npm - @synkro-sh/cli - Versions diffs - 1.3.39 → 1.3.41 - Mend

@synkro-sh/cli 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -388,12 +388,7 @@ fi
 CMD_SHORT=$(printf '%s' "$COMMAND" | head -c 80)
 synkro_log "bashGuard checking: $CMD_SHORT"
-# NO hard regex gate \u2014 server-side bashShapes runs the universal pattern set
-# (including HTTP-payload destructive shapes like graphql_destructive_mutation
-# and http_method_delete) and returns a "trivial" fast-path verdict for boring
-# read-only commands (ls, pwd, git status, --version, etc.). Anything ambiguous
-# goes to Cerebras for grading. This closes the gap that verb-only filters miss
-# (e.g. a curl POST whose JSON body contains a destructive mutation).
+# All commands are graded; no client-side regex gate.
 # Extract context from the transcript file
 TRANSCRIPT_PATH=$(echo "$PAYLOAD" | jq -r '.transcript_path // empty' 2>/dev/null)
@@ -455,7 +450,7 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
     ] | .[-10:]' 2>/dev/null || echo "[]")
   # Recent agent actions (last 5 tool_use blocks paired with results)
   RECENT_ACTIONS=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '
-    # tool_result blocks live in USER messages (Anthropic API format)
+    # tool_result blocks live in USER messages
     ([ .[]
        | select(.type == "user")
        | .message.content[]?
@@ -571,6 +566,24 @@ refresh_jwt() {
   return 0
 }
+ensure_fresh_jwt() {
+  [ -z "$JWT" ] && return 1
+  local payload exp now remaining
+  payload=$(printf '%s' "$JWT" | cut -d. -f2)
+  case $((\${#payload} % 4)) in
+    2) payload="\${payload}==" ;;
+    3) payload="\${payload}=" ;;
+  esac
+  exp=$(printf '%s' "$payload" | tr '_-' '/+' | base64 -D 2>/dev/null | jq -r '.exp // 0' 2>/dev/null)
+  now=$(date -u +%s)
+  remaining=$((exp - now))
+  if [ "$remaining" -lt 60 ]; then
+    refresh_jwt
+  fi
+}
+ensure_fresh_jwt
 # Resolve tier + capture_depth (cached 60 min) \u2014 server is canonical via /cli/me.
 TIER_CACHE_FILE="$HOME/.synkro/.tier-cache-\${SYNKRO_USER_ID:-default}"
 CD_CACHE_FILE="\${TIER_CACHE_FILE}.cd"
@@ -656,7 +669,7 @@ if [ "$USE_LOCAL" = "true" ]; then
   ALTERNATIVE=$(xtag "$V_INNER" alternative)
   # Fail-open on no verdict \u2014 daemon handles cold fallback internally; if it
-  # still came back empty (network/Anthropic outage), don't block the user.
+  # still came back empty (grader unavailable), don't block the user.
   if [ -z "$VERDICT_KIND" ] || [ -z "$SEVERITY" ]; then
     synkro_log "bashGuard $CMD_SHORT \u2192 pass (grader unavailable)"
     jq -n --arg m "[synkro] bashGuard \u2192 pass (grader unavailable)" '{systemMessage: $m}'
@@ -666,7 +679,7 @@ if [ "$USE_LOCAL" = "true" ]; then
   # already populated above. Server-side path (else branch) keeps using JSON.
   VERDICT="__LOCAL_XML_PARSED__"
 else
-  # \u2500\u2500\u2500 FAST TIER: server-side Cerebras grading. \u2500\u2500\u2500
+  # \u2500\u2500\u2500 Server-side grading. \u2500\u2500\u2500
   VERDICT=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/judge" \\
     -H "Content-Type: application/json" \\
@@ -814,18 +827,7 @@ exit 0
 `;
     CC_EDIT_PRECHECK_SCRIPT = `#!/bin/bash
 # Synkro PreToolUse Edit/Write/MultiEdit/NotebookEdit pre-check hook.
-#
-# Steering-at-violation: thin shim that POSTs the proposed file content to
-# /api/v1/precheck-edit. The server cosines it against the org's active
-# agent_runtime rules in Timescale and returns the CC hook JSON shape
-# directly (permissionDecision: "deny" + retry guidance, or empty {} to allow).
