@synkro-sh/cli 1.4.66 → 1.4.68

package/dist/bootstrap.js

@@ -283,22 +283,41 @@ var init_ccHookConfig = __esm({
 });
 
 // cli/installer/cursorHookConfig.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync2, renameSync as renameSync2, mkdirSync as mkdirSync2 } from "fs";
-import { dirname as dirname2 } from "path";
-function readHooksFile(path) {
-  if (!existsSync3(path)) return { version: 1, hooks: {} };
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, renameSync as renameSync2, mkdirSync as mkdirSync2 } from "fs";
+import { dirname as dirname2, resolve, normalize } from "path";
+import { homedir as homedir2 } from "os";
+function shellQuote(s) {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+function cursorCcCmd(scriptPath) {
+  return "env SYNKRO_HOOK_FORMAT=cursor bun run " + shellQuote(scriptPath);
+}
+function bunRunCmd(scriptPath) {
+  return "bun run " + shellQuote(scriptPath);
+}
+function validateHooksPath(path) {
+  const resolved = resolve(normalize(path));
+  if (!ALLOWED_PARENT_DIRS.some((dir) => resolved.startsWith(dir + "/") || resolved === dir)) {
+    throw new Error(`Hooks path must be under ~/.cursor or ~/.config/cursor, got: ${resolved}`);
+  }
+  return resolved;
+}
+function readHooksFile(rawPath) {
+  const safePath = validateHooksPath(rawPath);
   try {
-    const raw = readFileSync2(path, "utf-8");
+    const raw = readFileSync2(safePath, "utf-8");
     return JSON.parse(raw);
   } catch (err) {
-    throw new Error(`Failed to parse ${path}: ${err.message}`);
+    if (err?.code === "ENOENT") return { version: 1, hooks: {} };
+    throw new Error(`Failed to parse ${safePath}: ${err.message}`);
   }
 }
-function writeHooksFileAtomic(path, data) {
-  mkdirSync2(dirname2(path), { recursive: true });
-  const tmpPath = `${path}.synkro.tmp`;
-  writeFileSync2(tmpPath, JSON.stringify(data, null, 2) + "\n", "utf-8");
-  renameSync2(tmpPath, path);
+function writeHooksFileAtomic(rawPath, data) {
+  const safePath = validateHooksPath(rawPath);
+  mkdirSync2(dirname2(safePath), { recursive: true });
+  const tmpPath = `${safePath}.synkro.tmp`;
+  writeFileSync2(tmpPath, JSON.stringify(data, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  renameSync2(tmpPath, safePath);
 }
 function isSynkroEntry2(entry) {
   if (entry?.[SYNKRO_MARKER2]) return true;
@@ -310,50 +329,89 @@ function removeSynkroEntries2(hooks, event) {
   if (!Array.isArray(arr)) return;
   hooks[event] = arr.filter((entry) => !isSynkroEntry2(entry));
 }
+function pushCcHook(hooks, event, scriptPath, opts) {
+  hooks[event] = hooks[event] ?? [];
+  hooks[event].push({
+    command: cursorCcCmd(scriptPath),
+    timeout: opts.timeout,
+    failClosed: opts.failClosed ?? false,
+    ...opts.matcher ? { matcher: opts.matcher } : {},
+    [SYNKRO_MARKER2]: true
+  });
+}
 function installCursorHooks(hooksJsonPath, config) {
   const file = readHooksFile(hooksJsonPath);
   file.version = file.version ?? 1;
   file.hooks = file.hooks ?? {};
-  const events = ["beforeShellExecution", "preToolUse", "afterFileEdit", "postToolUse"];
-  for (const evt of events) {
+  for (const evt of ALL_EVENTS) {
     removeSynkroEntries2(file.hooks, evt);
   }
-  file.hooks.beforeShellExecution = file.hooks.beforeShellExecution ?? [];
-  file.hooks.beforeShellExecution.push({
-    command: config.bashJudgeScriptPath,
-    timeout: 10,
-    failClosed: true,
+  const h = file.hooks;
+  pushCcHook(h, "sessionStart", config.sessionStartScriptPath, { timeout: 5 });
+  pushCcHook(h, "sessionEnd", config.stopSummaryScriptPath, { timeout: 10 });
+  pushCcHook(h, "beforeSubmitPrompt", config.userPromptSubmitScriptPath, { timeout: 5 });
+  pushCcHook(h, "stop", config.transcriptSyncScriptPath, { timeout: 3 });
+  h.beforeShellExecution = h.beforeShellExecution ?? [];
+  h.beforeShellExecution.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.preToolUse = file.hooks.preToolUse ?? [];
-  file.hooks.preToolUse.push({
-    command: config.editPrecheckScriptPath,
+  pushCcHook(h, "afterShellExecution", config.bashFollowupScriptPath, { timeout: 10 });
+  h.preToolUse = h.preToolUse ?? [];
+  h.preToolUse.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
     timeout: 15,
+    failClosed: false,
+    matcher: "Shell|Bash|Read|Grep|Glob",
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.afterFileEdit = file.hooks.afterFileEdit ?? [];
-  file.hooks.afterFileEdit.push({
-    command: config.editCaptureScriptPath,
+  pushCcHook(h, "preToolUse", config.editPrecheckScriptPath, {
     timeout: 15,
-    [SYNKRO_MARKER2]: true
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
   });
-  file.hooks.postToolUse = file.hooks.postToolUse ?? [];
-  file.hooks.postToolUse.push({
-    command: config.bashFollowupScriptPath,
+  pushCcHook(h, "preToolUse", config.cwePrecheckScriptPath, {
+    timeout: 15,
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
+  });
+  pushCcHook(h, "preToolUse", config.cvePrecheckScriptPath, {
     timeout: 10,
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
+  });
+  pushCcHook(h, "preToolUse", config.agentJudgeScriptPath, {
+    timeout: 15,
+    matcher: "Agent|Task"
+  });
+  pushCcHook(h, "preToolUse", config.planJudgeScriptPath, {
+    timeout: 20,
+    matcher: "ExitPlanMode|SwitchMode|CreatePlan"
+  });
+  h.afterFileEdit = h.afterFileEdit ?? [];
+  h.afterFileEdit.push({
+    command: bunRunCmd(config.editCaptureScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
+  pushCcHook(h, "postToolUse", config.bashFollowupScriptPath, {
+    timeout: 10,
+    matcher: "Shell|Bash"
+  });
   writeHooksFileAtomic(hooksJsonPath, file);
 }
 function uninstallCursorHooks(hooksJsonPath) {
-  if (!existsSync3(hooksJsonPath)) return false;
-  const file = readHooksFile(hooksJsonPath);
+  let file;
+  try {
+    file = readHooksFile(hooksJsonPath);
+  } catch {
+    return false;
+  }
   if (!file.hooks) return false;
-  const events = ["beforeShellExecution", "preToolUse", "afterFileEdit", "postToolUse"];
-  for (const evt of events) {
+  for (const evt of ALL_EVENTS) {
     removeSynkroEntries2(file.hooks, evt);
   }
-  for (const evt of events) {
+  for (const evt of ALL_EVENTS) {
     if (Array.isArray(file.hooks[evt]) && file.hooks[evt].length === 0) {
       delete file.hooks[evt];
     }
@@ -364,38 +422,100 @@ function uninstallCursorHooks(hooksJsonPath) {
   writeHooksFileAtomic(hooksJsonPath, file);
   return true;
 }
+function preToolUseUsesScript(hooks, scriptBasename) {
+  return (hooks ?? []).some(
+    (e) => isSynkroEntry2(e) && typeof e.command === "string" && e.command.includes(scriptBasename)
+  );
+}
 function inspectCursorHooks(hooksJsonPath) {
-  if (!existsSync3(hooksJsonPath)) {
-    return { installed: false, beforeShellExecution: false, preToolUse: false, afterFileEdit: false, postToolUse: false };
+  let file;
+  try {
+    file = readHooksFile(hooksJsonPath);
+  } catch {
+    return {
+      installed: false,
+      sessionStart: false,
+      sessionEnd: false,
+      beforeSubmitPrompt: false,
+      stop: false,
+      beforeShellExecution: false,
+      afterShellExecution: false,
+      preToolUse: false,
+      preToolUseBash: false,
+      preToolUseEdit: false,
+      preToolUseCwe: false,
+      preToolUseCve: false,
+      preToolUseAgent: false,
+      preToolUsePlan: false,
+      afterFileEdit: false,
+      postToolUse: false
+    };
   }
-  const file = readHooksFile(hooksJsonPath);
   const h = file.hooks ?? {};
+  const sessionStart = (h.sessionStart ?? []).some((e) => isSynkroEntry2(e));
+  const sessionEnd = (h.sessionEnd ?? []).some((e) => isSynkroEntry2(e));
+  const beforeSubmitPrompt = (h.beforeSubmitPrompt ?? []).some((e) => isSynkroEntry2(e));
+  const stop = (h.stop ?? []).some((e) => isSynkroEntry2(e));
   const beforeShellExecution = (h.beforeShellExecution ?? []).some((e) => isSynkroEntry2(e));
-  const preToolUse = (h.preToolUse ?? []).some((e) => isSynkroEntry2(e));
+  const afterShellExecution = (h.afterShellExecution ?? []).some((e) => isSynkroEntry2(e));
+  const pre = h.preToolUse ?? [];
+  const preToolUseBash = preToolUseUsesScript(pre, "cc-bash-judge") || preToolUseUsesScript(pre, "cursor-bash-judge");
+  const preToolUseEdit = preToolUseUsesScript(pre, "cc-edit-precheck") || preToolUseUsesScript(pre, "cursor-edit-precheck");
+  const preToolUseCwe = preToolUseUsesScript(pre, "cc-cwe-precheck");
+  const preToolUseCve = preToolUseUsesScript(pre, "cc-cve-precheck");
+  const preToolUseAgent = preToolUseUsesScript(pre, "cc-agent-judge");
+  const preToolUsePlan = preToolUseUsesScript(pre, "cc-plan-judge");
+  const preToolUse = preToolUseBash || preToolUseEdit || preToolUseCwe || preToolUseCve || preToolUseAgent || preToolUsePlan;
   const afterFileEdit = (h.afterFileEdit ?? []).some((e) => isSynkroEntry2(e));
   const postToolUse = (h.postToolUse ?? []).some((e) => isSynkroEntry2(e));
   return {
-    installed: beforeShellExecution || preToolUse || afterFileEdit || postToolUse,
+    installed: sessionStart || sessionEnd || beforeSubmitPrompt || stop || beforeShellExecution || afterShellExecution || preToolUse || afterFileEdit || postToolUse,
+    sessionStart,
+    sessionEnd,
+    beforeSubmitPrompt,
+    stop,
     beforeShellExecution,
+    afterShellExecution,
     preToolUse,
+    preToolUseBash,
+    preToolUseEdit,
+    preToolUseCwe,
+    preToolUseCve,
+    preToolUseAgent,
+    preToolUsePlan,
     afterFileEdit,
     postToolUse
   };
 }
-var SYNKRO_MARKER2;
+var SYNKRO_MARKER2, ALLOWED_PARENT_DIRS, ALL_EVENTS;
 var init_cursorHookConfig = __esm({
   "cli/installer/cursorHookConfig.ts"() {
     "use strict";
     SYNKRO_MARKER2 = "__synkro_managed__";
+    ALLOWED_PARENT_DIRS = [
+      resolve(homedir2(), ".cursor"),
+      resolve(homedir2(), ".config", "cursor")
+    ];
+    ALL_EVENTS = [
+      "sessionStart",
+      "sessionEnd",
+      "beforeSubmitPrompt",
+      "stop",
+      "beforeShellExecution",
+      "afterShellExecution",
+      "preToolUse",
+      "afterFileEdit",
+      "postToolUse"
+    ];
   }
 });
 
