mobbdev 1.3.5 → 1.4.0

package/dist/index.mjs

@@ -129,10 +129,13 @@ function getSdk(client, withWrapper = defaultWrapper) {
     },
     ScanSkill(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: ScanSkillDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "ScanSkill", "mutation", variables);
+    },
+    SkillVerdictsByMd5(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SkillVerdictsByMd5Document, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SkillVerdictsByMd5", "query", variables);
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -326,6 +329,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["SystemExitShouldReraise"] = "SYSTEM_EXIT_SHOULD_RERAISE";
       IssueType_Enum2["SystemInformationLeak"] = "SYSTEM_INFORMATION_LEAK";
       IssueType_Enum2["SystemInformationLeakExternal"] = "SYSTEM_INFORMATION_LEAK_EXTERNAL";
+      IssueType_Enum2["TaintedNumericCast"] = "TAINTED_NUMERIC_CAST";
       IssueType_Enum2["TarSlip"] = "TAR_SLIP";
       IssueType_Enum2["TrustBoundaryViolation"] = "TRUST_BOUNDARY_VIOLATION";
       IssueType_Enum2["TypeConfusion"] = "TYPE_CONFUSION";
@@ -1264,6 +1268,18 @@ var init_client_generates = __esm({
     cached
     summary
   }
+}
+    `;
+    SkillVerdictsByMd5Document = `
+    query SkillVerdictsByMd5($md5s: [String!]!) {
+  skillVerdictsByMd5(md5s: $md5s) {
+    md5
+    verdict
+    summary
+    scannerName
+    scannerVersion
+    scannedAt
+  }
 }
     `;
     defaultWrapper = (action, _operationName, _operationType, _variables) => action();
@@ -1450,7 +1466,8 @@ var init_getIssueType = __esm({
       ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: "Django Blank Field Needs Null or Default",
       ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: "Redundant Nil Error Check",
       ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions",
-      ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: "Excessive Secrets Exposure"
+      ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: "Excessive Secrets Exposure",
+      ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -3577,8 +3594,8 @@ var init_FileUtils = __esm({
           const fullPath = path.join(dir, item);
           try {
             await fsPromises.access(fullPath, fs.constants.R_OK);
-            const stat2 = await fsPromises.stat(fullPath);
-            if (stat2.isDirectory()) {
+            const stat4 = await fsPromises.stat(fullPath);
+            if (stat4.isDirectory()) {
               if (isRootLevel && excludedRootDirectories.includes(item)) {
                 continue;
               }
@@ -3590,7 +3607,7 @@ var init_FileUtils = __esm({
                 name: item,
                 fullPath,
                 relativePath: path.relative(rootDir, fullPath),
-                time: stat2.mtime.getTime(),
+                time: stat4.mtime.getTime(),
                 isFile: true
               });
             }
@@ -4642,7 +4659,8 @@ var fixDetailsData = {
   ["DJANGO_BLANK_FIELD_NEEDS_NULL_OR_DEFAULT" /* DjangoBlankFieldNeedsNullOrDefault */]: void 0,
   ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: void 0,
   ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0,
-  ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: void 0
+  ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: void 0,
+  ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -6174,6 +6192,17 @@ var openRedirect3 = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
+var ssrf5 = {
+  domainsAllowlist: {
+    content: () => "Allowed URL prefixes",
+    description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`    
+     
+     To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
 var uncheckedLoopCondition3 = {
   loopLimit: {
@@ -6195,7 +6224,8 @@ var vulnerabilities14 = {
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition3,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings2,
-  ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding
+  ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
+  ["SSRF" /* Ssrf */]: ssrf5
 };
 var python_default2 = vulnerabilities14;
 
@@ -7117,7 +7147,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path30 = [
+      const path34 = [
         prefixPath,
         owner,
         projectName,
@@ -7128,7 +7158,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path30}?${params2}`, origin).toString();
+      return new URL(`${path34}?${params2}`, origin).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -7217,8 +7247,8 @@ async function getAdoSdk(params) {
         const changeType = entry.changeType;
         return changeType !== 16 && entry.item?.path;
       }).map((entry) => {
-        const path30 = entry.item.path;
-        return path30.startsWith("/") ? path30.slice(1) : path30;
+        const path34 = entry.item.path;
+        return path34.startsWith("/") ? path34.slice(1) : path34;
       });
     },
     async searchAdoPullRequests({
@@ -8091,6 +8121,15 @@ var BitbucketParseResultZ = z20.object({
   repoName: z20.string(),
   hostname: z20.literal(BITBUCKET_HOSTNAME)
 });
+var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
+  values: z20.array(
+    z20.object({
+      repository: z20.object({
+        full_name: z20.string().optional()
+      }).optional()
+    })
+  ).optional()
+});
 function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
   const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
   const parsingResult = parseScmURL(parsedGitHubUrl, "Bitbucket" /* Bitbucket */);
@@ -8155,12 +8194,17 @@ function getBitbucketSdk(params) {
       const { repoUrl } = params2;
       const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
       const fullRepoName = `${workspace}/${repo_slug}`;
-      const res = await bitbucketClient.user.listPermissionsForRepos({
+      const res = await bitbucketClient.request({
+        method: "GET",
+        url: "/user/workspaces/{workspace}/permissions/repositories",
+        workspace,
         q: `repository.full_name~"${fullRepoName}"`
       });
-      return res.data.values?.some(
-        (res2) => res2.repository?.full_name === fullRepoName
-      ) ?? false;
+      const parsed = UserWorkspacePermissionsRepositoriesResponseZ.safeParse(
+        res.data
+      );
+      const values = parsed.success ? parsed.data.values : void 0;
+      return values?.some((v) => v.repository?.full_name === fullRepoName) ?? false;
     },
     async createPullRequest(params2) {
       const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(
@@ -8926,12 +8970,18 @@ function getOctoKit(options) {
       timeout: 1e4
       // 10 second timeout
     },
-    retry: options?.isEnableRetries ? {
-      doNotRetry: [400, 401, 403, 404, 422],
-      // Don't retry on these status codes
+    // Always retry on transient failures. 401 is intentionally retryable:
+    // GitHub briefly returns 401 for an OAuth token in the first few seconds
+    // after it is minted, and without this, validateRepoUrl and every
+    // downstream SCM call can fail permanently on that propagation glitch.
+    // Trade-off: a genuinely revoked/invalid token surfaces after ~14s of
+    // backoff (@octokit/plugin-retry uses retryCount^2 * 1000 ms: 1s, 4s, 9s)
+    // instead of immediately. Acceptable given the alternative is permanent
+    // failure / 10-minute test timeouts.
+    retry: {
+      doNotRetry: [400, 403, 404, 422],
       retries: 3
-      // Retry up to 3 times
-    } : { enabled: false },
+    },
     throttle: options?.isEnableRetries ? {
       onRateLimit: (retryAfter, options2, octokit, retryCount) => {
         octokit.log.warn(
@@ -9593,10 +9643,13 @@ function getGithubSdk(params = {}) {
       return res;
     },
     /**
-     * Search PRs using GitHub's Search API with sorting
-     * https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests
+     * List PRs using GitHub's REST `/repos/{owner}/{repo}/pulls` endpoint.
+     * https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#list-pull-requests
+     *
+     * Uses the 5000/hr core rate-limit bucket and reads freshly-created PRs
+     * without the indexing lag of the Search API.
      */
-    async searchPullRequests(params2) {
+    async listPullRequests(params2) {
       const {
         owner,
         repo,
@@ -9606,26 +9659,22 @@ function getGithubSdk(params = {}) {
         perPage = 10,
         page = 1
       } = params2;
-      let query = `repo:${owner}/${repo} is:pr`;
-      if (updatedAfter) {
-        const dateStr = updatedAfter.toISOString().split("T")[0];
-        query += ` updated:>=${dateStr}`;
-      }
-      if (state !== "all") {
-        query += ` is:${state}`;
-      }
-      const githubSortField = sort.field === "updated" || sort.field === "created" ? sort.field : "comments";
-      const response = await octokit.rest.search.issuesAndPullRequests({
-        q: query,
-        sort: githubSortField,
-        order: sort.order,
+      const restSortField = sort.field === "updated" || sort.field === "created" ? sort.field : "popularity";
+      const response = await octokit.rest.pulls.list({
+        owner,
+        repo,
+        state,
+        sort: restSortField,
+        direction: sort.order,
         per_page: perPage,
         page
       });
+      const filtered = updatedAfter ? response.data.filter((pr) => new Date(pr.updated_at) >= updatedAfter) : response.data;
+      const hitDescCutoff = sort.order === "desc" && updatedAfter !== void 0 && filtered.length < response.data.length;
+      const hasMore = response.data.length === perPage && !hitDescCutoff;
       return {
-        items: response.data.items,
-        totalCount: response.data.total_count,
-        hasMore: page * perPage < response.data.total_count
+        items: filtered,
+        hasMore
       };
     },
     /**
@@ -10225,8 +10274,12 @@ var GithubSCMLib = class extends SCMLib {
     }).map((file) => file.filename);
   }
   /**
-   * Override searchSubmitRequests to use GitHub's Search API for efficient pagination.
-   * This is much faster than fetching all PRs and filtering in-memory.
+   * Override searchSubmitRequests to use GitHub's REST `/pulls` endpoint.
+   *
+   * The Search API we used previously has a separate 30/min secondary rate
+   * limit and an async index that lags on just-created PRs. `/pulls` hits
+   * GitHub's primary datastore, uses the 5000/hr core bucket, and returns
+   * `head.ref` / `base.ref` so we can populate sourceBranch / targetBranch.
    */
   async searchSubmitRequests(params) {
     this._validateAccessToken();
@@ -10234,7 +10287,7 @@ var GithubSCMLib = class extends SCMLib {
     const page = parseCursorSafe(params.cursor, 1);
     const perPage = params.limit || 10;
     const sort = params.sort || { field: "updated", order: "desc" };
-    const searchResult = await this.githubSdk.searchPullRequests({
+    const listResult = await this.githubSdk.listPullRequests({
       owner,
       repo,
       updatedAfter: params.filters?.updatedAfter,
@@ -10243,38 +10296,33 @@ var GithubSCMLib = class extends SCMLib {
       perPage,
       page
     });
-    const results = searchResult.items.map((issue) => {
+    const results = listResult.items.map((pr) => {
       let status = "open";
-      if (issue.state === "closed") {
-        status = issue.pull_request?.merged_at ? "merged" : "closed";
-      } else if (issue.draft) {
+      if (pr.state === "closed") {
+        status = pr.merged_at ? "merged" : "closed";
+      } else if (pr.draft) {
         status = "draft";
       }
       return {
-        submitRequestId: String(issue.number),
-        submitRequestNumber: issue.number,
-        title: issue.title,
+        submitRequestId: String(pr.number),
+        submitRequestNumber: pr.number,
+        title: pr.title,
         status,
-        sourceBranch: "",
-        // Not available in search API
-        targetBranch: "",
-        // Not available in search API
-        authorName: issue.user?.login,
+        sourceBranch: pr.head?.ref ?? "",
+        targetBranch: pr.base?.ref ?? "",
+        authorName: pr.user?.login,
         authorEmail: void 0,
-        // Not available in search API
-        createdAt: new Date(issue.created_at),
-        updatedAt: new Date(issue.updated_at),
-        description: issue.body || void 0,
+        createdAt: new Date(pr.created_at),
+        updatedAt: new Date(pr.updated_at),
+        description: pr.body || void 0,
         tickets: [],
-        // Would need separate parsing
         changedLines: { added: 0, removed: 0 }
-        // Not available in search API
       };
     });
     return {
       results,
-      nextCursor: searchResult.hasMore ? String(page + 1) : void 0,
-      hasMore: searchResult.hasMore
+      nextCursor: listResult.hasMore ? String(page + 1) : void 0,
+      hasMore: listResult.hasMore
     };
   }
   /**
@@ -13506,6 +13554,10 @@ var GQLClient = class {
   async scanSkill(variables) {
     return await this._clientSdk.ScanSkill(variables);
   }
+  // T-467 — batched verdict lookup for the client-side quarantine check.
+  async skillVerdictsByMd5(md5s) {
+    return await this._clientSdk.SkillVerdictsByMd5({ md5s });
+  }
 };
 
 // src/features/analysis/graphql/tracy-batch-upload.ts
@@ -13893,13 +13945,13 @@ function maskString(str, showStart = 2, showEnd = 2) {
   }
   return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
 }
-async function sanitizeDataWithCounts(obj) {
+async function sanitizeDataWithCounts(obj, options) {
   const counts = {
     detections: { total: 0, high: 0, medium: 0, low: 0 }
   };
   const MAX_SCAN_LENGTH = 1e5;
   const sanitizeString = async (str) => {
-    if (str.length > MAX_SCAN_LENGTH) {
+    if (!options?.noSizeLimit && str.length > MAX_SCAN_LENGTH) {
       return str;
     }
     let result = str;
@@ -14358,7 +14410,7 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
     `${shouldSanitize ? "sanitize" : "serialize"} ${rawRecords.length} records`,
     () => Promise.all(
       rawRecords.map(async (record, index) => {
-        if (record.rawData != null) {
+        if (record.rawData != null && record.rawDataS3Key == null) {
           const serialized = shouldSanitize ? await sanitizeRawData(record.rawData) : JSON.stringify(record.rawData);
           serializedRawDataByIndex.set(index, serialized);
         }
@@ -15028,7 +15080,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path30,
+    path: path34,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -15043,7 +15095,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path30,
+    path: path34,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15077,7 +15129,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path30,
+    path: path34,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -15095,7 +15147,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path30,
+    path: path34,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -16617,8 +16669,8 @@ async function resolveSkillScanInput(skillInput) {
   if (!fs11.existsSync(resolvedPath)) {
     return skillInput;
   }
-  const stat2 = fs11.statSync(resolvedPath);
-  if (!stat2.isDirectory()) {
+  const stat4 = fs11.statSync(resolvedPath);
+  if (!stat4.isDirectory()) {
     throw new CliError(
       "Local skill input must be a directory containing SKILL.md"
     );
@@ -17016,13 +17068,1110 @@ async function analyzeHandler(args) {
 import { spawn } from "child_process";
 
