mobbdev 1.3.7 → 1.4.0

package/dist/index.mjs

@@ -129,10 +129,13 @@ function getSdk(client, withWrapper = defaultWrapper) {
     },
     ScanSkill(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: ScanSkillDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "ScanSkill", "mutation", variables);
+    },
+    SkillVerdictsByMd5(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SkillVerdictsByMd5Document, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SkillVerdictsByMd5", "query", variables);
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -1265,6 +1268,18 @@ var init_client_generates = __esm({
     cached
     summary
   }
+}
+    `;
+    SkillVerdictsByMd5Document = `
+    query SkillVerdictsByMd5($md5s: [String!]!) {
+  skillVerdictsByMd5(md5s: $md5s) {
+    md5
+    verdict
+    summary
+    scannerName
+    scannerVersion
+    scannedAt
+  }
 }
     `;
     defaultWrapper = (action, _operationName, _operationType, _variables) => action();
@@ -3579,8 +3594,8 @@ var init_FileUtils = __esm({
           const fullPath = path.join(dir, item);
           try {
             await fsPromises.access(fullPath, fs.constants.R_OK);
-            const stat3 = await fsPromises.stat(fullPath);
-            if (stat3.isDirectory()) {
+            const stat4 = await fsPromises.stat(fullPath);
+            if (stat4.isDirectory()) {
               if (isRootLevel && excludedRootDirectories.includes(item)) {
                 continue;
               }
@@ -3592,7 +3607,7 @@ var init_FileUtils = __esm({
                 name: item,
                 fullPath,
                 relativePath: path.relative(rootDir, fullPath),
-                time: stat3.mtime.getTime(),
+                time: stat4.mtime.getTime(),
                 isFile: true
               });
             }
@@ -7132,7 +7147,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path32 = [
+      const path34 = [
         prefixPath,
         owner,
         projectName,
@@ -7143,7 +7158,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path32}?${params2}`, origin).toString();
+      return new URL(`${path34}?${params2}`, origin).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -7232,8 +7247,8 @@ async function getAdoSdk(params) {
         const changeType = entry.changeType;
         return changeType !== 16 && entry.item?.path;
       }).map((entry) => {
-        const path32 = entry.item.path;
-        return path32.startsWith("/") ? path32.slice(1) : path32;
+        const path34 = entry.item.path;
+        return path34.startsWith("/") ? path34.slice(1) : path34;
       });
     },
     async searchAdoPullRequests({
@@ -13539,6 +13554,10 @@ var GQLClient = class {
   async scanSkill(variables) {
     return await this._clientSdk.ScanSkill(variables);
   }
+  // T-467 — batched verdict lookup for the client-side quarantine check.
+  async skillVerdictsByMd5(md5s) {
+    return await this._clientSdk.SkillVerdictsByMd5({ md5s });
+  }
 };
 
 // src/features/analysis/graphql/tracy-batch-upload.ts
@@ -15061,7 +15080,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path32,
+    path: path34,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -15076,7 +15095,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path32,
+    path: path34,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15110,7 +15129,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path32,
+    path: path34,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -15128,7 +15147,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path32,
+    path: path34,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -16650,8 +16669,8 @@ async function resolveSkillScanInput(skillInput) {
   if (!fs11.existsSync(resolvedPath)) {
     return skillInput;
   }
-  const stat3 = fs11.statSync(resolvedPath);
-  if (!stat3.isDirectory()) {
+  const stat4 = fs11.statSync(resolvedPath);
+  if (!stat4.isDirectory()) {
     throw new CliError(
       "Local skill input must be a directory containing SKILL.md"
     );
@@ -17050,108 +17069,23 @@ import { spawn } from "child_process";
 
 // src/features/claude_code/daemon.ts
 import { readFileSync, writeFileSync as writeFileSync2 } from "fs";
-import path19 from "path";
+import path21 from "path";
 import { setTimeout as sleep2 } from "timers/promises";
 import Configstore3 from "configstore";
 
-// src/features/claude_code/daemon_pid_file.ts
-import fs13 from "fs";
-import os4 from "os";
-import path13 from "path";
-
-// src/features/claude_code/data_collector_constants.ts
-var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
-var CC_VERSION_CLI_KEY = "claudeCode.detectedCCVersionCli";
-var GQL_AUTH_TIMEOUT_MS = 15e3;
-var STALE_KEY_MAX_AGE_MS = 14 * 24 * 60 * 60 * 1e3;
-var CLEANUP_INTERVAL_MS = 24 * 60 * 60 * 1e3;
-var DAEMON_TTL_MS = 30 * 60 * 1e3;
-var DAEMON_POLL_INTERVAL_MS = 1e4;
-var HEARTBEAT_STALE_MS = 3e4;
-var TRANSCRIPT_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
-var DAEMON_CHUNK_SIZE = 50;
-
-// src/features/claude_code/daemon_pid_file.ts
-function getMobbdevDir() {
-  return path13.join(os4.homedir(), ".mobbdev");
-}
-function getDaemonCheckScriptPath() {
-  return path13.join(getMobbdevDir(), "daemon-check.js");
-}
-var DaemonPidFile = class {
-  constructor() {
-    __publicField(this, "data", null);
-  }
-  get filePath() {
-    return path13.join(getMobbdevDir(), "daemon.pid");
-  }
-  /** Ensure ~/.mobbdev/ directory exists. */
-  ensureDir() {
-    fs13.mkdirSync(getMobbdevDir(), { recursive: true });
-  }
-  /** Read the PID file from disk. Returns the parsed data or null. */
-  read() {
-    try {
-      const raw = fs13.readFileSync(this.filePath, "utf8");
-      const parsed = JSON.parse(raw);
-      if (typeof parsed.pid !== "number" || typeof parsed.startedAt !== "number" || typeof parsed.heartbeat !== "number") {
-        this.data = null;
-      } else {
-        this.data = parsed;
-      }
-    } catch {
-      this.data = null;
-    }
-    return this.data;
-  }
-  /** Write a new PID file for the given process id. */
-  write(pid, version) {
-    this.data = {
-      pid,
-      startedAt: Date.now(),
-      heartbeat: Date.now(),
-      version
-    };
-    fs13.writeFileSync(this.filePath, JSON.stringify(this.data), "utf8");
-  }
-  /** Update the heartbeat timestamp of the current PID file. */
-  updateHeartbeat() {
-    if (!this.data) this.read();
-    if (!this.data) return;
-    this.data.heartbeat = Date.now();
-    fs13.writeFileSync(this.filePath, JSON.stringify(this.data), "utf8");
-  }
-  /** Check whether the previously read PID data represents a live daemon. */
-  isAlive() {
-    if (!this.data) return false;
-    if (Date.now() - this.data.heartbeat > HEARTBEAT_STALE_MS) return false;
-    try {
-      process.kill(this.data.pid, 0);
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  /** Remove the PID file from disk (best-effort). */
-  remove() {
-    this.data = null;
-    try {
-      fs13.unlinkSync(this.filePath);
-    } catch {
-    }
-  }
-};
-
-// src/features/claude_code/data_collector.ts
-import { execFile } from "child_process";
-import { createHash as createHash3 } from "crypto";
-import { access, open as open4, readdir, readFile as readFile2, unlink } from "fs/promises";
-import path16 from "path";
-import { promisify } from "util";
+// src/features/analysis/skill_quarantine/constants.ts
+var HEARTBEAT_DEBOUNCE_MS = (() => {
+  const raw = Number(process.env["MOBB_TRACY_SKILL_QUARANTINE_DEBOUNCE_MS"]);
+  if (!Number.isFinite(raw) || raw < 0) return 3e4;
+  return Math.min(raw, 3e5);
+})();
+var KILL_SWITCH_ENV = "MOBB_TRACY_SKILL_QUARANTINE_DISABLE";
+var MALICIOUS_VERDICT = "MALICIOUS";
+var ORPHAN_SWEEP_GRACE_MS = 10 * 60 * 1e3;
 
 // src/features/analysis/context_file_processor.ts
 import { createHash } from "crypto";
-import path14 from "path";
+import path13 from "path";
 import AdmZip3 from "adm-zip";
 import pLimit6 from "p-limit";
 var SANITIZE_CONCURRENCY = 5;
@@ -17185,8 +17119,12 @@ async function processContextFiles(regularFiles, skillGroups) {
         );
         for (const file of sortedFiles) {
           const sanitizedContent = await sanitizeFileContent(file.content);
-          const zipEntryName = group.isFolder ? path14.relative(group.skillPath, file.path).replace(/\\/g, "/") : path14.basename(file.path);
+          const zipEntryName = group.isFolder ? path13.relative(group.skillPath, file.path).replace(/\\/g, "/") : path13.basename(file.path);
           zip.addFile(zipEntryName, Buffer.from(sanitizedContent, "utf-8"));
+          const entry = zip.getEntry(zipEntryName);
+          if (entry) {
+            entry.header.time = /* @__PURE__ */ new Date(0);
+          }
         }
         const zipBuffer = zip.toBuffer();
         const md5 = md5Hex(zipBuffer);
@@ -17198,30 +17136,14 @@ async function processContextFiles(regularFiles, skillGroups) {
 }
 
 // src/features/analysis/context_file_scanner.ts
-import { readFile, stat } from "fs/promises";
+import { lstat, readFile, stat } from "fs/promises";
 import { homedir } from "os";
-import path15 from "path";
+import path14 from "path";
 import { globby as globby2 } from "globby";
-var MAX_CONTEXT_FILE_SIZE = 20 * 1024 * 1024;
+import { parse as parseJsoncLib } from "jsonc-parser";
+
+// src/features/analysis/context_file_scan_paths.ts
 var SKILL_CATEGORY = "skill";
-var SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
-var sessionMtimes = /* @__PURE__ */ new Map();
-function markContextFilesUploaded(sessionId, files, skills) {
-  let entry = sessionMtimes.get(sessionId);
-  if (!entry) {
-    entry = { files: /* @__PURE__ */ new Map(), skills: /* @__PURE__ */ new Map(), lastUpdatedAt: Date.now() };
-    sessionMtimes.set(sessionId, entry);
-  }
-  for (const f of files) {
-    entry.files.set(f.path, f.mtimeMs);
-  }
-  if (skills) {
-    for (const sg of skills) {
-      entry.skills.set(sg.sessionKey, sg.maxMtimeMs);
-    }
-  }
-  entry.lastUpdatedAt = Date.now();
-}
 var SCAN_PATHS = {
   "claude-code": [
     { glob: "CLAUDE.md", category: "rule", root: "workspace" },
@@ -17237,18 +17159,14 @@ var SCAN_PATHS = {
       category: "memory",
       root: "home"
     },
-    {
-      glob: ".claude/skills/**/*",
-      category: SKILL_CATEGORY,
-      root: "workspace"
-    },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
     { glob: ".claude/commands/*.md", category: "command", root: "workspace" },
     {
       glob: ".claude/agents/*.md",
       category: "agent-config",
       root: "workspace"
     },
-    { glob: ".claude/skills/**/*", category: SKILL_CATEGORY, root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { glob: ".claude/commands/*.md", category: "command", root: "home" },
     { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
     { glob: ".claude/settings.json", category: "config", root: "workspace" },
@@ -17263,126 +17181,452 @@ var SCAN_PATHS = {
     { glob: ".claudeignore", category: "ignore", root: "workspace" }
   ],
   cursor: [
+    // Legacy single-file rules
     { glob: ".cursorrules", category: "rule", root: "workspace" },
+    // Project Rules — docs support both `.mdc` and `.md` inside .cursor/rules/
     { glob: ".cursor/rules/**/*.mdc", category: "rule", root: "workspace" },
+    { glob: ".cursor/rules/**/*.md", category: "rule", root: "workspace" },
+    // AGENTS.md — Cursor's documented alternative to .cursor/rules/
+    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    // Agent skills — Cursor auto-loads from these dirs plus compat with
+    // Claude / Codex / generic .agents/ per Cursor docs.
