp/services/McpGQLClient.ts
-import crypto3 from "crypto";
-import { ClientError as ClientError2, GraphQLClient as GraphQLClient2 } from "graphql-request";
-import { v4 as uuidv42 } from "uuid";
+import crypto2 from "crypto";
 init_client_generates();
 init_configs();
 
@@ -16564,197 +16618,37 @@ var GetLatestReportByRepoUrlResponseSchema = z34.object({
   expiredReport: z34.array(ExpiredReportSchema)
 });
 
-// src/mcp/services/McpAuthService.ts
-import crypto2 from "crypto";
-import os5 from "os";
-import open4 from "open";
-init_configs();
-var _McpAuthService = class _McpAuthService {
-  constructor(client) {
-    __publicField(this, "client");
-    this.client = client;
-  }
-  /** Reset cooldown state. Used by tests to ensure isolation. */
-  static resetCooldown() {
-    _McpAuthService.lastBrowserOpenTime = 0;
-  }
-  /**
-   * Opens a browser window for authentication
-   * @param url URL to open in browser
-   * @param isBackgoundCall Whether this is called from tools context
-   */
-  async openBrowser(url, isBackgoundCall) {
-    if (isBackgoundCall) {
-      const now = Date.now();
-      if (now - _McpAuthService.lastBrowserOpenTime < MCP_TOOLS_BROWSER_COOLDOWN_MS) {
-        logDebug(`browser cooldown active, skipping open for ${url}`);
-        return false;
-      }
-    }
-    logDebug(`opening browser url ${url}`);
-    await open4(url);
-    _McpAuthService.lastBrowserOpenTime = Date.now();
-    return true;
-  }
-  /**
-   * Handles the complete authentication flow
-   * @param isBackgoundCall Whether this is called from tools context
-   * @param loginContext Context information about who triggered the login
-   * @returns Authenticated API token
-   */
-  async authenticate(isBackgoundCall = false, loginContext) {
-    const { publicKey, privateKey } = crypto2.generateKeyPairSync("rsa", {
-      modulusLength: 2048
-    });
-    logDebug("creating cli login");
-    const loginId = await this.client.createCliLogin({
-      publicKey: publicKey.export({ format: "pem", type: "pkcs1" }).toString()
-    });
-    if (!loginId) {
-      throw new CliLoginError("Error: createCliLogin failed");
-    }
-    logDebug(`cli login created ${loginId}`);
-    const webLoginUrl = `${WEB_APP_URL}/mvs-login`;
-    const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, loginId, os5.hostname(), loginContext) : `${webLoginUrl}/${loginId}?hostname=${os5.hostname()}`;
-    const browserOpened = await this.openBrowser(browserUrl, isBackgoundCall);
-    if (!browserOpened) {
-      throw new AuthenticationError(
-        "Authentication required but browser cooldown is active"
-      );
-    }
-    logDebug(`waiting for login to complete`);
-    let newApiToken = null;
-    for (let i = 0; i < MCP_LOGIN_MAX_WAIT / MCP_LOGIN_CHECK_DELAY; i++) {
-      const encryptedApiToken = await this.client.getEncryptedApiToken({
-        loginId
-      });
-      if (encryptedApiToken) {
-        logDebug("encrypted API token received");
-        newApiToken = crypto2.privateDecrypt(privateKey, Buffer.from(encryptedApiToken, "base64")).toString("utf-8");
-        logDebug("API token decrypted");
-        break;
-      }
-      await sleep(MCP_LOGIN_CHECK_DELAY);
-    }
-    if (!newApiToken) {
-      throw new FailedToGetApiTokenError(
-        "Error: failed to get encrypted api token"
-      );
-    }
-    const verifyClient = new McpGQLClient({
-      apiKey: newApiToken,
-      type: "apiKey"
-    });
-    const loginSuccess = await verifyClient.validateUserToken();
-    if (!loginSuccess) {
-      throw new AuthenticationError("Invalid API token");
-    }
-    return newApiToken;
-  }
-};
-// Static so cooldown persists across McpAuthService instances
-__publicField(_McpAuthService, "lastBrowserOpenTime", 0);
-var McpAuthService = _McpAuthService;
-
 // src/mcp/services/McpGQLClient.ts
-function isAuthError2(error) {
-  if (error instanceof ClientError2) {
-    const gqlErrors = error.response?.errors;
-    return gqlErrors?.some(
-      (e) => e.extensions?.["code"] === "access-denied" || e.message?.includes("Authentication hook unauthorized")
-    ) ?? false;
