@synkro-sh/cli 1.2.6 → 1.3.3

package/dist/bootstrap.js

@@ -1,13 +1,42 @@
 #!/usr/bin/env node
+var __create = Object.create;
 var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 
 // cli/installer/agentDetect.ts
 import { existsSync } from "fs";
@@ -96,7 +125,7 @@ function removeSynkroEntries(events, eventName) {
   if (!Array.isArray(arr)) return;
   events[eventName] = arr.filter((entry) => !isSynkroEntry(entry));
 }
-function installCCHooks(settingsPath, config) {
+function installCCHooks(settingsPath, config2) {
   const settings = readSettings(settingsPath);
   settings.hooks = settings.hooks ?? {};
   removeSynkroEntries(settings.hooks, "PreToolUse");
@@ -109,11 +138,11 @@ function installCCHooks(settingsPath, config) {
   settings.hooks.SessionEnd = settings.hooks.SessionEnd ?? [];
   settings.hooks.SessionStart = settings.hooks.SessionStart ?? [];
   settings.hooks.PreToolUse.push({
-    matcher: "Bash",
+    matcher: "Bash|Read|Grep|Glob",
     hooks: [
       {
         type: "command",
-        command: config.bashJudgeScriptPath,
+        command: config2.bashJudgeScriptPath,
         timeout: 15
       }
     ],
@@ -124,7 +153,7 @@ function installCCHooks(settingsPath, config) {
     hooks: [
       {
         type: "command",
-        command: config.editPrecheckScriptPath,
+        command: config2.editPrecheckScriptPath,
         timeout: 15
       }
     ],
@@ -135,7 +164,7 @@ function installCCHooks(settingsPath, config) {
     hooks: [
       {
         type: "command",
-        command: config.editCaptureScriptPath,
+        command: config2.editCaptureScriptPath,
         timeout: 20
       }
     ],
@@ -146,7 +175,7 @@ function installCCHooks(settingsPath, config) {
     hooks: [
       {
         type: "command",
-        command: config.bashFollowupScriptPath
+        command: config2.bashFollowupScriptPath
       }
     ],
     [SYNKRO_MARKER]: true
@@ -155,7 +184,7 @@ function installCCHooks(settingsPath, config) {
     hooks: [
       {
         type: "command",
-        command: config.stopSummaryScriptPath
+        command: config2.stopSummaryScriptPath
       }
     ],
     [SYNKRO_MARKER]: true
@@ -164,7 +193,7 @@ function installCCHooks(settingsPath, config) {
     hooks: [
       {
         type: "command",
-        command: config.sessionStartScriptPath
+        command: config2.sessionStartScriptPath
       }
     ],
     [SYNKRO_MARKER]: true
@@ -232,50 +261,50 @@ function readClaudeJson() {
     throw new Error(`Failed to parse ${CC_CONFIG_PATH}: ${err.message}`);
   }
 }
-function writeClaudeJsonAtomic(config) {
+function writeClaudeJsonAtomic(config2) {
   mkdirSync2(dirname2(CC_CONFIG_PATH), { recursive: true });
   const tmpPath = `${CC_CONFIG_PATH}.synkro.tmp`;
-  writeFileSync2(tmpPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  writeFileSync2(tmpPath, JSON.stringify(config2, null, 2) + "\n", "utf-8");
   renameSync2(tmpPath, CC_CONFIG_PATH);
 }
 function installMcpConfig(opts) {
-  const config = readClaudeJson();
-  config.mcpServers = config.mcpServers ?? {};
-  for (const [name, entry] of Object.entries(config.mcpServers)) {
-    if (entry?.[SYNKRO_MARKER2] === true) delete config.mcpServers[name];
+  const config2 = readClaudeJson();
+  config2.mcpServers = config2.mcpServers ?? {};
+  for (const [name, entry] of Object.entries(config2.mcpServers)) {
+    if (entry?.[SYNKRO_MARKER2] === true) delete config2.mcpServers[name];
   }
   const url = `${opts.gatewayUrl.replace(/\/$/, "")}/api/v1/mcp/guardrails`;
-  config.mcpServers[SYNKRO_SERVER_NAME] = {
+  config2.mcpServers[SYNKRO_SERVER_NAME] = {
     type: "http",
     url,
     headers: { Authorization: `Bearer ${opts.bearerToken}` },
     [SYNKRO_MARKER2]: true
   };
-  writeClaudeJsonAtomic(config);
+  writeClaudeJsonAtomic(config2);
   return { path: CC_CONFIG_PATH, url };
 }
 function uninstallMcpConfig() {
   if (!existsSync3(CC_CONFIG_PATH)) return false;
-  const config = readClaudeJson();
-  if (!config.mcpServers || Object.keys(config.mcpServers).length === 0) return false;
+  const config2 = readClaudeJson();
+  if (!config2.mcpServers || Object.keys(config2.mcpServers).length === 0) return false;
   let removed = false;
-  for (const [name, entry] of Object.entries(config.mcpServers)) {
+  for (const [name, entry] of Object.entries(config2.mcpServers)) {
     if (entry?.[SYNKRO_MARKER2] === true) {
-      delete config.mcpServers[name];
+      delete config2.mcpServers[name];
       removed = true;
     }
   }
   if (!removed) return false;
-  if (Object.keys(config.mcpServers).length === 0) delete config.mcpServers;
-  writeClaudeJsonAtomic(config);
+  if (Object.keys(config2.mcpServers).length === 0) delete config2.mcpServers;
+  writeClaudeJsonAtomic(config2);
   return true;
 }
 function inspectMcpConfig() {
   if (!existsSync3(CC_CONFIG_PATH)) {
     return { installed: false, configPath: CC_CONFIG_PATH };
   }
-  const config = readClaudeJson();
-  const entry = config.mcpServers?.[SYNKRO_SERVER_NAME];
+  const config2 = readClaudeJson();
+  const entry = config2.mcpServers?.[SYNKRO_SERVER_NAME];
   if (!entry || entry[SYNKRO_MARKER2] !== true) {
     return { installed: false, configPath: CC_CONFIG_PATH };
   }
@@ -336,14 +365,30 @@ if [ -z "$PAYLOAD" ]; then
   exit 0
 fi
 
-# Only run on Bash tool calls
+# Translate tool calls into a command string for the judge
 TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
-if [ "$TOOL_NAME" != "Bash" ]; then
-  echo '{}'
-  exit 0
-fi
-
-COMMAND=$(echo "$PAYLOAD" | jq -r '.tool_input.command // empty' 2>/dev/null)
+case "$TOOL_NAME" in
+  Bash)
+    COMMAND=$(echo "$PAYLOAD" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    ;;
+  Read)
+    FILE_PATH=$(echo "$PAYLOAD" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    COMMAND="cat \${FILE_PATH}"
+    ;;
+  Grep)
+    PATTERN=$(echo "$PAYLOAD" | jq -r '.tool_input.pattern // empty' 2>/dev/null)
+    GREP_PATH=$(echo "$PAYLOAD" | jq -r '.tool_input.path // "."' 2>/dev/null)
+    COMMAND="grep -r '\${PATTERN}' \${GREP_PATH}"
+    ;;
+  Glob)
+    PATTERN=$(echo "$PAYLOAD" | jq -r '.tool_input.pattern // empty' 2>/dev/null)
+    COMMAND="find . -name '\${PATTERN}'"
+    ;;
+  *)
+    echo '{}'
+    exit 0
+    ;;
+esac
 if [ -z "$COMMAND" ]; then
   echo '{}'
   exit 0
@@ -364,7 +409,7 @@ TRANSCRIPT_PATH=$(echo "$PAYLOAD" | jq -r '.transcript_path // empty' 2>/dev/nul
 SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
-TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
+TOOL_INPUT=$(echo "$PAYLOAD" | jq -c --arg cmd "$COMMAND" '.tool_input // {} | . + {command: $cmd}' 2>/dev/null)
 # Detect git remote origin \u2192 repo identity (e.g. "owner/repo")
 GIT_REPO=""
 if command -v git >/dev/null 2>&1; then
@@ -384,11 +429,9 @@ if [ "\${SYNKRO_HEADLESS:-0}" = "1" ]; then IS_HEADLESS=1; fi
 
 USER_INTENT=""
 RECENT_USER_MESSAGES="[]"
+RECENT_MESSAGES="[]"
 RECENT_ACTIONS="[]"
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
-  # Last 5 user-role messages, oldest first. Lets the grader see consent
-  # that carried over from a recent prior turn \u2014 saying "i consent" two
-  # turns ago should not require re-prompting on this turn's command.
   RECENT_USER_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
     [.[]
       | select(.type == "user")
@@ -399,16 +442,78 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
       | select(. != null and . != "")
     ] | .[-5:]' 2>/dev/null || echo "[]")
   USER_INTENT=$(echo "$RECENT_USER_MESSAGES" | jq -r '.[-1] // ""' 2>/dev/null || echo "")
-  # Recent agent actions (last 5 tool_use blocks)
-  RECENT_ACTIONS=$(tail -200 "$TRANSCRIPT_PATH" | jq -c -s '
+  # Interleaved assistant+user messages \u2014 lets the grader see what question
+  # each "yes" was answering (assistant text before user reply).
+  RECENT_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
     [.[]
+      | select(.type == "assistant" or .type == "user")
+      | {
+          role: .type,
+          text: (
+            if .type == "assistant" then
+              [.message.content[]? | select(type == "object" and .type == "text") | .text // ""] | join(" ") | .[0:500]
+            else
+              (.message.content
+                | if type == "string" then .[0:500]
+                  else ([.[]? | if type == "string" then . elif (type == "object" and .type == "text") then (.text // "") else "" end] | join(" ") | .[0:500])
+                  end)
+            end
+          )
+        }
+      | select(.text != "" and .text != null and (.text | length) > 0)
+    ] | .[-10:]' 2>/dev/null || echo "[]")
+  # Recent agent actions (last 5 tool_use blocks paired with results)
+  RECENT_ACTIONS=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
+    # tool_result blocks live in USER messages (Anthropic API format)
+    ([ .[]
+       | select(.type == "user")
+       | .message.content[]?
+       | select(type == "object" and .type == "tool_result")
+       | { (.tool_use_id): (.content // "" | tostring | .[0:300]) }
+     ] | add // {}) as $results
+    |
+    [ .[]
       | select(.type == "assistant")
       | .message.content[]?
       | select(.type == "tool_use")
-      | { tool: .name, input: (.input // {} | tostring | .[0:200]) }
+      | {
+          tool: .name,
+          input: (.input // {} | tostring | .[0:200]),
+          result: ($results[.id] // null)
+        }
     ] | .[-5:]' 2>/dev/null || echo "[]")
 fi
 