 // cli/installer/mcpConfig.ts
-import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync3, renameSync as renameSync3, mkdirSync as mkdirSync3 } from "fs";
-import { homedir as homedir2 } from "os";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, renameSync as renameSync3, mkdirSync as mkdirSync3 } from "fs";
+import { homedir as homedir3 } from "os";
 import { dirname as dirname3, join as join2 } from "path";
 function readClaudeJson() {
-  if (!existsSync4(CC_CONFIG_PATH)) return {};
+  if (!existsSync3(CC_CONFIG_PATH)) return {};
   try {
     const raw = readFileSync3(CC_CONFIG_PATH, "utf-8");
     return JSON.parse(raw);
@@ -417,7 +537,7 @@ function installMcpConfig(opts) {
   }
   if (opts.local) {
     const url2 = "http://127.0.0.1:8931/";
-    const tokenPath = join2(homedir2(), ".synkro", ".mcp-local-token");
+    const tokenPath = join2(homedir3(), ".synkro", ".mcp-local-token");
     let localToken = "";
     try {
       localToken = readFileSync3(tokenPath, "utf-8").trim();
@@ -443,7 +563,7 @@ function installMcpConfig(opts) {
   return { path: CC_CONFIG_PATH, url };
 }
 function uninstallMcpConfig() {
-  if (!existsSync4(CC_CONFIG_PATH)) return false;
+  if (!existsSync3(CC_CONFIG_PATH)) return false;
   const config = readClaudeJson();
   if (!config.mcpServers || Object.keys(config.mcpServers).length === 0) return false;
   let removed = false;
@@ -459,7 +579,7 @@ function uninstallMcpConfig() {
   return true;
 }
 function inspectMcpConfig() {
-  if (!existsSync4(CC_CONFIG_PATH)) {
+  if (!existsSync3(CC_CONFIG_PATH)) {
     return { installed: false, configPath: CC_CONFIG_PATH };
   }
   const config = readClaudeJson();
@@ -475,7 +595,7 @@ var init_mcpConfig = __esm({
     "use strict";
     SYNKRO_MARKER3 = "__synkro_managed__";
     SYNKRO_SERVER_NAME = "synkro-guardrails";
-    CC_CONFIG_PATH = join2(homedir2(), ".claude.json");
+    CC_CONFIG_PATH = join2(homedir3(), ".claude.json");
   }
 });
 
@@ -675,7 +795,7 @@ synkro_post_with_retry() {
 });
 
 // cli/installer/hookScriptsTs.ts
-var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_PRECHECK_TS, CURSOR_EDIT_CAPTURE_TS, CURSOR_BASH_FOLLOWUP_TS;
+var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_CAPTURE_TS;
 var init_hookScriptsTs = __esm({
   "cli/installer/hookScriptsTs.ts"() {
     "use strict";
@@ -712,7 +832,17 @@ if (existsSync(CONFIG_PATH)) {
   } catch {}
 }
 
-export const GATEWAY_URL = process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh';
+const ALLOWED_GATEWAY_HOSTS = new Set(['api.synkro.sh', 'localhost', '127.0.0.1']);
+function validateGatewayUrl(raw: string): string {
+  try {
+    const u = new URL(raw);
+    if (!ALLOWED_GATEWAY_HOSTS.has(u.hostname)) return 'https://api.synkro.sh';
+    return raw.replace(/\\/+$/, '');
+  } catch {
+    return 'https://api.synkro.sh';
+  }
+}
+export const GATEWAY_URL = validateGatewayUrl(process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh');
 export const CREDS_PATH = process.env.SYNKRO_CREDENTIALS_PATH || join(HOME, '.synkro', 'credentials.json');
 const LAST_PROMPT_FILE = join(HOME, '.synkro', '.last-prompt');
 
@@ -855,7 +985,7 @@ export async function ensureFreshJwt(jwt: string): Promise<string> {
 
 export function detectRepo(cwd: string): string {
   try {
-    const url = execSync('git remote get-url origin', { cwd, timeout: 3000, encoding: 'utf-8' }).trim();
+    const url = execSync('git remote get-url origin 2>/dev/null', { cwd, timeout: 3000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
     if (!url) return '';
     return url
       .replace(/^git@[^:]+:/, '')
@@ -1056,11 +1186,11 @@ async function channelGrade(role: GradeRole, prompt: string, jwt: string, port:
   return String(data.result || '');
 }
 
-export async function localGrade(surface: string, prompt: string): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 20000): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929);
+  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929, timeoutMs);
 }
 
 export async function localGradeCwe(prompt: string): Promise<string> {
@@ -1074,6 +1204,7 @@ export async function localGradeCwe(prompt: string): Promise<string> {
 export interface Verdict {
   ok: boolean;
   reason: string;
+  suggestedFix: string;
   ruleId: string;
   ruleMode: string;
   severity: string;
@@ -1084,6 +1215,7 @@ export function parseVerdict(resp: string): Verdict {
   const verdict: Verdict = {
     ok: true,
     reason: '',
+    suggestedFix: '',
     ruleId: '',
     ruleMode: '',
     severity: 'low',
@@ -1102,6 +1234,9 @@ export function parseVerdict(resp: string): Verdict {
   const reasonMatch = inner.match(/<reason>(.*?)<\\/reason>/) || inner.match(/<reasoning>(.*?)<\\/reasoning>/);
   if (reasonMatch) verdict.reason = reasonMatch[1].trim();
 
+  const fixMatch = inner.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+  if (fixMatch) verdict.suggestedFix = fixMatch[1].trim();
+
   if (!verdict.ok) {
     const ruleIdMatch = inner.match(/<rule_id>(.*?)<\\/rule_id>/);
     const ruleModeMatch = inner.match(/<rule_mode>(.*?)<\\/rule_mode>/);
@@ -1120,6 +1255,10 @@ export function parseVerdict(resp: string): Verdict {
           const vReason = vBlock.match(/<reason>(.*?)<\\/reason>/);
           if (vReason) verdict.reason = vReason[1].trim();
         }
+        if (!verdict.suggestedFix) {
+          const vFix = vBlock.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+          if (vFix) verdict.suggestedFix = vFix[1].trim();
+        }
         if (!sevMatch) {
           const vSev = vBlock.match(/<severity>(.*?)<\\/severity>/);
           if (vSev) verdict.severity = vSev[1].trim();
@@ -1274,8 +1413,10 @@ export function reconstructContent(toolName: string, toolInput: any, filePath: s
     }
     case 'NotebookEdit':
       return toolInput.new_source || '';
+    case 'StrReplace':
+      return toolInput.new_string || toolInput.content || toolInput.code_edit || '';
     default:
-      return '';
+      return toolInput.content || toolInput.new_string || toolInput.code_edit || '';
   }
 }
 
@@ -1589,13 +1730,90 @@ export function dispatchFinding(
   }).catch(() => {});
 }
 
+// \u2500\u2500\u2500 Hook tool-name sets (CC + Cursor) \u2500\u2500\u2500
+
+export const EDIT_TOOL_NAMES = new Set([
+  'Edit', 'Write', 'MultiEdit', 'NotebookEdit', 'StrReplace',
+]);
+export const SHELL_TOOL_NAMES = new Set([
+  'Bash', 'Shell', 'Read', 'Grep', 'Glob', 'terminal', 'run_terminal_cmd', 'execute_command',
+]);
+export const AGENT_TOOL_NAMES = new Set(['Agent', 'Task']);
+export const PLAN_TOOL_NAMES = new Set(['ExitPlanMode', 'SwitchMode', 'CreatePlan']);
+
+export function isEditTool(toolName: string): boolean {
+  return EDIT_TOOL_NAMES.has(toolName);
+}
+export function isShellTool(toolName: string): boolean {
+  return SHELL_TOOL_NAMES.has(toolName);
+}
+export function isAgentTool(toolName: string): boolean {
+  return AGENT_TOOL_NAMES.has(toolName);
+}
+export function isPlanTool(toolName: string): boolean {
+  return PLAN_TOOL_NAMES.has(toolName);
+}
+
+export function hookSessionId(payload: Record<string, unknown>): string {
+  return String(payload.session_id ?? payload.conversation_id ?? '');
+}
+
+export function isCursorHookFormat(): boolean {
+  return process.env.SYNKRO_HOOK_FORMAT === 'cursor';
+}
+
+let cursorHookExited = false;
+
+export function setupCursorHookSignals(): void {
+  if (!isCursorHookFormat()) return;
+  process.on('SIGTERM', () => outputEmpty());
+}
+
+function cursorHookExit(): never {
+  cursorHookExited = true;
+  process.exit(0);
+}
+
 // \u2500\u2500\u2500 Output Helpers \u2500\u2500\u2500
 
 export function outputJson(obj: any): void {
+  if (isCursorHookFormat()) {
+    const hso = obj?.hookSpecificOutput;
+    const sys = typeof obj?.systemMessage === 'string' ? obj.systemMessage : '';
+    if (hso?.permissionDecision === 'deny') {
+      const reason = hso.permissionDecisionReason || hso.additionalContext || sys;
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({
+          permission: 'deny',
+          user_message: sys || reason,
+          agent_message: hso.additionalContext || reason,
+        }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    const ctx = sys || hso?.additionalContext;
+    if (ctx) {
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({ additional_context: ctx }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    outputEmpty();
+    return;
+  }
   console.log(JSON.stringify(obj));
 }
 
 export function outputEmpty(): void {
+  if (isCursorHookFormat()) {
+    if (!cursorHookExited) {
+      cursorHookExited = true;
+      try { process.stdout.write('{}\\n'); } catch {}
+    }
+    cursorHookExit();
+  }
   console.log('{}');
 }
 `;
@@ -1604,26 +1822,27 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
 
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -1814,24 +2033,25 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename, extname } from 'node:path';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
 
