npm - @synkro-sh/cli - Versions diffs - 1.4.67 → 1.4.69 - Mend

@synkro-sh/cli 1.4.67 → 1.4.69

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -286,6 +286,15 @@ var init_ccHookConfig = __esm({
 import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, renameSync as renameSync2, mkdirSync as mkdirSync2 } from "fs";
 import { dirname as dirname2, resolve, normalize } from "path";
 import { homedir as homedir2 } from "os";
+function shellQuote(s) {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+function cursorCcCmd(scriptPath) {
+  return "env SYNKRO_HOOK_FORMAT=cursor bun run " + shellQuote(scriptPath);
+}
+function bunRunCmd(scriptPath) {
+  return "bun run " + shellQuote(scriptPath);
+}
 function validateHooksPath(path) {
   const resolved = resolve(normalize(path));
   if (!ALLOWED_PARENT_DIRS.some((dir) => resolved.startsWith(dir + "/") || resolved === dir)) {
@@ -320,6 +329,16 @@ function removeSynkroEntries2(hooks, event) {
   if (!Array.isArray(arr)) return;
   hooks[event] = arr.filter((entry) => !isSynkroEntry2(entry));
 }
+function pushCcHook(hooks, event, scriptPath, opts) {
+  hooks[event] = hooks[event] ?? [];
+  hooks[event].push({
+    command: cursorCcCmd(scriptPath),
+    timeout: opts.timeout,
+    failClosed: opts.failClosed ?? false,
+    ...opts.matcher ? { matcher: opts.matcher } : {},
+    [SYNKRO_MARKER2]: true
+  });
+}
 function installCursorHooks(hooksJsonPath, config) {
   const file = readHooksFile(hooksJsonPath);
   file.version = file.version ?? 1;
@@ -327,37 +346,58 @@ function installCursorHooks(hooksJsonPath, config) {
   for (const evt of ALL_EVENTS) {
     removeSynkroEntries2(file.hooks, evt);
   }
-  file.hooks.sessionStart = file.hooks.sessionStart ?? [];
-  file.hooks.sessionStart.push({
-    command: config.sessionStartScriptPath,
-    timeout: 5,
+  const h = file.hooks;
+  pushCcHook(h, "sessionStart", config.sessionStartScriptPath, { timeout: 5 });
+  pushCcHook(h, "sessionEnd", config.stopSummaryScriptPath, { timeout: 10 });
+  pushCcHook(h, "beforeSubmitPrompt", config.userPromptSubmitScriptPath, { timeout: 5 });
+  pushCcHook(h, "stop", config.transcriptSyncScriptPath, { timeout: 3 });
+  h.beforeShellExecution = h.beforeShellExecution ?? [];
+  h.beforeShellExecution.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.beforeShellExecution = file.hooks.beforeShellExecution ?? [];
-  file.hooks.beforeShellExecution.push({
-    command: config.bashJudgeScriptPath,
-    timeout: 10,
-    failClosed: true,
+  pushCcHook(h, "afterShellExecution", config.bashFollowupScriptPath, { timeout: 10 });
+  h.preToolUse = h.preToolUse ?? [];
+  h.preToolUse.push({
+    command: bunRunCmd(config.bashJudgeScriptPath),
+    timeout: 15,
+    failClosed: false,
+    matcher: "Shell|Bash|Read|ReadFile|Grep|Glob|terminal|run_terminal_cmd|execute_command|read_file|grep_search|file_search|list_dir|codebase_search|delete_file",
     [SYNKRO_MARKER2]: true
   });
-  file.hooks.preToolUse = file.hooks.preToolUse ?? [];
-  file.hooks.preToolUse.push({
-    command: config.editPrecheckScriptPath,
+  pushCcHook(h, "preToolUse", config.editPrecheckScriptPath, {
     timeout: 15,
-    [SYNKRO_MARKER2]: true
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook"
   });
-  file.hooks.afterFileEdit = file.hooks.afterFileEdit ?? [];
-  file.hooks.afterFileEdit.push({
-    command: config.editCaptureScriptPath,
+  pushCcHook(h, "preToolUse", config.cwePrecheckScriptPath, {
     timeout: 15,
-    [SYNKRO_MARKER2]: true
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook"
   });
-  file.hooks.postToolUse = file.hooks.postToolUse ?? [];
-  file.hooks.postToolUse.push({
-    command: config.bashFollowupScriptPath,
+  pushCcHook(h, "preToolUse", config.cvePrecheckScriptPath, {
     timeout: 10,
+    matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook"
+  });
+  pushCcHook(h, "preToolUse", config.agentJudgeScriptPath, {
+    timeout: 15,
+    matcher: "Agent|Task"
+  });
+  pushCcHook(h, "preToolUse", config.planJudgeScriptPath, {
+    timeout: 20,
+    matcher: "ExitPlanMode|SwitchMode|CreatePlan"
+  });
+  h.afterFileEdit = h.afterFileEdit ?? [];
+  h.afterFileEdit.push({
+    command: bunRunCmd(config.editCaptureScriptPath),
+    timeout: 15,
+    failClosed: false,
     [SYNKRO_MARKER2]: true
   });
+  pushCcHook(h, "postToolUse", config.bashFollowupScriptPath, {
+    timeout: 10,
+    matcher: "Shell|Bash|terminal|run_terminal_cmd|execute_command|delete_file"
+  });
   writeHooksFileAtomic(hooksJsonPath, file);
 }
 function uninstallCursorHooks(hooksJsonPath) {
@@ -382,24 +422,67 @@ function uninstallCursorHooks(hooksJsonPath) {
   writeHooksFileAtomic(hooksJsonPath, file);
   return true;
 }
+function preToolUseUsesScript(hooks, scriptBasename) {
+  return (hooks ?? []).some(
+    (e) => isSynkroEntry2(e) && typeof e.command === "string" && e.command.includes(scriptBasename)
+  );
+}
 function inspectCursorHooks(hooksJsonPath) {
   let file;
   try {
     file = readHooksFile(hooksJsonPath);
   } catch {
-    return { installed: false, sessionStart: false, beforeShellExecution: false, preToolUse: false, afterFileEdit: false, postToolUse: false };
+    return {
+      installed: false,
+      sessionStart: false,
+      sessionEnd: false,
+      beforeSubmitPrompt: false,
+      stop: false,
+      beforeShellExecution: false,
+      afterShellExecution: false,
+      preToolUse: false,
+      preToolUseBash: false,
+      preToolUseEdit: false,
+      preToolUseCwe: false,
+      preToolUseCve: false,
+      preToolUseAgent: false,
+      preToolUsePlan: false,
+      afterFileEdit: false,
+      postToolUse: false
+    };
   }
   const h = file.hooks ?? {};
   const sessionStart = (h.sessionStart ?? []).some((e) => isSynkroEntry2(e));
+  const sessionEnd = (h.sessionEnd ?? []).some((e) => isSynkroEntry2(e));
+  const beforeSubmitPrompt = (h.beforeSubmitPrompt ?? []).some((e) => isSynkroEntry2(e));
+  const stop = (h.stop ?? []).some((e) => isSynkroEntry2(e));
   const beforeShellExecution = (h.beforeShellExecution ?? []).some((e) => isSynkroEntry2(e));
-  const preToolUse = (h.preToolUse ?? []).some((e) => isSynkroEntry2(e));
+  const afterShellExecution = (h.afterShellExecution ?? []).some((e) => isSynkroEntry2(e));
+  const pre = h.preToolUse ?? [];
+  const preToolUseBash = preToolUseUsesScript(pre, "cc-bash-judge") || preToolUseUsesScript(pre, "cursor-bash-judge");
+  const preToolUseEdit = preToolUseUsesScript(pre, "cc-edit-precheck") || preToolUseUsesScript(pre, "cursor-edit-precheck");
+  const preToolUseCwe = preToolUseUsesScript(pre, "cc-cwe-precheck");
+  const preToolUseCve = preToolUseUsesScript(pre, "cc-cve-precheck");
+  const preToolUseAgent = preToolUseUsesScript(pre, "cc-agent-judge");
+  const preToolUsePlan = preToolUseUsesScript(pre, "cc-plan-judge");
+  const preToolUse = preToolUseBash || preToolUseEdit || preToolUseCwe || preToolUseCve || preToolUseAgent || preToolUsePlan;
   const afterFileEdit = (h.afterFileEdit ?? []).some((e) => isSynkroEntry2(e));
   const postToolUse = (h.postToolUse ?? []).some((e) => isSynkroEntry2(e));
   return {
-    installed: sessionStart || beforeShellExecution || preToolUse || afterFileEdit || postToolUse,
+    installed: sessionStart || sessionEnd || beforeSubmitPrompt || stop || beforeShellExecution || afterShellExecution || preToolUse || afterFileEdit || postToolUse,
     sessionStart,
+    sessionEnd,
+    beforeSubmitPrompt,
+    stop,
     beforeShellExecution,
+    afterShellExecution,
     preToolUse,
+    preToolUseBash,
+    preToolUseEdit,
+    preToolUseCwe,
+    preToolUseCve,
+    preToolUseAgent,
+    preToolUsePlan,
     afterFileEdit,
     postToolUse
   };
@@ -413,7 +496,17 @@ var init_cursorHookConfig = __esm({
       resolve(homedir2(), ".cursor"),
       resolve(homedir2(), ".config", "cursor")
     ];
-    ALL_EVENTS = ["sessionStart", "beforeShellExecution", "preToolUse", "afterFileEdit", "postToolUse"];
+    ALL_EVENTS = [
+      "sessionStart",
+      "sessionEnd",
