npm - @synkro-sh/cli - Versions diffs - 1.3.24 → 1.3.26 - Mend

@synkro-sh/cli 1.3.24 → 1.3.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -2508,7 +2508,7 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       pull-requests: write
       checks: write
     steps:
@@ -3333,7 +3333,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.3.24")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.26")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -4374,6 +4374,60 @@ function ghJson(args2) {
   });
   return JSON.parse(out);
 }
+async function ensureOpenPr(repo, prNumber, sha) {
+  let pr;
+  try {
+    pr = ghJson(["api", `/repos/${repo}/pulls/${prNumber}`]);
+  } catch {
+    return { prNumber, sha, branched: false };
+  }
+  if (pr.state === "open") {
+    return { prNumber, sha, branched: false };
+  }
+  if (pr.merged) {
+    console.log(`PR #${prNumber} is merged. Scanning original diff and posting findings there.
+`);
+    return { prNumber, sha: pr.head.sha, branched: false };
+  }
+  console.log(`PR #${prNumber} is closed. Creating a scan branch...
+`);
+  const scanBranch = `synkro/scan-${pr.head.ref}-${Date.now()}`;
+  try {
+    execSync5(`gh api -X POST /repos/${repo}/git/refs --input -`, {
+      encoding: "utf-8",
+      input: JSON.stringify({ ref: `refs/heads/${scanBranch}`, sha: pr.head.sha }),
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+  } catch (err) {
+    console.warn(`Failed to create scan branch: ${err.message}`);
+    return { prNumber, sha, branched: false };
+  }
+  try {
+    const newPrBody = `Security scan of closed PR #${prNumber} (\`${pr.head.ref}\`).
+This PR contains no code changes \u2014 it exists so Synkro can post review findings on an active PR.`;
+    const result = ghJson([
+      "api",
+      "-X",
+      "POST",
+      `/repos/${repo}/pulls`,
+      "-f",
+      `title=Synkro Scan: ${pr.title}`,
+      "-f",
+      `body=${newPrBody}`,
+      "-f",
+      `head=${scanBranch}`,
+      "-f",
+      `base=${pr.base.ref}`
+    ]);
+    console.log(`Opened PR #${result.number} for scan findings.
+`);
+    return { prNumber: result.number, sha: result.head.sha, branched: true };
+  } catch (err) {
+    console.warn(`Failed to open scan PR: ${err.message}`);
+    return { prNumber, sha, branched: false };
+  }
+}
 function getPrFiles(repo, prNumber) {
   const data = ghJson([
     "api",
@@ -4381,23 +4435,43 @@ function getPrFiles(repo, prNumber) {
   ]);
   return data;
 }
+function getLastReviewedSha(repo, prNumber) {
+  try {
+    const reviews = ghJson([
+      "api",
+      `/repos/${repo}/pulls/${prNumber}/reviews?per_page=100`
+    ]);
+    const synkro = reviews.filter((r) => r.body?.includes("Synkro Security Review")).sort((a, b) => new Date(b.submitted_at).getTime() - new Date(a.submitted_at).getTime());
+    return synkro.length > 0 ? synkro[0].commit_id : null;
+  } catch {
+    return null;
+  }
+}
+function getChangedFilesSince(repo, baseSha, headSha) {
+  try {
+    const data = ghJson([
+      "api",
+      `/repos/${repo}/compare/${baseSha}...${headSha}`
+    ]);
+    return (data.files || []).map((f) => f.filename);
+  } catch {
+    return null;
+  }
+}
 async function fetchScanContext(gatewayUrl, apiKey, repo, prNumber, sha) {
+  const lastSha = getLastReviewedSha(repo, prNumber);
+  const changedFiles = lastSha && lastSha !== sha ? getChangedFilesSince(repo, lastSha, sha) : void 0;
   try {
-    const url = `${gatewayUrl.replace(/\/$/, "")}/api/pr-scans/scan-context?repo=${encodeURIComponent(repo)}&pr_number=${prNumber}&sha=${sha}`;
-    const headers = { "x-synkro-api-key": apiKey };
-    const ghToken = process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "";
