@synkro-sh/cli 1.4.12 → 1.4.13

package/dist/bootstrap.js

@@ -709,19 +709,10 @@ ensure_fresh_jwt() {
 
 ensure_fresh_jwt
 
-# Parallel fetch: /cli/me + rules in background, wait for both.
-_ME_TMP=$(mktemp -t synkro-me.XXXXXX)
-_RULES_TMP=$(mktemp -t synkro-rules.XXXXXX)
-trap "rm -f \\"$_ME_TMP\\" \\"$_RULES_TMP\\"" EXIT
-curl -sS "\${GATEWAY_URL}/api/v1/cli/me" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_ME_TMP" &
-_ME_PID=$!
-curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_RULES_TMP" &
-_RULES_PID=$!
-wait $_ME_PID 2>/dev/null; wait $_RULES_PID 2>/dev/null
-
-ME_RESP=$(cat "$_ME_TMP" 2>/dev/null || echo "")
-SYNKRO_INFERENCE_TIER=$(echo "$ME_RESP" | jq -r '.tier // empty' 2>/dev/null)
-SYNKRO_CAPTURE_DEPTH=$(echo "$ME_RESP" | jq -r '.capture_depth // empty' 2>/dev/null)
+# Single fetch: /cli/hook-context returns me + rules in one call.
+HOOK_CTX=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/hook-context" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
+SYNKRO_INFERENCE_TIER=$(echo "$HOOK_CTX" | jq -r '.tier // empty' 2>/dev/null)
+SYNKRO_CAPTURE_DEPTH=$(echo "$HOOK_CTX" | jq -r '.capture_depth // empty' 2>/dev/null)
 SYNKRO_INFERENCE_TIER="\${SYNKRO_INFERENCE_TIER:-fast}"
 SYNKRO_CAPTURE_DEPTH="\${SYNKRO_CAPTURE_DEPTH:-local_only}"
 
@@ -733,7 +724,7 @@ fi
 if synkro_channel_up || { [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; }; then
   RULES_CACHE="$HOME/.synkro/.rules-cache-bash"
   RULES_JQ='[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id, text, severity, category}]'
-  ORG_RULES=$(jq -c "$RULES_JQ" "$_RULES_TMP" 2>/dev/null || echo "[]")
+  ORG_RULES=$(echo "$HOOK_CTX" | jq -c "$RULES_JQ" 2>/dev/null || echo "[]")
   if [ -n "$ORG_RULES" ] && [ "$ORG_RULES" != "null" ] && [ "$ORG_RULES" != "[]" ]; then
     printf '%s' "$ORG_RULES" > "$RULES_CACHE" 2>/dev/null || true
   elif [ -f "$RULES_CACHE" ]; then
@@ -1212,26 +1203,17 @@ ensure_fresh_jwt() {
 ensure_fresh_jwt
 
 
-# Parallel fetch: /cli/me + rules in background, wait for both.
-_ME_TMP=$(mktemp -t synkro-me.XXXXXX)
-_RULES_TMP=$(mktemp -t synkro-rules.XXXXXX)
-trap "rm -f \\"$_ME_TMP\\" \\"$_RULES_TMP\\"" EXIT
-curl -sS "\${GATEWAY_URL}/api/v1/cli/me" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_ME_TMP" &
-_ME_PID=$!
-curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_RULES_TMP" &
-_RULES_PID=$!
-wait $_ME_PID 2>/dev/null; wait $_RULES_PID 2>/dev/null
-
-ME_RESP=$(cat "$_ME_TMP" 2>/dev/null || echo "")
-SYNKRO_INFERENCE_TIER=$(echo "$ME_RESP" | jq -r '.tier // empty' 2>/dev/null)
-SYNKRO_CAPTURE_DEPTH=$(echo "$ME_RESP" | jq -r '.capture_depth // empty' 2>/dev/null)
+# Single fetch: /cli/hook-context returns me + rules in one call.
+HOOK_CTX=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/hook-context" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
+SYNKRO_INFERENCE_TIER=$(echo "$HOOK_CTX" | jq -r '.tier // empty' 2>/dev/null)
+SYNKRO_CAPTURE_DEPTH=$(echo "$HOOK_CTX" | jq -r '.capture_depth // empty' 2>/dev/null)
 SYNKRO_INFERENCE_TIER="\${SYNKRO_INFERENCE_TIER:-fast}"
 SYNKRO_CAPTURE_DEPTH="\${SYNKRO_CAPTURE_DEPTH:-local_only}"
 
