npm - @synkro-sh/cli - Versions diffs - 1.4.41 → 1.4.43 - Mend

@synkro-sh/cli 1.4.41 → 1.4.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -170,6 +170,17 @@ function installCCHooks(settingsPath, config) {
     ],
     [SYNKRO_MARKER]: true
   });
+  settings.hooks.PostToolUse.push({
+    matcher: "Edit|Write|MultiEdit|NotebookEdit",
+    hooks: [
+      {
+        type: "command",
+        command: config.cveScanScriptPath,
+        timeout: 10
+      }
+    ],
+    [SYNKRO_MARKER]: true
+  });
   settings.hooks.PostToolUse.push({
     matcher: "Bash",
     hooks: [
@@ -441,7 +452,7 @@ var init_mcpConfig = __esm({
 });
 // cli/installer/hookScripts.ts
-var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT;
+var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_CVE_SCAN_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT;
 var init_hookScripts = __esm({
   "cli/installer/hookScripts.ts"() {
     "use strict";
@@ -557,7 +568,7 @@ synkro_local_grade() {
 # Sets LOCAL_OK, LOCAL_REASON, LOCAL_RULE_ID, LOCAL_RULE_MODE, LOCAL_SEV, LOCAL_CAT.
 synkro_parse_local_verdict() {
   local resp="$1"
-  LOCAL_OK="true"; LOCAL_REASON=""; LOCAL_RULE_ID=""; LOCAL_RULE_MODE=""; LOCAL_SEV="low"; LOCAL_CAT="general"
+  LOCAL_OK="true"; LOCAL_REASON=""; LOCAL_RULE_ID=""; LOCAL_RULE_MODE=""; LOCAL_SEV="low"; LOCAL_CAT="clean"
   local inner
   inner=$(printf '%s' "$resp" | tr '\\n' ' ' | sed -nE 's|.*<synkro-verdict>(.*)</synkro-verdict>.*|\\1|p' | tail -1)
   [ -z "$inner" ] && return
@@ -570,16 +581,16 @@ synkro_parse_local_verdict() {
     LOCAL_RULE_ID=$(printf '%s' "$inner" | sed -nE 's|.*<rule_id>(.*)</rule_id>.*|\\1|p' | head -1)
     LOCAL_RULE_MODE=$(printf '%s' "$inner" | sed -nE 's|.*<rule_mode>(.*)</rule_mode>.*|\\1|p' | head -1)
     LOCAL_SEV=$(printf '%s' "$inner" | sed -nE 's|.*<risk_level>(.*)</risk_level>.*|\\1|p' | head -1)
-    LOCAL_CAT=$(printf '%s' "$inner" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
     if [ -z "$LOCAL_RULE_ID" ]; then
       local fv
       fv=$(printf '%s' "$inner" | awk -v RS='</violation>' '/<violation>/{print; exit}')
       LOCAL_RULE_ID=$(printf '%s' "$fv" | sed -nE 's|.*<rule_id>(.*)</rule_id>.*|\\1|p' | head -1)
       [ -z "$LOCAL_REASON" ] && LOCAL_REASON=$(printf '%s' "$fv" | sed -nE 's|.*<reason>(.*)</reason>.*|\\1|p' | head -1)
       [ -z "$LOCAL_SEV" ] && LOCAL_SEV=$(printf '%s' "$fv" | sed -nE 's|.*<severity>(.*)</severity>.*|\\1|p' | head -1)
-      [ -z "$LOCAL_CAT" ] && LOCAL_CAT=$(printf '%s' "$fv" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
     fi
-    LOCAL_SEV="\${LOCAL_SEV:-high}"; LOCAL_CAT="\${LOCAL_CAT:-policy_violation}"
+    LOCAL_SEV="\${LOCAL_SEV:-high}"
+    LOCAL_CAT=$(printf '%s' "$inner" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
+    LOCAL_CAT="\${LOCAL_CAT:-uncategorized}"
     [ -z "$LOCAL_RULE_ID" ] && LOCAL_RULE_ID=$(printf '%s' "$LOCAL_REASON" | grep -oE '[Rr][0-9]{3}' | head -1)
   fi
 }
@@ -1213,7 +1224,12 @@ if [ -z "$PAYLOAD" ]; then echo '{}'; exit 0; fi
 TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
 if [ "$TOOL_NAME" != "ExitPlanMode" ]; then echo '{}'; exit 0; fi
-PLAN=$(echo "$PAYLOAD" | jq -r '.tool_input.plan // empty' 2>/dev/null)
+# ExitPlanMode's tool_input contains {allowedPrompts:[...]}, not plan content.
