mobbdev 1.4.2 → 1.4.9

package/dist/index.mjs

@@ -94,6 +94,9 @@ function getSdk(client, withWrapper = defaultWrapper) {
     performCliLogin(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: PerformCliLoginDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "performCliLogin", "mutation", variables);
     },
+    SetQuarantineEnabled(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SetQuarantineEnabledDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SetQuarantineEnabled", "mutation", variables);
+    },
     CreateProject(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateProject", "mutation", variables);
     },
@@ -135,7 +138,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -260,6 +263,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["HttpParameterPollution"] = "HTTP_PARAMETER_POLLUTION";
       IssueType_Enum2["HttpResponseSplitting"] = "HTTP_RESPONSE_SPLITTING";
       IssueType_Enum2["IframeWithoutSandbox"] = "IFRAME_WITHOUT_SANDBOX";
+      IssueType_Enum2["ImproperCertificateValidation"] = "IMPROPER_CERTIFICATE_VALIDATION";
       IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
       IssueType_Enum2["ImproperResourceShutdownOrRelease"] = "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE";
       IssueType_Enum2["ImproperStringFormatting"] = "IMPROPER_STRING_FORMATTING";
@@ -278,6 +282,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
       IssueType_Enum2["InsecureUuidVersion"] = "INSECURE_UUID_VERSION";
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
+      IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
@@ -593,6 +598,7 @@ var init_client_generates = __esm({
       id
       organization {
         id
+        enableV2Fixes
         projects(where: {name: {_eq: $projectName}}) {
           name
           id
@@ -611,6 +617,7 @@ var init_client_generates = __esm({
       id
       organization {
         id
+        enableV2Fixes
       }
     }
   }
@@ -941,6 +948,12 @@ var init_client_generates = __esm({
           level
           justification
         }
+        appliedSkills
+        mcpCalls {
+          mcpServer
+          mcpTool
+          callCount
+        }
       }
     }
     ... on PromptSummaryProcessing {
@@ -1092,6 +1105,13 @@ var init_client_generates = __esm({
   performCliLogin(loginId: $loginId) {
     status
   }
+}
+    `;
+    SetQuarantineEnabledDocument = `
+    mutation SetQuarantineEnabled($enabled: Boolean!) {
+  update_organization(where: {}, _set: {quarantineEnabled: $enabled}) {
+    affected_rows
+  }
 }
     `;
     CreateProjectDocument = `
@@ -1277,12 +1297,15 @@ var init_client_generates = __esm({
     SkillVerdictsByMd5Document = `
     query SkillVerdictsByMd5($md5s: [String!]!) {
   skillVerdictsByMd5(md5s: $md5s) {
-    md5
-    verdict
-    summary
-    scannerName
-    scannerVersion
-    scannedAt
+    quarantineEnabled
+    verdicts {
+      md5
+      verdict
+      summary
+      scannerName
+      scannerVersion
+      scannedAt
+    }
   }
 }
     `;
@@ -1400,6 +1423,7 @@ var init_getIssueType = __esm({
       ["NO_EQUIVALENCE_METHOD" /* NoEquivalenceMethod */]: "Class Does Not Implement Equivalence Method",
       ["INFORMATION_EXPOSURE_VIA_HEADERS" /* InformationExposureViaHeaders */]: "Information Exposure via Headers",
       ["DEBUG_ENABLED" /* DebugEnabled */]: "Debug Enabled",
+      ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: "J2EE Bad Practices: getConnection()",
       ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: "Leftover Debug Code",
       ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
       ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
@@ -1474,7 +1498,8 @@ var init_getIssueType = __esm({
       ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast",
       ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
-      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion"
+      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
+      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2733,7 +2758,7 @@ var init_env = __esm({
       GITLAB_API_TOKEN: z15.string().optional(),
       GITHUB_API_TOKEN: z15.string().optional(),
       GIT_PROXY_HOST: z15.string().optional().default("http://tinyproxy:8888"),
-      MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(5),
+      MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(2),
       GITHUB_API_CONCURRENCY: z15.coerce.number().gt(0).optional().default(10)
     });
     ({
@@ -3598,11 +3623,17 @@ var init_FileUtils = __esm({
         const results = [];
         const filePromises = [];
         for (const item of items) {
-          const fullPath = path.join(dir, item);
+          const safeInput = path.resolve(
+            path.sep,
+            path.normalize(
+              String(dir || "").replace("\0", "").replace(/^(\.\.(\/|\\$))+/, "")
+            )
+          );
+          const fullPath = path.join(safeInput, item);
           try {
             await fsPromises.access(fullPath, fs.constants.R_OK);
-            const stat4 = await fsPromises.stat(fullPath);
-            if (stat4.isDirectory()) {
+            const stat5 = await fsPromises.stat(fullPath);
+            if (stat5.isDirectory()) {
               if (isRootLevel && excludedRootDirectories.includes(item)) {
                 continue;
               }
@@ -3614,7 +3645,7 @@ var init_FileUtils = __esm({
                 name: item,
                 fullPath,
                 relativePath: path.relative(rootDir, fullPath),
-                time: stat4.mtime.getTime(),
+                time: stat5.mtime.getTime(),
                 isFile: true
               });
             }
@@ -3636,7 +3667,9 @@ var init_FileUtils = __esm({
       }) {
         try {
           const stats = fs.statSync(dir);
-          if (!stats.isDirectory()) return [];
+          if (!stats.isDirectory()) {
+            return [];
+          }
         } catch {
           return [];
         }
@@ -3645,7 +3678,7 @@ var init_FileUtils = __esm({
           const { GitService: GitService2 } = await Promise.resolve().then(() => (init_GitService(), GitService_exports));
           const gitService = new GitService2(dir);
           gitMatcher = await gitService.getGitignoreMatcher();
-        } catch (e) {
+        } catch {
         }
         const allFiles = await this.processRootDirectory(dir, EXCLUDED_DIRS);
         const filteredFiles = allFiles.filter(
@@ -4568,6 +4601,7 @@ var fixDetailsData = {
     issueDescription: "A data member and a function have the same name which can be confusing to the developer.",
     fixInstructions: "Rename the data member to avoid confusion."
   },
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: void 0,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: void 0,
   ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: void 0,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: void 0,
@@ -4670,7 +4704,8 @@ var fixDetailsData = {
   ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0,
   ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
-  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0
+  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -4834,6 +4869,31 @@ var go_default = vulnerabilities3;
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
+var j2eeGetConnection = {
+  guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
+
+
+ 
+
+***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
+
+- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
+- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
+- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
+- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
+
+
+&nbsp;
+
+Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
+
+
+&nbsp;
+
+This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
 var sqlInjection = {
   guidance: ({
@@ -4861,6 +4921,7 @@ var systemInformationLeak = {
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 var vulnerabilities4 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
 };
@@ -4945,10 +5006,24 @@ See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates
 ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
 };
 
+// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
+var improperCertificateValidation = {
+  guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
+
+&nbsp;
+
+***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
+
+&nbsp;
+
+See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 var vulnerabilities7 = {
   ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
-  ["CSRF" /* Csrf */]: csrf
+  ["CSRF" /* Csrf */]: csrf,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: improperCertificateValidation
 };
 var python_default = vulnerabilities7;
 
