@synkro-sh/cli 1.4.64 → 1.4.65

package/dist/bootstrap.js

@@ -160,6 +160,17 @@ function installCCHooks(settingsPath, config) {
     ],
     [SYNKRO_MARKER]: true
   });
+  settings.hooks.PreToolUse.push({
+    matcher: "Agent",
+    hooks: [
+      {
+        type: "command",
+        command: config.agentJudgeScriptPath,
+        timeout: 30
+      }
+    ],
+    [SYNKRO_MARKER]: true
+  });
   settings.hooks.PreToolUse.push({
     matcher: "ExitPlanMode",
     hooks: [
@@ -828,7 +839,7 @@ exit 0
 });
 
 // cli/installer/hookScriptsTs.ts
-var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS;
+var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS;
 var init_hookScriptsTs = __esm({
   "cli/installer/hookScriptsTs.ts"() {
     "use strict";
@@ -1134,7 +1145,7 @@ const PRIMER_KEY: Record<GradeRole, string> = {
 let primerCache: { data: Record<string, string>; ts: number } | null = null;
 
 async function fetchPrimer(role: GradeRole, jwt: string): Promise<string> {
-  if (primerCache && Date.now() - primerCache.ts < 60_000) {
+  if (primerCache && Date.now() - primerCache.ts < 300_000) {
     const cached = primerCache.data[PRIMER_KEY[role]];
     if (cached) return cached;
   }
@@ -1188,7 +1199,7 @@ export async function localGrade(surface: string, prompt: string): Promise<strin
 export async function localGradeCwe(prompt: string): Promise<string> {
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade('grade-cwe', prompt, jwt, 8930, 20000);
+  return channelGrade('grade-cwe', prompt, jwt, 8930, 45000);
 }
 
 // \u2500\u2500\u2500 Verdict Parsing \u2500\u2500\u2500
@@ -2266,7 +2277,7 @@ main();
     BASH_JUDGE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
+  parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
   outputJson, outputEmpty, GATEWAY_URL,
   type HookConfig, type Rule,
@@ -2309,6 +2320,7 @@ async function main() {
     jwt = await ensureFreshJwt(jwt);
 
     // \u2500\u2500\u2500 CVE scan for package install commands \u2500\u2500\u2500
+    let cveScanMsg = '';
     if (toolName === 'Bash') {
       const pkgInstallMatch = command.match(
         /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|(?:uv\\s+)?pip3?\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
@@ -2326,7 +2338,7 @@ async function main() {
         for (const token of tokens) {
           if (skipNext) { skipNext = false; continue; }
           if (token.startsWith('-')) {
-            if (/^--(python|target|prefix|root|constraint|requirement|index-url|extra-index-url|find-links|build|src|cache-dir)$/.test(token)) skipNext = true;
+            if (/^--(python|target|prefix|root|constraint|requirement|index-url|extra-index-url|find-links|build|src|cache-dir|filter|workspace)$/.test(token)) skipNext = true;
             continue;
           }
           if (isPip) {
@@ -2344,6 +2356,23 @@ async function main() {
             deps[token] = '*';
           }
         }
+        const unversioned = Object.keys(deps).filter(k => deps[k] === '*');
+        if (unversioned.length > 0) {
+          const lookups = unversioned.map(async (pkg) => {
+            try {
+              let ver: string | null = null;
+              if (isPip) {
+                const r = await fetch('https://pypi.org/pypi/' + encodeURIComponent(pkg) + '/json', { signal: AbortSignal.timeout(4000) });
+                if (r.ok) { const d = await r.json() as any; ver = d?.info?.version || null; }
+              } else {
+                const r = await fetch('https://registry.npmjs.org/' + encodeURIComponent(pkg) + '/latest', { signal: AbortSignal.timeout(4000) });
+                if (r.ok) { const d = await r.json() as any; ver = d?.version || null; }
+              }
+              if (ver) deps[pkg] = ver;
+            } catch {}
+          });
+          await Promise.all(lookups);
+        }
         const manifestFile = isPip ? 'requirements.txt'
           : isGo ? 'go.mod'
           : isCargo ? 'Cargo.toml'
@@ -2364,7 +2393,11 @@ async function main() {
             }).then(r => r.json()) as any;
 
