npm - @synkro-sh/cli - Versions diffs - 1.4.37 → 1.4.38 - Mend

@synkro-sh/cli 1.4.37 → 1.4.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -508,16 +508,25 @@ synkro_channel_up() {
   (exec 3<>/dev/tcp/127.0.0.1/\${SYNKRO_CHANNEL_PORT:-8929}) 2>/dev/null && exec 3<&- 3>&-
 }
-# Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES.
+# Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES, SYNKRO_SILENT, SYNKRO_POLICY_NAME.
 synkro_load_config() {
   local resp
   resp=$(curl -sS "\${GATEWAY_URL}/api/v1/hook/config\${1:+?$1}" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
   if [ -z "$resp" ]; then return; fi
   SYNKRO_CAPTURE_DEPTH=$(echo "$resp" | jq -r '.capture_depth // "local_only"' 2>/dev/null)
   SYNKRO_TIER=$(echo "$resp" | jq -r '.tier // "standard"' 2>/dev/null)
+  SYNKRO_SILENT=$(echo "$resp" | jq -r '.silent_mode // false' 2>/dev/null)
+  SYNKRO_POLICY_NAME=$(echo "$resp" | jq -r '.active_policy_name // empty' 2>/dev/null)
   SYNKRO_RULES=$(echo "$resp" | jq -c '[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
 }
+# Build the tag prefix for system messages: [synkro] or [synkro:PolicyName] or [synkro:silent]
+synkro_tag() {
+  if [ "$SYNKRO_SILENT" = "true" ]; then echo "[synkro:silent]"; return; fi
+  if [ -n "\${SYNKRO_POLICY_NAME:-}" ]; then echo "[synkro:\${SYNKRO_POLICY_NAME}]"; return; fi
+  echo "[synkro]"
+}
 # Decide routing: "local" (grade on device) or "cloud" (POST to server)
 synkro_route() {
   [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && echo "local" && return
@@ -737,6 +746,20 @@ IS_HEADLESS="\${SYNKRO_HEADLESS:-0}"
 case "$PERMISSION_MODE" in acceptEdits|bypassPermissions|plan|auto) IS_HEADLESS="1" ;; esac
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG bashGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
+# Pre-grade consent check: skip grading if user already approved this command in this session
+CMD_HASH=$(printf '%s' "$COMMAND" | shasum -a 256 | cut -c1-16)
+if [ -n "$SESSION_ID" ] && [ -n "$CMD_HASH" ] && synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
+  jq -n --arg m "$TAG bashGuard \u2192 pass (previously approved)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
@@ -747,7 +770,7 @@ if [ "$ROUTE" = "local" ]; then
   CC_RESP=$(synkro_local_grade bash < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    jq -n --arg m "[synkro:local] bashGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
+    jq -n --arg m "$TAG bashGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
     exit 0
   fi
   synkro_parse_local_verdict "$CC_RESP"
@@ -759,31 +782,20 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] bashGuard \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG bashGuard \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "bash" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
     else
-      CMD_HASH=$(printf '%s' "$COMMAND" | shasum -a 256 | cut -c1-16)
-      if [ -n "$SESSION_ID" ] && synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
-        REASON="[synkro:local] bashGuard \u2192 pass (consented retry): \${LOCAL_REASON:-retrying previously consented command}"
-        jq -n --arg m "$REASON" '{systemMessage: $m}'
-        synkro_dispatch_capture "bash" "pass" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
-          "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
-      else
-        if [ -n "$SESSION_ID" ] && synkro_consent_has_consumed "$SESSION_ID" "$CMD_HASH"; then
-          synkro_consent_clear_consumed "$SESSION_ID" "$CMD_HASH"
-        fi
-        if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
-        REASON="[synkro:local] bashGuard \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
-        jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
-          '{systemMessage:$reason,hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
-        synkro_dispatch_capture "bash" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
-          "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
-      fi
+      if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
+      REASON="$TAG bashGuard \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
+        '{systemMessage:$reason,hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
+      synkro_dispatch_capture "bash" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
+        "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
     fi
   else
-    jq -n --arg m "[synkro:local] bashGuard \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG bashGuard \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "bash" "pass" "audit" "\${LOCAL_CAT:-trivial_utility}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "\${RECENT_USER_MESSAGES:-[]}"
   fi
@@ -938,6 +950,13 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
 fi
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG editGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
@@ -948,7 +967,7 @@ if [ "$ROUTE" = "local" ]; then
   CC_RESP=$(synkro_local_grade edit < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    jq -n --arg m "[synkro:local] editGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
     exit 0
   fi
   synkro_parse_local_verdict "$CC_RESP"
@@ -961,20 +980,20 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] editGuard $FILE_SHORT \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editGuard $FILE_SHORT \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "edit" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "[]"
     else
       if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
-      REASON="[synkro:local] editGuard $FILE_SHORT \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editGuard $FILE_SHORT \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
         '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
       synkro_dispatch_capture "edit" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "[]"
     fi
   else
-    jq -n --arg m "[synkro:local] editGuard $FILE_SHORT \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editGuard $FILE_SHORT \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "edit" "pass" "audit" "\${LOCAL_CAT:-trivial_edit}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1099,6 +1118,12 @@ while [ "$_PKG_DIR" != "/" ]; do
 done
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  echo '{}'; exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
@@ -1120,18 +1145,18 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] editScan $BASENAME \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editScan $BASENAME \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "edit_scan" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$SCAN_VIOLATED" "[]"
     else
-      REASON="[synkro:local] editScan $BASENAME \u2192 block: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editScan $BASENAME \u2192 block: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m, additionalContext: $m}'
       synkro_dispatch_capture "edit_scan" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$SCAN_VIOLATED" "[]"
     fi
   else
-    jq -n --arg m "[synkro:local] editScan $BASENAME \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editScan $BASENAME \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "edit_scan" "pass" "audit" "\${LOCAL_CAT:-trivial_edit}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1205,6 +1230,13 @@ PLAN_SHORT=$(printf '%s' "$PLAN" | head -c 80)
 synkro_log "planReview checking: $PLAN_SHORT..."