+      "beforeSubmitPrompt",
+      "stop",
+      "beforeShellExecution",
+      "afterShellExecution",
+      "preToolUse",
+      "afterFileEdit",
+      "postToolUse"
+    ];
   }
 });
@@ -496,13 +589,76 @@ function inspectMcpConfig() {
   }
   return { installed: true, configPath: CC_CONFIG_PATH, url: entry.url };
 }
-var SYNKRO_MARKER3, SYNKRO_SERVER_NAME, CC_CONFIG_PATH;
+function readCursorMcpJson() {
+  if (!existsSync3(CURSOR_MCP_PATH)) return {};
+  try {
+    const raw = readFileSync3(CURSOR_MCP_PATH, "utf-8");
+    return JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`Failed to parse ${CURSOR_MCP_PATH}: ${err.message}`);
+  }
+}
+function writeCursorMcpJsonAtomic(config) {
+  mkdirSync3(dirname3(CURSOR_MCP_PATH), { recursive: true });
+  const tmpPath = `${CURSOR_MCP_PATH}.synkro.tmp`;
+  writeFileSync3(tmpPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  renameSync3(tmpPath, CURSOR_MCP_PATH);
+}
+function installCursorMcpConfig(opts) {
+  const config = readCursorMcpJson();
+  config.mcpServers = config.mcpServers ?? {};
+  for (const [name, entry] of Object.entries(config.mcpServers)) {
+    if (entry?.[SYNKRO_MARKER3] === true) delete config.mcpServers[name];
+  }
+  if (opts.local) {
+    const url2 = "http://127.0.0.1:8931/";
+    const tokenPath = join2(homedir3(), ".synkro", ".mcp-local-token");
+    let localToken = "";
+    try {
+      localToken = readFileSync3(tokenPath, "utf-8").trim();
+    } catch {
+    }
+    config.mcpServers[SYNKRO_SERVER_NAME] = {
+      url: url2,
+      ...localToken ? { headers: { Authorization: `Bearer ${localToken}` } } : {},
+      [SYNKRO_MARKER3]: true
+    };
+    writeCursorMcpJsonAtomic(config);
+    return { path: CURSOR_MCP_PATH, url: url2 };
+  }
+  const url = `${opts.gatewayUrl.replace(/\/$/, "")}/api/v1/mcp/guardrails`;
+  config.mcpServers[SYNKRO_SERVER_NAME] = {
+    url,
+    headers: { Authorization: `Bearer ${opts.bearerToken}` },
+    [SYNKRO_MARKER3]: true
+  };
+  writeCursorMcpJsonAtomic(config);
+  return { path: CURSOR_MCP_PATH, url };
+}
+function uninstallCursorMcpConfig() {
+  if (!existsSync3(CURSOR_MCP_PATH)) return false;
+  const config = readCursorMcpJson();
+  if (!config.mcpServers || Object.keys(config.mcpServers).length === 0) return false;
+  let removed = false;
+  for (const [name, entry] of Object.entries(config.mcpServers)) {
+    if (entry?.[SYNKRO_MARKER3] === true) {
+      delete config.mcpServers[name];
+      removed = true;
+    }
+  }
+  if (!removed) return false;
+  if (Object.keys(config.mcpServers).length === 0) delete config.mcpServers;
+  writeCursorMcpJsonAtomic(config);
+  return true;
+}
+var SYNKRO_MARKER3, SYNKRO_SERVER_NAME, CC_CONFIG_PATH, CURSOR_MCP_PATH;
 var init_mcpConfig = __esm({
   "cli/installer/mcpConfig.ts"() {
     "use strict";
     SYNKRO_MARKER3 = "__synkro_managed__";
     SYNKRO_SERVER_NAME = "synkro-guardrails";
     CC_CONFIG_PATH = join2(homedir3(), ".claude.json");
+    CURSOR_MCP_PATH = join2(homedir3(), ".cursor", "mcp.json");
   }
 });
@@ -702,7 +858,7 @@ synkro_post_with_retry() {
 });
 // cli/installer/hookScriptsTs.ts
-var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_PRECHECK_TS, CURSOR_EDIT_CAPTURE_TS, CURSOR_BASH_FOLLOWUP_TS, CURSOR_SESSION_START_TS;
+var SYNKRO_COMMON_TS, EDIT_PRECHECK_TS, CWE_PRECHECK_TS, CVE_PRECHECK_TS, BASH_JUDGE_TS, AGENT_JUDGE_TS, PLAN_JUDGE_TS, STOP_SUMMARY_TS, SESSION_START_TS, BASH_FOLLOWUP_TS, TRANSCRIPT_SYNC_TS, USER_PROMPT_SUBMIT_TS, CURSOR_BASH_JUDGE_TS, CURSOR_EDIT_CAPTURE_TS;
 var init_hookScriptsTs = __esm({
   "cli/installer/hookScriptsTs.ts"() {
     "use strict";
@@ -739,7 +895,17 @@ if (existsSync(CONFIG_PATH)) {
   } catch {}
 }
-export const GATEWAY_URL = process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh';
+const ALLOWED_GATEWAY_HOSTS = new Set(['api.synkro.sh', 'localhost', '127.0.0.1']);
+function validateGatewayUrl(raw: string): string {
+  try {
+    const u = new URL(raw);
+    if (!ALLOWED_GATEWAY_HOSTS.has(u.hostname)) return 'https://api.synkro.sh';
+    return raw.replace(/\\/+$/, '');
+  } catch {
+    return 'https://api.synkro.sh';
+  }
+}
+export const GATEWAY_URL = validateGatewayUrl(process.env.SYNKRO_GATEWAY_URL || 'https://api.synkro.sh');
 export const CREDS_PATH = process.env.SYNKRO_CREDENTIALS_PATH || join(HOME, '.synkro', 'credentials.json');
 const LAST_PROMPT_FILE = join(HOME, '.synkro', '.last-prompt');
@@ -1083,11 +1249,11 @@ async function channelGrade(role: GradeRole, prompt: string, jwt: string, port:
   return String(data.result || '');
 }
-export async function localGrade(surface: string, prompt: string): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 20000): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929);
+  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 8929, timeoutMs);
 }
 export async function localGradeCwe(prompt: string): Promise<string> {
@@ -1101,6 +1267,7 @@ export async function localGradeCwe(prompt: string): Promise<string> {
 export interface Verdict {
   ok: boolean;
   reason: string;
+  suggestedFix: string;
   ruleId: string;
   ruleMode: string;
   severity: string;
@@ -1111,6 +1278,7 @@ export function parseVerdict(resp: string): Verdict {
   const verdict: Verdict = {
     ok: true,
     reason: '',
+    suggestedFix: '',
     ruleId: '',
     ruleMode: '',
     severity: 'low',
@@ -1129,6 +1297,9 @@ export function parseVerdict(resp: string): Verdict {
   const reasonMatch = inner.match(/<reason>(.*?)<\\/reason>/) || inner.match(/<reasoning>(.*?)<\\/reasoning>/);
   if (reasonMatch) verdict.reason = reasonMatch[1].trim();
+  const fixMatch = inner.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+  if (fixMatch) verdict.suggestedFix = fixMatch[1].trim();
   if (!verdict.ok) {
     const ruleIdMatch = inner.match(/<rule_id>(.*?)<\\/rule_id>/);
     const ruleModeMatch = inner.match(/<rule_mode>(.*?)<\\/rule_mode>/);
@@ -1147,6 +1318,10 @@ export function parseVerdict(resp: string): Verdict {
           const vReason = vBlock.match(/<reason>(.*?)<\\/reason>/);
           if (vReason) verdict.reason = vReason[1].trim();
         }
+        if (!verdict.suggestedFix) {
+          const vFix = vBlock.match(/<suggested_fix>(.*?)<\\/suggested_fix>/);
+          if (vFix) verdict.suggestedFix = vFix[1].trim();
+        }
         if (!sevMatch) {
           const vSev = vBlock.match(/<severity>(.*?)<\\/severity>/);
           if (vSev) verdict.severity = vSev[1].trim();
@@ -1301,8 +1476,10 @@ export function reconstructContent(toolName: string, toolInput: any, filePath: s
     }
     case 'NotebookEdit':
       return toolInput.new_source || '';
+    case 'StrReplace':
+      return toolInput.new_string || toolInput.content || toolInput.code_edit || '';
     default:
-      return '';
+      return toolInput.content || toolInput.new_string || toolInput.code_edit || '';
   }
 }
@@ -1616,13 +1793,102 @@ export function dispatchFinding(
   }).catch(() => {});
 }
+// \u2500\u2500\u2500 Hook tool-name sets (CC + Cursor) \u2500\u2500\u2500
+export const EDIT_TOOL_NAMES = new Set([
+  'Edit', 'Write', 'MultiEdit', 'NotebookEdit', 'StrReplace',
+]);
+export const SHELL_TOOL_NAMES = new Set([
+  'Bash', 'Shell', 'Read', 'Grep', 'Glob', 'terminal', 'run_terminal_cmd', 'execute_command',
+]);
+export const AGENT_TOOL_NAMES = new Set(['Agent', 'Task']);
+export const PLAN_TOOL_NAMES = new Set(['ExitPlanMode', 'SwitchMode', 'CreatePlan']);
+export function isEditTool(toolName: string): boolean {
+  return EDIT_TOOL_NAMES.has(toolName);
+}
+export function isShellTool(toolName: string): boolean {
+  return SHELL_TOOL_NAMES.has(toolName);
+}
+export function isAgentTool(toolName: string): boolean {
+  return AGENT_TOOL_NAMES.has(toolName);
+}
+export function isPlanTool(toolName: string): boolean {
+  return PLAN_TOOL_NAMES.has(toolName);
+}
+export function hookSessionId(payload: Record<string, unknown>): string {
+  return String(payload.session_id ?? payload.conversation_id ?? '');
+}
+export function isCursorHookFormat(): boolean {
