mobbdev 1.4.1 → 1.4.7

package/dist/index.mjs

@@ -94,6 +94,9 @@ function getSdk(client, withWrapper = defaultWrapper) {
     performCliLogin(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: PerformCliLoginDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "performCliLogin", "mutation", variables);
     },
+    SetQuarantineEnabled(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SetQuarantineEnabledDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SetQuarantineEnabled", "mutation", variables);
+    },
     CreateProject(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateProject", "mutation", variables);
     },
@@ -135,7 +138,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -260,6 +263,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["HttpParameterPollution"] = "HTTP_PARAMETER_POLLUTION";
       IssueType_Enum2["HttpResponseSplitting"] = "HTTP_RESPONSE_SPLITTING";
       IssueType_Enum2["IframeWithoutSandbox"] = "IFRAME_WITHOUT_SANDBOX";
+      IssueType_Enum2["ImproperCertificateValidation"] = "IMPROPER_CERTIFICATE_VALIDATION";
       IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
       IssueType_Enum2["ImproperResourceShutdownOrRelease"] = "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE";
       IssueType_Enum2["ImproperStringFormatting"] = "IMPROPER_STRING_FORMATTING";
@@ -278,6 +282,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
       IssueType_Enum2["InsecureUuidVersion"] = "INSECURE_UUID_VERSION";
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
+      IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
@@ -941,6 +946,12 @@ var init_client_generates = __esm({
           level
           justification
         }
+        appliedSkills
+        mcpCalls {
+          mcpServer
+          mcpTool
+          callCount
+        }
       }
     }
     ... on PromptSummaryProcessing {
@@ -1092,6 +1103,13 @@ var init_client_generates = __esm({
   performCliLogin(loginId: $loginId) {
     status
   }
+}
+    `;
+    SetQuarantineEnabledDocument = `
+    mutation SetQuarantineEnabled($enabled: Boolean!) {
+  update_organization(where: {}, _set: {quarantineEnabled: $enabled}) {
+    affected_rows
+  }
 }
     `;
     CreateProjectDocument = `
@@ -1277,12 +1295,15 @@ var init_client_generates = __esm({
     SkillVerdictsByMd5Document = `
     query SkillVerdictsByMd5($md5s: [String!]!) {
   skillVerdictsByMd5(md5s: $md5s) {
-    md5
-    verdict
-    summary
-    scannerName
-    scannerVersion
-    scannedAt
+    quarantineEnabled
+    verdicts {
+      md5
+      verdict
+      summary
+      scannerName
+      scannerVersion
+      scannedAt
+    }
   }
 }
     `;
@@ -1400,6 +1421,7 @@ var init_getIssueType = __esm({
       ["NO_EQUIVALENCE_METHOD" /* NoEquivalenceMethod */]: "Class Does Not Implement Equivalence Method",
       ["INFORMATION_EXPOSURE_VIA_HEADERS" /* InformationExposureViaHeaders */]: "Information Exposure via Headers",
       ["DEBUG_ENABLED" /* DebugEnabled */]: "Debug Enabled",
+      ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: "J2EE Bad Practices: getConnection()",
       ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: "Leftover Debug Code",
       ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
       ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
@@ -1474,7 +1496,8 @@ var init_getIssueType = __esm({
       ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast",
       ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
-      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion"
+      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
+      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -3601,8 +3624,8 @@ var init_FileUtils = __esm({
           const fullPath = path.join(dir, item);
           try {
             await fsPromises.access(fullPath, fs.constants.R_OK);
-            const stat4 = await fsPromises.stat(fullPath);
-            if (stat4.isDirectory()) {
+            const stat5 = await fsPromises.stat(fullPath);
+            if (stat5.isDirectory()) {
               if (isRootLevel && excludedRootDirectories.includes(item)) {
                 continue;
               }
@@ -3614,7 +3637,7 @@ var init_FileUtils = __esm({
                 name: item,
                 fullPath,
                 relativePath: path.relative(rootDir, fullPath),
-                time: stat4.mtime.getTime(),
+                time: stat5.mtime.getTime(),
                 isFile: true
               });
             }
@@ -4148,11 +4171,11 @@ ${rootContent}`;
         try {
           const gitRoot = await this.getGitRoot();
           const gitignorePath = path2.join(gitRoot, ".gitignore");
-          const exists = fs2.existsSync(gitignorePath);
+          const exists2 = fs2.existsSync(gitignorePath);
           this.log("[GitService] .gitignore existence check complete", "debug", {
-            exists
+            exists: exists2
           });
-          return exists;
+          return exists2;
         } catch (error) {
           const errorMessage = `Failed to check .gitignore existence: ${error.message}`;
           this.log(`[GitService] ${errorMessage}`, "error", { error });
@@ -4568,6 +4591,7 @@ var fixDetailsData = {
     issueDescription: "A data member and a function have the same name which can be confusing to the developer.",
     fixInstructions: "Rename the data member to avoid confusion."
   },
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: void 0,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: void 0,
   ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: void 0,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: void 0,
@@ -4670,7 +4694,8 @@ var fixDetailsData = {
   ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0,
   ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
-  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0
+  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -4834,6 +4859,31 @@ var go_default = vulnerabilities3;
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
+var j2eeGetConnection = {
+  guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
+
+
+ 
+
+***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
+
+- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
+- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
+- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
+- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
+
+
+&nbsp;
+
+Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
+
+
+&nbsp;
+
+This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
 var sqlInjection = {
   guidance: ({
@@ -4861,6 +4911,7 @@ var systemInformationLeak = {
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 var vulnerabilities4 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
 };
@@ -4945,10 +4996,24 @@ See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates
 ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
 };
 
+// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
+var improperCertificateValidation = {
+  guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
+
+&nbsp;
+
+***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
+
+&nbsp;
+
+See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 var vulnerabilities7 = {
   ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
-  ["CSRF" /* Csrf */]: csrf
+  ["CSRF" /* Csrf */]: csrf,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: improperCertificateValidation
 };
 var python_default = vulnerabilities7;
 
@@ -5484,6 +5549,15 @@ var insecureCookie2 = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
+var j2eeGetConnection2 = {
+  jndiResourceName: {
+    content: () => "What JNDI name is the database connection pool registered under?",
+    description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
 var leftoverDebugCode = {
   isCodeUsed: {
@@ -5812,6 +5886,7 @@ var vulnerabilities12 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
@@ -7178,7 +7253,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path35 = [
+      const path37 = [
         prefixPath,
         owner,
         projectName,
@@ -7189,7 +7264,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path35}?${params2}`, origin).toString();
+      return new URL(`${path37}?${params2}`, origin).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -7278,8 +7353,8 @@ async function getAdoSdk(params) {
         const changeType = entry.changeType;
         return changeType !== 16 && entry.item?.path;
       }).map((entry) => {
-        const path35 = entry.item.path;
-        return path35.startsWith("/") ? path35.slice(1) : path35;
+        const path37 = entry.item.path;
+        return path37.startsWith("/") ? path37.slice(1) : path37;
       });
     },
     async searchAdoPullRequests({
@@ -13646,6 +13721,7 @@ var GQLClient = class {
     return await this._clientSdk.ScanSkill(variables);
   }
   // T-467 — batched verdict lookup for the client-side quarantine check.
+  // T-493 — response is the envelope `{ quarantineEnabled, verdicts }`.
   async skillVerdictsByMd5(md5s) {
     return await this._clientSdk.SkillVerdictsByMd5({ md5s });
   }
@@ -14068,7 +14144,11 @@ async function sanitizeDataWithCounts(obj, options) {
     if (typeof data === "string") {
       return sanitizeString(data);
     } else if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+      const results = [];
+      for (const item of data) {
+        results.push(await sanitizeRecursive(item));
+      }
+      return results;
     } else if (data instanceof Error) {
       return data;
     } else if (data instanceof Date) {
@@ -14499,22 +14579,25 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
   const serializedRawDataByIndex = /* @__PURE__ */ new Map();
   const records = await timedStep(
     `${shouldSanitize ? "sanitize" : "serialize"} ${rawRecords.length} records`,
-    () => Promise.all(
-      rawRecords.map(async (record, index) => {
+    async () => {
+      const results = [];
+      for (let index = 0; index < rawRecords.length; index++) {
+        const record = rawRecords[index];
         if (record.rawData != null && record.rawDataS3Key == null) {
           const serialized = shouldSanitize ? await sanitizeRawData(record.rawData) : JSON.stringify(record.rawData);
           serializedRawDataByIndex.set(index, serialized);
         }
         const { rawData: _rawData, ...rest } = record;
-        return {
+        results.push({
           ...rest,
           repositoryUrl: record.repositoryUrl ?? defaultRepoUrl,
           computerName,
           userName,
           clientVersion: record.clientVersion ?? defaultClientVersion
-        };
-      })
-    )
+        });
+      }
+      return results;
+    }
   );
   const recordsWithRawData = rawRecords.map((r, i) => ({ recordId: r.recordId, index: i })).filter((entry) => serializedRawDataByIndex.has(entry.index));
   if (recordsWithRawData.length > 0) {
@@ -14555,32 +14638,39 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
         errors: ["[step:s3-url] Malformed uploadFieldsJSON from server"]
       };
     }
+    const MAX_CONCURRENT_S3_UPLOADS = 5;
     debug10(
-      "[step:s3-upload] Uploading %d files to S3",
-      recordsWithRawData.length
+      "[step:s3-upload] Uploading %d files to S3 (concurrency=%d)",
+      recordsWithRawData.length,
+      MAX_CONCURRENT_S3_UPLOADS
     );
     const s3Start = Date.now();
-    const uploadResults = await Promise.allSettled(
-      recordsWithRawData.map(async (entry) => {
-        const rawDataJson = serializedRawDataByIndex.get(entry.index);
-        if (!rawDataJson) {
-          debug10("No serialized rawData for recordId=%s", entry.recordId);
-          return;
-        }
-        const uploadKey = `${keyPrefix}${entry.recordId}.json`;
-        await withTimeout(
-          uploadFile({
-            file: Buffer.from(rawDataJson, "utf-8"),
-            url,
-            uploadKey,
-            uploadFields
-          }),
-          BATCH_TIMEOUT_MS,
-          `[step:s3-upload] uploadFile ${entry.recordId}`
-        );
-        records[entry.index].rawDataS3Key = uploadKey;
-      })
-    );
+    const uploadResults = [];
+    for (let i = 0; i < recordsWithRawData.length; i += MAX_CONCURRENT_S3_UPLOADS) {
+      const chunk = recordsWithRawData.slice(i, i + MAX_CONCURRENT_S3_UPLOADS);
+      const chunkResults = await Promise.allSettled(
+        chunk.map(async (entry) => {
+          const rawDataJson = serializedRawDataByIndex.get(entry.index);
+          if (!rawDataJson) {
+            debug10("No serialized rawData for recordId=%s", entry.recordId);
+            return;
+          }
+          const uploadKey = `${keyPrefix}${entry.recordId}.json`;
+          await withTimeout(
+            uploadFile({
+              file: Buffer.from(rawDataJson, "utf-8"),
+              url,
+              uploadKey,
+              uploadFields
+            }),
+            BATCH_TIMEOUT_MS,
+            `[step:s3-upload] uploadFile ${entry.recordId}`
+          );
+          records[entry.index].rawDataS3Key = uploadKey;
+        })
+      );
+      uploadResults.push(...chunkResults);
+    }
     debug10(
       "[perf] s3-upload %d files: %dms",
       recordsWithRawData.length,
@@ -15172,7 +15262,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path35,
+    path: path37,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -15187,7 +15277,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path35,
+    path: path37,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15221,7 +15311,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path35,
+    path: path37,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -15239,7 +15329,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path35,
+    path: path37,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15843,8 +15933,8 @@ if (typeof __filename !== "undefined") {
 }
 var costumeRequire = createRequire(moduleUrl);
 var getCheckmarxPath = () => {
-  const os16 = type();
-  const cxFileName = os16 === "Windows_NT" ? "cx.exe" : "cx";
+  const os17 = type();
+  const cxFileName = os17 === "Windows_NT" ? "cx.exe" : "cx";
   try {
     return costumeRequire.resolve(`.bin/${cxFileName}`);
   } catch (e) {
@@ -16761,8 +16851,8 @@ async function resolveSkillScanInput(skillInput) {
   if (!fs11.existsSync(resolvedPath)) {
     return skillInput;
   }
-  const stat4 = fs11.statSync(resolvedPath);
-  if (!stat4.isDirectory()) {
+  const stat5 = fs11.statSync(resolvedPath);
+  if (!stat5.isDirectory()) {
     throw new CliError(
       "Local skill input must be a directory containing SKILL.md"
     );
@@ -17161,10 +17251,16 @@ import { spawn } from "child_process";
 
