npm - @synkro-sh/cli - Versions diffs - 1.3.7 → 1.3.9 - Mend

@synkro-sh/cli 1.3.7 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -2606,7 +2606,9 @@ async function listAccessibleRepos(opts) {
 }
 async function pushSecretsToRepo(opts, owner, repo, secrets) {
   const pubkey = await getRepoPublicKey(opts, owner, repo);
-  await putRepoSecret(opts, owner, repo, "CLAUDE_CODE_OAUTH_TOKEN", secrets.claudeCodeOauthToken, pubkey);
+  if (secrets.claudeCodeOauthToken) {
+    await putRepoSecret(opts, owner, repo, "CLAUDE_CODE_OAUTH_TOKEN", secrets.claudeCodeOauthToken, pubkey);
+  }
   await putRepoSecret(opts, owner, repo, "SYNKRO_API_KEY", secrets.synkroApiKey, pubkey);
 }
 function writeWorkflowFile(repoRootPath) {
@@ -2750,8 +2752,30 @@ async function connectGithubAndSelectRepos() {
     rl.close();
   }
 }
-async function promptRepoConnection() {
+async function promptRepoConnection(opts) {
   const localRepo = detectGitRepo();
+  if (opts?.linkRepo !== void 0) {
+    if (opts.linkRepo && localRepo) {
+      try {
+        const existing = await listProjects();
+        const alreadyLinked = existing.some(
+          (p) => p.repos?.some((r) => r.full_name === localRepo.fullName)
+        );
+        if (!alreadyLinked) {
+          await createProject(localRepo.shortName, [{ full_name: localRepo.fullName }]);
+          console.log(`  \u2713 Created project "${localRepo.shortName}" linked to ${localRepo.fullName}`);
+        } else {
+          console.log(`  \u2713 ${localRepo.fullName} is already linked to a Synkro project.`);
+        }
+      } catch (err) {
+        console.warn(`  \u26A0 Could not link repo: ${err.message}`);
+      }
+    } else if (opts.linkRepo) {
+      console.warn("  \u26A0 --link-repo specified but not in a git repo. Skipping.");
+    }
+    console.log();
+    return;
+  }
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   try {
     console.log("Connect repos to Synkro:\n");
@@ -2829,16 +2853,227 @@ var init_repoConnect = __esm({
   }
 });
+// cli/commands/setupGithub.ts
+var setupGithub_exports = {};
+__export(setupGithub_exports, {
+  setupGithubCommand: () => setupGithubCommand
+});
+import { createInterface as createInterface2 } from "readline/promises";
+import { stdin as input, stdout as output } from "process";
+import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
+function readConfig() {
+  if (!existsSync6(CONFIG_PATH)) return {};
+  const out = {};
+  for (const line of readFileSync4(CONFIG_PATH, "utf-8").split("\n")) {
+    const t = line.trim();
+    if (!t || t.startsWith("#")) continue;
+    const eq = t.indexOf("=");
+    if (eq > 0) out[t.slice(0, eq).trim()] = t.slice(eq + 1).trim();
+  }
+  return out;
+}
+async function prompt(rl, q, opts = {}) {
+  if (opts.silent) {
+    process.stdout.write(q);
+    const wasRaw = process.stdin.isRaw;
+    if (process.stdin.setRawMode) process.stdin.setRawMode(true);
+    return await new Promise((resolve2) => {
+      let chunk = "";
+      const onData = (data) => {
+        const s = data.toString("utf-8");
+        if (s === "\r" || s === "\n" || s === "\r\n") {
+          process.stdin.removeListener("data", onData);
+          if (process.stdin.setRawMode) process.stdin.setRawMode(wasRaw ?? false);
+          process.stdout.write("\n");
+          resolve2(chunk);
+          return;
+        }
+        if (s === "") {
+          process.exit(130);
+        }
+        if (s === "\x7F" || s === "\b") {
+          chunk = chunk.slice(0, -1);
+          return;
+        }
+        chunk += s;
+      };
+      process.stdin.on("data", onData);
+    });
+  }
+  return await rl.question(q);
+}
+async function setupGithubCommand(opts = {}) {
+  if (!isAuthenticated()) {
+    console.error("Not authenticated. Run `synkro-cli login` first.");
+    process.exit(1);
+  }
+  const config2 = readConfig();
+  const gatewayUrl = (config2.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const jwt2 = getAccessToken();
+  if (!jwt2) {
+    console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro-cli login`.");
+    process.exit(1);
+  }
+  console.log("Requesting CI API key from Synkro...");
+  let synkroCiApiKey;
+  try {
+    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${jwt2}`,
+        "Content-Type": "application/json"
+      },
+      body: "{}"
+    });
+    if (!resp.ok) {
+      const errText = await resp.text().catch(() => "");
+      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
+      process.exit(1);
+    }
+    const minted = await resp.json();
+    synkroCiApiKey = minted.api_key;
+    console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
+  } catch (err) {
+    console.error(`Failed to mint CI API key: ${err.message}`);
+    process.exit(1);
+  }
+  const rl = createInterface2({ input, output });
+  let ghToken = opts.githubToken || "";
+  if (!ghToken) {
+    console.log("Synkro PR scan setup\n");
+    console.log("Requirements:");
+    console.log("  \u2022 A GitHub personal access token with `repo` scope");
+    console.log("    (create at https://github.com/settings/tokens?type=beta)\n");
+    ghToken = (await prompt(rl, "GitHub token (paste): ", { silent: true })).trim();
+  }
+  if (!ghToken || !ghToken.startsWith("ghp_") && !ghToken.startsWith("github_pat_")) {