 if synkro_channel_up || { [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; }; then
   RULES_CACHE="$HOME/.synkro/.rules-cache-edit"
   RULES_JQ='[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id, text, severity, category, mode}]'
-  ORG_RULES=$(jq -c "$RULES_JQ" "$_RULES_TMP" 2>/dev/null || echo "[]")
+  ORG_RULES=$(echo "$HOOK_CTX" | jq -c "$RULES_JQ" 2>/dev/null || echo "[]")
   if [ -n "$ORG_RULES" ] && [ "$ORG_RULES" != "null" ] && [ "$ORG_RULES" != "[]" ]; then
     printf '%s' "$ORG_RULES" > "$RULES_CACHE" 2>/dev/null || true
   elif [ -f "$RULES_CACHE" ]; then
@@ -1658,25 +1640,16 @@ if [ -n "$SESSION_ID" ] && [ -n "$TOOL_USE_ID" ]; then
   ) &
 fi
 
-# Parallel fetch: /cli/me + rules in background, wait for both.
-_ME_TMP=$(mktemp -t synkro-me.XXXXXX)
-_RULES_TMP=$(mktemp -t synkro-rules.XXXXXX)
-trap "rm -f \\"$_ME_TMP\\" \\"$_RULES_TMP\\"" EXIT
-curl -sS "\${GATEWAY_URL}/api/v1/cli/me" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_ME_TMP" &
-_ME_PID=$!
-curl -sS "\${GATEWAY_URL}/api/v1/cli/pr-rules" -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null > "$_RULES_TMP" &
-_RULES_PID=$!
-wait $_ME_PID 2>/dev/null; wait $_RULES_PID 2>/dev/null
-
-ME_RESP=$(cat "$_ME_TMP" 2>/dev/null || echo "")
-SYNKRO_INFERENCE_TIER=$(echo "$ME_RESP" | jq -r '.tier // empty' 2>/dev/null)
-SYNKRO_CAPTURE_DEPTH=$(echo "$ME_RESP" | jq -r '.capture_depth // empty' 2>/dev/null)
+# Single fetch: /cli/hook-context returns me + rules in one call.
+HOOK_CTX=$(curl -sS "\${GATEWAY_URL}/api/v1/cli/hook-context" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
+SYNKRO_INFERENCE_TIER=$(echo "$HOOK_CTX" | jq -r '.tier // empty' 2>/dev/null)
+SYNKRO_CAPTURE_DEPTH=$(echo "$HOOK_CTX" | jq -r '.capture_depth // empty' 2>/dev/null)
 SYNKRO_INFERENCE_TIER="\${SYNKRO_INFERENCE_TIER:-fast}"
 SYNKRO_CAPTURE_DEPTH="\${SYNKRO_CAPTURE_DEPTH:-local_only}"
 
 if synkro_channel_up || { [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v claude >/dev/null 2>&1; }; then
   RULES_CACHE="$HOME/.synkro/.rules-cache-edit-capture"
-  ORG_RULES=$(jq -c '[.rules[]? | select(.hook_stage == "post" or .hook_stage == "both" or .hook_stage == null) | {rule_id, text, severity, category}]' "$_RULES_TMP" 2>/dev/null || echo "[]")
+  ORG_RULES=$(echo "$HOOK_CTX" | jq -c '[.rules[]? | select(.hook_stage == "post" or .hook_stage == "both" or .hook_stage == null) | {rule_id, text, severity, category}]' 2>/dev/null || echo "[]")
   if [ -n "$ORG_RULES" ] && [ "$ORG_RULES" != "null" ] && [ "$ORG_RULES" != "[]" ]; then
     printf '%s' "$ORG_RULES" > "$RULES_CACHE" 2>/dev/null || true
   elif [ -f "$RULES_CACHE" ]; then
@@ -1684,9 +1657,9 @@ if synkro_channel_up || { [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v cl
   fi
   if [ -z "$ORG_RULES" ] || [ "$ORG_RULES" = "null" ]; then ORG_RULES="[]"; fi
 
-  # Extract CVE config from rules response (allowlist + min_severity)
-  CVE_ALLOWLIST=$(echo "$RULES_RESP" | jq -c '.cve_config.allowlist // []' 2>/dev/null || echo "[]")
-  CVE_MIN_SEVERITY=$(echo "$RULES_RESP" | jq '.cve_config.min_severity // null' 2>/dev/null || echo "null")
+  # Extract CVE config from hook-context response (allowlist + min_severity)
+  CVE_ALLOWLIST=$(echo "$HOOK_CTX" | jq -c '.cve_config.allowlist // []' 2>/dev/null || echo "[]")
+  CVE_MIN_SEVERITY=$(echo "$HOOK_CTX" | jq '.cve_config.min_severity // null' 2>/dev/null || echo "null")
 