+# Read from the most recently modified plan file instead.
+PLANS_DIR="$HOME/.claude/plans"
+PLAN_FILE=$(ls -t "$PLANS_DIR"/*.md 2>/dev/null | head -1)
+if [ -z "$PLAN_FILE" ] || [ ! -f "$PLAN_FILE" ]; then echo '{}'; exit 0; fi
+PLAN=$(cat "$PLAN_FILE" 2>/dev/null)
 if [ -z "$PLAN" ] || [ \${#PLAN} -lt 20 ]; then echo '{}'; exit 0; fi
 SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
@@ -1223,6 +1239,15 @@ GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 PLAN_SHORT=$(printf '%s' "$PLAN" | head -c 80)
 synkro_log "planReview checking: $PLAN_SHORT..."
+# Write review verdict into the plan file so it survives ExitPlanMode rejection
+append_review_to_plan() {
+  local verdict="$1"
+  local tmp="\${PLAN_FILE}.synkro.tmp"
+  sed '/^<!-- synkro-plan-review -->$/,/^<!-- \\/synkro-plan-review -->$/d' "$PLAN_FILE" | sed -e :a -e '/^\\n*$/{$d;N;ba' -e '}' > "$tmp" 2>/dev/null
+  printf '\\n\\n<!-- synkro-plan-review -->\\n\\n---\\n\\n**Synkro Plan Review** \u2014 %s\\n\\n%s\\n\\n<!-- /synkro-plan-review -->\\n' "$(date '+%Y-%m-%d %H:%M')" "$verdict" >> "$tmp"
+  mv "$tmp" "$PLAN_FILE" 2>/dev/null
+}
 synkro_load_config
 ROUTE=$(synkro_route)
 TAG=$(synkro_tag "$ROUTE")
@@ -1250,11 +1275,15 @@ if [ "$ROUTE" = "local" ]; then
   if [ "$LOCAL_OK" = "false" ]; then
     VCOUNT=$(printf '%s' "$CC_RESP" | grep -c '<violation>' 2>/dev/null || echo "0")
     [ "$VCOUNT" = "0" ] && VCOUNT="1"
-    MSG="$TAG planReview \u2192 \${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    REVIEW_MSG="\${VCOUNT} rule(s) relevant\${LOCAL_RULE_ID:+ (first: $LOCAL_RULE_ID)}: \${LOCAL_REASON:-check org rules during implementation}"
+    append_review_to_plan "\u26A0\uFE0F Advisory \u2014 $REVIEW_MSG"
+    MSG="$TAG planReview \u2192 $REVIEW_MSG"
     jq -n --arg m "$MSG" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "advisory" "\${LOCAL_SEV}" "\${LOCAL_CAT}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "$PLAN_VIOLATED" "[]"
   else
+    REVIEW_MSG="Clean \u2014 \${LOCAL_REASON:-no relevant org rules for this plan}"
+    append_review_to_plan "\u2705 $REVIEW_MSG"
     jq -n --arg m "$TAG planReview \u2192 clean: \${LOCAL_REASON:-no relevant org rules for this plan}" '{systemMessage: $m}'
     synkro_dispatch_capture "plan_review" "clean" "audit" "\${LOCAL_CAT:-general}" "ExitPlanMode" "$GIT_REPO" "$SESSION_ID" \\
       "$PLAN_CONTENT" "$LOCAL_REASON" "\${SYNKRO_RULES:-[]}" "[]" "[]"
@@ -1296,8 +1325,11 @@ fi
 HR=$(echo "$RESP" | jq -c '.hook_response')
 if echo "$HR" | jq -e '.hookSpecificOutput.permissionDecision' >/dev/null 2>&1; then
   REASON=$(echo "$HR" | jq -r '.hookSpecificOutput.permissionDecisionReason // "check org rules"' 2>/dev/null)
+  append_review_to_plan "\u26A0\uFE0F Advisory \u2014 $REASON"
   jq -n --arg m "$TAG planReview \u2192 advisory: $REASON" '{systemMessage: $m}'
 else
