mobbdev 1.4.22 → 1.4.25

package/dist/args/commands/upload_ai_blame.mjs

@@ -138,10 +138,16 @@ function getSdk(client, withWrapper = defaultWrapper) {
     },
     SkillVerdictsByMd5(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: SkillVerdictsByMd5Document, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SkillVerdictsByMd5", "query", variables);
+    },
+    LogMvsEvent(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: LogMvsEventDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "LogMvsEvent", "mutation", variables);
+    },
+    getMvsProject(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetMvsProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getMvsProject", "mutation", variables);
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, LogMvsEventDocument, GetMvsProjectDocument, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -1077,7 +1083,7 @@ var init_client_generates = __esm({
 }
     `;
     SubmitVulnerabilityReportDocument = `
-    mutation SubmitVulnerabilityReport($fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!, $scanSource: String!, $sha: String, $experimentalEnabled: Boolean, $vulnerabilityReportFileName: String, $pullRequest: Int, $isFullScan: Boolean, $scanContext: String!, $fileCount: Int) {
+    mutation SubmitVulnerabilityReport($fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!, $scanSource: String!, $sha: String, $experimentalEnabled: Boolean, $vulnerabilityReportFileName: String, $pullRequest: Int, $isFullScan: Boolean, $scanContext: String!, $fileCount: Int, $computerName: String, $computerUser: String, $clientVersion: String) {
   submitVulnerabilityReport(
     fixReportId: $fixReportId
     repoUrl: $repoUrl
@@ -1091,6 +1097,9 @@ var init_client_generates = __esm({
     scanSource: $scanSource
     scanContext: $scanContext
     fileCount: $fileCount
+    computerName: $computerName
+    computerUser: $computerUser
+    clientVersion: $clientVersion
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1365,6 +1374,29 @@ var init_client_generates = __esm({
       scannedAt
     }
   }
+}
+    `;
+    LogMvsEventDocument = `
+    mutation LogMvsEvent($eventType: String!, $fixReportId: String, $projectId: String, $repoUrl: String, $riskCount: Int, $computerName: String, $computerUser: String, $clientVersion: String) {
+  logMvsEvent(
+    eventType: $eventType
+    fixReportId: $fixReportId
+    projectId: $projectId
+    repoUrl: $repoUrl
+    riskCount: $riskCount
+    computerName: $computerName
+    computerUser: $computerUser
+    clientVersion: $clientVersion
+  ) {
+    status
+  }
+}
+    `;
+    GetMvsProjectDocument = `
+    mutation getMvsProject($organizationId: String!) {
+  getMvsProject(organizationId: $organizationId) {
+    projectId
+  }
 }
     `;
     defaultWrapper = (action, _operationName, _operationType, _variables) => action();
@@ -4494,7 +4526,6 @@ var CliError = class extends Error {
 
 // src/commands/AuthManager.ts
 import crypto from "crypto";
-import os from "os";
 import Debug10 from "debug";
 import open from "open";
 
@@ -5441,6 +5472,48 @@ var languages = {
 init_client_generates();
 import { z as z11 } from "zod";
 
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+init_client_generates();
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
+var commandInjection = {
+  isUnixShellCommandPart: {
+    content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
+    description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
+
+- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
+- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
+
+Answer **no** (the input is not plain data) when the input is:
+
+1. The program/executable itself:
+  - \`system(input);\`
+  - \`sprintf(cmd, "%s -x", input);\`
+2. A command after a pipe or redirect:
+  - \`sprintf(cmd, "cat file.txt | %s", input);\`
+3. A part of a non-Unix or cross-platform shell command.
+4. A part of embedded code in another language:
+  - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
+  - \`sprintf(cmd, "awk '%s' file", input);\`
+5. A flag/option that controls a tool's behaviour:
+  - \`sprintf(cmd, "git --upload-pack %s", input);\``,
+    guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
+  },
+  executableLocationPath: {
+    content: () => "What is the absolute path of the directory containing the executable?",
+    description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
+
+Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
+    guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
+  }
+};
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+var vulnerabilities11 = {
+  ["CMDi" /* CmDi */]: commandInjection
+};
+var cpp_default = vulnerabilities11;
+
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
 init_client_generates();
 