-  }
-  return false;
-}
-function isNetworkError2(error) {
-  const errorString = error?.toString() ?? "";
-  return errorString.includes("FetchError") || errorString.includes("TypeError") || errorString.includes("ECONNREFUSED") || errorString.includes("ENOTFOUND") || errorString.includes("ETIMEDOUT") || errorString.includes("UND_ERR");
-}
-var McpGQLClient = class {
+var McpGQLClient = class extends GQLClient {
   constructor(args) {
-    __publicField(this, "client");
-    __publicField(this, "clientSdk");
-    __publicField(this, "_auth");
-    __publicField(this, "currentUser", null);
-    __publicField(this, "apiUrl");
-    this._auth = args;
-    this.apiUrl = process.env["API_URL"] || DEFAULT_API_URL;
-    logDebug(`[GraphQL] Creating graphql client with api url ${this.apiUrl}`, {
-      args
-    });
-    this.client = new GraphQLClient2(this.apiUrl, {
-      headers: args.type === "apiKey" ? { [MCP_API_KEY_HEADER_NAME]: args.apiKey || "" } : {
-        Authorization: `Bearer ${args.token}`
-      },
-      fetch: fetchWithProxy,
-      requestMiddleware: (request) => {
-        const requestId = uuidv42();
-        return {
-          ...request,
-          headers: {
-            ...request.headers,
-            "x-hasura-request-id": requestId
-          }
-        };
-      }
+    super({
+      ...args,
+      apiUrl: process.env["API_URL"] || void 0
     });
-    this.clientSdk = getSdk(this.client);
+    __publicField(this, "currentUser", null);
   }
   getErrorContext() {
     return {
-      endpoint: this.apiUrl,
+      endpoint: this._apiUrl,
       apiKey: this._auth.type === "apiKey" ? this._auth.apiKey : "",
       headers: {
-        [MCP_API_KEY_HEADER_NAME]: this._auth.type === "apiKey" ? "[REDACTED]" : "undefined",
+        "x-mobb-key": this._auth.type === "apiKey" ? "[REDACTED]" : "undefined",
         "x-hasura-request-id": "[DYNAMIC]"
       }
     };
   }
-  async uploadAIBlameInferencesInitRaw(variables) {
-    return await this.clientSdk.UploadAIBlameInferencesInit(variables);
-  }
-  async finalizeAIBlameInferencesUploadRaw(variables) {
-    return await this.clientSdk.FinalizeAIBlameInferencesUpload(variables);
-  }
-  async isApiEndpointReachable() {
-    try {
-      logDebug("[GraphQL] Calling Me query for API connection verification");
-      const result = await this.getUserInfo();
-      logDebug("[GraphQL] Me query successful", { result });
-      return true;
-    } catch (e) {
-      logDebug("[GraphQL] API connection verification failed", { error: e });
-      if (isNetworkError2(e)) {
-        logError("[GraphQL] API endpoint unreachable (network error)", {
-          error: e
-        });
-        return false;
-      }
-      logDebug("[GraphQL] API endpoint is reachable (non-network error)");
-      return true;
-    }
+  async getUserInfo() {
+    const me = await super.getUserInfo();
+    this.currentUser = me;
+    return me;
   }
-  /**
-   * Verifies both API endpoint reachability and user authentication
-   * @returns true if both API is reachable and user is authenticated
-   */
-  async verifyApiConnection() {
-    const isReachable = await this.isApiEndpointReachable();
-    if (!isReachable) {
-      return false;
-    }
-    try {
-      await this.validateUserToken();
-      return true;
-    } catch (e) {
-      logError("User token validation failed", { error: e });
-      return false;
-    }
+  getCurrentUser() {
+    return this.currentUser;
   }
   async uploadS3BucketInfo() {
     try {
       logDebug("[GraphQL] Calling uploadS3BucketInfo mutation");
-      const result = await this.clientSdk.uploadS3BucketInfo({
+      const result = await this._clientSdk.uploadS3BucketInfo({
         fileName: "report.json"
       });
       logDebug("[GraphQL] uploadS3BucketInfo successful", { result });
@@ -16770,7 +16664,7 @@ var McpGQLClient = class {
   async getAnalysis(analysisId) {
     try {
       logDebug("[GraphQL] Calling getAnalysis query", { analysisId });
-      const res = await this.clientSdk.getAnalysis({
+      const res = await this._clientSdk.getAnalysis({
         analysisId
