mobbdev 1.4.11 → 1.4.15

package/dist/index.mjs

@@ -109,6 +109,9 @@ function getSdk(client, withWrapper = defaultWrapper) {
     autoPrAnalysis(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: AutoPrAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "autoPrAnalysis", "mutation", variables);
     },
+    getFixWithAnswers(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFixWithAnswersDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getFixWithAnswers", "query", variables);
+    },
     GetFixReportsByRepoUrl(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFixReportsByRepoUrlDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetFixReportsByRepoUrl", "query", variables);
     },
@@ -138,7 +141,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -312,6 +315,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["NoReturnInFinally"] = "NO_RETURN_IN_FINALLY";
       IssueType_Enum2["NoVar"] = "NO_VAR";
       IssueType_Enum2["NullDereference"] = "NULL_DEREFERENCE";
+      IssueType_Enum2["OftenMisusedBooleanGetBoolean"] = "OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN";
       IssueType_Enum2["OpenRedirect"] = "OPEN_REDIRECT";
       IssueType_Enum2["OverlyBroadCatch"] = "OVERLY_BROAD_CATCH";
       IssueType_Enum2["OverlyLargeRange"] = "OVERLY_LARGE_RANGE";
@@ -442,6 +446,7 @@ var init_client_generates = __esm({
   id
   confidence
   safeIssueType
+  safeIssueLanguage
   severityText
   gitBlameLogin
   severityValue
@@ -465,7 +470,17 @@ var init_client_generates = __esm({
       patch
       patchOriginalEncodingBase64
       questions {
+        key
         name
+        defaultValue
+        value
+        inputType
+        options
+        index
+        extraContext {
+          key
+          value
+        }
       }
       extraContext {
         extraContext {
@@ -1022,7 +1037,7 @@ var init_client_generates = __esm({
 }
     `;
     DigestVulnerabilityReportDocument = `
-    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String) {
+    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String, $baselineCommit: String) {
   digestVulnerabilityReport(
     fixReportId: $fixReportId
     vulnerabilityReportFileName: $vulnerabilityReportFileName
@@ -1031,6 +1046,7 @@ var init_client_generates = __esm({
     repoUrl: $repoUrl
     reference: $reference
     sha: $sha
+    baselineCommit: $baselineCommit
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1182,6 +1198,37 @@ var init_client_generates = __esm({
       error
     }
   }
+}
+    `;
+    GetFixWithAnswersDocument = `
+    query getFixWithAnswers($fixId: uuid!, $userInput: [QuestionAnswer!]!) {
+  fixData: getFix(fixId: $fixId, userInput: $userInput, loadAnswers: false) {
+    __typename
+    ... on FixData {
+      patch
+      patchOriginalEncodingBase64
+      questions {
+        key
+        name
+        defaultValue
+        value
+        inputType
+        options
+        index
+        extraContext {
+          key
+          value
+        }
+      }
+      extraContext {
+        extraContext {
+          key
+          value
+        }
+        fixDescription
+      }
+    }
+  }
 }
     `;
     GetFixReportsByRepoUrlDocument = `
@@ -1216,14 +1263,14 @@ var init_client_generates = __esm({
     GetLatestReportByRepoUrlDocument = `
     query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!, $currentUserEmail: String!) {
   fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
     ...FixReportSummaryFields
   }
   expiredReport: fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
@@ -1318,8 +1365,8 @@ var init_client_generates = __esm({
 
 // src/features/analysis/scm/shared/src/getIssueType.ts
 import { z } from "zod";
-function getTagTooltip(tag) {
-  switch (tag) {
+function getTagTooltip(tag2) {
+  switch (tag2) {
     case "FALSE_POSITIVE":
       return "Issue was found to be a false positive";
     case "TEST_CODE":
@@ -1335,7 +1382,7 @@ function getTagTooltip(tag) {
     case "SUPPRESSED":
       return "Suppressed in the scan report";
     default:
-      return tag;
+      return tag2;
   }
 }
 function replaceKeysWithValues(fixDescription, extraContext) {
@@ -1502,7 +1549,8 @@ var init_getIssueType = __esm({
       ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
-      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation"
+      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
+      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -1752,7 +1800,7 @@ var init_analysis = __esm({
 
 // src/features/analysis/scm/shared/src/types/issue.ts
 import { z as z9 } from "zod";
-var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
+var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
 var init_issue = __esm({
   "src/features/analysis/scm/shared/src/types/issue.ts"() {
     "use strict";
@@ -1834,12 +1882,17 @@ var init_issue = __esm({
           return { codeDiff };
         })
       }).nullish(),
-      sharedState: VulnerabilityReportIssueSharedStateZ
+      sharedState: VulnerabilityReportIssueSharedStateZ,
+      unfixableId: z9.string().uuid().nullish()
     });
     FalsePositivePartsZ = z9.object({
       extraContext: z9.array(z9.object({ key: z9.string(), value: z9.string() })),
       fixDescription: z9.string()
     });
+    UnfixablePartsZ = z9.object({
+      extraContext: z9.array(z9.object({ key: z9.string(), value: z9.string() })),
+      fixDescription: z9.string()
+    });
     IssuePartsWithFixZ = BaseIssuePartsZ.merge(
       z9.object({
         category: z9.literal("Irrelevant" /* Irrelevant */),
@@ -1861,7 +1914,8 @@ var init_issue = __esm({
           z9.literal("Fixable" /* Fixable */),
           z9.literal("Filtered" /* Filtered */),
           z9.literal("Pending" /* Pending */)
-        ])
+        ]),
+        getUnfixable: UnfixablePartsZ.nullish()
       })
     );
     IssuePartsZ = z9.union([
@@ -4753,7 +4807,8 @@ var fixDetailsData = {
   ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
-  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
+  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -4823,7 +4878,8 @@ var getCommitIssueDescription = ({
   vendor,
   issueType,
   irrelevantIssueWithTags,
-  fpDescription
+  fpDescription,
+  unfixableDescription
 }) => {
   const issueTypeString = getIssueTypeFriendlyString(issueType);
   let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
@@ -4839,7 +4895,7 @@ var getCommitIssueDescription = ({
 
 
 ## Justification
-${fpDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
+${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
 `;
     }
     const staticData = fixDetailsData[parseIssueTypeRes.data];
@@ -6861,25 +6917,18 @@ function getScmConfig({
   });
   const virtualDomain = filteredBrokerHosts[0]?.virtualDomain;
   const virtualUrl = virtualDomain ? `https://${virtualDomain}${urlObject.pathname}${urlObject.search}` : void 0;
-  const scmOrgConfig = filteredScmConfigs.find((scm) => scm.orgId && scm.token);
-  if (scmOrgConfig && includeOrgTokens) {
-    return {
-      id: scmOrgConfig.id,
-      accessToken: scmOrgConfig.token || void 0,
-      scmLibType: getScmLibTypeFromScmType(scmOrgConfig.scmType),
-      scmOrg: scmOrgConfig.scmOrg || void 0,
-      virtualUrl
-    };
-  }
-  const scmUserConfig = filteredScmConfigs.find(
-    (scm) => scm.userId && scm.token
-  );
-  if (scmUserConfig) {
+  const matched = filteredScmConfigs.find((scm) => {
+    if (!scm.token) return false;
+    if (scm.userId) return true;
+    if (scm.orgId) return includeOrgTokens;
+    return false;
+  });
+  if (matched) {
     return {
-      id: scmUserConfig.id,
-      accessToken: scmUserConfig.token || void 0,
-      scmLibType: getScmLibTypeFromScmType(scmUserConfig.scmType),
-      scmOrg: scmUserConfig.scmOrg || void 0,
+      id: matched.id,
+      accessToken: matched.token || void 0,
+      scmLibType: getScmLibTypeFromScmType(matched.scmType),
+      scmOrg: matched.scmOrg || void 0,
       virtualUrl
     };
   }
@@ -9583,12 +9632,12 @@ function getGithubSdk(params = {}) {
       });
     },
     async getTagDate({
-      tag,
+      tag: tag2,
       owner,
       repo
     }) {
       const refResponse = await octokit.rest.git.getRef({
-        ref: `tags/${tag}`,
+        ref: `tags/${tag2}`,
         owner,
         repo
       });
@@ -10607,7 +10656,11 @@ var GithubSCMLib = class extends SCMLib {
       }
       const aDate = a.repoUpdatedAt ? Date.parse(a.repoUpdatedAt) : 0;
       const bDate = b.repoUpdatedAt ? Date.parse(b.repoUpdatedAt) : 0;
-      return (aDate - bDate) * sortOrder;
+      const dateCmp = (aDate - bDate) * sortOrder;
+      if (dateCmp !== 0) {
+        return dateCmp;
+      }
+      return a.repoName.localeCompare(b.repoName) * sortOrder;
     });
     const limit = params.limit || 10;
     const offset = parseCursorSafe(params.cursor, 0);
@@ -12220,22 +12273,24 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
 