 // src/features/claude_code/daemon.ts
 import { readFileSync, writeFileSync as writeFileSync2 } from "fs";
-import path22 from "path";
+import * as os8 from "os";
+import path24 from "path";
 import { setTimeout as sleep2 } from "timers/promises";
 import Configstore3 from "configstore";
 
+// src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+import { stat as stat3 } from "fs/promises";
+import { homedir as homedir4 } from "os";
+import path19 from "path";
+
 // src/features/analysis/skill_quarantine/constants.ts
 var HEARTBEAT_DEBOUNCE_MS = (() => {
   const raw = Number(process.env["MOBB_TRACY_SKILL_QUARANTINE_DEBOUNCE_MS"]);
@@ -17173,7 +17269,8 @@ var HEARTBEAT_DEBOUNCE_MS = (() => {
 })();
 var KILL_SWITCH_ENV = "MOBB_TRACY_SKILL_QUARANTINE_DISABLE";
 var MALICIOUS_VERDICT = "MALICIOUS";
-var ORPHAN_SWEEP_GRACE_MS = 10 * 60 * 1e3;
+var PARTIAL_SWEEP_GRACE_MS = 10 * 60 * 1e3;
+var STUB_MARKER = "\u26D4 QUARANTINED BY TRACY";
 
 // src/features/analysis/skill_quarantine/enumerateInstalledSkills.ts
 import { homedir as homedir2 } from "os";
@@ -17239,51 +17336,86 @@ import { globby as globby2 } from "globby";
 import { parse as parseJsoncLib } from "jsonc-parser";
 
 // src/features/analysis/context_file_scan_paths.ts
-var SKILL_CATEGORY = "skill";
+var CATEGORY = {
+  RULE: "rule",
+  MEMORY: "memory",
+  SKILL: "skill",
+  COMMAND: "command",
+  PROMPT: "prompt",
+  AGENT_CONFIG: "agent-config",
+  CONFIG: "config",
+  MCP_CONFIG: "mcp-config",
+  IGNORE: "ignore"
+};
+var SKILL_CATEGORY = CATEGORY.SKILL;
 var SCAN_PATHS = {
   "claude-code": [
-    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
-    { glob: "INSIGHTS.md", category: "rule", root: "workspace" },
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
-    { glob: ".claude/INSIGHTS.md", category: "rule", root: "home" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
+    { glob: "CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.local.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "INSIGHTS.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
+    {
+      glob: ".claude/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/INSIGHTS.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/rules/**/*.md", category: CATEGORY.RULE, root: "home" },
     {
       glob: ".claude/projects/*/memory/*.md",
-      category: "memory",
+      category: CATEGORY.MEMORY,
       root: "home"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
-    { glob: ".claude/commands/*.md", category: "skill", root: "workspace" },
+    {
+      glob: ".claude/commands/*.md",
+      category: CATEGORY.COMMAND,
+      root: "workspace"
+    },
     {
       glob: ".claude/agents/*.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.SKILL,
       root: "workspace"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
-    { glob: ".claude/commands/*.md", category: "skill", root: "home" },
-    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
-    { glob: ".claude/settings.json", category: "config", root: "workspace" },
+    { glob: ".claude/commands/*.md", category: CATEGORY.COMMAND, root: "home" },
+    { glob: ".claude/agents/*.md", category: CATEGORY.SKILL, root: "home" },
+    {
+      glob: ".claude/settings.json",
+      category: CATEGORY.CONFIG,
+      root: "workspace"
+    },
     {
       glob: ".claude/settings.local.json",
-      category: "config",
+      category: CATEGORY.CONFIG,
       root: "workspace"
     },
-    { glob: ".mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".claude/.mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".claude/settings.json", category: "config", root: "home" },
-    { glob: ".claudeignore", category: "ignore", root: "workspace" }
+    { glob: ".mcp.json", category: CATEGORY.MCP_CONFIG, root: "workspace" },
+    {
+      glob: ".claude/.mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
+    { glob: ".claude/settings.json", category: CATEGORY.CONFIG, root: "home" },
+    { glob: ".claudeignore", category: CATEGORY.IGNORE, root: "workspace" }
   ],
   cursor: [
     // Legacy single-file rules
-    { glob: ".cursorrules", category: "rule", root: "workspace" },
+    { glob: ".cursorrules", category: CATEGORY.RULE, root: "workspace" },
     // Project Rules — docs support both `.mdc` and `.md` inside .cursor/rules/
-    { glob: ".cursor/rules/**/*.mdc", category: "rule", root: "workspace" },
-    { glob: ".cursor/rules/**/*.md", category: "rule", root: "workspace" },
+    {
+      glob: ".cursor/rules/**/*.mdc",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
+    {
+      glob: ".cursor/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
     // AGENTS.md — Cursor's documented alternative to .cursor/rules/
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
     // Agent skills — Cursor auto-loads from these dirs plus compat with
     // Claude / Codex / generic .agents/ per Cursor docs.
     { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "workspace" },
@@ -17291,15 +17423,19 @@ var SCAN_PATHS = {
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
     { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "workspace" },
     // MCP — project + global
-    { glob: ".cursor/mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".cursor/mcp.json", category: "mcp-config", root: "home" },
+    {
+      glob: ".cursor/mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
+    { glob: ".cursor/mcp.json", category: CATEGORY.MCP_CONFIG, root: "home" },
     // Home skills (user-level cross-project skills)
     { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "home" },
     // Exclusion
-    { glob: ".cursorignore", category: "ignore", root: "workspace" }
+    { glob: ".cursorignore", category: CATEGORY.IGNORE, root: "workspace" }
     // Note: Cursor's global "Rules for AI" from Settings UI is stored in
     // Cursor's internal settings DB. The tracer_ext reads it via VS Code API
     // (vscode.workspace.getConfiguration) and includes it as a synthetic entry.
@@ -17308,42 +17444,46 @@ var SCAN_PATHS = {
     // Instructions — workspace
     {
       glob: ".github/copilot-instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "workspace"
     },
     {
       glob: ".github/instructions/**/*.instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "workspace"
     },
     // AGENTS.md / CLAUDE.md family (Copilot reads these via chat.useAgentsMdFile,
     // chat.useClaudeMdFile for cross-compat with Claude Code / other agents).
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.local.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    {
+      glob: ".claude/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
     // Prompts — workspace
     {
       glob: ".github/prompts/*.prompt.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.PROMPT,
       root: "workspace"
     },
     // Custom agents — `.agent.md` is the current format; `.chatmode.md` is the
     // legacy naming docs recommend renaming. We scan both for transition.
     {
       glob: ".github/agents/*.agent.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "workspace"
     },
     {
       glob: ".github/chatmodes/*.chatmode.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "workspace"
     },
     {
       glob: ".claude/agents/*.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.SKILL,
       root: "workspace"
     },
     // Agent skills — Copilot discovers skills in all three roots (VS Code docs:
@@ -17352,30 +17492,38 @@ var SCAN_PATHS = {
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
     // MCP — VS Code Copilot reads MCP servers from .vscode/mcp.json
-    { glob: ".vscode/mcp.json", category: "mcp-config", root: "workspace" },
+    {
+      glob: ".vscode/mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
     // Global — home (JetBrains stores global instructions here)
     {
       glob: ".config/github-copilot/global-copilot-instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "home"
     },
     // User-level Copilot customizations (~/.copilot/)
     {
       glob: ".copilot/instructions/**/*.instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
+      root: "home"
+    },
+    {
+      glob: ".copilot/prompts/*.prompt.md",
+      category: CATEGORY.PROMPT,
       root: "home"
     },
-    { glob: ".copilot/prompts/*.prompt.md", category: "skill", root: "home" },
     {
       glob: ".copilot/agents/*.agent.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "home"
     },
     { kind: "skill-bundle", skillsRoot: ".copilot/skills", root: "home" },
     // Cross-compat home paths (Copilot reads Claude / generic agent dirs too)
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
-    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/rules/**/*.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/agents/*.md", category: CATEGORY.SKILL, root: "home" },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" }
   ]
@@ -17415,7 +17563,7 @@ var COPILOT_CUSTOM_LOCATION_SETTINGS = [
   {
     key: "chat.promptFilesLocations",
     kind: "glob",
-    category: "skill",
+    category: "prompt",
     glob: "**/*.prompt.md"
   },
   {
@@ -17546,11 +17694,11 @@ async function readJsoncSettings(settingsPath) {
   putSettingsCache(settingsPath, { mtimeMs, parsed: payload });
   return payload;
 }
-function putSettingsCache(path35, entry) {
-  if (!settingsCache.has(path35) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
+function putSettingsCache(path37, entry) {
+  if (!settingsCache.has(path37) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
     settingsCache.delete(settingsCache.keys().next().value);
   }
-  settingsCache.set(path35, entry);
+  settingsCache.set(path37, entry);
 }
 async function readCopilotCustomLocations(workspaceRoot) {
   const parsed = await readJsoncSettings(
@@ -17800,7 +17948,7 @@ async function enumerateGlob(pattern, cwd, category, isDynamic) {
   } catch {
     return [];
   }
-  return files.map((path35) => ({ path: path35, category }));
+  return files.map((path37) => ({ path: path37, category }));
 }
 async function enumerateSkillBundle(baseDir, skillsRoot) {
   const skillsDir = path14.resolve(baseDir, skillsRoot);
@@ -17964,29 +18112,51 @@ var Metric = {
   CHECK_TRIGGERED: "skill_quarantine.check_triggered",
   /** The env-var kill switch skipped the run. */
   CHECK_DISABLED_ENV: "skill_quarantine.check_disabled_env",
+  /**
+   * T-493 — the per-org opt-in toggle was off for every org the caller
+   * belongs to. Verdict query still ran (useful server-side telemetry);
+   * on-disk enforcement was skipped.
+   */
+  CHECK_DISABLED_ORG: "skill_quarantine.check_disabled_org",
   /** Verdict-query call failed. Fail-open. */
   QUERY_ERROR: "skill_quarantine.query_error",
-  /** Count of skills enumerated in this run (histogram-ish). */
+  /** Count of skills enumerated in this run. */
   SKILLS_CHECKED: "skill_quarantine.skills_checked",
-  /** A skill was freshly quarantined. Tagged with shape. */
+  /** A skill was freshly quarantined. */
   QUARANTINED: "skill_quarantine.quarantined",
-  /** Presence check hit; skill already quarantined. */
+  /** Presence check hit (`<md5>.zip` exists); skill already quarantined. */
   ALREADY_QUARANTINED: "skill_quarantine.already_quarantined",
-  /** Move step failed. Tagged with phase (stage | publish). */
-  MOVE_ERROR: "skill_quarantine.move_error",
-  /** Stub creation failed after the move succeeded. */
+  /** Zip build or partial→tmp rename failed (phase 1). */
+  ZIP_ERROR: "skill_quarantine.zip_error",
+  /** Stub write failed (phase 2); tmp preserved for reconcile. */
   STUB_ERROR: "skill_quarantine.stub_error",
-  /** A stale staging dir was swept. */
-  ORPHAN_SWEPT: "skill_quarantine.orphan_swept",
+  /** Tmp→published rename failed (phase 3); reconcile will retry. */
+  PUBLISH_ERROR: "skill_quarantine.publish_error",
+  /** Reconcile published a leftover tmp whose `<md5>.zip` was missing. */
+  RECONCILED: "skill_quarantine.reconciled",
+  /** Tmp removed because `<md5>.zip` already existed. */
+  SWEPT_REDUNDANT_TMP: "skill_quarantine.swept_redundant_tmp",
+  /** Stale partial zip swept (older than grace window). */
+  SWEPT_PARTIAL: "skill_quarantine.swept_partial",
   /** Total run duration including I/O. */
-  DURATION_MS: "skill_quarantine.duration_ms"
+  DURATION_MS: "skill_quarantine.duration_ms",
+  /**
+   * T-492 — Stub-md5 sentinel published successfully. The next heartbeat's
+   * presence check will short-circuit re-quarantining our own stub.
+   */
+  STUB_PREREGISTERED: "skill_quarantine.stub_preregistered",
+  /**
+   * T-492 — Stub-md5 sentinel write failed. Layer 1 (the scanner LLM
+   * recognising stubs) still protects against the loop; this layer is
+   * defense in depth.
+   */
+  STUB_PREREGISTER_ERROR: "skill_quarantine.stub_preregister_error"
 };
 
