@synkro-sh/cli 1.1.7 → 1.2.0

package/dist/bootstrap.js

@@ -301,6 +301,8 @@ var init_hookScripts = __esm({
 # Auth: reads access_token from ~/.synkro/credentials.json, sends Authorization: Bearer.
 set -e
 
+synkro_log() { echo "[synkro] $1" >&2; }
+
 # Load config
 CONFIG_FILE="$HOME/.synkro/config.env"
 if [ -f "$CONFIG_FILE" ]; then
@@ -315,11 +317,13 @@ CREDS_PATH="\${SYNKRO_CREDENTIALS_PATH:-$HOME/.synkro/credentials.json}"
 
 # Fail open if not authed
 if [ ! -f "$CREDS_PATH" ]; then
+
   echo '{}'
   exit 0
 fi
 JWT=$(jq -r '.access_token // empty' "$CREDS_PATH" 2>/dev/null)
 if [ -z "$JWT" ]; then
+
   echo '{}'
   exit 0
 fi
@@ -344,6 +348,9 @@ if [ -z "$COMMAND" ]; then
   exit 0
 fi
 
+CMD_SHORT=$(printf '%s' "$COMMAND" | head -c 80)
+synkro_log "bashGuard checking: $CMD_SHORT"
+
 # NO hard regex gate \u2014 server-side bashShapes runs the universal pattern set
 # (including HTTP-payload destructive shapes like graphql_destructive_mutation
 # and http_method_delete) and returns a "trivial" fast-path verdict for boring
@@ -357,6 +364,14 @@ SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
+# Detect git remote origin \u2192 repo identity (e.g. "owner/repo")
+GIT_REPO=""
+if command -v git >/dev/null 2>&1; then
+  _REMOTE=$(git -C "\${CWD:-.}" remote get-url origin 2>/dev/null || true)
+  if [ -n "$_REMOTE" ]; then
+    GIT_REPO=$(echo "$_REMOTE" | sed -E 's|^git@[^:]+:||; s|^https?://[^/]+/||; s|\\.git$||')
+  fi
+fi
 # Headless detection \u2014 when no human is in the loop, ASK is a no-op so we
 # fail-closed by upgrading high-tier findings to deny.
 PERMISSION_MODE=$(echo "$PAYLOAD" | jq -r '.permission_mode // empty' 2>/dev/null)
@@ -404,6 +419,7 @@ BODY=$(jq -n \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
   --arg cwd "$CWD" \\
+  --arg repo "$GIT_REPO" \\
   '{
     kind: "bash_judge",
     tool_input: $tool_input,
@@ -412,7 +428,8 @@ BODY=$(jq -n \\
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
-    cwd: (if ($cwd | length) > 0 then $cwd else null end)
+    cwd: (if ($cwd | length) > 0 then $cwd else null end),
+    repo: (if ($repo | length) > 0 then $repo else null end)
   }')
 
 # Helper: refresh JWT via /api/auth/refresh and rewrite credentials.json.
@@ -464,28 +481,45 @@ if [ -z "$SYNKRO_INFERENCE_TIER" ]; then
 fi
 SYNKRO_INFERENCE_TIER="\${SYNKRO_INFERENCE_TIER:-free}"
 
+
 if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; then
   # \u2500\u2500\u2500 FREE TIER: grade via the persistent claude daemon (mode=bash). \u2500\u2500\u2500
+
+  # Fetch org guardrail rules relevant to this command (same as edit hook).
+  ORG_RULES=$(printf '%s' "$COMMAND" | head -c 4000 \\
+    | jq -Rs '{content: .}' \\
+    | curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules?top_k=15" \\
+    -X POST -H "Content-Type: application/json" \\
+    -H "Authorization: Bearer $JWT" \\
+    -d @- --max-time 2 2>/dev/null \\
+    | jq -c '[.rules[]? | {rule_id, text, severity, category}]' 2>/dev/null || echo "[]")
+  if [ -z "$ORG_RULES" ] || [ "$ORG_RULES" = "null" ]; then ORG_RULES="[]"; fi
+
   GRADER_PROMPT_FILE=$(mktemp -t synkro-bash-prompt.XXXXXX)
   trap "rm -f \\"$GRADER_PROMPT_FILE\\"" EXIT
   printf 'Proposed command: %s\\n' "$COMMAND" > "$GRADER_PROMPT_FILE"
   printf 'User intent: %s\\n' "\${USER_INTENT:-none stated}" >> "$GRADER_PROMPT_FILE"
   printf 'Recent user messages: %s\\n' "$RECENT_USER_MESSAGES" >> "$GRADER_PROMPT_FILE"
   printf 'Recent actions: %s\\n' "$RECENT_ACTIONS" >> "$GRADER_PROMPT_FILE"
+  printf 'Org rules: %s\\n\\n' "$ORG_RULES" >> "$GRADER_PROMPT_FILE"
 