       });
       logDebug("[GraphQL] getAnalysis successful", { result: res });
@@ -16792,7 +16686,7 @@ var McpGQLClient = class {
       logDebug("[GraphQL] Calling SubmitVulnerabilityReport mutation", {
         variables
       });
-      const result = await this.clientSdk.SubmitVulnerabilityReport(variables);
+      const result = await this._clientSdk.SubmitVulnerabilityReport(variables);
       logDebug("[GraphQL] SubmitVulnerabilityReport successful", { result });
       return result;
     } catch (e) {
@@ -16871,15 +16765,15 @@ var McpGQLClient = class {
             this._auth.type === "apiKey" ? {
               apiKey: this._auth.apiKey,
               type: "apiKey",
-              url: httpToWsUrl(this.apiUrl),
+              url: httpToWsUrl(this._apiUrl),
               timeoutInMs: params.timeoutInMs,
-              proxyAgent: getProxyAgent(this.apiUrl)
+              proxyAgent: getProxyAgent(this._apiUrl)
             } : {
               token: this._auth.token,
               type: "token",
-              url: httpToWsUrl(this.apiUrl),
+              url: httpToWsUrl(this._apiUrl),
               timeoutInMs: params.timeoutInMs,
-              proxyAgent: getProxyAgent(this.apiUrl)
+              proxyAgent: getProxyAgent(this._apiUrl)
             }
           );
         }
@@ -16903,12 +16797,12 @@ var McpGQLClient = class {
       if (!userEmail) {
         throw new Error("User email not found");
       }
-      const shortEmailHash = crypto3.createHash("sha256").update(userEmail).digest("hex").slice(0, 8).toUpperCase();
+      const shortEmailHash = crypto2.createHash("sha256").update(userEmail).digest("hex").slice(0, 8).toUpperCase();
       const projectName = `MCP Scans ${shortEmailHash}`;
       logDebug("[GraphQL] Calling getLastOrgAndNamedProject query", {
         projectName
       });
-      const orgAndProjectRes = await this.clientSdk.getLastOrgAndNamedProject({
+      const orgAndProjectRes = await this._clientSdk.getLastOrgAndNamedProject({
         email: userEmail,
         projectName
       });
@@ -16934,7 +16828,7 @@ var McpGQLClient = class {
         projectName
       });
       try {
-        const createdProject = await this.clientSdk.CreateProject({
+        const createdProject = await this._clientSdk.CreateProject({
           organizationId: organization.id,
           projectName
         });
@@ -16956,7 +16850,7 @@ var McpGQLClient = class {
               error: errorMessage
             }
           );
-          const retryOrgAndProjectRes = await this.clientSdk.getLastOrgAndNamedProject({
+          const retryOrgAndProjectRes = await this._clientSdk.getLastOrgAndNamedProject({
             email: userEmail,
             projectName
           });
@@ -16990,71 +16884,6 @@ var McpGQLClient = class {
       throw e;
     }
   }
-  async getUserInfo() {
-    const { me } = await this.clientSdk.Me();
-    this.currentUser = me;
-    return me;
-  }
-  getCurrentUser() {
-    return this.currentUser;
-  }
-  async validateUserToken() {
-    logDebug("[GraphQL] Validating user token");
-    try {
-      await this.clientSdk.CreateCommunityUser();
-      const info = await this.getUserInfo();
-      if (!info) {
-        logDebug("[GraphQL] User token is invalid (no user info returned)");
-        return false;
-      }
-      logDebug("[GraphQL] User token validated successfully");
-      return info.email || true;
-    } catch (e) {
-      if (isAuthError2(e)) {
-        logDebug("[GraphQL] User token is invalid (auth error from server)");
-        return false;
-      }
-      if (isNetworkError2(e)) {
-        logError("[GraphQL] Token validation failed due to network error", {
-          error: e
-        });
-        throw e;
-      }
-      logError("[GraphQL] Token validation failed with unexpected error", {
-        error: e
-      });
-      throw e;
-    }
-  }
-  async createCliLogin(variables) {
-    try {
-      const res = await this.clientSdk.CreateCliLogin(variables, {
-        // We may have outdated API key in the config storage. Avoid using it for the login request.
