@synkro-sh/cli 1.4.62 → 1.4.64

package/dist/bootstrap.js

@@ -837,7 +837,7 @@ var init_hookScriptsTs = __esm({
 import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, renameSync, openSync, closeSync, unlinkSync } from 'node:fs';
 import { join, dirname, basename, extname, resolve as resolvePath } from 'node:path';
 import { homedir } from 'node:os';
-import { execSync, spawn } from 'node:child_process';
+import { execSync } from 'node:child_process';
 import { constants as FS_CONSTANTS } from 'node:fs';
 
 // \u2500\u2500\u2500 Config \u2500\u2500\u2500
@@ -1116,56 +1116,79 @@ export function tag(rt: string, config: HookConfig): string {
   return '[synkro:' + rt + ':' + rs + ']';
 }
 
-// \u2500\u2500\u2500 Local Grading \u2500\u2500\u2500
+// \u2500\u2500\u2500 Local Grading (direct channel call) \u2500\u2500\u2500
 
-function spawnGrade(surface: string, prompt: string, envOverride?: Record<string, string>, timeoutMs = 22000): Promise<string> {
-  return new Promise((resolve, reject) => {
-    const cliBin = process.env.SYNKRO_CLI_BIN;
-    let cmd: string;
-    let args: string[];
+type GradeRole = 'grade-edit' | 'grade-bash' | 'grade-plan' | 'grade-cwe';
 
-    if (cliBin && existsSync(cliBin)) {
-      // Use the CLI binary directly with bun/node
-      cmd = 'node';
-      args = [cliBin, 'grade', surface];
-    } else {
-      cmd = 'synkro';
-      args = ['grade', surface];
-    }
+const ROLE_MAP: Record<string, GradeRole> = {
+  edit: 'grade-edit', bash: 'grade-bash', plan: 'grade-plan', cwe: 'grade-cwe',
+};
 
-    const child = spawn(cmd, args, {
-      stdio: ['pipe', 'pipe', 'pipe'],
-      env: { ...process.env, ...envOverride },
-    });
+const PRIMER_KEY: Record<GradeRole, string> = {
+  'grade-edit': 'grader_primer_edit',
+  'grade-bash': 'grader_primer_bash',
+  'grade-plan': 'grader_primer_plan',
+  'grade-cwe': 'grader_primer_cwe',
+};
 
-    let stdout = '';
-    let stderr = '';
-    child.stdout.on('data', (d: Buffer) => { stdout += d.toString(); });
-    child.stderr.on('data', (d: Buffer) => { stderr += d.toString(); });
-    child.stdin.write(prompt);
-    child.stdin.end();
-
-    const timer = setTimeout(() => {
-      child.kill();
-      reject(new Error('SYNKRO_GRADE_TIMEOUT'));
-    }, timeoutMs);
-
-    child.on('close', (code: number | null) => {
-      clearTimeout(timer);
-      if (code === 0) resolve(stdout);
-      else reject(new Error(stderr || 'exit ' + code));
-    });
-    child.on('error', (err: Error) => { clearTimeout(timer); reject(err); });
+let primerCache: { data: Record<string, string>; ts: number } | null = null;
+
+async function fetchPrimer(role: GradeRole, jwt: string): Promise<string> {
+  if (primerCache && Date.now() - primerCache.ts < 60_000) {
+    const cached = primerCache.data[PRIMER_KEY[role]];
+    if (cached) return cached;
+  }
+  const resp = await fetch(GATEWAY_URL + '/api/v1/cli/judge-prompts', {
+    headers: { Authorization: 'Bearer ' + jwt },
+    signal: AbortSignal.timeout(4000),
+  });
+  if (!resp.ok) throw new Error('primer fetch failed: ' + resp.status);
+  const data = await resp.json() as Record<string, string>;
+  primerCache = { data, ts: Date.now() };
+  return data[PRIMER_KEY[role]] || '';
+}
+
+const CHANNEL_REPLY_INSTRUCTIONS = \`
+DELIVERY METHOD \u2014 MANDATORY, OVERRIDES ALL OTHER OUTPUT RULES:
+You are running inside a Synkro MCP channel. Do NOT output your verdict as text.
+Instead, after generating your verdict, call the reply tool EXACTLY ONCE with:
+  - req_id: the req_id from this channel event's meta
+  - result: your complete verdict block as a string (the <synkro-verdict>\u2026</synkro-verdict> XML)
+Any text output is silently discarded. Only the reply tool call is captured.\`;
+
+async function channelGrade(role: GradeRole, prompt: string, jwt: string, port: number, timeoutMs = 20000): Promise<string> {
+  const primer = await fetchPrimer(role, jwt);
+  const content = primer + '\\n\\n' + CHANNEL_REPLY_INSTRUCTIONS + '\\n\\n---\\nPAYLOAD (the input to evaluate):\\n\\n' + prompt;
+  const body = JSON.stringify({ role, content });
+
+  const resp = await fetch('http://127.0.0.1:' + port + '/submit', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body,
+    signal: AbortSignal.timeout(timeoutMs),
   });
+
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => '');
+    throw new Error('channel ' + resp.status + ': ' + text.slice(0, 200));
+  }
+
+  const data = await resp.json() as { result?: string; error?: string };
+  if (data.error) throw new Error(data.error);
+  return String(data.result || '');
 }
 