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG planReview \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
@@ -1225,12 +1257,12 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     VCOUNT=$(printf '%s' "$CC_RESP" | grep -c '<violation>' 2>/dev/null || echo "0")
     [ "$VCOUNT" = "0" ] && VCOUNT="1"
-    MSG="[synkro:local] planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    MSG="$TAG planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
     jq -n --arg m "$MSG" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "advisory" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$PLAN_VIOLATED" "[]"
   else
-    jq -n --arg m "[synkro:local] planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "clean" "audit" "\${LOCAL_CAT:-general}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1271,7 +1303,7 @@ fi
 HR=$(echo "$RESP" | jq -c '.hook_response')
 if echo "$HR" | jq -e '.hookSpecificOutput.permissionDecision' >/dev/null 2>&1; then
   REASON=$(echo "$HR" | jq -r '.hookSpecificOutput.permissionDecisionReason // "check org rules"' 2>/dev/null)
-  jq -n --arg m "[synkro:cloud] planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
+  jq -n --arg m "$TAG planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
 else
   echo "$HR"
 fi
@@ -1339,10 +1371,12 @@ OPEN=$(echo "$RESP" | jq -r '.open // 0' 2>/dev/null)
 if [ "\${EDITS:-0}" = "0" ] || [ -z "$EDITS" ]; then echo '{}'; exit 0; fi
+synkro_load_config
+TAG=$(synkro_tag)
 if [ "\${FINDINGS:-0}" = "0" ] || [ -z "$FINDINGS" ]; then
-  SYS_MSG="[synkro] stop \u2192 0 issues across \${EDITS} edit(s), session complete"
+  SYS_MSG="$TAG stop \u2192 0 issues across \${EDITS} edit(s), session complete"
 else
-  SYS_MSG="[synkro] stop \u2192 \${FINDINGS} finding(s): \${AUTO_FIXED} auto-fixed, \${OPEN} open"
+  SYS_MSG="$TAG stop \u2192 \${FINDINGS} finding(s): \${AUTO_FIXED} auto-fixed, \${OPEN} open"
 fi
 jq -n --arg m "$SYS_MSG" '{systemMessage: $m}'
@@ -1356,11 +1390,30 @@ JWT=$(synkro_load_jwt)
 # Route preamble
 SYNKRO_PORT="\${SYNKRO_CHANNEL_PORT:-8929}"
+PAYLOAD=$(cat)
+CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
+GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
+RESP=""
+if [ -n "$JWT" ]; then
+  RESP=$(curl -sS -G "\${GATEWAY_URL}/api/v1/hook/config" \\
+    --data-urlencode "session_id=\${SESSION_ID:-}" \\
+    --data-urlencode "repo=\${GIT_REPO:-}" \\
+    -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null || echo "")
+  if [ -n "$RESP" ]; then
+    SYNKRO_SILENT=$(echo "$RESP" | jq -r '.silent_mode // false' 2>/dev/null)
+    SYNKRO_POLICY_NAME=$(echo "$RESP" | jq -r '.active_policy_name // empty' 2>/dev/null)
+  fi
+fi
+TAG=$(synkro_tag)
 if (exec 3<>/dev/tcp/127.0.0.1/"$SYNKRO_PORT") 2>/dev/null; then
   exec 3<&- 3>&- 2>/dev/null || true
-  ROUTE_LINE="[synkro] inference: local-cc (channel reachable on 127.0.0.1:$SYNKRO_PORT)"
+  ROUTE_LINE="$TAG inference: local-cc (channel reachable on 127.0.0.1:$SYNKRO_PORT)"
 else
-  ROUTE_LINE="[synkro] inference: cloud (local-cc channel not reachable)"
+  ROUTE_LINE="$TAG inference: cloud (local-cc channel not reachable)"
 fi
 if [ -z "$JWT" ]; then
@@ -1368,16 +1421,6 @@ if [ -z "$JWT" ]; then
   exit 0
 fi
-PAYLOAD=$(cat)
-CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
-SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
-GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
-RESP=$(curl -sS -G "\${GATEWAY_URL}/api/v1/hook/config" \\
-  --data-urlencode "session_id=\${SESSION_ID:-}" \\
-  --data-urlencode "repo=\${GIT_REPO:-}" \\
-  -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null || echo "")
 OPEN=0
 if [ -n "$RESP" ]; then
   OPEN=$(echo "$RESP" | jq -r '.session_context.open_findings // 0' 2>/dev/null)
@@ -1387,9 +1430,9 @@ if [ "$OPEN" = "0" ] || [ -z "$OPEN" ]; then
   jq -n --arg m "$ROUTE_LINE" '{systemMessage: $m}'
 else
   if [ "$OPEN" = "1" ]; then
-    SYS_MSG="$ROUTE_LINE"$'\\n'"[synkro] session start \u2192 1 open finding in this repo from a prior session."
