mobbdev 1.4.12 → 1.4.15

package/dist/args/commands/upload_ai_blame.mjs

@@ -1037,7 +1037,7 @@ var init_client_generates = __esm({
 }
     `;
     DigestVulnerabilityReportDocument = `
-    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String) {
+    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String, $baselineCommit: String) {
   digestVulnerabilityReport(
     fixReportId: $fixReportId
     vulnerabilityReportFileName: $vulnerabilityReportFileName
@@ -1046,6 +1046,7 @@ var init_client_generates = __esm({
     repoUrl: $repoUrl
     reference: $reference
     sha: $sha
+    baselineCommit: $baselineCommit
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1262,14 +1263,14 @@ var init_client_generates = __esm({
     GetLatestReportByRepoUrlDocument = `
     query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!, $currentUserEmail: String!) {
   fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
     ...FixReportSummaryFields
   }
   expiredReport: fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
@@ -1577,7 +1578,7 @@ var init_analysis = __esm({
 
 // src/features/analysis/scm/shared/src/types/issue.ts
 import { z as z4 } from "zod";
-var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapBucketTypeToCategory;
+var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapBucketTypeToCategory;
 var init_issue = __esm({
   "src/features/analysis/scm/shared/src/types/issue.ts"() {
     "use strict";
@@ -1659,12 +1660,17 @@ var init_issue = __esm({
           return { codeDiff };
         })
       }).nullish(),
-      sharedState: VulnerabilityReportIssueSharedStateZ
+      sharedState: VulnerabilityReportIssueSharedStateZ,
+      unfixableId: z4.string().uuid().nullish()
     });
     FalsePositivePartsZ = z4.object({
       extraContext: z4.array(z4.object({ key: z4.string(), value: z4.string() })),
       fixDescription: z4.string()
     });
+    UnfixablePartsZ = z4.object({
+      extraContext: z4.array(z4.object({ key: z4.string(), value: z4.string() })),
+      fixDescription: z4.string()
+    });
     IssuePartsWithFixZ = BaseIssuePartsZ.merge(
       z4.object({
         category: z4.literal("Irrelevant" /* Irrelevant */),
@@ -1686,7 +1692,8 @@ var init_issue = __esm({
           z4.literal("Fixable" /* Fixable */),
           z4.literal("Filtered" /* Filtered */),
           z4.literal("Pending" /* Pending */)
-        ])
+        ]),
+        getUnfixable: UnfixablePartsZ.nullish()
       })
     );
     IssuePartsZ = z4.union([
@@ -4431,6 +4438,18 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
 
 // src/utils/gitUtils.ts
 import simpleGit from "simple-git";
+var tag = (sink) => (data, msg) => {
+  if (msg) {
+    const sanitizedMsg = String(msg).replace(/\n|\r/g, "");
+    sink(`[GIT] ${sanitizedMsg}`, data);
+  } else {
+    sink("[GIT]", data);
+  }
+};
+var defaultLogger = {
+  debug: tag(console.log),
+  warn: tag(console.warn)
+};
 
 // src/utils/index.ts
 var sleep = (ms = 2e3) => new Promise((r) => setTimeout(r, ms));
@@ -7222,7 +7241,8 @@ var GQLClient = class {
     repoUrl,
     reference,
     sha,
-    shouldScan
+    shouldScan,
+    baselineCommit
   }) {
     const res = await this._clientSdk.DigestVulnerabilityReport({
       fixReportId,
@@ -7231,7 +7251,8 @@ var GQLClient = class {
       scanSource,
       repoUrl,
       reference,
-      sha
+      sha,
+      baselineCommit
     });
     if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
       throw new Error("Digesting vulnerability report failed");
@@ -8148,7 +8169,7 @@ function getStableComputerName() {
 }
 
 // src/args/commands/upload_ai_blame.ts
-var defaultLogger = {
+var defaultLogger2 = {
   info: (msg, data) => {
     if (data !== void 0) {
       console.log(msg, data);
@@ -8365,7 +8386,7 @@ async function uploadAiBlameHandler(options) {
     exitOnError = true,
     apiUrl,
     webAppUrl,
-    logger = defaultLogger
+    logger = defaultLogger2
   } = options;
   const prompts = args.prompt || [];
   const inferences = args.inference || [];