+CC_MODEL=""
+CC_USAGE="{}"
+if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
+  _LAST_ASSISTANT=$(tail -50 "$TRANSCRIPT_PATH" | jq -c 'select(.type == "assistant")' 2>/dev/null | tail -1)
+  if [ -n "$_LAST_ASSISTANT" ]; then
+    CC_MODEL=$(echo "$_LAST_ASSISTANT" | jq -r '.message.model // empty' 2>/dev/null)
+    CC_USAGE=$(echo "$_LAST_ASSISTANT" | jq -c '{
+      input_tokens: .message.usage.input_tokens,
+      output_tokens: .message.usage.output_tokens,
+      cache_creation_input_tokens: .message.usage.cache_creation_input_tokens,
+      cache_read_input_tokens: .message.usage.cache_read_input_tokens,
+      service_tier: .message.usage.service_tier,
+      speed: .message.usage.speed
+    }' 2>/dev/null || echo "{}")
+  fi
+fi
+
+# Extract session summary from CC compaction (free broad context)
+SESSION_SUMMARY=""
+if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
+  _SUMMARY_LINE=$(grep -n '"This session is being continued' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1 | cut -d: -f1)
+  if [ -n "$_SUMMARY_LINE" ]; then
+    SESSION_SUMMARY=$(sed -n "\${_SUMMARY_LINE}p" "$TRANSCRIPT_PATH" | jq -r '
+      .message.content
+      | if type == "string" then .[0:2000]
+        else ([.[]? | if type == "string" then . elif (type == "object" and .type == "text") then (.text // "") else "" end] | join(" ") | .[0:2000])
+        end' 2>/dev/null || echo "")
+  fi
+fi
+
 # Build POST body \u2014 always emit all fields (use null for empty optionals)
 # Earlier version used \`select(length > 0)\` which made the entire object
 # evaluate to nothing when any optional was empty. Don't do that.
@@ -416,21 +521,29 @@ BODY=$(jq -n \\
   --argjson tool_input "$TOOL_INPUT" \\
   --arg user_intent "$USER_INTENT" \\
   --argjson recent_user_messages "$RECENT_USER_MESSAGES" \\
+  --argjson recent_messages "$RECENT_MESSAGES" \\
   --argjson recent_actions "$RECENT_ACTIONS" \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
   --arg cwd "$CWD" \\
   --arg repo "$GIT_REPO" \\
+  --arg cc_model "$CC_MODEL" \\
+  --argjson cc_usage "$CC_USAGE" \\
+  --arg session_summary "$SESSION_SUMMARY" \\
   '{
     kind: "bash_judge",
     tool_input: $tool_input,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
     recent_user_messages: $recent_user_messages,
+    recent_messages: $recent_messages,
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
     cwd: (if ($cwd | length) > 0 then $cwd else null end),
-    repo: (if ($repo | length) > 0 then $repo else null end)
+    repo: (if ($repo | length) > 0 then $repo else null end),
+    cc_model: (if ($cc_model | length) > 0 then $cc_model else null end),
+    cc_usage: $cc_usage,
+    session_summary: (if ($session_summary | length) > 0 then $session_summary else null end)
   }')
 
 # Helper: refresh JWT via /api/auth/refresh and rewrite credentials.json.
@@ -546,23 +659,15 @@ if [ -z "$VERDICT" ]; then
 fi
 
 # Parse verdict \u2014 fail open on any parse error
-SEVERITY=$(echo "$VERDICT" | jq -r '.severity // "medium"' 2>/dev/null)
+SEVERITY=$(echo "$VERDICT" | jq -r '.severity // "audit"' 2>/dev/null)
 VERDICT_KIND=$(echo "$VERDICT" | jq -r '.verdict // "warn"' 2>/dev/null)
 REASONING=$(echo "$VERDICT" | jq -r '.reasoning // "matched dangerous-verb regex"' 2>/dev/null)
 ALTERNATIVE=$(echo "$VERDICT" | jq -r '.alternative // ""' 2>/dev/null)
 CATEGORY=$(echo "$VERDICT" | jq -r '.category // "destructive_command"' 2>/dev/null)
 
 # Severity-driven surfacing:
-#   critical \u2192 permissionDecision: "deny"  \u2014 block outright
-#   high     \u2192 permissionDecision: "ask"   \u2014 force user confirmation
-#   medium   \u2192 silent allow (echo {})      \u2014 Cerebras saw it, judged the
-#                                            intent fits, no surface
-#   low      \u2192 silent allow (echo {})      \u2014 same
-#
-# The grader is fully context-aware now (intent + recent_actions + shape
-# labels), so its severity grade is trustworthy. Low/medium decisions don't
-# need to interrupt the user \u2014 surfacing them creates alert fatigue and
-# trains the user to click-through on warnings that turn out to be benign.
+#   block \u2192 permissionDecision: "ask" (interactive) or "deny" (headless)
+#   audit \u2192 silent allow \u2014 logged but no interruption
 
 ALT_SUFFIX=""
 if [ -n "$ALTERNATIVE" ] && [ "$ALTERNATIVE" != "null" ]; then
@@ -570,26 +675,9 @@ if [ -n "$ALTERNATIVE" ] && [ "$ALTERNATIVE" != "null" ]; then
 fi
 
 case "$SEVERITY" in
-  critical)
-    synkro_log "bashGuard $CMD_SHORT \u2192 BLOCKED ($CATEGORY)"
-    PERMISSION_REASON="[synkro] BLOCKED \u2014 \${REASONING}\${ALT_SUFFIX}"
-    ADDITIONAL_CTX="Synkro safety judge (severity: critical, category: \${CATEGORY}).\${ALT_SUFFIX}"
-    jq -n \\
-      --arg ctx "$ADDITIONAL_CTX" \\
-      --arg reason "$PERMISSION_REASON" \\
-      '{
-        hookSpecificOutput: {
-          hookEventName: "PreToolUse",
-          permissionDecision: "deny",
-          permissionDecisionReason: $reason,
-          additionalContext: $ctx
-        }
-      }'
-    ;;
-  high)
-    synkro_log "bashGuard $CMD_SHORT \u2192 FLAGGED ($CATEGORY)"
+  block)
     PERMISSION_REASON="[synkro] \${REASONING}\${ALT_SUFFIX}"
-    ADDITIONAL_CTX="Synkro safety judge (severity: high, category: \${CATEGORY}).\${ALT_SUFFIX}"
+    ADDITIONAL_CTX="Synkro safety judge (severity: \${SEVERITY}, category: \${CATEGORY}). Reasoning: \${REASONING}.\${ALT_SUFFIX}"
     if [ "$IS_HEADLESS" = "1" ]; then DECISION="deny"; else DECISION="ask"; fi
     jq -n \\
       --arg ctx "$ADDITIONAL_CTX" \\
@@ -604,7 +692,7 @@ case "$SEVERITY" in
         }
       }'
     ;;
-  *)
+  audit)
     synkro_log "bashGuard $CMD_SHORT \u2192 pass ($CATEGORY): $REASONING"
     case "$CATEGORY" in
       trivial_utility)
@@ -615,6 +703,21 @@ case "$SEVERITY" in
         jq -n --arg m "[synkro] bashGuard \u2192 pass ($CATEGORY): $REASONING" '{systemMessage: $m}' ;;
     esac
     ;;
+  *)
+    synkro_log "bashGuard $CMD_SHORT \u2192 UNEXPECTED SEVERITY ($SEVERITY), blocking by default"
+    if [ "$IS_HEADLESS" = "1" ]; then DECISION="deny"; else DECISION="ask"; fi
+    jq -n \\
+      --arg decision "$DECISION" \\
+      --arg reason "[synkro] unexpected severity '\${SEVERITY}' \u2014 blocking by default. Please email team@synkro.sh to report this issue." \\
+      '{
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: $decision,
+          permissionDecisionReason: $reason,
+          additionalContext: "Synkro safety judge returned an unexpected severity value. This command has been blocked as a precaution. Please email team@synkro.sh with details of the command you were running."
+        }
+      }'
+    ;;
 esac
 
 exit 0
@@ -983,8 +1086,14 @@ if [ "$DECISION" = "deny" ]; then
   synkro_log "editGuard $FILE_SHORT \u2192 BLOCKED: $DENY_REASON"
   echo "$RESP"
 else
-  synkro_log "editGuard $FILE_SHORT \u2192 pass"
-  RESP_WITH_MSG=$(echo "$RESP" | jq --arg m "[synkro] editGuard $FILE_SHORT \u2192 pass" '. + {systemMessage: $m}')
+  VERDICT_REASON=$(echo "$RESP" | jq -r '.reason // empty' 2>/dev/null)
+  if [ -n "$VERDICT_REASON" ]; then
+    synkro_log "editGuard $FILE_SHORT \u2192 pass: $VERDICT_REASON"
+    RESP_WITH_MSG=$(echo "$RESP" | jq --arg m "[synkro] editGuard $FILE_SHORT \u2192 pass: $VERDICT_REASON" '. + {systemMessage: $m}')
+  else
+    synkro_log "editGuard $FILE_SHORT \u2192 pass"
+    RESP_WITH_MSG=$(echo "$RESP" | jq --arg m "[synkro] editGuard $FILE_SHORT \u2192 pass" '. + {systemMessage: $m}')
+  fi
   echo "$RESP_WITH_MSG"
 fi
 
@@ -1232,8 +1341,13 @@ if [ "$OK" = "false" ] && [ -n "$REASON" ]; then
   exit 0
 fi
 
-synkro_log "editScan $BASENAME \u2192 pass"
-jq -n --arg m "[synkro] editScan $BASENAME \u2192 pass" '{systemMessage: $m}'
+if [ -n "$REASON" ]; then
+  synkro_log "editScan $BASENAME \u2192 pass ($CATEGORY): $REASON"
+  jq -n --arg m "[synkro] editScan $BASENAME \u2192 pass ($CATEGORY): $REASON" '{systemMessage: $m}'
+else
+  synkro_log "editScan $BASENAME \u2192 pass"
+  jq -n --arg m "[synkro] editScan $BASENAME \u2192 pass" '{systemMessage: $m}'
+fi
 exit 0
 `;
     CC_STOP_SUMMARY_SCRIPT = `#!/bin/bash
@@ -1335,8 +1449,17 @@ if [ -z "$CWD" ]; then
   exit 0
 fi
 
+GIT_REPO=""
+if command -v git >/dev/null 2>&1; then
+  _REMOTE=$(git -C "\${CWD:-.}" remote get-url origin 2>/dev/null || true)
+  if [ -n "$_REMOTE" ]; then
+    GIT_REPO=$(echo "$_REMOTE" | sed -E 's|^git@[^:]+:||; s|^https?://[^/]+/||; s|\\.git$||')
+  fi
+fi
+
 RESP=$(curl -sS -G "\${GATEWAY_URL}/api/v1/cli/session-context" \\
   --data-urlencode "cwd=$CWD" \\
+  --data-urlencode "repo=$GIT_REPO" \\
   -H "Authorization: Bearer $JWT" \\
   --max-time 2 2>/dev/null || echo "")
 
@@ -2075,12 +2198,64 @@ function getAccessToken() {
   const creds = loadCredentials();
   return creds?.access_token || null;
 }
+function isTokenExpired() {
+  const creds = loadCredentials();
+  if (!creds) return true;
+  try {
+    const decoded = jwt.decode(creds.access_token);
+    if (!decoded?.exp) return true;
+    const expiresAt = decoded.exp * 1e3;
+    const buffer = 5 * 60 * 1e3;
+    return Date.now() > expiresAt - buffer;
+  } catch {
+    return true;
+  }
+}
+async function refreshToken() {
+  const creds = loadCredentials();
+  if (!creds?.refresh_token) return false;
+  try {
+    const response = await fetch(`${SYNKRO_WEB_AUTH_URL}/api/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ refresh_token: creds.refresh_token })
+    });
+    if (!response.ok) return false;
+    const data = await response.json();
+    if (data.access_token) {
+      saveCredentials({
+        access_token: data.access_token,
+        refresh_token: data.refresh_token || creds.refresh_token
+      });
+      return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+async function ensureValidToken() {
+  if (!isAuthenticated()) return false;
+  if (isTokenExpired()) {
+    if (!refreshPromise) {
+      refreshPromise = refreshToken().finally(() => {
+        refreshPromise = null;
+      });
+    }
+    const refreshed = await refreshPromise;
+    if (!refreshed) {
+      clearCredentials();
+      return false;
+    }
+  }
+  return true;
+}
 function clearCredentials() {
   if (existsSync4(AUTH_FILE)) {
     unlinkSync2(AUTH_FILE);
   }
 }
-var PORT, RAW_WEB_AUTH_URL, SYNKRO_WEB_AUTH_URL, AUTH_FILE, ERROR_HTML;
+var PORT, RAW_WEB_AUTH_URL, SYNKRO_WEB_AUTH_URL, AUTH_FILE, ERROR_HTML, refreshPromise;
 var init_stub = __esm({
   "cli/auth/stub.ts"() {
     "use strict";
@@ -2128,112 +2303,913 @@ var init_stub = __esm({
 </body>
 </html>
 `;
+    refreshPromise = null;
   }
 });
 
