npm - mobbdev - Versions diffs - 1.4.10 → 1.4.12 - Mend

mobbdev 1.4.10 → 1.4.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/args/commands/upload_ai_blame.d.mts +28 -9
package/dist/args/commands/upload_ai_blame.mjs +114 -15
package/dist/index.mjs +814 -146
package/package.json +1 -1

package/dist/index.mjs CHANGED Viewed

@@ -109,6 +109,9 @@ function getSdk(client, withWrapper = defaultWrapper) {
     autoPrAnalysis(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: AutoPrAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "autoPrAnalysis", "mutation", variables);
     },
+    getFixWithAnswers(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFixWithAnswersDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getFixWithAnswers", "query", variables);
+    },
     GetFixReportsByRepoUrl(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFixReportsByRepoUrlDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetFixReportsByRepoUrl", "query", variables);
     },
@@ -138,7 +141,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -312,6 +315,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["NoReturnInFinally"] = "NO_RETURN_IN_FINALLY";
       IssueType_Enum2["NoVar"] = "NO_VAR";
       IssueType_Enum2["NullDereference"] = "NULL_DEREFERENCE";
+      IssueType_Enum2["OftenMisusedBooleanGetBoolean"] = "OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN";
       IssueType_Enum2["OpenRedirect"] = "OPEN_REDIRECT";
       IssueType_Enum2["OverlyBroadCatch"] = "OVERLY_BROAD_CATCH";
       IssueType_Enum2["OverlyLargeRange"] = "OVERLY_LARGE_RANGE";
@@ -442,6 +446,7 @@ var init_client_generates = __esm({
   id
   confidence
   safeIssueType
+  safeIssueLanguage
   severityText
   gitBlameLogin
   severityValue
@@ -464,6 +469,19 @@ var init_client_generates = __esm({
     ... on FixData {
       patch
       patchOriginalEncodingBase64
+      questions {
+        key
+        name
+        defaultValue
+        value
+        inputType
+        options
+        index
+        extraContext {
+          key
+          value
+        }
+      }
       extraContext {
         extraContext {
           key
@@ -1179,6 +1197,37 @@ var init_client_generates = __esm({
       error
     }
   }
+}
+    `;
+    GetFixWithAnswersDocument = `
+    query getFixWithAnswers($fixId: uuid!, $userInput: [QuestionAnswer!]!) {
+  fixData: getFix(fixId: $fixId, userInput: $userInput, loadAnswers: false) {
+    __typename
+    ... on FixData {
+      patch
+      patchOriginalEncodingBase64
+      questions {
+        key
+        name
+        defaultValue
+        value
+        inputType
+        options
+        index
+        extraContext {
+          key
+          value
+        }
+      }
+      extraContext {
+        extraContext {
+          key
+          value
+        }
+        fixDescription
+      }
+    }
+  }
 }
     `;
     GetFixReportsByRepoUrlDocument = `
@@ -1499,7 +1548,8 @@ var init_getIssueType = __esm({
       ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
-      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation"
+      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
+      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -3917,6 +3967,31 @@ var init_GitService = __esm({
           throw new Error(errorMessage);
         }
       }
+      /**
+       * Reads `{ branch, commitSha }` for tracy event attribution. Detached-HEAD
+       * (rebase, bisect, "open this commit") returns `branch: null` rather than
+       * the literal string `"HEAD"` that `getCurrentBranch()` produces — that
+       * literal would silently corrupt downstream branch dashboards.
+       *
+       * The two reads run in parallel so the wall-time cost is one `git`
+       * round-trip rather than two. Never throws — failures resolve to nulls so
+       * the daemon hot path can rely on a value, not an exception.
+       */
+      async getCurrentRepoState() {
+        const branchPromise = this.git.raw(["symbolic-ref", "--short", "-q", "HEAD"]).then((s) => {
+          const trimmed = s.trim();
+          return trimmed.length > 0 ? trimmed : null;
+        }).catch(() => null);
+        const commitShaPromise = this.git.raw(["rev-parse", "HEAD"]).then((s) => {
+          const trimmed = s.trim().toLowerCase();
+          return /^[0-9a-f]{40}$/.test(trimmed) ? trimmed : null;
+        }).catch(() => null);
+        const [branch, commitSha] = await Promise.all([
+          branchPromise,
+          commitShaPromise
+        ]);
+        return { branch, commitSha };
+      }
       /**
        * Gets both the current commit hash and current branch name
        */
@@ -4725,7 +4800,8 @@ var fixDetailsData = {
   ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
-  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
+  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0
 };
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -9280,6 +9356,52 @@ async function executeBatchGraphQL(octokit, owner, repo, config2) {
 }
 function getGithubSdk(params = {}) {
   const octokit = getOctoKit(params);
+  async function openPrWithFiles(params2) {
+    const { owner, repo } = parseGithubOwnerAndRepo(params2.userRepoUrl);
+    const { data: repository } = await octokit.rest.repos.get({ owner, repo });
+    const defaultBranch = repository.default_branch;
+    const baseSha = await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((r) => r.data.object.sha);
+    await octokit.rest.git.createRef({
+      owner,
+      repo,
+      ref: `refs/heads/${params2.branch}`,
+      sha: baseSha
+    });
+    const tree = await octokit.rest.git.createTree({
+      owner,
+      repo,
+      base_tree: baseSha,
+      tree: params2.files.map((f) => ({
+        path: f.path,
+        mode: "100644",
+        type: "blob",
+        content: f.content
+      }))
+    });
+    const commit = await octokit.rest.git.createCommit({
+      owner,
+      repo,
+      message: params2.commitMessage ?? params2.title,
+      tree: tree.data.sha,
+      parents: [baseSha]
+    });
+    await octokit.rest.git.updateRef({
+      owner,
+      repo,
+      ref: `heads/${params2.branch}`,
+      sha: commit.data.sha
+    });
+    const pr = await octokit.rest.pulls.create({
+      owner,
+      repo,
+      title: params2.title,
+      head: params2.branch,
+      ...params2.headRepo ? { head_repo: params2.headRepo } : {},
+      body: safeBody(params2.body, MAX_GH_PR_BODY_LENGTH),
+      base: defaultBranch
+    });
+    return { pull_request_url: pr.data.html_url };
+  }
