@synkro-sh/cli 1.4.71 → 1.4.73

package/dist/bootstrap.js

@@ -147,6 +147,11 @@ function installCCHooks(settingsPath, config) {
         command: config.editPrecheckScriptPath,
         timeout: 30
       },
+      {
+        type: "command",
+        command: config.cwePrecheckScriptPath,
+        timeout: 30
+      },
       {
         type: "command",
         command: config.cvePrecheckScriptPath,
@@ -6249,6 +6254,7 @@ function writeHookScripts() {
   const bashScriptPath = join11(HOOKS_DIR, "cc-bash-judge.ts");
   const bashFollowupScriptPath = join11(HOOKS_DIR, "cc-bash-followup.ts");
   const editPrecheckScriptPath = join11(HOOKS_DIR, "cc-edit-precheck.ts");
+  const cwePrecheckScriptPath = join11(HOOKS_DIR, "cc-cwe-precheck.ts");
   const cvePrecheckScriptPath = join11(HOOKS_DIR, "cc-cve-precheck.ts");
   const planJudgeScriptPath = join11(HOOKS_DIR, "cc-plan-judge.ts");
   const agentJudgeScriptPath = join11(HOOKS_DIR, "cc-agent-judge.ts");
@@ -6264,6 +6270,7 @@ function writeHookScripts() {
   writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
   writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
   writeFileSync7(editPrecheckScriptPath, EDIT_PRECHECK_TS, "utf-8");
+  writeFileSync7(cwePrecheckScriptPath, CWE_PRECHECK_TS, "utf-8");
   writeFileSync7(cvePrecheckScriptPath, CVE_PRECHECK_TS, "utf-8");
   writeFileSync7(planJudgeScriptPath, PLAN_JUDGE_TS, "utf-8");
   writeFileSync7(agentJudgeScriptPath, AGENT_JUDGE_TS, "utf-8");
@@ -6279,7 +6286,7 @@ function writeHookScripts() {
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
  * JSON-RPC 2.0 over HTTP, same protocol as the cloud MCP server.
- * No auth (localhost only), no embedding API, no Inngest.
+ * Bearer token auth (file-based shared secret), localhost only, no embedding API, no Inngest.
  */
 import { existsSync, readFileSync, writeFileSync, renameSync, appendFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
@@ -6296,15 +6303,29 @@ const TOKEN_PATH = join(HOME, '.synkro', '.mcp-local-token');
 // File-based shared secret \u2014 generated once, required on all POST requests.
 function getOrCreateToken(): string {
   try {
-    if (existsSync(TOKEN_PATH)) return readFileSync(TOKEN_PATH, 'utf-8').trim();
+    return readFileSync(TOKEN_PATH, 'utf-8').trim();
   } catch {}
   const token = randomBytes(32).toString('hex');
   mkdirSync(join(HOME, '.synkro'), { recursive: true });
-  writeFileSync(TOKEN_PATH, token + '\\n', { mode: 0o600 });
-  return token;
+  try {
+    writeFileSync(TOKEN_PATH, token + '\\n', { mode: 0o600, flag: 'wx' });
+    return token;
+  } catch {
+    return readFileSync(TOKEN_PATH, 'utf-8').trim();
+  }
 }
 
 const SERVER_TOKEN = getOrCreateToken();
+const MAX_BODY_BYTES = 1_048_576;
+
+let _writeLock: Promise<void> = Promise.resolve();
+function serialized<T>(fn: () => T | Promise<T>): Promise<T> {
+  let release: () => void;
+  const next = new Promise<void>(r => { release = r; });
+  const prev = _writeLock;
+  _writeLock = next;
+  return prev.then(() => fn()).finally(() => release!());
+}
 
 // \u2500\u2500\u2500 Storage \u2500\u2500\u2500
 
@@ -6691,6 +6712,219 @@ function handleListExemptions(): any {
   return { exemptions: data.scanExemptions, total: data.scanExemptions.length };
 }
 
