@synkro-sh/cli 1.4.72 → 1.4.74

package/dist/bootstrap.js

@@ -536,21 +536,15 @@ function installMcpConfig(opts) {
     if (entry?.[SYNKRO_MARKER3] === true) delete config.mcpServers[name];
   }
   if (opts.local) {
-    const url2 = "http://127.0.0.1:8931/";
-    const tokenPath = join2(homedir3(), ".synkro", ".mcp-local-token");
-    let localToken = "";
-    try {
-      localToken = readFileSync3(tokenPath, "utf-8").trim();
-    } catch {
-    }
+    const proxyScript = join2(homedir3(), ".synkro", "hooks", "mcp-stdio-proxy.ts");
     config.mcpServers[SYNKRO_SERVER_NAME] = {
-      type: "http",
-      url: url2,
-      ...localToken ? { headers: { Authorization: `Bearer ${localToken}` } } : {},
+      type: "stdio",
+      command: "bun",
+      args: ["run", proxyScript],
       [SYNKRO_MARKER3]: true
     };
     writeClaudeJsonAtomic(config);
-    return { path: CC_CONFIG_PATH, url: url2 };
+    return { path: CC_CONFIG_PATH, url: `stdio://${proxyScript}` };
   }
   const url = `${opts.gatewayUrl.replace(/\/$/, "")}/api/v1/mcp/guardrails`;
   config.mcpServers[SYNKRO_SERVER_NAME] = {
@@ -612,15 +606,15 @@ function installCursorMcpConfig(opts) {
   }
   if (opts.local) {
     const url2 = "http://127.0.0.1:8931/";
-    const tokenPath = join2(homedir3(), ".synkro", ".mcp-local-token");
-    let localToken = "";
+    const jwtPath = join2(homedir3(), ".synkro", ".mcp-jwt");
+    let jwt2 = "";
     try {
-      localToken = readFileSync3(tokenPath, "utf-8").trim();
+      jwt2 = readFileSync3(jwtPath, "utf-8").trim();
     } catch {
     }
     config.mcpServers[SYNKRO_SERVER_NAME] = {
       url: url2,
-      ...localToken ? { headers: { Authorization: `Bearer ${localToken}` } } : {},
+      ...jwt2 ? { headers: { Authorization: `Bearer ${jwt2}` } } : {},
       [SYNKRO_MARKER3]: true
     };
     writeCursorMcpJsonAtomic(config);
@@ -6267,6 +6261,7 @@ function writeHookScripts() {
   const cursorBashJudgePath = join11(HOOKS_DIR, "cursor-bash-judge.ts");
   const cursorEditCapturePath = join11(HOOKS_DIR, "cursor-edit-capture.ts");
   const mcpLocalServerPath = join11(HOOKS_DIR, "mcp-local-server.ts");
+  const mcpStdioProxyPath = join11(HOOKS_DIR, "mcp-stdio-proxy.ts");
   writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
   writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
   writeFileSync7(editPrecheckScriptPath, EDIT_PRECHECK_TS, "utf-8");
@@ -6286,32 +6281,33 @@ function writeHookScripts() {
 /**
  * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
  * JSON-RPC 2.0 over HTTP, same protocol as the cloud MCP server.
- * No auth (localhost only), no embedding API, no Inngest.
+ * Bearer token auth (file-based shared secret), localhost only, no embedding API, no Inngest.
  */
 import { existsSync, readFileSync, writeFileSync, renameSync, appendFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
-import { randomBytes } from 'node:crypto';
-
 const PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);
 const HOME = homedir();
 const RULES_PATH = join(HOME, '.synkro', 'rules.json');
 const TELEMETRY_PATH = join(HOME, '.synkro', 'telemetry.jsonl');
-const TOKEN_PATH = join(HOME, '.synkro', '.mcp-local-token');
+const JWT_TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');
 