   return {
     async postPrComment(params2) {
       return octokit.request(POST_COMMENT_PATH, params2);
@@ -9576,86 +9698,26 @@ function getGithubSdk(params = {}) {
     async createPr(params2) {
       const { sourceRepoUrl, filesPaths, userRepoUrl, title, body } = params2;
       const { owner: sourceOwner, repo: sourceRepo } = parseGithubOwnerAndRepo(sourceRepoUrl);
-      const { owner, repo } = parseGithubOwnerAndRepo(userRepoUrl);
-      const [sourceFilePath, secondFilePath] = filesPaths;
-      const sourceFileContentResponse = await octokit.rest.repos.getContent({
-        owner: sourceOwner,
-        repo: sourceRepo,
-        path: `/${sourceFilePath}`
-      });
-      const { data: repository } = await octokit.rest.repos.get({ owner, repo });
-      const defaultBranch = repository.default_branch;
-      const newBranchName = `mobb/workflow-${Date.now()}`;
-      await octokit.rest.git.createRef({
-        owner,
-        repo,
-        ref: `refs/heads/${newBranchName}`,
-        sha: await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha)
-      });
-      const decodedContent = Buffer.from(
-        // Check if file content exists and handle different response types
-        typeof sourceFileContentResponse.data === "object" && !Array.isArray(sourceFileContentResponse.data) && "content" in sourceFileContentResponse.data && typeof sourceFileContentResponse.data.content === "string" ? sourceFileContentResponse.data.content : "",
-        "base64"
-      ).toString("utf-8");
-      const tree = [
-        {
-          path: sourceFilePath,
-          mode: "100644",
-          type: "blob",
-          content: decodedContent
-        }
-      ];
-      if (secondFilePath) {
-        const secondFileContentResponse = await octokit.rest.repos.getContent({
-          owner: sourceOwner,
-          repo: sourceRepo,
-          path: `/${secondFilePath}`
-        });
-        const secondDecodedContent = Buffer.from(
-          // Check if file content exists and handle different response types
-          typeof secondFileContentResponse.data === "object" && !Array.isArray(secondFileContentResponse.data) && "content" in secondFileContentResponse.data && typeof secondFileContentResponse.data.content === "string" ? secondFileContentResponse.data.content : "",
-          "base64"
-        ).toString("utf-8");
-        tree.push({
-          path: secondFilePath,
-          mode: "100644",
-          type: "blob",
-          content: secondDecodedContent
-        });
-      }
-      const createTreeResponse = await octokit.rest.git.createTree({
-        owner,
-        repo,
-        base_tree: await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha),
-        tree
-      });
-      const createCommitResponse = await octokit.rest.git.createCommit({
-        owner,
-        repo,
-        message: "Add new yaml file",
-        tree: createTreeResponse.data.sha,
-        parents: [
-          await octokit.rest.git.getRef({ owner, repo, ref: `heads/${defaultBranch}` }).then((response) => response.data.object.sha)
-        ]
-      });
-      await octokit.rest.git.updateRef({
-        owner,
-        repo,
-        ref: `heads/${newBranchName}`,
-        sha: createCommitResponse.data.sha
-      });
-      const createPRResponse = await octokit.rest.pulls.create({
-        owner,
-        repo,
+      const files = await Promise.all(
+        filesPaths.map(async (filePath) => {
+          const response = await octokit.rest.repos.getContent({
+            owner: sourceOwner,
+            repo: sourceRepo,
+            path: `/${filePath}`
+          });
+          const content = typeof response.data === "object" && !Array.isArray(response.data) && "content" in response.data && typeof response.data.content === "string" ? Buffer.from(response.data.content, "base64").toString("utf-8") : "";
+          return { path: filePath, content };
+        })
+      );
+      return openPrWithFiles({
+        userRepoUrl,
+        files,
+        branch: `mobb/workflow-${Date.now()}`,
         title,
-        head: newBranchName,
-        head_repo: sourceRepo,
-        body: safeBody(body, MAX_GH_PR_BODY_LENGTH),
-        base: defaultBranch
+        body,
+        commitMessage: "Add new yaml file",
+        headRepo: sourceRepo
       });
-      return {
-        pull_request_url: createPRResponse.data.html_url
-      };
     },
     async getGithubBranchList(repoUrl) {
       const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
@@ -9666,6 +9728,35 @@ function getGithubSdk(params = {}) {
         page: 1
       });
     },
+    // T-500 — open a PR adding a single inline file. Used by the
+    // openSecuritySkillPR resolver to deliver `.claude/skills/<slug>/SKILL.md`.
+    async createPrWithContent(params2) {
+      return openPrWithFiles({
+        userRepoUrl: params2.userRepoUrl,
+        files: [{ path: params2.filePath, content: params2.content }],
+        branch: params2.branch,
+        title: params2.title,
+        body: params2.body
+      });
+    },
+    // T-500 — best-effort branch cleanup for openSecuritySkillPR retry.
+    // Swallows 422/404 so callers can call it unconditionally before
+    // a fresh PR-creation attempt.
+    async deleteBranchIfExists(params2) {
+      const { owner, repo } = parseGithubOwnerAndRepo(params2.userRepoUrl);
+      try {
+        await octokit.rest.git.deleteRef({
+          owner,
+          repo,
+          ref: `heads/${params2.branch}`
+        });
+      } catch (err) {
+        if (err instanceof RequestError && (err.status === 422 || err.status === 404)) {
+          return;
+        }
+        throw err;
+      }
+    },
     async createPullRequest(options) {
       const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
       return octokit.rest.pulls.create({
@@ -10036,6 +10127,20 @@ var GithubSCMLib = class extends SCMLib {
     });
     return { pull_request_url };
   }
+  // T-500 — sibling of `createPullRequestWithNewFile` that takes inline
+  // content rather than reading from a source repo. Used by
+  // openSecuritySkillPR to deliver `.claude/skills/<slug>/SKILL.md`.
+  async createPullRequestWithInlineFile(params) {
+    const { pull_request_url } = await this.githubSdk.createPrWithContent(params);
+    return { pull_request_url };
+  }
+  // T-500 — used by the openSecuritySkillPR resolver to clean up a
+  // branch left behind by a prior failed PR-creation attempt before
+  // retrying. Swallows missing-branch responses; only real network
+  // errors propagate.
