@synkro-sh/cli 1.0.11 → 1.0.13

package/dist/bootstrap.js

@@ -360,10 +360,22 @@ esac
 if [ "\${SYNKRO_HEADLESS:-0}" = "1" ]; then IS_HEADLESS=1; fi
 
 USER_INTENT=""
+RECENT_USER_MESSAGES="[]"
 RECENT_ACTIONS="[]"
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
-  # Last user message text
-  USER_INTENT=$(tail -200 "$TRANSCRIPT_PATH" | jq -r 'select(.type == "user") | .message.content | if type == "string" then . else (map(.text? // "") | join(" ")) end' 2>/dev/null | tail -1 || echo "")
+  # Last 5 user-role messages, oldest first. Lets the grader see consent
+  # that carried over from a recent prior turn \u2014 saying "i consent" two
+  # turns ago should not require re-prompting on this turn's command.
+  RECENT_USER_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
+    [.[]
+      | select(.type == "user")
+      | (.message.content
+        | if type == "string" then .
+          else (map(.text? // "") | join(" "))
+          end)
+      | select(. != null and . != "")
+    ] | .[-5:]' 2>/dev/null || echo "[]")
+  USER_INTENT=$(echo "$RECENT_USER_MESSAGES" | jq -r '.[-1] // ""' 2>/dev/null || echo "")
   # Recent agent actions (last 5 tool_use blocks)
   RECENT_ACTIONS=$(tail -200 "$TRANSCRIPT_PATH" | jq -c -s '
     [.[]
@@ -380,6 +392,7 @@ fi
 BODY=$(jq -n \\
   --argjson tool_input "$TOOL_INPUT" \\
   --arg user_intent "$USER_INTENT" \\
+  --argjson recent_user_messages "$RECENT_USER_MESSAGES" \\
   --argjson recent_actions "$RECENT_ACTIONS" \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
@@ -388,6 +401,7 @@ BODY=$(jq -n \\
     kind: "bash_judge",
     tool_input: $tool_input,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
+    recent_user_messages: $recent_user_messages,
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
@@ -449,6 +463,7 @@ if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; t
   trap "rm -f \\"$GRADER_PROMPT_FILE\\"" EXIT
   printf 'Proposed command: %s\\n' "$COMMAND" > "$GRADER_PROMPT_FILE"
   printf 'User intent: %s\\n' "\${USER_INTENT:-none stated}" >> "$GRADER_PROMPT_FILE"
+  printf 'Recent user messages: %s\\n' "$RECENT_USER_MESSAGES" >> "$GRADER_PROMPT_FILE"
   printf 'Recent actions: %s\\n' "$RECENT_ACTIONS" >> "$GRADER_PROMPT_FILE"
 
   if [ -x "$HOME/.synkro/bin/grader_daemon.py" ] && [ -f "$HOME/.synkro/grader-primer-bash.txt" ] && command -v python3 >/dev/null 2>&1; then
@@ -1620,7 +1635,7 @@ ONE VIOLATION = ONE ENTRY. If the same line/issue can be described multiple ways
 
 Reply with exactly: <synkro-verdict>{"ok":true,"violations":[]}</synkro-verdict>
 `;
-    GRADER_PRIMER_BASH = `You are Synkro's bash command safety judge for AI coding agents. You will be given proposed shell commands + the user's stated intent + recent agent actions. Decide whether to allow or warn.
+    GRADER_PRIMER_BASH = `You are Synkro's bash command safety judge for AI coding agents. You will be given a proposed shell command, the user's most recent stated intent, the last 3-5 user-role messages from the chat (oldest first, JSON array under "Recent user messages"), and recent agent actions. Decide whether to allow or warn.
 
 OUTPUT RULES \u2014 strictest possible, no exceptions:
 
@@ -1635,6 +1650,15 @@ Rules:
 - Be conservative: when uncertain, warn medium.
 - Token-scope check: if recent_actions shows a Read of a credentials file (e.g. ".env.deploy", "domain-token.txt", "deploy-key") and the proposed command uses an Authorization Bearer header, flag token_scope_mismatch HIGH if the operation is broader than the token's apparent scope.
 