 export async function localGrade(surface: string, prompt: string): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
-  return spawnGrade(surface, prompt);
+  const jwt = loadJwt();
+  if (!jwt) throw new Error('NO_JWT');
+  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929);
 }
 
 export async function localGradeCwe(prompt: string): Promise<string> {
-  return spawnGrade('cwe', prompt, { SYNKRO_CHANNEL_PORT: '8930' }, 22000);
+  const jwt = loadJwt();
+  if (!jwt) throw new Error('NO_JWT');
+  return channelGrade('grade-cwe', prompt, jwt, 8930, 20000);
 }
 
 // \u2500\u2500\u2500 Verdict Parsing \u2500\u2500\u2500
@@ -1335,7 +1358,7 @@ export function ruleMode(ruleId: string, rules: Rule[]): 'blocking' | 'audit' {
 // \u2500\u2500\u2500 Content Reconstruction \u2500\u2500\u2500
 
 export function reconstructContent(toolName: string, toolInput: any, filePath: string, cwd?: string): string {
-  const canRead = filePath && (!cwd || isPathUnder(filePath, cwd));
+  const canRead = filePath && cwd && isPathUnder(filePath, cwd);
   switch (toolName) {
     case 'Write':
       return toolInput.content || '';
@@ -1628,6 +1651,66 @@ export function aggregateUsage(transcriptPath: string): { model: string; totals:
   return result;
 }
 
+// \u2500\u2500\u2500 Scan Finding Dispatch \u2500\u2500\u2500
+
+export function dispatchFinding(
+  jwt: string,
+  finding: {
+    session_id: string;
+    file_path: string;
+    finding_type: 'cwe' | 'cve';
+    finding_id: string;
+    severity?: string;
+    status: 'open' | 'resolved' | 'exempted';
+    detail?: string;
+    description?: string;
+    package_name?: string;
+    package_version?: string;
+    fixed_version?: string;
+    aliases?: string[];
+    references?: Array<{ type: string; url: string }>;
+    cwe_name?: string;
+  },
+  captureDepth: string,
+): void {
+  const localEntry: Record<string, any> = {
+    capture_type: 'scan_finding',
+    ...finding,
+  };
+  appendLocalTelemetry(localEntry);
+
+  if (captureDepth === 'local_only') return;
+
+  const cloudBody: Record<string, any> = {
+    finding_type: finding.finding_type,
+    finding_id: finding.finding_id,
+    severity: finding.severity,
+    status: finding.status,
+    session_id: finding.session_id,
+  };
+
+  if (captureDepth === 'evidence_on_violation' || captureDepth === 'full') {
+    cloudBody.file_path = finding.file_path;
+    cloudBody.package_name = finding.package_name;
+    cloudBody.package_version = finding.package_version;
+    cloudBody.fixed_version = finding.fixed_version;
+    cloudBody.aliases = finding.aliases;
+    cloudBody.references = finding.references;
+    cloudBody.cwe_name = finding.cwe_name;
+  }
+  if (captureDepth === 'full') {
+    cloudBody.detail = finding.detail;
+    cloudBody.description = finding.description;
+  }
+
+  fetch(GATEWAY_URL + '/api/v1/hook/finding', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+    body: JSON.stringify(cloudBody),
+    signal: AbortSignal.timeout(3000),
+  }).catch(() => {});
+}
+
 // \u2500\u2500\u2500 Output Helpers \u2500\u2500\u2500
 
 export function outputJson(obj: any): void {
@@ -1853,7 +1936,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename, extname } from 'node:path';
 
