@synkro-sh/cli 1.4.42 → 1.4.45

package/dist/bootstrap.js

@@ -121,11 +121,13 @@ function installCCHooks(settingsPath, config) {
   removeSynkroEntries(settings.hooks, "PostToolUse");
   removeSynkroEntries(settings.hooks, "SessionEnd");
   removeSynkroEntries(settings.hooks, "SessionStart");
+  removeSynkroEntries(settings.hooks, "UserPromptSubmit");
   removeSynkroEntries(settings.hooks, "Stop");
   settings.hooks.PreToolUse = settings.hooks.PreToolUse ?? [];
   settings.hooks.PostToolUse = settings.hooks.PostToolUse ?? [];
   settings.hooks.SessionEnd = settings.hooks.SessionEnd ?? [];
   settings.hooks.SessionStart = settings.hooks.SessionStart ?? [];
+  settings.hooks.UserPromptSubmit = settings.hooks.UserPromptSubmit ?? [];
   settings.hooks.PreToolUse.push({
     matcher: "Bash|Read|Grep|Glob",
     hooks: [
@@ -181,6 +183,17 @@ function installCCHooks(settingsPath, config) {
     ],
     [SYNKRO_MARKER]: true
   });
+  settings.hooks.PostToolUse.push({
+    matcher: "Edit|Write|MultiEdit|NotebookEdit",
+    hooks: [
+      {
+        type: "command",
+        command: config.cweScanScriptPath,
+        timeout: 15
+      }
+    ],
+    [SYNKRO_MARKER]: true
+  });
   settings.hooks.PostToolUse.push({
     matcher: "Bash",
     hooks: [
@@ -209,6 +222,16 @@ function installCCHooks(settingsPath, config) {
     ],
     [SYNKRO_MARKER]: true
   });
+  settings.hooks.UserPromptSubmit.push({
+    hooks: [
+      {
+        type: "command",
+        command: config.userPromptSubmitScriptPath,
+        timeout: 5
+      }
+    ],
+    [SYNKRO_MARKER]: true
+  });
   settings.hooks.Stop = settings.hooks.Stop ?? [];
   removeSynkroEntries(settings.hooks, "Stop");
   settings.hooks.Stop.push({
@@ -452,7 +475,7 @@ var init_mcpConfig = __esm({
 });
 
 // cli/installer/hookScripts.ts
-var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_CVE_SCAN_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT;
+var SYNKRO_COMMON_SCRIPT, CC_BASH_JUDGE_SCRIPT, CC_EDIT_PRECHECK_SCRIPT, CC_EDIT_CAPTURE_SCRIPT, CC_PLAN_JUDGE_SCRIPT, CC_STOP_SUMMARY_SCRIPT, CC_SESSION_START_SCRIPT, CC_BASH_FOLLOWUP_SCRIPT, CC_CVE_SCAN_SCRIPT, CC_CWE_SCAN_SCRIPT, CC_TRANSCRIPT_SYNC_SCRIPT, CURSOR_BASH_JUDGE_SCRIPT, CURSOR_EDIT_PRECHECK_SCRIPT, CURSOR_EDIT_CAPTURE_SCRIPT, CURSOR_BASH_FOLLOWUP_SCRIPT, CC_USER_PROMPT_SUBMIT_SCRIPT;
 var init_hookScripts = __esm({
   "cli/installer/hookScripts.ts"() {
     "use strict";
@@ -519,6 +542,10 @@ synkro_channel_up() {
   (exec 3<>/dev/tcp/127.0.0.1/\${SYNKRO_CHANNEL_PORT:-8929}) 2>/dev/null && exec 3<&- 3>&-
 }
 
+synkro_cwe_channel_up() {
+  (exec 3<>/dev/tcp/127.0.0.1/8930) 2>/dev/null && exec 3<&- 3>&-
+}
+
 # Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES, SYNKRO_SILENT, SYNKRO_POLICY_NAME.
 synkro_load_config() {
   local resp
@@ -547,6 +574,13 @@ synkro_route() {
   echo "cloud"
 }
 
+# Routing for CWE channel (port 8930).
+synkro_cwe_route() {
+  [ "$SYNKRO_CAPTURE_DEPTH" = "local_only" ] && echo "local" && return
+  synkro_cwe_channel_up && echo "local" && return
+  echo "cloud"
+}
+
 # Grade locally via synkro CLI channel. Reads prompt from stdin.
 synkro_local_grade() {
   local surface="$1"
@@ -564,11 +598,37 @@ synkro_local_grade() {
   fi
 }
 
