mobbdev 1.4.22 → 1.4.23

package/dist/args/commands/upload_ai_blame.mjs

@@ -5441,6 +5441,48 @@ var languages = {
 init_client_generates();
 import { z as z11 } from "zod";
 
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+init_client_generates();
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
+var commandInjection = {
+  isUnixShellCommandPart: {
+    content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
+    description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
+
+- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
+- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
+
+Answer **no** (the input is not plain data) when the input is:
+
+1. The program/executable itself:
+  - \`system(input);\`
+  - \`sprintf(cmd, "%s -x", input);\`
+2. A command after a pipe or redirect:
+  - \`sprintf(cmd, "cat file.txt | %s", input);\`
+3. A part of a non-Unix or cross-platform shell command.
+4. A part of embedded code in another language:
+  - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
+  - \`sprintf(cmd, "awk '%s' file", input);\`
+5. A flag/option that controls a tool's behaviour:
+  - \`sprintf(cmd, "git --upload-pack %s", input);\``,
+    guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
+  },
+  executableLocationPath: {
+    content: () => "What is the absolute path of the directory containing the executable?",
+    description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
+
+Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
+    guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
+  }
+};
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+var vulnerabilities11 = {
+  ["CMDi" /* CmDi */]: commandInjection
+};
+var cpp_default = vulnerabilities11;
+
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
 init_client_generates();
 
@@ -5737,7 +5779,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5758,7 +5800,7 @@ var vulnerabilities11 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities11;
+var csharp_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5791,18 +5833,18 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities12;
+var go_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
-var commandInjection = {
+var commandInjection2 = {
   isUnixShellCommandPart: {
     content: () => "Is the input part of Unix shell command?",
     description: () => `For example:
@@ -6256,10 +6298,10 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
-  ["CMDi" /* CmDi */]: commandInjection,
+  ["CMDi" /* CmDi */]: commandInjection2,
   ["CONFUSING_NAMING" /* ConfusingNaming */]: confusingNaming,
   ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: errorConditionWithoutAction,
   ["XXE" /* Xxe */]: xxe2,
@@ -6284,7 +6326,7 @@ var vulnerabilities13 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities13;
+var java_default2 = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6299,7 +6341,7 @@ var csrf2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
-var commandInjection2 = {
+var commandInjection3 = {
   isCommandExecutable: {
     content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
     description: () => `Does the command fall into one of the following categories:
@@ -6613,8 +6655,8 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities14 = {
-  ["CMDi" /* CmDi */]: commandInjection2,
+var vulnerabilities15 = {
+  ["CMDi" /* CmDi */]: commandInjection3,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
   ["SSRF" /* Ssrf */]: ssrf4,
@@ -6636,7 +6678,7 @@ var vulnerabilities14 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities14;
+var js_default = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6710,7 +6752,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6719,7 +6761,7 @@ var vulnerabilities15 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities15;
+var python_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6736,10 +6778,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities16;
+var xml_default2 = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6772,12 +6814,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities17 = {
+var vulnerabilities18 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities17;
+var yaml_default = vulnerabilities18;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z11.object({
@@ -6792,6 +6834,7 @@ var languages2 = {
   ["CSharp" /* CSharp */]: csharp_default2,
   ["Python" /* Python */]: python_default2,
   ["Go" /* Go */]: go_default2,
+  ["Cpp" /* Cpp */]: cpp_default,
   ["YAML" /* Yaml */]: yaml_default
 };
 

package/dist/index.mjs

@@ -5233,6 +5233,48 @@ var languages = {
 init_client_generates();
 import { z as z4 } from "zod";
 