package/dist/index.mjs

@@ -1037,7 +1037,7 @@ var init_client_generates = __esm({
 }
     `;
     DigestVulnerabilityReportDocument = `
-    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String) {
+    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String, $baselineCommit: String) {
   digestVulnerabilityReport(
     fixReportId: $fixReportId
     vulnerabilityReportFileName: $vulnerabilityReportFileName
@@ -1046,6 +1046,7 @@ var init_client_generates = __esm({
     repoUrl: $repoUrl
     reference: $reference
     sha: $sha
+    baselineCommit: $baselineCommit
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1262,14 +1263,14 @@ var init_client_generates = __esm({
     GetLatestReportByRepoUrlDocument = `
     query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!, $currentUserEmail: String!) {
   fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Finished}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
     ...FixReportSummaryFields
   }
   expiredReport: fixReport(
-    where: {_and: [{repo: {originalUrl: {_eq: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
+    where: {_and: [{repo: {originalUrl: {_ilike: $repoUrl}}}, {state: {_eq: Expired}}, {vulnerabilityReport: {scanSource: {_neq: MCP}}}]}
     order_by: {createdOn: desc}
     limit: 1
   ) {
@@ -1364,8 +1365,8 @@ var init_client_generates = __esm({
 
 // src/features/analysis/scm/shared/src/getIssueType.ts
 import { z } from "zod";
-function getTagTooltip(tag) {
-  switch (tag) {
+function getTagTooltip(tag2) {
+  switch (tag2) {
     case "FALSE_POSITIVE":
       return "Issue was found to be a false positive";
     case "TEST_CODE":
@@ -1381,7 +1382,7 @@ function getTagTooltip(tag) {
     case "SUPPRESSED":
       return "Suppressed in the scan report";
     default:
-      return tag;
+      return tag2;
   }
 }
 function replaceKeysWithValues(fixDescription, extraContext) {
@@ -1799,7 +1800,7 @@ var init_analysis = __esm({
 
 // src/features/analysis/scm/shared/src/types/issue.ts
 import { z as z9 } from "zod";
-var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
+var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
 var init_issue = __esm({
   "src/features/analysis/scm/shared/src/types/issue.ts"() {
     "use strict";
@@ -1881,12 +1882,17 @@ var init_issue = __esm({
           return { codeDiff };
         })
       }).nullish(),
-      sharedState: VulnerabilityReportIssueSharedStateZ
+      sharedState: VulnerabilityReportIssueSharedStateZ,
+      unfixableId: z9.string().uuid().nullish()
     });
     FalsePositivePartsZ = z9.object({
       extraContext: z9.array(z9.object({ key: z9.string(), value: z9.string() })),
       fixDescription: z9.string()
     });
+    UnfixablePartsZ = z9.object({
+      extraContext: z9.array(z9.object({ key: z9.string(), value: z9.string() })),
+      fixDescription: z9.string()
+    });
     IssuePartsWithFixZ = BaseIssuePartsZ.merge(
       z9.object({
         category: z9.literal("Irrelevant" /* Irrelevant */),
@@ -1908,7 +1914,8 @@ var init_issue = __esm({
           z9.literal("Fixable" /* Fixable */),
           z9.literal("Filtered" /* Filtered */),
           z9.literal("Pending" /* Pending */)
-        ])
+        ]),
+        getUnfixable: UnfixablePartsZ.nullish()
       })
     );
     IssuePartsZ = z9.union([
@@ -4871,7 +4878,8 @@ var getCommitIssueDescription = ({
   vendor,
   issueType,
   irrelevantIssueWithTags,
-  fpDescription
+  fpDescription,
+  unfixableDescription
 }) => {
   const issueTypeString = getIssueTypeFriendlyString(issueType);
   let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
@@ -4887,7 +4895,7 @@ var getCommitIssueDescription = ({
 