-// cli/commands/install.ts
-var install_exports = {};
-__export(install_exports, {
-  installCommand: () => installCommand,
-  parseArgs: () => parseArgs
+// ../../node_modules/.pnpm/dotenv@17.2.4/node_modules/dotenv/package.json
+var require_package = __commonJS({
+  "../../node_modules/.pnpm/dotenv@17.2.4/node_modules/dotenv/package.json"(exports, module) {
+    module.exports = {
+      name: "dotenv",
+      version: "17.2.4",
+      description: "Loads environment variables from .env file",
+      main: "lib/main.js",
+      types: "lib/main.d.ts",
+      exports: {
+        ".": {
+          types: "./lib/main.d.ts",
+          require: "./lib/main.js",
+          default: "./lib/main.js"
+        },
+        "./config": "./config.js",
+        "./config.js": "./config.js",
+        "./lib/env-options": "./lib/env-options.js",
+        "./lib/env-options.js": "./lib/env-options.js",
+        "./lib/cli-options": "./lib/cli-options.js",
+        "./lib/cli-options.js": "./lib/cli-options.js",
+        "./package.json": "./package.json"
+      },
+      scripts: {
+        "dts-check": "tsc --project tests/types/tsconfig.json",
+        lint: "standard",
+        pretest: "npm run lint && npm run dts-check",
+        test: "tap run tests/**/*.js --allow-empty-coverage --disable-coverage --timeout=60000",
+        "test:coverage": "tap run tests/**/*.js --show-full-coverage --timeout=60000 --coverage-report=text --coverage-report=lcov",
+        prerelease: "npm test",
+        release: "standard-version"
+      },
+      repository: {
+        type: "git",
+        url: "git://github.com/motdotla/dotenv.git"
+      },
+      homepage: "https://github.com/motdotla/dotenv#readme",
+      funding: "https://dotenvx.com",
+      keywords: [
+        "dotenv",
+        "env",
+        ".env",
+        "environment",
+        "variables",
+        "config",
+        "settings"
+      ],
+      readmeFilename: "README.md",
+      license: "BSD-2-Clause",
+      devDependencies: {
+        "@types/node": "^18.11.3",
+        decache: "^4.6.2",
+        sinon: "^14.0.1",
+        standard: "^17.0.0",
+        "standard-version": "^9.5.0",
+        tap: "^19.2.0",
+        typescript: "^4.8.4"
+      },
+      engines: {
+        node: ">=12"
+      },
+      browser: {
+        fs: false
+      }
+    };
+  }
 });
-import { existsSync as existsSync5, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, chmodSync, readFileSync as readFileSync4 } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join4 } from "path";
-function sanitizeGatewayCandidate(raw) {
-  if (!raw) return void 0;
-  return /^https?:\/\//.test(raw) ? raw : void 0;
-}
-function parseArgs(argv) {
-  const opts = {};
-  for (const a of argv) {
-    if (a.startsWith("--api-key=")) opts.apiKey = a.slice("--api-key=".length);
-    else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
-    else if (a === "--skip-auth") opts.skipAuth = true;
-    else if (a === "--no-mcp") opts.noMcp = true;
-    else if (a === "--force" || a === "-f") opts.force = true;
+
+// ../../node_modules/.pnpm/dotenv@17.2.4/node_modules/dotenv/lib/main.js
+var require_main = __commonJS({
+  "../../node_modules/.pnpm/dotenv@17.2.4/node_modules/dotenv/lib/main.js"(exports, module) {
+    "use strict";
+    var fs = __require("fs");
+    var path = __require("path");
+    var os = __require("os");
+    var crypto = __require("crypto");
+    var packageJson = require_package();
+    var version = packageJson.version;
+    var TIPS = [
+      "\u{1F510} encrypt with Dotenvx: https://dotenvx.com",
+      "\u{1F510} prevent committing .env to code: https://dotenvx.com/precommit",
+      "\u{1F510} prevent building .env in docker: https://dotenvx.com/prebuild",
+      "\u{1F4E1} add observability to secrets: https://dotenvx.com/ops",
+      "\u{1F465} sync secrets across teammates & machines: https://dotenvx.com/ops",
+      "\u{1F5C2}\uFE0F backup and recover secrets: https://dotenvx.com/ops",
+      "\u2705 audit secrets and track compliance: https://dotenvx.com/ops",
+      "\u{1F504} add secrets lifecycle management: https://dotenvx.com/ops",
+      "\u{1F511} add access controls to secrets: https://dotenvx.com/ops",
+      "\u{1F6E0}\uFE0F  run anywhere with `dotenvx run -- yourcommand`",
+      "\u2699\uFE0F  specify custom .env file path with { path: '/custom/path/.env' }",
+      "\u2699\uFE0F  enable debug logging with { debug: true }",
+      "\u2699\uFE0F  override existing env vars with { override: true }",
+      "\u2699\uFE0F  suppress all logs with { quiet: true }",
+      "\u2699\uFE0F  write to custom object with { processEnv: myObject }",
+      "\u2699\uFE0F  load multiple .env files with { path: ['.env.local', '.env'] }"
+    ];
+    function _getRandomTip() {
+      return TIPS[Math.floor(Math.random() * TIPS.length)];
+    }
+    function parseBoolean(value) {
+      if (typeof value === "string") {
+        return !["false", "0", "no", "off", ""].includes(value.toLowerCase());
+      }
+      return Boolean(value);
+    }
+    function supportsAnsi() {
+      return process.stdout.isTTY;
+    }
+    function dim(text) {
+      return supportsAnsi() ? `\x1B[2m${text}\x1B[0m` : text;
+    }
+    var LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
+    function parse(src) {
+      const obj = {};
+      let lines = src.toString();
+      lines = lines.replace(/\r\n?/mg, "\n");
+      let match;
+      while ((match = LINE.exec(lines)) != null) {
+        const key = match[1];
+        let value = match[2] || "";
+        value = value.trim();
+        const maybeQuote = value[0];
+        value = value.replace(/^(['"`])([\s\S]*)\1$/mg, "$2");
+        if (maybeQuote === '"') {
+          value = value.replace(/\\n/g, "\n");
+          value = value.replace(/\\r/g, "\r");
+        }
+        obj[key] = value;
+      }
+      return obj;
+    }
+    function _parseVault(options) {
+      options = options || {};
+      const vaultPath = _vaultPath(options);
+      options.path = vaultPath;
+      const result = DotenvModule.configDotenv(options);
+      if (!result.parsed) {
+        const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`);
+        err.code = "MISSING_DATA";
+        throw err;
+      }
+      const keys = _dotenvKey(options).split(",");
+      const length = keys.length;
+      let decrypted;
+      for (let i = 0; i < length; i++) {
+        try {
+          const key = keys[i].trim();
+          const attrs = _instructions(result, key);
+          decrypted = DotenvModule.decrypt(attrs.ciphertext, attrs.key);
+          break;
+        } catch (error) {
+          if (i + 1 >= length) {
+            throw error;
+          }
+        }
+      }
+      return DotenvModule.parse(decrypted);
+    }
+    function _warn(message) {
+      console.error(`[dotenv@${version}][WARN] ${message}`);
+    }
+    function _debug(message) {
+      console.log(`[dotenv@${version}][DEBUG] ${message}`);
+    }
+    function _log(message) {
+      console.log(`[dotenv@${version}] ${message}`);
+    }
+    function _dotenvKey(options) {
+      if (options && options.DOTENV_KEY && options.DOTENV_KEY.length > 0) {
+        return options.DOTENV_KEY;
+      }
+      if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+        return process.env.DOTENV_KEY;
+      }
+      return "";
+    }
+    function _instructions(result, dotenvKey) {
+      let uri;
+      try {
+        uri = new URL(dotenvKey);
+      } catch (error) {
+        if (error.code === "ERR_INVALID_URL") {
+          const err = new Error("INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        }
+        throw error;
+      }
+      const key = uri.password;
+      if (!key) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing key part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environment = uri.searchParams.get("environment");
+      if (!environment) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing environment part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`;
+      const ciphertext = result.parsed[environmentKey];
+      if (!ciphertext) {
+        const err = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${environmentKey} in your .env.vault file.`);
+        err.code = "NOT_FOUND_DOTENV_ENVIRONMENT";
+        throw err;
+      }
+      return { ciphertext, key };
+    }
+    function _vaultPath(options) {
+      let possibleVaultPath = null;
+      if (options && options.path && options.path.length > 0) {
+        if (Array.isArray(options.path)) {
+          for (const filepath of options.path) {
+            if (fs.existsSync(filepath)) {
+              possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
+            }
+          }
+        } else {
+          possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
+        }
+      } else {
+        possibleVaultPath = path.resolve(process.cwd(), ".env.vault");
+      }
+      if (fs.existsSync(possibleVaultPath)) {
+        return possibleVaultPath;
+      }
+      return null;
+    }
+    function _resolveHome(envPath) {
+      return envPath[0] === "~" ? path.join(os.homedir(), envPath.slice(1)) : envPath;
+    }
+    function _configVault(options) {
+      const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || options && options.debug);
+      const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || options && options.quiet);
+      if (debug || !quiet) {
+        _log("Loading env from encrypted .env.vault");
+      }
+      const parsed = DotenvModule._parseVault(options);
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      DotenvModule.populate(processEnv, parsed, options);
+      return { parsed };
+    }
+    function configDotenv(options) {
+      const dotenvPath = path.resolve(process.cwd(), ".env");
+      let encoding = "utf8";
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      let debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || options && options.debug);
+      let quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || options && options.quiet);
+      if (options && options.encoding) {
+        encoding = options.encoding;
+      } else {
+        if (debug) {
+          _debug("No encoding is specified. UTF-8 is used by default");
+        }
+      }
+      let optionPaths = [dotenvPath];
+      if (options && options.path) {
+        if (!Array.isArray(options.path)) {
+          optionPaths = [_resolveHome(options.path)];
+        } else {
+          optionPaths = [];
+          for (const filepath of options.path) {
+            optionPaths.push(_resolveHome(filepath));
+          }
+        }
+      }
+      let lastError;
+      const parsedAll = {};
+      for (const path2 of optionPaths) {
+        try {
+          const parsed = DotenvModule.parse(fs.readFileSync(path2, { encoding }));
+          DotenvModule.populate(parsedAll, parsed, options);
+        } catch (e) {
+          if (debug) {
+            _debug(`Failed to load ${path2} ${e.message}`);
+          }
+          lastError = e;
+        }
+      }
+      const populated = DotenvModule.populate(processEnv, parsedAll, options);
+      debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || debug);
+      quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || quiet);
+      if (debug || !quiet) {
+        const keysCount = Object.keys(populated).length;
+        const shortPaths = [];
+        for (const filePath of optionPaths) {
+          try {
+            const relative = path.relative(process.cwd(), filePath);
+            shortPaths.push(relative);
+          } catch (e) {
+            if (debug) {
+              _debug(`Failed to load ${filePath} ${e.message}`);
+            }
+            lastError = e;
+          }
+        }
+        _log(`injecting env (${keysCount}) from ${shortPaths.join(",")} ${dim(`-- tip: ${_getRandomTip()}`)}`);
+      }
+      if (lastError) {
+        return { parsed: parsedAll, error: lastError };
+      } else {
+        return { parsed: parsedAll };
+      }
+    }
+    function config2(options) {
+      if (_dotenvKey(options).length === 0) {
+        return DotenvModule.configDotenv(options);
+      }
+      const vaultPath = _vaultPath(options);
+      if (!vaultPath) {
+        _warn(`You set DOTENV_KEY but you are missing a .env.vault file at ${vaultPath}. Did you forget to build it?`);
+        return DotenvModule.configDotenv(options);
+      }
+      return DotenvModule._configVault(options);
+    }
+    function decrypt(encrypted, keyStr) {
+      const key = Buffer.from(keyStr.slice(-64), "hex");
+      let ciphertext = Buffer.from(encrypted, "base64");
+      const nonce = ciphertext.subarray(0, 12);
+      const authTag = ciphertext.subarray(-16);
+      ciphertext = ciphertext.subarray(12, -16);
+      try {
+        const aesgcm = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+        aesgcm.setAuthTag(authTag);
+        return `${aesgcm.update(ciphertext)}${aesgcm.final()}`;
+      } catch (error) {
+        const isRange = error instanceof RangeError;
+        const invalidKeyLength = error.message === "Invalid key length";
+        const decryptionFailed = error.message === "Unsupported state or unable to authenticate data";
+        if (isRange || invalidKeyLength) {
+          const err = new Error("INVALID_DOTENV_KEY: It must be 64 characters long (or more)");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        } else if (decryptionFailed) {
+          const err = new Error("DECRYPTION_FAILED: Please check your DOTENV_KEY");
+          err.code = "DECRYPTION_FAILED";
+          throw err;
+        } else {
+          throw error;
+        }
+      }
+    }
+    function populate(processEnv, parsed, options = {}) {
+      const debug = Boolean(options && options.debug);
+      const override = Boolean(options && options.override);
+      const populated = {};
+      if (typeof parsed !== "object") {
+        const err = new Error("OBJECT_REQUIRED: Please check the processEnv argument being passed to populate");
+        err.code = "OBJECT_REQUIRED";
+        throw err;
+      }
+      for (const key of Object.keys(parsed)) {
+        if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+          if (override === true) {
+            processEnv[key] = parsed[key];
+            populated[key] = parsed[key];
+          }
+          if (debug) {
+            if (override === true) {
+              _debug(`"${key}" is already defined and WAS overwritten`);
+            } else {
+              _debug(`"${key}" is already defined and was NOT overwritten`);
+            }
+          }
+        } else {
+          processEnv[key] = parsed[key];
+          populated[key] = parsed[key];
+        }
+      }
+      return populated;
+    }
+    var DotenvModule = {
+      configDotenv,
+      _configVault,
+      _parseVault,
+      config: config2,
+      decrypt,
+      parse,
+      populate
+    };
+    module.exports.configDotenv = DotenvModule.configDotenv;
+    module.exports._configVault = DotenvModule._configVault;
+    module.exports._parseVault = DotenvModule._parseVault;
+    module.exports.config = DotenvModule.config;
+    module.exports.decrypt = DotenvModule.decrypt;
+    module.exports.parse = DotenvModule.parse;
+    module.exports.populate = DotenvModule.populate;
+    module.exports = DotenvModule;
   }
-  if (!opts.gatewayUrl) {
-    const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
-    if (fromEnv) opts.gatewayUrl = fromEnv;
+});
+
+// cli/auth/index.ts
+var init_auth = __esm({
+  "cli/auth/index.ts"() {
+    "use strict";
+    init_stub();
   }
-  return opts;
-}
-function ensureSynkroDir() {
-  mkdirSync4(SYNKRO_DIR, { recursive: true });
-  mkdirSync4(HOOKS_DIR, { recursive: true });
-  mkdirSync4(BIN_DIR, { recursive: true });
-}
-function writeGraderDaemon() {
-  writeFileSync4(GRADER_DAEMON_PATH, GRADER_DAEMON_PY, "utf-8");
-  chmodSync(GRADER_DAEMON_PATH, 493);
-  writeFileSync4(GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_EDIT, "utf-8");
-  chmodSync(GRADER_PRIMER_EDIT_PATH, 420);
-  writeFileSync4(GRADER_PRIMER_BASH_PATH, GRADER_PRIMER_BASH, "utf-8");
-  chmodSync(GRADER_PRIMER_BASH_PATH, 420);
-}
-function writeHookScripts() {
-  const bashScriptPath = join4(HOOKS_DIR, "cc-bash-judge.sh");
-  const bashFollowupScriptPath = join4(HOOKS_DIR, "cc-bash-followup.sh");
-  const editCaptureScriptPath = join4(HOOKS_DIR, "cc-edit-capture.sh");
-  const editPrecheckScriptPath = join4(HOOKS_DIR, "cc-edit-precheck.sh");
-  const stopSummaryScriptPath = join4(HOOKS_DIR, "cc-stop-summary.sh");
-  const sessionStartScriptPath = join4(HOOKS_DIR, "cc-session-start.sh");
-  writeFileSync4(bashScriptPath, CC_BASH_JUDGE_SCRIPT, "utf-8");
-  writeFileSync4(bashFollowupScriptPath, CC_BASH_FOLLOWUP_SCRIPT, "utf-8");
-  writeFileSync4(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
-  writeFileSync4(editPrecheckScriptPath, CC_EDIT_PRECHECK_SCRIPT, "utf-8");
-  writeFileSync4(stopSummaryScriptPath, CC_STOP_SUMMARY_SCRIPT, "utf-8");
-  writeFileSync4(sessionStartScriptPath, CC_SESSION_START_SCRIPT, "utf-8");
-  chmodSync(bashScriptPath, 493);
-  chmodSync(bashFollowupScriptPath, 493);
-  chmodSync(editCaptureScriptPath, 493);
-  chmodSync(editPrecheckScriptPath, 493);
-  chmodSync(stopSummaryScriptPath, 493);
-  chmodSync(sessionStartScriptPath, 493);
-  return {
-    bashScript: bashScriptPath,
-    bashFollowupScript: bashFollowupScriptPath,
-    editCaptureScript: editCaptureScriptPath,
-    editPrecheckScript: editPrecheckScriptPath,
-    stopSummaryScript: stopSummaryScriptPath,
-    sessionStartScript: sessionStartScriptPath
+});
+
+// cli/api/projects.ts
+async function callApi(method, endpoint, body) {
+  if (!API_URL) {
+    throw new Error("SYNKRO_CRUD_URL (or SYNKRO_API_URL) is not set. Add it to your .env file.");
+  }
+  const url = `${API_URL}${endpoint}`;
+  const accessToken = getAccessToken();
+  const headers = {
+    "Content-Type": "application/json"
   };
+  if (accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
+  }
+  const response = await fetch(url, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : void 0
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: response.statusText }));
+    throw new Error(error.detail || `API error: ${response.status}`);
+  }
+  return response.json();
 }
-function sanitizeConfigValue(raw, maxLen = 256) {
-  if (!raw) return "";
-  return raw.replace(/[^\x20-\x7E]/g, "").slice(0, maxLen);
+async function createProject(name, repos) {
+  const body = { name };
+  if (repos && repos.length > 0) body.repos = repos;
+  return callApi("POST", "/projects", body);
 }
-function shellQuoteSingle(value) {
-  return `'${value.replace(/'/g, "'\\''")}'`;
+async function listProjects() {
+  return callApi("GET", "/projects");
 }
-function writeConfigEnv(opts) {
-  const credsPath = join4(SYNKRO_DIR, "credentials.json");
-  const safeGateway = sanitizeConfigValue(opts.gatewayUrl);
-  const safeUserId = sanitizeConfigValue(opts.userId);
-  const safeOrgId = sanitizeConfigValue(opts.orgId);
-  const safeEmail = sanitizeConfigValue(opts.email);
-  const safeTier = sanitizeConfigValue(opts.tier ?? "pro", 32);
-  const lines = [
-    "# Synkro CLI config (managed by synkro install)",
-    "# JWT auth \u2014 the hook scripts read SYNKRO_CREDENTIALS_PATH at runtime",
-    "# and send Authorization: Bearer <access_token> on every gateway call.",
-    `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
-    `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
-    `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.2.6")}`
-  ];
-  if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
-  if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
-  if (safeEmail) lines.push(`SYNKRO_EMAIL=${shellQuoteSingle(safeEmail)}`);
-  lines.push("");
-  writeFileSync4(CONFIG_PATH, lines.join("\n"), "utf-8");
-  chmodSync(CONFIG_PATH, 384);
+async function unlinkRepo(projectId, repoId) {
+  return callApi("DELETE", `/projects/${projectId}/repos/${repoId}`);
 }
-function assertGatewayAllowed(gatewayUrl) {
-  let parsed;
-  try {
-    parsed = new URL(gatewayUrl);
+var import_dotenv, API_URL;
+var init_projects = __esm({
+  "cli/api/projects.ts"() {
+    "use strict";
+    import_dotenv = __toESM(require_main(), 1);
+    init_auth();
+    (0, import_dotenv.config)({ quiet: true });
+    API_URL = process.env.SYNKRO_CRUD_URL || process.env.SYNKRO_API_URL;
+  }
+});
+
+// cli/installer/workflowTemplate.ts
+var SYNKRO_WORKFLOW_YAML, WORKFLOW_PATH;
+var init_workflowTemplate = __esm({
+  "cli/installer/workflowTemplate.ts"() {
+    "use strict";
+    SYNKRO_WORKFLOW_YAML = `name: Synkro Security Review
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Cache npm globals
+        id: cache-npm-global
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm-global
+          key: synkro-cli-\${{ runner.os }}-v1
+
+      - name: Install Synkro CLI + Claude Code CLI
+        run: |
+          npm config set prefix ~/.npm-global
+          npm install -g @synkro-sh/cli @anthropic-ai/claude-code
+          echo "~/.npm-global/bin" >> $GITHUB_PATH
+
+      - name: Run Synkro PR scan
+        run: synkro-cli scan-pr
+        env:
+          CLAUDE_CODE_OAUTH_TOKEN: \${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          SYNKRO_API_KEY: \${{ secrets.SYNKRO_API_KEY }}
+          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+          SYNKRO_PR_NUMBER: \${{ github.event.pull_request.number }}
+          SYNKRO_REPO: \${{ github.repository }}
+          SYNKRO_SHA: \${{ github.event.pull_request.head.sha }}
+          SYNKRO_GATEWAY_URL: \${{ vars.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh' }}
+`;
+    WORKFLOW_PATH = ".github/workflows/synkro.yml";
+  }
+});
+
+// cli/installer/githubSetup.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+import { join as join4 } from "path";
+async function encryptSecret(publicKeyBase64, secret) {
+  const sodium = await import("libsodium-wrappers").then((m) => m.default ?? m);
+  await sodium.ready;
+  const keyBytes = sodium.from_base64(publicKeyBase64, sodium.base64_variants.ORIGINAL);
+  const messageBytes = sodium.from_string(secret);
+  const encryptedBytes = sodium.crypto_box_seal(messageBytes, keyBytes);
+  return sodium.to_base64(encryptedBytes, sodium.base64_variants.ORIGINAL);
+}
+async function getRepoPublicKey(opts, owner, repo) {
+  const url = `https://api.github.com/repos/${owner}/${repo}/actions/secrets/public-key`;
+  const resp = await fetch(url, {
+    headers: {
+      Authorization: `Bearer ${opts.token}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    }
+  });
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw new Error(`GitHub API ${resp.status} fetching public key for ${owner}/${repo}: ${text.slice(0, 200)}`);
+  }
+  return await resp.json();
+}
+async function putRepoSecret(opts, owner, repo, secretName, secretValue, publicKey) {
+  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
+  const url = `https://api.github.com/repos/${owner}/${repo}/actions/secrets/${encodeURIComponent(secretName)}`;
+  const resp = await fetch(url, {
+    method: "PUT",
+    headers: {
+      Authorization: `Bearer ${opts.token}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28",
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      encrypted_value: encryptedValue,
+      key_id: publicKey.key_id
+    })
+  });
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw new Error(`GitHub API ${resp.status} setting secret ${secretName}: ${text.slice(0, 200)}`);
+  }
+}
+async function listAccessibleRepos(opts) {
+  const repos = [];
+  let page = 1;
+  while (page <= 5) {
+    const url = `https://api.github.com/user/repos?per_page=100&page=${page}&affiliation=owner,collaborator`;
+    const resp = await fetch(url, {
+      headers: {
+        Authorization: `Bearer ${opts.token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (!resp.ok) {
+      throw new Error(`GitHub API ${resp.status} listing repos`);
+    }
+    const data = await resp.json();
+    if (data.length === 0) break;
+    for (const r of data) {
+      repos.push({ owner: r.owner.login, repo: r.name, full_name: r.full_name });
+    }
+    if (data.length < 100) break;
+    page++;
+  }
+  return repos;
+}
+async function pushSecretsToRepo(opts, owner, repo, secrets) {
+  const pubkey = await getRepoPublicKey(opts, owner, repo);
+  await putRepoSecret(opts, owner, repo, "CLAUDE_CODE_OAUTH_TOKEN", secrets.claudeCodeOauthToken, pubkey);
+  await putRepoSecret(opts, owner, repo, "SYNKRO_API_KEY", secrets.synkroApiKey, pubkey);
+}
+function writeWorkflowFile(repoRootPath) {
+  const workflowDir = join4(repoRootPath, ".github", "workflows");
+  mkdirSync4(workflowDir, { recursive: true });
+  const workflowFile = join4(workflowDir, "synkro.yml");
+  writeFileSync4(workflowFile, SYNKRO_WORKFLOW_YAML, "utf-8");
+  return workflowFile;
+}
+function findGitRoot(startCwd) {
+  let cur = startCwd;
+  while (cur && cur !== "/") {
+    if (existsSync5(join4(cur, ".git"))) return cur;
+    const parent = join4(cur, "..");
+    if (parent === cur) break;
+    cur = parent;
+  }
+  return null;
+}
+var SECRET_NAMES, WORKFLOW_RELATIVE_PATH;
+var init_githubSetup = __esm({
+  "cli/installer/githubSetup.ts"() {
+    "use strict";
+    init_workflowTemplate();
+    SECRET_NAMES = {
+      CLAUDE_OAUTH: "CLAUDE_CODE_OAUTH_TOKEN",
+      SYNKRO_API_KEY: "SYNKRO_API_KEY"
+    };
+    WORKFLOW_RELATIVE_PATH = WORKFLOW_PATH;
+  }
+});
+
+// cli/commands/repoConnect.ts
+import { execSync as execSync2 } from "child_process";
+import { createServer as createServer2 } from "http";
+import { createInterface } from "readline";
+function detectGitRepo() {
+  try {
+    const remoteUrl = execSync2("git remote get-url origin", { encoding: "utf-8", timeout: 5e3 }).trim();
+    const match = remoteUrl.match(/(?:github\.com|gitlab\.com|bitbucket\.org)[:/](.+?)(?:\.git)?$/);
+    if (!match) return null;
+    const fullName = match[1];
+    return { fullName, shortName: fullName.split("/").pop() || fullName };
+  } catch {
+    return null;
+  }
+}
+function ask(rl, question) {
+  return new Promise((resolve2) => rl.question(question, resolve2));
+}
+function waitForGithubToken() {
+  return new Promise((resolve2, reject) => {
+    const server = createServer2((req, res) => {
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": SYNKRO_WEB_AUTH_URL2,
+          "Access-Control-Allow-Methods": "POST, OPTIONS",
+          "Access-Control-Allow-Headers": "Content-Type"
+        });
+        res.end();
+        return;
+      }
+      if (req.url !== "/auth" || req.method !== "POST") {
+        res.writeHead(404);
+        res.end();
+        return;
+      }
+      let body = "";
+      req.on("data", (chunk) => {
+        body += chunk;
+      });
+      req.on("end", () => {
+        try {
+          const parsed = JSON.parse(body);
+          if (!parsed.github_token) {
+            res.writeHead(400, {
+              "Content-Type": "application/json",
+              "Access-Control-Allow-Origin": SYNKRO_WEB_AUTH_URL2
+            });
+            res.end(JSON.stringify({ error: "missing github_token" }));
+            return;
+          }
+          res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": SYNKRO_WEB_AUTH_URL2
+          });
+          res.end(JSON.stringify({ ok: true }));
+          setTimeout(() => server.close(), 200);
+          resolve2(parsed.github_token);
+        } catch {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "invalid json" }));
+        }
+      });
+    });
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        reject(new Error(`Port ${GITHUB_PORT} is in use. Close other processes and try again.`));
+      } else {
+        reject(err);
+      }
+    });
+    server.listen(GITHUB_PORT);
+  });
+}
+function openBrowser2(url) {
+  const { execFile: execFile2 } = __require("child_process");
+  const plat = process.platform;
+  if (plat === "darwin") execFile2("open", [url]);
+  else if (plat === "win32") execFile2("cmd", ["/c", "start", "", url]);
+  else execFile2("xdg-open", [url]);
+}
+async function connectGithubAndSelectRepos() {
+  const url = `${SYNKRO_WEB_AUTH_URL2}/cli-github?port=${GITHUB_PORT}`;
+  console.log("  Opening browser for GitHub authorization...");
+  openBrowser2(url);
+  console.log("  Waiting for GitHub authorization...");
+  const ghToken = await waitForGithubToken();
+  console.log("  \u2713 GitHub connected\n");
+  const repos = await listAccessibleRepos({ token: ghToken });
+  if (repos.length === 0) {
+    console.log("  No accessible repos found on GitHub.");
+    return [];
+  }
+  console.log(`  Found ${repos.length} repos:
+`);
+  repos.forEach((r, i) => {
+    console.log(`    ${String(i + 1).padStart(3)}. ${r.full_name}`);
+  });
+  console.log();
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const selection = await ask(rl, "  Select repos (comma-separated numbers, e.g. 1,3,5): ");
+    const indices = selection.split(",").map((s) => parseInt(s.trim(), 10) - 1).filter((n) => !isNaN(n) && n >= 0 && n < repos.length);
+    if (indices.length === 0) {
+      console.log("  No repos selected.");
+      return [];
+    }
+    return indices.map((i) => ({ full_name: repos[i].full_name }));
+  } finally {
+    rl.close();
+  }
+}
+async function promptRepoConnection() {
+  const localRepo = detectGitRepo();
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    console.log("Connect repos to Synkro:\n");
+    const options = [];
+    if (localRepo) {
+      options.push(`Link this repo (${localRepo.fullName})`);
+    }
+    options.push("Connect GitHub to select repos");
+    options.push("Skip for now");
+    options.forEach((opt, i) => {
+      console.log(`  ${i + 1}. ${opt}`);
+    });
+    console.log();
+    const choice = await ask(rl, "  Choose (number): ");
+    const choiceNum = parseInt(choice.trim(), 10);
+    console.log();
+    rl.close();
+    const localIdx = localRepo ? 1 : -1;
+    const githubIdx = localRepo ? 2 : 1;
+    const skipIdx = localRepo ? 3 : 2;
+    if (choiceNum === localIdx && localRepo) {
+      try {
+        const existing = await listProjects();
+        const alreadyLinked = existing.some(
+          (p) => p.repos?.some((r) => r.full_name === localRepo.fullName)
+        );
+        if (!alreadyLinked) {
+          await createProject(localRepo.shortName, [{ full_name: localRepo.fullName }]);
+          console.log(`  \u2713 Created project "${localRepo.shortName}" linked to ${localRepo.fullName}`);
+        } else {
+          console.log(`  \u2713 ${localRepo.fullName} is already linked to a Synkro project.`);
+        }
+      } catch (err) {
+        console.warn(`  \u26A0 Could not link repo: ${err.message}`);
+      }
+    } else if (choiceNum === githubIdx) {
+      const selectedRepos = await connectGithubAndSelectRepos();
+      if (selectedRepos.length > 0) {
+        try {
+          const existing = await listProjects();
+          const existingFullNames = new Set(
+            existing.flatMap((p) => (p.repos || []).map((r) => r.full_name))
+          );
+          const newRepos = selectedRepos.filter((r) => !existingFullNames.has(r.full_name));
+          if (newRepos.length === 0) {
+            console.log("  \u2713 All selected repos are already linked.");
+          } else {
+            const projectName = newRepos.length === 1 ? newRepos[0].full_name.split("/").pop() || "Project" : "Multi-Repo Project";
+            await createProject(projectName, newRepos);
+            console.log(`  \u2713 Linked ${newRepos.length} repo(s) to project "${projectName}"`);
+          }
+        } catch (err) {
+          console.warn(`  \u26A0 Could not link repos: ${err.message}`);
+        }
+      }
+    } else if (choiceNum === skipIdx) {
+      console.log("  Skipped. Run `synkro link` later to connect repos.");
+    } else {
+      console.log("  Invalid choice. Skipping repo connection.");
+    }
+  } catch {
+    rl.close();
+  }
+  console.log();
+}
+var RAW_WEB_AUTH_URL2, SYNKRO_WEB_AUTH_URL2, GITHUB_PORT;
+var init_repoConnect = __esm({
+  "cli/commands/repoConnect.ts"() {
+    "use strict";
+    init_projects();
+    init_githubSetup();
+    RAW_WEB_AUTH_URL2 = process.env.SYNKRO_WEB_AUTH_URL;
+    SYNKRO_WEB_AUTH_URL2 = RAW_WEB_AUTH_URL2 && /^https?:\/\//.test(RAW_WEB_AUTH_URL2) ? RAW_WEB_AUTH_URL2 : "https://app.synkro.sh";
+    GITHUB_PORT = 8101;
+  }
+});
+
+// cli/commands/install.ts
+var install_exports = {};
+__export(install_exports, {
+  installCommand: () => installCommand,
+  parseArgs: () => parseArgs
+});
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5, chmodSync, readFileSync as readFileSync4, readdirSync } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
+import { execSync as execSync3 } from "child_process";
+function sanitizeGatewayCandidate(raw) {
+  if (!raw) return void 0;
+  return /^https?:\/\//.test(raw) ? raw : void 0;
+}
+function parseArgs(argv) {
+  const opts = {};
+  for (const a of argv) {
+    if (a.startsWith("--api-key=")) opts.apiKey = a.slice("--api-key=".length);
+    else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
+    else if (a === "--skip-auth") opts.skipAuth = true;
+    else if (a === "--no-mcp") opts.noMcp = true;
+    else if (a === "--force" || a === "-f") opts.force = true;
+  }
+  if (!opts.gatewayUrl) {
+    const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
+    if (fromEnv) opts.gatewayUrl = fromEnv;
+  }
+  return opts;
+}
+function ensureSynkroDir() {
+  mkdirSync5(SYNKRO_DIR, { recursive: true });
+  mkdirSync5(HOOKS_DIR, { recursive: true });
+  mkdirSync5(BIN_DIR, { recursive: true });
+}
+function writeGraderDaemon() {
+  writeFileSync5(GRADER_DAEMON_PATH, GRADER_DAEMON_PY, "utf-8");
+  chmodSync(GRADER_DAEMON_PATH, 493);
+  writeFileSync5(GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_EDIT, "utf-8");
+  chmodSync(GRADER_PRIMER_EDIT_PATH, 420);
+  writeFileSync5(GRADER_PRIMER_BASH_PATH, GRADER_PRIMER_BASH, "utf-8");
+  chmodSync(GRADER_PRIMER_BASH_PATH, 420);
+}
+function writeHookScripts() {
+  const bashScriptPath = join5(HOOKS_DIR, "cc-bash-judge.sh");
+  const bashFollowupScriptPath = join5(HOOKS_DIR, "cc-bash-followup.sh");
+  const editCaptureScriptPath = join5(HOOKS_DIR, "cc-edit-capture.sh");
+  const editPrecheckScriptPath = join5(HOOKS_DIR, "cc-edit-precheck.sh");
+  const stopSummaryScriptPath = join5(HOOKS_DIR, "cc-stop-summary.sh");
+  const sessionStartScriptPath = join5(HOOKS_DIR, "cc-session-start.sh");
+  writeFileSync5(bashScriptPath, CC_BASH_JUDGE_SCRIPT, "utf-8");
+  writeFileSync5(bashFollowupScriptPath, CC_BASH_FOLLOWUP_SCRIPT, "utf-8");
+  writeFileSync5(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
+  writeFileSync5(editPrecheckScriptPath, CC_EDIT_PRECHECK_SCRIPT, "utf-8");
+  writeFileSync5(stopSummaryScriptPath, CC_STOP_SUMMARY_SCRIPT, "utf-8");
+  writeFileSync5(sessionStartScriptPath, CC_SESSION_START_SCRIPT, "utf-8");
+  chmodSync(bashScriptPath, 493);
+  chmodSync(bashFollowupScriptPath, 493);
+  chmodSync(editCaptureScriptPath, 493);
+  chmodSync(editPrecheckScriptPath, 493);
+  chmodSync(stopSummaryScriptPath, 493);
+  chmodSync(sessionStartScriptPath, 493);
+  return {
+    bashScript: bashScriptPath,
+    bashFollowupScript: bashFollowupScriptPath,
+    editCaptureScript: editCaptureScriptPath,
+    editPrecheckScript: editPrecheckScriptPath,
+    stopSummaryScript: stopSummaryScriptPath,
+    sessionStartScript: sessionStartScriptPath
+  };
+}
+function sanitizeConfigValue(raw, maxLen = 256) {
+  if (!raw) return "";
+  return raw.replace(/[^\x20-\x7E]/g, "").slice(0, maxLen);
+}
+function shellQuoteSingle(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function writeConfigEnv(opts) {
+  const credsPath = join5(SYNKRO_DIR, "credentials.json");
+  const safeGateway = sanitizeConfigValue(opts.gatewayUrl);
+  const safeUserId = sanitizeConfigValue(opts.userId);
+  const safeOrgId = sanitizeConfigValue(opts.orgId);
+  const safeEmail = sanitizeConfigValue(opts.email);
+  const safeTier = sanitizeConfigValue(opts.tier ?? "pro", 32);
+  const lines = [
+    "# Synkro CLI config (managed by synkro install)",
+    "# JWT auth \u2014 the hook scripts read SYNKRO_CREDENTIALS_PATH at runtime",
+    "# and send Authorization: Bearer <access_token> on every gateway call.",
+    `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
+    `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
+    `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.3")}`
+  ];
+  if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
+  if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
+  if (safeEmail) lines.push(`SYNKRO_EMAIL=${shellQuoteSingle(safeEmail)}`);
+  lines.push("");
+  writeFileSync5(CONFIG_PATH, lines.join("\n"), "utf-8");
+  chmodSync(CONFIG_PATH, 384);
+}
+function assertGatewayAllowed(gatewayUrl) {
+  let parsed;
+  try {
+    parsed = new URL(gatewayUrl);
   } catch {
     throw new Error(`Invalid gateway URL: ${gatewayUrl}`);
   }
@@ -2253,17 +3229,17 @@ function assertGatewayAllowed(gatewayUrl) {
 }
 function isAlreadyInstalled() {
   const requiredScripts = [
-    join4(HOOKS_DIR, "cc-bash-judge.sh"),
-    join4(HOOKS_DIR, "cc-bash-followup.sh"),
-    join4(HOOKS_DIR, "cc-edit-precheck.sh"),
-    join4(HOOKS_DIR, "cc-edit-capture.sh"),
-    join4(HOOKS_DIR, "cc-stop-summary.sh"),
-    join4(HOOKS_DIR, "cc-session-start.sh")
+    join5(HOOKS_DIR, "cc-bash-judge.sh"),
+    join5(HOOKS_DIR, "cc-bash-followup.sh"),
+    join5(HOOKS_DIR, "cc-edit-precheck.sh"),
+    join5(HOOKS_DIR, "cc-edit-capture.sh"),
+    join5(HOOKS_DIR, "cc-stop-summary.sh"),
+    join5(HOOKS_DIR, "cc-session-start.sh")
   ];
-  if (!requiredScripts.every((p) => existsSync5(p))) return false;
-  if (!existsSync5(CONFIG_PATH)) return false;
-  const settingsPath = join4(homedir4(), ".claude", "settings.json");
-  if (!existsSync5(settingsPath)) return false;
+  if (!requiredScripts.every((p) => existsSync6(p))) return false;
+  if (!existsSync6(CONFIG_PATH)) return false;
+  const settingsPath = join5(homedir4(), ".claude", "settings.json");
+  if (!existsSync6(settingsPath)) return false;
   try {
     const settings = JSON.parse(readFileSync4(settingsPath, "utf-8"));
     const hooks = settings?.hooks;
@@ -2324,6 +3300,7 @@ async function installCommand(opts = {}) {
     console.error("No access token available after auth.");
     process.exit(1);
   }
+  await promptRepoConnection();
   const agents = detectAgents();
   if (agents.length === 0) {
     console.error("No AI coding agents detected. Install Claude Code first: https://docs.claude.com/claude-code");
@@ -2346,7 +3323,7 @@ async function installCommand(opts = {}) {
 `);
   writeGraderDaemon();
   for (const mode of ["edit", "bash"]) {
-    const pidFile = join4(SYNKRO_DIR, "daemon", mode, "daemon.pid");
+    const pidFile = join5(SYNKRO_DIR, "daemon", mode, "daemon.pid");
     try {
       const pid = parseInt(readFileSync4(pidFile, "utf-8").trim(), 10);
       if (pid > 0) {
@@ -2417,12 +3394,115 @@ async function installCommand(opts = {}) {
   writeConfigEnv({ gatewayUrl, userId, orgId, email });
   console.log(`Wrote config to ${CONFIG_PATH}
 `);
+  try {
+    const repo = detectGitRepo2();
+    if (repo) {
+      const ingested = await ingestSessionTranscripts(gatewayUrl, token, repo);
+      if (ingested > 0) {
+        console.log(`Indexed ${ingested} session insights from Claude Code history for ${repo}.`);
+        console.log("  This helps the safety judge understand your workflow.\n");
+      }
+    }
+  } catch (err) {
+    console.warn(`  \u26A0 Session indexing skipped: ${err.message}
+`);
+  }
   console.log("\u2713 Synkro installed.");
   console.log();
   console.log("Next steps:");
   console.log("  \u2022 synkro-cli setup-github   (enable PR scanning)");
   console.log("  \u2022 synkro-cli status         (check what is configured)");
 }
+function detectGitRepo2() {
+  try {
+    const remoteUrl = execSync3("git remote get-url origin", { encoding: "utf-8", timeout: 5e3 }).trim();
+    const match = remoteUrl.match(/(?:github\.com|gitlab\.com|bitbucket\.org)[:/](.+?)(?:\.git)?$/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+function getClaudeProjectsFolder() {
+  const cwd = process.cwd();
+  const sanitized = "-" + cwd.replace(/\//g, "-");
+  const projectsDir = join5(homedir4(), ".claude", "projects", sanitized);
+  return existsSync6(projectsDir) ? projectsDir : null;
+}
+function extractSessionInsights(projectsDir) {
+  const insights = [];
+  const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
+  for (const file of files) {
+    const sessionId = file.replace(".jsonl", "");
+    const filePath = join5(projectsDir, file);
+    try {
+      const content = readFileSync4(filePath, "utf-8");
+      const lines = content.split("\n").filter(Boolean);
+      for (let i = 0; i < lines.length; i++) {
+        try {
+          const entry = JSON.parse(lines[i]);
+          if (entry.type === "user" && typeof entry.message?.content === "string" && entry.message.content.startsWith("This session is being continued")) {
+            insights.push({
+              session_id: sessionId,
+              insight_type: "summary",
+              content: entry.message.content.slice(0, 4e3),
+              metadata: { source: "compaction_summary" }
+            });
+          }
+        } catch {
+        }
+      }
+      const userMessages = [];
+      for (let i = lines.length - 1; i >= 0 && userMessages.length < 20; i--) {
+        try {
+          const entry = JSON.parse(lines[i]);
+          if (entry.type === "user") {
+            const text = typeof entry.message?.content === "string" ? entry.message.content : Array.isArray(entry.message?.content) ? entry.message.content.map((b) => b.text ?? b).filter((t) => typeof t === "string").join(" ") : null;
+            if (text && text.length > 10 && text.length < 2e3 && !text.startsWith("This session is being continued")) {
+              userMessages.push(text);
+            }
+          }
+        } catch {
+        }
+      }
+      for (const msg of userMessages.reverse()) {
+        insights.push({
+          session_id: sessionId,
+          insight_type: "user_message",
+          content: msg.slice(0, 2e3)
+        });
+      }
+    } catch {
+    }
+  }
+  return insights;
+}
+async function ingestSessionTranscripts(gatewayUrl, token, repo) {
+  const projectsDir = getClaudeProjectsFolder();
+  if (!projectsDir) return 0;
+  const insights = extractSessionInsights(projectsDir);
+  if (insights.length === 0) return 0;
+  console.log(`Found ${insights.length} session insights from Claude Code history...`);
+  let total = 0;
+  for (let i = 0; i < insights.length; i += 100) {
+    const batch = insights.slice(i, i + 100);
+    try {
+      const resp = await fetch(`${gatewayUrl}/api/v1/cli/ingest-sessions`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ repo, sessions: batch })
+      });
+      if (resp.ok) {
+        const result = await resp.json();
+        total += result.ingested;
+      }
+    } catch {
+    }
+  }
+  return total;
+}
 var SYNKRO_DIR, HOOKS_DIR, BIN_DIR, CONFIG_PATH, GRADER_DAEMON_PATH, GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_BASH_PATH;
 var init_install = __esm({
   "cli/commands/install.ts"() {
@@ -2433,13 +3513,14 @@ var init_install = __esm({
     init_hookScripts();
     init_graderDaemon();
     init_stub();
-    SYNKRO_DIR = join4(homedir4(), ".synkro");
-    HOOKS_DIR = join4(SYNKRO_DIR, "hooks");
-    BIN_DIR = join4(SYNKRO_DIR, "bin");
-    CONFIG_PATH = join4(SYNKRO_DIR, "config.env");
-    GRADER_DAEMON_PATH = join4(BIN_DIR, "grader_daemon.py");
-    GRADER_PRIMER_EDIT_PATH = join4(SYNKRO_DIR, "grader-primer-edit.txt");
-    GRADER_PRIMER_BASH_PATH = join4(SYNKRO_DIR, "grader-primer-bash.txt");
+    init_repoConnect();
+    SYNKRO_DIR = join5(homedir4(), ".synkro");
+    HOOKS_DIR = join5(SYNKRO_DIR, "hooks");
+    BIN_DIR = join5(SYNKRO_DIR, "bin");
+    CONFIG_PATH = join5(SYNKRO_DIR, "config.env");
+    GRADER_DAEMON_PATH = join5(BIN_DIR, "grader_daemon.py");
+    GRADER_PRIMER_EDIT_PATH = join5(SYNKRO_DIR, "grader-primer-edit.txt");
+    GRADER_PRIMER_BASH_PATH = join5(SYNKRO_DIR, "grader-primer-bash.txt");
   }
 });
 