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
 
@@ -1932,6 +2152,12 @@ async function main() {
           if (id && !cweIds.includes(id)) cweIds.push(id);
         }
 
+        const fixMatches = gradeResp.match(/<suggested_fix>([^<]+)<\\/suggested_fix>/g) || [];
+        const fixes: Record<string, string> = {};
+        for (let i = 0; i < Math.min(cweIds.length, fixMatches.length); i++) {
+          fixes[cweIds[i]] = fixMatches[i].replace(/<\\/?suggested_fix>/g, '').trim();
+        }
+
         // Filter out exempted CWEs for this file
         const activeCweIds = cweIds.filter(id => !exemptedCwes.has(id.toUpperCase()));
 
@@ -1950,7 +2176,11 @@ async function main() {
         const label = count === 1 ? 'match' : 'matches';
         const cweMsg = cweTag + ' ' + fileShort + ' \\u2192 ' + count + ' CWE ' + label + ' (' + displayIds + ')';
         const denyDetail = '[' + displayIds + '] ' + (verdict.reason || 'code weakness detected');
-        const ctx = 'CWE: ' + denyDetail + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
+        const fixLines = activeCweIds
+          .filter(id => fixes[id])
+          .map(id => '[' + id + '] Fix: ' + fixes[id]);
+        const fixHint = fixLines.length > 0 ? '\\n' + fixLines.join('\\n') : '';
+        const ctx = 'CWE: ' + denyDetail + fixHint + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
 
         for (const cweId of activeCweIds) {
           dispatchFinding(jwt, {
@@ -1999,7 +2229,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   reconstructContent, readStdin, findNearestDeps, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename } from 'node:path';
 
@@ -2017,19 +2247,20 @@ function isManifest(filename: string): boolean {
 }
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
 
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
 
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
@@ -2146,7 +2377,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -2222,19 +2453,20 @@ interface PkgMeta {
 }
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Bash', 'Read', 'Grep', 'Glob'].includes(toolName)) {
+    if (!isShellTool(toolName)) {
       outputEmpty();
       return;
     }
 
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -2243,7 +2475,12 @@ async function main() {
 
     let command = '';
     switch (toolName) {
-      case 'Bash': command = toolInput.command || ''; break;
+      case 'Bash':
+      case 'Shell':
+      case 'terminal':
+      case 'run_terminal_cmd':
+      case 'execute_command':
+        command = toolInput.command || ''; break;
       case 'Read': command = 'cat ' + (toolInput.file_path || ''); break;
       case 'Grep': command = "grep -r '" + (toolInput.pattern || '') + "' " + (toolInput.path || '.'); break;
       case 'Glob': command = "find . -name '" + (toolInput.pattern || '') + "'"; break;
@@ -2261,7 +2498,7 @@ async function main() {
     let installScanMsg = '';
     if (toolName === 'Bash') {
       const pkgInstallMatch = command.match(
-        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|(?:uv\\s+)?pip3?\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
+        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|(?:uv\\s+)?pip3?\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+([^|;&><]+)/
       );
       const isPip = /(?:uv\\s+)?pip3?\\s+install/.test(command);
       const isGo = command.match(/^go\\s+get/);
@@ -2275,6 +2512,7 @@ async function main() {
         let skipNext = false;
         for (const token of tokens) {
           if (skipNext) { skipNext = false; continue; }
+          if (!token || !/^[@a-zA-Z]/.test(token)) continue;
           if (token.startsWith('-')) {
             if (/^--(python|target|prefix|root|constraint|requirement|index-url|extra-index-url|find-links|build|src|cache-dir|filter|workspace)$/.test(token)) skipNext = true;
             continue;
@@ -2313,8 +2551,9 @@ async function main() {
                   warnings.push('\\u26a0 ' + pkg + ': package not found on PyPI \\u2014 may not exist');
                 }
               } else {
+                const verSlug = deps[pkg] !== '*' ? deps[pkg] : 'latest';
                 const [metaResp, dlResp] = await Promise.all([
-                  fetch('https://registry.npmjs.org/' + encodeURIComponent(pkg) + '/latest', { signal: AbortSignal.timeout(4000) }),
+                  fetch('https://registry.npmjs.org/' + encodeURIComponent(pkg) + '/' + verSlug, { signal: AbortSignal.timeout(4000) }),
                   fetch('https://api.npmjs.org/downloads/point/last-week/' + encodeURIComponent(pkg), { signal: AbortSignal.timeout(4000) }),
                 ]);
                 if (metaResp.ok) {
@@ -2572,24 +2811,25 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Agent') {
+    if (!isAgentTool(toolName)) {
       outputEmpty();
       return;
     }
 
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -2735,14 +2975,13 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, postWithRetry, readStdin, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 
-function findLatestPlan(): string | null {
-  const plansDir = join(homedir(), '.claude', 'plans');
+function findLatestPlanInDir(plansDir: string): string | null {
   if (!existsSync(plansDir)) return null;
   try {
     const files = readdirSync(plansDir)
@@ -2755,6 +2994,23 @@ function findLatestPlan(): string | null {
   }
 }
 
+function findLatestPlan(): string | null {
+  const dirs = [
+    join(homedir(), '.claude', 'plans'),
+    join(homedir(), '.cursor', 'plans'),
+  ];
+  let best: { path: string; mtime: number } | null = null;
+  for (const dir of dirs) {
+    const p = findLatestPlanInDir(dir);
+    if (!p) continue;
+    try {
+      const mtime = statSync(p).mtimeMs;
+      if (!best || mtime > best.mtime) best = { path: p, mtime };
+    } catch {}
+  }
+  return best?.path ?? null;
+}
+
 function appendReviewToPlan(planFile: string, verdict: string): void {
   try {
     let content = readFileSync(planFile, 'utf-8');
@@ -2766,20 +3022,21 @@ function appendReviewToPlan(planFile: string, verdict: string): void {
 }
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'ExitPlanMode') { outputEmpty(); return; }
+    if (!isPlanTool(toolName)) { outputEmpty(); return; }
 
     const planFile = findLatestPlan();
     if (!planFile) { outputEmpty(); return; }
     const plan = readFileSync(planFile, 'utf-8');
     if (plan.length < 20) { outputEmpty(); return; }
 
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
 
@@ -2884,16 +3141,17 @@ main();
     STOP_SUMMARY_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage,
-  outputJson, outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputJson, outputEmpty, appendLocalTelemetry, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     if (!sessionId) { outputEmpty(); return; }
 
     const cwd = payload.cwd || '';
@@ -2971,18 +3229,19 @@ main();
     SESSION_START_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, channelUp, tag, readStdin,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
   type HookConfig,
 } from './_synkro-common.ts';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const cwd = payload.cwd || '';
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const gitRepo = detectRepo(cwd || '.');
 
     let jwt = loadJwt();
@@ -3035,27 +3294,33 @@ main();
     BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
 import {
   loadJwt, loadConfig, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
-  outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Bash') { outputEmpty(); return; }
+    const shellCmd = typeof payload.command === 'string' ? payload.command : (payload.tool_input?.command || '');
+    if (!isShellTool(toolName) && !shellCmd) { outputEmpty(); return; }
 
     const jwt = loadJwt();
     if (!jwt) { outputEmpty(); return; }
 
-    const sessionId = payload.session_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    if (!sessionId || !toolUseId) { outputEmpty(); return; }
+    const sessionId = hookSessionId(payload);
+    const toolUseId = payload.tool_use_id || payload.tool_call_id || 'cursor-shell';
+    if (!sessionId) { outputEmpty(); return; }
 
-    const isError = payload.tool_result?.is_error === true;
-    const cmd = payload.tool_input?.command || '';
+    let isError = payload.tool_result?.is_error === true;
+    try {
+      const out = JSON.parse(payload.tool_output || '{}');
+      if (out.exitCode !== 0 || out.is_error === true) isError = true;
+    } catch {}
+    const cmd = shellCmd;
     const cmdHash = cmd ? hashCommand(cmd) : '';
 
     if (cmdHash && sessionId) {
@@ -3099,19 +3364,20 @@ main();
     TRANSCRIPT_SYNC_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
-  outputEmpty, GATEWAY_URL,
+  outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     const cwd = payload.cwd || '';
 
@@ -3239,15 +3505,16 @@ async function main() {
 main();
 `;
     USER_PROMPT_SUBMIT_TS = `#!/usr/bin/env bun
-import { readStdin, appendLocalTelemetry, aggregateUsage } from './_synkro-common.ts';
+import { readStdin, appendLocalTelemetry, aggregateUsage, outputEmpty, setupCursorHookSignals, hookSessionId } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
-    if (!input.trim()) return;
+    if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const msg = payload.message || payload.prompt || payload.content || '';
     if (msg) {
@@ -3256,7 +3523,7 @@ async function main() {
       writeFileSync(promptFile, msg, 'utf-8');
     }
 
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     if (sessionId && transcriptPath) {
       const usage = aggregateUsage(transcriptPath);
@@ -3277,7 +3544,10 @@ async function main() {
         });
       }
     }
-  } catch {}
+    outputEmpty();
+  } catch {
+    outputEmpty();
+  }
 }
 
 main();
@@ -3286,38 +3556,99 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
+  extractTranscript, readLastPrompt, log, GATEWAY_URL,
+  type Rule,
 } from './_synkro-common.ts';
 
+// Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
+const CURSOR_GRADE_TIMEOUT_MS = 7500;
+const CURSOR_CLOUD_TIMEOUT_MS = 6000;
+
+let hookDone = false;
+
+function finishAllow(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
+
+function finishWith(payload: Record<string, unknown>): never {
+  hookDone = true;
+  process.stdout.write(JSON.stringify(payload) + '\\n');
+  process.exit(0);
+}
+
+process.on('SIGTERM', () => finishAllow());
+
+const SHELL_TOOL_NAMES = new Set(['Bash', 'Shell', 'terminal', 'run_terminal_cmd', 'execute_command']);
+const BASH_PRE_TOOL_NAMES = new Set(['Bash', 'Shell', 'Read', 'Grep', 'Glob', ...SHELL_TOOL_NAMES]);
+
+function extractCommand(payload: Record<string, unknown>): { command: string; toolName: string } {
+  const direct = typeof payload.command === 'string' ? payload.command : '';
+  if (direct) return { command: direct, toolName: 'Bash' };
+
+  const toolName = typeof payload.tool_name === 'string' ? payload.tool_name : '';
+  if (!BASH_PRE_TOOL_NAMES.has(toolName)) return { command: '', toolName };
+
+  const toolInput = (payload.tool_input && typeof payload.tool_input === 'object')
+    ? payload.tool_input as Record<string, unknown>
+    : {};
+
+  let command = '';
+  switch (toolName) {
+    case 'Bash':
+    case 'Shell':
+    case 'terminal':
+    case 'run_terminal_cmd':
+    case 'execute_command':
+      command = String(toolInput.command ?? '');
+      break;
+    case 'Read':
+      command = 'cat ' + String(toolInput.file_path ?? toolInput.path ?? '');
+      break;
+    case 'Grep':
+      command = "grep -r '" + String(toolInput.pattern ?? '') + "' " + String(toolInput.path ?? '.');
+      break;
+    case 'Glob':
+      command = "find . -name '" + String(toolInput.pattern ?? '') + "'";
+      break;
+  }
+  return { command, toolName: toolName || 'Bash' };
+}
+
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finishAllow();
 
