@synkro-sh/cli 1.1.2 → 1.1.4

package/dist/bootstrap.js

@@ -801,22 +801,17 @@ if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; t
   # ~14s for cold \`claude --print\`. Falls back to direct \`claude --print\`
   # if the daemon binary or primer is missing.
 
-  # Fetch the caller's visible org rules so the grader can evaluate against
-  # custom policies, not just the primer's hardcoded baseline. Without this,
-  # audit-mode rules silently pass on free tier \u2014 the rule exists in the DB
-  # but never reaches the model. Bounded at 1.5s; on failure proceed with
-  # an empty rules array (degrades to baseline-only judging).
-  ORG_RULES=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules" \\
-    -H "Authorization: Bearer $JWT" \\
-    --max-time 1.5 2>/dev/null \\
-    | jq -c '[.rules[]? | {rule_id, text, severity, category, mode}]' 2>/dev/null || echo "[]")
-  if [ -z "$ORG_RULES" ] || [ "$ORG_RULES" = "null" ]; then ORG_RULES="[]"; fi
-
+  # The grader retrieves org rules ON DEMAND via the synkro-guardrails MCP
+  # server (registered in ~/.claude.json by \`synkro install\`). The primer
+  # tells the model to call get_guardrails before judging. We do NOT
+  # pre-stuff every rule into the prompt \u2014 that bloats the token budget,
+  # confuses the model with irrelevant rules, and breaks at scale. Cosine
+  # retrieval inside the MCP server returns only semantically-relevant
+  # rules per diff.
   GRADER_PROMPT_FILE=$(mktemp -t synkro-grade.XXXXXX)
   trap "rm -f \\"$GRADER_PROMPT_FILE\\"" EXIT
   printf 'File: %s\\n' "$FILE_PATH" > "$GRADER_PROMPT_FILE"
-  printf 'User intent: %s\\n' "\${USER_INTENT:-none stated}" >> "$GRADER_PROMPT_FILE"
-  printf 'Org rules: %s\\n\\n' "$ORG_RULES" >> "$GRADER_PROMPT_FILE"
+  printf 'User intent: %s\\n\\n' "\${USER_INTENT:-none stated}" >> "$GRADER_PROMPT_FILE"
   printf 'Diff:\\n' >> "$GRADER_PROMPT_FILE"
   printf '%s\\n' "$PROPOSED" >> "$GRADER_PROMPT_FILE"
 
@@ -828,9 +823,17 @@ if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; t
 
   VERDICT_JSON=$(printf '%s' "$CC_RESP" | tr '\\n' ' ' | grep -oE '<synkro-verdict>[^<]*</synkro-verdict>' | tail -1 | sed -E 's|^<synkro-verdict>||; s|</synkro-verdict>$||')
 
+  # If the local grader failed (timed out, crashed, returned malformed text,
+  # prompt overflowed) we MUST still POST to /local-verdict \u2014 server-side
+  # STEP 0 literal_match is the deterministic floor for absence-of-feature
+  # rules ("every TS file must start with // :)", "never use op inject",
+  # etc.) and has to fire regardless of LLM grader success. Falling through
+  # with a silent allow here was the bug \u2014 the server never saw the file
+  # so literal_match never ran. Default to ok:true so the server's audit
+  # path stays out of the way; literal_match runs on truncated content
+  # anyway in STEP 0.
   if [ -z "$VERDICT_JSON" ]; then
-    echo '{}'
-    exit 0
+    VERDICT_JSON='{"ok":true,"violations":[]}'
   fi
 
   LOCAL_BODY=$(jq -n \\
@@ -1629,14 +1632,23 @@ if __name__ == "__main__":
 EACH GRADING REQUEST INCLUDES:
 - File: the path being written
 - User intent: what the user told the agent to do
-- Org rules: a JSON array of this organization's active policies, each with rule_id, text, severity, category. THESE ARE THE PRIMARY SOURCE OF TRUTH. If a rule's text describes behavior that matches the diff, flag it. Use that rule's rule_id verbatim, not a synthesized one.
 - Diff: the proposed file content
 
-PRIORITY ORDER:
-1. ORG RULES first. If the diff matches the prose of any org rule, that's a violation \u2014 emit the rule's rule_id, the rule's severity, and a one-line reason citing file:line + the matching behavior + a concrete fix. Don't second-guess the org's rules \u2014 if the rule says "Agents must not iterate 1Password vaults" and the diff loops over \`op item list\`, that's a hit.
-2. BASELINE security issues (hardcoded real-looking secrets, eval/exec on user input, SQL string concat, MD5/SHA1 for security, unsafe deserialization, command injection, path traversal, env-dump logging). Flag these even if no org rule covers them \u2014 they're universally bad. Use a sensible snake_case rule_id like \`no-hardcoded-secrets\`, \`eval-on-user-input\`.
+WORKFLOW \u2014 TWO STEPS, IN THIS ORDER:
+
+STEP 1: Retrieve the org's relevant rules via the synkro-guardrails MCP server. Call mcp__synkro-guardrails__get_guardrails ONCE with:
+  - query: a one-sentence summary of WHAT THE DIFF DOES \u2014 describe the file's behavior in plain language. Focus on the action, the data flowing in, and the data flowing out (e.g. "route handler that takes user input and runs a database query", "component that reads a token from disk and includes it in an outbound HTTP request", "function that hashes a password before storing it").
+  - top_k: 8
+
+The server returns the most semantically-relevant rules (mix of cosine + keyword), each with rule_id, text, severity, category. THESE ARE YOUR PRIMARY SOURCE OF TRUTH for this org. If get_guardrails returns nothing or errors, proceed with baseline-only judging.
+
+STEP 2: Judge the diff. Priority order:
+1. ORG RULES first. If the diff matches the prose of any returned rule, flag it \u2014 emit the rule's rule_id verbatim and the rule's severity. Don't second-guess the org's rules: a rule that bans an action class covers ALL forms of that action \u2014 splitting arguments across function calls, wrapping in helpers, or renaming a variable does NOT bypass it. The semantic intent of the rule and the diff is what matters, not the literal substring.
+2. BASELINE security issues (hardcoded real-looking secrets, eval/exec on user input, SQL string concat with untrusted input, MD5/SHA1 for security-sensitive purposes, unsafe deserialization, command injection, path traversal, missing auth on routes that mutate user/billing data, weak random for tokens, broken JWT verification, CORS misconfig, env-dump logging). Flag these even if no org rule covers them \u2014 they're universally bad. Use a sensible snake_case rule_id like \`no-hardcoded-secrets\`, \`eval-on-user-input\`, \`sql-string-concat\`.
 3. Stylistic issues, placeholder fixtures, test files (path under /tests/, /__tests__/, *.test.*), and config-only files are NOT security issues \u2014 return ok=true.
 
+INDEPENDENCE: Each grade request is INDEPENDENT. Even if you can see prior turns in your context (the daemon reuses one process across grades), treat them as irrelevant. Judge ONLY the current request's File / User intent / Diff plus rules retrieved THIS turn. Prior "allows" do NOT authorize the current request \u2014 re-do the get_guardrails call every grade.
+
 OUTPUT RULES \u2014 strictest possible, no exceptions:
 
 1. NO reasoning. NO preamble. NO commentary.
@@ -2071,7 +2083,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.1.2")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.1.4")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);