@synkro-sh/cli 1.0.10 → 1.0.12

package/dist/bootstrap.js

@@ -360,10 +360,22 @@ esac
 if [ "\${SYNKRO_HEADLESS:-0}" = "1" ]; then IS_HEADLESS=1; fi
 
 USER_INTENT=""
+RECENT_USER_MESSAGES="[]"
 RECENT_ACTIONS="[]"
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
-  # Last user message text
-  USER_INTENT=$(tail -200 "$TRANSCRIPT_PATH" | jq -r 'select(.type == "user") | .message.content | if type == "string" then . else (map(.text? // "") | join(" ")) end' 2>/dev/null | tail -1 || echo "")
+  # Last 5 user-role messages, oldest first. Lets the grader see consent
+  # that carried over from a recent prior turn \u2014 saying "i consent" two
+  # turns ago should not require re-prompting on this turn's command.
+  RECENT_USER_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
+    [.[]
+      | select(.type == "user")
+      | (.message.content
+        | if type == "string" then .
+          else (map(.text? // "") | join(" "))
+          end)
+      | select(. != null and . != "")
+    ] | .[-5:]' 2>/dev/null || echo "[]")
+  USER_INTENT=$(echo "$RECENT_USER_MESSAGES" | jq -r '.[-1] // ""' 2>/dev/null || echo "")
   # Recent agent actions (last 5 tool_use blocks)
   RECENT_ACTIONS=$(tail -200 "$TRANSCRIPT_PATH" | jq -c -s '
     [.[]
@@ -380,6 +392,7 @@ fi
 BODY=$(jq -n \\
   --argjson tool_input "$TOOL_INPUT" \\
   --arg user_intent "$USER_INTENT" \\
+  --argjson recent_user_messages "$RECENT_USER_MESSAGES" \\
   --argjson recent_actions "$RECENT_ACTIONS" \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
@@ -388,6 +401,7 @@ BODY=$(jq -n \\
     kind: "bash_judge",
     tool_input: $tool_input,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
+    recent_user_messages: $recent_user_messages,
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
@@ -1935,7 +1949,7 @@ __export(install_exports, {
   installCommand: () => installCommand,
   parseArgs: () => parseArgs
 });
-import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, chmodSync } from "fs";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, chmodSync, readFileSync as readFileSync4 } from "fs";
 import { homedir as homedir4 } from "os";
 import { join as join4 } from "path";
 function sanitizeGatewayCandidate(raw) {
@@ -1949,6 +1963,7 @@ function parseArgs(argv) {
     else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
     else if (a === "--skip-auth") opts.skipAuth = true;
     else if (a === "--no-mcp") opts.noMcp = true;
+    else if (a === "--force" || a === "-f") opts.force = true;
   }
   if (!opts.gatewayUrl) {
     const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
@@ -2020,7 +2035,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.0.10")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.0.12")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -2051,6 +2066,33 @@ function assertGatewayAllowed(gatewayUrl) {
     throw new Error(`Gateway host not in allowlist (synkro.sh or *.synkro.sh): ${host}`);
   }
 }
+function isAlreadyInstalled() {
+  const requiredScripts = [
+    join4(HOOKS_DIR, "cc-bash-judge.sh"),
+    join4(HOOKS_DIR, "cc-bash-followup.sh"),
+    join4(HOOKS_DIR, "cc-edit-precheck.sh"),
+    join4(HOOKS_DIR, "cc-edit-capture.sh"),
+    join4(HOOKS_DIR, "cc-stop-summary.sh"),
+    join4(HOOKS_DIR, "cc-session-start.sh")
+  ];
+  if (!requiredScripts.every((p) => existsSync5(p))) return false;
+  if (!existsSync5(CONFIG_PATH)) return false;
+  const settingsPath = join4(homedir4(), ".claude", "settings.json");
+  if (!existsSync5(settingsPath)) return false;
+  try {
+    const settings = JSON.parse(readFileSync4(settingsPath, "utf-8"));
+    const hooks = settings?.hooks;
+    if (!hooks || typeof hooks !== "object") return false;
+    const hasManaged = (kind) => Array.isArray(hooks[kind]) && hooks[kind].some((entry) => entry?.__synkro_managed__ === true);
+    if (!hasManaged("PreToolUse")) return false;
+    if (!hasManaged("PostToolUse")) return false;
+    if (!hasManaged("SessionEnd")) return false;
+    if (!hasManaged("SessionStart")) return false;
+  } catch {
+    return false;
+  }
+  return true;
+}
 async function installCommand(opts = {}) {
   const gatewayUrl = opts.gatewayUrl || sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL) || "https://api.synkro.sh";