 // src/features/analysis/skill_quarantine/quarantineSkill.ts
 import { randomUUID } from "crypto";
-import { existsSync as existsSync2 } from "fs";
 import {
-  lstat as lstat2,
+  access,
   mkdir,
   readdir as readdir2,
   readFile as readFile2,
@@ -17996,8 +18166,8 @@ import {
   unlink,
   writeFile
 } from "fs/promises";
-import path17 from "path";
-import { move } from "fs-extra";
+import path18 from "path";
+import AdmZip4 from "adm-zip";
 
 // src/features/analysis/skill_quarantine/paths.ts
 import { homedir as homedir3 } from "os";
@@ -18005,27 +18175,29 @@ import path16 from "path";
 function getQuarantineRoot() {
   return path16.join(homedir3(), ".tracy", "quarantine", "claude", "skills");
 }
-function getQuarantinedHashDir(md5) {
-  return path16.join(getQuarantineRoot(), md5);
-}
-function getQuarantinedTargetPath(md5, origName) {
-  return path16.join(getQuarantinedHashDir(md5), origName);
+function getQuarantineZipPath(md5) {
+  return path16.join(getQuarantineRoot(), `${md5}.zip`);
 }
-function getStagingDir(md5, pid, uuid) {
-  return path16.join(getQuarantineRoot(), `${md5}_tmp_${pid}_${uuid}`);
+function getTmpZipPath(md5, uuid) {
+  return path16.join(getQuarantineRoot(), `${md5}_tmp_${uuid}.zip`);
 }
-var STAGING_DIR_REGEX = /^([0-9a-f]{32})_tmp_/;
+var TMP_ZIP_REGEX = /^([0-9a-f]{32})_tmp_[0-9a-f-]+\.zip$/;
+var COMMITTED_ZIP_REGEX = /^([0-9a-f]{32})\.zip$/;
 
 // src/features/analysis/skill_quarantine/stubTemplate.ts
+import path17 from "path";
+import { quote } from "shell-quote";
 var LEGACY_SUMMARY_FALLBACK = "not available (scan predates current schema)";
 function renderStub(params) {
   const folderOrFile = params.isFolder ? "skill folder" : "skill file";
   const reason = params.summary ?? LEGACY_SUMMARY_FALLBACK;
-  return `# \u26D4 QUARANTINED BY TRACY
+  const extractParent = path17.dirname(params.origPath);
+  const recoverCommand = `rm -rf ${quote([params.origPath])} && unzip -o ${quote([params.quarantinedZipPath])} -d ${quote([extractParent])}`;
+  return `# ${STUB_MARKER}
 
 This skill was flagged **MALICIOUS** by the Mobb security scanner and has been
-moved out of your skills folder. **Claude Code will not execute it** while this
-stub is in place.
+archived out of your skills folder. **Claude Code will not execute it** while
+this stub is in place.
 
 ## Why this skill was flagged
 
@@ -18036,23 +18208,22 @@ stub is in place.
 
 ## Where the original is now
 
-The original ${folderOrFile} has been moved to:
+The original ${folderOrFile} has been archived to:
 
-    ${params.quarantinedPath}
+    ${params.quarantinedZipPath}
 
-Nothing has been deleted. The contents are intact; only the location changed.
+Nothing has been deleted. The archive preserves the skill exactly as it was,
+including any secrets or local-only edits.
 
 ## If this is a false positive \u2014 how to recover
 
 If you're confident this skill is safe and want to restore it:
 
-    mv ${params.quarantinedPath} ${params.origPath}
+    ${recoverCommand}
 
-Tracy will not re-quarantine it as long as the directory
-\`~/.tracy/quarantine/claude/skills/${params.md5}/\` still exists on your
-machine (even if it's empty after you moved the contents out). If you delete
-that directory entirely, the next heartbeat will re-evaluate the skill from
-scratch.
+Tracy will not re-quarantine it as long as \`${params.md5}.zip\` remains in
+the quarantine folder. If you delete the archive, the next heartbeat will
+re-evaluate the skill from scratch.
 
 ## How to report a false positive
 
@@ -18069,130 +18240,56 @@ Your report helps tune the scanner for everyone.
 // src/features/analysis/skill_quarantine/quarantineSkill.ts
 async function quarantineSkill(params) {
   const { skillPath, isFolder, md5, origName, verdict, log: log2 } = params;
-  const hashDir = getQuarantinedHashDir(md5);
-  if (existsSync2(hashDir)) {
+  const finalZip = getQuarantineZipPath(md5);
+  if (await exists(finalZip)) {
     log2.debug(
       { md5, metric: Metric.ALREADY_QUARANTINED },
-      "skill_quarantine: already quarantined, skipping"
+      "skill_quarantine: already quarantined"
     );
     return { status: "already_quarantined" };
   }
-  let isSymlink = false;
+  const tmpZip = getTmpZipPath(md5, randomUUID());
   try {
-    const lst = await lstat2(skillPath);
-    isSymlink = lst.isSymbolicLink();
-  } catch {
-  }
-  if (isSymlink) {
-    const stubContent2 = renderStub({
-      md5,
-      isFolder,
-      // Symlinks have no quarantine archive; note that in the stub.
-      quarantinedPath: `(symlink at ${skillPath} replaced \u2014 original content was not moved)`,
-      origPath: skillPath,
-      summary: verdict.summary,
-      scannerName: verdict.scannerName,
-      scannerVersion: verdict.scannerVersion,
-      scannedAt: verdict.scannedAt
-    });
-    try {
-      await mkdir(hashDir, { recursive: true });
-      if (isFolder) {
-        const tmpDir = `${skillPath}.__tracy_tmp__`;
-        await mkdir(tmpDir, { recursive: true });
-        await writeFile(path17.join(tmpDir, "SKILL.md"), stubContent2, "utf8");
-        await unlink(skillPath);
-        await rename(tmpDir, skillPath);
-      } else {
-        const tmpFile = `${skillPath}.__tracy_tmp__`;
-        await writeFile(tmpFile, stubContent2, "utf8");
-        await unlink(skillPath);
-        await rename(tmpFile, skillPath);
-      }
-    } catch (err) {
-      log2.error(
-        { err, md5, skillPath, metric: Metric.STUB_ERROR },
-        "skill_quarantine: symlink stub write failed"
-      );
-      return { status: "stub_error", err };
+    await mkdir(getQuarantineRoot(), { recursive: true });
+    const zip = new AdmZip4();
+    if (isFolder) {
+      await addFolderAsync(zip, skillPath, origName);
+    } else {
+      zip.addFile(origName, await readFile2(skillPath));
     }
-    await preRegisterStubMd5(skillPath, isFolder, log2);
-    log2.info(
-      {
-        md5,
-        verdict: verdict.verdict,
-        shape: isFolder ? "folder" : "standalone",
-        scanner: verdict.scannerName,
-        scannerVersion: verdict.scannerVersion,
-        metric: Metric.QUARANTINED
-      },
-      "skill_quarantine: quarantined (symlink)"
-    );
-    return { status: "quarantined" };
-  }
-  const stagingDir = getStagingDir(md5, process.pid, randomUUID());
-  const stagingTarget = path17.join(stagingDir, origName);
-  const finalTarget = getQuarantinedTargetPath(md5, origName);
-  try {
-    await mkdir(stagingDir, { recursive: true });
+    await writeFile(tmpZip, zip.toBuffer());
   } catch (err) {
+    await unlink(tmpZip).catch(ignoreErr);
     log2.error(
-      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
-      "skill_quarantine: failed to create staging dir"
+      { err, md5, metric: Metric.ZIP_ERROR },
+      "skill_quarantine: phase-1 zip write failed"
     );
-    return { status: "move_error", phase: "stage", err };
+    return { status: "zip_error", err };
   }
   try {
-    await move(skillPath, stagingTarget);
+    await writeStub(params);
   } catch (err) {
-    await tryRm(stagingDir);
     log2.error(
-      { err, md5, metric: Metric.MOVE_ERROR, phase: "stage" },
-      "skill_quarantine: phase-1 move failed"
+      { err, md5, skillPath, metric: Metric.STUB_ERROR },
+      "skill_quarantine: stub write failed; tmp zip preserved for reconcile"
     );
-    return { status: "move_error", phase: "stage", err };
+    return { status: "stub_error", err };
   }
   try {
-    await rename(stagingDir, hashDir);
+    await rename(tmpZip, finalZip);
   } catch (err) {
     log2.error(
-      {
-        err,
-        md5,
-        stagingDir,
-        metric: Metric.MOVE_ERROR,
-        phase: "publish"
-      },
-      "skill_quarantine: phase-2 publish failed; staging dir preserved for manual recovery"
+      { err, md5, tmpZip, metric: Metric.PUBLISH_ERROR },
+      "skill_quarantine: phase-3 publish failed; reconcile will retry"
     );
-    return { status: "move_error", phase: "publish", err };
+    return { status: "publish_error", err };
   }
-  const quarantinedPath = finalTarget;
-  const stubContent = renderStub({
-    md5,
-    isFolder,
-    quarantinedPath,
-    origPath: skillPath,
-    summary: verdict.summary,
-    scannerName: verdict.scannerName,
-    scannerVersion: verdict.scannerVersion,
-    scannedAt: verdict.scannedAt
-  });
-  try {
-    if (isFolder) {
-      await mkdir(skillPath, { recursive: true });
-      await writeFile(path17.join(skillPath, "SKILL.md"), stubContent, "utf8");
-    } else {
-      await writeFile(skillPath, stubContent, "utf8");
-    }
-  } catch (err) {
-    log2.error(
-      { err, md5, skillPath, metric: Metric.STUB_ERROR },
-      "skill_quarantine: stub write failed; quarantine is still in place"
+  await preregisterStubMd5(params).catch((err) => {
+    log2.warn(
+      { err, md5, metric: Metric.STUB_PREREGISTER_ERROR },
+      "skill_quarantine: stub-md5 pre-registration failed; LLM-side recognition remains"
     );
-    return { status: "stub_error", err };
-  }
-  await preRegisterStubMd5(skillPath, isFolder, log2);
+  });
   log2.info(
     {
       md5,
@@ -18206,98 +18303,169 @@ async function quarantineSkill(params) {
   );
   return { status: "quarantined" };
 }
-async function preRegisterStubMd5(skillPath, isFolder, log2) {
+async function preregisterStubMd5(params) {
+  const { skillPath, isFolder, origName, log: log2 } = params;
+  const stubFilePath = isFolder ? path18.join(skillPath, "SKILL.md") : skillPath;
+  const stubEntryName = isFolder ? `${origName}/SKILL.md` : origName;
+  const content = await readFile2(stubFilePath, "utf-8");
+  const fileStat = await stat2(stubFilePath);
+  const stubFile = {
+    name: stubEntryName,
+    path: stubFilePath,
+    content,
+    sizeBytes: fileStat.size,
+    category: "skill",
+    mtimeMs: fileStat.mtimeMs
+  };
+  const stubGroup = {
+    name: isFolder ? origName : path18.basename(skillPath, path18.extname(skillPath)),
+    root: "workspace",
+    // unused by md5 computation
+    skillPath,
+    files: [stubFile],
+    isFolder,
+    maxMtimeMs: stubFile.mtimeMs,
+    sessionKey: `stub-preregister:${skillPath}`
+  };
+  const { skills } = await processContextFiles([], [stubGroup]);
+  const processed = skills[0];
+  if (!processed) {
+    return;
+  }
+  const { md5: stubMd5, zipBuffer } = processed;
+  const sentinelPath = getQuarantineZipPath(stubMd5);
+  if (await exists(sentinelPath)) {
+    return;
+  }
+  const tmpSentinel = getTmpZipPath(stubMd5, randomUUID());
   try {
-    const stubEntries = await gatherStubEntries(skillPath, isFolder);
-    const stubGroup = {
-      name: path17.basename(skillPath).replace(/\.md$/i, ""),
-      root: "workspace",
-      skillPath,
-      files: stubEntries,
-      isFolder,
-      maxMtimeMs: Date.now(),
-      sessionKey: `quarantine-stub:${skillPath}`
-    };
-    const { skills } = await processContextFiles([], [stubGroup]);
-    if (skills.length === 0) return;
-    const stubMd5 = skills[0].md5;
-    await mkdir(getQuarantinedHashDir(stubMd5), { recursive: true });
+    await writeFile(tmpSentinel, zipBuffer);
+    await rename(tmpSentinel, sentinelPath);
   } catch (err) {
-    log2.warn(
-      { err, skillPath },
-      "skill_quarantine: failed to pre-register stub md5"
-    );
+    await unlink(tmpSentinel).catch(ignoreErr);
+    throw err;
   }
+  log2.info(
+    { stubMd5, metric: Metric.STUB_PREREGISTERED },
+    "skill_quarantine: stub md5 pre-registered"
+  );
 }
-async function gatherStubEntries(skillPath, isFolder) {
-  const now = Date.now();
-  const target = isFolder ? path17.join(skillPath, "SKILL.md") : skillPath;
-  const [st, content] = await Promise.all([
-    stat2(target),
-    readFile2(target, "utf8")
-  ]);
-  return [
-    {
-      name: isFolder ? "SKILL.md" : path17.basename(skillPath),
-      path: target,
-      content,
-      sizeBytes: st.size,
-      category: "skill",
-      mtimeMs: now
-    }
-  ];
+async function writeStub(params) {
+  const { skillPath, isFolder, md5, verdict } = params;
+  const stubContent = renderStub({
+    md5,
+    isFolder,
+    quarantinedZipPath: getQuarantineZipPath(md5),
+    origPath: skillPath,
+    summary: verdict.summary,
+    scannerName: verdict.scannerName,
+    scannerVersion: verdict.scannerVersion,
+    scannedAt: verdict.scannedAt
+  });
+  if (isFolder) {
+    await rm(skillPath, { recursive: true, force: true });
+    await mkdir(skillPath, { recursive: true });
+    await writeFile(path18.join(skillPath, "SKILL.md"), stubContent, "utf8");
+  } else {
+    await writeFile(skillPath, stubContent, "utf8");
+  }
 }
-async function sweepOrphanStagingDirs(log2) {
+async function reconcileAndSweep(log2) {
   const root = getQuarantineRoot();
   let entries;
   try {
     entries = await readdir2(root);
   } catch (err) {
-    if (err.code === "ENOENT") return 0;
-    log2.warn({ err, root }, "skill_quarantine: orphan sweep readdir failed");
-    return 0;
+    if (err.code === "ENOENT") return;
+    log2.warn({ err, root }, "skill_quarantine: reconcile readdir failed");
+    return;
   }
+  const committed = new Set(
+    entries.map((e) => COMMITTED_ZIP_REGEX.exec(e)?.[1]).filter((m) => m !== void 0)
+  );
   const now = Date.now();
-  let swept = 0;
   for (const entry of entries) {
-    if (!STAGING_DIR_REGEX.test(entry)) continue;
-    const full = path17.join(root, entry);
-    let mtimeMs;
-    try {
-      mtimeMs = (await stat2(full)).mtimeMs;
-    } catch {
+    const md5 = TMP_ZIP_REGEX.exec(entry)?.[1];
+    if (md5 === void 0) continue;
+    const full = path18.join(root, entry);
+    if (committed.has(md5)) {
+      await unlink(full).catch(
+        (err) => log2.warn(
+          { err, path: full, md5 },
+          "skill_quarantine: redundant tmp unlink failed"
+        )
+      );
+      log2.info(
+        { path: full, md5, metric: Metric.SWEPT_REDUNDANT_TMP },
+        "skill_quarantine: swept redundant tmp"
+      );
       continue;
     }
-    if (now - mtimeMs < ORPHAN_SWEEP_GRACE_MS) continue;
+    let valid;
     try {
-      await rm(full, { recursive: true, force: true });
-      swept += 1;
-      log2.info(
-        { path: full, metric: Metric.ORPHAN_SWEPT },
-        "skill_quarantine: orphan swept"
-      );
-    } catch (err) {
-      log2.warn({ err, path: full }, "skill_quarantine: orphan sweep rm failed");
+      new AdmZip4(full).getEntries();
+      valid = true;
+    } catch {
+      valid = false;
     }
+    if (valid) {
+      try {
+        await rename(full, getQuarantineZipPath(md5));
+        committed.add(md5);
+        log2.info(
+          { path: full, md5, metric: Metric.RECONCILED },
+          "skill_quarantine: reconciled tmp \u2192 published"
+        );
+      } catch (err) {
+        log2.warn(
+          { err, path: full, md5 },
+          "skill_quarantine: reconcile rename failed"
+        );
+      }
+      continue;
+    }
+    const { mtimeMs } = await stat2(full).catch(() => ({ mtimeMs: now }));
+    if (now - mtimeMs < PARTIAL_SWEEP_GRACE_MS) continue;
+    await unlink(full).catch(
+      (err) => log2.warn({ err, path: full }, "skill_quarantine: partial unlink failed")
+    );
+    log2.info(
+      { path: full, metric: Metric.SWEPT_PARTIAL },
+      "skill_quarantine: swept broken tmp (partial write)"
+    );
   }
-  return swept;
 }
-async function tryRm(p) {
-  try {
-    await rm(p, { recursive: true, force: true });
-  } catch {
+function exists(p) {
+  return access(p).then(
+    () => true,
+    () => false
+  );
+}
+function ignoreErr() {
+}
+async function addFolderAsync(zip, root, prefix) {
+  async function walk(dir, relPrefix) {
+    const entries = await readdir2(dir, { withFileTypes: true });
+    for (const e of entries) {
+      const full = path18.join(dir, e.name);
+      const rel = path18.posix.join(relPrefix, e.name);
+      if (e.isDirectory()) await walk(full, rel);
+      else if (e.isFile()) zip.addFile(rel, await readFile2(full));
+    }
   }
+  await walk(root, prefix);
 }
 