+// \u2500\u2500\u2500 Findings \u2500\u2500\u2500
+
+const CONFIG_PATH = join(HOME, '.synkro', 'config.json');
+const JWT_PATH = join(HOME, '.synkro', '.jwt');
+
+interface Finding {
+  id: string;
+  session_id: string;
+  file_path: string;
+  finding_type: string;
+  finding_id: string;
+  severity: string;
+  status: string;
+  detail?: string;
+  package_name?: string;
+  package_version?: string;
+  fixed_version?: string;
+  created_at: string;
+  resolved_at?: string;
+}
+
+function getCloudConfig(): { apiUrl: string; jwt: string } | null {
+  try {
+    const jwt = readFileSync(JWT_PATH, 'utf-8').trim();
+    if (!jwt) return null;
+    let apiUrl = process.env.SYNKRO_API_URL || '';
+    if (!apiUrl) {
+      try {
+        const cfg = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8'));
+        apiUrl = cfg.api_url || cfg.apiUrl || '';
+      } catch {}
+    }
+    if (!apiUrl) apiUrl = 'https://api.synkro.sh';
+    return { apiUrl, jwt };
+  } catch {
+    return null;
+  }
+}
+
+function readLocalFindings(): Finding[] {
+  if (!existsSync(TELEMETRY_PATH)) return [];
+  let lines: string[];
+  try {
+    lines = readFileSync(TELEMETRY_PATH, 'utf-8').split('\\n').filter(Boolean);
+  } catch { return []; }
+  const findingMap = new Map<string, Finding>();
+
+  for (const line of lines) {
+    try {
+      const event = JSON.parse(line);
+      if (event.capture_type !== 'scan_finding') continue;
+      const key = \`\${event.file_path}:\${event.finding_id}\`;
+      const existing = findingMap.get(key);
+      const ts = event._ts || event.created_at || '';
+
+      findingMap.set(key, {
+        id: event.id || existing?.id || \`sf_\${event.session_id}_\${event.finding_id}_\${Date.now()}\`,
+        session_id: event.session_id || existing?.session_id || '',
+        file_path: event.file_path,
+        finding_type: event.finding_type,
+        finding_id: event.finding_id,
+        severity: event.severity || 'unknown',
+        status: event.status || 'open',
+        detail: event.detail || existing?.detail,
+        package_name: event.package_name || existing?.package_name,
+        package_version: event.package_version || existing?.package_version,
+        fixed_version: event.fixed_version || existing?.fixed_version,
+        created_at: existing?.created_at || ts,
+        resolved_at: event.status === 'resolved' ? ts : existing?.resolved_at,
+      });
+    } catch {}
+  }
+
+  return Array.from(findingMap.values());
+}
+
+async function fetchCloudFindings(params: Record<string, string>): Promise<Finding[] | null> {
+  const cloud = getCloudConfig();
+  if (!cloud) return null;
+  try {
+    const qs = new URLSearchParams(params).toString();
+    const resp = await fetch(\`\${cloud.apiUrl}/api/v1/scan-findings?\${qs}\`, {
+      headers: { Authorization: \`Bearer \${cloud.jwt}\` },
+      signal: AbortSignal.timeout(5000),
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json() as any;
+    return data.findings || data.data || [];
+  } catch {
+    return null;
+  }
+}
+
+function dispatchResolution(finding: Finding): void {
+  const cloud = getCloudConfig();
+  if (!cloud) return;
+  fetch(\`\${cloud.apiUrl}/api/v1/hook/finding\`, {
+    method: 'POST',
+    headers: { Authorization: \`Bearer \${cloud.jwt}\`, 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      session_id: finding.session_id,
+      file_path: finding.file_path,