-// File-based shared secret \u2014 generated once, required on all POST requests.
-function getOrCreateToken(): string {
-  try {
-    if (existsSync(TOKEN_PATH)) return readFileSync(TOKEN_PATH, 'utf-8').trim();
-  } catch {}
-  const token = randomBytes(32).toString('hex');
-  mkdirSync(join(HOME, '.synkro'), { recursive: true });
-  writeFileSync(TOKEN_PATH, token + '\\n', { mode: 0o600 });
-  return token;
-}
+// Synkro-signed long-lived JWT \u2014 minted during \`synkro install\`, required on all POST requests.
+// If missing, the server still starts (for GET health checks) but rejects all tool calls.
+let SERVER_TOKEN = '';
+try { SERVER_TOKEN = readFileSync(JWT_TOKEN_PATH, 'utf-8').trim(); } catch {}
+if (!SERVER_TOKEN) console.warn('[synkro] \u26A0 No MCP JWT found \u2014 run \`synkro install\` to authenticate.');
+const MAX_BODY_BYTES = 1_048_576;
 
-const SERVER_TOKEN = getOrCreateToken();
+let _writeLock: Promise<void> = Promise.resolve();
+function serialized<T>(fn: () => T | Promise<T>): Promise<T> {
+  let release: () => void;
+  const next = new Promise<void>(r => { release = r; });
+  const prev = _writeLock;
+  _writeLock = next;
+  return prev.then(() => fn()).finally(() => release!());
+}
 
 // \u2500\u2500\u2500 Storage \u2500\u2500\u2500
 
@@ -6698,6 +6694,219 @@ function handleListExemptions(): any {
   return { exemptions: data.scanExemptions, total: data.scanExemptions.length };
 }
 