 // src/features/claude_code/daemon.ts
-import path17 from "path";
+import { readFileSync, writeFileSync as writeFileSync2 } from "fs";
+import path21 from "path";
 import { setTimeout as sleep2 } from "timers/promises";
+import Configstore3 from "configstore";
+
+// src/features/analysis/skill_quarantine/constants.ts
+var HEARTBEAT_DEBOUNCE_MS = (() => {
+  const raw = Number(process.env["MOBB_TRACY_SKILL_QUARANTINE_DEBOUNCE_MS"]);
+  if (!Number.isFinite(raw) || raw < 0) return 3e4;
+  return Math.min(raw, 3e5);
+})();
+var KILL_SWITCH_ENV = "MOBB_TRACY_SKILL_QUARANTINE_DISABLE";
+var MALICIOUS_VERDICT = "MALICIOUS";
+var ORPHAN_SWEEP_GRACE_MS = 10 * 60 * 1e3;
+
+// src/features/analysis/context_file_processor.ts
+import { createHash } from "crypto";
+import path13 from "path";
+import AdmZip3 from "adm-zip";
+import pLimit6 from "p-limit";
+var SANITIZE_CONCURRENCY = 5;
+function md5Hex(data) {
+  return createHash("md5").update(typeof data === "string" ? Buffer.from(data, "utf-8") : data).digest("hex");
+}
+async function sanitizeFileContent(content) {
+  const { sanitizedData } = await sanitizeDataWithCounts(content, {
+    noSizeLimit: true
+  });
+  return sanitizedData;
+}
+async function processContextFiles(regularFiles, skillGroups) {
+  const limit = pLimit6(SANITIZE_CONCURRENCY);
+  const processedFiles = await Promise.all(
+    regularFiles.map(
+      (entry) => limit(async () => {
+        const sanitizedContent = await sanitizeFileContent(entry.content);
+        const md5 = md5Hex(sanitizedContent);
+        const sizeBytes = Buffer.byteLength(sanitizedContent, "utf-8");
+        return { entry, sanitizedContent, md5, sizeBytes };
+      })
+    )
+  );
+  const processedSkills = await Promise.all(
+    skillGroups.filter((group) => group.files.length > 0).map(
+      (group) => limit(async () => {
+        const zip = new AdmZip3();
+        const sortedFiles = [...group.files].sort(
+          (a, b) => a.path.localeCompare(b.path)
+        );
+        for (const file of sortedFiles) {
+          const sanitizedContent = await sanitizeFileContent(file.content);
+          const zipEntryName = group.isFolder ? path13.relative(group.skillPath, file.path).replace(/\\/g, "/") : path13.basename(file.path);
+          zip.addFile(zipEntryName, Buffer.from(sanitizedContent, "utf-8"));
+          const entry = zip.getEntry(zipEntryName);
+          if (entry) {
+            entry.header.time = /* @__PURE__ */ new Date(0);
+          }
+        }
+        const zipBuffer = zip.toBuffer();
+        const md5 = md5Hex(zipBuffer);
+        return { group, zipBuffer, md5, sizeBytes: zipBuffer.byteLength };
+      })
+    )
+  );
+  return { files: processedFiles, skills: processedSkills };
+}
+
+// src/features/analysis/context_file_scanner.ts
+import { lstat, readFile, stat } from "fs/promises";
+import { homedir } from "os";
+import path14 from "path";
+import { globby as globby2 } from "globby";
+import { parse as parseJsoncLib } from "jsonc-parser";
+
+// src/features/analysis/context_file_scan_paths.ts
+var SKILL_CATEGORY = "skill";
+var SCAN_PATHS = {
+  "claude-code": [
+    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
+    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
+    { glob: "INSIGHTS.md", category: "rule", root: "workspace" },
+    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
+    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
+    { glob: ".claude/INSIGHTS.md", category: "rule", root: "home" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
+    {
+      glob: ".claude/projects/*/memory/*.md",
+      category: "memory",
+      root: "home"
+    },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
+    { glob: ".claude/commands/*.md", category: "command", root: "workspace" },
+    {
+      glob: ".claude/agents/*.md",
+      category: "agent-config",
+      root: "workspace"
+    },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
+    { glob: ".claude/commands/*.md", category: "command", root: "home" },
+    { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
+    { glob: ".claude/settings.json", category: "config", root: "workspace" },
+    {
+      glob: ".claude/settings.local.json",
+      category: "config",
+      root: "workspace"
+    },
+    { glob: ".mcp.json", category: "mcp-config", root: "workspace" },
+    { glob: ".claude/.mcp.json", category: "mcp-config", root: "workspace" },
+    { glob: ".claude/settings.json", category: "config", root: "home" },
+    { glob: ".claudeignore", category: "ignore", root: "workspace" }
+  ],
+  cursor: [
+    // Legacy single-file rules
+    { glob: ".cursorrules", category: "rule", root: "workspace" },
+    // Project Rules — docs support both `.mdc` and `.md` inside .cursor/rules/
+    { glob: ".cursor/rules/**/*.mdc", category: "rule", root: "workspace" },
+    { glob: ".cursor/rules/**/*.md", category: "rule", root: "workspace" },
+    // AGENTS.md — Cursor's documented alternative to .cursor/rules/
+    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    // Agent skills — Cursor auto-loads from these dirs plus compat with
+    // Claude / Codex / generic .agents/ per Cursor docs.
+    { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "workspace" },
+    // MCP — project + global
+    { glob: ".cursor/mcp.json", category: "mcp-config", root: "workspace" },
+    { glob: ".cursor/mcp.json", category: "mcp-config", root: "home" },
+    // Home skills (user-level cross-project skills)
+    { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "home" },
+    // Exclusion
+    { glob: ".cursorignore", category: "ignore", root: "workspace" }
+    // Note: Cursor's global "Rules for AI" from Settings UI is stored in
+    // Cursor's internal settings DB. The tracer_ext reads it via VS Code API
+    // (vscode.workspace.getConfiguration) and includes it as a synthetic entry.
+  ],
+  copilot: [
+    // Instructions — workspace
+    {
+      glob: ".github/copilot-instructions.md",
+      category: "rule",
+      root: "workspace"
+    },
+    {
+      glob: ".github/instructions/**/*.instructions.md",
+      category: "rule",
+      root: "workspace"
+    },
+    // AGENTS.md / CLAUDE.md family (Copilot reads these via chat.useAgentsMdFile,
+    // chat.useClaudeMdFile for cross-compat with Claude Code / other agents).
+    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
+    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
+    { glob: ".claude/CLAUDE.md", category: "rule", root: "workspace" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
+    // Prompts — workspace
+    {
+      glob: ".github/prompts/*.prompt.md",
+      category: SKILL_CATEGORY,
+      root: "workspace"
+    },
+    // Custom agents — `.agent.md` is the current format; `.chatmode.md` is the
+    // legacy naming docs recommend renaming. We scan both for transition.
+    {
+      glob: ".github/agents/*.agent.md",
+      category: "agent-config",
+      root: "workspace"
+    },
+    {
+      glob: ".github/chatmodes/*.chatmode.md",
+      category: "agent-config",
+      root: "workspace"
+    },
+    {
+      glob: ".claude/agents/*.md",
+      category: "agent-config",
+      root: "workspace"
+    },
+    // Agent skills — Copilot discovers skills in all three roots (VS Code docs:
+    // Agent Skills). Each skill is a directory with SKILL.md plus sibling files.
+    { kind: "skill-bundle", skillsRoot: ".github/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
+    // MCP — VS Code Copilot reads MCP servers from .vscode/mcp.json
+    { glob: ".vscode/mcp.json", category: "mcp-config", root: "workspace" },
+    // Global — home (JetBrains stores global instructions here)
+    {
+      glob: ".config/github-copilot/global-copilot-instructions.md",
+      category: "rule",
+      root: "home"
+    },
+    // User-level Copilot customizations (~/.copilot/)
+    {
+      glob: ".copilot/instructions/**/*.instructions.md",
+      category: "rule",
+      root: "home"
+    },
+    { glob: ".copilot/prompts/*.prompt.md", category: "skill", root: "home" },
+    {
+      glob: ".copilot/agents/*.agent.md",
+      category: "agent-config",
+      root: "home"
+    },
+    { kind: "skill-bundle", skillsRoot: ".copilot/skills", root: "home" },
+    // Cross-compat home paths (Copilot reads Claude / generic agent dirs too)
+    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
+    { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" }
+  ]
+};
+
+// src/features/analysis/context_file_scanner.ts
+var MAX_CONTEXT_FILE_SIZE = 20 * 1024 * 1024;
+var SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
+var sessionMtimes = /* @__PURE__ */ new Map();
+function markContextFilesUploaded(sessionId, files, skills) {
+  let entry = sessionMtimes.get(sessionId);
+  if (!entry) {
+    entry = { files: /* @__PURE__ */ new Map(), skills: /* @__PURE__ */ new Map(), lastUpdatedAt: Date.now() };
+    sessionMtimes.set(sessionId, entry);
+  }
+  for (const f of files) {
+    entry.files.set(f.path, f.mtimeMs);
+  }
+  if (skills) {
+    for (const sg of skills) {
+      entry.skills.set(sg.sessionKey, sg.maxMtimeMs);
+    }
+  }
+  entry.lastUpdatedAt = Date.now();
+}
+var COPILOT_CUSTOM_LOCATION_SETTINGS = [
+  {
+    key: "chat.agentSkillsLocations",
+    kind: "skill-bundle"
+  },
+  {
+    key: "chat.instructionsFilesLocations",
+    kind: "glob",
+    category: "rule",
+    glob: "**/*.instructions.md"
+  },
+  {
+    key: "chat.promptFilesLocations",
+    kind: "glob",
+    category: "skill",
+    glob: "**/*.prompt.md"
+  },
+  {
+    key: "chat.agentFilesLocations",
+    kind: "glob",
+    category: "agent-config",
+    glob: "**/*.agent.md"
+  }
+];
+var CLAUDE_CODE_CUSTOM_LOCATION_SETTINGS = [
+  {
+    key: "autoMemoryDirectory",
+    category: "memory",
+    glob: "*/memory/*.md"
+  }
+];
+function parseJsonc(text) {
+  const errors = [];
+  const parsed = parseJsoncLib(text, errors, {
+    allowTrailingComma: true,
+    disallowComments: false
+  });
+  return parsed ?? null;
+}
+function extractCustomLocations(value) {
+  if (Array.isArray(value)) {
+    return value.filter(
+      (v) => typeof v === "string" && v.length > 0
+    );
+  }
+  if (value && typeof value === "object") {
+    return Object.entries(value).filter(([, v]) => v === true).map(([k]) => k).filter((k) => k.length > 0);
+  }
+  return [];
+}
+var SENSITIVE_HOME_SUBDIRS = [
+  ".ssh",
+  ".aws",
+  ".gnupg",
+  ".config",
+  ".kube",
+  ".docker",
+  ".gcloud",
+  ".npmrc",
+  ".netrc",
+  ".git-credentials",
+  ".m2",
+  ".pypirc",
+  ".pgpass",
+  ".boto",
+  ".password-store"
+];
+function resolveCustomLocationPath(raw, workspaceRoot, home) {
+  let s = raw.replace(/\$\{workspaceFolder\}/g, workspaceRoot);
+  if (/\$\{[^}]+\}/.test(s)) {
+    return null;
+  }
+  if (/^~[^/]/.test(s)) {
+    return null;
+  }
+  if (s.startsWith("~/") || s === "~") {
+    s = path14.join(home, s.slice(1));
+  }
+  if (!path14.isAbsolute(s)) {
+    s = path14.resolve(workspaceRoot, s);
+  }
+  const resolved = path14.normalize(s);
+  if (resolved === "/" || resolved === home) {
+    return null;
+  }
+  for (const sub of SENSITIVE_HOME_SUBDIRS) {
+    const sensitive = path14.join(home, sub);
+    if (resolved === sensitive || resolved.startsWith(`${sensitive}${path14.sep}`)) {
+      return null;
+    }
+  }
+  const relWorkspace = path14.relative(workspaceRoot, resolved);
+  const relHome = path14.relative(home, resolved);
+  const escapesWorkspace = relWorkspace.startsWith("..") || path14.isAbsolute(relWorkspace);
+  const escapesHome = relHome.startsWith("..") || path14.isAbsolute(relHome);
+  if (escapesWorkspace && escapesHome) {
+    return null;
+  }
+  return resolved;
+}
+var MAX_SETTINGS_CACHE_SIZE = 50;
+var settingsCache = /* @__PURE__ */ new Map();
+async function readJsoncSettings(settingsPath) {
+  try {
+    const lst = await lstat(settingsPath);
+    if (lst.isSymbolicLink()) {
+      return null;
+    }
+  } catch {
+    putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+    return null;
+  }
+  let mtimeMs = null;
+  try {
+    const st = await stat(settingsPath);
+    if (!st.isFile()) {
+      putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+      return null;
+    }
+    mtimeMs = st.mtimeMs;
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+    }
+    return null;
+  }
+  const cached = settingsCache.get(settingsPath);
+  if (cached && cached.mtimeMs === mtimeMs) {
+    return cached.parsed;
+  }
+  let text;
+  try {
+    text = await readFile(settingsPath, "utf-8");
+  } catch {
+    return null;
+  }
+  const parsed = parseJsonc(text);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    putSettingsCache(settingsPath, { mtimeMs, parsed: null });
+    return null;
+  }
+  const payload = parsed;
+  putSettingsCache(settingsPath, { mtimeMs, parsed: payload });
+  return payload;
+}
+function putSettingsCache(path34, entry) {
+  if (!settingsCache.has(path34) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
+    settingsCache.delete(settingsCache.keys().next().value);
+  }
+  settingsCache.set(path34, entry);
+}
+async function readCopilotCustomLocations(workspaceRoot) {
+  const parsed = await readJsoncSettings(
+    path14.join(workspaceRoot, ".vscode", "settings.json")
+  );
+  if (!parsed) {
+    return [];
+  }
+  const home = homedir();
+  const dynamic = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const setting of COPILOT_CUSTOM_LOCATION_SETTINGS) {
+    for (const loc of extractCustomLocations(parsed[setting.key])) {
+      const abs = resolveCustomLocationPath(loc, workspaceRoot, home);
+      if (!abs) {
+        continue;
+      }
+      if (setting.kind === "skill-bundle") {
+        const dedupKey = `skill-bundle:${abs}`;
+        if (seen.has(dedupKey)) {
+          continue;
+        }
+        seen.add(dedupKey);
+        dynamic.push({
+          kind: "skill-bundle",
+          skillsRoot: ".",
+          root: "absolute",
+          absoluteBase: abs
+        });
+      } else {
+        const dedupKey = `${setting.category}:${abs}`;
+        if (seen.has(dedupKey)) {
+          continue;
+        }
+        seen.add(dedupKey);
+        dynamic.push({
+          kind: "glob",
+          glob: setting.glob,
+          category: setting.category,
+          root: "absolute",
+          absoluteBase: abs
+        });
+      }
+    }
+  }
+  return dynamic;
+}
+async function readClaudeCodeCustomLocations() {
+  const home = homedir();
+  const parsed = await readJsoncSettings(
+    path14.join(home, ".claude", "settings.json")
+  );
+  if (!parsed) {
+    return [];
+  }
+  const dynamic = [];
+  for (const { key, category, glob } of CLAUDE_CODE_CUSTOM_LOCATION_SETTINGS) {
+    const raw = parsed[key];
+    if (typeof raw !== "string" || raw.length === 0) {
+      continue;
+    }
+    if (/\$\{workspaceFolder\}/.test(raw)) {
+      continue;
+    }
+    const abs = resolveCustomLocationPath(raw, home, home);
+    if (!abs) {
+      continue;
+    }
+    dynamic.push({
+      kind: "glob",
+      glob,
+      category,
+      root: "absolute",
+      absoluteBase: abs
+    });
+  }
+  return dynamic;
+}
+async function readCustomLocations(workspaceRoot, platform2) {
+  if (platform2 === "copilot") {
+    return readCopilotCustomLocations(workspaceRoot);
+  }
+  if (platform2 === "claude-code") {
+    return readClaudeCodeCustomLocations();
+  }
+  return [];
+}
+function groupSkills(files, root, baseDir) {
+  const skillFiles = files.filter((f) => f.category === SKILL_CATEGORY);
+  const folderMap = /* @__PURE__ */ new Map();
+  const standalone = [];
+  for (const f of skillFiles) {
+    const rel = path14.relative(baseDir, f.path).replace(/\\/g, "/");
+    const skillsMarker = "skills/";
+    const skillsIdx = rel.indexOf(skillsMarker);
+    if (skillsIdx === -1) {
+      standalone.push(f);
+      continue;
+    }
+    const relFromSkills = rel.slice(skillsIdx + skillsMarker.length);
+    const slashIdx = relFromSkills.indexOf("/");
+    if (slashIdx === -1) {
+      standalone.push(f);
+    } else {
+      const folderName = relFromSkills.slice(0, slashIdx);
+      if (!folderMap.has(folderName)) {
+        folderMap.set(folderName, []);
+      }
+      folderMap.get(folderName).push(f);
+    }
+  }
+  const groups = [];
+  for (const f of standalone) {
+    const name = path14.basename(f.path, path14.extname(f.path));
+    const sessionKey = `skill:${root}:${name}`;
+    groups.push({
+      name,
+      root,
+      skillPath: f.path,
+      files: [f],
+      isFolder: false,
+      maxMtimeMs: f.mtimeMs,
+      sessionKey
+    });
+  }
+  for (const [folderName, folderFiles] of folderMap) {
+    const maxMtimeMs = Math.max(...folderFiles.map((f) => f.mtimeMs));
+    const anyFile = folderFiles[0];
+    const rel = path14.relative(baseDir, anyFile.path).replace(/\\/g, "/");
+    const skillsIdx = rel.indexOf("skills/");
+    const skillRelPath = rel.slice(
+      0,
+      skillsIdx + "skills/".length + folderName.length
+    );
+    const skillPath = path14.join(baseDir, skillRelPath);
+    const sessionKey = `skill:${root}:${folderName}`;
+    groups.push({
+      name: folderName,
+      root,
+      skillPath,
+      files: folderFiles,
+      isFolder: true,
+      maxMtimeMs,
+      sessionKey
+    });
+  }
+  return groups;
+}
+async function scanContextFiles(workspaceRoot, platform2, sessionId) {
+  const staticEntries = SCAN_PATHS[platform2] ?? [];
+  const dynamicEntries = await readCustomLocations(workspaceRoot, platform2);
+  const entries = [...staticEntries, ...dynamicEntries];
+  if (entries.length === 0) {
