mobbdev 1.4.0 → 1.4.2

package/dist/index.mjs

@@ -263,10 +263,12 @@ var init_client_generates = __esm({
       IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
       IssueType_Enum2["ImproperResourceShutdownOrRelease"] = "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE";
       IssueType_Enum2["ImproperStringFormatting"] = "IMPROPER_STRING_FORMATTING";
+      IssueType_Enum2["ImproperValidationOfArrayIndex"] = "IMPROPER_VALIDATION_OF_ARRAY_INDEX";
       IssueType_Enum2["IncompleteHostnameRegex"] = "INCOMPLETE_HOSTNAME_REGEX";
       IssueType_Enum2["IncompleteSanitization"] = "INCOMPLETE_SANITIZATION";
       IssueType_Enum2["IncompleteUrlSanitization"] = "INCOMPLETE_URL_SANITIZATION";
       IssueType_Enum2["IncompleteUrlSchemeCheck"] = "INCOMPLETE_URL_SCHEME_CHECK";
+      IssueType_Enum2["IncorrectIntegerConversion"] = "INCORRECT_INTEGER_CONVERSION";
       IssueType_Enum2["IncorrectSqlApiUsage"] = "INCORRECT_SQL_API_USAGE";
       IssueType_Enum2["InformationExposureViaHeaders"] = "INFORMATION_EXPOSURE_VIA_HEADERS";
       IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
@@ -291,6 +293,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["MissingUser"] = "MISSING_USER";
       IssueType_Enum2["MissingWhitespace"] = "MISSING_WHITESPACE";
       IssueType_Enum2["MissingWorkflowPermissions"] = "MISSING_WORKFLOW_PERMISSIONS";
+      IssueType_Enum2["MissingXFrameOptions"] = "MISSING_X_FRAME_OPTIONS";
       IssueType_Enum2["ModifiedDefaultParam"] = "MODIFIED_DEFAULT_PARAM";
       IssueType_Enum2["NonFinalPublicStaticField"] = "NON_FINAL_PUBLIC_STATIC_FIELD";
       IssueType_Enum2["NonReadonlyField"] = "NON_READONLY_FIELD";
@@ -408,6 +411,7 @@ var init_client_generates = __esm({
       return Vulnerability_Report_Issue_Tag_Enum3;
     })(Vulnerability_Report_Issue_Tag_Enum || {});
     Vulnerability_Report_Vendor_Enum = /* @__PURE__ */ ((Vulnerability_Report_Vendor_Enum3) => {
+      Vulnerability_Report_Vendor_Enum3["BlackDuck"] = "blackDuck";
       Vulnerability_Report_Vendor_Enum3["Checkmarx"] = "checkmarx";
       Vulnerability_Report_Vendor_Enum3["CheckmarxXml"] = "checkmarxXml";
       Vulnerability_Report_Vendor_Enum3["Codeql"] = "codeql";
@@ -1467,7 +1471,10 @@ var init_getIssueType = __esm({
       ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: "Redundant Nil Error Check",
       ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: "Missing Workflow Permissions",
       ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: "Excessive Secrets Exposure",
-      ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast"
+      ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast",
+      ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
+      ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
+      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -4141,11 +4148,11 @@ ${rootContent}`;
         try {
           const gitRoot = await this.getGitRoot();
           const gitignorePath = path2.join(gitRoot, ".gitignore");
-          const exists = fs2.existsSync(gitignorePath);
+          const exists2 = fs2.existsSync(gitignorePath);
           this.log("[GitService] .gitignore existence check complete", "debug", {
-            exists
+            exists: exists2
           });
-          return exists;
+          return exists2;
         } catch (error) {
           const errorMessage = `Failed to check .gitignore existence: ${error.message}`;
           this.log(`[GitService] ${errorMessage}`, "error", { error });
@@ -4660,7 +4667,10 @@ var fixDetailsData = {
   ["REDUNDANT_NIL_ERROR_CHECK" /* RedundantNilErrorCheck */]: void 0,
   ["MISSING_WORKFLOW_PERMISSIONS" /* MissingWorkflowPermissions */]: void 0,
   ["EXCESSIVE_SECRETS_EXPOSURE" /* ExcessiveSecretsExposure */]: void 0,
-  ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0
+  ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0,
+  ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
+  ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
+  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -5997,6 +6007,19 @@ var headerMaxAge = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
+var xFrameOptionsValue = {
+  xFrameOptionsValue: {
+    content: () => "Please provide the value for the X-Frame-Options header",
+    description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).    
+&nbsp;    
+&nbsp;    **Allowed values:**    
+&nbsp;    - \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.    
+&nbsp;    - \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
+    guidance: () => ``
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
 var noLimitsOrThrottling2 = {
   setGlobalLimiter: {
@@ -6141,6 +6164,7 @@ var vulnerabilities13 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition2,
   ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling2,
   ["MISSING_CSP_HEADER" /* MissingCspHeader */]: cspHeaderValue,
+  ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: xFrameOptionsValue,
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
@@ -6461,6 +6485,13 @@ var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
   ReferenceType2["TAG"] = "TAG";
   return ReferenceType2;
 })(ReferenceType || {});
+var GithubFullShaZ = z13.string().regex(/^[a-f0-9]{40}$/);
+var MergedPrSurvivalMetadataZ = z13.object({
+  mergeCommitShas: z13.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
+    message: "mergeCommitShas must contain unique SHAs"
+  }),
+  targetBranch: z13.string().min(1)
+});
 var ScmLibScmType = /* @__PURE__ */ ((ScmLibScmType2) => {
   ScmLibScmType2["GITHUB"] = "GITHUB";
   ScmLibScmType2["GITLAB"] = "GITLAB";
@@ -7147,7 +7178,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path34 = [
+      const path36 = [
         prefixPath,
         owner,
         projectName,
@@ -7158,7 +7189,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path34}?${params2}`, origin).toString();
+      return new URL(`${path36}?${params2}`, origin).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -7247,8 +7278,8 @@ async function getAdoSdk(params) {
         const changeType = entry.changeType;
         return changeType !== 16 && entry.item?.path;
       }).map((entry) => {
-        const path34 = entry.item.path;
-        return path34.startsWith("/") ? path34.slice(1) : path34;
+        const path36 = entry.item.path;
+        return path36.startsWith("/") ? path36.slice(1) : path36;
       });
     },
     async searchAdoPullRequests({
@@ -7649,6 +7680,12 @@ var SCMLib = class {
   async getPrDataBatch(_repoUrl, _prNumbers) {
     throw new Error("getPrDataBatch not implemented for this SCM provider");
   }
+  /**
+   * GitHub: merge detection for main-branch survival. Other providers return null.
+   */
+  async getMergedPrSurvivalMetadata(_prNumber) {
+    return null;
+  }
   getAccessToken() {
     return this.accessToken || "";
   }
@@ -8910,6 +8947,24 @@ async function encryptSecret(secret, key) {
   return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
 }
 
+// src/features/analysis/scm/github/utils/mergeCommitShas.ts
+async function commitShasBetweenBaseAndMerge(githubSdk, args) {
+  let compare;
+  try {
+    compare = await githubSdk.compareCommitsBasehead({
+      owner: args.owner,
+      repo: args.repo,
+      basehead: `${args.baseSha}...${args.mergeCommitSha}`
+    });
+  } catch (err) {
+    throw new Error(
+      `Failed to compare commits ${args.baseSha}...${args.mergeCommitSha}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const shas = compare.data.commits.map((c) => c.sha);
+  return shas.length > 0 ? shas : [args.mergeCommitSha];
+}
+
 // src/features/analysis/scm/github/utils/utils.ts
 import { Octokit } from "octokit";
 import { fetch as fetch2, ProxyAgent } from "undici";
@@ -9642,6 +9697,12 @@ function getGithubSdk(params = {}) {
       );
       return res;
     },
+    async listPullRequestCommits(params2) {
+      return octokit.rest.pulls.listCommits(params2);
+    },
+    async compareCommitsBasehead(params2) {
+      return octokit.rest.repos.compareCommitsWithBasehead(params2);
+    },
     /**
      * List PRs using GitHub's REST `/repos/{owner}/{repo}/pulls` endpoint.
      * https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#list-pull-requests
@@ -10456,6 +10517,34 @@ var GithubSCMLib = class extends SCMLib {
       commentIds
     };
   }
+  /**
+   * Detect merge strategy and SHAs on the target branch for main-branch survival (GitHub only).
+   */
+  async getMergedPrSurvivalMetadata(prNumber) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const pr = await this.githubSdk.getPr({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    if (pr.data.merged !== true || !pr.data.merge_commit_sha) {
+      return null;
+    }
+    const mergeCommitSha = pr.data.merge_commit_sha;
+    const targetBranch = pr.data.base.ref;
+    const baseSha = pr.data.base.sha;
+    const mergeCommitShas = await commitShasBetweenBaseAndMerge(
+      this.githubSdk,
+      {
+        owner,
+        repo,
+        baseSha,
+        mergeCommitSha
+      }
+    );
+    return { mergeCommitShas, targetBranch };
+  }
 };
 