@@ -5737,7 +5810,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5758,7 +5831,7 @@ var vulnerabilities11 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities11;
+var csharp_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5791,18 +5864,18 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities12;
+var go_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
-var commandInjection = {
+var commandInjection2 = {
   isUnixShellCommandPart: {
     content: () => "Is the input part of Unix shell command?",
     description: () => `For example:
@@ -6256,10 +6329,10 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
-  ["CMDi" /* CmDi */]: commandInjection,
+  ["CMDi" /* CmDi */]: commandInjection2,
   ["CONFUSING_NAMING" /* ConfusingNaming */]: confusingNaming,
   ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: errorConditionWithoutAction,
   ["XXE" /* Xxe */]: xxe2,
@@ -6284,7 +6357,7 @@ var vulnerabilities13 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities13;
+var java_default2 = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6299,7 +6372,7 @@ var csrf2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
-var commandInjection2 = {
+var commandInjection3 = {
   isCommandExecutable: {
     content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
     description: () => `Does the command fall into one of the following categories:
@@ -6613,8 +6686,8 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities14 = {
-  ["CMDi" /* CmDi */]: commandInjection2,
+var vulnerabilities15 = {
+  ["CMDi" /* CmDi */]: commandInjection3,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
   ["SSRF" /* Ssrf */]: ssrf4,
@@ -6636,7 +6709,7 @@ var vulnerabilities14 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities14;
+var js_default = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6710,7 +6783,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6719,7 +6792,7 @@ var vulnerabilities15 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities15;
+var python_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6736,10 +6809,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities16;
+var xml_default2 = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6772,12 +6845,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities17 = {
+var vulnerabilities18 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities17;
+var yaml_default = vulnerabilities18;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z11.object({
@@ -6792,6 +6865,7 @@ var languages2 = {
   ["CSharp" /* CSharp */]: csharp_default2,
   ["Python" /* Python */]: python_default2,
   ["Go" /* Go */]: go_default2,
+  ["Cpp" /* Cpp */]: cpp_default,
   ["YAML" /* Yaml */]: yaml_default
 };
 
@@ -7842,16 +7916,42 @@ var URL_REFRESH_MS = 20 * 60 * 1e3;
 var debug10 = Debug9("mobbdev:tracy-batch-upload");
 
 // src/mcp/services/types.ts
-function buildLoginUrl(baseUrl, loginId, hostname, context) {
+import os from "os";
+function buildLoginUrl(baseUrl, loginId, machine, context) {
   const url = new URL(`${baseUrl}/${loginId}`);
-  url.searchParams.set("hostname", hostname);
-  url.searchParams.set("trigger", context.trigger);
-  url.searchParams.set("source", context.source);
-  if (context.ide) {
-    url.searchParams.set("ide", context.ide);
+  url.searchParams.set("hostname", machine.hostname);
+  if (machine.computerUser) {
+    url.searchParams.set("computerUser", machine.computerUser);
+  }
+  if (machine.clientVersion) {
+    url.searchParams.set("clientVersion", machine.clientVersion);
+  }
+  if (context) {
+    url.searchParams.set("trigger", context.trigger);
+    url.searchParams.set("source", context.source);
+    if (context.ide) {
+      url.searchParams.set("ide", context.ide);
+    }
   }
   return url.toString();
 }
+function getComputerUser() {
+  try {
+    return os.userInfo().username || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function getLoginMachineInfo() {
+  return {
+    hostname: os.hostname(),
+    computerUser: getComputerUser(),
+    clientVersion: packageJson.version
+  };
+}
+function buildLoginBrowserUrl(baseUrl, loginId, context) {
+  return buildLoginUrl(baseUrl, loginId, getLoginMachineInfo(), context);
+}
 
 // src/utils/ConfigStoreService.ts
 import Configstore from "configstore";
@@ -8014,7 +8114,11 @@ var _AuthManager = class _AuthManager {
         publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
       });
       const webLoginUrl = `${this.resolvedWebAppUrl}${loginPath || "/cli-login"}`;
-      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os.hostname()}`;
+      const browserUrl = buildLoginBrowserUrl(
+        webLoginUrl,
+        this.loginId,
+        loginContext
+      );
       this.currentBrowserUrl = browserUrl;
       return browserUrl;
     } catch (error) {