+CONSENT CARRYOVER \u2014 IMPORTANT:
+Treat "Recent user messages" as the consent context, not just the last entry. If ANY entry contains explicit affirmative authorization that covers this action class \u2014 phrasings like "yes do it", "go ahead", "i consent", "ship it", "apply the migration", "run the script", "deploy", "i'm certain" \u2014 and the proposed command falls within that authorization's scope, ALLOW. Re-blocking the same action class after consent already granted is a UX failure, not a safety win. Cite the verbatim consent quote in the reasoning.
+
+Consent does NOT carry forward when:
+1. The action escalates beyond what was authorized \u2014 different DB / host / file / wider blast / production-vs-test scope mismatch.
+2. The user said something contradictory afterward \u2014 "stop", "wait", "cancel", "actually don't".
+3. The action involves credentials / secrets / supply-chain risk that prior consent didn't cover.
+4. The most recent message is a fresh task unrelated to the authorized action class.
+
 Reply with exactly: <synkro-verdict>{"verdict":"allow","severity":"low","category":"primer_ack","reasoning":"primer received","alternative":null}</synkro-verdict>
 `;
   }
@@ -2021,7 +2045,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.0.11")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.0.13")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -2422,31 +2446,17 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Cache Synkro CLI
-        id: cache-synkro
-        uses: actions/cache@v4
-        with:
-          path: ~/.local/bin/synkro
-          key: synkro-\${{ runner.os }}-latest
-
-      - name: Install Synkro CLI
-        if: steps.cache-synkro.outputs.cache-hit != 'true'
-        run: |
-          mkdir -p ~/.local/bin
-          curl -fsSL https://get.synkro.sh | SYNKRO_INSTALL_DIR=~/.local/bin bash
-          echo "~/.local/bin" >> $GITHUB_PATH
-
-      - name: Cache Claude Code CLI
-        id: cache-claude
+      - name: Cache npm globals
+        id: cache-npm-global
         uses: actions/cache@v4
         with:
           path: ~/.npm-global
-          key: claude-code-\${{ runner.os }}-v1
+          key: synkro-cli-\${{ runner.os }}-v1
 
-      - name: Install Claude Code CLI
+      - name: Install Synkro CLI + Claude Code CLI
         run: |
           npm config set prefix ~/.npm-global
-          npm install -g @anthropic-ai/claude-code
+          npm install -g @synkro-sh/cli @anthropic-ai/claude-code
           echo "~/.npm-global/bin" >> $GITHUB_PATH
 