-    const payload = JSON.parse(input);
-    const command = payload.command || '';
-    if (!command) { process.stdout.write('{}\\n'); return; }
+    const payload = JSON.parse(input) as Record<string, unknown>;
+    const { command, toolName } = extractCommand(payload);
+    if (!command) finishAllow();
 
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
+    const cwd = typeof payload.cwd === 'string' ? payload.cwd : '';
+    const sessionId = String(payload.conversation_id ?? payload.session_id ?? '');
+    const transcriptPath = typeof payload.transcript_path === 'string' ? payload.transcript_path : '';
     const repo = detectRepo(cwd || '.');
 
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finishAllow();
     jwt = await ensureFreshJwt(jwt);
 
+    const transcript = extractTranscript(transcriptPath);
+    const lastPrompt = readLastPrompt();
+
     const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
+    if (config.silent) finishAllow();
 
     const rt = await route(config);
     const tagStr = tag(rt, config);
 
     if (rt === 'local') {
-      // Build grading prompt with rules
       const rulesBlock = config.rules.map((r: Rule, i: number) =>
         (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
       ).join('\\n');
@@ -3328,14 +3659,17 @@ async function main() {
         '',
         'COMMAND TO EVALUATE:',
         command,
+        '',
+        'User intent (last human message): ' + (transcript.userIntent || lastPrompt || 'none stated'),
+        'Last user prompt: ' + (lastPrompt || 'none'),
       ].join('\\n');
 
       let gradeResp: string;
       try {
-        gradeResp = await localGrade('bash', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
+        gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS);
+      } catch (e) {
+        log('bashGuard ' + cmdShort + ' \u2192 pass (grade unavailable): ' + String(e));
+        finishAllow();
       }
 
       const verdict = parseVerdict(gradeResp);
@@ -3350,16 +3684,13 @@ async function main() {
               command, reasoning: guardReason,
               rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
             });
-          const result = {
+          finishWith({
             permission: 'deny',
-            user_message: tagStr + ' bashGuard \\u2192 block: ' + guardReason,
+            user_message: tagStr + ' bashGuard \u2192 block: ' + guardReason,
             agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
+          });
         }
 
-        // Audit mode \u2014 warn but allow
         dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
           'Bash', repo, sessionId, config.captureDepth, {
             command, reasoning: guardReason,
@@ -3373,177 +3704,46 @@ async function main() {
           });
       }
 
-      process.stdout.write('{}\\n');
-      return;
+      log('bashGuard ' + cmdShort + ' \u2192 pass');
+      finishAllow();
     }
 
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
+    const body: Record<string, any> = {
       hook_event: 'PreToolUse',
-      tool_name: 'Bash',
+      tool_name: toolName || 'Bash',
       tool_input: { command },
       response_format: 'cursor',
+      user_intent: transcript.userIntent || null,
+      last_user_message: lastPrompt || null,
+      recent_user_messages: transcript.recentUserMessages,
+      recent_messages: transcript.recentMessages,
       session_id: sessionId || null,
       cwd: cwd || null,
       repo: repo || null,
     };
 
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 6000);
-
-    if (!resp) {
-      log('bashGuard ' + cmdShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
-    }
-
-    if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
-    }
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-
-main();
-`;
-    CURSOR_EDIT_PRECHECK_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
-} from './_synkro-common.ts';
-import { basename } from 'node:path';
-
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-    const toolInput = payload.tool_input || {};
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
-
-    const filePath = toolInput.file_path || toolInput.path || toolInput.target_file || '';
-    const content = toolInput.content || toolInput.new_string || toolInput.code_edit || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
-
-    const fileShort = basename(filePath);
-    log('editGuard checking: ' + fileShort);
-
-    const repo = detectRepo(cwd || '.');
-
-    let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
-    jwt = await ensureFreshJwt(jwt);
-
-    const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
-
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-
-    if (rt === 'local') {
-      const contentShort = content.slice(0, 4000);
-      const rulesBlock = config.rules.map((r: Rule, i: number) =>
-        (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
-      ).join('\\n');
-
-      const graderPrompt = [
-        'RULES:',
-        rulesBlock || '(none)',
-        '',
-        'FILE: ' + filePath,
-        '',
-        'CONTENT TO EVALUATE (first 4000 chars):',
-        contentShort,
-      ].join('\\n');
-
-      let gradeResp: string;
-      try {
-        gradeResp = await localGrade('edit', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
-      }
-
-      const verdict = parseVerdict(gradeResp);
-      const editContent = 'file=' + filePath + ' content=' + content.slice(0, 2000);
-
-      if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
-        const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-
-        if (mode !== 'audit') {
-          dispatchCapture(jwt, 'edit', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName || 'Edit', repo, sessionId, config.captureDepth, {
-              command: editContent, reasoning: guardReason,
-              rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-            });
-          const result = {
-            permission: 'deny',
-            user_message: tagStr + ' editGuard ' + fileShort + ' \\u2192 block: ' + guardReason,
-            agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
-        }
-
-        // Audit mode
-        dispatchCapture(jwt, 'edit', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: guardReason,
-            rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-          });
-      } else {
-        dispatchCapture(jwt, 'edit', 'pass', 'audit', verdict.category || 'trivial_edit',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: verdict.reason || 'no policy violations detected',
-            rulesChecked: config.rules, violatedRules: [],
-          });
-      }
-
-      process.stdout.write('{}\\n');
-      return;
-    }
-
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
-      hook_event: 'PreToolUse',
-      tool_name: toolName || 'Edit',
-      tool_input: { file_path: filePath, content },
-      file_path: filePath,
-      content,
-      response_format: 'cursor',
-      session_id: sessionId || null,
-      cwd: cwd || null,
-      repo: repo || null,
-    };
-
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 8000);
+    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, CURSOR_CLOUD_TIMEOUT_MS);
 
     if (!resp) {
-      log('editGuard ' + fileShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
+      log('bashGuard ' + cmdShort + ' \u2192 pass (cloud timeout)');
+      finishAllow();
     }
 
     if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
+      finishWith(resp.hook_response as Record<string, unknown>);
     }
-  } catch {
-    process.stdout.write('{}\\n');
+    log('bashGuard ' + cmdShort + ' \u2192 pass (no hook_response)');
+    finishAllow();
+  } catch (e) {
+    log('bashGuard error: ' + String(e));
+    finishAllow();
   }
 }
 
-main();
-`;
+main().catch((e) => {
+  log('bashGuard fatal: ' + String(e));
+  finishAllow();
+});`;
     CURSOR_EDIT_CAPTURE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, readStdin,
@@ -3553,26 +3753,37 @@ import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 import { homedir } from 'node:os';
 
+let hookDone = false;
+
+function finish(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
+
+process.on('SIGTERM', () => finish());
+
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finish();
 
     const payload = JSON.parse(input);
     const filePath = payload.file_path || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
+    if (!filePath) finish();
 
-    const cwd = payload.cwd || '';
+    const cwd = payload.cwd || payload.workspace_roots?.[0] || '';
     const sessionId = payload.conversation_id || '';
     const repo = detectRepo(cwd || '.');
 
     log('editScan ' + basename(filePath));
 
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finish();
     jwt = await ensureFreshJwt(jwt);
 
-    // Read actual file content (up to 50KB)
     let fileContent = '';
     const fullPath = filePath.startsWith('/') ? filePath : (cwd ? join(cwd, filePath) : filePath);
     try {
@@ -3582,7 +3793,6 @@ async function main() {
       }
     } catch {}
 
-    // Walk up to find package.json dependencies
     let dependencies: Record<string, string> = {};
     let pkgDir = cwd || dirname(fullPath);
     while (pkgDir !== '/' && pkgDir !== '.') {
@@ -3609,12 +3819,10 @@ async function main() {
     if (cwd) captureBody.cwd = cwd;
     if (repo) captureBody.repo = repo;
 
-    // Check if local_only
     const rulesPath = join(homedir(), '.synkro', 'rules.json');
     if (existsSync(rulesPath)) {
       appendLocalTelemetry(captureBody);
     } else {
-      // Fire-and-forget to cloud
       fetch(GATEWAY_URL + '/api/v1/hook/capture', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -3624,128 +3832,24 @@ async function main() {
       appendLocalTelemetry(captureBody);
     }
 
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
+    finish();
+  } catch (e) {
+    log('editScan error: ' + String(e));
+    finish();
   }
 }
 
-main();
-`;
-    CURSOR_BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, readStdin, appendLocalTelemetry, log, GATEWAY_URL,
-} from './_synkro-common.ts';
-import { existsSync, readFileSync, writeFileSync, appendFileSync, mkdirSync } from 'node:fs';
-import { join, dirname } from 'node:path';
-import { createHash } from 'node:crypto';
-import { homedir } from 'node:os';
-
-const CONSENT_FILE = join(homedir(), '.synkro', '.local-consent');
-
-function hashCmd(cmd: string): string {
-  return createHash('sha256').update(cmd).digest('hex').slice(0, 16);
-}
-
-function consentGrant(sid: string, hash: string): void {
-  try {
-    const dir = dirname(CONSENT_FILE);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-    appendFileSync(CONSENT_FILE, sid + '\\t' + hash + '\\tactive\\n', 'utf-8');
-  } catch {}
-}
-
-function consentHasActive(sid: string, hash: string): boolean {
-  try {
-    if (!existsSync(CONSENT_FILE)) return false;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    return content.includes(sid + '\\t' + hash + '\\tactive');
-  } catch {
-    return false;
-  }
-}
-
-function consentConsume(sid: string, hash: string): void {
-  try {
-    if (!existsSync(CONSENT_FILE)) return;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    const target = sid + '\\t' + hash + '\\tactive';
-    const replacement = sid + '\\t' + hash + '\\tconsumed';
-    const updated = content.split('\\n').map((l: string) => l === target ? replacement : l).join('\\n');
-    writeFileSync(CONSENT_FILE, updated, 'utf-8');
-  } catch {}
-}
-
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-
-    // Only process shell/bash tool types
-    const shellTools = ['Shell', 'Bash', 'terminal', 'run_terminal_cmd', 'execute_command'];
-    if (!shellTools.includes(toolName)) { process.stdout.write('{}\\n'); return; }
-
-    const sessionId = payload.conversation_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    const isError = payload.tool_result?.is_error === true;
-    const command = payload.tool_input?.command || '';
-    const cmdHash = command ? hashCmd(command) : '';
-
-    // Consent tracking
-    if (cmdHash && sessionId) {
-      if (!isError) {
-        consentConsume(sessionId, cmdHash);
-      } else {
-        if (!consentHasActive(sessionId, cmdHash)) {
-          consentGrant(sessionId, cmdHash);
-        }
-      }
-    }
-
-    // Build capture body
-    const captureBody: Record<string, any> = {
-      capture_type: 'bash_followup',
-      session_id: sessionId || null,
-      tool_use_id: toolUseId || null,
-      is_error: isError,
-      command_hash: cmdHash,
-    };
-
-    // Check if local_only
-    const rulesPath = join(homedir(), '.synkro', 'rules.json');
-    if (existsSync(rulesPath)) {
-      appendLocalTelemetry(captureBody);
-    } else {
-      const jwt = loadJwt();
-      if (jwt && sessionId && toolUseId) {
-        fetch(GATEWAY_URL + '/api/v1/hook/capture', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
-          body: JSON.stringify(captureBody),
-          signal: AbortSignal.timeout(3000),
-        }).catch(() => {});
-      }
-      appendLocalTelemetry(captureBody);
-    }
-
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-
-main();
-`;
+main().catch((e) => {
+  log('editScan fatal: ' + String(e));
+  finish();
+});`;
   }
 });
 