@@ -5484,6 +5559,15 @@ var insecureCookie2 = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
+var j2eeGetConnection2 = {
+  jndiResourceName: {
+    content: () => "What JNDI name is the database connection pool registered under?",
+    description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
 var leftoverDebugCode = {
   isCodeUsed: {
@@ -5812,6 +5896,7 @@ var vulnerabilities12 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
@@ -7178,7 +7263,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path36 = [
+      const path37 = [
         prefixPath,
         owner,
         projectName,
@@ -7189,7 +7274,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path36}?${params2}`, origin).toString();
+      return new URL(`${path37}?${params2}`, origin).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -7278,8 +7363,8 @@ async function getAdoSdk(params) {
         const changeType = entry.changeType;
         return changeType !== 16 && entry.item?.path;
       }).map((entry) => {
-        const path36 = entry.item.path;
-        return path36.startsWith("/") ? path36.slice(1) : path36;
+        const path37 = entry.item.path;
+        return path37.startsWith("/") ? path37.slice(1) : path37;
       });
     },
     async searchAdoPullRequests({
@@ -13234,7 +13319,8 @@ var GQLClient = class {
     const getLastOrgRes = await this._clientSdk.getLastOrg({ email });
     return {
       organizationId: getLastOrgRes?.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.id,
-      userName: getLastOrgRes?.user?.[0]?.name ?? ""
+      userName: getLastOrgRes?.user?.[0]?.name ?? "",
+      enableV2Fixes: getLastOrgRes?.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.enableV2Fixes === true
     };
   }
   async createCliLogin(variables) {
@@ -13316,7 +13402,8 @@ var GQLClient = class {
     }
     return {
       organizationId: organization.id,
-      projectId
+      projectId,
+      enableV2Fixes: organization.enableV2Fixes === true
     };
   }
   async getEncryptedApiToken(variables) {
@@ -13646,6 +13733,7 @@ var GQLClient = class {
     return await this._clientSdk.ScanSkill(variables);
   }
   // T-467 — batched verdict lookup for the client-side quarantine check.
+  // T-493 — response is the envelope `{ quarantineEnabled, verdicts }`.
   async skillVerdictsByMd5(md5s) {
     return await this._clientSdk.SkillVerdictsByMd5({ md5s });
   }
@@ -14068,7 +14156,11 @@ async function sanitizeDataWithCounts(obj, options) {
     if (typeof data === "string") {
       return sanitizeString(data);
     } else if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+      const results = [];
+      for (const item of data) {
+        results.push(await sanitizeRecursive(item));
+      }
+      return results;
     } else if (data instanceof Error) {
       return data;
     } else if (data instanceof Date) {
@@ -14499,22 +14591,25 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
   const serializedRawDataByIndex = /* @__PURE__ */ new Map();
   const records = await timedStep(
     `${shouldSanitize ? "sanitize" : "serialize"} ${rawRecords.length} records`,
-    () => Promise.all(
-      rawRecords.map(async (record, index) => {
+    async () => {
+      const results = [];
+      for (let index = 0; index < rawRecords.length; index++) {
+        const record = rawRecords[index];
         if (record.rawData != null && record.rawDataS3Key == null) {
           const serialized = shouldSanitize ? await sanitizeRawData(record.rawData) : JSON.stringify(record.rawData);
           serializedRawDataByIndex.set(index, serialized);
         }
         const { rawData: _rawData, ...rest } = record;
-        return {
+        results.push({
           ...rest,
           repositoryUrl: record.repositoryUrl ?? defaultRepoUrl,
           computerName,
           userName,
           clientVersion: record.clientVersion ?? defaultClientVersion
-        };
-      })
-    )
+        });
+      }
+      return results;
+    }
   );
   const recordsWithRawData = rawRecords.map((r, i) => ({ recordId: r.recordId, index: i })).filter((entry) => serializedRawDataByIndex.has(entry.index));
   if (recordsWithRawData.length > 0) {
@@ -14555,32 +14650,39 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
         errors: ["[step:s3-url] Malformed uploadFieldsJSON from server"]
       };
     }
+    const MAX_CONCURRENT_S3_UPLOADS = 5;
     debug10(
-      "[step:s3-upload] Uploading %d files to S3",
-      recordsWithRawData.length
+      "[step:s3-upload] Uploading %d files to S3 (concurrency=%d)",
+      recordsWithRawData.length,
+      MAX_CONCURRENT_S3_UPLOADS
     );
     const s3Start = Date.now();
-    const uploadResults = await Promise.allSettled(
-      recordsWithRawData.map(async (entry) => {
-        const rawDataJson = serializedRawDataByIndex.get(entry.index);
-        if (!rawDataJson) {
-          debug10("No serialized rawData for recordId=%s", entry.recordId);
-          return;
-        }
-        const uploadKey = `${keyPrefix}${entry.recordId}.json`;
-        await withTimeout(
-          uploadFile({
-            file: Buffer.from(rawDataJson, "utf-8"),
-            url,
-            uploadKey,
-            uploadFields
-          }),
-          BATCH_TIMEOUT_MS,
-          `[step:s3-upload] uploadFile ${entry.recordId}`
-        );
-        records[entry.index].rawDataS3Key = uploadKey;
-      })
-    );
+    const uploadResults = [];
+    for (let i = 0; i < recordsWithRawData.length; i += MAX_CONCURRENT_S3_UPLOADS) {
+      const chunk = recordsWithRawData.slice(i, i + MAX_CONCURRENT_S3_UPLOADS);
+      const chunkResults = await Promise.allSettled(
+        chunk.map(async (entry) => {
+          const rawDataJson = serializedRawDataByIndex.get(entry.index);
+          if (!rawDataJson) {
+            debug10("No serialized rawData for recordId=%s", entry.recordId);
+            return;
+          }
+          const uploadKey = `${keyPrefix}${entry.recordId}.json`;
+          await withTimeout(
+            uploadFile({
+              file: Buffer.from(rawDataJson, "utf-8"),
+              url,
+              uploadKey,
+              uploadFields
+            }),
+            BATCH_TIMEOUT_MS,
+            `[step:s3-upload] uploadFile ${entry.recordId}`
+          );
+          records[entry.index].rawDataS3Key = uploadKey;
+        })
+      );
+      uploadResults.push(...chunkResults);
+    }
     debug10(
       "[perf] s3-upload %d files: %dms",
       recordsWithRawData.length,
@@ -15172,7 +15274,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path36,
+    path: path37,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -15187,7 +15289,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path36,
+    path: path37,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15221,7 +15323,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path36,
+    path: path37,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -15239,7 +15341,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path36,
+    path: path37,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -15607,7 +15709,7 @@ function getManifestFilesSuffixes() {
 }
 async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
   debug18("pack folder %s", srcDirPath);
-  let git = void 0;
+  let git;
   try {
     git = simpleGit3({
       baseDir: srcDirPath,
@@ -15653,7 +15755,11 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
       }
     }
     if (fs9.lstatSync(absFilepath).size > MCP_MAX_FILE_SIZE) {
-      debug18("ignoring %s because the size is > 5MB", filepath);
+      debug18(
+        "ignoring %s \u2014 file size exceeds MCP_MAX_FILE_SIZE (%d bytes)",
+        filepath,
+        MCP_MAX_FILE_SIZE
+      );
       continue;
     }
     let data;
@@ -15843,8 +15949,8 @@ if (typeof __filename !== "undefined") {
 }
 var costumeRequire = createRequire(moduleUrl);
 var getCheckmarxPath = () => {
-  const os16 = type();
-  const cxFileName = os16 === "Windows_NT" ? "cx.exe" : "cx";
+  const os17 = type();
+  const cxFileName = os17 === "Windows_NT" ? "cx.exe" : "cx";
   try {
     return costumeRequire.resolve(`.bin/${cxFileName}`);
   } catch (e) {
@@ -16034,7 +16140,9 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
 init_client_generates();
 var { CliError: CliError2, Spinner: Spinner2 } = utils_exports;
 function _getScanSource(command, ci) {
-  if (command === "review") return "AUTO_FIXER" /* AutoFixer */;
+  if (command === "review") {
+    return "AUTO_FIXER" /* AutoFixer */;
+  }
   const envToCi = [
     ["GITLAB_CI", "CI_GITLAB" /* CiGitlab */],
     ["GITHUB_ACTIONS", "CI_GITHUB" /* CiGithub */],
@@ -16251,7 +16359,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
   if (!mobbProjectName) {
     throw new Error("mobbProjectName is required");
   }
-  const { projectId, organizationId } = await gqlClient.getLastOrgAndNamedProject({
+  const {
+    projectId,
+    organizationId,
+    enableV2Fixes: orgEnableV2Fixes
+  } = await gqlClient.getLastOrgAndNamedProject({
     projectName: mobbProjectName,
     userDefinedOrganizationId: userOrganizationId
   });
@@ -16501,7 +16613,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         srcPath,
         vulnFiles,
         repoUploadInfo,
-        isIncludeAllFiles: false
+        isIncludeAllFiles: orgEnableV2Fixes
       });
       gitInfo2 = res.gitInfo;
     } else {
@@ -16761,8 +16873,8 @@ async function resolveSkillScanInput(skillInput) {
   if (!fs11.existsSync(resolvedPath)) {
     return skillInput;
   }
-  const stat4 = fs11.statSync(resolvedPath);
-  if (!stat4.isDirectory()) {
+  const stat5 = fs11.statSync(resolvedPath);
+  if (!stat5.isDirectory()) {
     throw new CliError(
       "Local skill input must be a directory containing SKILL.md"
     );
@@ -17161,10 +17273,16 @@ import { spawn } from "child_process";
 
 // src/features/claude_code/daemon.ts
 import { readFileSync, writeFileSync as writeFileSync2 } from "fs";
-import path23 from "path";
+import * as os8 from "os";
+import path24 from "path";
 import { setTimeout as sleep2 } from "timers/promises";
 import Configstore3 from "configstore";
 
+// src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+import { stat as stat3 } from "fs/promises";
+import { homedir as homedir4 } from "os";
+import path19 from "path";
+
 // src/features/analysis/skill_quarantine/constants.ts
 var HEARTBEAT_DEBOUNCE_MS = (() => {
   const raw = Number(process.env["MOBB_TRACY_SKILL_QUARANTINE_DEBOUNCE_MS"]);
@@ -17240,51 +17358,86 @@ import { globby as globby2 } from "globby";
 import { parse as parseJsoncLib } from "jsonc-parser";
 
