mobbdev 1.4.18 → 1.4.20

package/dist/args/commands/upload_ai_blame.mjs

@@ -291,6 +291,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
       IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
+      IssueType_Enum2["JwtDecodeWithoutVerify"] = "JWT_DECODE_WITHOUT_VERIFY";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
       IssueType_Enum2["LogForging"] = "LOG_FORGING";
@@ -353,6 +354,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
+      IssueType_Enum2["UnsafeReflection"] = "UNSAFE_REFLECTION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
       IssueType_Enum2["UnsafeWebThread"] = "UNSAFE_WEB_THREAD";
       IssueType_Enum2["UnvalidatedPublicMethodArgument"] = "UNVALIDATED_PUBLIC_METHOD_ARGUMENT";
@@ -1778,6 +1780,7 @@ var init_getIssueType = __esm({
       ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
       ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
       ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
+      ["UNSAFE_REFLECTION" /* UnsafeReflection */]: "Unsafe Reflection",
       ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
       ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
       ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
@@ -1892,7 +1895,8 @@ var init_getIssueType = __esm({
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
       ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
       ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
-      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled",
+      ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: "JWT Decoded Without Signature Verification"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2049,6 +2053,7 @@ var init_types = __esm({
         expirationOn: z7.string().nullable(),
         state: z7.nativeEnum(Fix_Report_State_Enum),
         failReason: z7.string().nullable(),
+        candidateToRerun: z7.boolean(),
         fixes: z7.array(
           z7.object({
             id: z7.string().uuid(),
@@ -5134,6 +5139,7 @@ var fixDetailsData = {
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
   ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: void 0,
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
@@ -5142,6 +5148,10 @@ var fixDetailsData = {
   ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
     issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
     fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  },
+  ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: {
+    issueDescription: "Decoding a JWT with `JWT.decode()` only base64-decodes the token without checking its signature, so an attacker can forge a token with arbitrary claims (identity, roles, expiration) and have it trusted. CWE-345, OWASP A08:2021 Software and Data Integrity Failures.",
+    fixInstructions: "Verify the signature before trusting any claims: build a verifier with the expected algorithm and secret/key (e.g. `JWT.require(Algorithm.HMAC256(secret)).build().verify(token)`) instead of calling `JWT.decode(token)`. After merging, confirm the verifier is configured with the same algorithm and secret/key used to sign your tokens \u2014 an incorrect or placeholder secret will make verification throw `JWTVerificationException` at runtime and reject legitimate tokens."
   }
 };
 
@@ -6172,6 +6182,15 @@ var uncheckedLoopCondition = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
+var unsafeReflection = {
+  classAllowlist: {
+    content: () => "Allowed class names for reflection",
+    description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
 var useOfSystemOutputStream2 = {
   noLoggerAction: {
@@ -6257,6 +6276,7 @@ var vulnerabilities13 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: unsafeReflection,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,

package/dist/index.mjs

@@ -291,6 +291,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
       IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
+      IssueType_Enum2["JwtDecodeWithoutVerify"] = "JWT_DECODE_WITHOUT_VERIFY";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
       IssueType_Enum2["LogForging"] = "LOG_FORGING";
@@ -353,6 +354,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
+      IssueType_Enum2["UnsafeReflection"] = "UNSAFE_REFLECTION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
       IssueType_Enum2["UnsafeWebThread"] = "UNSAFE_WEB_THREAD";
       IssueType_Enum2["UnvalidatedPublicMethodArgument"] = "UNVALIDATED_PUBLIC_METHOD_ARGUMENT";
@@ -1444,6 +1446,7 @@ var init_getIssueType = __esm({
       ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
       ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
       ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
+      ["UNSAFE_REFLECTION" /* UnsafeReflection */]: "Unsafe Reflection",
       ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
       ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
       ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
@@ -1558,7 +1561,8 @@ var init_getIssueType = __esm({
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
       ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
       ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
-      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled",
+      ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: "JWT Decoded Without Signature Verification"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2094,6 +2098,7 @@ var init_types = __esm({
         expirationOn: z11.string().nullable(),
         state: z11.nativeEnum(Fix_Report_State_Enum),
         failReason: z11.string().nullable(),
+        candidateToRerun: z11.boolean(),
         fixes: z11.array(
           z11.object({
             id: z11.string().uuid(),
@@ -4838,6 +4843,7 @@ var fixDetailsData = {
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
   ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: void 0,
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
@@ -4846,6 +4852,10 @@ var fixDetailsData = {
   ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
     issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
     fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  },
+  ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: {
+    issueDescription: "Decoding a JWT with `JWT.decode()` only base64-decodes the token without checking its signature, so an attacker can forge a token with arbitrary claims (identity, roles, expiration) and have it trusted. CWE-345, OWASP A08:2021 Software and Data Integrity Failures.",
+    fixInstructions: "Verify the signature before trusting any claims: build a verifier with the expected algorithm and secret/key (e.g. `JWT.require(Algorithm.HMAC256(secret)).build().verify(token)`) instead of calling `JWT.decode(token)`. After merging, confirm the verifier is configured with the same algorithm and secret/key used to sign your tokens \u2014 an incorrect or placeholder secret will make verification throw `JWTVerificationException` at runtime and reject legitimate tokens."
   }
 };
 
