mobbdev 1.4.10 → 1.4.11

package/dist/args/commands/upload_ai_blame.d.mts

@@ -206,6 +206,25 @@ declare const PromptItemArrayZ: z.ZodArray<z.ZodObject<{
     }[] | undefined;
 }>, "many">;
 type PromptItemArray = z.infer<typeof PromptItemArrayZ>;
+type RepoState = {
+    repositoryUrl: string | null;
+    branch: string | null;
+    commitSha: string | null;
+};
+/**
+ * Reads git state for tracy event attribution: repo URL, current branch, and
+ * HEAD commit SHA. Each field is read fresh — no caching across calls. Detached
+ * HEAD (rebase, bisect) returns `branch: null` rather than the literal string
+ * "HEAD" that `git rev-parse --abbrev-ref HEAD` would produce.
+ *
+ * Both the CLI daemon and the VS Code extension flow through the shared
+ * `GitService.getCurrentRepoState()` so detached-HEAD handling and SHA
+ * normalization stay in lockstep across the two clients.
+ *
+ * Never throws — non-existent dirs, missing git binaries, and unrecognized
+ * remotes all resolve to nulls so the daemon hot path can rely on a value.
+ */
+declare function readRepoState(workingDir?: string): Promise<RepoState>;
 /**
  * Gets the normalized GitHub repository URL from the current working directory.
  * Returns null if not in a git repository or if not a GitHub repository.
@@ -265,4 +284,4 @@ type UploadAiBlameHandlerOptions = {
 declare function uploadAiBlameHandler(options: UploadAiBlameHandlerOptions): Promise<void>;
 declare function uploadAiBlameCommandHandler(args: UploadAiBlameOptions): Promise<void>;
 
-export { type PromptItem, type PromptItemArray, type UploadAiBlameOptions, type UploadAiBlameResult, getRepositoryUrl, getSystemInfo, uploadAiBlameBuilder, uploadAiBlameCommandHandler, uploadAiBlameHandler, uploadAiBlameHandlerFromExtension };
+export { type PromptItem, type PromptItemArray, type RepoState, type UploadAiBlameOptions, type UploadAiBlameResult, getRepositoryUrl, getSystemInfo, readRepoState, uploadAiBlameBuilder, uploadAiBlameCommandHandler, uploadAiBlameHandler, uploadAiBlameHandlerFromExtension };

package/dist/args/commands/upload_ai_blame.mjs

@@ -464,6 +464,9 @@ var init_client_generates = __esm({
     ... on FixData {
       patch
       patchOriginalEncodingBase64
+      questions {
+        name
+      }
       extraContext {
         extraContext {
           key
@@ -3865,6 +3868,31 @@ var init_GitService = __esm({
           throw new Error(errorMessage);
         }
       }
+      /**
+       * Reads `{ branch, commitSha }` for tracy event attribution. Detached-HEAD
+       * (rebase, bisect, "open this commit") returns `branch: null` rather than
+       * the literal string `"HEAD"` that `getCurrentBranch()` produces — that
+       * literal would silently corrupt downstream branch dashboards.
+       *
+       * The two reads run in parallel so the wall-time cost is one `git`
+       * round-trip rather than two. Never throws — failures resolve to nulls so
+       * the daemon hot path can rely on a value, not an exception.