 // src/utils/gitUtils.ts
 import simpleGit2 from "simple-git";
-var defaultLogger = {
-  info: (data, msg) => {
-    if (msg) {
-      const sanitizedMsg = String(msg).replace(/\n|\r/g, "");
-      console.log(`[GIT] ${sanitizedMsg}`, data);
-    } else {
-      console.log("[GIT]", data);
-    }
+var tag = (sink) => (data, msg) => {
+  if (msg) {
+    const sanitizedMsg = String(msg).replace(/\n|\r/g, "");
+    sink(`[GIT] ${sanitizedMsg}`, data);
+  } else {
+    sink("[GIT]", data);
   }
 };
+var defaultLogger = {
+  debug: tag(console.log),
+  warn: tag(console.warn)
+};
 function createGitWithLogging(dirName, logger3 = defaultLogger) {
   return simpleGit2(dirName, {
     maxConcurrentProcesses: 6
   }).outputHandler((bin, stdout2, stderr2) => {
     const callID = Math.random();
-    logger3.info({ callID, bin }, "Start git CLI call");
+    logger3.debug({ callID, bin }, "Start git CLI call");
     let errChunks = [];
     let outChunks = [];
     let isStdoutDone = false;
@@ -12256,7 +12311,7 @@ function createGitWithLogging(dirName, logger3 = defaultLogger) {
         err: `${errChunks.join("").slice(0, 200)}...`,
         out: `${outChunks.join("").slice(0, 200)}...`
       };
-      logger3.info(logObj, "git log output");
+      logger3.debug(logObj, "git log output");
       stderr2.removeListener("data", onStderrData);
       stdout2.removeListener("data", onStdoutData);
       errChunks = [];
@@ -12270,11 +12325,11 @@ function createGitWithLogging(dirName, logger3 = defaultLogger) {
     stderr2.on("close", () => markDone("stderr"));
     stdout2.on("close", () => markDone("stdout"));
     stderr2.on("error", (error) => {
-      logger3.info({ callID, error: String(error) }, "git stderr stream error");
+      logger3.warn({ callID, error: String(error) }, "git stderr stream error");
       markDone("stderr");
     });
     stdout2.on("error", (error) => {
-      logger3.info({ callID, error: String(error) }, "git stdout stream error");
+      logger3.warn({ callID, error: String(error) }, "git stdout stream error");
       markDone("stdout");
     });
   });
@@ -12292,15 +12347,15 @@ import sax from "sax";
 var BaseStreamParser = class {
   constructor(parser) {
     __publicField(this, "currentPath", []);
-    parser.on("opentag", (tag) => this.onOpenTag(tag));
+    parser.on("opentag", (tag2) => this.onOpenTag(tag2));
     parser.on("closetag", () => this.onCloseTag());
     parser.on("text", (text) => this.onText(text));
   }
   getPathString() {
     return this.currentPath.join(" > ");
   }
-  onOpenTag(tag) {
-    this.currentPath.push(tag.name);
+  onOpenTag(tag2) {
+    this.currentPath.push(tag2.name);
   }
   onCloseTag() {
     this.currentPath.pop();
@@ -12313,12 +12368,12 @@ var AuditMetadataParser = class extends BaseStreamParser {
     super(...arguments);
     __publicField(this, "suppressedMap", {});
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "Audit > IssueList > Issue":
-        this.suppressedMap[String(tag.attributes["instanceId"] ?? "")] = String(
-          tag.attributes["suppressed"] ?? ""
+        this.suppressedMap[String(tag2.attributes["instanceId"] ?? "")] = String(
+          tag2.attributes["suppressed"] ?? ""
         );
         break;
     }
@@ -12337,18 +12392,18 @@ var ReportMetadataParser = class extends BaseStreamParser {
     __publicField(this, "ruleId", "");
     __publicField(this, "groupName", "");
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > EngineData > RuleInfo > Rule":
-        this.ruleId = String(tag.attributes["id"] ?? "");
+        this.ruleId = String(tag2.attributes["id"] ?? "");
         break;
       case "FVDL > EngineData > RuleInfo > Rule > MetaInfo > Group":
-        this.groupName = String(tag.attributes["name"] ?? "");
+        this.groupName = String(tag2.attributes["name"] ?? "");
         break;
       case "FVDL > CreatedTS":
-        this.createdTSDate = String(tag.attributes["date"] ?? "");
-        this.createdTSTime = String(tag.attributes["time"] ?? "");
+        this.createdTSDate = String(tag2.attributes["date"] ?? "");
+        this.createdTSTime = String(tag2.attributes["time"] ?? "");
         break;
     }
   }
@@ -12381,19 +12436,19 @@ var UnifiedNodePoolParser = class extends BaseStreamParser {
     __publicField(this, "codePoints", {});
     __publicField(this, "nodeId", "");
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > UnifiedNodePool > Node":
-        this.nodeId = String(tag.attributes["id"] ?? "");
+        this.nodeId = String(tag2.attributes["id"] ?? "");
         break;
       case "FVDL > UnifiedNodePool > Node > SourceLocation":
         this.codePoints[this.nodeId] = {
-          path: String(tag.attributes["path"] ?? ""),
-          colStart: String(tag.attributes["colStart"] ?? ""),
-          colEnd: String(tag.attributes["colEnd"] ?? ""),
-          line: String(tag.attributes["line"] ?? ""),
-          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+          path: String(tag2.attributes["path"] ?? ""),
+          colStart: String(tag2.attributes["colStart"] ?? ""),
+          colEnd: String(tag2.attributes["colEnd"] ?? ""),
+          line: String(tag2.attributes["line"] ?? ""),
+          lineEnd: String(tag2.attributes["lineEnd"] ?? "")
         };
         break;
     }
@@ -12415,8 +12470,8 @@ var VulnerabilityParser = class extends BaseStreamParser {
     this.tmpStorageFilePath = tmpStorageFilePath;
     this.tmpStorageFileWriter = fs5.createWriteStream(tmpStorageFilePath);
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > Vulnerabilities > Vulnerability":
         this.isInVulnerability = true;
@@ -12425,21 +12480,21 @@ var VulnerabilityParser = class extends BaseStreamParser {
         this.codePoints = [];
         break;
       case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > MetaInfo > Group":
-        this.groupName = String(tag.attributes["name"] ?? "");
+        this.groupName = String(tag2.attributes["name"] ?? "");
         break;
     }
     if (this.isInVulnerability) {
       if (this.getPathString().endsWith(" > Entry > Node > SourceLocation")) {
         this.codePoints.push({
-          path: String(tag.attributes["path"] ?? ""),
-          colStart: String(tag.attributes["colStart"] ?? ""),
-          colEnd: String(tag.attributes["colEnd"] ?? ""),
-          line: String(tag.attributes["line"] ?? ""),
-          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+          path: String(tag2.attributes["path"] ?? ""),
+          colStart: String(tag2.attributes["colStart"] ?? ""),
+          colEnd: String(tag2.attributes["colEnd"] ?? ""),
+          line: String(tag2.attributes["line"] ?? ""),
+          lineEnd: String(tag2.attributes["lineEnd"] ?? "")
         });
       } else if (this.getPathString().endsWith(" > Entry > NodeRef")) {
         this.codePoints.push({
-          id: String(tag.attributes["id"] ?? "")
+          id: String(tag2.attributes["id"] ?? "")
         });
       }
     }
@@ -12916,6 +12971,12 @@ var convertToSarifCodePathPatternsOption = {
   type: "string",
   array: true
 };
+var baselineCommitOption = {
+  describe: chalk2.bold(
+    "Only report findings introduced since this commit (PR mode). The sha must be reachable from the scanned repository \u2014 unreachable baselines fail the scan loudly. Effective only when no scan file is provided."
+  ),
+  type: "string"
+};
 var pollingOption = {
   describe: chalk2.bold(
     "Use HTTP polling instead of WebSocket for status updates. Useful for proxy environments or firewalls that block WebSocket connections. Polling interval: 5 seconds, timeout: 30 minutes."
@@ -13567,7 +13628,8 @@ var GQLClient = class {
     repoUrl,
     reference,
     sha,
-    shouldScan
+    shouldScan,
+    baselineCommit
   }) {
     const res = await this._clientSdk.DigestVulnerabilityReport({
       fixReportId,
@@ -13576,7 +13638,8 @@ var GQLClient = class {
       scanSource,
       repoUrl,
       reference,
-      sha
+      sha,
+      baselineCommit
     });
     if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
       throw new Error("Digesting vulnerability report failed");
@@ -14106,8 +14169,16 @@ var ADO_PAT_PATTERN = {
   severity: "high",
   validator: (match) => match.length >= 52 && match.length <= 100
 };
+var DATADOG_APP_KEY_PATTERN = {
+  type: "DATADOG_APP_KEY",
+  regex: /\bddapp_[a-zA-Z0-9]{30,}\b/g,
+  priority: 95,
+  placeholder: "[DATADOG_APP_KEY_{n}]",
+  description: "Datadog Application Key",
+  severity: "high"
+};
 var openRedaction = new OpenRedaction({
-  customPatterns: [ADO_PAT_PATTERN],
+  customPatterns: [ADO_PAT_PATTERN, DATADOG_APP_KEY_PATTERN],
   patterns: [
     // Core Personal Data
     // Removed EMAIL - causes false positives in code/test snippets (e.g. --author="Eve Author <eve@example.com>")
@@ -15982,10 +16053,10 @@ function createFork({ args, processPath, name }, options) {
   });
   return createChildProcess({ childProcess: child, name }, options);
 }
-function createSpawn({ args, processPath, name, cwd }, options) {
+function createSpawn({ args, processPath, name, cwd, env: env3 }, options) {
   const child = cp.spawn(processPath, args, {
     stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { ...process2.env },
+    env: { ...process2.env, ...env3 },
     cwd
   });
   return createChildProcess({ childProcess: child, name }, options);
@@ -16440,7 +16511,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
     createOnePr,
     commitDirectly,
     pullRequest,
-    polling
+    polling,
+    baselineCommit
   } = params;
   debug21("start %s %s", dirname, repo);
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
@@ -16557,7 +16629,9 @@ async function _scan(params, { skipPrompts = false } = {}) {
     sha,
     reference,
     shouldScan,
-    polling
+    polling,
+    // Only meaningful when opengrep is going to run (no user-supplied report).
+    baselineCommit: shouldScan ? baselineCommit : void 0
   });
   uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
   const mobbSpinner = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
@@ -16700,7 +16774,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
         command,
         ci,
         shouldScan: shouldScan2,
-        polling
+        polling,
+        // shouldScan is false here (user provided a report); baseline filter
+        // only applies to the opengrep code path. Drop it to keep the contract
+        // honest with the CLI help text.
+        baselineCommit: void 0
       });
       const res = await _zipAndUploadRepo({
         srcPath,
@@ -16724,7 +16802,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
         command,
         ci,
         shouldScan: shouldScan2,
-        polling
+        polling,
+        baselineCommit
       });
     }
     const mobbSpinner2 = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
@@ -16819,7 +16898,8 @@ async function _digestReport({
   sha,
   reference,
   shouldScan,
-  polling
+  polling,
+  baselineCommit
 }) {
   const digestSpinner = createSpinner4(
     progressMassages.processingVulnerabilityReport
@@ -16833,7 +16913,8 @@ async function _digestReport({
         repoUrl,
         sha,
         reference,
-        shouldScan
+        shouldScan,
+        baselineCommit
       }
     );
     const callbackStates = [
@@ -17083,7 +17164,8 @@ async function analyze({
   createOnePr,
   commitDirectly,
   pullRequest,
-  polling
+  polling,
+  baselineCommit
 }, { skipPrompts = false } = {}) {
   !ci && await showWelcomeMessage(skipPrompts);
   await runAnalysis(
@@ -17102,7 +17184,8 @@ async function analyze({
       commitDirectly,
       pullRequest,
       createOnePr,
-      polling
+      polling,
+      baselineCommit
     },
     { skipPrompts }
   );
@@ -17312,9 +17395,12 @@ function analyzeBuilder(yargs2) {
     describe: chalk10.bold("Number of the pull request"),
     type: "number",
     demandOption: false
-  }).option("polling", pollingOption).example(
+  }).option("polling", pollingOption).option("baseline-commit", baselineCommitOption).example(
     "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
     "analyze an existing repository"
+  ).example(
+    "npx mobbdev@latest analyze -r https://github.com/org/repo --baseline-commit <sha>",
+    "analyze only findings introduced since <sha> (PR-mode scan)"
   ).help();
 }
 function validateAnalyzeOptions(argv) {
@@ -19313,7 +19399,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.11" : "unknown";
+var CLI_VERSION = true ? "1.4.15" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -20801,7 +20887,14 @@ var FixExtraContextResponseSchema = z33.object({
 });
 var FixQuestionSchema = z33.object({
   __typename: z33.literal("FixQuestion").optional(),
-  name: z33.string()
+  key: z33.string(),
+  name: z33.string(),
+  defaultValue: z33.string(),
+  value: z33.string().nullable().optional(),
+  inputType: z33.nativeEnum(FixQuestionInputType),
+  options: z33.array(z33.string()),
+  index: z33.number(),
+  extraContext: z33.array(UnstructuredFixExtraContextSchema)
 });
 var FixDataSchema = z33.object({
   __typename: z33.literal("FixData"),
@@ -20820,6 +20913,7 @@ var McpFixSchema = z33.object({
   // GraphQL uses `any` type for UUID
   confidence: z33.number(),
   safeIssueType: z33.string().nullable(),
+  safeIssueLanguage: z33.string().nullable().optional(),
   severityText: z33.string().nullable(),
   gitBlameLogin: z33.string().nullable().optional(),
   // Optional in GraphQL
@@ -20900,10 +20994,6 @@ var GetLatestReportByRepoUrlResponseSchema = z33.object({
 });
 