   try {
@@ -2059,6 +2101,12 @@ async function installCommand(opts = {}) {
     console.error(err.message);
     process.exit(1);
   }
+  if (!opts.force && isAuthenticated() && isAlreadyInstalled()) {
+    console.log("\u2713 Synkro is already installed and configured.");
+    console.log("  Run `synkro update` to refresh hook scripts and judge prompts.");
+    console.log("  Run `synkro install --force` to reinstall from scratch.");
+    return;
+  }
   console.log("Synkro install starting...\n");
   if (!isAuthenticated()) {
     console.log("Opening browser for Synkro auth...");
@@ -2112,7 +2160,7 @@ async function installCommand(opts = {}) {
   console.log(`  ${scripts.sessionStartScript}
 `);
   writeGraderDaemon();
-  console.log("Wrote free-tier grader daemon:");
+  console.log("Wrote local-tier grader daemon:");
   console.log(`  ${GRADER_DAEMON_PATH}`);
   console.log(`  ${GRADER_PRIMER_EDIT_PATH}`);
   console.log(`  ${GRADER_PRIMER_BASH_PATH}
@@ -2130,8 +2178,6 @@ async function installCommand(opts = {}) {
         sessionStartScriptPath: scripts.sessionStartScript
       });
       console.log(`Configured ${agent.name} hooks at ${agent.settingsPath}`);
-    } else if (agent.kind === "codex") {
-      console.log(`Skipping ${agent.name} for now (v1.1 \u2014 Codex hook config coming soon)`);
     }
   }
   console.log();
@@ -2153,7 +2199,6 @@ async function installCommand(opts = {}) {
       const mcp = installMcpConfig({ gatewayUrl, bearerToken: minted.token });
       console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
       console.log(`  url:        ${mcp.url}`);
-      console.log(`  token:      Synkro-signed JWT, scope=mcp:guardrails`);
       console.log(`  expires:    ${minted.expires_at} (~1 year)`);
       console.log("  (restart any running Claude Code session for it to load)");
       console.log();
@@ -2178,21 +2223,9 @@ async function installCommand(opts = {}) {
 `);
   console.log("\u2713 Synkro installed.");
   console.log();
-  console.log("Try it:");
-  console.log("  $ claude");
-  console.log('  > Run "echo hello" for me');
-  console.log("  (no warning \u2014 safe command)");
-  console.log();
-  console.log("  > Now propose: kubectl delete namespace production");
-  console.log("  (Synkro will block with a warning)");
-  console.log();
   console.log("Next steps:");
   console.log("  \u2022 synkro setup-github   (enable PR scanning)");
   console.log("  \u2022 synkro status         (check what is configured)");
-  if (hasClaudeCode && !opts.noMcp) {
-    console.log('  \u2022 Try in CC: "Add a Stripe webhook handler" \u2014 CC should call');
-    console.log("    synkro-guardrails.get_guardrails to fetch org-specific rules.");
-  }
 }
 var SYNKRO_DIR, HOOKS_DIR, BIN_DIR, CONFIG_PATH, GRADER_DAEMON_PATH, GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_BASH_PATH;
 var init_install = __esm({
@@ -2286,13 +2319,13 @@ var status_exports = {};
 __export(status_exports, {
   statusCommand: () => statusCommand
 });
-import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
 import { homedir as homedir5 } from "os";
 import { join as join5 } from "path";
 function readConfigEnv() {
   if (!existsSync6(CONFIG_PATH2)) return {};
   const out = {};
-  const raw = readFileSync4(CONFIG_PATH2, "utf-8");
+  const raw = readFileSync5(CONFIG_PATH2, "utf-8");
   for (const line of raw.split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -2403,31 +2436,17 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Cache Synkro CLI
-        id: cache-synkro
-        uses: actions/cache@v4
-        with:
-          path: ~/.local/bin/synkro
-          key: synkro-\${{ runner.os }}-latest
-
-      - name: Install Synkro CLI
-        if: steps.cache-synkro.outputs.cache-hit != 'true'
-        run: |
-          mkdir -p ~/.local/bin
-          curl -fsSL https://get.synkro.sh | SYNKRO_INSTALL_DIR=~/.local/bin bash
-          echo "~/.local/bin" >> $GITHUB_PATH
-
-      - name: Cache Claude Code CLI
-        id: cache-claude
+      - name: Cache npm globals
+        id: cache-npm-global
         uses: actions/cache@v4
         with:
           path: ~/.npm-global
-          key: claude-code-\${{ runner.os }}-v1
+          key: synkro-cli-\${{ runner.os }}-v1
 