+       */
+      async getCurrentRepoState() {
+        const branchPromise = this.git.raw(["symbolic-ref", "--short", "-q", "HEAD"]).then((s) => {
+          const trimmed = s.trim();
+          return trimmed.length > 0 ? trimmed : null;
+        }).catch(() => null);
+        const commitShaPromise = this.git.raw(["rev-parse", "HEAD"]).then((s) => {
+          const trimmed = s.trim().toLowerCase();
+          return /^[0-9a-f]{40}$/.test(trimmed) ? trimmed : null;
+        }).catch(() => null);
+        const [branch, commitSha] = await Promise.all([
+          branchPromise,
+          commitShaPromise
+        ]);
+        return { branch, commitSha };
+      }
       /**
        * Gets both the current commit hash and current branch name
        */
@@ -8115,19 +8143,33 @@ var PromptItemZ = z27.object({
   }).optional()
 });
 var PromptItemArrayZ = z27.array(PromptItemZ);
-async function getRepositoryUrl(workingDir) {
+var NULL_REPO_STATE = {
+  repositoryUrl: null,
+  branch: null,
+  commitSha: null
+};
+async function readRepoState(workingDir) {
+  const dir = workingDir ?? process.cwd();
+  let gitService;
   try {
-    const gitService = new GitService(workingDir ?? process.cwd());
-    const isRepo = await gitService.isGitRepository();
-    if (!isRepo) {
-      return null;
-    }
-    const remoteUrl = await gitService.getRemoteUrl();
-    const parsed = parseScmURL(remoteUrl);
-    return parsed?.scmType && parsed.scmType !== "Unknown" ? remoteUrl : null;
+    gitService = new GitService(dir);
   } catch {
-    return null;
-  }
+    return NULL_REPO_STATE;
+  }
+  const repoStatePromise = gitService.getCurrentRepoState().catch(() => ({ branch: null, commitSha: null }));
+  const repositoryUrlPromise = gitService.getRemoteUrl().then((url) => {
+    if (!url) return null;
+    const parsed = parseScmURL(url);
+    return parsed?.scmType && parsed.scmType !== "Unknown" ? url : null;
+  }).catch(() => null);
+  const [{ branch, commitSha }, repositoryUrl] = await Promise.all([
+    repoStatePromise,
+    repositoryUrlPromise
+  ]);
+  return { repositoryUrl, branch, commitSha };
+}
+async function getRepositoryUrl(workingDir) {
+  return (await readRepoState(workingDir)).repositoryUrl;
 }
 function getSystemInfo() {
   let userName;
@@ -8409,6 +8451,7 @@ async function uploadAiBlameCommandHandler(args) {
 export {
   getRepositoryUrl,
   getSystemInfo,
+  readRepoState,
   uploadAiBlameBuilder,
   uploadAiBlameCommandHandler,
   uploadAiBlameHandler,

package/dist/index.mjs

@@ -464,6 +464,9 @@ var init_client_generates = __esm({
     ... on FixData {
       patch
       patchOriginalEncodingBase64
+      questions {
+        name
+      }
       extraContext {
         extraContext {
           key
@@ -3917,6 +3920,31 @@ var init_GitService = __esm({
           throw new Error(errorMessage);
         }
       }
+      /**
+       * Reads `{ branch, commitSha }` for tracy event attribution. Detached-HEAD
+       * (rebase, bisect, "open this commit") returns `branch: null` rather than
+       * the literal string `"HEAD"` that `getCurrentBranch()` produces — that
+       * literal would silently corrupt downstream branch dashboards.
+       *
+       * The two reads run in parallel so the wall-time cost is one `git`
+       * round-trip rather than two. Never throws — failures resolve to nulls so
+       * the daemon hot path can rely on a value, not an exception.
+       */
+      async getCurrentRepoState() {
+        const branchPromise = this.git.raw(["symbolic-ref", "--short", "-q", "HEAD"]).then((s) => {
+          const trimmed = s.trim();
+          return trimmed.length > 0 ? trimmed : null;
+        }).catch(() => null);
+        const commitShaPromise = this.git.raw(["rev-parse", "HEAD"]).then((s) => {
+          const trimmed = s.trim().toLowerCase();
+          return /^[0-9a-f]{40}$/.test(trimmed) ? trimmed : null;
+        }).catch(() => null);
+        const [branch, commitSha] = await Promise.all([
+          branchPromise,
+          commitShaPromise
+        ]);
+        return { branch, commitSha };
+      }
       /**
        * Gets both the current commit hash and current branch name
        */
@@ -9280,6 +9308,52 @@ async function executeBatchGraphQL(octokit, owner, repo, config2) {
 }
 function getGithubSdk(params = {}) {
   const octokit = getOctoKit(params);
+  async function openPrWithFiles(params2) {
+    const { owner, repo } = parseGithubOwnerAndRepo(params2.userRepoUrl);
+    const { data: repository } = await octokit.rest.repos.get({ owner, repo });
+    const defaultBranch = repository.default_branch;
+    const baseSha = await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((r) => r.data.object.sha);
+    await octokit.rest.git.createRef({
+      owner,
+      repo,
+      ref: `refs/heads/${params2.branch}`,
+      sha: baseSha
+    });
+    const tree = await octokit.rest.git.createTree({
+      owner,
+      repo,
+      base_tree: baseSha,
+      tree: params2.files.map((f) => ({
+        path: f.path,
+        mode: "100644",
+        type: "blob",
+        content: f.content
+      }))
+    });
+    const commit = await octokit.rest.git.createCommit({
+      owner,
+      repo,
+      message: params2.commitMessage ?? params2.title,