+    return { regularFiles: [], skillGroups: [] };
+  }
+  const now = Date.now();
+  for (const [sid, entry] of sessionMtimes) {
+    if (now - entry.lastUpdatedAt > SESSION_TTL_MS) {
+      sessionMtimes.delete(sid);
+    }
+  }
+  const home = homedir();
+  const sessionEntry = sessionId ? sessionMtimes.get(sessionId) : void 0;
+  const allFiles = [];
+  const skillBatches = /* @__PURE__ */ new Map();
+  const seenPaths = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const baseDir = resolveBaseDir(entry, workspaceRoot, home);
+    const scope = scopeForRoot(entry.root);
+    const isDynamic = entry.root === "absolute";
+    const matches = entry.kind === "skill-bundle" ? await enumerateSkillBundle(baseDir, entry.skillsRoot) : await enumerateGlob(entry.glob, baseDir, entry.category, isDynamic);
+    for (const { path: filePath, category } of matches) {
+      if (seenPaths.has(filePath)) {
+        continue;
+      }
+      seenPaths.add(filePath);
+      try {
+        const fileStat = await stat(filePath);
+        if (fileStat.size === 0 || fileStat.size > MAX_CONTEXT_FILE_SIZE || !fileStat.isFile()) {
+          continue;
+        }
+        const content = await readFile(filePath, "utf-8");
+        const sizeBytes = Buffer.byteLength(content, "utf-8");
+        const name = deriveIdentifier(filePath, baseDir);
+        const fileEntry = {
+          name,
+          path: filePath,
+          content,
+          sizeBytes,
+          category,
+          mtimeMs: fileStat.mtimeMs
+        };
+        if (scope) {
+          fileEntry.scope = scope;
+        }
+        if (category === SKILL_CATEGORY) {
+          const effectiveRoot = entry.root === "home" ? "home" : "workspace";
+          const batchKey = `${effectiveRoot}:${baseDir}`;
+          let batch = skillBatches.get(batchKey);
+          if (!batch) {
+            batch = { root: effectiveRoot, baseDir, files: [] };
+            skillBatches.set(batchKey, batch);
+          }
+          batch.files.push(fileEntry);
+        } else {
+          const prevMtime = sessionEntry?.files.get(filePath);
+          if (prevMtime !== void 0 && fileStat.mtimeMs <= prevMtime) {
+            continue;
+          }
+          allFiles.push(fileEntry);
+        }
+      } catch {
+      }
+    }
+  }
+  const allSkillGroups = [];
+  for (const { root, baseDir, files } of skillBatches.values()) {
+    const groups = groupSkills(files, root, baseDir);
+    for (const group of groups) {
+      if (sessionEntry) {
+        const prevMtime = sessionEntry.skills.get(group.sessionKey);
+        if (prevMtime !== void 0 && group.maxMtimeMs <= prevMtime) {
+          continue;
+        }
+      }
+      allSkillGroups.push(group);
+    }
+  }
+  return { regularFiles: allFiles, skillGroups: allSkillGroups };
+}
+async function enumerateGlob(pattern, cwd, category, isDynamic) {
+  let files;
+  try {
+    files = await globby2(pattern, {
+      cwd,
+      absolute: true,
+      onlyFiles: true,
+      dot: true,
+      // Never follow symlinks — a malicious committed repo can place a
+      // symlink at a scanned path (e.g. .github/copilot-instructions.md →
+      // ~/.aws/credentials) and the scanner would read and upload the target.
+      followSymbolicLinks: false,
+      // Dynamic absolute bases additionally cap traversal depth so a
+      // misconfigured setting can't enumerate the whole filesystem.
+      ...isDynamic ? { deep: DYNAMIC_SCAN_MAX_DEPTH } : {}
+    });
+  } catch {
+    return [];
+  }
+  return files.map((path34) => ({ path: path34, category }));
+}
+async function enumerateSkillBundle(baseDir, skillsRoot) {
+  const skillsDir = path14.resolve(baseDir, skillsRoot);
+  let manifests;
+  try {
+    manifests = await globby2("*/SKILL.md", {
+      cwd: skillsDir,
+      absolute: true,
+      onlyFiles: true,
+      dot: true,
+      followSymbolicLinks: false,
+      deep: SKILL_MANIFEST_SCAN_DEPTH
+    });
+  } catch {
+    return [];
+  }
+  const perSkillResults = await Promise.all(
+    manifests.map(async (manifest) => {
+      const skillDir = path14.dirname(manifest);
+      try {
+        return await globby2("**/*", {
+          cwd: skillDir,
+          absolute: true,
+          onlyFiles: true,
+          dot: true,
+          followSymbolicLinks: false,
+          deep: SKILL_BUNDLE_MAX_DEPTH
+        });
+      } catch {
+        return [];
+      }
+    })
+  );
+  return perSkillResults.flat().map((p) => ({ path: p, category: "skill" }));
+}
+var DYNAMIC_SCAN_MAX_DEPTH = 6;
+var SKILL_MANIFEST_SCAN_DEPTH = 2;
+var SKILL_BUNDLE_MAX_DEPTH = 5;
+function resolveBaseDir(entry, workspaceRoot, home) {
+  switch (entry.root) {
+    case "home":
+      return home;
+    case "absolute":
+      return entry.absoluteBase;
+    default:
+      return workspaceRoot;
+  }
+}
+function scopeForRoot(root) {
+  if (root === "home" || root === "absolute") {
+    return "user-global";
+  }
+  return void 0;
+}
+function deriveIdentifier(filePath, baseDir) {
+  const relative2 = path14.relative(baseDir, filePath);
+  if (!relative2.startsWith("..")) {
+    return relative2.replace(/\\/g, "/");
+  }
+  return path14.basename(filePath);
+}
+
+// src/features/analysis/skill_quarantine/enumerateInstalledSkills.ts
+async function enumerateInstalledSkills(workspaceRoot) {
+  const { skillGroups } = await scanContextFiles(
+    workspaceRoot,
+    "claude-code",
+    void 0
+  );
+  if (skillGroups.length === 0) {
+    return [];
+  }
+  const { skills } = await processContextFiles([], skillGroups);
+  return skills.map((s) => {
+    const parts = s.group.skillPath.split(/[\\/]/);
+    const origName = parts[parts.length - 1] || s.group.name;
+    return {
+      skillPath: s.group.skillPath,
+      md5: s.md5,
+      origName,
+      isFolder: s.group.isFolder
+    };
+  });
+}
+
+// src/features/analysis/skill_quarantine/metrics.ts
+var Metric = {
+  /** A heartbeat triggered the quarantine check (after debounce). */
+  CHECK_TRIGGERED: "skill_quarantine.check_triggered",
+  /** The env-var kill switch skipped the run. */
+  CHECK_DISABLED_ENV: "skill_quarantine.check_disabled_env",
+  /** Verdict-query call failed. Fail-open. */
+  QUERY_ERROR: "skill_quarantine.query_error",
+  /** Count of skills enumerated in this run (histogram-ish). */
+  SKILLS_CHECKED: "skill_quarantine.skills_checked",
+  /** A skill was freshly quarantined. Tagged with shape. */
+  QUARANTINED: "skill_quarantine.quarantined",
+  /** Presence check hit; skill already quarantined. */
+  ALREADY_QUARANTINED: "skill_quarantine.already_quarantined",
+  /** Move step failed. Tagged with phase (stage | publish). */
+  MOVE_ERROR: "skill_quarantine.move_error",
+  /** Stub creation failed after the move succeeded. */
+  STUB_ERROR: "skill_quarantine.stub_error",
+  /** A stale staging dir was swept. */
+  ORPHAN_SWEPT: "skill_quarantine.orphan_swept",
+  /** Total run duration including I/O. */
+  DURATION_MS: "skill_quarantine.duration_ms"
+};
+
+// src/features/analysis/skill_quarantine/quarantineSkill.ts
+import { randomUUID } from "crypto";
+import { existsSync as existsSync2 } from "fs";
+import {
+  mkdir,
+  readdir,
+  readFile as readFile2,
+  rename,
+  rm,
+  stat as stat2,
+  writeFile
+} from "fs/promises";
+import path16 from "path";
+import { move } from "fs-extra";
+
+// src/features/analysis/skill_quarantine/paths.ts
+import { homedir as homedir2 } from "os";
+import path15 from "path";
+function getQuarantineRoot() {
+  return path15.join(homedir2(), ".tracy", "quarantine", "claude", "skills");
+}
+function getQuarantinedHashDir(md5) {
+  return path15.join(getQuarantineRoot(), md5);
+}
+function getQuarantinedTargetPath(md5, origName) {
+  return path15.join(getQuarantinedHashDir(md5), origName);
+}
+function getStagingDir(md5, pid, uuid) {
+  return path15.join(getQuarantineRoot(), `${md5}_tmp_${pid}_${uuid}`);
+}
+var STAGING_DIR_REGEX = /^([0-9a-f]{32})_tmp_/;
+
+// src/features/analysis/skill_quarantine/stubTemplate.ts
+var LEGACY_SUMMARY_FALLBACK = "not available (scan predates current schema)";
+function renderStub(params) {
+  const folderOrFile = params.isFolder ? "skill folder" : "skill file";
+  const reason = params.summary ?? LEGACY_SUMMARY_FALLBACK;
+  return `# \u26D4 QUARANTINED BY TRACY
+
+This skill was flagged **MALICIOUS** by the Mobb security scanner and has been
+moved out of your skills folder. **Claude Code will not execute it** while this
+stub is in place.
+
+## Why this skill was flagged
+
+- **Reason:** ${reason}
+- **Scanner:** ${params.scannerName} @ ${params.scannerVersion}
+- **Scanned at:** ${params.scannedAt}
+- **Content hash (MD5):** \`${params.md5}\`
+
+## Where the original is now
+
+The original ${folderOrFile} has been moved to:
+
+    ${params.quarantinedPath}
+
+Nothing has been deleted. The contents are intact; only the location changed.
+
+## If this is a false positive \u2014 how to recover
+
+If you're confident this skill is safe and want to restore it:
+
+    mv ${params.quarantinedPath} ${params.origPath}
+
+Tracy will not re-quarantine it as long as the directory
+\`~/.tracy/quarantine/claude/skills/${params.md5}/\` still exists on your
+machine (even if it's empty after you moved the contents out). If you delete
+that directory entirely, the next heartbeat will re-evaluate the skill from
+scratch.
+
+## How to report a false positive
+
+Please email **security@mobb.ai** with:
+
+- The MD5 above
+- A short description of why you believe the flag was wrong
+- (Optional) the skill folder contents
+
+Your report helps tune the scanner for everyone.
+`;
+}
+
+// src/features/analysis/skill_quarantine/quarantineSkill.ts
+async function quarantineSkill(params) {
+  const { skillPath, isFolder, md5, origName, verdict, log: log2 } = params;
+  const hashDir = getQuarantinedHashDir(md5);
+  if (existsSync2(hashDir)) {
+    log2.debug(
+      { md5, metric: Metric.ALREADY_QUARANTINED },
+      "skill_quarantine: already quarantined, skipping"
+    );
+    return { status: "already_quarantined" };
+  }
+  const stagingDir = getStagingDir(md5, process.pid, randomUUID());
+  const stagingTarget = path16.join(stagingDir, origName);
+  const finalTarget = getQuarantinedTargetPath(md5, origName);
+  try {
+    await mkdir(stagingDir, { recursive: true });
+  } catch (err) {
+    log2.error(
+      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
+      "skill_quarantine: failed to create staging dir"
+    );
+    return { status: "move_error", phase: "stage", err };
+  }
+  try {
+    await move(skillPath, stagingTarget);
+  } catch (err) {
+    await tryRm(stagingDir);
+    log2.error(
+      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
+      "skill_quarantine: phase-1 move failed"
+    );
+    return { status: "move_error", phase: "stage", err };
+  }
+  try {
+    await rename(stagingDir, hashDir);
+  } catch (err) {
+    log2.error(
+      {
+        err,
+        md5,
+        stagingDir,
+        metric: Metric.MOVE_ERROR,
+        phase: "publish"
+      },
+      "skill_quarantine: phase-2 publish failed; staging dir preserved for manual recovery"
+    );
+    return { status: "move_error", phase: "publish", err };
+  }
+  const quarantinedPath = finalTarget;
+  const stubContent = renderStub({
+    md5,
+    isFolder,
+    quarantinedPath,
+    origPath: skillPath,
+    summary: verdict.summary,
+    scannerName: verdict.scannerName,
+    scannerVersion: verdict.scannerVersion,
+    scannedAt: verdict.scannedAt
+  });
+  try {
+    if (isFolder) {
+      await mkdir(skillPath, { recursive: true });
+      await writeFile(path16.join(skillPath, "SKILL.md"), stubContent, "utf8");
+    } else {
+      await writeFile(skillPath, stubContent, "utf8");
+    }
+  } catch (err) {
+    log2.error(
+      { err, md5, skillPath, metric: Metric.STUB_ERROR },
+      "skill_quarantine: stub write failed; quarantine is still in place"
+    );
+    return { status: "stub_error", err };
+  }
+  await preRegisterStubMd5(skillPath, isFolder, log2);
+  log2.info(
+    {
+      md5,
+      verdict: verdict.verdict,
+      shape: isFolder ? "folder" : "standalone",
+      scanner: verdict.scannerName,
+      scannerVersion: verdict.scannerVersion,
+      metric: Metric.QUARANTINED
+    },
+    "skill_quarantine: quarantined"
+  );
+  return { status: "quarantined" };
+}
+async function preRegisterStubMd5(skillPath, isFolder, log2) {
+  try {
+    const stubEntries = await gatherStubEntries(skillPath, isFolder);
+    const stubGroup = {
+      name: path16.basename(skillPath).replace(/\.md$/i, ""),
+      root: "workspace",
+      skillPath,
+      files: stubEntries,
+      isFolder,
+      maxMtimeMs: Date.now(),
+      sessionKey: `quarantine-stub:${skillPath}`
+    };
+    const { skills } = await processContextFiles([], [stubGroup]);
+    if (skills.length === 0) return;
+    const stubMd5 = skills[0].md5;
+    await mkdir(getQuarantinedHashDir(stubMd5), { recursive: true });
+  } catch (err) {
+    log2.warn(
+      { err, skillPath },
+      "skill_quarantine: failed to pre-register stub md5"
+    );
+  }
+}
+async function gatherStubEntries(skillPath, isFolder) {
+  const now = Date.now();
+  const target = isFolder ? path16.join(skillPath, "SKILL.md") : skillPath;
+  const [st, content] = await Promise.all([
+    stat2(target),
+    readFile2(target, "utf8")
+  ]);
+  return [
+    {
+      name: isFolder ? "SKILL.md" : path16.basename(skillPath),
+      path: target,
+      content,
+      sizeBytes: st.size,
+      category: "skill",
+      mtimeMs: now
+    }
+  ];
+}
+async function sweepOrphanStagingDirs(log2) {
+  const root = getQuarantineRoot();
+  let entries;
+  try {
+    entries = await readdir(root);
+  } catch (err) {
+    if (err.code === "ENOENT") return 0;
+    log2.warn({ err, root }, "skill_quarantine: orphan sweep readdir failed");
+    return 0;
+  }
+  const now = Date.now();
+  let swept = 0;
+  for (const entry of entries) {
+    if (!STAGING_DIR_REGEX.test(entry)) continue;
+    const full = path16.join(root, entry);
+    let mtimeMs;
+    try {
+      mtimeMs = (await stat2(full)).mtimeMs;
+    } catch {
+      continue;
+    }
+    if (now - mtimeMs < ORPHAN_SWEEP_GRACE_MS) continue;
+    try {
+      await rm(full, { recursive: true, force: true });
+      swept += 1;
+      log2.info(
+        { path: full, metric: Metric.ORPHAN_SWEPT },
+        "skill_quarantine: orphan swept"
+      );
+    } catch (err) {
+      log2.warn({ err, path: full }, "skill_quarantine: orphan sweep rm failed");
+    }
+  }
+  return swept;
+}
+async function tryRm(p) {
+  try {
+    await rm(p, { recursive: true, force: true });
+  } catch {
+  }
+}
+
+// src/features/analysis/skill_quarantine/queryVerdicts.ts
+async function queryVerdicts(gqlClient, md5s, log2) {
+  if (md5s.length === 0) {
+    return /* @__PURE__ */ new Map();
+  }
+  try {
+    const res = await gqlClient.skillVerdictsByMd5(md5s);
+    const out = /* @__PURE__ */ new Map();
+    for (const row of res.skillVerdictsByMd5) {
+      out.set(row.md5, {
+        md5: row.md5,
+        verdict: row.verdict,
+        summary: row.summary ?? null,
+        scannerName: row.scannerName,
+        scannerVersion: row.scannerVersion,
+        scannedAt: row.scannedAt
+      });
+    }
+    return out;
+  } catch (err) {
+    log2.warn(
+      { err, md5_count: md5s.length, metric: "skill_quarantine.query_error" },
+      "skill_quarantine: verdict query failed, failing open"
+    );
+    return /* @__PURE__ */ new Map();
+  }
+}
+
+// src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+var lastRunAt = /* @__PURE__ */ new Map();
+var killSwitchLogged = false;
+async function runQuarantineCheckIfNeeded(opts) {
+  const { sessionId, cwd, gqlClient, log: log2 } = opts;
+  if (process.env[KILL_SWITCH_ENV] === "1") {
+    if (!killSwitchLogged) {
+      log2.warn(
+        { metric: Metric.CHECK_DISABLED_ENV },
+        `skill_quarantine: disabled by ${KILL_SWITCH_ENV}=1`
+      );
+      killSwitchLogged = true;
+    }
+    return;
+  }
+  const now = Date.now();
+  const prev = lastRunAt.get(sessionId);
+  if (prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS) {
+    return;
+  }
+  lastRunAt.set(sessionId, now);
+  log2.info(
+    { sessionId, metric: Metric.CHECK_TRIGGERED },
+    "skill_quarantine: check start"
+  );
+  const t0 = Date.now();
+  try {
+    await sweepOrphanStagingDirs(log2);
+    const installed = await enumerateInstalledSkills(cwd);
+    log2.info(
+      { sessionId, count: installed.length, metric: Metric.SKILLS_CHECKED },
+      "skill_quarantine: skills enumerated"
+    );
+    if (installed.length === 0) {
+      return;
+    }
+    const verdicts = await queryVerdicts(
+      gqlClient,
+      installed.map((s) => s.md5),
+      log2
+    );
+    for (const skill of installed) {
+      const verdict = verdicts.get(skill.md5);
+      if (!verdict || verdict.verdict !== MALICIOUS_VERDICT) {
+        continue;
+      }
+      try {
+        await quarantineSkill({
+          skillPath: skill.skillPath,
+          isFolder: skill.isFolder,
+          md5: skill.md5,
+          origName: skill.origName,
+          verdict,
+          log: log2
+        });
+      } catch (err) {
+        log2.error(
+          { err, md5: skill.md5, skillPath: skill.skillPath },
+          "skill_quarantine: unexpected error during quarantine"
+        );
+      }
+    }
+  } finally {
+    log2.info(
+      {
+        sessionId,
+        duration_ms: Date.now() - t0,
+        metric: Metric.DURATION_MS
+      },
+      "skill_quarantine: check done"
+    );
+  }
+}
 