   if [ -x "$HOME/.synkro/bin/grader_daemon.py" ] && [ -f "$HOME/.synkro/grader-primer-bash.txt" ] && command -v python3 >/dev/null 2>&1; then
+
     CC_RESP=$(python3 "$HOME/.synkro/bin/grader_daemon.py" --mode bash grade "$HOME/.synkro/grader-primer-bash.txt" < "$GRADER_PROMPT_FILE" 2>/dev/null || echo "")
   else
+
     CC_RESP=$(claude --print --model claude-sonnet-4-6 --no-session-persistence < "$GRADER_PROMPT_FILE" 2>/dev/null || echo "")
   fi
   V_INNER=$(printf '%s' "$CC_RESP" | tr '\\n' ' ' | grep -oE '<synkro-verdict>[^<]*</synkro-verdict>' | tail -1 | sed -E 's|^<synkro-verdict>||; s|</synkro-verdict>$||')
   if [ -z "$V_INNER" ] || ! echo "$V_INNER" | jq -e '.severity' >/dev/null 2>&1; then
+    synkro_log "bashGuard $CMD_SHORT \u2192 error (no verdict)"
     echo '{}'
     exit 0
   fi
   VERDICT="$V_INNER"
 else
   # \u2500\u2500\u2500 FAST TIER: server-side Cerebras grading. \u2500\u2500\u2500
+
   VERDICT=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/judge" \\
     -H "Content-Type: application/json" \\
     -H "Authorization: Bearer $JWT" \\
@@ -493,6 +527,7 @@ else
     --max-time 6 2>/dev/null || echo "")
 
   if echo "$VERDICT" | grep -qE '"detail":"Token has expired|"detail":"Invalid or expired token'; then
+
     if refresh_jwt; then
       VERDICT=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/judge" \\
         -H "Content-Type: application/json" \\
@@ -504,6 +539,7 @@ else
 fi
 
 if [ -z "$VERDICT" ]; then
+  synkro_log "bashGuard $CMD_SHORT \u2192 error (timeout)"
   echo '{}'
   exit 0
 fi
@@ -529,6 +565,7 @@ CATEGORY=$(echo "$VERDICT" | jq -r '.category // "destructive_command"' 2>/dev/n
 
 case "$SEVERITY" in
   critical)
+    synkro_log "bashGuard $CMD_SHORT \u2192 BLOCKED ($CATEGORY): $REASONING"
     SYS_MSG="[synkro] bashGuard \u2192 critical: \${REASONING}"
     if [ -n "$ALTERNATIVE" ] && [ "$ALTERNATIVE" != "null" ]; then
       SYS_MSG="\${SYS_MSG}\\n[synkro] suggested \u2192 \${ALTERNATIVE}"
@@ -553,6 +590,7 @@ case "$SEVERITY" in
       }'
     ;;
   high)
+    synkro_log "bashGuard $CMD_SHORT \u2192 FLAGGED ($CATEGORY): $REASONING"
     SYS_MSG="[synkro] bashGuard \u2192 high: \${REASONING}"
     if [ -n "$ALTERNATIVE" ] && [ "$ALTERNATIVE" != "null" ]; then
       SYS_MSG="\${SYS_MSG}\\n[synkro] suggested \u2192 \${ALTERNATIVE}"
@@ -584,6 +622,7 @@ case "$SEVERITY" in
     ;;
   *)
     # low / medium / anything else \u2192 silent allow
+    synkro_log "bashGuard $CMD_SHORT \u2192 pass"
     echo '{}'
     ;;
 esac
@@ -605,6 +644,8 @@ exit 0
 # Always exits 0 with valid JSON. Fails open on any error.
 set -e
 
+synkro_log() { echo "[synkro] $1" >&2; }
+
 CONFIG_FILE="$HOME/.synkro/config.env"
 if [ -f "$CONFIG_FILE" ]; then
   set -a
@@ -643,6 +684,14 @@ SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 TRANSCRIPT_PATH=$(echo "$PAYLOAD" | jq -r '.transcript_path // empty' 2>/dev/null)
+# Detect git remote origin \u2192 repo identity (e.g. "owner/repo")
+GIT_REPO=""
+if command -v git >/dev/null 2>&1; then
+  _REMOTE=$(git -C "\${CWD:-.}" remote get-url origin 2>/dev/null || true)
+  if [ -n "$_REMOTE" ]; then
+    GIT_REPO=$(echo "$_REMOTE" | sed -E 's|^git@[^:]+:||; s|^https?://[^/]+/||; s|\\.git$||')
+  fi
+fi
 # Headless / non-interactive detection \u2014 when CC won't actually prompt the
 # human, our "ask" verdict is a no-op. Server uses these to fall back to
 # "deny" so we fail-closed instead of silently letting findings through.
@@ -655,6 +704,9 @@ if [ -z "$FILE_PATH" ]; then
   exit 0
 fi
 