 // src/features/analysis/scm/gitlab/gitlab.ts
@@ -12462,7 +12551,8 @@ var SCANNERS = {
   Snyk: "snyk",
   Sonarqube: "sonarqube",
   Semgrep: "semgrep",
-  Datadog: "datadog"
+  Datadog: "datadog",
+  BlackDuck: "blackduck"
 };
 var scannerToVulnerabilityReportVendorEnum = {
   [SCANNERS.Checkmarx]: "checkmarx" /* Checkmarx */,
@@ -12471,7 +12561,8 @@ var scannerToVulnerabilityReportVendorEnum = {
   [SCANNERS.Codeql]: "codeql" /* Codeql */,
   [SCANNERS.Fortify]: "fortify" /* Fortify */,
   [SCANNERS.Semgrep]: "semgrep" /* Semgrep */,
-  [SCANNERS.Datadog]: "datadog" /* Datadog */
+  [SCANNERS.Datadog]: "datadog" /* Datadog */,
+  [SCANNERS.BlackDuck]: "blackDuck" /* BlackDuck */
 };
 var SupportedScannersZ = z25.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
 var envVariablesSchema = z25.object({
@@ -14890,7 +14981,8 @@ var scannerToFriendlyString = {
   snyk: "Snyk",
   sonarqube: "Sonarqube",
   semgrep: "Semgrep",
-  datadog: "Datadog"
+  datadog: "Datadog",
+  blackduck: "Black Duck"
 };
 
 // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
@@ -15080,7 +15172,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path34,
+    path: path36,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -15095,7 +15187,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path34,
+    path: path36,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15129,7 +15221,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path34,
+    path: path36,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -15147,7 +15239,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path34,
+    path: path36,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -16998,7 +17090,7 @@ function analyzeBuilder(yargs2) {
     alias: "scan-file",
     type: "string",
     describe: chalk10.bold(
-      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
+      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog, Black Duck)"
     )
   }).option("repo", repoOption).option("p", {
     alias: "src-path",
@@ -17069,7 +17161,7 @@ import { spawn } from "child_process";
 
 // src/features/claude_code/daemon.ts
 import { readFileSync, writeFileSync as writeFileSync2 } from "fs";
-import path21 from "path";
+import path23 from "path";
 import { setTimeout as sleep2 } from "timers/promises";
 import Configstore3 from "configstore";
 
@@ -17081,7 +17173,12 @@ var HEARTBEAT_DEBOUNCE_MS = (() => {
 })();
 var KILL_SWITCH_ENV = "MOBB_TRACY_SKILL_QUARANTINE_DISABLE";
 var MALICIOUS_VERDICT = "MALICIOUS";
-var ORPHAN_SWEEP_GRACE_MS = 10 * 60 * 1e3;
+var PARTIAL_SWEEP_GRACE_MS = 10 * 60 * 1e3;
+var STUB_MARKER = "\u26D4 QUARANTINED BY TRACY";
+
+// src/features/analysis/skill_quarantine/enumerateInstalledSkills.ts
+import { homedir as homedir2 } from "os";
+import path15 from "path";
 
 // src/features/analysis/context_file_processor.ts
 import { createHash } from "crypto";
@@ -17136,7 +17233,7 @@ async function processContextFiles(regularFiles, skillGroups) {
 }
 
 // src/features/analysis/context_file_scanner.ts
-import { lstat, readFile, stat } from "fs/promises";
+import { lstat, readdir, readFile, realpath, stat } from "fs/promises";
 import { homedir } from "os";
 import path14 from "path";
 import { globby as globby2 } from "globby";
@@ -17160,15 +17257,15 @@ var SCAN_PATHS = {
       root: "home"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
-    { glob: ".claude/commands/*.md", category: "command", root: "workspace" },
+    { glob: ".claude/commands/*.md", category: "skill", root: "workspace" },
     {
       glob: ".claude/agents/*.md",
-      category: "agent-config",
+      category: SKILL_CATEGORY,
       root: "workspace"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
-    { glob: ".claude/commands/*.md", category: "command", root: "home" },
-    { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
+    { glob: ".claude/commands/*.md", category: "skill", root: "home" },
+    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
     { glob: ".claude/settings.json", category: "config", root: "workspace" },
     {
       glob: ".claude/settings.local.json",
@@ -17247,7 +17344,7 @@ var SCAN_PATHS = {
     },
     {
       glob: ".claude/agents/*.md",
-      category: "agent-config",
+      category: SKILL_CATEGORY,
       root: "workspace"
     },
     // Agent skills — Copilot discovers skills in all three roots (VS Code docs:
@@ -17279,7 +17376,7 @@ var SCAN_PATHS = {
     // Cross-compat home paths (Copilot reads Claude / generic agent dirs too)
     { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
     { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
-    { glob: ".claude/agents/*.md", category: "agent-config", root: "home" },
+    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" }
   ]
@@ -17450,11 +17547,11 @@ async function readJsoncSettings(settingsPath) {
   putSettingsCache(settingsPath, { mtimeMs, parsed: payload });
   return payload;
 }
-function putSettingsCache(path34, entry) {
-  if (!settingsCache.has(path34) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
+function putSettingsCache(path36, entry) {
+  if (!settingsCache.has(path36) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
     settingsCache.delete(settingsCache.keys().next().value);
   }
-  settingsCache.set(path34, entry);
+  settingsCache.set(path36, entry);
 }
 async function readCopilotCustomLocations(workspaceRoot) {
   const parsed = await readJsoncSettings(
@@ -17704,7 +17801,7 @@ async function enumerateGlob(pattern, cwd, category, isDynamic) {
   } catch {
     return [];
   }
-  return files.map((path34) => ({ path: path34, category }));
+  return files.map((path36) => ({ path: path36, category }));
 }
 async function enumerateSkillBundle(baseDir, skillsRoot) {
   const skillsDir = path14.resolve(baseDir, skillsRoot);
@@ -17738,7 +17835,68 @@ async function enumerateSkillBundle(baseDir, skillsRoot) {
       }
     })
   );
-  return perSkillResults.flat().map((p) => ({ path: p, category: "skill" }));
+  const standaloneFiles = await enumerateStandaloneSkills(skillsDir);
+  const symlinkResults = await enumerateSymlinkedSkills(skillsDir);
+  return [
+    ...perSkillResults.flat().map((p) => ({ path: p, category: "skill" })),
+    ...standaloneFiles.map((p) => ({ path: p, category: "skill" })),
+    ...symlinkResults
+  ];
+}
+async function enumerateStandaloneSkills(skillsDir) {
+  try {
+    return await globby2("*.md", {
+      cwd: skillsDir,
+      absolute: true,
+      onlyFiles: true,
+      dot: false,
+      followSymbolicLinks: false
+    });
+  } catch {
+    return [];
+  }
+}
+async function enumerateSymlinkedSkills(skillsDir) {
+  let dirEntries;
+  try {
+    dirEntries = await readdir(skillsDir, {
+      withFileTypes: true,
+      encoding: "utf8"
+    });
+  } catch {
+    return [];
+  }
+  const results = [];
+  for (const entry of dirEntries) {
+    if (!entry.isSymbolicLink()) continue;
+    const entryPath = path14.join(skillsDir, entry.name);
+    try {
+      const st = await stat(entryPath);
+      if (st.isDirectory()) {
+        const hasManifest = await stat(path14.join(entryPath, "SKILL.md")).then(() => true).catch(() => false);
+        if (!hasManifest) continue;
+        const realDir = await realpath(entryPath);
+        const realFiles = await globby2("**/*", {
+          cwd: realDir,
+          absolute: true,
+          onlyFiles: true,
+          dot: true,
+          followSymbolicLinks: false,
+          deep: SKILL_BUNDLE_MAX_DEPTH
+        }).catch(() => []);
+        for (const f of realFiles) {
+          results.push({
+            path: path14.join(entryPath, path14.relative(realDir, f)),
+            category: "skill"
+          });
+        }
+      } else if (st.isFile() && entry.name.endsWith(".md")) {
+        results.push({ path: entryPath, category: "skill" });
+      }
+    } catch {
+    }
+  }
+  return results;
 }
 var DYNAMIC_SCAN_MAX_DEPTH = 6;
 var SKILL_MANIFEST_SCAN_DEPTH = 2;
@@ -17769,15 +17927,26 @@ function deriveIdentifier(filePath, baseDir) {
 