package/dist/index.mjs

@@ -138,10 +138,16 @@ function getSdk(client, withWrapper = defaultWrapper) {
     },
     SkillVerdictsByMd5(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: SkillVerdictsByMd5Document, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SkillVerdictsByMd5", "query", variables);
+    },
+    LogMvsEvent(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: LogMvsEventDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "LogMvsEvent", "mutation", variables);
+    },
+    getMvsProject(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetMvsProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getMvsProject", "mutation", variables);
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixWithAnswersDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, LogMvsEventDocument, GetMvsProjectDocument, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -1077,7 +1083,7 @@ var init_client_generates = __esm({
 }
     `;
     SubmitVulnerabilityReportDocument = `
-    mutation SubmitVulnerabilityReport($fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!, $scanSource: String!, $sha: String, $experimentalEnabled: Boolean, $vulnerabilityReportFileName: String, $pullRequest: Int, $isFullScan: Boolean, $scanContext: String!, $fileCount: Int) {
+    mutation SubmitVulnerabilityReport($fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!, $scanSource: String!, $sha: String, $experimentalEnabled: Boolean, $vulnerabilityReportFileName: String, $pullRequest: Int, $isFullScan: Boolean, $scanContext: String!, $fileCount: Int, $computerName: String, $computerUser: String, $clientVersion: String) {
   submitVulnerabilityReport(
     fixReportId: $fixReportId
     repoUrl: $repoUrl
@@ -1091,6 +1097,9 @@ var init_client_generates = __esm({
     scanSource: $scanSource
     scanContext: $scanContext
     fileCount: $fileCount
+    computerName: $computerName
+    computerUser: $computerUser
+    clientVersion: $clientVersion
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1365,6 +1374,29 @@ var init_client_generates = __esm({
       scannedAt
     }
   }
+}
+    `;
+    LogMvsEventDocument = `
+    mutation LogMvsEvent($eventType: String!, $fixReportId: String, $projectId: String, $repoUrl: String, $riskCount: Int, $computerName: String, $computerUser: String, $clientVersion: String) {
+  logMvsEvent(
+    eventType: $eventType
+    fixReportId: $fixReportId
+    projectId: $projectId
+    repoUrl: $repoUrl
+    riskCount: $riskCount
+    computerName: $computerName
+    computerUser: $computerUser
+    clientVersion: $clientVersion
+  ) {
+    status
+  }
+}
+    `;
+    GetMvsProjectDocument = `
+    mutation getMvsProject($organizationId: String!) {
+  getMvsProject(organizationId: $organizationId) {
+    projectId
+  }
 }
     `;
     defaultWrapper = (action, _operationName, _operationType, _variables) => action();
@@ -5233,6 +5265,48 @@ var languages = {
 init_client_generates();
 import { z as z4 } from "zod";
 
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+init_client_generates();
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
+var commandInjection = {
+  isUnixShellCommandPart: {
+    content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
+    description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
+
+- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
+- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
+
+Answer **no** (the input is not plain data) when the input is:
+
+1. The program/executable itself:
+  - \`system(input);\`
+  - \`sprintf(cmd, "%s -x", input);\`
+2. A command after a pipe or redirect:
+  - \`sprintf(cmd, "cat file.txt | %s", input);\`
+3. A part of a non-Unix or cross-platform shell command.
+4. A part of embedded code in another language:
+  - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
+  - \`sprintf(cmd, "awk '%s' file", input);\`
+5. A flag/option that controls a tool's behaviour:
+  - \`sprintf(cmd, "git --upload-pack %s", input);\``,
+    guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
+  },
+  executableLocationPath: {
+    content: () => "What is the absolute path of the directory containing the executable?",
+    description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
+
+Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
+    guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
+  }
+};
+
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+var vulnerabilities11 = {
+  ["CMDi" /* CmDi */]: commandInjection
+};
+var cpp_default = vulnerabilities11;
+
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
 init_client_generates();
 