 // src/features/analysis/skill_quarantine/queryVerdicts.ts
 async function queryVerdicts(gqlClient, md5s, log2) {
   if (md5s.length === 0) {
-    return /* @__PURE__ */ new Map();
+    return { verdicts: /* @__PURE__ */ new Map(), quarantineEnabled: false };
   }
   try {
     const res = await gqlClient.skillVerdictsByMd5(md5s);
+    const envelope = res.skillVerdictsByMd5;
     const out = /* @__PURE__ */ new Map();
-    for (const row of res.skillVerdictsByMd5) {
+    for (const row of envelope.verdicts) {
       out.set(row.md5, {
         md5: row.md5,
         verdict: row.verdict,
@@ -18307,18 +18475,41 @@ async function queryVerdicts(gqlClient, md5s, log2) {
         scannedAt: row.scannedAt
       });
     }
-    return out;
+    return { verdicts: out, quarantineEnabled: envelope.quarantineEnabled };
   } catch (err) {
     log2.warn(
       { err, md5_count: md5s.length, metric: "skill_quarantine.query_error" },
       "skill_quarantine: verdict query failed, failing open"
     );
-    return /* @__PURE__ */ new Map();
+    return { verdicts: /* @__PURE__ */ new Map(), quarantineEnabled: false };
   }
 }
 
 // src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+var SKILL_PARENT_DIRS = [
+  ".claude/skills",
+  ".claude/commands",
+  ".claude/agents"
+];
+async function getSkillDirsMtimeMs(cwd) {
+  const home = homedir4();
+  const dirs = SKILL_PARENT_DIRS.flatMap((d) => [
+    path19.join(cwd, d),
+    path19.join(home, d)
+  ]);
+  let max = 0;
+  for (const dir of dirs) {
+    try {
+      const s = await stat3(dir);
+      if (s.mtimeMs > max) max = s.mtimeMs;
+    } catch {
+    }
+  }
+  return max;
+}
 var lastRunAt = /* @__PURE__ */ new Map();
+var lastDirsMtimeMs = /* @__PURE__ */ new Map();
+var seenSkillMd5s = /* @__PURE__ */ new Set();
 var killSwitchLogged = false;
 async function runQuarantineCheckIfNeeded(opts) {
   const { sessionId, cwd, gqlClient, log: log2 } = opts;
@@ -18334,18 +18525,25 @@ async function runQuarantineCheckIfNeeded(opts) {
   }
   const now = Date.now();
   const prev = lastRunAt.get(sessionId);
-  if (prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS) {
+  const withinDebounce = prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS;
+  lastRunAt.set(sessionId, now);
+  const dirsMtime = await getSkillDirsMtimeMs(cwd);
+  if (withinDebounce && dirsMtime <= (lastDirsMtimeMs.get(sessionId) ?? 0)) {
     return;
   }
-  lastRunAt.set(sessionId, now);
+  const installed = await enumerateInstalledSkills(cwd);
+  const hasNewSkills = installed.some((s) => !seenSkillMd5s.has(s.md5));
+  if (!hasNewSkills && withinDebounce) {
+    return;
+  }
+  lastDirsMtimeMs.set(sessionId, dirsMtime);
   log2.info(
-    { sessionId, metric: Metric.CHECK_TRIGGERED },
+    { sessionId, metric: Metric.CHECK_TRIGGERED, hasNewSkills },
     "skill_quarantine: check start"
   );
   const t0 = Date.now();
   try {
-    await sweepOrphanStagingDirs(log2);
-    const installed = await enumerateInstalledSkills(cwd);
+    await reconcileAndSweep(log2);
     log2.info(
       { sessionId, count: installed.length, metric: Metric.SKILLS_CHECKED },
       "skill_quarantine: skills enumerated"
@@ -18353,11 +18551,25 @@ async function runQuarantineCheckIfNeeded(opts) {
     if (installed.length === 0) {
       return;
     }
-    const verdicts = await queryVerdicts(
+    const currentMd5s = new Set(installed.map((s) => s.md5));
+    for (const md5 of seenSkillMd5s) {
+      if (!currentMd5s.has(md5)) seenSkillMd5s.delete(md5);
+    }
+    for (const skill of installed) {
+      seenSkillMd5s.add(skill.md5);
+    }
+    const { verdicts, quarantineEnabled } = await queryVerdicts(
       gqlClient,
       installed.map((s) => s.md5),
       log2
     );
+    if (!quarantineEnabled) {
+      log2.info(
+        { sessionId, metric: Metric.CHECK_DISABLED_ORG },
+        "skill_quarantine: opt-in not enabled for any org of caller; skipping enforcement"
+      );
+      return;
+    }
     for (const skill of installed) {
       const verdict = verdicts.get(skill.md5);
       if (!verdict || verdict.verdict !== MALICIOUS_VERDICT) {
@@ -18394,7 +18606,7 @@ async function runQuarantineCheckIfNeeded(opts) {
 // src/features/claude_code/daemon_pid_file.ts
 import fs13 from "fs";
 import os4 from "os";
-import path18 from "path";
+import path20 from "path";
 
 // src/features/claude_code/data_collector_constants.ts
 var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
@@ -18415,17 +18627,17 @@ var CONTEXT_SCAN_INTERVAL_MS = 5e3;
 
 // src/features/claude_code/daemon_pid_file.ts
 function getMobbdevDir() {
-  return path18.join(os4.homedir(), ".mobbdev");
+  return path20.join(os4.homedir(), ".mobbdev");
 }
 function getDaemonCheckScriptPath() {
-  return path18.join(getMobbdevDir(), "daemon-check.js");
+  return path20.join(getMobbdevDir(), "daemon-check.js");
 }
 var DaemonPidFile = class {
   constructor() {
     __publicField(this, "data", null);
   }
   get filePath() {
-    return path18.join(getMobbdevDir(), "daemon.pid");
+    return path20.join(getMobbdevDir(), "daemon.pid");
   }
   /** Ensure ~/.mobbdev/ directory exists. */
   ensureDir() {
@@ -18487,8 +18699,8 @@ var DaemonPidFile = class {
 // src/features/claude_code/data_collector.ts
 import { execFile } from "child_process";
 import { createHash as createHash3 } from "crypto";
-import { access, open as open4, readdir as readdir3, readFile as readFile3, unlink as unlink2 } from "fs/promises";
-import path19 from "path";
+import { access as access2, open as open4, readdir as readdir3, readFile as readFile3, unlink as unlink2 } from "fs/promises";
+import path21 from "path";
 import { promisify } from "util";
 
