@synkro-sh/cli 1.0.11 → 1.0.12

package/dist/bootstrap.js

@@ -360,10 +360,22 @@ esac
 if [ "\${SYNKRO_HEADLESS:-0}" = "1" ]; then IS_HEADLESS=1; fi
 
 USER_INTENT=""
+RECENT_USER_MESSAGES="[]"
 RECENT_ACTIONS="[]"
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
-  # Last user message text
-  USER_INTENT=$(tail -200 "$TRANSCRIPT_PATH" | jq -r 'select(.type == "user") | .message.content | if type == "string" then . else (map(.text? // "") | join(" ")) end' 2>/dev/null | tail -1 || echo "")
+  # Last 5 user-role messages, oldest first. Lets the grader see consent
+  # that carried over from a recent prior turn \u2014 saying "i consent" two
+  # turns ago should not require re-prompting on this turn's command.
+  RECENT_USER_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
+    [.[]
+      | select(.type == "user")
+      | (.message.content
+        | if type == "string" then .
+          else (map(.text? // "") | join(" "))
+          end)
+      | select(. != null and . != "")
+    ] | .[-5:]' 2>/dev/null || echo "[]")
+  USER_INTENT=$(echo "$RECENT_USER_MESSAGES" | jq -r '.[-1] // ""' 2>/dev/null || echo "")
   # Recent agent actions (last 5 tool_use blocks)
   RECENT_ACTIONS=$(tail -200 "$TRANSCRIPT_PATH" | jq -c -s '
     [.[]
@@ -380,6 +392,7 @@ fi
 BODY=$(jq -n \\
   --argjson tool_input "$TOOL_INPUT" \\
   --arg user_intent "$USER_INTENT" \\
+  --argjson recent_user_messages "$RECENT_USER_MESSAGES" \\
   --argjson recent_actions "$RECENT_ACTIONS" \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
@@ -388,6 +401,7 @@ BODY=$(jq -n \\
     kind: "bash_judge",
     tool_input: $tool_input,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
+    recent_user_messages: $recent_user_messages,
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
@@ -2021,7 +2035,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.0.11")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.0.12")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -2422,31 +2436,17 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Cache Synkro CLI
-        id: cache-synkro
-        uses: actions/cache@v4
-        with:
-          path: ~/.local/bin/synkro
-          key: synkro-\${{ runner.os }}-latest
-
-      - name: Install Synkro CLI
-        if: steps.cache-synkro.outputs.cache-hit != 'true'
-        run: |
-          mkdir -p ~/.local/bin
-          curl -fsSL https://get.synkro.sh | SYNKRO_INSTALL_DIR=~/.local/bin bash
-          echo "~/.local/bin" >> $GITHUB_PATH
-
-      - name: Cache Claude Code CLI
-        id: cache-claude
+      - name: Cache npm globals
+        id: cache-npm-global
         uses: actions/cache@v4
         with:
           path: ~/.npm-global
-          key: claude-code-\${{ runner.os }}-v1
+          key: synkro-cli-\${{ runner.os }}-v1
 
-      - name: Install Claude Code CLI
+      - name: Install Synkro CLI + Claude Code CLI
         run: |
           npm config set prefix ~/.npm-global
-          npm install -g @anthropic-ai/claude-code
+          npm install -g @synkro-sh/cli @anthropic-ai/claude-code
           echo "~/.npm-global/bin" >> $GITHUB_PATH
 