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+init_client_generates();
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
+var commandInjection = {
+  isUnixShellCommandPart: {
+    content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
+    description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
+
+- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
+- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
+
+Answer **no** (the input is not plain data) when the input is:
+
+1. The program/executable itself:
+  - \`system(input);\`
+  - \`sprintf(cmd, "%s -x", input);\`
+2. A command after a pipe or redirect:
+  - \`sprintf(cmd, "cat file.txt | %s", input);\`
+3. A part of a non-Unix or cross-platform shell command.
+4. A part of embedded code in another language:
+  - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
+  - \`sprintf(cmd, "awk '%s' file", input);\`
+5. A flag/option that controls a tool's behaviour:
+  - \`sprintf(cmd, "git --upload-pack %s", input);\``,
+    guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
+  },
+  executableLocationPath: {
+    content: () => "What is the absolute path of the directory containing the executable?",
+    description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
+
+Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
+    guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
+  }
+};
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+var vulnerabilities11 = {
+  ["CMDi" /* CmDi */]: commandInjection
+};
+var cpp_default = vulnerabilities11;
+
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
 init_client_generates();
 
@@ -5529,7 +5571,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5550,7 +5592,7 @@ var vulnerabilities11 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities11;
+var csharp_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5583,18 +5625,18 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities12;
+var go_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
-var commandInjection = {
+var commandInjection2 = {
   isUnixShellCommandPart: {
     content: () => "Is the input part of Unix shell command?",
     description: () => `For example:
@@ -6048,10 +6090,10 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
-  ["CMDi" /* CmDi */]: commandInjection,
+  ["CMDi" /* CmDi */]: commandInjection2,
   ["CONFUSING_NAMING" /* ConfusingNaming */]: confusingNaming,
   ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: errorConditionWithoutAction,
   ["XXE" /* Xxe */]: xxe2,
@@ -6076,7 +6118,7 @@ var vulnerabilities13 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities13;
+var java_default2 = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6091,7 +6133,7 @@ var csrf2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
-var commandInjection2 = {
+var commandInjection3 = {
   isCommandExecutable: {
     content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
     description: () => `Does the command fall into one of the following categories:
@@ -6405,8 +6447,8 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities14 = {
-  ["CMDi" /* CmDi */]: commandInjection2,
+var vulnerabilities15 = {
+  ["CMDi" /* CmDi */]: commandInjection3,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
   ["SSRF" /* Ssrf */]: ssrf4,
@@ -6428,7 +6470,7 @@ var vulnerabilities14 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities14;
+var js_default = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6502,7 +6544,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6511,7 +6553,7 @@ var vulnerabilities15 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities15;
+var python_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6528,10 +6570,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities16;
+var xml_default2 = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6564,12 +6606,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities17 = {
+var vulnerabilities18 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities17;
+var yaml_default = vulnerabilities18;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z4.object({
@@ -6584,6 +6626,7 @@ var languages2 = {
   ["CSharp" /* CSharp */]: csharp_default2,
   ["Python" /* Python */]: python_default2,
   ["Go" /* Go */]: go_default2,
+  ["Cpp" /* Cpp */]: cpp_default,
   ["YAML" /* Yaml */]: yaml_default
 };
 var storedQuestionData_default = languages2;
@@ -9598,48 +9641,65 @@ function getGithubSdk(params = {}) {
         return false;
       }
     },
-    async getGithubRepoList() {
+    async listAuthenticatedUserReposPage(params2) {
+      const {
+        sort = { field: "updated", order: "desc" },
+        perPage = 10,
+        page = 1
+      } = params2;
+      const githubSort = sort.field === "name" ? "full_name" : sort.field === "created" ? "created" : "updated";
       try {
-        const allRepos = [];
-        let page = 1;
-        const perPage = 100;
-        let hasMore = true;
-        while (hasMore) {