+  CLOUD_MSG=$(echo "$HR" | jq -r '.systemMessage // empty' 2>/dev/null)
+  [ -n "$CLOUD_MSG" ] && append_review_to_plan "\u2705 $CLOUD_MSG"
   echo "$HR"
 fi
 exit 0
@@ -1478,6 +1510,77 @@ curl -sS -X POST "\${GATEWAY_URL}/api/v1/hook/capture" \\
 echo '{}'
 exit 0
+`;
+    CC_CVE_SCAN_SCRIPT = `#!/bin/bash
+SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+. "$SCRIPT_DIR/_synkro-common.sh"
+JWT=$(synkro_load_jwt)
+if [ -z "$JWT" ]; then echo '{}'; exit 0; fi
+synkro_ensure_fresh_jwt
+PAYLOAD=$(cat)
+if [ -z "$PAYLOAD" ]; then echo '{}'; exit 0; fi
+TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
+case "$TOOL_NAME" in Edit|Write|MultiEdit|NotebookEdit) ;; *) echo '{}'; exit 0 ;; esac
+TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
+CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .notebook_path // .path // empty' 2>/dev/null)
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then echo '{}'; exit 0; fi
+FILE_CONTENT=$(head -c 65536 "$FILE_PATH" 2>/dev/null || echo "")
+if [ -z "$FILE_CONTENT" ]; then echo '{}'; exit 0; fi
+DEPS_JSON="{}"
+_PKG_DIR=$(dirname "$FILE_PATH")
+while [ "$_PKG_DIR" != "/" ]; do
+  if [ -f "$_PKG_DIR/package.json" ]; then
+    DEPS_JSON=$(jq -c '(.dependencies // {}) + (.devDependencies // {})' "$_PKG_DIR/package.json" 2>/dev/null || echo "{}")
+    break
+  fi
+  _PKG_DIR=$(dirname "$_PKG_DIR")
+done
+synkro_load_config
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
+BASENAME=$(basename "$FILE_PATH")
+BODY=$(jq -n --arg fp "$FILE_PATH" --arg c "$FILE_CONTENT" --argjson deps "$DEPS_JSON" \\
+  '{file_path:$fp, content:$c, dependencies:$deps}')
+RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/cve-scan" \\
+  -H "Content-Type: application/json" -H "Authorization: Bearer $JWT" \\
+  -d "$BODY" --max-time 6 2>/dev/null || echo "")
+if [ -z "$RESP" ] || ! echo "$RESP" | jq -e 'type == "object"' >/dev/null 2>&1; then
+  echo '{}'; exit 0
+fi
+CVE_COUNT=$(echo "$RESP" | jq -r '.findings | length' 2>/dev/null || echo "0")
+if [ "$CVE_COUNT" -gt 0 ] 2>/dev/null; then
+  CVE_CRIT=$(echo "$RESP" | jq '[.findings[] | select((.severity | tonumber? // 0) >= 7.0)] | length' 2>/dev/null || echo "0")
+  CRIT_PKGS=$(echo "$RESP" | jq -r '[.findings[] | select((.severity | tonumber? // 0) >= 7.0) | .package] | unique | .[:3] | join(", ")' 2>/dev/null || echo "")
+  ALL_PKGS=$(echo "$RESP" | jq -r '[.findings[].package] | unique | .[:3] | join(", ")' 2>/dev/null || echo "")
+  ALL_TOTAL=$(echo "$RESP" | jq -r '[.findings[].package] | unique | length' 2>/dev/null || echo "0")
+  [ "$CVE_COUNT" = "1" ] && LABEL="advisory" || LABEL="advisories"
+  if [ "$CVE_CRIT" -gt 0 ]; then
+    [ "$ALL_TOTAL" -gt 3 ] && CRIT_PKGS="\${CRIT_PKGS}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cveScan] \${CVE_COUNT} \${LABEL}, \${CVE_CRIT} critical/high (\${CRIT_PKGS})" '{systemMessage: $m}'
+  else