+    SYS_MSG="$ROUTE_LINE"$'\\n'"$TAG session start \u2192 1 open finding in this repo from a prior session."
   else
-    SYS_MSG="$ROUTE_LINE"$'\\n'"[synkro] session start \u2192 \${OPEN} open findings in this repo from prior sessions."
+    SYS_MSG="$ROUTE_LINE"$'\\n'"$TAG session start \u2192 \${OPEN} open findings in this repo from prior sessions."
   fi
   jq -n --arg m "$SYS_MSG" '{systemMessage: $m}'
 fi
@@ -1425,13 +1468,10 @@ BODY=$(jq -n --arg sid "$SESSION_ID" --arg tid "$TOOL_USE_ID" \\
 # Local consent tracking: command ran = user consented
 # On success \u2192 consume (next attempt blocks fresh)
 # On failure \u2192 grant active (retry allowed)
+# Command ran (user approved it) \u2014 grant persistent consent for this session
 if [ -n "$CMD_HASH" ] && [ -n "$SESSION_ID" ]; then
-  if [ "$IS_ERROR" = "false" ]; then
-    synkro_consent_consume "$SESSION_ID" "$CMD_HASH"
-  else
-    if ! synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
-      synkro_consent_grant "$SESSION_ID" "$CMD_HASH"
-    fi
+  if ! synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
+    synkro_consent_grant "$SESSION_ID" "$CMD_HASH"
   fi
 fi
@@ -1459,7 +1499,7 @@ if [ -z "$SESSION_ID" ] || [ -z "$TRANSCRIPT_PATH" ] || [ ! -f "$TRANSCRIPT_PATH
 fi
 # Usage telemetry \u2014 last turn only (metadata, ungated by privacy/consent)
-_LAST_ASST=$(tail -20 "$TRANSCRIPT_PATH" 2>/dev/null | grep '"type":"assistant"' | tail -1)
+_LAST_ASST=$(grep '"type":"assistant"' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1)
 if [ -n "$_LAST_ASST" ]; then
   _CC_MODEL=$(echo "$_LAST_ASST" | jq -r '.message.model // empty' 2>/dev/null)
   _TI=$(echo "$_LAST_ASST" | jq -r '.message.usage.input_tokens // 0' 2>/dev/null)
@@ -1562,6 +1602,9 @@ GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 CMD_SHORT=$(printf '%s' "$COMMAND" | head -c 80)
 synkro_log "bashGuard checking: $CMD_SHORT"
+synkro_load_config
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
 BODY=$(jq -n \\
   --arg cmd "$COMMAND" \\
   --arg session_id "$SESSION_ID" \\
@@ -1615,6 +1658,9 @@ if [ -z "$FILE_PATH" ]; then echo '{}'; exit 0; fi
 BASENAME=$(basename "$FILE_PATH" 2>/dev/null || echo "$FILE_PATH")
 synkro_log "editGuard checking: $BASENAME"
+synkro_load_config
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
 BODY=$(jq -n \\
   --arg file_path "$FILE_PATH" \\
   --arg content "$CONTENT" \\
@@ -1722,12 +1768,8 @@ if [ -n "$CMD" ]; then
 fi
 if [ -n "$CMD_HASH" ] && [ -n "$SESSION_ID" ]; then
-  if [ "$IS_ERROR" = "false" ]; then
-    synkro_consent_consume "$SESSION_ID" "$CMD_HASH"
-  else
-    if ! synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
-      synkro_consent_grant "$SESSION_ID" "$CMD_HASH"
-    fi
+  if ! synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
+    synkro_consent_grant "$SESSION_ID" "$CMD_HASH"
   fi
 fi
@@ -3940,7 +3982,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.37")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.38")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);