npm - @synkro-sh/cli - Versions diffs - 1.4.40 → 1.4.42 - Mend

@synkro-sh/cli 1.4.40 → 1.4.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -170,6 +170,17 @@ function installCCHooks(settingsPath, config) {
     ],
     [SYNKRO_MARKER]: true
   });
+  settings.hooks.PostToolUse.push({
+    matcher: "Edit|Write|MultiEdit|NotebookEdit",
+    hooks: [
+      {
+        type: "command",
+        command: config.cveScanScriptPath,
+        timeout: 10
+      }
+    ],
+    [SYNKRO_MARKER]: true
+  });
   settings.hooks.PostToolUse.push({
     matcher: "Bash",
     hooks: [
@@ -441,7 +452,7 @@ var init_mcpConfig = __esm({
 });
 // cli/installer/hookScripts.ts
-var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT;
+var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_CVE_SCAN_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT;
 var init_hookScripts = __esm({
   "cli/installer/hookScripts.ts"() {
     "use strict";
@@ -520,11 +531,13 @@ synkro_load_config() {
   SYNKRO_RULES=$(echo "$resp" | jq -c '[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
 }
-# Build the tag prefix for system messages: [synkro] or [synkro:PolicyName] or [synkro:silent]
+# Build the tag prefix: [synkro:route:ruleset] or [synkro:silent]
+# Accepts optional $1 = route override; otherwise calls synkro_route().
 synkro_tag() {
   if [ "$SYNKRO_SILENT" = "true" ]; then echo "[synkro:silent]"; return; fi
-  if [ -n "\${SYNKRO_POLICY_NAME:-}" ]; then echo "[synkro:\${SYNKRO_POLICY_NAME}]"; return; fi
-  echo "[synkro]"
+  local route="\${1:-$(synkro_route)}"
+  local rs="\${SYNKRO_POLICY_NAME:-all}"
+  echo "[synkro:\${route}:\${rs}]"
 }
 # Decide routing: "local" (grade on device) or "cloud" (POST to server)
@@ -750,15 +763,14 @@ IS_HEADLESS="\${SYNKRO_HEADLESS:-0}"
 case "$PERMISSION_MODE" in acceptEdits|bypassPermissions|plan|auto) IS_HEADLESS="1" ;; esac
 synkro_load_config
-TAG=$(synkro_tag)
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
 if [ "$SYNKRO_SILENT" = "true" ]; then
   jq -n --arg m "$TAG bashGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
   exit 0
 fi
-ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-bash.XXXXXX)
@@ -946,15 +958,14 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
 fi
 synkro_load_config
-TAG=$(synkro_tag)
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
 if [ "$SYNKRO_SILENT" = "true" ]; then
   jq -n --arg m "$TAG editGuard \u2192 skipped (silent mode)" '{systemMessage: $m}'
   exit 0
 fi
-ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-edit.XXXXXX)
@@ -1113,14 +1124,13 @@ while [ "$_PKG_DIR" != "/" ]; do
 done
 synkro_load_config
-TAG=$(synkro_tag)
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
 if [ "$SYNKRO_SILENT" = "true" ]; then
   echo '{}'; exit 0
 fi
-ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local edit scan (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-escan.XXXXXX)
@@ -1214,7 +1224,12 @@ if [ -z "$PAYLOAD" ]; then echo '{}'; exit 0; fi
 TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
 if [ "$TOOL_NAME" != "ExitPlanMode" ]; then echo '{}'; exit 0; fi
-PLAN=$(echo "$PAYLOAD" | jq -r '.tool_input.plan // empty' 2>/dev/null)
+# ExitPlanMode's tool_input contains {allowedPrompts:[...]}, not plan content.
+# Read from the most recently modified plan file instead.
