npm - @synkro-sh/cli - Versions diffs - 1.4.76 → 1.4.78 - Mend

@synkro-sh/cli 1.4.76 → 1.4.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -6277,1081 +6277,7 @@ function writeHookScripts() {
   writeFileSync7(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
   writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
-  writeFileSync7(mcpLocalServerPath, `#!/usr/bin/env bun
-/**
- * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.
- * JSON-RPC 2.0 over HTTP, same protocol as the cloud MCP server.
- * Bearer token auth (file-based shared secret), localhost only, no embedding API, no Inngest.
- */
-import { existsSync, readFileSync, writeFileSync, renameSync, appendFileSync, mkdirSync } from 'node:fs';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
-const PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);
-const HOME = homedir();
-const RULES_PATH = join(HOME, '.synkro', 'rules.json');
-const TELEMETRY_PATH = join(HOME, '.synkro', 'telemetry.jsonl');
-const JWT_TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');
-// Synkro-signed long-lived JWT \u2014 minted during \`synkro install\`, required on all POST requests.
-// If missing, the server still starts (for GET health checks) but rejects all tool calls.
-let SERVER_TOKEN = '';
-try { SERVER_TOKEN = readFileSync(JWT_TOKEN_PATH, 'utf-8').trim(); } catch {}
-if (!SERVER_TOKEN) console.warn('[synkro] \u26A0 No MCP JWT found \u2014 run \`synkro install\` to authenticate.');
-const MAX_BODY_BYTES = 1_048_576;
-let _writeLock: Promise<void> = Promise.resolve();
-function serialized<T>(fn: () => T | Promise<T>): Promise<T> {
-  let release: () => void;
-  const next = new Promise<void>(r => { release = r; });
-  const prev = _writeLock;
-  _writeLock = next;
-  return prev.then(() => fn()).finally(() => release!());
-}
-// \u2500\u2500\u2500 Storage \u2500\u2500\u2500
-interface Rule {
-  rule_id: string;
-  text: string;
-  category: string;
-  severity: string;
-  mode: string;
-  hook_stage: string;
-  scope: string;
-}
-interface Policy {
-  id: string;
-  name: string;
-  rules: Rule[];
-  ruleCount: number;
-  scopeOwner: string;
-  isActive: boolean;
-}
-interface ScanExemption {
-  path: string;
-  cwe_id: string;
-  reason?: string;
-}
-interface RulesFile {
-  policies: Policy[];
-  config: { silent: boolean; activePolicyId: string };
-  scanExemptions: ScanExemption[];
-}
-function readRules(): RulesFile {
-  if (!existsSync(RULES_PATH)) {
-    return {
-      policies: [{
-        id: 'local-policy',
-        name: 'My Rules',
-        rules: [],
-        ruleCount: 0,
-        scopeOwner: 'user',
-        isActive: true,
-      }],
-      config: { silent: false, activePolicyId: 'local-policy' },
-      scanExemptions: [],
-    };
-  }
-  try {
-    return JSON.parse(readFileSync(RULES_PATH, 'utf-8'));
-  } catch {
-    return {
-      policies: [{ id: 'local-policy', name: 'My Rules', rules: [], ruleCount: 0, scopeOwner: 'user', isActive: true }],
-      config: { silent: false, activePolicyId: 'local-policy' },
-      scanExemptions: [],
-    };
-  }
-}
-function writeRules(data: RulesFile): void {
-  for (const p of data.policies) p.ruleCount = p.rules.length;
-  mkdirSync(join(HOME, '.synkro'), { recursive: true });
-  const tmp = RULES_PATH + '.tmp';
-  writeFileSync(tmp, JSON.stringify(data, null, 2) + '\\n', 'utf-8');
-  renameSync(tmp, RULES_PATH);
-}
-function emitRuleSync(data: RulesFile): void {
-  const active = data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];
-  const event = {
-    capture_type: 'rule_sync',
-    policy_id: active?.id || 'local-policy',
-    policy_name: active?.name || 'My Rules',
-    rules: active?.rules || [],
-    rule_count: active?.ruleCount || 0,
-    scan_exemptions: data.scanExemptions,
-    silent: data.config.silent,
-    _ts: new Date().toISOString(),
-  };
-  try {
-    appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');
-  } catch {}
-}
-function genId(): string {
-  return \`r_\${Date.now()}_\${Math.random().toString(36).slice(2, 8)}\`;
-}
-function getActivePolicy(data: RulesFile): Policy {
-  return data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];
-}
-function findOrCreatePolicy(data: RulesFile, name: string): Policy {
-  const existing = data.policies.find(p => p.name.toLowerCase() === name.toLowerCase());
-  if (existing) return existing;
-  const p: Policy = {
-    id: \`policy_\${Date.now()}_\${Math.random().toString(36).slice(2, 6)}\`,
-    name,
-    rules: [],
-    ruleCount: 0,
-    scopeOwner: 'user',
-    isActive: true,
-  };
-  data.policies.push(p);
-  return p;
-}
-function getAllRules(data: RulesFile): Array<Rule & { policyName: string; policyId: string }> {
-  const all: Array<Rule & { policyName: string; policyId: string }> = [];
-  for (const p of data.policies) {
-    if (!p.isActive) continue;
-    for (const r of p.rules) {
-      all.push({ ...r, policyName: p.name, policyId: p.id });
-    }
-  }
-  return all;
-}
-// \u2500\u2500\u2500 Keyword Search \u2500\u2500\u2500
-const STOPWORDS = new Set(['the', 'a', 'an', 'is', 'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had', 'do', 'does', 'did', 'will', 'would', 'could', 'should', 'may', 'might', 'must', 'shall', 'can', 'need', 'dare', 'ought', 'used', 'to', 'of', 'in', 'for', 'on', 'with', 'at', 'by', 'from', 'as', 'into', 'through', 'during', 'before', 'after', 'above', 'below', 'between', 'out', 'off', 'over', 'under', 'again', 'further', 'then', 'once', 'here', 'there', 'when', 'where', 'why', 'how', 'all', 'each', 'every', 'both', 'few', 'more', 'most', 'other', 'some', 'such', 'no', 'nor', 'not', 'only', 'own', 'same', 'so', 'than', 'too', 'very', 'just', 'because', 'but', 'and', 'or', 'if', 'while', 'about', 'up', 'it', 'its', 'this', 'that', 'these', 'those', 'i', 'me', 'my', 'we', 'our', 'you', 'your', 'he', 'she', 'they', 'them', 'what', 'which', 'who', 'whom']);
-function tokenize(text: string): string[] {
-  return text.toLowerCase().replace(/[^a-z0-9_-]/g, ' ').split(/\\s+/).filter(t => t.length > 1 && !STOPWORDS.has(t));
-}
-function keywordSearch(query: string, rules: Array<Rule & { policyName: string; policyId: string }>, topK: number): any[] {
-  const qTokens = tokenize(query);
-  if (qTokens.length === 0) return rules.slice(0, topK);
-  const scored = rules.map(r => {
-    const rTokens = new Set(tokenize(\`\${r.text} \${r.category} \${r.severity}\`));
-    const overlap = qTokens.filter(t => rTokens.has(t) || [...rTokens].some(rt => rt.includes(t) || t.includes(rt))).length;
-    return { rule: r, score: overlap / qTokens.length };
-  });
-  scored.sort((a, b) => b.score - a.score);
-  const results = scored.filter(s => s.score > 0).slice(0, topK);