+    console.error("Invalid GitHub token format. Expected ghp_... or github_pat_...");
+    rl.close();
+    process.exit(1);
+  }
+  let claudeToken = opts.claudeOauthToken || "";
+  if (!claudeToken && !opts.skipClaudeToken) {
+    try {
+      const { execSync: execSync5 } = await import("child_process");
+      console.log("\nGenerating Claude Code OAuth token \u2014 complete the browser auth...");
+      const tokenOutput = execSync5("claude setup-token", {
+        encoding: "utf-8",
+        timeout: 12e4,
+        stdio: ["inherit", "pipe", "inherit"]
+      }).trim();
+      const tokenLine = tokenOutput.split("\n").find((l) => l.includes("sk-ant-oat01-"));
+      claudeToken = tokenLine?.match(/(sk-ant-oat01-[A-Za-z0-9_-]+)/)?.[1] || "";
+      if (claudeToken) {
+        console.log("  \u2713 Captured Claude Code OAuth token.\n");
+      } else {
+        console.warn("  \u26A0 Could not capture token. PR scans will use BYOK inference only.\n");
+      }
+    } catch {
+      console.warn("  \u26A0 claude setup-token failed. PR scans will use BYOK inference only.\n");
+    }
+  }
+  console.log("\nFetching accessible repos...");
+  const repos = await listAccessibleRepos({ token: ghToken });
+  if (repos.length === 0) {
+    console.error("No accessible repos found. Verify the GitHub token has `repo` scope.");
+    rl.close();
+    process.exit(1);
+  }
+  console.log(`
+Found ${repos.length} accessible repo(s):
+`);
+  repos.slice(0, 100).forEach((r, i) => {
+    console.log(`  ${String(i + 1).padStart(3)}.  ${r.full_name}`);
+  });
+  console.log();
+  const selectionRaw = await prompt(rl, "Select repos to enable (comma-separated numbers, e.g. 1,3,5): ");
+  const selectedIdx = selectionRaw.split(",").map((s) => parseInt(s.trim(), 10) - 1).filter((n) => !isNaN(n) && n >= 0 && n < repos.length);
+  if (selectedIdx.length === 0) {
+    console.error("No valid selections.");
+    rl.close();
+    process.exit(1);
+  }
+  const selected = selectedIdx.map((i) => repos[i]);
+  console.log(`
+Will push secrets to ${selected.length} repo(s):`);
+  for (const r of selected) console.log(`  \u2022 ${r.full_name}`);
+  console.log();
+  const confirm = (await prompt(rl, "Continue? (yes/no): ")).trim().toLowerCase();
+  if (confirm !== "yes" && confirm !== "y") {
+    console.log("Cancelled.");
+    rl.close();
+    process.exit(0);
+  }
+  rl.close();
+  console.log();
+  for (const r of selected) {
+    process.stdout.write(`Pushing secrets to ${r.full_name}... `);
+    try {
+      await pushSecretsToRepo(
+        { token: ghToken },
+        r.owner,
+        r.repo,
+        {
+          claudeCodeOauthToken: claudeToken,
+          synkroApiKey: synkroCiApiKey
+        }
+      );
+      console.log("\u2713");
+    } catch (err) {
+      console.log(`\u2717 (${err.message})`);
+    }
+  }
+  console.log();
+  const gitRoot = findGitRoot(process.cwd());
+  if (gitRoot) {
+    const written = writeWorkflowFile(gitRoot);
+    if (written) {
+      console.log(`Wrote workflow: ${written}`);
+      console.log("Commit and push it to enable PR scanning.");
+    }
+  } else {
+    console.log("Not in a git repo. To enable scanning, add this file to your repo:");
+    console.log(`  Path: ${WORKFLOW_RELATIVE_PATH}`);
+    console.log(`  Content: run \`synkro-cli setup-github\` from inside a repo to write it automatically`);
+  }
+  console.log();
+  console.log("\u2713 PR scan setup complete.");
+  console.log(`Secrets pushed: ${SECRET_NAMES.CLAUDE_OAUTH}, ${SECRET_NAMES.SYNKRO_API_KEY}`);
+  console.log("Open a PR on any selected repo to trigger your first Synkro scan.");
+}
+var SYNKRO_DIR, CONFIG_PATH;
+var init_setupGithub = __esm({
+  "cli/commands/setupGithub.ts"() {
+    "use strict";
+    init_githubSetup();
+    init_stub();
+    SYNKRO_DIR = join5(homedir4(), ".synkro");
+    CONFIG_PATH = join5(SYNKRO_DIR, "config.env");
+  }
+});
 // cli/commands/install.ts
 var install_exports = {};
 __export(install_exports, {
   installCommand: () => installCommand,
   parseArgs: () => parseArgs
 });
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5, chmodSync, readFileSync as readFileSync4, readdirSync } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join5 } from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5, chmodSync, readFileSync as readFileSync5, readdirSync } from "fs";
+import { createInterface as createInterface3 } from "readline/promises";
+import { stdin as stdinStream, stdout as stdoutStream } from "process";
+import { homedir as homedir5 } from "os";
+import { join as join6 } from "path";
 import { execSync as execSync3 } from "child_process";
+async function promptYesNo(question, defaultYes = true) {
+  const rl = createInterface3({ input: stdinStream, output: stdoutStream });
+  const suffix = defaultYes ? "[Y/n]" : "[y/N]";
+  const answer = (await rl.question(`${question} ${suffix} `)).trim().toLowerCase();
+  rl.close();
+  if (answer === "") return defaultYes;
+  return answer === "y" || answer === "yes";
+}
 function sanitizeGatewayCandidate(raw) {
   if (!raw) return void 0;
   return /^https?:\/\//.test(raw) ? raw : void 0;
@@ -2851,6 +3086,17 @@ function parseArgs(argv) {
     else if (a === "--skip-auth") opts.skipAuth = true;
     else if (a === "--no-mcp") opts.noMcp = true;
     else if (a === "--force" || a === "-f") opts.force = true;