+    { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "workspace" },
+    // MCP — project + global
     { glob: ".cursor/mcp.json", category: "mcp-config", root: "workspace" },
     { glob: ".cursor/mcp.json", category: "mcp-config", root: "home" },
+    // Home skills (user-level cross-project skills)
+    { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "home" },
+    // Exclusion
     { glob: ".cursorignore", category: "ignore", root: "workspace" }
+    // Note: Cursor's global "Rules for AI" from Settings UI is stored in
+    // Cursor's internal settings DB. The tracer_ext reads it via VS Code API
+    // (vscode.workspace.getConfiguration) and includes it as a synthetic entry.
   ],
   copilot: [
+    // Instructions — workspace
     {
       glob: ".github/copilot-instructions.md",
       category: "rule",
       root: "workspace"
     },
     {
-      glob: ".github/instructions/*.instructions.md",
+      glob: ".github/instructions/**/*.instructions.md",
       category: "rule",
       root: "workspace"
     },
+    // AGENTS.md / CLAUDE.md family (Copilot reads these via chat.useAgentsMdFile,
+    // chat.useClaudeMdFile for cross-compat with Claude Code / other agents).
+    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
+    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
+    { glob: ".claude/CLAUDE.md", category: "rule", root: "workspace" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
+    // Prompts — workspace
     {
       glob: ".github/prompts/*.prompt.md",
       category: SKILL_CATEGORY,
       root: "workspace"
     },
+    // Custom agents — `.agent.md` is the current format; `.chatmode.md` is the
+    // legacy naming docs recommend renaming. We scan both for transition.
+    {
+      glob: ".github/agents/*.agent.md",
+      category: "agent-config",
+      root: "workspace"
+    },
     {
       glob: ".github/chatmodes/*.chatmode.md",
-      category: SKILL_CATEGORY,
+      category: "agent-config",
+      root: "workspace"
+    },
+    {
+      glob: ".claude/agents/*.md",
+      category: "agent-config",
       root: "workspace"
     },
+    // Agent skills — Copilot discovers skills in all three roots (VS Code docs:
+    // Agent Skills). Each skill is a directory with SKILL.md plus sibling files.
+    { kind: "skill-bundle", skillsRoot: ".github/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
+    // MCP — VS Code Copilot reads MCP servers from .vscode/mcp.json
+    { glob: ".vscode/mcp.json", category: "mcp-config", root: "workspace" },
+    // Global — home (JetBrains stores global instructions here)
     {
       glob: ".config/github-copilot/global-copilot-instructions.md",
       category: "rule",
       root: "home"
-    }
+    },
+    // User-level Copilot customizations (~/.copilot/)
+    {
+      glob: ".copilot/instructions/**/*.instructions.md",
+      category: "rule",
+      root: "home"
+    },
+    { glob: ".copilot/prompts/*.prompt.md", category: "skill", root: "home" },
+    {
+      glob: ".copilot/agents/*.agent.md",
+      category: "agent-config",
+      root: "home"
+    },
+    { kind: "skill-bundle", skillsRoot: ".copilot/skills", root: "home" },
+    // Cross-compat home paths (Copilot reads Claude / generic agent dirs too)
+    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
+    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
+    { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
+    { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" }
   ]
 };
-function groupSkills(files, root, baseDir) {
-  const skillFiles = files.filter((f) => f.category === SKILL_CATEGORY);
-  const folderMap = /* @__PURE__ */ new Map();
-  const standalone = [];
-  for (const f of skillFiles) {
-    const rel = path15.relative(baseDir, f.path).replace(/\\/g, "/");
-    const skillsMarker = "skills/";
-    const skillsIdx = rel.indexOf(skillsMarker);
-    if (skillsIdx === -1) {
-      standalone.push(f);
-      continue;
-    }
-    const relFromSkills = rel.slice(skillsIdx + skillsMarker.length);
-    const slashIdx = relFromSkills.indexOf("/");
-    if (slashIdx === -1) {
-      standalone.push(f);
-    } else {
-      const folderName = relFromSkills.slice(0, slashIdx);
-      if (!folderMap.has(folderName)) {
-        folderMap.set(folderName, []);
-      }
-      folderMap.get(folderName).push(f);
+
+// src/features/analysis/context_file_scanner.ts
+var MAX_CONTEXT_FILE_SIZE = 20 * 1024 * 1024;
+var SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
+var sessionMtimes = /* @__PURE__ */ new Map();
+function markContextFilesUploaded(sessionId, files, skills) {
+  let entry = sessionMtimes.get(sessionId);
+  if (!entry) {
+    entry = { files: /* @__PURE__ */ new Map(), skills: /* @__PURE__ */ new Map(), lastUpdatedAt: Date.now() };
+    sessionMtimes.set(sessionId, entry);
+  }
+  for (const f of files) {
+    entry.files.set(f.path, f.mtimeMs);
+  }
+  if (skills) {
+    for (const sg of skills) {
+      entry.skills.set(sg.sessionKey, sg.maxMtimeMs);
     }
   }
-  const groups = [];
-  for (const f of standalone) {
-    const name = path15.basename(f.path, path15.extname(f.path));
-    const sessionKey = `skill:${root}:${name}`;
-    groups.push({
-      name,
-      root,
-      skillPath: f.path,
-      files: [f],
-      isFolder: false,
-      maxMtimeMs: f.mtimeMs,
-      sessionKey
-    });
+  entry.lastUpdatedAt = Date.now();
+}
+var COPILOT_CUSTOM_LOCATION_SETTINGS = [
+  {
+    key: "chat.agentSkillsLocations",
+    kind: "skill-bundle"
+  },
+  {
+    key: "chat.instructionsFilesLocations",
+    kind: "glob",
+    category: "rule",
+    glob: "**/*.instructions.md"
+  },
+  {
+    key: "chat.promptFilesLocations",
+    kind: "glob",
+    category: "skill",
+    glob: "**/*.prompt.md"
+  },
+  {
+    key: "chat.agentFilesLocations",
+    kind: "glob",
+    category: "agent-config",
+    glob: "**/*.agent.md"
   }
-  for (const [folderName, folderFiles] of folderMap) {
-    const maxMtimeMs = Math.max(...folderFiles.map((f) => f.mtimeMs));
-    const anyFile = folderFiles[0];
-    const rel = path15.relative(baseDir, anyFile.path).replace(/\\/g, "/");
-    const skillsIdx = rel.indexOf("skills/");
-    const skillRelPath = rel.slice(
-      0,
-      skillsIdx + "skills/".length + folderName.length
+];
+var CLAUDE_CODE_CUSTOM_LOCATION_SETTINGS = [
+  {
+    key: "autoMemoryDirectory",
+    category: "memory",
+    glob: "*/memory/*.md"
+  }
+];
+function parseJsonc(text) {
+  const errors = [];
+  const parsed = parseJsoncLib(text, errors, {
+    allowTrailingComma: true,
+    disallowComments: false
+  });
+  return parsed ?? null;
+}
+function extractCustomLocations(value) {
+  if (Array.isArray(value)) {
+    return value.filter(
+      (v) => typeof v === "string" && v.length > 0
     );
-    const skillPath = path15.join(baseDir, skillRelPath);
-    const sessionKey = `skill:${root}:${folderName}`;
-    groups.push({
-      name: folderName,
-      root,
-      skillPath,
-      files: folderFiles,
-      isFolder: true,
-      maxMtimeMs,
-      sessionKey
-    });
   }
-  return groups;
+  if (value && typeof value === "object") {
+    return Object.entries(value).filter(([, v]) => v === true).map(([k]) => k).filter((k) => k.length > 0);
+  }
+  return [];
 }
-async function scanContextFiles(workspaceRoot, platform2, sessionId) {
-  const entries = SCAN_PATHS[platform2];
-  if (!entries || entries.length === 0) {
-    return { regularFiles: [], skillGroups: [] };
+var SENSITIVE_HOME_SUBDIRS = [
+  ".ssh",
+  ".aws",
+  ".gnupg",
+  ".config",
+  ".kube",
+  ".docker",
+  ".gcloud",
+  ".npmrc",
+  ".netrc",
+  ".git-credentials",
+  ".m2",
+  ".pypirc",
+  ".pgpass",
+  ".boto",
+  ".password-store"
+];
+function resolveCustomLocationPath(raw, workspaceRoot, home) {
+  let s = raw.replace(/\$\{workspaceFolder\}/g, workspaceRoot);
+  if (/\$\{[^}]+\}/.test(s)) {
+    return null;
   }
-  const now = Date.now();
-  for (const [sid, entry] of sessionMtimes) {
-    if (now - entry.lastUpdatedAt > SESSION_TTL_MS) {
-      sessionMtimes.delete(sid);
-    }
+  if (/^~[^/]/.test(s)) {
+    return null;
   }
-  const home = homedir();
-  const sessionEntry = sessionId ? sessionMtimes.get(sessionId) : void 0;
-  const allFiles = [];
-  const skillFilesByRoot = /* @__PURE__ */ new Map();
-  const seenPaths = /* @__PURE__ */ new Set();
-  for (const entry of entries) {
-    const baseDir = entry.root === "home" ? home : workspaceRoot;
-    const matchedFiles = await globby2(entry.glob, {
-      cwd: baseDir,
-      absolute: true,
-      onlyFiles: true,
-      dot: true
+  if (s.startsWith("~/") || s === "~") {
+    s = path14.join(home, s.slice(1));
+  }
+  if (!path14.isAbsolute(s)) {
+    s = path14.resolve(workspaceRoot, s);
+  }
+  const resolved = path14.normalize(s);
+  if (resolved === "/" || resolved === home) {
+    return null;
+  }
+  for (const sub of SENSITIVE_HOME_SUBDIRS) {
+    const sensitive = path14.join(home, sub);
+    if (resolved === sensitive || resolved.startsWith(`${sensitive}${path14.sep}`)) {
+      return null;
+    }
+  }
+  const relWorkspace = path14.relative(workspaceRoot, resolved);
+  const relHome = path14.relative(home, resolved);
+  const escapesWorkspace = relWorkspace.startsWith("..") || path14.isAbsolute(relWorkspace);
+  const escapesHome = relHome.startsWith("..") || path14.isAbsolute(relHome);
+  if (escapesWorkspace && escapesHome) {
+    return null;
+  }
+  return resolved;
+}