+  async deleteBranchIfExists(params) {
+    return this.githubSdk.deleteBranchIfExists(params);
+  }
   async validateParams() {
     return await githubValidateParams(this.url, this.accessToken);
   }
@@ -14049,8 +14154,16 @@ var ADO_PAT_PATTERN = {
   severity: "high",
   validator: (match) => match.length >= 52 && match.length <= 100
 };
+var DATADOG_APP_KEY_PATTERN = {
+  type: "DATADOG_APP_KEY",
+  regex: /\bddapp_[a-zA-Z0-9]{30,}\b/g,
+  priority: 95,
+  placeholder: "[DATADOG_APP_KEY_{n}]",
+  description: "Datadog Application Key",
+  severity: "high"
+};
 var openRedaction = new OpenRedaction({
-  customPatterns: [ADO_PAT_PATTERN],
+  customPatterns: [ADO_PAT_PATTERN, DATADOG_APP_KEY_PATTERN],
   patterns: [
     // Core Personal Data
     // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
@@ -14257,19 +14370,33 @@ var PromptItemZ = z27.object({
   }).optional()
 });
 var PromptItemArrayZ = z27.array(PromptItemZ);
-async function getRepositoryUrl(workingDir) {
+var NULL_REPO_STATE = {
+  repositoryUrl: null,
+  branch: null,
+  commitSha: null
+};
+async function readRepoState(workingDir) {
+  const dir = workingDir ?? process.cwd();
+  let gitService;
   try {
-    const gitService = new GitService(workingDir ?? process.cwd());
-    const isRepo = await gitService.isGitRepository();
-    if (!isRepo) {
-      return null;
-    }
-    const remoteUrl = await gitService.getRemoteUrl();
-    const parsed = parseScmURL(remoteUrl);
-    return parsed?.scmType && parsed.scmType !== "Unknown" ? remoteUrl : null;
+    gitService = new GitService(dir);
   } catch {
-    return null;
-  }
+    return NULL_REPO_STATE;
+  }
+  const repoStatePromise = gitService.getCurrentRepoState().catch(() => ({ branch: null, commitSha: null }));
+  const repositoryUrlPromise = gitService.getRemoteUrl().then((url) => {
+    if (!url) return null;
+    const parsed = parseScmURL(url);
+    return parsed?.scmType && parsed.scmType !== "Unknown" ? url : null;
+  }).catch(() => null);
+  const [{ branch, commitSha }, repositoryUrl] = await Promise.all([
+    repoStatePromise,
+    repositoryUrlPromise
+  ]);
+  return { repositoryUrl, branch, commitSha };
+}
+async function getRepositoryUrl(workingDir) {
+  return (await readRepoState(workingDir)).repositoryUrl;
 }
 function getSystemInfo() {
   let userName;
@@ -14602,7 +14729,7 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
   const { computerName, userName } = getSystemInfo();
   const defaultClientVersion = packageJson.version;
   const shouldSanitize = options?.sanitize ?? true;
-  const defaultRepoUrl = rawRecords[0]?.repositoryUrl ? void 0 : await getRepositoryUrl(workingDir) ?? void 0;
+  const defaults = workingDir != null ? await readRepoState(workingDir) : { repositoryUrl: null, branch: null, commitSha: null };
   debug10(
     "[step:sanitize] %s %d records",
     shouldSanitize ? "Sanitizing" : "Serializing",
@@ -14622,7 +14749,9 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
         const { rawData: _rawData, ...rest } = record;
         results.push({
           ...rest,
-          repositoryUrl: record.repositoryUrl ?? defaultRepoUrl,
+          repositoryUrl: record.repositoryUrl ?? defaults.repositoryUrl ?? void 0,
+          branch: record.branch ?? defaults.branch ?? void 0,
+          commitSha: record.commitSha ?? defaults.commitSha ?? void 0,
           computerName,
           userName,
           clientVersion: record.clientVersion ?? defaultClientVersion
@@ -18760,6 +18889,8 @@ async function uploadContextRecords(opts) {
     now,
     platform: platform2,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     onFileError,
     onSkillError
@@ -18770,6 +18901,8 @@ async function uploadContextRecords(opts) {
   const limit = pLimit7(UPLOAD_CONCURRENCY);
   const extraFields = {
     ...repositoryUrl !== void 0 && { repositoryUrl },
+    ...branch !== void 0 && { branch },
+    ...commitSha !== void 0 && { commitSha },
     ...clientVersion !== void 0 && { clientVersion }
   };
   const tasks = [
@@ -18855,6 +18988,8 @@ async function runContextFileUploadPipeline(opts) {
     uploadFieldsJSON,
     keyPrefix,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     submitRecords,
     onFileError,
@@ -18877,6 +19012,8 @@ async function runContextFileUploadPipeline(opts) {
     now,
     platform: platform2,
     repositoryUrl,
+    branch,
+    commitSha,
     clientVersion,
     onFileError,
     onSkillError
@@ -19232,7 +19369,7 @@ function createLogger(config2) {
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.10" : "unknown";
+var CLI_VERSION = true ? "1.4.12" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -19699,6 +19836,7 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
   }
   const cursorForModel = sessionStore.get(cursorKey);
   let lastSeenModel = cursorForModel?.lastModel ?? null;
+  const sampledRepoState = await readRepoState(input.cwd);
   const records = entries.map((entry) => {
     const { _recordId, ...rawEntry } = entry;
     const message = rawEntry["message"];
@@ -19720,7 +19858,10 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       recordId: _recordId,
       recordTimestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
       blameType: "CHAT" /* Chat */,
-      rawData: rawEntry
+      rawData: rawEntry,
+      repositoryUrl: sampledRepoState.repositoryUrl ?? void 0,
+      branch: sampledRepoState.branch,
+      commitSha: sampledRepoState.commitSha
     };
   });
   let totalRawDataBytes = 0;
@@ -20714,10 +20855,22 @@ var FixExtraContextResponseSchema = z33.object({
   extraContext: z33.array(UnstructuredFixExtraContextSchema),
   fixDescription: z33.string()
 });
+var FixQuestionSchema = z33.object({
+  __typename: z33.literal("FixQuestion").optional(),
+  key: z33.string(),
+  name: z33.string(),
+  defaultValue: z33.string(),
+  value: z33.string().nullable().optional(),
+  inputType: z33.nativeEnum(FixQuestionInputType),
+  options: z33.array(z33.string()),
+  index: z33.number(),
+  extraContext: z33.array(UnstructuredFixExtraContextSchema)
+});
 var FixDataSchema = z33.object({
   __typename: z33.literal("FixData"),
   patch: z33.string(),
   patchOriginalEncodingBase64: z33.string(),
+  questions: z33.array(FixQuestionSchema),
   extraContext: FixExtraContextResponseSchema
 });
 var GetFixNoFixErrorSchema = z33.object({
@@ -20730,6 +20883,7 @@ var McpFixSchema = z33.object({
   // GraphQL uses `any` type for UUID
   confidence: z33.number(),
   safeIssueType: z33.string().nullable(),
+  safeIssueLanguage: z33.string().nullable().optional(),
   severityText: z33.string().nullable(),
   gitBlameLogin: z33.string().nullable().optional(),
   // Optional in GraphQL
@@ -20809,6 +20963,63 @@ var GetLatestReportByRepoUrlResponseSchema = z33.object({
   expiredReport: z33.array(ExpiredReportSchema)
 });
+// src/mcp/services/InteractiveFixFilter.ts
+var isInteractiveFix = (fix) => {
+  if (fix.patchAndQuestions.__typename !== "FixData") {
+    return false;
+  }
+  return fix.patchAndQuestions.questions.length > 0;
+};
+var ruleIdFor = (fix) => fix.safeIssueType ?? "UNKNOWN";
+var countByRule = (ruleIds) => {
+  const counts = {};
+  for (const ruleId of ruleIds) {
+    counts[ruleId] = (counts[ruleId] ?? 0) + 1;
+  }
+  return counts;
+};
+var MOBB_MCP_DISABLE_INTERACTIVE_FILTER_DEFAULT = false;
+var isInteractiveRoutingDisabled = () => {
+  const raw = process.env["MOBB_MCP_DISABLE_INTERACTIVE_FILTER"];
+  if (!raw) return MOBB_MCP_DISABLE_INTERACTIVE_FILTER_DEFAULT;
+  const normalized = raw.toLowerCase();
+  return normalized === "1" || normalized === "true";
+};
+var partitionInteractiveFixes = (fixes) => {
+  const disabled = isInteractiveRoutingDisabled();
+  const applicableFixes = [];
+  const interactiveFixes = [];
+  const droppedInteractive = [];