 // src/features/analysis/context_file_scan_paths.ts
-var SKILL_CATEGORY = "skill";
+var CATEGORY = {
+  RULE: "rule",
+  MEMORY: "memory",
+  SKILL: "skill",
+  COMMAND: "command",
+  PROMPT: "prompt",
+  AGENT_CONFIG: "agent-config",
+  CONFIG: "config",
+  MCP_CONFIG: "mcp-config",
+  IGNORE: "ignore"
+};
+var SKILL_CATEGORY = CATEGORY.SKILL;
 var SCAN_PATHS = {
   "claude-code": [
-    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
-    { glob: "INSIGHTS.md", category: "rule", root: "workspace" },
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
-    { glob: ".claude/INSIGHTS.md", category: "rule", root: "home" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
+    { glob: "CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.local.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "INSIGHTS.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
+    {
+      glob: ".claude/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/INSIGHTS.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/rules/**/*.md", category: CATEGORY.RULE, root: "home" },
     {
       glob: ".claude/projects/*/memory/*.md",
-      category: "memory",
+      category: CATEGORY.MEMORY,
       root: "home"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
-    { glob: ".claude/commands/*.md", category: "skill", root: "workspace" },
+    {
+      glob: ".claude/commands/*.md",
+      category: CATEGORY.COMMAND,
+      root: "workspace"
+    },
     {
       glob: ".claude/agents/*.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.SKILL,
       root: "workspace"
     },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
-    { glob: ".claude/commands/*.md", category: "skill", root: "home" },
-    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
-    { glob: ".claude/settings.json", category: "config", root: "workspace" },
+    { glob: ".claude/commands/*.md", category: CATEGORY.COMMAND, root: "home" },
+    { glob: ".claude/agents/*.md", category: CATEGORY.SKILL, root: "home" },
+    {
+      glob: ".claude/settings.json",
+      category: CATEGORY.CONFIG,
+      root: "workspace"
+    },
     {
       glob: ".claude/settings.local.json",
-      category: "config",
+      category: CATEGORY.CONFIG,
       root: "workspace"
     },
-    { glob: ".mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".claude/.mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".claude/settings.json", category: "config", root: "home" },
-    { glob: ".claudeignore", category: "ignore", root: "workspace" }
+    { glob: ".mcp.json", category: CATEGORY.MCP_CONFIG, root: "workspace" },
+    {
+      glob: ".claude/.mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
+    { glob: ".claude/settings.json", category: CATEGORY.CONFIG, root: "home" },
+    { glob: ".claudeignore", category: CATEGORY.IGNORE, root: "workspace" }
   ],
   cursor: [
     // Legacy single-file rules
-    { glob: ".cursorrules", category: "rule", root: "workspace" },
+    { glob: ".cursorrules", category: CATEGORY.RULE, root: "workspace" },
     // Project Rules — docs support both `.mdc` and `.md` inside .cursor/rules/
-    { glob: ".cursor/rules/**/*.mdc", category: "rule", root: "workspace" },
-    { glob: ".cursor/rules/**/*.md", category: "rule", root: "workspace" },
+    {
+      glob: ".cursor/rules/**/*.mdc",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
+    {
+      glob: ".cursor/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
     // AGENTS.md — Cursor's documented alternative to .cursor/rules/
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
     // Agent skills — Cursor auto-loads from these dirs plus compat with
     // Claude / Codex / generic .agents/ per Cursor docs.
     { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "workspace" },
@@ -17292,15 +17445,19 @@ var SCAN_PATHS = {
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
     { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "workspace" },
     // MCP — project + global
-    { glob: ".cursor/mcp.json", category: "mcp-config", root: "workspace" },
-    { glob: ".cursor/mcp.json", category: "mcp-config", root: "home" },
+    {
+      glob: ".cursor/mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
+    { glob: ".cursor/mcp.json", category: CATEGORY.MCP_CONFIG, root: "home" },
     // Home skills (user-level cross-project skills)
     { kind: "skill-bundle", skillsRoot: ".cursor/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".codex/skills", root: "home" },
     // Exclusion
-    { glob: ".cursorignore", category: "ignore", root: "workspace" }
+    { glob: ".cursorignore", category: CATEGORY.IGNORE, root: "workspace" }
     // Note: Cursor's global "Rules for AI" from Settings UI is stored in
     // Cursor's internal settings DB. The tracer_ext reads it via VS Code API
     // (vscode.workspace.getConfiguration) and includes it as a synthetic entry.
@@ -17309,42 +17466,46 @@ var SCAN_PATHS = {
     // Instructions — workspace
     {
       glob: ".github/copilot-instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "workspace"
     },
     {
       glob: ".github/instructions/**/*.instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "workspace"
     },
     // AGENTS.md / CLAUDE.md family (Copilot reads these via chat.useAgentsMdFile,
     // chat.useClaudeMdFile for cross-compat with Claude Code / other agents).
-    { glob: "AGENTS.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: "CLAUDE.local.md", category: "rule", root: "workspace" },
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "workspace" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "workspace" },
+    { glob: "AGENTS.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: "CLAUDE.local.md", category: CATEGORY.RULE, root: "workspace" },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "workspace" },
+    {
+      glob: ".claude/rules/**/*.md",
+      category: CATEGORY.RULE,
+      root: "workspace"
+    },
     // Prompts — workspace
     {
       glob: ".github/prompts/*.prompt.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.PROMPT,
       root: "workspace"
     },
     // Custom agents — `.agent.md` is the current format; `.chatmode.md` is the
     // legacy naming docs recommend renaming. We scan both for transition.
     {
       glob: ".github/agents/*.agent.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "workspace"
     },
     {
       glob: ".github/chatmodes/*.chatmode.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "workspace"
     },
     {
       glob: ".claude/agents/*.md",
-      category: SKILL_CATEGORY,
+      category: CATEGORY.SKILL,
       root: "workspace"
     },
     // Agent skills — Copilot discovers skills in all three roots (VS Code docs:
@@ -17353,30 +17514,38 @@ var SCAN_PATHS = {
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "workspace" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "workspace" },
     // MCP — VS Code Copilot reads MCP servers from .vscode/mcp.json
-    { glob: ".vscode/mcp.json", category: "mcp-config", root: "workspace" },
+    {
+      glob: ".vscode/mcp.json",
+      category: CATEGORY.MCP_CONFIG,
+      root: "workspace"
+    },
     // Global — home (JetBrains stores global instructions here)
     {
       glob: ".config/github-copilot/global-copilot-instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
       root: "home"
     },
     // User-level Copilot customizations (~/.copilot/)
     {
       glob: ".copilot/instructions/**/*.instructions.md",
-      category: "rule",
+      category: CATEGORY.RULE,
+      root: "home"
+    },
+    {
+      glob: ".copilot/prompts/*.prompt.md",
+      category: CATEGORY.PROMPT,
       root: "home"
     },
-    { glob: ".copilot/prompts/*.prompt.md", category: "skill", root: "home" },
     {
       glob: ".copilot/agents/*.agent.md",
-      category: "agent-config",
+      category: CATEGORY.AGENT_CONFIG,
       root: "home"
     },
     { kind: "skill-bundle", skillsRoot: ".copilot/skills", root: "home" },
     // Cross-compat home paths (Copilot reads Claude / generic agent dirs too)
-    { glob: ".claude/CLAUDE.md", category: "rule", root: "home" },
-    { glob: ".claude/rules/**/*.md", category: "rule", root: "home" },
-    { glob: ".claude/agents/*.md", category: SKILL_CATEGORY, root: "home" },
+    { glob: ".claude/CLAUDE.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/rules/**/*.md", category: CATEGORY.RULE, root: "home" },
+    { glob: ".claude/agents/*.md", category: CATEGORY.SKILL, root: "home" },
     { kind: "skill-bundle", skillsRoot: ".claude/skills", root: "home" },
     { kind: "skill-bundle", skillsRoot: ".agents/skills", root: "home" }
   ]
@@ -17416,7 +17585,7 @@ var COPILOT_CUSTOM_LOCATION_SETTINGS = [
   {
     key: "chat.promptFilesLocations",
     kind: "glob",
-    category: "skill",
+    category: "prompt",
     glob: "**/*.prompt.md"
   },
   {
@@ -17547,11 +17716,11 @@ async function readJsoncSettings(settingsPath) {
   putSettingsCache(settingsPath, { mtimeMs, parsed: payload });
   return payload;
 }
-function putSettingsCache(path36, entry) {
-  if (!settingsCache.has(path36) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
+function putSettingsCache(path37, entry) {
+  if (!settingsCache.has(path37) && settingsCache.size >= MAX_SETTINGS_CACHE_SIZE) {
     settingsCache.delete(settingsCache.keys().next().value);
   }
-  settingsCache.set(path36, entry);
+  settingsCache.set(path37, entry);
 }
 async function readCopilotCustomLocations(workspaceRoot) {
   const parsed = await readJsoncSettings(
@@ -17657,16 +17826,23 @@ function groupSkills(files, root, baseDir) {
       standalone.push(f);
     } else {
       const folderName = relFromSkills.slice(0, slashIdx);
-      if (!folderMap.has(folderName)) {
-        folderMap.set(folderName, []);
+      const folderKey = rel.slice(
+        0,
+        skillsIdx + skillsMarker.length + folderName.length
+      );
+      let bucket = folderMap.get(folderKey);
+      if (!bucket) {
+        bucket = { folderName, files: [] };
+        folderMap.set(folderKey, bucket);
       }
-      folderMap.get(folderName).push(f);
+      bucket.files.push(f);
     }
   }
   const groups = [];
   for (const f of standalone) {
     const name = path14.basename(f.path, path14.extname(f.path));
-    const sessionKey = `skill:${root}:${name}`;
+    const standaloneRel = path14.relative(baseDir, f.path).replace(/\\/g, "/");
+    const sessionKey = `skill:${root}:${standaloneRel}`;
     groups.push({
       name,
       root,
@@ -17677,17 +17853,10 @@ function groupSkills(files, root, baseDir) {
       sessionKey
     });
   }
-  for (const [folderName, folderFiles] of folderMap) {
+  for (const [folderKey, { folderName, files: folderFiles }] of folderMap) {
     const maxMtimeMs = Math.max(...folderFiles.map((f) => f.mtimeMs));
-    const anyFile = folderFiles[0];
-    const rel = path14.relative(baseDir, anyFile.path).replace(/\\/g, "/");
-    const skillsIdx = rel.indexOf("skills/");
-    const skillRelPath = rel.slice(
-      0,
-      skillsIdx + "skills/".length + folderName.length
-    );
-    const skillPath = path14.join(baseDir, skillRelPath);
-    const sessionKey = `skill:${root}:${folderName}`;
+    const skillPath = path14.join(baseDir, folderKey);
+    const sessionKey = `skill:${root}:${folderKey}`;
     groups.push({
       name: folderName,
       root,
@@ -17801,7 +17970,7 @@ async function enumerateGlob(pattern, cwd, category, isDynamic) {
   } catch {
     return [];
   }
-  return files.map((path36) => ({ path: path36, category }));
+  return files.map((path37) => ({ path: path37, category }));
 }
 async function enumerateSkillBundle(baseDir, skillsRoot) {
   const skillsDir = path14.resolve(baseDir, skillsRoot);
@@ -17965,6 +18134,12 @@ var Metric = {
   CHECK_TRIGGERED: "skill_quarantine.check_triggered",
   /** The env-var kill switch skipped the run. */
   CHECK_DISABLED_ENV: "skill_quarantine.check_disabled_env",
+  /**
+   * T-493 — the per-org opt-in toggle was off for every org the caller
+   * belongs to. Verdict query still ran (useful server-side telemetry);
+   * on-disk enforcement was skipped.
+   */
+  CHECK_DISABLED_ORG: "skill_quarantine.check_disabled_org",
   /** Verdict-query call failed. Fail-open. */
   QUERY_ERROR: "skill_quarantine.query_error",
   /** Count of skills enumerated in this run. */
@@ -17986,7 +18161,18 @@ var Metric = {
   /** Stale partial zip swept (older than grace window). */
   SWEPT_PARTIAL: "skill_quarantine.swept_partial",
   /** Total run duration including I/O. */
-  DURATION_MS: "skill_quarantine.duration_ms"
+  DURATION_MS: "skill_quarantine.duration_ms",
+  /**
+   * T-492 — Stub-md5 sentinel published successfully. The next heartbeat's
+   * presence check will short-circuit re-quarantining our own stub.
+   */
+  STUB_PREREGISTERED: "skill_quarantine.stub_preregistered",
+  /**
+   * T-492 — Stub-md5 sentinel write failed. Layer 1 (the scanner LLM
+   * recognising stubs) still protects against the loop; this layer is
+   * defense in depth.
+   */
+  STUB_PREREGISTER_ERROR: "skill_quarantine.stub_preregister_error"
 };
 
 // src/features/analysis/skill_quarantine/quarantineSkill.ts
@@ -18120,6 +18306,12 @@ async function quarantineSkill(params) {
     );
     return { status: "publish_error", err };
   }
+  await preregisterStubMd5(params).catch((err) => {
+    log2.warn(
+      { err, md5, metric: Metric.STUB_PREREGISTER_ERROR },
+      "skill_quarantine: stub-md5 pre-registration failed; LLM-side recognition remains"
+    );
+  });
   log2.info(
     {
       md5,
@@ -18133,6 +18325,53 @@ async function quarantineSkill(params) {
   );
   return { status: "quarantined" };
 }
+async function preregisterStubMd5(params) {
+  const { skillPath, isFolder, origName, log: log2 } = params;
+  const stubFilePath = isFolder ? path18.join(skillPath, "SKILL.md") : skillPath;
+  const stubEntryName = isFolder ? `${origName}/SKILL.md` : origName;
+  const content = await readFile2(stubFilePath, "utf-8");
+  const fileStat = await stat2(stubFilePath);
+  const stubFile = {
+    name: stubEntryName,
+    path: stubFilePath,
+    content,
+    sizeBytes: fileStat.size,
+    category: "skill",
+    mtimeMs: fileStat.mtimeMs
+  };
+  const stubGroup = {
+    name: isFolder ? origName : path18.basename(skillPath, path18.extname(skillPath)),
+    root: "workspace",
+    // unused by md5 computation
+    skillPath,
+    files: [stubFile],
+    isFolder,
+    maxMtimeMs: stubFile.mtimeMs,
+    sessionKey: `stub-preregister:${skillPath}`
+  };
+  const { skills } = await processContextFiles([], [stubGroup]);
+  const processed = skills[0];
+  if (!processed) {
+    return;
+  }
+  const { md5: stubMd5, zipBuffer } = processed;
+  const sentinelPath = getQuarantineZipPath(stubMd5);
+  if (await exists(sentinelPath)) {
+    return;
+  }
+  const tmpSentinel = getTmpZipPath(stubMd5, randomUUID());
+  try {
+    await writeFile(tmpSentinel, zipBuffer);
+    await rename(tmpSentinel, sentinelPath);
+  } catch (err) {
+    await unlink(tmpSentinel).catch(ignoreErr);
+    throw err;
+  }
+  log2.info(
+    { stubMd5, metric: Metric.STUB_PREREGISTERED },
+    "skill_quarantine: stub md5 pre-registered"
+  );
+}
 async function writeStub(params) {
   const { skillPath, isFolder, md5, verdict } = params;
   const stubContent = renderStub({
@@ -18242,12 +18481,13 @@ async function addFolderAsync(zip, root, prefix) {
 // src/features/analysis/skill_quarantine/queryVerdicts.ts
 async function queryVerdicts(gqlClient, md5s, log2) {
   if (md5s.length === 0) {
-    return /* @__PURE__ */ new Map();
+    return { verdicts: /* @__PURE__ */ new Map(), quarantineEnabled: false };
   }
   try {
     const res = await gqlClient.skillVerdictsByMd5(md5s);
+    const envelope = res.skillVerdictsByMd5;
     const out = /* @__PURE__ */ new Map();
-    for (const row of res.skillVerdictsByMd5) {
+    for (const row of envelope.verdicts) {
       out.set(row.md5, {
         md5: row.md5,
         verdict: row.verdict,
@@ -18257,18 +18497,41 @@ async function queryVerdicts(gqlClient, md5s, log2) {
         scannedAt: row.scannedAt
       });
     }
-    return out;
+    return { verdicts: out, quarantineEnabled: envelope.quarantineEnabled };
   } catch (err) {
     log2.warn(
       { err, md5_count: md5s.length, metric: "skill_quarantine.query_error" },
       "skill_quarantine: verdict query failed, failing open"
     );
-    return /* @__PURE__ */ new Map();
+    return { verdicts: /* @__PURE__ */ new Map(), quarantineEnabled: false };
   }
 }
 