+FILE_SHORT=$(basename "$FILE_PATH")
+synkro_log "editGuard checking: $FILE_SHORT"
+
 # Pull conversation context from the transcript file. CC writes one JSON line
 # per message; we read the tail and extract the most recent user message + the
 # last 5 tool_use blocks. The server uses these as anchors for cosine ranking
@@ -758,6 +810,7 @@ BODY=$(jq -n \\
   --arg cwd "$CWD" \\
   --arg permission_mode "$PERMISSION_MODE" \\
   --arg headless_flag "$HEADLESS_FLAG" \\
+  --arg repo "$GIT_REPO" \\
   '{
     file_path: $file_path,
     tool_name: $tool_name,
@@ -770,7 +823,8 @@ BODY=$(jq -n \\
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
     cwd: (if ($cwd | length) > 0 then $cwd else null end),
     permission_mode: (if ($permission_mode | length) > 0 then $permission_mode else null end),
-    headless: ($headless_flag == "1")
+    headless: ($headless_flag == "1"),
+    repo: (if ($repo | length) > 0 then $repo else null end)
   }')
 
 # Refresh JWT on 401 (mirrors the bash judge pattern).
@@ -799,25 +853,15 @@ refresh_jwt() {
   return 0
 }
 
+
 if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; then
   # \u2500\u2500\u2500 FREE TIER: grade via the persistent claude daemon (Python helper).
-  # The daemon at $HOME/.synkro/bin/grader_daemon.py keeps one
-  # \`claude --print --input-format=stream-json\` process alive, primed once
-  # with the role/format. Hook ships a thin grading prompt over Unix socket
-  # and gets the verdict text back. Steady-state ~1.5\u20133s per grading vs
-  # ~14s for cold \`claude --print\`. Falls back to direct \`claude --print\`
-  # if the daemon binary or primer is missing.
-
-  # Fetch the caller's visible org rules and inject into the grader prompt.
-  # On-demand MCP retrieval inside the grader was the cleaner architecture
-  # but added 20+ seconds of latency per grade because the model has to
-  # call get_guardrails, wait for cosine ranking, then reason. For free-tier
-  # local CC inference that's unacceptable. Pre-stuffing the rules costs
-  # tokens but keeps grade latency in the 1-3s range. Bounded at 1.5s; on
-  # failure proceed with empty rules (degrades to baseline-only judging).
-  ORG_RULES=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules" \\
+  ORG_RULES=$(printf '%s' "$PROPOSED" | head -c 8000 \\
+    | jq -Rs '{content: .}' \\
+    | curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules?top_k=20" \\
+    -X POST -H "Content-Type: application/json" \\
     -H "Authorization: Bearer $JWT" \\
-    --max-time 1.5 2>/dev/null \\
+    -d @- --max-time 2 2>/dev/null \\
     | jq -c '[.rules[]? | {rule_id, text, severity, category, mode}]' 2>/dev/null || echo "[]")
   if [ -z "$ORG_RULES" ] || [ "$ORG_RULES" = "null" ]; then ORG_RULES="[]"; fi
 
@@ -864,6 +908,7 @@ if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; t
     --arg cwd "$CWD" \\
     --arg permission_mode "$PERMISSION_MODE" \\
     --arg headless_flag "$HEADLESS_FLAG" \\
+    --arg repo "$GIT_REPO" \\
     '{
       verdict: $verdict,
       file_path: $file_path,
@@ -877,7 +922,8 @@ if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; t
       tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
       cwd: (if ($cwd | length) > 0 then $cwd else null end),
       permission_mode: (if ($permission_mode | length) > 0 then $permission_mode else null end),
-      headless: ($headless_flag == "1")
+      headless: ($headless_flag == "1"),
+      repo: (if ($repo | length) > 0 then $repo else null end)
     }')
 
   RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/precheck-edit/local-verdict" \\
@@ -914,20 +960,26 @@ else
   fi
 fi
 
-# Server returns the literal CC hook JSON shape ({} for allow, or
-# hookSpecificOutput.permissionDecision: "deny" + reason). If the call failed
-# entirely or returned non-JSON, fail open with empty {}.
 if [ -z "$RESP" ]; then
+  synkro_log "editGuard $FILE_SHORT \u2192 error (timeout)"
   echo '{}'
   exit 0
 fi
 
-# Cheap validation \u2014 only forward if it parses as a JSON object.
 if ! echo "$RESP" | jq -e 'type == "object"' >/dev/null 2>&1; then
+  synkro_log "editGuard $FILE_SHORT \u2192 error (bad response)"
   echo '{}'
   exit 0
 fi
 
+DECISION=$(echo "$RESP" | jq -r '.hookSpecificOutput.permissionDecision // "allow"' 2>/dev/null)
+if [ "$DECISION" = "deny" ]; then
+  DENY_REASON=$(echo "$RESP" | jq -r '.hookSpecificOutput.permissionDecisionReason // ""' 2>/dev/null)
+  synkro_log "editGuard $FILE_SHORT \u2192 BLOCKED: $DENY_REASON"
+else
+  synkro_log "editGuard $FILE_SHORT \u2192 pass"
+fi
+
 echo "$RESP"
 exit 0
 `;
@@ -947,6 +999,8 @@ exit 0
 # Always exits 0 with valid JSON \u2014 never breaks CC's flow.
 set -e
 