-  if (results.length === 0) return rules.slice(0, topK);
-  return results.map(s => ({
-    rule_id: s.rule.rule_id,
-    text: s.rule.text,
-    category: s.rule.category,
-    severity: s.rule.severity,
-    mode: s.rule.mode,
-    hook_stage: s.rule.hook_stage,
-    scope: s.rule.scope,
-    pack_name: s.rule.policyName,
-    score: Math.round(s.score * 100) / 100,
-  }));
-}
-// \u2500\u2500\u2500 Tool Handlers \u2500\u2500\u2500
-function handleGetGuardrails(args: any): any {
-  const data = readRules();
-  const all = getAllRules(data);
-  const topK = Math.min(args.top_k || 8, 25);
-  let filtered = all;
-  if (args.category) filtered = filtered.filter(r => r.category === args.category);
-  const results = keywordSearch(args.query || '', filtered, topK);
-  return { rules: results, total: results.length, query: args.query };
-}
-function handleCreateGuardrail(args: any): any {
-  const data = readRules();
-  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);
-  const rule: Rule = {
-    rule_id: genId(),
-    text: args.text,
-    category: args.category || 'custom',
-    severity: args.severity || 'medium',
-    mode: args.mode || 'audit',
-    hook_stage: args.hook_stage || 'both',
-    scope: args.scope || 'user',
-  };
-  policy.rules.push(rule);
-  writeRules(data);
-  emitRuleSync(data);
-  return { created: true, rule_id: rule.rule_id, text: rule.text, pack_name: policy.name, total_rules: policy.rules.length };
-}
-function handleBulkCreateGuardrails(args: any): any {
-  const data = readRules();
-  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);
-  const created: any[] = [];
-  for (const r of args.rules || []) {
-    const rule: Rule = {
-      rule_id: genId(),
-      text: r.text,
-      category: r.category || 'custom',
-      severity: r.severity || 'medium',
-      mode: r.mode || 'audit',
-      hook_stage: r.hook_stage || 'both',
-      scope: args.scope || 'user',
-    };
-    policy.rules.push(rule);
-    created.push({ rule_id: rule.rule_id, text: rule.text });
-  }
-  writeRules(data);
-  emitRuleSync(data);
-  return { created: created.length, rules: created, pack_name: policy.name, total_rules: policy.rules.length };
-}
-function handleUpdateGuardrail(args: any): any {
-  const data = readRules();
-  const needle = (args.rule_text || '').toLowerCase();
-  for (const p of data.policies) {
-    for (const r of p.rules) {
-      if (r.text.toLowerCase().includes(needle)) {
-        if (args.text) r.text = args.text;
-        if (args.category) r.category = args.category;
-        if (args.severity) r.severity = args.severity;
-        if (args.mode) r.mode = args.mode;
-        if (args.hook_stage) r.hook_stage = args.hook_stage;
-        writeRules(data);
-        emitRuleSync(data);
-        return { updated: true, rule_id: r.rule_id, text: r.text };
-      }
-    }
-  }
-  return { updated: false, error: \`No rule found matching "\${args.rule_text}"\` };
-}
-function handleDeleteGuardrail(args: any): any {
-  const data = readRules();
-  const needle = (args.rule_text || '').toLowerCase();
-  for (const p of data.policies) {
-    const idx = p.rules.findIndex(r => r.text.toLowerCase().includes(needle));
-    if (idx !== -1) {
-      const removed = p.rules.splice(idx, 1)[0];
-      writeRules(data);
-      emitRuleSync(data);
-      return { deleted: true, rule_id: removed.rule_id, text: removed.text };
-    }
-  }
-  return { deleted: false, error: \`No rule found matching "\${args.rule_text}"\` };
-}
-function handleListGuardrails(args: any): any {
-  const data = readRules();
-  let all = getAllRules(data);
-  if (args.category) all = all.filter(r => r.category === args.category);
-  if (args.severity) all = all.filter(r => r.severity === args.severity);
-  if (args.mode) all = all.filter(r => r.mode === args.mode);
-  if (args.hook_stage) all = all.filter(r => r.hook_stage === args.hook_stage);
-  if (args.pack_name) {
-    const pn = args.pack_name.toLowerCase();
-    all = all.filter(r => r.policyName.toLowerCase().includes(pn));
-  }
-  return {
-    rules: all.map(r => ({
-      rule_id: r.rule_id,
-      text: r.text,
-      category: r.category,
-      severity: r.severity,
-      mode: r.mode,
-      hook_stage: r.hook_stage,
-      scope: r.scope,
-      pack_name: r.policyName,
-    })),
-    total: all.length,
-  };
-}
-function handleSwapRuleset(args: any): any {
-  const data = readRules();
-  const name = args.policy_name || '';
-  if (name.toLowerCase() === 'all') {
-    data.config.activePolicyId = data.policies[0]?.id || 'local-policy';
-    writeRules(data);
-    return { swapped: true, active: 'all' };
-  }
-  const match = data.policies.find(p => p.name.toLowerCase().includes(name.toLowerCase()));
-  if (!match) return { swapped: false, error: \`No ruleset found matching "\${name}"\` };
-  data.config.activePolicyId = match.id;
-  writeRules(data);
-  return { swapped: true, active: match.name };
-}
-function handleToggleSilentMode(args: any): any {
-  const data = readRules();
-  data.config.silent = args.enabled === true;
-  writeRules(data);
-  emitRuleSync(data);
-  return { silent: data.config.silent };
-}
-async function handleScanDependencies(args: any): Promise<any> {
-  const manifests = args.manifests || [];
-  if (manifests.length === 0) return { findings: [], summary: null };
-  const packages: Array<{ name: string; version: string; ecosystem: string }> = [];
-  for (const m of manifests) {
-    const fp: string = m.file_path || '';
-    const content: string = m.content || '';
-    try {
-      if (fp.endsWith('package.json')) {
-        const pkg = JSON.parse(content);
-        for (const [name, ver] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {
-          packages.push({ name, version: String(ver).replace(/^[\\^~>=<]*/g, ''), ecosystem: 'npm' });
-        }
-      } else if (fp.endsWith('requirements.txt') || fp.match(/requirements.*\\.txt$/)) {
-        for (const line of content.split('\\n')) {
-          const m = line.trim().match(/^([a-zA-Z0-9_-]+)==(.+)/);
-          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'PyPI' });
-        }
-      } else if (fp.endsWith('go.mod')) {
-        for (const line of content.split('\\n')) {
-          const m = line.trim().match(/^\\t?([^\\s]+)\\s+v([^\\s]+)/);
-          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'Go' });
-        }
-      } else if (fp.endsWith('Cargo.toml')) {
-        for (const line of content.split('\\n')) {
-          const m = line.trim().match(/^([a-zA-Z0-9_-]+)\\s*=\\s*"([^"]+)"/);
-          if (m && !['name', 'version', 'edition', 'authors', 'description', 'license', 'repository'].includes(m[1])) {
-            packages.push({ name: m[1], version: m[2], ecosystem: 'crates.io' });