@@ -2515,11 +3596,11 @@ var status_exports = {};
 __export(status_exports, {
   statusCommand: () => statusCommand
 });
-import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
 import { homedir as homedir5 } from "os";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 function readConfigEnv() {
-  if (!existsSync6(CONFIG_PATH2)) return {};
+  if (!existsSync7(CONFIG_PATH2)) return {};
   const out = {};
   const raw = readFileSync5(CONFIG_PATH2, "utf-8");
   for (const line of raw.split("\n")) {
@@ -2545,21 +3626,21 @@ function statusCommand() {
     console.log("Authentication: \u2717 not logged in (run: synkro-cli login)");
   }
   console.log();
-  const config = readConfigEnv();
+  const config2 = readConfigEnv();
   console.log("Config:");
-  console.log(`  gateway:     ${config.SYNKRO_GATEWAY_URL ?? "(unset)"}`);
-  console.log(`  credentials: ${config.SYNKRO_CREDENTIALS_PATH ?? "(unset)"}`);
-  console.log(`  tier:        ${config.SYNKRO_TIER ?? "(unset)"}`);
+  console.log(`  gateway:     ${config2.SYNKRO_GATEWAY_URL ?? "(unset)"}`);
+  console.log(`  credentials: ${config2.SYNKRO_CREDENTIALS_PATH ?? "(unset)"}`);
+  console.log(`  tier:        ${config2.SYNKRO_TIER ?? "(unset)"}`);
   const info2 = getUserInfo();
-  const userId = info2?.id ?? config.SYNKRO_USER_ID ?? "default";
-  const tierCacheFile = join5(SYNKRO_DIR2, `.tier-cache-${userId}`);
-  let inferenceTier = config.SYNKRO_INFERENCE_TIER || null;
-  if (!inferenceTier && existsSync6(tierCacheFile)) {
+  const userId = info2?.id ?? config2.SYNKRO_USER_ID ?? "default";
+  const tierCacheFile = join6(SYNKRO_DIR2, `.tier-cache-${userId}`);
+  let inferenceTier = config2.SYNKRO_INFERENCE_TIER || null;
+  if (!inferenceTier && existsSync7(tierCacheFile)) {
     inferenceTier = readFileSync5(tierCacheFile, "utf-8").trim() || null;
   }
   const tierLabel = inferenceTier === "fast" ? "'fast' (server-side grading)" : inferenceTier === "free" ? "'free' (local daemon grading)" : "(unknown \u2014 fires on next hook)";
   console.log(`  inference:   ${tierLabel}`);
-  console.log(`  version:     ${config.SYNKRO_VERSION ?? "(unset)"}`);
+  console.log(`  version:     ${config2.SYNKRO_VERSION ?? "(unset)"}`);
   console.log();
   const agents = detectAgents();
   console.log("Detected agents:");
@@ -2582,19 +3663,19 @@ function statusCommand() {
     }
   }
   console.log();
-  const bashScript = join5(SYNKRO_DIR2, "hooks", "cc-bash-judge.sh");
-  const bashFollowupScript = join5(SYNKRO_DIR2, "hooks", "cc-bash-followup.sh");
-  const editPrecheckScript = join5(SYNKRO_DIR2, "hooks", "cc-edit-precheck.sh");
-  const editCaptureScript = join5(SYNKRO_DIR2, "hooks", "cc-edit-capture.sh");
-  const stopSummaryScript = join5(SYNKRO_DIR2, "hooks", "cc-stop-summary.sh");
-  const sessionStartScript = join5(SYNKRO_DIR2, "hooks", "cc-session-start.sh");
+  const bashScript = join6(SYNKRO_DIR2, "hooks", "cc-bash-judge.sh");
+  const bashFollowupScript = join6(SYNKRO_DIR2, "hooks", "cc-bash-followup.sh");
+  const editPrecheckScript = join6(SYNKRO_DIR2, "hooks", "cc-edit-precheck.sh");
+  const editCaptureScript = join6(SYNKRO_DIR2, "hooks", "cc-edit-capture.sh");
+  const stopSummaryScript = join6(SYNKRO_DIR2, "hooks", "cc-stop-summary.sh");
+  const sessionStartScript = join6(SYNKRO_DIR2, "hooks", "cc-session-start.sh");
   console.log("Hook scripts:");
-  console.log(`  ${existsSync6(bashScript) ? "\u2713" : "\u2717"} ${bashScript}`);
-  console.log(`  ${existsSync6(bashFollowupScript) ? "\u2713" : "\u2717"} ${bashFollowupScript}`);
-  console.log(`  ${existsSync6(editPrecheckScript) ? "\u2713" : "\u2717"} ${editPrecheckScript}`);
-  console.log(`  ${existsSync6(editCaptureScript) ? "\u2713" : "\u2717"} ${editCaptureScript}`);
-  console.log(`  ${existsSync6(stopSummaryScript) ? "\u2713" : "\u2717"} ${stopSummaryScript}`);
-  console.log(`  ${existsSync6(sessionStartScript) ? "\u2713" : "\u2717"} ${sessionStartScript}`);
+  console.log(`  ${existsSync7(bashScript) ? "\u2713" : "\u2717"} ${bashScript}`);
+  console.log(`  ${existsSync7(bashFollowupScript) ? "\u2713" : "\u2717"} ${bashFollowupScript}`);
+  console.log(`  ${existsSync7(editPrecheckScript) ? "\u2713" : "\u2717"} ${editPrecheckScript}`);
+  console.log(`  ${existsSync7(editCaptureScript) ? "\u2713" : "\u2717"} ${editCaptureScript}`);
+  console.log(`  ${existsSync7(stopSummaryScript) ? "\u2713" : "\u2717"} ${stopSummaryScript}`);
+  console.log(`  ${existsSync7(sessionStartScript) ? "\u2713" : "\u2717"} ${sessionStartScript}`);
   console.log();
   const mcp = inspectMcpConfig();
   console.log("Guardrails MCP server (Claude Code):");
@@ -2614,165 +3695,88 @@ var init_status = __esm({
     init_agentDetect();
     init_ccHookConfig();
     init_mcpConfig();
-    SYNKRO_DIR2 = join5(homedir5(), ".synkro");
-    CONFIG_PATH2 = join5(SYNKRO_DIR2, "config.env");
+    SYNKRO_DIR2 = join6(homedir5(), ".synkro");
+    CONFIG_PATH2 = join6(SYNKRO_DIR2, "config.env");
   }
 });
 
