@synkro-sh/cli 1.3.20 → 1.3.22

package/dist/bootstrap.js

@@ -2495,6 +2495,14 @@ var init_workflowTemplate = __esm({
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: PR number to scan
+        required: true
+      sha:
+        description: Commit SHA to scan
+        required: true
 
 jobs:
   scan:
@@ -2507,6 +2515,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: \${{ inputs.sha || github.event.pull_request.head.sha }}
 
       - name: Cache npm globals
         id: cache-npm-global
@@ -2527,9 +2536,9 @@ jobs:
           CLAUDE_CODE_OAUTH_TOKEN: \${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           SYNKRO_API_KEY: \${{ secrets.SYNKRO_API_KEY }}
           GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-          SYNKRO_PR_NUMBER: \${{ github.event.pull_request.number }}
+          SYNKRO_PR_NUMBER: \${{ inputs.pr_number || github.event.pull_request.number }}
           SYNKRO_REPO: \${{ github.repository }}
-          SYNKRO_SHA: \${{ github.event.pull_request.head.sha }}
+          SYNKRO_SHA: \${{ inputs.sha || github.event.pull_request.head.sha }}
           SYNKRO_GATEWAY_URL: \${{ vars.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh' }}
 `;
     WORKFLOW_PATH = ".github/workflows/synkro.yml";
@@ -2721,14 +2730,14 @@ function waitForGithubToken() {
   });
 }
 function openBrowser2(url) {
-  const { execFile: execFile2 } = __require("child_process");
+  const { execFile: execFile3 } = __require("child_process");
   const plat = process.platform;
   const cb = (err) => {
     if (err) console.log(`  Open this URL manually: ${url}`);
   };
-  if (plat === "darwin") execFile2("open", [url], cb);
-  else if (plat === "win32") execFile2("cmd", ["/c", "start", "", url], cb);
-  else execFile2("xdg-open", [url], cb);
+  if (plat === "darwin") execFile3("open", [url], cb);
+  else if (plat === "win32") execFile3("cmd", ["/c", "start", "", url], cb);
+  else execFile3("xdg-open", [url], cb);
 }
 async function connectGithubAndSelectRepos() {
   const url = `${SYNKRO_WEB_AUTH_URL2}/cli-github?port=${GITHUB_PORT}`;
@@ -2862,14 +2871,16 @@ var init_repoConnect = __esm({
 // cli/commands/setupGithub.ts
 var setupGithub_exports = {};
 __export(setupGithub_exports, {
+  connectGitHub: () => connectGitHub,
   setupGithubCommand: () => setupGithubCommand
 });
 import { createInterface as createInterface2 } from "readline/promises";
 import { stdin as input, stdout as output } from "process";
 import { execSync as execSync3, spawn as nodeSpawn } from "child_process";
 import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
-import { homedir as homedir4 } from "os";
+import { homedir as homedir4, platform as platform2 } from "os";
 import { join as join5 } from "path";
+import { execFile as execFile2 } from "child_process";
 function readConfig() {
   if (!existsSync6(CONFIG_PATH)) return {};
   const out = {};
@@ -2897,9 +2908,7 @@ async function prompt(rl, q, opts = {}) {
           resolve2(chunk);
           return;
         }
-        if (s === "") {
-          process.exit(130);
-        }
+        if (s === "") process.exit(130);
         if (s === "\x7F" || s === "\b") {
           chunk = chunk.slice(0, -1);
           return;
@@ -2911,6 +2920,30 @@ async function prompt(rl, q, opts = {}) {
   }
   return await rl.question(q);
 }
+function openBrowser3(url) {
+  const os = platform2();
+  let bin;
+  let args2;
+  switch (os) {
+    case "darwin":
+      bin = "open";
+      args2 = [url];
+      break;
+    case "win32":
+      bin = "cmd";
