npm - @synkro-sh/cli - Versions diffs - 1.4.72 → 1.4.73 - Mend

@synkro-sh/cli 1.4.72 → 1.4.73

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -6286,7 +6286,7 @@ function writeHookScripts() {
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
  * JSON-RPC 2.0 over HTTP, same protocol as the cloud MCP server.
- * No auth (localhost only), no embedding API, no Inngest.
+ * Bearer token auth (file-based shared secret), localhost only, no embedding API, no Inngest.
  */
 import { existsSync, readFileSync, writeFileSync, renameSync, appendFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
@@ -6303,15 +6303,29 @@ const TOKEN_PATH = join(HOME, '.synkro', '.mcp-local-token');
 // File-based shared secret \u2014 generated once, required on all POST requests.
 function getOrCreateToken(): string {
   try {
-    if (existsSync(TOKEN_PATH)) return readFileSync(TOKEN_PATH, 'utf-8').trim();
+    return readFileSync(TOKEN_PATH, 'utf-8').trim();
   } catch {}
   const token = randomBytes(32).toString('hex');
   mkdirSync(join(HOME, '.synkro'), { recursive: true });
-  writeFileSync(TOKEN_PATH, token + '\\n', { mode: 0o600 });
-  return token;
+  try {
+    writeFileSync(TOKEN_PATH, token + '\\n', { mode: 0o600, flag: 'wx' });
+    return token;
+  } catch {
+    return readFileSync(TOKEN_PATH, 'utf-8').trim();
+  }
 }
 const SERVER_TOKEN = getOrCreateToken();
+const MAX_BODY_BYTES = 1_048_576;
+let _writeLock: Promise<void> = Promise.resolve();
+function serialized<T>(fn: () => T | Promise<T>): Promise<T> {
+  let release: () => void;
+  const next = new Promise<void>(r => { release = r; });
+  const prev = _writeLock;
+  _writeLock = next;
+  return prev.then(() => fn()).finally(() => release!());
+}
 // \u2500\u2500\u2500 Storage \u2500\u2500\u2500
@@ -6698,6 +6712,219 @@ function handleListExemptions(): any {
   return { exemptions: data.scanExemptions, total: data.scanExemptions.length };
 }
+// \u2500\u2500\u2500 Findings \u2500\u2500\u2500
+const CONFIG_PATH = join(HOME, '.synkro', 'config.json');
+const JWT_PATH = join(HOME, '.synkro', '.jwt');
+interface Finding {
+  id: string;
+  session_id: string;
+  file_path: string;
+  finding_type: string;
+  finding_id: string;
+  severity: string;
+  status: string;
+  detail?: string;
+  package_name?: string;
+  package_version?: string;
+  fixed_version?: string;
+  created_at: string;
+  resolved_at?: string;
+}
+function getCloudConfig(): { apiUrl: string; jwt: string } | null {
+  try {
+    const jwt = readFileSync(JWT_PATH, 'utf-8').trim();
+    if (!jwt) return null;
+    let apiUrl = process.env.SYNKRO_API_URL || '';
+    if (!apiUrl) {
+      try {
+        const cfg = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8'));
+        apiUrl = cfg.api_url || cfg.apiUrl || '';
+      } catch {}
+    }
+    if (!apiUrl) apiUrl = 'https://api.synkro.sh';
+    return { apiUrl, jwt };
+  } catch {
+    return null;
+  }
+}
+function readLocalFindings(): Finding[] {
+  if (!existsSync(TELEMETRY_PATH)) return [];
+  let lines: string[];
+  try {
+    lines = readFileSync(TELEMETRY_PATH, 'utf-8').split('\\n').filter(Boolean);
+  } catch { return []; }
+  const findingMap = new Map<string, Finding>();
+  for (const line of lines) {
+    try {
+      const event = JSON.parse(line);
+      if (event.capture_type !== 'scan_finding') continue;
+      const key = \`\${event.file_path}:\${event.finding_id}\`;
+      const existing = findingMap.get(key);
+      const ts = event._ts || event.created_at || '';
+      findingMap.set(key, {
+        id: event.id || existing?.id || \`sf_\${event.session_id}_\${event.finding_id}_\${Date.now()}\`,
+        session_id: event.session_id || existing?.session_id || '',
+        file_path: event.file_path,
+        finding_type: event.finding_type,
+        finding_id: event.finding_id,
+        severity: event.severity || 'unknown',
+        status: event.status || 'open',
+        detail: event.detail || existing?.detail,
+        package_name: event.package_name || existing?.package_name,
+        package_version: event.package_version || existing?.package_version,
+        fixed_version: event.fixed_version || existing?.fixed_version,
+        created_at: existing?.created_at || ts,
+        resolved_at: event.status === 'resolved' ? ts : existing?.resolved_at,