 // src/features/analysis/skill_quarantine/runQuarantineCheck.ts
+var SKILL_PARENT_DIRS = [
+  ".claude/skills",
+  ".claude/commands",
+  ".claude/agents"
+];
+async function getSkillDirsMtimeMs(cwd) {
+  const home = homedir4();
+  const dirs = SKILL_PARENT_DIRS.flatMap((d) => [
+    path19.join(cwd, d),
+    path19.join(home, d)
+  ]);
+  let max = 0;
+  for (const dir of dirs) {
+    try {
+      const s = await stat3(dir);
+      if (s.mtimeMs > max) max = s.mtimeMs;
+    } catch {
+    }
+  }
+  return max;
+}
 var lastRunAt = /* @__PURE__ */ new Map();
+var lastDirsMtimeMs = /* @__PURE__ */ new Map();
+var seenSkillMd5s = /* @__PURE__ */ new Set();
 var killSwitchLogged = false;
 async function runQuarantineCheckIfNeeded(opts) {
   const { sessionId, cwd, gqlClient, log: log2 } = opts;
@@ -18284,18 +18547,25 @@ async function runQuarantineCheckIfNeeded(opts) {
   }
   const now = Date.now();
   const prev = lastRunAt.get(sessionId);
-  if (prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS) {
+  const withinDebounce = prev !== void 0 && now - prev < HEARTBEAT_DEBOUNCE_MS;
+  lastRunAt.set(sessionId, now);
+  const dirsMtime = await getSkillDirsMtimeMs(cwd);
+  if (withinDebounce && dirsMtime <= (lastDirsMtimeMs.get(sessionId) ?? 0)) {
     return;
   }
-  lastRunAt.set(sessionId, now);
+  const installed = await enumerateInstalledSkills(cwd);
+  const hasNewSkills = installed.some((s) => !seenSkillMd5s.has(s.md5));
+  if (!hasNewSkills && withinDebounce) {
+    return;
+  }
+  lastDirsMtimeMs.set(sessionId, dirsMtime);
   log2.info(
-    { sessionId, metric: Metric.CHECK_TRIGGERED },
+    { sessionId, metric: Metric.CHECK_TRIGGERED, hasNewSkills },
     "skill_quarantine: check start"
   );
   const t0 = Date.now();
   try {
     await reconcileAndSweep(log2);
-    const installed = await enumerateInstalledSkills(cwd);
     log2.info(
       { sessionId, count: installed.length, metric: Metric.SKILLS_CHECKED },
       "skill_quarantine: skills enumerated"
@@ -18303,11 +18573,25 @@ async function runQuarantineCheckIfNeeded(opts) {
     if (installed.length === 0) {
       return;
     }
-    const verdicts = await queryVerdicts(
+    const currentMd5s = new Set(installed.map((s) => s.md5));
+    for (const md5 of seenSkillMd5s) {
+      if (!currentMd5s.has(md5)) seenSkillMd5s.delete(md5);
+    }
+    for (const skill of installed) {
+      seenSkillMd5s.add(skill.md5);
+    }
+    const { verdicts, quarantineEnabled } = await queryVerdicts(
       gqlClient,
       installed.map((s) => s.md5),
       log2
     );
+    if (!quarantineEnabled) {
+      log2.info(
+        { sessionId, metric: Metric.CHECK_DISABLED_ORG },
+        "skill_quarantine: opt-in not enabled for any org of caller; skipping enforcement"
+      );
+      return;
+    }
     for (const skill of installed) {
       const verdict = verdicts.get(skill.md5);
       if (!verdict || verdict.verdict !== MALICIOUS_VERDICT) {
@@ -18344,7 +18628,7 @@ async function runQuarantineCheckIfNeeded(opts) {
 // src/features/claude_code/daemon_pid_file.ts
 import fs13 from "fs";
 import os4 from "os";
-import path19 from "path";
+import path20 from "path";
 
 // src/features/claude_code/data_collector_constants.ts
 var CC_VERSION_CACHE_KEY = "claudeCode.detectedCCVersion";
@@ -18365,17 +18649,17 @@ var CONTEXT_SCAN_INTERVAL_MS = 5e3;
 
 // src/features/claude_code/daemon_pid_file.ts
 function getMobbdevDir() {
-  return path19.join(os4.homedir(), ".mobbdev");
+  return path20.join(os4.homedir(), ".mobbdev");
 }
 function getDaemonCheckScriptPath() {
-  return path19.join(getMobbdevDir(), "daemon-check.js");
+  return path20.join(getMobbdevDir(), "daemon-check.js");
 }
 var DaemonPidFile = class {
   constructor() {
     __publicField(this, "data", null);
   }
   get filePath() {
-    return path19.join(getMobbdevDir(), "daemon.pid");
+    return path20.join(getMobbdevDir(), "daemon.pid");
   }
   /** Ensure ~/.mobbdev/ directory exists. */
   ensureDir() {
@@ -18438,7 +18722,7 @@ var DaemonPidFile = class {
 import { execFile } from "child_process";
 import { createHash as createHash3 } from "crypto";
 import { access as access2, open as open4, readdir as readdir3, readFile as readFile3, unlink as unlink2 } from "fs/promises";
-import path20 from "path";
+import path21 from "path";
 import { promisify } from "util";
 
 // src/features/analysis/context_file_uploader.ts
@@ -18703,8 +18987,8 @@ function createConfigstoreStream(store, opts) {
       heartbeatBuffer.length = 0;
     }
   }
-  function setScopePath(path36) {
-    scopePath = path36;
+  function setScopePath(path37) {
+    scopePath = path37;
   }
   return { writable, flush, setScopePath };
 }
@@ -18928,18 +19212,24 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.2" : "unknown";
+var CLI_VERSION = true ? "1.4.9" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
-  const tags = [`version:${CLI_VERSION}`];
+  const tags = [
+    `version:${CLI_VERSION}`,
+    `platform:claude_code`,
+    `os:${process.platform}`,
+    `arch:${process.arch}`
+  ];
   if (claudeCodeVersion) {
     tags.push(`cc_version:${claudeCodeVersion}`);
   }
   return tags.join(",");
 }
+var handlingDdError = false;
 function createHookLogger(opts) {
-  return createLogger({
+  const created = createLogger({
     namespace: NAMESPACE,
     scopePath: opts?.scopePath,
     enableConfigstore: opts?.enableConfigstore,
@@ -18949,9 +19239,26 @@ function createHookLogger(opts) {
       service: "mobbdev-cli-hook",
       ddtags: buildDdTags(),
       hostnameMode: "hashed",
-      unrefTimer: true
+      unrefTimer: true,
+      onError: (error) => {
+        if (handlingDdError) {
+          process.stderr.write(`dd-ship-error: ${String(error)}
+`);
+          return;
+        }
+        handlingDdError = true;
+        try {
+          created.warn(
+            { err: String(error), source: "dd-log-shipping" },
+            "Datadog log shipping failed"
+          );
+        } finally {
+          handlingDdError = false;
+        }
+      }
     }
   });
+  return created;
 }
 var logger = createHookLogger();
 var activeScopedLoggers = [];
@@ -18981,6 +19288,9 @@ function createScopedHookLog(scopePath, opts) {
   activeScopedLoggers.push(scoped);
   return scoped;
 }
+function getScopedLoggerCount() {
+  return scopedLoggerCache.size;
+}
 
