npm - @synkro-sh/cli - Versions diffs - 1.4.67 → 1.4.68 - Mend

@synkro-sh/cli 1.4.67 → 1.4.68

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -286,6 +286,15 @@ var init_ccHookConfig = __esm({
 import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, renameSync as renameSync2, mkdirSync as mkdirSync2 } from "fs";
 import { dirname as dirname2, resolve, normalize } from "path";
 import { homedir as homedir2 } from "os";
+function shellQuote(s) {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+function cursorCcCmd(scriptPath) {
+  return "env SYNKRO_HOOK_FORMAT=cursor bun run " + shellQuote(scriptPath);
+}
+function bunRunCmd(scriptPath) {
+  return "bun run " + shellQuote(scriptPath);
+}
 function validateHooksPath(path) {
   const resolved = resolve(normalize(path));
   if (!ALLOWED_PARENT_DIRS.some((dir) => resolved.startsWith(dir + "/") || resolved === dir)) {
@@ -320,6 +329,16 @@ function removeSynkroEntries2(hooks, event) {
   if (!Array.isArray(arr)) return;
   hooks[event] = arr.filter((entry) => !isSynkroEntry2(entry));
 }
+function pushCcHook(hooks, event, scriptPath, opts) {
+  hooks[event] = hooks[event] ?? [];
+  hooks[event].push({
+    command: cursorCcCmd(scriptPath),
+    timeout: opts.timeout,
+    failClosed: opts.failClosed ?? false,
+    ...opts.matcher ? { matcher: opts.matcher } : {},
+    [SYNKRO_MARKER2]: true
+  });
+}
 function installCursorHooks(hooksJsonPath, config) {
   const file = readHooksFile(hooksJsonPath);
   file.version = file.version ?? 1;
@@ -327,37 +346,58 @@ function installCursorHooks(hooksJsonPath, config) {
   for (const evt of ALL_EVENTS) {
     removeSynkroEntries2(file.hooks, evt);
   }
-  file.hooks.sessionStart = file.hooks.sessionStart ?? [];
-  file.hooks.sessionStart.push({
-    command: config.sessionStartScriptPath,
-    timeout: 5,
+  const h = file.hooks;
+  pushCcHook(h, "sessionStart", config.sessionStartScriptPath, { timeout: 5 });
+  pushCcHook(h, "sessionEnd", config.stopSummaryScriptPath, { timeout: 10 });
+  pushCcHook(h, "beforeSubmitPrompt", config.userPromptSubmitScriptPath, { timeout: 5 });
+  pushCcHook(h, "stop", config.transcriptSyncScriptPath, { timeout: 3 });
+  h.beforeShellExecution = h.beforeShellExecution ?? [];
+  h.beforeShellExecution.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.beforeShellExecution = file.hooks.beforeShellExecution ?? [];
-  file.hooks.beforeShellExecution.push({
-    command: config.bashJudgeScriptPath,
-    timeout: 10,
-    failClosed: true,
+  pushCcHook(h, "afterShellExecution", config.bashFollowupScriptPath, { timeout: 10 });
+  h.preToolUse = h.preToolUse ?? [];
+  h.preToolUse.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
+    timeout: 15,
+    failClosed: false,
+    matcher: "Shell|Bash|Read|Grep|Glob",
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.preToolUse = file.hooks.preToolUse ?? [];
-  file.hooks.preToolUse.push({
-    command: config.editPrecheckScriptPath,
+  pushCcHook(h, "preToolUse", config.editPrecheckScriptPath, {
     timeout: 15,
-    [SYNKRO_MARKER2]: true
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
   });
-  file.hooks.afterFileEdit = file.hooks.afterFileEdit ?? [];
-  file.hooks.afterFileEdit.push({
-    command: config.editCaptureScriptPath,
+  pushCcHook(h, "preToolUse", config.cwePrecheckScriptPath, {
     timeout: 15,
-    [SYNKRO_MARKER2]: true
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
   });
-  file.hooks.postToolUse = file.hooks.postToolUse ?? [];
-  file.hooks.postToolUse.push({
-    command: config.bashFollowupScriptPath,
+  pushCcHook(h, "preToolUse", config.cvePrecheckScriptPath, {
     timeout: 10,
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit"
+  });
+  pushCcHook(h, "preToolUse", config.agentJudgeScriptPath, {
+    timeout: 15,
+    matcher: "Agent|Task"
+  });
+  pushCcHook(h, "preToolUse", config.planJudgeScriptPath, {
+    timeout: 20,
+    matcher: "ExitPlanMode|SwitchMode|CreatePlan"
+  });
+  h.afterFileEdit = h.afterFileEdit ?? [];
+  h.afterFileEdit.push({
+    command: bunRunCmd(config.editCaptureScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
+  pushCcHook(h, "postToolUse", config.bashFollowupScriptPath, {
+    timeout: 10,
+    matcher: "Shell|Bash"
+  });
   writeHooksFileAtomic(hooksJsonPath, file);
 }
 function uninstallCursorHooks(hooksJsonPath) {
@@ -382,24 +422,67 @@ function uninstallCursorHooks(hooksJsonPath) {
   writeHooksFileAtomic(hooksJsonPath, file);
   return true;
 }
+function preToolUseUsesScript(hooks, scriptBasename) {
+  return (hooks ?? []).some(
+    (e) => isSynkroEntry2(e) && typeof e.command === "string" && e.command.includes(scriptBasename)
+  );
+}
 function inspectCursorHooks(hooksJsonPath) {
   let file;
   try {
     file = readHooksFile(hooksJsonPath);
   } catch {
-    return { installed: false, sessionStart: false, beforeShellExecution: false, preToolUse: false, afterFileEdit: false, postToolUse: false };
+    return {
+      installed: false,
+      sessionStart: false,
+      sessionEnd: false,
+      beforeSubmitPrompt: false,
+      stop: false,
+      beforeShellExecution: false,
+      afterShellExecution: false,
+      preToolUse: false,
+      preToolUseBash: false,
+      preToolUseEdit: false,
+      preToolUseCwe: false,
+      preToolUseCve: false,
+      preToolUseAgent: false,
+      preToolUsePlan: false,
+      afterFileEdit: false,
+      postToolUse: false
+    };
   }
   const h = file.hooks ?? {};
   const sessionStart = (h.sessionStart ?? []).some((e) => isSynkroEntry2(e));
+  const sessionEnd = (h.sessionEnd ?? []).some((e) => isSynkroEntry2(e));