 
 ## Justification
-${fpDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
+${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
 `;
     }
     const staticData = fixDetailsData[parseIssueTypeRes.data];
@@ -6909,25 +6917,18 @@ function getScmConfig({
   });
   const virtualDomain = filteredBrokerHosts[0]?.virtualDomain;
   const virtualUrl = virtualDomain ? `https://${virtualDomain}${urlObject.pathname}${urlObject.search}` : void 0;
-  const scmOrgConfig = filteredScmConfigs.find((scm) => scm.orgId && scm.token);
-  if (scmOrgConfig && includeOrgTokens) {
-    return {
-      id: scmOrgConfig.id,
-      accessToken: scmOrgConfig.token || void 0,
-      scmLibType: getScmLibTypeFromScmType(scmOrgConfig.scmType),
-      scmOrg: scmOrgConfig.scmOrg || void 0,
-      virtualUrl
-    };
-  }
-  const scmUserConfig = filteredScmConfigs.find(
-    (scm) => scm.userId && scm.token
-  );
-  if (scmUserConfig) {
+  const matched = filteredScmConfigs.find((scm) => {
+    if (!scm.token) return false;
+    if (scm.userId) return true;
+    if (scm.orgId) return includeOrgTokens;
+    return false;
+  });
+  if (matched) {
     return {
-      id: scmUserConfig.id,
-      accessToken: scmUserConfig.token || void 0,
-      scmLibType: getScmLibTypeFromScmType(scmUserConfig.scmType),
-      scmOrg: scmUserConfig.scmOrg || void 0,
+      id: matched.id,
+      accessToken: matched.token || void 0,
+      scmLibType: getScmLibTypeFromScmType(matched.scmType),
+      scmOrg: matched.scmOrg || void 0,
       virtualUrl
     };
   }
@@ -9631,12 +9632,12 @@ function getGithubSdk(params = {}) {
       });
     },
     async getTagDate({
-      tag,
+      tag: tag2,
       owner,
       repo
     }) {
       const refResponse = await octokit.rest.git.getRef({
-        ref: `tags/${tag}`,
+        ref: `tags/${tag2}`,
         owner,
         repo
       });
@@ -10655,7 +10656,11 @@ var GithubSCMLib = class extends SCMLib {
       }
       const aDate = a.repoUpdatedAt ? Date.parse(a.repoUpdatedAt) : 0;
       const bDate = b.repoUpdatedAt ? Date.parse(b.repoUpdatedAt) : 0;
-      return (aDate - bDate) * sortOrder;
+      const dateCmp = (aDate - bDate) * sortOrder;
+      if (dateCmp !== 0) {
+        return dateCmp;
+      }
+      return a.repoName.localeCompare(b.repoName) * sortOrder;
     });
     const limit = params.limit || 10;
     const offset = parseCursorSafe(params.cursor, 0);
@@ -12268,22 +12273,24 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
 