+  return process.env.SYNKRO_HOOK_FORMAT === 'cursor';
+}
+let cursorHookExited = false;
+export function setupCursorHookSignals(): void {
+  if (!isCursorHookFormat()) return;
+  process.on('SIGTERM', () => outputEmpty());
+}
+function cursorHookExit(): never {
+  cursorHookExited = true;
+  process.exit(0);
+}
 // \u2500\u2500\u2500 Output Helpers \u2500\u2500\u2500
 export function outputJson(obj: any): void {
+  if (isCursorHookFormat()) {
+    if (obj?.permission === 'allow') {
+      const u = typeof obj.user_message === 'string' ? obj.user_message : '';
+      const a = typeof obj.agent_message === 'string' ? obj.agent_message : u;
+      if (u || a) {
+        if (!cursorHookExited) {
+          cursorHookExited = true;
+          process.stdout.write(JSON.stringify({ permission: 'allow' }) + '\\n');
+        }
+        cursorHookExit();
+      }
+    }
+    const hso = obj?.hookSpecificOutput;
+    const sys = typeof obj?.systemMessage === 'string' ? obj.systemMessage : '';
+    if (hso?.permissionDecision === 'deny') {
+      const reason = hso.permissionDecisionReason || hso.additionalContext || sys;
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({
+          permission: 'deny',
+          user_message: sys || reason,
+          agent_message: hso.additionalContext || reason,
+        }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    const addCtx = typeof hso?.additionalContext === 'string' ? hso.additionalContext : '';
+    const ctx = sys || addCtx;
+    if (ctx) {
+      if (!cursorHookExited) {
+        cursorHookExited = true;
+        process.stdout.write(JSON.stringify({ permission: 'allow' }) + '\\n');
+      }
+      cursorHookExit();
+    }
+    outputEmpty();
+    return;
+  }
   console.log(JSON.stringify(obj));
 }
 export function outputEmpty(): void {
+  if (isCursorHookFormat()) {
+    if (!cursorHookExited) {
+      cursorHookExited = true;
+      try { process.stdout.write('{}\\n'); } catch {}
+    }
+    cursorHookExit();
+  }
   console.log('{}');
 }
 `;
@@ -1631,26 +1897,27 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -1721,7 +1988,7 @@ async function main() {
       try {
         gradeResp = await localGrade('edit', graderPrompt);
       } catch {
-        outputEmpty();
+        outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \\u2192 local grader unavailable, skipped' });
         return;
       }
@@ -1755,7 +2022,7 @@ async function main() {
             rulesChecked: config.rules, violatedRules,
             ccModel: transcript.ccModel,
           });
-        outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \\u2192 warning: ' + guardReason });
+        outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \\u2192 warning: ' + guardReason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local edit judge (audit). ' + guardReason } });
         return;
       }
@@ -1766,7 +2033,8 @@ async function main() {
           rulesChecked: config.rules, violatedRules: [],
           ccModel: transcript.ccModel,
         });
-      outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \\u2192 pass: ' + (verdict.reason || 'no policy violations detected') });
+      const passLine = tagStr + ' editGuard ' + fileShort + ' \\u2192 pass: ' + (verdict.reason || 'no policy violations detected');
+      outputJson({ systemMessage: passLine, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local edit judge. ' + (verdict.reason || 'no policy violations detected') } });
       return;
     }
@@ -1841,24 +2109,25 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename, extname } from 'node:path';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
@@ -1959,6 +2228,12 @@ async function main() {
           if (id && !cweIds.includes(id)) cweIds.push(id);
         }
+        const fixMatches = gradeResp.match(/<suggested_fix>([^<]+)<\\/suggested_fix>/g) || [];
+        const fixes: Record<string, string> = {};
+        for (let i = 0; i < Math.min(cweIds.length, fixMatches.length); i++) {
+          fixes[cweIds[i]] = fixMatches[i].replace(/<\\/?suggested_fix>/g, '').trim();
+        }
         // Filter out exempted CWEs for this file
         const activeCweIds = cweIds.filter(id => !exemptedCwes.has(id.toUpperCase()));
@@ -1977,7 +2252,11 @@ async function main() {
         const label = count === 1 ? 'match' : 'matches';
         const cweMsg = cweTag + ' ' + fileShort + ' \\u2192 ' + count + ' CWE ' + label + ' (' + displayIds + ')';
         const denyDetail = '[' + displayIds + '] ' + (verdict.reason || 'code weakness detected');
-        const ctx = 'CWE: ' + denyDetail + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
+        const fixLines = activeCweIds
+          .filter(id => fixes[id])
+          .map(id => '[' + id + '] Fix: ' + fixes[id]);
+        const fixHint = fixLines.length > 0 ? '\\n' + fixLines.join('\\n') : '';
+        const ctx = 'CWE: ' + denyDetail + fixHint + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the weakness in code yourself.';
         for (const cweId of activeCweIds) {
           dispatchFinding(jwt, {
@@ -1992,6 +2271,13 @@ async function main() {
           }, config.captureDepth);
         }
+        dispatchCapture(jwt, 'cwe', 'block', verdict.severity || 'high', verdict.category || 'security',
+          toolName, gitRepo, sessionId, config.captureDepth, {
+            command: 'edit ' + filePath,
+            reasoning: denyDetail,
+            violatedRules: activeCweIds,
+          });
         outputJson({
           systemMessage: cweMsg,
           hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
@@ -2007,7 +2293,14 @@ async function main() {
         status: 'resolved',
       }, config.captureDepth);
-      outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \\u2192 clean' });
+      dispatchCapture(jwt, 'cwe', 'pass', 'audit', 'clean',
+        toolName, gitRepo, sessionId, config.captureDepth, {
+          command: 'edit ' + filePath,
+          reasoning: verdict.reason || 'no CWE weaknesses detected',
+        });
+      const cleanMsg = cweTag + ' ' + fileShort + ' \\u2192 clean' + (verdict.reason ? ' (' + verdict.reason + ')' : '');
+      outputJson({ systemMessage: cleanMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: cleanMsg } });
       return;
     }
@@ -2026,7 +2319,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   reconstructContent, readStdin, findNearestDeps, log,
-  outputJson, outputEmpty, dispatchFinding, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, dispatchCapture, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { basename } from 'node:path';
@@ -2044,20 +2337,22 @@ function isManifest(filename: string): boolean {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Edit', 'Write', 'MultiEdit', 'NotebookEdit'].includes(toolName)) {
+    if (!isEditTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
+    const gitRepo = detectRepo(cwd || '.');
     const filePath = toolInput.file_path || toolInput.notebook_path || toolInput.path || '';
     if (!filePath) { outputEmpty(); return; }
@@ -2152,6 +2447,16 @@ async function main() {
       const cveMsg = cveTag + ' ' + fileShort + ' \\u2192 ' + count + ' ' + label;
       const ctx = 'CVE: ' + top3 + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 upgrade the vulnerable dependencies yourself.';
+      const cveIds = findings.slice(0, 10).map((f: any) =>
+        (f.aliases || []).find((a: string) => a.startsWith('CVE-')) || f.id || 'unknown'
+      );
+      dispatchCapture(jwt, 'cve', 'block', 'critical', 'security',
+        toolName, gitRepo, sessionId, config.captureDepth, {
+          command: 'edit ' + filePath,
+          reasoning: top3,
+          violatedRules: cveIds,
+        });
       outputJson({
         systemMessage: cveMsg,
         hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
@@ -2173,12 +2478,12 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 const TOP_NPM_PKGS = new Set([