@@ -5529,7 +5603,7 @@ var xxe = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5550,7 +5624,7 @@ var vulnerabilities11 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities11;
+var csharp_default2 = vulnerabilities12;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5583,18 +5657,18 @@ var websocketMissingOriginCheck = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities12;
+var go_default2 = vulnerabilities13;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
-var commandInjection = {
+var commandInjection2 = {
   isUnixShellCommandPart: {
     content: () => "Is the input part of Unix shell command?",
     description: () => `For example:
@@ -6048,10 +6122,10 @@ var xxe2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
-  ["CMDi" /* CmDi */]: commandInjection,
+  ["CMDi" /* CmDi */]: commandInjection2,
   ["CONFUSING_NAMING" /* ConfusingNaming */]: confusingNaming,
   ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: errorConditionWithoutAction,
   ["XXE" /* Xxe */]: xxe2,
@@ -6076,7 +6150,7 @@ var vulnerabilities13 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities13;
+var java_default2 = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6091,7 +6165,7 @@ var csrf2 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
-var commandInjection2 = {
+var commandInjection3 = {
   isCommandExecutable: {
     content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
     description: () => `Does the command fall into one of the following categories:
@@ -6405,8 +6479,8 @@ var xss3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities14 = {
-  ["CMDi" /* CmDi */]: commandInjection2,
+var vulnerabilities15 = {
+  ["CMDi" /* CmDi */]: commandInjection3,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
   ["SSRF" /* Ssrf */]: ssrf4,
@@ -6428,7 +6502,7 @@ var vulnerabilities14 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities14;
+var js_default = vulnerabilities15;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6502,7 +6576,7 @@ var uncheckedLoopCondition3 = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6511,7 +6585,7 @@ var vulnerabilities15 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities15;
+var python_default2 = vulnerabilities16;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6528,10 +6602,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities16;
+var xml_default2 = vulnerabilities17;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6564,12 +6638,12 @@ var writableFilesystemService = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities17 = {
+var vulnerabilities18 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities17;
+var yaml_default = vulnerabilities18;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z4.object({
@@ -6584,6 +6658,7 @@ var languages2 = {
   ["CSharp" /* CSharp */]: csharp_default2,
   ["Python" /* Python */]: python_default2,
   ["Go" /* Go */]: go_default2,
+  ["Cpp" /* Cpp */]: cpp_default,
   ["YAML" /* Yaml */]: yaml_default
 };
 var storedQuestionData_default = languages2;
@@ -9598,48 +9673,65 @@ function getGithubSdk(params = {}) {
         return false;
       }
     },
-    async getGithubRepoList() {
+    async listAuthenticatedUserReposPage(params2) {
+      const {
+        sort = { field: "updated", order: "desc" },
+        perPage = 10,
+        page = 1
+      } = params2;
+      const githubSort = sort.field === "name" ? "full_name" : sort.field === "created" ? "created" : "updated";
       try {
-        const allRepos = [];
-        let page = 1;
-        const perPage = 100;
-        let hasMore = true;
-        while (hasMore) {
-          const githubRepos = await octokit.request(GET_USER_REPOS, {
-            sort: "updated",
-            per_page: perPage,
-            page
-          });
-          for (const repo of githubRepos.data) {
-            allRepos.push({
-              repoName: repo.name,
-              repoUrl: repo.html_url,
-              repoOwner: repo.owner.login,
-              repoLanguages: repo.language ? [repo.language] : [],
-              repoIsPublic: !repo.private,
-              repoUpdatedAt: repo.updated_at
-            });
-          }
-          hasMore = githubRepos.data.length >= perPage;
-          page++;
-        }
-        return allRepos;
+        const githubRepos = await octokit.request(GET_USER_REPOS, {
+          sort: githubSort,
+          direction: sort.order,
+          per_page: perPage,
+          page
+        });
+        const items = githubRepos.data.map((repo) => ({
+          repoName: repo.name,
+          repoUrl: repo.html_url,
+          repoOwner: repo.owner.login,
+          repoLanguages: repo.language ? [repo.language] : [],
+          repoIsPublic: !repo.private,
+          repoUpdatedAt: repo.updated_at
+        }));
+        return {
+          items,
+          hasMore: githubRepos.data.length >= perPage
+        };
       } catch (e) {
         if (e instanceof RequestError && e.status === 401) {
           console.warn(
             "GitHub API returned 401 Unauthorized when listing repos - token may be expired or lack repo scope"
           );
-          return [];
+          return { items: [], hasMore: false };
         }
         if (e instanceof RequestError && e.status === 404) {
           console.warn(
             "GitHub API returned 404 Not Found when listing repos - user may not exist"
           );
-          return [];
+          return { items: [], hasMore: false };
         }
         throw e;
       }
     },
+    async getGithubRepoList() {
+      const allRepos = [];
+      let page = 1;
+      const perPage = 100;
+      let hasMore = true;
+      while (hasMore) {
+        const pageResult = await this.listAuthenticatedUserReposPage({
+          sort: { field: "updated", order: "desc" },
+          perPage,
+          page
+        });
+        allRepos.push(...pageResult.items);
+        hasMore = pageResult.hasMore;
+        page++;
+      }
+      return allRepos;
+    },
     async getGithubRepoDefaultBranch(repoUrl) {
       const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
       const repos = await octokit.rest.repos.get({ repo, owner });
@@ -10699,23 +10791,25 @@ var GithubSCMLib = class extends SCMLib {
     });
   }
   /**
-   * Override searchRepos to use GitHub's Search API for efficient pagination.
-   * This is much faster than fetching all repos and filtering in-memory.
-   *
-   * Note: GitHub Search API doesn't support sorting by name, so when name sorting
-   * is requested, we fall back to fetching all repos and sorting in-memory.
+   * Override searchRepos for efficient server-side pagination.
+   * - With scmOrg: GitHub Search API (`org:…`)
+   * - Without scmOrg: paginated `GET /user/repos`
+   * - Name sort: in-memory over full list
    */
   async searchRepos(params) {
     this._validateAccessToken();
     const sort = params.sort || { field: "updated", order: "desc" };
-    if (!params.scmOrg || sort.field === "name") {
+    if (sort.field === "name") {
       return this.searchReposInMemory(params);
     }
+    if (!params.scmOrg) {
+      return this.searchReposWithUserReposApi(params);
+    }
     return this.searchReposWithApi(params);
   }
   /**
    * Search repos by fetching all and sorting/paginating in-memory.
-   * Used when name sorting is requested or no organization is provided.
+   * Used only when name sorting is requested.
    */
   async searchReposInMemory(params) {
     const repos = await this.getRepoList(params.scmOrg);
@@ -10743,6 +10837,24 @@ var GithubSCMLib = class extends SCMLib {
       hasMore: nextOffset < sortedRepos.length
     };
   }
+  /**
+   * Paginated repo list for authenticated user when no GitHub org is configured.
+   */
+  async searchReposWithUserReposApi(params) {
+    const page = parseCursorSafe(params.cursor, 1);
+    const perPage = params.limit || 10;
+    const sort = params.sort || { field: "updated", order: "desc" };
+    const pageResult = await this.githubSdk.listAuthenticatedUserReposPage({
+      sort,
+      perPage,
+      page
+    });
+    return {
+      results: pageResult.items,
+      nextCursor: pageResult.hasMore ? String(page + 1) : void 0,
+      hasMore: pageResult.hasMore
+    };
+  }
   /**
    * Search repos using GitHub Search API for efficient server-side pagination.
    * Only supports date-based sorting (updated/created).
@@ -13124,7 +13236,6 @@ import { z as z31 } from "zod";
 
