mobbdev 1.4.16 → 1.4.18

package/dist/args/commands/upload_ai_blame.mjs

@@ -163,6 +163,7 @@ var init_client_generates = __esm({
       Language2["Default"] = "DEFAULT";
       Language2["Dockerfile"] = "DOCKERFILE";
       Language2["Go"] = "GO";
+      Language2["Hcl"] = "HCL";
       Language2["Java"] = "JAVA";
       Language2["Js"] = "JS";
       Language2["Php"] = "PHP";
@@ -217,6 +218,7 @@ var init_client_generates = __esm({
       IssueLanguage_Enum2["Default"] = "Default";
       IssueLanguage_Enum2["Dockerfile"] = "Dockerfile";
       IssueLanguage_Enum2["Go"] = "Go";
+      IssueLanguage_Enum2["Hcl"] = "Hcl";
       IssueLanguage_Enum2["Java"] = "Java";
       IssueLanguage_Enum2["JavaScript"] = "JavaScript";
       IssueLanguage_Enum2["Php"] = "PHP";
@@ -231,6 +233,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["AutoEscapeFalse"] = "AUTO_ESCAPE_FALSE";
       IssueType_Enum2["AvoidBuiltinShadowing"] = "AVOID_BUILTIN_SHADOWING";
       IssueType_Enum2["AvoidIdentityComparisonCachedTypes"] = "AVOID_IDENTITY_COMPARISON_CACHED_TYPES";
+      IssueType_Enum2["AwsDynamodbPointInTimeRecoveryDisabled"] = "AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED";
       IssueType_Enum2["BufferOverflow"] = "BUFFER_OVERFLOW";
       IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
       IssueType_Enum2["CmDi"] = "CMDi";
@@ -280,6 +283,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InformationExposureViaHeaders"] = "INFORMATION_EXPOSURE_VIA_HEADERS";
       IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
       IssueType_Enum2["InsecureCookie"] = "INSECURE_COOKIE";
+      IssueType_Enum2["InsecureDeserialization"] = "INSECURE_DESERIALIZATION";
       IssueType_Enum2["InsecurePostmessage"] = "INSECURE_POSTMESSAGE";
       IssueType_Enum2["InsecureRandomness"] = "INSECURE_RANDOMNESS";
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
@@ -346,6 +350,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["TrustBoundaryViolation"] = "TRUST_BOUNDARY_VIOLATION";
       IssueType_Enum2["TypeConfusion"] = "TYPE_CONFUSION";
       IssueType_Enum2["UncheckedLoopCondition"] = "UNCHECKED_LOOP_CONDITION";
+      IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
@@ -1884,7 +1889,10 @@ var init_getIssueType = __esm({
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
       ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
-      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()"
+      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
+      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
+      ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2863,7 +2871,23 @@ var init_gitBlameTypes = __esm({
     "use strict";
     PrepareGitBlameMessageZ = z19.object({
       reportId: z19.string(),
-      repoArchivePath: z19.string()
+      repoArchivePath: z19.string(),
+      // Optional list of file paths to blame. Producers must pick one of two modes:
+      //
+      //  - **Omit `filePaths`** = "blame every file in the archive". Used by the
+      //    legacy side-effect producer in scm_agent's PrepareRepository handler
+      //    (consumers/scm_agent/src/index.ts) where the archive is already
+      //    sparse-checkout-narrowed to the report's file set.
+      //
+      //  - **Provide `filePaths`** = "filter the walked tree to this set". Used by
+      //    report_init's `_ensure_git_blame_enqueued` (Python) when the archive is
+      //    a full-repo scan-mode zip that wasn't pre-narrowed.
+      //
+      // Entries should be repo-root-relative paths, but basename-only forms (e.g.
+      // "Login.java" when the actual file is "src/main/java/Login.java") are
+      // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
+      // strings are filtered out defensively.
+      filePaths: z19.array(z19.string()).optional()
     });
     PrepareGitBlameResponseMessageZ = z19.object({
       reportId: z19.string()
@@ -3546,6 +3570,7 @@ var init_FilePatterns = __esm({
       ".tf",
       ".hcl",
       ".tfvars",
+      ".tofu",
       // TypeScript
       ".ts",
       ".tsx",
@@ -5108,7 +5133,16 @@ var fixDetailsData = {
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
-  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0
+  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
+    issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
+    fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
+  },
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: void 0,
+  ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
+    issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
+    fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  }
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -5182,9 +5216,18 @@ var dockerfile_default = vulnerabilities2;
 var vulnerabilities3 = {};
 var go_default = vulnerabilities3;
 