+// \u2500\u2500\u2500 Findings \u2500\u2500\u2500
+
+const CONFIG_PATH = join(HOME, '.synkro', 'config.json');
+const JWT_PATH = join(HOME, '.synkro', '.jwt');
+
+interface Finding {
+  id: string;
+  session_id: string;
+  file_path: string;
+  finding_type: string;
+  finding_id: string;
+  severity: string;
+  status: string;
+  detail?: string;
+  package_name?: string;
+  package_version?: string;
+  fixed_version?: string;
+  created_at: string;
+  resolved_at?: string;
+}
+
+function getCloudConfig(): { apiUrl: string; jwt: string } | null {
+  try {
+    const jwt = readFileSync(JWT_PATH, 'utf-8').trim();
+    if (!jwt) return null;
+    let apiUrl = process.env.SYNKRO_API_URL || '';
+    if (!apiUrl) {
+      try {
+        const cfg = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8'));
+        apiUrl = cfg.api_url || cfg.apiUrl || '';
+      } catch {}
+    }
+    if (!apiUrl) apiUrl = 'https://api.synkro.sh';
+    return { apiUrl, jwt };
+  } catch {
+    return null;
+  }
+}
+
+function readLocalFindings(): Finding[] {
+  if (!existsSync(TELEMETRY_PATH)) return [];
+  let lines: string[];
+  try {
+    lines = readFileSync(TELEMETRY_PATH, 'utf-8').split('\\n').filter(Boolean);
+  } catch { return []; }
+  const findingMap = new Map<string, Finding>();
+
+  for (const line of lines) {
+    try {
+      const event = JSON.parse(line);
+      if (event.capture_type !== 'scan_finding') continue;
+      const key = \`\${event.file_path}:\${event.finding_id}\`;
+      const existing = findingMap.get(key);
+      const ts = event._ts || event.created_at || '';
+
+      findingMap.set(key, {
+        id: event.id || existing?.id || \`sf_\${event.session_id}_\${event.finding_id}_\${Date.now()}\`,
+        session_id: event.session_id || existing?.session_id || '',
+        file_path: event.file_path,
+        finding_type: event.finding_type,
+        finding_id: event.finding_id,
+        severity: event.severity || 'unknown',
+        status: event.status || 'open',
+        detail: event.detail || existing?.detail,
+        package_name: event.package_name || existing?.package_name,
+        package_version: event.package_version || existing?.package_version,
+        fixed_version: event.fixed_version || existing?.fixed_version,
+        created_at: existing?.created_at || ts,
+        resolved_at: event.status === 'resolved' ? ts : existing?.resolved_at,
+      });
+    } catch {}
+  }
+
+  return Array.from(findingMap.values());
+}
+
+async function fetchCloudFindings(params: Record<string, string>): Promise<Finding[] | null> {
+  const cloud = getCloudConfig();
+  if (!cloud) return null;
+  try {
+    const qs = new URLSearchParams(params).toString();
+    const resp = await fetch(\`\${cloud.apiUrl}/api/v1/scan-findings?\${qs}\`, {
+      headers: { Authorization: \`Bearer \${cloud.jwt}\` },
+      signal: AbortSignal.timeout(5000),
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json() as any;
+    return data.findings || data.data || [];
+  } catch {
+    return null;
+  }
+}
+
+function dispatchResolution(finding: Finding): void {
+  const cloud = getCloudConfig();
+  if (!cloud) return;
+  fetch(\`\${cloud.apiUrl}/api/v1/hook/finding\`, {
+    method: 'POST',
+    headers: { Authorization: \`Bearer \${cloud.jwt}\`, 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      session_id: finding.session_id,
+      file_path: finding.file_path,
+      finding_type: finding.finding_type,
+      finding_id: finding.finding_id,
+      severity: finding.severity,
+      status: 'resolved',
+    }),
+    signal: AbortSignal.timeout(3000),
+  }).catch(() => {});
+}
+
+async function handleListFindings(args: any): Promise<any> {
+  const cloudParams: Record<string, string> = {};
+  if (args.status) cloudParams.status = args.status;
+  if (args.finding_type) cloudParams.finding_type = args.finding_type;
+  if (args.severity) cloudParams.severity = args.severity;
+  if (args.file_path) cloudParams.file_path = args.file_path;
+  if (args.limit) cloudParams.limit = String(args.limit);
+
+  const cloudFindings = await fetchCloudFindings(cloudParams);
+
+  let findings: Finding[];
+  let source: string;
+  if (cloudFindings) {
+    findings = cloudFindings;
+    source = 'cloud';
+  } else {
+    findings = readLocalFindings();
+    source = 'local';
+    if (args.status) findings = findings.filter(f => f.status === args.status);
+    if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);
+    if (args.severity) findings = findings.filter(f => f.severity === args.severity);
+    if (args.file_path) findings = findings.filter(f => f.file_path.includes(args.file_path));
+  }
+
+  findings.sort((a, b) => (b.created_at || '').localeCompare(a.created_at || ''));
+  const limit = Math.min(args.limit || 25, 50);
+  return {
+    source,
+    findings: findings.slice(0, limit).map(f => ({
+      id: f.id,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      file_path: f.file_path,
+      severity: f.severity,
+      status: f.status,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      created_at: f.created_at,
+    })),
+    total: findings.length,
+    open: findings.filter(f => f.status === 'open').length,
+    resolved: findings.filter(f => f.status === 'resolved').length,
+  };
+}
+
+async function handleGetFindingDetail(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const match = findings.find(f => {
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    return false;
+  });
+  if (!match) return { found: false, error: 'Finding not found' };
+  return { found: true, ...match };
+}
+
+async function handleResolveFinding(args: any): Promise<any> {
+  const findings = readLocalFindings();
+  const toResolve = findings.filter(f => {
+    if (f.status !== 'open') return false;
+    if (args.id && f.id === args.id) return true;
+    if (args.file_path && args.finding_id) {
+      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
+    }
+    if (args.file_path) return f.file_path.includes(args.file_path);
+    return false;
+  });
+
+  if (toResolve.length === 0) return { resolved: 0, error: 'No matching open findings' };
+
+  const now = new Date().toISOString();
+  for (const f of toResolve) {
+    const event = {
+      capture_type: 'scan_finding',
+      id: f.id,
+      session_id: f.session_id,
+      file_path: f.file_path,
+      finding_type: f.finding_type,
+      finding_id: f.finding_id,
+      severity: f.severity,
+      status: 'resolved',
+      detail: f.detail,
+      package_name: f.package_name,
+      package_version: f.package_version,
+      fixed_version: f.fixed_version,
+      resolved_at: now,
+      _ts: now,
+    };
+    try {
+      appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');
+    } catch {}
+    dispatchResolution(f);
+  }
+
+  return {
+    resolved: toResolve.length,
+    findings: toResolve.map(f => ({ finding_id: f.finding_id, file_path: f.file_path })),
+  };
+}
+
 // \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500
 