+      tree: tree.data.sha,
+      parents: [baseSha]
+    });
+    await octokit.rest.git.updateRef({
+      owner,
+      repo,
+      ref: `heads/${params2.branch}`,
+      sha: commit.data.sha
+    });
+    const pr = await octokit.rest.pulls.create({
+      owner,
+      repo,
+      title: params2.title,
+      head: params2.branch,
+      ...params2.headRepo ? { head_repo: params2.headRepo } : {},
+      body: safeBody(params2.body, MAX_GH_PR_BODY_LENGTH),
+      base: defaultBranch
+    });
+    return { pull_request_url: pr.data.html_url };
+  }
   return {
     async postPrComment(params2) {
       return octokit.request(POST_COMMENT_PATH, params2);
@@ -9576,86 +9650,26 @@ function getGithubSdk(params = {}) {
     async createPr(params2) {
       const { sourceRepoUrl, filesPaths, userRepoUrl, title, body } = params2;
       const { owner: sourceOwner, repo: sourceRepo } = parseGithubOwnerAndRepo(sourceRepoUrl);
-      const { owner, repo } = parseGithubOwnerAndRepo(userRepoUrl);
-      const [sourceFilePath, secondFilePath] = filesPaths;
-      const sourceFileContentResponse = await octokit.rest.repos.getContent({
-        owner: sourceOwner,
-        repo: sourceRepo,
-        path: `/${sourceFilePath}`
-      });
-      const { data: repository } = await octokit.rest.repos.get({ owner, repo });
-      const defaultBranch = repository.default_branch;
-      const newBranchName = `mobb/workflow-${Date.now()}`;
-      await octokit.rest.git.createRef({
-        owner,
-        repo,
-        ref: `refs/heads/${newBranchName}`,
-        sha: await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha)
-      });
-      const decodedContent = Buffer.from(
-        // Check if file content exists and handle different response types
-        typeof sourceFileContentResponse.data === "object" && !Array.isArray(sourceFileContentResponse.data) && "content" in sourceFileContentResponse.data && typeof sourceFileContentResponse.data.content === "string" ? sourceFileContentResponse.data.content : "",
-        "base64"
-      ).toString("utf-8");
-      const tree = [
-        {
-          path: sourceFilePath,
-          mode: "100644",
-          type: "blob",
-          content: decodedContent
-        }
-      ];
-      if (secondFilePath) {
-        const secondFileContentResponse = await octokit.rest.repos.getContent({
-          owner: sourceOwner,
-          repo: sourceRepo,
-          path: `/${secondFilePath}`
-        });
-        const secondDecodedContent = Buffer.from(
-          // Check if file content exists and handle different response types
-          typeof secondFileContentResponse.data === "object" && !Array.isArray(secondFileContentResponse.data) && "content" in secondFileContentResponse.data && typeof secondFileContentResponse.data.content === "string" ? secondFileContentResponse.data.content : "",
-          "base64"
-        ).toString("utf-8");
-        tree.push({
-          path: secondFilePath,
-          mode: "100644",
-          type: "blob",
-          content: secondDecodedContent
-        });
-      }
-      const createTreeResponse = await octokit.rest.git.createTree({
-        owner,
-        repo,
-        base_tree: await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha),
-        tree
-      });
-      const createCommitResponse = await octokit.rest.git.createCommit({
-        owner,
-        repo,
-        message: "Add new yaml file",
-        tree: createTreeResponse.data.sha,
-        parents: [
-          await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha)
-        ]
-      });
-      await octokit.rest.git.updateRef({
-        owner,
-        repo,
-        ref: `heads/${newBranchName}`,
-        sha: createCommitResponse.data.sha
-      });
-      const createPRResponse = await octokit.rest.pulls.create({
-        owner,
-        repo,
+      const files = await Promise.all(
+        filesPaths.map(async (filePath) => {
+          const response = await octokit.rest.repos.getContent({
+            owner: sourceOwner,
+            repo: sourceRepo,
+            path: `/${filePath}`
+          });
+          const content = typeof response.data === "object" && !Array.isArray(response.data) && "content" in response.data && typeof response.data.content === "string" ? Buffer.from(response.data.content, "base64").toString("utf-8") : "";
+          return { path: filePath, content };
+        })
+      );
+      return openPrWithFiles({
+        userRepoUrl,
+        files,
+        branch: `mobb/workflow-${Date.now()}`,
         title,
-        head: newBranchName,
-        head_repo: sourceRepo,
-        body: safeBody(body, MAX_GH_PR_BODY_LENGTH),
-        base: defaultBranch
+        body,
+        commitMessage: "Add new yaml file",
+        headRepo: sourceRepo
       });
-      return {
-        pull_request_url: createPRResponse.data.html_url
-      };
     },
     async getGithubBranchList(repoUrl) {
       const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
@@ -9666,6 +9680,35 @@ function getGithubSdk(params = {}) {
         page: 1
       });
     },
+    // T-500 — open a PR adding a single inline file. Used by the
+    // openSecuritySkillPR resolver to deliver `.claude/skills/<slug>/SKILL.md`.