+synkro_log() { echo "[synkro] $1" >&2; }
+
 CONFIG_FILE="$HOME/.synkro/config.env"
 if [ -f "$CONFIG_FILE" ]; then
   set -a
@@ -984,6 +1038,14 @@ TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
 SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+# Detect git remote origin \u2192 repo identity (e.g. "owner/repo")
+GIT_REPO=""
+if command -v git >/dev/null 2>&1; then
+  _REMOTE=$(git -C "\${CWD:-.}" remote get-url origin 2>/dev/null || true)
+  if [ -n "$_REMOTE" ]; then
+    GIT_REPO=$(echo "$_REMOTE" | sed -E 's|^git@[^:]+:||; s|^https?://[^/]+/||; s|\\.git$||')
+  fi
+fi
 
 FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .notebook_path // .path // empty' 2>/dev/null)
 if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then
@@ -992,6 +1054,7 @@ if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then
 fi
 
 BASENAME=$(basename "$FILE_PATH")
+synkro_log "editScan checking: $BASENAME"
 
 # Read post-edit file content (cap 64KB).
 FILE_CONTENT=$(head -c 65536 "$FILE_PATH" 2>/dev/null || echo "")
@@ -1012,13 +1075,15 @@ BODY=$(jq -n \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
   --arg cwd "$CWD" \\
+  --arg repo "$GIT_REPO" \\
   '{
     file_path: $file_path,
     content: $content,
     diff: $diff,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
-    cwd: (if ($cwd | length) > 0 then $cwd else null end)
+    cwd: (if ($cwd | length) > 0 then $cwd else null end),
+    repo: (if ($repo | length) > 0 then $repo else null end)
   }')
 
 refresh_jwt() {
@@ -1078,9 +1143,22 @@ SYNKRO_INFERENCE_TIER="\${SYNKRO_INFERENCE_TIER:-free}"
 
 if [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; then
   # \u2500\u2500\u2500 FREE TIER: grade via the persistent claude daemon (mode=edit). \u2500\u2500\u2500
+
+  # Fetch org guardrail rules relevant to this file content.
+  ORG_RULES=$(printf '%s' "$FILE_CONTENT" | head -c 8000 \\
+    | jq -Rs '{content: .}' \\
+    | curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules?top_k=20" \\
+    -X POST -H "Content-Type: application/json" \\
+    -H "Authorization: Bearer $JWT" \\
+    -d @- --max-time 2 2>/dev/null \\
+    | jq -c '[.rules[]? | {rule_id, text, severity, category}]' 2>/dev/null || echo "[]")
+  if [ -z "$ORG_RULES" ] || [ "$ORG_RULES" = "null" ]; then ORG_RULES="[]"; fi
+
   GRADER_PROMPT_FILE=$(mktemp -t synkro-edit-capture.XXXXXX)
   trap "rm -f \\"$GRADER_PROMPT_FILE\\"" EXIT
-  printf 'File: %s\\n\\nContent:\\n' "$FILE_PATH" > "$GRADER_PROMPT_FILE"
+  printf 'File: %s\\n' "$FILE_PATH" > "$GRADER_PROMPT_FILE"
+  printf 'Org rules: %s\\n\\n' "$ORG_RULES" >> "$GRADER_PROMPT_FILE"
+  printf 'Content:\\n' >> "$GRADER_PROMPT_FILE"
   printf '%s\\n' "$FILE_CONTENT" >> "$GRADER_PROMPT_FILE"
 
   if [ -x "$HOME/.synkro/bin/grader_daemon.py" ] && [ -f "$HOME/.synkro/grader-primer-edit.txt" ] && command -v python3 >/dev/null 2>&1; then
@@ -1114,6 +1192,7 @@ else
 fi
 
 if [ -z "$RESP" ] || ! echo "$RESP" | jq -e 'type == "object"' >/dev/null 2>&1; then
+  synkro_log "editScan $BASENAME \u2192 error (no response)"
   if [ "\${SYNKRO_VERBOSE:-0}" = "1" ]; then
     SYS_MSG="[synkro] afterFileEdit \u2192 scanned \${BASENAME} (grader unavailable)"
     jq -n --arg sys_msg "$SYS_MSG" '{ systemMessage: $sys_msg }'
@@ -1129,6 +1208,7 @@ CATEGORY=$(echo "$RESP" | jq -r '.category // "unspecified"' 2>/dev/null)
 REASON=$(echo "$RESP" | jq -r '.reason // ""' 2>/dev/null)
 
 if [ "$OK" = "false" ] && [ -n "$REASON" ]; then
+  synkro_log "editScan $BASENAME \u2192 FAIL ($CATEGORY): $REASON"
   SYS_MSG="[synkro] afterFileEdit \u2192 Finding in \${BASENAME}: \${REASON}"
   ADDITIONAL_CTX="Synkro post-edit grader flagged \${BASENAME} (severity: \${SEVERITY}, category: \${CATEGORY}). Re-edit the file applying the retry guidance: \${REASON}"
   jq -n \\
@@ -1144,6 +1224,8 @@ if [ "$OK" = "false" ] && [ -n "$REASON" ]; then
   exit 0
 fi
 