 // src/features/analysis/skill_quarantine/enumerateInstalledSkills.ts
 async function enumerateInstalledSkills(workspaceRoot) {
-  const { skillGroups } = await scanContextFiles(
+  const { skillGroups, regularFiles } = await scanContextFiles(
     workspaceRoot,
     "claude-code",
     void 0
   );
-  if (skillGroups.length === 0) {
+  const home = homedir2();
+  const agentGroups = regularFiles.filter((f) => f.category === "agent-config").map((f) => ({
+    name: path15.basename(f.path, path15.extname(f.path)),
+    root: f.path.startsWith(home + path15.sep) ? "home" : "workspace",
+    skillPath: f.path,
+    files: [f],
+    isFolder: false,
+    maxMtimeMs: f.mtimeMs,
+    sessionKey: `agent-config:${f.path}`
+  }));
+  const allGroups = [...skillGroups, ...agentGroups];
+  if (allGroups.length === 0) {
     return [];
   }
-  const { skills } = await processContextFiles([], skillGroups);
+  const { skills } = await processContextFiles([], allGroups);
   return skills.map((s) => {
     const parts = s.group.skillPath.split(/[\\/]/);
     const origName = parts[parts.length - 1] || s.group.name;
@@ -17798,64 +17967,73 @@ var Metric = {
   CHECK_DISABLED_ENV: "skill_quarantine.check_disabled_env",
   /** Verdict-query call failed. Fail-open. */
   QUERY_ERROR: "skill_quarantine.query_error",
-  /** Count of skills enumerated in this run (histogram-ish). */
+  /** Count of skills enumerated in this run. */
   SKILLS_CHECKED: "skill_quarantine.skills_checked",
-  /** A skill was freshly quarantined. Tagged with shape. */
+  /** A skill was freshly quarantined. */
   QUARANTINED: "skill_quarantine.quarantined",
-  /** Presence check hit; skill already quarantined. */
+  /** Presence check hit (`<md5>.zip` exists); skill already quarantined. */
   ALREADY_QUARANTINED: "skill_quarantine.already_quarantined",
-  /** Move step failed. Tagged with phase (stage | publish). */
-  MOVE_ERROR: "skill_quarantine.move_error",
-  /** Stub creation failed after the move succeeded. */
+  /** Zip build or partial→tmp rename failed (phase 1). */
+  ZIP_ERROR: "skill_quarantine.zip_error",
+  /** Stub write failed (phase 2); tmp preserved for reconcile. */
   STUB_ERROR: "skill_quarantine.stub_error",
-  /** A stale staging dir was swept. */
-  ORPHAN_SWEPT: "skill_quarantine.orphan_swept",
+  /** Tmp→published rename failed (phase 3); reconcile will retry. */
+  PUBLISH_ERROR: "skill_quarantine.publish_error",
+  /** Reconcile published a leftover tmp whose `<md5>.zip` was missing. */
+  RECONCILED: "skill_quarantine.reconciled",
+  /** Tmp removed because `<md5>.zip` already existed. */
+  SWEPT_REDUNDANT_TMP: "skill_quarantine.swept_redundant_tmp",
+  /** Stale partial zip swept (older than grace window). */
+  SWEPT_PARTIAL: "skill_quarantine.swept_partial",
   /** Total run duration including I/O. */
   DURATION_MS: "skill_quarantine.duration_ms"
 };
 
 // src/features/analysis/skill_quarantine/quarantineSkill.ts
 import { randomUUID } from "crypto";
-import { existsSync as existsSync2 } from "fs";
 import {
+  access,
   mkdir,
-  readdir,
+  readdir as readdir2,
   readFile as readFile2,
   rename,
   rm,
   stat as stat2,
+  unlink,
   writeFile
 } from "fs/promises";
-import path16 from "path";
-import { move } from "fs-extra";
+import path18 from "path";
+import AdmZip4 from "adm-zip";
 
 // src/features/analysis/skill_quarantine/paths.ts
-import { homedir as homedir2 } from "os";
-import path15 from "path";
+import { homedir as homedir3 } from "os";
+import path16 from "path";
 function getQuarantineRoot() {
-  return path15.join(homedir2(), ".tracy", "quarantine", "claude", "skills");
-}
-function getQuarantinedHashDir(md5) {
-  return path15.join(getQuarantineRoot(), md5);
+  return path16.join(homedir3(), ".tracy", "quarantine", "claude", "skills");
 }
-function getQuarantinedTargetPath(md5, origName) {
-  return path15.join(getQuarantinedHashDir(md5), origName);
+function getQuarantineZipPath(md5) {
+  return path16.join(getQuarantineRoot(), `${md5}.zip`);
 }
-function getStagingDir(md5, pid, uuid) {
-  return path15.join(getQuarantineRoot(), `${md5}_tmp_${pid}_${uuid}`);
+function getTmpZipPath(md5, uuid) {
+  return path16.join(getQuarantineRoot(), `${md5}_tmp_${uuid}.zip`);
 }
-var STAGING_DIR_REGEX = /^([0-9a-f]{32})_tmp_/;
+var TMP_ZIP_REGEX = /^([0-9a-f]{32})_tmp_[0-9a-f-]+\.zip$/;
+var COMMITTED_ZIP_REGEX = /^([0-9a-f]{32})\.zip$/;
 
 // src/features/analysis/skill_quarantine/stubTemplate.ts
+import path17 from "path";
+import { quote } from "shell-quote";
 var LEGACY_SUMMARY_FALLBACK = "not available (scan predates current schema)";
 function renderStub(params) {
   const folderOrFile = params.isFolder ? "skill folder" : "skill file";
   const reason = params.summary ?? LEGACY_SUMMARY_FALLBACK;
-  return `# \u26D4 QUARANTINED BY TRACY
+  const extractParent = path17.dirname(params.origPath);
+  const recoverCommand = `rm -rf ${quote([params.origPath])} && unzip -o ${quote([params.quarantinedZipPath])} -d ${quote([extractParent])}`;
+  return `# ${STUB_MARKER}
 
 This skill was flagged **MALICIOUS** by the Mobb security scanner and has been
-moved out of your skills folder. **Claude Code will not execute it** while this
-stub is in place.
+archived out of your skills folder. **Claude Code will not execute it** while
+this stub is in place.
 
 ## Why this skill was flagged
 
@@ -17866,23 +18044,22 @@ stub is in place.
 
 ## Where the original is now
 
-The original ${folderOrFile} has been moved to:
+The original ${folderOrFile} has been archived to:
 
-    ${params.quarantinedPath}
+    ${params.quarantinedZipPath}
 
-Nothing has been deleted. The contents are intact; only the location changed.
+Nothing has been deleted. The archive preserves the skill exactly as it was,
+including any secrets or local-only edits.
 
 ## If this is a false positive \u2014 how to recover
 
 If you're confident this skill is safe and want to restore it:
 
-    mv ${params.quarantinedPath} ${params.origPath}
+    ${recoverCommand}
 
-Tracy will not re-quarantine it as long as the directory
-\`~/.tracy/quarantine/claude/skills/${params.md5}/\` still exists on your
-machine (even if it's empty after you moved the contents out). If you delete
-that directory entirely, the next heartbeat will re-evaluate the skill from
-scratch.
+Tracy will not re-quarantine it as long as \`${params.md5}.zip\` remains in
+the quarantine folder. If you delete the archive, the next heartbeat will
+re-evaluate the skill from scratch.
 