 // src/features/analysis/context_file_uploader.ts
@@ -18753,8 +18965,8 @@ function createConfigstoreStream(store, opts) {
       heartbeatBuffer.length = 0;
     }
   }
-  function setScopePath(path35) {
-    scopePath = path35;
+  function setScopePath(path37) {
+    scopePath = path37;
   }
   return { writable, flush, setScopePath };
 }
@@ -18978,18 +19190,24 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.1" : "unknown";
+var CLI_VERSION = true ? "1.4.7" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
-  const tags = [`version:${CLI_VERSION}`];
+  const tags = [
+    `version:${CLI_VERSION}`,
+    `platform:claude_code`,
+    `os:${process.platform}`,
+    `arch:${process.arch}`
+  ];
   if (claudeCodeVersion) {
     tags.push(`cc_version:${claudeCodeVersion}`);
   }
   return tags.join(",");
 }
+var handlingDdError = false;
 function createHookLogger(opts) {
-  return createLogger({
+  const created = createLogger({
     namespace: NAMESPACE,
     scopePath: opts?.scopePath,
     enableConfigstore: opts?.enableConfigstore,
@@ -18999,9 +19217,26 @@ function createHookLogger(opts) {
       service: "mobbdev-cli-hook",
       ddtags: buildDdTags(),
       hostnameMode: "hashed",
-      unrefTimer: true
+      unrefTimer: true,
+      onError: (error) => {
+        if (handlingDdError) {
+          process.stderr.write(`dd-ship-error: ${String(error)}
+`);
+          return;
+        }
+        handlingDdError = true;
+        try {
+          created.warn(
+            { err: String(error), source: "dd-log-shipping" },
+            "Datadog log shipping failed"
+          );
+        } finally {
+          handlingDdError = false;
+        }
+      }
     }
   });
+  return created;
 }
 var logger = createHookLogger();
 var activeScopedLoggers = [];
@@ -19031,6 +19266,9 @@ function createScopedHookLog(scopePath, opts) {
   activeScopedLoggers.push(scoped);
   return scoped;
 }
+function getScopedLoggerCount() {
+  return scopedLoggerCache.size;
+}
 
 // src/features/claude_code/data_collector.ts
 var execFileAsync = promisify(execFile);
@@ -19065,18 +19303,18 @@ function getCursorKey(transcriptPath) {
 }
 async function resolveTranscriptPath(transcriptPath, sessionId) {
   try {
-    await access(transcriptPath);
+    await access2(transcriptPath);
     return transcriptPath;
   } catch {
   }
-  const filename = path19.basename(transcriptPath);
-  const dirName = path19.basename(path19.dirname(transcriptPath));
-  const projectsDir = path19.dirname(path19.dirname(transcriptPath));
+  const filename = path21.basename(transcriptPath);
+  const dirName = path21.basename(path21.dirname(transcriptPath));
+  const projectsDir = path21.dirname(path21.dirname(transcriptPath));
   const baseDirName = dirName.replace(/[-.]claude-worktrees-.+$/, "");
   if (baseDirName !== dirName) {
-    const candidate = path19.join(projectsDir, baseDirName, filename);
+    const candidate = path21.join(projectsDir, baseDirName, filename);
     try {
-      await access(candidate);
+      await access2(candidate);
       hookLog.info(
         {
           data: {
@@ -19096,9 +19334,9 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     const dirs = await readdir3(projectsDir);
     for (const dir of dirs) {
       if (dir === dirName) continue;
-      const candidate = path19.join(projectsDir, dir, filename);
+      const candidate = path21.join(projectsDir, dir, filename);
       try {
-        await access(candidate);
+        await access2(candidate);
         hookLog.info(
           {
             data: {
@@ -19125,21 +19363,33 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   let fileSize;
   let lineIndexOffset;
   if (cursor?.byteOffset) {
+    const MAX_TRANSCRIPT_READ_BYTES = 10 * 1024 * 1024;
     const fh = await open4(transcriptPath, "r");
     try {
-      const stat4 = await fh.stat();
-      fileSize = stat4.size;
-      if (cursor.byteOffset >= stat4.size) {
+      const stat5 = await fh.stat();
+      fileSize = stat5.size;
+      if (cursor.byteOffset >= stat5.size) {
         hookLog.info({ data: { sessionId } }, "No new data in transcript file");
         return {
           entries: [],
           endByteOffset: fileSize,
-          resolvedTranscriptPath: transcriptPath
+          resolvedTranscriptPath: transcriptPath,
+          transcriptBytesRead: 0
         };
       }
-      const buf = Buffer.alloc(stat4.size - cursor.byteOffset);
-      await fh.read(buf, 0, buf.length, cursor.byteOffset);
+      const bytesToRead = Math.min(
+        stat5.size - cursor.byteOffset,
+        MAX_TRANSCRIPT_READ_BYTES
+      );
+      const buf = Buffer.alloc(bytesToRead);
+      await fh.read(buf, 0, bytesToRead, cursor.byteOffset);
       content = buf.toString("utf-8");
+      if (bytesToRead < stat5.size - cursor.byteOffset && !content.endsWith("\n")) {
+        const lastNewline = content.lastIndexOf("\n");
+        if (lastNewline > 0) {
+          content = content.substring(0, lastNewline + 1);
+        }
+      }
     } finally {
       await fh.close();
     }
@@ -19155,12 +19405,34 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
       "Read transcript file from offset"
     );
   } else {
-    content = await readFile3(transcriptPath, "utf-8");
-    fileSize = Buffer.byteLength(content, "utf-8");
+    const MAX_CWD_READ_BYTES = 2 * 1024 * 1024;
+    const fh = await open4(transcriptPath, "r");
+    try {
+      const stat5 = await fh.stat();
+      fileSize = stat5.size;
+      const bytesToRead = Math.min(stat5.size, MAX_CWD_READ_BYTES);
+      const buf = Buffer.alloc(bytesToRead);
+      await fh.read(buf, 0, bytesToRead, 0);
+      content = buf.toString("utf-8");
+      if (bytesToRead < stat5.size && !content.endsWith("\n")) {
+        const lastNewline = content.lastIndexOf("\n");
+        if (lastNewline > 0) {
+          content = content.substring(0, lastNewline + 1);
+        }
+      }
+    } finally {
+      await fh.close();
+    }
     lineIndexOffset = 0;
     hookLog.debug(
-      { data: { transcriptPath, totalBytes: fileSize } },
-      "Read full transcript file"
+      {
+        data: {
+          transcriptPath,
+          totalBytes: fileSize,
+          cappedBytes: content.length
+        }
+      },
+      "Read transcript file (first run)"
     );
   }
   const startOffset = cursor?.byteOffset ?? 0;
@@ -19225,7 +19497,8 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   return {
     entries: parsed,
     endByteOffset,
-    resolvedTranscriptPath: transcriptPath
+    resolvedTranscriptPath: transcriptPath,
+    transcriptBytesRead: content.length
   };
 }
 var FILTERED_PROGRESS_SUBTYPES = /* @__PURE__ */ new Set([
@@ -19274,14 +19547,16 @@ async function cleanupStaleSessions(configDir) {
   if (lastCleanup && Date.now() - lastCleanup < CLEANUP_INTERVAL_MS) {
     return;
   }
-  const now = Date.now();
+  const cleanupStart = Date.now();
   const prefix = getSessionFilePrefix();
   try {
     const files = await readdir3(configDir);
+    const sessionFiles = files.filter(
+      (f) => f.startsWith(prefix) && f.endsWith(".json")
+    );
     let deletedCount = 0;
-    for (const file of files) {
-      if (!file.startsWith(prefix) || !file.endsWith(".json")) continue;
-      const filePath = path19.join(configDir, file);
+    for (const file of sessionFiles) {
+      const filePath = path21.join(configDir, file);
       try {
         const content = JSON.parse(await readFile3(filePath, "utf-8"));
         let newest = 0;
@@ -19292,25 +19567,34 @@ async function cleanupStaleSessions(configDir) {
             if (c?.updatedAt && c.updatedAt > newest) newest = c.updatedAt;
           }
         }
-        if (newest > 0 && now - newest > STALE_KEY_MAX_AGE_MS) {
+        if (newest > 0 && cleanupStart - newest > STALE_KEY_MAX_AGE_MS) {
           await unlink2(filePath);
           deletedCount++;
         }
       } catch {
       }
     }
-    if (deletedCount > 0) {
-      hookLog.info({ data: { deletedCount } }, "Cleaned up stale session files");
-    }
+    hookLog.info(
+      {
+        heartbeat: true,
+        data: {
+          sessionFileCount: sessionFiles.length,
+          deletedCount,
+          cleanupDurationMs: Date.now() - cleanupStart
+        }
+      },
+      "Session cleanup"
+    );
   } catch {
   }
-  configStore.set("claudeCode.lastCleanupAt", now);
+  configStore.set("claudeCode.lastCleanupAt", cleanupStart);
 }
 async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_CHUNK_SIZE, gqlClientOverride) {
   const {
     entries: rawEntries,
     endByteOffset,
-    resolvedTranscriptPath
+    resolvedTranscriptPath,
+    transcriptBytesRead
   } = await log2.timed(
     "Read transcript",
     () => readNewTranscriptEntries(
@@ -19397,15 +19681,21 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       rawData: rawEntry
     };
   });
-  const totalRawDataBytes = records.reduce((sum, r) => {
-    return sum + (r.rawData ? JSON.stringify(r.rawData).length : 0);
-  }, 0);
+  let totalRawDataBytes = 0;
+  let maxRecordBytes = 0;
+  for (const r of records) {
+    const size = r.rawData ? JSON.stringify(r.rawData).length : 0;
+    totalRawDataBytes += size;
+    if (size > maxRecordBytes) maxRecordBytes = size;
+  }
   log2.info(
     {
       data: {
         count: records.length,
         skipped: filteredOut,
+        transcriptBytesRead,
         rawDataBytes: totalRawDataBytes,
+        maxRecordBytes,
         firstRecordId: records[0]?.recordId,
         lastRecordId: records[records.length - 1]?.recordId
       }
@@ -19519,14 +19809,14 @@ async function uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2) {
 import fs14 from "fs";
 import fsPromises4 from "fs/promises";
 import os6 from "os";
-import path20 from "path";
+import path22 from "path";
 import chalk11 from "chalk";
 
 // src/features/claude_code/daemon-check-shim.tmpl.js
 var daemon_check_shim_tmpl_default = "// Mobb daemon shim \u2014 checks if daemon is alive, spawns if dead.\n// Auto-generated by mobbdev CLI. Do not edit.\nvar fs = require('fs')\nvar spawn = require('child_process').spawn\nvar path = require('path')\nvar os = require('os')\n\nvar pidFile = path.join(os.homedir(), '.mobbdev', 'daemon.pid')\nvar HEARTBEAT_STALE_MS = __HEARTBEAT_STALE_MS__\n\ntry {\n  var data = JSON.parse(fs.readFileSync(pidFile, 'utf8'))\n  if (Date.now() - data.heartbeat > HEARTBEAT_STALE_MS) throw new Error('stale')\n  process.kill(data.pid, 0) // throws ESRCH if the process is gone\n} catch (e) {\n  var localCli = process.env.MOBBDEV_LOCAL_CLI\n  var child = localCli\n    ? spawn('node', [localCli, 'claude-code-daemon'], { detached: true, stdio: 'ignore', windowsHide: true })\n    : spawn('npx', ['--yes', 'mobbdev@latest', 'claude-code-daemon'], { detached: true, stdio: 'ignore', shell: true, windowsHide: true })\n  child.unref()\n}\n";
 
 // src/features/claude_code/install_hook.ts
-var CLAUDE_SETTINGS_PATH = path20.join(os6.homedir(), ".claude", "settings.json");
+var CLAUDE_SETTINGS_PATH = path22.join(os6.homedir(), ".claude", "settings.json");
 var RECOMMENDED_MATCHER = "*";
 async function claudeSettingsExists() {
   try {
@@ -19672,18 +19962,18 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir4, stat as stat3 } from "fs/promises";
+import { open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
 import os7 from "os";
-import path21 from "path";
+import path23 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function getClaudeProjectsDirs() {
   const dirs = [];
   const configDir = process.env["CLAUDE_CONFIG_DIR"];
   if (configDir) {
-    dirs.push(path21.join(configDir, "projects"));
+    dirs.push(path23.join(configDir, "projects"));
   }
-  dirs.push(path21.join(os7.homedir(), ".config", "claude", "projects"));
-  dirs.push(path21.join(os7.homedir(), ".claude", "projects"));
+  dirs.push(path23.join(os7.homedir(), ".config", "claude", "projects"));
+  dirs.push(path23.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
 async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
@@ -19691,12 +19981,12 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
     if (!file.endsWith(".jsonl")) continue;
     const sessionId = file.replace(".jsonl", "");
     if (!UUID_RE.test(sessionId)) continue;
-    const filePath = path21.join(dir, file);
+    const filePath = path23.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
     let fileStat;
     try {
-      fileStat = await stat3(filePath);
+      fileStat = await stat4(filePath);
     } catch {
       continue;
     }
@@ -19722,10 +20012,10 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       continue;
     }
     for (const projName of projectDirs) {
-      const projPath = path21.join(projectsDir, projName);
+      const projPath = path23.join(projectsDir, projName);
       let projStat;
       try {
-        projStat = await stat3(projPath);
+        projStat = await stat4(projPath);
       } catch {
         continue;
       }
@@ -19739,9 +20029,9 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       await collectJsonlFiles(files, projPath, projPath, seen, now, results);
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
-        const subagentsDir = path21.join(projPath, entry, "subagents");
+        const subagentsDir = path23.join(projPath, entry, "subagents");
         try {
-          const s = await stat3(subagentsDir);
+          const s = await stat4(subagentsDir);
           if (!s.isDirectory()) continue;
           const subFiles = await readdir4(subagentsDir);
           await collectJsonlFiles(
@@ -19789,6 +20079,9 @@ async function extractCwdFromTranscript(filePath) {
   }
   return void 0;
 }
+function getCwdCacheSize() {
+  return cwdCache.size;
+}
 