+    else if (a === "--non-interactive") opts.nonInteractive = true;
+    else if (a === "--link-repo") opts.linkRepo = true;
+    else if (a === "--sync-transcripts") opts.syncTranscripts = true;
+    else if (a === "--no-sync-transcripts") opts.syncTranscripts = false;
+    else if (a === "--pr-scan=claude-oauth") opts.prScan = "claude-oauth";
+    else if (a === "--pr-scan=byok") opts.prScan = "byok";
+    else if (a === "--pr-scan=skip") opts.prScan = "skip";
+    else if (a.startsWith("--pr-scan=")) opts.prScan = a.slice("--pr-scan=".length);
+    else if (a.startsWith("--inference-key=")) opts.inferenceKey = a.slice("--inference-key=".length);
+    else if (a.startsWith("--inference-model=")) opts.inferenceModel = a.slice("--inference-model=".length);
+    else if (a.startsWith("--github-token=")) opts.githubToken = a.slice("--github-token=".length);
   }
   if (!opts.gatewayUrl) {
     const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
@@ -2859,7 +3105,7 @@ function parseArgs(argv) {
   return opts;
 }
 function ensureSynkroDir() {
-  mkdirSync5(SYNKRO_DIR, { recursive: true });
+  mkdirSync5(SYNKRO_DIR2, { recursive: true });
   mkdirSync5(HOOKS_DIR, { recursive: true });
   mkdirSync5(BIN_DIR, { recursive: true });
   mkdirSync5(OFFSETS_DIR, { recursive: true });
@@ -2873,13 +3119,13 @@ function writeGraderDaemon() {
   chmodSync(GRADER_PRIMER_BASH_PATH, 420);
 }
 function writeHookScripts() {
-  const bashScriptPath = join5(HOOKS_DIR, "cc-bash-judge.sh");
-  const bashFollowupScriptPath = join5(HOOKS_DIR, "cc-bash-followup.sh");
-  const editCaptureScriptPath = join5(HOOKS_DIR, "cc-edit-capture.sh");
-  const editPrecheckScriptPath = join5(HOOKS_DIR, "cc-edit-precheck.sh");
-  const stopSummaryScriptPath = join5(HOOKS_DIR, "cc-stop-summary.sh");
-  const sessionStartScriptPath = join5(HOOKS_DIR, "cc-session-start.sh");
-  const transcriptSyncScriptPath = join5(HOOKS_DIR, "cc-transcript-sync.sh");
+  const bashScriptPath = join6(HOOKS_DIR, "cc-bash-judge.sh");
+  const bashFollowupScriptPath = join6(HOOKS_DIR, "cc-bash-followup.sh");
+  const editCaptureScriptPath = join6(HOOKS_DIR, "cc-edit-capture.sh");
+  const editPrecheckScriptPath = join6(HOOKS_DIR, "cc-edit-precheck.sh");
+  const stopSummaryScriptPath = join6(HOOKS_DIR, "cc-stop-summary.sh");
+  const sessionStartScriptPath = join6(HOOKS_DIR, "cc-session-start.sh");
+  const transcriptSyncScriptPath = join6(HOOKS_DIR, "cc-transcript-sync.sh");
   writeFileSync5(bashScriptPath, CC_BASH_JUDGE_SCRIPT, "utf-8");
   writeFileSync5(bashFollowupScriptPath, CC_BASH_FOLLOWUP_SCRIPT, "utf-8");
   writeFileSync5(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
@@ -2912,7 +3158,7 @@ function shellQuoteSingle(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
 function writeConfigEnv(opts) {
-  const credsPath = join5(SYNKRO_DIR, "credentials.json");
+  const credsPath = join6(SYNKRO_DIR2, "credentials.json");
   const safeGateway = sanitizeConfigValue(opts.gatewayUrl);
   const safeUserId = sanitizeConfigValue(opts.userId);
   const safeOrgId = sanitizeConfigValue(opts.orgId);
@@ -2925,14 +3171,14 @@ function writeConfigEnv(opts) {
     `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.3.7")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.3.9")}`
   ];
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
   if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
   if (safeEmail) lines.push(`SYNKRO_EMAIL=${shellQuoteSingle(safeEmail)}`);
   lines.push("");
-  writeFileSync5(CONFIG_PATH, lines.join("\n"), "utf-8");
-  chmodSync(CONFIG_PATH, 384);
+  writeFileSync5(CONFIG_PATH2, lines.join("\n"), "utf-8");
+  chmodSync(CONFIG_PATH2, 384);
 }
 function assertGatewayAllowed(gatewayUrl) {
   let parsed;
@@ -2957,19 +3203,19 @@ function assertGatewayAllowed(gatewayUrl) {
 }
 function isAlreadyInstalled() {
   const requiredScripts = [
-    join5(HOOKS_DIR, "cc-bash-judge.sh"),
-    join5(HOOKS_DIR, "cc-bash-followup.sh"),
-    join5(HOOKS_DIR, "cc-edit-precheck.sh"),
-    join5(HOOKS_DIR, "cc-edit-capture.sh"),
-    join5(HOOKS_DIR, "cc-stop-summary.sh"),
-    join5(HOOKS_DIR, "cc-session-start.sh")
+    join6(HOOKS_DIR, "cc-bash-judge.sh"),
+    join6(HOOKS_DIR, "cc-bash-followup.sh"),
+    join6(HOOKS_DIR, "cc-edit-precheck.sh"),
+    join6(HOOKS_DIR, "cc-edit-capture.sh"),
+    join6(HOOKS_DIR, "cc-stop-summary.sh"),
+    join6(HOOKS_DIR, "cc-session-start.sh")
   ];
-  if (!requiredScripts.every((p) => existsSync6(p))) return false;
-  if (!existsSync6(CONFIG_PATH)) return false;
-  const settingsPath = join5(homedir4(), ".claude", "settings.json");
-  if (!existsSync6(settingsPath)) return false;
+  if (!requiredScripts.every((p) => existsSync7(p))) return false;
+  if (!existsSync7(CONFIG_PATH2)) return false;
+  const settingsPath = join6(homedir5(), ".claude", "settings.json");
+  if (!existsSync7(settingsPath)) return false;
   try {
-    const settings = JSON.parse(readFileSync4(settingsPath, "utf-8"));
+    const settings = JSON.parse(readFileSync5(settingsPath, "utf-8"));
     const hooks = settings?.hooks;
     if (!hooks || typeof hooks !== "object") return false;
     const hasManaged = (kind) => Array.isArray(hooks[kind]) && hooks[kind].some((entry) => entry?.__synkro_managed__ === true);
@@ -3028,7 +3274,11 @@ async function installCommand(opts = {}) {