+    [ "$ALL_TOTAL" -gt 3 ] && ALL_PKGS="\${ALL_PKGS}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cveScan] \${CVE_COUNT} \${LABEL} (\${ALL_PKGS})" '{systemMessage: $m}'
+  fi
+else
+  jq -n --arg m "[synkro:\${ROUTE}:cveScan] clean" '{systemMessage: $m}'
+fi
+exit 0
 `;
     CC_TRANSCRIPT_SYNC_SCRIPT = `#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
@@ -3908,6 +4011,7 @@ function writeHookScripts() {
   const bashFollowupScriptPath = join11(HOOKS_DIR, "cc-bash-followup.sh");
   const editCaptureScriptPath = join11(HOOKS_DIR, "cc-edit-capture.sh");
   const editPrecheckScriptPath = join11(HOOKS_DIR, "cc-edit-precheck.sh");
+  const cveScanScriptPath = join11(HOOKS_DIR, "cc-cve-scan.sh");
   const planJudgeScriptPath = join11(HOOKS_DIR, "cc-plan-judge.sh");
   const stopSummaryScriptPath = join11(HOOKS_DIR, "cc-stop-summary.sh");
   const sessionStartScriptPath = join11(HOOKS_DIR, "cc-session-start.sh");
@@ -3921,6 +4025,7 @@ function writeHookScripts() {
   writeFileSync7(bashFollowupScriptPath, CC_BASH_FOLLOWUP_SCRIPT, "utf-8");
   writeFileSync7(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
   writeFileSync7(editPrecheckScriptPath, CC_EDIT_PRECHECK_SCRIPT, "utf-8");
+  writeFileSync7(cveScanScriptPath, CC_CVE_SCAN_SCRIPT, "utf-8");
   writeFileSync7(planJudgeScriptPath, CC_PLAN_JUDGE_SCRIPT, "utf-8");
   writeFileSync7(stopSummaryScriptPath, CC_STOP_SUMMARY_SCRIPT, "utf-8");
   writeFileSync7(sessionStartScriptPath, CC_SESSION_START_SCRIPT, "utf-8");
@@ -3934,6 +4039,7 @@ function writeHookScripts() {
   chmodSync2(bashFollowupScriptPath, 493);
   chmodSync2(editCaptureScriptPath, 493);
   chmodSync2(editPrecheckScriptPath, 493);
+  chmodSync2(cveScanScriptPath, 493);
   chmodSync2(planJudgeScriptPath, 493);
   chmodSync2(stopSummaryScriptPath, 493);
   chmodSync2(sessionStartScriptPath, 493);
@@ -3948,6 +4054,7 @@ function writeHookScripts() {
     bashFollowupScript: bashFollowupScriptPath,
     editCaptureScript: editCaptureScriptPath,
     editPrecheckScript: editPrecheckScriptPath,
+    cveScanScript: cveScanScriptPath,
     planJudgeScript: planJudgeScriptPath,
     stopSummaryScript: stopSummaryScriptPath,
     sessionStartScript: sessionStartScriptPath,
@@ -3987,7 +4094,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.41")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.43")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -4290,6 +4397,7 @@ async function installCommand(opts = {}) {
         bashFollowupScriptPath: scripts.bashFollowupScript,
         editCaptureScriptPath: scripts.editCaptureScript,
         editPrecheckScriptPath: scripts.editPrecheckScript,
+        cveScanScriptPath: scripts.cveScanScript,
         planJudgeScriptPath: scripts.planJudgeScript,
         stopSummaryScriptPath: scripts.stopSummaryScript,
         sessionStartScriptPath: scripts.sessionStartScript,