+// src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
+var vulnerabilities4 = {};
+var hcl_default = vulnerabilities4;
+
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
+var insecureDeserialization = {
+  guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
 var j2eeGetConnection = {
   guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
@@ -5235,13 +5278,14 @@ var systemInformationLeak = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
-var vulnerabilities4 = {
+var vulnerabilities5 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: insecureDeserialization,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
 };
-var java_default = vulnerabilities4;
+var java_default = vulnerabilities5;
 
 // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
 init_client_generates();
@@ -5287,18 +5331,18 @@ var ssrf = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
-var vulnerabilities5 = {
+var vulnerabilities6 = {
   ["SSRF" /* Ssrf */]: ssrf,
   ["HARDCODED_SECRETS" /* HardcodedSecrets */]: hardcodedSecrets,
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
   ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling,
   ["CSRF" /* Csrf */]: csrf
 };
-var javascript_default = vulnerabilities5;
+var javascript_default = vulnerabilities6;
 
 // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
-var vulnerabilities6 = {};
-var php_default = vulnerabilities6;
+var vulnerabilities7 = {};
+var php_default = vulnerabilities7;
 
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 init_client_generates();
@@ -5336,12 +5380,12 @@ See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
-var vulnerabilities7 = {
+var vulnerabilities8 = {
   ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
   ["CSRF" /* Csrf */]: csrf,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: improperCertificateValidation
 };
-var python_default = vulnerabilities7;
+var python_default = vulnerabilities8;
 
 // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
 init_client_generates();
@@ -5352,17 +5396,17 @@ var defaultRightsInObjDefinition = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
-var vulnerabilities8 = {
+var vulnerabilities9 = {
   ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */]: defaultRightsInObjDefinition
 };
-var sql_default = vulnerabilities8;
+var sql_default = vulnerabilities9;
 
 // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
 init_client_generates();
-var vulnerabilities9 = {
+var vulnerabilities10 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment
 };
-var xml_default = vulnerabilities9;
+var xml_default = vulnerabilities10;
 
 // src/features/analysis/scm/shared/src/storedFixData/index.ts
 var StoredFixDataItemZ = z10.object({
@@ -5377,7 +5421,8 @@ var languages = {
   ["Python" /* Python */]: python_default,
   ["PHP" /* Php */]: php_default,
   ["Go" /* Go */]: go_default,
-  ["Dockerfile" /* Dockerfile */]: dockerfile_default
+  ["Dockerfile" /* Dockerfile */]: dockerfile_default,
+  ["Hcl" /* Hcl */]: hcl_default
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
@@ -5680,7 +5725,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities10 = {
+var vulnerabilities11 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5701,7 +5746,7 @@ var vulnerabilities10 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities10;
+var csharp_default2 = vulnerabilities11;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5734,12 +5779,12 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities11;
+var go_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
@@ -6190,7 +6235,7 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
   ["CMDi" /* CmDi */]: commandInjection,
@@ -6217,7 +6262,7 @@ var vulnerabilities12 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities12;
+var java_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6546,7 +6591,7 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["CMDi" /* CmDi */]: commandInjection2,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
@@ -6569,7 +6614,7 @@ var vulnerabilities13 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities13;
+var js_default = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6643,7 +6688,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities14 = {
+var vulnerabilities15 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6652,7 +6697,7 @@ var vulnerabilities14 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities14;
+var python_default2 = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6669,10 +6714,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities15;
+var xml_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6705,12 +6750,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities16;
+var yaml_default = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z11.object({