+  const beforeSubmitPrompt = (h.beforeSubmitPrompt ?? []).some((e) => isSynkroEntry2(e));
+  const stop = (h.stop ?? []).some((e) => isSynkroEntry2(e));
   const beforeShellExecution = (h.beforeShellExecution ?? []).some((e) => isSynkroEntry2(e));
-  const preToolUse = (h.preToolUse ?? []).some((e) => isSynkroEntry2(e));
+  const afterShellExecution = (h.afterShellExecution ?? []).some((e) => isSynkroEntry2(e));
+  const pre = h.preToolUse ?? [];
+  const preToolUseBash = preToolUseUsesScript(pre, "cc-bash-judge") || preToolUseUsesScript(pre, "cursor-bash-judge");
+  const preToolUseEdit = preToolUseUsesScript(pre, "cc-edit-precheck") || preToolUseUsesScript(pre, "cursor-edit-precheck");
+  const preToolUseCwe = preToolUseUsesScript(pre, "cc-cwe-precheck");
+  const preToolUseCve = preToolUseUsesScript(pre, "cc-cve-precheck");
+  const preToolUseAgent = preToolUseUsesScript(pre, "cc-agent-judge");
+  const preToolUsePlan = preToolUseUsesScript(pre, "cc-plan-judge");
+  const preToolUse = preToolUseBash || preToolUseEdit || preToolUseCwe || preToolUseCve || preToolUseAgent || preToolUsePlan;
   const afterFileEdit = (h.afterFileEdit ?? []).some((e) => isSynkroEntry2(e));
   const postToolUse = (h.postToolUse ?? []).some((e) => isSynkroEntry2(e));
   return {
-    installed: sessionStart || beforeShellExecution || preToolUse || afterFileEdit || postToolUse,
+    installed: sessionStart || sessionEnd || beforeSubmitPrompt || stop || beforeShellExecution || afterShellExecution || preToolUse || afterFileEdit || postToolUse,
     sessionStart,
+    sessionEnd,
+    beforeSubmitPrompt,
+    stop,
     beforeShellExecution,
+    afterShellExecution,
     preToolUse,
+    preToolUseBash,
+    preToolUseEdit,
+    preToolUseCwe,
+    preToolUseCve,
+    preToolUseAgent,
+    preToolUsePlan,
     afterFileEdit,
     postToolUse
   };
@@ -413,7 +496,17 @@ var init_cursorHookConfig = __esm({
       resolve(homedir2(), ".cursor"),
       resolve(homedir2(), ".config", "cursor")
     ];
-    ALL_EVENTS = ["sessionStart", "beforeShellExecution", "preToolUse", "afterFileEdit", "postToolUse"];
+    ALL_EVENTS = [
+      "sessionStart",
+      "sessionEnd",
+      "beforeSubmitPrompt",
+      "stop",
+      "beforeShellExecution",
+      "afterShellExecution",
+      "preToolUse",
+      "afterFileEdit",
+      "postToolUse"
+    ];
   }
 });
@@ -702,7 +795,7 @@ synkro_post_with_retry() {
 });
 // cli/installer/hookScriptsTs.ts
-var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_PRECHECK_TS, CURSOR_EDIT_CAPTURE_TS, CURSOR_BASH_FOLLOWUP_TS, CURSOR_SESSION_START_TS;
+var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_CAPTURE_TS;
 var init_hookScriptsTs = __esm({
   "cli/installer/hookScriptsTs.ts"() {
     "use strict";
@@ -739,7 +832,17 @@ if (existsSync(CONFIG_PATH)) {
   } catch {}
 }
-export const GATEWAY_URL = process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh';
+const ALLOWED_GATEWAY_HOSTS = new Set(['api.synkro.sh', 'localhost', '127.0.0.1']);
+function validateGatewayUrl(raw: string): string {
+  try {
+    const u = new URL(raw);
+    if (!ALLOWED_GATEWAY_HOSTS.has(u.hostname)) return 'https://api.synkro.sh';
+    return raw.replace(/\\/+$/, '');
+  } catch {
+    return 'https://api.synkro.sh';
+  }
+}
+export const GATEWAY_URL = validateGatewayUrl(process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh');
 export const CREDS_PATH = process.env.SYNKRO_CREDENTIALS_PATH || join(HOME, '.synkro', 'credentials.json');
 const LAST_PROMPT_FILE = join(HOME, '.synkro', '.last-prompt');
@@ -1083,11 +1186,11 @@ async function channelGrade(role: GradeRole, prompt: string, jwt: string, port:
   return String(data.result || '');
 }
-export async function localGrade(surface: string, prompt: string): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 20000): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929);
+  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929, timeoutMs);
 }
 export async function localGradeCwe(prompt: string): Promise<string> {
@@ -1101,6 +1204,7 @@ export async function localGradeCwe(prompt: string): Promise<string> {
 export interface Verdict {
   ok: boolean;
   reason: string;
+  suggestedFix: string;
   ruleId: string;
   ruleMode: string;
   severity: string;
@@ -1111,6 +1215,7 @@ export function parseVerdict(resp: string): Verdict {
   const verdict: Verdict = {
     ok: true,
     reason: '',
+    suggestedFix: '',
     ruleId: '',
     ruleMode: '',
     severity: 'low',
@@ -1129,6 +1234,9 @@ export function parseVerdict(resp: string): Verdict {
   const reasonMatch = inner.match(/<reason>(.*?)<\\/reason>/) || inner.match(/<reasoning>(.*?)<\\/reasoning>/);
   if (reasonMatch) verdict.reason = reasonMatch[1].trim();
+  const fixMatch = inner.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+  if (fixMatch) verdict.suggestedFix = fixMatch[1].trim();
   if (!verdict.ok) {
     const ruleIdMatch = inner.match(/<rule_id>(.*?)<\\/rule_id>/);
     const ruleModeMatch = inner.match(/<rule_mode>(.*?)<\\/rule_mode>/);
@@ -1147,6 +1255,10 @@ export function parseVerdict(resp: string): Verdict {
           const vReason = vBlock.match(/<reason>(.*?)<\\/reason>/);
           if (vReason) verdict.reason = vReason[1].trim();
         }
+        if (!verdict.suggestedFix) {
+          const vFix = vBlock.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+          if (vFix) verdict.suggestedFix = vFix[1].trim();
+        }
         if (!sevMatch) {
           const vSev = vBlock.match(/<severity>(.*?)<\\/severity>/);
           if (vSev) verdict.severity = vSev[1].trim();