 ## How to report a false positive
 
@@ -17899,77 +18076,50 @@ Your report helps tune the scanner for everyone.
 // src/features/analysis/skill_quarantine/quarantineSkill.ts
 async function quarantineSkill(params) {
   const { skillPath, isFolder, md5, origName, verdict, log: log2 } = params;
-  const hashDir = getQuarantinedHashDir(md5);
-  if (existsSync2(hashDir)) {
+  const finalZip = getQuarantineZipPath(md5);
+  if (await exists(finalZip)) {
     log2.debug(
       { md5, metric: Metric.ALREADY_QUARANTINED },
-      "skill_quarantine: already quarantined, skipping"
+      "skill_quarantine: already quarantined"
     );
     return { status: "already_quarantined" };
   }
-  const stagingDir = getStagingDir(md5, process.pid, randomUUID());
-  const stagingTarget = path16.join(stagingDir, origName);
-  const finalTarget = getQuarantinedTargetPath(md5, origName);
+  const tmpZip = getTmpZipPath(md5, randomUUID());
   try {
-    await mkdir(stagingDir, { recursive: true });
+    await mkdir(getQuarantineRoot(), { recursive: true });
+    const zip = new AdmZip4();
+    if (isFolder) {
+      await addFolderAsync(zip, skillPath, origName);
+    } else {
+      zip.addFile(origName, await readFile2(skillPath));
+    }
+    await writeFile(tmpZip, zip.toBuffer());
   } catch (err) {
+    await unlink(tmpZip).catch(ignoreErr);
     log2.error(
-      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
-      "skill_quarantine: failed to create staging dir"
+      { err, md5, metric: Metric.ZIP_ERROR },
+      "skill_quarantine: phase-1 zip write failed"
     );
-    return { status: "move_error", phase: "stage", err };
+    return { status: "zip_error", err };
   }
   try {
-    await move(skillPath, stagingTarget);
+    await writeStub(params);
   } catch (err) {
-    await tryRm(stagingDir);
     log2.error(
-      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
-      "skill_quarantine: phase-1 move failed"
+      { err, md5, skillPath, metric: Metric.STUB_ERROR },
+      "skill_quarantine: stub write failed; tmp zip preserved for reconcile"
     );
-    return { status: "move_error", phase: "stage", err };
+    return { status: "stub_error", err };
   }
   try {
-    await rename(stagingDir, hashDir);
+    await rename(tmpZip, finalZip);
   } catch (err) {
     log2.error(
-      {
-        err,
-        md5,
-        stagingDir,
-        metric: Metric.MOVE_ERROR,
-        phase: "publish"
-      },
-      "skill_quarantine: phase-2 publish failed; staging dir preserved for manual recovery"
+      { err, md5, tmpZip, metric: Metric.PUBLISH_ERROR },
+      "skill_quarantine: phase-3 publish failed; reconcile will retry"
     );
-    return { status: "move_error", phase: "publish", err };
+    return { status: "publish_error", err };
   }
-  const quarantinedPath = finalTarget;
-  const stubContent = renderStub({
-    md5,
-    isFolder,
-    quarantinedPath,
-    origPath: skillPath,
-    summary: verdict.summary,
-    scannerName: verdict.scannerName,
-    scannerVersion: verdict.scannerVersion,
-    scannedAt: verdict.scannedAt
-  });
-  try {
-    if (isFolder) {
-      await mkdir(skillPath, { recursive: true });
-      await writeFile(path16.join(skillPath, "SKILL.md"), stubContent, "utf8");
-    } else {
-      await writeFile(skillPath, stubContent, "utf8");
-    }
-  } catch (err) {
-    log2.error(
-      { err, md5, skillPath, metric: Metric.STUB_ERROR },
-      "skill_quarantine: stub write failed; quarantine is still in place"
-    );
-    return { status: "stub_error", err };
-  }
-  await preRegisterStubMd5(skillPath, isFolder, log2);
   log2.info(
     {
       md5,
@@ -17983,87 +18133,110 @@ async function quarantineSkill(params) {
   );
   return { status: "quarantined" };
 }
-async function preRegisterStubMd5(skillPath, isFolder, log2) {
-  try {
-    const stubEntries = await gatherStubEntries(skillPath, isFolder);
-    const stubGroup = {
-      name: path16.basename(skillPath).replace(/\.md$/i, ""),
-      root: "workspace",
-      skillPath,
-      files: stubEntries,
-      isFolder,
-      maxMtimeMs: Date.now(),
-      sessionKey: `quarantine-stub:${skillPath}`
-    };
-    const { skills } = await processContextFiles([], [stubGroup]);
-    if (skills.length === 0) return;
-    const stubMd5 = skills[0].md5;
-    await mkdir(getQuarantinedHashDir(stubMd5), { recursive: true });
-  } catch (err) {
-    log2.warn(
-      { err, skillPath },
-      "skill_quarantine: failed to pre-register stub md5"
-    );
+async function writeStub(params) {
+  const { skillPath, isFolder, md5, verdict } = params;
+  const stubContent = renderStub({
+    md5,
+    isFolder,
+    quarantinedZipPath: getQuarantineZipPath(md5),
+    origPath: skillPath,
+    summary: verdict.summary,
+    scannerName: verdict.scannerName,
+    scannerVersion: verdict.scannerVersion,
+    scannedAt: verdict.scannedAt
+  });
+  if (isFolder) {
+    await rm(skillPath, { recursive: true, force: true });
+    await mkdir(skillPath, { recursive: true });
+    await writeFile(path18.join(skillPath, "SKILL.md"), stubContent, "utf8");
+  } else {
+    await writeFile(skillPath, stubContent, "utf8");
   }
 }
-async function gatherStubEntries(skillPath, isFolder) {
-  const now = Date.now();
-  const target = isFolder ? path16.join(skillPath, "SKILL.md") : skillPath;
-  const [st, content] = await Promise.all([
-    stat2(target),
-    readFile2(target, "utf8")
-  ]);
-  return [
-    {
-      name: isFolder ? "SKILL.md" : path16.basename(skillPath),
-      path: target,
-      content,
-      sizeBytes: st.size,
-      category: "skill",
-      mtimeMs: now
-    }
-  ];
-}
-async function sweepOrphanStagingDirs(log2) {
+async function reconcileAndSweep(log2) {
   const root = getQuarantineRoot();
   let entries;
   try {
-    entries = await readdir(root);
+    entries = await readdir2(root);
   } catch (err) {
-    if (err.code === "ENOENT") return 0;
-    log2.warn({ err, root }, "skill_quarantine: orphan sweep readdir failed");
-    return 0;
+    if (err.code === "ENOENT") return;
+    log2.warn({ err, root }, "skill_quarantine: reconcile readdir failed");
+    return;
   }
+  const committed = new Set(
+    entries.map((e) => COMMITTED_ZIP_REGEX.exec(e)?.[1]).filter((m) => m !== void 0)
+  );
   const now = Date.now();
-  let swept = 0;
   for (const entry of entries) {
-    if (!STAGING_DIR_REGEX.test(entry)) continue;
-    const full = path16.join(root, entry);
-    let mtimeMs;
-    try {
-      mtimeMs = (await stat2(full)).mtimeMs;
-    } catch {
+    const md5 = TMP_ZIP_REGEX.exec(entry)?.[1];
+    if (md5 === void 0) continue;
+    const full = path18.join(root, entry);
+    if (committed.has(md5)) {
+      await unlink(full).catch(
+        (err) => log2.warn(
+          { err, path: full, md5 },
+          "skill_quarantine: redundant tmp unlink failed"
+        )
+      );
+      log2.info(
+        { path: full, md5, metric: Metric.SWEPT_REDUNDANT_TMP },
+        "skill_quarantine: swept redundant tmp"
+      );
       continue;
     }
-    if (now - mtimeMs < ORPHAN_SWEEP_GRACE_MS) continue;
+    let valid;
     try {
-      await rm(full, { recursive: true, force: true });
-      swept += 1;
-      log2.info(
-        { path: full, metric: Metric.ORPHAN_SWEPT },
-        "skill_quarantine: orphan swept"
-      );
-    } catch (err) {
-      log2.warn({ err, path: full }, "skill_quarantine: orphan sweep rm failed");
+      new AdmZip4(full).getEntries();
+      valid = true;
+    } catch {
+      valid = false;
     }
+    if (valid) {
+      try {
+        await rename(full, getQuarantineZipPath(md5));
+        committed.add(md5);
+        log2.info(
+          { path: full, md5, metric: Metric.RECONCILED },
+          "skill_quarantine: reconciled tmp \u2192 published"
+        );
+      } catch (err) {
+        log2.warn(
+          { err, path: full, md5 },
+          "skill_quarantine: reconcile rename failed"
+        );
+      }
+      continue;
+    }
+    const { mtimeMs } = await stat2(full).catch(() => ({ mtimeMs: now }));
+    if (now - mtimeMs < PARTIAL_SWEEP_GRACE_MS) continue;
+    await unlink(full).catch(
+      (err) => log2.warn({ err, path: full }, "skill_quarantine: partial unlink failed")
+    );
+    log2.info(
+      { path: full, metric: Metric.SWEPT_PARTIAL },
+      "skill_quarantine: swept broken tmp (partial write)"
+    );
   }
-  return swept;
 }
-async function tryRm(p) {
-  try {
-    await rm(p, { recursive: true, force: true });
-  } catch {
+function exists(p) {
+  return access(p).then(
+    () => true,
+    () => false
+  );
+}
+function ignoreErr() {
+}
+async function addFolderAsync(zip, root, prefix) {
+  async function walk(dir, relPrefix) {
+    const entries = await readdir2(dir, { withFileTypes: true });
+    for (const e of entries) {
+      const full = path18.join(dir, e.name);
+      const rel = path18.posix.join(relPrefix, e.name);
+      if (e.isDirectory()) await walk(full, rel);
+      else if (e.isFile()) zip.addFile(rel, await readFile2(full));
+    }
   }
+  await walk(root, prefix);
 }
 
 // src/features/analysis/skill_quarantine/queryVerdicts.ts
@@ -18121,7 +18294,7 @@ async function runQuarantineCheckIfNeeded(opts) {
   );
   const t0 = Date.now();
   try {
-    await sweepOrphanStagingDirs(log2);
+    await reconcileAndSweep(log2);
     const installed = await enumerateInstalledSkills(cwd);
     log2.info(
       { sessionId, count: installed.length, metric: Metric.SKILLS_CHECKED },
@@ -18171,7 +18344,7 @@ async function runQuarantineCheckIfNeeded(opts) {
 // src/features/claude_code/daemon_pid_file.ts
 import fs13 from "fs";
 import os4 from "os";
-import path17 from "path";
+import path19 from "path";
 
 // src/features/claude_code/data_collector_constants.ts
 var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
@@ -18188,20 +18361,21 @@ var DAEMON_POLL_INTERVAL_MS = (() => {
 var HEARTBEAT_STALE_MS = 3e4;
 var TRANSCRIPT_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 var DAEMON_CHUNK_SIZE = 50;
+var CONTEXT_SCAN_INTERVAL_MS = 5e3;
 
 // src/features/claude_code/daemon_pid_file.ts
 function getMobbdevDir() {
-  return path17.join(os4.homedir(), ".mobbdev");
+  return path19.join(os4.homedir(), ".mobbdev");
 }
 function getDaemonCheckScriptPath() {
-  return path17.join(getMobbdevDir(), "daemon-check.js");
+  return path19.join(getMobbdevDir(), "daemon-check.js");
 }
 var DaemonPidFile = class {
   constructor() {
     __publicField(this, "data", null);
   }
   get filePath() {
-    return path17.join(getMobbdevDir(), "daemon.pid");
+    return path19.join(getMobbdevDir(), "daemon.pid");
   }
   /** Ensure ~/.mobbdev/ directory exists. */
   ensureDir() {
@@ -18263,8 +18437,8 @@ var DaemonPidFile = class {
 // src/features/claude_code/data_collector.ts
 import { execFile } from "child_process";
 import { createHash as createHash3 } from "crypto";
-import { access, open as open4, readdir as readdir2, readFile as readFile3, unlink } from "fs/promises";
-import path18 from "path";
+import { access as access2, open as open4, readdir as readdir3, readFile as readFile3, unlink as unlink2 } from "fs/promises";
+import path20 from "path";
 import { promisify } from "util";
 