 // src/commands/AuthManager.ts
 import crypto from "crypto";
-import os3 from "os";
 import Debug11 from "debug";
 import open from "open";
 
@@ -15143,6 +15254,7 @@ async function prepareAndSendTracyRecords(client, rawRecords, workingDir, option
 }
 
 // src/mcp/services/types.ts
+import os3 from "os";
 function detectIDE() {
   const env3 = process.env;
   if (env3["CURSOR_TRACE_ID"] || env3["CURSOR_SESSION_ID"]) return "cursor";
@@ -15163,16 +15275,41 @@ function createMcpLoginContext(trigger) {
     ide: detectIDE()
   };
 }
-function buildLoginUrl(baseUrl, loginId, hostname, context) {
+function buildLoginUrl(baseUrl, loginId, machine, context) {
   const url = new URL(`${baseUrl}/${loginId}`);
-  url.searchParams.set("hostname", hostname);
-  url.searchParams.set("trigger", context.trigger);
-  url.searchParams.set("source", context.source);
-  if (context.ide) {
-    url.searchParams.set("ide", context.ide);
+  url.searchParams.set("hostname", machine.hostname);
+  if (machine.computerUser) {
+    url.searchParams.set("computerUser", machine.computerUser);
+  }
+  if (machine.clientVersion) {
+    url.searchParams.set("clientVersion", machine.clientVersion);
+  }
+  if (context) {
+    url.searchParams.set("trigger", context.trigger);
+    url.searchParams.set("source", context.source);
+    if (context.ide) {
+      url.searchParams.set("ide", context.ide);
+    }
   }
   return url.toString();
 }
+function getComputerUser() {
+  try {
+    return os3.userInfo().username || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function getLoginMachineInfo() {
+  return {
+    hostname: os3.hostname(),
+    computerUser: getComputerUser(),
+    clientVersion: packageJson.version
+  };
+}
+function buildLoginBrowserUrl(baseUrl, loginId, context) {
+  return buildLoginUrl(baseUrl, loginId, getLoginMachineInfo(), context);
+}
 
 // src/commands/AuthManager.ts
 var debug12 = Debug11("mobbdev:auth");
@@ -15317,7 +15454,11 @@ var _AuthManager = class _AuthManager {
         publicKey: this.publicKey.export({ format: "pem", type: "pkcs1" }).toString()
       });
       const webLoginUrl = `${this.resolvedWebAppUrl}${loginPath || "/cli-login"}`;
-      const browserUrl = loginContext ? buildLoginUrl(webLoginUrl, this.loginId, os3.hostname(), loginContext) : `${webLoginUrl}/${this.loginId}?hostname=${os3.hostname()}`;
+      const browserUrl = buildLoginBrowserUrl(
+        webLoginUrl,
+        this.loginId,
+        loginContext
+      );
       this.currentBrowserUrl = browserUrl;
       return browserUrl;
     } catch (error) {
@@ -16355,8 +16496,8 @@ if (typeof __filename !== "undefined") {
 }
 var costumeRequire = createRequire(moduleUrl);
 var getCheckmarxPath = () => {
-  const os17 = type();
-  const cxFileName = os17 === "Windows_NT" ? "cx.exe" : "cx";
+  const os19 = type();
+  const cxFileName = os19 === "Windows_NT" ? "cx.exe" : "cx";
   try {
     return costumeRequire.resolve(`.bin/${cxFileName}`);
   } catch (e) {
@@ -19641,7 +19782,7 @@ function createLogger(config2) {
 
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.22" : "unknown";
+var CLI_VERSION = true ? "1.4.25" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {
@@ -21166,7 +21307,7 @@ var logDebug = (message, data) => logger2.log(message, "debug", data);
 var log = logger2.log.bind(logger2);
 