 // src/features/claude_code/daemon_pid_file.ts
 import fs13 from "fs";
 import os4 from "os";
-import path13 from "path";
+import path17 from "path";
 
 // src/features/claude_code/data_collector_constants.ts
 var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
@@ -17031,24 +18180,28 @@ var GQL_AUTH_TIMEOUT_MS = 15e3;
 var STALE_KEY_MAX_AGE_MS = 14 * 24 * 60 * 60 * 1e3;
 var CLEANUP_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 var DAEMON_TTL_MS = 30 * 60 * 1e3;
-var DAEMON_POLL_INTERVAL_MS = 1e4;
+var DAEMON_POLL_INTERVAL_MS = (() => {
+  const raw = Number(process.env["MOBB_DAEMON_POLL_INTERVAL_MS"]);
+  if (!Number.isFinite(raw) || raw <= 0) return 1e4;
+  return Math.min(Math.max(raw, 100), 6e4);
+})();
 var HEARTBEAT_STALE_MS = 3e4;
 var TRANSCRIPT_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 var DAEMON_CHUNK_SIZE = 50;
 
 // src/features/claude_code/daemon_pid_file.ts
 function getMobbdevDir() {
-  return path13.join(os4.homedir(), ".mobbdev");
+  return path17.join(os4.homedir(), ".mobbdev");
 }
 function getDaemonCheckScriptPath() {
-  return path13.join(getMobbdevDir(), "daemon-check.js");
+  return path17.join(getMobbdevDir(), "daemon-check.js");
 }
 var DaemonPidFile = class {
   constructor() {
     __publicField(this, "data", null);
   }
   get filePath() {
-    return path13.join(getMobbdevDir(), "daemon.pid");
+    return path17.join(getMobbdevDir(), "daemon.pid");
   }
   /** Ensure ~/.mobbdev/ directory exists. */
   ensureDir() {
@@ -17109,10 +18262,159 @@ var DaemonPidFile = class {
 