       - name: Run Synkro PR scan
@@ -2628,8 +2628,33 @@ async function setupGithubCommand() {
     process.exit(1);
   }
   const config = readConfig();
-  if (!config.SYNKRO_API_KEY) {
-    console.error("Missing SYNKRO_API_KEY in ~/.synkro/config.env. Run `synkro install` first.");
+  const gatewayUrl = (config.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const jwt2 = getAccessToken();
+  if (!jwt2) {
+    console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro login`.");
+    process.exit(1);
+  }
+  console.log("Requesting CI API key from Synkro...");
+  let synkroCiApiKey;
+  try {
+    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${jwt2}`,
+        "Content-Type": "application/json"
+      },
+      body: "{}"
+    });
+    if (!resp.ok) {
+      const errText = await resp.text().catch(() => "");
+      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
+      process.exit(1);
+    }
+    const minted = await resp.json();
+    synkroCiApiKey = minted.api_key;
+    console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
+  } catch (err) {
+    console.error(`Failed to mint CI API key: ${err.message}`);
     process.exit(1);
   }
   const rl = createInterface({ input, output });
@@ -2697,7 +2722,7 @@ Will push secrets to ${selected.length} repo(s):`);
         r.repo,
         {
           claudeCodeOauthToken: claudeToken,
-          synkroApiKey: config.SYNKRO_API_KEY
+          synkroApiKey: synkroCiApiKey
         }
       );
       console.log("\u2713");
@@ -2740,6 +2765,107 @@ __export(scanPr_exports, {
   scanPrCommand: () => scanPrCommand
 });
 import { execSync as execSync2, spawn } from "child_process";
+function parseMatchSpec(condition) {
+  if (!condition.startsWith("match_spec:")) return null;
+  try {
+    const parsed = JSON.parse(condition.slice("match_spec:".length));
+    if (typeof parsed?.selector !== "string" || typeof parsed?.requires !== "string" || parsed.position !== "start" && parsed.position !== "anywhere") return null;
+    return {
+      selector: parsed.selector,
+      requires: parsed.requires,
+      position: parsed.position,
+      negate: parsed.negate === true
+    };
+  } catch {
+    return null;
+  }
+}
+function selectorMatches(selector, filePath) {
+  const m = selector.match(/^\*\*\/\*\.([a-z0-9]+)$/i);
+  if (!m) return false;
+  return filePath.toLowerCase().endsWith("." + m[1].toLowerCase());
+}
+async function fetchOrgRules(gatewayUrl, apiKey) {
+  try {
+    const resp = await fetch(`${gatewayUrl.replace(/\/$/, "")}/api/v1/cli/pr-rules`, {
+      headers: { "x-synkro-api-key": apiKey }
+    });
+    if (!resp.ok) {
+      console.warn(`[scan-pr] failed to fetch org rules: HTTP ${resp.status}`);
+      return [];
+    }
+    const data = await resp.json();
+    return Array.isArray(data?.rules) ? data.rules : [];
+  } catch (err) {
+    console.warn(`[scan-pr] could not fetch org rules: ${err.message}`);
+    return [];
+  }
+}
+function applyLiteralMatchNegative(rules, file) {
+  if (!file.patch) return [];
+  const findings = [];
+  const lines = file.patch.split("\n");
+  let currentNewLine = 0;
+  for (const line of lines) {
+    if (line.startsWith("@@")) {
+      const m = line.match(/\+(\d+)(?:,\d+)?/);
+      if (m) currentNewLine = parseInt(m[1], 10);
+      continue;
+    }
+    if (line.startsWith("+++") || line.startsWith("---")) continue;
+    if (!line.startsWith("+")) {
+      if (!line.startsWith("-")) currentNewLine++;
+      continue;
+    }
+    const addedContent = line.slice(1);
+    for (const r of rules) {
+      if (r.mode !== "literal_match") continue;
+      const spec = parseMatchSpec(r.condition);
+      if (!spec || !spec.negate) continue;
+      if (!selectorMatches(spec.selector, file.filename)) continue;
+      if (!addedContent.includes(spec.requires)) continue;
+      findings.push({
+        file: file.filename,
+        line: currentNewLine,
+        severity: r.severity ?? "high",
+        category: r.category || "literal_match",
+        description: r.text,
+        fix: `Remove \`${spec.requires}\` from ${file.filename} (rule ${r.rule_id}).`
+      });
+    }
+    currentNewLine++;
+  }
+  return findings;
+}
+function buildPrPrompt(orgAuditRules) {
+  const orgRulesBlock = orgAuditRules.length === 0 ? "" : `
+ORG-SPECIFIC RULES (these are the customer's policies \u2014 flag any violation found in the diff):
+` + orgAuditRules.map((r, i) => `  ${i + 1}. [${r.severity}/${r.category}] ${r.text}`).join("\n") + "\n";
+  return `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues + org-policy violations introduced by this diff.
+
+Output ONLY a JSON object (no prose, no markdown fences):
+{
+  "findings": [
+    {
+      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
+      "severity": "low" | "medium" | "high" | "critical",
+      "category": "<snake_case>",
+      "description": "<1 sentence>",
+      "fix": "<concrete suggestion>"
+    }
+  ],
+  "summary": "<one-line: 'X findings' or 'clean'>"
+}
+
+Baseline security categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
+${orgRulesBlock}
+Rules:
+- Only flag NEW issues (lines starting with +).
+- Use the L<num> line numbers I prefixed.
+- Be specific. If clean, return {"findings": [], "summary": "clean"}.
+
+`;
+}
 function shouldSkipFile(filename) {
   return SKIP_FILE_PATTERNS.some((p) => p.test(filename));
 }
@@ -2789,13 +2915,13 @@ function getFileDiffWithLines(file) {
   }
   return { hunks: annotated.join("\n"), newFileLineMap: lineMap };
 }
-function spawnClaudeJudge(file, claudeToken) {
+function spawnClaudeJudge(file, claudeToken, promptHeader) {
   const { hunks } = getFileDiffWithLines(file);
   const userMessage = `File: ${file.filename}
 