 // src/features/analysis/context_file_uploader.ts
@@ -18529,8 +18703,8 @@ function createConfigstoreStream(store, opts) {
       heartbeatBuffer.length = 0;
     }
   }
-  function setScopePath(path34) {
-    scopePath = path34;
+  function setScopePath(path36) {
+    scopePath = path36;
   }
   return { writable, flush, setScopePath };
 }
@@ -18754,7 +18928,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.0" : "unknown";
+var CLI_VERSION = true ? "1.4.2" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -18841,18 +19015,18 @@ function getCursorKey(transcriptPath) {
 }
 async function resolveTranscriptPath(transcriptPath, sessionId) {
   try {
-    await access(transcriptPath);
+    await access2(transcriptPath);
     return transcriptPath;
   } catch {
   }
-  const filename = path18.basename(transcriptPath);
-  const dirName = path18.basename(path18.dirname(transcriptPath));
-  const projectsDir = path18.dirname(path18.dirname(transcriptPath));
+  const filename = path20.basename(transcriptPath);
+  const dirName = path20.basename(path20.dirname(transcriptPath));
+  const projectsDir = path20.dirname(path20.dirname(transcriptPath));
   const baseDirName = dirName.replace(/[-.]claude-worktrees-.+$/, "");
   if (baseDirName !== dirName) {
-    const candidate = path18.join(projectsDir, baseDirName, filename);
+    const candidate = path20.join(projectsDir, baseDirName, filename);
     try {
-      await access(candidate);
+      await access2(candidate);
       hookLog.info(
         {
           data: {
@@ -18869,12 +19043,12 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     }
   }
   try {
-    const dirs = await readdir2(projectsDir);
+    const dirs = await readdir3(projectsDir);
     for (const dir of dirs) {
       if (dir === dirName) continue;
-      const candidate = path18.join(projectsDir, dir, filename);
+      const candidate = path20.join(projectsDir, dir, filename);
       try {
-        await access(candidate);
+        await access2(candidate);
         hookLog.info(
           {
             data: {
@@ -19053,11 +19227,11 @@ async function cleanupStaleSessions(configDir) {
   const now = Date.now();
   const prefix = getSessionFilePrefix();
   try {
-    const files = await readdir2(configDir);
+    const files = await readdir3(configDir);
     let deletedCount = 0;
     for (const file of files) {
       if (!file.startsWith(prefix) || !file.endsWith(".json")) continue;
-      const filePath = path18.join(configDir, file);
+      const filePath = path20.join(configDir, file);
       try {
         const content = JSON.parse(await readFile3(filePath, "utf-8"));
         let newest = 0;
@@ -19069,7 +19243,7 @@ async function cleanupStaleSessions(configDir) {
           }
         }
         if (newest > 0 && now - newest > STALE_KEY_MAX_AGE_MS) {
-          await unlink(filePath);
+          await unlink2(filePath);
           deletedCount++;
         }
       } catch {
@@ -19209,16 +19383,6 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       entriesSkipped: filteredOut,
       claudeCodeVersion: getClaudeCodeVersion()
     });
-    if (input.cwd) {
-      uploadContextFilesIfNeeded(
-        input.session_id,
-        input.cwd,
-        gqlClient,
-        log2
-      ).catch((err) => {
-        log2.error({ data: { err } }, "uploadContextFilesIfNeeded failed");
-      });
-    }
     return {
       entriesUploaded: entries.length,
       entriesSkipped: filteredOut,
@@ -19305,14 +19469,14 @@ async function uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2) {
 import fs14 from "fs";
 import fsPromises4 from "fs/promises";
 import os6 from "os";
-import path19 from "path";
+import path21 from "path";
 import chalk11 from "chalk";
 
 // src/features/claude_code/daemon-check-shim.tmpl.js
 var daemon_check_shim_tmpl_default = "// Mobb daemon shim \u2014 checks if daemon is alive, spawns if dead.\n// Auto-generated by mobbdev CLI. Do not edit.\nvar fs = require('fs')\nvar spawn = require('child_process').spawn\nvar path = require('path')\nvar os = require('os')\n\nvar pidFile = path.join(os.homedir(), '.mobbdev', 'daemon.pid')\nvar HEARTBEAT_STALE_MS = __HEARTBEAT_STALE_MS__\n\ntry {\n  var data = JSON.parse(fs.readFileSync(pidFile, 'utf8'))\n  if (Date.now() - data.heartbeat > HEARTBEAT_STALE_MS) throw new Error('stale')\n  process.kill(data.pid, 0) // throws ESRCH if the process is gone\n} catch (e) {\n  var localCli = process.env.MOBBDEV_LOCAL_CLI\n  var child = localCli\n    ? spawn('node', [localCli, 'claude-code-daemon'], { detached: true, stdio: 'ignore', windowsHide: true })\n    : spawn('npx', ['--yes', 'mobbdev@latest', 'claude-code-daemon'], { detached: true, stdio: 'ignore', shell: true, windowsHide: true })\n  child.unref()\n}\n";
 
