@synkro-sh/cli 1.3.41 → 1.3.43

package/dist/bootstrap.js

@@ -793,6 +793,26 @@ esac
 # Fire-and-forget anonymized telemetry for local_only mode
 if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$VERDICT_KIND" ]; then
   (
+    MECH_CAT=""
+    BIZ_CAT=""
+    # For violations, run OWASP classification on user's machine
+    if [ "$VERDICT_KIND" = "warn" ]; then
+      CLASS_CACHE="$HOME/.synkro/.classification-prompt"
+      CLASS_PROMPT=""
+      if [ -f "$CLASS_CACHE" ] && find "$CLASS_CACHE" -mmin -1440 2>/dev/null | grep -q .; then
+        CLASS_PROMPT=$(cat "$CLASS_CACHE" 2>/dev/null)
+      else
+        CLASS_PROMPT=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/judge-prompts" \\
+          -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null | jq -r '.classification_prompt // empty')
+        [ -n "$CLASS_PROMPT" ] && echo "$CLASS_PROMPT" > "$CLASS_CACHE"
+      fi
+      if [ -n "$CLASS_PROMPT" ]; then
+        CLASS_INPUT=$(printf '%s\\n\\nViolation context:\\n- Tool: %s\\n- Category: %s\\n- Severity: %s\\n- Hook type: bash command judge' "$CLASS_PROMPT" "$TOOL_NAME" "$CATEGORY" "$SEVERITY")
+        CLASS_RESP=$(echo "$CLASS_INPUT" | claude --print --model claude-sonnet-4-6 --no-session-persistence 2>/dev/null || echo "")
+        MECH_CAT=$(echo "$CLASS_RESP" | jq -r '.mechanism_category // empty' 2>/dev/null)
+        BIZ_CAT=$(echo "$CLASS_RESP" | jq -r '.business_category // empty' 2>/dev/null)
+      fi
+    fi
     ANON_BODY=$(jq -n \\
       --arg event_id "$(uuidgen 2>/dev/null || echo "evt_$(date +%s)_$$")" \\
       --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \\
@@ -804,6 +824,9 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$VERDICT_KIND" ]; then
       --arg model "\${CC_MODEL:-claude-sonnet-4-6}" \\
       --arg tool_name "$TOOL_NAME" \\
       --arg repo "\${GIT_REPO:-}" \\
+      --arg session_id "$SESSION_ID" \\
+      --arg mech_cat "$MECH_CAT" \\
+      --arg biz_cat "$BIZ_CAT" \\
       '{
         event_id: $event_id,
         timestamp: $timestamp,
@@ -814,7 +837,10 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$VERDICT_KIND" ]; then
         category: $category,
         model: $model,
         tool_name: $tool_name
-      } + (if $repo != "" then {repo: $repo} else {} end)')
+      } + (if $repo != "" then {repo: $repo} else {} end)
+        + (if $session_id != "" then {session_id: $session_id} else {} end)
+        + (if $mech_cat != "" then {mechanism_category: $mech_cat} else {} end)
+        + (if $biz_cat != "" then {business_category: $biz_cat} else {} end)')
     curl -sS -X POST "\${GATEWAY_URL}/api/v1/events/local-verdict" \\
       -H "Content-Type: application/json" \\
       -H "Authorization: Bearer $JWT" \\
@@ -1279,6 +1305,25 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$DECISION" ]; then
     LOCAL_CATEGORY="edit_violation"
   fi
   (
+    MECH_CAT=""
+    BIZ_CAT=""
+    if [ "$LOCAL_VERDICT" = "warn" ]; then
+      CLASS_CACHE="$HOME/.synkro/.classification-prompt"
+      CLASS_PROMPT=""
+      if [ -f "$CLASS_CACHE" ] && find "$CLASS_CACHE" -mmin -1440 2>/dev/null | grep -q .; then
+        CLASS_PROMPT=$(cat "$CLASS_CACHE" 2>/dev/null)
+      else
+        CLASS_PROMPT=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/judge-prompts" \\
+          -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null | jq -r '.classification_prompt // empty')
+        [ -n "$CLASS_PROMPT" ] && echo "$CLASS_PROMPT" > "$CLASS_CACHE"
+      fi
+      if [ -n "$CLASS_PROMPT" ]; then
+        CLASS_INPUT=$(printf '%s\\n\\nViolation context:\\n- Tool: %s\\n- Category: %s\\n- Severity: %s\\n- Hook type: edit pre-check judge' "$CLASS_PROMPT" "$TOOL_NAME" "$LOCAL_CATEGORY" "$LOCAL_SEVERITY")
+        CLASS_RESP=$(echo "$CLASS_INPUT" | claude --print --model claude-sonnet-4-6 --no-session-persistence 2>/dev/null || echo "")
+        MECH_CAT=$(echo "$CLASS_RESP" | jq -r '.mechanism_category // empty' 2>/dev/null)
+        BIZ_CAT=$(echo "$CLASS_RESP" | jq -r '.business_category // empty' 2>/dev/null)