-// cli/installer/workflowTemplate.ts
-var SYNKRO_WORKFLOW_YAML, WORKFLOW_PATH;
-var init_workflowTemplate = __esm({
-  "cli/installer/workflowTemplate.ts"() {
+// cli/commands/link.ts
+var link_exports = {};
+__export(link_exports, {
+  linkCommand: () => linkCommand
+});
+async function linkCommand() {
+  if (!isAuthenticated()) {
+    console.error("Not authenticated. Run `synkro install` or `synkro login` first.");
+    process.exit(1);
+  }
+  await ensureValidToken();
+  await promptRepoConnection();
+}
+var init_link = __esm({
+  "cli/commands/link.ts"() {
     "use strict";
-    SYNKRO_WORKFLOW_YAML = `name: Synkro Security Review
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      checks: write
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Cache npm globals
-        id: cache-npm-global
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm-global
-          key: synkro-cli-\${{ runner.os }}-v1
-
-      - name: Install Synkro CLI + Claude Code CLI
-        run: |
-          npm config set prefix ~/.npm-global
-          npm install -g @synkro-sh/cli @anthropic-ai/claude-code
-          echo "~/.npm-global/bin" >> $GITHUB_PATH
-
-      - name: Run Synkro PR scan
-        run: synkro-cli scan-pr
-        env:
-          CLAUDE_CODE_OAUTH_TOKEN: \${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          SYNKRO_API_KEY: \${{ secrets.SYNKRO_API_KEY }}
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-          SYNKRO_PR_NUMBER: \${{ github.event.pull_request.number }}
-          SYNKRO_REPO: \${{ github.repository }}
-          SYNKRO_SHA: \${{ github.event.pull_request.head.sha }}
-          SYNKRO_GATEWAY_URL: \${{ vars.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh' }}
-`;
-    WORKFLOW_PATH = ".github/workflows/synkro.yml";
+    init_stub();
+    init_repoConnect();
   }
 });
 