-    if (ghToken) headers["x-github-token"] = ghToken;
-    console.log(`[scan-context] POST ${url}`);
+    const url = `${gatewayUrl.replace(/\/$/, "")}/api/pr-scans/scan-context`;
     const resp = await fetch(url, {
-      headers,
+      method: "POST",
+      headers: { "x-synkro-api-key": apiKey, "Content-Type": "application/json" },
+      body: JSON.stringify({ sha, last_reviewed_sha: lastSha, changed_files: changedFiles }),
       signal: AbortSignal.timeout(15e3)
     });
-    const body = await resp.text();
-    console.log(`[scan-context] ${resp.status}: ${body.slice(0, 300)}`);
     if (!resp.ok) return { scan_all: true };
-    return JSON.parse(body);
-  } catch (err) {
-    console.warn(`[scan-context] error: ${err.message}`);
+    return await resp.json();
+  } catch {
     return { scan_all: true };
   }
 }
@@ -4746,6 +4820,9 @@ async function scanPrCommand() {
   }
   console.log(`Synkro scan-pr: ${repo}#${prNumber} @ ${sha.slice(0, 7)}
 `);
+  const prTarget = await ensureOpenPr(repo, prNumber, sha);
+  const activePrNumber = prTarget.prNumber;
+  const activeSha = prTarget.sha;
   const orgRules = await fetchOrgRules(gatewayUrl, synkroApiKey);
   const auditRules = orgRules.filter((r) => r.mode === "audit");
   const literalNegativeRules = orgRules.filter((r) => {
@@ -4756,22 +4833,22 @@ async function scanPrCommand() {
   const promptHeader = buildPrPrompt(auditRules);
   let files;
   try {
-    files = getPrFiles(repo, prNumber);
+    files = getPrFiles(repo, activePrNumber);
   } catch (err) {
     console.error("Failed to fetch PR files:", err.message);
     process.exit(2);
   }
-  const scanCtx = await fetchScanContext(gatewayUrl, synkroApiKey, repo, prNumber, sha);
+  const scanCtx = await fetchScanContext(gatewayUrl, synkroApiKey, repo, activePrNumber, activeSha);
   if (scanCtx.skip) {
-    console.log(`Already scanned at ${sha.slice(0, 7)}, skipping.
+    console.log(`Already scanned at ${activeSha.slice(0, 7)}, skipping.
 `);
-    postCheckRun(repo, sha, "success", []);
+    postCheckRun(repo, activeSha, "success", []);
     await postEventToBackend({
       gatewayUrl,
       apiKey: synkroApiKey,
       repo,
-      prNumber,
-      sha,
+      prNumber: activePrNumber,
+      sha: activeSha,
       findings: [],
       filesScanned: 0,
       totalLatencyMs: 0
@@ -4794,13 +4871,13 @@ async function scanPrCommand() {
   console.log(`${files.length} files in PR, ${eligible.length} eligible for scan.
 `);
   if (eligible.length === 0) {
-    postCheckRun(repo, sha, "success", []);
+    postCheckRun(repo, activeSha, "success", []);
     await postEventToBackend({
       gatewayUrl,
       apiKey: synkroApiKey,
       repo,
-      prNumber,
-      sha,
+      prNumber: activePrNumber,
+      sha: activeSha,
       findings: [],
       filesScanned: 0,
       totalLatencyMs: 0
@@ -4827,17 +4904,17 @@ Total: ${allFindings.length} finding(s) across ${eligible.length} file(s) in ${t
     const review = await spawnOpusConsolidator(allFindings, claudeToken);
     console.log(`  \u2192 ${review.comments.length} review comment(s), severity: ${review.severity}`);
     if (review.comments.length > 0) {
-      postPrReview(repo, prNumber, sha, review);
+      postPrReview(repo, activePrNumber, activeSha, review);
     }
   }
   const conclusion = shouldFail(allFindings, failThreshold) ? "failure" : "success";
-  postCheckRun(repo, sha, conclusion, allFindings);
+  postCheckRun(repo, activeSha, conclusion, allFindings);
   await postEventToBackend({
     gatewayUrl,
     apiKey: synkroApiKey,
     repo,
-    prNumber,
-    sha,
+    prNumber: activePrNumber,
+    sha: activeSha,
     findings: allFindings,
     filesScanned: eligible.length,
     totalLatencyMs