+      args2 = ["/c", "start", "", url];
+      break;
+    default:
+      bin = "xdg-open";
+      args2 = [url];
+      break;
+  }
+  execFile2(bin, args2, () => {
+  });
+}
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
 function captureClaudeSetupToken() {
   return new Promise((resolve2, reject) => {
     const proc = nodeSpawn("script", ["-q", "/dev/null", "claude", "setup-token"], {
@@ -2936,6 +2969,68 @@ function captureClaudeSetupToken() {
     });
   });
 }
+async function apiCall(gatewayUrl, jwt2, path, opts = {}) {
+  const resp = await fetch(`${gatewayUrl}${path}`, {
+    ...opts,
+    headers: {
+      "Authorization": `Bearer ${jwt2}`,
+      "Content-Type": "application/json",
+      ...opts.headers || {}
+    }
+  });
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw new Error(`API ${resp.status}: ${text.slice(0, 200)}`);
+  }
+  return resp.json();
+}
+async function connectGitHub(gatewayUrl, jwt2, opts = {}) {
+  try {
+    const result = await apiCall(
+      gatewayUrl,
+      jwt2,
+      "/api/v1/cli/github-token"
+    );
+    if (result.connected && result.token) {
+      if (!opts.silent) console.log("  \u2713 GitHub already connected via Synkro.");
+      return result.token;
+    }
+  } catch {
+  }
+  if (!opts.silent) console.log("  Opening browser to authorize GitHub...");
+  try {
+    const authResp = await apiCall(
+      gatewayUrl,
+      jwt2,
+      "/api/pipes-widget/authorize/github",
+      { method: "POST", body: "{}" }
+    );
+    openBrowser3(authResp.url);
+    if (!opts.silent) console.log("  Waiting for authorization...");
+  } catch (err) {
+    if (!opts.silent) console.error(`  Failed to start GitHub authorization: ${err.message}`);
+    return null;
+  }
+  const deadline = Date.now() + 12e4;
+  while (Date.now() < deadline) {
+    await sleep(2e3);
+    try {
+      const result = await apiCall(
+        gatewayUrl,
+        jwt2,
+        "/api/v1/cli/github-token"
+      );
+      if (result.connected && result.token) {
+        if (!opts.silent) console.log("\n  \u2713 GitHub connected!");
+        return result.token;
+      }
+    } catch {
+    }
+    if (!opts.silent) process.stdout.write(".");
+  }
+  if (!opts.silent) console.error("\n  Timed out waiting for GitHub authorization.");
+  return null;
+}
 async function setupGithubCommand(opts = {}) {
   if (!isAuthenticated()) {
     console.error("Not authenticated. Run `synkro-cli login` first.");
@@ -2951,20 +3046,12 @@ async function setupGithubCommand(opts = {}) {
   console.log("Requesting CI API key from Synkro...");
   let synkroCiApiKey;
   try {
-    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
-      method: "POST",
-      headers: {
-        "Authorization": `Bearer ${jwt2}`,
-        "Content-Type": "application/json"
-      },
-      body: "{}"
-    });
-    if (!resp.ok) {
-      const errText = await resp.text().catch(() => "");
-      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
-      process.exit(1);
-    }
-    const minted = await resp.json();
+    const minted = await apiCall(
+      gatewayUrl,
+      jwt2,
+      "/api/v1/cli/ci-api-key",
+      { method: "POST", body: "{}" }
+    );
     synkroCiApiKey = minted.api_key;
     console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
   } catch (err) {
@@ -2976,24 +3063,33 @@ async function setupGithubCommand(opts = {}) {
     ghToken = opts.githubToken;
   } else if (opts.nonInteractive) {
     try {
-      ghToken = execSync3("gh auth token", { encoding: "utf-8", timeout: 5e3 }).trim();