+    async createPrWithContent(params2) {
+      return openPrWithFiles({
+        userRepoUrl: params2.userRepoUrl,
+        files: [{ path: params2.filePath, content: params2.content }],
+        branch: params2.branch,
+        title: params2.title,
+        body: params2.body
+      });
+    },
+    // T-500 — best-effort branch cleanup for openSecuritySkillPR retry.
+    // Swallows 422/404 so callers can call it unconditionally before
+    // a fresh PR-creation attempt.
+    async deleteBranchIfExists(params2) {
+      const { owner, repo } = parseGithubOwnerAndRepo(params2.userRepoUrl);
+      try {
+        await octokit.rest.git.deleteRef({
+          owner,
+          repo,
+          ref: `heads/${params2.branch}`
+        });
+      } catch (err) {
+        if (err instanceof RequestError && (err.status === 422 || err.status === 404)) {
+          return;
+        }
+        throw err;
+      }
+    },
     async createPullRequest(options) {
       const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
       return octokit.rest.pulls.create({
@@ -10036,6 +10079,20 @@ var GithubSCMLib = class extends SCMLib {
     });
     return { pull_request_url };
   }
+  // T-500 — sibling of `createPullRequestWithNewFile` that takes inline
+  // content rather than reading from a source repo. Used by
+  // openSecuritySkillPR to deliver `.claude/skills/<slug>/SKILL.md`.
+  async createPullRequestWithInlineFile(params) {
+    const { pull_request_url } = await this.githubSdk.createPrWithContent(params);
+    return { pull_request_url };
+  }
+  // T-500 — used by the openSecuritySkillPR resolver to clean up a
+  // branch left behind by a prior failed PR-creation attempt before
+  // retrying. Swallows missing-branch responses; only real network
+  // errors propagate.
+  async deleteBranchIfExists(params) {
+    return this.githubSdk.deleteBranchIfExists(params);
+  }
   async validateParams() {
     return await githubValidateParams(this.url, this.accessToken);
   }
@@ -14257,19 +14314,33 @@ var PromptItemZ = z27.object({
   }).optional()
 });
 var PromptItemArrayZ = z27.array(PromptItemZ);
-async function getRepositoryUrl(workingDir) {
+var NULL_REPO_STATE = {
+  repositoryUrl: null,
+  branch: null,
+  commitSha: null
+};
+async function readRepoState(workingDir) {
+  const dir = workingDir ?? process.cwd();
+  let gitService;
   try {
-    const gitService = new GitService(workingDir ?? process.cwd());
-    const isRepo = await gitService.isGitRepository();
-    if (!isRepo) {
-      return null;
-    }
-    const remoteUrl = await gitService.getRemoteUrl();
-    const parsed = parseScmURL(remoteUrl);
-    return parsed?.scmType && parsed.scmType !== "Unknown" ? remoteUrl : null;
+    gitService = new GitService(dir);
   } catch {
-    return null;
-  }
+    return NULL_REPO_STATE;
+  }
+  const repoStatePromise = gitService.getCurrentRepoState().catch(() => ({ branch: null, commitSha: null }));
+  const repositoryUrlPromise = gitService.getRemoteUrl().then((url) => {
+    if (!url) return null;
+    const parsed = parseScmURL(url);
+    return parsed?.scmType && parsed.scmType !== "Unknown" ? url : null;
+  }).catch(() => null);
+  const [{ branch, commitSha }, repositoryUrl] = await Promise.all([
+    repoStatePromise,
+    repositoryUrlPromise
+  ]);
+  return { repositoryUrl, branch, commitSha };
+}
+async function getRepositoryUrl(workingDir) {
+  return (await readRepoState(workingDir)).repositoryUrl;
 }
 function getSystemInfo() {
   let userName;
@@ -14602,7 +14673,7 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
   const { computerName, userName } = getSystemInfo();
   const defaultClientVersion = packageJson.version;
   const shouldSanitize = options?.sanitize ?? true;
-  const defaultRepoUrl = rawRecords[0]?.repositoryUrl ? void 0 : await getRepositoryUrl(workingDir) ?? void 0;