+  for (const fix of fixes) {
+    if (isInteractiveFix(fix)) {
+      if (disabled) {
+        droppedInteractive.push(fix);
+      } else {
+        interactiveFixes.push(fix);
+      }
+    } else {
+      applicableFixes.push(fix);
+    }
+  }
+  if (disabled && droppedInteractive.length > 0) {
+    logInfo(
+      "[InteractiveFixFilter] Dropping interactive fixes (MOBB_MCP_DISABLE_INTERACTIVE_FILTER=true)",
+      {
+        totalFixes: fixes.length,
+        droppedCount: droppedInteractive.length,
+        droppedByRule: countByRule(droppedInteractive.map(ruleIdFor))
+      }
+    );
+  } else if (interactiveFixes.length > 0) {
+    logInfo("[InteractiveFixFilter] Routing interactive fixes to LLM", {
+      totalFixes: fixes.length,
+      interactiveCount: interactiveFixes.length,
+      interactiveByRule: countByRule(interactiveFixes.map(ruleIdFor))
+    });
+  }
+  return { applicableFixes, interactiveFixes };
+};
 // src/mcp/services/McpGQLClient.ts
 var McpGQLClient = class extends GQLClient {
   constructor(args) {
@@ -21091,7 +21302,7 @@ var McpGQLClient = class extends GQLClient {
     reportData,
     limit
   }) {
-    if (!reportData) return [];
+    if (!reportData) return { applicableFixes: [], interactiveFixes: [] };
     const reportMetadata = {
       id: reportData.id,
       organizationId: reportData.vulnerabilityReport?.project?.organizationId,
@@ -21127,7 +21338,12 @@ var McpGQLClient = class extends GQLClient {
         fixMap.set(fix.id, fixWithUrl);
       }
     }
-    return Array.from(fixMap.values()).slice(0, limit);
+    const merged = Array.from(fixMap.values());
+    const { applicableFixes, interactiveFixes } = partitionInteractiveFixes(merged);
+    return {
+      applicableFixes: applicableFixes.slice(0, limit),
+      interactiveFixes: interactiveFixes.slice(0, limit)
+    };
   }
   async updateFixesDownloadStatus(fixIds) {
     if (fixIds.length > 0) {
@@ -21231,14 +21447,15 @@ var McpGQLClient = class extends GQLClient {
         reportCount: resp.fixReport?.length || 0
       });
       const latestReport = resp.fixReport?.[0] && FixReportSummarySchema.parse(resp.fixReport?.[0]);
-      const fixes = this.mergeUserAndSystemFixes({
+      const { applicableFixes, interactiveFixes } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
       return {
         fixReport: latestReport ? {
           ...latestReport,
-          fixes
+          fixes: applicableFixes,
+          interactiveFixes
         } : null,
         expiredReport: resp.expiredReport?.[0] || null
       };
@@ -21308,13 +21525,17 @@ var McpGQLClient = class extends GQLClient {
         return null;
       }
       const latestReport = FixReportSummarySchema.parse(res.fixReport?.[0]);
-      const fixes = this.mergeUserAndSystemFixes({
+      const { applicableFixes, interactiveFixes } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
-      logDebug("[GraphQL] GetReportFixes response parsed", { fixes });
+      logDebug("[GraphQL] GetReportFixes response parsed", {
+        fixes: applicableFixes,
+        interactiveCount: interactiveFixes.length
+      });
       return {
-        fixes,
+        fixes: applicableFixes,
+        interactiveFixes,
         totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,
         expiredReport: res.expiredReport?.[0] || null,
         fixReport: res.fixReport?.[0] ? {
@@ -21332,6 +21553,36 @@ var McpGQLClient = class extends GQLClient {
       throw e;
     }
   }
+  /** Root getFix recomputes the patch; fix_by_pk.patchAndQuestions(userInput) does not (stale questions looked like cascading). */
+  async getFixWithAnswers({
+    fixId,
+    answers
+  }) {
+    try {
+      logDebug("[GraphQL] Calling getFixWithAnswers query", {
+        fixId,
+        answerCount: answers.length,
+        userInput: answers
+      });
+      const resp = await this._clientSdk.getFixWithAnswers({
+        fixId,
+        userInput: answers
+      });
+      logDebug("[GraphQL] getFixWithAnswers successful", {
+        fixId,
+        responseTypename: resp.fixData?.__typename,
+        remainingQuestionKeys: resp.fixData?.__typename === "FixData" ? resp.fixData.questions.map((q) => q.key) : void 0
+      });
+      return { fixData: resp.fixData ?? null };
+    } catch (e) {
+      logError("[GraphQL] getFixWithAnswers failed", {
+        error: e,
+        fixId,
+        ...this.getErrorContext()
+      });
+      throw e;
+    }
+  }
 };
 async function createAuthenticatedMcpGQLClient({
   isBackgroundCall = false,
@@ -24374,6 +24625,7 @@ init_client_generates();
 init_configs();
 // src/mcp/core/prompts.ts
+init_client_generates();
 init_configs();
 function friendlyType(s) {
   const withoutUnderscores = s.replace(/_/g, " ");
@@ -24382,6 +24634,133 @@ function friendlyType(s) {
 }
 var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
 `;
+var resolveQuestionText = ({
+  fix,
+  question
+}) => {
+  const language = fix.safeIssueLanguage ?? void 0;
+  const issueType = fix.safeIssueType ?? void 0;
+  if (!language || !issueType) {
+    return { content: question.name, description: "" };
+  }
+  const item = storedQuestionData_default[language]?.[issueType]?.[question.name];
+  if (!item) {
+    return { content: question.name, description: "" };
+  }
+  const args = question.extraContext.reduce(
+    (acc, ctx) => {
+      acc[ctx.key] = ctx.value;
+      return acc;
+    },
+    {}
+  );
+  try {
+    return {
+      content: item.content(args) || question.name,
+      description: item.description(args) || ""
+    };
+  } catch {
+    return { content: question.name, description: "" };
+  }
+};
+var formatQuestionInputContract = (question) => {
+  switch (question.inputType) {
+    case "SELECT" /* Select */:
+      return `Pick exactly ONE of: ${question.options.map((o) => `\`${o}\``).join(", ")}`;
+    case "NUMBER" /* Number */:
+      return 'Provide a numeric string (e.g. "60").';
+    case "TEXT" /* Text */:
+      return "Provide a free-form string (or an empty string to accept the default).";
+  }
+};
+var renderInteractiveFix = (fix, index) => {
+  if (fix.patchAndQuestions.__typename !== "FixData") return "";
+  const { questions, extraContext } = fix.patchAndQuestions;
+  const vulnerabilityType = friendlyType(fix.safeIssueType ?? "Unknown");
+  const questionsBlock = questions.slice().sort((a, b) => a.index - b.index).map((q, qIdx) => {
+    const { content, description } = resolveQuestionText({ fix, question: q });
+    const desc = description ? `
+  *Why it matters:* ${description}` : "";
+    const defaultLine = q.defaultValue ? `
+  *Default if you don't decide:* \`${q.defaultValue}\`` : "";
+    return `${qIdx + 1}. **\`${q.key}\`** \u2014 ${content}
+  *Input:* ${formatQuestionInputContract(q)}${defaultLine}${desc}`;
+  }).join("\n\n");
+  return `### Interactive fix ${index + 1}: ${vulnerabilityType}
+**Fix id:** \`${fix.id}\`
+**Description:** ${extraContext?.fixDescription || "Security vulnerability fix that requires answers before it can be tailored."}
+**Questions you must answer before this fix can be applied:**
+${questionsBlock}
+`;
+};
+var interactiveFixesPrompt = ({
+  interactiveFixes,
+  repositoryPath
+}) => {
+  if (interactiveFixes.length === 0) return "";
+  const fixesBlock = interactiveFixes.map((fix, idx) => renderInteractiveFix(fix, idx)).join("\n---\n");
+  return `
+## Interactive fixes \u2014 decide from code, then apply or abstain
+The Mobb backend produced ${interactiveFixes.length} fix${interactiveFixes.length === 1 ? "" : "es"} that need context before the patch can be tailored. **Infer answers only from the real code**: touched files, imports, framework, and how untrusted data flows (SSR/XSS/PT/SSRF, etc.). **Do NOT ask the end user** \u2014 use tooling/read-only repo inspection only.