+      finding_type: finding.finding_type,
+      finding_id: finding.finding_id,
+      severity: finding.severity,
+      status: 'resolved',
+    }),
+    signal: AbortSignal.timeout(3000),
+  }).catch(() => {});
+}
+
+async function handleListFindings(args: any): Promise<any> {
+  const cloudParams: Record<string, string> = {};
+  if (args.status) cloudParams.status = args.status;
+  if (args.finding_type) cloudParams.finding_type = args.finding_type;
+  if (args.severity) cloudParams.severity = args.severity;
+  if (args.file_path) cloudParams.file_path = args.file_path;
+  if (args.limit) cloudParams.limit = String(args.limit);
+
+  const cloudFindings = await fetchCloudFindings(cloudParams);
+
+  let findings: Finding[];
+  let source: string;
+  if (cloudFindings) {
+    findings = cloudFindings;
+    source = 'cloud';
+  } else {
+    findings = readLocalFindings();
+    source = 'local';
+    if (args.status) findings = findings.filter(f => f.status === args.status);
+    if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);
+    if (args.severity) findings = findings.filter(f => f.severity === args.severity);
+    if (args.file_path) findings = findings.filter(f => f.file_path.includes(args.file_path));
+  }
+
+  findings.sort((a, b) => (b.created_at || '').localeCompare(a.created_at || ''));
+  const limit = Math.min(args.limit || 25, 50);
+  return {
+    source,
+    findings: findings.slice(0, limit).map(f => ({
+      id: f.id,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      file_path: f.file_path,
+      severity: f.severity,
+      status: f.status,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      created_at: f.created_at,
+    })),
+    total: findings.length,
+    open: findings.filter(f => f.status === 'open').length,
+    resolved: findings.filter(f => f.status === 'resolved').length,
+  };
+}
+
+async function handleGetFindingDetail(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const match = findings.find(f => {
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    return false;
+  });
+  if (!match) return { found: false, error: 'Finding not found' };
+  return { found: true, ...match };
+}
+
+async function handleResolveFinding(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const toResolve = findings.filter(f => {
+    if (f.status !== 'open') return false;
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    if (args.file_path) return f.file_path.includes(args.file_path);
+    return false;
+  });
+
+  if (toResolve.length === 0) return { resolved: 0, error: 'No matching open findings' };
+
+  const now = new Date().toISOString();
+  for (const f of toResolve) {
+    const event = {
+      capture_type: 'scan_finding',
+      id: f.id,
+      session_id: f.session_id,
+      file_path: f.file_path,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      severity: f.severity,
+      status: 'resolved',
+      detail: f.detail,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      fixed_version: f.fixed_version,
+      resolved_at: now,
+      _ts: now,
+    };
+    try {
+      appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');
+    } catch {}
+    dispatchResolution(f);
+  }
+
+  return {
+    resolved: toResolve.length,
+    findings: toResolve.map(f => ({ finding_id: f.finding_id, file_path: f.file_path })),
+  };
+}
+
 // \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500
 