@@ -1979,6 +2062,11 @@ async function main() {
           return;
         }
 
+        const cweNameMap = new Map<string, string>();
+        for (const r of cweRules) {
+          if (r.cwe && r.name) cweNameMap.set(r.cwe.toUpperCase(), r.name);
+        }
+
         const displayIds = activeCweIds.slice(0, 3).join(', ');
         const count = activeCweIds.length;
         const label = count === 1 ? 'match' : 'matches';
@@ -1986,6 +2074,19 @@ async function main() {
         const denyDetail = '[' + displayIds + '] ' + (verdict.reason || 'code weakness detected');
         const ctx = 'CWE: ' + denyDetail + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
 
+        for (const cweId of activeCweIds) {
+          dispatchFinding(jwt, {
+            session_id: sessionId,
+            file_path: filePath,
+            finding_type: 'cwe',
+            finding_id: cweId,
+            severity: verdict.severity || 'high',
+            status: 'open',
+            detail: verdict.reason || 'code weakness detected',
+            cwe_name: cweNameMap.get(cweId.toUpperCase()) || undefined,
+          }, config.captureDepth);
+        }
+
         outputJson({
           systemMessage: cweMsg,
           hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
@@ -1993,6 +2094,14 @@ async function main() {
         return;
       }
 
+      dispatchFinding(jwt, {
+        session_id: sessionId,
+        file_path: filePath,
+        finding_type: 'cwe',
+        finding_id: 'pass',
+        status: 'resolved',
+      }, config.captureDepth);
+
       outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \\u2192 clean' });
       return;
     }
@@ -2012,7 +2121,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   reconstructContent, readStdin, findNearestDeps, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename } from 'node:path';
 
@@ -2042,6 +2151,7 @@ async function main() {
     }
 
     const toolInput = payload.tool_input || {};
+    const sessionId = payload.session_id || '';
     const cwd = payload.cwd || '';
 
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
@@ -2103,15 +2213,35 @@ async function main() {
 
     const findings = Array.isArray(cveResp?.findings) ? cveResp.findings : [];
     if (findings.length > 0) {
-      const top3 = findings.slice(0, 3).map((f: any) => {
-        const id = f.cve || f.id || '?';
+      for (const f of findings.slice(0, 10)) {
+        const cveId = (f.aliases || []).find((a: string) => a.startsWith('CVE-')) || f.id || 'unknown';
+        dispatchFinding(jwt, {
+          session_id: sessionId,
+          file_path: filePath,
+          finding_type: 'cve',
+          finding_id: cveId,
+          severity: f.severity || 'high',
+          status: 'open',
+          detail: f.summary || f.title || 'vulnerable dependency',
+          description: f.details || undefined,
+          package_name: f.package || undefined,
+          package_version: f.version || undefined,
+          fixed_version: f.fixed || undefined,
+          aliases: f.aliases || undefined,
+          references: f.references || undefined,
+        }, config.captureDepth);
+      }
+
+      const formatFinding = (f: any): string => {
+        const id = (f.aliases || []).find((a: string) => a.startsWith('CVE-')) || f.id || '?';
         const pkg = f.package || '?';
         const ver = f.version || '?';
         const title = f.title || f.summary || 'vulnerable';
-        const fix = f.fixed ? ' (fix: >=' + f.fixed + ')' : ' (no safe version \u2014 use an alternative)';
+        const fix = f.fixed ? ' (fix: >=' + f.fixed + ')' : ' (no safe version)';
         return '[' + id + '] ' + pkg + '@' + ver + ': ' + title + fix;
-      }).join('; ');
+      };
 