+      const result = await apiCall(
+        gatewayUrl,
+        jwt2,
+        "/api/v1/cli/github-token"
+      );
+      if (result.connected && result.token) {
+        ghToken = result.token;
+      } else {
+        throw new Error("not connected");
+      }
     } catch {
-      console.error("Could not get GitHub token from `gh auth token`. Run `gh auth login` first.");
-      return;
+      try {
+        ghToken = execSync3("gh auth token", { encoding: "utf-8", timeout: 5e3 }).trim();
+      } catch {
+        console.error("GitHub not connected. Run `synkro-cli setup-github` interactively to connect.");
+        return;
+      }
     }
   } else {
-    const rl = createInterface2({ input, output });
-    console.log("Synkro PR scan setup\n");
-    console.log("Requirements:");
-    console.log("  \u2022 Claude Code installed and logged in (Pro, Max, Teams, or Enterprise)");
-    console.log("  \u2022 A GitHub personal access token with `repo` scope");
-    console.log("    (create at https://github.com/settings/tokens?type=beta)\n");
-    ghToken = (await prompt(rl, "GitHub token (paste): ", { silent: true })).trim();
-    rl.close();
-    if (!ghToken || !ghToken.startsWith("ghp_") && !ghToken.startsWith("github_pat_")) {
-      console.error("Invalid GitHub token format. Expected ghp_... or github_pat_...");
+    console.log("\nConnecting to GitHub...");
+    const token = await connectGitHub(gatewayUrl, jwt2);
+    if (!token) {
+      console.error("GitHub connection failed. Try again.");
       process.exit(1);
     }
+    ghToken = token;
+    console.log();
   }
   let claudeToken;
   if (!opts.skipClaudeToken) {
@@ -3043,10 +3139,10 @@ async function setupGithubCommand(opts = {}) {
     selected = [{ owner, repo, full_name: currentFullName }];
     console.log(`  Auto-selected repo: ${currentFullName}`);
   } else {
-    console.log("\nFetching accessible repos...");
+    console.log("Fetching accessible repos...");
     const repos = await listAccessibleRepos({ token: ghToken });
     if (repos.length === 0) {
-      console.error("No accessible repos found. Verify the GitHub token has `repo` scope.");
+      console.error("No accessible repos found. Check your GitHub permissions.");
       process.exit(1);
     }
     console.log(`
@@ -3148,7 +3244,6 @@ function parseArgs(argv) {
     else if (a === "--no-mcp") opts.noMcp = true;
     else if (a === "--force" || a === "-f") opts.force = true;
     else if (a === "--link-repo") opts.linkRepo = true;
-    else if (a === "--pr-scan") opts.prScan = true;
   }
   if (!opts.gatewayUrl) {
     const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
@@ -3238,7 +3333,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.3.20")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.22")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -3258,10 +3353,48 @@ function collectLocalMetadata() {
   }
   try {
     const remote = execSync4("git remote get-url origin", { encoding: "utf-8", timeout: 3e3 }).trim();
-    const m = remote.match(/(?:github\.com)[:/](.+?)(?:\.git)?$/);
+    const sshMatch = remote.match(/^git@[^:]+:(.+?)(?:\.git)?$/);
+    const httpMatch = remote.match(/^https?:\/\/[^/]+\/(.+?)(?:\.git)?$/);
+    const m = sshMatch || httpMatch;
     if (m) meta.active_repo = m[1];
   } catch {
   }
+  try {
+    meta.cc_version = execSync4("claude --version", { encoding: "utf-8", timeout: 5e3 }).trim().split("\n")[0];
+  } catch {
+  }
+  const claudeDir = join6(homedir5(), ".claude");