-// cli/installer/githubSetup.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-import { join as join6 } from "path";
-async function encryptSecret(publicKeyBase64, secret) {
-  const sodium = await import("libsodium-wrappers").then((m) => m.default ?? m);
-  await sodium.ready;
-  const keyBytes = sodium.from_base64(publicKeyBase64, sodium.base64_variants.ORIGINAL);
-  const messageBytes = sodium.from_string(secret);
-  const encryptedBytes = sodium.crypto_box_seal(messageBytes, keyBytes);
-  return sodium.to_base64(encryptedBytes, sodium.base64_variants.ORIGINAL);
+// cli/commands/unlink.ts
+var unlink_exports = {};
+__export(unlink_exports, {
+  unlinkCommand: () => unlinkCommand
+});
+import { createInterface as createInterface2 } from "readline";
+function ask2(rl, question) {
+  return new Promise((resolve2) => rl.question(question, resolve2));
 }
-async function getRepoPublicKey(opts, owner, repo) {
-  const url = `https://api.github.com/repos/${owner}/${repo}/actions/secrets/public-key`;
-  const resp = await fetch(url, {
-    headers: {
-      Authorization: `Bearer ${opts.token}`,
-      Accept: "application/vnd.github+json",
-      "X-GitHub-Api-Version": "2022-11-28"
+async function unlinkCommand() {
+  if (!isAuthenticated()) {
+    console.error("Not authenticated. Run `synkro install` or `synkro login` first.");
+    process.exit(1);
+  }
+  await ensureValidToken();
+  const projects = await listProjects();
+  const linked = [];
+  for (const p of projects) {
+    for (const r of p.repos || []) {
+      if (r.full_name && r.id) {
+        linked.push({ projectId: p.id, projectName: p.name, repoId: r.id, fullName: r.full_name });
+      }
     }
-  });
-  if (!resp.ok) {
-    const text = await resp.text().catch(() => "");
-    throw new Error(`GitHub API ${resp.status} fetching public key for ${owner}/${repo}: ${text.slice(0, 200)}`);
   }
-  return await resp.json();
-}
-async function putRepoSecret(opts, owner, repo, secretName, secretValue, publicKey) {
-  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
-  const url = `https://api.github.com/repos/${owner}/${repo}/actions/secrets/${encodeURIComponent(secretName)}`;
-  const resp = await fetch(url, {
-    method: "PUT",
-    headers: {
-      Authorization: `Bearer ${opts.token}`,
-      Accept: "application/vnd.github+json",
-      "X-GitHub-Api-Version": "2022-11-28",
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({
-      encrypted_value: encryptedValue,
-      key_id: publicKey.key_id
-    })
-  });
-  if (!resp.ok) {
-    const text = await resp.text().catch(() => "");
-    throw new Error(`GitHub API ${resp.status} setting secret ${secretName}: ${text.slice(0, 200)}`);
+  if (linked.length === 0) {
+    console.log("No linked repos found.");
+    return;
   }
-}
-async function listAccessibleRepos(opts) {
-  const repos = [];
-  let page = 1;
-  while (page <= 5) {
-    const url = `https://api.github.com/user/repos?per_page=100&page=${page}&affiliation=owner,collaborator`;
-    const resp = await fetch(url, {
-      headers: {
-        Authorization: `Bearer ${opts.token}`,
-        Accept: "application/vnd.github+json",
-        "X-GitHub-Api-Version": "2022-11-28"
-      }
-    });
-    if (!resp.ok) {
-      throw new Error(`GitHub API ${resp.status} listing repos`);
+  console.log("\nLinked repos:\n");
+  linked.forEach((r, i) => {
+    console.log(`  ${i + 1}. ${r.fullName} (${r.projectName})`);
+  });
+  console.log();
+  const rl = createInterface2({ input: process.stdin, output: process.stdout });
+  try {
+    const selection = await ask2(rl, "  Select repos to unlink (comma-separated numbers): ");
+    const indices = selection.split(",").map((s) => parseInt(s.trim(), 10) - 1).filter((n) => !isNaN(n) && n >= 0 && n < linked.length);
+    if (indices.length === 0) {
+      console.log("  No repos selected.");
+      return;
     }
-    const data = await resp.json();
-    if (data.length === 0) break;
-    for (const r of data) {
-      repos.push({ owner: r.owner.login, repo: r.name, full_name: r.full_name });
+    for (const idx of indices) {
+      const r = linked[idx];
+      await unlinkRepo(r.projectId, r.repoId);
+      console.log(`  \u2713 Unlinked ${r.fullName} from ${r.projectName}`);
     }
-    if (data.length < 100) break;
-    page++;
-  }
-  return repos;
-}
-async function pushSecretsToRepo(opts, owner, repo, secrets) {
-  const pubkey = await getRepoPublicKey(opts, owner, repo);
-  await putRepoSecret(opts, owner, repo, "CLAUDE_CODE_OAUTH_TOKEN", secrets.claudeCodeOauthToken, pubkey);
-  await putRepoSecret(opts, owner, repo, "SYNKRO_API_KEY", secrets.synkroApiKey, pubkey);
-}
-function writeWorkflowFile(repoRootPath) {
-  const workflowDir = join6(repoRootPath, ".github", "workflows");
-  mkdirSync5(workflowDir, { recursive: true });
-  const workflowFile = join6(workflowDir, "synkro.yml");
-  writeFileSync5(workflowFile, SYNKRO_WORKFLOW_YAML, "utf-8");
-  return workflowFile;
-}
-function findGitRoot(startCwd) {
-  let cur = startCwd;
-  while (cur && cur !== "/") {
-    if (existsSync7(join6(cur, ".git"))) return cur;
-    const parent = join6(cur, "..");
-    if (parent === cur) break;
-    cur = parent;
+  } finally {
+    rl.close();
   }
-  return null;
+  console.log();
 }
-var SECRET_NAMES, WORKFLOW_RELATIVE_PATH;
-var init_githubSetup = __esm({
-  "cli/installer/githubSetup.ts"() {
+var init_unlink = __esm({
+  "cli/commands/unlink.ts"() {
     "use strict";
-    init_workflowTemplate();
-    SECRET_NAMES = {
-      CLAUDE_OAUTH: "CLAUDE_CODE_OAUTH_TOKEN",
-      SYNKRO_API_KEY: "SYNKRO_API_KEY"
-    };
-    WORKFLOW_RELATIVE_PATH = WORKFLOW_PATH;
+    init_stub();
+    init_projects();
   }
 });
 