 // src/utils/gitUtils.ts
 import simpleGit2 from "simple-git";
-var defaultLogger = {
-  info: (data, msg) => {
-    if (msg) {
-      const sanitizedMsg = String(msg).replace(/\n|\r/g, "");
-      console.log(`[GIT] ${sanitizedMsg}`, data);
-    } else {
-      console.log("[GIT]", data);
-    }
+var tag = (sink) => (data, msg) => {
+  if (msg) {
+    const sanitizedMsg = String(msg).replace(/\n|\r/g, "");
+    sink(`[GIT] ${sanitizedMsg}`, data);
+  } else {
+    sink("[GIT]", data);
   }
 };
+var defaultLogger = {
+  debug: tag(console.log),
+  warn: tag(console.warn)
+};
 function createGitWithLogging(dirName, logger3 = defaultLogger) {
   return simpleGit2(dirName, {
     maxConcurrentProcesses: 6
   }).outputHandler((bin, stdout2, stderr2) => {
     const callID = Math.random();
-    logger3.info({ callID, bin }, "Start git CLI call");
+    logger3.debug({ callID, bin }, "Start git CLI call");
     let errChunks = [];
     let outChunks = [];
     let isStdoutDone = false;
@@ -12304,7 +12311,7 @@ function createGitWithLogging(dirName, logger3 = defaultLogger) {
         err: `${errChunks.join("").slice(0, 200)}...`,
         out: `${outChunks.join("").slice(0, 200)}...`
       };
-      logger3.info(logObj, "git log output");
+      logger3.debug(logObj, "git log output");
       stderr2.removeListener("data", onStderrData);
       stdout2.removeListener("data", onStdoutData);
       errChunks = [];
@@ -12318,11 +12325,11 @@ function createGitWithLogging(dirName, logger3 = defaultLogger) {
     stderr2.on("close", () => markDone("stderr"));
     stdout2.on("close", () => markDone("stdout"));
     stderr2.on("error", (error) => {
-      logger3.info({ callID, error: String(error) }, "git stderr stream error");
+      logger3.warn({ callID, error: String(error) }, "git stderr stream error");
       markDone("stderr");
     });
     stdout2.on("error", (error) => {
-      logger3.info({ callID, error: String(error) }, "git stdout stream error");
+      logger3.warn({ callID, error: String(error) }, "git stdout stream error");
       markDone("stdout");
     });
   });
@@ -12340,15 +12347,15 @@ import sax from "sax";
 var BaseStreamParser = class {
   constructor(parser) {
     __publicField(this, "currentPath", []);
-    parser.on("opentag", (tag) => this.onOpenTag(tag));
+    parser.on("opentag", (tag2) => this.onOpenTag(tag2));
     parser.on("closetag", () => this.onCloseTag());
     parser.on("text", (text) => this.onText(text));
   }
   getPathString() {
     return this.currentPath.join(" > ");
   }
-  onOpenTag(tag) {
-    this.currentPath.push(tag.name);
+  onOpenTag(tag2) {
+    this.currentPath.push(tag2.name);
   }
   onCloseTag() {
     this.currentPath.pop();
@@ -12361,12 +12368,12 @@ var AuditMetadataParser = class extends BaseStreamParser {
     super(...arguments);
     __publicField(this, "suppressedMap", {});
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "Audit > IssueList > Issue":
-        this.suppressedMap[String(tag.attributes["instanceId"] ?? "")] = String(
-          tag.attributes["suppressed"] ?? ""
+        this.suppressedMap[String(tag2.attributes["instanceId"] ?? "")] = String(
+          tag2.attributes["suppressed"] ?? ""
         );
         break;
     }
@@ -12385,18 +12392,18 @@ var ReportMetadataParser = class extends BaseStreamParser {
     __publicField(this, "ruleId", "");
     __publicField(this, "groupName", "");
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > EngineData > RuleInfo > Rule":
-        this.ruleId = String(tag.attributes["id"] ?? "");
+        this.ruleId = String(tag2.attributes["id"] ?? "");
         break;
       case "FVDL > EngineData > RuleInfo > Rule > MetaInfo > Group":
-        this.groupName = String(tag.attributes["name"] ?? "");
+        this.groupName = String(tag2.attributes["name"] ?? "");
         break;
       case "FVDL > CreatedTS":
-        this.createdTSDate = String(tag.attributes["date"] ?? "");
-        this.createdTSTime = String(tag.attributes["time"] ?? "");
+        this.createdTSDate = String(tag2.attributes["date"] ?? "");
+        this.createdTSTime = String(tag2.attributes["time"] ?? "");
         break;
     }
   }
@@ -12429,19 +12436,19 @@ var UnifiedNodePoolParser = class extends BaseStreamParser {
     __publicField(this, "codePoints", {});
     __publicField(this, "nodeId", "");
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > UnifiedNodePool > Node":
-        this.nodeId = String(tag.attributes["id"] ?? "");
+        this.nodeId = String(tag2.attributes["id"] ?? "");
         break;
       case "FVDL > UnifiedNodePool > Node > SourceLocation":
         this.codePoints[this.nodeId] = {
-          path: String(tag.attributes["path"] ?? ""),
-          colStart: String(tag.attributes["colStart"] ?? ""),
-          colEnd: String(tag.attributes["colEnd"] ?? ""),
-          line: String(tag.attributes["line"] ?? ""),
-          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+          path: String(tag2.attributes["path"] ?? ""),
+          colStart: String(tag2.attributes["colStart"] ?? ""),
+          colEnd: String(tag2.attributes["colEnd"] ?? ""),
+          line: String(tag2.attributes["line"] ?? ""),
+          lineEnd: String(tag2.attributes["lineEnd"] ?? "")
         };
         break;
     }
@@ -12463,8 +12470,8 @@ var VulnerabilityParser = class extends BaseStreamParser {
     this.tmpStorageFilePath = tmpStorageFilePath;
     this.tmpStorageFileWriter = fs5.createWriteStream(tmpStorageFilePath);
   }
-  onOpenTag(tag) {
-    super.onOpenTag(tag);
+  onOpenTag(tag2) {
+    super.onOpenTag(tag2);
     switch (this.getPathString()) {
       case "FVDL > Vulnerabilities > Vulnerability":
         this.isInVulnerability = true;
@@ -12473,21 +12480,21 @@ var VulnerabilityParser = class extends BaseStreamParser {
         this.codePoints = [];
         break;
       case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > MetaInfo > Group":
-        this.groupName = String(tag.attributes["name"] ?? "");
+        this.groupName = String(tag2.attributes["name"] ?? "");
         break;
     }
     if (this.isInVulnerability) {
       if (this.getPathString().endsWith(" > Entry > Node > SourceLocation")) {
         this.codePoints.push({
-          path: String(tag.attributes["path"] ?? ""),
-          colStart: String(tag.attributes["colStart"] ?? ""),
-          colEnd: String(tag.attributes["colEnd"] ?? ""),
-          line: String(tag.attributes["line"] ?? ""),