+  const defaults = workingDir != null ? await readRepoState(workingDir) : { repositoryUrl: null, branch: null, commitSha: null };
   debug10(
     "[step:sanitize] %s %d records",
     shouldSanitize ? "Sanitizing" : "Serializing",
@@ -14622,7 +14693,9 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
         const { rawData: _rawData, ...rest } = record;
         results.push({
           ...rest,
-          repositoryUrl: record.repositoryUrl ?? defaultRepoUrl,
+          repositoryUrl: record.repositoryUrl ?? defaults.repositoryUrl ?? void 0,
+          branch: record.branch ?? defaults.branch ?? void 0,
+          commitSha: record.commitSha ?? defaults.commitSha ?? void 0,
           computerName,
           userName,
           clientVersion: record.clientVersion ?? defaultClientVersion
@@ -18760,6 +18833,8 @@ async function uploadContextRecords(opts) {
     now,
     platform: platform2,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     onFileError,
     onSkillError
@@ -18770,6 +18845,8 @@ async function uploadContextRecords(opts) {
   const limit = pLimit7(UPLOAD_CONCURRENCY);
   const extraFields = {
     ...repositoryUrl !== void 0 && { repositoryUrl },
+    ...branch !== void 0 && { branch },
+    ...commitSha !== void 0 && { commitSha },
     ...clientVersion !== void 0 && { clientVersion }
   };
   const tasks = [
@@ -18855,6 +18932,8 @@ async function runContextFileUploadPipeline(opts) {
     uploadFieldsJSON,
     keyPrefix,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     submitRecords,
     onFileError,
@@ -18877,6 +18956,8 @@ async function runContextFileUploadPipeline(opts) {
     now,
     platform: platform2,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     onFileError,
     onSkillError
@@ -19232,7 +19313,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.10" : "unknown";
+var CLI_VERSION = true ? "1.4.11" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -19699,6 +19780,7 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
   }
   const cursorForModel = sessionStore.get(cursorKey);
   let lastSeenModel = cursorForModel?.lastModel ?? null;
+  const sampledRepoState = await readRepoState(input.cwd);
   const records = entries.map((entry) => {
     const { _recordId, ...rawEntry } = entry;
     const message = rawEntry["message"];
@@ -19720,7 +19802,10 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       recordId: _recordId,
       recordTimestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
       blameType: "CHAT" /* Chat */,
-      rawData: rawEntry
+      rawData: rawEntry,
+      repositoryUrl: sampledRepoState.repositoryUrl ?? void 0,
+      branch: sampledRepoState.branch,
+      commitSha: sampledRepoState.commitSha
     };
   });
   let totalRawDataBytes = 0;
@@ -20714,10 +20799,15 @@ var FixExtraContextResponseSchema = z33.object({
   extraContext: z33.array(UnstructuredFixExtraContextSchema),
   fixDescription: z33.string()
 });
+var FixQuestionSchema = z33.object({
+  __typename: z33.literal("FixQuestion").optional(),
+  name: z33.string()
+});
 var FixDataSchema = z33.object({
   __typename: z33.literal("FixData"),
   patch: z33.string(),
   patchOriginalEncodingBase64: z33.string(),
+  questions: z33.array(FixQuestionSchema),
   extraContext: FixExtraContextResponseSchema
 });
 var GetFixNoFixErrorSchema = z33.object({
@@ -20809,6 +20899,48 @@ var GetLatestReportByRepoUrlResponseSchema = z33.object({
   expiredReport: z33.array(ExpiredReportSchema)
 });
 
+// src/mcp/services/InteractiveFixFilter.ts
+var isFilterDisabled = () => {
+  const raw = process.env["MOBB_MCP_DISABLE_INTERACTIVE_FILTER"];
+  return raw === "1" || raw === "true";
+};
+var isInteractiveFix = (fix) => {
+  if (fix.patchAndQuestions.__typename !== "FixData") {
+    return false;
+  }
+  return fix.patchAndQuestions.questions.length > 0;