 // src/features/claude_code/data_collector.ts
 var execFileAsync = promisify(execFile);
@@ -19019,12 +19329,12 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     return transcriptPath;
   } catch {
   }
-  const filename = path20.basename(transcriptPath);
-  const dirName = path20.basename(path20.dirname(transcriptPath));
-  const projectsDir = path20.dirname(path20.dirname(transcriptPath));
+  const filename = path21.basename(transcriptPath);
+  const dirName = path21.basename(path21.dirname(transcriptPath));
+  const projectsDir = path21.dirname(path21.dirname(transcriptPath));
   const baseDirName = dirName.replace(/[-.]claude-worktrees-.+$/, "");
   if (baseDirName !== dirName) {
-    const candidate = path20.join(projectsDir, baseDirName, filename);
+    const candidate = path21.join(projectsDir, baseDirName, filename);
     try {
       await access2(candidate);
       hookLog.info(
@@ -19046,7 +19356,7 @@ async function resolveTranscriptPath(transcriptPath, sessionId) {
     const dirs = await readdir3(projectsDir);
     for (const dir of dirs) {
       if (dir === dirName) continue;
-      const candidate = path20.join(projectsDir, dir, filename);
+      const candidate = path21.join(projectsDir, dir, filename);
       try {
         await access2(candidate);
         hookLog.info(
@@ -19075,21 +19385,33 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   let fileSize;
   let lineIndexOffset;
   if (cursor?.byteOffset) {
+    const MAX_TRANSCRIPT_READ_BYTES = 10 * 1024 * 1024;
     const fh = await open4(transcriptPath, "r");
     try {
-      const stat4 = await fh.stat();
-      fileSize = stat4.size;
-      if (cursor.byteOffset >= stat4.size) {
+      const stat5 = await fh.stat();
+      fileSize = stat5.size;
+      if (cursor.byteOffset >= stat5.size) {
         hookLog.info({ data: { sessionId } }, "No new data in transcript file");
         return {
           entries: [],
           endByteOffset: fileSize,
-          resolvedTranscriptPath: transcriptPath
+          resolvedTranscriptPath: transcriptPath,
+          transcriptBytesRead: 0
         };
       }
-      const buf = Buffer.alloc(stat4.size - cursor.byteOffset);
-      await fh.read(buf, 0, buf.length, cursor.byteOffset);
+      const bytesToRead = Math.min(
+        stat5.size - cursor.byteOffset,
+        MAX_TRANSCRIPT_READ_BYTES
+      );
+      const buf = Buffer.alloc(bytesToRead);
+      await fh.read(buf, 0, bytesToRead, cursor.byteOffset);
       content = buf.toString("utf-8");
+      if (bytesToRead < stat5.size - cursor.byteOffset && !content.endsWith("\n")) {
+        const lastNewline = content.lastIndexOf("\n");
+        if (lastNewline > 0) {
+          content = content.substring(0, lastNewline + 1);
+        }
+      }
     } finally {
       await fh.close();
     }
@@ -19105,12 +19427,34 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
       "Read transcript file from offset"
     );
   } else {
-    content = await readFile3(transcriptPath, "utf-8");
-    fileSize = Buffer.byteLength(content, "utf-8");
+    const MAX_CWD_READ_BYTES = 2 * 1024 * 1024;
+    const fh = await open4(transcriptPath, "r");
+    try {
+      const stat5 = await fh.stat();
+      fileSize = stat5.size;
+      const bytesToRead = Math.min(stat5.size, MAX_CWD_READ_BYTES);
+      const buf = Buffer.alloc(bytesToRead);
+      await fh.read(buf, 0, bytesToRead, 0);
+      content = buf.toString("utf-8");
+      if (bytesToRead < stat5.size && !content.endsWith("\n")) {
+        const lastNewline = content.lastIndexOf("\n");
+        if (lastNewline > 0) {
+          content = content.substring(0, lastNewline + 1);
+        }
+      }
+    } finally {
+      await fh.close();
+    }
     lineIndexOffset = 0;
     hookLog.debug(
-      { data: { transcriptPath, totalBytes: fileSize } },
-      "Read full transcript file"
+      {
+        data: {
+          transcriptPath,
+          totalBytes: fileSize,
+          cappedBytes: content.length
+        }
+      },
+      "Read transcript file (first run)"
     );
   }
   const startOffset = cursor?.byteOffset ?? 0;
@@ -19175,7 +19519,8 @@ async function readNewTranscriptEntries(transcriptPath, sessionId, sessionStore,
   return {
     entries: parsed,
     endByteOffset,
-    resolvedTranscriptPath: transcriptPath
+    resolvedTranscriptPath: transcriptPath,
+    transcriptBytesRead: content.length
   };
 }
 var FILTERED_PROGRESS_SUBTYPES = /* @__PURE__ */ new Set([
@@ -19224,14 +19569,16 @@ async function cleanupStaleSessions(configDir) {
   if (lastCleanup && Date.now() - lastCleanup < CLEANUP_INTERVAL_MS) {
     return;
   }
-  const now = Date.now();
+  const cleanupStart = Date.now();
   const prefix = getSessionFilePrefix();
   try {
     const files = await readdir3(configDir);
+    const sessionFiles = files.filter(
+      (f) => f.startsWith(prefix) && f.endsWith(".json")
+    );
     let deletedCount = 0;
-    for (const file of files) {
-      if (!file.startsWith(prefix) || !file.endsWith(".json")) continue;
-      const filePath = path20.join(configDir, file);
+    for (const file of sessionFiles) {
+      const filePath = path21.join(configDir, file);
       try {
         const content = JSON.parse(await readFile3(filePath, "utf-8"));
         let newest = 0;
@@ -19242,25 +19589,34 @@ async function cleanupStaleSessions(configDir) {
             if (c?.updatedAt && c.updatedAt > newest) newest = c.updatedAt;
           }
         }
-        if (newest > 0 && now - newest > STALE_KEY_MAX_AGE_MS) {
+        if (newest > 0 && cleanupStart - newest > STALE_KEY_MAX_AGE_MS) {
           await unlink2(filePath);
           deletedCount++;
         }
       } catch {
       }
     }
-    if (deletedCount > 0) {
-      hookLog.info({ data: { deletedCount } }, "Cleaned up stale session files");
-    }
+    hookLog.info(
+      {
+        heartbeat: true,
+        data: {
+          sessionFileCount: sessionFiles.length,
+          deletedCount,
+          cleanupDurationMs: Date.now() - cleanupStart
+        }
+      },
+      "Session cleanup"
+    );
   } catch {
   }
-  configStore.set("claudeCode.lastCleanupAt", now);
+  configStore.set("claudeCode.lastCleanupAt", cleanupStart);
 }
 async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_CHUNK_SIZE, gqlClientOverride) {
   const {
     entries: rawEntries,
     endByteOffset,
-    resolvedTranscriptPath
+    resolvedTranscriptPath,
+    transcriptBytesRead
   } = await log2.timed(
     "Read transcript",
     () => readNewTranscriptEntries(
@@ -19347,15 +19703,21 @@ async function processTranscript(input, sessionStore, log2, maxEntries = DAEMON_
       rawData: rawEntry
     };
   });
-  const totalRawDataBytes = records.reduce((sum, r) => {
-    return sum + (r.rawData ? JSON.stringify(r.rawData).length : 0);
-  }, 0);
+  let totalRawDataBytes = 0;
+  let maxRecordBytes = 0;
+  for (const r of records) {
+    const size = r.rawData ? JSON.stringify(r.rawData).length : 0;
+    totalRawDataBytes += size;
+    if (size > maxRecordBytes) maxRecordBytes = size;
+  }
   log2.info(
     {
       data: {
         count: records.length,
         skipped: filteredOut,
+        transcriptBytesRead,
         rawDataBytes: totalRawDataBytes,
+        maxRecordBytes,
         firstRecordId: records[0]?.recordId,
         lastRecordId: records[records.length - 1]?.recordId
       }
@@ -19469,14 +19831,14 @@ async function uploadContextFilesIfNeeded(sessionId, cwd, gqlClient, log2) {
 import fs14 from "fs";
 import fsPromises4 from "fs/promises";
 import os6 from "os";
-import path21 from "path";
+import path22 from "path";
 import chalk11 from "chalk";
 
 // src/features/claude_code/daemon-check-shim.tmpl.js
 var daemon_check_shim_tmpl_default = "// Mobb daemon shim \u2014 checks if daemon is alive, spawns if dead.\n// Auto-generated by mobbdev CLI. Do not edit.\nvar fs = require('fs')\nvar spawn = require('child_process').spawn\nvar path = require('path')\nvar os = require('os')\n\nvar pidFile = path.join(os.homedir(), '.mobbdev', 'daemon.pid')\nvar HEARTBEAT_STALE_MS = __HEARTBEAT_STALE_MS__\n\ntry {\n  var data = JSON.parse(fs.readFileSync(pidFile, 'utf8'))\n  if (Date.now() - data.heartbeat > HEARTBEAT_STALE_MS) throw new Error('stale')\n  process.kill(data.pid, 0) // throws ESRCH if the process is gone\n} catch (e) {\n  var localCli = process.env.MOBBDEV_LOCAL_CLI\n  var child = localCli\n    ? spawn('node', [localCli, 'claude-code-daemon'], { detached: true, stdio: 'ignore', windowsHide: true })\n    : spawn('npx', ['--yes', 'mobbdev@latest', 'claude-code-daemon'], { detached: true, stdio: 'ignore', shell: true, windowsHide: true })\n  child.unref()\n}\n";
 
 // src/features/claude_code/install_hook.ts
-var CLAUDE_SETTINGS_PATH = path21.join(os6.homedir(), ".claude", "settings.json");
+var CLAUDE_SETTINGS_PATH = path22.join(os6.homedir(), ".claude", "settings.json");
 var RECOMMENDED_MATCHER = "*";
 async function claudeSettingsExists() {
   try {
@@ -19622,18 +19984,18 @@ async function installMobbHooks(options = {}) {
 }
 
 // src/features/claude_code/transcript_scanner.ts
-import { open as open5, readdir as readdir4, stat as stat3 } from "fs/promises";
+import { open as open5, readdir as readdir4, stat as stat4 } from "fs/promises";
 import os7 from "os";
-import path22 from "path";
+import path23 from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function getClaudeProjectsDirs() {
   const dirs = [];
   const configDir = process.env["CLAUDE_CONFIG_DIR"];
   if (configDir) {
-    dirs.push(path22.join(configDir, "projects"));
+    dirs.push(path23.join(configDir, "projects"));
   }
-  dirs.push(path22.join(os7.homedir(), ".config", "claude", "projects"));
-  dirs.push(path22.join(os7.homedir(), ".claude", "projects"));
+  dirs.push(path23.join(os7.homedir(), ".config", "claude", "projects"));
+  dirs.push(path23.join(os7.homedir(), ".claude", "projects"));
   return dirs;
 }
 async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
@@ -19641,12 +20003,12 @@ async function collectJsonlFiles(files, dir, projectDir, seen, now, results) {
     if (!file.endsWith(".jsonl")) continue;
     const sessionId = file.replace(".jsonl", "");
     if (!UUID_RE.test(sessionId)) continue;
-    const filePath = path22.join(dir, file);
+    const filePath = path23.join(dir, file);
     if (seen.has(filePath)) continue;
     seen.add(filePath);
     let fileStat;
     try {
-      fileStat = await stat3(filePath);
+      fileStat = await stat4(filePath);
     } catch {
       continue;
     }
@@ -19672,10 +20034,10 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       continue;
     }
     for (const projName of projectDirs) {
-      const projPath = path22.join(projectsDir, projName);
+      const projPath = path23.join(projectsDir, projName);
       let projStat;
       try {
-        projStat = await stat3(projPath);
+        projStat = await stat4(projPath);
       } catch {
         continue;
       }
@@ -19689,9 +20051,9 @@ async function scanForTranscripts(projectsDirs = getClaudeProjectsDirs()) {
       await collectJsonlFiles(files, projPath, projPath, seen, now, results);
       for (const entry of files) {
         if (!UUID_RE.test(entry)) continue;
-        const subagentsDir = path22.join(projPath, entry, "subagents");
+        const subagentsDir = path23.join(projPath, entry, "subagents");
         try {
-          const s = await stat3(subagentsDir);
+          const s = await stat4(subagentsDir);
           if (!s.isDirectory()) continue;
           const subFiles = await readdir4(subagentsDir);
           await collectJsonlFiles(
@@ -19739,6 +20101,9 @@ async function extractCwdFromTranscript(filePath) {
   }
   return void 0;
 }
+function getCwdCacheSize() {
+  return cwdCache.size;
+}
 