+### CRITICAL INSTRUCTIONS \u2014 READ CAREFULLY
+1. **Defaults are hints from Mobb, not autopilot.** The line *Default if you don't decide* shows what the backend would fall back to. Prefer answers **consistent with the codebase**. Do **not** pick an answer **only** because it equals that default \u2014 a mismatched default can produce the wrong tailored patch.
+2. **Time budget \u2014 ~5 seconds per interactive fix, as one shared pool.** With ${interactiveFixes.length} interactive fix${interactiveFixes.length === 1 ? "" : "es"} above, spend **at most ~${interactiveFixes.length * 5} seconds total** inspecting the codebase before re-calling \`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\` with \`interactiveAnswers\`. The budget is a pool \u2014 one fix may take 8s if it's genuinely ambiguous while another takes 2s if the call site is obvious, as long as the total stays near the bound. If a fix is still uncertain when its share runs out, **omit it from \`interactiveAnswers\`** (rule 4) rather than over-deliberating.
+3. **Confidence required.** Include in \`interactiveAnswers\` **only** fixes where your answers are justified by what you see in code (exact SELECT strings where applicable).
+4. **Abstain rather than guess.** If you **cannot** justify any responsible answer after inspecting the code (ambiguous flows, missing callers, isomorphic bundles, unclear SSRF allowlists, etc.), **omit that fix id entirely** from \`interactiveAnswers\`. Tell the user in prose what was skipped and why so they can fix manually or follow up later \u2014 **do not fabricate answers**.
+5. **Skipping everything.** If you skip **all** interactive fixes, still call **\`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\`** once with \`"interactiveAnswers": []\` (empty array) together with \`path\`. That acknowledges abstention **without** starting a new scan. Omitting \`interactiveAnswers\` entirely falls back to scan mode instead \u2014 avoid that when you intend purely to abstain.
+6. **Use exact option strings for SELECT questions.** Copy them character-for-character from the option list. Do **not** append explanation, rationale, or commentary to the value \u2014 that turns the answer into a non-matching string and the backend silently falls back to its default.
+7. **Use the \`key\` verbatim, not the human label.** Each question shows a backtick-quoted key (e.g. \`is_server_side_code\`, \`tainted_term_type\`). That exact string goes into \`answers[].key\`. The display name (e.g. \`isServerSideCode\`, \`taintedTermType\`) is for humans only \u2014 sending it as a key means the backend won't recognise the answer and falls back to the default.
+8. **After the tool call**, summarize: fixes applied with reasoning; fixes skipped (confidence/abstention/time-budget); tool failures.
+### Decision heuristics for common questions
+(Keys shown in snake_case \u2014 copy them verbatim from each fix's question block.)
+- **\`is_server_side_code\` (XSS)** \u2014 \`yes\` when server-render or Node HTTP handlers dominate; \`no\` when clearly browser-only. If bundle/context is genuinely ambiguous after inspection, **omit** this fix from \`interactiveAnswers\`.
+- **\`tainted_term_type\` (Path Traversal)** \u2014 match how user input is joined/consumed (single filename vs path segments vs absolute). If usage cannot be determined, **omit**.
+- **\`iframe_restrictions\`** \u2014 strict sandbox (\`""\`) unless embedded content clearly needs listed capabilities.
+### How to call \`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\`
+Apply fixes you are confident about (subset allowed):
+\`\`\`json
+{
+  "path": "${repositoryPath}",
+  "interactiveAnswers": [
+    {
+      "fixId": "<fix id from below>",
+      "answers": [
+        { "key": "<question key, exactly as shown>", "value": "<your decided value>" }
+      ]
+    }
+  ]
+}
+\`\`\`
+Explicit abstention \u2014 skip **all** interactive fixes without rescanning:
+\`\`\`json
+{
+  "path": "${repositoryPath}",
+  "interactiveAnswers": []
+}
+\`\`\`
+${fixesBlock}
+`;
+};
+var interactiveAnswersAbstainAllToolResponse = `## Interactive fixes \u2014 none applied
+\`interactiveAnswers\` was an empty array: **no** tailored patches were requested and **no** scan was run.