-        [MCP_API_KEY_HEADER_NAME]: ""
-      });
-      const loginId = res.insert_cli_login_one?.id || "";
-      if (!loginId) {
-        logError("[GraphQL] Create cli login failed - no login ID returned");
-        return "";
-      }
-      return loginId;
-    } catch (e) {
-      logError("[GraphQL] Create cli login failed", { error: e });
-      return "";
-    }
-  }
-  async getEncryptedApiToken(variables) {
-    try {
-      const res = await this.clientSdk.GetEncryptedApiToken(variables, {
-        // We may have outdated API key in the config storage. Avoid using it for the login request.
-        [MCP_API_KEY_HEADER_NAME]: ""
-      });
-      return res?.cli_login_by_pk?.encryptedApiToken || null;
-    } catch (e) {
-      logError("[GraphQL] Get encrypted api token failed", { error: e });
-      return null;
-    }
-  }
   generateFixUrl({
     fixId,
     organizationId,
@@ -17064,7 +16893,7 @@ var McpGQLClient = class {
     if (!organizationId || !projectId || !reportId) {
       return void 0;
     }
-    const appBaseUrl = this.apiUrl.replace("/v1/graphql", "").replace("api.", "");
+    const appBaseUrl = this._apiUrl.replace("/v1/graphql", "").replace("api.", "");
     return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${reportId}/fix/${fixId}`;
   }
   mergeUserAndSystemFixes({
@@ -17111,7 +16940,7 @@ var McpGQLClient = class {
   }
   async updateFixesDownloadStatus(fixIds) {
     if (fixIds.length > 0) {
-      const resUpdate = await this.clientSdk.updateDownloadedFixData({
+      const resUpdate = await this._clientSdk.updateDownloadedFixData({
         fixIds,
         source: "MCP" /* Mcp */
       });
@@ -17125,7 +16954,7 @@ var McpGQLClient = class {
   }
   async updateAutoAppliedFixesStatus(fixIds) {
     if (fixIds.length > 0) {
-      const resUpdate = await this.clientSdk.updateDownloadedFixData({
+      const resUpdate = await this._clientSdk.updateDownloadedFixData({
         fixIds,
         source: "AUTO_MVS" /* AutoMvs */
       });
@@ -17156,7 +16985,7 @@ var McpGQLClient = class {
       logDebug("[GraphQL] Calling GetUserMvsAutoFix query", {
         userEmail: userInfo2.email
       });
-      const result = await this.clientSdk.GetUserMvsAutoFix({
+      const result = await this._clientSdk.GetUserMvsAutoFix({
         userEmail: userInfo2.email
       });
       logDebug("[GraphQL] GetUserMvsAutoFix successful", { result });
@@ -17199,7 +17028,7 @@ var McpGQLClient = class {
           codeNodes: { path: { _in: fileFilter } }
         };
       }
-      const resp = await this.clientSdk.GetLatestReportByRepoUrl({
+      const resp = await this._clientSdk.GetLatestReportByRepoUrl({
         repoUrl,
         limit,
         offset,
@@ -17272,7 +17101,7 @@ var McpGQLClient = class {
           error: err
         });
       }
-      const res = await this.clientSdk.GetReportFixes({
+      const res = await this._clientSdk.GetReportFixes({
         reportId,
         limit,
         offset,
@@ -17317,45 +17146,65 @@ async function createAuthenticatedMcpGQLClient({
   isBackgroundCall = false,
   loginContext
 } = {}) {
+  if (isBackgroundCall) {
+    AuthManager.setBrowserCooldown(MCP_TOOLS_BROWSER_COOLDOWN_MS);
+  }
   logDebug("[GraphQL] Getting config", {
     apiToken: configStore.get("apiToken")
   });
-  const initialClient = new McpGQLClient({
-    apiKey: process.env["MOBB_API_KEY"] || process.env["API_KEY"] || // fallback for backward compatibility
-    configStore.get("apiToken") || "",
-    type: "apiKey"
-  });
-  const isApiEndpointReachable = await initialClient.isApiEndpointReachable();
-  logDebug("[GraphQL] API connection status", { isApiEndpointReachable });
-  if (!isApiEndpointReachable) {
-    throw new ApiConnectionError("Error: failed to reach Mobb GraphQL endpoint");
+  const apiKey = process.env["MOBB_API_KEY"] || process.env["API_KEY"] || // fallback for backward compatibility