-          }
-        }
-      }
-    } catch {}
-  }
-  if (packages.length === 0) return { findings: [], summary: null };
-  const capped = packages.slice(0, 50);
-  const queries = capped.map(p => ({ package: { name: p.name, ecosystem: p.ecosystem }, version: p.version }));
-  try {
-    const resp = await fetch('https://api.osv.dev/v1/querybatch', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ queries }),
-      signal: AbortSignal.timeout(10000),
-    });
-    if (!resp.ok) return { findings: [], summary: 'OSV query failed' };
-    const data = await resp.json() as { results: Array<{ vulns?: any[] }> };
-    const findings: any[] = [];
-    for (let i = 0; i < data.results.length; i++) {
-      for (const vuln of data.results[i].vulns || []) {
-        findings.push({
-          id: vuln.id,
-          package: capped[i].name,
-          version: capped[i].version,
-          ecosystem: capped[i].ecosystem,
-          summary: vuln.summary || 'No description',
-          aliases: vuln.aliases || [],
-          severity: vuln.database_specific?.severity || 'unknown',
-        });
-      }
-    }
-    return { findings, summary: findings.length > 0 ? \`\${findings.length} vulnerabilities found\` : null };
-  } catch {
-    return { findings: [], summary: 'OSV query timed out' };
-  }
-}
-function handleExemptPath(args: any): any {
-  const data = readRules();
-  const existing = data.scanExemptions.find(e => e.path === args.path && e.cwe_id.toUpperCase() === (args.cwe_id || '').toUpperCase());
-  if (existing) return { exempted: true, already_existed: true, path: args.path, cwe_id: args.cwe_id };
-  data.scanExemptions.push({ path: args.path, cwe_id: (args.cwe_id || '').toUpperCase(), reason: args.reason });
-  writeRules(data);
-  emitRuleSync(data);
-  return { exempted: true, path: args.path, cwe_id: args.cwe_id, total_exemptions: data.scanExemptions.length };
-}
-function handleRemoveExemption(args: any): any {
-  const data = readRules();
-  const idx = data.scanExemptions.findIndex(e => e.path === args.path && e.cwe_id.toUpperCase() === (args.cwe_id || '').toUpperCase());
-  if (idx === -1) return { removed: false, error: \`No exemption found for path="\${args.path}" cwe_id="\${args.cwe_id}"\` };
-  data.scanExemptions.splice(idx, 1);
-  writeRules(data);
-  emitRuleSync(data);
-  return { removed: true, path: args.path, cwe_id: args.cwe_id };
-}
-function handleListExemptions(): any {
-  const data = readRules();
-  return { exemptions: data.scanExemptions, total: data.scanExemptions.length };
-}
-// \u2500\u2500\u2500 Findings \u2500\u2500\u2500
-const CONFIG_PATH = join(HOME, '.synkro', 'config.json');
-const JWT_PATH = join(HOME, '.synkro', '.jwt');
-interface Finding {
-  id: string;
-  session_id: string;
-  file_path: string;
-  finding_type: string;
-  finding_id: string;
-  severity: string;
-  status: string;
-  detail?: string;
-  package_name?: string;
-  package_version?: string;
-  fixed_version?: string;
-  created_at: string;
-  resolved_at?: string;
-}
-function getCloudConfig(): { apiUrl: string; jwt: string } | null {
-  try {
-    const jwt = readFileSync(JWT_PATH, 'utf-8').trim();
-    if (!jwt) return null;
-    let apiUrl = process.env.SYNKRO_API_URL || '';
-    if (!apiUrl) {
-      try {
-        const cfg = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8'));
-        apiUrl = cfg.api_url || cfg.apiUrl || '';
-      } catch {}
-    }
-    if (!apiUrl) apiUrl = 'https://api.synkro.sh';
-    return { apiUrl, jwt };
-  } catch {
-    return null;
-  }
-}
-function readLocalFindings(): Finding[] {
-  if (!existsSync(TELEMETRY_PATH)) return [];
-  let lines: string[];
-  try {
-    lines = readFileSync(TELEMETRY_PATH, 'utf-8').split('\\n').filter(Boolean);
-  } catch { return []; }
-  const findingMap = new Map<string, Finding>();
-  for (const line of lines) {
-    try {
-      const event = JSON.parse(line);
-      if (event.capture_type !== 'scan_finding') continue;
-      const key = \`\${event.file_path}:\${event.finding_id}\`;
-      const existing = findingMap.get(key);
-      const ts = event._ts || event.created_at || '';
-      findingMap.set(key, {
-        id: event.id || existing?.id || \`sf_\${event.session_id}_\${event.finding_id}_\${Date.now()}\`,
-        session_id: event.session_id || existing?.session_id || '',
-        file_path: event.file_path,
-        finding_type: event.finding_type,
-        finding_id: event.finding_id,
-        severity: event.severity || 'unknown',
-        status: event.status || 'open',
-        detail: event.detail || existing?.detail,
-        package_name: event.package_name || existing?.package_name,
-        package_version: event.package_version || existing?.package_version,
-        fixed_version: event.fixed_version || existing?.fixed_version,
-        created_at: existing?.created_at || ts,
-        resolved_at: event.status === 'resolved' ? ts : existing?.resolved_at,
-      });
-    } catch {}
-  }
-  return Array.from(findingMap.values());
-}
-async function fetchCloudFindings(params: Record<string, string>): Promise<Finding[] | null> {
-  const cloud = getCloudConfig();
-  if (!cloud) return null;
-  try {
-    const qs = new URLSearchParams(params).toString();
-    const resp = await fetch(\`\${cloud.apiUrl}/api/v1/scan-findings?\${qs}\`, {
-      headers: { Authorization: \`Bearer \${cloud.jwt}\` },
-      signal: AbortSignal.timeout(5000),
-    });
-    if (!resp.ok) return null;
-    const data = await resp.json() as any;
-    return data.findings || data.data || [];
-  } catch {
-    return null;
-  }
-}
-function dispatchResolution(finding: Finding): void {
-  const cloud = getCloudConfig();
-  if (!cloud) return;
-  fetch(\`\${cloud.apiUrl}/api/v1/hook/finding\`, {
-    method: 'POST',
-    headers: { Authorization: \`Bearer \${cloud.jwt}\`, 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      session_id: finding.session_id,
-      file_path: finding.file_path,
-      finding_type: finding.finding_type,
-      finding_id: finding.finding_id,
-      severity: finding.severity,
-      status: 'resolved',
-    }),
-    signal: AbortSignal.timeout(3000),
-  }).catch(() => {});
-}
-async function handleListFindings(args: any): Promise<any> {
-  const cloudParams: Record<string, string> = {};
-  if (args.status) cloudParams.status = args.status;
-  if (args.finding_type) cloudParams.finding_type = args.finding_type;
-  if (args.severity) cloudParams.severity = args.severity;
-  if (args.file_path) cloudParams.file_path = args.file_path;
-  if (args.limit) cloudParams.limit = String(args.limit);
-  const cloudFindings = await fetchCloudFindings(cloudParams);
-  let findings: Finding[];