     console.error("No access token available after auth.");
     process.exit(1);
   }
-  await promptRepoConnection();
+  if (opts.nonInteractive) {
+    await promptRepoConnection({ linkRepo: opts.linkRepo ?? true });
+  } else {
+    await promptRepoConnection();
+  }
   const agents = detectAgents();
   if (agents.length === 0) {
     console.error("No AI coding agents detected. Install Claude Code first: https://docs.claude.com/claude-code");
@@ -3052,9 +3302,9 @@ async function installCommand(opts = {}) {
 `);
   writeGraderDaemon();
   for (const mode of ["edit", "bash"]) {
-    const pidFile = join5(SYNKRO_DIR, "daemon", mode, "daemon.pid");
+    const pidFile = join6(SYNKRO_DIR2, "daemon", mode, "daemon.pid");
     try {
-      const pid = parseInt(readFileSync4(pidFile, "utf-8").trim(), 10);
+      const pid = parseInt(readFileSync5(pidFile, "utf-8").trim(), 10);
       if (pid > 0) {
         process.kill(pid, "SIGTERM");
         console.log(`Stopped stale ${mode} daemon (pid ${pid})`);
@@ -3122,38 +3372,158 @@ async function installCommand(opts = {}) {
   } catch {
   }
   writeConfigEnv({ gatewayUrl, userId, orgId, email });
-  console.log(`Wrote config to ${CONFIG_PATH}
+  console.log(`Wrote config to ${CONFIG_PATH2}
+`);
+  const repo = detectGitRepo2();
+  if (repo && getClaudeProjectsFolder()) {
+    const syncHistory = opts.nonInteractive ? opts.syncTranscripts ?? true : await promptYesNo("Sync Claude Code session history for this repo?");
+    if (syncHistory) {
+      try {
+        const ingested = await ingestSessionTranscripts(gatewayUrl, token, repo);
+        if (ingested > 0) {
+          console.log(`Indexed ${ingested} session insights from Claude Code history for ${repo}.`);
+          console.log("  This helps the safety judge understand your workflow.\n");
+        }
+      } catch (err) {
+        console.warn(`  \u26A0 Session indexing skipped: ${err.message}
 `);
-  try {
-    const repo = detectGitRepo2();
-    if (repo) {
-      const ingested = await ingestSessionTranscripts(gatewayUrl, token, repo);
-      if (ingested > 0) {
-        console.log(`Indexed ${ingested} session insights from Claude Code history for ${repo}.`);
-        console.log("  This helps the safety judge understand your workflow.\n");
       }
-    }
-  } catch (err) {
-    console.warn(`  \u26A0 Session indexing skipped: ${err.message}
+      try {
+        const result = await syncTranscriptsBulk(gatewayUrl, token, repo);
+        if (result.messages > 0) {
+          console.log(`Synced ${result.sessions} sessions (${result.messages} messages) from Claude Code history.`);
+          console.log("  This data will be used to suggest guardrail rules.\n");
+        }
+      } catch (err) {
+        console.warn(`  \u26A0 Transcript sync skipped: ${err.message}
 `);
+      }
+    } else {
+      console.log("  Skipped session history sync.\n");
+    }
   }
-  try {
-    const repo = detectGitRepo2();
-    if (repo) {
-      const result = await syncTranscriptsBulk(gatewayUrl, token, repo);
-      if (result.messages > 0) {
-        console.log(`Synced ${result.sessions} sessions (${result.messages} messages) from Claude Code history.`);
-        console.log("  This data will be used to suggest guardrail rules.\n");
+  function detectProviderFromKey(key) {
+    if (key.startsWith("sk-ant-")) return "anthropic";
+    if (key.startsWith("sk-") || key.startsWith("sk-proj-")) return "openai";
+    if (key.startsWith("AIza")) return "gemini";
+    return null;
+  }
+  const PROVIDER_MODELS = {
+    anthropic: ["claude-sonnet-4-6", "claude-opus-4-6", "claude-haiku-4-5"],
+    openai: ["gpt-5.5", "gpt-5.4", "gpt-5.4-mini"],
+    gemini: ["gemini-3.1-pro-preview", "gemini-3-flash-preview", "gemini-3.1-flash-lite-preview"]
+  };
+  if (repo) {
+    let ghConnected = false;
+    let ghLogin = "";
+    try {
+      const resp = await fetch(`${gatewayUrl}/api/v1/integrations/github/connect`, {
+        headers: { "Authorization": `Bearer ${token}` }
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        ghConnected = data.connected;
+        ghLogin = data.github_login || "";
       }
+    } catch {
     }
-  } catch (err) {
-    console.warn(`  \u26A0 Transcript sync skipped: ${err.message}
+    if (ghConnected) {
+      console.log(`GitHub is connected (${ghLogin || "linked via dashboard"}).`);
+    }
+    const prScanChoice = opts.nonInteractive ? opts.prScan ?? "skip" : null;
+    const setupGh = prScanChoice !== null ? prScanChoice !== "skip" : await promptYesNo("Set up GitHub PR scanning?");
+    if (setupGh) {
+      let choice;
+      if (prScanChoice) {
+        choice = prScanChoice === "claude-oauth" ? "1" : prScanChoice === "byok" ? "2" : "3";
+      } else {
+        const rl = createInterface3({ input: stdinStream, output: stdoutStream });
+        console.log("\nHow should PR scans authenticate for AI review?\n");
+        console.log("  1. Claude Code OAuth  \u2014 opens browser, auto-captures token");
+        console.log("  2. Use your own API key  \u2014 paste an Anthropic, OpenAI, or Gemini key");
+        console.log("  3. Skip for now\n");
+        choice = (await rl.question("Choice [1/2/3]: ")).trim();
+        rl.close();
+      }
+      if (choice === "1") {
+        try {