+  configStore.get("apiToken") || "";
+  const resolvedApiUrl = process.env["API_URL"] || void 0;
+  const authManager = new AuthManager(void 0, resolvedApiUrl);
+  const initialClient = new McpGQLClient({ apiKey, type: "apiKey" });
+  authManager.setGQLClient(initialClient);
+  const authResult = await authManager.checkAuthentication();
+  if (authResult.isAuthenticated) {
+    return initialClient;
   }
-  logDebug("[GraphQL] Validating user token");
-  let userVerify;
-  try {
-    userVerify = await initialClient.validateUserToken();
-  } catch (e) {
-    logError("[GraphQL] Token validation failed due to transient error", {
-      error: e
+  if (authResult.reason === "unknown") {
+    logError("[GraphQL] Auth check failed with transient error", {
+      message: authResult.message
     });
-    throw e;
-  }
-  if (userVerify) {
-    return initialClient;
+    throw new ApiConnectionError(
+      `Cannot verify authentication: ${authResult.message}`
+    );
   }
-  const authService = new McpAuthService(initialClient);
-  const newApiToken = await authService.authenticate(
-    isBackgroundCall,
+  const loginUrl = await authManager.generateLoginUrl(
+    "/mvs-login",
     loginContext
   );
+  if (!loginUrl) {
+    throw new AuthenticationError("Failed to generate login URL");
+  }
+  const opened = authManager.openUrlInBrowser();
+  if (!opened) {
+    throw new AuthenticationError(
+      "Authentication required but browser cooldown is active"
+    );
+  }
+  const newApiToken = await authManager.waitForApiToken();
+  if (!newApiToken) {
+    throw new FailedToGetApiTokenError(
+      `Login timeout: authentication not completed within ${AuthManager.loginMaxWait / 1e3 / 60} minutes`
+    );
+  }
+  const authenticatedClient = new McpGQLClient({
+    apiKey: newApiToken,
+    type: "apiKey"
+  });
+  const loginSuccess = await authenticatedClient.validateUserToken();
+  if (!loginSuccess) {
+    throw new AuthenticationError("Login failed: token validation failed");
+  }
   configStore.set("apiToken", newApiToken);
-  return new McpGQLClient({ apiKey: newApiToken, type: "apiKey" });
+  return authenticatedClient;
 }
 
 // src/mcp/services/McpUsageService/host.ts
 import { execSync as execSync2 } from "child_process";
 import fs13 from "fs";
-import os6 from "os";
+import os5 from "os";
 import path14 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
@@ -17370,7 +17219,7 @@ var gitInfo = {
   email: runCommand("git config user.email")
 };
 var getClaudeWorkspacePaths = () => {
-  const home = os6.homedir();
+  const home = os5.homedir();
   const claudeIdePath = path14.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs13.existsSync(claudeIdePath)) {
@@ -17399,7 +17248,7 @@ var getClaudeWorkspacePaths = () => {
   return workspacePaths;
 };
 var getMCPConfigPaths = (hostName) => {
-  const home = os6.homedir();
+  const home = os5.homedir();
   const currentDir = process.env["WORKSPACE_FOLDER_PATHS"] || process.env["PWD"] || process.cwd();
   switch (hostName.toLowerCase()) {
     case "cursor":
@@ -17489,7 +17338,7 @@ var readMCPConfig = (hostName) => {
 };
 var getRunningProcesses = () => {
   try {
-    return os6.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
+    return os5.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
   } catch {
     return "";
   }
@@ -17564,7 +17413,7 @@ var versionCommands = {
   }
 };
 var getProcessInfo = (pid) => {
-  const platform2 = os6.platform();
+  const platform2 = os5.platform();
   try {
     if (platform2 === "linux" || platform2 === "darwin") {
       const output = execSync2(`ps -o pid=,ppid=,comm= -p ${pid}`, {
@@ -17683,7 +17532,7 @@ var getHostInfo = (additionalMcpList) => {
     const config2 = allConfigs[ide] || null;
     const ideName = ide.charAt(0).toUpperCase() + ide.slice(1) || "Unknown";
     let ideVersion = "Unknown";
-    const platform2 = os6.platform();
+    const platform2 = os5.platform();