 // src/features/claude_code/daemon.ts
 async function startDaemon() {
@@ -19829,6 +20122,11 @@ async function startDaemon() {
   let cleanupConfigDir;
   const sessionCwdCache = /* @__PURE__ */ new Map();
   let lastContextScanMs = 0;
+  const machineContext = {
+    cpuCount: os8.cpus().length,
+    totalMemGB: Math.round(os8.totalmem() / 1024 ** 3),
+    nodeVersion: process.version
+  };
   while (true) {
     if (shuttingDown) {
       await gracefulExit(0, "signal");
@@ -19837,19 +20135,44 @@ async function startDaemon() {
       await gracefulExit(0, "TTL reached");
     }
     pidFile.updateHeartbeat();
+    const cpuBefore = process.cpuUsage();
+    const heapBefore = process.memoryUsage().heapUsed;
+    const cycleStart = Date.now();
+    let changedCount = 0;
+    let totalUploaded = 0;
+    let totalErrors = 0;
     try {
       const changed = await detectChangedTranscripts(lastSeen);
+      changedCount = changed.length;
       for (const transcript of changed) {
         const sessionStore = createSessionConfigStore(transcript.sessionId);
         if (!cleanupConfigDir) {
-          cleanupConfigDir = path22.dirname(sessionStore.path);
+          cleanupConfigDir = path24.dirname(sessionStore.path);
         }
-        await drainTranscript(
+        pidFile.updateHeartbeat();
+        const drainStart = Date.now();
+        const result = await drainTranscript(
           transcript,
           sessionStore,
           gqlClient,
           sessionCwdCache
         );
+        totalUploaded += result.uploaded;
+        totalErrors += result.errors;
+        if (result.uploaded > 0 || result.errors > 0) {
+          hookLog.info(
+            {
+              data: {
+                sessionId: transcript.sessionId,
+                drainDurationMs: Date.now() - drainStart,
+                chunksProcessed: result.chunks,
+                entriesUploaded: result.uploaded,
+                errors: result.errors
+              }
+            },
+            "Transcript drained"
+          );
+        }
       }
       if (lastSeen.size > 0) {
         for (const filePath of sessionCwdCache.keys()) {
@@ -19872,6 +20195,29 @@ async function startDaemon() {
     } catch (err) {
       hookLog.warn({ err }, "Unexpected error in daemon cycle");
     }
+    const cpuDelta = process.cpuUsage(cpuBefore);
+    const heapAfter = process.memoryUsage().heapUsed;
+    hookLog.info(
+      {
+        heartbeat: true,
+        data: {
+          cycleDurationMs: Date.now() - cycleStart,
+          cpuUserUs: cpuDelta.user,
+          cpuSystemUs: cpuDelta.system,
+          heapDeltaBytes: heapAfter - heapBefore,
+          heapUsedBytes: heapAfter,
+          daemonUptimeMs: Date.now() - startedAt,
+          changedTranscripts: changedCount,
+          activeTranscripts: lastSeen.size,
+          entriesUploaded: totalUploaded,
+          errors: totalErrors,
+          cwdCacheSize: getCwdCacheSize(),
+          scopedLoggerCount: getScopedLoggerCount(),
+          ...machineContext
+        }
+      },
+      "daemon poll cycle"
+    );
     await sleep2(DAEMON_POLL_INTERVAL_MS);
   }
 }
@@ -19910,6 +20256,9 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
   const log2 = createScopedHookLog(cwd ?? transcript.projectDir, {
     daemonMode: true
   });
+  let totalUploaded = 0;
+  let totalErrors = 0;
+  let chunks = 0;
   if (cwd) {
     sessionCwdCache.set(transcript.filePath, {
       sessionId: transcript.sessionId,
@@ -19919,6 +20268,7 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
   try {
     let hasMore = true;
     while (hasMore) {
+      chunks++;
       const result = await processTranscript(
         {
           session_id: transcript.sessionId,
@@ -19930,8 +20280,10 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
         DAEMON_CHUNK_SIZE,
         gqlClient
       );
+      totalUploaded += result.entriesUploaded;
       hasMore = result.entriesUploaded + result.entriesSkipped >= DAEMON_CHUNK_SIZE;
       if (result.errors > 0) {
+        totalErrors += result.errors;
         hookLog.warn(
           {
             data: {
@@ -19963,6 +20315,7 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
       );
     });
   }
+  return { uploaded: totalUploaded, errors: totalErrors, chunks };
 }
 async function detectChangedTranscripts(lastSeen) {
   const transcripts = await scanForTranscripts();
@@ -20139,8 +20492,8 @@ var WorkspaceService = class {
    * Sets a known workspace path that was discovered through successful validation
    * @param path The validated workspace path to store
    */
-  static setKnownWorkspacePath(path35) {
-    this.knownWorkspacePath = path35;
+  static setKnownWorkspacePath(path37) {
+    this.knownWorkspacePath = path37;
   }
   /**
    * Gets the known workspace path that was previously validated
@@ -21000,8 +21353,8 @@ async function createAuthenticatedMcpGQLClient({
 // src/mcp/services/McpUsageService/host.ts
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
-import os8 from "os";
-import path23 from "path";
+import os9 from "os";
+import path25 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
   try {
@@ -21015,8 +21368,8 @@ var gitInfo = {
   email: runCommand("git config user.email")
 };
 var getClaudeWorkspacePaths = () => {
-  const home = os8.homedir();
-  const claudeIdePath = path23.join(home, ".claude", "ide");
+  const home = os9.homedir();
+  const claudeIdePath = path25.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
     return workspacePaths;
@@ -21024,7 +21377,7 @@ var getClaudeWorkspacePaths = () => {
   try {
     const lockFiles = fs15.readdirSync(claudeIdePath).filter((file) => file.endsWith(".lock"));
     for (const lockFile of lockFiles) {
-      const lockFilePath = path23.join(claudeIdePath, lockFile);
+      const lockFilePath = path25.join(claudeIdePath, lockFile);
       try {
         const lockContent = JSON.parse(fs15.readFileSync(lockFilePath, "utf8"));
         if (lockContent.workspaceFolders && Array.isArray(lockContent.workspaceFolders)) {
@@ -21044,29 +21397,29 @@ var getClaudeWorkspacePaths = () => {
   return workspacePaths;
 };
 var getMCPConfigPaths = (hostName) => {
-  const home = os8.homedir();
+  const home = os9.homedir();
   const currentDir = process.env["WORKSPACE_FOLDER_PATHS"] || process.env["PWD"] || process.cwd();
   switch (hostName.toLowerCase()) {
     case "cursor":
       return [
-        path23.join(currentDir, ".cursor", "mcp.json"),
+        path25.join(currentDir, ".cursor", "mcp.json"),
         // local first
-        path23.join(home, ".cursor", "mcp.json")
+        path25.join(home, ".cursor", "mcp.json")
       ];
     case "windsurf":
       return [
-        path23.join(currentDir, ".codeium", "mcp_config.json"),
+        path25.join(currentDir, ".codeium", "mcp_config.json"),
         // local first
-        path23.join(home, ".codeium", "windsurf", "mcp_config.json")
+        path25.join(home, ".codeium", "windsurf", "mcp_config.json")
       ];
     case "webstorm":
       return [];
     case "visualstudiocode":
     case "vscode":
       return [
-        path23.join(currentDir, ".vscode", "mcp.json"),
+        path25.join(currentDir, ".vscode", "mcp.json"),
         // local first
-        process.platform === "win32" ? path23.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path23.join(
+        process.platform === "win32" ? path25.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path25.join(
           home,
           "Library",
           "Application Support",
@@ -21077,13 +21430,13 @@ var getMCPConfigPaths = (hostName) => {
       ];
     case "claude": {
       const claudePaths = [
-        path23.join(currentDir, ".claude.json"),
+        path25.join(currentDir, ".claude.json"),
         // local first
-        path23.join(home, ".claude.json")
+        path25.join(home, ".claude.json")
       ];
       const workspacePaths = getClaudeWorkspacePaths();
       for (const workspacePath of workspacePaths) {
-        claudePaths.push(path23.join(workspacePath, ".mcp.json"));
+        claudePaths.push(path25.join(workspacePath, ".mcp.json"));
       }
       return claudePaths;
     }
@@ -21134,7 +21487,7 @@ var readMCPConfig = (hostName) => {
 };
 var getRunningProcesses = () => {
   try {
-    return os8.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
+    return os9.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
   } catch {
     return "";
   }
@@ -21209,7 +21562,7 @@ var versionCommands = {
   }
 };
 var getProcessInfo = (pid) => {
-  const platform2 = os8.platform();
+  const platform2 = os9.platform();
   try {
     if (platform2 === "linux" || platform2 === "darwin") {
       const output = execSync2(`ps -o pid=,ppid=,comm= -p ${pid}`, {
@@ -21244,10 +21597,10 @@ var getHostInfo = (additionalMcpList) => {
   const ideConfigPaths = /* @__PURE__ */ new Set();
   for (const ide of IDEs) {
     const configPaths = getMCPConfigPaths(ide);
-    configPaths.forEach((path35) => ideConfigPaths.add(path35));
+    configPaths.forEach((path37) => ideConfigPaths.add(path37));
   }
   const uniqueAdditionalPaths = additionalMcpList.filter(
-    (path35) => !ideConfigPaths.has(path35)
+    (path37) => !ideConfigPaths.has(path37)
   );
   for (const ide of IDEs) {
     const cfg = readMCPConfig(ide);
@@ -21328,7 +21681,7 @@ var getHostInfo = (additionalMcpList) => {
     const config2 = allConfigs[ide] || null;
     const ideName = ide.charAt(0).toUpperCase() + ide.slice(1) || "Unknown";
     let ideVersion = "Unknown";
-    const platform2 = os8.platform();
+    const platform2 = os9.platform();
     const cmds = versionCommands[ideName]?.[platform2] ?? [];
     for (const cmd of cmds) {
       try {
@@ -21361,15 +21714,15 @@ var getHostInfo = (additionalMcpList) => {
 
 // src/mcp/services/McpUsageService/McpUsageService.ts
 import fetch6 from "node-fetch";
-import os10 from "os";
+import os11 from "os";
 import { v4 as uuidv42, v5 as uuidv5 } from "uuid";
 init_configs();
 