 // src/features/claude_code/install_hook.ts
-var CLAUDE_SETTINGS_PATH = path19.join(os6.homedir(), ".claude", "settings.json");
+var CLAUDE_SETTINGS_PATH = path21.join(os6.homedir(), ".claude", "settings.json");
 var RECOMMENDED_MATCHER = "*";
 async function claudeSettingsExists() {
   try {
@@ -19458,18 +19622,18 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir3, stat as stat3 } from "fs/promises";
+import { open as open5, readdir as readdir4, stat as stat3 } from "fs/promises";
 import os7 from "os";
-import path20 from "path";
+import path22 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function getClaudeProjectsDirs() {
   const dirs = [];
   const configDir = process.env["CLAUDE_CONFIG_DIR"];
   if (configDir) {
-    dirs.push(path20.join(configDir, "projects"));
+    dirs.push(path22.join(configDir, "projects"));
   }
-  dirs.push(path20.join(os7.homedir(), ".config", "claude", "projects"));
-  dirs.push(path20.join(os7.homedir(), ".claude", "projects"));
+  dirs.push(path22.join(os7.homedir(), ".config", "claude", "projects"));
+  dirs.push(path22.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
 async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
@@ -19477,7 +19641,7 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
     if (!file.endsWith(".jsonl")) continue;
     const sessionId = file.replace(".jsonl", "");
     if (!UUID_RE.test(sessionId)) continue;
-    const filePath = path20.join(dir, file);
+    const filePath = path22.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
     let fileStat;
@@ -19503,12 +19667,12 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
   for (const projectsDir of projectsDirs) {
     let projectDirs;
     try {
-      projectDirs = await readdir3(projectsDir);
+      projectDirs = await readdir4(projectsDir);
     } catch {
       continue;
     }
     for (const projName of projectDirs) {
-      const projPath = path20.join(projectsDir, projName);
+      const projPath = path22.join(projectsDir, projName);
       let projStat;
       try {
         projStat = await stat3(projPath);
@@ -19518,18 +19682,18 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       if (!projStat.isDirectory()) continue;
       let files;
       try {
-        files = await readdir3(projPath);
+        files = await readdir4(projPath);
       } catch {
         continue;
       }
       await collectJsonlFiles(files, projPath, projPath, seen, now, results);
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
-        const subagentsDir = path20.join(projPath, entry, "subagents");
+        const subagentsDir = path22.join(projPath, entry, "subagents");
         try {
           const s = await stat3(subagentsDir);
           if (!s.isDirectory()) continue;
-          const subFiles = await readdir3(subagentsDir);
+          const subFiles = await readdir4(subagentsDir);
           await collectJsonlFiles(
             subFiles,
             subagentsDir,
@@ -19613,6 +19777,8 @@ async function startDaemon() {
   const startedAt = Date.now();
   const lastSeen = /* @__PURE__ */ new Map();
   let cleanupConfigDir;
+  const sessionCwdCache = /* @__PURE__ */ new Map();
+  let lastContextScanMs = 0;
   while (true) {
     if (shuttingDown) {
       await gracefulExit(0, "signal");
@@ -19626,9 +19792,29 @@ async function startDaemon() {
       for (const transcript of changed) {
         const sessionStore = createSessionConfigStore(transcript.sessionId);
         if (!cleanupConfigDir) {
-          cleanupConfigDir = path21.dirname(sessionStore.path);
+          cleanupConfigDir = path23.dirname(sessionStore.path);
+        }
+        await drainTranscript(
+          transcript,
+          sessionStore,
+          gqlClient,
+          sessionCwdCache
+        );
+      }
+      if (lastSeen.size > 0) {
+        for (const filePath of sessionCwdCache.keys()) {
+          if (!lastSeen.has(filePath)) sessionCwdCache.delete(filePath);
+        }
+      }
+      const now = Date.now();
+      if (now - lastContextScanMs >= CONTEXT_SCAN_INTERVAL_MS) {
+        lastContextScanMs = now;
+        for (const { sessionId, cwd } of sessionCwdCache.values()) {
+          const log2 = createScopedHookLog(cwd, { daemonMode: true });
+          uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2).catch(
+            (err) => log2.warn({ err }, "Context file scan failed")
+          );
         }
-        await drainTranscript(transcript, sessionStore, gqlClient);
       }
       if (cleanupConfigDir) {
         await cleanupStaleSessions(cleanupConfigDir);
@@ -19669,11 +19855,17 @@ async function authenticateOrExit(exit) {
     return exit(1, "auth failed");
   }
 }
-async function drainTranscript(transcript, sessionStore, gqlClient) {
+async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCache) {
   const cwd = await extractCwdFromTranscript(transcript.filePath);
   const log2 = createScopedHookLog(cwd ?? transcript.projectDir, {
     daemonMode: true
   });
+  if (cwd) {
+    sessionCwdCache.set(transcript.filePath, {
+      sessionId: transcript.sessionId,
+      cwd
+    });
+  }
   try {
     let hasMore = true;
     while (hasMore) {
@@ -19897,8 +20089,8 @@ var WorkspaceService = class {
    * Sets a known workspace path that was discovered through successful validation
    * @param path The validated workspace path to store
    */
-  static setKnownWorkspacePath(path34) {
-    this.knownWorkspacePath = path34;
+  static setKnownWorkspacePath(path36) {
+    this.knownWorkspacePath = path36;
   }
   /**
    * Gets the known workspace path that was previously validated
@@ -20759,7 +20951,7 @@ async function createAuthenticatedMcpGQLClient({
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
 import os8 from "os";
-import path22 from "path";
+import path24 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
   try {
@@ -20774,7 +20966,7 @@ var gitInfo = {
 };
 var getClaudeWorkspacePaths = () => {
   const home = os8.homedir();
-  const claudeIdePath = path22.join(home, ".claude", "ide");
+  const claudeIdePath = path24.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
     return workspacePaths;
@@ -20782,7 +20974,7 @@ var getClaudeWorkspacePaths = () => {
   try {
     const lockFiles = fs15.readdirSync(claudeIdePath).filter((file) => file.endsWith(".lock"));
     for (const lockFile of lockFiles) {
-      const lockFilePath = path22.join(claudeIdePath, lockFile);
+      const lockFilePath = path24.join(claudeIdePath, lockFile);
       try {
         const lockContent = JSON.parse(fs15.readFileSync(lockFilePath, "utf8"));
         if (lockContent.workspaceFolders && Array.isArray(lockContent.workspaceFolders)) {
@@ -20807,24 +20999,24 @@ var getMCPConfigPaths = (hostName) => {
   switch (hostName.toLowerCase()) {
     case "cursor":
       return [
-        path22.join(currentDir, ".cursor", "mcp.json"),
+        path24.join(currentDir, ".cursor", "mcp.json"),
         // local first
-        path22.join(home, ".cursor", "mcp.json")
+        path24.join(home, ".cursor", "mcp.json")
       ];
     case "windsurf":
       return [
-        path22.join(currentDir, ".codeium", "mcp_config.json"),
+        path24.join(currentDir, ".codeium", "mcp_config.json"),
         // local first
-        path22.join(home, ".codeium", "windsurf", "mcp_config.json")
+        path24.join(home, ".codeium", "windsurf", "mcp_config.json")
       ];
     case "webstorm":
       return [];
     case "visualstudiocode":
     case "vscode":
       return [
-        path22.join(currentDir, ".vscode", "mcp.json"),
+        path24.join(currentDir, ".vscode", "mcp.json"),
         // local first
-        process.platform === "win32" ? path22.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path22.join(
+        process.platform === "win32" ? path24.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path24.join(
           home,
           "Library",
           "Application Support",
@@ -20835,13 +21027,13 @@ var getMCPConfigPaths = (hostName) => {
       ];
     case "claude": {
       const claudePaths = [
-        path22.join(currentDir, ".claude.json"),
+        path24.join(currentDir, ".claude.json"),
         // local first
-        path22.join(home, ".claude.json")
+        path24.join(home, ".claude.json")
       ];
       const workspacePaths = getClaudeWorkspacePaths();
       for (const workspacePath of workspacePaths) {
-        claudePaths.push(path22.join(workspacePath, ".mcp.json"));
+        claudePaths.push(path24.join(workspacePath, ".mcp.json"));
       }
       return claudePaths;
     }
@@ -21002,10 +21194,10 @@ var getHostInfo = (additionalMcpList) => {
   const ideConfigPaths = /* @__PURE__ */ new Set();
   for (const ide of IDEs) {
     const configPaths = getMCPConfigPaths(ide);
-    configPaths.forEach((path34) => ideConfigPaths.add(path34));
+    configPaths.forEach((path36) => ideConfigPaths.add(path36));
   }
   const uniqueAdditionalPaths = additionalMcpList.filter(
-    (path34) => !ideConfigPaths.has(path34)
+    (path36) => !ideConfigPaths.has(path36)
   );
   for (const ide of IDEs) {
     const cfg = readMCPConfig(ide);
@@ -21127,7 +21319,7 @@ init_configs();
 init_configs();
 import fs16 from "fs";
 import os9 from "os";
-import path23 from "path";
+import path25 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
 var isFileMatch = (fileName) => {
@@ -21147,7 +21339,7 @@ var searchDir = async (dir, depth = 0) => {
   if (depth > MAX_DEPTH) return results;
   const entries = await fs16.promises.readdir(dir, { withFileTypes: true }).catch(() => []);
   for (const entry of entries) {
-    const fullPath = path23.join(dir, entry.name);
+    const fullPath = path25.join(dir, entry.name);
     if (entry.isFile() && isFileMatch(entry.name)) {
       results.push(fullPath);
     } else if (entry.isDirectory()) {
@@ -21164,14 +21356,14 @@ var findSystemMCPConfigs = async () => {
     const home = os9.homedir();
     const platform2 = os9.platform();
     const knownDirs = platform2 === "win32" ? [
-      path23.join(home, ".cursor"),
-      path23.join(home, "Documents"),
-      path23.join(home, "Downloads")
+      path25.join(home, ".cursor"),
+      path25.join(home, "Documents"),
+      path25.join(home, "Downloads")
     ] : [
-      path23.join(home, ".cursor"),
-      process.env["XDG_CONFIG_HOME"] || path23.join(home, ".config"),
-      path23.join(home, "Documents"),
-      path23.join(home, "Downloads")
+      path25.join(home, ".cursor"),
+      process.env["XDG_CONFIG_HOME"] || path25.join(home, ".config"),
+      path25.join(home, "Documents"),
+      path25.join(home, "Downloads")
     ];
     const timeoutPromise = new Promise(
       (resolve) => setTimeout(() => {
@@ -23587,13 +23779,13 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
 import * as os12 from "os";
-import * as path25 from "path";
+import * as path27 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
 init_configs();
 import * as fs18 from "fs";
 import fetch7 from "node-fetch";
-import * as path24 from "path";
+import * as path26 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
@@ -23602,14 +23794,14 @@ import * as os11 from "os";
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
 import * as os13 from "os";
-import * as path26 from "path";
+import * as path28 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
 import { z as z42 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs21 from "fs";
-import path27 from "path";
+import path29 from "path";
 async function validatePath(inputPath) {
   logDebug("Validating MCP path", { inputPath });
   if (/^\/[a-zA-Z]:\//.test(inputPath)) {
@@ -23641,7 +23833,7 @@ async function validatePath(inputPath) {
     logError(error);
     return { isValid: false, error, path: inputPath };
   }
-  const normalizedPath = path27.normalize(inputPath);
+  const normalizedPath = path29.normalize(inputPath);
   if (normalizedPath.includes("..")) {
     const error = `Normalized path contains path traversal patterns: ${inputPath}`;
     logError(error);
@@ -24293,7 +24485,7 @@ init_configs();
 import fs22 from "fs/promises";
 import nodePath from "path";
 var getLocalFiles = async ({
-  path: path34,
+  path: path36,
   maxFileSize = MCP_MAX_FILE_SIZE,
   maxFiles,
   isAllFilesScan,
@@ -24301,17 +24493,17 @@ var getLocalFiles = async ({
   scanRecentlyChangedFiles
 }) => {
   logDebug(`[${scanContext}] Starting getLocalFiles`, {
-    path: path34,
+    path: path36,
     maxFileSize,
     maxFiles,
     isAllFilesScan,
     scanRecentlyChangedFiles
   });
   try {
-    const resolvedRepoPath = await fs22.realpath(path34);
+    const resolvedRepoPath = await fs22.realpath(path36);
     logDebug(`[${scanContext}] Resolved repository path`, {
       resolvedRepoPath,
-      originalPath: path34
+      originalPath: path36
     });
     const gitService = new GitService(resolvedRepoPath, log);
     const gitValidation = await gitService.validateRepository();
@@ -24324,7 +24516,7 @@ var getLocalFiles = async ({
     if (!gitValidation.isValid || isAllFilesScan) {
       try {
         files = await FileUtils.getLastChangedFiles({
-          dir: path34,
+          dir: path36,
           maxFileSize,
           maxFiles,
           isAllFilesScan
@@ -24416,7 +24608,7 @@ var getLocalFiles = async ({
     logError(`${scanContext}Unexpected error in getLocalFiles`, {
       error: error instanceof Error ? error.message : String(error),
       stack: error instanceof Error ? error.stack : void 0,
-      path: path34
+      path: path36
     });
     throw error;
   }
@@ -24426,7 +24618,7 @@ var getLocalFiles = async ({
 init_client_generates();
 init_GitService();
 import fs23 from "fs";
-import path28 from "path";
+import path30 from "path";
 import { z as z41 } from "zod";
 function extractPathFromPatch(patch) {
   const match = patch?.match(/diff --git a\/([^\s]+) b\//);
@@ -24512,7 +24704,7 @@ var LocalMobbFolderService = class {
           "[LocalMobbFolderService] Non-git repository detected, skipping .gitignore operations"
         );
       }
-      const mobbFolderPath = path28.join(
+      const mobbFolderPath = path30.join(
         this.repoPath,
         this.defaultMobbFolderName
       );
@@ -24684,7 +24876,7 @@ var LocalMobbFolderService = class {
         mobbFolderPath,
         baseFileName
       );
-      const filePath = path28.join(mobbFolderPath, uniqueFileName);
+      const filePath = path30.join(mobbFolderPath, uniqueFileName);
       await fs23.promises.writeFile(filePath, patch, "utf8");
       logInfo("[LocalMobbFolderService] Patch saved successfully", {
         filePath,
@@ -24742,11 +24934,11 @@ var LocalMobbFolderService = class {
    * @returns Unique filename that doesn't conflict with existing files
    */
   getUniqueFileName(folderPath, baseFileName) {
-    const baseName = path28.parse(baseFileName).name;
-    const extension = path28.parse(baseFileName).ext;
+    const baseName = path30.parse(baseFileName).name;
+    const extension = path30.parse(baseFileName).ext;
     let uniqueFileName = baseFileName;
     let index = 1;
-    while (fs23.existsSync(path28.join(folderPath, uniqueFileName))) {
+    while (fs23.existsSync(path30.join(folderPath, uniqueFileName))) {
       uniqueFileName = `${baseName}-${index}${extension}`;
       index++;
       if (index > 1e3) {
@@ -24777,7 +24969,7 @@ var LocalMobbFolderService = class {
     logDebug("[LocalMobbFolderService] Logging patch info", { fixId: fix.id });
     try {
       const mobbFolderPath = await this.getFolder();
-      const patchInfoPath = path28.join(mobbFolderPath, "patchInfo.md");
+      const patchInfoPath = path30.join(mobbFolderPath, "patchInfo.md");
       const markdownContent = this.generateFixMarkdown(fix, savedPatchFileName);
       let existingContent = "";
       if (fs23.existsSync(patchInfoPath)) {
@@ -24819,7 +25011,7 @@ var LocalMobbFolderService = class {
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     const patch = this.extractPatchFromFix(fix);
     const relativePatchedFilePath = patch ? extractPathFromPatch(patch) : null;
-    const patchedFilePath = relativePatchedFilePath ? path28.resolve(this.repoPath, relativePatchedFilePath) : null;
+    const patchedFilePath = relativePatchedFilePath ? path30.resolve(this.repoPath, relativePatchedFilePath) : null;
     const fixIdentifier = savedPatchFileName ? savedPatchFileName.replace(".patch", "") : fix.id;
     let markdown = `# Fix ${fixIdentifier}
 
