npm - @synkro-sh/cli - Versions diffs - 1.4.37 → 1.4.39 - Mend

@synkro-sh/cli 1.4.37 → 1.4.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -508,16 +508,25 @@ synkro_channel_up() {
   (exec 3<>/dev/tcp/127.0.0.1/\${SYNKRO_CHANNEL_PORT:-8929}) 2>/dev/null && exec 3<&- 3>&-
 }
-# Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES.
+# Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES, SYNKRO_SILENT, SYNKRO_POLICY_NAME.
 synkro_load_config() {
   local resp
   resp=$(curl -sS "\${GATEWAY_URL}/api/v1/hook/config\${1:+?$1}" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
   if [ -z "$resp" ]; then return; fi
   SYNKRO_CAPTURE_DEPTH=$(echo "$resp" | jq -r '.capture_depth // "local_only"' 2>/dev/null)
   SYNKRO_TIER=$(echo "$resp" | jq -r '.tier // "standard"' 2>/dev/null)
+  SYNKRO_SILENT=$(echo "$resp" | jq -r '.silent_mode // false' 2>/dev/null)
+  SYNKRO_POLICY_NAME=$(echo "$resp" | jq -r '.active_policy_name // empty' 2>/dev/null)
   SYNKRO_RULES=$(echo "$resp" | jq -c '[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
 }
+# Build the tag prefix for system messages: [synkro] or [synkro:PolicyName] or [synkro:silent]
+synkro_tag() {
+  if [ "$SYNKRO_SILENT" = "true" ]; then echo "[synkro:silent]"; return; fi
+  if [ -n "\${SYNKRO_POLICY_NAME:-}" ]; then echo "[synkro:\${SYNKRO_POLICY_NAME}]"; return; fi
+  echo "[synkro]"
+}
 # Decide routing: "local" (grade on device) or "cloud" (POST to server)
 synkro_route() {
   [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && echo "local" && return
@@ -645,6 +654,8 @@ synkro_rule_mode() {
 SYNKRO_CONSENT_FILE="$HOME/.synkro/.local-consent"
+_TAB=$(printf '\\t')
 synkro_consent_grant() {
   local sid="$1" hash="$2"
   printf '%s\\t%s\\tactive\\n' "$sid" "$hash" >> "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
@@ -652,26 +663,28 @@ synkro_consent_grant() {
 synkro_consent_has_active() {
   local sid="$1" hash="$2"
-  grep -q "^$sid\\\\t$hash\\\\tactive$" "$SYNKRO_CONSENT_FILE" 2>/dev/null
+  grep -q "^\${sid}\${_TAB}\${hash}\${_TAB}active$" "$SYNKRO_CONSENT_FILE" 2>/dev/null
 }
 synkro_consent_consume() {
   local sid="$1" hash="$2"
   [ ! -f "$SYNKRO_CONSENT_FILE" ] && return
   local tmp="\${SYNKRO_CONSENT_FILE}.tmp"
-  sed "s/^$sid\\\\t$hash\\\\tactive$/$sid\\t$hash\\tconsumed/" "$SYNKRO_CONSENT_FILE" > "$tmp" 2>/dev/null && mv "$tmp" "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
+  local pat="\${sid}\${_TAB}\${hash}\${_TAB}active"
+  local rep="\${sid}\${_TAB}\${hash}\${_TAB}consumed"
+  awk -v p="$pat" -v r="$rep" '{if($0==p)print r;else print}' "$SYNKRO_CONSENT_FILE" > "$tmp" 2>/dev/null && mv "$tmp" "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
 }
 synkro_consent_has_consumed() {
   local sid="$1" hash="$2"
-  grep -q "^$sid\\\\t$hash\\\\tconsumed$" "$SYNKRO_CONSENT_FILE" 2>/dev/null
+  grep -q "^\${sid}\${_TAB}\${hash}\${_TAB}consumed$" "$SYNKRO_CONSENT_FILE" 2>/dev/null
 }
 synkro_consent_clear_consumed() {
   local sid="$1" hash="$2"
   [ ! -f "$SYNKRO_CONSENT_FILE" ] && return
   local tmp="\${SYNKRO_CONSENT_FILE}.tmp"
-  grep -v "^$sid\\\\t$hash\\\\tconsumed$" "$SYNKRO_CONSENT_FILE" > "$tmp" 2>/dev/null && mv "$tmp" "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
+  grep -v "^\${sid}\${_TAB}\${hash}\${_TAB}consumed$" "$SYNKRO_CONSENT_FILE" > "$tmp" 2>/dev/null && mv "$tmp" "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
 }
 synkro_post_with_retry() {
@@ -737,17 +750,24 @@ IS_HEADLESS="\${SYNKRO_HEADLESS:-0}"
 case "$PERMISSION_MODE" in acceptEdits|bypassPermissions|plan|auto) IS_HEADLESS="1" ;; esac
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG bashGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-bash.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'Command: %s\\nUser intent: %s\\nOrg rules: %s\\n' "$COMMAND" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nCommand: %s\\nUser intent: %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$COMMAND" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
   CC_RESP=$(synkro_local_grade bash < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    jq -n --arg m "[synkro:local] bashGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
+    jq -n --arg m "$TAG bashGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
     exit 0
   fi
   synkro_parse_local_verdict "$CC_RESP"
@@ -759,31 +779,20 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] bashGuard \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG bashGuard \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "bash" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
     else
-      CMD_HASH=$(printf '%s' "$COMMAND" | shasum -a 256 | cut -c1-16)
-      if [ -n "$SESSION_ID" ] && synkro_consent_has_active "$SESSION_ID" "$CMD_HASH"; then
-        REASON="[synkro:local] bashGuard \u2192 pass (consented retry): \${LOCAL_REASON:-retrying previously consented command}"
-        jq -n --arg m "$REASON" '{systemMessage: $m}'
-        synkro_dispatch_capture "bash" "pass" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
-          "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
-      else
-        if [ -n "$SESSION_ID" ] && synkro_consent_has_consumed "$SESSION_ID" "$CMD_HASH"; then
-          synkro_consent_clear_consumed "$SESSION_ID" "$CMD_HASH"
-        fi
-        if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
-        REASON="[synkro:local] bashGuard \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
-        jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
-          '{systemMessage:$reason,hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