@@ -2781,7 +3785,7 @@ var setupGithub_exports = {};
 __export(setupGithub_exports, {
   setupGithubCommand: () => setupGithubCommand
 });
-import { createInterface } from "readline/promises";
+import { createInterface as createInterface3 } from "readline/promises";
 import { stdin as input, stdout as output } from "process";
 import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
 import { homedir as homedir6 } from "os";
@@ -2832,8 +3836,8 @@ async function setupGithubCommand() {
     console.error("Not authenticated. Run `synkro-cli login` first.");
     process.exit(1);
   }
-  const config = readConfig();
-  const gatewayUrl = (config.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const config2 = readConfig();
+  const gatewayUrl = (config2.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
   const jwt2 = getAccessToken();
   if (!jwt2) {
     console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro-cli login`.");
@@ -2862,7 +3866,7 @@ async function setupGithubCommand() {
     console.error(`Failed to mint CI API key: ${err.message}`);
     process.exit(1);
   }
-  const rl = createInterface({ input, output });
+  const rl = createInterface3({ input, output });
   console.log("Synkro PR scan setup\n");
   console.log("Requirements:");
   console.log("  \u2022 Claude Code Pro or Max subscription (for `claude setup-token`)");
@@ -2969,7 +3973,7 @@ var scanPr_exports = {};
 __export(scanPr_exports, {
   scanPrCommand: () => scanPrCommand
 });
-import { execSync as execSync2, spawn } from "child_process";
+import { execSync as execSync4, spawn } from "child_process";
 function parseMatchSpec(condition) {
   if (!condition.startsWith("match_spec:")) return null;
   try {
@@ -3075,7 +4079,7 @@ function shouldSkipFile(filename) {
   return SKIP_FILE_PATTERNS.some((p) => p.test(filename));
 }
 function ghJson(args2) {
-  const out = execSync2(`gh ${args2.map((a) => `'${a.replace(/'/g, "'\\''")}'`).join(" ")}`, {
+  const out = execSync4(`gh ${args2.map((a) => `'${a.replace(/'/g, "'\\''")}'`).join(" ")}`, {
     encoding: "utf-8",
     maxBuffer: 16 * 1024 * 1024
   });
@@ -3191,7 +4195,7 @@ ${finding.description}
 