@@ -1301,8 +1413,10 @@ export function reconstructContent(toolName: string, toolInput: any, filePath: s
     }
     case 'NotebookEdit':
       return toolInput.new_source || '';
+    case 'StrReplace':
+      return toolInput.new_string || toolInput.content || toolInput.code_edit || '';
     default:
-      return '';
+      return toolInput.content || toolInput.new_string || toolInput.code_edit || '';
   }
 }
@@ -1616,13 +1730,90 @@ export function dispatchFinding(
   }).catch(() => {});
 }
+// \u2500\u2500\u2500 Hook tool-name sets (CC + Cursor) \u2500\u2500\u2500
+export const EDIT_TOOL_NAMES = new Set([
+  'Edit', 'Write', 'MultiEdit', 'NotebookEdit', 'StrReplace',
+]);
+export const SHELL_TOOL_NAMES = new Set([
+  'Bash', 'Shell', 'Read', 'Grep', 'Glob', 'terminal', 'run_terminal_cmd', 'execute_command',
+]);
+export const AGENT_TOOL_NAMES = new Set(['Agent', 'Task']);
+export const PLAN_TOOL_NAMES = new Set(['ExitPlanMode', 'SwitchMode', 'CreatePlan']);
+export function isEditTool(toolName: string): boolean {
+  return EDIT_TOOL_NAMES.has(toolName);
+}
+export function isShellTool(toolName: string): boolean {
+  return SHELL_TOOL_NAMES.has(toolName);
+}
+export function isAgentTool(toolName: string): boolean {
+  return AGENT_TOOL_NAMES.has(toolName);
+}
+export function isPlanTool(toolName: string): boolean {
+  return PLAN_TOOL_NAMES.has(toolName);
+}
+export function hookSessionId(payload: Record<string, unknown>): string {
+  return String(payload.session_id ?? payload.conversation_id ?? '');
+}
+export function isCursorHookFormat(): boolean {
+  return process.env.SYNKRO_HOOK_FORMAT === 'cursor';
+}
+let cursorHookExited = false;
+export function setupCursorHookSignals(): void {
+  if (!isCursorHookFormat()) return;
+  process.on('SIGTERM', () => outputEmpty());
+}
+function cursorHookExit(): never {
+  cursorHookExited = true;
+  process.exit(0);
+}
 // \u2500\u2500\u2500 Output Helpers \u2500\u2500\u2500
 export function outputJson(obj: any): void {
+  if (isCursorHookFormat()) {
+    const hso = obj?.hookSpecificOutput;
+    const sys = typeof obj?.systemMessage === 'string' ? obj.systemMessage : '';
+    if (hso?.permissionDecision === 'deny') {
+      const reason = hso.permissionDecisionReason || hso.additionalContext || sys;
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({
+          permission: 'deny',
+          user_message: sys || reason,
+          agent_message: hso.additionalContext || reason,
+        }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    const ctx = sys || hso?.additionalContext;
+    if (ctx) {
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({ additional_context: ctx }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    outputEmpty();
+    return;
+  }
   console.log(JSON.stringify(obj));
 }
 export function outputEmpty(): void {
+  if (isCursorHookFormat()) {
+    if (!cursorHookExited) {
+      cursorHookExited = true;
+      try { process.stdout.write('{}\\n'); } catch {}
+    }
+    cursorHookExit();
+  }
   console.log('{}');
 }
 `;
@@ -1631,26 +1822,27 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -1841,24 +2033,25 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename, extname } from 'node:path';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
@@ -1959,6 +2152,12 @@ async function main() {
           if (id && !cweIds.includes(id)) cweIds.push(id);
         }
+        const fixMatches = gradeResp.match(/<suggested_fix>([^<]+)<\\/suggested_fix>/g) || [];
+        const fixes: Record<string, string> = {};
+        for (let i = 0; i < Math.min(cweIds.length, fixMatches.length); i++) {
+          fixes[cweIds[i]] = fixMatches[i].replace(/<\\/?suggested_fix>/g, '').trim();
+        }
         // Filter out exempted CWEs for this file
         const activeCweIds = cweIds.filter(id => !exemptedCwes.has(id.toUpperCase()));
@@ -1977,7 +2176,11 @@ async function main() {
         const label = count === 1 ? 'match' : 'matches';
         const cweMsg = cweTag + ' ' + fileShort + ' \\u2192 ' + count + ' CWE ' + label + ' (' + displayIds + ')';
         const denyDetail = '[' + displayIds + '] ' + (verdict.reason || 'code weakness detected');
-        const ctx = 'CWE: ' + denyDetail + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
+        const fixLines = activeCweIds
+          .filter(id => fixes[id])
+          .map(id => '[' + id + '] Fix: ' + fixes[id]);
+        const fixHint = fixLines.length > 0 ? '\\n' + fixLines.join('\\n') : '';
+        const ctx = 'CWE: ' + denyDetail + fixHint + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
         for (const cweId of activeCweIds) {
           dispatchFinding(jwt, {
@@ -2026,7 +2229,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   reconstructContent, readStdin, findNearestDeps, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename } from 'node:path';
@@ -2044,19 +2247,20 @@ function isManifest(filename: string): boolean {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
@@ -2173,7 +2377,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
@@ -2249,19 +2453,20 @@ interface PkgMeta {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Bash', 'Read', 'Grep', 'Glob'].includes(toolName)) {
+    if (!isShellTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -2270,7 +2475,12 @@ async function main() {
     let command = '';
     switch (toolName) {
-      case 'Bash': command = toolInput.command || ''; break;
+      case 'Bash':
+      case 'Shell':
+      case 'terminal':
+      case 'run_terminal_cmd':
+      case 'execute_command':