 // src/mcp/services/McpGQLClient.ts
-import crypto2 from "crypto";
+import os9 from "os";
 init_client_generates();
 init_configs();
 
@@ -21548,85 +21689,20 @@ var McpGQLClient = class extends GQLClient {
       if (!userEmail) {
         throw new Error("User email not found");
       }
-      const shortEmailHash = crypto2.createHash("sha256").update(userEmail).digest("hex").slice(0, 8).toUpperCase();
-      const projectName = `MCP Scans ${shortEmailHash}`;
-      logDebug("[GraphQL] Calling getLastOrgAndNamedProject query", {
-        projectName
-      });
-      const orgAndProjectRes = await this._clientSdk.getLastOrgAndNamedProject({
-        email: userEmail,
-        projectName
-      });
-      logDebug("[GraphQL] getLastOrgAndNamedProject successful", {
-        result: orgAndProjectRes
-      });
-      if (!orgAndProjectRes.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.id) {
+      const orgRes = await this._clientSdk.getLastOrg({ email: userEmail });
+      const organizationId = orgRes.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.id;
+      if (!organizationId) {
         throw new Error(
-          `The user with email:${userEmail}  is not associated with any organization`
+          `The user with email:${userEmail} is not associated with any organization`
         );
       }
-      const organization = orgAndProjectRes.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization;
-      const projectId = organization?.projects?.[0]?.id;
-      if (projectId) {
-        logDebug("[GraphQL] Found existing project", {
-          projectId,
-          projectName
-        });
-        return projectId;
-      }
-      logDebug("[GraphQL] Project not found, creating new project", {
-        organizationId: organization.id,
-        projectName
-      });
-      try {
-        const createdProject = await this._clientSdk.CreateProject({
-          organizationId: organization.id,
-          projectName
-        });
-        logDebug("[GraphQL] CreateProject successful", {
-          result: createdProject
-        });
-        return createdProject.createProject.projectId;
-      } catch (createError) {
-        const errorMessage3 = createError instanceof Error ? createError.message : String(createError);
-        const isConstraintViolation = errorMessage3.includes(
-          "duplicate key value violates unique constraint"
-        ) && errorMessage3.includes("project_name_organization_id_key");
-        if (isConstraintViolation) {
-          logDebug(
-            "[GraphQL] Project creation failed due to constraint violation, retrying fetch",
-            {
-              organizationId: organization.id,
-              projectName,
-              error: errorMessage3
-            }
-          );
-          const retryOrgAndProjectRes = await this._clientSdk.getLastOrgAndNamedProject({
-            email: userEmail,
-            projectName
-          });
-          const retryProjectId = retryOrgAndProjectRes.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.projects?.[0]?.id;
-          if (retryProjectId) {
-            logDebug(
-              "[GraphQL] Successfully found existing project after constraint violation",
-              {
-                projectId: retryProjectId,
-                projectName
-              }
-            );
-            return retryProjectId;
-          }
-          logError(
-            "[GraphQL] Failed to find project even after constraint violation retry",
-            {
-              organizationId: organization.id,
-              projectName,
-              retryResult: retryOrgAndProjectRes
-            }
-          );
-        }
-        throw createError;
+      const mvsRes = await this._clientSdk.getMvsProject({ organizationId });
+      const projectId = mvsRes.getMvsProject?.projectId;
+      if (!projectId) {
+        throw new Error("Failed to resolve the MVS project");
       }
+      logDebug("[GraphQL] Resolved MVS project", { projectId });
+      return projectId;
     } catch (e) {
       logError("[GraphQL] getProjectId failed", {
         error: e,
@@ -21723,6 +21799,26 @@ var McpGQLClient = class extends GQLClient {
       logDebug("[GraphQL] No auto-applied fixes to update status");
     }
   }
+  /** Best-effort: a telemetry failure must never break a scan/fix, so errors are swallowed. */
+  async logMvsEvent(params) {
+    try {
+      await this._clientSdk.LogMvsEvent({
+        eventType: params.eventType,
+        fixReportId: params.fixReportId ?? null,
+        projectId: params.projectId ?? null,
+        repoUrl: params.repoUrl ?? null,
+        riskCount: params.riskCount ?? null,
+        computerName: os9.hostname(),
+        computerUser: getComputerUser() ?? null,
+        clientVersion: packageJson.version
+      });
+    } catch (error) {
+      logDebug("[GraphQL] logMvsEvent failed (ignored)", {
+        eventType: params.eventType,
+        error: error.message
+      });
+    }
+  }
   async getMvsAutoFixSettings() {
     try {
       const envOverride = process.env["MVS_AUTO_FIX"];
@@ -21996,7 +22092,7 @@ async function createAuthenticatedMcpGQLClient({
 // src/mcp/services/McpUsageService/host.ts
 import { execSync as execSync2 } from "child_process";
 import fs15 from "fs";
-import os9 from "os";
+import os10 from "os";
 import path25 from "path";
 var IDEs = ["cursor", "windsurf", "webstorm", "vscode", "claude"];
 var runCommand = (cmd) => {
@@ -22011,7 +22107,7 @@ var gitInfo = {
   email: runCommand("git config user.email")
 };
 var getClaudeWorkspacePaths = () => {
-  const home = os9.homedir();
+  const home = os10.homedir();
   const claudeIdePath = path25.join(home, ".claude", "ide");
   const workspacePaths = [];
   if (!fs15.existsSync(claudeIdePath)) {
@@ -22040,7 +22136,7 @@ var getClaudeWorkspacePaths = () => {
   return workspacePaths;
 };
 var getMCPConfigPaths = (hostName) => {
-  const home = os9.homedir();
+  const home = os10.homedir();
   const currentDir = process.env["WORKSPACE_FOLDER_PATHS"] || process.env["PWD"] || process.cwd();
   switch (hostName.toLowerCase()) {
     case "cursor":
@@ -22130,7 +22226,7 @@ var readMCPConfig = (hostName) => {
 };
 var getRunningProcesses = () => {
   try {
-    return os9.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
+    return os10.platform() === "win32" ? execSync2("tasklist", { encoding: "utf8" }) : execSync2("ps aux", { encoding: "utf8" });
   } catch {
     return "";
   }
@@ -22205,7 +22301,7 @@ var versionCommands = {
   }
 };
 var getProcessInfo = (pid) => {
-  const platform2 = os9.platform();
+  const platform2 = os10.platform();
   try {
     if (platform2 === "linux" || platform2 === "darwin") {
       const output = execSync2(`ps -o pid=,ppid=,comm= -p ${pid}`, {
@@ -22324,7 +22420,7 @@ var getHostInfo = (additionalMcpList) => {
     const config2 = allConfigs[ide] || null;
     const ideName = ide.charAt(0).toUpperCase() + ide.slice(1) || "Unknown";
     let ideVersion = "Unknown";
-    const platform2 = os9.platform();
+    const platform2 = os10.platform();
     const cmds = versionCommands[ideName]?.[platform2] ?? [];
     for (const cmd of cmds) {
       try {
@@ -22357,14 +22453,14 @@ var getHostInfo = (additionalMcpList) => {
 