 // src/features/claude_code/data_collector.ts
 import { execFile } from "child_process";
-import { createHash as createHash2 } from "crypto";
-import { access, open as open4, readdir, readFile, unlink } from "fs/promises";
-import path14 from "path";
+import { createHash as createHash3 } from "crypto";
+import { access, open as open4, readdir as readdir2, readFile as readFile3, unlink } from "fs/promises";
+import path18 from "path";
 import { promisify } from "util";
+
+// src/features/analysis/context_file_uploader.ts
+import pLimit7 from "p-limit";
+init_client_generates();
+var UPLOAD_CONCURRENCY = 5;
+async function uploadContextRecords(opts) {
+  const {
+    processedFiles,
+    processedSkills,
+    keyPrefix,
+    url,
+    uploadFields,
+    sessionId,
+    now,
+    platform: platform2,
+    repositoryUrl,
+    clientVersion,
+    onFileError,
+    onSkillError
+  } = opts;
+  const records = [];
+  const uploadedFiles = [];
+  const uploadedSkillGroups = [];
+  const limit = pLimit7(UPLOAD_CONCURRENCY);
+  const extraFields = {
+    ...repositoryUrl !== void 0 && { repositoryUrl },
+    ...clientVersion !== void 0 && { clientVersion }
+  };
+  const tasks = [
+    ...processedFiles.map(
+      (pf) => limit(async () => {
+        const s3Key = `${keyPrefix}ctx-${pf.md5}.bin`;
+        try {
+          await uploadFile({
+            file: Buffer.from(pf.sanitizedContent, "utf-8"),
+            url,
+            uploadKey: s3Key,
+            uploadFields
+          });
+        } catch (err) {
+          onFileError?.(pf.entry.name, err);
+          return;
+        }
+        records.push({
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          platform: platform2,
+          recordId: `ctx:${sessionId}:${pf.md5}`,
+          recordTimestamp: now,
+          blameType: "CHAT" /* Chat */,
+          rawDataS3Key: s3Key,
+          ...extraFields,
+          context: {
+            md5: pf.md5,
+            category: pf.entry.category,
+            name: pf.entry.name,
+            sizeBytes: pf.sizeBytes,
+            filePath: pf.entry.path,
+            sessionId
+          }
+        });
+        uploadedFiles.push(pf.entry);
+      })
+    ),
+    ...processedSkills.map(
+      (ps) => limit(async () => {
+        const s3Key = `${keyPrefix}skill-${ps.md5}.zip`;
+        try {
+          await uploadFile({
+            file: ps.zipBuffer,
+            url,
+            uploadKey: s3Key,
+            uploadFields
+          });
+        } catch (err) {
+          onSkillError?.(ps.group.name, err);
+          return;
+        }
+        records.push({
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          platform: platform2,
+          recordId: `ctx:${sessionId}:${ps.md5}`,
+          recordTimestamp: now,
+          blameType: "CHAT" /* Chat */,
+          rawDataS3Key: s3Key,
+          ...extraFields,
+          context: {
+            md5: ps.md5,
+            category: SKILL_CATEGORY,
+            name: ps.group.name,
+            sizeBytes: ps.sizeBytes,
+            filePath: ps.group.skillPath,
+            sessionId
+          }
+        });
+        uploadedSkillGroups.push(ps.group);
+      })
+    )
+  ];
+  await Promise.allSettled(tasks);
+  return { records, uploadedFiles, uploadedSkillGroups };
+}
+async function runContextFileUploadPipeline(opts) {
+  const {
+    processedFiles,
+    processedSkills,
+    sessionId,
+    platform: platform2,
+    url,
+    uploadFieldsJSON,
+    keyPrefix,
+    repositoryUrl,
+    clientVersion,
+    submitRecords,
+    onFileError,
+    onSkillError
+  } = opts;
+  let uploadFields;
+  try {
+    uploadFields = JSON.parse(uploadFieldsJSON);
+  } catch {
+    return null;
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const { records, uploadedFiles, uploadedSkillGroups } = await uploadContextRecords({
+    processedFiles,
+    processedSkills,
+    keyPrefix,
+    url,
+    uploadFields,
+    sessionId,
+    now,
+    platform: platform2,
+    repositoryUrl,
+    clientVersion,
+    onFileError,
+    onSkillError
+  });
+  if (records.length === 0) {
+    return { fileCount: 0, skillCount: 0 };
+  }
+  await submitRecords(records);
+  markContextFilesUploaded(sessionId, uploadedFiles, uploadedSkillGroups);
+  return {
+    fileCount: uploadedFiles.length,
+    skillCount: uploadedSkillGroups.length
+  };
+}
+
+// src/features/claude_code/data_collector.ts
 init_client_generates();
 
 // src/utils/shared-logger/create-logger.ts
@@ -17126,6 +18428,8 @@ var DEFAULT_MAX_LOGS = 1e3;
 var DEFAULT_MAX_HEARTBEAT = 100;
 var LOGS_KEY = "logs";
 var HEARTBEAT_KEY = "heartbeat";
+var MAX_DATA_CHARS = 2048;
+var MAX_SCOPE_KEYS = 20;
 function createConfigstoreStream(store, opts) {
   const maxLogs = opts.maxLogs ?? DEFAULT_MAX_LOGS;
   const maxHeartbeat = opts.maxHeartbeat ?? DEFAULT_MAX_HEARTBEAT;
@@ -17141,6 +18445,10 @@ function createConfigstoreStream(store, opts) {
       existing.push(...entries);
       const trimmed = existing.length > max ? existing.slice(-max) : existing;
       store.set(key, trimmed);
+      const prefix = key.includes(":") ? key.split(":")[0] : null;
+      if (prefix) {
+        pruneStaleScopes(prefix);
+      }
     } catch {
       try {
         const lines = `${entries.map((e) => JSON.stringify(e)).join("\n")}
@@ -17150,11 +18458,40 @@ function createConfigstoreStream(store, opts) {
       }
     }
   }
+  function pruneStaleScopes(prefix) {
+    const allKeys = Object.keys(store.all);
+    const scopedKeys = allKeys.filter(
+      (k) => k.startsWith(`${prefix}:`) && Array.isArray(store.get(k))
+    );
+    if (scopedKeys.length <= MAX_SCOPE_KEYS) {
+      return;
+    }
+    const withTimestamp = scopedKeys.map((k) => {
+      const entries = store.get(k);
+      const last = entries.length > 0 ? entries[entries.length - 1] : void 0;
+      return { key: k, lastTs: last?.timestamp ?? "" };
+    });
+    withTimestamp.sort((a, b) => a.lastTs.localeCompare(b.lastTs));
+    const toDelete = withTimestamp.slice(
+      0,
+      withTimestamp.length - MAX_SCOPE_KEYS
+    );
+    for (const { key: k } of toDelete) {
+      store.delete(k);
+    }
+  }
   const writable = new stream.Writable({
     write(chunk, _encoding, callback) {
       callback();
       try {
         const parsed = JSON.parse(chunk.toString());
+        let data = parsed.data;
+        if (data !== void 0) {
+          const serialized = JSON.stringify(data);
+          if (serialized.length > MAX_DATA_CHARS) {
+            data = `${serialized.slice(0, MAX_DATA_CHARS)}... [truncated, ${serialized.length} chars]`;
+          }
+        }
         const entry = {
           timestamp: parsed.time ? new Date(parsed.time).toISOString() : (/* @__PURE__ */ new Date()).toISOString(),
           level: parsed.level ?? "info",
@@ -17162,7 +18499,7 @@ function createConfigstoreStream(store, opts) {
           ...parsed.durationMs !== void 0 && {
             durationMs: parsed.durationMs
           },
-          ...parsed.data !== void 0 && { data: parsed.data }
+          ...data !== void 0 && { data }
         };
         const isHeartbeat = parsed.heartbeat === true;
         if (opts.buffered) {
@@ -17192,8 +18529,8 @@ function createConfigstoreStream(store, opts) {
       heartbeatBuffer.length = 0;
     }
   }
-  function setScopePath(path30) {
-    scopePath = path30;
+  function setScopePath(path34) {
+    scopePath = path34;
   }
   return { writable, flush, setScopePath };
 }
@@ -17274,10 +18611,10 @@ function createDdBatch(config2) {
 }
 
 // src/utils/shared-logger/hostname.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import os5 from "os";
 function hashString(input) {
-  return createHash("sha256").update(input).digest("hex").slice(0, 16);
+  return createHash2("sha256").update(input).digest("hex").slice(0, 16);
 }
 function getPlainHostname() {
   try {
@@ -17417,7 +18754,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.3.5" : "unknown";
+var CLI_VERSION = true ? "1.4.0" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -17495,11 +18832,11 @@ async function detectClaudeCodeVersion() {
 }
 function generateSyntheticId(sessionId, timestamp, type2, lineIndex) {
   const input = `${sessionId ?? ""}:${timestamp ?? ""}:${type2 ?? ""}:${lineIndex}`;
-  const hash = createHash2("sha256").update(input).digest("hex").slice(0, 16);
+  const hash = createHash3("sha256").update(input).digest("hex").slice(0, 16);
   return `synth:${hash}`;
 }
 function getCursorKey(transcriptPath) {
-  const hash = createHash2("sha256").update(transcriptPath).digest("hex").slice(0, 12);
+  const hash = createHash3("sha256").update(transcriptPath).digest("hex").slice(0, 12);
   return `cursor.${hash}`;
 }
 async function resolveTranscriptPath(transcriptPath, sessionId) {
@@ -17508,12 +18845,12 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     return transcriptPath;
   } catch {
   }
-  const filename = path14.basename(transcriptPath);
-  const dirName = path14.basename(path14.dirname(transcriptPath));
-  const projectsDir = path14.dirname(path14.dirname(transcriptPath));
+  const filename = path18.basename(transcriptPath);
+  const dirName = path18.basename(path18.dirname(transcriptPath));
+  const projectsDir = path18.dirname(path18.dirname(transcriptPath));
   const baseDirName = dirName.replace(/[-.]claude-worktrees-.+$/, "");
   if (baseDirName !== dirName) {
-    const candidate = path14.join(projectsDir, baseDirName, filename);
+    const candidate = path18.join(projectsDir, baseDirName, filename);
     try {
       await access(candidate);
       hookLog.info(
@@ -17532,10 +18869,10 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     }
   }
   try {
-    const dirs = await readdir(projectsDir);
+    const dirs = await readdir2(projectsDir);
     for (const dir of dirs) {
       if (dir === dirName) continue;
-      const candidate = path14.join(projectsDir, dir, filename);
+      const candidate = path18.join(projectsDir, dir, filename);
       try {
         await access(candidate);
         hookLog.info(
@@ -17566,9 +18903,9 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   if (cursor?.byteOffset) {
     const fh = await open4(transcriptPath, "r");
     try {
-      const stat2 = await fh.stat();
-      fileSize = stat2.size;
-      if (cursor.byteOffset >= stat2.size) {
+      const stat4 = await fh.stat();
+      fileSize = stat4.size;
+      if (cursor.byteOffset >= stat4.size) {
         hookLog.info({ data: { sessionId } }, "No new data in transcript file");
         return {
           entries: [],
@@ -17576,7 +18913,7 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
           resolvedTranscriptPath: transcriptPath
         };
       }
-      const buf = Buffer.alloc(stat2.size - cursor.byteOffset);
+      const buf = Buffer.alloc(stat4.size - cursor.byteOffset);
       await fh.read(buf, 0, buf.length, cursor.byteOffset);
       content = buf.toString("utf-8");
     } finally {
@@ -17594,7 +18931,7 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
       "Read transcript file from offset"
     );
   } else {
-    content = await readFile(transcriptPath, "utf-8");
+    content = await readFile3(transcriptPath, "utf-8");
     fileSize = Buffer.byteLength(content, "utf-8");
     lineIndexOffset = 0;
     hookLog.debug(
@@ -17693,14 +19030,6 @@ var FILTERED_ENTRY_TYPES = /* @__PURE__ */ new Set([
   // Redundant — the actual user prompt is already captured in the 'user' entry.
   "last-prompt"
 ]);
-var FILTERED_ASSISTANT_TOOLS = /* @__PURE__ */ new Set([
-  // Polls for a sub-agent result. The input is just task_id + boilerplate
-  // (block, timeout). The actual result is captured in the user:tool_result.
-  "TaskOutput",
-  // Discovers available deferred/MCP tools. The input is just a search query.
-  // The discovered tools are captured in the user:tool_result.
-  "ToolSearch"
-]);
 function filterEntries(entries) {
   const filtered = entries.filter((entry) => {
     const entryType = entry.type ?? "";
@@ -17712,16 +19041,6 @@ function filterEntries(entries) {
       const subtype = typeof data?.["type"] === "string" ? data["type"] : "";
       return !FILTERED_PROGRESS_SUBTYPES.has(subtype);
     }
-    if (entryType === "assistant") {
-      const message = entry["message"];
-      const content = message?.["content"];
-      if (Array.isArray(content) && content.length > 0) {
-        const block = content[0];
-        if (block["type"] === "tool_use" && typeof block["name"] === "string" && FILTERED_ASSISTANT_TOOLS.has(block["name"])) {
-          return false;
-        }
-      }
-    }
     return true;
   });
   return { filtered, filteredOut: entries.length - filtered.length };
@@ -17734,13 +19053,13 @@ async function cleanupStaleSessions(configDir) {
   const now = Date.now();
   const prefix = getSessionFilePrefix();
   try {
-    const files = await readdir(configDir);
+    const files = await readdir2(configDir);
     let deletedCount = 0;
     for (const file of files) {
       if (!file.startsWith(prefix) || !file.endsWith(".json")) continue;
-      const filePath = path14.join(configDir, file);
+      const filePath = path18.join(configDir, file);
       try {
-        const content = JSON.parse(await readFile(filePath, "utf-8"));
+        const content = JSON.parse(await readFile3(filePath, "utf-8"));
         let newest = 0;
         const cursors = content["cursor"];
         if (cursors && typeof cursors === "object") {
@@ -17890,6 +19209,16 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       entriesSkipped: filteredOut,
       claudeCodeVersion: getClaudeCodeVersion()
     });
+    if (input.cwd) {
+      uploadContextFilesIfNeeded(
+        input.session_id,
+        input.cwd,
+        gqlClient,
+        log2
+      ).catch((err) => {
+        log2.error({ data: { err } }, "uploadContextFilesIfNeeded failed");
+      });
+    }
     return {
       entriesUploaded: entries.length,
       entriesSkipped: filteredOut,
@@ -17906,19 +19235,84 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
     errors: entries.length
   };
 }
+async function uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2) {
+  const { regularFiles, skillGroups } = await scanContextFiles(
+    cwd,
+    "claude-code",
+    sessionId
+  );
+  if (regularFiles.length === 0 && skillGroups.length === 0) {
+    return;
+  }
+  const { files: processedFiles, skills: processedSkills } = await processContextFiles(regularFiles, skillGroups);
+  if (processedFiles.length === 0 && processedSkills.length === 0) {
+    return;
+  }
+  const uploadUrlResult = await gqlClient.getTracyRawDataUploadUrl();
+  const { url, uploadFieldsJSON, keyPrefix } = uploadUrlResult.getTracyRawDataUploadUrl;
+  if (!url || !uploadFieldsJSON || !keyPrefix) {
+    log2.error(
+      { data: { sessionId } },
+      "Failed to get S3 upload URL for context files"
+    );
+    return;
+  }
+  const pipelineResult = await runContextFileUploadPipeline({
+    processedFiles,
+    processedSkills,
+    sessionId,
+    platform: "CLAUDE_CODE" /* ClaudeCode */,
+    url,
+    uploadFieldsJSON,
+    keyPrefix,
+    submitRecords: async (records) => {
+      const r = await prepareAndSendTracyRecords(gqlClient, records, cwd);
+      if (!r.ok) {
+        throw new Error(r.errors?.join(", ") ?? "batch upload failed");
+      }
+    },
+    onFileError: (name, err) => log2.error(
+      { data: { sessionId, name, err } },
+      "Failed to upload context file to S3"
+    ),
+    onSkillError: (name, err) => log2.error(
+      { data: { sessionId, name, err } },
+      "Failed to upload skill zip to S3"
+    )
+  });
+  if (pipelineResult === null) {
+    log2.error(
+      { data: { sessionId } },
+      "Malformed uploadFieldsJSON for context files"
+    );
+    return;
+  }
+  if (pipelineResult.fileCount > 0 || pipelineResult.skillCount > 0) {
+    log2.info(
+      {
+        data: {
+          sessionId,
+          fileCount: pipelineResult.fileCount,
+          skillCount: pipelineResult.skillCount
+        }
+      },
+      "Uploaded context files and skills for session"
+    );
+  }
+}
 