+        command = toolInput.command || ''; break;
       case 'Read': command = 'cat ' + (toolInput.file_path || ''); break;
       case 'Grep': command = "grep -r '" + (toolInput.pattern || '') + "' " + (toolInput.path || '.'); break;
       case 'Glob': command = "find . -name '" + (toolInput.pattern || '') + "'"; break;
@@ -2601,24 +2811,25 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Agent') {
+    if (!isAgentTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -2764,14 +2975,13 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, postWithRetry, readStdin, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
-function findLatestPlan(): string | null {
-  const plansDir = join(homedir(), '.claude', 'plans');
+function findLatestPlanInDir(plansDir: string): string | null {
   if (!existsSync(plansDir)) return null;
   try {
     const files = readdirSync(plansDir)
@@ -2784,6 +2994,23 @@ function findLatestPlan(): string | null {
   }
 }
+function findLatestPlan(): string | null {
+  const dirs = [
+    join(homedir(), '.claude', 'plans'),
+    join(homedir(), '.cursor', 'plans'),
+  ];
+  let best: { path: string; mtime: number } | null = null;
+  for (const dir of dirs) {
+    const p = findLatestPlanInDir(dir);
+    if (!p) continue;
+    try {
+      const mtime = statSync(p).mtimeMs;
+      if (!best || mtime > best.mtime) best = { path: p, mtime };
+    } catch {}
+  }
+  return best?.path ?? null;
+}
 function appendReviewToPlan(planFile: string, verdict: string): void {
   try {
     let content = readFileSync(planFile, 'utf-8');
@@ -2795,20 +3022,21 @@ function appendReviewToPlan(planFile: string, verdict: string): void {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'ExitPlanMode') { outputEmpty(); return; }
+    if (!isPlanTool(toolName)) { outputEmpty(); return; }
     const planFile = findLatestPlan();
     if (!planFile) { outputEmpty(); return; }
     const plan = readFileSync(planFile, 'utf-8');
     if (plan.length < 20) { outputEmpty(); return; }
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
@@ -2913,16 +3141,17 @@ main();
     STOP_SUMMARY_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage,
-  outputJson, outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputJson, outputEmpty, appendLocalTelemetry, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     if (!sessionId) { outputEmpty(); return; }
     const cwd = payload.cwd || '';
@@ -3000,18 +3229,19 @@ main();
     SESSION_START_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, channelUp, tag, readStdin,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
   type HookConfig,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const cwd = payload.cwd || '';
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const gitRepo = detectRepo(cwd || '.');
     let jwt = loadJwt();
@@ -3064,27 +3294,33 @@ main();
     BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
 import {
   loadJwt, loadConfig, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
-  outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Bash') { outputEmpty(); return; }
+    const shellCmd = typeof payload.command === 'string' ? payload.command : (payload.tool_input?.command || '');
+    if (!isShellTool(toolName) && !shellCmd) { outputEmpty(); return; }
     const jwt = loadJwt();
     if (!jwt) { outputEmpty(); return; }
-    const sessionId = payload.session_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    if (!sessionId || !toolUseId) { outputEmpty(); return; }
+    const sessionId = hookSessionId(payload);
+    const toolUseId = payload.tool_use_id || payload.tool_call_id || 'cursor-shell';
+    if (!sessionId) { outputEmpty(); return; }
-    const isError = payload.tool_result?.is_error === true;
-    const cmd = payload.tool_input?.command || '';
+    let isError = payload.tool_result?.is_error === true;
+    try {
+      const out = JSON.parse(payload.tool_output || '{}');
+      if (out.exitCode !== 0 || out.is_error === true) isError = true;
+    } catch {}
+    const cmd = shellCmd;
     const cmdHash = cmd ? hashCommand(cmd) : '';
     if (cmdHash && sessionId) {
@@ -3128,19 +3364,20 @@ main();
     TRANSCRIPT_SYNC_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
-  outputEmpty, GATEWAY_URL,
+  outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     const cwd = payload.cwd || '';
@@ -3268,15 +3505,16 @@ async function main() {
 main();
 `;
     USER_PROMPT_SUBMIT_TS = `#!/usr/bin/env bun
-import { readStdin, appendLocalTelemetry, aggregateUsage } from './_synkro-common.ts';
+import { readStdin, appendLocalTelemetry, aggregateUsage, outputEmpty, setupCursorHookSignals, hookSessionId } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
-    if (!input.trim()) return;
+    if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const msg = payload.message || payload.prompt || payload.content || '';
     if (msg) {
@@ -3285,7 +3523,7 @@ async function main() {
       writeFileSync(promptFile, msg, 'utf-8');
     }
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     if (sessionId && transcriptPath) {
       const usage = aggregateUsage(transcriptPath);
@@ -3306,7 +3544,10 @@ async function main() {
         });
       }
     }
-  } catch {}
+    outputEmpty();
+  } catch {
+    outputEmpty();
+  }
 }
 main();
@@ -3315,38 +3556,99 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
+  extractTranscript, readLastPrompt, log, GATEWAY_URL,
+  type Rule,
 } from './_synkro-common.ts';
+// Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
+const CURSOR_GRADE_TIMEOUT_MS = 7500;
+const CURSOR_CLOUD_TIMEOUT_MS = 6000;