+  try {
+    const settings = JSON.parse(readFileSync5(join6(claudeDir, "settings.json"), "utf-8"));
+    const plugins = Object.keys(settings.enabledPlugins ?? {}).filter((k) => settings.enabledPlugins[k]);
+    if (plugins.length) meta.enabled_plugins = plugins;
+    if (settings.permissions?.defaultMode) meta.permissions_mode = settings.permissions.defaultMode;
+  } catch {
+  }
+  try {
+    const mcpCache = JSON.parse(readFileSync5(join6(claudeDir, "mcp-needs-auth-cache.json"), "utf-8"));
+    const mcpNames = Object.keys(mcpCache);
+    if (mcpNames.length) meta.mcp_servers = mcpNames;
+  } catch {
+  }
+  try {
+    const mcpList = execSync4("claude mcp list 2>/dev/null", { encoding: "utf-8", timeout: 1e4 });
+    const connected = mcpList.split("\n").filter((l) => l.includes("Connected")).map((l) => l.split(":")[0].trim()).filter(Boolean);
+    if (connected.length) meta.mcp_servers_connected = connected;
+  } catch {
+  }
+  try {
+    const sessionsDir = join6(claudeDir, "sessions");
+    const files = readdirSync(sessionsDir).filter((f) => f.endsWith(".json")).slice(-5);
+    for (const f of files) {
+      const s = JSON.parse(readFileSync5(join6(sessionsDir, f), "utf-8"));
+      if (s.version) {
+        meta.cc_version = meta.cc_version || s.version;
+        break;
+      }
+    }
+  } catch {
+  }
   return meta;
 }
 async function fetchUserProfile(gatewayUrl, token) {
@@ -3398,6 +3531,13 @@ async function installCommand(opts = {}) {
     console.error("No access token available after auth.");
     process.exit(1);
   }
+  console.log("\nConnecting to GitHub...");
+  const ghToken = await connectGitHub(gatewayUrl, token);
+  if (!ghToken) {
+    console.error("GitHub connection is required. Re-run `synkro-cli install` to try again.");
+    process.exit(1);
+  }
+  console.log();
   setApiBaseUrl(`${gatewayUrl}/api`);
   await promptRepoConnection({ linkRepo: opts.linkRepo });
   const agents = detectAgents();
@@ -3535,18 +3675,9 @@ async function installCommand(opts = {}) {
 `);
     }
   }
-  if (opts.prScan) {
-    console.log();
-    const { setupGithubCommand: setupGithubCommand2 } = await Promise.resolve().then(() => (init_setupGithub(), setupGithub_exports));
-    await setupGithubCommand2({ nonInteractive: true });
-  }
+  const { setupGithubCommand: setupGithubCommand2 } = await Promise.resolve().then(() => (init_setupGithub(), setupGithub_exports));
+  await setupGithubCommand2({ nonInteractive: true, githubToken: ghToken });
   console.log("\u2713 Synkro installed.");
-  console.log();
-  if (!opts.prScan) {
-    console.log("Next steps:");
-    console.log("  \u2022 synkro-cli setup-github   (enable PR scanning)");
-    console.log("  \u2022 synkro-cli status         (check what is configured)");
-  }
 }
 function detectGitRepo2() {
   try {
@@ -3751,6 +3882,7 @@ var init_install = __esm({
     init_stub();
     init_repoConnect();
     init_projects();
+    init_setupGithub();
     SYNKRO_DIR2 = join6(homedir5(), ".synkro");
     HOOKS_DIR = join6(SYNKRO_DIR2, "hooks");
     BIN_DIR = join6(SYNKRO_DIR2, "bin");
@@ -4249,6 +4381,19 @@ function getPrFiles(repo, prNumber) {
   ]);
   return data;
 }
+async function fetchScanContext(gatewayUrl, apiKey, repo, prNumber, sha) {
+  try {
+    const url = `${gatewayUrl.replace(/\/$/, "")}/api/pr-scans/scan-context?repo=${encodeURIComponent(repo)}&pr_number=${prNumber}&sha=${sha}`;
+    const resp = await fetch(url, {
+      headers: { "x-synkro-api-key": apiKey },
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!resp.ok) return { scan_all: true };