 // src/features/claude_code/install_hook.ts
 import fs14 from "fs";
 import fsPromises4 from "fs/promises";
 import os6 from "os";
-import path15 from "path";
+import path19 from "path";
 import chalk11 from "chalk";
 
 // src/features/claude_code/daemon-check-shim.tmpl.js
 var daemon_check_shim_tmpl_default = "// Mobb daemon shim \u2014 checks if daemon is alive, spawns if dead.\n// Auto-generated by mobbdev CLI. Do not edit.\nvar fs = require('fs')\nvar spawn = require('child_process').spawn\nvar path = require('path')\nvar os = require('os')\n\nvar pidFile = path.join(os.homedir(), '.mobbdev', 'daemon.pid')\nvar HEARTBEAT_STALE_MS = __HEARTBEAT_STALE_MS__\n\ntry {\n  var data = JSON.parse(fs.readFileSync(pidFile, 'utf8'))\n  if (Date.now() - data.heartbeat > HEARTBEAT_STALE_MS) throw new Error('stale')\n  process.kill(data.pid, 0) // throws ESRCH if the process is gone\n} catch (e) {\n  var localCli = process.env.MOBBDEV_LOCAL_CLI\n  var child = localCli\n    ? spawn('node', [localCli, 'claude-code-daemon'], { detached: true, stdio: 'ignore', windowsHide: true })\n    : spawn('npx', ['--yes', 'mobbdev@latest', 'claude-code-daemon'], { detached: true, stdio: 'ignore', shell: true, windowsHide: true })\n  child.unref()\n}\n";
 
 // src/features/claude_code/install_hook.ts
-var CLAUDE_SETTINGS_PATH = path15.join(os6.homedir(), ".claude", "settings.json");
+var CLAUDE_SETTINGS_PATH = path19.join(os6.homedir(), ".claude", "settings.json");
 var RECOMMENDED_MATCHER = "*";
 async function claudeSettingsExists() {
   try {
@@ -18064,18 +19458,18 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir2, stat } from "fs/promises";
+import { open as open5, readdir as readdir3, stat as stat3 } from "fs/promises";
 import os7 from "os";
-import path16 from "path";
+import path20 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function getClaudeProjectsDirs() {
   const dirs = [];
   const configDir = process.env["CLAUDE_CONFIG_DIR"];
   if (configDir) {
-    dirs.push(path16.join(configDir, "projects"));
+    dirs.push(path20.join(configDir, "projects"));
   }
-  dirs.push(path16.join(os7.homedir(), ".config", "claude", "projects"));
-  dirs.push(path16.join(os7.homedir(), ".claude", "projects"));
+  dirs.push(path20.join(os7.homedir(), ".config", "claude", "projects"));
+  dirs.push(path20.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
 async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
@@ -18083,12 +19477,12 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
     if (!file.endsWith(".jsonl")) continue;
     const sessionId = file.replace(".jsonl", "");
     if (!UUID_RE.test(sessionId)) continue;
-    const filePath = path16.join(dir, file);
+    const filePath = path20.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
     let fileStat;
     try {
-      fileStat = await stat(filePath);
+      fileStat = await stat3(filePath);
     } catch {
       continue;
     }
@@ -18109,33 +19503,33 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
   for (const projectsDir of projectsDirs) {
     let projectDirs;
     try {
-      projectDirs = await readdir2(projectsDir);
+      projectDirs = await readdir3(projectsDir);
     } catch {
       continue;
     }
     for (const projName of projectDirs) {
-      const projPath = path16.join(projectsDir, projName);
+      const projPath = path20.join(projectsDir, projName);
       let projStat;
       try {
-        projStat = await stat(projPath);
+        projStat = await stat3(projPath);
       } catch {
         continue;
       }
       if (!projStat.isDirectory()) continue;
       let files;
       try {
-        files = await readdir2(projPath);
+        files = await readdir3(projPath);
       } catch {
         continue;
       }
       await collectJsonlFiles(files, projPath, projPath, seen, now, results);
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
-        const subagentsDir = path16.join(projPath, entry, "subagents");
+        const subagentsDir = path20.join(projPath, entry, "subagents");
         try {
-          const s = await stat(subagentsDir);
+          const s = await stat3(subagentsDir);
           if (!s.isDirectory()) continue;
-          const subFiles = await readdir2(subagentsDir);
+          const subFiles = await readdir3(subagentsDir);
           await collectJsonlFiles(
             subFiles,
             subagentsDir,
@@ -18185,6 +19579,7 @@ async function extractCwdFromTranscript(filePath) {
 // src/features/claude_code/daemon.ts
 async function startDaemon() {
   hookLog.info("Daemon starting");
+  pruneHookLogFile();
   const pidFile = await acquirePidFile();
   async function gracefulExit(code, reason) {
     hookLog.info({ data: { code } }, `Daemon exiting: ${reason}`);
@@ -18231,7 +19626,7 @@ async function startDaemon() {
       for (const transcript of changed) {
         const sessionStore = createSessionConfigStore(transcript.sessionId);
         if (!cleanupConfigDir) {
-          cleanupConfigDir = path17.dirname(sessionStore.path);
+          cleanupConfigDir = path21.dirname(sessionStore.path);
         }
         await drainTranscript(transcript, sessionStore, gqlClient);
       }
@@ -18313,6 +19708,19 @@ async function drainTranscript(transcript, sessionStore, gqlClient) {
       "Error processing transcript \u2014 skipping"
     );
   }
+  if (cwd) {
+    runQuarantineCheckIfNeeded({
+      sessionId: transcript.sessionId,
+      cwd,
+      gqlClient,
+      log: log2
+    }).catch((err) => {
+      hookLog.warn(
+        { err, data: { sessionId: transcript.sessionId } },
+        "runQuarantineCheckIfNeeded failed"
+      );
+    });
+  }
 }
 async function detectChangedTranscripts(lastSeen) {
   const transcripts = await scanForTranscripts();
@@ -18346,6 +19754,53 @@ async function tryAutoUpgradeHooks() {
     hookLog.warn({ err }, "Failed to auto-upgrade hook matcher");
   }
 }
+var HOOK_LOG_MAX_SCOPE_KEYS = 20;
+var HOOK_LOG_MAX_ENTRIES_PER_KEY = 200;
+function pruneHookLogFile() {
+  const logFilePath = new Configstore3("mobbdev-claude-code-hook-logs").path;
+  try {
+    const raw = readFileSync(logFilePath, "utf-8");
+    const data = JSON.parse(raw);
+    const prefixes = /* @__PURE__ */ new Map();
+    for (const key of Object.keys(data)) {
+      const colonIdx = key.indexOf(":");
+      const prefix = colonIdx > 0 ? key.slice(0, colonIdx) : key;
+      const group = prefixes.get(prefix) ?? [];
+      group.push(key);
+      prefixes.set(prefix, group);
+    }
+    let changed = false;
+    for (const [, keys] of prefixes) {
+      if (keys.length <= HOOK_LOG_MAX_SCOPE_KEYS) {
+        continue;
+      }
+      const withTs = keys.map((k) => {
+        const val = data[k];
+        if (!Array.isArray(val) || val.length === 0) {
+          return { key: k, lastTs: "" };
+        }
+        const last = val[val.length - 1];
+        return { key: k, lastTs: last?.timestamp ?? "" };
+      }).sort((a, b) => a.lastTs.localeCompare(b.lastTs));
+      const toDelete = withTs.slice(0, withTs.length - HOOK_LOG_MAX_SCOPE_KEYS);
+      for (const { key } of toDelete) {
+        delete data[key];
+        changed = true;
+      }
+    }
+    for (const [key, val] of Object.entries(data)) {
+      if (Array.isArray(val) && val.length > HOOK_LOG_MAX_ENTRIES_PER_KEY) {
+        data[key] = val.slice(-HOOK_LOG_MAX_ENTRIES_PER_KEY);
+        changed = true;
+      }
+    }
+    if (changed) {
+      writeFileSync2(logFilePath, JSON.stringify(data, null, "	"));
+      hookLog.info("Pruned hook log file");
+    }
+  } catch {
+  }
+}
 
 // src/args/commands/claude_code.ts
 var claudeCodeInstallHookBuilder = (yargs2) => {
@@ -18434,7 +19889,7 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 
 // src/mcp/Logger.ts
-import Configstore3 from "configstore";
+import Configstore4 from "configstore";
 