 // cli/auth/stub.ts
 import { createServer } from "http";
-import { writeFileSync as writeFileSync4, readFileSync as readFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync4, unlinkSync as unlinkSync2 } from "fs";
-import { homedir as homedir3, platform } from "os";
+import { writeFileSync as writeFileSync4, readFileSync as readFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync4, unlinkSync as unlinkSync2 } from "fs";
+import { homedir as homedir4, platform } from "os";
 import { join as join3, dirname as dirname4 } from "path";
 import { execFile } from "child_process";
 import jwt from "jsonwebtoken";
@@ -3775,13 +3879,13 @@ function openBrowser(url) {
 }
 function saveCredentials(data) {
   const dir = dirname4(AUTH_FILE);
-  if (!existsSync5(dir)) {
+  if (!existsSync4(dir)) {
     mkdirSync4(dir, { recursive: true, mode: 448 });
   }
   writeFileSync4(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 384 });
 }
 function loadCredentials() {
-  if (!existsSync5(AUTH_FILE)) {
+  if (!existsSync4(AUTH_FILE)) {
     return null;
   }
   try {
@@ -3798,7 +3902,7 @@ function createCallbackServer() {
     "Access-Control-Allow-Headers": "Content-Type",
     "Vary": "Origin"
   };
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     const server = createServer((req, res) => {
       if (req.method === "OPTIONS") {
         const origin = req.headers.origin;
@@ -3887,7 +3991,7 @@ function createCallbackServer() {
         res.end(JSON.stringify({ ok: true }));
         setTimeout(() => {
           server.close();
-          resolve2(authData);
+          resolve3(authData);
         }, 200);
       });
       req.on("error", (e) => {
@@ -4029,7 +4133,7 @@ async function ensureValidToken() {
   return true;
 }
 function clearCredentials() {
-  if (existsSync5(AUTH_FILE)) {
+  if (existsSync4(AUTH_FILE)) {
     unlinkSync2(AUTH_FILE);
   }
 }
@@ -4040,7 +4144,7 @@ var init_stub = __esm({
     PORT = 8100;
     RAW_WEB_AUTH_URL = process.env.SYNKRO_WEB_AUTH_URL;
     SYNKRO_WEB_AUTH_URL = RAW_WEB_AUTH_URL && /^https?:\/\//.test(RAW_WEB_AUTH_URL) ? RAW_WEB_AUTH_URL : "https://app.synkro.sh";
-    AUTH_FILE = process.env.SYNKRO_AUTH_FILE || join3(homedir3(), ".synkro", "credentials.json");
+    AUTH_FILE = process.env.SYNKRO_AUTH_FILE || join3(homedir4(), ".synkro", "credentials.json");
     RAW_API_URL = process.env.SYNKRO_CRUD_URL || process.env.SYNKRO_API_URL;
     SYNKRO_API_URL = RAW_API_URL && /^https?:\/\//.test(RAW_API_URL) ? RAW_API_URL : "https://api.synkro.sh";
     ERROR_HTML = `
@@ -4203,7 +4307,7 @@ jobs:
 });
 
 // cli/installer/githubSetup.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+import { existsSync as existsSync5, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 import { execSync as execSync2 } from "child_process";
 import { join as join4 } from "path";
 function ghSecretSet(token, owner, repo, name, value) {
@@ -4260,7 +4364,7 @@ function writeWorkflowFile(repoRootPath) {
 function findGitRoot(startCwd) {
   let cur = startCwd;
   while (cur && cur !== "/") {
-    if (existsSync6(join4(cur, ".git"))) return cur;
+    if (existsSync5(join4(cur, ".git"))) return cur;
     const parent = join4(cur, "..");
     if (parent === cur) break;
     cur = parent;
@@ -4298,10 +4402,10 @@ function detectGitRepo() {
   }
 }
 function ask(rl, question) {
-  return new Promise((resolve2) => rl.question(question, resolve2));
+  return new Promise((resolve3) => rl.question(question, resolve3));
 }
 function waitForGithubToken() {
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     const server = createServer2((req, res) => {
       if (req.method === "OPTIONS") {
         res.writeHead(204, {
@@ -4338,7 +4442,7 @@ function waitForGithubToken() {
           });
           res.end(JSON.stringify({ ok: true }));
           setTimeout(() => server.close(), 200);
-          resolve2(parsed.github_token);
+          resolve3(parsed.github_token);
         } catch {
           res.writeHead(400, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "invalid json" }));
@@ -4503,12 +4607,12 @@ __export(setupGithub_exports, {
 import { createInterface as createInterface2 } from "readline/promises";
 import { stdin as input, stdout as output } from "process";
 import { execSync as execSync4, spawn as nodeSpawn } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync5, unlinkSync as unlinkSync3 } from "fs";
-import { homedir as homedir4, platform as platform2 } from "os";
+import { existsSync as existsSync6, readFileSync as readFileSync5, unlinkSync as unlinkSync3 } from "fs";
+import { homedir as homedir5, platform as platform2 } from "os";
 import { join as join5 } from "path";
 import { execFile as execFile2 } from "child_process";
 function readConfig() {
-  if (!existsSync7(CONFIG_PATH)) return {};
+  if (!existsSync6(CONFIG_PATH)) return {};
   const out = {};
   for (const line of readFileSync5(CONFIG_PATH, "utf-8").split("\n")) {
     const t = line.trim();
@@ -4523,7 +4627,7 @@ async function prompt(rl, q, opts = {}) {
     process.stdout.write(q);
     const wasRaw = process.stdin.isRaw;
     if (process.stdin.setRawMode) process.stdin.setRawMode(true);
-    return await new Promise((resolve2) => {
+    return await new Promise((resolve3) => {
       let chunk = "";
       const onData = (data) => {
         const s = data.toString("utf-8");
@@ -4531,7 +4635,7 @@ async function prompt(rl, q, opts = {}) {
           process.stdin.removeListener("data", onData);
           if (process.stdin.setRawMode) process.stdin.setRawMode(wasRaw ?? false);
           process.stdout.write("\n");
-          resolve2(chunk);
+          resolve3(chunk);
           return;
         }
         if (s === "") process.exit(130);
@@ -4572,7 +4676,7 @@ function sleep(ms) {
 }
 function captureClaudeSetupToken() {
   const tmpFile = join5(SYNKRO_DIR, `token-capture-${Date.now()}.raw`);
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     const proc = nodeSpawn("script", ["-q", tmpFile, "claude", "setup-token"], {
       stdio: "inherit"
     });
@@ -4602,7 +4706,7 @@ function captureClaudeSetupToken() {
         reject(new Error(`Could not find token in claude setup-token output (file=${raw.length}b, yellow=${yellow.length}b)`));
         return;
       }
-      resolve2(token[0]);
+      resolve3(token[0]);
     });
   });
 }
@@ -4852,7 +4956,7 @@ var init_setupGithub = __esm({
     "use strict";
     init_githubSetup();
     init_stub();
-    SYNKRO_DIR = join5(homedir4(), ".synkro");
+    SYNKRO_DIR = join5(homedir5(), ".synkro");
     CONFIG_PATH = join5(SYNKRO_DIR, "config.env");
   }
 });
@@ -4881,11 +4985,11 @@ var init_promptFetcher = __esm({
 });
 
 // cli/local-cc/settings.ts
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir5 } from "os";
+import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
+import { homedir as homedir6 } from "os";
 import { join as join6 } from "path";
 function isLocalCCEnabled() {
-  if (!existsSync8(CONFIG_PATH2)) return false;
+  if (!existsSync7(CONFIG_PATH2)) return false;
   try {
     const content = readFileSync6(CONFIG_PATH2, "utf-8");
     const match = content.match(/^SYNKRO_LOCAL_INFERENCE='([^']*)'/m);
@@ -4898,7 +5002,7 @@ var CONFIG_PATH2;
 var init_settings = __esm({
   "cli/local-cc/settings.ts"() {
     "use strict";
-    CONFIG_PATH2 = join6(homedir5(), ".synkro", "config.env");
+    CONFIG_PATH2 = join6(homedir6(), ".synkro", "config.env");
   }
 });
 
@@ -5052,9 +5156,9 @@ await mcp.connect(new StdioServerTransport());
 });
 