-  'express','react','lodash','axios','chalk','commander','debug','dotenv','webpack',
+  'express','react','lodash','chalk','commander','debug','dotenv','webpack',
   'typescript','moment','uuid','cors','body-parser','mongoose','jsonwebtoken','bcrypt',
   'nodemon','eslint','prettier','jest','mocha','chai','sinon','supertest','request',
   'async','bluebird','underscore','ramda','rxjs','socket.io','redis','pg','mysql',
@@ -2249,28 +2554,35 @@ interface PkgMeta {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (!['Bash', 'Read', 'Grep', 'Glob'].includes(toolName)) {
+    if (!isShellTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
     const transcriptPath = payload.transcript_path || '';
     const gitRepo = detectRepo(cwd || '.');
+    const transcript = extractTranscript(transcriptPath);
     let command = '';
     switch (toolName) {
-      case 'Bash': command = toolInput.command || ''; break;
+      case 'Bash':
+      case 'Shell':
+      case 'terminal':
+      case 'run_terminal_cmd':
+      case 'execute_command':
+        command = toolInput.command || ''; break;
       case 'Read': command = 'cat ' + (toolInput.file_path || ''); break;
       case 'Grep': command = "grep -r '" + (toolInput.pattern || '') + "' " + (toolInput.path || '.'); break;
       case 'Glob': command = "find . -name '" + (toolInput.pattern || '') + "'"; break;
@@ -2441,6 +2753,15 @@ async function main() {
                 }, config.captureDepth);
               }
+              const cveIds = findings.map((f: any) => f.cve || f.id || f.package);
+              dispatchCapture(jwt, 'cve', 'block', 'critical', 'security',
+                'Bash', gitRepo, sessionId, config.captureDepth, {
+                  command,
+                  reasoning: top3,
+                  violatedRules: cveIds,
+                  ccModel: transcript.ccModel,
+                });
               outputJson({
                 systemMessage: cveMsg,
                 hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
@@ -2461,7 +2782,6 @@ async function main() {
       }
     }
-    const transcript = extractTranscript(transcriptPath);
     const lastPrompt = readLastPrompt();
     const config = await loadConfig(jwt);
@@ -2488,7 +2808,7 @@ async function main() {
       try {
         gradeResp = await localGrade('bash', graderPrompt);
       } catch {
-        outputEmpty();
+        outputJson({ systemMessage: tagStr + ' bashGuard \\u2192 local grader unavailable, skipped' });
         return;
       }
@@ -2601,24 +2921,25 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Agent') {
+    if (!isAgentTool(toolName)) {
       outputEmpty();
       return;
     }
     const toolInput = payload.tool_input || {};
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const toolUseId = payload.tool_use_id || '';
     const cwd = payload.cwd || '';
     const permissionMode = payload.permission_mode || '';
@@ -2668,7 +2989,7 @@ async function main() {
       try {
         gradeResp = await localGrade('bash', graderPrompt);
       } catch {
-        outputEmpty();
+        outputJson({ systemMessage: tagStr + ' agentGuard \\u2192 local grader unavailable, skipped' });
         return;
       }
@@ -2764,14 +3085,13 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, postWithRetry, readStdin, log,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
-function findLatestPlan(): string | null {
-  const plansDir = join(homedir(), '.claude', 'plans');
+function findLatestPlanInDir(plansDir: string): string | null {
   if (!existsSync(plansDir)) return null;
   try {
     const files = readdirSync(plansDir)
@@ -2784,6 +3104,23 @@ function findLatestPlan(): string | null {
   }
 }
+function findLatestPlan(): string | null {
+  const dirs = [
+    join(homedir(), '.claude', 'plans'),
+    join(homedir(), '.cursor', 'plans'),
+  ];
+  let best: { path: string; mtime: number } | null = null;
+  for (const dir of dirs) {
+    const p = findLatestPlanInDir(dir);
+    if (!p) continue;
+    try {
+      const mtime = statSync(p).mtimeMs;
+      if (!best || mtime > best.mtime) best = { path: p, mtime };
+    } catch {}
+  }
+  return best?.path ?? null;
+}
 function appendReviewToPlan(planFile: string, verdict: string): void {
   try {
     let content = readFileSync(planFile, 'utf-8');
@@ -2795,20 +3132,21 @@ function appendReviewToPlan(planFile: string, verdict: string): void {
 }
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'ExitPlanMode') { outputEmpty(); return; }
+    if (!isPlanTool(toolName)) { outputEmpty(); return; }
     const planFile = findLatestPlan();
     if (!planFile) { outputEmpty(); return; }
     const plan = readFileSync(planFile, 'utf-8');
     if (plan.length < 20) { outputEmpty(); return; }
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const cwd = payload.cwd || '';
     const gitRepo = detectRepo(cwd || '.');
@@ -2841,7 +3179,7 @@ async function main() {
       try {
         gradeResp = await localGrade('plan', graderPrompt);
       } catch {
-        outputEmpty();
+        outputJson({ systemMessage: tagStr + ' planReview \\u2192 local grader unavailable, skipped' });
         return;
       }
@@ -2852,7 +3190,8 @@ async function main() {
       if (!verdict.ok) {
         const reviewMsg = (verdict.ruleId ? '(first: ' + verdict.ruleId + ') ' : '') + (verdict.reason || 'check org rules during implementation');
         appendReviewToPlan(planFile, '\\u26a0\\ufe0f Advisory \\u2014 ' + reviewMsg);
-        outputJson({ systemMessage: tagStr + ' planReview \\u2192 ' + reviewMsg });
+        const advLine = tagStr + ' planReview \\u2192 ' + reviewMsg;
+        outputJson({ systemMessage: advLine, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local plan judge (advisory). ' + reviewMsg } });
         dispatchCapture(jwt, 'plan_review', 'advisory', verdict.severity || 'medium', verdict.category || 'general',
           'ExitPlanMode', gitRepo, sessionId, config.captureDepth, {
             command: planContent, reasoning: verdict.reason || 'check org rules',
@@ -2861,7 +3200,8 @@ async function main() {
       } else {
         const reviewMsg = verdict.reason || 'no relevant org rules for this plan';
         appendReviewToPlan(planFile, '\\u2705 Clean \\u2014 ' + reviewMsg);
-        outputJson({ systemMessage: tagStr + ' planReview \\u2192 clean: ' + reviewMsg });
+        const cleanLine = tagStr + ' planReview \\u2192 clean: ' + reviewMsg;
+        outputJson({ systemMessage: cleanLine, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local plan judge. ' + reviewMsg } });
         dispatchCapture(jwt, 'plan_review', 'clean', 'audit', verdict.category || 'general',
           'ExitPlanMode', gitRepo, sessionId, config.captureDepth, {
             command: planContent, reasoning: reviewMsg,
@@ -2913,16 +3253,17 @@ main();
     STOP_SUMMARY_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage,
-  outputJson, outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputJson, outputEmpty, appendLocalTelemetry, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     if (!sessionId) { outputEmpty(); return; }
     const cwd = payload.cwd || '';
@@ -3000,18 +3341,19 @@ main();
     SESSION_START_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, channelUp, tag, readStdin,
-  outputJson, outputEmpty, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
   type HookConfig,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const cwd = payload.cwd || '';
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const gitRepo = detectRepo(cwd || '.');
     let jwt = loadJwt();
@@ -3064,27 +3406,33 @@ main();
     BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
 import {
   loadJwt, loadConfig, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
-  outputEmpty, appendLocalTelemetry, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const toolName = payload.tool_name || '';
-    if (toolName !== 'Bash') { outputEmpty(); return; }
+    const shellCmd = typeof payload.command === 'string' ? payload.command : (payload.tool_input?.command || '');