-#
-# No LLM in this path \u2014 just embedding + cosine. Customer's CC pays for the
-# retry generation when the agent reads the denial reason and rewrites.
-# Synkro's COGS = ~$0.00001 per edit (one Gemini embedding call).
-#
 # Always exits 0 with valid JSON. Fails open on any error.
-# No set -e: hook must ALWAYS produce JSON output. Silent death = CC timeout.
 synkro_log() { echo "[synkro] $1" >&2; }
@@ -1036,6 +1038,24 @@ refresh_jwt() {
   return 0
 }
+ensure_fresh_jwt() {
+  [ -z "$JWT" ] && return 1
+  local payload exp now remaining
+  payload=$(printf '%s' "$JWT" | cut -d. -f2)
+  case $((\${#payload} % 4)) in
+    2) payload="\${payload}==" ;;
+    3) payload="\${payload}=" ;;
+  esac
+  exp=$(printf '%s' "$payload" | tr '_-' '/+' | base64 -D 2>/dev/null | jq -r '.exp // 0' 2>/dev/null)
+  now=$(date -u +%s)
+  remaining=$((exp - now))
+  if [ "$remaining" -lt 60 ]; then
+    refresh_jwt
+  fi
+}
+ensure_fresh_jwt
 # Resolve tier + capture_depth (cached 60 min) \u2014 server is canonical via /cli/me.
 TIER_CACHE_FILE="$HOME/.synkro/.tier-cache-\${SYNKRO_USER_ID:-default}"
@@ -1201,7 +1221,7 @@ if [ "$USE_LOCAL" = "true" ]; then
     fi
   fi
 else
-  # \u2500\u2500\u2500 FAST TIER: server-side Cerebras grading (~500ms) \u2500\u2500\u2500
+  # \u2500\u2500\u2500 Server-side grading. \u2500\u2500\u2500
   RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/precheck-edit" \\
     -H "Content-Type: application/json" \\
     -H "Authorization: Bearer $JWT" \\
@@ -1291,19 +1311,8 @@ exit 0
 `;
     CC_EDIT_CAPTURE_SCRIPT = `#!/bin/bash
 # Synkro PostToolUse Edit/Write afterFileEdit hook.
-#
-# Reads the file from disk after the edit lands, sends to /api/v1/judge-edit
-# for Cerebras grading against the org's rules. On ok=false, emits a system
-# message that surfaces inline in CC ("[synkro] afterFileEdit \u2192 Finding: \u2026").
-# The agent reads the finding via transcript and re-edits on its own
-# inference \u2014 same retry pattern as PreToolUse precheck, looser/asynchronous.
-#
-# Complementary to the PreToolUse precheck: precheck blocks unsafe writes
-# before disk; this hook catches issues that only become visible AFTER the
-# edit lands (cross-file shapes, real disk state, post-edit semantic effects).
-#
+# On ok=false, emits a system message that surfaces inline in CC.
 # Always exits 0 with valid JSON \u2014 never breaks CC's flow.
-# No set -e: hook must ALWAYS produce JSON output. Silent death = CC timeout.