+var MAX_SETTINGS_CACHE_SIZE = 50;
+var settingsCache = /* @__PURE__ */ new Map();
+async function readJsoncSettings(settingsPath) {
+  try {
+    const lst = await lstat(settingsPath);
+    if (lst.isSymbolicLink()) {
+      return null;
+    }
+  } catch {
+    putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+    return null;
+  }
+  let mtimeMs = null;
+  try {
+    const st = await stat(settingsPath);
+    if (!st.isFile()) {
+      putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+      return null;
+    }
+    mtimeMs = st.mtimeMs;
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      putSettingsCache(settingsPath, { mtimeMs: null, parsed: null });
+    }
+    return null;
+  }
+  const cached = settingsCache.get(settingsPath);
+  if (cached && cached.mtimeMs === mtimeMs) {
+    return cached.parsed;
+  }
+  let text;
+  try {
+    text = await readFile(settingsPath, "utf-8");
+  } catch {
+    return null;
+  }
+  const parsed = parseJsonc(text);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    putSettingsCache(settingsPath, { mtimeMs, parsed: null });
+    return null;
+  }
+  const payload = parsed;
+  putSettingsCache(settingsPath, { mtimeMs, parsed: payload });
+  return payload;
+}
+function putSettingsCache(path34, entry) {
+  if (!settingsCache.has(path34) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
+    settingsCache.delete(settingsCache.keys().next().value);
+  }
+  settingsCache.set(path34, entry);
+}
+async function readCopilotCustomLocations(workspaceRoot) {
+  const parsed = await readJsoncSettings(
+    path14.join(workspaceRoot, ".vscode", "settings.json")
+  );
+  if (!parsed) {
+    return [];
+  }
+  const home = homedir();
+  const dynamic = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const setting of COPILOT_CUSTOM_LOCATION_SETTINGS) {
+    for (const loc of extractCustomLocations(parsed[setting.key])) {
+      const abs = resolveCustomLocationPath(loc, workspaceRoot, home);
+      if (!abs) {
+        continue;
+      }
+      if (setting.kind === "skill-bundle") {
+        const dedupKey = `skill-bundle:${abs}`;
+        if (seen.has(dedupKey)) {
+          continue;
+        }
+        seen.add(dedupKey);
+        dynamic.push({
+          kind: "skill-bundle",
+          skillsRoot: ".",
+          root: "absolute",
+          absoluteBase: abs
+        });
+      } else {
+        const dedupKey = `${setting.category}:${abs}`;
+        if (seen.has(dedupKey)) {
+          continue;
+        }
+        seen.add(dedupKey);
+        dynamic.push({
+          kind: "glob",
+          glob: setting.glob,
+          category: setting.category,
+          root: "absolute",
+          absoluteBase: abs
+        });
+      }
+    }
+  }
+  return dynamic;
+}
+async function readClaudeCodeCustomLocations() {
+  const home = homedir();
+  const parsed = await readJsoncSettings(
+    path14.join(home, ".claude", "settings.json")
+  );
+  if (!parsed) {
+    return [];
+  }
+  const dynamic = [];
+  for (const { key, category, glob } of CLAUDE_CODE_CUSTOM_LOCATION_SETTINGS) {
+    const raw = parsed[key];
+    if (typeof raw !== "string" || raw.length === 0) {
+      continue;
+    }
+    if (/\$\{workspaceFolder\}/.test(raw)) {
+      continue;
+    }
+    const abs = resolveCustomLocationPath(raw, home, home);
+    if (!abs) {
+      continue;
+    }
+    dynamic.push({
+      kind: "glob",
+      glob,
+      category,
+      root: "absolute",
+      absoluteBase: abs
+    });
+  }
+  return dynamic;
+}
+async function readCustomLocations(workspaceRoot, platform2) {
+  if (platform2 === "copilot") {
+    return readCopilotCustomLocations(workspaceRoot);
+  }
+  if (platform2 === "claude-code") {
+    return readClaudeCodeCustomLocations();
+  }
+  return [];
+}
+function groupSkills(files, root, baseDir) {
+  const skillFiles = files.filter((f) => f.category === SKILL_CATEGORY);
+  const folderMap = /* @__PURE__ */ new Map();
+  const standalone = [];
+  for (const f of skillFiles) {
+    const rel = path14.relative(baseDir, f.path).replace(/\\/g, "/");
+    const skillsMarker = "skills/";
+    const skillsIdx = rel.indexOf(skillsMarker);
+    if (skillsIdx === -1) {
+      standalone.push(f);
+      continue;
+    }
+    const relFromSkills = rel.slice(skillsIdx + skillsMarker.length);
+    const slashIdx = relFromSkills.indexOf("/");
+    if (slashIdx === -1) {
+      standalone.push(f);
+    } else {
+      const folderName = relFromSkills.slice(0, slashIdx);
+      if (!folderMap.has(folderName)) {
+        folderMap.set(folderName, []);
+      }
+      folderMap.get(folderName).push(f);
+    }
+  }
+  const groups = [];
+  for (const f of standalone) {
+    const name = path14.basename(f.path, path14.extname(f.path));
+    const sessionKey = `skill:${root}:${name}`;
+    groups.push({
+      name,
+      root,
+      skillPath: f.path,
+      files: [f],
+      isFolder: false,
+      maxMtimeMs: f.mtimeMs,
+      sessionKey
+    });
+  }
+  for (const [folderName, folderFiles] of folderMap) {
+    const maxMtimeMs = Math.max(...folderFiles.map((f) => f.mtimeMs));
+    const anyFile = folderFiles[0];
+    const rel = path14.relative(baseDir, anyFile.path).replace(/\\/g, "/");
+    const skillsIdx = rel.indexOf("skills/");
+    const skillRelPath = rel.slice(
+      0,
+      skillsIdx + "skills/".length + folderName.length
+    );
+    const skillPath = path14.join(baseDir, skillRelPath);
+    const sessionKey = `skill:${root}:${folderName}`;
+    groups.push({
+      name: folderName,
+      root,
+      skillPath,
+      files: folderFiles,
+      isFolder: true,
+      maxMtimeMs,
+      sessionKey
     });
-    for (const filePath of matchedFiles) {
+  }
+  return groups;
+}
+async function scanContextFiles(workspaceRoot, platform2, sessionId) {
+  const staticEntries = SCAN_PATHS[platform2] ?? [];
+  const dynamicEntries = await readCustomLocations(workspaceRoot, platform2);
+  const entries = [...staticEntries, ...dynamicEntries];
+  if (entries.length === 0) {
+    return { regularFiles: [], skillGroups: [] };
+  }
+  const now = Date.now();
+  for (const [sid, entry] of sessionMtimes) {
+    if (now - entry.lastUpdatedAt > SESSION_TTL_MS) {
+      sessionMtimes.delete(sid);
+    }
+  }
+  const home = homedir();
+  const sessionEntry = sessionId ? sessionMtimes.get(sessionId) : void 0;
+  const allFiles = [];
+  const skillBatches = /* @__PURE__ */ new Map();
+  const seenPaths = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const baseDir = resolveBaseDir(entry, workspaceRoot, home);
+    const scope = scopeForRoot(entry.root);
+    const isDynamic = entry.root === "absolute";
+    const matches = entry.kind === "skill-bundle" ? await enumerateSkillBundle(baseDir, entry.skillsRoot) : await enumerateGlob(entry.glob, baseDir, entry.category, isDynamic);
+    for (const { path: filePath, category } of matches) {
       if (seenPaths.has(filePath)) {
         continue;
       }
@@ -17400,16 +17644,21 @@ async function scanContextFiles(workspaceRoot, platform2, sessionId) {
           path: filePath,
           content,
           sizeBytes,
-          category: entry.category,
+          category,
           mtimeMs: fileStat.mtimeMs
         };
-        if (entry.category === SKILL_CATEGORY) {
-          let rootFiles = skillFilesByRoot.get(entry.root);
-          if (!rootFiles) {
-            rootFiles = [];
-            skillFilesByRoot.set(entry.root, rootFiles);
+        if (scope) {
+          fileEntry.scope = scope;
+        }
+        if (category === SKILL_CATEGORY) {
+          const effectiveRoot = entry.root === "home" ? "home" : "workspace";
+          const batchKey = `${effectiveRoot}:${baseDir}`;
+          let batch = skillBatches.get(batchKey);
+          if (!batch) {
+            batch = { root: effectiveRoot, baseDir, files: [] };
+            skillBatches.set(batchKey, batch);
           }
-          rootFiles.push(fileEntry);
+          batch.files.push(fileEntry);
         } else {
           const prevMtime = sessionEntry?.files.get(filePath);
           if (prevMtime !== void 0 && fileStat.mtimeMs <= prevMtime) {
@@ -17417,13 +17666,12 @@ async function scanContextFiles(workspaceRoot, platform2, sessionId) {
           }
           allFiles.push(fileEntry);
         }
-      } catch (_err) {
+      } catch {
       }
     }
   }
   const allSkillGroups = [];
-  for (const [root, files] of skillFilesByRoot) {
-    const baseDir = root === "home" ? home : workspaceRoot;
+  for (const { root, baseDir, files } of skillBatches.values()) {
     const groups = groupSkills(files, root, baseDir);
     for (const group of groups) {
       if (sessionEntry) {
@@ -17437,13 +17685,587 @@ async function scanContextFiles(workspaceRoot, platform2, sessionId) {
   }
   return { regularFiles: allFiles, skillGroups: allSkillGroups };
 }
+async function enumerateGlob(pattern, cwd, category, isDynamic) {
+  let files;
+  try {
+    files = await globby2(pattern, {
+      cwd,
+      absolute: true,
+      onlyFiles: true,
+      dot: true,
+      // Never follow symlinks — a malicious committed repo can place a
+      // symlink at a scanned path (e.g. .github/copilot-instructions.md →
+      // ~/.aws/credentials) and the scanner would read and upload the target.
+      followSymbolicLinks: false,
+      // Dynamic absolute bases additionally cap traversal depth so a
+      // misconfigured setting can't enumerate the whole filesystem.
+      ...isDynamic ? { deep: DYNAMIC_SCAN_MAX_DEPTH } : {}
+    });
+  } catch {
+    return [];
+  }
+  return files.map((path34) => ({ path: path34, category }));
+}
+async function enumerateSkillBundle(baseDir, skillsRoot) {
+  const skillsDir = path14.resolve(baseDir, skillsRoot);
+  let manifests;
+  try {
+    manifests = await globby2("*/SKILL.md", {
+      cwd: skillsDir,
+      absolute: true,
+      onlyFiles: true,
+      dot: true,
+      followSymbolicLinks: false,
+      deep: SKILL_MANIFEST_SCAN_DEPTH
+    });
+  } catch {
+    return [];
+  }
+  const perSkillResults = await Promise.all(
+    manifests.map(async (manifest) => {
+      const skillDir = path14.dirname(manifest);
+      try {
+        return await globby2("**/*", {
+          cwd: skillDir,
+          absolute: true,
+          onlyFiles: true,
+          dot: true,
+          followSymbolicLinks: false,
+          deep: SKILL_BUNDLE_MAX_DEPTH
+        });
+      } catch {
+        return [];
+      }
+    })
+  );
+  return perSkillResults.flat().map((p) => ({ path: p, category: "skill" }));
+}
+var DYNAMIC_SCAN_MAX_DEPTH = 6;
+var SKILL_MANIFEST_SCAN_DEPTH = 2;
+var SKILL_BUNDLE_MAX_DEPTH = 5;
+function resolveBaseDir(entry, workspaceRoot, home) {
+  switch (entry.root) {
+    case "home":
+      return home;
+    case "absolute":
+      return entry.absoluteBase;
+    default:
+      return workspaceRoot;
+  }
+}
+function scopeForRoot(root) {
+  if (root === "home" || root === "absolute") {
+    return "user-global";
+  }
+  return void 0;
+}
 function deriveIdentifier(filePath, baseDir) {
-  const relative2 = path15.relative(baseDir, filePath);
+  const relative2 = path14.relative(baseDir, filePath);
   if (!relative2.startsWith("..")) {
     return relative2.replace(/\\/g, "/");
   }
-  return path15.basename(filePath);
+  return path14.basename(filePath);
+}
+
+// src/features/analysis/skill_quarantine/enumerateInstalledSkills.ts
+async function enumerateInstalledSkills(workspaceRoot) {
+  const { skillGroups } = await scanContextFiles(
+    workspaceRoot,
+    "claude-code",
+    void 0
+  );
+  if (skillGroups.length === 0) {
+    return [];
+  }
+  const { skills } = await processContextFiles([], skillGroups);
+  return skills.map((s) => {
+    const parts = s.group.skillPath.split(/[\\/]/);
+    const origName = parts[parts.length - 1] || s.group.name;
+    return {
+      skillPath: s.group.skillPath,
+      md5: s.md5,
+      origName,
+      isFolder: s.group.isFolder
+    };
+  });
+}
+
+// src/features/analysis/skill_quarantine/metrics.ts
+var Metric = {
+  /** A heartbeat triggered the quarantine check (after debounce). */
+  CHECK_TRIGGERED: "skill_quarantine.check_triggered",
+  /** The env-var kill switch skipped the run. */
+  CHECK_DISABLED_ENV: "skill_quarantine.check_disabled_env",
+  /** Verdict-query call failed. Fail-open. */
+  QUERY_ERROR: "skill_quarantine.query_error",
+  /** Count of skills enumerated in this run (histogram-ish). */
+  SKILLS_CHECKED: "skill_quarantine.skills_checked",
+  /** A skill was freshly quarantined. Tagged with shape. */
+  QUARANTINED: "skill_quarantine.quarantined",
+  /** Presence check hit; skill already quarantined. */
+  ALREADY_QUARANTINED: "skill_quarantine.already_quarantined",
+  /** Move step failed. Tagged with phase (stage | publish). */
+  MOVE_ERROR: "skill_quarantine.move_error",
+  /** Stub creation failed after the move succeeded. */
+  STUB_ERROR: "skill_quarantine.stub_error",
+  /** A stale staging dir was swept. */
+  ORPHAN_SWEPT: "skill_quarantine.orphan_swept",
+  /** Total run duration including I/O. */
+  DURATION_MS: "skill_quarantine.duration_ms"
+};
+
+// src/features/analysis/skill_quarantine/quarantineSkill.ts
+import { randomUUID } from "crypto";
+import { existsSync as existsSync2 } from "fs";
+import {
+  mkdir,
+  readdir,
+  readFile as readFile2,
+  rename,
+  rm,
+  stat as stat2,
+  writeFile
+} from "fs/promises";
+import path16 from "path";
+import { move } from "fs-extra";
+
+// src/features/analysis/skill_quarantine/paths.ts
+import { homedir as homedir2 } from "os";
+import path15 from "path";
+function getQuarantineRoot() {
+  return path15.join(homedir2(), ".tracy", "quarantine", "claude", "skills");
+}
+function getQuarantinedHashDir(md5) {
+  return path15.join(getQuarantineRoot(), md5);
+}
+function getQuarantinedTargetPath(md5, origName) {
+  return path15.join(getQuarantinedHashDir(md5), origName);
+}
+function getStagingDir(md5, pid, uuid) {
+  return path15.join(getQuarantineRoot(), `${md5}_tmp_${pid}_${uuid}`);
+}
+var STAGING_DIR_REGEX = /^([0-9a-f]{32})_tmp_/;
+
+// src/features/analysis/skill_quarantine/stubTemplate.ts
+var LEGACY_SUMMARY_FALLBACK = "not available (scan predates current schema)";
+function renderStub(params) {
+  const folderOrFile = params.isFolder ? "skill folder" : "skill file";
+  const reason = params.summary ?? LEGACY_SUMMARY_FALLBACK;
+  return `# \u26D4 QUARANTINED BY TRACY
+
+This skill was flagged **MALICIOUS** by the Mobb security scanner and has been
+moved out of your skills folder. **Claude Code will not execute it** while this
+stub is in place.
+
+## Why this skill was flagged
+
+- **Reason:** ${reason}
+- **Scanner:** ${params.scannerName} @ ${params.scannerVersion}
+- **Scanned at:** ${params.scannedAt}
+- **Content hash (MD5):** \`${params.md5}\`
+
+## Where the original is now
+
+The original ${folderOrFile} has been moved to:
+
+    ${params.quarantinedPath}
+
+Nothing has been deleted. The contents are intact; only the location changed.
+
+## If this is a false positive \u2014 how to recover
+
+If you're confident this skill is safe and want to restore it:
+
+    mv ${params.quarantinedPath} ${params.origPath}
+
+Tracy will not re-quarantine it as long as the directory
+\`~/.tracy/quarantine/claude/skills/${params.md5}/\` still exists on your
+machine (even if it's empty after you moved the contents out). If you delete
+that directory entirely, the next heartbeat will re-evaluate the skill from
+scratch.
+
+## How to report a false positive
+
+Please email **security@mobb.ai** with:
+
+- The MD5 above
+- A short description of why you believe the flag was wrong
+- (Optional) the skill folder contents
+
+Your report helps tune the scanner for everyone.
+`;
+}
+
+// src/features/analysis/skill_quarantine/quarantineSkill.ts
+async function quarantineSkill(params) {
+  const { skillPath, isFolder, md5, origName, verdict, log: log2 } = params;
+  const hashDir = getQuarantinedHashDir(md5);
+  if (existsSync2(hashDir)) {
+    log2.debug(
+      { md5, metric: Metric.ALREADY_QUARANTINED },
+      "skill_quarantine: already quarantined, skipping"
+    );
+    return { status: "already_quarantined" };
+  }
+  const stagingDir = getStagingDir(md5, process.pid, randomUUID());
+  const stagingTarget = path16.join(stagingDir, origName);
+  const finalTarget = getQuarantinedTargetPath(md5, origName);
+  try {
+    await mkdir(stagingDir, { recursive: true });
+  } catch (err) {
+    log2.error(
+      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
+      "skill_quarantine: failed to create staging dir"
+    );
+    return { status: "move_error", phase: "stage", err };
+  }
+  try {
+    await move(skillPath, stagingTarget);
+  } catch (err) {
+    await tryRm(stagingDir);
+    log2.error(
+      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
+      "skill_quarantine: phase-1 move failed"
+    );
+    return { status: "move_error", phase: "stage", err };
+  }
+  try {
+    await rename(stagingDir, hashDir);
+  } catch (err) {
+    log2.error(
+      {
+        err,
+        md5,
+        stagingDir,
+        metric: Metric.MOVE_ERROR,
+        phase: "publish"
+      },
+      "skill_quarantine: phase-2 publish failed; staging dir preserved for manual recovery"
+    );
+    return { status: "move_error", phase: "publish", err };
+  }
+  const quarantinedPath = finalTarget;
+  const stubContent = renderStub({
+    md5,
+    isFolder,
+    quarantinedPath,
+    origPath: skillPath,
+    summary: verdict.summary,
+    scannerName: verdict.scannerName,
+    scannerVersion: verdict.scannerVersion,
+    scannedAt: verdict.scannedAt
+  });
+  try {
+    if (isFolder) {
+      await mkdir(skillPath, { recursive: true });
+      await writeFile(path16.join(skillPath, "SKILL.md"), stubContent, "utf8");
+    } else {
+      await writeFile(skillPath, stubContent, "utf8");
+    }
+  } catch (err) {
+    log2.error(
+      { err, md5, skillPath, metric: Metric.STUB_ERROR },
+      "skill_quarantine: stub write failed; quarantine is still in place"
+    );
+    return { status: "stub_error", err };
+  }
+  await preRegisterStubMd5(skillPath, isFolder, log2);
+  log2.info(
+    {
+      md5,
+      verdict: verdict.verdict,
+      shape: isFolder ? "folder" : "standalone",
+      scanner: verdict.scannerName,
+      scannerVersion: verdict.scannerVersion,
+      metric: Metric.QUARANTINED
+    },
+    "skill_quarantine: quarantined"
+  );
+  return { status: "quarantined" };
+}
+async function preRegisterStubMd5(skillPath, isFolder, log2) {
+  try {
+    const stubEntries = await gatherStubEntries(skillPath, isFolder);
+    const stubGroup = {
+      name: path16.basename(skillPath).replace(/\.md$/i, ""),
+      root: "workspace",
+      skillPath,
+      files: stubEntries,
+      isFolder,
+      maxMtimeMs: Date.now(),
+      sessionKey: `quarantine-stub:${skillPath}`
+    };
+    const { skills } = await processContextFiles([], [stubGroup]);
+    if (skills.length === 0) return;
+    const stubMd5 = skills[0].md5;
+    await mkdir(getQuarantinedHashDir(stubMd5), { recursive: true });
+  } catch (err) {
+    log2.warn(
+      { err, skillPath },
+      "skill_quarantine: failed to pre-register stub md5"
+    );
+  }
+}
+async function gatherStubEntries(skillPath, isFolder) {
+  const now = Date.now();
+  const target = isFolder ? path16.join(skillPath, "SKILL.md") : skillPath;
+  const [st, content] = await Promise.all([
+    stat2(target),
+    readFile2(target, "utf8")
+  ]);
+  return [
+    {
+      name: isFolder ? "SKILL.md" : path16.basename(skillPath),
+      path: target,
+      content,
+      sizeBytes: st.size,
+      category: "skill",
+      mtimeMs: now
+    }
+  ];
+}
+async function sweepOrphanStagingDirs(log2) {
+  const root = getQuarantineRoot();
+  let entries;
+  try {
+    entries = await readdir(root);
+  } catch (err) {
+    if (err.code === "ENOENT") return 0;
+    log2.warn({ err, root }, "skill_quarantine: orphan sweep readdir failed");
+    return 0;
+  }
+  const now = Date.now();
+  let swept = 0;
+  for (const entry of entries) {
+    if (!STAGING_DIR_REGEX.test(entry)) continue;
+    const full = path16.join(root, entry);
+    let mtimeMs;
+    try {
+      mtimeMs = (await stat2(full)).mtimeMs;
+    } catch {
+      continue;
+    }
+    if (now - mtimeMs < ORPHAN_SWEEP_GRACE_MS) continue;
+    try {
+      await rm(full, { recursive: true, force: true });
+      swept += 1;
+      log2.info(
+        { path: full, metric: Metric.ORPHAN_SWEPT },
+        "skill_quarantine: orphan swept"