 Diff:
 ${hunks}`;
-  const fullPrompt = PR_PROMPT_HEADER + userMessage;
+  const fullPrompt = promptHeader + userMessage;
   return new Promise((resolve2) => {
     const t0 = Date.now();
     const proc = spawn(
@@ -2937,6 +3063,14 @@ async function scanPrCommand() {
   }
   console.log(`Synkro scan-pr: ${repo}#${prNumber} @ ${sha.slice(0, 7)}
 `);
+  const orgRules = await fetchOrgRules(gatewayUrl, synkroApiKey);
+  const auditRules = orgRules.filter((r) => r.mode === "audit");
+  const literalNegativeRules = orgRules.filter((r) => {
+    const spec = parseMatchSpec(r.condition);
+    return r.mode === "literal_match" && spec?.negate === true;
+  });
+  console.log(`Loaded ${orgRules.length} org rule(s): ${auditRules.length} audit, ${literalNegativeRules.length} literal_match (negative).`);
+  const promptHeader = buildPrPrompt(auditRules);
   let files;
   try {
     files = getPrFiles(repo, prNumber);
@@ -2971,9 +3105,11 @@ async function scanPrCommand() {
   const t0 = Date.now();
   const results = await processInBatches(eligible, MAX_PARALLEL_FILES, async (file) => {
     process.stdout.write(`Scanning ${file.filename}...`);
-    const result = await spawnClaudeJudge(file, claudeToken);
-    console.log(` ${result.findings.length} finding(s) (${result.latencyMs}ms)`);
-    return result;
+    const literalFindings = applyLiteralMatchNegative(literalNegativeRules, file);
+    const llmResult = await spawnClaudeJudge(file, claudeToken, promptHeader);
+    const merged = [...literalFindings, ...llmResult.findings];
+    console.log(` ${merged.length} finding(s) (${literalFindings.length} literal, ${llmResult.findings.length} llm; ${llmResult.latencyMs}ms)`);
+    return { findings: merged, latencyMs: llmResult.latencyMs };
   });
   const totalLatencyMs = Date.now() - t0;
   const allFindings = results.flatMap((r) => r.findings);
@@ -3001,7 +3137,7 @@ Total: ${allFindings.length} finding(s) across ${eligible.length} file(s) in ${t
     process.exit(1);
   }
 }
-var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES, PR_PROMPT_HEADER;
+var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES;
 var init_scanPr = __esm({
   "cli/commands/scanPr.ts"() {
     "use strict";
@@ -3022,30 +3158,6 @@ var init_scanPr = __esm({
     ];
     MAX_DIFF_LINES_PER_FILE = 1e3;
     MAX_PARALLEL_FILES = 5;
-    PR_PROMPT_HEADER = `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues introduced by this diff.
-
-Output ONLY a JSON object (no prose, no markdown fences):
-{
-  "findings": [
-    {
-      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
-      "severity": "low" | "medium" | "high" | "critical",
-      "category": "<snake_case>",
-      "description": "<1 sentence>",
-      "fix": "<concrete suggestion>"
-    }
-  ],
-  "summary": "<one-line: 'X findings' or 'clean'>"
-}
-
-Categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
-
-Rules:
-- Only flag NEW issues (lines starting with +).
-- Use the L<num> line numbers I prefixed.
-- Be specific. If clean, return {"findings": [], "summary": "clean"}.
-
-`;
   }
 });