 synkro_log() { echo "[synkro] $1" >&2; }
@@ -1422,6 +1431,24 @@ refresh_jwt() {
   return 0
 }
+ensure_fresh_jwt() {
+  [ -z "$JWT" ] && return 1
+  local payload exp now remaining
+  payload=$(printf '%s' "$JWT" | cut -d. -f2)
+  case $((\${#payload} % 4)) in
+    2) payload="\${payload}==" ;;
+    3) payload="\${payload}=" ;;
+  esac
+  exp=$(printf '%s' "$payload" | tr '_-' '/+' | base64 -D 2>/dev/null | jq -r '.exp // 0' 2>/dev/null)
+  now=$(date -u +%s)
+  remaining=$((exp - now))
+  if [ "$remaining" -lt 60 ]; then
+    refresh_jwt
+  fi
+}
+ensure_fresh_jwt
 # Fire-and-forget correction-followup (backgrounded \u2014 must not block grading).
 if [ -n "$SESSION_ID" ] && [ -n "$TOOL_USE_ID" ]; then
   (
@@ -1533,7 +1560,7 @@ if [ "$USE_LOCAL" = "true" ]; then
     RESP=""
   fi
 else
-  # \u2500\u2500\u2500 FAST TIER: server-side Cerebras (~500ms). \u2500\u2500\u2500
+  # \u2500\u2500\u2500 Server-side grading. \u2500\u2500\u2500
   RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/judge-edit" \\
     -H "Content-Type: application/json" \\
     -H "Authorization: Bearer $JWT" \\
@@ -2235,11 +2262,7 @@ class WarmGrader:
             self._warm_proc = None
             self._warm_ready_at = 0.0
-        # Warm-process TTL: claude --print holds an HTTP/2 conn to Anthropic
-        # that goes stale after ~20s idle. The subprocess doesn't notice the
-        # broken pipe and just hangs forever when given a prompt. Force cold
-        # if the warm has been sitting idle too long \u2014 still faster than
-        # eating a 10s stall timeout + cold fallback.
+        # Discard warm processes that have been idle too long.
         WARM_TTL_SEC = int(os.environ.get("SYNKRO_DAEMON_WARM_TTL", "15"))
         warm = True
         if not proc or proc.poll() is not None:
@@ -3723,7 +3746,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.3.39")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.41")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
@@ -4770,54 +4793,9 @@ async function ensureOpenPr(repo, prNumber, sha) {
   try {
     pr = ghJson(["api", `/repos/${repo}/pulls/${prNumber}`]);
   } catch {
-    return { prNumber, sha, branched: false };
-  }
-  if (pr.state === "open") {
-    return { prNumber, sha, branched: false };
-  }
-  if (pr.merged) {
-    console.log(`PR #${prNumber} is merged. Scanning original diff and posting findings there.
-`);
-    return { prNumber, sha: pr.head.sha, branched: false };
-  }
-  console.log(`PR #${prNumber} is closed. Creating a scan branch...
-`);
-  const scanBranch = `synkro/scan-${pr.head.ref}-${Date.now()}`;
-  try {
-    execSync5(`gh api -X POST /repos/${repo}/git/refs --input -`, {
-      encoding: "utf-8",
-      input: JSON.stringify({ ref: `refs/heads/${scanBranch}`, sha: pr.head.sha }),
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-  } catch (err) {
-    console.warn(`Failed to create scan branch: ${err.message}`);
-    return { prNumber, sha, branched: false };
-  }
-  try {
-    const newPrBody = `Security scan of closed PR #${prNumber} (\`${pr.head.ref}\`).
-This PR contains no code changes \u2014 it exists so Synkro can post review findings on an active PR.`;
-    const result = ghJson([
-      "api",
-      "-X",
-      "POST",
-      `/repos/${repo}/pulls`,
-      "-f",
-      `title=Synkro Scan: ${pr.title}`,
-      "-f",
-      `body=${newPrBody}`,
-      "-f",
-      `head=${scanBranch}`,
-      "-f",
-      `base=${pr.base.ref}`
-    ]);
-    console.log(`Opened PR #${result.number} for scan findings.