+PLANS_DIR="$HOME/.claude/plans"
+PLAN_FILE=$(ls -t "$PLANS_DIR"/*.md 2>/dev/null | head -1)
+if [ -z "$PLAN_FILE" ] || [ ! -f "$PLAN_FILE" ]; then echo '{}'; exit 0; fi
+PLAN=$(cat "$PLAN_FILE" 2>/dev/null)
 if [ -z "$PLAN" ] || [ \${#PLAN} -lt 20 ]; then echo '{}'; exit 0; fi
 SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
@@ -1224,16 +1239,24 @@ GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 PLAN_SHORT=$(printf '%s' "$PLAN" | head -c 80)
 synkro_log "planReview checking: $PLAN_SHORT..."
+# Write review verdict into the plan file so it survives ExitPlanMode rejection
+append_review_to_plan() {
+  local verdict="$1"
+  local tmp="\${PLAN_FILE}.synkro.tmp"
+  sed '/^<!-- synkro-plan-review -->$/,/^<!-- \\/synkro-plan-review -->$/d' "$PLAN_FILE" | sed -e :a -e '/^\\n*$/{$d;N;ba' -e '}' > "$tmp" 2>/dev/null
+  printf '\\n\\n<!-- synkro-plan-review -->\\n\\n---\\n\\n**Synkro Plan Review** \u2014 %s\\n\\n%s\\n\\n<!-- /synkro-plan-review -->\\n' "$(date '+%Y-%m-%d %H:%M')" "$verdict" >> "$tmp"
+  mv "$tmp" "$PLAN_FILE" 2>/dev/null
+}
 synkro_load_config
-TAG=$(synkro_tag)
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
 if [ "$SYNKRO_SILENT" = "true" ]; then
   jq -n --arg m "$TAG planReview \u2192 skipped (silent mode)" '{systemMessage: $m}'
   exit 0
 fi
-ROUTE=$(synkro_route)
 if [ "$ROUTE" = "local" ]; then
   GRADER_FILE=$(mktemp -t synkro-plan.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
@@ -1252,11 +1275,15 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     VCOUNT=$(printf '%s' "$CC_RESP" | grep -c '<violation>' 2>/dev/null || echo "0")
     [ "$VCOUNT" = "0" ] && VCOUNT="1"
-    MSG="$TAG planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    REVIEW_MSG="\${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    append_review_to_plan "\u26A0\uFE0F Advisory \u2014 $REVIEW_MSG"
+    MSG="$TAG planReview \u2192 $REVIEW_MSG"
     jq -n --arg m "$MSG" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "advisory" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$PLAN_VIOLATED" "[]"
   else
+    REVIEW_MSG="Clean \u2014 \${LOCAL_REASON:-no relevant org rules for this plan}"
+    append_review_to_plan "\u2705 $REVIEW_MSG"
     jq -n --arg m "$TAG planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "clean" "audit" "\${LOCAL_CAT:-general}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
@@ -1298,8 +1325,11 @@ fi
 HR=$(echo "$RESP" | jq -c '.hook_response')
 if echo "$HR" | jq -e '.hookSpecificOutput.permissionDecision' >/dev/null 2>&1; then
   REASON=$(echo "$HR" | jq -r '.hookSpecificOutput.permissionDecisionReason // "check org rules"' 2>/dev/null)
+  append_review_to_plan "\u26A0\uFE0F Advisory \u2014 $REASON"
   jq -n --arg m "$TAG planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
 else
+  CLOUD_MSG=$(echo "$HR" | jq -r '.systemMessage // empty' 2>/dev/null)
+  [ -n "$CLOUD_MSG" ] && append_review_to_plan "\u2705 $CLOUD_MSG"
   echo "$HR"
 fi
 exit 0
@@ -1402,12 +1432,12 @@ if [ -n "$JWT" ]; then
   fi
 fi
-TAG=$(synkro_tag)
 if (exec 3<>/dev/tcp/127.0.0.1/"$SYNKRO_PORT") 2>/dev/null; then
   exec 3<&- 3>&- 2>/dev/null || true
+  TAG=$(synkro_tag "local")