             const findings = Array.isArray(cveResp?.findings) ? cveResp.findings : [];
-            if (findings.length > 0) {
+            const scannedPkgs = Object.entries(deps).map(([k, v]) => k + '@' + v).join(', ');
+            if (findings.length === 0) {
+              cveScanMsg = '[synkro:cveScan] ' + scannedPkgs + ' \\u2192 clean, no known vulnerabilities';
+            }
+            else if (findings.length > 0) {
               const top3 = findings.slice(0, 3).map((f: any) => {
                 const id = f.cve || f.id || '?';
                 const pkg = f.package || '?';
@@ -2376,6 +2409,26 @@ async function main() {
               const label = count === 1 ? 'advisory' : 'advisories';
               const cveMsg = '[synkro:cveScan] ' + cmdShort + ' \\u2192 ' + count + ' ' + label;
               const ctx = 'CVE: ' + top3 + '\\nDo NOT install packages with known vulnerabilities. Use a patched version or a different package.';
+
+              const config = await loadConfig(jwt);
+              for (const f of findings) {
+                dispatchFinding(jwt, {
+                  session_id: sessionId,
+                  file_path: command,
+                  finding_type: 'cve',
+                  finding_id: f.cve || f.id || f.package,
+                  severity: typeof f.severity === 'number' ? (f.severity >= 9 ? 'critical' : f.severity >= 7 ? 'high' : f.severity >= 4 ? 'medium' : 'low') : (f.severity || 'medium'),
+                  status: 'open',
+                  detail: f.details || f.summary || null,
+                  description: f.summary || null,
+                  package_name: f.package || null,
+                  package_version: f.version || null,
+                  fixed_version: f.fixed || null,
+                  aliases: f.aliases || [],
+                  references: f.references || [],
+                }, config.captureDepth);
+              }
+
               outputJson({
                 systemMessage: cveMsg,
                 hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
@@ -2397,7 +2450,8 @@ async function main() {
     const tagStr = tag(rt, config);
 
     if (config.silent) {
-      outputJson({ systemMessage: tagStr + ' bashGuard \\u2192 skipped (silent mode)' });
+      const msg = (cveScanMsg ? cveScanMsg + '\\n' : '') + tagStr + ' bashGuard \\u2192 skipped (silent mode)';
+      outputJson({ systemMessage: msg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: msg } });
       return;
     }
 
@@ -2428,7 +2482,8 @@ async function main() {
 
         if (mode === 'audit') {
           const reason = tagStr + ' bashGuard \\u2192 warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation');
-          outputJson({ systemMessage: reason });
+          const combined = (cveScanMsg ? cveScanMsg + '\\n' : '') + reason;
+          outputJson({ systemMessage: combined, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: combined } });
           dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
             toolName, gitRepo, sessionId, config.captureDepth, {
               command, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
@@ -2436,9 +2491,10 @@ async function main() {
             });
         } else {
           const reason = tagStr + ' bashGuard \\u2192 blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
+          const combined = (cveScanMsg ? cveScanMsg + '\\n' : '') + reason;
           outputJson({
-            systemMessage: reason,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: reason },
+            systemMessage: combined,
+            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: combined },
           });
           dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
             toolName, gitRepo, sessionId, config.captureDepth, {
@@ -2447,7 +2503,9 @@ async function main() {
             });
         }
       } else {
-        outputJson({ systemMessage: tagStr + ' bashGuard \\u2192 pass: ' + (verdict.reason || 'no policy violations detected') });
+        const reason = tagStr + ' bashGuard \\u2192 pass: ' + (verdict.reason || 'no policy violations detected');
+        const combined = (cveScanMsg ? cveScanMsg + '\\n' : '') + reason;
+        outputJson({ systemMessage: combined, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: combined } });
         dispatchCapture(jwt, 'bash', 'pass', 'audit', verdict.category || 'trivial_utility',
           toolName, gitRepo, sessionId, config.captureDepth, {
             command, reasoning: verdict.reason || 'no policy violations detected',
@@ -2486,16 +2544,30 @@ async function main() {
 