 // src/features/claude_code/daemon.ts
 async function startDaemon() {
@@ -19779,6 +20144,11 @@ async function startDaemon() {
   let cleanupConfigDir;
   const sessionCwdCache = /* @__PURE__ */ new Map();
   let lastContextScanMs = 0;
+  const machineContext = {
+    cpuCount: os8.cpus().length,
+    totalMemGB: Math.round(os8.totalmem() / 1024 ** 3),
+    nodeVersion: process.version
+  };
   while (true) {
     if (shuttingDown) {
       await gracefulExit(0, "signal");
@@ -19787,19 +20157,44 @@ async function startDaemon() {
       await gracefulExit(0, "TTL reached");
     }
     pidFile.updateHeartbeat();
+    const cpuBefore = process.cpuUsage();
+    const heapBefore = process.memoryUsage().heapUsed;
+    const cycleStart = Date.now();
+    let changedCount = 0;
+    let totalUploaded = 0;
+    let totalErrors = 0;
     try {
       const changed = await detectChangedTranscripts(lastSeen);
+      changedCount = changed.length;
       for (const transcript of changed) {
         const sessionStore = createSessionConfigStore(transcript.sessionId);
         if (!cleanupConfigDir) {
-          cleanupConfigDir = path23.dirname(sessionStore.path);
+          cleanupConfigDir = path24.dirname(sessionStore.path);
         }
-        await drainTranscript(
+        pidFile.updateHeartbeat();
+        const drainStart = Date.now();
+        const result = await drainTranscript(
           transcript,
           sessionStore,
           gqlClient,
           sessionCwdCache
         );
+        totalUploaded += result.uploaded;
+        totalErrors += result.errors;
+        if (result.uploaded > 0 || result.errors > 0) {
+          hookLog.info(
+            {
+              data: {
+                sessionId: transcript.sessionId,
+                drainDurationMs: Date.now() - drainStart,
+                chunksProcessed: result.chunks,
+                entriesUploaded: result.uploaded,
+                errors: result.errors
+              }
+            },
+            "Transcript drained"
+          );
+        }
       }
       if (lastSeen.size > 0) {
         for (const filePath of sessionCwdCache.keys()) {
@@ -19822,6 +20217,29 @@ async function startDaemon() {
     } catch (err) {
       hookLog.warn({ err }, "Unexpected error in daemon cycle");
     }
+    const cpuDelta = process.cpuUsage(cpuBefore);
+    const heapAfter = process.memoryUsage().heapUsed;
+    hookLog.info(
+      {
+        heartbeat: true,
+        data: {
+          cycleDurationMs: Date.now() - cycleStart,
+          cpuUserUs: cpuDelta.user,
+          cpuSystemUs: cpuDelta.system,
+          heapDeltaBytes: heapAfter - heapBefore,
+          heapUsedBytes: heapAfter,
+          daemonUptimeMs: Date.now() - startedAt,
+          changedTranscripts: changedCount,
+          activeTranscripts: lastSeen.size,
+          entriesUploaded: totalUploaded,
+          errors: totalErrors,
+          cwdCacheSize: getCwdCacheSize(),
+          scopedLoggerCount: getScopedLoggerCount(),
+          ...machineContext
+        }
+      },
+      "daemon poll cycle"
+    );
     await sleep2(DAEMON_POLL_INTERVAL_MS);
   }
 }
@@ -19860,6 +20278,9 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
   const log2 = createScopedHookLog(cwd ?? transcript.projectDir, {
     daemonMode: true
   });
+  let totalUploaded = 0;
+  let totalErrors = 0;
+  let chunks = 0;
   if (cwd) {
     sessionCwdCache.set(transcript.filePath, {
       sessionId: transcript.sessionId,
@@ -19869,6 +20290,7 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
   try {
     let hasMore = true;
     while (hasMore) {
+      chunks++;
       const result = await processTranscript(
         {
           session_id: transcript.sessionId,
@@ -19880,8 +20302,10 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
         DAEMON_CHUNK_SIZE,
         gqlClient
       );
+      totalUploaded += result.entriesUploaded;
       hasMore = result.entriesUploaded + result.entriesSkipped >= DAEMON_CHUNK_SIZE;
       if (result.errors > 0) {
+        totalErrors += result.errors;
         hookLog.warn(
           {
             data: {
@@ -19913,6 +20337,7 @@ async function drainTranscript(transcript, sessionStore, gqlClient, sessionCwdCa
       );
     });
   }
+  return { uploaded: totalUploaded, errors: totalErrors, chunks };
 }
 async function detectChangedTranscripts(lastSeen) {
   const transcripts = await scanForTranscripts();
@@ -20089,8 +20514,8 @@ var WorkspaceService = class {
    * Sets a known workspace path that was discovered through successful validation
    * @param path The validated workspace path to store
    */
-  static setKnownWorkspacePath(path36) {
-    this.knownWorkspacePath = path36;
+  static setKnownWorkspacePath(path37) {
+    this.knownWorkspacePath = path37;
   }
   /**
    * Gets the known workspace path that was previously validated
@@ -20950,8 +21375,8 @@ async function createAuthenticatedMcpGQLClient({
 // src/mcp/services/McpUsageService/host.ts
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
-import os8 from "os";
-import path24 from "path";
+import os9 from "os";
+import path25 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
   try {
@@ -20965,8 +21390,8 @@ var gitInfo = {
   email: runCommand("git config user.email")
 };
 var getClaudeWorkspacePaths = () => {
-  const home = os8.homedir();
-  const claudeIdePath = path24.join(home, ".claude", "ide");
+  const home = os9.homedir();
+  const claudeIdePath = path25.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
     return workspacePaths;
@@ -20974,7 +21399,7 @@ var getClaudeWorkspacePaths = () => {
   try {
     const lockFiles = fs15.readdirSync(claudeIdePath).filter((file) => file.endsWith(".lock"));
     for (const lockFile of lockFiles) {
-      const lockFilePath = path24.join(claudeIdePath, lockFile);
+      const lockFilePath = path25.join(claudeIdePath, lockFile);
       try {
         const lockContent = JSON.parse(fs15.readFileSync(lockFilePath, "utf8"));
         if (lockContent.workspaceFolders && Array.isArray(lockContent.workspaceFolders)) {
@@ -20994,29 +21419,29 @@ var getClaudeWorkspacePaths = () => {
   return workspacePaths;
 };
 var getMCPConfigPaths = (hostName) => {
-  const home = os8.homedir();
+  const home = os9.homedir();
   const currentDir = process.env["WORKSPACE_FOLDER_PATHS"] || process.env["PWD"] || process.cwd();
   switch (hostName.toLowerCase()) {
     case "cursor":
       return [
-        path24.join(currentDir, ".cursor", "mcp.json"),
+        path25.join(currentDir, ".cursor", "mcp.json"),
         // local first
-        path24.join(home, ".cursor", "mcp.json")
+        path25.join(home, ".cursor", "mcp.json")
       ];
     case "windsurf":
       return [
-        path24.join(currentDir, ".codeium", "mcp_config.json"),
+        path25.join(currentDir, ".codeium", "mcp_config.json"),
         // local first
-        path24.join(home, ".codeium", "windsurf", "mcp_config.json")
+        path25.join(home, ".codeium", "windsurf", "mcp_config.json")
       ];
     case "webstorm":
       return [];
     case "visualstudiocode":
     case "vscode":
       return [
-        path24.join(currentDir, ".vscode", "mcp.json"),
+        path25.join(currentDir, ".vscode", "mcp.json"),
         // local first
-        process.platform === "win32" ? path24.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path24.join(
+        process.platform === "win32" ? path25.join(home, "AppData", "Roaming", "Code", "User", "mcp.json") : path25.join(
           home,
           "Library",
           "Application Support",
@@ -21027,13 +21452,13 @@ var getMCPConfigPaths = (hostName) => {
       ];
     case "claude": {
       const claudePaths = [
-        path24.join(currentDir, ".claude.json"),
+        path25.join(currentDir, ".claude.json"),
         // local first
-        path24.join(home, ".claude.json")
+        path25.join(home, ".claude.json")
       ];
       const workspacePaths = getClaudeWorkspacePaths();
       for (const workspacePath of workspacePaths) {
-        claudePaths.push(path24.join(workspacePath, ".mcp.json"));
+        claudePaths.push(path25.join(workspacePath, ".mcp.json"));
       }
       return claudePaths;
     }
@@ -21084,7 +21509,7 @@ var readMCPConfig = (hostName) => {
 };
 var getRunningProcesses = () => {
   try {
-    return os8.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
+    return os9.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
   } catch {
     return "";
   }
@@ -21159,7 +21584,7 @@ var versionCommands = {
   }
 };
 var getProcessInfo = (pid) => {
-  const platform2 = os8.platform();
+  const platform2 = os9.platform();
   try {
     if (platform2 === "linux" || platform2 === "darwin") {
       const output = execSync2(`ps -o pid=,ppid=,comm= -p ${pid}`, {
@@ -21194,10 +21619,10 @@ var getHostInfo = (additionalMcpList) => {
   const ideConfigPaths = /* @__PURE__ */ new Set();
   for (const ide of IDEs) {
     const configPaths = getMCPConfigPaths(ide);
-    configPaths.forEach((path36) => ideConfigPaths.add(path36));
+    configPaths.forEach((path37) => ideConfigPaths.add(path37));
   }
   const uniqueAdditionalPaths = additionalMcpList.filter(
-    (path36) => !ideConfigPaths.has(path36)
+    (path37) => !ideConfigPaths.has(path37)
   );
   for (const ide of IDEs) {
     const cfg = readMCPConfig(ide);
@@ -21278,7 +21703,7 @@ var getHostInfo = (additionalMcpList) => {
     const config2 = allConfigs[ide] || null;
     const ideName = ide.charAt(0).toUpperCase() + ide.slice(1) || "Unknown";
     let ideVersion = "Unknown";
-    const platform2 = os8.platform();
+    const platform2 = os9.platform();
     const cmds = versionCommands[ideName]?.[platform2] ?? [];
     for (const cmd of cmds) {
       try {
@@ -21311,15 +21736,15 @@ var getHostInfo = (additionalMcpList) => {
 
 // src/mcp/services/McpUsageService/McpUsageService.ts
 import fetch6 from "node-fetch";
-import os10 from "os";
+import os11 from "os";
 import { v4 as uuidv42, v5 as uuidv5 } from "uuid";
 init_configs();
 
 // src/mcp/services/McpUsageService/system.ts
 init_configs();
 import fs16 from "fs";
-import os9 from "os";
-import path25 from "path";
+import os10 from "os";
+import path26 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
 var isFileMatch = (fileName) => {
@@ -21339,7 +21764,7 @@ var searchDir = async (dir, depth = 0) => {
   if (depth > MAX_DEPTH) return results;
   const entries = await fs16.promises.readdir(dir, { withFileTypes: true }).catch(() => []);
   for (const entry of entries) {
-    const fullPath = path25.join(dir, entry.name);
+    const fullPath = path26.join(dir, entry.name);
     if (entry.isFile() && isFileMatch(entry.name)) {
       results.push(fullPath);
     } else if (entry.isDirectory()) {
@@ -21353,17 +21778,17 @@ var searchDir = async (dir, depth = 0) => {
 };
 var findSystemMCPConfigs = async () => {
   try {
-    const home = os9.homedir();
-    const platform2 = os9.platform();
+    const home = os10.homedir();
+    const platform2 = os10.platform();
     const knownDirs = platform2 === "win32" ? [
-      path25.join(home, ".cursor"),
-      path25.join(home, "Documents"),
-      path25.join(home, "Downloads")
+      path26.join(home, ".cursor"),
+      path26.join(home, "Documents"),
+      path26.join(home, "Downloads")
     ] : [
-      path25.join(home, ".cursor"),
-      process.env["XDG_CONFIG_HOME"] || path25.join(home, ".config"),
-      path25.join(home, "Documents"),
-      path25.join(home, "Downloads")
+      path26.join(home, ".cursor"),
+      process.env["XDG_CONFIG_HOME"] || path26.join(home, ".config"),
+      path26.join(home, "Documents"),
+      path26.join(home, "Downloads")
     ];
     const timeoutPromise = new Promise(
       (resolve) => setTimeout(() => {
@@ -21426,7 +21851,7 @@ var McpUsageService = class {
   generateHostId() {
     const stored = configStore.get(this.configKey);
     if (stored?.mcpHostId) return stored.mcpHostId;
-    const interfaces = os10.networkInterfaces();
+    const interfaces = os11.networkInterfaces();
     const macs = [];
     for (const iface of Object.values(interfaces)) {
       if (!iface) continue;
@@ -21434,7 +21859,7 @@ var McpUsageService = class {
         if (net.mac && net.mac !== "00:00:00:00:00:00") macs.push(net.mac);
       }
     }
-    const macString = macs.length ? macs.sort().join(",") : `${os10.hostname()}-${uuidv42()}`;
+    const macString = macs.length ? macs.sort().join(",") : `${os11.hostname()}-${uuidv42()}`;
     const hostId = uuidv5(macString, uuidv5.DNS);
     logDebug("[UsageService] Generated new host ID", { hostId });
     return hostId;
@@ -21457,7 +21882,7 @@ var McpUsageService = class {
       mcpHostId,
       organizationId,
       mcpVersion: packageJson.version,
-      mcpOsName: os10.platform(),
+      mcpOsName: os11.platform(),
       mcps: JSON.stringify(mcps),
       status,
       userName: user.name,
@@ -23778,30 +24203,30 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
-import * as os12 from "os";
-import * as path27 from "path";
+import * as os13 from "os";
+import * as path28 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
 init_configs();
 import * as fs18 from "fs";
 import fetch7 from "node-fetch";
-import * as path26 from "path";
+import * as path27 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
-import * as os11 from "os";
+import * as os12 from "os";
 