 // src/mcp/services/WorkspaceService.ts
 var WorkspaceService = class {
@@ -18442,8 +19897,8 @@ var WorkspaceService = class {
    * Sets a known workspace path that was discovered through successful validation
    * @param path The validated workspace path to store
    */
-  static setKnownWorkspacePath(path30) {
-    this.knownWorkspacePath = path30;
+  static setKnownWorkspacePath(path34) {
+    this.knownWorkspacePath = path34;
   }
   /**
    * Gets the known workspace path that was previously validated
@@ -18520,7 +19975,7 @@ var Logger = class {
     __publicField(this, "lastKnownPath", null);
     this.host = WorkspaceService.getHost();
     this.unknownPathSuffix = Math.floor(1e3 + Math.random() * 9e3).toString();
-    this.mobbConfigStore = new Configstore3("mobb-logs", {});
+    this.mobbConfigStore = new Configstore4("mobb-logs", {});
     this.mobbConfigStore.set("version", packageJson.version);
   }
   /**
@@ -19304,7 +20759,7 @@ async function createAuthenticatedMcpGQLClient({
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
 import os8 from "os";
-import path18 from "path";
+import path22 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
   try {
@@ -19319,7 +20774,7 @@ var gitInfo = {
 };
 var getClaudeWorkspacePaths = () => {
   const home = os8.homedir();
-  const claudeIdePath = path18.join(home, ".claude", "ide");
+  const claudeIdePath = path22.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
     return workspacePaths;
@@ -19327,7 +20782,7 @@ var getClaudeWorkspacePaths = () => {
   try {
     const lockFiles = fs15.readdirSync(claudeIdePath).filter((file) => file.endsWith(".lock"));
     for (const lockFile of lockFiles) {
-      const lockFilePath = path18.join(claudeIdePath, lockFile);
+      const lockFilePath = path22.join(claudeIdePath, lockFile);
       try {
         const lockContent = JSON.parse(fs15.readFileSync(lockFilePath, "utf8"));
         if (lockContent.workspaceFolders && Array.isArray(lockContent.workspaceFolders)) {
@@ -19352,24 +20807,24 @@ var getMCPConfigPaths = (hostName) => {
   switch (hostName.toLowerCase()) {
     case "cursor":
       return [
-        path18.join(currentDir, ".cursor", "mcp.json"),
+        path22.join(currentDir, ".cursor", "mcp.json"),
         // local first
-        path18.join(home, ".cursor", "mcp.json")
+        path22.join(home, ".cursor", "mcp.json")
       ];
     case "windsurf":
       return [
-        path18.join(currentDir, ".codeium", "mcp_config.json"),
+        path22.join(currentDir, ".codeium", "mcp_config.json"),
         // local first
-        path18.join(home, ".codeium", "windsurf", "mcp_config.json")
+        path22.join(home, ".codeium", "windsurf", "mcp_config.json")
       ];
     case "webstorm":
       return [];
     case "visualstudiocode":
     case "vscode":
       return [
-        path18.join(currentDir, ".vscode", "mcp.json"),
+        path22.join(currentDir, ".vscode", "mcp.json"),
         // local first
-        process.platform === "win32" ? path18.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path18.join(
+        process.platform === "win32" ? path22.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path22.join(
           home,
           "Library",
           "Application Support",
@@ -19380,13 +20835,13 @@ var getMCPConfigPaths = (hostName) => {
       ];
     case "claude": {
       const claudePaths = [
-        path18.join(currentDir, ".claude.json"),
+        path22.join(currentDir, ".claude.json"),
         // local first
-        path18.join(home, ".claude.json")
+        path22.join(home, ".claude.json")
       ];
       const workspacePaths = getClaudeWorkspacePaths();
       for (const workspacePath of workspacePaths) {
-        claudePaths.push(path18.join(workspacePath, ".mcp.json"));
+        claudePaths.push(path22.join(workspacePath, ".mcp.json"));
       }
       return claudePaths;
     }
@@ -19547,10 +21002,10 @@ var getHostInfo = (additionalMcpList) => {
   const ideConfigPaths = /* @__PURE__ */ new Set();
   for (const ide of IDEs) {
     const configPaths = getMCPConfigPaths(ide);
-    configPaths.forEach((path30) => ideConfigPaths.add(path30));
+    configPaths.forEach((path34) => ideConfigPaths.add(path34));
   }
   const uniqueAdditionalPaths = additionalMcpList.filter(
-    (path30) => !ideConfigPaths.has(path30)
+    (path34) => !ideConfigPaths.has(path34)
   );
   for (const ide of IDEs) {
     const cfg = readMCPConfig(ide);
@@ -19672,7 +21127,7 @@ init_configs();
 init_configs();
 import fs16 from "fs";
 import os9 from "os";
-import path19 from "path";
+import path23 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
 var isFileMatch = (fileName) => {
@@ -19692,7 +21147,7 @@ var searchDir = async (dir, depth = 0) => {
   if (depth > MAX_DEPTH) return results;
   const entries = await fs16.promises.readdir(dir, { withFileTypes: true }).catch(() => []);
   for (const entry of entries) {
-    const fullPath = path19.join(dir, entry.name);
+    const fullPath = path23.join(dir, entry.name);
     if (entry.isFile() && isFileMatch(entry.name)) {
       results.push(fullPath);
     } else if (entry.isDirectory()) {
@@ -19709,14 +21164,14 @@ var findSystemMCPConfigs = async () => {
     const home = os9.homedir();
     const platform2 = os9.platform();
     const knownDirs = platform2 === "win32" ? [
-      path19.join(home, ".cursor"),
-      path19.join(home, "Documents"),
-      path19.join(home, "Downloads")
+      path23.join(home, ".cursor"),
+      path23.join(home, "Documents"),
+      path23.join(home, "Downloads")
     ] : [
-      path19.join(home, ".cursor"),
-      process.env["XDG_CONFIG_HOME"] || path19.join(home, ".config"),
-      path19.join(home, "Documents"),
-      path19.join(home, "Downloads")
+      path23.join(home, ".cursor"),
+      process.env["XDG_CONFIG_HOME"] || path23.join(home, ".config"),
+      path23.join(home, "Documents"),
+      path23.join(home, "Downloads")
     ];
     const timeoutPromise = new Promise(
       (resolve) => setTimeout(() => {
@@ -22132,13 +23587,13 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
 import * as os12 from "os";
-import * as path21 from "path";
+import * as path25 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
 init_configs();
 import * as fs18 from "fs";
 import fetch7 from "node-fetch";
-import * as path20 from "path";
+import * as path24 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
@@ -22147,14 +23602,14 @@ import * as os11 from "os";
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
 import * as os13 from "os";
-import * as path22 from "path";
+import * as path26 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
 import { z as z42 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs21 from "fs";
-import path23 from "path";
+import path27 from "path";
 async function validatePath(inputPath) {
   logDebug("Validating MCP path", { inputPath });
   if (/^\/[a-zA-Z]:\//.test(inputPath)) {
@@ -22186,7 +23641,7 @@ async function validatePath(inputPath) {
     logError(error);
     return { isValid: false, error, path: inputPath };
   }
-  const normalizedPath = path23.normalize(inputPath);
+  const normalizedPath = path27.normalize(inputPath);
   if (normalizedPath.includes("..")) {
     const error = `Normalized path contains path traversal patterns: ${inputPath}`;
     logError(error);
@@ -22838,7 +24293,7 @@ init_configs();
 import fs22 from "fs/promises";
 import nodePath from "path";
 var getLocalFiles = async ({
-  path: path30,
+  path: path34,
   maxFileSize = MCP_MAX_FILE_SIZE,
   maxFiles,
   isAllFilesScan,
@@ -22846,17 +24301,17 @@ var getLocalFiles = async ({
   scanRecentlyChangedFiles
 }) => {
   logDebug(`[${scanContext}] Starting getLocalFiles`, {
-    path: path30,
+    path: path34,
     maxFileSize,
     maxFiles,
     isAllFilesScan,
     scanRecentlyChangedFiles
   });
   try {
-    const resolvedRepoPath = await fs22.realpath(path30);
+    const resolvedRepoPath = await fs22.realpath(path34);
     logDebug(`[${scanContext}] Resolved repository path`, {
       resolvedRepoPath,
-      originalPath: path30
+      originalPath: path34
     });
     const gitService = new GitService(resolvedRepoPath, log);
     const gitValidation = await gitService.validateRepository();
@@ -22869,7 +24324,7 @@ var getLocalFiles = async ({
     if (!gitValidation.isValid || isAllFilesScan) {
       try {
         files = await FileUtils.getLastChangedFiles({
-          dir: path30,
+          dir: path34,
           maxFileSize,
           maxFiles,
           isAllFilesScan
@@ -22961,7 +24416,7 @@ var getLocalFiles = async ({
     logError(`${scanContext}Unexpected error in getLocalFiles`, {
       error: error instanceof Error ? error.message : String(error),
       stack: error instanceof Error ? error.stack : void 0,
-      path: path30
+      path: path34
     });
     throw error;
   }
@@ -22971,7 +24426,7 @@ var getLocalFiles = async ({
 init_client_generates();
 init_GitService();
 import fs23 from "fs";
-import path24 from "path";
+import path28 from "path";
 import { z as z41 } from "zod";
 function extractPathFromPatch(patch) {
   const match = patch?.match(/diff --git a\/([^\s]+) b\//);
@@ -23057,7 +24512,7 @@ var LocalMobbFolderService = class {
           "[LocalMobbFolderService] Non-git repository detected, skipping .gitignore operations"
         );
       }
-      const mobbFolderPath = path24.join(
+      const mobbFolderPath = path28.join(
         this.repoPath,
         this.defaultMobbFolderName
       );
@@ -23229,7 +24684,7 @@ var LocalMobbFolderService = class {
         mobbFolderPath,
         baseFileName
       );
-      const filePath = path24.join(mobbFolderPath, uniqueFileName);
+      const filePath = path28.join(mobbFolderPath, uniqueFileName);
       await fs23.promises.writeFile(filePath, patch, "utf8");
       logInfo("[LocalMobbFolderService] Patch saved successfully", {
         filePath,
@@ -23287,11 +24742,11 @@ var LocalMobbFolderService = class {
    * @returns Unique filename that doesn't conflict with existing files
    */
   getUniqueFileName(folderPath, baseFileName) {
-    const baseName = path24.parse(baseFileName).name;
-    const extension = path24.parse(baseFileName).ext;
+    const baseName = path28.parse(baseFileName).name;
+    const extension = path28.parse(baseFileName).ext;
     let uniqueFileName = baseFileName;
     let index = 1;
-    while (fs23.existsSync(path24.join(folderPath, uniqueFileName))) {
+    while (fs23.existsSync(path28.join(folderPath, uniqueFileName))) {
       uniqueFileName = `${baseName}-${index}${extension}`;
       index++;
       if (index > 1e3) {
@@ -23322,7 +24777,7 @@ var LocalMobbFolderService = class {
     logDebug("[LocalMobbFolderService] Logging patch info", { fixId: fix.id });
     try {
       const mobbFolderPath = await this.getFolder();
-      const patchInfoPath = path24.join(mobbFolderPath, "patchInfo.md");
+      const patchInfoPath = path28.join(mobbFolderPath, "patchInfo.md");
       const markdownContent = this.generateFixMarkdown(fix, savedPatchFileName);
       let existingContent = "";
       if (fs23.existsSync(patchInfoPath)) {
@@ -23364,7 +24819,7 @@ var LocalMobbFolderService = class {
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     const patch = this.extractPatchFromFix(fix);
     const relativePatchedFilePath = patch ? extractPathFromPatch(patch) : null;
-    const patchedFilePath = relativePatchedFilePath ? path24.resolve(this.repoPath, relativePatchedFilePath) : null;
+    const patchedFilePath = relativePatchedFilePath ? path28.resolve(this.repoPath, relativePatchedFilePath) : null;
     const fixIdentifier = savedPatchFileName ? savedPatchFileName.replace(".patch", "") : fix.id;
     let markdown = `# Fix ${fixIdentifier}
 