     const cmds = versionCommands[ideName]?.[platform2] ?? [];
     for (const cmd of cmds) {
       try {
@@ -17716,14 +17565,14 @@ var getHostInfo = (additionalMcpList) => {
 
 // src/mcp/services/McpUsageService/McpUsageService.ts
 import fetch5 from "node-fetch";
-import os8 from "os";
-import { v4 as uuidv43, v5 as uuidv5 } from "uuid";
+import os7 from "os";
+import { v4 as uuidv42, v5 as uuidv5 } from "uuid";
 init_configs();
 
 // src/mcp/services/McpUsageService/system.ts
 init_configs();
 import fs14 from "fs";
-import os7 from "os";
+import os6 from "os";
 import path15 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
@@ -17758,8 +17607,8 @@ var searchDir = async (dir, depth = 0) => {
 };
 var findSystemMCPConfigs = async () => {
   try {
-    const home = os7.homedir();
-    const platform2 = os7.platform();
+    const home = os6.homedir();
+    const platform2 = os6.platform();
     const knownDirs = platform2 === "win32" ? [
       path15.join(home, ".cursor"),
       path15.join(home, "Documents"),
@@ -17831,7 +17680,7 @@ var McpUsageService = class {
   generateHostId() {
     const stored = configStore.get(this.configKey);
     if (stored?.mcpHostId) return stored.mcpHostId;
-    const interfaces = os8.networkInterfaces();
+    const interfaces = os7.networkInterfaces();
     const macs = [];
     for (const iface of Object.values(interfaces)) {
       if (!iface) continue;
@@ -17839,7 +17688,7 @@ var McpUsageService = class {
         if (net.mac && net.mac !== "00:00:00:00:00:00") macs.push(net.mac);
       }
     }
-    const macString = macs.length ? macs.sort().join(",") : `${os8.hostname()}-${uuidv43()}`;
+    const macString = macs.length ? macs.sort().join(",") : `${os7.hostname()}-${uuidv42()}`;
     const hostId = uuidv5(macString, uuidv5.DNS);
     logDebug("[UsageService] Generated new host ID", { hostId });
     return hostId;
@@ -17862,7 +17711,7 @@ var McpUsageService = class {
       mcpHostId,
       organizationId,
       mcpVersion: packageJson.version,
-      mcpOsName: os8.platform(),
+      mcpOsName: os7.platform(),
       mcps: JSON.stringify(mcps),
       status,
       userName: user.name,
@@ -20183,7 +20032,7 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs17 from "fs";
-import * as os10 from "os";
+import * as os9 from "os";
 import * as path17 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
@@ -20194,11 +20043,11 @@ import * as path16 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs15 from "fs";
-import * as os9 from "os";
+import * as os8 from "os";
 
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs18 from "fs";
-import * as os11 from "os";
+import * as os10 from "os";
 import * as path18 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
@@ -24643,18 +24492,18 @@ async function getGrpcClient(port, csrf3) {
 
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs25 from "fs";
-import os12 from "os";
+import os11 from "os";
 import path24 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path24.join(os12.homedir(), "Library/Logs/JetBrains");
+    return path24.join(os11.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
     return path24.join(
-      process.env["LOCALAPPDATA"] || path24.join(os12.homedir(), "AppData/Local"),
+      process.env["LOCALAPPDATA"] || path24.join(os11.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path24.join(os12.homedir(), ".cache/JetBrains");
+    return path24.join(os11.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
@@ -24877,11 +24726,11 @@ function processChatStepCodeAction(step) {
 
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises6 from "fs/promises";
-import os13 from "os";
+import os12 from "os";
 import path25 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path25.join(os13.homedir(), ".codeium", "hooks.json");
+  return path25.join(os12.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();