-      - name: Install Claude Code CLI
+      - name: Install Synkro CLI + Claude Code CLI
         run: |
           npm config set prefix ~/.npm-global
-          npm install -g @anthropic-ai/claude-code
+          npm install -g @synkro-sh/cli @anthropic-ai/claude-code
           echo "~/.npm-global/bin" >> $GITHUB_PATH
 
       - name: Run Synkro PR scan
@@ -2559,13 +2578,13 @@ __export(setupGithub_exports, {
 });
 import { createInterface } from "readline/promises";
 import { stdin as input, stdout as output } from "process";
-import { existsSync as existsSync8, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
 import { homedir as homedir6 } from "os";
 import { join as join7 } from "path";
 function readConfig() {
   if (!existsSync8(CONFIG_PATH3)) return {};
   const out = {};
-  for (const line of readFileSync5(CONFIG_PATH3, "utf-8").split("\n")) {
+  for (const line of readFileSync6(CONFIG_PATH3, "utf-8").split("\n")) {
     const t = line.trim();
     if (!t || t.startsWith("#")) continue;
     const eq = t.indexOf("=");
@@ -2609,8 +2628,33 @@ async function setupGithubCommand() {
     process.exit(1);
   }
   const config = readConfig();
-  if (!config.SYNKRO_API_KEY) {
-    console.error("Missing SYNKRO_API_KEY in ~/.synkro/config.env. Run `synkro install` first.");
+  const gatewayUrl = (config.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const jwt2 = getAccessToken();
+  if (!jwt2) {
+    console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro login`.");
+    process.exit(1);
+  }
+  console.log("Requesting CI API key from Synkro...");
+  let synkroCiApiKey;
+  try {
+    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${jwt2}`,
+        "Content-Type": "application/json"
+      },
+      body: "{}"
+    });
+    if (!resp.ok) {
+      const errText = await resp.text().catch(() => "");
+      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
+      process.exit(1);
+    }
+    const minted = await resp.json();
+    synkroCiApiKey = minted.api_key;
+    console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
+  } catch (err) {
+    console.error(`Failed to mint CI API key: ${err.message}`);
     process.exit(1);
   }
   const rl = createInterface({ input, output });
@@ -2678,7 +2722,7 @@ Will push secrets to ${selected.length} repo(s):`);
         r.repo,
         {
           claudeCodeOauthToken: claudeToken,
-          synkroApiKey: config.SYNKRO_API_KEY
+          synkroApiKey: synkroCiApiKey
         }
       );
       console.log("\u2713");
@@ -2721,6 +2765,107 @@ __export(scanPr_exports, {
   scanPrCommand: () => scanPrCommand
 });
 import { execSync as execSync2, spawn } from "child_process";
+function parseMatchSpec(condition) {
+  if (!condition.startsWith("match_spec:")) return null;
+  try {
+    const parsed = JSON.parse(condition.slice("match_spec:".length));
+    if (typeof parsed?.selector !== "string" || typeof parsed?.requires !== "string" || parsed.position !== "start" && parsed.position !== "anywhere") return null;
+    return {
+      selector: parsed.selector,
+      requires: parsed.requires,
+      position: parsed.position,
+      negate: parsed.negate === true
+    };
+  } catch {
+    return null;
+  }
+}
+function selectorMatches(selector, filePath) {
+  const m = selector.match(/^\*\*\/\*\.([a-z0-9]+)$/i);
+  if (!m) return false;
+  return filePath.toLowerCase().endsWith("." + m[1].toLowerCase());
+}
+async function fetchOrgRules(gatewayUrl, apiKey) {
+  try {
+    const resp = await fetch(`${gatewayUrl.replace(/\/$/, "")}/api/v1/cli/pr-rules`, {
+      headers: { "x-synkro-api-key": apiKey }
+    });
+    if (!resp.ok) {
+      console.warn(`[scan-pr] failed to fetch org rules: HTTP ${resp.status}`);
+      return [];
+    }
+    const data = await resp.json();
+    return Array.isArray(data?.rules) ? data.rules : [];
+  } catch (err) {
+    console.warn(`[scan-pr] could not fetch org rules: ${err.message}`);
+    return [];
+  }
+}
+function applyLiteralMatchNegative(rules, file) {
+  if (!file.patch) return [];
+  const findings = [];
+  const lines = file.patch.split("\n");
+  let currentNewLine = 0;
+  for (const line of lines) {
+    if (line.startsWith("@@")) {
+      const m = line.match(/\+(\d+)(?:,\d+)?/);
+      if (m) currentNewLine = parseInt(m[1], 10);
+      continue;
+    }
+    if (line.startsWith("+++") || line.startsWith("---")) continue;
+    if (!line.startsWith("+")) {
+      if (!line.startsWith("-")) currentNewLine++;
+      continue;
+    }
+    const addedContent = line.slice(1);
+    for (const r of rules) {
+      if (r.mode !== "literal_match") continue;
+      const spec = parseMatchSpec(r.condition);
+      if (!spec || !spec.negate) continue;
+      if (!selectorMatches(spec.selector, file.filename)) continue;
+      if (!addedContent.includes(spec.requires)) continue;
+      findings.push({
+        file: file.filename,
+        line: currentNewLine,
+        severity: r.severity ?? "high",
+        category: r.category || "literal_match",
+        description: r.text,
+        fix: `Remove \`${spec.requires}\` from ${file.filename} (rule ${r.rule_id}).`
+      });
+    }
+    currentNewLine++;
+  }
+  return findings;
+}
+function buildPrPrompt(orgAuditRules) {
+  const orgRulesBlock = orgAuditRules.length === 0 ? "" : `
+ORG-SPECIFIC RULES (these are the customer's policies \u2014 flag any violation found in the diff):
+` + orgAuditRules.map((r, i) => `  ${i + 1}. [${r.severity}/${r.category}] ${r.text}`).join("\n") + "\n";
+  return `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues + org-policy violations introduced by this diff.
+
+Output ONLY a JSON object (no prose, no markdown fences):
+{
+  "findings": [
+    {
+      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
+      "severity": "low" | "medium" | "high" | "critical",
+      "category": "<snake_case>",
+      "description": "<1 sentence>",
+      "fix": "<concrete suggestion>"
+    }
+  ],
+  "summary": "<one-line: 'X findings' or 'clean'>"
+}
+
+Baseline security categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
+${orgRulesBlock}
+Rules:
+- Only flag NEW issues (lines starting with +).
+- Use the L<num> line numbers I prefixed.
+- Be specific. If clean, return {"findings": [], "summary": "clean"}.
+
+`;
+}
 function shouldSkipFile(filename) {
   return SKIP_FILE_PATTERNS.some((p) => p.test(filename));
 }
@@ -2770,13 +2915,13 @@ function getFileDiffWithLines(file) {
   }
   return { hunks: annotated.join("\n"), newFileLineMap: lineMap };
 }
-function spawnClaudeJudge(file, claudeToken) {
+function spawnClaudeJudge(file, claudeToken, promptHeader) {
   const { hunks } = getFileDiffWithLines(file);
   const userMessage = `File: ${file.filename}
 