+    if (!isShellTool(toolName) && !shellCmd) { outputEmpty(); return; }
     const jwt = loadJwt();
     if (!jwt) { outputEmpty(); return; }
-    const sessionId = payload.session_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    if (!sessionId || !toolUseId) { outputEmpty(); return; }
+    const sessionId = hookSessionId(payload);
+    const toolUseId = payload.tool_use_id || payload.tool_call_id || 'cursor-shell';
+    if (!sessionId) { outputEmpty(); return; }
-    const isError = payload.tool_result?.is_error === true;
-    const cmd = payload.tool_input?.command || '';
+    let isError = payload.tool_result?.is_error === true;
+    try {
+      const out = JSON.parse(payload.tool_output || '{}');
+      if (out.exitCode !== 0 || out.is_error === true) isError = true;
+    } catch {}
+    const cmd = shellCmd;
     const cmdHash = cmd ? hashCommand(cmd) : '';
     if (cmdHash && sessionId) {
@@ -3128,19 +3476,20 @@ main();
     TRANSCRIPT_SYNC_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
-  outputEmpty, GATEWAY_URL,
+  outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     const cwd = payload.cwd || '';
@@ -3268,15 +3617,16 @@ async function main() {
 main();
 `;
     USER_PROMPT_SUBMIT_TS = `#!/usr/bin/env bun
-import { readStdin, appendLocalTelemetry, aggregateUsage } from './_synkro-common.ts';
+import { readStdin, appendLocalTelemetry, aggregateUsage, outputEmpty, setupCursorHookSignals, hookSessionId } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 async function main() {
+  setupCursorHookSignals();
   try {
     const input = await readStdin();
-    if (!input.trim()) return;
+    if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
     const msg = payload.message || payload.prompt || payload.content || '';
     if (msg) {
@@ -3285,7 +3635,7 @@ async function main() {
       writeFileSync(promptFile, msg, 'utf-8');
     }
-    const sessionId = payload.session_id || '';
+    const sessionId = hookSessionId(payload);
     const transcriptPath = payload.transcript_path || '';
     if (sessionId && transcriptPath) {
       const usage = aggregateUsage(transcriptPath);
@@ -3306,7 +3656,10 @@ async function main() {
         });
       }
     }
-  } catch {}
+    outputEmpty();
+  } catch {
+    outputEmpty();
+  }
 }
 main();
@@ -3315,169 +3668,126 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
+  extractTranscript, readLastPrompt, log, GATEWAY_URL,
+  type Rule,
 } from './_synkro-common.ts';
+import { createHash } from 'node:crypto';
+import { existsSync, statSync, writeFileSync, mkdirSync } from 'node:fs';
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-    const payload = JSON.parse(input);
-    const command = payload.command || '';
-    if (!command) { process.stdout.write('{}\\n'); return; }
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
-    const repo = detectRepo(cwd || '.');
-    const cmdShort = command.slice(0, 80);
-    log('bashGuard checking: ' + cmdShort);
-    let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
-    jwt = await ensureFreshJwt(jwt);
-    const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-    if (rt === 'local') {
-      // Build grading prompt with rules
-      const rulesBlock = config.rules.map((r: Rule, i: number) =>
-        (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
-      ).join('\\n');
+const DEDUP_DIR = process.env.HOME + '/.synkro/.dedup';
+const DEDUP_TTL_MS = 3000;
-      const graderPrompt = [
-        'RULES:',
-        rulesBlock || '(none)',
-        '',
-        'COMMAND TO EVALUATE:',
-        command,
-      ].join('\\n');
+function isDuplicate(command: string, sessionId: string): boolean {
+  const hash = createHash('md5').update(sessionId + ':' + command).digest('hex').slice(0, 12);
+  const marker = DEDUP_DIR + '/' + hash;
+  try {
+    if (existsSync(marker)) {
+      const age = Date.now() - statSync(marker).mtimeMs;
+      if (age < DEDUP_TTL_MS) return true;
+    }
+  } catch {}
+  try {
+    mkdirSync(DEDUP_DIR, { recursive: true });
+    writeFileSync(marker, '', { flag: 'w' });
+  } catch {}
+  return false;
+}
-      let gradeResp: string;
-      try {
-        gradeResp = await localGrade('bash', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
-      }
+// Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
+const CURSOR_GRADE_TIMEOUT_MS = 7500;
+const CURSOR_CLOUD_TIMEOUT_MS = 6000;
-      const verdict = parseVerdict(gradeResp);
+let hookDone = false;
-      if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
-        const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
+function finishAllow(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
-        if (mode !== 'audit') {
-          dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            'Bash', repo, sessionId, config.captureDepth, {
-              command, reasoning: guardReason,
-              rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-            });
-          const result = {
-            permission: 'deny',
-            user_message: tagStr + ' bashGuard \\u2192 block: ' + guardReason,
-            agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
-        }
+function finishWith(payload: Record<string, unknown>): never {
+  hookDone = true;
+  process.stdout.write(JSON.stringify(payload) + '\\n');
+  process.exit(0);
+}
-        // Audit mode \u2014 warn but allow
-        dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-          'Bash', repo, sessionId, config.captureDepth, {
-            command, reasoning: guardReason,
-            rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-          });
-      } else {
-        dispatchCapture(jwt, 'bash', 'pass', 'audit', verdict.category || 'clean',
-          'Bash', repo, sessionId, config.captureDepth, {
-            command, reasoning: verdict.reason || 'no policy violations detected',
-            rulesChecked: config.rules, violatedRules: [],
-          });
-      }
+process.on('SIGTERM', () => finishAllow());
-      process.stdout.write('{}\\n');
-      return;
-    }
+const SHELL_TOOL_NAMES = new Set(['Bash', 'Shell', 'terminal', 'run_terminal_cmd', 'execute_command']);
+const READ_TOOL_NAMES = new Set(['Read', 'ReadFile', 'read_file']);
+const SEARCH_TOOL_NAMES = new Set(['Grep', 'grep_search', 'codebase_search', 'file_search']);
+const DIR_TOOL_NAMES = new Set(['Glob', 'list_dir']);
+const DELETE_TOOL_NAMES = new Set(['delete_file']);
+const BASH_PRE_TOOL_NAMES = new Set([...SHELL_TOOL_NAMES, ...READ_TOOL_NAMES, ...SEARCH_TOOL_NAMES, ...DIR_TOOL_NAMES, ...DELETE_TOOL_NAMES]);
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
-      hook_event: 'PreToolUse',
-      tool_name: 'Bash',
-      tool_input: { command },
-      response_format: 'cursor',
-      session_id: sessionId || null,
-      cwd: cwd || null,
-      repo: repo || null,
-    };
+function extractCommand(payload: Record<string, unknown>): { command: string; toolName: string } {
+  const direct = typeof payload.command === 'string' ? payload.command : '';
+  if (direct) return { command: direct, toolName: 'Bash' };
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 6000);
+  const toolName = typeof payload.tool_name === 'string' ? payload.tool_name : '';
+  if (!BASH_PRE_TOOL_NAMES.has(toolName)) return { command: '', toolName };
-    if (!resp) {
-      log('bashGuard ' + cmdShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
-    }
+  const toolInput = (payload.tool_input && typeof payload.tool_input === 'object')
+    ? payload.tool_input as Record<string, unknown>
+    : {};
-    if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
-    }
-  } catch {
-    process.stdout.write('{}\\n');
+  let command = '';
+  if (SHELL_TOOL_NAMES.has(toolName)) {
+    command = String(toolInput.command ?? '');
+  } else if (READ_TOOL_NAMES.has(toolName)) {
+    command = 'cat ' + String(toolInput.file_path ?? toolInput.path ?? '');
+  } else if (SEARCH_TOOL_NAMES.has(toolName)) {