   # CVE scan \u2014 runs server-side in parallel with local LLM grading
   CVE_RESULT_FILE=$(mktemp -t synkro-cve.XXXXXX)
@@ -1726,8 +1699,31 @@ if synkro_channel_up || { [ "$SYNKRO_INFERENCE_TIER" = "free" ] && command -v cl
   CVE_TEXT=""
   CVE_FINDINGS_JSON="[]"
   if [ -s "$CVE_RESULT_FILE" ]; then
-    CVE_TEXT=$(jq -r '.summary // empty' "$CVE_RESULT_FILE" 2>/dev/null || echo "")
-    CVE_FINDINGS_JSON=$(jq -c '[.findings[]? | {package: .package, version: .version, cve: .id, severity: .severity, score: .score}]' "$CVE_RESULT_FILE" 2>/dev/null || echo "[]")
+    # Only flag CVEs for packages introduced by THIS edit, not pre-existing imports.
+    # Extract new_string from the diff \u2014 if the import existed in old_string too, skip it.
+    EDIT_NEW=$(echo "$DIFF_FIELD" | jq -r '.new_string // empty' 2>/dev/null)
+    EDIT_OLD=$(echo "$DIFF_FIELD" | jq -r '.old_string // empty' 2>/dev/null)
+    if [ -n "$EDIT_NEW" ] && [ "$DIFF_FIELD" != "null" ]; then
+      CVE_FINDINGS_JSON=$(jq -c --arg new_s "$EDIT_NEW" --arg old_s "$EDIT_OLD" '
+        [.findings[]? | . as $f |
+          select(
+            ($new_s | test($f.package; "i")) and
+            (($old_s | length) == 0 or ($old_s | test($f.package; "i") | not))
+          ) | {package, version, cve: .id, severity, score}]
+      ' "$CVE_RESULT_FILE" 2>/dev/null || echo "[]")
+    else
+      CVE_FINDINGS_JSON=$(jq -c '[.findings[]? | {package: .package, version: .version, cve: .id, severity: .severity, score: .score}]' "$CVE_RESULT_FILE" 2>/dev/null || echo "[]")
+    fi
+    # Regenerate summary from filtered findings only
+    if [ "$CVE_FINDINGS_JSON" != "[]" ] && [ -n "$CVE_FINDINGS_JSON" ]; then
+      CVE_TEXT=$(echo "$CVE_FINDINGS_JSON" | jq -r '
+        group_by(.package) | map(
+          (.[0].package) + " (" + (length | tostring) + " CVEs, max CVSS " +
+          ([.[].score // 0] | max | tostring) + ": " +
+          ([.[].cve] | join(", ")) + ")"
+        ) | join("; ")
+      ' 2>/dev/null || echo "")
+    fi
   fi
 
   # Wrapper extraction (greedy \u2014 tolerates nested XML tags).
@@ -4837,7 +4833,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.12")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.13")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -5215,10 +5211,19 @@ async function installCommand(opts = {}) {
       console.log(`Local-CC pueue task: id=${t.id} status=${t.status}`);
       console.log("Waiting for channel...");
       const ready = await waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST);
-      if (ready) console.log(`  channel ready at ${CHANNEL_HOST}:${CHANNEL_PORT}
-`);
-      else console.warn(`  \u26A0 channel did not come up within 60s \u2014 check \`synkro local-cc logs\`
+      if (ready) {
+        console.log(`  channel ready at ${CHANNEL_HOST}:${CHANNEL_PORT}`);
+        try {
+          console.log("  warming up inference...");
+          await submitToChannel("grade-bash", "Proposed command: echo hello\nUser intent: warmup\nRecent user messages: []\nRecent actions: []\nOrg rules: []\n", { timeoutMs: 3e4 });
+          console.log("  inference warm\n");
+        } catch {
+          console.log("  warmup skipped (non-fatal)\n");
+        }
+      } else {
+        console.warn(`  \u26A0 channel did not come up within 60s \u2014 check \`synkro local-cc logs\`
 `);
+      }
     } catch (err) {
       console.warn(`  \u26A0 Local-CC setup skipped: ${err.message}`);
       console.warn("    Install pueue, tmux, and claude, then re-run install.\n");