 // src/mcp/services/McpUsageService/system.ts
 init_configs();
 import fs16 from "fs";
-import os9 from "os";
-import path24 from "path";
+import os10 from "os";
+import path26 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
 var isFileMatch = (fileName) => {
@@ -21389,7 +21742,7 @@ var searchDir = async (dir, depth = 0) => {
   if (depth > MAX_DEPTH) return results;
   const entries = await fs16.promises.readdir(dir, { withFileTypes: true }).catch(() => []);
   for (const entry of entries) {
-    const fullPath = path24.join(dir, entry.name);
+    const fullPath = path26.join(dir, entry.name);
     if (entry.isFile() && isFileMatch(entry.name)) {
       results.push(fullPath);
     } else if (entry.isDirectory()) {
@@ -21403,17 +21756,17 @@ var searchDir = async (dir, depth = 0) => {
 };
 var findSystemMCPConfigs = async () => {
   try {
-    const home = os9.homedir();
-    const platform2 = os9.platform();
+    const home = os10.homedir();
+    const platform2 = os10.platform();
     const knownDirs = platform2 === "win32" ? [
-      path24.join(home, ".cursor"),
-      path24.join(home, "Documents"),
-      path24.join(home, "Downloads")
+      path26.join(home, ".cursor"),
+      path26.join(home, "Documents"),
+      path26.join(home, "Downloads")
     ] : [
-      path24.join(home, ".cursor"),
-      process.env["XDG_CONFIG_HOME"] || path24.join(home, ".config"),
-      path24.join(home, "Documents"),
-      path24.join(home, "Downloads")
+      path26.join(home, ".cursor"),
+      process.env["XDG_CONFIG_HOME"] || path26.join(home, ".config"),
+      path26.join(home, "Documents"),
+      path26.join(home, "Downloads")
     ];
     const timeoutPromise = new Promise(
       (resolve) => setTimeout(() => {
@@ -21476,7 +21829,7 @@ var McpUsageService = class {
   generateHostId() {
     const stored = configStore.get(this.configKey);
     if (stored?.mcpHostId) return stored.mcpHostId;
-    const interfaces = os10.networkInterfaces();
+    const interfaces = os11.networkInterfaces();
     const macs = [];
     for (const iface of Object.values(interfaces)) {
       if (!iface) continue;
@@ -21484,7 +21837,7 @@ var McpUsageService = class {
         if (net.mac && net.mac !== "00:00:00:00:00:00") macs.push(net.mac);
       }
     }
-    const macString = macs.length ? macs.sort().join(",") : `${os10.hostname()}-${uuidv42()}`;
+    const macString = macs.length ? macs.sort().join(",") : `${os11.hostname()}-${uuidv42()}`;
     const hostId = uuidv5(macString, uuidv5.DNS);
     logDebug("[UsageService] Generated new host ID", { hostId });
     return hostId;
@@ -21507,7 +21860,7 @@ var McpUsageService = class {
       mcpHostId,
       organizationId,
       mcpVersion: packageJson.version,
-      mcpOsName: os10.platform(),
+      mcpOsName: os11.platform(),
       mcps: JSON.stringify(mcps),
       status,
       userName: user.name,
@@ -23828,30 +24181,30 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
-import * as os12 from "os";
-import * as path26 from "path";
+import * as os13 from "os";
+import * as path28 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
 init_configs();
 import * as fs18 from "fs";
 import fetch7 from "node-fetch";
-import * as path25 from "path";
+import * as path27 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
-import * as os11 from "os";
+import * as os12 from "os";
 
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
-import * as os13 from "os";
-import * as path27 from "path";
+import * as os14 from "os";
+import * as path29 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
 import { z as z42 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs21 from "fs";
-import path28 from "path";
+import path30 from "path";
 async function validatePath(inputPath) {
   logDebug("Validating MCP path", { inputPath });
   if (/^\/[a-zA-Z]:\//.test(inputPath)) {
@@ -23883,7 +24236,7 @@ async function validatePath(inputPath) {
     logError(error);
     return { isValid: false, error, path: inputPath };
   }
-  const normalizedPath = path28.normalize(inputPath);
+  const normalizedPath = path30.normalize(inputPath);
   if (normalizedPath.includes("..")) {
     const error = `Normalized path contains path traversal patterns: ${inputPath}`;
     logError(error);
@@ -24535,7 +24888,7 @@ init_configs();
 import fs22 from "fs/promises";
 import nodePath from "path";
 var getLocalFiles = async ({
-  path: path35,
+  path: path37,
   maxFileSize = MCP_MAX_FILE_SIZE,
   maxFiles,
   isAllFilesScan,
@@ -24543,17 +24896,17 @@ var getLocalFiles = async ({
   scanRecentlyChangedFiles
 }) => {
   logDebug(`[${scanContext}] Starting getLocalFiles`, {
-    path: path35,
+    path: path37,
     maxFileSize,
     maxFiles,
     isAllFilesScan,
     scanRecentlyChangedFiles
   });
   try {
-    const resolvedRepoPath = await fs22.realpath(path35);
+    const resolvedRepoPath = await fs22.realpath(path37);
     logDebug(`[${scanContext}] Resolved repository path`, {
       resolvedRepoPath,
-      originalPath: path35
+      originalPath: path37
     });
     const gitService = new GitService(resolvedRepoPath, log);
     const gitValidation = await gitService.validateRepository();
@@ -24566,7 +24919,7 @@ var getLocalFiles = async ({
     if (!gitValidation.isValid || isAllFilesScan) {
       try {
         files = await FileUtils.getLastChangedFiles({
-          dir: path35,
+          dir: path37,
           maxFileSize,
           maxFiles,
           isAllFilesScan
@@ -24658,7 +25011,7 @@ var getLocalFiles = async ({
     logError(`${scanContext}Unexpected error in getLocalFiles`, {
       error: error instanceof Error ? error.message : String(error),
       stack: error instanceof Error ? error.stack : void 0,
-      path: path35
+      path: path37
     });
     throw error;
   }
@@ -24668,7 +25021,7 @@ var getLocalFiles = async ({
 init_client_generates();
 init_GitService();
 import fs23 from "fs";
-import path29 from "path";
+import path31 from "path";
 import { z as z41 } from "zod";
 function extractPathFromPatch(patch) {
   const match = patch?.match(/diff --git a\/([^\s]+) b\//);
@@ -24754,7 +25107,7 @@ var LocalMobbFolderService = class {
           "[LocalMobbFolderService] Non-git repository detected, skipping .gitignore operations"
         );
       }
-      const mobbFolderPath = path29.join(
+      const mobbFolderPath = path31.join(
         this.repoPath,
         this.defaultMobbFolderName
       );
@@ -24926,7 +25279,7 @@ var LocalMobbFolderService = class {
         mobbFolderPath,
         baseFileName
       );
-      const filePath = path29.join(mobbFolderPath, uniqueFileName);
+      const filePath = path31.join(mobbFolderPath, uniqueFileName);
       await fs23.promises.writeFile(filePath, patch, "utf8");
       logInfo("[LocalMobbFolderService] Patch saved successfully", {
         filePath,
@@ -24984,11 +25337,11 @@ var LocalMobbFolderService = class {
    * @returns Unique filename that doesn't conflict with existing files
    */
   getUniqueFileName(folderPath, baseFileName) {
-    const baseName = path29.parse(baseFileName).name;
-    const extension = path29.parse(baseFileName).ext;
+    const baseName = path31.parse(baseFileName).name;
+    const extension = path31.parse(baseFileName).ext;
     let uniqueFileName = baseFileName;
     let index = 1;
-    while (fs23.existsSync(path29.join(folderPath, uniqueFileName))) {
+    while (fs23.existsSync(path31.join(folderPath, uniqueFileName))) {
       uniqueFileName = `${baseName}-${index}${extension}`;
       index++;
       if (index > 1e3) {
@@ -25019,7 +25372,7 @@ var LocalMobbFolderService = class {
     logDebug("[LocalMobbFolderService] Logging patch info", { fixId: fix.id });
     try {
       const mobbFolderPath = await this.getFolder();
-      const patchInfoPath = path29.join(mobbFolderPath, "patchInfo.md");
+      const patchInfoPath = path31.join(mobbFolderPath, "patchInfo.md");
       const markdownContent = this.generateFixMarkdown(fix, savedPatchFileName);
       let existingContent = "";
       if (fs23.existsSync(patchInfoPath)) {
@@ -25061,7 +25414,7 @@ var LocalMobbFolderService = class {
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     const patch = this.extractPatchFromFix(fix);
     const relativePatchedFilePath = patch ? extractPathFromPatch(patch) : null;
-    const patchedFilePath = relativePatchedFilePath ? path29.resolve(this.repoPath, relativePatchedFilePath) : null;
+    const patchedFilePath = relativePatchedFilePath ? path31.resolve(this.repoPath, relativePatchedFilePath) : null;
     const fixIdentifier = savedPatchFileName ? savedPatchFileName.replace(".patch", "") : fix.id;
     let markdown = `# Fix ${fixIdentifier}
 