 Diff:
 ${hunks}`;
-  const fullPrompt = PR_PROMPT_HEADER + userMessage;
+  const fullPrompt = promptHeader + userMessage;
   return new Promise((resolve2) => {
     const t0 = Date.now();
     const proc = spawn(
@@ -2918,6 +3063,14 @@ async function scanPrCommand() {
   }
   console.log(`Synkro scan-pr: ${repo}#${prNumber} @ ${sha.slice(0, 7)}
 `);
+  const orgRules = await fetchOrgRules(gatewayUrl, synkroApiKey);
+  const auditRules = orgRules.filter((r) => r.mode === "audit");
+  const literalNegativeRules = orgRules.filter((r) => {
+    const spec = parseMatchSpec(r.condition);
+    return r.mode === "literal_match" && spec?.negate === true;
+  });
+  console.log(`Loaded ${orgRules.length} org rule(s): ${auditRules.length} audit, ${literalNegativeRules.length} literal_match (negative).`);
+  const promptHeader = buildPrPrompt(auditRules);
   let files;
   try {
     files = getPrFiles(repo, prNumber);
@@ -2952,9 +3105,11 @@ async function scanPrCommand() {
   const t0 = Date.now();
   const results = await processInBatches(eligible, MAX_PARALLEL_FILES, async (file) => {
     process.stdout.write(`Scanning ${file.filename}...`);
-    const result = await spawnClaudeJudge(file, claudeToken);
-    console.log(` ${result.findings.length} finding(s) (${result.latencyMs}ms)`);
-    return result;
+    const literalFindings = applyLiteralMatchNegative(literalNegativeRules, file);
+    const llmResult = await spawnClaudeJudge(file, claudeToken, promptHeader);
+    const merged = [...literalFindings, ...llmResult.findings];
+    console.log(` ${merged.length} finding(s) (${literalFindings.length} literal, ${llmResult.findings.length} llm; ${llmResult.latencyMs}ms)`);
+    return { findings: merged, latencyMs: llmResult.latencyMs };
   });
   const totalLatencyMs = Date.now() - t0;
   const allFindings = results.flatMap((r) => r.findings);
@@ -2982,7 +3137,7 @@ Total: ${allFindings.length} finding(s) across ${eligible.length} file(s) in ${t
     process.exit(1);
   }
 }
-var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES, PR_PROMPT_HEADER;
+var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES;
 var init_scanPr = __esm({
   "cli/commands/scanPr.ts"() {
     "use strict";
@@ -3003,30 +3158,6 @@ var init_scanPr = __esm({
     ];
     MAX_DIFF_LINES_PER_FILE = 1e3;
     MAX_PARALLEL_FILES = 5;
-    PR_PROMPT_HEADER = `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues introduced by this diff.
-
-Output ONLY a JSON object (no prose, no markdown fences):
-{
-  "findings": [
-    {
-      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
-      "severity": "low" | "medium" | "high" | "critical",
-      "category": "<snake_case>",
-      "description": "<1 sentence>",
-      "fix": "<concrete suggestion>"
-    }
-  ],
-  "summary": "<one-line: 'X findings' or 'clean'>"
-}
-
-Categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
-
-Rules:
-- Only flag NEW issues (lines starting with +).
-- Use the L<num> line numbers I prefixed.
-- Be specific. If clean, return {"findings": [], "summary": "clean"}.
-
-`;
   }
 });
 