@@ -25155,7 +25347,7 @@ var LocalMobbFolderService = class {
 // src/mcp/services/PatchApplicationService.ts
 init_configs();
 import {
-  existsSync as existsSync7,
+  existsSync as existsSync6,
   mkdirSync,
   readFileSync as readFileSync4,
   unlinkSync,
@@ -25163,14 +25355,14 @@ import {
 } from "fs";
 import fs24 from "fs/promises";
 import parseDiff2 from "parse-diff";
-import path29 from "path";
+import path31 from "path";
 var PatchApplicationService = class {
   /**
    * Gets the appropriate comment syntax for a file based on its extension
    */
   static getCommentSyntax(filePath) {
-    const ext = path29.extname(filePath).toLowerCase();
-    const basename2 = path29.basename(filePath);
+    const ext = path31.extname(filePath).toLowerCase();
+    const basename2 = path31.basename(filePath);
     const commentMap = {
       // C-style languages (single line comments)
       ".js": "//",
@@ -25378,7 +25570,7 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path29.dirname(normalizedFilePath);
+    const dirPath = path31.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
     writeFileSync3(normalizedFilePath, finalContent, "utf8");
     return normalizedFilePath;
@@ -25387,9 +25579,9 @@ var PatchApplicationService = class {
     repositoryPath,
     targetPath
   }) {
-    const repoRoot = path29.resolve(repositoryPath);
-    const normalizedPath = path29.resolve(repoRoot, targetPath);
-    const repoRootWithSep = repoRoot.endsWith(path29.sep) ? repoRoot : `${repoRoot}${path29.sep}`;
+    const repoRoot = path31.resolve(repositoryPath);
+    const normalizedPath = path31.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path31.sep) ? repoRoot : `${repoRoot}${path31.sep}`;
     if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
       throw new Error(
         `Security violation: target path ${targetPath} resolves outside repository`
@@ -25398,7 +25590,7 @@ var PatchApplicationService = class {
     return {
       repoRoot,
       normalizedPath,
-      relativePath: path29.relative(repoRoot, normalizedPath)
+      relativePath: path31.relative(repoRoot, normalizedPath)
     };
   }
   /**
@@ -25680,8 +25872,8 @@ var PatchApplicationService = class {
         continue;
       }
       try {
-        const absolutePath = path29.resolve(repositoryPath, targetFile);
-        if (existsSync7(absolutePath)) {
+        const absolutePath = path31.resolve(repositoryPath, targetFile);
+        if (existsSync6(absolutePath)) {
           const stats = await fs24.stat(absolutePath);
           const fileModTime = stats.mtime.getTime();
           if (fileModTime > scanStartTime) {
@@ -25882,7 +26074,7 @@ var PatchApplicationService = class {
       targetFile,
       absoluteFilePath,
       relativePath,
-      exists: existsSync7(absoluteFilePath)
+      exists: existsSync6(absoluteFilePath)
     });
     return { absoluteFilePath, relativePath };
   }
@@ -25906,7 +26098,7 @@ var PatchApplicationService = class {
       fix,
       scanContext
     });
-    appliedFiles.push(path29.relative(repositoryPath, actualPath));
+    appliedFiles.push(path31.relative(repositoryPath, actualPath));
     logDebug(`[${scanContext}] Created new file: ${relativePath}`);
   }
   /**
@@ -25918,7 +26110,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (existsSync7(absoluteFilePath)) {
+    if (existsSync6(absoluteFilePath)) {
       unlinkSync(absoluteFilePath);
       appliedFiles.push(relativePath);
       logDebug(`[${scanContext}] Deleted file: ${relativePath}`);
@@ -25937,7 +26129,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (!existsSync7(absoluteFilePath)) {
+    if (!existsSync6(absoluteFilePath)) {
       throw new Error(
         `Target file does not exist: ${targetFile} (resolved to: ${absoluteFilePath})`
       );
@@ -25955,7 +26147,7 @@ var PatchApplicationService = class {
         fix,
         scanContext
       });
-      appliedFiles.push(path29.relative(repositoryPath, actualPath));
+      appliedFiles.push(path31.relative(repositoryPath, actualPath));
       logDebug(`[${scanContext}] Modified file: ${relativePath}`);
     }
   }
@@ -26152,8 +26344,8 @@ init_configs();
 // src/mcp/services/FileOperations.ts
 init_FileUtils();
 import fs25 from "fs";
-import path30 from "path";
-import AdmZip4 from "adm-zip";
+import path32 from "path";
+import AdmZip5 from "adm-zip";
 var FileOperations = class {
   /**
    * Creates a ZIP archive containing the specified source files
@@ -26168,14 +26360,14 @@ var FileOperations = class {
     maxFileSize
   }) {
     logDebug("[FileOperations] Packing files");
-    const zip = new AdmZip4();
+    const zip = new AdmZip5();
     let packedFilesCount = 0;
     const packedFiles = [];
     const excludedFiles = [];
-    const resolvedRepoPath = path30.resolve(repositoryPath);
+    const resolvedRepoPath = path32.resolve(repositoryPath);
     for (const filepath of fileList) {
-      const absoluteFilepath = path30.join(repositoryPath, filepath);
-      const resolvedFilePath = path30.resolve(absoluteFilepath);
+      const absoluteFilepath = path32.join(repositoryPath, filepath);
+      const resolvedFilePath = path32.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         const reason = "potential path traversal security risk";
         logDebug(`[FileOperations] Skipping ${filepath} due to ${reason}`);
@@ -26222,11 +26414,11 @@ var FileOperations = class {
     fileList,
     repositoryPath
   }) {
-    const resolvedRepoPath = path30.resolve(repositoryPath);
+    const resolvedRepoPath = path32.resolve(repositoryPath);
     const validatedPaths = [];
     for (const filepath of fileList) {
-      const absoluteFilepath = path30.join(repositoryPath, filepath);
-      const resolvedFilePath = path30.resolve(absoluteFilepath);
+      const absoluteFilepath = path32.join(repositoryPath, filepath);
+      const resolvedFilePath = path32.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         logDebug(
           `[FileOperations] Rejecting ${filepath} - path traversal attempt detected`
@@ -26254,7 +26446,7 @@ var FileOperations = class {
     for (const absolutePath of filePaths) {
       try {
         const content = await fs25.promises.readFile(absolutePath);
-        const relativePath = path30.basename(absolutePath);
+        const relativePath = path32.basename(absolutePath);
         fileDataArray.push({
           relativePath,
           absolutePath,
@@ -26566,14 +26758,14 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
    * since the last scan.
    */
   async scanForSecurityVulnerabilities({
-    path: path34,
+    path: path36,
     isAllDetectionRulesScan,
     isAllFilesScan,
     scanContext
   }) {
     this.hasAuthenticationFailed = false;
     logDebug(`[${scanContext}] Scanning for new security vulnerabilities`, {
-      path: path34
+      path: path36
     });
     if (!this.gqlClient) {
       logInfo(`[${scanContext}] No GQL client found, skipping scan`);
@@ -26589,11 +26781,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       logDebug(
         `[${scanContext}] Connected to the API, assembling list of files to scan`,
-        { path: path34 }
+        { path: path36 }
       );
       const isBackgroundScan = scanContext === ScanContext.BACKGROUND_INITIAL || scanContext === ScanContext.BACKGROUND_PERIODIC;
       const files = await getLocalFiles({
-        path: path34,
+        path: path36,
         isAllFilesScan,
         scanContext,
         scanRecentlyChangedFiles: !isBackgroundScan
@@ -26619,13 +26811,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
       const { fixReportId, projectId } = await scanFiles({
         fileList: filesToScan.map((file) => file.relativePath),
-        repositoryPath: path34,
+        repositoryPath: path36,
         gqlClient: this.gqlClient,
         isAllDetectionRulesScan,
         scanContext
       });
       logInfo(
-        `[${scanContext}] Security scan completed for ${path34} reportId: ${fixReportId} projectId: ${projectId}`
+        `[${scanContext}] Security scan completed for ${path36} reportId: ${fixReportId} projectId: ${projectId}`
       );
       if (isAllFilesScan) {
         return;
@@ -26919,13 +27111,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
     return scannedFiles.some((file) => file.relativePath === fixFile);
   }
-  async getFreshFixes({ path: path34 }) {
+  async getFreshFixes({ path: path36 }) {
     const scanContext = ScanContext.USER_REQUEST;
-    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path34 });
-    if (this.path !== path34) {
-      this.path = path34;
+    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path36 });
+    if (this.path !== path36) {
+      this.path = path36;
       this.reset();
-      logInfo(`[${scanContext}] Reset service state for new path`, { path: path34 });
+      logInfo(`[${scanContext}] Reset service state for new path`, { path: path36 });
     }
     try {
       const loginContext = createMcpLoginContext("check_new_fixes");
@@ -26944,7 +27136,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       throw error;
     }
-    this.triggerScan({ path: path34, gqlClient: this.gqlClient });
+    this.triggerScan({ path: path36, gqlClient: this.gqlClient });
     let isMvsAutoFixEnabled = null;
     try {
       isMvsAutoFixEnabled = await this.gqlClient.getMvsAutoFixSettings();
@@ -26978,33 +27170,33 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     return noFreshFixesPrompt;
   }
   triggerScan({
-    path: path34,
+    path: path36,
     gqlClient
   }) {
-    if (this.path !== path34) {
-      this.path = path34;
+    if (this.path !== path36) {
+      this.path = path36;
       this.reset();
-      logInfo(`Reset service state for new path in triggerScan`, { path: path34 });
+      logInfo(`Reset service state for new path in triggerScan`, { path: path36 });
     }
     this.gqlClient = gqlClient;
     if (!this.intervalId) {
-      this.startPeriodicScanning(path34);
-      this.executeInitialScan(path34);
-      void this.executeInitialFullScan(path34);
+      this.startPeriodicScanning(path36);
+      this.executeInitialScan(path36);
+      void this.executeInitialFullScan(path36);
     }
   }
-  startPeriodicScanning(path34) {
+  startPeriodicScanning(path36) {
     const scanContext = ScanContext.BACKGROUND_PERIODIC;
     logDebug(
       `[${scanContext}] Starting periodic scan for new security vulnerabilities`,
       {
-        path: path34
+        path: path36
       }
     );
     this.intervalId = setInterval(() => {
-      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path34 });
+      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path36 });
       this.scanForSecurityVulnerabilities({
-        path: path34,
+        path: path36,
         scanContext
       }).catch((error) => {
         logError(`[${scanContext}] Error during periodic security scan`, {
@@ -27013,45 +27205,45 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
     }, MCP_PERIODIC_CHECK_INTERVAL);
   }
-  async executeInitialFullScan(path34) {
+  async executeInitialFullScan(path36) {
     const scanContext = ScanContext.FULL_SCAN;
-    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path34 });
+    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path36 });
     logDebug(`[${scanContext}] Full scan paths scanned`, {
       fullScanPathsScanned: this.fullScanPathsScanned
     });
-    if (this.fullScanPathsScanned.includes(path34)) {
+    if (this.fullScanPathsScanned.includes(path36)) {
       logDebug(`[${scanContext}] Full scan already executed for this path`, {
-        path: path34
+        path: path36
       });
       return;
     }
     configStore.set("fullScanPathsScanned", [
       ...this.fullScanPathsScanned,
-      path34
+      path36
     ]);
     try {
       await this.scanForSecurityVulnerabilities({
-        path: path34,
+        path: path36,
         isAllFilesScan: true,
         isAllDetectionRulesScan: true,
         scanContext: ScanContext.FULL_SCAN
       });
-      if (!this.fullScanPathsScanned.includes(path34)) {
-        this.fullScanPathsScanned.push(path34);
+      if (!this.fullScanPathsScanned.includes(path36)) {
+        this.fullScanPathsScanned.push(path36);
         configStore.set("fullScanPathsScanned", this.fullScanPathsScanned);
       }
-      logInfo(`[${scanContext}] Full scan completed`, { path: path34 });
+      logInfo(`[${scanContext}] Full scan completed`, { path: path36 });
     } catch (error) {
       logError(`[${scanContext}] Error during initial full security scan`, {
         error
       });
     }
   }
-  executeInitialScan(path34) {
+  executeInitialScan(path36) {
     const scanContext = ScanContext.BACKGROUND_INITIAL;
-    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path34 });
+    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path36 });
     this.scanForSecurityVulnerabilities({
-      path: path34,
+      path: path36,
       scanContext: ScanContext.BACKGROUND_INITIAL
     }).catch((error) => {
       logError(`[${scanContext}] Error during initial security scan`, { error });
@@ -27148,9 +27340,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path34 = pathValidationResult.path;
+    const path36 = pathValidationResult.path;
     const resultText = await this.newFixesService.getFreshFixes({
-      path: path34
+      path: path36
     });
     logInfo("CheckForNewAvailableFixesTool execution completed", {
       resultText
@@ -27328,8 +27520,8 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path34 = pathValidationResult.path;
-    const gitService = new GitService(path34, log);
+    const path36 = pathValidationResult.path;
+    const gitService = new GitService(path36, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -27714,9 +27906,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path34 = pathValidationResult.path;
+    const path36 = pathValidationResult.path;
     const files = await getLocalFiles({
-      path: path34,
+      path: path36,
       maxFileSize: MCP_MAX_FILE_SIZE,
       maxFiles: args.maxFiles,
       scanContext: ScanContext.USER_REQUEST,
@@ -27736,7 +27928,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: path34,
+        repositoryPath: path36,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles
@@ -28037,10 +28229,10 @@ init_client_generates();
 init_urlParser2();
 