     if (!resp) {
       log('bashGuard ' + cmdShort + ' \\u2192 error (timeout)');
-      outputEmpty();
+      if (cveScanMsg) {
+        outputJson({ systemMessage: cveScanMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: cveScanMsg } });
+      } else { outputEmpty(); }
       return;
     }
 
     if (!resp.hook_response || typeof resp.hook_response !== 'object') {
       log('bashGuard ' + cmdShort + ' \\u2192 pass (no hook_response)');
-      outputEmpty();
+      if (cveScanMsg) {
+        outputJson({ systemMessage: cveScanMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: cveScanMsg } });
+      } else { outputEmpty(); }
       return;
     }
 
+    if (cveScanMsg) {
+      const existing = resp.hook_response.systemMessage || '';
+      resp.hook_response.systemMessage = cveScanMsg + (existing ? '\\n' + existing : '');
+      if (resp.hook_response.hookSpecificOutput) {
+        const existingCtx = resp.hook_response.hookSpecificOutput.additionalContext || '';
+        resp.hook_response.hookSpecificOutput.additionalContext = cveScanMsg + (existingCtx ? '\\n' + existingCtx : '');
+      } else {
+        resp.hook_response.hookSpecificOutput = { hookEventName: 'PreToolUse', additionalContext: resp.hook_response.systemMessage };
+      }
+    }
     outputJson(resp.hook_response);
   } catch (err) {
     process.stderr.write('[synkro] bashGuard error: ' + String(err) + '\\n');
@@ -2503,6 +2575,170 @@ async function main() {
   }
 }
 