-  let source: string;
-  if (cloudFindings) {
-    findings = cloudFindings;
-    source = 'cloud';
-  } else {
-    findings = readLocalFindings();
-    source = 'local';
-    if (args.status) findings = findings.filter(f => f.status === args.status);
-    if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);
-    if (args.severity) findings = findings.filter(f => f.severity === args.severity);
-    if (args.file_path) findings = findings.filter(f => f.file_path.includes(args.file_path));
-  }
-  findings.sort((a, b) => (b.created_at || '').localeCompare(a.created_at || ''));
-  const limit = Math.min(args.limit || 25, 50);
-  return {
-    source,
-    findings: findings.slice(0, limit).map(f => ({
-      id: f.id,
-      finding_type: f.finding_type,
-      finding_id: f.finding_id,
-      file_path: f.file_path,
-      severity: f.severity,
-      status: f.status,
-      package_name: f.package_name,
-      package_version: f.package_version,
-      created_at: f.created_at,
-    })),
-    total: findings.length,
-    open: findings.filter(f => f.status === 'open').length,
-    resolved: findings.filter(f => f.status === 'resolved').length,
-  };
-}
-async function handleGetFindingDetail(args: any): Promise<any> {
-  const findings = readLocalFindings();
-  const match = findings.find(f => {
-    if (args.id && f.id === args.id) return true;
-    if (args.file_path && args.finding_id) {
-      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
-    }
-    return false;
-  });
-  if (!match) return { found: false, error: 'Finding not found' };
-  return { found: true, ...match };
-}
-async function handleResolveFinding(args: any): Promise<any> {
-  const findings = readLocalFindings();
-  const toResolve = findings.filter(f => {
-    if (f.status !== 'open') return false;
-    if (args.id && f.id === args.id) return true;
-    if (args.file_path && args.finding_id) {
-      return f.file_path.includes(args.file_path) && f.finding_id.toUpperCase() === (args.finding_id || '').toUpperCase();
-    }
-    if (args.file_path) return f.file_path.includes(args.file_path);
-    return false;
-  });
-  if (toResolve.length === 0) return { resolved: 0, error: 'No matching open findings' };
-  const now = new Date().toISOString();
-  for (const f of toResolve) {
-    const event = {
-      capture_type: 'scan_finding',
-      id: f.id,
-      session_id: f.session_id,
-      file_path: f.file_path,
-      finding_type: f.finding_type,
-      finding_id: f.finding_id,
-      severity: f.severity,
-      status: 'resolved',
-      detail: f.detail,
-      package_name: f.package_name,
-      package_version: f.package_version,
-      fixed_version: f.fixed_version,
-      resolved_at: now,
-      _ts: now,
-    };
-    try {
-      appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');
-    } catch {}
-    dispatchResolution(f);
-  }
-  return {
-    resolved: toResolve.length,
-    findings: toResolve.map(f => ({ finding_id: f.finding_id, file_path: f.file_path })),
-  };
-}
-// \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500
-const TOOL_DESCRIPTORS = [
-  {
-    name: 'get_guardrails',
-    description:
-      "Retrieve rules by keyword similarity. Call BEFORE writing security-sensitive code " +
-      "AND before create_guardrail to check for existing rules.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        query: { type: 'string', description: "Plain-language description of what you're looking up." },
-        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },
-        top_k: { type: 'integer', default: 8, description: 'Max rules to return (default 8, max 25).' },
-      },
-      required: ['query'],
-    },
-  },
-  {
-    name: 'create_guardrail',
-    description: "Persist a new rule. Call get_guardrails first to avoid duplicates.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        text: { type: 'string', description: 'The rule in plain language.' },
-        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },
-        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },
-        mode: { type: 'string', enum: ['blocking', 'audit'], description: '"blocking" = halt on violation, "audit" = log only.' },
-        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },
-        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'], default: 'both' },
-        ruleset: { type: 'string', description: 'Optional: name of ruleset to add to (created if missing).' },
-      },
-      required: ['text', 'category'],
-    },
-  },
-  {
-    name: 'bulk_create_guardrails',
-    description: "Create multiple rules at once. Preferable to looping create_guardrail.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        rules: {
-          type: 'array', minItems: 1, maxItems: 50,
-          items: {
-            type: 'object',
-            properties: {
-              text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },
-              severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },
-              mode: { type: 'string', enum: ['blocking', 'audit'] },
-              hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },
-            },
-            required: ['text', 'category'],
-          },
-        },
-        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },
-        ruleset: { type: 'string' },
-      },
-      required: ['rules'],
-    },
-  },
-  {
-    name: 'update_guardrail',
-    description: "Refine an existing rule. Pass a substring of the rule text to identify it.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        rule_text: { type: 'string', description: 'Substring of rule text to find.' },
-        text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },
-        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },
-        mode: { type: 'string', enum: ['blocking', 'audit'] },
-        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },
-      },
-      required: ['rule_text'],
-    },
-  },
-  {
-    name: 'delete_guardrail',
-    description: "Permanently remove a rule. Pass a substring of the rule text to identify it.",
-    inputSchema: {
-      type: 'object',
-      properties: { rule_text: { type: 'string', description: 'Substring of rule text to find.' } },
-      required: ['rule_text'],
-    },
-  },
-  {
-    name: 'list_guardrails',
-    description: "Enumerate all rules. Use for listings, not similarity search.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },
-        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },
-        mode: { type: 'string', enum: ['blocking', 'audit', 'literal_match'] },
-        pack_name: { type: 'string' },
-        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },
-      },
