@synkro-sh/cli 1.4.59 → 1.4.60

package/dist/bootstrap.js

@@ -834,10 +834,11 @@ var init_hookScriptsTs = __esm({
     "use strict";
     SYNKRO_COMMON_TS = `
 // Shared Synkro hook utilities \u2014 imported by all hook scripts.
-import { readFileSync, writeFileSync, appendFileSync, mkdirSync, rmdirSync, existsSync, renameSync } from 'node:fs';
-import { join, dirname, basename, extname } from 'node:path';
+import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, renameSync, openSync, closeSync, unlinkSync } from 'node:fs';
+import { join, dirname, basename, extname, resolve as resolvePath } from 'node:path';
 import { homedir } from 'node:os';
 import { execSync, spawn } from 'node:child_process';
+import { constants as FS_CONSTANTS } from 'node:fs';
 
 // \u2500\u2500\u2500 Config \u2500\u2500\u2500
 
@@ -868,6 +869,15 @@ export const GATEWAY_URL = process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro
 export const CREDS_PATH = process.env.SYNKRO_CREDENTIALS_PATH || join(HOME, '.synkro', 'credentials.json');
 const LAST_PROMPT_FILE = join(HOME, '.synkro', '.last-prompt');
 
+// \u2500\u2500\u2500 Path Validation \u2500\u2500\u2500
+
+export function isPathUnder(filePath: string, cwd: string): boolean {
+  if (!filePath || !cwd) return false;
+  const resolved = resolvePath(filePath);
+  const base = resolvePath(cwd);
+  return resolved.startsWith(base + '/') || resolved === base;
+}
+
 // \u2500\u2500\u2500 Logging \u2500\u2500\u2500
 
 export function log(msg: string): void {
@@ -936,24 +946,22 @@ export async function ensureFreshJwt(jwt: string): Promise<string> {
   const now = Math.floor(Date.now() / 1000);
   if (exp - now >= 60) return jwt;
 
-  const lockdir = CREDS_PATH + '.lockdir';
-  let acquired = false;
+  const lockfile = CREDS_PATH + '.lock';
+  let fd = -1;
   try {
-    mkdirSync(lockdir);
-    acquired = true;
+    fd = openSync(lockfile, FS_CONSTANTS.O_WRONLY | FS_CONSTANTS.O_CREAT | FS_CONSTANTS.O_EXCL, 0o644);
   } catch {
-    // Another process is refreshing \u2014 wait and re-read
-    for (let i = 0; i < 5; i++) {
-      await new Promise(r => setTimeout(r, 500));
-      if (!existsSync(lockdir)) break;
+    // Another process holds the lock \u2014 wait for it to finish and re-read
+    for (let i = 0; i < 10; i++) {
+      await new Promise(r => setTimeout(r, 300));
+      if (!existsSync(lockfile)) break;
     }
-    // Re-read creds
     const fresh = loadJwt();
     return fresh || jwt;
   }
 
   try {
-    // Re-check \u2014 another hook may have just refreshed
+    // Re-check \u2014 another hook may have just refreshed while we waited
     const freshJwt = loadJwt();
     if (freshJwt) {
       const freshExp = decodeJwtExp(freshJwt);
@@ -961,9 +969,8 @@ export async function ensureFreshJwt(jwt: string): Promise<string> {
     }
     return await refreshJwt(jwt);
   } finally {
-    if (acquired) {
-      try { rmdirSync(lockdir); } catch {}
-    }
+    try { closeSync(fd); } catch {}
+    try { unlinkSync(lockfile); } catch {}
   }
 }
 
@@ -1014,7 +1021,7 @@ export interface HookConfig {
   silent: boolean;
   policyName: string;
   rules: Rule[];
-  scanExemptions: string[];
+  scanExemptions: Array<{ path: string; cwe_id: string }>;
 }
 
 export async function loadConfig(jwt: string, query?: string): Promise<HookConfig> {
@@ -1038,7 +1045,9 @@ export async function loadConfig(jwt: string, query?: string): Promise<HookConfi
     config.silent = data.silent_mode === true || data.silent_mode === 'true';
     config.policyName = data.active_policy_name || '';
     if (Array.isArray(data.scan_exemptions)) {
-      config.scanExemptions = data.scan_exemptions.filter((s: any) => typeof s === 'string');
+      config.scanExemptions = data.scan_exemptions
+        .filter((e: any) => e && typeof e.path === 'string')
+        .map((e: any) => ({ path: e.path, cwe_id: e.cwe_id || '' }));
     }
     if (Array.isArray(data.rules)) {
       config.rules = data.rules
@@ -1283,14 +1292,15 @@ export function ruleMode(ruleId: string, rules: Rule[]): 'blocking' | 'audit' {
 
 // \u2500\u2500\u2500 Content Reconstruction \u2500\u2500\u2500
 
-export function reconstructContent(toolName: string, toolInput: any, filePath: string): string {
+export function reconstructContent(toolName: string, toolInput: any, filePath: string, cwd?: string): string {
+  const canRead = filePath && (!cwd || isPathUnder(filePath, cwd));
   switch (toolName) {
     case 'Write':
       return toolInput.content || '';
     case 'Edit': {
       let content = '';
       try {
-        if (filePath && existsSync(filePath)) {
+        if (canRead && existsSync(filePath)) {
           content = readFileSync(filePath, 'utf-8').slice(0, 65536);
         }
       } catch {}
@@ -1304,7 +1314,7 @@ export function reconstructContent(toolName: string, toolInput: any, filePath: s
     case 'MultiEdit': {
       let content = '';
       try {
-        if (filePath && existsSync(filePath)) {
+        if (canRead && existsSync(filePath)) {
           content = readFileSync(filePath, 'utf-8').slice(0, 65536);
         }
       } catch {}
@@ -1589,7 +1599,7 @@ export function outputEmpty(): void {
     EDIT_PRECHECK_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, reconstructContent, postWithRetry,
+  parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, log,
   outputJson, outputEmpty, GATEWAY_URL,
   type HookConfig, type Rule,
@@ -1631,7 +1641,7 @@ async function main() {
     jwt = await ensureFreshJwt(jwt);
 