   ROUTE_LINE="$TAG inference: local-cc (channel reachable on 127.0.0.1:$SYNKRO_PORT)"
 else
+  TAG=$(synkro_tag "cloud")
   ROUTE_LINE="$TAG inference: cloud (local-cc channel not reachable)"
 fi
@@ -1480,6 +1510,77 @@ curl -sS -X POST "\${GATEWAY_URL}/api/v1/hook/capture" \\
 echo '{}'
 exit 0
+`;
+    CC_CVE_SCAN_SCRIPT = `#!/bin/bash
+SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+. "$SCRIPT_DIR/_synkro-common.sh"
+JWT=$(synkro_load_jwt)
+if [ -z "$JWT" ]; then echo '{}'; exit 0; fi
+synkro_ensure_fresh_jwt
+PAYLOAD=$(cat)
+if [ -z "$PAYLOAD" ]; then echo '{}'; exit 0; fi
+TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
+case "$TOOL_NAME" in Edit|Write|MultiEdit|NotebookEdit) ;; *) echo '{}'; exit 0 ;; esac
+TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
+CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .notebook_path // .path // empty' 2>/dev/null)
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then echo '{}'; exit 0; fi
+FILE_CONTENT=$(head -c 65536 "$FILE_PATH" 2>/dev/null || echo "")
+if [ -z "$FILE_CONTENT" ]; then echo '{}'; exit 0; fi
+DEPS_JSON="{}"
+_PKG_DIR=$(dirname "$FILE_PATH")
+while [ "$_PKG_DIR" != "/" ]; do
+  if [ -f "$_PKG_DIR/package.json" ]; then
+    DEPS_JSON=$(jq -c '(.dependencies // {}) + (.devDependencies // {})' "$_PKG_DIR/package.json" 2>/dev/null || echo "{}")
+    break
+  fi
+  _PKG_DIR=$(dirname "$_PKG_DIR")
+done
+synkro_load_config
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
+BASENAME=$(basename "$FILE_PATH")
+BODY=$(jq -n --arg fp "$FILE_PATH" --arg c "$FILE_CONTENT" --argjson deps "$DEPS_JSON" \\
+  '{file_path:$fp, content:$c, dependencies:$deps}')
+RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/cve-scan" \\
+  -H "Content-Type: application/json" -H "Authorization: Bearer $JWT" \\
+  -d "$BODY" --max-time 6 2>/dev/null || echo "")
+if [ -z "$RESP" ] || ! echo "$RESP" | jq -e 'type == "object"' >/dev/null 2>&1; then
+  echo '{}'; exit 0
+fi
+CVE_COUNT=$(echo "$RESP" | jq -r '.findings | length' 2>/dev/null || echo "0")
+if [ "$CVE_COUNT" -gt 0 ] 2>/dev/null; then
+  CVE_CRIT=$(echo "$RESP" | jq '[.findings[] | select((.severity | tonumber? // 0) >= 7.0)] | length' 2>/dev/null || echo "0")
+  CRIT_PKGS=$(echo "$RESP" | jq -r '[.findings[] | select((.severity | tonumber? // 0) >= 7.0) | .package] | unique | .[:3] | join(", ")' 2>/dev/null || echo "")
+  ALL_PKGS=$(echo "$RESP" | jq -r '[.findings[].package] | unique | .[:3] | join(", ")' 2>/dev/null || echo "")
+  ALL_TOTAL=$(echo "$RESP" | jq -r '[.findings[].package] | unique | length' 2>/dev/null || echo "0")
+  [ "$CVE_COUNT" = "1" ] && LABEL="advisory" || LABEL="advisories"
+  if [ "$CVE_CRIT" -gt 0 ]; then
+    [ "$ALL_TOTAL" -gt 3 ] && CRIT_PKGS="\${CRIT_PKGS}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cveScan] \${CVE_COUNT} \${LABEL}, \${CVE_CRIT} critical/high (\${CRIT_PKGS})" '{systemMessage: $m}'
+  else
+    [ "$ALL_TOTAL" -gt 3 ] && ALL_PKGS="\${ALL_PKGS}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cveScan] \${CVE_COUNT} \${LABEL} (\${ALL_PKGS})" '{systemMessage: $m}'
+  fi
+else
+  jq -n --arg m "[synkro:\${ROUTE}:cveScan] clean" '{systemMessage: $m}'
+fi
+exit 0
 `;