-      required: [],
-    },
-  },
-  {
-    name: 'swap_ruleset',
-    description: 'Switch which ruleset is active. Pass "all" to use all rulesets.',
-    inputSchema: {
-      type: 'object',
-      properties: { policy_name: { type: 'string' } },
-      required: ['policy_name'],
-    },
-  },
-  {
-    name: 'toggle_silent_mode',
-    description: 'Toggle grading on/off. NEVER call autonomously \u2014 this is a USER decision.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        enabled: { type: 'boolean' },
-        user_confirmation: { type: 'string', description: "Copy-paste the user's exact request." },
-      },
-      required: ['enabled', 'user_confirmation'],
-    },
-  },
-  {
-    name: 'scan_dependencies',
-    description: "Scan manifests against OSV for known vulnerabilities. Read ALL manifest files first.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        manifests: {
-          type: 'array', minItems: 1,
-          items: {
-            type: 'object',
-            properties: { file_path: { type: 'string' }, content: { type: 'string' } },
-            required: ['file_path', 'content'],
-          },
-        },
-      },
-      required: ['manifests'],
-    },
-  },
-  {
-    name: 'exempt_path',
-    description: "Exempt a CWE from firing on a specific file/directory.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        path: { type: 'string' }, cwe_id: { type: 'string' }, reason: { type: 'string' },
-      },
-      required: ['path', 'cwe_id'],
-    },
-  },
-  {
-    name: 'remove_exemption',
-    description: "Remove a scan exemption.",
-    inputSchema: {
-      type: 'object',
-      properties: { path: { type: 'string' }, cwe_id: { type: 'string' } },
-      required: ['path', 'cwe_id'],
-    },
-  },
-  {
-    name: 'list_exemptions',
-    description: "List all scan exemptions.",
-    inputSchema: { type: 'object', properties: {}, required: [] },
-  },
-  {
-    name: 'list_findings',
-    description: "List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },
-        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },
-        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
-        file_path: { type: 'string', description: 'Filter by file path substring.' },
-        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },
-      },
-      required: [],
-    },
-  },
-  {
-    name: 'get_finding_detail',
-    description: "Get full detail of a specific finding including remediation context.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },
-        file_path: { type: 'string', description: 'File path (used with finding_id).' },
-        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },
-      },
-      required: [],
-    },
-  },
-  {
-    name: 'resolve_finding',
-    description: "Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        id: { type: 'string', description: 'Specific finding ID to resolve.' },
-        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },
-        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },
-      },
-      required: [],
-    },
-  },
-];
-const MCP_INSTRUCTIONS =
-  "Synkro Guardrails MCP server (local mode).\\n\\n" +
-  "Whenever the user mentions: rule, guardrail, policy, standard, " +
-  "make/create/add/set up a rule, never let X, always require X, " +
-  "block X, enforce X, delete/remove a rule, consolidate duplicates, " +
-  "'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n" +
-  "TOOL ROUTING:\\n" +
-  "  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n" +
-  "  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n" +
-  "  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n" +
-  "  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n" +
-  "  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n" +
-  "When the user asks about security issues, vulnerabilities, or scan results, " +
-  "use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n" +
-  "Do NOT use Claude Code's \`update-config\` skill for these requests.\\n\\n" +
-  "Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.";
-// \u2500\u2500\u2500 JSON-RPC Dispatcher \u2500\u2500\u2500
-function jsonRpcOk(id: any, result: any): any {
-  return { jsonrpc: '2.0', id, result };
-}
-function jsonRpcError(id: any, code: number, message: string): any {
-  return { jsonrpc: '2.0', id, error: { code, message } };
-}
-async function handleRpc(body: any): Promise<any> {
-  const { id, method, params } = body;
-  if (method === 'initialize') {
-    return jsonRpcOk(id, {
-      protocolVersion: '2024-11-05',
-      capabilities: { tools: {} },
-      serverInfo: { name: 'synkro-guardrails-local', version: '1.0.0' },
-      instructions: MCP_INSTRUCTIONS,
-    });
-  }
-  if (method === 'notifications/initialized') {
-    return null;
-  }
-  if (method === 'tools/list') {
-    return jsonRpcOk(id, { tools: TOOL_DESCRIPTORS });
-  }
-  if (method === 'tools/call') {
-    const toolName = params?.name;
-    const args = params?.arguments || {};
-    try {
-      let result: any;
-      switch (toolName) {
-        case 'get_guardrails': result = handleGetGuardrails(args); break;
-        case 'create_guardrail': result = handleCreateGuardrail(args); break;
-        case 'bulk_create_guardrails': result = handleBulkCreateGuardrails(args); break;
-        case 'update_guardrail': result = handleUpdateGuardrail(args); break;
-        case 'delete_guardrail': result = handleDeleteGuardrail(args); break;
-        case 'list_guardrails': result = handleListGuardrails(args); break;
-        case 'swap_ruleset': result = handleSwapRuleset(args); break;
-        case 'toggle_silent_mode': result = handleToggleSilentMode(args); break;
-        case 'scan_dependencies': result = await handleScanDependencies(args); break;
-        case 'exempt_path': result = handleExemptPath(args); break;
-        case 'remove_exemption': result = handleRemoveExemption(args); break;
-        case 'list_exemptions': result = handleListExemptions(); break;
-        case 'list_findings': result = await handleListFindings(args); break;
-        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;
-        case 'resolve_finding': result = await handleResolveFinding(args); break;
-        default: return jsonRpcError(id, -32601, \`Unknown tool: \${toolName}\`);
-      }
-      return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });
-    } catch (err) {
-      return jsonRpcOk(id, { content: [{ type: 'text', text: \`Error: \${(err as Error).message}\` }], isError: true });
-    }
-  }
-  // \u2500\u2500\u2500 Dashboard REST-bridge methods \u2500\u2500\u2500
-  // Called by the local dashboard (not AI agents) to mutate rules.json directly.