-        synkro_dispatch_capture "bash" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
-          "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
-      fi
+      if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
+      REASON="$TAG bashGuard \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
+        '{systemMessage:$reason,hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
+      synkro_dispatch_capture "bash" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
+        "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "\${RECENT_USER_MESSAGES:-[]}"
     fi
   else
-    jq -n --arg m "[synkro:local] bashGuard \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG bashGuard \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "bash" "pass" "audit" "\${LOCAL_CAT:-trivial_utility}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$COMMAND" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "\${RECENT_USER_MESSAGES:-[]}"
   fi
@@ -938,17 +947,24 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
 fi
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG editGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-edit.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'File: %s\\nProposed content (first 4000 chars):\\n%s\\nUser intent: %s\\nOrg rules: %s\\n' "$FILE_PATH" "$(printf '%s' "$PROPOSED" | head -c 4000)" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nFile: %s\\nProposed content (first 4000 chars):\\n%s\\nUser intent: %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$FILE_PATH" "$(printf '%s' "$PROPOSED" | head -c 4000)" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
   CC_RESP=$(synkro_local_grade edit < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    jq -n --arg m "[synkro:local] editGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editGuard \u2192 pass: local grader unavailable (run synkro local-cc start)" '{systemMessage: $m}'
     exit 0
   fi
   synkro_parse_local_verdict "$CC_RESP"
@@ -961,20 +977,20 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] editGuard $FILE_SHORT \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editGuard $FILE_SHORT \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "edit" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "[]"
     else
       if [ "$IS_HEADLESS" = "1" ]; then DEC="deny"; else DEC="ask"; fi
-      REASON="[synkro:local] editGuard $FILE_SHORT \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editGuard $FILE_SHORT \u2192 block\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg dec "$DEC" --arg reason "$REASON" --arg ctx "$REASON" \\
         '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$dec,permissionDecisionReason:$reason,additionalContext:$ctx}}'
       synkro_dispatch_capture "edit" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$VIOLATED_JSON" "[]"
     fi
   else
-    jq -n --arg m "[synkro:local] editGuard $FILE_SHORT \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editGuard $FILE_SHORT \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "edit" "pass" "audit" "\${LOCAL_CAT:-trivial_edit}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$EDIT_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1099,13 +1115,19 @@ while [ "$_PKG_DIR" != "/" ]; do
 done
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  echo '{}'; exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local edit scan (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-escan.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'File: %s\\nContent (first 4000 chars):\\n%s\\nOrg rules: %s\\n' "$FILE_PATH" "$(printf '%s' "$FILE_CONTENT" | head -c 4000)" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nFile: %s\\nContent (first 4000 chars):\\n%s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$FILE_PATH" "$(printf '%s' "$FILE_CONTENT" | head -c 4000)" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
   CC_RESP=$(synkro_local_grade edit < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
@@ -1120,18 +1142,18 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     RULE_MODE="\${LOCAL_RULE_MODE:-$(synkro_rule_mode "\${LOCAL_RULE_ID}")}"
     if [ "$RULE_MODE" = "audit" ]; then
-      REASON="[synkro:local] editScan $BASENAME \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editScan $BASENAME \u2192 warning\${LOCAL_RULE_ID:+ ($LOCAL_RULE_ID)}: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m}'
       synkro_dispatch_capture "edit_scan" "warning" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$SCAN_VIOLATED" "[]"
     else
-      REASON="[synkro:local] editScan $BASENAME \u2192 block: \${LOCAL_REASON:-policy violation}"
+      REASON="$TAG editScan $BASENAME \u2192 block: \${LOCAL_REASON:-policy violation}"
       jq -n --arg m "$REASON" '{systemMessage: $m, additionalContext: $m}'
       synkro_dispatch_capture "edit_scan" "block" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
         "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$SCAN_VIOLATED" "[]"
     fi
   else
-    jq -n --arg m "[synkro:local] editScan $BASENAME \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG editScan $BASENAME \u2192 pass: \${LOCAL_REASON:-no policy violations detected}" '{systemMessage: $m}'
     synkro_dispatch_capture "edit_scan" "pass" "audit" "\${LOCAL_CAT:-trivial_edit}" "$TOOL_NAME" "$GIT_REPO" "$SESSION_ID" \\
       "$SCAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1205,12 +1227,19 @@ PLAN_SHORT=$(printf '%s' "$PLAN" | head -c 80)
 synkro_log "planReview checking: $PLAN_SHORT..."