+      fi
+    fi
     ANON_BODY=$(jq -n \\
       --arg event_id "$(uuidgen 2>/dev/null || echo "evt_$(date +%s)_$$")" \\
       --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \\
@@ -1289,6 +1334,9 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$DECISION" ]; then
       --arg model "\${CC_MODEL:-claude-sonnet-4-6}" \\
       --arg tool_name "$TOOL_NAME" \\
       --arg repo "\${GIT_REPO:-}" \\
+      --arg session_id "$SESSION_ID" \\
+      --arg mech_cat "$MECH_CAT" \\
+      --arg biz_cat "$BIZ_CAT" \\
       '{
         event_id: $event_id,
         timestamp: $timestamp,
@@ -1298,7 +1346,10 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && [ -n "$DECISION" ]; then
         category: $category,
         model: $model,
         tool_name: $tool_name
-      } + (if $repo != "" then {repo: $repo} else {} end)')
+      } + (if $repo != "" then {repo: $repo} else {} end)
+        + (if $session_id != "" then {session_id: $session_id} else {} end)
+        + (if $mech_cat != "" then {mechanism_category: $mech_cat} else {} end)
+        + (if $biz_cat != "" then {business_category: $biz_cat} else {} end)')
     curl -sS -X POST "\${GATEWAY_URL}/api/v1/events/local-verdict" \\
       -H "Content-Type: application/json" \\
       -H "Authorization: Bearer $JWT" \\
@@ -1597,6 +1648,25 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ]; then
     LOCAL_VERDICT="allow"; LOCAL_SEVERITY="audit"; LOCAL_RISK="low"
   fi
   (
+    MECH_CAT=""
+    BIZ_CAT=""
+    if [ "$LOCAL_VERDICT" = "warn" ]; then
+      CLASS_CACHE="$HOME/.synkro/.classification-prompt"
+      CLASS_PROMPT=""
+      if [ -f "$CLASS_CACHE" ] && find "$CLASS_CACHE" -mmin -1440 2>/dev/null | grep -q .; then
+        CLASS_PROMPT=$(cat "$CLASS_CACHE" 2>/dev/null)
+      else
+        CLASS_PROMPT=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/judge-prompts" \\
+          -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null | jq -r '.classification_prompt // empty')
+        [ -n "$CLASS_PROMPT" ] && echo "$CLASS_PROMPT" > "$CLASS_CACHE"
+      fi
+      if [ -n "$CLASS_PROMPT" ]; then
+        CLASS_INPUT=$(printf '%s\\n\\nViolation context:\\n- Tool: %s\\n- Category: %s\\n- Severity: %s\\n- Hook type: post-edit capture grader' "$CLASS_PROMPT" "$TOOL_NAME" "$CATEGORY" "$LOCAL_SEVERITY")
+        CLASS_RESP=$(echo "$CLASS_INPUT" | claude --print --model claude-sonnet-4-6 --no-session-persistence 2>/dev/null || echo "")
+        MECH_CAT=$(echo "$CLASS_RESP" | jq -r '.mechanism_category // empty' 2>/dev/null)
+        BIZ_CAT=$(echo "$CLASS_RESP" | jq -r '.business_category // empty' 2>/dev/null)
+      fi
+    fi
     ANON_BODY=$(jq -n \\
       --arg event_id "$(uuidgen 2>/dev/null || echo "evt_$(date +%s)_$$")" \\
       --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \\
@@ -1608,11 +1678,17 @@ if [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ]; then
       --arg model "\${CC_MODEL:-claude-sonnet-4-6}" \\
       --arg tool_name "$TOOL_NAME" \\
       --arg repo "\${GIT_REPO:-}" \\
+      --arg session_id "$SESSION_ID" \\
+      --arg mech_cat "$MECH_CAT" \\
+      --arg biz_cat "$BIZ_CAT" \\
       '{
         event_id: $event_id, timestamp: $timestamp, hook_type: $hook_type,
         verdict: $verdict, severity: $severity, risk_level: $risk_level,
         category: $category, model: $model, tool_name: $tool_name
-      } + (if $repo != "" then {repo: $repo} else {} end)')
+      } + (if $repo != "" then {repo: $repo} else {} end)
+        + (if $session_id != "" then {session_id: $session_id} else {} end)
+        + (if $mech_cat != "" then {mechanism_category: $mech_cat} else {} end)
+        + (if $biz_cat != "" then {business_category: $biz_cat} else {} end)')
     curl -sS -X POST "\${GATEWAY_URL}/api/v1/events/local-verdict" \\
       -H "Content-Type: application/json" \\
       -H "Authorization: Bearer $JWT" \\
@@ -1988,7 +2064,7 @@ Commands:
   status   - print "running"/"stopped"
 """
 