 const TOOL_DESCRIPTORS = [
@@ -6861,6 +7070,47 @@ const TOOL_DESCRIPTORS = [
     description: "List all scan exemptions.",
     inputSchema: { type: 'object', properties: {}, required: [] },
   },
+  {
+    name: 'list_findings',
+    description: "List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },
+        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },
+        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
+        file_path: { type: 'string', description: 'Filter by file path substring.' },
+        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'get_finding_detail',
+    description: "Get full detail of a specific finding including remediation context.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },
+        file_path: { type: 'string', description: 'File path (used with finding_id).' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'resolve_finding',
+    description: "Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Specific finding ID to resolve.' },
+        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },
+        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },
+      },
+      required: [],
+    },
+  },
 ];
 
 const MCP_INSTRUCTIONS =
@@ -6871,7 +7121,12 @@ const MCP_INSTRUCTIONS =
   "'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n" +
   "TOOL ROUTING:\\n" +
   "  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n" +
-  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n\\n" +
+  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n" +
+  "  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n" +
+  "  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n" +
+  "  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n" +
+  "When the user asks about security issues, vulnerabilities, or scan results, " +
+  "use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n" +
   "Do NOT use Claude Code's \`update-config\` skill for these requests.\\n\\n" +
   "Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.";
 
@@ -6924,6 +7179,9 @@ async function handleRpc(body: any): Promise<any> {
         case 'exempt_path': result = handleExemptPath(args); break;
         case 'remove_exemption': result = handleRemoveExemption(args); break;
         case 'list_exemptions': result = handleListExemptions(); break;
+        case 'list_findings': result = await handleListFindings(args); break;
+        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;
+        case 'resolve_finding': result = await handleResolveFinding(args); break;
         default: return jsonRpcError(id, -32601, \`Unknown tool: \${toolName}\`);
       }
       return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });
@@ -7063,14 +7321,25 @@ const server = Bun.serve({
     }
 
     if (req.method === 'POST') {
-      try {
-        const body = await req.json();
-        const result = await handleRpc(body);
-        if (result === null) return new Response('', { status: 204, headers: cors });
-        return Response.json(result, { headers: cors });
-      } catch (err) {
-        return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+      const authHeader = req.headers.get('authorization') || '';
+      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
+      if (bearer !== SERVER_TOKEN) {
+        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });
+      }
+      const raw = await req.arrayBuffer();
+      if (raw.byteLength > MAX_BODY_BYTES) {
+        return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });
       }
+      return serialized(async () => {
+        try {
+          const body = JSON.parse(new TextDecoder().decode(raw));
+          const result = await handleRpc(body);
+          if (result === null) return new Response('', { status: 204, headers: cors });
+          return Response.json(result, { headers: cors });
+        } catch {
+          return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
+        }
+      });
     }
 