     // Reconstruct proposed content
-    const proposed = reconstructContent(toolName, toolInput, filePath);
+    const proposed = reconstructContent(toolName, toolInput, filePath, cwd);
     if (!proposed) { outputEmpty(); return; }
 
     // Build diff field
@@ -1645,7 +1655,7 @@ async function main() {
 
     // Read file before edit for cloud payload
     let fileBefore = '';
-    if (toolName !== 'Write' && filePath && existsSync(filePath)) {
+    if (toolName !== 'Write' && filePath && isPathUnder(filePath, cwd || '.') && existsSync(filePath)) {
       try { fileBefore = readFileSync(filePath, 'utf-8').slice(0, 65536); } catch {}
     }
 
@@ -1835,17 +1845,19 @@ async function main() {
     jwt = await ensureFreshJwt(jwt);
 
     // Reconstruct proposed content
-    const proposed = reconstructContent(toolName, toolInput, filePath);
+    const proposed = reconstructContent(toolName, toolInput, filePath, cwd);
     if (!proposed) { outputEmpty(); return; }
 
     const config = await loadConfig(jwt);
     const rt = await cweRoute(config);
 
-    // Check scan exemptions from server
-    if (config.scanExemptions.length > 0 && config.scanExemptions.some(ex => filePath.includes(ex))) {
-      outputEmpty(); return;
+    // Build set of exempted CWE IDs for this file path
+    const exemptedCwes = new Set<string>();
+    for (const ex of config.scanExemptions) {
+      if (ex.cwe_id && filePath.includes(ex.path)) {
+        exemptedCwes.add(ex.cwe_id.toUpperCase());
+      }
     }
-
     if (config.silent) {
       outputJson({ systemMessage: '[synkro:' + rt + ':cweScan] ' + fileShort + ' \\u2192 skipped (silent mode)' });
       return;
@@ -1891,15 +1903,23 @@ async function main() {
       const verdict = parseVerdict(gradeResp);
 
       if (!verdict.ok) {
-        // Extract all CWE rule_ids from the raw response
         const ruleIdMatches = gradeResp.match(/<rule_id>([^<]+)<\\/rule_id>/g) || [];
         const cweIds: string[] = [];
         for (const match of ruleIdMatches.slice(0, 5)) {
           const id = match.replace(/<\\/?rule_id>/g, '').trim().replace(/^cwe-/, 'CWE-');
           if (id && !cweIds.includes(id)) cweIds.push(id);
         }
-        const displayIds = cweIds.slice(0, 3).join(', ');
-        const count = cweIds.length;
+
+        // Filter out exempted CWEs for this file
+        const activeCweIds = cweIds.filter(id => !exemptedCwes.has(id.toUpperCase()));
+
+        if (activeCweIds.length === 0) {
+          outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \\u2192 clean (exempted: ' + cweIds.join(', ') + ')' });
+          return;
+        }
+
+        const displayIds = activeCweIds.slice(0, 3).join(', ');
+        const count = activeCweIds.length;
         const label = count === 1 ? 'match' : 'matches';
         const cweMsg = cweTag + ' ' + fileShort + ' \\u2192 ' + count + ' CWE ' + label + ' (' + displayIds + ')';
         const denyDetail = '[' + displayIds + '] ' + (verdict.reason || 'code weakness detected');
@@ -1985,7 +2005,7 @@ async function main() {
     const cveTag = '[synkro:' + rt + ':cveScan]';
 
     // Reconstruct proposed content
-    const proposed = reconstructContent(toolName, toolInput, filePath);
+    const proposed = reconstructContent(toolName, toolInput, filePath, cwd);
     if (!proposed) {
       outputJson({ systemMessage: cveTag + ' ' + fileShort + ' \\u2192 skip (no content)' });
       return;
@@ -2420,7 +2440,7 @@ main();
     STOP_SUMMARY_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, appendLocalTelemetry, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -2459,6 +2479,7 @@ async function main() {
           ...(gitRepo ? { repo: gitRepo } : {}),
           ...(sessionId ? { session_id: sessionId } : {}),
         };
+        appendLocalTelemetry(usageBody);
         fetch(GATEWAY_URL + '/api/v1/hook/capture', {
           method: 'POST',
           headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -2570,7 +2591,7 @@ main();
     BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
 import {
   loadJwt, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
-  outputEmpty, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -2611,6 +2632,8 @@ async function main() {
       command_hash: cmdHash,
     };
 
+    appendLocalTelemetry(body);
+
     fetch(GATEWAY_URL + '/api/v1/hook/capture', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -2628,7 +2651,7 @@ main();
 `;
     TRANSCRIPT_SYNC_TS = `#!/usr/bin/env bun
 import {
-  loadJwt, detectRepo, readStdin, aggregateUsage,
+  loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
   outputEmpty, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
@@ -2671,6 +2694,7 @@ async function main() {
         },
         session_id: sessionId,
       };
+      appendLocalTelemetry(usageBody);
       fetch(GATEWAY_URL + '/api/v1/hook/capture', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -5113,7 +5137,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.59")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.60")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);