     CC_TRANSCRIPT_SYNC_SCRIPT = `#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
@@ -1602,7 +1703,9 @@ CMD_SHORT=$(printf '%s' "$COMMAND" | head -c 80)
 synkro_log "bashGuard checking: $CMD_SHORT"
 synkro_load_config
-if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  echo '{}'; exit 0
+fi
 BODY=$(jq -n \\
   --arg cmd "$COMMAND" \\
@@ -1658,7 +1761,9 @@ BASENAME=$(basename "$FILE_PATH" 2>/dev/null || echo "$FILE_PATH")
 synkro_log "editGuard checking: $BASENAME"
 synkro_load_config
-if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
+if [ "$SYNKRO_SILENT" = "true" ]; then
+  echo '{}'; exit 0
+fi
 BODY=$(jq -n \\
   --arg file_path "$FILE_PATH" \\
@@ -3906,6 +4011,7 @@ function writeHookScripts() {
   const bashFollowupScriptPath = join11(HOOKS_DIR, "cc-bash-followup.sh");
   const editCaptureScriptPath = join11(HOOKS_DIR, "cc-edit-capture.sh");
   const editPrecheckScriptPath = join11(HOOKS_DIR, "cc-edit-precheck.sh");
+  const cveScanScriptPath = join11(HOOKS_DIR, "cc-cve-scan.sh");
   const planJudgeScriptPath = join11(HOOKS_DIR, "cc-plan-judge.sh");
   const stopSummaryScriptPath = join11(HOOKS_DIR, "cc-stop-summary.sh");
   const sessionStartScriptPath = join11(HOOKS_DIR, "cc-session-start.sh");
@@ -3919,6 +4025,7 @@ function writeHookScripts() {
   writeFileSync7(bashFollowupScriptPath, CC_BASH_FOLLOWUP_SCRIPT, "utf-8");
   writeFileSync7(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
   writeFileSync7(editPrecheckScriptPath, CC_EDIT_PRECHECK_SCRIPT, "utf-8");
+  writeFileSync7(cveScanScriptPath, CC_CVE_SCAN_SCRIPT, "utf-8");
   writeFileSync7(planJudgeScriptPath, CC_PLAN_JUDGE_SCRIPT, "utf-8");
   writeFileSync7(stopSummaryScriptPath, CC_STOP_SUMMARY_SCRIPT, "utf-8");
   writeFileSync7(sessionStartScriptPath, CC_SESSION_START_SCRIPT, "utf-8");
@@ -3932,6 +4039,7 @@ function writeHookScripts() {
   chmodSync2(bashFollowupScriptPath, 493);
   chmodSync2(editCaptureScriptPath, 493);
   chmodSync2(editPrecheckScriptPath, 493);
+  chmodSync2(cveScanScriptPath, 493);
   chmodSync2(planJudgeScriptPath, 493);
   chmodSync2(stopSummaryScriptPath, 493);
   chmodSync2(sessionStartScriptPath, 493);
@@ -3946,6 +4054,7 @@ function writeHookScripts() {
     bashFollowupScript: bashFollowupScriptPath,
     editCaptureScript: editCaptureScriptPath,
     editPrecheckScript: editPrecheckScriptPath,
+    cveScanScript: cveScanScriptPath,
     planJudgeScript: planJudgeScriptPath,
     stopSummaryScript: stopSummaryScriptPath,
     sessionStartScript: sessionStartScriptPath,
@@ -3985,7 +4094,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.40")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.42")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -4288,6 +4397,7 @@ async function installCommand(opts = {}) {
         bashFollowupScriptPath: scripts.bashFollowupScript,
         editCaptureScriptPath: scripts.editCaptureScript,
         editPrecheckScriptPath: scripts.editPrecheckScript,
+        cveScanScriptPath: scripts.cveScanScript,
         planJudgeScriptPath: scripts.planJudgeScript,
         stopSummaryScriptPath: scripts.stopSummaryScript,
         sessionStartScriptPath: scripts.sessionStartScript,