+let hookDone = false;
+function finishAllow(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
+function finishWith(payload: Record<string, unknown>): never {
+  hookDone = true;
+  process.stdout.write(JSON.stringify(payload) + '\\n');
+  process.exit(0);
+}
+process.on('SIGTERM', () => finishAllow());
+const SHELL_TOOL_NAMES = new Set(['Bash', 'Shell', 'terminal', 'run_terminal_cmd', 'execute_command']);
+const BASH_PRE_TOOL_NAMES = new Set(['Bash', 'Shell', 'Read', 'Grep', 'Glob', ...SHELL_TOOL_NAMES]);
+function extractCommand(payload: Record<string, unknown>): { command: string; toolName: string } {
+  const direct = typeof payload.command === 'string' ? payload.command : '';
+  if (direct) return { command: direct, toolName: 'Bash' };
+  const toolName = typeof payload.tool_name === 'string' ? payload.tool_name : '';
+  if (!BASH_PRE_TOOL_NAMES.has(toolName)) return { command: '', toolName };
+  const toolInput = (payload.tool_input && typeof payload.tool_input === 'object')
+    ? payload.tool_input as Record<string, unknown>
+    : {};
+  let command = '';
+  switch (toolName) {
+    case 'Bash':
+    case 'Shell':
+    case 'terminal':
+    case 'run_terminal_cmd':
+    case 'execute_command':
+      command = String(toolInput.command ?? '');
+      break;
+    case 'Read':
+      command = 'cat ' + String(toolInput.file_path ?? toolInput.path ?? '');
+      break;
+    case 'Grep':
+      command = "grep -r '" + String(toolInput.pattern ?? '') + "' " + String(toolInput.path ?? '.');
+      break;
+    case 'Glob':
+      command = "find . -name '" + String(toolInput.pattern ?? '') + "'";
+      break;
+  }
+  return { command, toolName: toolName || 'Bash' };
+}
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finishAllow();
-    const payload = JSON.parse(input);
-    const command = payload.command || '';
-    if (!command) { process.stdout.write('{}\\n'); return; }
+    const payload = JSON.parse(input) as Record<string, unknown>;
+    const { command, toolName } = extractCommand(payload);
+    if (!command) finishAllow();
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
+    const cwd = typeof payload.cwd === 'string' ? payload.cwd : '';
+    const sessionId = String(payload.conversation_id ?? payload.session_id ?? '');
+    const transcriptPath = typeof payload.transcript_path === 'string' ? payload.transcript_path : '';
     const repo = detectRepo(cwd || '.');
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finishAllow();
     jwt = await ensureFreshJwt(jwt);
+    const transcript = extractTranscript(transcriptPath);
+    const lastPrompt = readLastPrompt();
     const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
+    if (config.silent) finishAllow();
     const rt = await route(config);
     const tagStr = tag(rt, config);
     if (rt === 'local') {
-      // Build grading prompt with rules
       const rulesBlock = config.rules.map((r: Rule, i: number) =>
         (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
       ).join('\\n');
@@ -3357,14 +3659,17 @@ async function main() {
         '',
         'COMMAND TO EVALUATE:',
         command,
+        '',
+        'User intent (last human message): ' + (transcript.userIntent || lastPrompt || 'none stated'),
+        'Last user prompt: ' + (lastPrompt || 'none'),
       ].join('\\n');
       let gradeResp: string;
       try {
-        gradeResp = await localGrade('bash', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
+        gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS);
+      } catch (e) {
+        log('bashGuard ' + cmdShort + ' \u2192 pass (grade unavailable): ' + String(e));
+        finishAllow();
       }
       const verdict = parseVerdict(gradeResp);
@@ -3379,16 +3684,13 @@ async function main() {
               command, reasoning: guardReason,
               rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
             });
-          const result = {
+          finishWith({
             permission: 'deny',
-            user_message: tagStr + ' bashGuard \\u2192 block: ' + guardReason,
+            user_message: tagStr + ' bashGuard \u2192 block: ' + guardReason,
             agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
+          });
         }
-        // Audit mode \u2014 warn but allow
         dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
           'Bash', repo, sessionId, config.captureDepth, {
             command, reasoning: guardReason,
@@ -3402,177 +3704,46 @@ async function main() {
           });
       }
-      process.stdout.write('{}\\n');
-      return;
+      log('bashGuard ' + cmdShort + ' \u2192 pass');
+      finishAllow();
     }
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
+    const body: Record<string, any> = {
       hook_event: 'PreToolUse',
-      tool_name: 'Bash',
+      tool_name: toolName || 'Bash',
       tool_input: { command },
       response_format: 'cursor',
+      user_intent: transcript.userIntent || null,
+      last_user_message: lastPrompt || null,
+      recent_user_messages: transcript.recentUserMessages,
+      recent_messages: transcript.recentMessages,
       session_id: sessionId || null,
       cwd: cwd || null,
       repo: repo || null,
     };
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 6000);
-    if (!resp) {
-      log('bashGuard ' + cmdShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
-    }
-    if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
-    }
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-main();
-`;
-    CURSOR_EDIT_PRECHECK_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