 // cli/local-cc/install.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, readFileSync as readFileSync7, chmodSync, copyFileSync, renameSync as renameSync4, unlinkSync as unlinkSync4, openSync, fsyncSync, closeSync } from "fs";
+import { existsSync as existsSync8, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, readFileSync as readFileSync7, chmodSync, copyFileSync, renameSync as renameSync4, unlinkSync as unlinkSync4, openSync, fsyncSync, closeSync } from "fs";
 import { join as join7 } from "path";
-import { homedir as homedir6 } from "os";
+import { homedir as homedir7 } from "os";
 import { spawnSync } from "child_process";
 function writePluginFiles() {
   mkdirSync6(SESSION_DIR, { recursive: true });
@@ -5103,7 +5207,7 @@ function runBunInstall() {
   }
 }
 function safelyMutateClaudeJson(mutator) {
-  if (!existsSync9(CLAUDE_JSON_PATH)) {
+  if (!existsSync8(CLAUDE_JSON_PATH)) {
     return;
   }
   const originalText = readFileSync7(CLAUDE_JSON_PATH, "utf-8");
@@ -5256,17 +5360,17 @@ var init_install = __esm({
   "cli/local-cc/install.ts"() {
     "use strict";
     init_channelSource();
-    CLAUDE_JSON_BACKUP_PATH = join7(homedir6(), ".claude.json.synkro-bak");
-    SESSION_DIR = join7(homedir6(), ".synkro", "cc_sessions");
+    CLAUDE_JSON_BACKUP_PATH = join7(homedir7(), ".claude.json.synkro-bak");
+    SESSION_DIR = join7(homedir7(), ".synkro", "cc_sessions");
     PLUGIN_PATH = join7(SESSION_DIR, "synkro-channel.ts");
     PLUGIN_PKG_PATH = join7(SESSION_DIR, "package.json");
     PLUGIN_SETTINGS_DIR = join7(SESSION_DIR, ".claude");
     PLUGIN_SETTINGS_PATH = join7(PLUGIN_SETTINGS_DIR, "settings.json");
     PROJECT_MCP_PATH = join7(SESSION_DIR, ".mcp.json");
-    CLAUDE_JSON_PATH = join7(homedir6(), ".claude.json");
+    CLAUDE_JSON_PATH = join7(homedir7(), ".claude.json");
     RUN_SCRIPT_PATH = join7(SESSION_DIR, "run-claude.sh");
     TMUX_SESSION_NAME = "synkro-local-cc";
-    SESSION_DIR_2 = join7(homedir6(), ".synkro", "cc_sessions_2");
+    SESSION_DIR_2 = join7(homedir7(), ".synkro", "cc_sessions_2");
     PLUGIN_PATH_2 = join7(SESSION_DIR_2, "synkro-channel.ts");
     PLUGIN_PKG_PATH_2 = join7(SESSION_DIR_2, "package.json");
     PLUGIN_SETTINGS_DIR_2 = join7(SESSION_DIR_2, ".claude");
@@ -5425,7 +5529,7 @@ log "tmux session ended."
 
 // cli/local-cc/pueue.ts
 import { execFileSync, spawnSync as spawnSync2, spawn } from "child_process";
-import { homedir as homedir7 } from "os";
+import { homedir as homedir8 } from "os";
 import { join as join8 } from "path";
 import { connect } from "net";
 function pueueAvailable() {
@@ -5542,14 +5646,14 @@ function ensureRunning(opts = {}) {
   return startTask(opts);
 }
 function probePort(host, port, timeoutMs = 500) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const sock = connect(port, host);
     const done = (ok) => {
       try {
         sock.destroy();
       } catch {
       }
-      resolve2(ok);
+      resolve3(ok);
     };
     sock.once("connect", () => done(true));
     sock.once("error", () => done(false));
@@ -5622,10 +5726,10 @@ var init_pueue = __esm({
     "use strict";
     TASK_LABEL = "synkro-local-cc";
     TMUX_SESSION = "synkro-local-cc";
-    SESSION_DIR2 = join8(homedir7(), ".synkro", "cc_sessions");
+    SESSION_DIR2 = join8(homedir8(), ".synkro", "cc_sessions");
     TASK_LABEL_2 = "synkro-local-cc-2";
     TMUX_SESSION_2 = "synkro-local-cc-2";
-    SESSION_DIR_22 = join8(homedir7(), ".synkro", "cc_sessions_2");
+    SESSION_DIR_22 = join8(homedir8(), ".synkro", "cc_sessions_2");
     PueueError = class extends Error {
       constructor(message, cause) {
         super(message);
@@ -5641,7 +5745,7 @@ var init_pueue = __esm({
 
 // cli/local-cc/prompts.ts
 import { readFileSync as readFileSync8 } from "fs";
-import { homedir as homedir8 } from "os";
+import { homedir as homedir9 } from "os";
 import { join as join9 } from "path";
 async function fetchPrimers() {
   let jwt2 = "";
@@ -5684,7 +5788,7 @@ var CREDS_PATH, CHANNEL_REPLY_INSTRUCTIONS;
 var init_prompts = __esm({
   "cli/local-cc/prompts.ts"() {
     "use strict";
-    CREDS_PATH = join9(homedir8(), ".synkro", "credentials.json");
+    CREDS_PATH = join9(homedir9(), ".synkro", "credentials.json");
     CHANNEL_REPLY_INSTRUCTIONS = `
 DELIVERY METHOD \u2014 MANDATORY, OVERRIDES ALL OTHER OUTPUT RULES:
 You are running inside a Synkro MCP channel. Do NOT output your verdict as text.
@@ -5696,9 +5800,9 @@ Any text output is silently discarded. Only the reply tool call is captured.`;
 });
 