+    command = "grep -r '" + String(toolInput.pattern ?? toolInput.query ?? '') + "' " + String(toolInput.path ?? '.');
+  } else if (DIR_TOOL_NAMES.has(toolName)) {
+    command = "find . -name '" + String(toolInput.pattern ?? toolInput.relative_workspace_path ?? '') + "'";
+  } else if (DELETE_TOOL_NAMES.has(toolName)) {
+    command = 'rm ' + String(toolInput.target_file ?? toolInput.file_path ?? toolInput.path ?? '');
   }
+  return { command, toolName: toolName || 'Bash' };
 }
-main();
-`;
-    CURSOR_EDIT_PRECHECK_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  appendLocalTelemetry, log, GATEWAY_URL,
-  type HookConfig, type Rule,
-} from './_synkro-common.ts';
-import { basename } from 'node:path';
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finishAllow();
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-    const toolInput = payload.tool_input || {};
-    const cwd = payload.cwd || '';
-    const sessionId = payload.conversation_id || '';
+    const payload = JSON.parse(input) as Record<string, unknown>;
+    const { command, toolName } = extractCommand(payload);
+    if (!command) finishAllow();
-    const filePath = toolInput.file_path || toolInput.path || toolInput.target_file || '';
-    const content = toolInput.content || toolInput.new_string || toolInput.code_edit || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
+    const cwd = typeof payload.cwd === 'string' ? payload.cwd : '';
+    const sessionId = String(payload.conversation_id ?? payload.session_id ?? '');
-    const fileShort = basename(filePath);
-    log('editGuard checking: ' + fileShort);
+    if (isDuplicate(command, sessionId)) {
+      log('bashGuard skip (dedup): ' + command.slice(0, 80));
+      finishAllow();
+    }
+    const transcriptPath = typeof payload.transcript_path === 'string' ? payload.transcript_path : '';
+    const rawModel = String(payload.model ?? payload.model_id ?? '');
+    const KNOWN_MODELS = new Set(['gpt-4', 'gpt-4o', 'gpt-4.1', 'gpt-5', 'o1', 'o3', 'o4-mini', 'claude-sonnet-4-5', 'claude-opus-4-5', 'sonnet-4', 'sonnet-4-thinking', 'gemini-2.5-pro', 'gemini-2.5-flash']);
+    const model = rawModel ? (KNOWN_MODELS.has(rawModel) || rawModel.startsWith('claude-') || rawModel.startsWith('gpt-') || rawModel.startsWith('gemini-') || rawModel.startsWith('o1') || rawModel.startsWith('o3') ? rawModel : 'cursor/' + rawModel) : 'cursor';
     const repo = detectRepo(cwd || '.');
+    const cmdShort = command.slice(0, 80);
+    log('bashGuard checking: ' + cmdShort);
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finishAllow();
     jwt = await ensureFreshJwt(jwt);
+    const transcript = extractTranscript(transcriptPath);
+    const lastPrompt = readLastPrompt();
     const config = await loadConfig(jwt);
-    if (config.silent) { process.stdout.write('{}\\n'); return; }
+    if (config.silent) finishAllow();
     const rt = await route(config);
     const tagStr = tag(rt, config);
     if (rt === 'local') {
-      const contentShort = content.slice(0, 4000);
       const rulesBlock = config.rules.map((r: Rule, i: number) =>
         (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
       ).join('\\n');
@@ -3486,93 +3796,107 @@ async function main() {
         'RULES:',
         rulesBlock || '(none)',
         '',
-        'FILE: ' + filePath,
+        'COMMAND TO EVALUATE:',
+        command,
         '',
-        'CONTENT TO EVALUATE (first 4000 chars):',
-        contentShort,
+        'User intent (last human message): ' + (transcript.userIntent || lastPrompt || 'none stated'),
+        'Last user prompt: ' + (lastPrompt || 'none'),
       ].join('\\n');
       let gradeResp: string;
       try {
-        gradeResp = await localGrade('edit', graderPrompt);
-      } catch {
-        process.stdout.write('{}\\n');
-        return;
+        gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS);
+      } catch (e) {
+        log('bashGuard ' + cmdShort + ' \u2192 pass (grade unavailable): ' + String(e));
+        finishWith({ permission: 'allow' });
       }
       const verdict = parseVerdict(gradeResp);
-      const editContent = 'file=' + filePath + ' content=' + content.slice(0, 2000);
       if (!verdict.ok) {
         const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
         if (mode !== 'audit') {
-          dispatchCapture(jwt, 'edit', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName || 'Edit', repo, sessionId, config.captureDepth, {
-              command: editContent, reasoning: guardReason,
+          dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
+            'Bash', gitRepo, sessionId, config.captureDepth, {
+              command, reasoning: guardReason,
               rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
+              ccModel: model,
             });
-          const result = {
+          finishWith({
             permission: 'deny',
-            user_message: tagStr + ' editGuard ' + fileShort + ' \\u2192 block: ' + guardReason,
+            user_message: tagStr + ' bashGuard \u2192 block: ' + guardReason,
             agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          };
-          process.stdout.write(JSON.stringify(result) + '\\n');
-          return;
+          });
         }
-        // Audit mode
-        dispatchCapture(jwt, 'edit', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: guardReason,
+        dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
+          'Bash', gitRepo, sessionId, config.captureDepth, {
+            command, reasoning: guardReason,
             rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
+            ccModel: model,
           });
+        log('bashGuard ' + cmdShort + ' \u2192 audit warning');
+        finishWith({ permission: 'allow' });
       } else {
-        dispatchCapture(jwt, 'edit', 'pass', 'audit', verdict.category || 'trivial_edit',
-          toolName || 'Edit', repo, sessionId, config.captureDepth, {
-            command: editContent, reasoning: verdict.reason || 'no policy violations detected',
+        dispatchCapture(jwt, 'bash', 'pass', 'audit', verdict.category || 'clean',
+          'Bash', gitRepo, sessionId, config.captureDepth, {
+            command, reasoning: verdict.reason || 'no policy violations detected',
             rulesChecked: config.rules, violatedRules: [],
+            ccModel: model,
           });
       }
-      process.stdout.write('{}\\n');
-      return;
+      const passReason = verdict.reason || 'no policy violations detected';
+      log('bashGuard ' + cmdShort + ' \u2192 pass: ' + passReason);
+      finishWith({ permission: 'allow' });
     }
-    // \u2500\u2500\u2500 Cloud grading \u2500\u2500\u2500
-    const body = {
+    const body: Record<string, any> = {
       hook_event: 'PreToolUse',
-      tool_name: toolName || 'Edit',
-      tool_input: { file_path: filePath, content },
-      file_path: filePath,
-      content,
+      tool_name: toolName || 'Bash',
+      tool_input: { command },
       response_format: 'cursor',
+      user_intent: transcript.userIntent || null,
+      last_user_message: lastPrompt || null,
+      recent_user_messages: transcript.recentUserMessages,
+      recent_messages: transcript.recentMessages,
       session_id: sessionId || null,
       cwd: cwd || null,
       repo: repo || null,
     };
-    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, 8000);
+    const resp = await postWithRetry(GATEWAY_URL + '/api/v1/hook/judge', body, jwt, CURSOR_CLOUD_TIMEOUT_MS);
     if (!resp) {
-      log('editGuard ' + fileShort + ' \\u2192 error (timeout)');
-      process.stdout.write('{}\\n');
-      return;
+      log('bashGuard ' + cmdShort + ' \u2192 pass (cloud timeout)');
+      finishAllow();
     }
     if (resp.hook_response) {
-      process.stdout.write(JSON.stringify(resp.hook_response) + '\\n');
-    } else {
-      process.stdout.write('{}\\n');
+      const hr = resp.hook_response as Record<string, unknown>;