+State clearly for the user which interactive fixes you **skipped**, why the code did not support a confident answer, and that they can apply those manually or re-run after clarifying the codebase.`;
 var noFixesReturnedForParametersWithGuidance = ({
   offset,
   limit,
@@ -24440,9 +24819,13 @@ var applyFixesPrompt = ({
   currentTool,
   offset,
   limit,
-  gqlClient
+  gqlClient,
+  hasInteractiveFixes = false
 }) => {
   if (fixes.length === 0) {
+    if (hasInteractiveFixes) {
+      return "";
+    }
     if (totalCount > 0) {
       return noFixesReturnedForParametersWithGuidance({
         offset,
@@ -24628,11 +25011,17 @@ var fixesFoundPrompt = ({
   fixReport,
   offset,
   limit,
-  gqlClient
+  gqlClient,
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
+  const interactiveBlock = interactiveFixesPrompt({
+    interactiveFixes,
+    repositoryPath
+  });
   if (totalFixes === 0) {
-    return noFixesAvailablePrompt;
+    return noFixesAvailablePrompt + interactiveBlock;
   }
   const criticalFixes = fixReport.CRITICAL?.aggregate?.count || 0;
   const highFixes = fixReport.HIGH?.aggregate?.count || 0;
@@ -24674,8 +25063,9 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
     offset,
     limit,
-    gqlClient
-  })}`;
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
+  })}${interactiveBlock}`;
 };
 var nextStepsPrompt = ({ scannedFiles }) => `
 ### \u{1F4C1} Scanned Files
@@ -24721,10 +25111,16 @@ var fixesPrompt = ({
   offset,
   scannedFiles,
   limit,
-  gqlClient
+  gqlClient,
+  interactiveFixes = [],
+  repositoryPath
 }) => {
+  const interactiveBlock = interactiveFixesPrompt({
+    interactiveFixes,
+    repositoryPath
+  });
   if (totalCount === 0) {
-    return noFixesFoundPrompt({ scannedFiles });
+    return noFixesFoundPrompt({ scannedFiles }) + interactiveBlock;
   }
   const shownCount = fixes.length;
   const nextOffset = offset + shownCount;
@@ -24740,9 +25136,10 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES,
     offset,
     limit,
-    gqlClient
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
   })}
+${interactiveBlock}
 ${nextStepsPrompt({ scannedFiles })}
 `;
 };
@@ -24815,7 +25212,9 @@ For assistance:
 var freshFixesPrompt = ({
   fixes,
   limit,
-  gqlClient
+  gqlClient,
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   return `Here are the fresh fixes to the vulnerabilities discovered by Mobb MCP
@@ -24828,8 +25227,10 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
     offset: 0,
     limit,
-    gqlClient
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
   })}
+${interactiveFixesPrompt({ interactiveFixes, repositoryPath })}
 `;
 };
 function extractTargetFileFromPatch(patch) {
@@ -24848,7 +25249,9 @@ function formatSeverity(severityText, severityValue) {
 }
 var appliedFixesSummaryPrompt = ({
   fixes,
-  gqlClient
+  gqlClient,
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   const fixIds = fixes.map((fix) => fix.id);
   void gqlClient.updateFixesDownloadStatus(fixIds);
@@ -24883,11 +25286,11 @@ ${fixes.map((fix, index) => {
 ${continuousMonitoringSection}
 ${autoFixSettingsSection}
+${interactiveFixesPrompt({ interactiveFixes, repositoryPath })}
 ## \u{1F4CB} Next Steps
 1. **Review the changes** - Check the modified files to understand what was fixed
-2. **Test your application** - Ensure the fixes don't break existing functionality
+2. **Test your application** - Ensure the fixes don't break existing functionality
 3. **Commit the changes** - Add and commit the security fixes to your repository
 4. **Continue coding** - Mobb will keep protecting your code automatically
@@ -25790,6 +26193,7 @@ var LocalMobbFolderService = class {
 };
 // src/mcp/services/PatchApplicationService.ts
+init_client_generates();
 init_configs();
 import {
   existsSync as existsSync6,
@@ -26355,7 +26759,8 @@ var PatchApplicationService = class {
     repositoryPath,
     scanStartTime,
     gqlClient,
-    scanContext
+    scanContext,
+    downloadSource = "AUTO_MVS" /* AutoMvs */
   }) {
     const appliedFixes = [];
     const failedFixes = [];
@@ -26414,20 +26819,26 @@ var PatchApplicationService = class {
     if (appliedFixes.length > 0 && gqlClient) {
       try {
         const appliedFixIds = appliedFixes.map((fix) => fix.id).filter(Boolean);
-        await gqlClient.updateAutoAppliedFixesStatus(appliedFixIds);
+        if (downloadSource === "MCP" /* Mcp */) {
+          await gqlClient.updateFixesDownloadStatus(appliedFixIds);
+        } else {
+          await gqlClient.updateAutoAppliedFixesStatus(appliedFixIds);
+        }
         logDebug(
-          `[${scanContext}] Successfully updated download status for auto-applied fixes`,
+          `[${scanContext}] Successfully updated download status for applied fixes`,
           {
             appliedFixIds,
-            count: appliedFixIds.length
+            count: appliedFixIds.length,
+            downloadSource
           }
         );
       } catch (error) {
         logError(
-          `[${scanContext}] Failed to update download status for auto-applied fixes`,
+          `[${scanContext}] Failed to update download status for applied fixes`,
           {
             error: error instanceof Error ? error.message : String(error),
-            appliedFixCount: appliedFixes.length
+            appliedFixCount: appliedFixes.length,
+            downloadSource
           }
         );
       }
@@ -27169,6 +27580,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     __publicField(this, "path", "");
     __publicField(this, "filesLastScanned", {});
     __publicField(this, "freshFixes", []);
+    __publicField(this, "interactiveFixes", []);
     __publicField(this, "reportedFixes", []);
     __publicField(this, "intervalId", null);
     __publicField(this, "isInitialScanComplete", false);
@@ -27190,6 +27602,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
   reset() {
     this.filesLastScanned = {};
     this.freshFixes = [];
+    this.interactiveFixes = [];
     this.reportedFixes = [];
     this.hasAuthenticationFailed = false;
     this.fullScanPathsScanned = configStore.get("fullScanPathsScanned") || [];
@@ -27275,6 +27688,16 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       const newFixes = fixes?.fixes?.filter(
         (fix) => !this.isFixAlreadyReported(fix)
       );
+      const newInteractiveFixes = fixes?.interactiveFixes?.filter(
+        (fix) => !this.isFixAlreadyReported(fix)
+      ) ?? [];
+      if (newInteractiveFixes.length > 0) {
+        this.interactiveFixes.push(...newInteractiveFixes);
+        logInfo(
+          `[${scanContext}] Buffered ${newInteractiveFixes.length} interactive fixes for next response`,
+          { totalBuffered: this.interactiveFixes.length }
+        );
+      }
       logInfo(
         `[${scanContext}] Security fixes retrieved, total: ${fixes?.fixes?.length || 0}, new: ${newFixes?.length || 0}`
       );
@@ -27704,7 +28127,9 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       return freshFixesPrompt({
         fixes: freshFixes,
         limit: MCP_DEFAULT_LIMIT,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        interactiveFixes: this.interactiveFixes.splice(0, MCP_DEFAULT_LIMIT),
+        repositoryPath: this.path
       });
     }
     logInfo(`[${scanContext}] No fresh fixes to report`);
@@ -27718,7 +28143,9 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       );
       return appliedFixesSummaryPrompt({
         fixes: appliedFixesToShow,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        interactiveFixes: this.interactiveFixes.splice(0, MCP_DEFAULT_LIMIT),
+        repositoryPath: this.path
       });
     }
     logInfo(`[${scanContext}] No applied fixes to report`);
@@ -27825,6 +28252,7 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
   }
   async checkForAvailableFixes({
     repoUrl,
+    repositoryPath,
     limit = MCP_DEFAULT_LIMIT,
     offset,
     fileFilter
@@ -27861,7 +28289,9 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
         fixReport,
         offset: effectiveOffset,
         limit,
-        gqlClient
+        gqlClient,
+        interactiveFixes: fixReport.interactiveFixes ?? [],