-} from './_synkro-common.ts';
-import { basename } from 'node:path';
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-    const toolInput = payload.tool_input || {};
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
-    const filePath = toolInput.file_path || toolInput.path || toolInput.target_file || '';
-    const content = toolInput.content || toolInput.new_string || toolInput.code_edit || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
-    const fileShort = basename(filePath);
-    log('editGuard checking: ' + fileShort);
-    const repo = detectRepo(cwd || '.');
-    let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
-    jwt = await ensureFreshJwt(jwt);
-    const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-    if (rt === 'local') {
-      const contentShort = content.slice(0, 4000);
-      const rulesBlock = config.rules.map((r: Rule, i: number) =>
-        (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
-      ).join('\\n');
-      const graderPrompt = [
-        'RULES:',
-        rulesBlock || '(none)',
-        '',
-        'FILE: ' + filePath,
-        '',
-        'CONTENT TO EVALUATE (first 4000 chars):',
-        contentShort,
-      ].join('\\n');
-      let gradeResp: string;
-      try {
-        gradeResp = await localGrade('edit', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
-      }
-      const verdict = parseVerdict(gradeResp);
-      const editContent = 'file=' + filePath + ' content=' + content.slice(0, 2000);
-      if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
-        const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-        if (mode !== 'audit') {
-          dispatchCapture(jwt, 'edit', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName || 'Edit', repo, sessionId, config.captureDepth, {
-              command: editContent, reasoning: guardReason,
-              rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-            });
-          const result = {
-            permission: 'deny',
-            user_message: tagStr + ' editGuard ' + fileShort + ' \\u2192 block: ' + guardReason,
-            agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
-        }
-        // Audit mode
-        dispatchCapture(jwt, 'edit', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: guardReason,
-            rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-          });
-      } else {
-        dispatchCapture(jwt, 'edit', 'pass', 'audit', verdict.category || 'trivial_edit',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: verdict.reason || 'no policy violations detected',
-            rulesChecked: config.rules, violatedRules: [],
-          });
-      }
-      process.stdout.write('{}\\n');
-      return;
-    }
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
-      hook_event: 'PreToolUse',
-      tool_name: toolName || 'Edit',
-      tool_input: { file_path: filePath, content },
-      file_path: filePath,
-      content,
-      response_format: 'cursor',
-      session_id: sessionId || null,
-      cwd: cwd || null,
-      repo: repo || null,
-    };
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 8000);
+    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, CURSOR_CLOUD_TIMEOUT_MS);
     if (!resp) {
-      log('editGuard ' + fileShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
+      log('bashGuard ' + cmdShort + ' \u2192 pass (cloud timeout)');
+      finishAllow();
     }
     if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
+      finishWith(resp.hook_response as Record<string, unknown>);
     }
-  } catch {
-    process.stdout.write('{}\\n');
+    log('bashGuard ' + cmdShort + ' \u2192 pass (no hook_response)');
+    finishAllow();
+  } catch (e) {
+    log('bashGuard error: ' + String(e));
+    finishAllow();
   }
 }
-main();
-`;
+main().catch((e) => {
+  log('bashGuard fatal: ' + String(e));
+  finishAllow();
+});`;
     CURSOR_EDIT_CAPTURE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, readStdin,
@@ -3582,26 +3753,37 @@ import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 import { homedir } from 'node:os';
+let hookDone = false;
+function finish(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
+process.on('SIGTERM', () => finish());
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finish();
     const payload = JSON.parse(input);
     const filePath = payload.file_path || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
+    if (!filePath) finish();
-    const cwd = payload.cwd || '';
+    const cwd = payload.cwd || payload.workspace_roots?.[0] || '';
     const sessionId = payload.conversation_id || '';
     const repo = detectRepo(cwd || '.');
     log('editScan ' + basename(filePath));
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finish();
     jwt = await ensureFreshJwt(jwt);
-    // Read actual file content (up to 50KB)
     let fileContent = '';
     const fullPath = filePath.startsWith('/') ? filePath : (cwd ? join(cwd, filePath) : filePath);
     try {
@@ -3611,7 +3793,6 @@ async function main() {
       }
     } catch {}
-    // Walk up to find package.json dependencies
     let dependencies: Record<string, string> = {};
     let pkgDir = cwd || dirname(fullPath);
     while (pkgDir !== '/' && pkgDir !== '.') {
@@ -3638,12 +3819,10 @@ async function main() {
     if (cwd) captureBody.cwd = cwd;
     if (repo) captureBody.repo = repo;
-    // Check if local_only
     const rulesPath = join(homedir(), '.synkro', 'rules.json');
     if (existsSync(rulesPath)) {
       appendLocalTelemetry(captureBody);