 // src/mcp/services/InteractiveFixFilter.ts
-var isFilterDisabled = () => {
-  const raw = process.env["MOBB_MCP_DISABLE_INTERACTIVE_FILTER"];
-  return raw === "1" || raw === "true";
-};
 var isInteractiveFix = (fix) => {
   if (fix.patchAndQuestions.__typename !== "FixData") {
     return false;
@@ -20918,27 +21008,46 @@ var countByRule = (ruleIds) => {
   }
   return counts;
 };
+var MOBB_MCP_DISABLE_INTERACTIVE_FILTER_DEFAULT = false;
+var isInteractiveRoutingDisabled = () => {
+  const raw = process.env["MOBB_MCP_DISABLE_INTERACTIVE_FILTER"];
+  if (!raw) return MOBB_MCP_DISABLE_INTERACTIVE_FILTER_DEFAULT;
+  const normalized = raw.toLowerCase();
+  return normalized === "1" || normalized === "true";
+};
 var partitionInteractiveFixes = (fixes) => {
-  if (isFilterDisabled()) {
-    return { applicableFixes: fixes, skippedRuleIds: [] };
-  }
+  const disabled = isInteractiveRoutingDisabled();
   const applicableFixes = [];
-  const skippedRuleIds = [];
+  const interactiveFixes = [];
+  const droppedInteractive = [];
   for (const fix of fixes) {
     if (isInteractiveFix(fix)) {
-      skippedRuleIds.push(ruleIdFor(fix));
+      if (disabled) {
+        droppedInteractive.push(fix);
+      } else {
+        interactiveFixes.push(fix);
+      }
     } else {
       applicableFixes.push(fix);
     }
   }
-  if (skippedRuleIds.length > 0) {
-    logInfo("[InteractiveFixFilter] Skipped interactive fixes", {
+  if (disabled && droppedInteractive.length > 0) {
+    logInfo(
+      "[InteractiveFixFilter] Dropping interactive fixes (MOBB_MCP_DISABLE_INTERACTIVE_FILTER=true)",
+      {
+        totalFixes: fixes.length,
+        droppedCount: droppedInteractive.length,
+        droppedByRule: countByRule(droppedInteractive.map(ruleIdFor))
+      }
+    );
+  } else if (interactiveFixes.length > 0) {
+    logInfo("[InteractiveFixFilter] Routing interactive fixes to LLM", {
       totalFixes: fixes.length,
-      skippedCount: skippedRuleIds.length,
-      skippedByRule: countByRule(skippedRuleIds)
+      interactiveCount: interactiveFixes.length,
+      interactiveByRule: countByRule(interactiveFixes.map(ruleIdFor))
     });
   }
-  return { applicableFixes, skippedRuleIds };
+  return { applicableFixes, interactiveFixes };
 };
 