+        repositoryPath
       });
       this.currentOffset = effectiveOffset + (fixReport.fixes?.length || 0);
       return prompt;
@@ -28003,6 +28433,7 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
     }
     const fixResult = await this.availableFixesService.checkForAvailableFixes({
       repoUrl: originUrl,
+      repositoryPath: path37,
       limit: args.limit,
       offset: args.offset,
       fileFilter: actualFileFilter
@@ -28106,6 +28537,7 @@ import z45 from "zod";
 init_configs();
 // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
+init_client_generates();
 init_configs();
 var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService {
   constructor() {
@@ -28196,7 +28628,9 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         offset: effectiveOffset,
         scannedFiles: [...fileList],
         limit: effectiveLimit,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        interactiveFixes: fixes.interactiveFixes,
+        repositoryPath
       });
       this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
       return prompt;
@@ -28240,12 +28674,165 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
     logDebug(`${fixes?.fixes?.length} fixes retrieved`);
     return {
       fixes: fixes?.fixes || [],
-      totalCount: fixes?.totalCount || 0
+      totalCount: fixes?.totalCount || 0,
+      interactiveFixes: fixes?.interactiveFixes || []
     };
   }
+  /** Applies patches from interactiveAnswers only (no scan). */
+  async applyInteractiveAnswers({
+    interactiveAnswers,
+    repositoryPath
+  }) {
+    this.gqlClient = await this.initializeGqlClient();
+    logInfo(
+      `Applying ${interactiveAnswers.length} interactive fix(es) with LLM-supplied answers`,
+      { repositoryPath }
+    );
+    const applied = [];
+    const failed = [];
+    const skipped = [];
+    for (const entry of interactiveAnswers) {
+      try {
+        const { fixData } = await this.gqlClient.getFixWithAnswers({
+          fixId: entry.fixId,
+          answers: entry.answers
+        });
+        if (!fixData) {
+          failed.push({
+            fixId: entry.fixId,
+            reason: "Fix not found on the server (may have expired)"
+          });
+          continue;
+        }
+        if (fixData.__typename !== "FixData") {
+          failed.push({
+            fixId: entry.fixId,
+            reason: `Backend returned ${fixData.__typename} \u2014 could not produce a patch with the supplied answers`
+          });
+          continue;
+        }
+        if (!fixData.patch) {
+          failed.push({
+            fixId: entry.fixId,
+            reason: "Backend returned FixData with no patch \u2014 answers did not yield an applicable fix"
+          });
+          continue;
+        }
+        const sentByKey = new Map(entry.answers.map((a) => [a.key, a.value]));
+        const invalidSelectAnswers = [];
+        for (const q of fixData.questions) {
+          if (q.inputType !== "SELECT" /* Select */) continue;
+          const sentValue = sentByKey.get(q.key);
+          if (sentValue === void 0) continue;
+          if (!q.options.includes(sentValue)) {
+            invalidSelectAnswers.push({
+              key: q.key,
+              sentValue,
+              options: [...q.options]
+            });
+          }
+        }
+        if (invalidSelectAnswers.length > 0) {
+          skipped.push({
+            fixId: entry.fixId,
+            invalidSelectAnswers
+          });
+          continue;
+        }
+        const newPendingKeys = fixData.questions.map((q) => q.key).filter((k) => !sentByKey.has(k));
+        const mcpFix = McpFixSchema.parse({
+          __typename: "fix",
+          id: entry.fixId,
+          confidence: 0,
+          safeIssueType: null,
+          safeIssueLanguage: null,
+          severityText: null,
+          severityValue: null,
+          vulnerabilityReportIssues: [],
+          patchAndQuestions: fixData
+        });
+        const result = await PatchApplicationService.applyFixes({
+          fixes: [mcpFix],
+          repositoryPath,
+          gqlClient: this.gqlClient,
+          scanContext: ScanContext.USER_REQUEST,
+          downloadSource: "MCP" /* Mcp */
+        });
+        if (result.appliedFixes.length > 0) {
+          const targetFile = extractTargetFile(fixData.patch) ?? "unknown file";
+          applied.push({
+            fixId: entry.fixId,
+            targetFile,
+            newPendingKeys
+          });
+        } else {
+          failed.push({
+            fixId: entry.fixId,
+            reason: result.failedFixes[0]?.error ?? "patch application failed"
+          });
+        }
+      } catch (error) {
+        failed.push({
+          fixId: entry.fixId,
+          reason: error.message
+        });
+      }
+    }
+    return formatApplyAnswersSummary({ applied, failed, skipped });
+  }
 };
 __publicField(_ScanAndFixVulnerabilitiesService, "instance");
 var ScanAndFixVulnerabilitiesService = _ScanAndFixVulnerabilitiesService;
+function extractTargetFile(patch) {
+  const match = patch.match(/^\+\+\+ b\/(.+)$/m);
+  return match?.[1] ?? null;
+}
+function formatApplyAnswersSummary({
+  applied,
+  failed,
+  skipped
+}) {
+  const sections = [];
+  if (applied.length > 0) {
+    sections.push(
+      `## \u2705 Applied ${applied.length} fix${applied.length === 1 ? "" : "es"}
+` + applied.map((a) => {
+        const hint = a.newPendingKeys.length > 0 ? `
+  \u26A0\uFE0F The backend returned additional question key(s) we didn't send: [${a.newPendingKeys.map((k) => `\`${k}\``).join(
+          ", "
+        )}]. This is either (a) a true cascading question \u2014 re-call \`scan_and_fix_vulnerabilities\` with those added to \`interactiveAnswers\` if you have a confident answer; or (b) the key we sent was wrong (e.g. camelCase vs snake_case) and the backend fell back to its default \u2014 copy the echoed key verbatim and retry. The patch above was already applied using defaults.` : "";
+        return `- **\`${a.fixId}\`** \u2192 \`${a.targetFile}\`${hint}`;
+      }).join("\n")
+    );
+  }
+  if (skipped.length > 0) {
+    sections.push(
+      `## \u23ED\uFE0F Skipped ${skipped.length} fix${skipped.length === 1 ? "" : "es"} \u2014 invalid SELECT answer value(s)
+` + skipped.map((s) => {
+        const detail = s.invalidSelectAnswers.map(
+          (a) => `\`${a.key}\` got \`"${a.sentValue}"\` \u2014 allowed options: [${a.options.map((o) => `\`"${o}"\``).join(", ")}]`
+        ).join("; ");
+        return `- **\`${s.fixId}\`** \u2014 ${detail}
+  The file was **not modified**. Re-call \`scan_and_fix_vulnerabilities\` with one of the exact allowed option strings (copy character-for-character, no commentary appended) or omit this fix entirely if no option is justified by the code.`;
+      }).join("\n") + `
+This guardrail exists to prevent the backend from silently falling back to its default sanitizer for an answer it didn't recognize \u2014 which could apply a semantically-wrong patch and break legitimate code paths.`
+    );
+  }
+  if (failed.length > 0) {
+    sections.push(
+      `## \u274C Failed
+` + failed.map((f) => `- **\`${f.fixId}\`** \u2014 ${f.reason}`).join("\n")
+    );
+  }
+  if (sections.length === 0) {
+    return "No fixes were processed.";
+  }
+  return sections.join("\n\n");
+}
 // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
 var ScanAndFixVulnerabilitiesTool = class extends BaseTool {
@@ -28253,13 +28840,23 @@ var ScanAndFixVulnerabilitiesTool = class extends BaseTool {
     super();
     __publicField(this, "name", MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES);
     __publicField(this, "displayName", "Scan and Fix Vulnerabilities");
-    // A detailed description to guide the LLM on when and how to invoke this tool.
-    __publicField(this, "description", `Scans a given local repository for security vulnerabilities and returns auto-generated code fixes.
+    __publicField(this, "description", `Scans a given local repository for security vulnerabilities, applies the auto-fixable ones, and surfaces any fix that needs your input as an "Interactive fix". Re-invoke with "interactiveAnswers" to apply those.