+      if (hr.permission === 'allow') {
+        const um = String(hr.user_message || '');
+        const am = String(hr.agent_message || um);
+        if (um || am) {
+          finishWith({ permission: 'allow' });
+        }
+      }
+      finishWith(hr);
     }
-  } catch {
-    process.stdout.write('{}\\n');
+    log('bashGuard ' + cmdShort + ' \u2192 pass (no hook_response)');
+    finishAllow();
+  } catch (e) {
+    log('bashGuard error: ' + String(e));
+    finishAllow();
   }
 }
-main();
-`;
+main().catch((e) => {
+  log('bashGuard fatal: ' + String(e));
+  finishAllow();
+});`;
     CURSOR_EDIT_CAPTURE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, readStdin,
@@ -3582,26 +3906,37 @@ import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 import { homedir } from 'node:os';
+let hookDone = false;
+function finish(): never {
+  if (!hookDone) {
+    hookDone = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+  }
+  process.exit(0);
+}
+process.on('SIGTERM', () => finish());
 async function main() {
   try {
     const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
+    if (!input.trim()) finish();
     const payload = JSON.parse(input);
     const filePath = payload.file_path || '';
-    if (!filePath) { process.stdout.write('{}\\n'); return; }
+    if (!filePath) finish();
-    const cwd = payload.cwd || '';
+    const cwd = payload.cwd || payload.workspace_roots?.[0] || '';
     const sessionId = payload.conversation_id || '';
     const repo = detectRepo(cwd || '.');
     log('editScan ' + basename(filePath));
     let jwt = loadJwt();
-    if (!jwt) { process.stdout.write('{}\\n'); return; }
+    if (!jwt) finish();
     jwt = await ensureFreshJwt(jwt);
-    // Read actual file content (up to 50KB)
     let fileContent = '';
     const fullPath = filePath.startsWith('/') ? filePath : (cwd ? join(cwd, filePath) : filePath);
     try {
@@ -3611,7 +3946,6 @@ async function main() {
       }
     } catch {}
-    // Walk up to find package.json dependencies
     let dependencies: Record<string, string> = {};
     let pkgDir = cwd || dirname(fullPath);
     while (pkgDir !== '/' && pkgDir !== '.') {
@@ -3638,12 +3972,10 @@ async function main() {
     if (cwd) captureBody.cwd = cwd;
     if (repo) captureBody.repo = repo;
-    // Check if local_only
     const rulesPath = join(homedir(), '.synkro', 'rules.json');
     if (existsSync(rulesPath)) {
       appendLocalTelemetry(captureBody);
     } else {
-      // Fire-and-forget to cloud
       fetch(GATEWAY_URL + '/api/v1/hook/capture', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
@@ -3653,157 +3985,17 @@ async function main() {
       appendLocalTelemetry(captureBody);
     }
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-main();
-`;
-    CURSOR_BASH_FOLLOWUP_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, readStdin, appendLocalTelemetry, log, GATEWAY_URL,
-} from './_synkro-common.ts';
-import { existsSync, readFileSync, writeFileSync, appendFileSync, mkdirSync } from 'node:fs';
-import { join, dirname } from 'node:path';
-import { createHash } from 'node:crypto';
-import { homedir } from 'node:os';
-const CONSENT_FILE = join(homedir(), '.synkro', '.local-consent');
-function hashCmd(cmd: string): string {
-  return createHash('sha256').update(cmd).digest('hex').slice(0, 16);
-}
-function consentGrant(sid: string, hash: string): void {
-  try {
-    const dir = dirname(CONSENT_FILE);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-    appendFileSync(CONSENT_FILE, sid + '\\t' + hash + '\\tactive\\n', 'utf-8');
-  } catch {}
-}
-function consentHasActive(sid: string, hash: string): boolean {
-  try {
-    if (!existsSync(CONSENT_FILE)) return false;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    return content.includes(sid + '\\t' + hash + '\\tactive');
-  } catch {
-    return false;
-  }
-}
-function consentConsume(sid: string, hash: string): void {
-  try {
-    if (!existsSync(CONSENT_FILE)) return;
-    const content = readFileSync(CONSENT_FILE, 'utf-8');
-    const target = sid + '\\t' + hash + '\\tactive';
-    const replacement = sid + '\\t' + hash + '\\tconsumed';
-    const updated = content.split('\\n').map((l: string) => l === target ? replacement : l).join('\\n');
-    writeFileSync(CONSENT_FILE, updated, 'utf-8');
-  } catch {}
-}
-async function main() {
-  try {
-    const input = await readStdin();
-    if (!input.trim()) { process.stdout.write('{}\\n'); return; }
-    const payload = JSON.parse(input);
-    const toolName = payload.tool_name || '';
-    // Only process shell/bash tool types
-    const shellTools = ['Shell', 'Bash', 'terminal', 'run_terminal_cmd', 'execute_command'];
-    if (!shellTools.includes(toolName)) { process.stdout.write('{}\\n'); return; }
-    const sessionId = payload.conversation_id || '';
-    const toolUseId = payload.tool_use_id || '';
-    const isError = payload.tool_result?.is_error === true;
-    const command = payload.tool_input?.command || '';
-    const cmdHash = command ? hashCmd(command) : '';
-    // Consent tracking
-    if (cmdHash && sessionId) {
-      if (!isError) {
-        consentConsume(sessionId, cmdHash);
-      } else {
-        if (!consentHasActive(sessionId, cmdHash)) {
-          consentGrant(sessionId, cmdHash);
-        }
-      }
-    }
-    // Build capture body
-    const captureBody: Record<string, any> = {
-      capture_type: 'bash_followup',
-      session_id: sessionId || null,
-      tool_use_id: toolUseId || null,
-      is_error: isError,
-      command_hash: cmdHash,
-    };
-    // Check if local_only
-    const rulesPath = join(homedir(), '.synkro', 'rules.json');
-    if (existsSync(rulesPath)) {
-      appendLocalTelemetry(captureBody);
-    } else {
-      const jwt = loadJwt();
-      if (jwt && sessionId && toolUseId) {
-        fetch(GATEWAY_URL + '/api/v1/hook/capture', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
-          body: JSON.stringify(captureBody),
-          signal: AbortSignal.timeout(3000),
-        }).catch(() => {});
-      }
-      appendLocalTelemetry(captureBody);
-    }
-    process.stdout.write('{}\\n');
-  } catch {
-    process.stdout.write('{}\\n');
-  }
-}
-main();
-`;
-    CURSOR_SESSION_START_TS = `#!/usr/bin/env bun
-import {
-  loadJwt, loadConfig, readStdin,
-  type HookConfig,
-} from './_synkro-common.ts';
-async function main() {
-  try {
-    const input = await readStdin();
-    let jwt = loadJwt();
-    const config: HookConfig = jwt ? await loadConfig(jwt) : {
-      captureDepth: 'local_only', tier: 'standard', silent: false,
-      policyName: '', rules: [], scanExemptions: [],
-    };
-    const policyName = config.policyName || 'default';
-    const ruleCount = config.rules.length;
-    const mode = config.silent ? 'silent' : 'active';
-    const context = [
-      'This session is monitored by Synkro (' + mode + ' mode, policy: "' + policyName + '", ' + ruleCount + ' rules).',
-      'Synkro enforces security and compliance rules on tool calls (shell commands, file edits).',
-      'If a tool call is blocked, Synkro will explain which rule was violated and why.',
-      'Do not suggest workarounds to bypass Synkro hooks \u2014 fix the underlying issue instead.',
-    ].join(' ');
-    const result = { additional_context: context };
-    process.stdout.write(JSON.stringify(result) + '\\n');
-  } catch {
-    process.stdout.write('{}\\n');
+    finish();
+  } catch (e) {
+    log('editScan error: ' + String(e));
+    finish();
   }
 }
-main();
-`;
+main().catch((e) => {
+  log('editScan fatal: ' + String(e));
+  finish();
+});`;
   }
 });
@@ -6048,10 +6240,7 @@ function writeHookScripts() {
   const commonScriptPath = join11(HOOKS_DIR, "_synkro-common.ts");
   const commonBashScriptPath = join11(HOOKS_DIR, "_synkro-common.sh");
   const cursorBashJudgePath = join11(HOOKS_DIR, "cursor-bash-judge.ts");
-  const cursorEditPrecheckPath = join11(HOOKS_DIR, "cursor-edit-precheck.ts");
   const cursorEditCapturePath = join11(HOOKS_DIR, "cursor-edit-capture.ts");