 // cli/local-cc/turnLog.ts
-import { appendFileSync, existsSync as existsSync10, mkdirSync as mkdirSync7, openSync as openSync2, readFileSync as readFileSync9, readSync, closeSync as closeSync2, statSync, watchFile, unwatchFile } from "fs";
+import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync7, openSync as openSync2, readFileSync as readFileSync9, readSync, closeSync as closeSync2, statSync, watchFile, unwatchFile } from "fs";
 import { dirname as dirname5, join as join10 } from "path";
-import { homedir as homedir9 } from "os";
+import { homedir as homedir10 } from "os";
 function truncate(s, max = PREVIEW_MAX) {
   if (s.length <= max) return s;
   return s.slice(0, max) + "\u2026 [+" + (s.length - max) + " chars]";
@@ -5734,7 +5838,7 @@ function appendTurn(args2) {
   }
 }
 function readRecentTurns(n = 20) {
-  if (!existsSync10(TURN_LOG_PATH)) return [];
+  if (!existsSync9(TURN_LOG_PATH)) return [];
   try {
     const size = statSync(TURN_LOG_PATH).size;
     if (size === 0) return [];
@@ -5755,7 +5859,7 @@ function readRecentTurns(n = 20) {
 function followTurns(onEntry) {
   try {
     mkdirSync7(dirname5(TURN_LOG_PATH), { recursive: true });
-    if (!existsSync10(TURN_LOG_PATH)) {
+    if (!existsSync9(TURN_LOG_PATH)) {
       appendFileSync(TURN_LOG_PATH, "", "utf-8");
     }
   } catch {
@@ -5817,7 +5921,7 @@ var TURN_LOG_PATH, PREVIEW_MAX;
 var init_turnLog = __esm({
   "cli/local-cc/turnLog.ts"() {
     "use strict";
-    TURN_LOG_PATH = join10(homedir9(), ".synkro", "cc_sessions", "turns.log");
+    TURN_LOG_PATH = join10(homedir10(), ".synkro", "cc_sessions", "turns.log");
     PREVIEW_MAX = 400;
   }
 });
@@ -5832,7 +5936,7 @@ async function submitToChannel(role, payload, opts = {}) {
   const port = opts.port ?? CHANNEL_PORT;
   const startedAt = Date.now();
   try {
-    const result = await new Promise((resolve2, reject) => {
+    const result = await new Promise((resolve3, reject) => {
       const req = httpRequest({
         host: CHANNEL_HOST,
         port,
@@ -5858,7 +5962,7 @@ async function submitToChannel(role, payload, opts = {}) {
               reject(new LocalCCError(parsed.error));
               return;
             }
-            resolve2(String(parsed.result ?? ""));
+            resolve3(String(parsed.result ?? ""));
           } catch (err) {
             reject(new LocalCCError(`malformed channel response: ${text.slice(0, 200)}`, err));
           }
@@ -5884,14 +5988,14 @@ async function submitToChannel(role, payload, opts = {}) {
   }
 }
 function isChannelAvailable(port = CHANNEL_PORT, timeoutMs = 500) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const sock = connect2(port, CHANNEL_HOST);
     const done = (ok) => {
       try {
         sock.destroy();
       } catch {
       }
-      resolve2(ok);
+      resolve3(ok);
     };
     sock.once("connect", () => done(true));
     sock.once("error", () => done(false));
@@ -5924,8 +6028,8 @@ __export(install_exports, {
   installCommand: () => installCommand,
   parseArgs: () => parseArgs
 });
-import { existsSync as existsSync11, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync10, readdirSync, appendFileSync as appendFileSync2, renameSync as renameSync5 } from "fs";
-import { homedir as homedir10 } from "os";
+import { existsSync as existsSync10, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync10, readdirSync, appendFileSync as appendFileSync2, renameSync as renameSync5 } from "fs";
+import { homedir as homedir11 } from "os";
 import { join as join11 } from "path";
 import { execSync as execSync5, spawnSync as spawnSync3, spawn as spawn2 } from "child_process";
 import { createInterface as createInterface3 } from "readline";
@@ -5951,13 +6055,13 @@ function parseArgs(argv) {
 }
 async function promptTranscriptConsent() {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     rl.question(
       "Would you like Synkro to use Claude Code session transcripts\nto generate guardrail rules and policies for your team? (Y/n) ",
       (answer) => {
         rl.close();
         const trimmed = answer.trim().toLowerCase();
-        resolve2(trimmed === "" || trimmed === "y" || trimmed === "yes");
+        resolve3(trimmed === "" || trimmed === "y" || trimmed === "yes");
       }
     );
   });
@@ -5983,9 +6087,7 @@ function writeHookScripts() {
   const commonScriptPath = join11(HOOKS_DIR, "_synkro-common.ts");
   const commonBashScriptPath = join11(HOOKS_DIR, "_synkro-common.sh");
   const cursorBashJudgePath = join11(HOOKS_DIR, "cursor-bash-judge.ts");
-  const cursorEditPrecheckPath = join11(HOOKS_DIR, "cursor-edit-precheck.ts");
   const cursorEditCapturePath = join11(HOOKS_DIR, "cursor-edit-capture.ts");
-  const cursorBashFollowupPath = join11(HOOKS_DIR, "cursor-bash-followup.ts");
   const mcpLocalServerPath = join11(HOOKS_DIR, "mcp-local-server.ts");
   writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
   writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
@@ -6001,9 +6103,7 @@ function writeHookScripts() {
   writeFileSync7(commonScriptPath, SYNKRO_COMMON_TS, "utf-8");
   writeFileSync7(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
-  writeFileSync7(cursorEditPrecheckPath, CURSOR_EDIT_PRECHECK_TS, "utf-8");
   writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
-  writeFileSync7(cursorBashFollowupPath, CURSOR_BASH_FOLLOWUP_TS, "utf-8");
   writeFileSync7(mcpLocalServerPath, `#!/usr/bin/env bun
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
@@ -6824,9 +6924,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
   chmodSync2(commonScriptPath, 493);
   chmodSync2(commonBashScriptPath, 493);
   chmodSync2(cursorBashJudgePath, 493);
-  chmodSync2(cursorEditPrecheckPath, 493);
   chmodSync2(cursorEditCapturePath, 493);
-  chmodSync2(cursorBashFollowupPath, 493);
   chmodSync2(mcpLocalServerPath, 493);
   return {
     bashScript: bashScriptPath,
@@ -6841,9 +6939,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
     transcriptSyncScript: transcriptSyncScriptPath,
     userPromptSubmitScript: userPromptSubmitScriptPath,
     cursorBashJudgeScript: cursorBashJudgePath,
-    cursorEditPrecheckScript: cursorEditPrecheckPath,
     cursorEditCaptureScript: cursorEditCapturePath,
-    cursorBashFollowupScript: cursorBashFollowupPath,
     mcpLocalServerScript: mcpLocalServerPath
   };
 }
@@ -6856,7 +6952,7 @@ function shellQuoteSingle(value) {
 }
 function resolveSynkroBundle() {
   const scriptPath = process.argv[1];
-  if (scriptPath && existsSync11(scriptPath)) return scriptPath;
+  if (scriptPath && existsSync10(scriptPath)) return scriptPath;
   return null;
 }
 function writeConfigEnv(opts) {
@@ -6876,7 +6972,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.66")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.68")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -6891,7 +6987,7 @@ function writeConfigEnv(opts) {
   chmodSync2(CONFIG_PATH3, 384);
 }
 function updateLocalInferenceFlag(enabled) {
-  if (!existsSync11(CONFIG_PATH3)) return;
+  if (!existsSync10(CONFIG_PATH3)) return;
   let content = readFileSync10(CONFIG_PATH3, "utf-8");
   const flag = enabled ? "yes" : "no";
   if (content.includes("SYNKRO_LOCAL_INFERENCE=")) {
@@ -6921,7 +7017,7 @@ function collectLocalMetadata() {
     meta.cc_version = execSync5("claude --version", { encoding: "utf-8", timeout: 5e3 }).trim().split("\n")[0];
   } catch {
   }
-  const claudeDir = join11(homedir10(), ".claude");
+  const claudeDir = join11(homedir11(), ".claude");
   try {
     const settings = JSON.parse(readFileSync10(join11(claudeDir, "settings.json"), "utf-8"));
     const plugins = Object.keys(settings.enabledPlugins ?? {}).filter((k) => settings.enabledPlugins[k]);
@@ -7011,10 +7107,10 @@ function isAlreadyInstalled() {
     join11(HOOKS_DIR, "cc-stop-summary.ts"),
     join11(HOOKS_DIR, "cc-session-start.ts")
   ];
-  if (!requiredScripts.every((p) => existsSync11(p))) return false;
-  if (!existsSync11(CONFIG_PATH3)) return false;
-  const settingsPath = join11(homedir10(), ".claude", "settings.json");
-  if (!existsSync11(settingsPath)) return false;
+  if (!requiredScripts.every((p) => existsSync10(p))) return false;
+  if (!existsSync10(CONFIG_PATH3)) return false;
+  const settingsPath = join11(homedir11(), ".claude", "settings.json");
+  if (!existsSync10(settingsPath)) return false;
   try {
     const settings = JSON.parse(readFileSync10(settingsPath, "utf-8"));
     const hooks = settings?.hooks;
@@ -7048,8 +7144,8 @@ function printChannelDiagnostics() {
         }
       }
     }
-    const logPath = join11(homedir10(), ".synkro", "cc_sessions", "run-claude.log");
-    if (existsSync11(logPath)) {
+    const logPath = join11(homedir11(), ".synkro", "cc_sessions", "run-claude.log");
+    if (existsSync10(logPath)) {
       const logContent = readFileSync10(logPath, "utf-8").trim().split("\n").slice(-10);
       console.warn(`    run-claude.log:`);
       for (const line of logContent) console.warn(`      ${line}`);
@@ -7059,7 +7155,7 @@ function printChannelDiagnostics() {
   console.warn(`    Run \`synkro local-cc status\` and \`synkro local-cc logs --tmux\` to debug.`);
 }
 async function backfillLocalRules(gatewayUrl, token) {
-  if (existsSync11(RULES_PATH)) {
+  if (existsSync10(RULES_PATH)) {
     console.log("  Local rules already exist \u2014 skipping cloud backfill.");
     return;
   }
@@ -7123,7 +7219,7 @@ async function backfillLocalRules(gatewayUrl, token) {
 }
 async function startLocalMcpServer() {
   const serverScript = join11(HOOKS_DIR, "mcp-local-server.ts");
-  if (!existsSync11(serverScript)) {
+  if (!existsSync10(serverScript)) {
     console.warn("  \u26A0 Local MCP server script not found \u2014 skipping.");
     return;
   }
@@ -7327,9 +7423,17 @@ async function installCommand(opts = {}) {
       hasCursor = true;
       installCursorHooks(agent.settingsPath, {
         bashJudgeScriptPath: scripts.cursorBashJudgeScript,
-        editPrecheckScriptPath: scripts.cursorEditPrecheckScript,
         editCaptureScriptPath: scripts.cursorEditCaptureScript,
-        bashFollowupScriptPath: scripts.cursorBashFollowupScript
+        bashFollowupScriptPath: scripts.bashFollowupScript,
+        editPrecheckScriptPath: scripts.editPrecheckScript,
+        cwePrecheckScriptPath: scripts.cwePrecheckScript,
+        cvePrecheckScriptPath: scripts.cvePrecheckScript,
+        planJudgeScriptPath: scripts.planJudgeScript,
+        agentJudgeScriptPath: scripts.agentJudgeScript,
+        stopSummaryScriptPath: scripts.stopSummaryScript,
+        sessionStartScriptPath: scripts.sessionStartScript,
+        userPromptSubmitScriptPath: scripts.userPromptSubmitScript,
+        transcriptSyncScriptPath: scripts.transcriptSyncScript
       });
       console.log(`Configured ${agent.name} hooks at ${agent.settingsPath}`);
     }
@@ -7542,8 +7646,8 @@ function detectGitRepo2() {
 function getClaudeProjectsFolder() {
   const cwd = process.cwd();
   const sanitized = "-" + cwd.replace(/\//g, "-");
-  const projectsDir = join11(homedir10(), ".claude", "projects", sanitized);
-  return existsSync11(projectsDir) ? projectsDir : null;
+  const projectsDir = join11(homedir11(), ".claude", "projects", sanitized);
+  return existsSync10(projectsDir) ? projectsDir : null;
 }
 function extractSessionInsights(projectsDir) {
   const insights = [];
@@ -7738,7 +7842,7 @@ var init_install2 = __esm({
     init_install();
     init_pueue();
     init_client();
-    SYNKRO_DIR2 = join11(homedir10(), ".synkro");
+    SYNKRO_DIR2 = join11(homedir11(), ".synkro");
     HOOKS_DIR = join11(SYNKRO_DIR2, "hooks");
     BIN_DIR = join11(SYNKRO_DIR2, "bin");
     CONFIG_PATH3 = join11(SYNKRO_DIR2, "config.env");
@@ -7820,11 +7924,11 @@ var status_exports = {};
 __export(status_exports, {
   statusCommand: () => statusCommand
 });
-import { existsSync as existsSync12, readFileSync as readFileSync11 } from "fs";
-import { homedir as homedir11 } from "os";
+import { existsSync as existsSync11, readFileSync as readFileSync11 } from "fs";
+import { homedir as homedir12 } from "os";
 import { join as join12 } from "path";
 function readConfigEnv() {
-  if (!existsSync12(CONFIG_PATH4)) return {};
+  if (!existsSync11(CONFIG_PATH4)) return {};
   const out = {};
   const raw = readFileSync11(CONFIG_PATH4, "utf-8");
   for (const line of raw.split("\n")) {
@@ -7901,10 +8005,20 @@ async function statusCommand() {
         const hooks = inspectCursorHooks(a.settingsPath);
         console.log(`    hooks installed: ${hooks.installed ? "\u2713" : "\u2717"}`);
         if (hooks.installed) {
+          console.log(`      \u2022 sessionStart:         ${hooks.sessionStart ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 sessionEnd:           ${hooks.sessionEnd ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 beforeSubmitPrompt:   ${hooks.beforeSubmitPrompt ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 beforeShellExecution: ${hooks.beforeShellExecution ? "\u2713" : "\u2717"}`);
-          console.log(`      \u2022 preToolUse:           ${hooks.preToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 afterShellExecution:  ${hooks.afterShellExecution ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Bash:      ${hooks.preToolUseBash ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Edit:      ${hooks.preToolUseEdit ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CWE:       ${hooks.preToolUseCwe ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CVE:       ${hooks.preToolUseCve ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Agent:     ${hooks.preToolUseAgent ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Plan:      ${hooks.preToolUsePlan ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 afterFileEdit:        ${hooks.afterFileEdit ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 postToolUse:          ${hooks.postToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 stop (transcript):    ${hooks.stop ? "\u2713" : "\u2717"}`);
         }
       }
     }
@@ -7918,6 +8032,7 @@ async function statusCommand() {
     "cc-cwe-precheck.ts",
     "cc-cve-precheck.ts",
     "cc-plan-judge.ts",
+    "cc-agent-judge.ts",
     "cc-stop-summary.ts",
     "cc-session-start.ts",
     "cc-transcript-sync.ts",
@@ -7925,20 +8040,29 @@ async function statusCommand() {
     "_synkro-common.ts"
   ];
   const cursorHooks = [
-    "cursor-bash-judge.sh",
-    "cursor-edit-precheck.sh",
-    "cursor-bash-followup.sh",
-    "_synkro-common.sh"
+    "cursor-bash-judge.ts",
+    "cursor-edit-capture.ts",
+    "cc-edit-precheck.ts",
+    "cc-cwe-precheck.ts",
+    "cc-cve-precheck.ts",
+    "cc-agent-judge.ts",
+    "cc-plan-judge.ts",
+    "cc-session-start.ts",
+    "cc-stop-summary.ts",
+    "cc-bash-followup.ts",
+    "cc-user-prompt-submit.ts",
+    "cc-transcript-sync.ts",
+    "_synkro-common.ts"
   ];
   console.log("Hook scripts (Claude Code):");
   for (const f of ccHooks) {
     const p = join12(HOOKS_DIR2, f);
-    console.log(`  ${existsSync12(p) ? "\u2713" : "\u2717"} ${p}`);
+    console.log(`  ${existsSync11(p) ? "\u2713" : "\u2717"} ${p}`);
   }
   console.log("Hook scripts (Cursor):");
   for (const f of cursorHooks) {
     const p = join12(HOOKS_DIR2, f);
-    console.log(`  ${existsSync12(p) ? "\u2713" : "\u2717"} ${p}`);
+    console.log(`  ${existsSync11(p) ? "\u2713" : "\u2717"} ${p}`);
   }
   console.log();
   if (localInference) {
@@ -7981,7 +8105,7 @@ var init_status = __esm({
     init_cursorHookConfig();
     init_mcpConfig();
     init_pueue();
-    SYNKRO_DIR3 = join12(homedir11(), ".synkro");
+    SYNKRO_DIR3 = join12(homedir12(), ".synkro");
     CONFIG_PATH4 = join12(SYNKRO_DIR3, "config.env");
   }
 });
@@ -8014,7 +8138,7 @@ __export(unlink_exports, {
 });
 import { createInterface as createInterface4 } from "readline";
 function ask2(rl, question) {
-  return new Promise((resolve2) => rl.question(question, resolve2));
+  return new Promise((resolve3) => rl.question(question, resolve3));
 }
 async function unlinkCommand() {
   if (!isAuthenticated()) {
@@ -8071,11 +8195,11 @@ var config_exports = {};
 __export(config_exports, {
   configCommand: () => configCommand
 });
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, existsSync as existsSync13 } from "fs";
+import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, existsSync as existsSync12 } from "fs";
 import { join as join13 } from "path";
-import { homedir as homedir12 } from "os";
+import { homedir as homedir13 } from "os";
 function readConfigEnv2() {
-  if (!existsSync13(CONFIG_PATH5)) return {};
+  if (!existsSync12(CONFIG_PATH5)) return {};
   const out = {};
   for (const line of readFileSync12(CONFIG_PATH5, "utf-8").split("\n")) {
     const t = line.trim();
@@ -8086,7 +8210,7 @@ function readConfigEnv2() {
   return out;
 }
 function updateConfigValue(key, value) {
-  if (!existsSync13(CONFIG_PATH5)) {
+  if (!existsSync12(CONFIG_PATH5)) {
     console.error("No config found. Run `synkro install` first.");
     process.exit(1);
   }
@@ -8157,7 +8281,7 @@ var init_config = __esm({
   "cli/commands/config.ts"() {
     "use strict";
     init_stub();
-    SYNKRO_DIR4 = join13(homedir12(), ".synkro");
+    SYNKRO_DIR4 = join13(homedir13(), ".synkro");
     CONFIG_PATH5 = join13(SYNKRO_DIR4, "config.env");
   }
 });
@@ -8168,7 +8292,7 @@ __export(scanPr_exports, {
   scanPrCommand: () => scanPrCommand
 });
 import { execSync as execSync6, spawn as spawn3 } from "child_process";
-import { readFileSync as readFileSync13, existsSync as existsSync14 } from "fs";
+import { readFileSync as readFileSync13, existsSync as existsSync13 } from "fs";
 import { join as join14 } from "path";
 function parseMatchSpec(condition) {
   if (!condition.startsWith("match_spec:")) return null;
@@ -8376,7 +8500,7 @@ function spawnClaudeJudge(file, claudeToken, promptHeader) {
 Diff:
 ${hunks}`;
   const fullPrompt = promptHeader + userMessage;
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const t0 = Date.now();
     const proc = spawn3(
       "claude",
@@ -8404,7 +8528,7 @@ ${hunks}`;
       const latencyMs = Date.now() - t0;
       if (code !== 0) {
         console.warn(`  claude exited ${code}: ${(stderr || stdout).slice(0, 500)}`);
-        resolve2({ findings: [], latencyMs });
+        resolve3({ findings: [], latencyMs });
         return;
       }
       try {
@@ -8423,10 +8547,10 @@ ${hunks}`;
           description: f.description,
           fix: f.fix
         }));
-        resolve2({ findings, latencyMs });
+        resolve3({ findings, latencyMs });
       } catch (parseErr) {
         console.warn(`  failed to parse claude response: ${stdout.slice(0, 300)}`);
-        resolve2({ findings: [], latencyMs });
+        resolve3({ findings: [], latencyMs });
       }
     });
   });
@@ -8475,7 +8599,7 @@ ${JSON.stringify(findings, null, 2)}
 `;
 }
 function spawnOpusConsolidator(findings, claudeToken) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const prompt2 = buildConsolidationPrompt(findings);
     const proc = spawn3(
       "claude",
@@ -8502,7 +8626,7 @@ function spawnOpusConsolidator(findings, claudeToken) {
     proc.on("close", (code) => {
       if (code !== 0) {
         console.warn(`  opus consolidation exited ${code}: ${(stderr || stdout).slice(0, 300)}`);
-        resolve2(fallbackReview(findings));
+        resolve3(fallbackReview(findings));
         return;
       }
       try {
@@ -8523,10 +8647,10 @@ function spawnOpusConsolidator(findings, claudeToken) {
           const order = ["low", "medium", "high", "critical"];
           return order.indexOf(f.severity) > order.indexOf(max) ? f.severity : max;
         }, "low");
-        resolve2({ summary: review.summary || "", comments, severity: maxSeverity });
+        resolve3({ summary: review.summary || "", comments, severity: maxSeverity });
       } catch {
         console.warn(`  failed to parse opus response, using fallback`);
-        resolve2(fallbackReview(findings));
+        resolve3(fallbackReview(findings));
       }
     });
   });
@@ -8649,7 +8773,7 @@ function shouldFail(findings, threshold) {
 }
 function readRepoDeps() {
   const pkgPath = join14(process.cwd(), "package.json");
-  if (!existsSync14(pkgPath)) return {};
+  if (!existsSync13(pkgPath)) return {};
   try {
     const pkg = JSON.parse(readFileSync13(pkgPath, "utf-8"));
     return { ...pkg.dependencies ?? {}, ...pkg.devDependencies ?? {} };
@@ -8913,8 +9037,8 @@ var disconnect_exports = {};
 __export(disconnect_exports, {
   disconnectCommand: () => disconnectCommand
 });
-import { existsSync as existsSync15, rmSync } from "fs";
-import { homedir as homedir13 } from "os";
+import { existsSync as existsSync14, rmSync } from "fs";
+import { homedir as homedir14 } from "os";
 import { join as join15 } from "path";
 function tearDownLocalCC() {
   let hadTask = false;
@@ -8951,13 +9075,13 @@ function disconnectCommand(args2 = []) {
     console.log(`${mcpRemoved ? "\u2713" : "\xB7"} MCP guardrails server: ${mcpRemoved ? "removed entry from ~/.claude.json" : "no Synkro MCP entry found"}`);
   }
   if (purge) {
-    if (existsSync15(SYNKRO_DIR5)) {
+    if (existsSync14(SYNKRO_DIR5)) {
       rmSync(SYNKRO_DIR5, { recursive: true, force: true });
       console.log(`\u2713 Removed ${SYNKRO_DIR5}`);
     } else {
       console.log(`\xB7 ${SYNKRO_DIR5} already gone, nothing to remove`);
     }
-  } else if (existsSync15(SYNKRO_DIR5)) {
+  } else if (existsSync14(SYNKRO_DIR5)) {
     console.log(`Config preserved at ${SYNKRO_DIR5}. Run with --purge to remove.`);
   }
   console.log("\nSynkro disconnected.");
@@ -8972,7 +9096,7 @@ var init_disconnect = __esm({
     init_mcpConfig();
     init_pueue();
     init_install();
-    SYNKRO_DIR5 = join15(homedir13(), ".synkro");
+    SYNKRO_DIR5 = join15(homedir14(), ".synkro");
   }
 });
 