+          await setupGithubCommand({ githubToken: opts.githubToken });
+        } catch (err) {
+          console.warn(`  \u26A0 GitHub setup failed: ${err.message}`);
+          console.warn("  Run `synkro-cli setup-github` to retry.\n");
+        }
+      } else if (choice === "2") {
+        let apiKey = opts.inferenceKey || "";
+        if (!apiKey) {
+          const rl2 = createInterface3({ input: stdinStream, output: stdoutStream });
+          apiKey = (await rl2.question("Paste your API key: ")).trim();
+          rl2.close();
+        }
+        if (apiKey) {
+          const provider = detectProviderFromKey(apiKey);
+          if (provider) {
+            let selectedModel = opts.inferenceModel || "";
+            if (!selectedModel) {
+              const models = PROVIDER_MODELS[provider];
+              console.log(`
+  Detected provider: ${provider}`);
+              console.log("  Select a model for classification + grading:\n");
+              models.forEach((m, i) => console.log(`    ${i + 1}. ${m}`));
+              console.log();
+              const rl3 = createInterface3({ input: stdinStream, output: stdoutStream });
+              const modelChoice = (await rl3.question(`  Model [1-${models.length}]: `)).trim();
+              rl3.close();
+              const modelIdx = parseInt(modelChoice, 10) - 1;
+              selectedModel = modelIdx >= 0 && modelIdx < models.length ? models[modelIdx] : models[0];
+            }
+            console.log(`  Using: ${selectedModel}`);
+            try {
+              const resp = await fetch(`${gatewayUrl}/api/v1/settings/inference`, {
+                method: "PUT",
+                headers: {
+                  "Authorization": `Bearer ${token}`,
+                  "Content-Type": "application/json"
+                },
+                body: JSON.stringify({
+                  providers: { [provider]: { api_key: apiKey } },
+                  roles: {
+                    classification: { provider, model: selectedModel },
+                    grading: { provider, model: selectedModel }
+                  }
+                })
+              });
+              if (resp.ok) {
+                console.log(`  \u2713 Saved ${provider} key and configured classification + grading with ${selectedModel}.
+`);
+              } else {
+                const err = await resp.text().catch(() => "");
+                console.warn(`  \u26A0 Failed to save key: ${err.slice(0, 200)}
 `);
+              }
+            } catch (err) {
+              console.warn(`  \u26A0 Failed to save key: ${err.message}
+`);
+            }
+          } else {
+            console.warn("  \u26A0 Could not detect provider from key format. Configure manually in the dashboard.\n");
+          }
+        }
+        try {
+          await setupGithubCommand({ skipClaudeToken: true, githubToken: opts.githubToken });
+        } catch (err) {
+          console.warn(`  \u26A0 GitHub setup failed: ${err.message}`);
+          console.warn("  Run `synkro-cli setup-github` to retry.\n");
+        }
+      } else {
+        console.log("  Skipped. Run `synkro-cli setup-github` anytime to enable PR scanning.\n");
+      }
+    } else {
+      console.log("  Skipped. Run `synkro-cli setup-github` anytime to enable PR scanning.\n");
+    }
   }
   console.log("\u2713 Synkro installed.");
   console.log();
   console.log("Next steps:");
-  console.log("  \u2022 synkro-cli setup-github   (enable PR scanning)");
   console.log("  \u2022 synkro-cli status         (check what is configured)");
 }
 function detectGitRepo2() {
@@ -3168,17 +3538,17 @@ function detectGitRepo2() {
 function getClaudeProjectsFolder() {
   const cwd = process.cwd();
   const sanitized = cwd.replace(/\//g, "-");
-  const projectsDir = join5(homedir4(), ".claude", "projects", sanitized);
-  return existsSync6(projectsDir) ? projectsDir : null;
+  const projectsDir = join6(homedir5(), ".claude", "projects", sanitized);
+  return existsSync7(projectsDir) ? projectsDir : null;
 }
 function extractSessionInsights(projectsDir) {
   const insights = [];
   const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
   for (const file of files) {
     const sessionId = file.replace(".jsonl", "");
-    const filePath = join5(projectsDir, file);
+    const filePath = join6(projectsDir, file);
     try {
-      const content = readFileSync4(filePath, "utf-8");
+      const content = readFileSync5(filePath, "utf-8");
       const lines = content.split("\n").filter(Boolean);
       for (let i = 0; i < lines.length; i++) {
         try {
@@ -3254,7 +3624,7 @@ function extractTextContent(content) {
   return "";
 }
 function parseTranscriptFile(filePath) {
-  const content = readFileSync4(filePath, "utf-8");
+  const content = readFileSync5(filePath, "utf-8");
   const lines = content.split("\n").filter(Boolean);
   const messages = [];
   for (let i = 0; i < lines.length; i++) {
@@ -3305,7 +3675,7 @@ async function syncTranscriptsBulk(gatewayUrl, token, repo) {
     const sessions = [];
     for (const file of batch) {
       const sessionId = file.replace(".jsonl", "");
-      const filePath = join5(projectsDir, file);
+      const filePath = join6(projectsDir, file);
       try {
         const allMessages = parseTranscriptFile(filePath);