     } else {
-      // Fire-and-forget to cloud
       fetch(GATEWAY_URL + '/api/v1/hook/capture', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -3653,157 +3832,17 @@ async function main() {
       appendLocalTelemetry(captureBody);
     }
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
+    finish();
+  } catch (e) {
+    log('editScan error: ' + String(e));
+    finish();
   }
 }
-main();
-`;
-    CURSOR_BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, readStdin, appendLocalTelemetry, log, GATEWAY_URL,
-} from './_synkro-common.ts';
-import { existsSync, readFileSync, writeFileSync, appendFileSync, mkdirSync } from 'node:fs';
-import { join, dirname } from 'node:path';
-import { createHash } from 'node:crypto';
-import { homedir } from 'node:os';
-const CONSENT_FILE = join(homedir(), '.synkro', '.local-consent');
-function hashCmd(cmd: string): string {
-  return createHash('sha256').update(cmd).digest('hex').slice(0, 16);
-}
-function consentGrant(sid: string, hash: string): void {
-  try {
-    const dir = dirname(CONSENT_FILE);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-    appendFileSync(CONSENT_FILE, sid + '\\t' + hash + '\\tactive\\n', 'utf-8');
-  } catch {}
-}
-function consentHasActive(sid: string, hash: string): boolean {
-  try {
-    if (!existsSync(CONSENT_FILE)) return false;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    return content.includes(sid + '\\t' + hash + '\\tactive');
-  } catch {
-    return false;
-  }
-}
-function consentConsume(sid: string, hash: string): void {
-  try {
-    if (!existsSync(CONSENT_FILE)) return;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    const target = sid + '\\t' + hash + '\\tactive';
-    const replacement = sid + '\\t' + hash + '\\tconsumed';
-    const updated = content.split('\\n').map((l: string) => l === target ? replacement : l).join('\\n');
-    writeFileSync(CONSENT_FILE, updated, 'utf-8');
-  } catch {}
-}
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-    // Only process shell/bash tool types
-    const shellTools = ['Shell', 'Bash', 'terminal', 'run_terminal_cmd', 'execute_command'];
-    if (!shellTools.includes(toolName)) { process.stdout.write('{}\\n'); return; }
-    const sessionId = payload.conversation_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    const isError = payload.tool_result?.is_error === true;
-    const command = payload.tool_input?.command || '';
-    const cmdHash = command ? hashCmd(command) : '';
-    // Consent tracking
-    if (cmdHash && sessionId) {
-      if (!isError) {
-        consentConsume(sessionId, cmdHash);
-      } else {
-        if (!consentHasActive(sessionId, cmdHash)) {
-          consentGrant(sessionId, cmdHash);
-        }
-      }
-    }
-    // Build capture body
-    const captureBody: Record<string, any> = {
-      capture_type: 'bash_followup',
-      session_id: sessionId || null,
-      tool_use_id: toolUseId || null,
-      is_error: isError,
-      command_hash: cmdHash,
-    };
-    // Check if local_only
-    const rulesPath = join(homedir(), '.synkro', 'rules.json');
-    if (existsSync(rulesPath)) {
-      appendLocalTelemetry(captureBody);
-    } else {
-      const jwt = loadJwt();
-      if (jwt && sessionId && toolUseId) {
-        fetch(GATEWAY_URL + '/api/v1/hook/capture', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
-          body: JSON.stringify(captureBody),
-          signal: AbortSignal.timeout(3000),
-        }).catch(() => {});
-      }
-      appendLocalTelemetry(captureBody);
-    }
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-main();
-`;
-    CURSOR_SESSION_START_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, loadConfig, readStdin,
-  type HookConfig,
-} from './_synkro-common.ts';
-async function main() {
-  try {
-    const input = await readStdin();
-    let jwt = loadJwt();
-    const config: HookConfig = jwt ? await loadConfig(jwt) : {
-      captureDepth: 'local_only', tier: 'standard', silent: false,
-      policyName: '', rules: [], scanExemptions: [],
-    };
-    const policyName = config.policyName || 'default';
-    const ruleCount = config.rules.length;
-    const mode = config.silent ? 'silent' : 'active';
-    const context = [
-      'This session is monitored by Synkro (' + mode + ' mode, policy: "' + policyName + '", ' + ruleCount + ' rules).',
-      'Synkro enforces security and compliance rules on tool calls (shell commands, file edits).',
-      'If a tool call is blocked, Synkro will explain which rule was violated and why.',
-      'Do not suggest workarounds to bypass Synkro hooks \u2014 fix the underlying issue instead.',
-    ].join(' ');
-    const result = { additional_context: context };
-    process.stdout.write(JSON.stringify(result) + '\\n');
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-main();
-`;
+main().catch((e) => {
+  log('editScan fatal: ' + String(e));
+  finish();
+});`;
   }
 });
@@ -6048,10 +6087,7 @@ function writeHookScripts() {
   const commonScriptPath = join11(HOOKS_DIR, "_synkro-common.ts");
   const commonBashScriptPath = join11(HOOKS_DIR, "_synkro-common.sh");
   const cursorBashJudgePath = join11(HOOKS_DIR, "cursor-bash-judge.ts");
-  const cursorEditPrecheckPath = join11(HOOKS_DIR, "cursor-edit-precheck.ts");
   const cursorEditCapturePath = join11(HOOKS_DIR, "cursor-edit-capture.ts");
-  const cursorBashFollowupPath = join11(HOOKS_DIR, "cursor-bash-followup.ts");
-  const cursorSessionStartPath = join11(HOOKS_DIR, "cursor-session-start.ts");
   const mcpLocalServerPath = join11(HOOKS_DIR, "mcp-local-server.ts");
   writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
   writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
@@ -6067,10 +6103,7 @@ function writeHookScripts() {
   writeFileSync7(commonScriptPath, SYNKRO_COMMON_TS, "utf-8");
   writeFileSync7(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
-  writeFileSync7(cursorEditPrecheckPath, CURSOR_EDIT_PRECHECK_TS, "utf-8");
   writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
-  writeFileSync7(cursorBashFollowupPath, CURSOR_BASH_FOLLOWUP_TS, "utf-8");
-  writeFileSync7(cursorSessionStartPath, CURSOR_SESSION_START_TS, "utf-8");
   writeFileSync7(mcpLocalServerPath, `#!/usr/bin/env bun
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
@@ -6891,10 +6924,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
   chmodSync2(commonScriptPath, 493);
   chmodSync2(commonBashScriptPath, 493);
   chmodSync2(cursorBashJudgePath, 493);
-  chmodSync2(cursorEditPrecheckPath, 493);
   chmodSync2(cursorEditCapturePath, 493);
-  chmodSync2(cursorBashFollowupPath, 493);
-  chmodSync2(cursorSessionStartPath, 493);
   chmodSync2(mcpLocalServerPath, 493);
   return {
     bashScript: bashScriptPath,
@@ -6909,10 +6939,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
     transcriptSyncScript: transcriptSyncScriptPath,
     userPromptSubmitScript: userPromptSubmitScriptPath,
     cursorBashJudgeScript: cursorBashJudgePath,
-    cursorEditPrecheckScript: cursorEditPrecheckPath,
     cursorEditCaptureScript: cursorEditCapturePath,
-    cursorBashFollowupScript: cursorBashFollowupPath,
-    cursorSessionStartScript: cursorSessionStartPath,
     mcpLocalServerScript: mcpLocalServerPath
   };
 }
@@ -6945,7 +6972,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.67")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.68")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7396,10 +7423,17 @@ async function installCommand(opts = {}) {
       hasCursor = true;
       installCursorHooks(agent.settingsPath, {
         bashJudgeScriptPath: scripts.cursorBashJudgeScript,
-        editPrecheckScriptPath: scripts.cursorEditPrecheckScript,
         editCaptureScriptPath: scripts.cursorEditCaptureScript,
-        bashFollowupScriptPath: scripts.cursorBashFollowupScript,
-        sessionStartScriptPath: scripts.cursorSessionStartScript
+        bashFollowupScriptPath: scripts.bashFollowupScript,
+        editPrecheckScriptPath: scripts.editPrecheckScript,
+        cwePrecheckScriptPath: scripts.cwePrecheckScript,
+        cvePrecheckScriptPath: scripts.cvePrecheckScript,
+        planJudgeScriptPath: scripts.planJudgeScript,
+        agentJudgeScriptPath: scripts.agentJudgeScript,
+        stopSummaryScriptPath: scripts.stopSummaryScript,
+        sessionStartScriptPath: scripts.sessionStartScript,
+        userPromptSubmitScriptPath: scripts.userPromptSubmitScript,
+        transcriptSyncScriptPath: scripts.transcriptSyncScript
       });
       console.log(`Configured ${agent.name} hooks at ${agent.settingsPath}`);
     }
@@ -7971,10 +8005,20 @@ async function statusCommand() {
         const hooks = inspectCursorHooks(a.settingsPath);
         console.log(`    hooks installed: ${hooks.installed ? "\u2713" : "\u2717"}`);
         if (hooks.installed) {
+          console.log(`      \u2022 sessionStart:         ${hooks.sessionStart ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 sessionEnd:           ${hooks.sessionEnd ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 beforeSubmitPrompt:   ${hooks.beforeSubmitPrompt ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 beforeShellExecution: ${hooks.beforeShellExecution ? "\u2713" : "\u2717"}`);
-          console.log(`      \u2022 preToolUse:           ${hooks.preToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 afterShellExecution:  ${hooks.afterShellExecution ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Bash:      ${hooks.preToolUseBash ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Edit:      ${hooks.preToolUseEdit ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CWE:       ${hooks.preToolUseCwe ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CVE:       ${hooks.preToolUseCve ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Agent:     ${hooks.preToolUseAgent ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Plan:      ${hooks.preToolUsePlan ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 afterFileEdit:        ${hooks.afterFileEdit ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 postToolUse:          ${hooks.postToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 stop (transcript):    ${hooks.stop ? "\u2713" : "\u2717"}`);
         }
       }
     }
@@ -7988,6 +8032,7 @@ async function statusCommand() {
     "cc-cwe-precheck.ts",
     "cc-cve-precheck.ts",
     "cc-plan-judge.ts",
+    "cc-agent-judge.ts",
     "cc-stop-summary.ts",
     "cc-session-start.ts",
     "cc-transcript-sync.ts",
@@ -7995,10 +8040,19 @@ async function statusCommand() {
     "_synkro-common.ts"
   ];
   const cursorHooks = [
-    "cursor-bash-judge.sh",
-    "cursor-edit-precheck.sh",
-    "cursor-bash-followup.sh",
-    "_synkro-common.sh"
+    "cursor-bash-judge.ts",
+    "cursor-edit-capture.ts",
+    "cc-edit-precheck.ts",
+    "cc-cwe-precheck.ts",
+    "cc-cve-precheck.ts",
+    "cc-agent-judge.ts",
+    "cc-plan-judge.ts",
+    "cc-session-start.ts",
+    "cc-stop-summary.ts",
+    "cc-bash-followup.ts",
+    "cc-user-prompt-submit.ts",
+    "cc-transcript-sync.ts",
+    "_synkro-common.ts"
   ];
   console.log("Hook scripts (Claude Code):");
   for (const f of ccHooks) {