+main();
+`;
+    AGENT_JUDGE_TS = `#!/usr/bin/env bun
+import {
+  loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
+  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
+  extractTranscript, readLastPrompt, log,
+  outputJson, outputEmpty, GATEWAY_URL,
+  type HookConfig, type Rule,
+} from './_synkro-common.ts';
+
+async function main() {
+  try {
+    const input = await readStdin();
+    if (!input.trim()) { outputEmpty(); return; }
+
+    const payload = JSON.parse(input);
+    const toolName = payload.tool_name || '';
+    if (toolName !== 'Agent') {
+      outputEmpty();
+      return;
+    }
+
+    const toolInput = payload.tool_input || {};
+    const sessionId = payload.session_id || '';
+    const toolUseId = payload.tool_use_id || '';
+    const cwd = payload.cwd || '';
+    const permissionMode = payload.permission_mode || '';
+    const transcriptPath = payload.transcript_path || '';
+    const gitRepo = detectRepo(cwd || '.');
+
+    const prompt = toolInput.prompt || '';
+    const description = toolInput.description || '';
+    const subagentType = toolInput.subagent_type || 'general-purpose';
+    if (!prompt) { outputEmpty(); return; }
+
+    const promptShort = prompt.slice(0, 80);
+    log('agentGuard checking: ' + description + ' (' + subagentType + ')');
+
+    let jwt = loadJwt();
+    if (!jwt) { outputEmpty(); return; }
+    jwt = await ensureFreshJwt(jwt);
+
+    const transcript = extractTranscript(transcriptPath);
+    const lastPrompt = readLastPrompt();
+
+    const config = await loadConfig(jwt);
+    const rt = await route(config);
+    const tagStr = tag(rt, config);
+
+    if (config.silent) {
+      const msg = tagStr + ' agentGuard \\u2192 skipped (silent mode)';
+      outputJson({ systemMessage: msg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: msg } });
+      return;
+    }
+
+    if (rt === 'local') {
+      const graderPrompt = [
+        'Working directory: ' + (cwd || '.'),
+        'Repo: ' + (gitRepo || 'unknown'),
+        'Tool: Agent (subagent spawn)',
+        'Subagent type: ' + subagentType,
+        'Description: ' + description,
+        'Subagent prompt (first 4000 chars):',
+        prompt.slice(0, 4000),
+        'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
+        'Last user prompt: ' + (lastPrompt || 'none'),
+        'Org rules: ' + JSON.stringify(config.rules),
+      ].join('\\n');
+
+      let gradeResp: string;
+      try {
+        gradeResp = await localGrade('bash', graderPrompt);
+      } catch {
+        outputEmpty();
+        return;
+      }
+
+      const verdict = parseVerdict(gradeResp);
+      const agentContent = 'agent=' + subagentType + ' desc=' + description + ' prompt=' + prompt.slice(0, 2000);
+      const violatedRules = verdict.ruleId ? [verdict.ruleId] : [];
+
+      if (!verdict.ok) {
+        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
+        const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
+
+        if (mode === 'audit') {
+          const reason = tagStr + ' agentGuard \\u2192 warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation');
+          outputJson({ systemMessage: reason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: reason } });
+          dispatchCapture(jwt, 'agent', 'warning', verdict.severity || 'medium', verdict.category || 'security',
+            toolName, gitRepo, sessionId, config.captureDepth, {
+              command: agentContent, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
+              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
+            });
+        } else {
+          const reason = tagStr + ' agentGuard \\u2192 blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
+          outputJson({
+            systemMessage: reason,
+            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: reason },
+          });
+          dispatchCapture(jwt, 'agent', 'block', verdict.severity || 'critical', verdict.category || 'security',
+            toolName, gitRepo, sessionId, config.captureDepth, {
+              command: agentContent, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
+              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
+            });
+        }
+      } else {
+        const reason = tagStr + ' agentGuard \\u2192 pass: ' + (verdict.reason || 'no policy violations detected');
+        outputJson({ systemMessage: reason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: reason } });
+        dispatchCapture(jwt, 'agent', 'pass', 'audit', verdict.category || 'subagent_spawn',
+          toolName, gitRepo, sessionId, config.captureDepth, {
+            command: agentContent, reasoning: verdict.reason || 'no policy violations detected',
