mobbdev 1.4.17 → 1.4.19

package/dist/args/commands/upload_ai_blame.mjs

@@ -233,6 +233,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["AutoEscapeFalse"] = "AUTO_ESCAPE_FALSE";
       IssueType_Enum2["AvoidBuiltinShadowing"] = "AVOID_BUILTIN_SHADOWING";
       IssueType_Enum2["AvoidIdentityComparisonCachedTypes"] = "AVOID_IDENTITY_COMPARISON_CACHED_TYPES";
+      IssueType_Enum2["AwsDynamodbPointInTimeRecoveryDisabled"] = "AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED";
       IssueType_Enum2["BufferOverflow"] = "BUFFER_OVERFLOW";
       IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
       IssueType_Enum2["CmDi"] = "CMDi";
@@ -282,6 +283,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InformationExposureViaHeaders"] = "INFORMATION_EXPOSURE_VIA_HEADERS";
       IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
       IssueType_Enum2["InsecureCookie"] = "INSECURE_COOKIE";
+      IssueType_Enum2["InsecureDeserialization"] = "INSECURE_DESERIALIZATION";
       IssueType_Enum2["InsecurePostmessage"] = "INSECURE_POSTMESSAGE";
       IssueType_Enum2["InsecureRandomness"] = "INSECURE_RANDOMNESS";
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
@@ -1888,7 +1890,9 @@ var init_getIssueType = __esm({
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
       ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
-      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted"
+      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
+      ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2867,7 +2871,23 @@ var init_gitBlameTypes = __esm({
     "use strict";
     PrepareGitBlameMessageZ = z19.object({
       reportId: z19.string(),
-      repoArchivePath: z19.string()
+      repoArchivePath: z19.string(),
+      // Optional list of file paths to blame. Producers must pick one of two modes:
+      //
+      //  - **Omit `filePaths`** = "blame every file in the archive". Used by the
+      //    legacy side-effect producer in scm_agent's PrepareRepository handler
+      //    (consumers/scm_agent/src/index.ts) where the archive is already
+      //    sparse-checkout-narrowed to the report's file set.
+      //
+      //  - **Provide `filePaths`** = "filter the walked tree to this set". Used by
+      //    report_init's `_ensure_git_blame_enqueued` (Python) when the archive is
+      //    a full-repo scan-mode zip that wasn't pre-narrowed.
+      //
+      // Entries should be repo-root-relative paths, but basename-only forms (e.g.
+      // "Login.java" when the actual file is "src/main/java/Login.java") are
+      // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
+      // strings are filtered out defensively.
+      filePaths: z19.array(z19.string()).optional()
     });
     PrepareGitBlameResponseMessageZ = z19.object({
       reportId: z19.string()
@@ -5117,6 +5137,11 @@ var fixDetailsData = {
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
+  },
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: void 0,
+  ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
+    issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
+    fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
   }
 };
 
@@ -5198,6 +5223,11 @@ var hcl_default = vulnerabilities4;
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
+var insecureDeserialization = {
+  guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
 var j2eeGetConnection = {
   guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
@@ -5250,6 +5280,7 @@ var systemInformationLeak = {
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 var vulnerabilities5 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: insecureDeserialization,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak

package/dist/index.mjs

@@ -233,6 +233,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["AutoEscapeFalse"] = "AUTO_ESCAPE_FALSE";
       IssueType_Enum2["AvoidBuiltinShadowing"] = "AVOID_BUILTIN_SHADOWING";
       IssueType_Enum2["AvoidIdentityComparisonCachedTypes"] = "AVOID_IDENTITY_COMPARISON_CACHED_TYPES";
+      IssueType_Enum2["AwsDynamodbPointInTimeRecoveryDisabled"] = "AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED";
       IssueType_Enum2["BufferOverflow"] = "BUFFER_OVERFLOW";
       IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
       IssueType_Enum2["CmDi"] = "CMDi";
@@ -282,6 +283,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InformationExposureViaHeaders"] = "INFORMATION_EXPOSURE_VIA_HEADERS";
       IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
       IssueType_Enum2["InsecureCookie"] = "INSECURE_COOKIE";
+      IssueType_Enum2["InsecureDeserialization"] = "INSECURE_DESERIALIZATION";
       IssueType_Enum2["InsecurePostmessage"] = "INSECURE_POSTMESSAGE";
       IssueType_Enum2["InsecureRandomness"] = "INSECURE_RANDOMNESS";
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
@@ -1554,7 +1556,9 @@ var init_getIssueType = __esm({
       ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
       ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation",
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
-      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted"
+      ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
+      ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2919,7 +2923,23 @@ var init_gitBlameTypes = __esm({
     "use strict";
     PrepareGitBlameMessageZ = z18.object({
       reportId: z18.string(),
-      repoArchivePath: z18.string()
+      repoArchivePath: z18.string(),
+      // Optional list of file paths to blame. Producers must pick one of two modes:
+      //
+      //  - **Omit `filePaths`** = "blame every file in the archive". Used by the
+      //    legacy side-effect producer in scm_agent's PrepareRepository handler
+      //    (consumers/scm_agent/src/index.ts) where the archive is already
+      //    sparse-checkout-narrowed to the report's file set.
+      //
+      //  - **Provide `filePaths`** = "filter the walked tree to this set". Used by
+      //    report_init's `_ensure_git_blame_enqueued` (Python) when the archive is
+      //    a full-repo scan-mode zip that wasn't pre-narrowed.
+      //
+      // Entries should be repo-root-relative paths, but basename-only forms (e.g.
+      // "Login.java" when the actual file is "src/main/java/Login.java") are
+      // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
+      // strings are filtered out defensively.
+      filePaths: z18.array(z18.string()).optional()
     });
     PrepareGitBlameResponseMessageZ = z18.object({
       reportId: z18.string()
@@ -4821,6 +4841,11 @@ var fixDetailsData = {
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
+  },
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: void 0,
+  ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
+    issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
+    fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
   }
 };
 