 // src/mcp/services/McpGQLClient.ts
@@ -21223,7 +21332,7 @@ var McpGQLClient = class extends GQLClient {
     reportData,
     limit
   }) {
-    if (!reportData) return { applicableFixes: [], skippedRuleIds: [] };
+    if (!reportData) return { applicableFixes: [], interactiveFixes: [] };
     const reportMetadata = {
       id: reportData.id,
       organizationId: reportData.vulnerabilityReport?.project?.organizationId,
@@ -21260,10 +21369,10 @@ var McpGQLClient = class extends GQLClient {
       }
     }
     const merged = Array.from(fixMap.values());
-    const { applicableFixes, skippedRuleIds } = partitionInteractiveFixes(merged);
+    const { applicableFixes, interactiveFixes } = partitionInteractiveFixes(merged);
     return {
       applicableFixes: applicableFixes.slice(0, limit),
-      skippedRuleIds
+      interactiveFixes: interactiveFixes.slice(0, limit)
     };
   }
   async updateFixesDownloadStatus(fixIds) {
@@ -21356,8 +21465,9 @@ var McpGQLClient = class extends GQLClient {
           codeNodes: { path: { _in: fileFilter } }
         };
       }
+      const escapedRepoUrl = repoUrl.replace(/[%_\\]/g, (c) => `\\${c}`);
       const resp = await this._clientSdk.GetLatestReportByRepoUrl({
-        repoUrl,
+        repoUrl: escapedRepoUrl,
         limit,
         offset,
         currentUserEmail,
@@ -21368,7 +21478,7 @@ var McpGQLClient = class extends GQLClient {
         reportCount: resp.fixReport?.length || 0
       });
       const latestReport = resp.fixReport?.[0] && FixReportSummarySchema.parse(resp.fixReport?.[0]);
-      const { applicableFixes, skippedRuleIds } = this.mergeUserAndSystemFixes({
+      const { applicableFixes, interactiveFixes } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
@@ -21376,7 +21486,7 @@ var McpGQLClient = class extends GQLClient {
         fixReport: latestReport ? {
           ...latestReport,
           fixes: applicableFixes,
-          skippedRuleIds
+          interactiveFixes
         } : null,
         expiredReport: resp.expiredReport?.[0] || null
       };
@@ -21446,17 +21556,17 @@ var McpGQLClient = class extends GQLClient {
         return null;
       }
       const latestReport = FixReportSummarySchema.parse(res.fixReport?.[0]);
-      const { applicableFixes, skippedRuleIds } = this.mergeUserAndSystemFixes({
+      const { applicableFixes, interactiveFixes } = this.mergeUserAndSystemFixes({
         reportData: latestReport,
         limit
       });
       logDebug("[GraphQL] GetReportFixes response parsed", {
         fixes: applicableFixes,
-        skippedCount: skippedRuleIds.length
+        interactiveCount: interactiveFixes.length
       });
       return {
         fixes: applicableFixes,
-        skippedRuleIds,
+        interactiveFixes,
         totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0,
         expiredReport: res.expiredReport?.[0] || null,
         fixReport: res.fixReport?.[0] ? {
@@ -21474,6 +21584,36 @@ var McpGQLClient = class extends GQLClient {
       throw e;
     }
   }
+  /** Root getFix recomputes the patch; fix_by_pk.patchAndQuestions(userInput) does not (stale questions looked like cascading). */
+  async getFixWithAnswers({
+    fixId,
+    answers
+  }) {
+    try {
+      logDebug("[GraphQL] Calling getFixWithAnswers query", {
+        fixId,
+        answerCount: answers.length,
+        userInput: answers
+      });
+      const resp = await this._clientSdk.getFixWithAnswers({
+        fixId,
+        userInput: answers
+      });
+      logDebug("[GraphQL] getFixWithAnswers successful", {
+        fixId,
+        responseTypename: resp.fixData?.__typename,
+        remainingQuestionKeys: resp.fixData?.__typename === "FixData" ? resp.fixData.questions.map((q) => q.key) : void 0
+      });
+      return { fixData: resp.fixData ?? null };
+    } catch (e) {
+      logError("[GraphQL] getFixWithAnswers failed", {
+        error: e,
+        fixId,
+        ...this.getErrorContext()
+      });
+      throw e;
+    }
+  }
 };
 async function createAuthenticatedMcpGQLClient({
   isBackgroundCall = false,
@@ -24516,6 +24656,7 @@ init_client_generates();
 init_configs();
 