-  const cursorBashFollowupPath = join11(HOOKS_DIR, "cursor-bash-followup.ts");
-  const cursorSessionStartPath = join11(HOOKS_DIR, "cursor-session-start.ts");
   const mcpLocalServerPath = join11(HOOKS_DIR, "mcp-local-server.ts");
   writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
   writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
@@ -6067,10 +6256,7 @@ function writeHookScripts() {
   writeFileSync7(commonScriptPath, SYNKRO_COMMON_TS, "utf-8");
   writeFileSync7(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
-  writeFileSync7(cursorEditPrecheckPath, CURSOR_EDIT_PRECHECK_TS, "utf-8");
   writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
-  writeFileSync7(cursorBashFollowupPath, CURSOR_BASH_FOLLOWUP_TS, "utf-8");
-  writeFileSync7(cursorSessionStartPath, CURSOR_SESSION_START_TS, "utf-8");
   writeFileSync7(mcpLocalServerPath, `#!/usr/bin/env bun
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
@@ -6891,10 +7077,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
   chmodSync2(commonScriptPath, 493);
   chmodSync2(commonBashScriptPath, 493);
   chmodSync2(cursorBashJudgePath, 493);
-  chmodSync2(cursorEditPrecheckPath, 493);
   chmodSync2(cursorEditCapturePath, 493);
-  chmodSync2(cursorBashFollowupPath, 493);
-  chmodSync2(cursorSessionStartPath, 493);
   chmodSync2(mcpLocalServerPath, 493);
   return {
     bashScript: bashScriptPath,
@@ -6909,10 +7092,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
     transcriptSyncScript: transcriptSyncScriptPath,
     userPromptSubmitScript: userPromptSubmitScriptPath,
     cursorBashJudgeScript: cursorBashJudgePath,
-    cursorEditPrecheckScript: cursorEditPrecheckPath,
     cursorEditCaptureScript: cursorEditCapturePath,
-    cursorBashFollowupScript: cursorBashFollowupPath,
-    cursorSessionStartScript: cursorSessionStartPath,
     mcpLocalServerScript: mcpLocalServerPath
   };
 }
@@ -6945,7 +7125,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.67")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.69")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7396,10 +7576,17 @@ async function installCommand(opts = {}) {
       hasCursor = true;
       installCursorHooks(agent.settingsPath, {
         bashJudgeScriptPath: scripts.cursorBashJudgeScript,
-        editPrecheckScriptPath: scripts.cursorEditPrecheckScript,
         editCaptureScriptPath: scripts.cursorEditCaptureScript,
-        bashFollowupScriptPath: scripts.cursorBashFollowupScript,
-        sessionStartScriptPath: scripts.cursorSessionStartScript
+        bashFollowupScriptPath: scripts.bashFollowupScript,
+        editPrecheckScriptPath: scripts.editPrecheckScript,
+        cwePrecheckScriptPath: scripts.cwePrecheckScript,
+        cvePrecheckScriptPath: scripts.cvePrecheckScript,
+        planJudgeScriptPath: scripts.planJudgeScript,
+        agentJudgeScriptPath: scripts.agentJudgeScript,
+        stopSummaryScriptPath: scripts.stopSummaryScript,
+        sessionStartScriptPath: scripts.sessionStartScript,
+        userPromptSubmitScriptPath: scripts.userPromptSubmitScript,
+        transcriptSyncScriptPath: scripts.transcriptSyncScript
       });
       console.log(`Configured ${agent.name} hooks at ${agent.settingsPath}`);
     }
@@ -7460,6 +7647,36 @@ async function installCommand(opts = {}) {
       }
     }
   }
+  if (hasCursor && !opts.noMcp) {
+    try {
+      if (useLocalMcp) {
+        const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: "", local: true });
+        console.log(`Registered local MCP guardrails server in ${mcp.path}`);
+        console.log(`  url:        ${mcp.url}`);
+      } else {
+        const mintResp = await fetch(`${gatewayUrl}/api/v1/cli/mcp-token`, {
+          method: "POST",
+          headers: {
+            "Authorization": `Bearer ${token}`,
+            "Content-Type": "application/json"
+          },
+          body: "{}"
+        });
+        if (!mintResp.ok) {
+          const errText = await mintResp.text().catch(() => "");
+          throw new Error(`mcp-token mint failed (${mintResp.status}): ${errText.slice(0, 200)}`);
+        }
+        const minted = await mintResp.json();
+        const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: minted.token });
+        console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
+        console.log(`  url:        ${mcp.url}`);
+      }
+      console.log();
+    } catch (err) {
+      console.warn(`  \u26A0 Cursor MCP registration failed: ${err.message}`);
+      console.log();
+    }
+  }
   const priorLocalFlag = (() => {
     try {
       const content = readFileSync10(CONFIG_PATH3, "utf-8");
@@ -7971,10 +8188,20 @@ async function statusCommand() {
         const hooks = inspectCursorHooks(a.settingsPath);
         console.log(`    hooks installed: ${hooks.installed ? "\u2713" : "\u2717"}`);
         if (hooks.installed) {
+          console.log(`      \u2022 sessionStart:         ${hooks.sessionStart ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 sessionEnd:           ${hooks.sessionEnd ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 beforeSubmitPrompt:   ${hooks.beforeSubmitPrompt ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 beforeShellExecution: ${hooks.beforeShellExecution ? "\u2713" : "\u2717"}`);
-          console.log(`      \u2022 preToolUse:           ${hooks.preToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 afterShellExecution:  ${hooks.afterShellExecution ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Bash:      ${hooks.preToolUseBash ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Edit:      ${hooks.preToolUseEdit ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CWE:       ${hooks.preToolUseCwe ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse CVE:       ${hooks.preToolUseCve ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Agent:     ${hooks.preToolUseAgent ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 PreToolUse Plan:      ${hooks.preToolUsePlan ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 afterFileEdit:        ${hooks.afterFileEdit ? "\u2713" : "\u2717"}`);
           console.log(`      \u2022 postToolUse:          ${hooks.postToolUse ? "\u2713" : "\u2717"}`);
+          console.log(`      \u2022 stop (transcript):    ${hooks.stop ? "\u2713" : "\u2717"}`);
         }
       }
     }
@@ -7988,6 +8215,7 @@ async function statusCommand() {
     "cc-cwe-precheck.ts",
     "cc-cve-precheck.ts",
     "cc-plan-judge.ts",
+    "cc-agent-judge.ts",
     "cc-stop-summary.ts",
     "cc-session-start.ts",
     "cc-transcript-sync.ts",
@@ -7995,10 +8223,19 @@ async function statusCommand() {
     "_synkro-common.ts"
   ];
   const cursorHooks = [
-    "cursor-bash-judge.sh",
-    "cursor-edit-precheck.sh",
-    "cursor-bash-followup.sh",
-    "_synkro-common.sh"
+    "cursor-bash-judge.ts",
+    "cursor-edit-capture.ts",
+    "cc-edit-precheck.ts",
+    "cc-cwe-precheck.ts",
+    "cc-cve-precheck.ts",
+    "cc-agent-judge.ts",
+    "cc-plan-judge.ts",
+    "cc-session-start.ts",
+    "cc-stop-summary.ts",
+    "cc-bash-followup.ts",
+    "cc-user-prompt-submit.ts",
+    "cc-transcript-sync.ts",
+    "_synkro-common.ts"
   ];
   console.log("Hook scripts (Claude Code):");
   for (const f of ccHooks) {
@@ -9018,7 +9255,11 @@ function disconnectCommand(args2 = []) {
   }
   if (sawClaudeCode) {
     const mcpRemoved = uninstallMcpConfig();
-    console.log(`${mcpRemoved ? "\u2713" : "\xB7"} MCP guardrails server: ${mcpRemoved ? "removed entry from ~/.claude.json" : "no Synkro MCP entry found"}`);
+    console.log(`${mcpRemoved ? "\u2713" : "\xB7"} MCP guardrails (CC): ${mcpRemoved ? "removed from ~/.claude.json" : "no entry found"}`);
+  }
+  {
+    const cursorMcpRemoved = uninstallCursorMcpConfig();
+    console.log(`${cursorMcpRemoved ? "\u2713" : "\xB7"} MCP guardrails (Cursor): ${cursorMcpRemoved ? "removed from ~/.cursor/mcp.json" : "no entry found"}`);
   }
   if (purge) {
     if (existsSync14(SYNKRO_DIR5)) {