       - name: Run Synkro PR scan
@@ -2628,8 +2638,33 @@ async function setupGithubCommand() {
     process.exit(1);
   }
   const config = readConfig();
-  if (!config.SYNKRO_API_KEY) {
-    console.error("Missing SYNKRO_API_KEY in ~/.synkro/config.env. Run `synkro install` first.");
+  const gatewayUrl = (config.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const jwt2 = getAccessToken();
+  if (!jwt2) {
+    console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro login`.");
+    process.exit(1);
+  }
+  console.log("Requesting CI API key from Synkro...");
+  let synkroCiApiKey;
+  try {
+    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${jwt2}`,
+        "Content-Type": "application/json"
+      },
+      body: "{}"
+    });
+    if (!resp.ok) {
+      const errText = await resp.text().catch(() => "");
+      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
+      process.exit(1);
+    }
+    const minted = await resp.json();
+    synkroCiApiKey = minted.api_key;
+    console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
+  } catch (err) {
+    console.error(`Failed to mint CI API key: ${err.message}`);
     process.exit(1);
   }
   const rl = createInterface({ input, output });
@@ -2697,7 +2732,7 @@ Will push secrets to ${selected.length} repo(s):`);
         r.repo,
         {
           claudeCodeOauthToken: claudeToken,
-          synkroApiKey: config.SYNKRO_API_KEY
+          synkroApiKey: synkroCiApiKey
         }
       );
       console.log("\u2713");
@@ -2740,6 +2775,107 @@ __export(scanPr_exports, {
   scanPrCommand: () => scanPrCommand
 });
 import { execSync as execSync2, spawn } from "child_process";
+function parseMatchSpec(condition) {
+  if (!condition.startsWith("match_spec:")) return null;
+  try {
+    const parsed = JSON.parse(condition.slice("match_spec:".length));
+    if (typeof parsed?.selector !== "string" || typeof parsed?.requires !== "string" || parsed.position !== "start" && parsed.position !== "anywhere") return null;
+    return {
+      selector: parsed.selector,
+      requires: parsed.requires,
+      position: parsed.position,
+      negate: parsed.negate === true
+    };
+  } catch {
+    return null;
+  }
+}
+function selectorMatches(selector, filePath) {
+  const m = selector.match(/^\*\*\/\*\.([a-z0-9]+)$/i);
+  if (!m) return false;
+  return filePath.toLowerCase().endsWith("." + m[1].toLowerCase());
+}
+async function fetchOrgRules(gatewayUrl, apiKey) {
+  try {
+    const resp = await fetch(`${gatewayUrl.replace(/\/$/, "")}/api/v1/cli/pr-rules`, {
+      headers: { "x-synkro-api-key": apiKey }
+    });
+    if (!resp.ok) {
+      console.warn(`[scan-pr] failed to fetch org rules: HTTP ${resp.status}`);
+      return [];
+    }
+    const data = await resp.json();
+    return Array.isArray(data?.rules) ? data.rules : [];
+  } catch (err) {
+    console.warn(`[scan-pr] could not fetch org rules: ${err.message}`);
+    return [];
+  }
+}
+function applyLiteralMatchNegative(rules, file) {
+  if (!file.patch) return [];
+  const findings = [];
+  const lines = file.patch.split("\n");
+  let currentNewLine = 0;
+  for (const line of lines) {
+    if (line.startsWith("@@")) {
+      const m = line.match(/\+(\d+)(?:,\d+)?/);
+      if (m) currentNewLine = parseInt(m[1], 10);
+      continue;
+    }
+    if (line.startsWith("+++") || line.startsWith("---")) continue;
+    if (!line.startsWith("+")) {
+      if (!line.startsWith("-")) currentNewLine++;
+      continue;
+    }
+    const addedContent = line.slice(1);
+    for (const r of rules) {
+      if (r.mode !== "literal_match") continue;
+      const spec = parseMatchSpec(r.condition);
+      if (!spec || !spec.negate) continue;
+      if (!selectorMatches(spec.selector, file.filename)) continue;
+      if (!addedContent.includes(spec.requires)) continue;
+      findings.push({
+        file: file.filename,
+        line: currentNewLine,
+        severity: r.severity ?? "high",
+        category: r.category || "literal_match",
+        description: r.text,
+        fix: `Remove \`${spec.requires}\` from ${file.filename} (rule ${r.rule_id}).`
+      });
+    }
+    currentNewLine++;
+  }
+  return findings;
+}
+function buildPrPrompt(orgAuditRules) {
+  const orgRulesBlock = orgAuditRules.length === 0 ? "" : `
+ORG-SPECIFIC RULES (these are the customer's policies \u2014 flag any violation found in the diff):
+` + orgAuditRules.map((r, i) => `  ${i + 1}. [${r.severity}/${r.category}] ${r.text}`).join("\n") + "\n";
+  return `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues + org-policy violations introduced by this diff.
+
+Output ONLY a JSON object (no prose, no markdown fences):
+{
+  "findings": [
+    {
+      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
+      "severity": "low" | "medium" | "high" | "critical",
+      "category": "<snake_case>",
+      "description": "<1 sentence>",
+      "fix": "<concrete suggestion>"
+    }
+  ],
+  "summary": "<one-line: 'X findings' or 'clean'>"
+}
+
+Baseline security categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
+${orgRulesBlock}
+Rules:
+- Only flag NEW issues (lines starting with +).
+- Use the L<num> line numbers I prefixed.
+- Be specific. If clean, return {"findings": [], "summary": "clean"}.
+
+`;
+}
 function shouldSkipFile(filename) {
   return SKIP_FILE_PATTERNS.some((p) => p.test(filename));
 }
@@ -2789,13 +2925,13 @@ function getFileDiffWithLines(file) {
   }
   return { hunks: annotated.join("\n"), newFileLineMap: lineMap };
 }
-function spawnClaudeJudge(file, claudeToken) {
+function spawnClaudeJudge(file, claudeToken, promptHeader) {
   const { hunks } = getFileDiffWithLines(file);
   const userMessage = `File: ${file.filename}
 