 // src/mcp/services/McpUsageService/McpUsageService.ts
 import fetch6 from "node-fetch";
-import os11 from "os";
+import os12 from "os";
 import { v4 as uuidv42, v5 as uuidv5 } from "uuid";
 init_configs();
 
 // src/mcp/services/McpUsageService/system.ts
 init_configs();
 import fs16 from "fs";
-import os10 from "os";
+import os11 from "os";
 import path26 from "path";
 var MAX_DEPTH = 2;
 var patterns = ["mcp", "claude"];
@@ -22399,8 +22495,8 @@ var searchDir = async (dir, depth = 0) => {
 };
 var findSystemMCPConfigs = async () => {
   try {
-    const home = os10.homedir();
-    const platform2 = os10.platform();
+    const home = os11.homedir();
+    const platform2 = os11.platform();
     const knownDirs = platform2 === "win32" ? [
       path26.join(home, ".cursor"),
       path26.join(home, "Documents"),
@@ -22472,7 +22568,7 @@ var McpUsageService = class {
   generateHostId() {
     const stored = configStore.get(this.configKey);
     if (stored?.mcpHostId) return stored.mcpHostId;
-    const interfaces = os11.networkInterfaces();
+    const interfaces = os12.networkInterfaces();
     const macs = [];
     for (const iface of Object.values(interfaces)) {
       if (!iface) continue;
@@ -22480,7 +22576,7 @@ var McpUsageService = class {
         if (net.mac && net.mac !== "00:00:00:00:00:00") macs.push(net.mac);
       }
     }
-    const macString = macs.length ? macs.sort().join(",") : `${os11.hostname()}-${uuidv42()}`;
+    const macString = macs.length ? macs.sort().join(",") : `${os12.hostname()}-${uuidv42()}`;
     const hostId = uuidv5(macString, uuidv5.DNS);
     logDebug("[UsageService] Generated new host ID", { hostId });
     return hostId;
@@ -22503,7 +22599,7 @@ var McpUsageService = class {
       mcpHostId,
       organizationId,
       mcpVersion: packageJson.version,
-      mcpOsName: os11.platform(),
+      mcpOsName: os12.platform(),
       mcps: JSON.stringify(mcps),
       status,
       userName: user.name,
@@ -24824,7 +24920,7 @@ For a complete security audit workflow, use the \`full-security-audit\` prompt.
 