 // src/mcp/core/prompts.ts
+init_client_generates();
 init_configs();
 function friendlyType(s) {
   const withoutUnderscores = s.replace(/_/g, " ");
@@ -24524,17 +24665,133 @@ function friendlyType(s) {
 }
 var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
 `;
-var skippedInteractiveFixesNotice = (skippedCount) => {
-  if (skippedCount <= 0) return "";
-  const s = skippedCount === 1 ? "" : "es";
-  const verb = skippedCount === 1 ? "requires" : "require";
-  const wasWere = skippedCount === 1 ? "was" : "were";
+var resolveQuestionText = ({
+  fix,
+  question
+}) => {
+  const language = fix.safeIssueLanguage ?? void 0;
+  const issueType = fix.safeIssueType ?? void 0;
+  if (!language || !issueType) {
+    return { content: question.name, description: "" };
+  }
+  const item = storedQuestionData_default[language]?.[issueType]?.[question.name];
+  if (!item) {
+    return { content: question.name, description: "" };
+  }
+  const args = question.extraContext.reduce(
+    (acc, ctx) => {
+      acc[ctx.key] = ctx.value;
+      return acc;
+    },
+    {}
+  );
+  try {
+    return {
+      content: item.content(args) || question.name,
+      description: item.description(args) || ""
+    };
+  } catch {
+    return { content: question.name, description: "" };
+  }
+};
+var formatQuestionInputContract = (question) => {
+  switch (question.inputType) {
+    case "SELECT" /* Select */:
+      return `Pick exactly ONE of: ${question.options.map((o) => `\`${o}\``).join(", ")}`;
+    case "NUMBER" /* Number */:
+      return 'Provide a numeric string (e.g. "60").';
+    case "TEXT" /* Text */:
+      return "Provide a free-form string (or an empty string to accept the default).";
+  }
+};
+var renderInteractiveFix = (fix, index) => {
+  if (fix.patchAndQuestions.__typename !== "FixData") return "";
+  const { questions, extraContext } = fix.patchAndQuestions;
+  const vulnerabilityType = friendlyType(fix.safeIssueType ?? "Unknown");
+  const questionsBlock = questions.slice().sort((a, b) => a.index - b.index).map((q, qIdx) => {
+    const { content, description } = resolveQuestionText({ fix, question: q });
+    const desc = description ? `
+  *Why it matters:* ${description}` : "";
+    const defaultLine = q.defaultValue ? `
+  *Default if you don't decide:* \`${q.defaultValue}\`` : "";
+    return `${qIdx + 1}. **\`${q.key}\`** \u2014 ${content}
+  *Input:* ${formatQuestionInputContract(q)}${defaultLine}${desc}`;
+  }).join("\n\n");
+  return `### Interactive fix ${index + 1}: ${vulnerabilityType}
+
+**Fix id:** \`${fix.id}\`
+**Description:** ${extraContext?.fixDescription || "Security vulnerability fix that requires answers before it can be tailored."}
+
+**Questions you must answer before this fix can be applied:**
+
+${questionsBlock}
+`;
+};
+var interactiveFixesPrompt = ({
+  interactiveFixes,
+  repositoryPath
+}) => {
+  if (interactiveFixes.length === 0) return "";
+  const fixesBlock = interactiveFixes.map((fix, idx) => renderInteractiveFix(fix, idx)).join("\n---\n");
   return `
-## Skipped fixes
+## Interactive fixes \u2014 decide from code, then apply or abstain
+
+The Mobb backend produced ${interactiveFixes.length} fix${interactiveFixes.length === 1 ? "" : "es"} that need context before the patch can be tailored. **Infer answers only from the real code**: touched files, imports, framework, and how untrusted data flows (SSR/XSS/PT/SSRF, etc.). **Do NOT ask the end user** \u2014 use tooling/read-only repo inspection only.
+
+### CRITICAL INSTRUCTIONS \u2014 READ CAREFULLY
+
+1. **Defaults are hints from Mobb, not autopilot.** The line *Default if you don't decide* shows what the backend would fall back to. Prefer answers **consistent with the codebase**. Do **not** pick an answer **only** because it equals that default \u2014 a mismatched default can produce the wrong tailored patch.
+2. **Time budget \u2014 ~5 seconds per interactive fix, as one shared pool.** With ${interactiveFixes.length} interactive fix${interactiveFixes.length === 1 ? "" : "es"} above, spend **at most ~${interactiveFixes.length * 5} seconds total** inspecting the codebase before re-calling \`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\` with \`interactiveAnswers\`. The budget is a pool \u2014 one fix may take 8s if it's genuinely ambiguous while another takes 2s if the call site is obvious, as long as the total stays near the bound. If a fix is still uncertain when its share runs out, **omit it from \`interactiveAnswers\`** (rule 4) rather than over-deliberating.
+3. **Confidence required.** Include in \`interactiveAnswers\` **only** fixes where your answers are justified by what you see in code (exact SELECT strings where applicable).
+4. **Abstain rather than guess.** If you **cannot** justify any responsible answer after inspecting the code (ambiguous flows, missing callers, isomorphic bundles, unclear SSRF allowlists, etc.), **omit that fix id entirely** from \`interactiveAnswers\`. Tell the user in prose what was skipped and why so they can fix manually or follow up later \u2014 **do not fabricate answers**.
+5. **Skipping everything.** If you skip **all** interactive fixes, still call **\`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\`** once with \`"interactiveAnswers": []\` (empty array) together with \`path\`. That acknowledges abstention **without** starting a new scan. Omitting \`interactiveAnswers\` entirely falls back to scan mode instead \u2014 avoid that when you intend purely to abstain.
+6. **Use exact option strings for SELECT questions.** Copy them character-for-character from the option list. Do **not** append explanation, rationale, or commentary to the value \u2014 that turns the answer into a non-matching string and the backend silently falls back to its default.
+7. **Use the \`key\` verbatim, not the human label.** Each question shows a backtick-quoted key (e.g. \`is_server_side_code\`, \`tainted_term_type\`). That exact string goes into \`answers[].key\`. The display name (e.g. \`isServerSideCode\`, \`taintedTermType\`) is for humans only \u2014 sending it as a key means the backend won't recognise the answer and falls back to the default.
+8. **After the tool call**, summarize: fixes applied with reasoning; fixes skipped (confidence/abstention/time-budget); tool failures.
+
+### Decision heuristics for common questions
+
+(Keys shown in snake_case \u2014 copy them verbatim from each fix's question block.)
+
+- **\`is_server_side_code\` (XSS)** \u2014 \`yes\` when server-render or Node HTTP handlers dominate; \`no\` when clearly browser-only. If bundle/context is genuinely ambiguous after inspection, **omit** this fix from \`interactiveAnswers\`.
+- **\`tainted_term_type\` (Path Traversal)** \u2014 match how user input is joined/consumed (single filename vs path segments vs absolute). If usage cannot be determined, **omit**.
+- **\`iframe_restrictions\`** \u2014 strict sandbox (\`""\`) unless embedded content clearly needs listed capabilities.
+
+### How to call \`${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES}\`
+
+Apply fixes you are confident about (subset allowed):
+
+\`\`\`json
+{
+  "path": "${repositoryPath}",
+  "interactiveAnswers": [
+    {
+      "fixId": "<fix id from below>",
+      "answers": [
+        { "key": "<question key, exactly as shown>", "value": "<your decided value>" }
+      ]
+    }
+  ]
+}
+\`\`\`
+
+Explicit abstention \u2014 skip **all** interactive fixes without rescanning:
+
+\`\`\`json
+{
+  "path": "${repositoryPath}",
+  "interactiveAnswers": []
+}
+\`\`\`
 