         const messages = allMessages.length > maxMessagesPerSession ? allMessages.slice(-maxMessagesPerSession) : allMessages;
@@ -3334,18 +3704,18 @@ async function syncTranscriptsBulk(gatewayUrl, token, repo) {
     }
     for (const file of batch) {
       const sessionId = file.replace(".jsonl", "");
-      const filePath = join5(projectsDir, file);
+      const filePath = join6(projectsDir, file);
       try {
-        const content = readFileSync4(filePath, "utf-8");
+        const content = readFileSync5(filePath, "utf-8");
         const lineCount = content.split("\n").filter(Boolean).length;
-        writeFileSync5(join5(OFFSETS_DIR, sessionId), String(lineCount), "utf-8");
+        writeFileSync5(join6(OFFSETS_DIR, sessionId), String(lineCount), "utf-8");
       } catch {
       }
     }
   }
   return { sessions: totalSessions, messages: totalMessages };
 }
-var SYNKRO_DIR, HOOKS_DIR, BIN_DIR, CONFIG_PATH, GRADER_DAEMON_PATH, GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_BASH_PATH, OFFSETS_DIR;
+var SYNKRO_DIR2, HOOKS_DIR, BIN_DIR, CONFIG_PATH2, GRADER_DAEMON_PATH, GRADER_PRIMER_EDIT_PATH, GRADER_PRIMER_BASH_PATH, OFFSETS_DIR;
 var init_install = __esm({
   "cli/commands/install.ts"() {
     "use strict";
@@ -3356,14 +3726,15 @@ var init_install = __esm({
     init_graderDaemon();
     init_stub();
     init_repoConnect();
-    SYNKRO_DIR = join5(homedir4(), ".synkro");
-    HOOKS_DIR = join5(SYNKRO_DIR, "hooks");
-    BIN_DIR = join5(SYNKRO_DIR, "bin");
-    CONFIG_PATH = join5(SYNKRO_DIR, "config.env");
-    GRADER_DAEMON_PATH = join5(BIN_DIR, "grader_daemon.py");
-    GRADER_PRIMER_EDIT_PATH = join5(SYNKRO_DIR, "grader-primer-edit.txt");
-    GRADER_PRIMER_BASH_PATH = join5(SYNKRO_DIR, "grader-primer-bash.txt");
-    OFFSETS_DIR = join5(SYNKRO_DIR, ".transcript-offsets");
+    init_setupGithub();
+    SYNKRO_DIR2 = join6(homedir5(), ".synkro");
+    HOOKS_DIR = join6(SYNKRO_DIR2, "hooks");
+    BIN_DIR = join6(SYNKRO_DIR2, "bin");
+    CONFIG_PATH2 = join6(SYNKRO_DIR2, "config.env");
+    GRADER_DAEMON_PATH = join6(BIN_DIR, "grader_daemon.py");
+    GRADER_PRIMER_EDIT_PATH = join6(SYNKRO_DIR2, "grader-primer-edit.txt");
+    GRADER_PRIMER_BASH_PATH = join6(SYNKRO_DIR2, "grader-primer-bash.txt");
+    OFFSETS_DIR = join6(SYNKRO_DIR2, ".transcript-offsets");
   }
 });
@@ -3439,13 +3810,13 @@ var status_exports = {};
 __export(status_exports, {
   statusCommand: () => statusCommand
 });
-import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join6 } from "path";
+import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join7 } from "path";
 function readConfigEnv() {
-  if (!existsSync7(CONFIG_PATH2)) return {};
+  if (!existsSync8(CONFIG_PATH3)) return {};
   const out = {};
-  const raw = readFileSync5(CONFIG_PATH2, "utf-8");
+  const raw = readFileSync6(CONFIG_PATH3, "utf-8");
   for (const line of raw.split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -3476,10 +3847,10 @@ function statusCommand() {
   console.log(`  tier:        ${config2.SYNKRO_TIER ?? "(unset)"}`);
   const info2 = getUserInfo();
   const userId = info2?.id ?? config2.SYNKRO_USER_ID ?? "default";
-  const tierCacheFile = join6(SYNKRO_DIR2, `.tier-cache-${userId}`);
+  const tierCacheFile = join7(SYNKRO_DIR3, `.tier-cache-${userId}`);
   let inferenceTier = config2.SYNKRO_INFERENCE_TIER || null;
-  if (!inferenceTier && existsSync7(tierCacheFile)) {
-    inferenceTier = readFileSync5(tierCacheFile, "utf-8").trim() || null;
+  if (!inferenceTier && existsSync8(tierCacheFile)) {
+    inferenceTier = readFileSync6(tierCacheFile, "utf-8").trim() || null;
   }
   const tierLabel = inferenceTier === "fast" ? "'fast' (server-side grading)" : inferenceTier === "free" ? "'free' (local daemon grading)" : "(unknown \u2014 fires on next hook)";
   console.log(`  inference:   ${tierLabel}`);
@@ -3506,19 +3877,19 @@ function statusCommand() {
     }
   }
   console.log();
-  const bashScript = join6(SYNKRO_DIR2, "hooks", "cc-bash-judge.sh");
-  const bashFollowupScript = join6(SYNKRO_DIR2, "hooks", "cc-bash-followup.sh");
-  const editPrecheckScript = join6(SYNKRO_DIR2, "hooks", "cc-edit-precheck.sh");
-  const editCaptureScript = join6(SYNKRO_DIR2, "hooks", "cc-edit-capture.sh");
-  const stopSummaryScript = join6(SYNKRO_DIR2, "hooks", "cc-stop-summary.sh");
-  const sessionStartScript = join6(SYNKRO_DIR2, "hooks", "cc-session-start.sh");
+  const bashScript = join7(SYNKRO_DIR3, "hooks", "cc-bash-judge.sh");
+  const bashFollowupScript = join7(SYNKRO_DIR3, "hooks", "cc-bash-followup.sh");
+  const editPrecheckScript = join7(SYNKRO_DIR3, "hooks", "cc-edit-precheck.sh");
+  const editCaptureScript = join7(SYNKRO_DIR3, "hooks", "cc-edit-capture.sh");
+  const stopSummaryScript = join7(SYNKRO_DIR3, "hooks", "cc-stop-summary.sh");
+  const sessionStartScript = join7(SYNKRO_DIR3, "hooks", "cc-session-start.sh");
   console.log("Hook scripts:");
-  console.log(`  ${existsSync7(bashScript) ? "\u2713" : "\u2717"} ${bashScript}`);
-  console.log(`  ${existsSync7(bashFollowupScript) ? "\u2713" : "\u2717"} ${bashFollowupScript}`);
-  console.log(`  ${existsSync7(editPrecheckScript) ? "\u2713" : "\u2717"} ${editPrecheckScript}`);
-  console.log(`  ${existsSync7(editCaptureScript) ? "\u2713" : "\u2717"} ${editCaptureScript}`);
-  console.log(`  ${existsSync7(stopSummaryScript) ? "\u2713" : "\u2717"} ${stopSummaryScript}`);