+      const top3 = findings.slice(0, 3).map(formatFinding).join('; ');
       const count = findings.length;
       const label = count === 1 ? 'advisory' : 'advisories';
       const cveMsg = cveTag + ' ' + fileShort + ' \\u2192 ' + count + ' ' + label;
@@ -2181,14 +2311,32 @@ async function main() {
     // \u2500\u2500\u2500 CVE scan for package install commands \u2500\u2500\u2500
     if (toolName === 'Bash') {
       const pkgInstallMatch = command.match(
-        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|pip\\s+install|pip3\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
+        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|(?:uv\\s+)?pip3?\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
       );
+      const isPip = /(?:uv\\s+)?pip3?\\s+install/.test(command);
+      const isGo = command.match(/^go\\s+get/);
+      const isCargo = command.match(/^cargo\\s+add/);
+      const isGem = command.match(/^gem\\s+install/);
+      const isComposer = command.match(/^composer\\s+require/);
       if (pkgInstallMatch) {
         const rawArgs = pkgInstallMatch[1];
         const deps: Record<string, string> = {};
         const tokens = rawArgs.split(/\\s+/);
+        let skipNext = false;
         for (const token of tokens) {
-          if (token.startsWith('-')) continue;
+          if (skipNext) { skipNext = false; continue; }
+          if (token.startsWith('-')) {
+            if (/^--(python|target|prefix|root|constraint|requirement|index-url|extra-index-url|find-links|build|src|cache-dir)$/.test(token)) skipNext = true;
+            continue;
+          }
+          if (isPip) {
+            const pipMatch = token.match(/^([a-zA-Z0-9_.-]+)(?:[=~!<>]=?(.+))?$/);
+            if (pipMatch) {
+              deps[pipMatch[1]] = pipMatch[2]?.replace(/^=/, '') || '*';
+              continue;
+            }
+          }
+          // npm/yarn: pkg@1.0
           const atIdx = token.lastIndexOf('@');
           if (atIdx > 0) {
             deps[token.slice(0, atIdx)] = token.slice(atIdx + 1);
@@ -2196,9 +2344,18 @@ async function main() {
             deps[token] = '*';
           }
         }
+        const manifestFile = isPip ? 'requirements.txt'
+          : isGo ? 'go.mod'
+          : isCargo ? 'Cargo.toml'
+          : isGem ? 'Gemfile'
+          : isComposer ? 'composer.json'
+          : 'package.json';
+        const manifestContent = isPip
+          ? Object.entries(deps).map(([k, v]) => v === '*' ? k : k + '==' + v).join('\\n')
+          : JSON.stringify({ dependencies: deps });
         if (Object.keys(deps).length > 0) {
           try {
-            const cveBody = { file_path: 'package.json', content: JSON.stringify({ dependencies: deps }), dependencies: deps };
+            const cveBody = { file_path: manifestFile, content: manifestContent, dependencies: deps };
             const cveResp = await fetch(GATEWAY_URL + '/api/v1/cve-scan', {
               method: 'POST',
               headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -2524,7 +2681,7 @@ async function main() {
       const usage = aggregateUsage(transcriptPath);
       if (usage.totals.in + usage.totals.out > 0) {
         const usageBody = {
-          capture_type: 'local_verdict',
+          capture_type: 'usage_tick',
           event_id: 'usage_' + Date.now() + '_' + process.pid,
           hook_type: 'stop',
           verdict: 'allow',
@@ -2856,7 +3013,7 @@ async function main() {
 main();
 `;
     USER_PROMPT_SUBMIT_TS = `#!/usr/bin/env bun
-import { readStdin } from './_synkro-common.ts';
+import { readStdin, appendLocalTelemetry, aggregateUsage } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
@@ -2872,6 +3029,28 @@ async function main() {
       mkdirSync(dirname(promptFile), { recursive: true });
       writeFileSync(promptFile, msg, 'utf-8');
     }
+
+    const sessionId = payload.session_id || '';
+    const transcriptPath = payload.transcript_path || '';
+    if (sessionId && transcriptPath) {
+      const usage = aggregateUsage(transcriptPath);
+      if (usage.totals.in + usage.totals.out > 0) {
+        appendLocalTelemetry({
+          capture_type: 'usage_tick',
+          event_id: 'usage_' + Date.now() + '_' + process.pid,
+          hook_type: 'prompt_submit',
+          session_id: sessionId,
+          model: usage.model || 'unknown',
+          cc_model: usage.model || '',
+          cc_usage: {
+            input_tokens: usage.totals.in,
+            output_tokens: usage.totals.out,
+            cache_creation_input_tokens: usage.totals.cw,
+            cache_read_input_tokens: usage.totals.cr,
+          },
+        });
+      }
+    }
   } catch {}
 }
 
@@ -5201,7 +5380,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.62")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.64")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);