+synkro_log "editScan $BASENAME \u2192 pass"
+
 if [ "\${SYNKRO_VERBOSE:-0}" = "1" ]; then
   SYS_MSG="[synkro] afterFileEdit \u2192 no issues in \${BASENAME}"
   jq -n --arg sys_msg "$SYS_MSG" '{ systemMessage: $sys_msg }'
@@ -1262,16 +1344,18 @@ if [ -z "$RESP" ]; then
   exit 0
 fi
 
+PLAN_NUDGE="Before implementing any multi-step plan, call the synkro-guardrails analyze_plan tool with your implementation plan to check for relevant org coding rules."
+
 OPEN=$(echo "$RESP" | jq -r '.open_count // 0' 2>/dev/null)
 if [ "$OPEN" = "0" ] || [ -z "$OPEN" ]; then
-  echo '{}'
+  jq -n --arg sys_msg "[synkro] $PLAN_NUDGE" '{ systemMessage: $sys_msg }'
   exit 0
 fi
 
 if [ "$OPEN" = "1" ]; then
-  SYS_MSG="[synkro] session start \u2192 1 open finding in this repo from a prior session"
+  SYS_MSG="[synkro] session start \u2192 1 open finding in this repo from a prior session. $PLAN_NUDGE"
 else
-  SYS_MSG="[synkro] session start \u2192 \${OPEN} open findings in this repo from prior sessions"
+  SYS_MSG="[synkro] session start \u2192 \${OPEN} open findings in this repo from prior sessions. $PLAN_NUDGE"
 fi
 
 jq -n --arg sys_msg "$SYS_MSG" '{ systemMessage: $sys_msg }'
@@ -1329,15 +1413,14 @@ var init_graderDaemon = __esm({
     "use strict";
     GRADER_DAEMON_PY = `#!/usr/bin/env python3
 """
-Synkro grader daemon \u2014 long-lived \`claude --print\` process with stream-json
-IPC, fronted by a Unix socket. Hook scripts ship grading prompts to it; it
-returns the assistant's response text. ONE CC startup (~3.5s) amortizes
-across N gradings.
+Synkro warm-pool grader \u2014 pre-warmed \`claude --print --system-prompt\` process
+pool fronted by a Unix socket. Each grade uses one warm process and kills it;
+a replacement is pre-warmed in the background.
 
-Session bloat is bounded: the daemon rotates its claude subprocess every
-ROTATION_CALLS (default 10) gradings or ROTATION_AGE_SEC (default 1h),
-whichever comes first. Each rotation eats a one-time ~5s primer cost; calls
-in between target ~2-3s steady-state.
+Zero context bloat: 1 grade per process, system prompt via --system-prompt flag
+(single inference call, no primer-as-conversation-turn overhead).
+
+Warm steady-state: ~2-3s per grade. Cold fallback: ~5-6s if pre-warm not ready.
 
 Commands:
   start [primer-path]  - bring up daemon if not running
@@ -1346,13 +1429,10 @@ Commands:
   status               - print "running"/"stopped"
 """
 
-import os, sys, json, socket, time, atexit, signal, fcntl, re
+import os, sys, json, socket, time, signal, fcntl, re
 import subprocess, threading
 from pathlib import Path
 
-# Each "mode" gets its own daemon process: separate socket, pid, log.
-# Modes: "edit" (precheck + post-edit, schema {ok, severity, ...}) and "bash"
-# (schema {verdict, severity, ...}). Selected via --mode <name>; default "edit".
 ALLOWED_MODE_RE = re.compile(r"^[a-z][a-z0-9_-]{0,30}$")
 DAEMON_BASE = Path.home() / ".synkro" / "daemon"
 DAEMON_BASE.mkdir(parents=True, exist_ok=True, mode=0o700)
@@ -1365,11 +1445,10 @@ def mode_paths(mode):
 MODE = "edit"
 PID_FILE, SOCK_PATH, LOG_FILE = mode_paths(MODE)
 