+};
+var ruleIdFor = (fix) => fix.safeIssueType ?? "UNKNOWN";
+var countByRule = (ruleIds) => {
+  const counts = {};
+  for (const ruleId of ruleIds) {
+    counts[ruleId] = (counts[ruleId] ?? 0) + 1;
+  }
+  return counts;
+};
+var partitionInteractiveFixes = (fixes) => {
+  if (isFilterDisabled()) {
+    return { applicableFixes: fixes, skippedRuleIds: [] };
+  }
+  const applicableFixes = [];
+  const skippedRuleIds = [];
+  for (const fix of fixes) {
+    if (isInteractiveFix(fix)) {
+      skippedRuleIds.push(ruleIdFor(fix));
+    } else {
+      applicableFixes.push(fix);
+    }
+  }
+  if (skippedRuleIds.length > 0) {
+    logInfo("[InteractiveFixFilter] Skipped interactive fixes", {
+      totalFixes: fixes.length,
+      skippedCount: skippedRuleIds.length,
+      skippedByRule: countByRule(skippedRuleIds)
+    });
+  }
+  return { applicableFixes, skippedRuleIds };
+};
+
 // src/mcp/services/McpGQLClient.ts
 var McpGQLClient = class extends GQLClient {
   constructor(args) {
@@ -21091,7 +21223,7 @@ var McpGQLClient = class extends GQLClient {
     reportData,
     limit
   }) {
-    if (!reportData) return [];
+    if (!reportData) return { applicableFixes: [], skippedRuleIds: [] };
     const reportMetadata = {
       id: reportData.id,
       organizationId: reportData.vulnerabilityReport?.project?.organizationId,
@@ -21127,7 +21259,12 @@ var McpGQLClient = class extends GQLClient {
         fixMap.set(fix.id, fixWithUrl);
       }
     }
-    return Array.from(fixMap.values()).slice(0, limit);
+    const merged = Array.from(fixMap.values());
+    const { applicableFixes, skippedRuleIds } = partitionInteractiveFixes(merged);
+    return {
+      applicableFixes: applicableFixes.slice(0, limit),
+      skippedRuleIds
+    };
   }
   async updateFixesDownloadStatus(fixIds) {
     if (fixIds.length > 0) {
@@ -21231,14 +21368,15 @@ var McpGQLClient = class extends GQLClient {
         reportCount: resp.fixReport?.length || 0
       });
       const latestReport = resp.fixReport?.[0] && FixReportSummarySchema.parse(resp.fixReport?.[0]);
-      const fixes = this.mergeUserAndSystemFixes({
+      const { applicableFixes, skippedRuleIds } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
       return {
         fixReport: latestReport ? {
           ...latestReport,
-          fixes
+          fixes: applicableFixes,
+          skippedRuleIds
         } : null,
         expiredReport: resp.expiredReport?.[0] || null
       };
@@ -21308,13 +21446,17 @@ var McpGQLClient = class extends GQLClient {
         return null;
       }
       const latestReport = FixReportSummarySchema.parse(res.fixReport?.[0]);
-      const fixes = this.mergeUserAndSystemFixes({
+      const { applicableFixes, skippedRuleIds } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
-      logDebug("[GraphQL] GetReportFixes response parsed", { fixes });
+      logDebug("[GraphQL] GetReportFixes response parsed", {
+        fixes: applicableFixes,
+        skippedCount: skippedRuleIds.length
+      });
       return {
-        fixes,
+        fixes: applicableFixes,
+        skippedRuleIds,
         totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,
         expiredReport: res.expiredReport?.[0] || null,
         fixReport: res.fixReport?.[0] ? {
@@ -24382,6 +24524,17 @@ function friendlyType(s) {
 }
 var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
 `;
+var skippedInteractiveFixesNotice = (skippedCount) => {
+  if (skippedCount <= 0) return "";
+  const s = skippedCount === 1 ? "" : "es";
+  const verb = skippedCount === 1 ? "requires" : "require";
+  const wasWere = skippedCount === 1 ? "was" : "were";
+  return `
+## Skipped fixes
+
+${skippedCount} fix${s} ${verb} user input that is not available over MCP and ${wasWere} skipped. Mention this to the user when summarizing results.