-${skippedCount} fix${s} ${verb} user input that is not available over MCP and ${wasWere} skipped. Mention this to the user when summarizing results.
+${fixesBlock}
 `;
 };
+var interactiveAnswersAbstainAllToolResponse = `## Interactive fixes \u2014 none applied
+
+\`interactiveAnswers\` was an empty array: **no** tailored patches were requested and **no** scan was run.
+
+State clearly for the user which interactive fixes you **skipped**, why the code did not support a confident answer, and that they can apply those manually or re-run after clarifying the codebase.`;
 var noFixesReturnedForParametersWithGuidance = ({
   offset,
   limit,
@@ -24593,9 +24850,13 @@ var applyFixesPrompt = ({
   currentTool,
   offset,
   limit,
-  gqlClient
+  gqlClient,
+  hasInteractiveFixes = false
 }) => {
   if (fixes.length === 0) {
+    if (hasInteractiveFixes) {
+      return "";
+    }
     if (totalCount > 0) {
       return noFixesReturnedForParametersWithGuidance({
         offset,
@@ -24782,11 +25043,16 @@ var fixesFoundPrompt = ({
   offset,
   limit,
   gqlClient,
-  skippedInteractiveCount = 0
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
+  const interactiveBlock = interactiveFixesPrompt({
+    interactiveFixes,
+    repositoryPath
+  });
   if (totalFixes === 0) {
-    return noFixesAvailablePrompt + skippedInteractiveFixesNotice(skippedInteractiveCount);
+    return noFixesAvailablePrompt + interactiveBlock;
   }
   const criticalFixes = fixReport.CRITICAL?.aggregate?.count || 0;
   const highFixes = fixReport.HIGH?.aggregate?.count || 0;
@@ -24828,8 +25094,9 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
     offset,
     limit,
-    gqlClient
-  })}${skippedInteractiveFixesNotice(skippedInteractiveCount)}`;
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
+  })}${interactiveBlock}`;
 };
 var nextStepsPrompt = ({ scannedFiles }) => `
 ### \u{1F4C1} Scanned Files
@@ -24876,10 +25143,15 @@ var fixesPrompt = ({
   scannedFiles,
   limit,
   gqlClient,
-  skippedInteractiveCount = 0
+  interactiveFixes = [],
+  repositoryPath
 }) => {
+  const interactiveBlock = interactiveFixesPrompt({
+    interactiveFixes,
+    repositoryPath
+  });
   if (totalCount === 0) {
-    return noFixesFoundPrompt({ scannedFiles }) + skippedInteractiveFixesNotice(skippedInteractiveCount);
+    return noFixesFoundPrompt({ scannedFiles }) + interactiveBlock;
   }
   const shownCount = fixes.length;
   const nextOffset = offset + shownCount;
@@ -24895,9 +25167,10 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES,
     offset,
     limit,
-    gqlClient
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
   })}
-${skippedInteractiveFixesNotice(skippedInteractiveCount)}
+${interactiveBlock}
 ${nextStepsPrompt({ scannedFiles })}
 `;
 };
@@ -24971,7 +25244,8 @@ var freshFixesPrompt = ({
   fixes,
   limit,
   gqlClient,
-  skippedInteractiveCount = 0
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   return `Here are the fresh fixes to the vulnerabilities discovered by Mobb MCP
 
@@ -24984,9 +25258,10 @@ ${applyFixesPrompt({
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
     offset: 0,
     limit,
-    gqlClient
+    gqlClient,
+    hasInteractiveFixes: interactiveFixes.length > 0
   })}
-${skippedInteractiveFixesNotice(skippedInteractiveCount)}
+${interactiveFixesPrompt({ interactiveFixes, repositoryPath })}
 `;
 };
 function extractTargetFileFromPatch(patch) {
@@ -25006,7 +25281,8 @@ function formatSeverity(severityText, severityValue) {
 var appliedFixesSummaryPrompt = ({
   fixes,
   gqlClient,
-  skippedInteractiveCount = 0
+  interactiveFixes = [],
+  repositoryPath
 }) => {
   const fixIds = fixes.map((fix) => fix.id);
   void gqlClient.updateFixesDownloadStatus(fixIds);
@@ -25041,7 +25317,7 @@ ${fixes.map((fix, index) => {
 ${continuousMonitoringSection}
 
 ${autoFixSettingsSection}
-${skippedInteractiveFixesNotice(skippedInteractiveCount)}
+${interactiveFixesPrompt({ interactiveFixes, repositoryPath })}
 ## \u{1F4CB} Next Steps
 
 1. **Review the changes** - Check the modified files to understand what was fixed
@@ -25675,7 +25951,7 @@ var LocalMobbFolderService = class {
     if (fix.vulnerabilityReportIssues.length > 0) {
       fix.vulnerabilityReportIssues.forEach((issue) => {
         if (issue.vulnerabilityReportIssueTags && issue.vulnerabilityReportIssueTags.length > 0) {
-          markdown += `**Tags:** ${issue.vulnerabilityReportIssueTags.map((tag) => tag.vulnerability_report_issue_tag_value).join(", ")}
+          markdown += `**Tags:** ${issue.vulnerabilityReportIssueTags.map((tag2) => tag2.vulnerability_report_issue_tag_value).join(", ")}
 
 `;
         }
@@ -25948,6 +26224,7 @@ var LocalMobbFolderService = class {
 };
 
 // src/mcp/services/PatchApplicationService.ts
+init_client_generates();
 init_configs();
 import {
   existsSync as existsSync6,
@@ -26513,7 +26790,8 @@ var PatchApplicationService = class {
     repositoryPath,
     scanStartTime,
     gqlClient,
-    scanContext
+    scanContext,
+    downloadSource = "AUTO_MVS" /* AutoMvs */
   }) {
     const appliedFixes = [];
     const failedFixes = [];
@@ -26572,20 +26850,26 @@ var PatchApplicationService = class {
     if (appliedFixes.length > 0 && gqlClient) {
       try {
         const appliedFixIds = appliedFixes.map((fix) => fix.id).filter(Boolean);
-        await gqlClient.updateAutoAppliedFixesStatus(appliedFixIds);
+        if (downloadSource === "MCP" /* Mcp */) {
+          await gqlClient.updateFixesDownloadStatus(appliedFixIds);
+        } else {
+          await gqlClient.updateAutoAppliedFixesStatus(appliedFixIds);
+        }
         logDebug(
-          `[${scanContext}] Successfully updated download status for auto-applied fixes`,
+          `[${scanContext}] Successfully updated download status for applied fixes`,
           {
             appliedFixIds,
-            count: appliedFixIds.length
+            count: appliedFixIds.length,
+            downloadSource
           }
         );
       } catch (error) {
         logError(
-          `[${scanContext}] Failed to update download status for auto-applied fixes`,
+          `[${scanContext}] Failed to update download status for applied fixes`,
           {
             error: error instanceof Error ? error.message : String(error),
-            appliedFixCount: appliedFixes.length
+            appliedFixCount: appliedFixes.length,
+            downloadSource
           }
         );
       }
@@ -27327,6 +27611,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     __publicField(this, "path", "");
     __publicField(this, "filesLastScanned", {});
     __publicField(this, "freshFixes", []);
+    __publicField(this, "interactiveFixes", []);
     __publicField(this, "reportedFixes", []);
     __publicField(this, "intervalId", null);
     __publicField(this, "isInitialScanComplete", false);
@@ -27348,6 +27633,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
   reset() {
     this.filesLastScanned = {};
     this.freshFixes = [];
+    this.interactiveFixes = [];
     this.reportedFixes = [];
     this.hasAuthenticationFailed = false;
     this.fullScanPathsScanned = configStore.get("fullScanPathsScanned") || [];
@@ -27433,6 +27719,16 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       const newFixes = fixes?.fixes?.filter(
         (fix) => !this.isFixAlreadyReported(fix)
       );
+      const newInteractiveFixes = fixes?.interactiveFixes?.filter(
+        (fix) => !this.isFixAlreadyReported(fix)
+      ) ?? [];
+      if (newInteractiveFixes.length > 0) {
+        this.interactiveFixes.push(...newInteractiveFixes);
+        logInfo(
+          `[${scanContext}] Buffered ${newInteractiveFixes.length} interactive fixes for next response`,
+          { totalBuffered: this.interactiveFixes.length }
+        );
+      }
       logInfo(
         `[${scanContext}] Security fixes retrieved, total: ${fixes?.fixes?.length || 0}, new: ${newFixes?.length || 0}`
       );
@@ -27862,7 +28158,9 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       return freshFixesPrompt({
         fixes: freshFixes,
         limit: MCP_DEFAULT_LIMIT,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        interactiveFixes: this.interactiveFixes.splice(0, MCP_DEFAULT_LIMIT),
+        repositoryPath: this.path
       });
     }
     logInfo(`[${scanContext}] No fresh fixes to report`);
@@ -27876,7 +28174,9 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       );
       return appliedFixesSummaryPrompt({
         fixes: appliedFixesToShow,
-        gqlClient: this.gqlClient
+        gqlClient: this.gqlClient,
+        interactiveFixes: this.interactiveFixes.splice(0, MCP_DEFAULT_LIMIT),
+        repositoryPath: this.path
       });
     }
     logInfo(`[${scanContext}] No applied fixes to report`);
@@ -27983,6 +28283,7 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
   }
   async checkForAvailableFixes({
     repoUrl,
+    repositoryPath,
     limit = MCP_DEFAULT_LIMIT,
     offset,
     fileFilter
@@ -28020,7 +28321,8 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
         offset: effectiveOffset,
         limit,
         gqlClient,
-        skippedInteractiveCount: fixReport.skippedRuleIds?.length ?? 0
+        interactiveFixes: fixReport.interactiveFixes ?? [],
+        repositoryPath
       });
       this.currentOffset = effectiveOffset + (fixReport.fixes?.length || 0);
       return prompt;
@@ -28162,6 +28464,7 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
     }
     const fixResult = await this.availableFixesService.checkForAvailableFixes({
       repoUrl: originUrl,
+      repositoryPath: path37,
       limit: args.limit,
       offset: args.offset,
       fileFilter: actualFileFilter
@@ -28265,6 +28568,7 @@ import z45 from "zod";
 init_configs();
 
 // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
+init_client_generates();
 init_configs();
 var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService {
   constructor() {
@@ -28356,7 +28660,8 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         scannedFiles: [...fileList],
         limit: effectiveLimit,
         gqlClient: this.gqlClient,
-        skippedInteractiveCount: fixes.skippedRuleIds.length
+        interactiveFixes: fixes.interactiveFixes,
+        repositoryPath
       });
       this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
       return prompt;
@@ -28401,12 +28706,164 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
     return {
       fixes: fixes?.fixes || [],
       totalCount: fixes?.totalCount || 0,
-      skippedRuleIds: fixes?.skippedRuleIds || []
+      interactiveFixes: fixes?.interactiveFixes || []
     };
   }
+  /** Applies patches from interactiveAnswers only (no scan). */
+  async applyInteractiveAnswers({
+    interactiveAnswers,
+    repositoryPath
+  }) {
+    this.gqlClient = await this.initializeGqlClient();
+    logInfo(
+      `Applying ${interactiveAnswers.length} interactive fix(es) with LLM-supplied answers`,
+      { repositoryPath }
+    );
+    const applied = [];
+    const failed = [];
+    const skipped = [];
+    for (const entry of interactiveAnswers) {
+      try {
+        const { fixData } = await this.gqlClient.getFixWithAnswers({
+          fixId: entry.fixId,
+          answers: entry.answers
+        });
+        if (!fixData) {
+          failed.push({
+            fixId: entry.fixId,
+            reason: "Fix not found on the server (may have expired)"
+          });
+          continue;
+        }
+        if (fixData.__typename !== "FixData") {
+          failed.push({
+            fixId: entry.fixId,
+            reason: `Backend returned ${fixData.__typename} \u2014 could not produce a patch with the supplied answers`
+          });
+          continue;
+        }
+        if (!fixData.patch) {
+          failed.push({
+            fixId: entry.fixId,
+            reason: "Backend returned FixData with no patch \u2014 answers did not yield an applicable fix"
+          });
+          continue;
+        }
+        const sentByKey = new Map(entry.answers.map((a) => [a.key, a.value]));
+        const invalidSelectAnswers = [];
+        for (const q of fixData.questions) {
+          if (q.inputType !== "SELECT" /* Select */) continue;
+          const sentValue = sentByKey.get(q.key);
+          if (sentValue === void 0) continue;
+          if (!q.options.includes(sentValue)) {
+            invalidSelectAnswers.push({
+              key: q.key,
+              sentValue,
+              options: [...q.options]
+            });
+          }
+        }
+        if (invalidSelectAnswers.length > 0) {
+          skipped.push({
+            fixId: entry.fixId,
+            invalidSelectAnswers
+          });
+          continue;
+        }
+        const newPendingKeys = fixData.questions.map((q) => q.key).filter((k) => !sentByKey.has(k));
+        const mcpFix = McpFixSchema.parse({
+          __typename: "fix",
+          id: entry.fixId,
+          confidence: 0,
+          safeIssueType: null,
+          safeIssueLanguage: null,
+          severityText: null,
+          severityValue: null,
+          vulnerabilityReportIssues: [],
+          patchAndQuestions: fixData
+        });
+        const result = await PatchApplicationService.applyFixes({
+          fixes: [mcpFix],
+          repositoryPath,
+          gqlClient: this.gqlClient,
+          scanContext: ScanContext.USER_REQUEST,
+          downloadSource: "MCP" /* Mcp */
+        });
+        if (result.appliedFixes.length > 0) {
+          const targetFile = extractTargetFile(fixData.patch) ?? "unknown file";
+          applied.push({
+            fixId: entry.fixId,
+            targetFile,
+            newPendingKeys
+          });
+        } else {
+          failed.push({
+            fixId: entry.fixId,
+            reason: result.failedFixes[0]?.error ?? "patch application failed"
+          });
+        }
+      } catch (error) {
+        failed.push({
+          fixId: entry.fixId,
+          reason: error.message
+        });
+      }
+    }
+    return formatApplyAnswersSummary({ applied, failed, skipped });
+  }
 };
 __publicField(_ScanAndFixVulnerabilitiesService, "instance");
 var ScanAndFixVulnerabilitiesService = _ScanAndFixVulnerabilitiesService;
+function extractTargetFile(patch) {
+  const match = patch.match(/^\+\+\+ b\/(.+)$/m);
+  return match?.[1] ?? null;
+}
+function formatApplyAnswersSummary({
+  applied,
+  failed,
+  skipped
+}) {
+  const sections = [];
+  if (applied.length > 0) {
+    sections.push(
+      `## \u2705 Applied ${applied.length} fix${applied.length === 1 ? "" : "es"}
+
+` + applied.map((a) => {
+        const hint = a.newPendingKeys.length > 0 ? `
+  \u26A0\uFE0F The backend returned additional question key(s) we didn't send: [${a.newPendingKeys.map((k) => `\`${k}\``).join(
+          ", "
+        )}]. This is either (a) a true cascading question \u2014 re-call \`scan_and_fix_vulnerabilities\` with those added to \`interactiveAnswers\` if you have a confident answer; or (b) the key we sent was wrong (e.g. camelCase vs snake_case) and the backend fell back to its default \u2014 copy the echoed key verbatim and retry. The patch above was already applied using defaults.` : "";
+        return `- **\`${a.fixId}\`** \u2192 \`${a.targetFile}\`${hint}`;
+      }).join("\n")
+    );
+  }
+  if (skipped.length > 0) {
+    sections.push(
+      `## \u23ED\uFE0F Skipped ${skipped.length} fix${skipped.length === 1 ? "" : "es"} \u2014 invalid SELECT answer value(s)
+
+` + skipped.map((s) => {
+        const detail = s.invalidSelectAnswers.map(
+          (a) => `\`${a.key}\` got \`"${a.sentValue}"\` \u2014 allowed options: [${a.options.map((o) => `\`"${o}"\``).join(", ")}]`
+        ).join("; ");
+        return `- **\`${s.fixId}\`** \u2014 ${detail}
+  The file was **not modified**. Re-call \`scan_and_fix_vulnerabilities\` with one of the exact allowed option strings (copy character-for-character, no commentary appended) or omit this fix entirely if no option is justified by the code.`;
+      }).join("\n") + `
+
+This guardrail exists to prevent the backend from silently falling back to its default sanitizer for an answer it didn't recognize \u2014 which could apply a semantically-wrong patch and break legitimate code paths.`
+    );
+  }
+  if (failed.length > 0) {
+    sections.push(
+      `## \u274C Failed
+
+` + failed.map((f) => `- **\`${f.fixId}\`** \u2014 ${f.reason}`).join("\n")
+    );
+  }
+  if (sections.length === 0) {
+    return "No fixes were processed.";
+  }
+  return sections.join("\n\n");
+}
 
 // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
 var ScanAndFixVulnerabilitiesTool = class extends BaseTool {
@@ -28414,13 +28871,23 @@ var ScanAndFixVulnerabilitiesTool = class extends BaseTool {
     super();
     __publicField(this, "name", MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES);
     __publicField(this, "displayName", "Scan and Fix Vulnerabilities");
-    // A detailed description to guide the LLM on when and how to invoke this tool.
-    __publicField(this, "description", `Scans a given local repository for security vulnerabilities and returns auto-generated code fixes.
+    __publicField(this, "description", `Scans a given local repository for security vulnerabilities, applies the auto-fixable ones, and surfaces any fix that needs your input as an "Interactive fix". Re-invoke with "interactiveAnswers" to apply those.
+
+Two modes of operation:
+
+A) SCAN MODE (default \u2014 interactiveAnswers omitted)
+   - Scans changed/recent files at "path"
+   - Auto-applies fixes that need no input
+   - Returns "Interactive fix" entries for fixes that need decisions; you (the AI) decide answers from the surrounding code
+
+B) APPLY-WITH-ANSWERS MODE (interactiveAnswers field supplied \u2014 array may be empty or partial)
+   - SKIPS scanning entirely (does NOT fall back to scan mode just because some fixes were skipped)
+   - Include ONLY fixes where answers are justified by code/context; omit fix IDs you are not confident about
+   - Empty array []: abstain from applying ALL interactive fixes (no patches fetched \u2014 summarize skips for the user)
 
 When to invoke:
-\u2022 Use when the user explicitly asks to "scan for vulnerabilities", "run a security check", or "test for security issues" in a local repository.
-\u2022 The repository must exist on disk; supply its absolute path with the required "path" argument.
-\u2022 Ideal after the user makes code changes (added/modified/staged files) but before committing, or whenever they request a full rescan.
+\u2022 Mode A \u2014 when the user asks to "scan for vulnerabilities", "run a security check", or after they make code changes.
+\u2022 Mode B \u2014 immediately after Mode A returns interactive fixes; pass confident answers only; use [] only when abstaining from every interactive fix.
 
 How to invoke:
 \u2022 Required argument:
@@ -28430,25 +28897,32 @@ How to invoke:
   \u2013 limit (number): maximum number of fixes to include in the response.
   \u2013 maxFiles (number): maximum number of files to scan (default: ${MCP_DEFAULT_MAX_FILES_TO_SCAN}). Provide this value to increase the scope of the scan.
   \u2013 rescan (boolean): true to force a complete rescan even if cached results exist.
+  \u2013 interactiveAnswers (array): triggers Mode B. Each entry: { fixId, answers: [{ key, value }] }. SELECT values MUST be exact strings from the option list. Omit fixes you cannot answer confidently. Use [] to abstain from all interactive fixes without rescanning.
 
-Behaviour:
-\u2022 If the directory is a valid Git repository, the tool scans the changed files in the repository. If there are no changes, it scans the files included in the las commit.
+Behaviour (Mode A):
+\u2022 If the directory is a valid Git repository, the tool scans the changed files in the repository. If there are no changes, it scans the files included in the last commit.
 \u2022 If the directory is not a valid Git repository, the tool falls back to scanning recently changed files in the folder.
 \u2022 If maxFiles is provided, the tool scans the maxFiles most recently changed files in the repository.
-\u2022 By default, only new, modified, or staged files are scanned; if none are found, it checks recently changed files.
-\u2022 The tool NEVER commits or pushes changes; it only returns proposed diffs/fixes as text.
+\u2022 The tool NEVER commits or pushes changes.
 
 Return value:
-The response is an object with a single "content" array containing one text element. The text is either:
-\u2022 A human-readable summary of the fixes / patches, or
-\u2022 A diagnostic or error message if the scan fails or finds nothing to fix.
+A "content" array with one text element. Either a human-readable summary of fixes/patches, an interactive-fix prompt, an apply-with-answers result, or an error message.
 
-Example payload:
+Example payload (Mode A):
+{ "path": "/home/user/my-project", "limit": 20, "maxFiles": 50 }
+
+Example payload (Mode B \u2014 subset or abstain):
 {
   "path": "/home/user/my-project",
-  "limit": 20,
-  "maxFiles": 50,
-  "rescan": false
+  "interactiveAnswers": [
+    { "fixId": "abc-123", "answers": [{ "key": "isServerSideCode", "value": "yes" }] }
+  ]
+}
+
+Example payload (Mode B \u2014 abstain from every interactive fix, no rescan):
+{
+  "path": "/home/user/my-project",
+  "interactiveAnswers": []
 }`);
     __publicField(this, "hasAuthentication", true);
     __publicField(this, "inputValidationSchema", z45.object({
@@ -28463,6 +28937,21 @@ Example payload:
       rescan: z45.boolean().optional().describe("Optional whether to rescan the repository"),
       scanRecentlyChangedFiles: z45.boolean().optional().describe(
         "Optional whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
+      ),
+      interactiveAnswers: z45.array(
+        z45.object({
+          fixId: z45.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
+          answers: z45.array(
+            z45.object({
+              key: z45.string().min(1).describe("FixQuestion key."),
+              value: z45.string().describe(
+                "For SELECT questions MUST be one of the listed options; for TEXT/NUMBER, a free-form value."
+              )
+            })
+          ).min(1)
+        })
+      ).optional().describe(
+        "When supplied (including []), SKIPS scanning. Non-empty: apply each listed interactive fix. Empty []: abstain from all interactive fixes \u2014 no patches applied. Omit entirely for scan mode."
       )
     }));
     __publicField(this, "inputSchema", {
@@ -28491,6 +28980,34 @@ Example payload:
         scanRecentlyChangedFiles: {
           type: "boolean",
           description: "[Optional] whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
+        },
+        interactiveAnswers: {
+          type: "array",
+          items: {
+            type: "object",
+            properties: {
+              fixId: {
+                type: "string",
+                description: 'Fix id from a previous "Interactive fix" prompt.'
+              },
+              answers: {
+                type: "array",
+                items: {
+                  type: "object",
+                  properties: {
+                    key: { type: "string", description: "FixQuestion key." },
+                    value: {
+                      type: "string",
+                      description: "Decided value (SELECT must match an option exactly)."
+                    }
+                  },
+                  required: ["key", "value"]
+                }
+              }
+            },
+            required: ["fixId", "answers"]
+          },
+          description: "[Optional] When supplied (including []), skips scanning. Non-empty: apply interactive fixes with answers. Empty []: abstain from all interactive fixes without rescanning. Omit for scan mode."
         }
       },
       required: ["path"]
@@ -28501,7 +29018,8 @@ Example payload:
   }
   async executeInternal(args) {
     logDebug(`Executing tool: ${this.name}`, {
-      path: args.path
+      path: args.path,
+      mode: args.interactiveAnswers === void 0 ? "scan" : args.interactiveAnswers.length === 0 ? "apply-interactive-abstain-all" : "apply-with-answers"
     });
     if (!args.path) {
       throw new Error("Invalid arguments: Missing required parameter 'path'");
@@ -28513,6 +29031,26 @@ Example payload:
       );
     }
     const path37 = pathValidationResult.path;
+    if (args.interactiveAnswers !== void 0) {
+      if (args.interactiveAnswers.length === 0) {
+        return this.createSuccessResponse(
+          interactiveAnswersAbstainAllToolResponse
+        );
+      }
+      try {
+        const result = await this.vulnerabilityFixService.applyInteractiveAnswers({
+          interactiveAnswers: args.interactiveAnswers,
+          repositoryPath: path37
+        });
+        return this.createSuccessResponse(result);
+      } catch (error) {
+        const message = error.message;
+        logError("Tool execution failed (apply-with-answers)", {
+          error: message
+        });
+        return this.createSuccessResponse(message);
+      }
+    }
     const files = await getLocalFiles({
       path: path37,
       maxFileSize: MCP_MAX_FILE_SIZE,