-          const githubRepos = await octokit.request(GET_USER_REPOS, {
-            sort: "updated",
-            per_page: perPage,
-            page
-          });
-          for (const repo of githubRepos.data) {
-            allRepos.push({
-              repoName: repo.name,
-              repoUrl: repo.html_url,
-              repoOwner: repo.owner.login,
-              repoLanguages: repo.language ? [repo.language] : [],
-              repoIsPublic: !repo.private,
-              repoUpdatedAt: repo.updated_at
-            });
-          }
-          hasMore = githubRepos.data.length >= perPage;
-          page++;
-        }
-        return allRepos;
+        const githubRepos = await octokit.request(GET_USER_REPOS, {
+          sort: githubSort,
+          direction: sort.order,
+          per_page: perPage,
+          page
+        });
+        const items = githubRepos.data.map((repo) => ({
+          repoName: repo.name,
+          repoUrl: repo.html_url,
+          repoOwner: repo.owner.login,
+          repoLanguages: repo.language ? [repo.language] : [],
+          repoIsPublic: !repo.private,
+          repoUpdatedAt: repo.updated_at
+        }));
+        return {
+          items,
+          hasMore: githubRepos.data.length >= perPage
+        };
       } catch (e) {
         if (e instanceof RequestError && e.status === 401) {
           console.warn(
             "GitHub API returned 401 Unauthorized when listing repos - token may be expired or lack repo scope"
           );
-          return [];
+          return { items: [], hasMore: false };
         }
         if (e instanceof RequestError && e.status === 404) {
           console.warn(
             "GitHub API returned 404 Not Found when listing repos - user may not exist"
           );
-          return [];
+          return { items: [], hasMore: false };
         }
         throw e;
       }
     },
+    async getGithubRepoList() {
+      const allRepos = [];
+      let page = 1;
+      const perPage = 100;
+      let hasMore = true;
+      while (hasMore) {
+        const pageResult = await this.listAuthenticatedUserReposPage({
+          sort: { field: "updated", order: "desc" },
+          perPage,
+          page
+        });
+        allRepos.push(...pageResult.items);
+        hasMore = pageResult.hasMore;
+        page++;
+      }
+      return allRepos;
+    },
     async getGithubRepoDefaultBranch(repoUrl) {
       const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
       const repos = await octokit.rest.repos.get({ repo, owner });
@@ -10699,23 +10759,25 @@ var GithubSCMLib = class extends SCMLib {
     });
   }
   /**
-   * Override searchRepos to use GitHub's Search API for efficient pagination.
-   * This is much faster than fetching all repos and filtering in-memory.
-   *
-   * Note: GitHub Search API doesn't support sorting by name, so when name sorting
-   * is requested, we fall back to fetching all repos and sorting in-memory.
+   * Override searchRepos for efficient server-side pagination.
+   * - With scmOrg: GitHub Search API (`org:…`)
+   * - Without scmOrg: paginated `GET /user/repos`
+   * - Name sort: in-memory over full list
    */
   async searchRepos(params) {
     this._validateAccessToken();
     const sort = params.sort || { field: "updated", order: "desc" };
-    if (!params.scmOrg || sort.field === "name") {
+    if (sort.field === "name") {
       return this.searchReposInMemory(params);
     }
+    if (!params.scmOrg) {
+      return this.searchReposWithUserReposApi(params);
+    }
     return this.searchReposWithApi(params);
   }
   /**
    * Search repos by fetching all and sorting/paginating in-memory.
-   * Used when name sorting is requested or no organization is provided.
+   * Used only when name sorting is requested.
    */
   async searchReposInMemory(params) {
     const repos = await this.getRepoList(params.scmOrg);
@@ -10743,6 +10805,24 @@ var GithubSCMLib = class extends SCMLib {
       hasMore: nextOffset < sortedRepos.length
     };
   }
+  /**
+   * Paginated repo list for authenticated user when no GitHub org is configured.
+   */
+  async searchReposWithUserReposApi(params) {
+    const page = parseCursorSafe(params.cursor, 1);
+    const perPage = params.limit || 10;
+    const sort = params.sort || { field: "updated", order: "desc" };
+    const pageResult = await this.githubSdk.listAuthenticatedUserReposPage({
+      sort,
+      perPage,
+      page
+    });
+    return {
+      results: pageResult.items,
+      nextCursor: pageResult.hasMore ? String(page + 1) : void 0,
+      hasMore: pageResult.hasMore
+    };
+  }
   /**
    * Search repos using GitHub Search API for efficient server-side pagination.
    * Only supports date-based sorting (updated/created).
@@ -19641,7 +19721,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.22" : "unknown";
+var CLI_VERSION = true ? "1.4.23" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.22",
+  "version": "1.4.23",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",