+# Grade CWE locally via channel 2 (port 8930). Reads prompt from stdin.
+synkro_local_grade_cwe() {
+  if ! synkro_cwe_channel_up; then
+    echo "SYNKRO_CHANNEL_DOWN" >&2
+    return 1
+  fi
+  if [ -n "\${SYNKRO_CLI_BIN:-}" ] && [ -f "$SYNKRO_CLI_BIN" ] && command -v node >/dev/null 2>&1; then
+    SYNKRO_CHANNEL_PORT=8930 node "$SYNKRO_CLI_BIN" grade cwe 2>/dev/null
+  elif command -v synkro >/dev/null 2>&1; then
+    SYNKRO_CHANNEL_PORT=8930 synkro grade cwe 2>/dev/null
+  else
+    echo "SYNKRO_CLI_NOT_FOUND" >&2
+    return 1
+  fi
+}
+
+# Extract the CC model from the current turn's transcript. Call after reading PAYLOAD.
+# Sets CC_MODEL to the model used in the most recent assistant message.
+synkro_detect_cc_model() {
+  CC_MODEL=""
+  local tp
+  tp=$(echo "\${1:-$PAYLOAD}" | jq -r '.transcript_path // empty' 2>/dev/null)
+  [ -z "$tp" ] || [ ! -f "$tp" ] && return
+  CC_MODEL=$(grep '"type":"assistant"' "$tp" 2>/dev/null | tail -1 | jq -r '.message.model // empty' 2>/dev/null)
+}
+
 # Parse <synkro-verdict>...</synkro-verdict> XML from local grader output.
 # Sets LOCAL_OK, LOCAL_REASON, LOCAL_RULE_ID, LOCAL_RULE_MODE, LOCAL_SEV, LOCAL_CAT.
 synkro_parse_local_verdict() {
   local resp="$1"
-  LOCAL_OK="true"; LOCAL_REASON=""; LOCAL_RULE_ID=""; LOCAL_RULE_MODE=""; LOCAL_SEV="low"; LOCAL_CAT="general"
+  LOCAL_OK="true"; LOCAL_REASON=""; LOCAL_RULE_ID=""; LOCAL_RULE_MODE=""; LOCAL_SEV="low"; LOCAL_CAT="clean"
   local inner
   inner=$(printf '%s' "$resp" | tr '\\n' ' ' | sed -nE 's|.*<synkro-verdict>(.*)</synkro-verdict>.*|\\1|p' | tail -1)
   [ -z "$inner" ] && return
@@ -581,16 +641,16 @@ synkro_parse_local_verdict() {
     LOCAL_RULE_ID=$(printf '%s' "$inner" | sed -nE 's|.*<rule_id>(.*)</rule_id>.*|\\1|p' | head -1)
     LOCAL_RULE_MODE=$(printf '%s' "$inner" | sed -nE 's|.*<rule_mode>(.*)</rule_mode>.*|\\1|p' | head -1)
     LOCAL_SEV=$(printf '%s' "$inner" | sed -nE 's|.*<risk_level>(.*)</risk_level>.*|\\1|p' | head -1)
-    LOCAL_CAT=$(printf '%s' "$inner" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
     if [ -z "$LOCAL_RULE_ID" ]; then
       local fv
       fv=$(printf '%s' "$inner" | awk -v RS='</violation>' '/<violation>/{print; exit}')
       LOCAL_RULE_ID=$(printf '%s' "$fv" | sed -nE 's|.*<rule_id>(.*)</rule_id>.*|\\1|p' | head -1)
       [ -z "$LOCAL_REASON" ] && LOCAL_REASON=$(printf '%s' "$fv" | sed -nE 's|.*<reason>(.*)</reason>.*|\\1|p' | head -1)
       [ -z "$LOCAL_SEV" ] && LOCAL_SEV=$(printf '%s' "$fv" | sed -nE 's|.*<severity>(.*)</severity>.*|\\1|p' | head -1)
-      [ -z "$LOCAL_CAT" ] && LOCAL_CAT=$(printf '%s' "$fv" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
     fi
-    LOCAL_SEV="\${LOCAL_SEV:-high}"; LOCAL_CAT="\${LOCAL_CAT:-policy_violation}"
+    LOCAL_SEV="\${LOCAL_SEV:-high}"
+    LOCAL_CAT=$(printf '%s' "$inner" | sed -nE 's|.*<category>(.*)</category>.*|\\1|p' | head -1)
+    LOCAL_CAT="\${LOCAL_CAT:-uncategorized}"
     [ -z "$LOCAL_RULE_ID" ] && LOCAL_RULE_ID=$(printf '%s' "$LOCAL_REASON" | grep -oE '[Rr][0-9]{3}' | head -1)
   fi
 }
@@ -598,12 +658,13 @@ synkro_parse_local_verdict() {
 # Fire anonymized telemetry for local verdicts. All args positional.
 synkro_capture_local() {
   local hook_type="$1" verdict="$2" severity="$3" category="$4" tool_name="$5" repo="$6" session_id="$7"
+  local cc_model="\${CC_MODEL:-unknown}"
   (
     BODY=$(jq -n \\
       --arg eid "$(uuidgen 2>/dev/null || echo "evt_$(date +%s)_$$")" \\
       --arg ht "$hook_type" --arg v "$verdict" --arg s "$severity" --arg c "$category" \\
-      --arg tn "$tool_name" --arg r "$repo" --arg sid "$session_id" \\
-      '{capture_type:"local_verdict",event_id:$eid,hook_type:$ht,verdict:$v,severity:$s,category:$c,model:"claude-sonnet-4-6",tool_name:$tn}
+      --arg tn "$tool_name" --arg r "$repo" --arg sid "$session_id" --arg mdl "$cc_model" \\
+      '{capture_type:"local_verdict",event_id:$eid,hook_type:$ht,verdict:$v,severity:$s,category:$c,cc_model:$mdl,model:$mdl,tool_name:$tn}
         + (if $r != "" then {repo:$r} else {} end)
         + (if $sid != "" then {session_id:$sid} else {} end)')
     curl -sS -X POST "\${GATEWAY_URL}/api/v1/hook/capture" \\
@@ -616,15 +677,16 @@ synkro_capture_local() {
 synkro_capture_local_full() {
   local hook_type="$1" verdict="$2" severity="$3" category="$4" tool_name="$5" repo="$6" session_id="$7"
   local command="$8" reasoning="$9" rules_checked="\${10:-[]}" violated_rules="\${11:-[]}" recent_user_messages="\${12:-[]}"
+  local cc_model="\${CC_MODEL:-unknown}"
   (
     BODY=$(jq -n \\
       --arg eid "$(uuidgen 2>/dev/null || echo "evt_$(date +%s)_$$")" \\
       --arg ht "$hook_type" --arg v "$verdict" --arg s "$severity" --arg c "$category" \\
-      --arg tn "$tool_name" --arg r "$repo" --arg sid "$session_id" \\
+      --arg tn "$tool_name" --arg r "$repo" --arg sid "$session_id" --arg mdl "$cc_model" \\
       --arg cmd "$command" --arg rsn "$reasoning" --arg cd "$SYNKRO_CAPTURE_DEPTH" \\
       --argjson rc "$rules_checked" --argjson vr "$violated_rules" --argjson rum "$recent_user_messages" \\
       '{capture_type:"local_verdict",event_id:$eid,hook_type:$ht,verdict:$v,severity:$s,category:$c,
-        model:"claude-sonnet-4-6",tool_name:$tn,capture_depth:$cd,
+        cc_model:$mdl,model:$mdl,tool_name:$tn,capture_depth:$cd,
         command:(if ($cmd|length) > 0 then $cmd else null end),
         reasoning:(if ($rsn|length) > 0 then $rsn else null end),
         rules_checked:$rc, violated_rules:$vr, recent_user_messages:$rum}
@@ -700,6 +762,13 @@ synkro_consent_clear_consumed() {
   grep -v "^\${sid}\${_TAB}\${hash}\${_TAB}consumed$" "$SYNKRO_CONSENT_FILE" > "$tmp" 2>/dev/null && mv "$tmp" "$SYNKRO_CONSENT_FILE" 2>/dev/null || true
 }
 
+SYNKRO_LAST_PROMPT_FILE="$HOME/.synkro/.last-prompt"
+
+synkro_read_last_prompt() {
+  [ -f "$SYNKRO_LAST_PROMPT_FILE" ] || return
+  cat "$SYNKRO_LAST_PROMPT_FILE" 2>/dev/null
+}
+
 synkro_post_with_retry() {
   local url="$1" body="$2" timeout="\${3:-8}"
   local resp
@@ -737,6 +806,7 @@ TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 PERMISSION_MODE=$(echo "$PAYLOAD" | jq -r '.permission_mode // empty' 2>/dev/null)
+synkro_detect_cc_model
 
 # Translate tool calls to command string for logging
 case "$TOOL_NAME" in
@@ -762,6 +832,8 @@ fi
 IS_HEADLESS="\${SYNKRO_HEADLESS:-0}"
 case "$PERMISSION_MODE" in acceptEdits|bypassPermissions|plan|auto) IS_HEADLESS="1" ;; esac
 
+LAST_PROMPT=$(synkro_read_last_prompt)
+
 synkro_load_config
 ROUTE=$(synkro_route)
 TAG=$(synkro_tag "$ROUTE")
@@ -775,7 +847,7 @@ if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-bash.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'Working directory: %s\\nRepo: %s\\nCommand: %s\\nUser intent (last human message): %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$COMMAND" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nCommand: %s\\nUser intent (last human message): %s\\nLast user prompt: %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$COMMAND" "\${USER_INTENT:-none stated}" "\${LAST_PROMPT:-none}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
 
   CC_RESP=$(synkro_local_grade bash < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
@@ -811,7 +883,6 @@ if [ "$ROUTE" = "local" ]; then
 fi
 
 # \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-CC_MODEL=""
 CC_USAGE="{}"
 RECENT_MESSAGES="[]"
 RECENT_ACTIONS="[]"
@@ -819,7 +890,6 @@ SESSION_SUMMARY=""
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
   _LAST=$(grep '"type":"assistant"' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1)
   if [ -n "$_LAST" ]; then
-    CC_MODEL=$(echo "$_LAST" | jq -r '.message.model // empty' 2>/dev/null)
     CC_USAGE=$(echo "$_LAST" | jq -c '{input_tokens:.message.usage.input_tokens,output_tokens:.message.usage.output_tokens,cache_creation_input_tokens:.message.usage.cache_creation_input_tokens,cache_read_input_tokens:.message.usage.cache_read_input_tokens}' 2>/dev/null || echo "{}")
   fi
   RECENT_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '[.[] | select(.type == "user" or .type == "assistant") | {type, text: (.message.content | if type == "string" then .[0:500] else ([.[]? | (.text? // "") | .[0:300]] | join(" ")) end)}] | .[-10:]' 2>/dev/null || echo "[]")
@@ -843,11 +913,13 @@ BODY=$(jq -n \\
   --arg cc_model "$CC_MODEL" \\
   --argjson cc_usage "$CC_USAGE" \\
   --arg session_summary "$SESSION_SUMMARY" \\
+  --arg last_prompt "\${LAST_PROMPT:-}" \\
   '{
     hook_event: $hook_event,
     tool_name: $tool_name,
     tool_input: $tool_input,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
+    last_user_message: (if ($last_prompt | length) > 0 then $last_prompt else null end),
     recent_user_messages: $recent_user_messages,
     recent_messages: $recent_messages,
     recent_actions: $recent_actions,
@@ -898,6 +970,7 @@ TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
 PERMISSION_MODE=$(echo "$PAYLOAD" | jq -r '.permission_mode // empty' 2>/dev/null)
+synkro_detect_cc_model
 
 FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .notebook_path // .path // empty' 2>/dev/null)
 if [ -z "$FILE_PATH" ]; then echo '{}'; exit 0; fi
@@ -950,13 +1023,19 @@ DIFF_FIELD=$(echo "$TOOL_INPUT" | jq -c '{old_string, new_string, edits} | with_
 