+      );
+    } catch (err) {
+      log2.warn({ err, path: full }, "skill_quarantine: orphan sweep rm failed");
+    }
+  }
+  return swept;
+}
+async function tryRm(p) {
+  try {
+    await rm(p, { recursive: true, force: true });
+  } catch {
+  }
+}
+
+// src/features/analysis/skill_quarantine/queryVerdicts.ts
+async function queryVerdicts(gqlClient, md5s, log2) {
+  if (md5s.length === 0) {
+    return /* @__PURE__ */ new Map();
+  }
+  try {
+    const res = await gqlClient.skillVerdictsByMd5(md5s);
+    const out = /* @__PURE__ */ new Map();
+    for (const row of res.skillVerdictsByMd5) {
+      out.set(row.md5, {
+        md5: row.md5,
+        verdict: row.verdict,
+        summary: row.summary ?? null,
+        scannerName: row.scannerName,
+        scannerVersion: row.scannerVersion,
+        scannedAt: row.scannedAt
+      });
+    }
+    return out;
+  } catch (err) {
+    log2.warn(
+      { err, md5_count: md5s.length, metric: "skill_quarantine.query_error" },
+      "skill_quarantine: verdict query failed, failing open"
+    );
+    return /* @__PURE__ */ new Map();
+  }
+}
+
+// src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+var lastRunAt = /* @__PURE__ */ new Map();
+var killSwitchLogged = false;
+async function runQuarantineCheckIfNeeded(opts) {
+  const { sessionId, cwd, gqlClient, log: log2 } = opts;
+  if (process.env[KILL_SWITCH_ENV] === "1") {
+    if (!killSwitchLogged) {
+      log2.warn(
+        { metric: Metric.CHECK_DISABLED_ENV },
+        `skill_quarantine: disabled by ${KILL_SWITCH_ENV}=1`
+      );
+      killSwitchLogged = true;
+    }
+    return;
+  }
+  const now = Date.now();
+  const prev = lastRunAt.get(sessionId);
+  if (prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS) {
+    return;
+  }
+  lastRunAt.set(sessionId, now);
+  log2.info(
+    { sessionId, metric: Metric.CHECK_TRIGGERED },
+    "skill_quarantine: check start"
+  );
+  const t0 = Date.now();
+  try {
+    await sweepOrphanStagingDirs(log2);
+    const installed = await enumerateInstalledSkills(cwd);
+    log2.info(
+      { sessionId, count: installed.length, metric: Metric.SKILLS_CHECKED },
+      "skill_quarantine: skills enumerated"
+    );
+    if (installed.length === 0) {
+      return;
+    }
+    const verdicts = await queryVerdicts(
+      gqlClient,
+      installed.map((s) => s.md5),
+      log2
+    );
+    for (const skill of installed) {
+      const verdict = verdicts.get(skill.md5);
+      if (!verdict || verdict.verdict !== MALICIOUS_VERDICT) {
+        continue;
+      }
+      try {
+        await quarantineSkill({
+          skillPath: skill.skillPath,
+          isFolder: skill.isFolder,
+          md5: skill.md5,
+          origName: skill.origName,
+          verdict,
+          log: log2
+        });
+      } catch (err) {
+        log2.error(
+          { err, md5: skill.md5, skillPath: skill.skillPath },
+          "skill_quarantine: unexpected error during quarantine"
+        );
+      }
+    }
+  } finally {
+    log2.info(
+      {
+        sessionId,
+        duration_ms: Date.now() - t0,
+        metric: Metric.DURATION_MS
+      },
+      "skill_quarantine: check done"
+    );
+  }
+}
+
+// src/features/claude_code/daemon_pid_file.ts
+import fs13 from "fs";
+import os4 from "os";
+import path17 from "path";
+
+// src/features/claude_code/data_collector_constants.ts
+var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
+var CC_VERSION_CLI_KEY = "claudeCode.detectedCCVersionCli";
+var GQL_AUTH_TIMEOUT_MS = 15e3;
+var STALE_KEY_MAX_AGE_MS = 14 * 24 * 60 * 60 * 1e3;
+var CLEANUP_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+var DAEMON_TTL_MS = 30 * 60 * 1e3;
+var DAEMON_POLL_INTERVAL_MS = (() => {
+  const raw = Number(process.env["MOBB_DAEMON_POLL_INTERVAL_MS"]);
+  if (!Number.isFinite(raw) || raw <= 0) return 1e4;
+  return Math.min(Math.max(raw, 100), 6e4);
+})();
+var HEARTBEAT_STALE_MS = 3e4;
+var TRANSCRIPT_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
+var DAEMON_CHUNK_SIZE = 50;
+
+// src/features/claude_code/daemon_pid_file.ts
+function getMobbdevDir() {
+  return path17.join(os4.homedir(), ".mobbdev");
+}
+function getDaemonCheckScriptPath() {
+  return path17.join(getMobbdevDir(), "daemon-check.js");
 }
+var DaemonPidFile = class {
+  constructor() {
+    __publicField(this, "data", null);
+  }
+  get filePath() {
+    return path17.join(getMobbdevDir(), "daemon.pid");
+  }
+  /** Ensure ~/.mobbdev/ directory exists. */
+  ensureDir() {
+    fs13.mkdirSync(getMobbdevDir(), { recursive: true });
+  }
+  /** Read the PID file from disk. Returns the parsed data or null. */
+  read() {
+    try {
+      const raw = fs13.readFileSync(this.filePath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (typeof parsed.pid !== "number" || typeof parsed.startedAt !== "number" || typeof parsed.heartbeat !== "number") {
+        this.data = null;
+      } else {
+        this.data = parsed;
+      }
+    } catch {
+      this.data = null;
+    }
+    return this.data;
+  }
+  /** Write a new PID file for the given process id. */
+  write(pid, version) {
+    this.data = {
+      pid,
+      startedAt: Date.now(),
+      heartbeat: Date.now(),
+      version
+    };
+    fs13.writeFileSync(this.filePath, JSON.stringify(this.data), "utf8");
+  }
+  /** Update the heartbeat timestamp of the current PID file. */
+  updateHeartbeat() {
+    if (!this.data) this.read();
+    if (!this.data) return;
+    this.data.heartbeat = Date.now();
+    fs13.writeFileSync(this.filePath, JSON.stringify(this.data), "utf8");
+  }
+  /** Check whether the previously read PID data represents a live daemon. */
+  isAlive() {
+    if (!this.data) return false;
+    if (Date.now() - this.data.heartbeat > HEARTBEAT_STALE_MS) return false;
+    try {
+      process.kill(this.data.pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /** Remove the PID file from disk (best-effort). */
+  remove() {
+    this.data = null;
+    try {
+      fs13.unlinkSync(this.filePath);
+    } catch {
+    }
+  }
+};
+
+// src/features/claude_code/data_collector.ts
+import { execFile } from "child_process";
+import { createHash as createHash3 } from "crypto";
+import { access, open as open4, readdir as readdir2, readFile as readFile3, unlink } from "fs/promises";
+import path18 from "path";
+import { promisify } from "util";
 
 // src/features/analysis/context_file_uploader.ts
 import pLimit7 from "p-limit";
@@ -17707,8 +18529,8 @@ function createConfigstoreStream(store, opts) {
       heartbeatBuffer.length = 0;
     }
   }
-  function setScopePath(path32) {
-    scopePath = path32;
+  function setScopePath(path34) {
+    scopePath = path34;
   }
   return { writable, flush, setScopePath };
 }
@@ -17932,7 +18754,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.3.7" : "unknown";
+var CLI_VERSION = true ? "1.4.0" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -18023,12 +18845,12 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     return transcriptPath;
   } catch {
   }
-  const filename = path16.basename(transcriptPath);
-  const dirName = path16.basename(path16.dirname(transcriptPath));
-  const projectsDir = path16.dirname(path16.dirname(transcriptPath));
+  const filename = path18.basename(transcriptPath);
+  const dirName = path18.basename(path18.dirname(transcriptPath));
+  const projectsDir = path18.dirname(path18.dirname(transcriptPath));
   const baseDirName = dirName.replace(/[-.]claude-worktrees-.+$/, "");
   if (baseDirName !== dirName) {
-    const candidate = path16.join(projectsDir, baseDirName, filename);
+    const candidate = path18.join(projectsDir, baseDirName, filename);
     try {
       await access(candidate);
       hookLog.info(
@@ -18047,10 +18869,10 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     }
   }
   try {
-    const dirs = await readdir(projectsDir);
+    const dirs = await readdir2(projectsDir);
     for (const dir of dirs) {
       if (dir === dirName) continue;
-      const candidate = path16.join(projectsDir, dir, filename);
+      const candidate = path18.join(projectsDir, dir, filename);
       try {
         await access(candidate);
         hookLog.info(
@@ -18081,9 +18903,9 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   if (cursor?.byteOffset) {
     const fh = await open4(transcriptPath, "r");
     try {
-      const stat3 = await fh.stat();
-      fileSize = stat3.size;
-      if (cursor.byteOffset >= stat3.size) {
+      const stat4 = await fh.stat();
+      fileSize = stat4.size;
+      if (cursor.byteOffset >= stat4.size) {
         hookLog.info({ data: { sessionId } }, "No new data in transcript file");
         return {
           entries: [],
@@ -18091,7 +18913,7 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
           resolvedTranscriptPath: transcriptPath
         };
       }
-      const buf = Buffer.alloc(stat3.size - cursor.byteOffset);
+      const buf = Buffer.alloc(stat4.size - cursor.byteOffset);
       await fh.read(buf, 0, buf.length, cursor.byteOffset);
       content = buf.toString("utf-8");
     } finally {
@@ -18109,7 +18931,7 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
       "Read transcript file from offset"
     );
   } else {
-    content = await readFile2(transcriptPath, "utf-8");
+    content = await readFile3(transcriptPath, "utf-8");
     fileSize = Buffer.byteLength(content, "utf-8");
     lineIndexOffset = 0;
     hookLog.debug(
@@ -18231,13 +19053,13 @@ async function cleanupStaleSessions(configDir) {
   const now = Date.now();
   const prefix = getSessionFilePrefix();
   try {
-    const files = await readdir(configDir);
+    const files = await readdir2(configDir);
     let deletedCount = 0;
     for (const file of files) {
       if (!file.startsWith(prefix) || !file.endsWith(".json")) continue;
-      const filePath = path16.join(configDir, file);
+      const filePath = path18.join(configDir, file);
       try {
-        const content = JSON.parse(await readFile2(filePath, "utf-8"));
+        const content = JSON.parse(await readFile3(filePath, "utf-8"));
         let newest = 0;
         const cursors = content["cursor"];
         if (cursors && typeof cursors === "object") {
@@ -18483,14 +19305,14 @@ async function uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2) {
 import fs14 from "fs";
 import fsPromises4 from "fs/promises";
 import os6 from "os";
-import path17 from "path";
+import path19 from "path";
 import chalk11 from "chalk";
 
 // src/features/claude_code/daemon-check-shim.tmpl.js
 var daemon_check_shim_tmpl_default = "// Mobb daemon shim \u2014 checks if daemon is alive, spawns if dead.\n// Auto-generated by mobbdev CLI. Do not edit.\nvar fs = require('fs')\nvar spawn = require('child_process').spawn\nvar path = require('path')\nvar os = require('os')\n\nvar pidFile = path.join(os.homedir(), '.mobbdev', 'daemon.pid')\nvar HEARTBEAT_STALE_MS = __HEARTBEAT_STALE_MS__\n\ntry {\n  var data = JSON.parse(fs.readFileSync(pidFile, 'utf8'))\n  if (Date.now() - data.heartbeat > HEARTBEAT_STALE_MS) throw new Error('stale')\n  process.kill(data.pid, 0) // throws ESRCH if the process is gone\n} catch (e) {\n  var localCli = process.env.MOBBDEV_LOCAL_CLI\n  var child = localCli\n    ? spawn('node', [localCli, 'claude-code-daemon'], { detached: true, stdio: 'ignore', windowsHide: true })\n    : spawn('npx', ['--yes', 'mobbdev@latest', 'claude-code-daemon'], { detached: true, stdio: 'ignore', shell: true, windowsHide: true })\n  child.unref()\n}\n";
 