-          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+          path: String(tag2.attributes["path"] ?? ""),
+          colStart: String(tag2.attributes["colStart"] ?? ""),
+          colEnd: String(tag2.attributes["colEnd"] ?? ""),
+          line: String(tag2.attributes["line"] ?? ""),
+          lineEnd: String(tag2.attributes["lineEnd"] ?? "")
         });
       } else if (this.getPathString().endsWith(" > Entry > NodeRef")) {
         this.codePoints.push({
-          id: String(tag.attributes["id"] ?? "")
+          id: String(tag2.attributes["id"] ?? "")
         });
       }
     }
@@ -12964,6 +12971,12 @@ var convertToSarifCodePathPatternsOption = {
   type: "string",
   array: true
 };
+var baselineCommitOption = {
+  describe: chalk2.bold(
+    "Only report findings introduced since this commit (PR mode). The sha must be reachable from the scanned repository \u2014 unreachable baselines fail the scan loudly. Effective only when no scan file is provided."
+  ),
+  type: "string"
+};
 var pollingOption = {
   describe: chalk2.bold(
     "Use HTTP polling instead of WebSocket for status updates. Useful for proxy environments or firewalls that block WebSocket connections. Polling interval: 5 seconds, timeout: 30 minutes."
@@ -13615,7 +13628,8 @@ var GQLClient = class {
     repoUrl,
     reference,
     sha,
-    shouldScan
+    shouldScan,
+    baselineCommit
   }) {
     const res = await this._clientSdk.DigestVulnerabilityReport({
       fixReportId,
@@ -13624,7 +13638,8 @@ var GQLClient = class {
       scanSource,
       repoUrl,
       reference,
-      sha
+      sha,
+      baselineCommit
     });
     if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
       throw new Error("Digesting vulnerability report failed");
@@ -16038,10 +16053,10 @@ function createFork({ args, processPath, name }, options) {
   });
   return createChildProcess({ childProcess: child, name }, options);
 }
-function createSpawn({ args, processPath, name, cwd }, options) {
+function createSpawn({ args, processPath, name, cwd, env: env3 }, options) {
   const child = cp.spawn(processPath, args, {
     stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { ...process2.env },
+    env: { ...process2.env, ...env3 },
     cwd
   });
   return createChildProcess({ childProcess: child, name }, options);
@@ -16496,7 +16511,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
     createOnePr,
     commitDirectly,
     pullRequest,
-    polling
+    polling,
+    baselineCommit
   } = params;
   debug21("start %s %s", dirname, repo);
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
@@ -16613,7 +16629,9 @@ async function _scan(params, { skipPrompts = false } = {}) {
     sha,
     reference,
     shouldScan,
-    polling
+    polling,
+    // Only meaningful when opengrep is going to run (no user-supplied report).
+    baselineCommit: shouldScan ? baselineCommit : void 0
   });
   uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
   const mobbSpinner = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
@@ -16756,7 +16774,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
         command,
         ci,
         shouldScan: shouldScan2,
-        polling
+        polling,
+        // shouldScan is false here (user provided a report); baseline filter
+        // only applies to the opengrep code path. Drop it to keep the contract
+        // honest with the CLI help text.
+        baselineCommit: void 0
       });
       const res = await _zipAndUploadRepo({
         srcPath,
@@ -16780,7 +16802,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
         command,
         ci,
         shouldScan: shouldScan2,
-        polling
+        polling,
+        baselineCommit
       });
     }
     const mobbSpinner2 = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
@@ -16875,7 +16898,8 @@ async function _digestReport({
   sha,
   reference,
   shouldScan,
-  polling
+  polling,
+  baselineCommit
 }) {
   const digestSpinner = createSpinner4(
     progressMassages.processingVulnerabilityReport
@@ -16889,7 +16913,8 @@ async function _digestReport({
         repoUrl,
         sha,
         reference,
-        shouldScan
+        shouldScan,
+        baselineCommit
       }
     );
     const callbackStates = [
@@ -17139,7 +17164,8 @@ async function analyze({
   createOnePr,
   commitDirectly,
   pullRequest,
-  polling
+  polling,
+  baselineCommit
 }, { skipPrompts = false } = {}) {
   !ci && await showWelcomeMessage(skipPrompts);
   await runAnalysis(
@@ -17158,7 +17184,8 @@ async function analyze({
       commitDirectly,
       pullRequest,
       createOnePr,
-      polling
+      polling,
+      baselineCommit
     },
     { skipPrompts }
   );
@@ -17368,9 +17395,12 @@ function analyzeBuilder(yargs2) {
     describe: chalk10.bold("Number of the pull request"),
     type: "number",
     demandOption: false
-  }).option("polling", pollingOption).example(
+  }).option("polling", pollingOption).option("baseline-commit", baselineCommitOption).example(
     "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
     "analyze an existing repository"
+  ).example(
+    "npx mobbdev@latest analyze -r https://github.com/org/repo --baseline-commit <sha>",
+    "analyze only findings introduced since <sha> (PR-mode scan)"
   ).help();
 }
 function validateAnalyzeOptions(argv) {
@@ -19369,7 +19399,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.12" : "unknown";
+var CLI_VERSION = true ? "1.4.15" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -21435,8 +21465,9 @@ var McpGQLClient = class extends GQLClient {
           codeNodes: { path: { _in: fileFilter } }
         };
       }
+      const escapedRepoUrl = repoUrl.replace(/[%_\\]/g, (c) => `\\${c}`);
       const resp = await this._clientSdk.GetLatestReportByRepoUrl({
-        repoUrl,
+        repoUrl: escapedRepoUrl,
         limit,
         offset,
         currentUserEmail,
@@ -25920,7 +25951,7 @@ var LocalMobbFolderService = class {
     if (fix.vulnerabilityReportIssues.length > 0) {
       fix.vulnerabilityReportIssues.forEach((issue) => {
         if (issue.vulnerabilityReportIssueTags && issue.vulnerabilityReportIssueTags.length > 0) {
-          markdown += `**Tags:** ${issue.vulnerabilityReportIssueTags.map((tag) => tag.vulnerability_report_issue_tag_value).join(", ")}
+          markdown += `**Tags:** ${issue.vulnerabilityReportIssueTags.map((tag2) => tag2.vulnerability_report_issue_tag_value).join(", ")}
 