 # Extract user intent from transcript
 USER_INTENT=""
+RECENT_USER_MESSAGES="[]"
+RECENT_MESSAGES="[]"
 RECENT_ACTIONS="[]"
 TRANSCRIPT_PATH=$(echo "$PAYLOAD" | jq -r '.transcript_path // empty' 2>/dev/null)
 if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
-  USER_INTENT=$(tail -200 "$TRANSCRIPT_PATH" | jq -r 'select(.type == "user") | .message.content | if type == "string" then . else (map(.text? // "") | join(" ")) end' 2>/dev/null | tail -1 || echo "")
+  RECENT_USER_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '[.[] | select(.type == "user") | (.message.content | if type == "string" then . else (map(.text? // "") | join(" ")) end) | select(. != null and . != "")] | .[-5:]' 2>/dev/null || echo "[]")
+  USER_INTENT=$(echo "$RECENT_USER_MESSAGES" | jq -r '.[-1] // ""' 2>/dev/null || echo "")
+  RECENT_MESSAGES=$(tail -400 "$TRANSCRIPT_PATH" | jq -c -s '[.[] | select(.type == "user" or .type == "assistant") | {type, text: (.message.content | if type == "string" then .[0:500] else ([.[]? | (.text? // "") | .[0:300]] | join(" ")) end)}] | .[-10:]' 2>/dev/null || echo "[]")
   RECENT_ACTIONS=$(tail -200 "$TRANSCRIPT_PATH" | jq -c -s '[.[] | select(.type == "assistant") | .message.content[]? | select(.type == "tool_use") | {tool: .name, input: (.input // {} | tostring | .[0:200])}] | .[-5:]' 2>/dev/null || echo "[]")
 fi
 
+LAST_PROMPT=$(synkro_read_last_prompt)
+
 synkro_load_config
 ROUTE=$(synkro_route)
 TAG=$(synkro_tag "$ROUTE")
@@ -970,7 +1049,7 @@ if [ "$ROUTE" = "local" ]; then
   # \u2500\u2500\u2500 Local grading (local_only privacy or local-cc channel) \u2500\u2500\u2500
   GRADER_FILE=$(mktemp -t synkro-edit.XXXXXX)
   trap "rm -f \\"$GRADER_FILE\\"" EXIT
-  printf 'Working directory: %s\\nRepo: %s\\nFile: %s\\nProposed content (first 4000 chars):\\n%s\\nUser intent (last human message): %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$FILE_PATH" "$(printf '%s' "$PROPOSED" | head -c 4000)" "\${USER_INTENT:-none stated}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
+  printf 'Working directory: %s\\nRepo: %s\\nFile: %s\\nProposed content (first 4000 chars):\\n%s\\nUser intent (last human message): %s\\nLast user prompt: %s\\nOrg rules: %s\\n' "\${CWD:-.}" "\${GIT_REPO:-unknown}" "$FILE_PATH" "$(printf '%s' "$PROPOSED" | head -c 4000)" "\${USER_INTENT:-none stated}" "\${LAST_PROMPT:-none}" "\${SYNKRO_RULES:-[]}" > "$GRADER_FILE"
 
   CC_RESP=$(synkro_local_grade edit < "$GRADER_FILE" 2>&1)
   if [ $? -ne 0 ]; then
@@ -1016,6 +1095,8 @@ BODY=$(jq -n \\
   --arg file_before "$FILE_BEFORE" \\
   --argjson diff "$DIFF_FIELD" \\
   --arg user_intent "$USER_INTENT" \\
+  --argjson recent_user_messages "$RECENT_USER_MESSAGES" \\
+  --argjson recent_messages "$RECENT_MESSAGES" \\
   --argjson recent_actions "$RECENT_ACTIONS" \\
   --arg session_id "$SESSION_ID" \\
   --arg tool_use_id "$TOOL_USE_ID" \\
@@ -1023,6 +1104,7 @@ BODY=$(jq -n \\
   --arg repo "$GIT_REPO" \\
   --arg permission_mode "$PERMISSION_MODE" \\
   --arg headless_flag "\${SYNKRO_HEADLESS:-0}" \\
+  --arg last_prompt "\${LAST_PROMPT:-}" \\
   '{
     hook_event: $hook_event,
     tool_name: $tool_name,
@@ -1032,6 +1114,9 @@ BODY=$(jq -n \\
     file_before: (if ($file_before | length) > 0 then $file_before else null end),
     diff: $diff,
     user_intent: (if ($user_intent | length) > 0 then $user_intent else null end),
+    last_user_message: (if ($last_prompt | length) > 0 then $last_prompt else null end),
+    recent_user_messages: $recent_user_messages,
+    recent_messages: $recent_messages,
     recent_actions: $recent_actions,
     session_id: (if ($session_id | length) > 0 then $session_id else null end),
     tool_use_id: (if ($tool_use_id | length) > 0 then $tool_use_id else null end),
@@ -1089,6 +1174,7 @@ SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 TOOL_USE_ID=$(echo "$PAYLOAD" | jq -r '.tool_use_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
+synkro_detect_cc_model
 
 # Correction followup (backgrounded)
 if [ -n "$SESSION_ID" ] && [ -n "$TOOL_USE_ID" ]; then
@@ -1235,6 +1321,7 @@ if [ -z "$PLAN" ] || [ \${#PLAN} -lt 20 ]; then echo '{}'; exit 0; fi
 SESSION_ID=$(echo "$PAYLOAD" | jq -r '.session_id // empty' 2>/dev/null)
 CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
 GIT_REPO=$(synkro_detect_repo "\${CWD:-.}")
+synkro_detect_cc_model
 
 PLAN_SHORT=$(printf '%s' "$PLAN" | head -c 80)
 synkro_log "planReview checking: $PLAN_SHORT..."
@@ -1368,7 +1455,7 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
       BODY=$(jq -n \\
         --arg event_id "usage_$(date +%s)_$$" \\
         --arg hook_type "stop" --arg verdict "allow" --arg severity "none" \\
-        --arg model "\${CC_MODEL:-claude-sonnet-4-6}" \\
+        --arg model "\${CC_MODEL:-unknown}" \\
         --arg cc_model "\${CC_MODEL:-}" \\
         --arg repo "\${GIT_REPO:-}" --arg session_id "$SESSION_ID" \\
         --argjson cc_usage "$CC_USAGE" \\
@@ -1581,6 +1668,121 @@ else
   jq -n --arg m "[synkro:\${ROUTE}:cveScan] clean" '{systemMessage: $m}'
 fi
 exit 0
+`;
+    CC_CWE_SCAN_SCRIPT = `#!/bin/bash
+SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+. "$SCRIPT_DIR/_synkro-common.sh"
+
+JWT=$(synkro_load_jwt)
+if [ -z "$JWT" ]; then echo '{}'; exit 0; fi
+synkro_ensure_fresh_jwt
+
+PAYLOAD=$(cat)
+if [ -z "$PAYLOAD" ]; then echo '{}'; exit 0; fi
+
+TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
+case "$TOOL_NAME" in Edit|Write|MultiEdit|NotebookEdit) ;; *) echo '{}'; exit 0 ;; esac
+
+TOOL_INPUT=$(echo "$PAYLOAD" | jq -c '.tool_input // {}' 2>/dev/null)
+CWD=$(echo "$PAYLOAD" | jq -r '.cwd // empty' 2>/dev/null)
+
+FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .notebook_path // .path // empty' 2>/dev/null)
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then echo '{}'; exit 0; fi
+
+FILE_CONTENT=$(head -c 65536 "$FILE_PATH" 2>/dev/null || echo "")
+if [ -z "$FILE_CONTENT" ]; then echo '{}'; exit 0; fi
+
+synkro_load_config
+ROUTE=$(synkro_route)
+TAG=$(synkro_tag "$ROUTE")
+
+if [ "$SYNKRO_SILENT" = "true" ]; then echo '{}'; exit 0; fi
+
+BASENAME=$(basename "$FILE_PATH")
+FILE_EXT=".\${FILE_PATH##*.}"
+
+# \u2500\u2500\u2500 Helper: format CWE findings into system message \u2500\u2500\u2500
+format_cwe_result() {
+  local count="$1" crit="$2" ids="$3" total="$4"
+  [ "$count" = "1" ] && local label="match" || local label="matches"
+  if [ "$crit" -gt 0 ] 2>/dev/null; then
+    [ "$total" -gt 3 ] && ids="\${ids}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cweScan] \${count} CWE \${label}, \${crit} critical (\${ids})" '{systemMessage: $m}'
+  else
+    [ "$total" -gt 3 ] && ids="\${ids}, ..."
+    jq -n --arg m "[synkro:\${ROUTE}:cweScan] \${count} CWE \${label} (\${ids})" '{systemMessage: $m}'
+  fi
+}
+
+if [ "$ROUTE" = "local" ]; then
+  # \u2500\u2500\u2500 Local CWE scan: deterministic Top 25 filter + local-cc grader \u2500\u2500\u2500
+  CWE_RULES=$(curl -sS -X GET "\${GATEWAY_URL}/api/v1/cwe-rules?ext=$FILE_EXT" \\
+    -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
+  CWE_LIST=$(echo "$CWE_RULES" | jq -c '.rules // []' 2>/dev/null || echo "[]")
+  CWE_RULE_COUNT=$(echo "$CWE_LIST" | jq 'length' 2>/dev/null || echo "0")
+  if [ "$CWE_RULE_COUNT" -eq 0 ] 2>/dev/null; then
+    jq -n --arg m "[synkro:\${ROUTE}:cweScan] clean (no CWEs for $FILE_EXT)" '{systemMessage: $m}'
+    exit 0
+  fi
+
+  GRADER_FILE=$(mktemp -t synkro-cwescan.XXXXXX)
+  trap "rm -f \\"$GRADER_FILE\\"" EXIT
+  printf 'File: %s\\nContent (first 4000 chars):\\n%s\\n\\nCWE rules to check against:\\n%s\\n' "$FILE_PATH" "$(printf '%s' "$FILE_CONTENT" | head -c 4000)" "$CWE_LIST" > "$GRADER_FILE"
+
+  CC_RESP=$(synkro_local_grade_cwe < "$GRADER_FILE" 2>&1)
+  if [ $? -ne 0 ]; then
+    jq -n --arg m "[synkro:\${ROUTE}:cweScan] pass: local grader unavailable" '{systemMessage: $m}'
+    exit 0
+  fi
+  synkro_parse_local_verdict "$CC_RESP"
+
+  if [ "$LOCAL_OK" = "false" ]; then
+    CWE_IDS=""
+    CWE_COUNT=0
+    CWE_CRIT=0
+    while IFS= read -r vid; do
+      [ -z "$vid" ] && continue
+      CWE_COUNT=$((CWE_COUNT + 1))
+      cwe_tag=$(printf '%s' "$CC_RESP" | tr '\\n' ' ' | grep -oE "<violation>[^<]*<rule_id>$vid</rule_id>[^<]*<severity>[^<]*</severity>" | head -1)
+      sev=$(printf '%s' "$cwe_tag" | sed -nE 's|.*<severity>(.*)</severity>.*|\\1|p')
+      [ "$sev" = "critical" ] && CWE_CRIT=$((CWE_CRIT + 1))
+      CWE_ID=$(echo "$vid" | sed 's/cwe-/CWE-/')
+      [ "$CWE_COUNT" -le 3 ] && { [ -n "$CWE_IDS" ] && CWE_IDS="$CWE_IDS, $CWE_ID" || CWE_IDS="$CWE_ID"; }
+    done <<< "$(printf '%s' "$CC_RESP" | tr '\\n' ' ' | grep -oE '<rule_id>[^<]+</rule_id>' | sed 's/<[^>]*>//g')"
+
+    if [ "$CWE_COUNT" -gt 0 ]; then
+      format_cwe_result "$CWE_COUNT" "$CWE_CRIT" "$CWE_IDS" "$CWE_COUNT"
+    else
+      jq -n --arg m "[synkro:\${ROUTE}:cweScan] clean" '{systemMessage: $m}'
+    fi
+  else
+    jq -n --arg m "[synkro:\${ROUTE}:cweScan] clean" '{systemMessage: $m}'
+  fi
+  exit 0
+fi
+
+# \u2500\u2500\u2500 Cloud CWE scan: cosine similarity against full CWE catalog \u2500\u2500\u2500
+BODY=$(jq -n --arg fp "$FILE_PATH" --arg c "$FILE_CONTENT" \\
+  '{file_path:$fp, content:$c}')
+
+RESP=$(curl -sS -X POST "\${GATEWAY_URL}/api/v1/cwe-scan" \\
+  -H "Content-Type: application/json" -H "Authorization: Bearer $JWT" \\
+  -d "$BODY" --max-time 8 2>/dev/null || echo "")
+
+if [ -z "$RESP" ] || ! echo "$RESP" | jq -e 'type == "object"' >/dev/null 2>&1; then
+  echo '{}'; exit 0
+fi
+
+CWE_COUNT=$(echo "$RESP" | jq -r '.findings | length' 2>/dev/null || echo "0")
+if [ "$CWE_COUNT" -gt 0 ] 2>/dev/null; then
+  CWE_CRIT=$(echo "$RESP" | jq '[.findings[] | select(.severity == "critical" or .mode == "blocking")] | length' 2>/dev/null || echo "0")
+  CWE_IDS=$(echo "$RESP" | jq -r '[.findings[:3][] | .cwe] | join(", ")' 2>/dev/null || echo "")
+  CWE_TOTAL=$(echo "$RESP" | jq -r '.findings | length' 2>/dev/null || echo "0")
+  format_cwe_result "$CWE_COUNT" "$CWE_CRIT" "$CWE_IDS" "$CWE_TOTAL"
+else
+  jq -n --arg m "[synkro:\${ROUTE}:cweScan] clean" '{systemMessage: $m}'
+fi
+exit 0
 `;
     CC_TRANSCRIPT_SYNC_SCRIPT = `#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
@@ -1612,7 +1814,7 @@ if [ -n "$_LAST_ASST" ]; then
       _BODY=$(jq -n \\
         --arg event_id "usage_$(date +%s)_$$" \\
         --arg hook_type "stop" --arg verdict "allow" --arg severity "none" \\
-        --arg model "\${_CC_MODEL:-claude-sonnet-4-6}" \\
+        --arg model "\${_CC_MODEL:-unknown}" \\
         --arg cc_model "\${_CC_MODEL:-}" \\
         --arg session_id "$SESSION_ID" \\
         --argjson cc_usage "$_USAGE" \\
@@ -1895,6 +2097,19 @@ fi
 
 echo '{}'
 exit 0
+`;
+    CC_USER_PROMPT_SUBMIT_SCRIPT = `#!/bin/bash
+# Synkro UserPromptSubmit hook \u2014 stashes the user's last message so PreToolUse
+# hooks can pass it to the grader for consent detection. No regex matching here;
+# the grader (local or cloud) decides whether the message constitutes consent.
+PROMPT_FILE="$HOME/.synkro/.last-prompt"
+PAYLOAD=$(cat)
+if [ -z "$PAYLOAD" ]; then exit 0; fi
+MSG=$(echo "$PAYLOAD" | jq -r '.message // .prompt // .content // empty' 2>/dev/null)
+if [ -n "$MSG" ]; then
+  printf '%s' "$MSG" > "$PROMPT_FILE" 2>/dev/null || true
+fi
+exit 0
 `;
   }
 });
@@ -3223,27 +3438,40 @@ function writePluginFiles() {
     PLUGIN_SETTINGS_PATH,
     JSON.stringify({
       fastMode: true,
-      // Pre-approve the project-local synkro-local MCP server so claude doesn't
-      // block on a consent prompt at startup. Lives in the PROJECT settings so
-      // it's still picked up under --setting-sources project,local (which
-      // skips user settings to avoid synkro-hook recursion in the grader).
       enabledMcpjsonServers: ["synkro-local"]
     }, null, 2) + "\n",
     "utf-8"
   );
   writeFileSync6(RUN_SCRIPT_PATH, RUN_SCRIPT_SOURCE, "utf-8");
   chmodSync(RUN_SCRIPT_PATH, 493);
+  mkdirSync6(SESSION_DIR_2, { recursive: true });
+  mkdirSync6(PLUGIN_SETTINGS_DIR_2, { recursive: true });
+  writeFileSync6(PLUGIN_PATH_2, CHANNEL_PLUGIN_SOURCE, "utf-8");
+  chmodSync(PLUGIN_PATH_2, 493);
+  writeFileSync6(PLUGIN_PKG_PATH_2, PLUGIN_PACKAGE_JSON, "utf-8");
+  writeFileSync6(
+    PLUGIN_SETTINGS_PATH_2,
+    JSON.stringify({
+      fastMode: true,
+      enabledMcpjsonServers: ["synkro-local"]
+    }, null, 2) + "\n",
+    "utf-8"
+  );
+  writeFileSync6(RUN_SCRIPT_PATH_2, RUN_SCRIPT_SOURCE_2, "utf-8");
+  chmodSync(RUN_SCRIPT_PATH_2, 493);
 }
 function runBunInstall() {
-  const r = spawnSync("bun", ["install", "--silent"], {
-    cwd: SESSION_DIR,
-    encoding: "utf-8",
-    timeout: 12e4
-  });
-  if (r.status !== 0) {
-    throw new LocalCCInstallError(
-      `bun install failed in ${SESSION_DIR}: ${r.stderr || r.stdout || "unknown"}`
-    );
+  for (const dir of [SESSION_DIR, SESSION_DIR_2]) {
+    const r = spawnSync("bun", ["install", "--silent"], {
+      cwd: dir,
+      encoding: "utf-8",
+      timeout: 12e4
+    });
+    if (r.status !== 0) {
+      throw new LocalCCInstallError(
+        `bun install failed in ${dir}: ${r.stderr || r.stdout || "unknown"}`
+      );
+    }
   }
 }
 function safelyMutateClaudeJson(mutator) {
@@ -3315,6 +3543,15 @@ function writeProjectMcpJson() {
     }
   };
   writeFileSync6(PROJECT_MCP_PATH, JSON.stringify(mcp, null, 2) + "\n", "utf-8");
+  const mcp2 = {
+    mcpServers: {
+      [MCP_SERVER_NAME]: {
+        command: "bun",
+        args: [PLUGIN_PATH_2]
+      }
+    }
+  };
+  writeFileSync6(PROJECT_MCP_PATH_2, JSON.stringify(mcp2, null, 2) + "\n", "utf-8");
 }
 function patchClaudeJson() {
   safelyMutateClaudeJson((parsed) => {
@@ -3327,20 +3564,22 @@ function patchClaudeJson() {
       parsed.projects = {};
     }
     const projects = parsed.projects;
-    const existing = projects[SESSION_DIR] && typeof projects[SESSION_DIR] === "object" ? projects[SESSION_DIR] : {};
-    const wantEnabled = Array.from(/* @__PURE__ */ new Set([
-      ...existing.enabledMcpjsonServers ?? [],
-      MCP_SERVER_NAME
-    ]));
-    const next = {
-      ...existing,
-      hasTrustDialogAccepted: true,
-      hasCompletedProjectOnboarding: true,
-      enabledMcpjsonServers: wantEnabled
-    };
-    if (existing.hasTrustDialogAccepted !== true || existing.hasCompletedProjectOnboarding !== true || JSON.stringify(existing.enabledMcpjsonServers ?? []) !== JSON.stringify(wantEnabled)) {
-      projects[SESSION_DIR] = next;
-      dirty = true;
+    for (const dir of [SESSION_DIR, SESSION_DIR_2]) {
+      const existing = projects[dir] && typeof projects[dir] === "object" ? projects[dir] : {};
+      const wantEnabled = Array.from(/* @__PURE__ */ new Set([
+        ...existing.enabledMcpjsonServers ?? [],
+        MCP_SERVER_NAME
+      ]));
+      const next = {
+        ...existing,
+        hasTrustDialogAccepted: true,
+        hasCompletedProjectOnboarding: true,
+        enabledMcpjsonServers: wantEnabled
+      };
+      if (existing.hasTrustDialogAccepted !== true || existing.hasCompletedProjectOnboarding !== true || JSON.stringify(existing.enabledMcpjsonServers ?? []) !== JSON.stringify(wantEnabled)) {
+        projects[dir] = next;
+        dirty = true;
+      }
     }
     return dirty;
   });
@@ -3375,14 +3614,16 @@ function uninstallLocalCC() {
       delete parsed.mcpServers[MCP_SERVER_NAME];
       dirty = true;
     }
-    if (parsed.projects && typeof parsed.projects === "object" && parsed.projects[SESSION_DIR]) {
-      delete parsed.projects[SESSION_DIR];
-      dirty = true;
+    for (const dir of [SESSION_DIR, SESSION_DIR_2]) {
+      if (parsed.projects && typeof parsed.projects === "object" && parsed.projects[dir]) {
+        delete parsed.projects[dir];
+        dirty = true;
+      }
     }
     return dirty;
   });
 }
-var CLAUDE_JSON_BACKUP_PATH, SESSION_DIR, PLUGIN_PATH, PLUGIN_PKG_PATH, PLUGIN_SETTINGS_DIR, PLUGIN_SETTINGS_PATH, PROJECT_MCP_PATH, CLAUDE_JSON_PATH, RUN_SCRIPT_PATH, TMUX_SESSION_NAME, RUN_SCRIPT_SOURCE, MCP_SERVER_NAME, PLUGIN_PACKAGE_JSON, LocalCCInstallError;
+var CLAUDE_JSON_BACKUP_PATH, SESSION_DIR, PLUGIN_PATH, PLUGIN_PKG_PATH, PLUGIN_SETTINGS_DIR, PLUGIN_SETTINGS_PATH, PROJECT_MCP_PATH, CLAUDE_JSON_PATH, RUN_SCRIPT_PATH, TMUX_SESSION_NAME, SESSION_DIR_2, PLUGIN_PATH_2, PLUGIN_PKG_PATH_2, PLUGIN_SETTINGS_DIR_2, PLUGIN_SETTINGS_PATH_2, PROJECT_MCP_PATH_2, RUN_SCRIPT_PATH_2, TMUX_SESSION_NAME_2, CHANNEL_2_PORT, RUN_SCRIPT_SOURCE, RUN_SCRIPT_SOURCE_2, MCP_SERVER_NAME, PLUGIN_PACKAGE_JSON, LocalCCInstallError;
 var init_install = __esm({
   "cli/local-cc/install.ts"() {
     "use strict";
@@ -3397,6 +3638,15 @@ var init_install = __esm({
     CLAUDE_JSON_PATH = join7(homedir6(), ".claude.json");
     RUN_SCRIPT_PATH = join7(SESSION_DIR, "run-claude.sh");
     TMUX_SESSION_NAME = "synkro-local-cc";
+    SESSION_DIR_2 = join7(homedir6(), ".synkro", "cc_sessions_2");
+    PLUGIN_PATH_2 = join7(SESSION_DIR_2, "synkro-channel.ts");
+    PLUGIN_PKG_PATH_2 = join7(SESSION_DIR_2, "package.json");
+    PLUGIN_SETTINGS_DIR_2 = join7(SESSION_DIR_2, ".claude");
+    PLUGIN_SETTINGS_PATH_2 = join7(PLUGIN_SETTINGS_DIR_2, "settings.json");
+    PROJECT_MCP_PATH_2 = join7(SESSION_DIR_2, ".mcp.json");
+    RUN_SCRIPT_PATH_2 = join7(SESSION_DIR_2, "run-claude.sh");
+    TMUX_SESSION_NAME_2 = "synkro-local-cc-2";
+    CHANNEL_2_PORT = 8930;
     RUN_SCRIPT_SOURCE = `#!/usr/bin/env bash
 # Auto-generated by \`synkro install\`. Do not edit.
 set -uo pipefail
@@ -3462,6 +3712,62 @@ while tmux has-session -t "$SESSION" 2>/dev/null; do
   sleep 5
 done
 
+log "tmux session ended."
+`;
+    RUN_SCRIPT_SOURCE_2 = `#!/usr/bin/env bash
+# Auto-generated by \`synkro install\`. Channel 2 (CWE scan, port ${CHANNEL_2_PORT}).
+set -uo pipefail
+
+SESSION=${TMUX_SESSION_NAME_2}
+LOG="$HOME/.synkro/cc_sessions_2/run-claude.log"
+
+log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
+
+if ! command -v claude >/dev/null 2>&1; then
+  log "ERROR: claude CLI not found on PATH."
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  log "ERROR: tmux not found on PATH."
+  exit 1
+fi
+
+if ! claude --version >/dev/null 2>&1; then
+  log "ERROR: claude --version failed."
+  exit 1
+fi
+
+log "Starting local-CC channel 2 (port ${CHANNEL_2_PORT})..."
+log "claude version: $(claude --version 2>&1 | head -1)"
+
+tmux kill-session -t "$SESSION" 2>/dev/null || true
+
+tmux new-session -d -s "$SESSION" \\
+  "SYNKRO_CHANNEL_PORT=${CHANNEL_2_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
+
+sleep 3
+if tmux has-session -t "$SESSION" 2>/dev/null; then
+  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  log "Sent auto-accept keys to channel 2 session."
+fi
+
+sleep 2
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  log "ERROR: tmux session died immediately. Check $LOG for details."
+  exit 1
+fi
+
+log "tmux session started successfully (port ${CHANNEL_2_PORT})."
+
+while tmux has-session -t "$SESSION" 2>/dev/null; do
+  sleep 5
+done
+
 log "tmux session ended."
 `;
     MCP_SERVER_NAME = "synkro-local";
@@ -3526,10 +3832,10 @@ function statusName(s) {
   }
   return "unknown";
 }
-function findTask() {
+function findTask(channel = CHANNEL_PRIMARY) {
   const data = statusJson();
   for (const [id, t] of Object.entries(data.tasks)) {
-    if (t.label === TASK_LABEL) {
+    if (t.label === channel.taskLabel) {
       return {
         id: Number(id),
         label: t.label,
@@ -3542,8 +3848,9 @@ function findTask() {
   return null;
 }
 function startTask(opts = {}) {
-  const cwd = opts.cwd ?? SESSION_DIR2;
-  const existing = findTask();
+  const ch = opts.channel ?? CHANNEL_PRIMARY;
+  const cwd = opts.cwd ?? ch.sessionDir;
+  const existing = findTask(ch);
   if (existing) {
     spawnSync2("pueue", ["remove", String(existing.id)], { encoding: "utf-8" });
   }
@@ -3551,7 +3858,7 @@ function startTask(opts = {}) {
   const args2 = [
     "add",
     "--label",
-    TASK_LABEL,
+    ch.taskLabel,
     "--working-directory",
     cwd,
     "--",
@@ -3562,27 +3869,28 @@ function startTask(opts = {}) {
   if (r.status !== 0) {
     throw new PueueError(`pueue add failed: ${r.stderr || r.stdout}`);
   }
-  const created = findTask();
+  const created = findTask(ch);
   if (!created) {
-    throw new PueueError(`pueue add succeeded but no task with label ${TASK_LABEL} found`);
+    throw new PueueError(`pueue add succeeded but no task with label ${ch.taskLabel} found`);
   }
   return created;
 }
-function stopTask() {
-  spawnSync2("tmux", ["kill-session", "-t", TMUX_SESSION], { encoding: "utf-8" });
-  const t = findTask();
+function stopTask(channel = CHANNEL_PRIMARY) {
+  spawnSync2("tmux", ["kill-session", "-t", channel.tmuxSession], { encoding: "utf-8" });
+  const t = findTask(channel);
   if (!t) return;
   spawnSync2("pueue", ["kill", String(t.id)], { encoding: "utf-8" });
   spawnSync2("pueue", ["remove", String(t.id)], { encoding: "utf-8" });
 }
-function tailLogs(lines = 80) {
-  const t = findTask();
-  if (!t) return "(no synkro local-cc task)";
+function tailLogs(lines = 80, channel = CHANNEL_PRIMARY) {
+  const t = findTask(channel);
+  if (!t) return `(no ${channel.taskLabel} task)`;
   const r = spawnSync2("pueue", ["log", "--lines", String(lines), String(t.id)], { encoding: "utf-8" });
   return r.stdout || r.stderr || "(no output)";
 }
 function ensureRunning(opts = {}) {
-  const t = findTask();
+  const ch = opts.channel ?? CHANNEL_PRIMARY;
+  const t = findTask(ch);
   if (t && t.status === "Running") return t;
   return startTask(opts);
 }
@@ -3601,15 +3909,15 @@ function probePort(host, port, timeoutMs = 500) {
     sock.setTimeout(timeoutMs, () => done(false));
   });
 }
-function tmuxDismissPrompts() {
-  spawnSync2("tmux", ["send-keys", "-t", TMUX_SESSION, "1"], { encoding: "utf-8" });
-  spawnSync2("tmux", ["send-keys", "-t", TMUX_SESSION, "Enter"], { encoding: "utf-8" });
+function tmuxDismissPrompts(tmuxSession = TMUX_SESSION) {
+  spawnSync2("tmux", ["send-keys", "-t", tmuxSession, "1"], { encoding: "utf-8" });
+  spawnSync2("tmux", ["send-keys", "-t", tmuxSession, "Enter"], { encoding: "utf-8" });
 }
-async function waitForChannelReady(port, timeoutMs = 6e4, host = "127.0.0.1") {
+async function waitForChannelReady(port, timeoutMs = 6e4, host = "127.0.0.1", tmuxSession = TMUX_SESSION) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     if (await probePort(host, port)) return true;
-    tmuxDismissPrompts();
+    tmuxDismissPrompts(tmuxSession);
     await new Promise((r) => setTimeout(r, 1e3));
   }
   return probePort(host, port);
@@ -3642,6 +3950,7 @@ function assertPueueInstalled() {
       throw new PueueError("pueue daemon not reachable after starting pueued. Check `pueued` manually.");
     }
   }
+  spawnSync2("pueue", ["parallel", "2"], { encoding: "utf-8" });
 }
 function assertClaudeInstalled() {
   const r = spawnSync2("claude", ["--version"], { encoding: "utf-8" });
@@ -3660,13 +3969,16 @@ function assertTmuxInstalled() {
     }
   }
 }
-var TASK_LABEL, TMUX_SESSION, SESSION_DIR2, PueueError;
+var TASK_LABEL, TMUX_SESSION, SESSION_DIR2, TASK_LABEL_2, TMUX_SESSION_2, SESSION_DIR_22, PueueError, CHANNEL_PRIMARY, CHANNEL_SECONDARY;
 var init_pueue = __esm({
   "cli/local-cc/pueue.ts"() {
     "use strict";
     TASK_LABEL = "synkro-local-cc";
     TMUX_SESSION = "synkro-local-cc";
     SESSION_DIR2 = join8(homedir7(), ".synkro", "cc_sessions");
+    TASK_LABEL_2 = "synkro-local-cc-2";
+    TMUX_SESSION_2 = "synkro-local-cc-2";
+    SESSION_DIR_22 = join8(homedir7(), ".synkro", "cc_sessions_2");
     PueueError = class extends Error {
       constructor(message, cause) {
         super(message);
@@ -3675,6 +3987,8 @@ var init_pueue = __esm({
       }
       cause;
     };
+    CHANNEL_PRIMARY = { taskLabel: TASK_LABEL, tmuxSession: TMUX_SESSION, sessionDir: SESSION_DIR2 };
+    CHANNEL_SECONDARY = { taskLabel: TASK_LABEL_2, tmuxSession: TMUX_SESSION_2, sessionDir: SESSION_DIR_22 };
   }
 });
 
@@ -3702,7 +4016,7 @@ async function fetchPrimers() {
 }
 async function getPrimer(role) {
   const prompts = await fetchPrimers();
-  const primer = role === "grade-edit" ? prompts.grader_primer_edit : role === "grade-plan" ? prompts.grader_primer_plan : prompts.grader_primer_bash;
+  const primer = role === "grade-edit" ? prompts.grader_primer_edit : role === "grade-plan" ? prompts.grader_primer_plan : role === "grade-cwe" ? prompts.grader_primer_cwe : prompts.grader_primer_bash;
   if (!primer) {
     throw new Error(`No primer for role "${role}" returned from API.`);
   }
@@ -3868,12 +4182,13 @@ async function submitToChannel(role, payload, opts = {}) {
   const content = await buildChannelContent(role, payload);
   const body = JSON.stringify({ role, content });
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const port = opts.port ?? CHANNEL_PORT;
   const startedAt = Date.now();
   try {
     const result = await new Promise((resolve2, reject) => {
       const req = httpRequest({
         host: CHANNEL_HOST,
-        port: CHANNEL_PORT,
+        port,
         method: "POST",
         path: "/submit",
         headers: {
@@ -3921,9 +4236,9 @@ async function submitToChannel(role, payload, opts = {}) {
     throw err;
   }
 }
-function isChannelAvailable(timeoutMs = 500) {
+function isChannelAvailable(port = CHANNEL_PORT, timeoutMs = 500) {
   return new Promise((resolve2) => {
-    const sock = connect2(CHANNEL_PORT, CHANNEL_HOST);
+    const sock = connect2(port, CHANNEL_HOST);
     const done = (ok) => {
       try {
         sock.destroy();
@@ -4012,10 +4327,12 @@ function writeHookScripts() {
   const editCaptureScriptPath = join11(HOOKS_DIR, "cc-edit-capture.sh");
   const editPrecheckScriptPath = join11(HOOKS_DIR, "cc-edit-precheck.sh");
   const cveScanScriptPath = join11(HOOKS_DIR, "cc-cve-scan.sh");
+  const cweScanScriptPath = join11(HOOKS_DIR, "cc-cwe-scan.sh");
   const planJudgeScriptPath = join11(HOOKS_DIR, "cc-plan-judge.sh");
   const stopSummaryScriptPath = join11(HOOKS_DIR, "cc-stop-summary.sh");
   const sessionStartScriptPath = join11(HOOKS_DIR, "cc-session-start.sh");
   const transcriptSyncScriptPath = join11(HOOKS_DIR, "cc-transcript-sync.sh");
+  const userPromptSubmitScriptPath = join11(HOOKS_DIR, "cc-user-prompt-submit.sh");
   const commonScriptPath = join11(HOOKS_DIR, "_synkro-common.sh");
   const cursorBashJudgePath = join11(HOOKS_DIR, "cursor-bash-judge.sh");
   const cursorEditPrecheckPath = join11(HOOKS_DIR, "cursor-edit-precheck.sh");
@@ -4026,10 +4343,12 @@ function writeHookScripts() {
   writeFileSync7(editCaptureScriptPath, CC_EDIT_CAPTURE_SCRIPT, "utf-8");
   writeFileSync7(editPrecheckScriptPath, CC_EDIT_PRECHECK_SCRIPT, "utf-8");
   writeFileSync7(cveScanScriptPath, CC_CVE_SCAN_SCRIPT, "utf-8");
+  writeFileSync7(cweScanScriptPath, CC_CWE_SCAN_SCRIPT, "utf-8");
   writeFileSync7(planJudgeScriptPath, CC_PLAN_JUDGE_SCRIPT, "utf-8");
   writeFileSync7(stopSummaryScriptPath, CC_STOP_SUMMARY_SCRIPT, "utf-8");
   writeFileSync7(sessionStartScriptPath, CC_SESSION_START_SCRIPT, "utf-8");
   writeFileSync7(transcriptSyncScriptPath, CC_TRANSCRIPT_SYNC_SCRIPT, "utf-8");
+  writeFileSync7(userPromptSubmitScriptPath, CC_USER_PROMPT_SUBMIT_SCRIPT, "utf-8");
   writeFileSync7(commonScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_SCRIPT, "utf-8");
   writeFileSync7(cursorEditPrecheckPath, CURSOR_EDIT_PRECHECK_SCRIPT, "utf-8");
@@ -4040,10 +4359,12 @@ function writeHookScripts() {
   chmodSync2(editCaptureScriptPath, 493);
   chmodSync2(editPrecheckScriptPath, 493);
   chmodSync2(cveScanScriptPath, 493);
+  chmodSync2(cweScanScriptPath, 493);
   chmodSync2(planJudgeScriptPath, 493);
   chmodSync2(stopSummaryScriptPath, 493);
   chmodSync2(sessionStartScriptPath, 493);
   chmodSync2(transcriptSyncScriptPath, 493);
+  chmodSync2(userPromptSubmitScriptPath, 493);
   chmodSync2(commonScriptPath, 493);
   chmodSync2(cursorBashJudgePath, 493);
   chmodSync2(cursorEditPrecheckPath, 493);
@@ -4055,10 +4376,12 @@ function writeHookScripts() {
     editCaptureScript: editCaptureScriptPath,
     editPrecheckScript: editPrecheckScriptPath,
     cveScanScript: cveScanScriptPath,
+    cweScanScript: cweScanScriptPath,
     planJudgeScript: planJudgeScriptPath,
     stopSummaryScript: stopSummaryScriptPath,
     sessionStartScript: sessionStartScriptPath,
     transcriptSyncScript: transcriptSyncScriptPath,
+    userPromptSubmitScript: userPromptSubmitScriptPath,
     cursorBashJudgeScript: cursorBashJudgePath,
     cursorEditPrecheckScript: cursorEditPrecheckPath,
     cursorEditCaptureScript: cursorEditCapturePath,
@@ -4094,7 +4417,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.42")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.45")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -4288,6 +4611,11 @@ async function installCommand(opts = {}) {
           const ready = await waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST);
           if (ready) console.log(`  channel ready at ${CHANNEL_HOST}:${CHANNEL_PORT}`);
           else console.warn("  \u26A0 channel did not come up within 60s \u2014 check `synkro local-cc logs`");
+          const t2 = ensureRunning({ channel: CHANNEL_SECONDARY });
+          console.log(`  CWE channel: id=${t2.id} status=${t2.status}`);
+          const ready2 = await waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession);
+          if (ready2) console.log(`  CWE channel ready at ${CHANNEL_HOST}:${CHANNEL_2_PORT}`);
+          else console.warn("  \u26A0 CWE channel did not come up within 60s");
           updateLocalInferenceFlag(true);
         } catch (err) {
           console.warn(`  \u26A0 Local-CC setup skipped: ${err.message}`);
@@ -4398,10 +4726,12 @@ async function installCommand(opts = {}) {
         editCaptureScriptPath: scripts.editCaptureScript,
         editPrecheckScriptPath: scripts.editPrecheckScript,
         cveScanScriptPath: scripts.cveScanScript,
+        cweScanScriptPath: scripts.cweScanScript,
         planJudgeScriptPath: scripts.planJudgeScript,
         stopSummaryScriptPath: scripts.stopSummaryScript,
         sessionStartScriptPath: scripts.sessionStartScript,
         transcriptSyncScriptPath: scripts.transcriptSyncScript,
+        userPromptSubmitScriptPath: scripts.userPromptSubmitScript,
         skipTranscriptSync: !transcriptConsent
       });
       console.log(`Configured ${agent.name} hooks at ${agent.settingsPath}`);
@@ -4542,6 +4872,24 @@ async function installCommand(opts = {}) {
         } catch {
         }
         console.warn(`    Run \`synkro local-cc status\` and \`synkro local-cc logs --tmux\` to debug.
+`);
+      }
+      const t2 = ensureRunning({ channel: CHANNEL_SECONDARY });
+      console.log(`Local-CC CWE channel: id=${t2.id} status=${t2.status}`);
+      console.log("Waiting for CWE channel (up to 60s)...");
+      const ready2 = await waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession);
+      if (ready2) {
+        console.log(`  CWE channel ready at ${CHANNEL_HOST}:${CHANNEL_2_PORT}`);
+        try {
+          console.log("  warming up CWE inference...");
+          await submitToChannel("grade-cwe", 'File: /tmp/warmup.ts\nContent (first 4000 chars):\nconsole.log("hello");\n\nCWE rules to check against:\n[]\n', { timeoutMs: 3e4, port: CHANNEL_2_PORT });
+          console.log("  CWE inference warm\n");
+        } catch {
+          console.log("  CWE warmup skipped (non-fatal)\n");
+        }
+      } else {
+        console.warn(`  \u26A0 CWE channel did not come up within 60s.`);
+        console.warn(`    Run \`synkro local-cc status\` to debug.
 `);
       }
     } catch (err) {
@@ -6173,17 +6521,26 @@ async function cmdStatus() {
     console.log(`Pueue: NOT AVAILABLE (${err.message})`);
     return;
   }
-  const t = findTask();
+  const t = findTask(CHANNEL_PRIMARY);
   if (!t) {
-    console.log("Pueue task: not present");
+    console.log("Channel 1 (judge) pueue task: not present");
+  } else {
+    console.log(`Channel 1 (judge) pueue task: id=${t.id} status=${t.status}`);
+  }
+  const ch1Up = await isChannelAvailable();
+  console.log(`Channel 1 ${CHANNEL_HOST}:${CHANNEL_PORT}: ${ch1Up ? "reachable" : "unreachable"}`);
+  const tmux1 = spawnSync3("tmux", ["has-session", "-t", TMUX_SESSION_NAME], { encoding: "utf-8" });
+  console.log(`tmux '${TMUX_SESSION_NAME}': ${tmux1.status === 0 ? "live" : "absent"}`);
+  const t2 = findTask(CHANNEL_SECONDARY);
+  if (!t2) {
+    console.log("Channel 2 (CWE) pueue task: not present");
   } else {
-    console.log(`Pueue task: id=${t.id} status=${t.status} cwd=${t.cwd}`);
-    console.log(`  command: ${t.command}`);
+    console.log(`Channel 2 (CWE) pueue task: id=${t2.id} status=${t2.status}`);
   }
-  const channelUp = await isChannelAvailable();
-  console.log(`Channel ${CHANNEL_HOST}:${CHANNEL_PORT}: ${channelUp ? "reachable" : "unreachable"}`);
-  const tmuxCheck = spawnSync3("tmux", ["has-session", "-t", TMUX_SESSION_NAME], { encoding: "utf-8" });
-  console.log(`tmux session '${TMUX_SESSION_NAME}': ${tmuxCheck.status === 0 ? "live" : "absent"}`);
+  const ch2Up = await isChannelAvailable(CHANNEL_2_PORT);
+  console.log(`Channel 2 ${CHANNEL_HOST}:${CHANNEL_2_PORT}: ${ch2Up ? "reachable" : "unreachable"}`);
+  const tmux2 = spawnSync3("tmux", ["has-session", "-t", TMUX_SESSION_NAME_2], { encoding: "utf-8" });
+  console.log(`tmux '${TMUX_SESSION_NAME_2}': ${tmux2.status === 0 ? "live" : "absent"}`);
 }
 async function cmdEnable() {
   assertClaudeInstalled();
@@ -6193,13 +6550,21 @@ async function cmdEnable() {
   const r = installLocalCC();
   console.log(`  plugin: ${r.pluginPath}`);
   console.log(`  cwd:    ${r.sessionDir}`);
-  console.log("Starting pueue task...");
-  const t = ensureRunning();
-  console.log(`  task: id=${t.id} status=${t.status}`);
-  console.log("Waiting for channel (auto-confirming any CC prompts)...");
-  const ready = await waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST);
-  if (ready) console.log(`  channel ready at ${CHANNEL_HOST}:${CHANNEL_PORT}`);
-  else console.warn(`  \u26A0 channel did not come up within 60s \u2014 check \`synkro local-cc logs\``);
+  console.log("Starting channel 1 (judge)...");
+  const t1 = ensureRunning({ channel: CHANNEL_PRIMARY });
+  console.log(`  task: id=${t1.id} status=${t1.status}`);
+  console.log("Starting channel 2 (CWE)...");
+  const t2 = ensureRunning({ channel: CHANNEL_SECONDARY });
+  console.log(`  task: id=${t2.id} status=${t2.status}`);
+  console.log("Waiting for channels (auto-confirming any CC prompts)...");
+  const [ready1, ready2] = await Promise.all([
+    waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST, CHANNEL_PRIMARY.tmuxSession),
+    waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession)
+  ]);
+  if (ready1) console.log(`  channel 1 ready at ${CHANNEL_HOST}:${CHANNEL_PORT}`);
+  else console.warn(`  \u26A0 channel 1 did not come up within 60s \u2014 check \`synkro local-cc logs\``);
+  if (ready2) console.log(`  channel 2 ready at ${CHANNEL_HOST}:${CHANNEL_2_PORT}`);
+  else console.warn(`  \u26A0 channel 2 (CWE) did not come up within 60s`);
   console.log("Updating inference settings...");
   await setServerGradingProvider("claude-code");
   updateLocalInferenceFlag2(true);
@@ -6211,25 +6576,58 @@ async function cmdDisable() {
   updateLocalInferenceFlag2(false);
   console.log("Grading provider cleared (remote inference restored). Pueue task left running \u2014 use `synkro local-cc stop` to terminate.");
 }
+async function warmChannels(ready1, ready2) {
+  const warmups = [];
+  if (ready1) {
+    warmups.push(
+      submitToChannel("grade-bash", "Proposed command: echo hello\nUser intent: warmup\nRecent user messages: []\nRecent actions: []\nOrg rules: []\n", { timeoutMs: 3e4 }).then(() => console.log("  channel 1 warm.")).catch(() => console.log("  channel 1 warmup skipped (non-fatal)."))
+    );
+  }
+  if (ready2) {
+    warmups.push(
+      submitToChannel("grade-cwe", 'File: /tmp/warmup.ts\nContent (first 4000 chars):\nconsole.log("hello");\n\nCWE rules to check against:\n[]\n', { timeoutMs: 3e4, port: CHANNEL_2_PORT }).then(() => console.log("  channel 2 warm.")).catch(() => console.log("  channel 2 warmup skipped (non-fatal)."))
+    );
+  }
+  if (warmups.length) {
+    console.log("Warming up inference...");
+    await Promise.all(warmups);
+  }
+}
 async function cmdStart() {
   assertClaudeInstalled();
   assertPueueInstalled();
   assertTmuxInstalled();
-  const t = ensureRunning();
-  console.log(`Pueue task: id=${t.id} status=${t.status}`);
-  const ready = await waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST);
-  console.log(ready ? "channel ready." : "\u26A0 channel did not come up within 60s.");
+  const t1 = ensureRunning({ channel: CHANNEL_PRIMARY });
+  console.log(`Channel 1 (judge): id=${t1.id} status=${t1.status}`);
+  const t2 = ensureRunning({ channel: CHANNEL_SECONDARY });
+  console.log(`Channel 2 (CWE):   id=${t2.id} status=${t2.status}`);
+  const [ready1, ready2] = await Promise.all([
+    waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST, CHANNEL_PRIMARY.tmuxSession),
+    waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession)
+  ]);
+  console.log(ready1 ? `channel 1 ready (${CHANNEL_PORT}).` : "\u26A0 channel 1 did not come up within 60s.");
+  console.log(ready2 ? `channel 2 ready (${CHANNEL_2_PORT}).` : "\u26A0 channel 2 (CWE) did not come up within 60s.");
+  await warmChannels(ready1, ready2);
 }
 function cmdStop() {
-  stopTask();
-  console.log("Pueue task stopped.");
+  stopTask(CHANNEL_PRIMARY);
+  stopTask(CHANNEL_SECONDARY);
+  console.log("Both channels stopped.");
 }
 async function cmdRestart() {
-  stopTask();
-  const t = startTask();
-  console.log(`Pueue task restarted: id=${t.id} status=${t.status}`);
-  const ready = await waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST);
-  console.log(ready ? "channel ready." : "\u26A0 channel did not come up within 60s.");
+  stopTask(CHANNEL_PRIMARY);
+  stopTask(CHANNEL_SECONDARY);
+  const t1 = startTask({ channel: CHANNEL_PRIMARY });
+  const t2 = startTask({ channel: CHANNEL_SECONDARY });
+  console.log(`Channel 1 restarted: id=${t1.id} status=${t1.status}`);
+  console.log(`Channel 2 restarted: id=${t2.id} status=${t2.status}`);
+  const [ready1, ready2] = await Promise.all([
+    waitForChannelReady(CHANNEL_PORT, 6e4, CHANNEL_HOST, CHANNEL_PRIMARY.tmuxSession),
+    waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession)
+  ]);
+  console.log(ready1 ? `channel 1 ready (${CHANNEL_PORT}).` : "\u26A0 channel 1 did not come up within 60s.");
+  console.log(ready2 ? `channel 2 ready (${CHANNEL_2_PORT}).` : "\u26A0 channel 2 (CWE) did not come up within 60s.");
+  await warmChannels(ready1, ready2);
 }
 function relativeTime(iso) {
   const ts = new Date(iso).getTime();
@@ -6445,8 +6843,9 @@ async function gradeCommand(args2) {
   if (mode === "edit") role = "grade-edit";
   else if (mode === "bash") role = "grade-bash";
   else if (mode === "plan") role = "grade-plan";
+  else if (mode === "cwe") role = "grade-cwe";
   else {
-    console.error("Usage: synkro grade <edit|bash|plan>");
+    console.error("Usage: synkro grade <edit|bash|plan|cwe>");
     process.exit(2);
   }
   const payload = await readStdin();