@@ -25397,7 +25750,7 @@ var LocalMobbFolderService = class {
 // src/mcp/services/PatchApplicationService.ts
 init_configs();
 import {
-  existsSync as existsSync7,
+  existsSync as existsSync6,
   mkdirSync,
   readFileSync as readFileSync4,
   unlinkSync,
@@ -25405,14 +25758,14 @@ import {
 } from "fs";
 import fs24 from "fs/promises";
 import parseDiff2 from "parse-diff";
-import path30 from "path";
+import path32 from "path";
 var PatchApplicationService = class {
   /**
    * Gets the appropriate comment syntax for a file based on its extension
    */
   static getCommentSyntax(filePath) {
-    const ext = path30.extname(filePath).toLowerCase();
-    const basename2 = path30.basename(filePath);
+    const ext = path32.extname(filePath).toLowerCase();
+    const basename2 = path32.basename(filePath);
     const commentMap = {
       // C-style languages (single line comments)
       ".js": "//",
@@ -25620,7 +25973,7 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path30.dirname(normalizedFilePath);
+    const dirPath = path32.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
     writeFileSync3(normalizedFilePath, finalContent, "utf8");
     return normalizedFilePath;
@@ -25629,9 +25982,9 @@ var PatchApplicationService = class {
     repositoryPath,
     targetPath
   }) {
-    const repoRoot = path30.resolve(repositoryPath);
-    const normalizedPath = path30.resolve(repoRoot, targetPath);
-    const repoRootWithSep = repoRoot.endsWith(path30.sep) ? repoRoot : `${repoRoot}${path30.sep}`;
+    const repoRoot = path32.resolve(repositoryPath);
+    const normalizedPath = path32.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path32.sep) ? repoRoot : `${repoRoot}${path32.sep}`;
     if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
       throw new Error(
         `Security violation: target path ${targetPath} resolves outside repository`
@@ -25640,7 +25993,7 @@ var PatchApplicationService = class {
     return {
       repoRoot,
       normalizedPath,
-      relativePath: path30.relative(repoRoot, normalizedPath)
+      relativePath: path32.relative(repoRoot, normalizedPath)
     };
   }
   /**
@@ -25922,8 +26275,8 @@ var PatchApplicationService = class {
         continue;
       }
       try {
-        const absolutePath = path30.resolve(repositoryPath, targetFile);
-        if (existsSync7(absolutePath)) {
+        const absolutePath = path32.resolve(repositoryPath, targetFile);
+        if (existsSync6(absolutePath)) {
           const stats = await fs24.stat(absolutePath);
           const fileModTime = stats.mtime.getTime();
           if (fileModTime > scanStartTime) {
@@ -26124,7 +26477,7 @@ var PatchApplicationService = class {
       targetFile,
       absoluteFilePath,
       relativePath,
-      exists: existsSync7(absoluteFilePath)
+      exists: existsSync6(absoluteFilePath)
     });
     return { absoluteFilePath, relativePath };
   }
@@ -26148,7 +26501,7 @@ var PatchApplicationService = class {
       fix,
       scanContext
     });
-    appliedFiles.push(path30.relative(repositoryPath, actualPath));
+    appliedFiles.push(path32.relative(repositoryPath, actualPath));
     logDebug(`[${scanContext}] Created new file: ${relativePath}`);
   }
   /**
@@ -26160,7 +26513,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (existsSync7(absoluteFilePath)) {
+    if (existsSync6(absoluteFilePath)) {
       unlinkSync(absoluteFilePath);
       appliedFiles.push(relativePath);
       logDebug(`[${scanContext}] Deleted file: ${relativePath}`);
@@ -26179,7 +26532,7 @@ var PatchApplicationService = class {
     appliedFiles,
     scanContext
   }) {
-    if (!existsSync7(absoluteFilePath)) {
+    if (!existsSync6(absoluteFilePath)) {
       throw new Error(
         `Target file does not exist: ${targetFile} (resolved to: ${absoluteFilePath})`
       );
@@ -26197,7 +26550,7 @@ var PatchApplicationService = class {
         fix,
         scanContext
       });
-      appliedFiles.push(path30.relative(repositoryPath, actualPath));
+      appliedFiles.push(path32.relative(repositoryPath, actualPath));
       logDebug(`[${scanContext}] Modified file: ${relativePath}`);
     }
   }
@@ -26394,8 +26747,8 @@ init_configs();
 // src/mcp/services/FileOperations.ts
 init_FileUtils();
 import fs25 from "fs";
-import path31 from "path";
-import AdmZip4 from "adm-zip";
+import path33 from "path";
+import AdmZip5 from "adm-zip";
 var FileOperations = class {
   /**
    * Creates a ZIP archive containing the specified source files
@@ -26410,14 +26763,14 @@ var FileOperations = class {
     maxFileSize
   }) {
     logDebug("[FileOperations] Packing files");
-    const zip = new AdmZip4();
+    const zip = new AdmZip5();
     let packedFilesCount = 0;
     const packedFiles = [];
     const excludedFiles = [];
-    const resolvedRepoPath = path31.resolve(repositoryPath);
+    const resolvedRepoPath = path33.resolve(repositoryPath);
     for (const filepath of fileList) {
-      const absoluteFilepath = path31.join(repositoryPath, filepath);
-      const resolvedFilePath = path31.resolve(absoluteFilepath);
+      const absoluteFilepath = path33.join(repositoryPath, filepath);
+      const resolvedFilePath = path33.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         const reason = "potential path traversal security risk";
         logDebug(`[FileOperations] Skipping ${filepath} due to ${reason}`);
@@ -26464,11 +26817,11 @@ var FileOperations = class {
     fileList,
     repositoryPath
   }) {
-    const resolvedRepoPath = path31.resolve(repositoryPath);
+    const resolvedRepoPath = path33.resolve(repositoryPath);
     const validatedPaths = [];
     for (const filepath of fileList) {
-      const absoluteFilepath = path31.join(repositoryPath, filepath);
-      const resolvedFilePath = path31.resolve(absoluteFilepath);
+      const absoluteFilepath = path33.join(repositoryPath, filepath);
+      const resolvedFilePath = path33.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         logDebug(
           `[FileOperations] Rejecting ${filepath} - path traversal attempt detected`
@@ -26496,7 +26849,7 @@ var FileOperations = class {
     for (const absolutePath of filePaths) {
       try {
         const content = await fs25.promises.readFile(absolutePath);
-        const relativePath = path31.basename(absolutePath);
+        const relativePath = path33.basename(absolutePath);
         fileDataArray.push({
           relativePath,
           absolutePath,
@@ -26808,14 +27161,14 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
    * since the last scan.
    */
   async scanForSecurityVulnerabilities({
-    path: path35,
+    path: path37,
     isAllDetectionRulesScan,
     isAllFilesScan,
     scanContext
   }) {
     this.hasAuthenticationFailed = false;
     logDebug(`[${scanContext}] Scanning for new security vulnerabilities`, {
-      path: path35
+      path: path37
     });
     if (!this.gqlClient) {
       logInfo(`[${scanContext}] No GQL client found, skipping scan`);
@@ -26831,11 +27184,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       logDebug(
         `[${scanContext}] Connected to the API, assembling list of files to scan`,
-        { path: path35 }
+        { path: path37 }
       );
       const isBackgroundScan = scanContext === ScanContext.BACKGROUND_INITIAL || scanContext === ScanContext.BACKGROUND_PERIODIC;
       const files = await getLocalFiles({
-        path: path35,
+        path: path37,
         isAllFilesScan,
         scanContext,
         scanRecentlyChangedFiles: !isBackgroundScan
@@ -26861,13 +27214,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
       const { fixReportId, projectId } = await scanFiles({
         fileList: filesToScan.map((file) => file.relativePath),
-        repositoryPath: path35,
+        repositoryPath: path37,
         gqlClient: this.gqlClient,
         isAllDetectionRulesScan,
         scanContext
       });
       logInfo(
-        `[${scanContext}] Security scan completed for ${path35} reportId: ${fixReportId} projectId: ${projectId}`
+        `[${scanContext}] Security scan completed for ${path37} reportId: ${fixReportId} projectId: ${projectId}`
       );
       if (isAllFilesScan) {
         return;
@@ -27161,13 +27514,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
     return scannedFiles.some((file) => file.relativePath === fixFile);
   }
-  async getFreshFixes({ path: path35 }) {
+  async getFreshFixes({ path: path37 }) {
     const scanContext = ScanContext.USER_REQUEST;
-    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path35 });
-    if (this.path !== path35) {
-      this.path = path35;
+    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path37 });
+    if (this.path !== path37) {
+      this.path = path37;
       this.reset();
-      logInfo(`[${scanContext}] Reset service state for new path`, { path: path35 });
+      logInfo(`[${scanContext}] Reset service state for new path`, { path: path37 });
     }
     try {
       const loginContext = createMcpLoginContext("check_new_fixes");
@@ -27186,7 +27539,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       throw error;
     }
-    this.triggerScan({ path: path35, gqlClient: this.gqlClient });
+    this.triggerScan({ path: path37, gqlClient: this.gqlClient });
     let isMvsAutoFixEnabled = null;
     try {
       isMvsAutoFixEnabled = await this.gqlClient.getMvsAutoFixSettings();
@@ -27220,33 +27573,33 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     return noFreshFixesPrompt;
   }
   triggerScan({
-    path: path35,
+    path: path37,
     gqlClient
   }) {
-    if (this.path !== path35) {
-      this.path = path35;
+    if (this.path !== path37) {
+      this.path = path37;
       this.reset();
-      logInfo(`Reset service state for new path in triggerScan`, { path: path35 });
+      logInfo(`Reset service state for new path in triggerScan`, { path: path37 });
     }
     this.gqlClient = gqlClient;
     if (!this.intervalId) {
-      this.startPeriodicScanning(path35);
-      this.executeInitialScan(path35);
-      void this.executeInitialFullScan(path35);
+      this.startPeriodicScanning(path37);
+      this.executeInitialScan(path37);
+      void this.executeInitialFullScan(path37);
     }
   }
-  startPeriodicScanning(path35) {
+  startPeriodicScanning(path37) {
     const scanContext = ScanContext.BACKGROUND_PERIODIC;
     logDebug(
       `[${scanContext}] Starting periodic scan for new security vulnerabilities`,
       {
-        path: path35
+        path: path37
       }
     );
     this.intervalId = setInterval(() => {
-      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path35 });
+      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path37 });
       this.scanForSecurityVulnerabilities({
-        path: path35,
+        path: path37,
         scanContext
       }).catch((error) => {
         logError(`[${scanContext}] Error during periodic security scan`, {
@@ -27255,45 +27608,45 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
     }, MCP_PERIODIC_CHECK_INTERVAL);
   }
-  async executeInitialFullScan(path35) {
+  async executeInitialFullScan(path37) {
     const scanContext = ScanContext.FULL_SCAN;
-    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path35 });
+    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path37 });
     logDebug(`[${scanContext}] Full scan paths scanned`, {
       fullScanPathsScanned: this.fullScanPathsScanned
     });
-    if (this.fullScanPathsScanned.includes(path35)) {
+    if (this.fullScanPathsScanned.includes(path37)) {
       logDebug(`[${scanContext}] Full scan already executed for this path`, {
-        path: path35
+        path: path37
       });
       return;
     }
     configStore.set("fullScanPathsScanned", [
       ...this.fullScanPathsScanned,
-      path35
+      path37
     ]);
     try {
       await this.scanForSecurityVulnerabilities({
-        path: path35,
+        path: path37,
         isAllFilesScan: true,
         isAllDetectionRulesScan: true,
         scanContext: ScanContext.FULL_SCAN
       });
-      if (!this.fullScanPathsScanned.includes(path35)) {
-        this.fullScanPathsScanned.push(path35);
+      if (!this.fullScanPathsScanned.includes(path37)) {
+        this.fullScanPathsScanned.push(path37);
         configStore.set("fullScanPathsScanned", this.fullScanPathsScanned);
       }
-      logInfo(`[${scanContext}] Full scan completed`, { path: path35 });
+      logInfo(`[${scanContext}] Full scan completed`, { path: path37 });
     } catch (error) {
       logError(`[${scanContext}] Error during initial full security scan`, {
         error
       });
     }
   }
-  executeInitialScan(path35) {
+  executeInitialScan(path37) {
     const scanContext = ScanContext.BACKGROUND_INITIAL;
-    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path35 });
+    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path37 });
     this.scanForSecurityVulnerabilities({
-      path: path35,
+      path: path37,
       scanContext: ScanContext.BACKGROUND_INITIAL
     }).catch((error) => {
       logError(`[${scanContext}] Error during initial security scan`, { error });
@@ -27390,9 +27743,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path35 = pathValidationResult.path;
+    const path37 = pathValidationResult.path;
     const resultText = await this.newFixesService.getFreshFixes({
-      path: path35
+      path: path37
     });
     logInfo("CheckForNewAvailableFixesTool execution completed", {
       resultText
@@ -27570,8 +27923,8 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path35 = pathValidationResult.path;
-    const gitService = new GitService(path35, log);
+    const path37 = pathValidationResult.path;
+    const gitService = new GitService(path37, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -27956,9 +28309,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path35 = pathValidationResult.path;
+    const path37 = pathValidationResult.path;
     const files = await getLocalFiles({
-      path: path35,
+      path: path37,
       maxFileSize: MCP_MAX_FILE_SIZE,
       maxFiles: args.maxFiles,
       scanContext: ScanContext.USER_REQUEST,
@@ -27978,7 +28331,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: path35,
+        repositoryPath: path37,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles
@@ -28279,10 +28632,10 @@ init_client_generates();
 init_urlParser2();
 
 // src/features/codeium_intellij/codeium_language_server_grpc_client.ts
-import path32 from "path";
+import path34 from "path";
 import * as grpc from "@grpc/grpc-js";
 import * as protoLoader from "@grpc/proto-loader";
-var PROTO_PATH = path32.join(
+var PROTO_PATH = path34.join(
   getModuleRootDir(),
   "src/features/codeium_intellij/proto/exa/language_server_pb/language_server.proto"
 );
@@ -28294,7 +28647,7 @@ function loadProto() {
     defaults: true,
     oneofs: true,
     includeDirs: [
-      path32.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
+      path34.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
     ]
   });
   return grpc.loadPackageDefinition(
@@ -28349,29 +28702,29 @@ async function getGrpcClient(port, csrf3) {
 
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
-import os14 from "os";
-import path33 from "path";
+import os15 from "os";
+import path35 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path33.join(os14.homedir(), "Library/Logs/JetBrains");
+    return path35.join(os15.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
-    return path33.join(
-      process.env["LOCALAPPDATA"] || path33.join(os14.homedir(), "AppData/Local"),
+    return path35.join(
+      process.env["LOCALAPPDATA"] || path35.join(os15.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path33.join(os14.homedir(), ".cache/JetBrains");
+    return path35.join(os15.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
   const logFiles = fs27.readdirSync(ideLogDir).filter((f) => /^idea(\.\d+)?\.log$/.test(f)).map((f) => ({
     name: f,
-    mtime: fs27.statSync(path33.join(ideLogDir, f)).mtimeMs
+    mtime: fs27.statSync(path35.join(ideLogDir, f)).mtimeMs
   })).sort((a, b) => a.mtime - b.mtime).map((f) => f.name);
   let latestCsrf = null;
   let latestPort = null;
   for (const logFile of logFiles) {
-    const lines = fs27.readFileSync(path33.join(ideLogDir, logFile), "utf-8").split("\n");
+    const lines = fs27.readFileSync(path35.join(ideLogDir, logFile), "utf-8").split("\n");
     for (const line of lines) {
       if (!line.includes(
         "com.codeium.intellij.language_server.LanguageServerProcessHandler"
@@ -28399,9 +28752,9 @@ function findRunningCodeiumLanguageServers() {
   const logsDir = getLogsDir();
   if (!fs27.existsSync(logsDir)) return results;
   for (const ide of fs27.readdirSync(logsDir)) {
-    let ideLogDir = path33.join(logsDir, ide);
+    let ideLogDir = path35.join(logsDir, ide);
     if (process.platform !== "darwin") {
-      ideLogDir = path33.join(ideLogDir, "log");
+      ideLogDir = path35.join(ideLogDir, "log");
     }
     if (!fs27.existsSync(ideLogDir) || !fs27.statSync(ideLogDir).isDirectory()) {
       continue;
@@ -28583,11 +28936,11 @@ function processChatStepCodeAction(step) {
 
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
-import os15 from "os";
-import path34 from "path";
+import os16 from "os";
+import path36 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path34.join(os15.homedir(), ".codeium", "hooks.json");
+  return path36.join(os16.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();
@@ -28600,7 +28953,7 @@ async function readCodeiumHooks() {
 }
 async function writeCodeiumHooks(config2) {
   const hooksPath = getCodeiumHooksPath();
-  const dir = path34.dirname(hooksPath);
+  const dir = path36.dirname(hooksPath);
   await fsPromises5.mkdir(dir, { recursive: true });
   await fsPromises5.writeFile(
     hooksPath,