package/dist/index.mjs

@@ -163,6 +163,7 @@ var init_client_generates = __esm({
       Language2["Default"] = "DEFAULT";
       Language2["Dockerfile"] = "DOCKERFILE";
       Language2["Go"] = "GO";
+      Language2["Hcl"] = "HCL";
       Language2["Java"] = "JAVA";
       Language2["Js"] = "JS";
       Language2["Php"] = "PHP";
@@ -217,6 +218,7 @@ var init_client_generates = __esm({
       IssueLanguage_Enum2["Default"] = "Default";
       IssueLanguage_Enum2["Dockerfile"] = "Dockerfile";
       IssueLanguage_Enum2["Go"] = "Go";
+      IssueLanguage_Enum2["Hcl"] = "Hcl";
       IssueLanguage_Enum2["Java"] = "Java";
       IssueLanguage_Enum2["JavaScript"] = "JavaScript";
       IssueLanguage_Enum2["Php"] = "PHP";
@@ -231,6 +233,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["AutoEscapeFalse"] = "AUTO_ESCAPE_FALSE";
       IssueType_Enum2["AvoidBuiltinShadowing"] = "AVOID_BUILTIN_SHADOWING";
       IssueType_Enum2["AvoidIdentityComparisonCachedTypes"] = "AVOID_IDENTITY_COMPARISON_CACHED_TYPES";
+      IssueType_Enum2["AwsDynamodbPointInTimeRecoveryDisabled"] = "AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED";
       IssueType_Enum2["BufferOverflow"] = "BUFFER_OVERFLOW";
       IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
       IssueType_Enum2["CmDi"] = "CMDi";
@@ -280,6 +283,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InformationExposureViaHeaders"] = "INFORMATION_EXPOSURE_VIA_HEADERS";
       IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
       IssueType_Enum2["InsecureCookie"] = "INSECURE_COOKIE";
+      IssueType_Enum2["InsecureDeserialization"] = "INSECURE_DESERIALIZATION";
       IssueType_Enum2["InsecurePostmessage"] = "INSECURE_POSTMESSAGE";
       IssueType_Enum2["InsecureRandomness"] = "INSECURE_RANDOMNESS";
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
@@ -346,6 +350,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["TrustBoundaryViolation"] = "TRUST_BOUNDARY_VIOLATION";
       IssueType_Enum2["TypeConfusion"] = "TYPE_CONFUSION";
       IssueType_Enum2["UncheckedLoopCondition"] = "UNCHECKED_LOOP_CONDITION";
+      IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
@@ -1550,7 +1555,10 @@ var init_getIssueType = __esm({
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
       ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
-      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()"
+      ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
+      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
+      ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2915,7 +2923,23 @@ var init_gitBlameTypes = __esm({
     "use strict";
     PrepareGitBlameMessageZ = z18.object({
       reportId: z18.string(),
-      repoArchivePath: z18.string()
+      repoArchivePath: z18.string(),
+      // Optional list of file paths to blame. Producers must pick one of two modes:
+      //
+      //  - **Omit `filePaths`** = "blame every file in the archive". Used by the
+      //    legacy side-effect producer in scm_agent's PrepareRepository handler
+      //    (consumers/scm_agent/src/index.ts) where the archive is already
+      //    sparse-checkout-narrowed to the report's file set.
+      //
+      //  - **Provide `filePaths`** = "filter the walked tree to this set". Used by
+      //    report_init's `_ensure_git_blame_enqueued` (Python) when the archive is
+      //    a full-repo scan-mode zip that wasn't pre-narrowed.
+      //
+      // Entries should be repo-root-relative paths, but basename-only forms (e.g.
+      // "Login.java" when the actual file is "src/main/java/Login.java") are
+      // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
+      // strings are filtered out defensively.
+      filePaths: z18.array(z18.string()).optional()
     });
     PrepareGitBlameResponseMessageZ = z18.object({
       reportId: z18.string()
@@ -3598,6 +3622,7 @@ var init_FilePatterns = __esm({
       ".tf",
       ".hcl",
       ".tfvars",
+      ".tofu",
       // TypeScript
       ".ts",
       ".tsx",
@@ -4812,7 +4837,16 @@ var fixDetailsData = {
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
-  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0
+  ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
+    issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
+    fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
+  },
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: void 0,
+  ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
+    issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
+    fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  }
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -4974,9 +5008,18 @@ var dockerfile_default = vulnerabilities2;
 var vulnerabilities3 = {};
 var go_default = vulnerabilities3;
 