-  if (method === 'dashboard.patch_policy') {
-    try {
-      const data = readRules();
-      const policyId = params?.policy_id as string | undefined;
-      const policy = policyId
-        ? data.policies.find(p => p.id === policyId)
-        : getActivePolicy(data);
-      if (!policy) return jsonRpcError(id, -32602, \`Policy not found: \${policyId}\`);
-      if (params?.name !== undefined) {
-        policy.name = params.name;
-      }
-      if (params?.is_active !== undefined) {
-        policy.isActive = params.is_active;
-      }
-      // Bulk replace
-      if (Array.isArray(params?.rules)) {
-        policy.rules = params.rules;
-        policy.ruleCount = policy.rules.length;
-      }
-      // Individual updates by rule_id
-      if (Array.isArray(params?.rule_updates)) {
-        for (const upd of params.rule_updates) {
-          const rule = policy.rules.find(r => r.rule_id === upd.rule_id);
-          if (!rule) continue;
-          if (upd.text !== undefined) rule.text = upd.text;
-          if (upd.category !== undefined) rule.category = upd.category;
-          if (upd.severity !== undefined) rule.severity = upd.severity;
-          if (upd.mode !== undefined) rule.mode = upd.mode;
-          if (upd.hook_stage !== undefined) rule.hook_stage = upd.hook_stage;
-        }
-        policy.ruleCount = policy.rules.length;
-      }
-      writeRules(data);
-      emitRuleSync(data);
-      return jsonRpcOk(id, { ok: true, policy_id: policy.id, rule_count: policy.ruleCount });
-    } catch (err) {
-      return jsonRpcError(id, -32603, (err as Error).message);
-    }
-  }
-  if (method === 'dashboard.create_policy') {
-    try {
-      const data = readRules();
-      const name = (params?.name as string) || 'New Rule Set';
-      const rules: Rule[] = (params?.rules || []).map((r: any) => ({
-        rule_id: r.rule_id || genId(),
-        text: r.text || '',
-        category: r.category || 'custom',
-        severity: r.severity || 'medium',
-        mode: r.mode || 'audit',
-        hook_stage: r.hook_stage || 'both',
-        scope: r.scope || 'user',
-      }));
-      const policy: Policy = {
-        id: \`policy_\${Date.now()}_\${Math.random().toString(36).slice(2, 6)}\`,
-        name,
-        rules,
-        ruleCount: rules.length,
-        scopeOwner: 'user',
-        isActive: true,
-      };
-      data.policies.push(policy);
-      writeRules(data);
-      emitRuleSync(data);
-      return jsonRpcOk(id, { ok: true, policy_id: policy.id, name: policy.name });
-    } catch (err) {
-      return jsonRpcError(id, -32603, (err as Error).message);
-    }
-  }
-  if (method === 'dashboard.delete_policy') {
-    try {
-      const data = readRules();
-      const policyId = params?.policy_id as string | undefined;
-      const idx = policyId ? data.policies.findIndex(p => p.id === policyId) : -1;
-      if (idx === -1) return jsonRpcError(id, -32602, \`Policy not found: \${policyId}\`);
-      if (params?.hard === true) {
-        data.policies.splice(idx, 1);
-      } else {
-        data.policies[idx].isActive = false;
-      }
-      writeRules(data);
-      emitRuleSync(data);
-      return jsonRpcOk(id, { ok: true, policy_id: policyId });
-    } catch (err) {
-      return jsonRpcError(id, -32603, (err as Error).message);
-    }
-  }
-  if (method === 'dashboard.list_policies') {
-    try {
-      const data = readRules();
-      return jsonRpcOk(id, {
-        policies: data.policies.map(p => ({
-          id: p.id,
-          name: p.name,
-          rules: p.rules,
-          ruleCount: p.ruleCount,
-          isActive: p.isActive,
-          scopeOwner: p.scopeOwner,
-        })),
-        active_policy_id: data.config.activePolicyId,
-      });
-    } catch (err) {
-      return jsonRpcError(id, -32603, (err as Error).message);
-    }
-  }
-  return jsonRpcError(id, -32601, \`Unknown method: \${method}\`);
-}
-// \u2500\u2500\u2500 HTTP Server \u2500\u2500\u2500
-const server = Bun.serve({
-  port: PORT,
-  async fetch(req) {
-    const origin = req.headers.get('origin') || '';
-    const allowedOrigin = /^https?:\\/\\/(localhost|127\\.0\\.0\\.1)(:\\d+)?$/.test(origin) ? origin : 'http://localhost:4322';
-    const cors = { 'Access-Control-Allow-Origin': allowedOrigin, 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, Authorization' };
-    if (req.method === 'GET') {
-      return Response.json({ name: 'synkro-guardrails-local', version: '1.0.0', status: 'ok' }, { headers: cors });
-    }
-    if (req.method === 'POST') {
-      const authHeader = req.headers.get('authorization') || '';
-      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
-      if (bearer !== SERVER_TOKEN) {
-        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });
-      }
-      const raw = await req.arrayBuffer();
-      if (raw.byteLength > MAX_BODY_BYTES) {
-        return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });
-      }
-      return serialized(async () => {
-        try {
-          const body = JSON.parse(new TextDecoder().decode(raw));
-          const result = await handleRpc(body);
-          if (result === null) return new Response('', { status: 204, headers: cors });
-          return Response.json(result, { headers: cors });
-        } catch {
-          return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });
-        }
-      });
-    }
-    if (req.method === 'OPTIONS') {
-      return new Response('', { status: 204, headers: cors });
-    }
-    return new Response('Method not allowed', { status: 405 });
-  },
-});
-console.log(\`[synkro] local MCP guardrails server listening on http://127.0.0.1:\${server.port}\`);
-`, "utf-8");