 `;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.12",
+  "version": "1.4.15",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",
@@ -17,10 +17,12 @@
     "test:mcp:watch": "vitest watch __tests__/mcp/",
     "test:mcp:verbose": "pnpm run build && NODE_ENV=test VERBOSE=true vitest run __tests__/mcp/",
     "test:mcp:all": "pnpm run test:unit:mcp && pnpm run test:integration:mcp && pnpm run test:e2e:mcp",
-    "test:unit": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --exclude='**/__tests__/integration.test.ts' --exclude='**/__tests__/integration.mcp.test.ts' --exclude='**/__tests__/mcp/**'",
-    "test:unit:ci": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --exclude='**/__tests__/integration.test.ts' --exclude='**/__tests__/integration.mcp.test.ts' --exclude='**/__tests__/mcp/**'",
+    "test:unit": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --exclude='**/__tests__/integration.test.ts' --exclude='**/__tests__/integration.mcp.test.ts' --exclude='**/__tests__/integration.baseline-commit.test.ts' --exclude='**/__tests__/mcp/**'",
+    "test:unit:ci": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --exclude='**/__tests__/integration.test.ts' --exclude='**/__tests__/integration.mcp.test.ts' --exclude='**/__tests__/integration.baseline-commit.test.ts' --exclude='**/__tests__/mcp/**'",
     "test:integration": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.test.ts",
     "test:integration:ci": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.test.ts",
+    "test:integration:baseline-commit": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.baseline-commit.test.ts",
+    "test:integration:baseline-commit:proxy": "GIT_PROXY_HOST=http://tinyproxy:8888 HTTP_PROXY=http://localhost:8888 API_URL=http://app-api:8080/v1/graphql TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.baseline-commit.test.ts",
     "test:integration:mcp": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.mcp.test.ts",
     "test:integration:mcp:ci": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.mcp.test.ts",
     "test:integration:watch": "GIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest watch run __tests__/integration.test.ts",
@@ -135,6 +137,7 @@
     "@typescript-eslint/parser": "7.17.0",
     "@vitest/coverage-v8": "3.2.4",
     "@vitest/ui": "3.2.4",
+    "dotenv-cli": "10.0.0",
     "eslint": "8.57.0",
     "eslint-plugin-graphql": "4.0.0",
     "eslint-plugin-import": "2.32.0",