@@ -4990,6 +5015,11 @@ var hcl_default = vulnerabilities4;
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
+var insecureDeserialization = {
+  guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
 var j2eeGetConnection = {
   guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
@@ -5042,6 +5072,7 @@ var systemInformationLeak = {
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 var vulnerabilities5 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: insecureDeserialization,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
@@ -19417,7 +19448,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.17" : "unknown";
+var CLI_VERSION = true ? "1.4.19" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -19909,7 +19940,12 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       rawData: rawEntry,
       repositoryUrl: sampledRepoState.repositoryUrl ?? void 0,
       branch: sampledRepoState.branch,
-      commitSha: sampledRepoState.commitSha
+      commitSha: sampledRepoState.commitSha,
+      // T-510: sub-agent attribution stamped per record. Defaults preserve
+      // main-session semantics so the upload schema's `isSubagent` defaults
+      // to false on the wire for older clients / main-transcript files.
+      isSubagent: input.isSubagent ?? false,
+      agentType: input.agentType ?? null
     };
   });
   let totalRawDataBytes = 0;
@@ -19949,9 +19985,16 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       lastModel: lastSeenModel ?? void 0
     };
     sessionStore.set(cursorKey, cursor);
+    const isSubagentBatch = input.isSubagent === true;
     log2.heartbeat("Upload ok", {
       entriesUploaded: entries.length,
       entriesSkipped: filteredOut,
+      subagentEntriesUploaded: isSubagentBatch ? entries.length : 0,
+      // Renamed for clarity: this counts rows uploaded with no agent_type
+      // because the sibling .meta.json was missing/unreadable at scan
+      // time. Should be ~0 in steady state; a non-zero rate is a signal
+      // that Claude Code's meta convention may have changed.
+      subagentEntriesUploadedMissingMeta: isSubagentBatch && input.agentType == null ? entries.length : 0,
       claudeCodeVersion: getClaudeCodeVersion()
     });
     return {
@@ -20193,7 +20236,7 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
+import { lstat as lstat2, open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
 import os7 from "os";
 import path23 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
@@ -20207,11 +20250,59 @@ function getClaudeProjectsDirs() {
   dirs.push(path23.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
-async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
+var META_MAX_BYTES = 4096;
+var AGENT_TYPE_RE = /^[A-Za-z0-9_.\- ]+$/;
+var agentTypeCache = /* @__PURE__ */ new Map();
+var knownAbsentSubagentDirs = /* @__PURE__ */ new Set();
+async function readAgentType(jsonlPath, jsonlMtimeMs) {
+  const cached = agentTypeCache.get(jsonlPath);
+  if (cached && cached.mtimeMs === jsonlMtimeMs) {
+    return cached.value;
+  }
+  const metaPath = jsonlPath.replace(/\.jsonl$/, ".meta.json");
+  let fh;
+  let value = null;
+  try {
+    const lst = await lstat2(metaPath);
+    if (!lst.isFile() || lst.size > META_MAX_BYTES) {
+      agentTypeCache.set(jsonlPath, { mtimeMs: jsonlMtimeMs, value: null });
+      return null;
+    }
+    fh = await open5(metaPath, "r");
+    const buf = Buffer.alloc(Math.min(lst.size, META_MAX_BYTES));
+    const { bytesRead } = await fh.read(buf, 0, buf.length, 0);
+    const raw = buf.toString("utf8", 0, bytesRead);
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object") {
+      const candidate = parsed.agentType;
+      if (typeof candidate === "string" && candidate.length > 0 && candidate.length <= 128 && AGENT_TYPE_RE.test(candidate.trim())) {
+        value = candidate.trim();
+      }
+    }
+  } catch {
+  } finally {
+    if (fh) {
+      await fh.close().catch(() => void 0);
+    }
+  }
+  agentTypeCache.set(jsonlPath, { mtimeMs: jsonlMtimeMs, value });
+  return value;
+}
+async function collectJsonlFiles(files, dir, projectDir, seen, now, results, override) {
   for (const file of files) {
     if (!file.endsWith(".jsonl")) continue;
-    const sessionId = file.replace(".jsonl", "");
-    if (!UUID_RE.test(sessionId)) continue;
+    let sessionId;
+    let isSubagent;
+    if (override) {
+      if (!/^agent-[A-Za-z0-9_-]+\.jsonl$/.test(file)) continue;
+      sessionId = override.parentUuid;
+      isSubagent = true;
+    } else {
+      const basename2 = file.replace(".jsonl", "");
+      if (!UUID_RE.test(basename2)) continue;
+      sessionId = basename2;
+      isSubagent = false;
+    }
     const filePath = path23.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
@@ -20222,12 +20313,15 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
       continue;
     }
     if (now - fileStat.mtimeMs > TRANSCRIPT_MAX_AGE_MS) continue;
+    const agentType = isSubagent ? await readAgentType(filePath, fileStat.mtimeMs) : null;
     results.push({
       filePath,
       sessionId,
       projectDir,
       mtimeMs: fileStat.mtimeMs,
-      size: fileStat.size
+      size: fileStat.size,
+      isSubagent,
+      agentType
     });
   }
 }
@@ -20261,6 +20355,7 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
         const subagentsDir = path23.join(projPath, entry, "subagents");
+        if (knownAbsentSubagentDirs.has(subagentsDir)) continue;
         try {
           const s = await stat4(subagentsDir);
           if (!s.isDirectory()) continue;
@@ -20271,9 +20366,11 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
             projPath,
             seen,
             now,
-            results
+            results,
+            { parentUuid: entry }
           );
         } catch {
+          knownAbsentSubagentDirs.add(subagentsDir);
         }
       }
     }
@@ -20504,7 +20601,12 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
         {
           session_id: transcript.sessionId,
           transcript_path: transcript.filePath,
-          cwd
+          cwd,
+          // T-510: forward sub-agent attribution from transcript_scanner.ts.
+          // For main-session files these are false / null and behave
+          // identically to the pre-T-510 wire.
+          isSubagent: transcript.isSubagent,
+          agentType: transcript.agentType
         },
         sessionStore,
         log2,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.17",
+  "version": "1.4.19",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",