@@ -23700,22 +25155,22 @@ var LocalMobbFolderService = class {
 // src/mcp/services/PatchApplicationService.ts
 init_configs();
 import {
-  existsSync as existsSync6,
+  existsSync as existsSync7,
   mkdirSync,
-  readFileSync as readFileSync3,
+  readFileSync as readFileSync4,
   unlinkSync,
-  writeFileSync as writeFileSync2
+  writeFileSync as writeFileSync3
 } from "fs";
 import fs24 from "fs/promises";
 import parseDiff2 from "parse-diff";
-import path25 from "path";
+import path29 from "path";
 var PatchApplicationService = class {
   /**
    * Gets the appropriate comment syntax for a file based on its extension
    */
   static getCommentSyntax(filePath) {
-    const ext = path25.extname(filePath).toLowerCase();
-    const basename2 = path25.basename(filePath);
+    const ext = path29.extname(filePath).toLowerCase();
+    const basename2 = path29.basename(filePath);
     const commentMap = {
       // C-style languages (single line comments)
       ".js": "//",
@@ -23923,18 +25378,18 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path25.dirname(normalizedFilePath);
+    const dirPath = path29.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
-    writeFileSync2(normalizedFilePath, finalContent, "utf8");
+    writeFileSync3(normalizedFilePath, finalContent, "utf8");
     return normalizedFilePath;
   }
   static resolvePathWithinRepo({
     repositoryPath,
     targetPath
   }) {
-    const repoRoot = path25.resolve(repositoryPath);
-    const normalizedPath = path25.resolve(repoRoot, targetPath);
-    const repoRootWithSep = repoRoot.endsWith(path25.sep) ? repoRoot : `${repoRoot}${path25.sep}`;
+    const repoRoot = path29.resolve(repositoryPath);
+    const normalizedPath = path29.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path29.sep) ? repoRoot : `${repoRoot}${path29.sep}`;
     if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
       throw new Error(
         `Security violation: target path ${targetPath} resolves outside repository`
@@ -23943,7 +25398,7 @@ var PatchApplicationService = class {
     return {
       repoRoot,
       normalizedPath,
-      relativePath: path25.relative(repoRoot, normalizedPath)
+      relativePath: path29.relative(repoRoot, normalizedPath)
     };
   }
   /**
@@ -24225,8 +25680,8 @@ var PatchApplicationService = class {
         continue;
       }
       try {
-        const absolutePath = path25.resolve(repositoryPath, targetFile);
-        if (existsSync6(absolutePath)) {
+        const absolutePath = path29.resolve(repositoryPath, targetFile);
+        if (existsSync7(absolutePath)) {
           const stats = await fs24.stat(absolutePath);
           const fileModTime = stats.mtime.getTime();
           if (fileModTime > scanStartTime) {
@@ -24427,7 +25882,7 @@ var PatchApplicationService = class {
       targetFile,
       absoluteFilePath,
       relativePath,
-      exists: existsSync6(absoluteFilePath)
+      exists: existsSync7(absoluteFilePath)
     });
     return { absoluteFilePath, relativePath };
   }
@@ -24451,7 +25906,7 @@ var PatchApplicationService = class {
       fix,
       scanContext
     });
-    appliedFiles.push(path25.relative(repositoryPath, actualPath));
+    appliedFiles.push(path29.relative(repositoryPath, actualPath));
     logDebug(`[${scanContext}] Created new file: ${relativePath}`);
   }
   /**
@@ -24463,7 +25918,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (existsSync6(absoluteFilePath)) {
+    if (existsSync7(absoluteFilePath)) {
       unlinkSync(absoluteFilePath);
       appliedFiles.push(relativePath);
       logDebug(`[${scanContext}] Deleted file: ${relativePath}`);
@@ -24482,12 +25937,12 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (!existsSync6(absoluteFilePath)) {
+    if (!existsSync7(absoluteFilePath)) {
       throw new Error(
         `Target file does not exist: ${targetFile} (resolved to: ${absoluteFilePath})`
       );
     }
-    const originalContent = readFileSync3(absoluteFilePath, "utf8");
+    const originalContent = readFileSync4(absoluteFilePath, "utf8");
     const modifiedContent = this.applyHunksToFile(
       originalContent,
       fileDiff.chunks
@@ -24500,7 +25955,7 @@ var PatchApplicationService = class {
         fix,
         scanContext
       });
-      appliedFiles.push(path25.relative(repositoryPath, actualPath));
+      appliedFiles.push(path29.relative(repositoryPath, actualPath));
       logDebug(`[${scanContext}] Modified file: ${relativePath}`);
     }
   }
@@ -24697,8 +26152,8 @@ init_configs();
 // src/mcp/services/FileOperations.ts
 init_FileUtils();
 import fs25 from "fs";
-import path26 from "path";
-import AdmZip3 from "adm-zip";
+import path30 from "path";
+import AdmZip4 from "adm-zip";
 var FileOperations = class {
   /**
    * Creates a ZIP archive containing the specified source files
@@ -24713,14 +26168,14 @@ var FileOperations = class {
     maxFileSize
   }) {
     logDebug("[FileOperations] Packing files");
-    const zip = new AdmZip3();
+    const zip = new AdmZip4();
     let packedFilesCount = 0;
     const packedFiles = [];
     const excludedFiles = [];
-    const resolvedRepoPath = path26.resolve(repositoryPath);
+    const resolvedRepoPath = path30.resolve(repositoryPath);
     for (const filepath of fileList) {
-      const absoluteFilepath = path26.join(repositoryPath, filepath);
-      const resolvedFilePath = path26.resolve(absoluteFilepath);
+      const absoluteFilepath = path30.join(repositoryPath, filepath);
+      const resolvedFilePath = path30.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         const reason = "potential path traversal security risk";
         logDebug(`[FileOperations] Skipping ${filepath} due to ${reason}`);
@@ -24767,11 +26222,11 @@ var FileOperations = class {
     fileList,
     repositoryPath
   }) {
-    const resolvedRepoPath = path26.resolve(repositoryPath);
+    const resolvedRepoPath = path30.resolve(repositoryPath);
     const validatedPaths = [];
     for (const filepath of fileList) {
-      const absoluteFilepath = path26.join(repositoryPath, filepath);
-      const resolvedFilePath = path26.resolve(absoluteFilepath);
+      const absoluteFilepath = path30.join(repositoryPath, filepath);
+      const resolvedFilePath = path30.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         logDebug(
           `[FileOperations] Rejecting ${filepath} - path traversal attempt detected`
@@ -24799,7 +26254,7 @@ var FileOperations = class {
     for (const absolutePath of filePaths) {
       try {
         const content = await fs25.promises.readFile(absolutePath);
-        const relativePath = path26.basename(absolutePath);
+        const relativePath = path30.basename(absolutePath);
         fileDataArray.push({
           relativePath,
           absolutePath,
@@ -25111,14 +26566,14 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
    * since the last scan.
    */
   async scanForSecurityVulnerabilities({
-    path: path30,
+    path: path34,
     isAllDetectionRulesScan,
     isAllFilesScan,
     scanContext
   }) {
     this.hasAuthenticationFailed = false;
     logDebug(`[${scanContext}] Scanning for new security vulnerabilities`, {
-      path: path30
+      path: path34
     });
     if (!this.gqlClient) {
       logInfo(`[${scanContext}] No GQL client found, skipping scan`);
@@ -25134,11 +26589,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       logDebug(
         `[${scanContext}] Connected to the API, assembling list of files to scan`,
-        { path: path30 }
+        { path: path34 }
       );
       const isBackgroundScan = scanContext === ScanContext.BACKGROUND_INITIAL || scanContext === ScanContext.BACKGROUND_PERIODIC;
       const files = await getLocalFiles({
-        path: path30,
+        path: path34,
         isAllFilesScan,
         scanContext,
         scanRecentlyChangedFiles: !isBackgroundScan
@@ -25164,13 +26619,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
       const { fixReportId, projectId } = await scanFiles({
         fileList: filesToScan.map((file) => file.relativePath),
-        repositoryPath: path30,
+        repositoryPath: path34,
         gqlClient: this.gqlClient,
         isAllDetectionRulesScan,
         scanContext
       });
       logInfo(
-        `[${scanContext}] Security scan completed for ${path30} reportId: ${fixReportId} projectId: ${projectId}`
+        `[${scanContext}] Security scan completed for ${path34} reportId: ${fixReportId} projectId: ${projectId}`
       );
       if (isAllFilesScan) {
         return;
@@ -25464,13 +26919,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
     return scannedFiles.some((file) => file.relativePath === fixFile);
   }
-  async getFreshFixes({ path: path30 }) {
+  async getFreshFixes({ path: path34 }) {
     const scanContext = ScanContext.USER_REQUEST;
-    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path30 });
-    if (this.path !== path30) {
-      this.path = path30;
+    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path34 });
+    if (this.path !== path34) {
+      this.path = path34;
       this.reset();
-      logInfo(`[${scanContext}] Reset service state for new path`, { path: path30 });
+      logInfo(`[${scanContext}] Reset service state for new path`, { path: path34 });
     }
     try {
       const loginContext = createMcpLoginContext("check_new_fixes");
@@ -25489,7 +26944,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       throw error;
     }
-    this.triggerScan({ path: path30, gqlClient: this.gqlClient });
+    this.triggerScan({ path: path34, gqlClient: this.gqlClient });
     let isMvsAutoFixEnabled = null;
     try {
       isMvsAutoFixEnabled = await this.gqlClient.getMvsAutoFixSettings();
@@ -25523,33 +26978,33 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     return noFreshFixesPrompt;
   }
   triggerScan({
-    path: path30,
+    path: path34,
     gqlClient
   }) {
-    if (this.path !== path30) {
-      this.path = path30;
+    if (this.path !== path34) {
+      this.path = path34;
       this.reset();
-      logInfo(`Reset service state for new path in triggerScan`, { path: path30 });
+      logInfo(`Reset service state for new path in triggerScan`, { path: path34 });
     }
     this.gqlClient = gqlClient;
     if (!this.intervalId) {
-      this.startPeriodicScanning(path30);
-      this.executeInitialScan(path30);
-      void this.executeInitialFullScan(path30);
+      this.startPeriodicScanning(path34);
+      this.executeInitialScan(path34);
+      void this.executeInitialFullScan(path34);
     }
   }
-  startPeriodicScanning(path30) {
+  startPeriodicScanning(path34) {
     const scanContext = ScanContext.BACKGROUND_PERIODIC;
     logDebug(
       `[${scanContext}] Starting periodic scan for new security vulnerabilities`,
       {
-        path: path30
+        path: path34
       }
     );
     this.intervalId = setInterval(() => {
-      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path30 });
+      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path34 });
       this.scanForSecurityVulnerabilities({
-        path: path30,
+        path: path34,
         scanContext
       }).catch((error) => {
         logError(`[${scanContext}] Error during periodic security scan`, {
@@ -25558,45 +27013,45 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
     }, MCP_PERIODIC_CHECK_INTERVAL);
   }
-  async executeInitialFullScan(path30) {
+  async executeInitialFullScan(path34) {
     const scanContext = ScanContext.FULL_SCAN;
-    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path30 });
+    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path34 });
     logDebug(`[${scanContext}] Full scan paths scanned`, {
       fullScanPathsScanned: this.fullScanPathsScanned
     });
-    if (this.fullScanPathsScanned.includes(path30)) {
+    if (this.fullScanPathsScanned.includes(path34)) {
       logDebug(`[${scanContext}] Full scan already executed for this path`, {
-        path: path30
+        path: path34
       });
       return;
     }
     configStore.set("fullScanPathsScanned", [
       ...this.fullScanPathsScanned,
-      path30
+      path34
     ]);
     try {
       await this.scanForSecurityVulnerabilities({
-        path: path30,
+        path: path34,
         isAllFilesScan: true,
         isAllDetectionRulesScan: true,
         scanContext: ScanContext.FULL_SCAN
       });
-      if (!this.fullScanPathsScanned.includes(path30)) {
-        this.fullScanPathsScanned.push(path30);
+      if (!this.fullScanPathsScanned.includes(path34)) {
+        this.fullScanPathsScanned.push(path34);
         configStore.set("fullScanPathsScanned", this.fullScanPathsScanned);
       }
-      logInfo(`[${scanContext}] Full scan completed`, { path: path30 });
+      logInfo(`[${scanContext}] Full scan completed`, { path: path34 });
     } catch (error) {
       logError(`[${scanContext}] Error during initial full security scan`, {
         error
       });
     }
   }
-  executeInitialScan(path30) {
+  executeInitialScan(path34) {
     const scanContext = ScanContext.BACKGROUND_INITIAL;
-    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path30 });
+    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path34 });
     this.scanForSecurityVulnerabilities({
-      path: path30,
+      path: path34,
       scanContext: ScanContext.BACKGROUND_INITIAL
     }).catch((error) => {
       logError(`[${scanContext}] Error during initial security scan`, { error });
@@ -25693,9 +27148,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path30 = pathValidationResult.path;
+    const path34 = pathValidationResult.path;
     const resultText = await this.newFixesService.getFreshFixes({
-      path: path30
+      path: path34
     });
     logInfo("CheckForNewAvailableFixesTool execution completed", {
       resultText
@@ -25873,8 +27328,8 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path30 = pathValidationResult.path;
-    const gitService = new GitService(path30, log);
+    const path34 = pathValidationResult.path;
+    const gitService = new GitService(path34, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -26259,9 +27714,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path30 = pathValidationResult.path;
+    const path34 = pathValidationResult.path;
     const files = await getLocalFiles({
-      path: path30,
+      path: path34,
       maxFileSize: MCP_MAX_FILE_SIZE,
       maxFiles: args.maxFiles,
       scanContext: ScanContext.USER_REQUEST,
@@ -26281,7 +27736,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: path30,
+        repositoryPath: path34,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles
@@ -26582,10 +28037,10 @@ init_client_generates();
 init_urlParser2();
 
 // src/features/codeium_intellij/codeium_language_server_grpc_client.ts
-import path27 from "path";
+import path31 from "path";
 import * as grpc from "@grpc/grpc-js";
 import * as protoLoader from "@grpc/proto-loader";
-var PROTO_PATH = path27.join(
+var PROTO_PATH = path31.join(
   getModuleRootDir(),
   "src/features/codeium_intellij/proto/exa/language_server_pb/language_server.proto"
 );
@@ -26597,7 +28052,7 @@ function loadProto() {
     defaults: true,
     oneofs: true,
     includeDirs: [
-      path27.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
+      path31.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
     ]
   });
   return grpc.loadPackageDefinition(
@@ -26653,28 +28108,28 @@ async function getGrpcClient(port, csrf3) {
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
 import os14 from "os";
-import path28 from "path";
+import path32 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path28.join(os14.homedir(), "Library/Logs/JetBrains");
+    return path32.join(os14.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
-    return path28.join(
-      process.env["LOCALAPPDATA"] || path28.join(os14.homedir(), "AppData/Local"),
+    return path32.join(
+      process.env["LOCALAPPDATA"] || path32.join(os14.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path28.join(os14.homedir(), ".cache/JetBrains");
+    return path32.join(os14.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
   const logFiles = fs27.readdirSync(ideLogDir).filter((f) => /^idea(\.\d+)?\.log$/.test(f)).map((f) => ({
     name: f,
-    mtime: fs27.statSync(path28.join(ideLogDir, f)).mtimeMs
+    mtime: fs27.statSync(path32.join(ideLogDir, f)).mtimeMs
   })).sort((a, b) => a.mtime - b.mtime).map((f) => f.name);
   let latestCsrf = null;
   let latestPort = null;
   for (const logFile of logFiles) {
-    const lines = fs27.readFileSync(path28.join(ideLogDir, logFile), "utf-8").split("\n");
+    const lines = fs27.readFileSync(path32.join(ideLogDir, logFile), "utf-8").split("\n");
     for (const line of lines) {
       if (!line.includes(
         "com.codeium.intellij.language_server.LanguageServerProcessHandler"
@@ -26702,9 +28157,9 @@ function findRunningCodeiumLanguageServers() {
   const logsDir = getLogsDir();
   if (!fs27.existsSync(logsDir)) return results;
   for (const ide of fs27.readdirSync(logsDir)) {
-    let ideLogDir = path28.join(logsDir, ide);
+    let ideLogDir = path32.join(logsDir, ide);
     if (process.platform !== "darwin") {
-      ideLogDir = path28.join(ideLogDir, "log");
+      ideLogDir = path32.join(ideLogDir, "log");
     }
     if (!fs27.existsSync(ideLogDir) || !fs27.statSync(ideLogDir).isDirectory()) {
       continue;
@@ -26887,10 +28342,10 @@ function processChatStepCodeAction(step) {
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
 import os15 from "os";
-import path29 from "path";
+import path33 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path29.join(os15.homedir(), ".codeium", "hooks.json");
+  return path33.join(os15.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();
@@ -26903,7 +28358,7 @@ async function readCodeiumHooks() {
 }
 async function writeCodeiumHooks(config2) {
   const hooksPath = getCodeiumHooksPath();
-  const dir = path29.dirname(hooksPath);
+  const dir = path33.dirname(hooksPath);
   await fsPromises5.mkdir(dir, { recursive: true });
   await fsPromises5.writeFile(
     hooksPath,