 // src/features/claude_code/install_hook.ts
-var CLAUDE_SETTINGS_PATH = path17.join(os6.homedir(), ".claude", "settings.json");
+var CLAUDE_SETTINGS_PATH = path19.join(os6.homedir(), ".claude", "settings.json");
 var RECOMMENDED_MATCHER = "*";
 async function claudeSettingsExists() {
   try {
@@ -18636,18 +19458,18 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir2, stat as stat2 } from "fs/promises";
+import { open as open5, readdir as readdir3, stat as stat3 } from "fs/promises";
 import os7 from "os";
-import path18 from "path";
+import path20 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function getClaudeProjectsDirs() {
   const dirs = [];
   const configDir = process.env["CLAUDE_CONFIG_DIR"];
   if (configDir) {
-    dirs.push(path18.join(configDir, "projects"));
+    dirs.push(path20.join(configDir, "projects"));
   }
-  dirs.push(path18.join(os7.homedir(), ".config", "claude", "projects"));
-  dirs.push(path18.join(os7.homedir(), ".claude", "projects"));
+  dirs.push(path20.join(os7.homedir(), ".config", "claude", "projects"));
+  dirs.push(path20.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
 async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
@@ -18655,12 +19477,12 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
     if (!file.endsWith(".jsonl")) continue;
     const sessionId = file.replace(".jsonl", "");
     if (!UUID_RE.test(sessionId)) continue;
-    const filePath = path18.join(dir, file);
+    const filePath = path20.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
     let fileStat;
     try {
-      fileStat = await stat2(filePath);
+      fileStat = await stat3(filePath);
     } catch {
       continue;
     }
@@ -18681,33 +19503,33 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
   for (const projectsDir of projectsDirs) {
     let projectDirs;
     try {
-      projectDirs = await readdir2(projectsDir);
+      projectDirs = await readdir3(projectsDir);
     } catch {
       continue;
     }
     for (const projName of projectDirs) {
-      const projPath = path18.join(projectsDir, projName);
+      const projPath = path20.join(projectsDir, projName);
       let projStat;
       try {
-        projStat = await stat2(projPath);
+        projStat = await stat3(projPath);
       } catch {
         continue;
       }
       if (!projStat.isDirectory()) continue;
       let files;
       try {
-        files = await readdir2(projPath);
+        files = await readdir3(projPath);
       } catch {
         continue;
       }
       await collectJsonlFiles(files, projPath, projPath, seen, now, results);
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
-        const subagentsDir = path18.join(projPath, entry, "subagents");
+        const subagentsDir = path20.join(projPath, entry, "subagents");
         try {
-          const s = await stat2(subagentsDir);
+          const s = await stat3(subagentsDir);
           if (!s.isDirectory()) continue;
-          const subFiles = await readdir2(subagentsDir);
+          const subFiles = await readdir3(subagentsDir);
           await collectJsonlFiles(
             subFiles,
             subagentsDir,
@@ -18804,7 +19626,7 @@ async function startDaemon() {
       for (const transcript of changed) {
         const sessionStore = createSessionConfigStore(transcript.sessionId);
         if (!cleanupConfigDir) {
-          cleanupConfigDir = path19.dirname(sessionStore.path);
+          cleanupConfigDir = path21.dirname(sessionStore.path);
         }
         await drainTranscript(transcript, sessionStore, gqlClient);
       }
@@ -18886,6 +19708,19 @@ async function drainTranscript(transcript, sessionStore, gqlClient) {
       "Error processing transcript \u2014 skipping"
     );
   }
+  if (cwd) {
+    runQuarantineCheckIfNeeded({
+      sessionId: transcript.sessionId,
+      cwd,
+      gqlClient,
+      log: log2
+    }).catch((err) => {
+      hookLog.warn(
+        { err, data: { sessionId: transcript.sessionId } },
+        "runQuarantineCheckIfNeeded failed"
+      );
+    });
+  }
 }
 async function detectChangedTranscripts(lastSeen) {
   const transcripts = await scanForTranscripts();
@@ -19062,8 +19897,8 @@ var WorkspaceService = class {
    * Sets a known workspace path that was discovered through successful validation
    * @param path The validated workspace path to store
    */
-  static setKnownWorkspacePath(path32) {
-    this.knownWorkspacePath = path32;
+  static setKnownWorkspacePath(path34) {
+    this.knownWorkspacePath = path34;
   }
   /**
    * Gets the known workspace path that was previously validated
@@ -19924,7 +20759,7 @@ async function createAuthenticatedMcpGQLClient({
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
 import os8 from "os";
-import path20 from "path";
+import path22 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
   try {
@@ -19939,7 +20774,7 @@ var gitInfo = {
 };
 var getClaudeWorkspacePaths = () => {
   const home = os8.homedir();
-  const claudeIdePath = path20.join(home, ".claude", "ide");
+  const claudeIdePath = path22.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
     return workspacePaths;
@@ -19947,7 +20782,7 @@ var getClaudeWorkspacePaths = () => {
   try {
     const lockFiles = fs15.readdirSync(claudeIdePath).filter((file) => file.endsWith(".lock"));
     for (const lockFile of lockFiles) {
-      const lockFilePath = path20.join(claudeIdePath, lockFile);
+      const lockFilePath = path22.join(claudeIdePath, lockFile);
       try {
         const lockContent = JSON.parse(fs15.readFileSync(lockFilePath, "utf8"));
         if (lockContent.workspaceFolders && Array.isArray(lockContent.workspaceFolders)) {
@@ -19972,24 +20807,24 @@ var getMCPConfigPaths = (hostName) => {
   switch (hostName.toLowerCase()) {
     case "cursor":
       return [
-        path20.join(currentDir, ".cursor", "mcp.json"),
+        path22.join(currentDir, ".cursor", "mcp.json"),
         // local first
-        path20.join(home, ".cursor", "mcp.json")
+        path22.join(home, ".cursor", "mcp.json")
       ];
     case "windsurf":
       return [
-        path20.join(currentDir, ".codeium", "mcp_config.json"),
+        path22.join(currentDir, ".codeium", "mcp_config.json"),
         // local first
-        path20.join(home, ".codeium", "windsurf", "mcp_config.json")
+        path22.join(home, ".codeium", "windsurf", "mcp_config.json")
       ];
     case "webstorm":
       return [];
     case "visualstudiocode":
     case "vscode":
       return [
-        path20.join(currentDir, ".vscode", "mcp.json"),
+        path22.join(currentDir, ".vscode", "mcp.json"),
         // local first
-        process.platform === "win32" ? path20.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path20.join(
+        process.platform === "win32" ? path22.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path22.join(
           home,
           "Library",
           "Application Support",
@@ -20000,13 +20835,13 @@ var getMCPConfigPaths = (hostName) => {
       ];
     case "claude": {
       const claudePaths = [
-        path20.join(currentDir, ".claude.json"),
+        path22.join(currentDir, ".claude.json"),
         // local first
-        path20.join(home, ".claude.json")
+        path22.join(home, ".claude.json")
       ];
       const workspacePaths = getClaudeWorkspacePaths();
       for (const workspacePath of workspacePaths) {
-        claudePaths.push(path20.join(workspacePath, ".mcp.json"));
+        claudePaths.push(path22.join(workspacePath, ".mcp.json"));
       }
       return claudePaths;
     }
@@ -20167,10 +21002,10 @@ var getHostInfo = (additionalMcpList) => {
   const ideConfigPaths = /* @__PURE__ */ new Set();
   for (const ide of IDEs) {
     const configPaths = getMCPConfigPaths(ide);
-    configPaths.forEach((path32) => ideConfigPaths.add(path32));
+    configPaths.forEach((path34) => ideConfigPaths.add(path34));
   }
   const uniqueAdditionalPaths = additionalMcpList.filter(
-    (path32) => !ideConfigPaths.has(path32)
+    (path34) => !ideConfigPaths.has(path34)
   );
   for (const ide of IDEs) {
     const cfg = readMCPConfig(ide);
@@ -20292,7 +21127,7 @@ init_configs();
 init_configs();
 import fs16 from "fs";
 import os9 from "os";
-import path21 from "path";
+import path23 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
 var isFileMatch = (fileName) => {
@@ -20312,7 +21147,7 @@ var searchDir = async (dir, depth = 0) => {
   if (depth > MAX_DEPTH) return results;
   const entries = await fs16.promises.readdir(dir, { withFileTypes: true }).catch(() => []);
   for (const entry of entries) {
-    const fullPath = path21.join(dir, entry.name);
+    const fullPath = path23.join(dir, entry.name);
     if (entry.isFile() && isFileMatch(entry.name)) {
       results.push(fullPath);
     } else if (entry.isDirectory()) {
@@ -20329,14 +21164,14 @@ var findSystemMCPConfigs = async () => {
     const home = os9.homedir();
     const platform2 = os9.platform();
     const knownDirs = platform2 === "win32" ? [
-      path21.join(home, ".cursor"),
-      path21.join(home, "Documents"),
-      path21.join(home, "Downloads")
+      path23.join(home, ".cursor"),
+      path23.join(home, "Documents"),
+      path23.join(home, "Downloads")
     ] : [
-      path21.join(home, ".cursor"),
-      process.env["XDG_CONFIG_HOME"] || path21.join(home, ".config"),
-      path21.join(home, "Documents"),
-      path21.join(home, "Downloads")
+      path23.join(home, ".cursor"),
+      process.env["XDG_CONFIG_HOME"] || path23.join(home, ".config"),
+      path23.join(home, "Documents"),
+      path23.join(home, "Downloads")
     ];
     const timeoutPromise = new Promise(
       (resolve) => setTimeout(() => {
@@ -22752,13 +23587,13 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
 import * as os12 from "os";
-import * as path23 from "path";
+import * as path25 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
 init_configs();
 import * as fs18 from "fs";
 import fetch7 from "node-fetch";
-import * as path22 from "path";
+import * as path24 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
@@ -22767,14 +23602,14 @@ import * as os11 from "os";
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
 import * as os13 from "os";
-import * as path24 from "path";
+import * as path26 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
 import { z as z42 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs21 from "fs";
-import path25 from "path";
+import path27 from "path";
 async function validatePath(inputPath) {
   logDebug("Validating MCP path", { inputPath });
   if (/^\/[a-zA-Z]:\//.test(inputPath)) {
@@ -22806,7 +23641,7 @@ async function validatePath(inputPath) {