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
-import * as os13 from "os";
-import * as path28 from "path";
+import * as os14 from "os";
+import * as path29 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
 import { z as z42 } from "zod";
 
 // src/mcp/services/PathValidation.ts
 import fs21 from "fs";
-import path29 from "path";
+import path30 from "path";
 async function validatePath(inputPath) {
   logDebug("Validating MCP path", { inputPath });
   if (/^\/[a-zA-Z]:\//.test(inputPath)) {
@@ -23833,7 +24258,7 @@ async function validatePath(inputPath) {
     logError(error);
     return { isValid: false, error, path: inputPath };
   }
-  const normalizedPath = path29.normalize(inputPath);
+  const normalizedPath = path30.normalize(inputPath);
   if (normalizedPath.includes("..")) {
     const error = `Normalized path contains path traversal patterns: ${inputPath}`;
     logError(error);
@@ -24485,7 +24910,7 @@ init_configs();
 import fs22 from "fs/promises";
 import nodePath from "path";
 var getLocalFiles = async ({
-  path: path36,
+  path: path37,
   maxFileSize = MCP_MAX_FILE_SIZE,
   maxFiles,
   isAllFilesScan,
@@ -24493,17 +24918,17 @@ var getLocalFiles = async ({
   scanRecentlyChangedFiles
 }) => {
   logDebug(`[${scanContext}] Starting getLocalFiles`, {
-    path: path36,
+    path: path37,
     maxFileSize,
     maxFiles,
     isAllFilesScan,
     scanRecentlyChangedFiles
   });
   try {
-    const resolvedRepoPath = await fs22.realpath(path36);
+    const resolvedRepoPath = await fs22.realpath(path37);
     logDebug(`[${scanContext}] Resolved repository path`, {
       resolvedRepoPath,
-      originalPath: path36
+      originalPath: path37
     });
     const gitService = new GitService(resolvedRepoPath, log);
     const gitValidation = await gitService.validateRepository();
@@ -24516,7 +24941,7 @@ var getLocalFiles = async ({
     if (!gitValidation.isValid || isAllFilesScan) {
       try {
         files = await FileUtils.getLastChangedFiles({
-          dir: path36,
+          dir: path37,
           maxFileSize,
           maxFiles,
           isAllFilesScan
@@ -24608,7 +25033,7 @@ var getLocalFiles = async ({
     logError(`${scanContext}Unexpected error in getLocalFiles`, {
       error: error instanceof Error ? error.message : String(error),
       stack: error instanceof Error ? error.stack : void 0,
-      path: path36
+      path: path37
     });
     throw error;
   }
@@ -24618,7 +25043,7 @@ var getLocalFiles = async ({
 init_client_generates();
 init_GitService();
 import fs23 from "fs";
-import path30 from "path";
+import path31 from "path";
 import { z as z41 } from "zod";
 function extractPathFromPatch(patch) {
   const match = patch?.match(/diff --git a\/([^\s]+) b\//);
@@ -24704,7 +25129,7 @@ var LocalMobbFolderService = class {
           "[LocalMobbFolderService] Non-git repository detected, skipping .gitignore operations"
         );
       }
-      const mobbFolderPath = path30.join(
+      const mobbFolderPath = path31.join(
         this.repoPath,
         this.defaultMobbFolderName
       );
@@ -24876,7 +25301,7 @@ var LocalMobbFolderService = class {
         mobbFolderPath,
         baseFileName
       );
-      const filePath = path30.join(mobbFolderPath, uniqueFileName);
+      const filePath = path31.join(mobbFolderPath, uniqueFileName);
       await fs23.promises.writeFile(filePath, patch, "utf8");
       logInfo("[LocalMobbFolderService] Patch saved successfully", {
         filePath,
@@ -24934,11 +25359,11 @@ var LocalMobbFolderService = class {
    * @returns Unique filename that doesn't conflict with existing files
    */
   getUniqueFileName(folderPath, baseFileName) {
-    const baseName = path30.parse(baseFileName).name;
-    const extension = path30.parse(baseFileName).ext;
+    const baseName = path31.parse(baseFileName).name;
+    const extension = path31.parse(baseFileName).ext;
     let uniqueFileName = baseFileName;
     let index = 1;
-    while (fs23.existsSync(path30.join(folderPath, uniqueFileName))) {
+    while (fs23.existsSync(path31.join(folderPath, uniqueFileName))) {
       uniqueFileName = `${baseName}-${index}${extension}`;
       index++;
       if (index > 1e3) {
@@ -24969,7 +25394,7 @@ var LocalMobbFolderService = class {
     logDebug("[LocalMobbFolderService] Logging patch info", { fixId: fix.id });
     try {
       const mobbFolderPath = await this.getFolder();
-      const patchInfoPath = path30.join(mobbFolderPath, "patchInfo.md");
+      const patchInfoPath = path31.join(mobbFolderPath, "patchInfo.md");
       const markdownContent = this.generateFixMarkdown(fix, savedPatchFileName);
       let existingContent = "";
       if (fs23.existsSync(patchInfoPath)) {
@@ -25011,7 +25436,7 @@ var LocalMobbFolderService = class {
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     const patch = this.extractPatchFromFix(fix);
     const relativePatchedFilePath = patch ? extractPathFromPatch(patch) : null;
-    const patchedFilePath = relativePatchedFilePath ? path30.resolve(this.repoPath, relativePatchedFilePath) : null;
+    const patchedFilePath = relativePatchedFilePath ? path31.resolve(this.repoPath, relativePatchedFilePath) : null;
     const fixIdentifier = savedPatchFileName ? savedPatchFileName.replace(".patch", "") : fix.id;
     let markdown = `# Fix ${fixIdentifier}
 