+`;
+};
 var noFixesReturnedForParametersWithGuidance = ({
   offset,
   limit,
@@ -24628,11 +24781,12 @@ var fixesFoundPrompt = ({
   fixReport,
   offset,
   limit,
-  gqlClient
+  gqlClient,
+  skippedInteractiveCount = 0
 }) => {
   const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
   if (totalFixes === 0) {
-    return noFixesAvailablePrompt;
+    return noFixesAvailablePrompt + skippedInteractiveFixesNotice(skippedInteractiveCount);
   }
   const criticalFixes = fixReport.CRITICAL?.aggregate?.count || 0;
   const highFixes = fixReport.HIGH?.aggregate?.count || 0;
@@ -24675,7 +24829,7 @@ ${applyFixesPrompt({
     offset,
     limit,
     gqlClient
-  })}`;
+  })}${skippedInteractiveFixesNotice(skippedInteractiveCount)}`;
 };
 var nextStepsPrompt = ({ scannedFiles }) => `
 ### \u{1F4C1} Scanned Files
@@ -24721,10 +24875,11 @@ var fixesPrompt = ({
   offset,
   scannedFiles,
   limit,
-  gqlClient
+  gqlClient,
+  skippedInteractiveCount = 0
 }) => {
   if (totalCount === 0) {
-    return noFixesFoundPrompt({ scannedFiles });
+    return noFixesFoundPrompt({ scannedFiles }) + skippedInteractiveFixesNotice(skippedInteractiveCount);
   }
   const shownCount = fixes.length;
   const nextOffset = offset + shownCount;
@@ -24742,7 +24897,7 @@ ${applyFixesPrompt({
     limit,
     gqlClient
   })}
-
+${skippedInteractiveFixesNotice(skippedInteractiveCount)}
 ${nextStepsPrompt({ scannedFiles })}
 `;
 };
@@ -24815,7 +24970,8 @@ For assistance:
 var freshFixesPrompt = ({
   fixes,
   limit,
-  gqlClient
+  gqlClient,
+  skippedInteractiveCount = 0
 }) => {
   return `Here are the fresh fixes to the vulnerabilities discovered by Mobb MCP
 
@@ -24830,6 +24986,7 @@ ${applyFixesPrompt({
     limit,
     gqlClient
   })}
+${skippedInteractiveFixesNotice(skippedInteractiveCount)}
 `;
 };
 function extractTargetFileFromPatch(patch) {
@@ -24848,7 +25005,8 @@ function formatSeverity(severityText, severityValue) {
 }
 var appliedFixesSummaryPrompt = ({
   fixes,
-  gqlClient
+  gqlClient,
+  skippedInteractiveCount = 0
 }) => {
   const fixIds = fixes.map((fix) => fix.id);
   void gqlClient.updateFixesDownloadStatus(fixIds);
@@ -24883,11 +25041,11 @@ ${fixes.map((fix, index) => {
 ${continuousMonitoringSection}
 
 ${autoFixSettingsSection}
-
+${skippedInteractiveFixesNotice(skippedInteractiveCount)}
 ## \u{1F4CB} Next Steps
 
 1. **Review the changes** - Check the modified files to understand what was fixed
-2. **Test your application** - Ensure the fixes don't break existing functionality  
+2. **Test your application** - Ensure the fixes don't break existing functionality
 3. **Commit the changes** - Add and commit the security fixes to your repository
 4. **Continue coding** - Mobb will keep protecting your code automatically
 
@@ -27861,7 +28019,8 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
         fixReport,
         offset: effectiveOffset,
         limit,
-        gqlClient
+        gqlClient,
+        skippedInteractiveCount: fixReport.skippedRuleIds?.length ?? 0
       });
       this.currentOffset = effectiveOffset + (fixReport.fixes?.length || 0);
       return prompt;
@@ -28196,7 +28355,8 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         offset: effectiveOffset,
         scannedFiles: [...fileList],
         limit: effectiveLimit,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        skippedInteractiveCount: fixes.skippedRuleIds.length
       });
       this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
       return prompt;
@@ -28240,7 +28400,8 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
     logDebug(`${fixes?.fixes?.length} fixes retrieved`);
     return {
       fixes: fixes?.fixes || [],
-      totalCount: fixes?.totalCount || 0
+      totalCount: fixes?.totalCount || 0,
+      skippedRuleIds: fixes?.skippedRuleIds || []
     };
   }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.10",
+  "version": "1.4.11",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",