     logError(error);
     return { isValid: false, error, path: inputPath };
   }
-  const normalizedPath = path25.normalize(inputPath);
+  const normalizedPath = path27.normalize(inputPath);
   if (normalizedPath.includes("..")) {
     const error = `Normalized path contains path traversal patterns: ${inputPath}`;
     logError(error);
@@ -23458,7 +24293,7 @@ init_configs();
 import fs22 from "fs/promises";
 import nodePath from "path";
 var getLocalFiles = async ({
-  path: path32,
+  path: path34,
   maxFileSize = MCP_MAX_FILE_SIZE,
   maxFiles,
   isAllFilesScan,
@@ -23466,17 +24301,17 @@ var getLocalFiles = async ({
   scanRecentlyChangedFiles
 }) => {
   logDebug(`[${scanContext}] Starting getLocalFiles`, {
-    path: path32,
+    path: path34,
     maxFileSize,
     maxFiles,
     isAllFilesScan,
     scanRecentlyChangedFiles
   });
   try {
-    const resolvedRepoPath = await fs22.realpath(path32);
+    const resolvedRepoPath = await fs22.realpath(path34);
     logDebug(`[${scanContext}] Resolved repository path`, {
       resolvedRepoPath,
-      originalPath: path32
+      originalPath: path34
     });
     const gitService = new GitService(resolvedRepoPath, log);
     const gitValidation = await gitService.validateRepository();
@@ -23489,7 +24324,7 @@ var getLocalFiles = async ({
     if (!gitValidation.isValid || isAllFilesScan) {
       try {
         files = await FileUtils.getLastChangedFiles({
-          dir: path32,
+          dir: path34,
           maxFileSize,
           maxFiles,
           isAllFilesScan
@@ -23581,7 +24416,7 @@ var getLocalFiles = async ({
     logError(`${scanContext}Unexpected error in getLocalFiles`, {
       error: error instanceof Error ? error.message : String(error),
       stack: error instanceof Error ? error.stack : void 0,
-      path: path32
+      path: path34
     });
     throw error;
   }
@@ -23591,7 +24426,7 @@ var getLocalFiles = async ({
 init_client_generates();
 init_GitService();
 import fs23 from "fs";
-import path26 from "path";
+import path28 from "path";
 import { z as z41 } from "zod";
 function extractPathFromPatch(patch) {
   const match = patch?.match(/diff --git a\/([^\s]+) b\//);
@@ -23677,7 +24512,7 @@ var LocalMobbFolderService = class {
           "[LocalMobbFolderService] Non-git repository detected, skipping .gitignore operations"
         );
       }
-      const mobbFolderPath = path26.join(
+      const mobbFolderPath = path28.join(
         this.repoPath,
         this.defaultMobbFolderName
       );
@@ -23849,7 +24684,7 @@ var LocalMobbFolderService = class {
         mobbFolderPath,
         baseFileName
       );
-      const filePath = path26.join(mobbFolderPath, uniqueFileName);
+      const filePath = path28.join(mobbFolderPath, uniqueFileName);
       await fs23.promises.writeFile(filePath, patch, "utf8");
       logInfo("[LocalMobbFolderService] Patch saved successfully", {
         filePath,
@@ -23907,11 +24742,11 @@ var LocalMobbFolderService = class {
    * @returns Unique filename that doesn't conflict with existing files
    */
   getUniqueFileName(folderPath, baseFileName) {
-    const baseName = path26.parse(baseFileName).name;
-    const extension = path26.parse(baseFileName).ext;
+    const baseName = path28.parse(baseFileName).name;
+    const extension = path28.parse(baseFileName).ext;
     let uniqueFileName = baseFileName;
     let index = 1;
-    while (fs23.existsSync(path26.join(folderPath, uniqueFileName))) {
+    while (fs23.existsSync(path28.join(folderPath, uniqueFileName))) {
       uniqueFileName = `${baseName}-${index}${extension}`;
       index++;
       if (index > 1e3) {
@@ -23942,7 +24777,7 @@ var LocalMobbFolderService = class {
     logDebug("[LocalMobbFolderService] Logging patch info", { fixId: fix.id });
     try {
       const mobbFolderPath = await this.getFolder();
-      const patchInfoPath = path26.join(mobbFolderPath, "patchInfo.md");
+      const patchInfoPath = path28.join(mobbFolderPath, "patchInfo.md");
       const markdownContent = this.generateFixMarkdown(fix, savedPatchFileName);
       let existingContent = "";
       if (fs23.existsSync(patchInfoPath)) {
@@ -23984,7 +24819,7 @@ var LocalMobbFolderService = class {
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     const patch = this.extractPatchFromFix(fix);
     const relativePatchedFilePath = patch ? extractPathFromPatch(patch) : null;
-    const patchedFilePath = relativePatchedFilePath ? path26.resolve(this.repoPath, relativePatchedFilePath) : null;
+    const patchedFilePath = relativePatchedFilePath ? path28.resolve(this.repoPath, relativePatchedFilePath) : null;
     const fixIdentifier = savedPatchFileName ? savedPatchFileName.replace(".patch", "") : fix.id;
     let markdown = `# Fix ${fixIdentifier}
 
@@ -24320,7 +25155,7 @@ var LocalMobbFolderService = class {
 // src/mcp/services/PatchApplicationService.ts
 init_configs();
 import {
-  existsSync as existsSync6,
+  existsSync as existsSync7,
   mkdirSync,
   readFileSync as readFileSync4,
   unlinkSync,
@@ -24328,14 +25163,14 @@ import {
 } from "fs";
 import fs24 from "fs/promises";
 import parseDiff2 from "parse-diff";
-import path27 from "path";
+import path29 from "path";
 var PatchApplicationService = class {
   /**
    * Gets the appropriate comment syntax for a file based on its extension
    */
   static getCommentSyntax(filePath) {
-    const ext = path27.extname(filePath).toLowerCase();
-    const basename2 = path27.basename(filePath);
+    const ext = path29.extname(filePath).toLowerCase();
+    const basename2 = path29.basename(filePath);
     const commentMap = {
       // C-style languages (single line comments)
       ".js": "//",
@@ -24543,7 +25378,7 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path27.dirname(normalizedFilePath);
+    const dirPath = path29.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
     writeFileSync3(normalizedFilePath, finalContent, "utf8");
     return normalizedFilePath;
@@ -24552,9 +25387,9 @@ var PatchApplicationService = class {
     repositoryPath,
     targetPath
   }) {
-    const repoRoot = path27.resolve(repositoryPath);
-    const normalizedPath = path27.resolve(repoRoot, targetPath);
-    const repoRootWithSep = repoRoot.endsWith(path27.sep) ? repoRoot : `${repoRoot}${path27.sep}`;
+    const repoRoot = path29.resolve(repositoryPath);
+    const normalizedPath = path29.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path29.sep) ? repoRoot : `${repoRoot}${path29.sep}`;
     if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
       throw new Error(
         `Security violation: target path ${targetPath} resolves outside repository`
@@ -24563,7 +25398,7 @@ var PatchApplicationService = class {
     return {
       repoRoot,
       normalizedPath,
-      relativePath: path27.relative(repoRoot, normalizedPath)
+      relativePath: path29.relative(repoRoot, normalizedPath)
     };
   }
   /**
@@ -24845,8 +25680,8 @@ var PatchApplicationService = class {
         continue;
       }
       try {
-        const absolutePath = path27.resolve(repositoryPath, targetFile);
-        if (existsSync6(absolutePath)) {
+        const absolutePath = path29.resolve(repositoryPath, targetFile);
+        if (existsSync7(absolutePath)) {
           const stats = await fs24.stat(absolutePath);
           const fileModTime = stats.mtime.getTime();
           if (fileModTime > scanStartTime) {
@@ -25047,7 +25882,7 @@ var PatchApplicationService = class {
       targetFile,
       absoluteFilePath,
       relativePath,
-      exists: existsSync6(absoluteFilePath)
+      exists: existsSync7(absoluteFilePath)
     });
     return { absoluteFilePath, relativePath };
   }
@@ -25071,7 +25906,7 @@ var PatchApplicationService = class {
       fix,
       scanContext
     });
-    appliedFiles.push(path27.relative(repositoryPath, actualPath));
+    appliedFiles.push(path29.relative(repositoryPath, actualPath));
     logDebug(`[${scanContext}] Created new file: ${relativePath}`);
   }
   /**
@@ -25083,7 +25918,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (existsSync6(absoluteFilePath)) {
+    if (existsSync7(absoluteFilePath)) {
       unlinkSync(absoluteFilePath);
       appliedFiles.push(relativePath);
       logDebug(`[${scanContext}] Deleted file: ${relativePath}`);
@@ -25102,7 +25937,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (!existsSync6(absoluteFilePath)) {
+    if (!existsSync7(absoluteFilePath)) {
       throw new Error(
         `Target file does not exist: ${targetFile} (resolved to: ${absoluteFilePath})`
       );
@@ -25120,7 +25955,7 @@ var PatchApplicationService = class {
         fix,
         scanContext
       });
-      appliedFiles.push(path27.relative(repositoryPath, actualPath));
+      appliedFiles.push(path29.relative(repositoryPath, actualPath));
       logDebug(`[${scanContext}] Modified file: ${relativePath}`);
     }
   }
@@ -25317,7 +26152,7 @@ init_configs();
 // src/mcp/services/FileOperations.ts
 init_FileUtils();
 import fs25 from "fs";
-import path28 from "path";
+import path30 from "path";
 import AdmZip4 from "adm-zip";
 var FileOperations = class {
   /**
@@ -25337,10 +26172,10 @@ var FileOperations = class {
     let packedFilesCount = 0;
     const packedFiles = [];
     const excludedFiles = [];
-    const resolvedRepoPath = path28.resolve(repositoryPath);
+    const resolvedRepoPath = path30.resolve(repositoryPath);
     for (const filepath of fileList) {
-      const absoluteFilepath = path28.join(repositoryPath, filepath);
-      const resolvedFilePath = path28.resolve(absoluteFilepath);
+      const absoluteFilepath = path30.join(repositoryPath, filepath);
+      const resolvedFilePath = path30.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         const reason = "potential path traversal security risk";
         logDebug(`[FileOperations] Skipping ${filepath} due to ${reason}`);
@@ -25387,11 +26222,11 @@ var FileOperations = class {
     fileList,
     repositoryPath
   }) {
-    const resolvedRepoPath = path28.resolve(repositoryPath);
+    const resolvedRepoPath = path30.resolve(repositoryPath);
     const validatedPaths = [];
     for (const filepath of fileList) {
-      const absoluteFilepath = path28.join(repositoryPath, filepath);
-      const resolvedFilePath = path28.resolve(absoluteFilepath);
+      const absoluteFilepath = path30.join(repositoryPath, filepath);
+      const resolvedFilePath = path30.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         logDebug(
           `[FileOperations] Rejecting ${filepath} - path traversal attempt detected`
@@ -25419,7 +26254,7 @@ var FileOperations = class {
     for (const absolutePath of filePaths) {
       try {
         const content = await fs25.promises.readFile(absolutePath);
-        const relativePath = path28.basename(absolutePath);
+        const relativePath = path30.basename(absolutePath);
         fileDataArray.push({
           relativePath,
           absolutePath,
@@ -25731,14 +26566,14 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
    * since the last scan.