-ROTATION_CALLS = int(os.environ.get("SYNKRO_DAEMON_ROTATE_CALLS", "10"))
-ROTATION_AGE_SEC = int(os.environ.get("SYNKRO_DAEMON_ROTATE_AGE", "3600"))
-GRADE_TIMEOUT_SEC = int(os.environ.get("SYNKRO_DAEMON_GRADE_TIMEOUT", "10"))
+GRADE_TIMEOUT_SEC = int(os.environ.get("SYNKRO_DAEMON_GRADE_TIMEOUT", "45"))
 DEFAULT_MODEL = os.environ.get("SYNKRO_DAEMON_MODEL", "claude-sonnet-4-6")
 MAX_PROMPT_BYTES = 4 * 1024 * 1024
+IDLE_SHUTDOWN_SEC = int(os.environ.get("SYNKRO_DAEMON_IDLE_TIMEOUT", "600"))
 
 
 def log(msg):
@@ -1380,146 +1459,139 @@ def log(msg):
         pass
 
 
-PREWARM_HEADROOM = 4
+def _read_response(proc, timeout=45):
+    acc = []
+    deadline = time.time() + timeout
+    while True:
+        if time.time() > deadline:
+            log("read timeout")
+            return ""
+        line = proc.stdout.readline()
+        if not line:
+            return ""
+        try:
+            obj = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+        t = obj.get("type")
+        if t == "assistant":
+            for c in obj.get("message", {}).get("content", []):
+                if c.get("type") == "text":
+                    acc.append(c["text"])
+        elif t == "result":
+            return "".join(acc)
+
+
+def _send_msg(proc, text):
+    msg = json.dumps({
+        "type": "user",
+        "message": {"role": "user", "content": [{"type": "text", "text": text}]},
+        "parent_tool_use_id": None,
+        "session_id": "",
+    })
+    proc.stdin.write(msg + "\\n")
+    proc.stdin.flush()
+
+
+class WarmGrader:
+    """
+    Keeps one pre-warmed claude process ready. Each grade pulls the warm
+    process, sends one prompt, reads the verdict, kills the process, and
+    starts pre-warming a replacement in the background.
 
-class GraderDaemon:
+    The warm process has the system prompt loaded via --system-prompt and
+    its KV cache primed by a warmup turn. The actual grade is a single
+    inference call that benefits from the cached system prompt tokens.
+    """
     def __init__(self, primer):
         self.primer = primer or ""
-        self.proc = None
-        self.calls = 0
-        self.start_time = 0.0
-        self.lock = threading.Lock()
-        self._next_proc = None
-        self._prewarm_thread = None
-        self._spawn()
+        self._warm_proc = None
+        self._warm_thread = None
+        self._lock = threading.Lock()
+        self._total_grades = 0
+        self._start_prewarm()
 
     def _make_proc(self):
+        cmd = [
+            "claude", "--print", "--model", DEFAULT_MODEL,
+            "--input-format=stream-json",
+            "--output-format=stream-json",
+            "--verbose",
+            "--no-session-persistence",
+        ]
+        if self.primer:
+            cmd += ["--system-prompt", self.primer]
         return subprocess.Popen(
-            [
-                "claude", "--print", "--model", DEFAULT_MODEL,
-                "--input-format=stream-json",
-                "--output-format=stream-json",
-                "--verbose",
-                "--no-session-persistence",
-            ],
+            cmd,
             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
             stderr=subprocess.DEVNULL, text=True, bufsize=1,
         )
 
-    def _send_to(self, proc, text):
-        msg = json.dumps({
-            "type": "user",
-            "message": {"role": "user", "content": [{"type": "text", "text": text}]},
-            "parent_tool_use_id": None,
-            "session_id": "",
-        })
-        proc.stdin.write(msg + "\\n")
-        proc.stdin.flush()
-
-    def _recv_from(self, proc):
-        acc = []
-        deadline = time.time() + GRADE_TIMEOUT_SEC
-        while True:
-            if time.time() > deadline:
-                log("recv timeout")
-                return ""
-            line = proc.stdout.readline()
-            if not line:
-                return ""
-            try:
-                obj = json.loads(line)
-            except json.JSONDecodeError:
-                continue
-            t = obj.get("type")
-            if t == "assistant":
-                for c in obj.get("message", {}).get("content", []):
-                    if c.get("type") == "text":
-                        acc.append(c["text"])
-            elif t == "result":
-                return "".join(acc)
-
-    def _spawn(self):
-        if self.proc and self.proc.poll() is None:
-            try: self.proc.terminate(); self.proc.wait(timeout=3)
-            except Exception: self.proc.kill()
-        log("spawning claude subprocess")
-        self.proc = self._make_proc()
-        if self.primer:
-            self._send_to(self.proc, self.primer)
-            primer_resp = self._recv_from(self.proc)
-            log(f"primer ack: {primer_resp[:80]!r}")
-        self.calls = 0
-        self.start_time = time.time()
-        self._next_proc = None
-
-    def _prewarm_worker(self):
+    def _kill_proc(self, proc):
+        try: proc.stdin.close()
+        except Exception: pass
+        try: proc.kill(); proc.wait(timeout=2)
+        except Exception: pass
+
+    def _prewarm(self):
         try:
-            log("pre-warming next subprocess")
+            log("pre-warming process")
             proc = self._make_proc()
-            if self.primer:
-                self._send_to(proc, self.primer)
-                resp = self._recv_from(proc)
-                log(f"pre-warm ack: {resp[:80]!r}")
-            self._next_proc = proc
-            log("pre-warm ready")
+            _send_msg(proc, "Ready")
+            resp = _read_response(proc, timeout=30)
+            if resp:
+                with self._lock:
+                    old = self._warm_proc
+                    self._warm_proc = proc
+                if old:
+                    self._kill_proc(old)
+                log(f"pre-warm ready ({len(resp)} chars)")
+            else:
+                log("pre-warm response empty")
+                self._kill_proc(proc)
         except Exception as e:
             log(f"pre-warm failed: {e}")
-            self._next_proc = None
-
-    def _maybe_prewarm(self):
-        if self._prewarm_thread and self._prewarm_thread.is_alive():
-            return
-        if self._next_proc is not None:
-            return
-        if self.calls >= ROTATION_CALLS - PREWARM_HEADROOM:
-            self._prewarm_thread = threading.Thread(target=self._prewarm_worker, daemon=True)
-            self._prewarm_thread.start()
-
-    def _try_rotate(self):
-        if self._next_proc and self._next_proc.poll() is None:
-            log("hot-swapping to pre-warmed subprocess")
-            old = self.proc
-            self.proc = self._next_proc
-            self._next_proc = None
-            self._prewarm_thread = None
-            self.calls = 0
-            self.start_time = time.time()
-            if old and old.poll() is None:
-                threading.Thread(target=lambda: (old.terminate(), old.wait()), daemon=True).start()
-            return True
-        log("pre-warm not ready, deferring rotation")
-        return False
 