+    return await resp.json();
+  } catch {
+    return { scan_all: true };
+  }
+}
 function getFileDiffWithLines(file) {
   if (!file.patch) return { hunks: "", newFileLineMap: /* @__PURE__ */ new Map() };
   const lines = file.patch.split("\n");
@@ -4343,13 +4488,16 @@ ${hunks}`;
     });
   });
 }
-async function processInBatches(items, batchSize, fn) {
-  const results = [];
-  for (let i = 0; i < items.length; i += batchSize) {
-    const batch = items.slice(i, i + batchSize);
-    const batchResults = await Promise.all(batch.map(fn));
-    results.push(...batchResults);
+async function processInBatches(items, concurrency, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  async function worker() {
+    while (next < items.length) {
+      const idx = next++;
+      results[idx] = await fn(items[idx], idx, items.length);
+    }
   }
+  await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, () => worker()));
   return results;
 }
 function buildConsolidationPrompt(findings) {
@@ -4606,11 +4754,34 @@ async function scanPrCommand() {
     console.error("Failed to fetch PR files:", err.message);
     process.exit(2);
   }
+  const scanCtx = await fetchScanContext(gatewayUrl, synkroApiKey, repo, prNumber, sha);
+  if (scanCtx.skip) {
+    console.log(`Already scanned at ${sha.slice(0, 7)}, skipping.
+`);
+    postCheckRun(repo, sha, "success", []);
+    await postEventToBackend({
+      gatewayUrl,
+      apiKey: synkroApiKey,
+      repo,
+      prNumber,
+      sha,
+      findings: [],
+      filesScanned: 0,
+      totalLatencyMs: 0
+    });
+    return;
+  }
+  const changedFiles = !scanCtx.scan_all && scanCtx.files ? new Set(scanCtx.files) : null;
+  if (changedFiles) {
+    console.log(`Incremental scan: ${changedFiles.size} file(s) changed since last scan (${scanCtx.last_sha?.slice(0, 7)}).
+`);
+  }
   const eligible = files.filter((f) => {
     if (f.status === "removed") return false;
     if (shouldSkipFile(f.filename)) return false;
     if (f.additions + f.deletions > MAX_DIFF_LINES_PER_FILE) return false;
     if (!f.patch) return false;
+    if (changedFiles && !changedFiles.has(f.filename)) return false;
     return true;
   });
   console.log(`${files.length} files in PR, ${eligible.length} eligible for scan.
@@ -4631,12 +4802,12 @@ async function scanPrCommand() {
     return;
   }
   const t0 = Date.now();
-  const results = await processInBatches(eligible, MAX_PARALLEL_FILES, async (file) => {
-    process.stdout.write(`Scanning ${file.filename}...`);
+  const results = await processInBatches(eligible, MAX_PARALLEL_FILES, async (file, idx, total) => {
+    process.stdout.write(`[${idx + 1}/${total}] ${file.filename}...`);
     const literalFindings = applyLiteralMatchNegative(literalNegativeRules, file);
     const llmResult = await spawnClaudeJudge(file, claudeToken, promptHeader);
     const merged = [...literalFindings, ...llmResult.findings];
-    console.log(` ${merged.length} finding(s) (${literalFindings.length} literal, ${llmResult.findings.length} llm; ${llmResult.latencyMs}ms)`);
+    console.log(` ${merged.length === 0 ? "clean" : `${merged.length} finding(s)`} (${(llmResult.latencyMs / 1e3).toFixed(1)}s)`);
     return { findings: merged, latencyMs: llmResult.latencyMs };
   });
   const totalLatencyMs = Date.now() - t0;
@@ -4690,7 +4861,7 @@ var init_scanPr = __esm({
       /go\.sum$/
     ];
     MAX_DIFF_LINES_PER_FILE = 1e3;
-    MAX_PARALLEL_FILES = 5;
+    MAX_PARALLEL_FILES = 10;
   }
 });