 **Fix:** ${finding.fix}`;
   try {
-    execSync2(
+    execSync4(
       `gh api -X POST /repos/${repo}/pulls/${prNumber}/comments -f body=${JSON.stringify(body)} -f commit_id=${sha} -f path=${JSON.stringify(finding.file)} -F line=${finding.line} -f side=RIGHT`,
       { encoding: "utf-8", stdio: ["ignore", "ignore", "pipe"] }
     );
@@ -3213,7 +4217,7 @@ function postCheckRun(repo, sha, conclusion, findings) {
     }
   });
   try {
-    execSync2(`gh api -X POST /repos/${repo}/check-runs --input -`, {
+    execSync4(`gh api -X POST /repos/${repo}/check-runs --input -`, {
       encoding: "utf-8",
       input: body,
       stdio: ["pipe", "ignore", "pipe"]
@@ -3431,6 +4435,43 @@ var init_disconnect = __esm({
   }
 });
 
+// cli/commands/uninstall.ts
+var uninstall_exports = {};
+__export(uninstall_exports, {
+  uninstallCommand: () => uninstallCommand
+});
+function uninstallCommand() {
+  console.log("Uninstalling Synkro...\n");
+  disconnectCommand(["--purge"]);
+  console.log("\nTo reinstall later: synkro install");
+}
+var init_uninstall = __esm({
+  "cli/commands/uninstall.ts"() {
+    "use strict";
+    init_disconnect();
+  }
+});
+
+// cli/commands/reinstall.ts
+var reinstall_exports = {};
+__export(reinstall_exports, {
+  reinstallCommand: () => reinstallCommand
+});
+async function reinstallCommand() {
+  console.log("Reinstalling Synkro...\n");
+  disconnectCommand(["--purge"]);
+  console.log("");
+  await installCommand({ force: true });
+  console.log("\n\u2713 Synkro reinstalled.");
+}
+var init_reinstall = __esm({
+  "cli/commands/reinstall.ts"() {
+    "use strict";
+    init_disconnect();
+    init_install();
+  }
+});
+
 // cli/bootstrap.js
 import { readFileSync as readFileSync7, existsSync as existsSync10 } from "fs";
 import { resolve } from "path";
@@ -3466,10 +4507,14 @@ Commands:
   login                Authenticate with Synkro (browser OAuth via WorkOS)
   logout               Clear local credentials
   status               Show current setup state
+  link                 Link repos to a Synkro project (local git or GitHub OAuth)
+  unlink               Remove repo links from Synkro projects
   setup-github         Configure GitHub PR scanning (push secrets + workflow file)
   scan-pr              Run a PR scan (used by GitHub Actions, not for direct invocation)
   update               Refresh hook configs and judge prompts
   disconnect [--purge] Remove Synkro hooks from agents (--purge also removes ~/.synkro)
+  uninstall            Fully remove Synkro from this machine
+  reinstall            Clean uninstall + fresh install
   help                 Show this message
 
 Quick start:
@@ -3502,6 +4547,16 @@ async function main() {
       statusCommand2();
       break;
     }
+    case "link": {
+      const { linkCommand: linkCommand2 } = await Promise.resolve().then(() => (init_link(), link_exports));
+      await linkCommand2();
+      break;
+    }
+    case "unlink": {
+      const { unlinkCommand: unlinkCommand2 } = await Promise.resolve().then(() => (init_unlink(), unlink_exports));
+      await unlinkCommand2();
+      break;
+    }
     case "setup-github": {
       const { setupGithubCommand: setupGithubCommand2 } = await Promise.resolve().then(() => (init_setupGithub(), setupGithub_exports));
       await setupGithubCommand2();
@@ -3522,6 +4577,16 @@ async function main() {
       disconnectCommand2(subArgs);
       break;
     }
+    case "uninstall": {
+      const { uninstallCommand: uninstallCommand2 } = await Promise.resolve().then(() => (init_uninstall(), uninstall_exports));
+      uninstallCommand2();
+      break;
+    }
+    case "reinstall": {
+      const { reinstallCommand: reinstallCommand2 } = await Promise.resolve().then(() => (init_reinstall(), reinstall_exports));
+      await reinstallCommand2();
+      break;
+    }
     case "help":
     case "--help":
     case "-h":