+Two modes of operation:
+A) SCAN MODE (default \u2014 interactiveAnswers omitted)
+   - Scans changed/recent files at "path"
+   - Auto-applies fixes that need no input
+   - Returns "Interactive fix" entries for fixes that need decisions; you (the AI) decide answers from the surrounding code
+B) APPLY-WITH-ANSWERS MODE (interactiveAnswers field supplied \u2014 array may be empty or partial)
+   - SKIPS scanning entirely (does NOT fall back to scan mode just because some fixes were skipped)
+   - Include ONLY fixes where answers are justified by code/context; omit fix IDs you are not confident about
+   - Empty array []: abstain from applying ALL interactive fixes (no patches fetched \u2014 summarize skips for the user)
 When to invoke:
-\u2022 Use when the user explicitly asks to "scan for vulnerabilities", "run a security check", or "test for security issues" in a local repository.
-\u2022 The repository must exist on disk; supply its absolute path with the required "path" argument.
-\u2022 Ideal after the user makes code changes (added/modified/staged files) but before committing, or whenever they request a full rescan.
+\u2022 Mode A \u2014 when the user asks to "scan for vulnerabilities", "run a security check", or after they make code changes.
+\u2022 Mode B \u2014 immediately after Mode A returns interactive fixes; pass confident answers only; use [] only when abstaining from every interactive fix.
 How to invoke:
 \u2022 Required argument:
@@ -28269,25 +28866,32 @@ How to invoke:
   \u2013 limit (number): maximum number of fixes to include in the response.
   \u2013 maxFiles (number): maximum number of files to scan (default: ${MCP_DEFAULT_MAX_FILES_TO_SCAN}). Provide this value to increase the scope of the scan.
   \u2013 rescan (boolean): true to force a complete rescan even if cached results exist.
+  \u2013 interactiveAnswers (array): triggers Mode B. Each entry: { fixId, answers: [{ key, value }] }. SELECT values MUST be exact strings from the option list. Omit fixes you cannot answer confidently. Use [] to abstain from all interactive fixes without rescanning.
-Behaviour:
-\u2022 If the directory is a valid Git repository, the tool scans the changed files in the repository. If there are no changes, it scans the files included in the las commit.
+Behaviour (Mode A):
+\u2022 If the directory is a valid Git repository, the tool scans the changed files in the repository. If there are no changes, it scans the files included in the last commit.
 \u2022 If the directory is not a valid Git repository, the tool falls back to scanning recently changed files in the folder.
 \u2022 If maxFiles is provided, the tool scans the maxFiles most recently changed files in the repository.
-\u2022 By default, only new, modified, or staged files are scanned; if none are found, it checks recently changed files.
-\u2022 The tool NEVER commits or pushes changes; it only returns proposed diffs/fixes as text.
+\u2022 The tool NEVER commits or pushes changes.
 Return value:
-The response is an object with a single "content" array containing one text element. The text is either:
-\u2022 A human-readable summary of the fixes / patches, or
-\u2022 A diagnostic or error message if the scan fails or finds nothing to fix.
+A "content" array with one text element. Either a human-readable summary of fixes/patches, an interactive-fix prompt, an apply-with-answers result, or an error message.
-Example payload:
+Example payload (Mode A):
+{ "path": "/home/user/my-project", "limit": 20, "maxFiles": 50 }
+Example payload (Mode B \u2014 subset or abstain):
 {
   "path": "/home/user/my-project",
-  "limit": 20,
-  "maxFiles": 50,
-  "rescan": false
+  "interactiveAnswers": [
+    { "fixId": "abc-123", "answers": [{ "key": "isServerSideCode", "value": "yes" }] }
+  ]
+}
+Example payload (Mode B \u2014 abstain from every interactive fix, no rescan):
+{
+  "path": "/home/user/my-project",
+  "interactiveAnswers": []
 }`);
     __publicField(this, "hasAuthentication", true);
     __publicField(this, "inputValidationSchema", z45.object({
@@ -28302,6 +28906,21 @@ Example payload:
       rescan: z45.boolean().optional().describe("Optional whether to rescan the repository"),
       scanRecentlyChangedFiles: z45.boolean().optional().describe(
         "Optional whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
+      ),
+      interactiveAnswers: z45.array(
+        z45.object({
+          fixId: z45.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
+          answers: z45.array(
+            z45.object({
+              key: z45.string().min(1).describe("FixQuestion key."),
+              value: z45.string().describe(
+                "For SELECT questions MUST be one of the listed options; for TEXT/NUMBER, a free-form value."
+              )
+            })
+          ).min(1)
+        })
+      ).optional().describe(
+        "When supplied (including []), SKIPS scanning. Non-empty: apply each listed interactive fix. Empty []: abstain from all interactive fixes \u2014 no patches applied. Omit entirely for scan mode."
       )
     }));
     __publicField(this, "inputSchema", {
@@ -28330,6 +28949,34 @@ Example payload:
         scanRecentlyChangedFiles: {
           type: "boolean",
           description: "[Optional] whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
+        },
+        interactiveAnswers: {
+          type: "array",
+          items: {
+            type: "object",
+            properties: {
+              fixId: {
+                type: "string",
+                description: 'Fix id from a previous "Interactive fix" prompt.'
+              },
+              answers: {
+                type: "array",
+                items: {
+                  type: "object",
+                  properties: {
+                    key: { type: "string", description: "FixQuestion key." },
+                    value: {
+                      type: "string",
+                      description: "Decided value (SELECT must match an option exactly)."
+                    }
+                  },
+                  required: ["key", "value"]
+                }
+              }
+            },
+            required: ["fixId", "answers"]
+          },
+          description: "[Optional] When supplied (including []), skips scanning. Non-empty: apply interactive fixes with answers. Empty []: abstain from all interactive fixes without rescanning. Omit for scan mode."
         }
       },
       required: ["path"]
@@ -28340,7 +28987,8 @@ Example payload:
   }
   async executeInternal(args) {
     logDebug(`Executing tool: ${this.name}`, {
-      path: args.path
+      path: args.path,
+      mode: args.interactiveAnswers === void 0 ? "scan" : args.interactiveAnswers.length === 0 ? "apply-interactive-abstain-all" : "apply-with-answers"
     });
     if (!args.path) {
       throw new Error("Invalid arguments: Missing required parameter 'path'");
@@ -28352,6 +29000,26 @@ Example payload:
       );
     }
     const path37 = pathValidationResult.path;
+    if (args.interactiveAnswers !== void 0) {
+      if (args.interactiveAnswers.length === 0) {
+        return this.createSuccessResponse(
+          interactiveAnswersAbstainAllToolResponse
+        );
+      }
+      try {
+        const result = await this.vulnerabilityFixService.applyInteractiveAnswers({
+          interactiveAnswers: args.interactiveAnswers,
+          repositoryPath: path37
+        });
+        return this.createSuccessResponse(result);
+      } catch (error) {
+        const message = error.message;
+        logError("Tool execution failed (apply-with-answers)", {
+          error: message
+        });
+        return this.createSuccessResponse(message);
+      }
+    }
     const files = await getLocalFiles({
       path: path37,
       maxFileSize: MCP_MAX_FILE_SIZE,