-    def _send(self, text):
+    def _start_prewarm(self):
+        self._warm_thread = threading.Thread(target=self._prewarm, daemon=True)
+        self._warm_thread.start()
+
+    def grade(self, prompt):
+        if self._warm_thread:
+            self._warm_thread.join(timeout=60)
+
+        with self._lock:
+            proc = self._warm_proc
+            self._warm_proc = None
+
+        warm = True
+        if not proc or proc.poll() is not None:
+            log("no warm process, cold fallback")
+            proc = self._make_proc()
+            warm = False
+
+        t0 = time.time()
         try:
-            self._send_to(self.proc, text)
-        except (BrokenPipeError, OSError) as e:
-            log(f"send broke: {e}; respawn")
-            self._spawn()
-            self._send_to(self.proc, text)
-
-    def _recv(self):
-        resp = self._recv_from(self.proc)
-        if not resp and (not self.proc or self.proc.poll() is not None):
-            log("subprocess died; respawn")
-            self._spawn()
+            _send_msg(proc, prompt)
+            resp = _read_response(proc, timeout=GRADE_TIMEOUT_SEC)
+        except Exception as e:
+            log(f"grade error: {e}")
+            resp = ""
+        finally:
+            self._kill_proc(proc)
+
+        elapsed = (time.time() - t0) * 1000
+        self._total_grades += 1
+        log(f"grade #{self._total_grades} {'warm' if warm else 'cold'} elapsed={elapsed:.0f}ms resp={len(resp)}ch")
+
+        self._start_prewarm()
         return resp
 
-    def grade(self, prompt):
-        with self.lock:
-            t0 = time.time()
-            self._send(prompt)
-            resp = self._recv()
-            elapsed = (time.time() - t0) * 1000
-            self.calls += 1
-            log(f"grade #{self.calls} elapsed={elapsed:.0f}ms resp_chars={len(resp)}")
-            age = time.time() - self.start_time
-            if self.calls >= ROTATION_CALLS or age >= ROTATION_AGE_SEC:
-                if not self._try_rotate():
-                    self._maybe_prewarm()
-            else:
-                self._maybe_prewarm()
-            return resp
+    def shutdown(self):
+        with self._lock:
+            if self._warm_proc:
+                self._kill_proc(self._warm_proc)
+                self._warm_proc = None
 
 
 def serve(primer):
@@ -1533,7 +1605,7 @@ def serve(primer):
     os.write(pid_fd, f"{os.getpid()}\\n".encode())
     os.fsync(pid_fd)
 
-    daemon = GraderDaemon(primer)
+    grader = WarmGrader(primer)
 
     if SOCK_PATH.exists():
         SOCK_PATH.unlink()
@@ -1547,24 +1619,30 @@ def serve(primer):
         except Exception: pass
         try: PID_FILE.unlink()
         except Exception: pass
-        try: daemon.proc and daemon.proc.terminate()
-        except Exception: pass
+        grader.shutdown()
         sys.exit(0)
     signal.signal(signal.SIGTERM, cleanup)
     signal.signal(signal.SIGINT, cleanup)
 
-    log(f"daemon ready model={DEFAULT_MODEL} sock={SOCK_PATH}")
+    log(f"daemon ready model={DEFAULT_MODEL} idle_shutdown={IDLE_SHUTDOWN_SEC}s sock={SOCK_PATH}")
 