@@ -25355,14 +25780,14 @@ import {
 } from "fs";
 import fs24 from "fs/promises";
 import parseDiff2 from "parse-diff";
-import path31 from "path";
+import path32 from "path";
 var PatchApplicationService = class {
   /**
    * Gets the appropriate comment syntax for a file based on its extension
    */
   static getCommentSyntax(filePath) {
-    const ext = path31.extname(filePath).toLowerCase();
-    const basename2 = path31.basename(filePath);
+    const ext = path32.extname(filePath).toLowerCase();
+    const basename2 = path32.basename(filePath);
     const commentMap = {
       // C-style languages (single line comments)
       ".js": "//",
@@ -25570,7 +25995,7 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path31.dirname(normalizedFilePath);
+    const dirPath = path32.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
     writeFileSync3(normalizedFilePath, finalContent, "utf8");
     return normalizedFilePath;
@@ -25579,9 +26004,9 @@ var PatchApplicationService = class {
     repositoryPath,
     targetPath
   }) {
-    const repoRoot = path31.resolve(repositoryPath);
-    const normalizedPath = path31.resolve(repoRoot, targetPath);
-    const repoRootWithSep = repoRoot.endsWith(path31.sep) ? repoRoot : `${repoRoot}${path31.sep}`;
+    const repoRoot = path32.resolve(repositoryPath);
+    const normalizedPath = path32.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path32.sep) ? repoRoot : `${repoRoot}${path32.sep}`;
     if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
       throw new Error(
         `Security violation: target path ${targetPath} resolves outside repository`
@@ -25590,7 +26015,7 @@ var PatchApplicationService = class {
     return {
       repoRoot,
       normalizedPath,
-      relativePath: path31.relative(repoRoot, normalizedPath)
+      relativePath: path32.relative(repoRoot, normalizedPath)
     };
   }
   /**
@@ -25872,7 +26297,7 @@ var PatchApplicationService = class {
         continue;
       }
       try {
-        const absolutePath = path31.resolve(repositoryPath, targetFile);
+        const absolutePath = path32.resolve(repositoryPath, targetFile);
         if (existsSync6(absolutePath)) {
           const stats = await fs24.stat(absolutePath);
           const fileModTime = stats.mtime.getTime();
@@ -26098,7 +26523,7 @@ var PatchApplicationService = class {
       fix,
       scanContext
     });
-    appliedFiles.push(path31.relative(repositoryPath, actualPath));
+    appliedFiles.push(path32.relative(repositoryPath, actualPath));
     logDebug(`[${scanContext}] Created new file: ${relativePath}`);
   }
   /**
@@ -26147,7 +26572,7 @@ var PatchApplicationService = class {
         fix,
         scanContext
       });
-      appliedFiles.push(path31.relative(repositoryPath, actualPath));
+      appliedFiles.push(path32.relative(repositoryPath, actualPath));
       logDebug(`[${scanContext}] Modified file: ${relativePath}`);
     }
   }
@@ -26344,7 +26769,7 @@ init_configs();
 // src/mcp/services/FileOperations.ts
 init_FileUtils();
 import fs25 from "fs";
-import path32 from "path";
+import path33 from "path";
 import AdmZip5 from "adm-zip";
 var FileOperations = class {
   /**
@@ -26364,10 +26789,10 @@ var FileOperations = class {
     let packedFilesCount = 0;
     const packedFiles = [];
     const excludedFiles = [];
-    const resolvedRepoPath = path32.resolve(repositoryPath);
+    const resolvedRepoPath = path33.resolve(repositoryPath);
     for (const filepath of fileList) {
-      const absoluteFilepath = path32.join(repositoryPath, filepath);
-      const resolvedFilePath = path32.resolve(absoluteFilepath);
+      const absoluteFilepath = path33.join(repositoryPath, filepath);
+      const resolvedFilePath = path33.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         const reason = "potential path traversal security risk";
         logDebug(`[FileOperations] Skipping ${filepath} due to ${reason}`);
@@ -26414,11 +26839,11 @@ var FileOperations = class {
     fileList,
     repositoryPath
   }) {
-    const resolvedRepoPath = path32.resolve(repositoryPath);
+    const resolvedRepoPath = path33.resolve(repositoryPath);
     const validatedPaths = [];
     for (const filepath of fileList) {
-      const absoluteFilepath = path32.join(repositoryPath, filepath);
-      const resolvedFilePath = path32.resolve(absoluteFilepath);
+      const absoluteFilepath = path33.join(repositoryPath, filepath);
+      const resolvedFilePath = path33.resolve(absoluteFilepath);
       if (!resolvedFilePath.startsWith(resolvedRepoPath)) {
         logDebug(
           `[FileOperations] Rejecting ${filepath} - path traversal attempt detected`
@@ -26446,7 +26871,7 @@ var FileOperations = class {
     for (const absolutePath of filePaths) {
       try {
         const content = await fs25.promises.readFile(absolutePath);
-        const relativePath = path32.basename(absolutePath);
+        const relativePath = path33.basename(absolutePath);
         fileDataArray.push({
           relativePath,
           absolutePath,
@@ -26758,14 +27183,14 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
    * since the last scan.
    */
   async scanForSecurityVulnerabilities({
-    path: path36,
+    path: path37,
     isAllDetectionRulesScan,
     isAllFilesScan,
     scanContext
   }) {
     this.hasAuthenticationFailed = false;
     logDebug(`[${scanContext}] Scanning for new security vulnerabilities`, {
-      path: path36
+      path: path37
     });
     if (!this.gqlClient) {
       logInfo(`[${scanContext}] No GQL client found, skipping scan`);
@@ -26781,11 +27206,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       logDebug(
         `[${scanContext}] Connected to the API, assembling list of files to scan`,
-        { path: path36 }
+        { path: path37 }
       );
       const isBackgroundScan = scanContext === ScanContext.BACKGROUND_INITIAL || scanContext === ScanContext.BACKGROUND_PERIODIC;
       const files = await getLocalFiles({
-        path: path36,
+        path: path37,
         isAllFilesScan,
         scanContext,
         scanRecentlyChangedFiles: !isBackgroundScan
@@ -26811,13 +27236,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
       const { fixReportId, projectId } = await scanFiles({
         fileList: filesToScan.map((file) => file.relativePath),
-        repositoryPath: path36,
+        repositoryPath: path37,
         gqlClient: this.gqlClient,
         isAllDetectionRulesScan,
         scanContext
       });
       logInfo(
-        `[${scanContext}] Security scan completed for ${path36} reportId: ${fixReportId} projectId: ${projectId}`
+        `[${scanContext}] Security scan completed for ${path37} reportId: ${fixReportId} projectId: ${projectId}`
       );
       if (isAllFilesScan) {
         return;
@@ -27111,13 +27536,13 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
     return scannedFiles.some((file) => file.relativePath === fixFile);
   }
-  async getFreshFixes({ path: path36 }) {
+  async getFreshFixes({ path: path37 }) {
     const scanContext = ScanContext.USER_REQUEST;
-    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path36 });
-    if (this.path !== path36) {
-      this.path = path36;
+    logDebug(`[${scanContext}] Getting fresh fixes`, { path: path37 });
+    if (this.path !== path37) {
+      this.path = path37;
       this.reset();
-      logInfo(`[${scanContext}] Reset service state for new path`, { path: path36 });
+      logInfo(`[${scanContext}] Reset service state for new path`, { path: path37 });
     }
     try {
       const loginContext = createMcpLoginContext("check_new_fixes");
@@ -27136,7 +27561,7 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       }
       throw error;
     }
-    this.triggerScan({ path: path36, gqlClient: this.gqlClient });
+    this.triggerScan({ path: path37, gqlClient: this.gqlClient });
     let isMvsAutoFixEnabled = null;
     try {
       isMvsAutoFixEnabled = await this.gqlClient.getMvsAutoFixSettings();
@@ -27170,33 +27595,33 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     return noFreshFixesPrompt;
   }
   triggerScan({
-    path: path36,
+    path: path37,
     gqlClient
   }) {
-    if (this.path !== path36) {
-      this.path = path36;
+    if (this.path !== path37) {
+      this.path = path37;
       this.reset();
-      logInfo(`Reset service state for new path in triggerScan`, { path: path36 });
+      logInfo(`Reset service state for new path in triggerScan`, { path: path37 });
     }
     this.gqlClient = gqlClient;
     if (!this.intervalId) {
-      this.startPeriodicScanning(path36);
-      this.executeInitialScan(path36);
-      void this.executeInitialFullScan(path36);
+      this.startPeriodicScanning(path37);
+      this.executeInitialScan(path37);
+      void this.executeInitialFullScan(path37);
     }
   }
-  startPeriodicScanning(path36) {
+  startPeriodicScanning(path37) {
     const scanContext = ScanContext.BACKGROUND_PERIODIC;
     logDebug(
       `[${scanContext}] Starting periodic scan for new security vulnerabilities`,
       {
-        path: path36
+        path: path37
       }
     );
     this.intervalId = setInterval(() => {
-      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path36 });
+      logDebug(`[${scanContext}] Triggering periodic security scan`, { path: path37 });
       this.scanForSecurityVulnerabilities({
-        path: path36,
+        path: path37,
         scanContext
       }).catch((error) => {
         logError(`[${scanContext}] Error during periodic security scan`, {
@@ -27205,45 +27630,45 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       });
     }, MCP_PERIODIC_CHECK_INTERVAL);
   }
-  async executeInitialFullScan(path36) {
+  async executeInitialFullScan(path37) {
     const scanContext = ScanContext.FULL_SCAN;
-    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path36 });
+    logDebug(`[${scanContext}] Triggering initial full security scan`, { path: path37 });
     logDebug(`[${scanContext}] Full scan paths scanned`, {
       fullScanPathsScanned: this.fullScanPathsScanned
     });
-    if (this.fullScanPathsScanned.includes(path36)) {
+    if (this.fullScanPathsScanned.includes(path37)) {
       logDebug(`[${scanContext}] Full scan already executed for this path`, {
-        path: path36
+        path: path37
       });
       return;
     }
     configStore.set("fullScanPathsScanned", [
       ...this.fullScanPathsScanned,
-      path36
+      path37
     ]);
     try {
       await this.scanForSecurityVulnerabilities({
-        path: path36,
+        path: path37,
         isAllFilesScan: true,
         isAllDetectionRulesScan: true,
         scanContext: ScanContext.FULL_SCAN
       });
-      if (!this.fullScanPathsScanned.includes(path36)) {
-        this.fullScanPathsScanned.push(path36);
+      if (!this.fullScanPathsScanned.includes(path37)) {
+        this.fullScanPathsScanned.push(path37);
         configStore.set("fullScanPathsScanned", this.fullScanPathsScanned);
       }
-      logInfo(`[${scanContext}] Full scan completed`, { path: path36 });
+      logInfo(`[${scanContext}] Full scan completed`, { path: path37 });
     } catch (error) {
       logError(`[${scanContext}] Error during initial full security scan`, {
         error
       });
     }
   }
-  executeInitialScan(path36) {
+  executeInitialScan(path37) {
     const scanContext = ScanContext.BACKGROUND_INITIAL;
-    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path36 });
+    logDebug(`[${scanContext}] Triggering initial security scan`, { path: path37 });
     this.scanForSecurityVulnerabilities({
-      path: path36,
+      path: path37,
       scanContext: ScanContext.BACKGROUND_INITIAL
     }).catch((error) => {
       logError(`[${scanContext}] Error during initial security scan`, { error });
@@ -27340,9 +27765,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path36 = pathValidationResult.path;
+    const path37 = pathValidationResult.path;
     const resultText = await this.newFixesService.getFreshFixes({
-      path: path36
+      path: path37
     });
     logInfo("CheckForNewAvailableFixesTool execution completed", {
       resultText
@@ -27520,8 +27945,8 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path36 = pathValidationResult.path;
-    const gitService = new GitService(path36, log);
+    const path37 = pathValidationResult.path;
+    const gitService = new GitService(path37, log);
     const gitValidation = await gitService.validateRepository();
     if (!gitValidation.isValid) {
       throw new Error(`Invalid git repository: ${gitValidation.error}`);
@@ -27906,9 +28331,9 @@ Example payload:
         `Invalid path: potential security risk detected in path: ${pathValidationResult.error}`
       );
     }
-    const path36 = pathValidationResult.path;
+    const path37 = pathValidationResult.path;
     const files = await getLocalFiles({
-      path: path36,
+      path: path37,
       maxFileSize: MCP_MAX_FILE_SIZE,
       maxFiles: args.maxFiles,
       scanContext: ScanContext.USER_REQUEST,
@@ -27928,7 +28353,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: path36,
+        repositoryPath: path37,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles
@@ -28229,10 +28654,10 @@ init_client_generates();
 init_urlParser2();
 
 // src/features/codeium_intellij/codeium_language_server_grpc_client.ts
-import path33 from "path";
+import path34 from "path";
 import * as grpc from "@grpc/grpc-js";
 import * as protoLoader from "@grpc/proto-loader";
-var PROTO_PATH = path33.join(
+var PROTO_PATH = path34.join(
   getModuleRootDir(),
   "src/features/codeium_intellij/proto/exa/language_server_pb/language_server.proto"
 );
@@ -28244,7 +28669,7 @@ function loadProto() {
     defaults: true,
     oneofs: true,
     includeDirs: [
-      path33.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
+      path34.join(getModuleRootDir(), "src/features/codeium_intellij/proto")
     ]
   });
   return grpc.loadPackageDefinition(
@@ -28299,29 +28724,29 @@ async function getGrpcClient(port, csrf3) {
 
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
-import os14 from "os";
-import path34 from "path";
+import os15 from "os";
+import path35 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path34.join(os14.homedir(), "Library/Logs/JetBrains");
+    return path35.join(os15.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
-    return path34.join(
-      process.env["LOCALAPPDATA"] || path34.join(os14.homedir(), "AppData/Local"),
+    return path35.join(
+      process.env["LOCALAPPDATA"] || path35.join(os15.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path34.join(os14.homedir(), ".cache/JetBrains");
+    return path35.join(os15.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
   const logFiles = fs27.readdirSync(ideLogDir).filter((f) => /^idea(\.\d+)?\.log$/.test(f)).map((f) => ({
     name: f,
-    mtime: fs27.statSync(path34.join(ideLogDir, f)).mtimeMs
+    mtime: fs27.statSync(path35.join(ideLogDir, f)).mtimeMs
   })).sort((a, b) => a.mtime - b.mtime).map((f) => f.name);
   let latestCsrf = null;
   let latestPort = null;
   for (const logFile of logFiles) {
-    const lines = fs27.readFileSync(path34.join(ideLogDir, logFile), "utf-8").split("\n");
+    const lines = fs27.readFileSync(path35.join(ideLogDir, logFile), "utf-8").split("\n");
     for (const line of lines) {
       if (!line.includes(
         "com.codeium.intellij.language_server.LanguageServerProcessHandler"
@@ -28349,9 +28774,9 @@ function findRunningCodeiumLanguageServers() {
   const logsDir = getLogsDir();
   if (!fs27.existsSync(logsDir)) return results;
   for (const ide of fs27.readdirSync(logsDir)) {
-    let ideLogDir = path34.join(logsDir, ide);
+    let ideLogDir = path35.join(logsDir, ide);
     if (process.platform !== "darwin") {
-      ideLogDir = path34.join(ideLogDir, "log");
+      ideLogDir = path35.join(ideLogDir, "log");
     }
     if (!fs27.existsSync(ideLogDir) || !fs27.statSync(ideLogDir).isDirectory()) {
       continue;
@@ -28533,11 +28958,11 @@ function processChatStepCodeAction(step) {
 
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
-import os15 from "os";
-import path35 from "path";
+import os16 from "os";
+import path36 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path35.join(os15.homedir(), ".codeium", "hooks.json");
+  return path36.join(os16.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();
@@ -28550,7 +28975,7 @@ async function readCodeiumHooks() {
 }
 async function writeCodeiumHooks(config2) {
   const hooksPath = getCodeiumHooksPath();
-  const dir = path35.dirname(hooksPath);
+  const dir = path36.dirname(hooksPath);
   await fsPromises5.mkdir(dir, { recursive: true });
   await fsPromises5.writeFile(
     hooksPath,