+      });
+    } catch {}
+  }
+  return Array.from(findingMap.values());
+}
+async function fetchCloudFindings(params: Record<string, string>): Promise<Finding[] | null> {
+  const cloud = getCloudConfig();
+  if (!cloud) return null;
+  try {
+    const qs = new URLSearchParams(params).toString();
+    const resp = await fetch(\`\${cloud.apiUrl}/api/v1/scan-findings?\${qs}\`, {
+      headers: { Authorization: \`Bearer \${cloud.jwt}\` },
+      signal: AbortSignal.timeout(5000),
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json() as any;
+    return data.findings || data.data || [];
+  } catch {
+    return null;
+  }
+}
+function dispatchResolution(finding: Finding): void {
+  const cloud = getCloudConfig();
+  if (!cloud) return;
+  fetch(\`\${cloud.apiUrl}/api/v1/hook/finding\`, {
+    method: 'POST',
+    headers: { Authorization: \`Bearer \${cloud.jwt}\`, 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      session_id: finding.session_id,
+      file_path: finding.file_path,
+      finding_type: finding.finding_type,
+      finding_id: finding.finding_id,
+      severity: finding.severity,
+      status: 'resolved',
+    }),
+    signal: AbortSignal.timeout(3000),
+  }).catch(() => {});
+}
+async function handleListFindings(args: any): Promise<any> {
+  const cloudParams: Record<string, string> = {};
+  if (args.status) cloudParams.status = args.status;
+  if (args.finding_type) cloudParams.finding_type = args.finding_type;
+  if (args.severity) cloudParams.severity = args.severity;
+  if (args.file_path) cloudParams.file_path = args.file_path;
+  if (args.limit) cloudParams.limit = String(args.limit);
+  const cloudFindings = await fetchCloudFindings(cloudParams);
+  let findings: Finding[];
+  let source: string;
+  if (cloudFindings) {
+    findings = cloudFindings;
+    source = 'cloud';
+  } else {
+    findings = readLocalFindings();
+    source = 'local';
+    if (args.status) findings = findings.filter(f => f.status === args.status);
+    if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);
+    if (args.severity) findings = findings.filter(f => f.severity === args.severity);
+    if (args.file_path) findings = findings.filter(f => f.file_path.includes(args.file_path));
+  }
+  findings.sort((a, b) => (b.created_at || '').localeCompare(a.created_at || ''));
+  const limit = Math.min(args.limit || 25, 50);
+  return {
+    source,
+    findings: findings.slice(0, limit).map(f => ({
+      id: f.id,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      file_path: f.file_path,
+      severity: f.severity,
+      status: f.status,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      created_at: f.created_at,
+    })),
+    total: findings.length,
+    open: findings.filter(f => f.status === 'open').length,
+    resolved: findings.filter(f => f.status === 'resolved').length,
+  };
+}
+async function handleGetFindingDetail(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const match = findings.find(f => {
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    return false;
+  });
+  if (!match) return { found: false, error: 'Finding not found' };
+  return { found: true, ...match };
+}
+async function handleResolveFinding(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const toResolve = findings.filter(f => {
+    if (f.status !== 'open') return false;
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    if (args.file_path) return f.file_path.includes(args.file_path);
+    return false;
+  });
+  if (toResolve.length === 0) return { resolved: 0, error: 'No matching open findings' };
+  const now = new Date().toISOString();
+  for (const f of toResolve) {
+    const event = {
+      capture_type: 'scan_finding',
+      id: f.id,
+      session_id: f.session_id,
+      file_path: f.file_path,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      severity: f.severity,
+      status: 'resolved',
+      detail: f.detail,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      fixed_version: f.fixed_version,
+      resolved_at: now,
+      _ts: now,
+    };
+    try {
+      appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');
+    } catch {}
+    dispatchResolution(f);
+  }
+  return {
+    resolved: toResolve.length,