 Diff:
 ${hunks}`;
-  const fullPrompt = PR_PROMPT_HEADER + userMessage;
+  const fullPrompt = promptHeader + userMessage;
   return new Promise((resolve2) => {
     const t0 = Date.now();
     const proc = spawn(
@@ -2937,6 +3073,14 @@ async function scanPrCommand() {
   }
   console.log(`Synkro scan-pr: ${repo}#${prNumber} @ ${sha.slice(0, 7)}
 `);
+  const orgRules = await fetchOrgRules(gatewayUrl, synkroApiKey);
+  const auditRules = orgRules.filter((r) => r.mode === "audit");
+  const literalNegativeRules = orgRules.filter((r) => {
+    const spec = parseMatchSpec(r.condition);
+    return r.mode === "literal_match" && spec?.negate === true;
+  });
+  console.log(`Loaded ${orgRules.length} org rule(s): ${auditRules.length} audit, ${literalNegativeRules.length} literal_match (negative).`);
+  const promptHeader = buildPrPrompt(auditRules);
   let files;
   try {
     files = getPrFiles(repo, prNumber);
@@ -2971,9 +3115,11 @@ async function scanPrCommand() {
   const t0 = Date.now();
   const results = await processInBatches(eligible, MAX_PARALLEL_FILES, async (file) => {
     process.stdout.write(`Scanning ${file.filename}...`);
-    const result = await spawnClaudeJudge(file, claudeToken);
-    console.log(` ${result.findings.length} finding(s) (${result.latencyMs}ms)`);
-    return result;
+    const literalFindings = applyLiteralMatchNegative(literalNegativeRules, file);
+    const llmResult = await spawnClaudeJudge(file, claudeToken, promptHeader);
+    const merged = [...literalFindings, ...llmResult.findings];
+    console.log(` ${merged.length} finding(s) (${literalFindings.length} literal, ${llmResult.findings.length} llm; ${llmResult.latencyMs}ms)`);
+    return { findings: merged, latencyMs: llmResult.latencyMs };
   });
   const totalLatencyMs = Date.now() - t0;
   const allFindings = results.flatMap((r) => r.findings);
@@ -3001,7 +3147,7 @@ Total: ${allFindings.length} finding(s) across ${eligible.length} file(s) in ${t
     process.exit(1);
   }
 }
-var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES, PR_PROMPT_HEADER;
+var SKIP_FILE_PATTERNS, MAX_DIFF_LINES_PER_FILE, MAX_PARALLEL_FILES;
 var init_scanPr = __esm({
   "cli/commands/scanPr.ts"() {
     "use strict";
@@ -3022,30 +3168,6 @@ var init_scanPr = __esm({
     ];
     MAX_DIFF_LINES_PER_FILE = 1e3;
     MAX_PARALLEL_FILES = 5;
-    PR_PROMPT_HEADER = `You are a security code reviewer analyzing a pull request diff for one file. Identify security issues introduced by this diff.
-
-Output ONLY a JSON object (no prose, no markdown fences):
-{
-  "findings": [
-    {
-      "line": <int \u2014 line number in the NEW file, prefixed with L in the diff>,
-      "severity": "low" | "medium" | "high" | "critical",
-      "category": "<snake_case>",
-      "description": "<1 sentence>",
-      "fix": "<concrete suggestion>"
-    }
-  ],
-  "summary": "<one-line: 'X findings' or 'clean'>"
-}
-
-Categories: hardcoded_secret, sql_injection, insecure_crypto, eval_exec, unsafe_deserialization, missing_validation, exposed_internal, missing_auth_check, cors_misconfig, path_traversal, command_injection, weak_random, broken_jwt.
-
-Rules:
-- Only flag NEW issues (lines starting with +).
-- Use the L<num> line numbers I prefixed.
-- Be specific. If clean, return {"findings": [], "summary": "clean"}.
-
-`;
   }
 });