-import os, sys, json, socket, time, signal, fcntl, re, select
+import os, sys, json, socket, time, signal, fcntl, re, select, queue
 import subprocess, threading, urllib.request, urllib.error
 from pathlib import Path
 
@@ -2119,13 +2195,18 @@ def log(msg):
 
 STALL_TIMEOUT_SEC = int(os.environ.get("SYNKRO_DAEMON_STALL_TIMEOUT", "10"))
 
-def _read_response(proc, timeout=45):
+def _read_response(proc, timeout=45, stop_event=None):
+    """Read stream-json from proc.stdout until a 'result' message arrives.
+    If stop_event is set externally, returns immediately with empty string \u2014
+    used by the parallel-race grade path to abort the loser."""
     acc = []
     deadline = time.time() + timeout
     last_data = time.time()
     fd = proc.stdout.fileno()
     buf = ""
     while True:
+        if stop_event is not None and stop_event.is_set():
+            return ""
         remaining = deadline - time.time()
         if remaining <= 0:
             log("read timeout")
@@ -2133,7 +2214,7 @@ def _read_response(proc, timeout=45):
         if time.time() - last_data > STALL_TIMEOUT_SEC:
             log(f"stall timeout: no data for {STALL_TIMEOUT_SEC}s")
             return ""
-        ready, _, _ = select.select([fd], [], [], min(remaining, 2.0))
+        ready, _, _ = select.select([fd], [], [], min(remaining, 1.0))
         if not ready:
             if proc.poll() is not None:
                 log("process exited during read")
@@ -2262,39 +2343,71 @@ class WarmGrader:
             self._warm_proc = None
             self._warm_ready_at = 0.0
 
-        # Discard warm processes that have been idle too long.
         WARM_TTL_SEC = int(os.environ.get("SYNKRO_DAEMON_WARM_TTL", "15"))
-        warm = True
-        if not proc or proc.poll() is not None:
-            log("no warm process, cold fallback")
-            proc = self._make_proc()
-            warm = False
-        elif proc.stdin.closed:
-            log("warm process stdin closed, cold fallback")
+        # Decide if the warm process is usable for the race.
+        warm_usable = bool(proc) and proc.poll() is None and not proc.stdin.closed
+        if warm_usable and ready_at and (time.time() - ready_at) > WARM_TTL_SEC:
             self._kill_proc(proc)
-            proc = self._make_proc()
-            warm = False
-        elif ready_at and (time.time() - ready_at) > WARM_TTL_SEC:
-            age = time.time() - ready_at
-            log(f"warm process stale ({age:.0f}s > {WARM_TTL_SEC}s), cold fallback")
+            warm_usable = False
+        if not warm_usable and proc:
             self._kill_proc(proc)
-            proc = self._make_proc()
-            warm = False
+            proc = None
 
         wall_limit = int(os.environ.get("SYNKRO_DAEMON_WALL_TIMEOUT", "12"))
+        race_timeout = min(GRADE_TIMEOUT_SEC, wall_limit)
+
+        # Race a warm and a fresh cold process. Whichever returns a non-empty
+        # response first wins; the other is killed. If we have no warm, just
+        # run cold solo (no benefit to racing two cold spawns of the same age).
+        cold_proc = self._make_proc() if warm_usable else proc or self._make_proc()
+        warm_proc = proc if warm_usable else None
+
+        result_q = queue.Queue()
+        stop_event = threading.Event()
+
+        def grade_worker(p, label):
+            try:
+                _send_msg(p, prompt)
+                r = _read_response(p, timeout=race_timeout, stop_event=stop_event)
+                if r:
+                    result_q.put((label, r))
+            except Exception as e:
+                log(f"grade {label} error: {e}")
+
+        threads = []
+        if warm_proc is not None:
+            t = threading.Thread(target=grade_worker, args=(warm_proc, "warm"), daemon=True)
+            t.start()
+            threads.append(t)
+        t = threading.Thread(target=grade_worker, args=(cold_proc, "cold"), daemon=True)
+        t.start()
+        threads.append(t)
+
         t0 = time.time()
+        winner_label = None
+        resp = ""
         try:
-            _send_msg(proc, prompt)
-            resp = _read_response(proc, timeout=min(GRADE_TIMEOUT_SEC, wall_limit))
-        except Exception as e:
-            log(f"grade error: {e}")
-            resp = ""
+            deadline = time.time() + race_timeout + 2
+            while time.time() < deadline:
+                try:
+                    label, r = result_q.get(timeout=0.5)
+                    if r:
+                        resp = r
+                        winner_label = label
+                        break
+                except queue.Empty:
+                    if all(not th.is_alive() for th in threads):
+                        break
         finally:
-            self._kill_proc(proc)
+            stop_event.set()
+            if warm_proc is not None:
+                self._kill_proc(warm_proc)
+            self._kill_proc(cold_proc)
 
         elapsed = (time.time() - t0) * 1000
         self._total_grades += 1
-        log(f"grade #{self._total_grades} {'warm' if warm else 'cold'} elapsed={elapsed:.0f}ms resp={len(resp)}ch")
+        winner = winner_label or "none"
+        log(f"grade #{self._total_grades} race={'warm+cold' if warm_proc else 'cold'} won={winner} elapsed={elapsed:.0f}ms resp={len(resp)}ch")
 
         self._start_prewarm()
         return resp
@@ -3746,7 +3859,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.3.41")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.43")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);