+    findings: toResolve.map(f => ({ finding_id: f.finding_id, file_path: f.file_path })),
+  };
+}
 // \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500
 const TOOL_DESCRIPTORS = [
@@ -6861,6 +7088,47 @@ const TOOL_DESCRIPTORS = [
     description: "List all scan exemptions.",
     inputSchema: { type: 'object', properties: {}, required: [] },
   },
+  {
+    name: 'list_findings',
+    description: "List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },
+        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },
+        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
+        file_path: { type: 'string', description: 'Filter by file path substring.' },
+        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'get_finding_detail',
+    description: "Get full detail of a specific finding including remediation context.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },
+        file_path: { type: 'string', description: 'File path (used with finding_id).' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'resolve_finding',
+    description: "Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Specific finding ID to resolve.' },
+        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },
+      },
+      required: [],
+    },
+  },
 ];
 const MCP_INSTRUCTIONS =
@@ -6871,7 +7139,12 @@ const MCP_INSTRUCTIONS =
   "'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n" +
   "TOOL ROUTING:\\n" +
   "  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n" +
-  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n\\n" +
+  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n" +
+  "  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n" +
+  "  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n" +
+  "  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n" +
+  "When the user asks about security issues, vulnerabilities, or scan results, " +
+  "use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n" +
   "Do NOT use Claude Code's \`update-config\` skill for these requests.\\n\\n" +
   "Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.";
@@ -6924,6 +7197,9 @@ async function handleRpc(body: any): Promise<any> {
         case 'exempt_path': result = handleExemptPath(args); break;
         case 'remove_exemption': result = handleRemoveExemption(args); break;
         case 'list_exemptions': result = handleListExemptions(); break;
+        case 'list_findings': result = await handleListFindings(args); break;
+        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;
+        case 'resolve_finding': result = await handleResolveFinding(args); break;
         default: return jsonRpcError(id, -32601, \`Unknown tool: \${toolName}\`);
       }
       return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });
@@ -7063,14 +7339,25 @@ const server = Bun.serve({
     }
     if (req.method === 'POST') {
-      try {
-        const body = await req.json();
-        const result = await handleRpc(body);
-        if (result === null) return new Response('', { status: 204, headers: cors });
-        return Response.json(result, { headers: cors });
-      } catch (err) {
-        return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+      const authHeader = req.headers.get('authorization') || '';
+      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
+      if (bearer !== SERVER_TOKEN) {
+        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });
+      }
+      const raw = await req.arrayBuffer();
+      if (raw.byteLength > MAX_BODY_BYTES) {
+        return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });
       }
+      return serialized(async () => {
+        try {
+          const body = JSON.parse(new TextDecoder().decode(raw));
+          const result = await handleRpc(body);
+          if (result === null) return new Response('', { status: 204, headers: cors });
+          return Response.json(result, { headers: cors });
+        } catch {
+          return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+        }
+      });
     }
     if (req.method === 'OPTIONS') {
@@ -7145,7 +7432,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.72")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.73")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);