+// src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
+var vulnerabilities4 = {};
+var hcl_default = vulnerabilities4;
+
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
+var insecureDeserialization = {
+  guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
 var j2eeGetConnection = {
   guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
@@ -5027,13 +5070,14 @@ var systemInformationLeak = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
-var vulnerabilities4 = {
+var vulnerabilities5 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: insecureDeserialization,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
 };
-var java_default = vulnerabilities4;
+var java_default = vulnerabilities5;
 
 // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
 init_client_generates();
@@ -5079,18 +5123,18 @@ var ssrf = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
-var vulnerabilities5 = {
+var vulnerabilities6 = {
   ["SSRF" /* Ssrf */]: ssrf,
   ["HARDCODED_SECRETS" /* HardcodedSecrets */]: hardcodedSecrets,
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
   ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling,
   ["CSRF" /* Csrf */]: csrf
 };
-var javascript_default = vulnerabilities5;
+var javascript_default = vulnerabilities6;
 
 // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
-var vulnerabilities6 = {};
-var php_default = vulnerabilities6;
+var vulnerabilities7 = {};
+var php_default = vulnerabilities7;
 
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 init_client_generates();
@@ -5128,12 +5172,12 @@ See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
-var vulnerabilities7 = {
+var vulnerabilities8 = {
   ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
   ["CSRF" /* Csrf */]: csrf,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: improperCertificateValidation
 };
-var python_default = vulnerabilities7;
+var python_default = vulnerabilities8;
 
 // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
 init_client_generates();
@@ -5144,17 +5188,17 @@ var defaultRightsInObjDefinition = {
 };
 
 // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
-var vulnerabilities8 = {
+var vulnerabilities9 = {
   ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */]: defaultRightsInObjDefinition
 };
-var sql_default = vulnerabilities8;
+var sql_default = vulnerabilities9;
 
 // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
 init_client_generates();
-var vulnerabilities9 = {
+var vulnerabilities10 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment
 };
-var xml_default = vulnerabilities9;
+var xml_default = vulnerabilities10;
 
 // src/features/analysis/scm/shared/src/storedFixData/index.ts
 var StoredFixDataItemZ = z3.object({
@@ -5169,7 +5213,8 @@ var languages = {
   ["Python" /* Python */]: python_default,
   ["PHP" /* Php */]: php_default,
   ["Go" /* Go */]: go_default,
-  ["Dockerfile" /* Dockerfile */]: dockerfile_default
+  ["Dockerfile" /* Dockerfile */]: dockerfile_default,
+  ["Hcl" /* Hcl */]: hcl_default
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
@@ -5472,7 +5517,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities10 = {
+var vulnerabilities11 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5493,7 +5538,7 @@ var vulnerabilities10 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities10;
+var csharp_default2 = vulnerabilities11;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5526,12 +5571,12 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities11;
+var go_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
@@ -5982,7 +6027,7 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
   ["CMDi" /* CmDi */]: commandInjection,
@@ -6009,7 +6054,7 @@ var vulnerabilities12 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities12;
+var java_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6338,7 +6383,7 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["CMDi" /* CmDi */]: commandInjection2,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
@@ -6361,7 +6406,7 @@ var vulnerabilities13 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities13;
+var js_default = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6435,7 +6480,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities14 = {
+var vulnerabilities15 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6444,7 +6489,7 @@ var vulnerabilities14 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities14;
+var python_default2 = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6461,10 +6506,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities15;
+var xml_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6497,12 +6542,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities16;
+var yaml_default = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z4.object({
@@ -19403,7 +19448,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.16" : "unknown";
+var CLI_VERSION = true ? "1.4.18" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.16",
+  "version": "1.4.18",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",