-  console.log(`  ${existsSync7(sessionStartScript) ? "\u2713" : "\u2717"} ${sessionStartScript}`);
+  console.log(`  ${existsSync8(bashScript) ? "\u2713" : "\u2717"} ${bashScript}`);
+  console.log(`  ${existsSync8(bashFollowupScript) ? "\u2713" : "\u2717"} ${bashFollowupScript}`);
+  console.log(`  ${existsSync8(editPrecheckScript) ? "\u2713" : "\u2717"} ${editPrecheckScript}`);
+  console.log(`  ${existsSync8(editCaptureScript) ? "\u2713" : "\u2717"} ${editCaptureScript}`);
+  console.log(`  ${existsSync8(stopSummaryScript) ? "\u2713" : "\u2717"} ${stopSummaryScript}`);
+  console.log(`  ${existsSync8(sessionStartScript) ? "\u2713" : "\u2717"} ${sessionStartScript}`);
   console.log();
   const mcp = inspectMcpConfig();
   console.log("Guardrails MCP server (Claude Code):");
@@ -3530,7 +3901,7 @@ function statusCommand() {
     console.log(`    expected at ${mcp.configPath} \u2192 mcpServers.synkro-guardrails`);
   }
 }
-var SYNKRO_DIR2, CONFIG_PATH2;
+var SYNKRO_DIR3, CONFIG_PATH3;
 var init_status = __esm({
   "cli/commands/status.ts"() {
     "use strict";
@@ -3538,8 +3909,8 @@ var init_status = __esm({
     init_agentDetect();
     init_ccHookConfig();
     init_mcpConfig();
-    SYNKRO_DIR2 = join6(homedir5(), ".synkro");
-    CONFIG_PATH2 = join6(SYNKRO_DIR2, "config.env");
+    SYNKRO_DIR3 = join7(homedir6(), ".synkro");
+    CONFIG_PATH3 = join7(SYNKRO_DIR3, "config.env");
   }
 });
@@ -3569,7 +3940,7 @@ var unlink_exports = {};
 __export(unlink_exports, {
   unlinkCommand: () => unlinkCommand
 });
-import { createInterface as createInterface2 } from "readline";
+import { createInterface as createInterface4 } from "readline";
 function ask2(rl, question) {
   return new Promise((resolve2) => rl.question(question, resolve2));
 }
@@ -3597,7 +3968,7 @@ async function unlinkCommand() {
     console.log(`  ${i + 1}. ${r.fullName} (${r.projectName})`);
   });
   console.log();
-  const rl = createInterface2({ input: process.stdin, output: process.stdout });
+  const rl = createInterface4({ input: process.stdin, output: process.stdout });
   try {
     const selection = await ask2(rl, "  Select repos to unlink (comma-separated numbers): ");
     const indices = selection.split(",").map((s) => parseInt(s.trim(), 10) - 1).filter((n) => !isNaN(n) && n >= 0 && n < linked.length);
@@ -3623,194 +3994,6 @@ var init_unlink = __esm({
   }
 });
-// cli/commands/setupGithub.ts
-var setupGithub_exports = {};
-__export(setupGithub_exports, {
-  setupGithubCommand: () => setupGithubCommand
-});
-import { createInterface as createInterface3 } from "readline/promises";
-import { stdin as input, stdout as output } from "process";
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join7 } from "path";
-function readConfig() {
-  if (!existsSync8(CONFIG_PATH3)) return {};
-  const out = {};
-  for (const line of readFileSync6(CONFIG_PATH3, "utf-8").split("\n")) {
-    const t = line.trim();
-    if (!t || t.startsWith("#")) continue;
-    const eq = t.indexOf("=");
-    if (eq > 0) out[t.slice(0, eq).trim()] = t.slice(eq + 1).trim();
-  }
-  return out;
-}
-async function prompt(rl, q, opts = {}) {
-  if (opts.silent) {
-    process.stdout.write(q);
-    const wasRaw = process.stdin.isRaw;
-    if (process.stdin.setRawMode) process.stdin.setRawMode(true);
-    return await new Promise((resolve2) => {
-      let chunk = "";
-      const onData = (data) => {
-        const s = data.toString("utf-8");
-        if (s === "\r" || s === "\n" || s === "\r\n") {
-          process.stdin.removeListener("data", onData);
-          if (process.stdin.setRawMode) process.stdin.setRawMode(wasRaw ?? false);
-          process.stdout.write("\n");
-          resolve2(chunk);
-          return;
-        }
-        if (s === "") {
-          process.exit(130);
-        }
-        if (s === "\x7F" || s === "\b") {
-          chunk = chunk.slice(0, -1);
-          return;
-        }
-        chunk += s;
-      };
-      process.stdin.on("data", onData);
-    });
-  }
-  return await rl.question(q);
-}
-async function setupGithubCommand() {
-  if (!isAuthenticated()) {
-    console.error("Not authenticated. Run `synkro-cli login` first.");
-    process.exit(1);
-  }
-  const config2 = readConfig();
-  const gatewayUrl = (config2.SYNKRO_GATEWAY_URL || process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
-  const jwt2 = getAccessToken();
-  if (!jwt2) {
-    console.error("Could not load access token from ~/.synkro/credentials.json. Run `synkro-cli login`.");
-    process.exit(1);
-  }
-  console.log("Requesting CI API key from Synkro...");
-  let synkroCiApiKey;
-  try {
-    const resp = await fetch(`${gatewayUrl}/api/v1/cli/ci-api-key`, {
-      method: "POST",
-      headers: {
-        "Authorization": `Bearer ${jwt2}`,
-        "Content-Type": "application/json"
-      },
-      body: "{}"
-    });
-    if (!resp.ok) {
-      const errText = await resp.text().catch(() => "");
-      console.error(`Failed to mint CI API key (${resp.status}): ${errText.slice(0, 200)}`);
-      process.exit(1);
-    }
-    const minted = await resp.json();
-    synkroCiApiKey = minted.api_key;
-    console.log(`  \u2713 Issued CI key (${synkroCiApiKey.slice(0, 18)}\u2026), expires ${minted.expires_at.slice(0, 10)}`);
-  } catch (err) {
-    console.error(`Failed to mint CI API key: ${err.message}`);