 const TOOL_DESCRIPTORS = [
@@ -6854,6 +7088,47 @@ const TOOL_DESCRIPTORS = [
     description: "List all scan exemptions.",
     inputSchema: { type: 'object', properties: {}, required: [] },
   },
+  {
+    name: 'list_findings',
+    description: "List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },
+        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },
+        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
+        file_path: { type: 'string', description: 'Filter by file path substring.' },
+        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'get_finding_detail',
+    description: "Get full detail of a specific finding including remediation context.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },
+        file_path: { type: 'string', description: 'File path (used with finding_id).' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'resolve_finding',
+    description: "Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Specific finding ID to resolve.' },
+        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },
+      },
+      required: [],
+    },
+  },
 ];
 
 const MCP_INSTRUCTIONS =
@@ -6864,7 +7139,12 @@ const MCP_INSTRUCTIONS =
   "'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n" +
   "TOOL ROUTING:\\n" +
   "  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n" +
-  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n\\n" +
+  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n" +
+  "  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n" +
+  "  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n" +
+  "  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n" +
+  "When the user asks about security issues, vulnerabilities, or scan results, " +
+  "use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n" +
   "Do NOT use Claude Code's \`update-config\` skill for these requests.\\n\\n" +
   "Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.";
 
@@ -6917,6 +7197,9 @@ async function handleRpc(body: any): Promise<any> {
         case 'exempt_path': result = handleExemptPath(args); break;
         case 'remove_exemption': result = handleRemoveExemption(args); break;
         case 'list_exemptions': result = handleListExemptions(); break;
+        case 'list_findings': result = await handleListFindings(args); break;
+        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;
+        case 'resolve_finding': result = await handleResolveFinding(args); break;
         default: return jsonRpcError(id, -32601, \`Unknown tool: \${toolName}\`);
       }
       return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });
@@ -7056,14 +7339,25 @@ const server = Bun.serve({
     }
 
     if (req.method === 'POST') {
-      try {
-        const body = await req.json();
-        const result = await handleRpc(body);
-        if (result === null) return new Response('', { status: 204, headers: cors });
-        return Response.json(result, { headers: cors });
-      } catch (err) {
-        return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+      const authHeader = req.headers.get('authorization') || '';
+      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
+      if (bearer !== SERVER_TOKEN) {
+        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });
+      }
+      const raw = await req.arrayBuffer();
+      if (raw.byteLength > MAX_BODY_BYTES) {
+        return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });
       }
+      return serialized(async () => {
+        try {
+          const body = JSON.parse(new TextDecoder().decode(raw));
+          const result = await handleRpc(body);
+          if (result === null) return new Response('', { status: 204, headers: cors });
+          return Response.json(result, { headers: cors });
+        } catch {
+          return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+        }
+      });
     }
 
     if (req.method === 'OPTIONS') {
@@ -7079,6 +7373,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
   chmodSync2(bashScriptPath, 493);
   chmodSync2(bashFollowupScriptPath, 493);
   chmodSync2(editPrecheckScriptPath, 493);
+  chmodSync2(cwePrecheckScriptPath, 493);
   chmodSync2(cvePrecheckScriptPath, 493);
   chmodSync2(planJudgeScriptPath, 493);
   chmodSync2(agentJudgeScriptPath, 493);
@@ -7095,6 +7390,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
     bashScript: bashScriptPath,
     bashFollowupScript: bashFollowupScriptPath,
     editPrecheckScript: editPrecheckScriptPath,
+    cwePrecheckScript: cwePrecheckScriptPath,
     cvePrecheckScript: cvePrecheckScriptPath,
     planJudgeScript: planJudgeScriptPath,
     agentJudgeScript: agentJudgeScriptPath,
@@ -7136,7 +7432,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.71")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.73")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7536,6 +7832,8 @@ async function installCommand(opts = {}) {
   console.log(`  ${scripts.bashScript}`);
   console.log(`  ${scripts.bashFollowupScript}`);
   console.log(`  ${scripts.editPrecheckScript}`);
+  console.log(`  ${scripts.cwePrecheckScript}`);
+  console.log(`  ${scripts.cvePrecheckScript}`);
   console.log(`  ${scripts.planJudgeScript}`);
   console.log(`  ${scripts.agentJudgeScript}`);
   console.log(`  ${scripts.stopSummaryScript}`);
@@ -7571,6 +7869,7 @@ async function installCommand(opts = {}) {
         bashJudgeScriptPath: scripts.bashScript,
         bashFollowupScriptPath: scripts.bashFollowupScript,
         editPrecheckScriptPath: scripts.editPrecheckScript,
+        cwePrecheckScriptPath: scripts.cwePrecheckScript,
         cvePrecheckScriptPath: scripts.cvePrecheckScript,
         planJudgeScriptPath: scripts.planJudgeScript,
         agentJudgeScriptPath: scripts.agentJudgeScript,
@@ -7588,6 +7887,7 @@ async function installCommand(opts = {}) {
         editCaptureScriptPath: scripts.cursorEditCaptureScript,
         bashFollowupScriptPath: scripts.bashFollowupScript,
         editPrecheckScriptPath: scripts.editPrecheckScript,
+        cwePrecheckScriptPath: scripts.cwePrecheckScript,
         cvePrecheckScriptPath: scripts.cvePrecheckScript,
         planJudgeScriptPath: scripts.planJudgeScript,
         agentJudgeScriptPath: scripts.agentJudgeScript,