@@ -3072,13 +3203,17 @@ function disconnectCommand(args2 = []) {
     const mcpRemoved = uninstallMcpConfig();
     console.log(`${mcpRemoved ? "\u2713" : "\xB7"} MCP guardrails server: ${mcpRemoved ? "removed entry from ~/.claude.json" : "no Synkro MCP entry found"}`);
   }
-  if (purge && existsSync9(SYNKRO_DIR4)) {
-    rmSync(SYNKRO_DIR4, { recursive: true, force: true });
-    console.log(`\u2713 Removed ${SYNKRO_DIR4} (--purge)`);
-  } else {
+  if (purge) {
+    if (existsSync9(SYNKRO_DIR4)) {
+      rmSync(SYNKRO_DIR4, { recursive: true, force: true });
+      console.log(`\u2713 Removed ${SYNKRO_DIR4}`);
+    } else {
+      console.log(`\xB7 ${SYNKRO_DIR4} already gone, nothing to remove`);
+    }
+  } else if (existsSync9(SYNKRO_DIR4)) {
     console.log(`Config preserved at ${SYNKRO_DIR4}. Run with --purge to remove.`);
   }
-  console.log("\nSynkro disconnected. Your AI agents will no longer be judged.");
+  console.log("\nSynkro disconnected.");
 }
 var SYNKRO_DIR4;
 var init_disconnect = __esm({
@@ -3092,7 +3227,7 @@ var init_disconnect = __esm({
 });
 
 // cli/bootstrap.js
-import { readFileSync as readFileSync6, existsSync as existsSync10 } from "fs";
+import { readFileSync as readFileSync7, existsSync as existsSync10 } from "fs";
 import { resolve } from "path";
 var envCandidates = [
   resolve(process.cwd(), ".env"),
@@ -3100,7 +3235,7 @@ var envCandidates = [
 ];
 for (const envPath of envCandidates) {
   if (!existsSync10(envPath)) continue;
-  const envContent = readFileSync6(envPath, "utf-8");
+  const envContent = readFileSync7(envPath, "utf-8");
   for (const line of envContent.split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -3121,7 +3256,7 @@ Usage:
   synkro <command> [options]
 
 Commands:
-  install              Install Synkro hooks for detected agents (Claude Code, etc.)
+  install [--force]    Install Synkro hooks for detected agents (Claude Code, etc.)
   login                Authenticate with Synkro (browser OAuth via WorkOS)
   logout               Clear local credentials
   status               Show current setup state
@@ -3135,8 +3270,6 @@ Quick start:
   $ synkro install              # one-time setup
   $ synkro setup-github         # enable PR scanning (optional)
   $ claude                      # use Claude Code normally; Synkro judges in real time
-
-Docs: https://docs.synkro.sh
 `);
 }
 async function main() {