Skip to content

Feat/additional metrics studio remy split#46

Closed
MaVictor wants to merge 5 commits into
mainfrom
feat/additional-metrics-studio-remy-split
Closed

Feat/additional metrics studio remy split#46
MaVictor wants to merge 5 commits into
mainfrom
feat/additional-metrics-studio-remy-split

Conversation

@MaVictor

@MaVictor MaVictor commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

Extends the snyk_send_feedback MCP tool to capture richer, more trustworthy remediation/prevention analytics.

Changes:

  • Schema builder support for enum/object params (utils.go, tools.go) — needed to declare the new structured fields below.
  • New optional snyk_send_feedback fields: fixedIssueIds, fixedIssuesBySeverity, preventedIssuesBySeverity, fixedIssuesByScanType, outcome, breakabilityRisk/Source, strategy, testsPassed — all optional and additive to the existing counts, which remain authoritative.
  • Verification of remediation/prevention claims — cross-checks reported fixed/prevented issue IDs against actual scan results before recording feedback, improving analytics data quality.
  • Session-scoped correlation ID (llm_binding.go, analytics.go) — a UUID minted once per MCP process and stamped on every snyk_send_feedback event, so events from the same session can be joined downstream.

Checklist

  • Tests added and all succeed
  • Regenerated mocks, etc. (make generate)
  • Linted (make lint-fix)
  • README.md updated, if user-facing
  • License file updated, if new 3rd-party dependency is introduced

Note

Medium Risk
Adds new analytics behavior and a breaking signature on NewAnalyticsEventParam (fourth arg); verification is heuristic and in-memory only, so mismatch/unverifiable tags can misrepresent edge cases without affecting user-facing tool success.

Overview
Extends snyk_send_feedback so remediation/prevention telemetry is richer and easier to trust downstream, without changing the existing count fields as the source of truth.

Session correlation: A UUID is minted once per MCP process at Start() and passed into NewAnalyticsEventParam as InteractionUUID, so multiple feedback events in the same IDE session share one interaction URN instead of each call getting a new ID.

Scan-result cache & verification: Successful snyk_code_scan / snyk_sca_scan runs (before output enhancement) populate an in-process, LRU-capped cache of findings per file. snyk_send_feedback best-effort checks fixedIssueIds / preventedIssueIds against that cache and adds mcp::verification (verified | unverifiable | mismatch); it never blocks the tool.

Schema & payload: Tool JSON and MCP schema building gain object / enum params. New optional feedback args (e.g. fixedIssueIds, severity/scan-type breakdowns, outcome, breakability, strategy, testsPassed) are forwarded into the analytics extension when present. golangci-lint is bumped in the Makefile.

Reviewed by Cursor Bugbot for commit da9bd29. Bugbot is set up for automated code reviews on this repo. Configure here.

MaVictor added 5 commits July 10, 2026 10:00
Dedupes the required/not-required branching in createToolFromDefinition
and adds enum/object property support, so tool definitions can declare
constrained string values and nested object parameters. Unused until a
later commit adds schema entries that need it.
Mint one correlation ID per studio-mcp process (each IDE connection gets
a fresh process) and stamp it on every snyk_send_feedback analytics
event via NewAnalyticsEventParam, so events emitted by the same session
can be joined downstream instead of each call minting its own random ID.
…an-result cache

Cache the freshest scan findings per file path from successful
snyk_code_scan/snyk_sca_scan calls, then check snyk_send_feedback's
claimed IDs against that cache and stamp the result
(verified/unverifiable/mismatch) on the analytics event. Verification
never blocks or delays the feedback call - it's a best-effort,
observational check only.
Add optional severity/scan-type breakdowns, outcome, breakabilityRisk(+source),
strategy, and testsPassed fields to snyk_send_feedback, populated by
remediation callers (snyk-fix.md, snyk-batch-fix.md,
skills/snyk-fix/SKILL.md) and the secure-at-inception Stop Hook. All
fields are optional and additive: counts remain the authoritative
metric.
@MaVictor MaVictor requested review from a team as code owners July 14, 2026 17:56
@snyk-io

snyk-io Bot commented Jul 14, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit da9bd29. Configure here.

if isWithinDir(filePath, workDir) {
idsByFile[filePath] = make(map[string]struct{})
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File scan clears sibling cache

Medium Severity

When a scan tool is invoked with a file path, workingDir is the file’s parent directory, but updateScanCache treats any existing directory workDir as a full-tree authoritative scan and zeroes cached findings for every same-type file under that directory not present in the current SARIF/SCA output. A narrow re-scan can therefore wipe still-vulnerable siblings and make verifyIDs report verified for fixes that were not validated.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit da9bd29. Configure here.

@MaVictor MaVictor closed this Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants