@synkro-sh/cli 1.4.54 → 1.4.56

package/dist/bootstrap.js

@@ -1617,6 +1617,8 @@ async function main() {
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
     if (!filePath) { outputEmpty(); return; }
 
+    if (filePath.includes('/.synkro/hooks/')) { outputEmpty(); return; }
+
     const fileShort = basename(filePath);
     log('editGuard checking: ' + fileShort);
 
@@ -1699,7 +1701,7 @@ async function main() {
             });
           outputJson({
             systemMessage: tagStr + ' editGuard ' + fileShort + ' \\u2192 blocked: ' + guardReason,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: denyReason },
+            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: denyReason, additionalContext: denyReason },
           });
           return;
         }
@@ -1821,6 +1823,8 @@ async function main() {
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
     if (!filePath) { outputEmpty(); return; }
 
+    if (filePath.includes('/.synkro/hooks/')) { outputEmpty(); return; }
+
     const fileShort = basename(filePath);
     const fileExt = extname(filePath); // e.g. ".ts"
 
@@ -1896,7 +1900,7 @@ async function main() {
 
         outputJson({
           systemMessage: cweMsg,
-          hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: ctx },
+          hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
         });
         return;
       }
@@ -1955,6 +1959,8 @@ async function main() {
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
     if (!filePath) { outputEmpty(); return; }
 
+    if (filePath.includes('/.synkro/hooks/')) { outputEmpty(); return; }
+
     const fileShort = basename(filePath);
 
     let jwt = loadJwt();
@@ -2024,7 +2030,7 @@ async function main() {
 
       outputJson({
         systemMessage: cveMsg,
-        hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: ctx },
+        hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
       });
       return;
     }
@@ -2083,6 +2089,60 @@ async function main() {
     if (!jwt) { outputEmpty(); return; }
     jwt = await ensureFreshJwt(jwt);
 
+    // \u2500\u2500\u2500 CVE scan for package install commands \u2500\u2500\u2500
+    if (toolName === 'Bash') {
+      const pkgInstallMatch = command.match(
+        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|pip\\s+install|pip3\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
+      );
+      if (pkgInstallMatch) {
+        const rawArgs = pkgInstallMatch[1];
+        const deps: Record<string, string> = {};
+        const tokens = rawArgs.split(/\\s+/);
+        for (const token of tokens) {
+          if (token.startsWith('-')) continue;
+          const atIdx = token.lastIndexOf('@');
+          if (atIdx > 0) {
+            deps[token.slice(0, atIdx)] = token.slice(atIdx + 1);
+          } else {
+            deps[token] = '*';
+          }
+        }
+        if (Object.keys(deps).length > 0) {
+          try {
+            const cveBody = { file_path: 'package.json', content: JSON.stringify({ dependencies: deps }), dependencies: deps };
+            const cveResp = await fetch(GATEWAY_URL + '/api/v1/cve-scan', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+              body: JSON.stringify(cveBody),
+              signal: AbortSignal.timeout(8000),
+            }).then(r => r.json()) as any;
+
+            const findings = Array.isArray(cveResp?.findings) ? cveResp.findings : [];
+            if (findings.length > 0) {
+              const top3 = findings.slice(0, 3).map((f: any) => {
+                const id = f.cve || f.id || '?';
+                const pkg = f.package || '?';
+                const ver = f.version || '?';
+                const title = f.title || f.summary || 'vulnerable';
+                return '[' + id + '] ' + pkg + '@' + ver + ': ' + title;
+              }).join('; ');
+              const count = findings.length;
+              const label = count === 1 ? 'advisory' : 'advisories';
+              const cveMsg = '[synkro:cveScan] ' + cmdShort + ' \\u2192 ' + count + ' ' + label;
+              const ctx = 'CVE: ' + top3 + '\\nDo NOT install packages with known vulnerabilities. Use a patched version or a different package.';
+              outputJson({
+                systemMessage: cveMsg,
+                hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
+              });
+              return;
+            }
+          } catch (e) {
+            log('bashGuard CVE check failed: ' + String(e));
+          }
+        }
+      }
+    }
+
     const transcript = extractTranscript(transcriptPath);
     const lastPrompt = readLastPrompt();
 
@@ -5045,7 +5105,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.54")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.56")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);