    */
   async scanForSecurityVulnerabilities({
-    path: path32,
+    path: path34,
     isAllDetectionRulesScan,
     isAllFilesScan,
     scanContext
   }) {
     this.hasAuthenticationFailed = false;
     logDebug(`[${scanContext}] Scanning for new security vulnerabilities`, {
-      path: path32
+      path: path34
     });
     if (!this.gqlClient) {
       logInfo(`[${scanContext}] No GQL client found, skipping scan`);
@@ -25754,11 +26589,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       logDebug(
         `[${scanContext}] Connected to the API, assembling list of files to scan`,
-        { path: path32 }
+        { path: path34 }
       );
       const isBackgroundScan = scanContext === ScanContext.BACKGROUND_INITIAL || scanContext === ScanContext.BACKGROUND_PERIODIC;
       const files = await getLocalFiles({
-        path: path32,
+        path: path34,
         isAllFilesScan,
         scanContext,
         scanRecentlyChangedFiles: !isBackgroundScan
@@ -25784,13 +26619,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
       const { fixReportId, projectId } = await scanFiles({
         fileList: filesToScan.map((file) => file.relativePath),
-        repositoryPath: path32,
+        repositoryPath: path34,
         gqlClient: this.gqlClient,
         isAllDetectionRulesScan,
         scanContext
       });
       logInfo(
-        `[${scanContext}] Security scan completed for ${path32} reportId: ${fixReportId} projectId: ${projectId}`
+        `[${scanContext}] Security scan completed for ${path34} reportId: ${fixReportId} projectId: ${projectId}`
       );
       if (isAllFilesScan) {
         return;
@@ -26084,13 +26919,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
     return scannedFiles.some((file) => file.relativePath === fixFile);
   }
-  async getFreshFixes({ path: path32 }) {
+  async getFreshFixes({ path: path34 }) {
     const scanContext = ScanContext.USER_REQUEST;
-    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path32 });
-    if (this.path !== path32) {
-      this.path = path32;
+    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path34 });
+    if (this.path !== path34) {
+      this.path = path34;
       this.reset();
-      logInfo(`[${scanContext}] Reset service state for new path`, { path: path32 });
+      logInfo(`[${scanContext}] Reset service state for new path`, { path: path34 });
     }
     try {
       const loginContext = createMcpLoginContext("check_new_fixes");
@@ -26109,7 +26944,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       throw error;
     }
-    this.triggerScan({ path: path32, gqlClient: this.gqlClient });
+    this.triggerScan({ path: path34, gqlClient: this.gqlClient });
     let isMvsAutoFixEnabled = null;
     try {
       isMvsAutoFixEnabled = await this.gqlClient.getMvsAutoFixSettings();
@@ -26143,33 +26978,33 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     return noFreshFixesPrompt;
   }
   triggerScan({
-    path: path32,
+    path: path34,
     gqlClient
   }) {
-    if (this.path !== path32) {
-      this.path = path32;
+    if (this.path !== path34) {
+      this.path = path34;
       this.reset();
-      logInfo(`Reset service state for new path in triggerScan`, { path: path32 });
+      logInfo(`Reset service state for new path in triggerScan`, { path: path34 });
     }
     this.gqlClient = gqlClient;
     if (!this.intervalId) {
-      this.startPeriodicScanning(path32);
-      this.executeInitialScan(path32);
-      void this.executeInitialFullScan(path32);
+      this.startPeriodicScanning(path34);
+      this.executeInitialScan(path34);
+      void this.executeInitialFullScan(path34);
     }
   }
-  startPeriodicScanning(path32) {
+  startPeriodicScanning(path34) {
     const scanContext = ScanContext.BACKGROUND_PERIODIC;
     logDebug(
       `[${scanContext}] Starting periodic scan for new security vulnerabilities`,
       {
-        path: path32
+        path: path34
       }
     );
     this.intervalId = setInterval(() => {
-      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path32 });
+      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path34 });
       this.scanForSecurityVulnerabilities({
-        path: path32,
+        path: path34,
         scanContext
       }).catch((error) => {
         logError(`[${scanContext}] Error during periodic security scan`, {
@@ -26178,45 +27013,45 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
     }, MCP_PERIODIC_CHECK_INTERVAL);
   }
-  async executeInitialFullScan(path32) {
+  async executeInitialFullScan(path34) {
     const scanContext = ScanContext.FULL_SCAN;
-    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path32 });
+    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path34 });
     logDebug(`[${scanContext}] Full scan paths scanned`, {
       fullScanPathsScanned: this.fullScanPathsScanned
     });
-    if (this.fullScanPathsScanned.includes(path32)) {
+    if (this.fullScanPathsScanned.includes(path34)) {
       logDebug(`[${scanContext}] Full scan already executed for this path`, {
-        path: path32
+        path: path34
       });
       return;
     }
     configStore.set("fullScanPathsScanned", [
       ...this.fullScanPathsScanned,
-      path32
+      path34
     ]);
     try {
       await this.scanForSecurityVulnerabilities({
-        path: path32,
+        path: path34,
         isAllFilesScan: true,
         isAllDetectionRulesScan: true,
         scanContext: ScanContext.FULL_SCAN
       });
-      if (!this.fullScanPathsScanned.includes(path32)) {
-        this.fullScanPathsScanned.push(path32);
+      if (!this.fullScanPathsScanned.includes(path34)) {
+        this.fullScanPathsScanned.push(path34);
         configStore.set("fullScanPathsScanned", this.fullScanPathsScanned);
       }
-      logInfo(`[${scanContext}] Full scan completed`, { path: path32 });
+      logInfo(`[${scanContext}] Full scan completed`, { path: path34 });
     } catch (error) {
       logError(`[${scanContext}] Error during initial full security scan`, {
         error
       });
     }
   }
-  executeInitialScan(path32) {
+  executeInitialScan(path34) {
     const scanContext = ScanContext.BACKGROUND_INITIAL;
-    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path32 });
+    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path34 });
     this.scanForSecurityVulnerabilities({
-      path: path32,
+      path: path34,
       scanContext: ScanContext.BACKGROUND_INITIAL
     }).catch((error) => {
       logError(`[${scanContext}] Error during initial security scan`, { error });
@@ -26313,9 +27148,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path32 = pathValidationResult.path;
+    const path34 = pathValidationResult.path;
     const resultText = await this.newFixesService.getFreshFixes({
-      path: path32
+      path: path34
     });
     logInfo("CheckForNewAvailableFixesTool execution completed", {
       resultText
@@ -26493,8 +27328,8 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path32 = pathValidationResult.path;
-    const gitService = new GitService(path32, log);
+    const path34 = pathValidationResult.path;
+    const gitService = new GitService(path34, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -26879,9 +27714,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path32 = pathValidationResult.path;
+    const path34 = pathValidationResult.path;
     const files = await getLocalFiles({
-      path: path32,
+      path: path34,
       maxFileSize: MCP_MAX_FILE_SIZE,
       maxFiles: args.maxFiles,
       scanContext: ScanContext.USER_REQUEST,
@@ -26901,7 +27736,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: path32,
+        repositoryPath: path34,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles
@@ -27202,10 +28037,10 @@ init_client_generates();
 init_urlParser2();
 
 // src/features/codeium_intellij/codeium_language_server_grpc_client.ts
-import path29 from "path";
+import path31 from "path";
 import * as grpc from "@grpc/grpc-js";
 import * as protoLoader from "@grpc/proto-loader";
-var PROTO_PATH = path29.join(
+var PROTO_PATH = path31.join(
   getModuleRootDir(),
   "src/features/codeium_intellij/proto/exa/language_server_pb/language_server.proto"
 );
@@ -27217,7 +28052,7 @@ function loadProto() {
     defaults: true,
     oneofs: true,
     includeDirs: [
-      path29.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
+      path31.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
     ]
   });
   return grpc.loadPackageDefinition(
@@ -27273,28 +28108,28 @@ async function getGrpcClient(port, csrf3) {
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
 import os14 from "os";
-import path30 from "path";
+import path32 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path30.join(os14.homedir(), "Library/Logs/JetBrains");
+    return path32.join(os14.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
-    return path30.join(
-      process.env["LOCALAPPDATA"] || path30.join(os14.homedir(), "AppData/Local"),
+    return path32.join(
+      process.env["LOCALAPPDATA"] || path32.join(os14.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path30.join(os14.homedir(), ".cache/JetBrains");
+    return path32.join(os14.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
   const logFiles = fs27.readdirSync(ideLogDir).filter((f) => /^idea(\.\d+)?\.log$/.test(f)).map((f) => ({
     name: f,
-    mtime: fs27.statSync(path30.join(ideLogDir, f)).mtimeMs
+    mtime: fs27.statSync(path32.join(ideLogDir, f)).mtimeMs
   })).sort((a, b) => a.mtime - b.mtime).map((f) => f.name);
   let latestCsrf = null;
   let latestPort = null;
   for (const logFile of logFiles) {
-    const lines = fs27.readFileSync(path30.join(ideLogDir, logFile), "utf-8").split("\n");
+    const lines = fs27.readFileSync(path32.join(ideLogDir, logFile), "utf-8").split("\n");
     for (const line of lines) {
       if (!line.includes(
         "com.codeium.intellij.language_server.LanguageServerProcessHandler"
@@ -27322,9 +28157,9 @@ function findRunningCodeiumLanguageServers() {
   const logsDir = getLogsDir();
   if (!fs27.existsSync(logsDir)) return results;
   for (const ide of fs27.readdirSync(logsDir)) {
-    let ideLogDir = path30.join(logsDir, ide);
+    let ideLogDir = path32.join(logsDir, ide);
     if (process.platform !== "darwin") {
-      ideLogDir = path30.join(ideLogDir, "log");
+      ideLogDir = path32.join(ideLogDir, "log");
     }
     if (!fs27.existsSync(ideLogDir) || !fs27.statSync(ideLogDir).isDirectory()) {
       continue;
@@ -27507,10 +28342,10 @@ function processChatStepCodeAction(step) {
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
 import os15 from "os";
-import path31 from "path";
+import path33 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path31.join(os15.homedir(), ".codeium", "hooks.json");
+  return path33.join(os15.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();
@@ -27523,7 +28358,7 @@ async function readCodeiumHooks() {
 }
 async function writeCodeiumHooks(config2) {
   const hooksPath = getCodeiumHooksPath();
-  const dir = path31.dirname(hooksPath);
+  const dir = path33.dirname(hooksPath);
   await fsPromises5.mkdir(dir, { recursive: true });
   await fsPromises5.writeFile(
     hooksPath,