 synkro_load_config
+TAG=$(synkro_tag)
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  jq -n --arg m "$TAG planReview \u2192 skipped (silent mode)" '{systemMessage: $m}'
+  exit 0
+fi
 ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   GRADER_FILE=$(mktemp -t synkro-plan.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'Plan:\\n%s\\nOrg rules: %s\\n' "$(printf '%s' "$PLAN" | head -c 8000)" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nPlan:\\n%s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$(printf '%s' "$PLAN" | head -c 8000)" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
   CC_RESP=$(synkro_local_grade plan < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
@@ -1225,12 +1254,12 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     VCOUNT=$(printf '%s' "$CC_RESP" | grep -c '<violation>' 2>/dev/null || echo "0")
     [ "$VCOUNT" = "0" ] && VCOUNT="1"
-    MSG="[synkro:local] planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    MSG="$TAG planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
     jq -n --arg m "$MSG" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "advisory" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$PLAN_VIOLATED" "[]"
   else
-    jq -n --arg m "[synkro:local] planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
+    jq -n --arg m "$TAG planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "clean" "audit" "\${LOCAL_CAT:-general}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
   fi
@@ -1271,7 +1300,7 @@ fi
 HR=$(echo "$RESP" | jq -c '.hook_response')
 if echo "$HR" | jq -e '.hookSpecificOutput.permissionDecision' >/dev/null 2>&1; then
   REASON=$(echo "$HR" | jq -r '.hookSpecificOutput.permissionDecisionReason // "check org rules"' 2>/dev/null)
-  jq -n --arg m "[synkro:cloud] planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
+  jq -n --arg m "$TAG planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
 else
   echo "$HR"
 fi
@@ -1339,10 +1368,12 @@ OPEN=$(echo "$RESP" | jq -r '.open // 0' 2>/dev/null)
 if [ "\${EDITS:-0}" = "0" ] || [ -z "$EDITS" ]; then echo '{}'; exit 0; fi
+synkro_load_config
+TAG=$(synkro_tag)
 if [ "\${FINDINGS:-0}" = "0" ] || [ -z "$FINDINGS" ]; then
-  SYS_MSG="[synkro] stop \u2192 0 issues across \${EDITS} edit(s), session complete"
+  SYS_MSG="$TAG stop \u2192 0 issues across \${EDITS} edit(s), session complete"
 else
-  SYS_MSG="[synkro] stop \u2192 \${FINDINGS} finding(s): \${AUTO_FIXED} auto-fixed, \${OPEN} open"
+  SYS_MSG="$TAG stop \u2192 \${FINDINGS} finding(s): \${AUTO_FIXED} auto-fixed, \${OPEN} open"
 fi
 jq -n --arg m "$SYS_MSG" '{systemMessage: $m}'
@@ -1356,11 +1387,30 @@ JWT=$(synkro_load_jwt)
 # Route preamble
 SYNKRO_PORT="\${SYNKRO_CHANNEL_PORT:-8929}"
+PAYLOAD=$(cat)
+CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
+GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
+RESP=""
+if [ -n "$JWT" ]; then
+  RESP=$(curl -sS -G "\${GATEWAY_URL}/api/v1/hook/config" \\
+    --data-urlencode "session_id=\${SESSION_ID:-}" \\
+    --data-urlencode "repo=\${GIT_REPO:-}" \\
+    -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null || echo "")
+  if [ -n "$RESP" ]; then
+    SYNKRO_SILENT=$(echo "$RESP" | jq -r '.silent_mode // false' 2>/dev/null)
+    SYNKRO_POLICY_NAME=$(echo "$RESP" | jq -r '.active_policy_name // empty' 2>/dev/null)
+  fi
+fi
+TAG=$(synkro_tag)
 if (exec 3<>/dev/tcp/127.0.0.1/"$SYNKRO_PORT") 2>/dev/null; then
   exec 3<&- 3>&- 2>/dev/null || true