     if (req.method === 'OPTIONS') {
@@ -7083,6 +7352,7 @@ const server = Bun.serve({
 
 console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1:\${server.port}\`);
 `, "utf-8");
+  writeFileSync7(mcpStdioProxyPath, MCP_STDIO_PROXY_SRC, "utf-8");
   chmodSync2(bashScriptPath, 493);
   chmodSync2(bashFollowupScriptPath, 493);
   chmodSync2(editPrecheckScriptPath, 493);
@@ -7099,6 +7369,7 @@ console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1
   chmodSync2(cursorBashJudgePath, 493);
   chmodSync2(cursorEditCapturePath, 493);
   chmodSync2(mcpLocalServerPath, 493);
+  chmodSync2(mcpStdioProxyPath, 493);
   return {
     bashScript: bashScriptPath,
     bashFollowupScript: bashFollowupScriptPath,
@@ -7145,7 +7416,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.72")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.74")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7628,7 +7899,20 @@ async function installCommand(opts = {}) {
   if (hasClaudeCode && !opts.noMcp) {
     if (useLocalMcp) {
       try {
-        const mcp = installMcpConfig({ gatewayUrl, bearerToken: "", local: true });
+        const mintResp = await fetch(`${gatewayUrl}/api/v1/cli/mcp-token`, {
+          method: "POST",
+          headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
+          body: "{}"
+        });
+        let mcpJwt = "";
+        if (mintResp.ok) {
+          const minted = await mintResp.json();
+          mcpJwt = minted.token;
+          writeFileSync7(join11(SYNKRO_DIR2, ".mcp-jwt"), mcpJwt + "\n", { mode: 384 });
+        } else {
+          console.warn("  \u26A0 Could not mint MCP token \u2014 local server will reject requests until re-installed.");
+        }
+        const mcp = installMcpConfig({ gatewayUrl, bearerToken: mcpJwt, local: true });
         console.log(`Registered local MCP guardrails server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
         console.log("  (rules stored in ~/.synkro/rules.json)");
@@ -7655,6 +7939,7 @@ async function installCommand(opts = {}) {
           throw new Error(`mcp-token mint failed (${mintResp.status}): ${errText.slice(0, 200)}`);
         }
         const minted = await mintResp.json();
+        writeFileSync7(join11(SYNKRO_DIR2, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
         const mcp = installMcpConfig({ gatewayUrl, bearerToken: minted.token });
         console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
@@ -7671,6 +7956,18 @@ async function installCommand(opts = {}) {
   if (hasCursor && !opts.noMcp) {
     try {
       if (useLocalMcp) {
+        const jwtPath = join11(SYNKRO_DIR2, ".mcp-jwt");
+        if (!existsSync10(jwtPath)) {
+          const mintResp = await fetch(`${gatewayUrl}/api/v1/cli/mcp-token`, {
+            method: "POST",
+            headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
+            body: "{}"
+          });
+          if (mintResp.ok) {
+            const minted = await mintResp.json();
+            writeFileSync7(jwtPath, minted.token + "\n", { mode: 384 });
+          }
+        }
         const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: "", local: true });
         console.log(`Registered local MCP guardrails server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
@@ -7688,6 +7985,7 @@ async function installCommand(opts = {}) {
           throw new Error(`mcp-token mint failed (${mintResp.status}): ${errText.slice(0, 200)}`);
         }
         const minted = await mintResp.json();
+        writeFileSync7(join11(SYNKRO_DIR2, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
         const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: minted.token });
         console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
@@ -8027,7 +8325,7 @@ async function syncTranscriptsBulk(gatewayUrl, token, repo) {
   }
   return { sessions: totalSessions, messages: totalMessages };
 }
-var SYNKRO_DIR2, HOOKS_DIR, BIN_DIR, CONFIG_PATH3, OFFSETS_DIR, RULES_PATH, MCP_LOCAL_PORT;
+var SYNKRO_DIR2, HOOKS_DIR, BIN_DIR, CONFIG_PATH3, MCP_STDIO_PROXY_SRC, OFFSETS_DIR, RULES_PATH, MCP_LOCAL_PORT;
 var init_install2 = __esm({
   "cli/commands/install.ts"() {
     "use strict";
@@ -8050,6 +8348,52 @@ var init_install2 = __esm({
     HOOKS_DIR = join11(SYNKRO_DIR2, "hooks");
     BIN_DIR = join11(SYNKRO_DIR2, "bin");
     CONFIG_PATH3 = join11(SYNKRO_DIR2, "config.env");
+    MCP_STDIO_PROXY_SRC = `#!/usr/bin/env bun
+import { readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { createInterface } from 'node:readline';
+
+const HOME = homedir();
+const TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');
+const PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);
+const URL = \`http://127.0.0.1:\${PORT}\`;
+
+let token = '';
+try { token = readFileSync(TOKEN_PATH, 'utf-8').trim(); } catch {}
+
+const rl = createInterface({ input: process.stdin, terminal: false });
+
+rl.on('line', async (line) => {
+  if (!line.trim()) return;
+  let msg;
+  try { msg = JSON.parse(line); } catch { return; }
+  if (!msg.id && msg.method?.startsWith('notifications/')) return;
+
+  try {
+    const resp = await fetch(URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': \`Bearer \${token}\`,
+      },
+      body: line,
+      signal: AbortSignal.timeout(30000),
+    });
+    if (resp.status === 204) return;
+    const body = await resp.text();
+    process.stdout.write(body + '\\n');
+  } catch (err) {
+    if (msg.id != null) {
+      process.stdout.write(JSON.stringify({
+        jsonrpc: '2.0',
+        id: msg.id,
+        error: { code: -32603, message: 'MCP proxy: HTTP server unreachable' },
+      }) + '\\n');
+    }
+  }
+});
+`;
     OFFSETS_DIR = join11(SYNKRO_DIR2, ".transcript-offsets");
     RULES_PATH = join11(SYNKRO_DIR2, "rules.json");
     MCP_LOCAL_PORT = 8931;