-`);
-    return { prNumber: result.number, sha: result.head.sha, branched: true };
-  } catch (err) {
-    console.warn(`Failed to open scan PR: ${err.message}`);
-    return { prNumber, sha, branched: false };
+    return { prNumber, sha, branched: false, prState: "unknown", merged: false };
   }
+  return { prNumber, sha: pr.head.sha, branched: false, prState: pr.state, merged: pr.merged };
 }
 function getPrFiles(repo, prNumber) {
   const data = ghJson([
@@ -5094,7 +5072,28 @@ ${linesStr}: ${first.description}
     severity: maxSeverity
   };
 }
-function postPrReview(repo, prNumber, sha, review) {
+function postPrReview(repo, prNumber, sha, review, skipLineReview = false) {
+  function postIssueComment() {
+    try {
+      const body = `## \u{1F512} Synkro Security Review
+${review.summary}
+` + review.comments.map((c) => `**${c.path}:${c.line}** \u2014 ${c.body}`).join("\n\n");
+      execSync5(`gh api -X POST /repos/${repo}/issues/${prNumber}/comments --input -`, {
+        encoding: "utf-8",
+        input: JSON.stringify({ body }),
+        stdio: ["pipe", "ignore", "pipe"]
+      });
+      console.log("  \u2713 Posted issue comment with findings.");
+    } catch (err) {
+      console.warn("Failed to post issue comment:", err.message);
+    }
+  }
+  if (skipLineReview) {
+    postIssueComment();
+    return;
+  }
   const preferredEvent = review.severity === "critical" || review.severity === "high" ? "REQUEST_CHANGES" : "COMMENT";
   function tryPost(event) {
     const body = JSON.stringify({
@@ -5120,27 +5119,12 @@ ${review.summary}`,
       if (combined.includes("own pull request") && event === "REQUEST_CHANGES") {
         return false;
       }
-      console.warn(`Failed to post review: ${(stderr || stdout || err.message).slice(0, 200)}`);
       return false;
     }
   }
   if (tryPost(preferredEvent)) return;
   if (preferredEvent === "REQUEST_CHANGES" && tryPost("COMMENT")) return;
-  try {
-    const fallbackBody = `## \u{1F512} Synkro Security Review
-${review.summary}
-` + review.comments.map((c) => `**${c.path}:${c.line}** \u2014 ${c.body}`).join("\n\n");
-    execSync5(`gh api -X POST /repos/${repo}/issues/${prNumber}/comments --input -`, {
-      encoding: "utf-8",
-      input: JSON.stringify({ body: fallbackBody }),
-      stdio: ["pipe", "ignore", "pipe"]
-    });
-    console.log("  \u2713 Posted fallback issue comment.");
-  } catch (err2) {
-    console.warn("Failed to post fallback comment:", err2.message);
-  }
+  postIssueComment();
 }
 function postCheckRun(repo, sha, conclusion, findings) {
   const summary = findings.length === 0 ? "No security findings." : `${findings.length} finding(s):
@@ -5295,7 +5279,8 @@ Total: ${allFindings.length} finding(s) across ${eligible.length} file(s) in ${t
     const review = await spawnOpusConsolidator(allFindings, claudeToken);
     console.log(`  \u2192 ${review.comments.length} review comment(s), severity: ${review.severity}`);
     if (review.comments.length > 0) {
-      postPrReview(repo, activePrNumber, activeSha, review);
+      const skipLineReview = prTarget.prState === "closed" && !prTarget.merged;
+      postPrReview(repo, activePrNumber, activeSha, review, skipLineReview);
     }
   }
   const conclusion = shouldFail(allFindings, failThreshold) ? "failure" : "success";
@@ -5474,7 +5459,7 @@ Usage:
 Commands:
   install [--force]    Install Synkro hooks for detected agents (Claude Code, etc.)
-  login                Authenticate with Synkro (browser OAuth via WorkOS)
+  login                Authenticate with Synkro (browser sign-in)
   logout               Clear local credentials
   status               Show current setup state
   link                 Link repos to a Synkro project (local git or GitHub OAuth)