-  ROUTE_LINE="[synkro] inference: local-cc (channel reachable on 127.0.0.1:$SYNKRO_PORT)"
+  ROUTE_LINE="$TAG inference: local-cc (channel reachable on 127.0.0.1:$SYNKRO_PORT)"
 else
-  ROUTE_LINE="[synkro] inference: cloud (local-cc channel not reachable)"
+  ROUTE_LINE="$TAG inference: cloud (local-cc channel not reachable)"
 fi
 if [ -z "$JWT" ]; then
@@ -1368,16 +1418,6 @@ if [ -z "$JWT" ]; then
   exit 0
 fi
-PAYLOAD=$(cat)
-CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
-SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
-GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
-RESP=$(curl -sS -G "\${GATEWAY_URL}/api/v1/hook/config" \\
-  --data-urlencode "session_id=\${SESSION_ID:-}" \\
-  --data-urlencode "repo=\${GIT_REPO:-}" \\
-  -H "Authorization: Bearer $JWT" --max-time 3 2>/dev/null || echo "")
 OPEN=0
 if [ -n "$RESP" ]; then
   OPEN=$(echo "$RESP" | jq -r '.session_context.open_findings // 0' 2>/dev/null)
@@ -1387,9 +1427,9 @@ if [ "$OPEN" = "0" ] || [ -z "$OPEN" ]; then
   jq -n --arg m "$ROUTE_LINE" '{systemMessage: $m}'
 else
   if [ "$OPEN" = "1" ]; then
-    SYS_MSG="$ROUTE_LINE"$'\\n'"[synkro] session start \u2192 1 open finding in this repo from a prior session."
+    SYS_MSG="$ROUTE_LINE"$'\\n'"$TAG session start \u2192 1 open finding in this repo from a prior session."
   else
-    SYS_MSG="$ROUTE_LINE"$'\\n'"[synkro] session start \u2192 \${OPEN} open findings in this repo from prior sessions."
+    SYS_MSG="$ROUTE_LINE"$'\\n'"$TAG session start \u2192 \${OPEN} open findings in this repo from prior sessions."
   fi
   jq -n --arg m "$SYS_MSG" '{systemMessage: $m}'
 fi
@@ -1425,6 +1465,7 @@ BODY=$(jq -n --arg sid "$SESSION_ID" --arg tid "$TOOL_USE_ID" \\
 # Local consent tracking: command ran = user consented
 # On success \u2192 consume (next attempt blocks fresh)
 # On failure \u2192 grant active (retry allowed)
+# Consent tracking: on success \u2192 consume (next run blocks fresh), on error \u2192 grant (retry allowed)
 if [ -n "$CMD_HASH" ] && [ -n "$SESSION_ID" ]; then
   if [ "$IS_ERROR" = "false" ]; then
     synkro_consent_consume "$SESSION_ID" "$CMD_HASH"
@@ -1459,7 +1500,7 @@ if [ -z "$SESSION_ID" ] || [ -z "$TRANSCRIPT_PATH" ] || [ ! -f "$TRANSCRIPT_PATH
 fi
 # Usage telemetry \u2014 last turn only (metadata, ungated by privacy/consent)
-_LAST_ASST=$(tail -20 "$TRANSCRIPT_PATH" 2>/dev/null | grep '"type":"assistant"' | tail -1)
+_LAST_ASST=$(grep '"type":"assistant"' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1)
 if [ -n "$_LAST_ASST" ]; then
   _CC_MODEL=$(echo "$_LAST_ASST" | jq -r '.message.model // empty' 2>/dev/null)
   _TI=$(echo "$_LAST_ASST" | jq -r '.message.usage.input_tokens // 0' 2>/dev/null)
@@ -1562,6 +1603,9 @@ GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 CMD_SHORT=$(printf '%s' "$COMMAND" | head -c 80)
 synkro_log "bashGuard checking: $CMD_SHORT"
+synkro_load_config
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
 BODY=$(jq -n \\
   --arg cmd "$COMMAND" \\
   --arg session_id "$SESSION_ID" \\
@@ -1615,6 +1659,9 @@ if [ -z "$FILE_PATH" ]; then echo '{}'; exit 0; fi
 BASENAME=$(basename "$FILE_PATH" 2>/dev/null || echo "$FILE_PATH")
 synkro_log "editGuard checking: $BASENAME"
+synkro_load_config
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
 BODY=$(jq -n \\
   --arg file_path "$FILE_PATH" \\
   --arg content "$CONTENT" \\
@@ -3940,7 +3987,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.37")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.39")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);