@@ -9019,9 +9143,9 @@ __export(localCc_exports, {
   localCcCommand: () => localCcCommand
 });
 import { spawnSync as spawnSync4 } from "child_process";
-import { homedir as homedir14 } from "os";
+import { homedir as homedir15 } from "os";
 import { join as join16 } from "path";
-import { existsSync as existsSync16, readFileSync as readFileSync14, writeFileSync as writeFileSync9 } from "fs";
+import { existsSync as existsSync15, readFileSync as readFileSync14, writeFileSync as writeFileSync9 } from "fs";
 function printHelp() {
   console.log(`synkro local-cc \u2014 manage the local Claude Code inference session
 
@@ -9111,14 +9235,14 @@ TROUBLESHOOTING
 `);
 }
 function readGatewayUrl() {
-  if (existsSync16(CONFIG_PATH6)) {
+  if (existsSync15(CONFIG_PATH6)) {
     const m = readFileSync14(CONFIG_PATH6, "utf-8").match(/^SYNKRO_GATEWAY_URL='([^']*)'/m);
     if (m) return m[1];
   }
   return "https://api.synkro.sh";
 }
 function updateLocalInferenceFlag2(enabled) {
-  if (!existsSync16(CONFIG_PATH6)) return;
+  if (!existsSync15(CONFIG_PATH6)) return;
   let content = readFileSync14(CONFIG_PATH6, "utf-8");
   const flag = enabled ? "yes" : "no";
   if (content.includes("SYNKRO_LOCAL_INFERENCE=")) {
@@ -9348,7 +9472,7 @@ function cmdLogs(rest) {
     if (!raw) console.log("  " + colorize("(use --raw / -r to see full payloads, --live / -f to follow)", 90));
     return;
   }
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     console.log("  " + colorize("\u2014 following new turns (Ctrl-C to exit) \u2014", 90));
     const stop = followTurns((t) => {
       console.log("  " + formatTurn(t, raw));
@@ -9356,7 +9480,7 @@ function cmdLogs(rest) {
     const onSigint = () => {
       stop();
       process.removeListener("SIGINT", onSigint);
-      resolve2();
+      resolve3();
     };
     process.on("SIGINT", onSigint);
   });
@@ -9453,7 +9577,7 @@ var init_localCc = __esm({
     init_settings();
     init_client();
     init_stub();
-    CONFIG_PATH6 = join16(homedir14(), ".synkro", "config.env");
+    CONFIG_PATH6 = join16(homedir15(), ".synkro", "config.env");
   }
 });
 
@@ -9463,10 +9587,10 @@ __export(grade_exports, {
   gradeCommand: () => gradeCommand
 });
 async function readStdin() {
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     const chunks = [];
     process.stdin.on("data", (c) => chunks.push(c));
-    process.stdin.on("end", () => resolve2(Buffer.concat(chunks).toString("utf-8")));
+    process.stdin.on("end", () => resolve3(Buffer.concat(chunks).toString("utf-8")));
     process.stdin.on("error", reject);
   });
 }
@@ -9507,14 +9631,14 @@ var init_grade = __esm({
 });
 
 // cli/bootstrap.js
-import { readFileSync as readFileSync15, existsSync as existsSync17 } from "fs";
-import { resolve } from "path";
+import { readFileSync as readFileSync15, existsSync as existsSync16 } from "fs";
+import { resolve as resolve2 } from "path";
 var envCandidates = [
-  resolve(process.cwd(), ".env"),
-  resolve(process.env.HOME ?? "", ".synkro", "config.env")
+  resolve2(process.cwd(), ".env"),
+  resolve2(process.env.HOME ?? "", ".synkro", "config.env")
 ];
 for (const envPath of envCandidates) {
-  if (!existsSync17(envPath)) continue;
+  if (!existsSync16(envPath)) continue;
   const envContent = readFileSync15(envPath, "utf-8");
   for (const line of envContent.split("\n")) {
     const trimmed = line.trim();