-    process.exit(1);
-  }
-  const rl = createInterface3({ input, output });
-  console.log("Synkro PR scan setup\n");
-  console.log("Requirements:");
-  console.log("  \u2022 Claude Code Pro or Max subscription (for `claude setup-token`)");
-  console.log("  \u2022 A GitHub personal access token with `repo` scope");
-  console.log("    (create at https://github.com/settings/tokens?type=beta)\n");
-  const ghToken = (await prompt(rl, "GitHub token (paste): ", { silent: true })).trim();
-  if (!ghToken || !ghToken.startsWith("ghp_") && !ghToken.startsWith("github_pat_")) {
-    console.error("Invalid GitHub token format. Expected ghp_... or github_pat_...");
-    rl.close();
-    process.exit(1);
-  }
-  console.log("\nNow get your Claude Code OAuth token:");
-  console.log("  1. In another terminal, run: claude setup-token");
-  console.log("  2. Complete the browser flow");
-  console.log("  3. Copy the resulting sk-ant-oat01-... token\n");
-  const claudeToken = (await prompt(rl, "Claude Code OAuth token (paste): ", { silent: true })).trim();
-  if (!claudeToken.startsWith("sk-ant-oat01-")) {
-    console.error("Invalid token. Expected sk-ant-oat01-... \u2014 generate one with `claude setup-token`.");
-    rl.close();
-    process.exit(1);
-  }
-  console.log("\nFetching accessible repos...");
-  const repos = await listAccessibleRepos({ token: ghToken });
-  if (repos.length === 0) {
-    console.error("No accessible repos found. Verify the GitHub token has `repo` scope.");
-    rl.close();
-    process.exit(1);
-  }
-  console.log(`
-Found ${repos.length} accessible repo(s):
-`);
-  repos.slice(0, 100).forEach((r, i) => {
-    console.log(`  ${String(i + 1).padStart(3)}.  ${r.full_name}`);
-  });
-  console.log();
-  const selectionRaw = await prompt(rl, "Select repos to enable (comma-separated numbers, e.g. 1,3,5): ");
-  const selectedIdx = selectionRaw.split(",").map((s) => parseInt(s.trim(), 10) - 1).filter((n) => !isNaN(n) && n >= 0 && n < repos.length);
-  if (selectedIdx.length === 0) {
-    console.error("No valid selections.");
-    rl.close();
-    process.exit(1);
-  }
-  const selected = selectedIdx.map((i) => repos[i]);
-  console.log(`
-Will push secrets to ${selected.length} repo(s):`);
-  for (const r of selected) console.log(`  \u2022 ${r.full_name}`);
-  console.log();
-  const confirm = (await prompt(rl, "Continue? (yes/no): ")).trim().toLowerCase();
-  if (confirm !== "yes" && confirm !== "y") {
-    console.log("Cancelled.");
-    rl.close();
-    process.exit(0);
-  }
-  rl.close();
-  console.log();
-  for (const r of selected) {
-    process.stdout.write(`Pushing secrets to ${r.full_name}... `);
-    try {
-      await pushSecretsToRepo(
-        { token: ghToken },
-        r.owner,
-        r.repo,
-        {
-          claudeCodeOauthToken: claudeToken,
-          synkroApiKey: synkroCiApiKey
-        }
-      );
-      console.log("\u2713");
-    } catch (err) {
-      console.log(`\u2717 (${err.message})`);
-    }
-  }
-  console.log();
-  const gitRoot = findGitRoot(process.cwd());
-  if (gitRoot) {
-    const written = writeWorkflowFile(gitRoot);
-    if (written) {
-      console.log(`Wrote workflow: ${written}`);
-      console.log("Commit and push it to enable PR scanning.");
-    }
-  } else {
-    console.log("Not in a git repo. To enable scanning, add this file to your repo:");
-    console.log(`  Path: ${WORKFLOW_RELATIVE_PATH}`);
-    console.log(`  Content: run \`synkro-cli setup-github\` from inside a repo to write it automatically`);
-  }
-  console.log();
-  console.log("\u2713 PR scan setup complete.");
-  console.log(`Secrets pushed: ${SECRET_NAMES.CLAUDE_OAUTH}, ${SECRET_NAMES.SYNKRO_API_KEY}`);
-  console.log("Open a PR on any selected repo to trigger your first Synkro scan.");
-}
-var SYNKRO_DIR3, CONFIG_PATH3;
-var init_setupGithub = __esm({
-  "cli/commands/setupGithub.ts"() {
-    "use strict";
-    init_githubSetup();
-    init_stub();
-    SYNKRO_DIR3 = join7(homedir6(), ".synkro");
-    CONFIG_PATH3 = join7(SYNKRO_DIR3, "config.env");
-  }
-});
 // cli/commands/scanPr.ts
 var scanPr_exports = {};
 __export(scanPr_exports, {
@@ -4346,7 +4529,16 @@ Usage:
   synkro <command> [options]       (alias)
 Commands:
-  install [--force]    Install Synkro hooks for detected agents (Claude Code, etc.)
+  install [options]    Install Synkro hooks for detected agents (Claude Code, etc.)
+                       --force              Reinstall from scratch
+                       --non-interactive    Skip all interactive prompts (use flags)
+                       --link-repo          Auto-link the local git repo
+                       --sync-transcripts   Sync CC session history (default in non-interactive)
+                       --no-sync-transcripts  Skip transcript sync
+                       --pr-scan=MODE       PR scan auth: claude-oauth, byok, or skip
+                       --inference-key=KEY  BYOK API key (Anthropic, OpenAI, or Gemini)
+                       --inference-model=M  Model for classification + grading
+                       --github-token=TOK   GitHub PAT for pushing secrets + workflow
   login                Authenticate with Synkro (browser OAuth via WorkOS)
   logout               Clear local credentials
   status               Show current setup state