 // src/features/codeium_intellij/codeium_language_server_grpc_client.ts
-import path31 from "path";
+import path33 from "path";
 import * as grpc from "@grpc/grpc-js";
 import * as protoLoader from "@grpc/proto-loader";
-var PROTO_PATH = path31.join(
+var PROTO_PATH = path33.join(
   getModuleRootDir(),
   "src/features/codeium_intellij/proto/exa/language_server_pb/language_server.proto"
 );
@@ -28052,7 +28244,7 @@ function loadProto() {
     defaults: true,
     oneofs: true,
     includeDirs: [
-      path31.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
+      path33.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
     ]
   });
   return grpc.loadPackageDefinition(
@@ -28108,28 +28300,28 @@ async function getGrpcClient(port, csrf3) {
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
 import os14 from "os";
-import path32 from "path";
+import path34 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path32.join(os14.homedir(), "Library/Logs/JetBrains");
+    return path34.join(os14.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
-    return path32.join(
-      process.env["LOCALAPPDATA"] || path32.join(os14.homedir(), "AppData/Local"),
+    return path34.join(
+      process.env["LOCALAPPDATA"] || path34.join(os14.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path32.join(os14.homedir(), ".cache/JetBrains");
+    return path34.join(os14.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
   const logFiles = fs27.readdirSync(ideLogDir).filter((f) => /^idea(\.\d+)?\.log$/.test(f)).map((f) => ({
     name: f,
-    mtime: fs27.statSync(path32.join(ideLogDir, f)).mtimeMs
+    mtime: fs27.statSync(path34.join(ideLogDir, f)).mtimeMs
   })).sort((a, b) => a.mtime - b.mtime).map((f) => f.name);
   let latestCsrf = null;
   let latestPort = null;
   for (const logFile of logFiles) {
-    const lines = fs27.readFileSync(path32.join(ideLogDir, logFile), "utf-8").split("\n");
+    const lines = fs27.readFileSync(path34.join(ideLogDir, logFile), "utf-8").split("\n");
     for (const line of lines) {
       if (!line.includes(
         "com.codeium.intellij.language_server.LanguageServerProcessHandler"
@@ -28157,9 +28349,9 @@ function findRunningCodeiumLanguageServers() {
   const logsDir = getLogsDir();
   if (!fs27.existsSync(logsDir)) return results;
   for (const ide of fs27.readdirSync(logsDir)) {
-    let ideLogDir = path32.join(logsDir, ide);
+    let ideLogDir = path34.join(logsDir, ide);
     if (process.platform !== "darwin") {
-      ideLogDir = path32.join(ideLogDir, "log");
+      ideLogDir = path34.join(ideLogDir, "log");
     }
     if (!fs27.existsSync(ideLogDir) || !fs27.statSync(ideLogDir).isDirectory()) {
       continue;
@@ -28342,10 +28534,10 @@ function processChatStepCodeAction(step) {
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
 import os15 from "os";
-import path33 from "path";
+import path35 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path33.join(os15.homedir(), ".codeium", "hooks.json");
+  return path35.join(os15.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();
@@ -28358,7 +28550,7 @@ async function readCodeiumHooks() {
 }
 async function writeCodeiumHooks(config2) {
   const hooksPath = getCodeiumHooksPath();
-  const dir = path33.dirname(hooksPath);
+  const dir = path35.dirname(hooksPath);
   await fsPromises5.mkdir(dir, { recursive: true });
   await fsPromises5.writeFile(
     hooksPath,