 // src/mcp/services/McpDetectionService/CursorMcpDetectionService.ts
 import * as fs19 from "fs";
-import * as os13 from "os";
+import * as os14 from "os";
 import * as path28 from "path";
 
 // src/mcp/services/McpDetectionService/BaseMcpDetectionService.ts
@@ -24835,11 +24931,11 @@ import * as path27 from "path";
 
 // src/mcp/services/McpDetectionService/McpDetectionServiceUtils.ts
 import * as fs17 from "fs";
-import * as os12 from "os";
+import * as os13 from "os";
 
 // src/mcp/services/McpDetectionService/VscodeMcpDetectionService.ts
 import * as fs20 from "fs";
-import * as os14 from "os";
+import * as os15 from "os";
 import * as path29 from "path";
 
 // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
@@ -27545,6 +27641,7 @@ var PatchApplicationService = class {
 // src/mcp/services/ScanFiles.ts
 init_client_generates();
 init_GitService();
+import os16 from "os";
 init_configs();
 
 // src/mcp/services/FileOperations.ts
@@ -27818,7 +27915,12 @@ var executeSecurityScan = async ({
     isFullScan: !!isAllDetectionRulesScan,
     sha,
     scanContext,
-    fileCount
+    fileCount,
+    // MVS device attribution: a developer appears in the MVS Developers grid
+    // from scanning alone (no fresh login needed).
+    computerName: os16.hostname(),
+    computerUser: getComputerUser(),
+    clientVersion: packageJson.version
   };
   logInfo(`[${scanContext}] Submitting vulnerability report`);
   logDebug(`[${scanContext}] Submit vulnerability report variables`, {
@@ -28943,6 +29045,7 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         isExpired: this.storedFixReportId ? this.isFixReportIdExpired() : null
       });
       let fixReportId = this.storedFixReportId;
+      let didScan = false;
       if (!fixReportId || isRescan || this.isFixReportIdExpired()) {
         logInfo("Scanning files");
         this.reset();
@@ -28954,6 +29057,7 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
           scanContext: ScanContext.USER_REQUEST
         });
         fixReportId = scanResult.fixReportId;
+        didScan = true;
       } else {
         logInfo("Using stored fixReportId");
       }
@@ -28966,6 +29070,23 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         limit: effectiveLimit
       });
       logInfo(`Found ${fixes.totalCount} fixes`);
+      if (fixReportId && effectiveOffset === 0 && fixes.totalCount > 0) {
+        if (didScan) {
+          await this.gqlClient.logMvsEvent({
+            eventType: "RISK_DETECTED",
+            fixReportId,
+            riskCount: fixes.totalCount
+          });
+        }
+        await this.gqlClient.logMvsEvent({
+          eventType: "FIXES_VIEWED",
+          fixReportId,
+          // Count of fixes shown, so the Event Log row mirrors Fixable Issues
+          // Detected ("N issues"). Not summed into the Fixable Issues KPI,
+          // which only counts RISK_DETECTED.
+          riskCount: fixes.totalCount
+        });
+      }
       if (fixes.totalCount > 0) {
         this.storedFixReportId = fixReportId;
         this.fixReportIdTimestamp = Date.now();
@@ -29762,18 +29883,18 @@ async function getGrpcClient(port, csrf3) {
 
 // src/features/codeium_intellij/parse_intellij_logs.ts
 import fs27 from "fs";
-import os15 from "os";
+import os17 from "os";
 import path35 from "path";
 function getLogsDir() {
   if (process.platform === "darwin") {
-    return path35.join(os15.homedir(), "Library/Logs/JetBrains");
+    return path35.join(os17.homedir(), "Library/Logs/JetBrains");
   } else if (process.platform === "win32") {
     return path35.join(
-      process.env["LOCALAPPDATA"] || path35.join(os15.homedir(), "AppData/Local"),
+      process.env["LOCALAPPDATA"] || path35.join(os17.homedir(), "AppData/Local"),
       "JetBrains"
     );
   } else {
-    return path35.join(os15.homedir(), ".cache/JetBrains");
+    return path35.join(os17.homedir(), ".cache/JetBrains");
   }
 }
 function parseIdeLogDir(ideLogDir) {
@@ -29996,11 +30117,11 @@ function processChatStepCodeAction(step) {
 
 // src/features/codeium_intellij/install_hook.ts
 import fsPromises5 from "fs/promises";
-import os16 from "os";
+import os18 from "os";
 import path36 from "path";
 import chalk14 from "chalk";
 function getCodeiumHooksPath() {
-  return path36.join(os16.homedir(), ".codeium", "hooks.json");
+  return path36.join(os18.homedir(), ".codeium", "hooks.json");
 }
 async function readCodeiumHooks() {
   const hooksPath = getCodeiumHooksPath();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.22",
+  "version": "1.4.25",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",