+            rulesChecked: config.rules, violatedRules: [],
+            recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
+          });
+      }
+      return;
+    }
+
+    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
+    const isHeadless = ['acceptEdits', 'bypassPermissions', 'plan', 'auto'].includes(permissionMode)
+      || process.env.SYNKRO_HEADLESS === '1';
+
+    const body: Record<string, any> = {
+      hook_event: 'PreToolUse',
+      tool_name: toolName,
+      tool_input: toolInput,
+      user_intent: transcript.userIntent || null,
+      last_user_message: lastPrompt || null,
+      recent_user_messages: transcript.recentUserMessages,
+      recent_messages: transcript.recentMessages,
+      recent_actions: transcript.recentActions,
+      session_id: sessionId || null,
+      tool_use_id: toolUseId || null,
+      cwd: cwd || null,
+      repo: gitRepo || null,
+      permission_mode: permissionMode || null,
+      headless: isHeadless,
+      cc_model: transcript.ccModel || null,
+      cc_usage: transcript.ccUsage || {},
+      session_summary: transcript.sessionSummary || null,
+    };
+
+    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 8000);
+
+    if (!resp) {
+      log('agentGuard ' + promptShort + ' \\u2192 error (timeout)');
+      outputEmpty();
+      return;
+    }
+
+    if (!resp.hook_response || typeof resp.hook_response !== 'object') {
+      log('agentGuard ' + promptShort + ' \\u2192 pass (no hook_response)');
+      outputEmpty();
+      return;
+    }
+
+    outputJson(resp.hook_response);
+  } catch (err) {
+    process.stderr.write('[synkro] agentGuard error: ' + String(err) + '\\n');
+    outputEmpty();
+  }
+}
+
 main();
 `;
     PLAN_JUDGE_TS = `#!/usr/bin/env bun
@@ -5292,6 +5528,7 @@ function writeHookScripts() {
   const cwePrecheckScriptPath = join11(HOOKS_DIR, "cc-cwe-precheck.ts");
   const cvePrecheckScriptPath = join11(HOOKS_DIR, "cc-cve-precheck.ts");
   const planJudgeScriptPath = join11(HOOKS_DIR, "cc-plan-judge.ts");
+  const agentJudgeScriptPath = join11(HOOKS_DIR, "cc-agent-judge.ts");
   const stopSummaryScriptPath = join11(HOOKS_DIR, "cc-stop-summary.ts");
   const sessionStartScriptPath = join11(HOOKS_DIR, "cc-session-start.ts");
   const transcriptSyncScriptPath = join11(HOOKS_DIR, "cc-transcript-sync.ts");
@@ -5308,6 +5545,7 @@ function writeHookScripts() {
   writeFileSync7(cwePrecheckScriptPath, CWE_PRECHECK_TS, "utf-8");
   writeFileSync7(cvePrecheckScriptPath, CVE_PRECHECK_TS, "utf-8");
   writeFileSync7(planJudgeScriptPath, PLAN_JUDGE_TS, "utf-8");
+  writeFileSync7(agentJudgeScriptPath, AGENT_JUDGE_TS, "utf-8");
   writeFileSync7(stopSummaryScriptPath, STOP_SUMMARY_TS, "utf-8");
   writeFileSync7(sessionStartScriptPath, SESSION_START_TS, "utf-8");
   writeFileSync7(transcriptSyncScriptPath, TRANSCRIPT_SYNC_TS, "utf-8");
@@ -5324,6 +5562,7 @@ function writeHookScripts() {
   chmodSync2(cwePrecheckScriptPath, 493);
   chmodSync2(cvePrecheckScriptPath, 493);
   chmodSync2(planJudgeScriptPath, 493);
+  chmodSync2(agentJudgeScriptPath, 493);
   chmodSync2(stopSummaryScriptPath, 493);
   chmodSync2(sessionStartScriptPath, 493);
   chmodSync2(transcriptSyncScriptPath, 493);
@@ -5341,6 +5580,7 @@ function writeHookScripts() {
     cwePrecheckScript: cwePrecheckScriptPath,
     cvePrecheckScript: cvePrecheckScriptPath,
     planJudgeScript: planJudgeScriptPath,
+    agentJudgeScript: agentJudgeScriptPath,
     stopSummaryScript: stopSummaryScriptPath,
     sessionStartScript: sessionStartScriptPath,
     transcriptSyncScript: transcriptSyncScriptPath,
@@ -5380,7 +5620,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.64")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.65")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -5686,6 +5926,7 @@ async function installCommand(opts = {}) {
   console.log(`  ${scripts.bashFollowupScript}`);
   console.log(`  ${scripts.editPrecheckScript}`);
   console.log(`  ${scripts.planJudgeScript}`);
+  console.log(`  ${scripts.agentJudgeScript}`);
   console.log(`  ${scripts.stopSummaryScript}`);
   console.log(`  ${scripts.sessionStartScript}`);
   console.log(`  ${scripts.transcriptSyncScript}
@@ -5722,6 +5963,7 @@ async function installCommand(opts = {}) {
         cwePrecheckScriptPath: scripts.cwePrecheckScript,
         cvePrecheckScriptPath: scripts.cvePrecheckScript,
         planJudgeScriptPath: scripts.planJudgeScript,
+        agentJudgeScriptPath: scripts.agentJudgeScript,
         stopSummaryScriptPath: scripts.stopSummaryScript,
         sessionStartScriptPath: scripts.sessionStartScript,
         transcriptSyncScriptPath: scripts.transcriptSyncScript,