+    last_activity = time.time()
+    sock.settimeout(30)
     while True:
         try:
             conn, _ = sock.accept()
-            threading.Thread(target=_handle_conn, args=(conn, daemon), daemon=True).start()
+            last_activity = time.time()
+            threading.Thread(target=_handle_conn, args=(conn, grader), daemon=True).start()
+        except socket.timeout:
+            if time.time() - last_activity > IDLE_SHUTDOWN_SEC:
+                log(f"idle for {IDLE_SHUTDOWN_SEC}s, shutting down")
+                cleanup()
         except Exception as e:
             log(f"accept error: {e}")
             time.sleep(0.1)
 
 
-def _handle_conn(conn, daemon):
+def _handle_conn(conn, grader):
     try:
         with conn:
             length_bytes = b""
@@ -1581,7 +1659,7 @@ def _handle_conn(conn, daemon):
                 chunk = conn.recv(min(65536, length - len(prompt)))
                 if not chunk: break
                 prompt += chunk
-            response = daemon.grade(prompt.decode("utf-8", errors="replace"))
+            response = grader.grade(prompt.decode("utf-8", errors="replace"))
             resp_bytes = response.encode("utf-8")
             conn.sendall(len(resp_bytes).to_bytes(8, "big"))
             conn.sendall(resp_bytes)
@@ -1708,7 +1786,7 @@ JUDGING PRIORITY:
 2. BASELINE security issues \u2014 hardcoded real-looking secrets, eval/exec on user input, SQL string concat with untrusted input, MD5/SHA1 for security-sensitive purposes, unsafe deserialization, command injection, path traversal, missing auth on routes that mutate user/billing data, weak random for tokens, broken JWT verification, CORS misconfig, env-dump logging. Flag these even if no org rule covers them \u2014 they're universally bad. Use a sensible snake_case rule_id like \`no-hardcoded-secrets\`, \`eval-on-user-input\`, \`sql-string-concat\`.
 3. Stylistic issues, placeholder fixtures, test files (path under /tests/, /__tests__/, *.test.*), and config-only files are NOT security issues \u2014 return ok=true.
 
-INDEPENDENCE: Each grade request is INDEPENDENT. Even if you can see prior turns in your context (the daemon reuses one process across grades), treat them as irrelevant. Judge ONLY the current request's File / User intent / Org rules / Diff. Prior "allows" do NOT authorize the current request \u2014 re-evaluate fresh against the rules in THIS prompt.
+INDEPENDENCE: Each grade request is INDEPENDENT. Judge ONLY the current request's File / User intent / Org rules / Diff. Prior "allows" do NOT authorize the current request \u2014 re-evaluate fresh against the rules in THIS prompt.
 
 OUTPUT RULES \u2014 strictest possible, no exceptions:
 
@@ -2144,7 +2222,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.1.7")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.2.0")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -2269,6 +2347,17 @@ async function installCommand(opts = {}) {
   console.log(`  ${scripts.sessionStartScript}
 `);
   writeGraderDaemon();
+  for (const mode of ["edit", "bash"]) {
+    const pidFile = join4(SYNKRO_DIR, "daemon", mode, "daemon.pid");
+    try {
+      const pid = parseInt(readFileSync4(pidFile, "utf-8").trim(), 10);
+      if (pid > 0) {
+        process.kill(pid, "SIGTERM");
+        console.log(`Stopped stale ${mode} daemon (pid ${pid})`);
+      }
+    } catch {
+    }
+  }
   console.log("Wrote local-tier grader daemon:");
   console.log(`  ${GRADER_DAEMON_PATH}`);
   console.log(`  ${GRADER_PRIMER_EDIT_PATH}`);
@@ -2463,6 +2552,15 @@ function statusCommand() {
   console.log(`  gateway:     ${config.SYNKRO_GATEWAY_URL ?? "(unset)"}`);
   console.log(`  credentials: ${config.SYNKRO_CREDENTIALS_PATH ?? "(unset)"}`);
   console.log(`  tier:        ${config.SYNKRO_TIER ?? "(unset)"}`);
+  const info2 = getUserInfo();
+  const userId = info2?.id ?? config.SYNKRO_USER_ID ?? "default";
+  const tierCacheFile = join5(SYNKRO_DIR2, `.tier-cache-${userId}`);
+  let inferenceTier = config.SYNKRO_INFERENCE_TIER || null;
+  if (!inferenceTier && existsSync6(tierCacheFile)) {
+    inferenceTier = readFileSync5(tierCacheFile, "utf-8").trim() || null;
+  }
+  const tierLabel = inferenceTier === "fast" ? "'fast' (server-side grading)" : inferenceTier === "free" ? "'free' (local daemon grading)" : "(unknown \u2014 fires on next hook)";
+  console.log(`  inference:   ${tierLabel}`);
   console.log(`  version:     ${config.SYNKRO_VERSION ?? "(unset)"}`);
   console.log();
   const agents = detectAgents();