@@ -5964,6 +5974,15 @@ var uncheckedLoopCondition = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
+var unsafeReflection = {
+  classAllowlist: {
+    content: () => "Allowed class names for reflection",
+    description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
 var useOfSystemOutputStream2 = {
   noLoggerAction: {
@@ -6049,6 +6068,7 @@ var vulnerabilities13 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: unsafeReflection,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
@@ -19448,7 +19468,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.18" : "unknown";
+var CLI_VERSION = true ? "1.4.20" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -19940,7 +19960,12 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       rawData: rawEntry,
       repositoryUrl: sampledRepoState.repositoryUrl ?? void 0,
       branch: sampledRepoState.branch,
-      commitSha: sampledRepoState.commitSha
+      commitSha: sampledRepoState.commitSha,
+      // T-510: sub-agent attribution stamped per record. Defaults preserve
+      // main-session semantics so the upload schema's `isSubagent` defaults
+      // to false on the wire for older clients / main-transcript files.
+      isSubagent: input.isSubagent ?? false,
+      agentType: input.agentType ?? null
     };
   });
   let totalRawDataBytes = 0;
@@ -19980,9 +20005,16 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       lastModel: lastSeenModel ?? void 0
     };
     sessionStore.set(cursorKey, cursor);
+    const isSubagentBatch = input.isSubagent === true;
     log2.heartbeat("Upload ok", {
       entriesUploaded: entries.length,
       entriesSkipped: filteredOut,
+      subagentEntriesUploaded: isSubagentBatch ? entries.length : 0,
+      // Renamed for clarity: this counts rows uploaded with no agent_type
+      // because the sibling .meta.json was missing/unreadable at scan
+      // time. Should be ~0 in steady state; a non-zero rate is a signal
+      // that Claude Code's meta convention may have changed.
+      subagentEntriesUploadedMissingMeta: isSubagentBatch && input.agentType == null ? entries.length : 0,
       claudeCodeVersion: getClaudeCodeVersion()
     });
     return {
@@ -20224,7 +20256,7 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
+import { lstat as lstat2, open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
 import os7 from "os";
 import path23 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
@@ -20238,11 +20270,59 @@ function getClaudeProjectsDirs() {
   dirs.push(path23.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
-async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
+var META_MAX_BYTES = 4096;
+var AGENT_TYPE_RE = /^[A-Za-z0-9_.\- ]+$/;
+var agentTypeCache = /* @__PURE__ */ new Map();
+var knownAbsentSubagentDirs = /* @__PURE__ */ new Set();
+async function readAgentType(jsonlPath, jsonlMtimeMs) {
+  const cached = agentTypeCache.get(jsonlPath);
+  if (cached && cached.mtimeMs === jsonlMtimeMs) {
+    return cached.value;
+  }
+  const metaPath = jsonlPath.replace(/\.jsonl$/, ".meta.json");
+  let fh;
+  let value = null;
+  try {
+    const lst = await lstat2(metaPath);
+    if (!lst.isFile() || lst.size > META_MAX_BYTES) {
+      agentTypeCache.set(jsonlPath, { mtimeMs: jsonlMtimeMs, value: null });
+      return null;
+    }
+    fh = await open5(metaPath, "r");
+    const buf = Buffer.alloc(Math.min(lst.size, META_MAX_BYTES));
+    const { bytesRead } = await fh.read(buf, 0, buf.length, 0);
+    const raw = buf.toString("utf8", 0, bytesRead);
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object") {
+      const candidate = parsed.agentType;
+      if (typeof candidate === "string" && candidate.length > 0 && candidate.length <= 128 && AGENT_TYPE_RE.test(candidate.trim())) {
+        value = candidate.trim();
+      }
+    }
+  } catch {
+  } finally {
+    if (fh) {
+      await fh.close().catch(() => void 0);
+    }
+  }
+  agentTypeCache.set(jsonlPath, { mtimeMs: jsonlMtimeMs, value });
+  return value;
+}
+async function collectJsonlFiles(files, dir, projectDir, seen, now, results, override) {
   for (const file of files) {
     if (!file.endsWith(".jsonl")) continue;
-    const sessionId = file.replace(".jsonl", "");
-    if (!UUID_RE.test(sessionId)) continue;
+    let sessionId;
+    let isSubagent;
+    if (override) {
+      if (!/^agent-[A-Za-z0-9_-]+\.jsonl$/.test(file)) continue;
+      sessionId = override.parentUuid;
+      isSubagent = true;
+    } else {
+      const basename2 = file.replace(".jsonl", "");
+      if (!UUID_RE.test(basename2)) continue;
+      sessionId = basename2;
+      isSubagent = false;
+    }
     const filePath = path23.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
@@ -20253,12 +20333,15 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
       continue;
     }
     if (now - fileStat.mtimeMs > TRANSCRIPT_MAX_AGE_MS) continue;
+    const agentType = isSubagent ? await readAgentType(filePath, fileStat.mtimeMs) : null;
     results.push({
       filePath,
       sessionId,
       projectDir,
       mtimeMs: fileStat.mtimeMs,
-      size: fileStat.size
+      size: fileStat.size,
+      isSubagent,
+      agentType
     });
   }
 }
@@ -20292,6 +20375,7 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
         const subagentsDir = path23.join(projPath, entry, "subagents");
+        if (knownAbsentSubagentDirs.has(subagentsDir)) continue;
         try {
           const s = await stat4(subagentsDir);
           if (!s.isDirectory()) continue;
@@ -20302,9 +20386,11 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
             projPath,
             seen,
             now,
-            results
+            results,
+            { parentUuid: entry }
           );
         } catch {
+          knownAbsentSubagentDirs.add(subagentsDir);
         }
       }
     }
@@ -20535,7 +20621,12 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
         {
           session_id: transcript.sessionId,
           transcript_path: transcript.filePath,
-          cwd
+          cwd,
+          // T-510: forward sub-agent attribution from transcript_scanner.ts.
+          // For main-session files these are false / null and behave
+          // identically to the pre-T-510 wire.
+          isSubagent: transcript.isSubagent,
+          agentType: transcript.agentType
         },
         sessionStore,
         log2,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.18",
+  "version": "1.4.20",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",