+  writeFileSync7(mcpLocalServerPath, "#!/usr/bin/env bun\n/**\n * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.\n * JSON-RPC 2.0 over HTTP, same protocol as the cloud MCP server.\n * Bearer token auth (file-based shared secret), localhost only, no embedding API, no Inngest.\n */\nimport { existsSync, readFileSync, writeFileSync, renameSync, appendFileSync, mkdirSync } from 'node:fs';\nimport { homedir } from 'node:os';\nimport { join } from 'node:path';\n\nconst PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);\nconst HOME = homedir();\nconst RULES_PATH = join(HOME, '.synkro', 'rules.json');\nconst TELEMETRY_PATH = join(HOME, '.synkro', 'telemetry.jsonl');\nconst JWT_TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');\n\n// Synkro-signed long-lived JWT \u2014 minted during `synkro install`, required on all POST requests.\n// If missing, the server still starts (for GET health checks) but rejects all tool calls.\nlet SERVER_TOKEN = '';\ntry { SERVER_TOKEN = readFileSync(JWT_TOKEN_PATH, 'utf-8').trim(); } catch {}\nif (!SERVER_TOKEN) console.warn('[synkro] \u26A0 No MCP JWT found \u2014 run `synkro install` to authenticate.');\nconst MAX_BODY_BYTES = 1_048_576;\n\nlet _writeLock: Promise<void> = Promise.resolve();\nfunction serialized<T>(fn: () => T | Promise<T>): Promise<T> {\n  let release: () => void;\n  const next = new Promise<void>(r => { release = r; });\n  const prev = _writeLock;\n  _writeLock = next;\n  return prev.then(() => fn()).finally(() => release!());\n}\n\n// \u2500\u2500\u2500 Storage \u2500\u2500\u2500\n\ninterface Rule {\n  rule_id: string;\n  text: string;\n  category: string;\n  severity: string;\n  mode: string;\n  hook_stage: string;\n  scope: string;\n}\n\ninterface Policy {\n  id: string;\n  name: string;\n  rules: Rule[];\n  ruleCount: number;\n  scopeOwner: string;\n  isActive: boolean;\n}\n\ninterface ScanExemption {\n  path: string;\n  cwe_id: string;\n  reason?: string;\n}\n\ninterface RulesFile {\n  policies: Policy[];\n  config: { silent: boolean; activePolicyId: string };\n  scanExemptions: ScanExemption[];\n}\n\nfunction readRules(): RulesFile {\n  if (!existsSync(RULES_PATH)) {\n    return {\n      policies: [{\n        id: 'local-policy',\n        name: 'My Rules',\n        rules: [],\n        ruleCount: 0,\n        scopeOwner: 'user',\n        isActive: true,\n      }],\n      config: { silent: false, activePolicyId: 'local-policy' },\n      scanExemptions: [],\n    };\n  }\n  try {\n    return JSON.parse(readFileSync(RULES_PATH, 'utf-8'));\n  } catch {\n    return {\n      policies: [{ id: 'local-policy', name: 'My Rules', rules: [], ruleCount: 0, scopeOwner: 'user', isActive: true }],\n      config: { silent: false, activePolicyId: 'local-policy' },\n      scanExemptions: [],\n    };\n  }\n}\n\nfunction writeRules(data: RulesFile): void {\n  for (const p of data.policies) p.ruleCount = p.rules.length;\n  mkdirSync(join(HOME, '.synkro'), { recursive: true });\n  const tmp = RULES_PATH + '.tmp';\n  writeFileSync(tmp, JSON.stringify(data, null, 2) + '\\n', 'utf-8');\n  renameSync(tmp, RULES_PATH);\n}\n\nfunction emitRuleSync(data: RulesFile): void {\n  const active = data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];\n  const event = {\n    capture_type: 'rule_sync',\n    policy_id: active?.id || 'local-policy',\n    policy_name: active?.name || 'My Rules',\n    rules: active?.rules || [],\n    rule_count: active?.ruleCount || 0,\n    scan_exemptions: data.scanExemptions,\n    silent: data.config.silent,\n    _ts: new Date().toISOString(),\n  };\n  try {\n    appendFileSync(TELEMETRY_PATH, JSON.stringify(event) + '\\n', 'utf-8');\n  } catch {}\n}\n\nfunction genId(): string {\n  return `r_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;\n}\n\nfunction getActivePolicy(data: RulesFile): Policy {\n  return data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];\n}\n\nfunction findOrCreatePolicy(data: RulesFile, name: string): Policy {\n  const existing = data.policies.find(p => p.name.toLowerCase() === name.toLowerCase());\n  if (existing) return existing;\n  const p: Policy = {\n    id: `policy_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,\n    name,\n    rules: [],\n    ruleCount: 0,\n    scopeOwner: 'user',\n    isActive: true,\n  };\n  data.policies.push(p);\n  return p;\n}\n\nfunction getAllRules(data: RulesFile): Array<Rule & { policyName: string; policyId: string }> {\n  const all: Array<Rule & { policyName: string; policyId: string }> = [];\n  for (const p of data.policies) {\n    if (!p.isActive) continue;\n    for (const r of p.rules) {\n      all.push({ ...r, policyName: p.name, policyId: p.id });\n    }\n  }\n  return all;\n}\n\n// \u2500\u2500\u2500 Keyword Search \u2500\u2500\u2500\n\nconst STOPWORDS = new Set(['the', 'a', 'an', 'is', 'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had', 'do', 'does', 'did', 'will', 'would', 'could', 'should', 'may', 'might', 'must', 'shall', 'can', 'need', 'dare', 'ought', 'used', 'to', 'of', 'in', 'for', 'on', 'with', 'at', 'by', 'from', 'as', 'into', 'through', 'during', 'before', 'after', 'above', 'below', 'between', 'out', 'off', 'over', 'under', 'again', 'further', 'then', 'once', 'here', 'there', 'when', 'where', 'why', 'how', 'all', 'each', 'every', 'both', 'few', 'more', 'most', 'other', 'some', 'such', 'no', 'nor', 'not', 'only', 'own', 'same', 'so', 'than', 'too', 'very', 'just', 'because', 'but', 'and', 'or', 'if', 'while', 'about', 'up', 'it', 'its', 'this', 'that', 'these', 'those', 'i', 'me', 'my', 'we', 'our', 'you', 'your', 'he', 'she', 'they', 'them', 'what', 'which', 'who', 'whom']);\n\nfunction tokenize(text: string): string[] {\n  return text.toLowerCase().replace(/[^a-z0-9_-]/g, ' ').split(/\\s+/).filter(t => t.length > 1 && !STOPWORDS.has(t));\n}\n\nfunction keywordSearch(query: string, rules: Array<Rule & { policyName: string; policyId: string }>, topK: number): any[] {\n  const qTokens = tokenize(query);\n  if (qTokens.length === 0) return rules.slice(0, topK);\n\n  const scored = rules.map(r => {\n    const rTokens = new Set(tokenize(`${r.text} ${r.category} ${r.severity}`));\n    const overlap = qTokens.filter(t => rTokens.has(t) || [...rTokens].some(rt => rt.includes(t) || t.includes(rt))).length;\n    return { rule: r, score: overlap / qTokens.length };\n  });\n\n  scored.sort((a, b) => b.score - a.score);\n  const results = scored.filter(s => s.score > 0).slice(0, topK);\n  if (results.length === 0) return rules.slice(0, topK);\n\n  return results.map(s => ({\n    rule_id: s.rule.rule_id,\n    text: s.rule.text,\n    category: s.rule.category,\n    severity: s.rule.severity,\n    mode: s.rule.mode,\n    hook_stage: s.rule.hook_stage,\n    scope: s.rule.scope,\n    pack_name: s.rule.policyName,\n    score: Math.round(s.score * 100) / 100,\n  }));\n}\n\n// \u2500\u2500\u2500 Tool Handlers \u2500\u2500\u2500\n\nfunction handleGetGuardrails(args: any): any {\n  const data = readRules();\n  const all = getAllRules(data);\n  const topK = Math.min(args.top_k || 8, 25);\n  let filtered = all;\n  if (args.category) filtered = filtered.filter(r => r.category === args.category);\n  const results = keywordSearch(args.query || '', filtered, topK);\n  return { rules: results, total: results.length, query: args.query };\n}\n\nfunction handleCreateGuardrail(args: any): any {\n  const data = readRules();\n  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);\n  const rule: Rule = {\n    rule_id: genId(),\n    text: args.text,\n    category: args.category || 'custom',\n    severity: args.severity || 'medium',\n    mode: args.mode || 'audit',\n    hook_stage: args.hook_stage || 'both',\n    scope: args.scope || 'user',\n  };\n  policy.rules.push(rule);\n  writeRules(data);\n  emitRuleSync(data);\n  return { created: true, rule_id: rule.rule_id, text: rule.text, pack_name: policy.name, total_rules: policy.rules.length };\n}\n\nfunction handleBulkCreateGuardrails(args: any): any {\n  const data = readRules();\n  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);\n  const created: any[] = [];\n  for (const r of args.rules || []) {\n    const rule: Rule = {\n      rule_id: genId(),\n      text: r.text,\n      category: r.category || 'custom',\n      severity: r.severity || 'medium',\n      mode: r.mode || 'audit',\n      hook_stage: r.hook_stage || 'both',\n      scope: args.scope || 'user',\n    };\n    policy.rules.push(rule);\n    created.push({ rule_id: rule.rule_id, text: rule.text });\n  }\n  writeRules(data);\n  emitRuleSync(data);\n  return { created: created.length, rules: created, pack_name: policy.name, total_rules: policy.rules.length };\n}\n\nfunction handleUpdateGuardrail(args: any): any {\n  const data = readRules();\n  const needle = (args.rule_text || '').toLowerCase();\n  for (const p of data.policies) {\n    for (const r of p.rules) {\n      if (r.text.toLowerCase().includes(needle)) {\n        if (args.text) r.text = args.text;\n        if (args.category) r.category = args.category;\n        if (args.severity) r.severity = args.severity;\n        if (args.mode) r.mode = args.mode;\n        if (args.hook_stage) r.hook_stage = args.hook_stage;\n        writeRules(data);\n        emitRuleSync(data);\n        return { updated: true, rule_id: r.rule_id, text: r.text };\n      }\n    }\n  }\n  return { updated: false, error: `No rule found matching \"${args.rule_text}\"` };\n}\n\nfunction handleDeleteGuardrail(args: any): any {\n  const data = readRules();\n  const needle = (args.rule_text || '').toLowerCase();\n  for (const p of data.policies) {\n    const idx = p.rules.findIndex(r => r.text.toLowerCase().includes(needle));\n    if (idx !== -1) {\n      const removed = p.rules.splice(idx, 1)[0];\n      writeRules(data);\n      emitRuleSync(data);\n      return { deleted: true, rule_id: removed.rule_id, text: removed.text };\n    }\n  }\n  return { deleted: false, error: `No rule found matching \"${args.rule_text}\"` };\n}\n\nfunction handleListGuardrails(args: any): any {\n  const data = readRules();\n  let all = getAllRules(data);\n  if (args.category) all = all.filter(r => r.category === args.category);\n  if (args.severity) all = all.filter(r => r.severity === args.severity);\n  if (args.mode) all = all.filter(r => r.mode === args.mode);\n  if (args.hook_stage) all = all.filter(r => r.hook_stage === args.hook_stage);\n  if (args.pack_name) {\n    const pn = args.pack_name.toLowerCase();\n    all = all.filter(r => r.policyName.toLowerCase().includes(pn));\n  }\n  return {\n    rules: all.map(r => ({\n      rule_id: r.rule_id,\n      text: r.text,\n      category: r.category,\n      severity: r.severity,\n      mode: r.mode,\n      hook_stage: r.hook_stage,\n      scope: r.scope,\n      pack_name: r.policyName,\n    })),\n    total: all.length,\n  };\n}\n\nfunction handleSwapRuleset(args: any): any {\n  const data = readRules();\n  const name = args.policy_name || '';\n  if (name.toLowerCase() === 'all') {\n    data.config.activePolicyId = data.policies[0]?.id || 'local-policy';\n    writeRules(data);\n    return { swapped: true, active: 'all' };\n  }\n  const match = data.policies.find(p => p.name.toLowerCase().includes(name.toLowerCase()));\n  if (!match) return { swapped: false, error: `No ruleset found matching \"${name}\"` };\n  data.config.activePolicyId = match.id;\n  writeRules(data);\n  return { swapped: true, active: match.name };\n}\n\nfunction handleToggleSilentMode(args: any): any {\n  const data = readRules();\n  data.config.silent = args.enabled === true;\n  writeRules(data);\n  emitRuleSync(data);\n  return { silent: data.config.silent };\n}\n\nasync function handleScanDependencies(args: any): Promise<any> {\n  const manifests = args.manifests || [];\n  if (manifests.length === 0) return { findings: [], summary: null };\n\n  const packages: Array<{ name: string; version: string; ecosystem: string }> = [];\n  for (const m of manifests) {\n    const fp: string = m.file_path || '';\n    const content: string = m.content || '';\n    try {\n      if (fp.endsWith('package.json')) {\n        const pkg = JSON.parse(content);\n        for (const [name, ver] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {\n          packages.push({ name, version: String(ver).replace(/^[\\^~>=<]*/g, ''), ecosystem: 'npm' });\n        }\n      } else if (fp.endsWith('requirements.txt') || fp.match(/requirements.*\\.txt$/)) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^([a-zA-Z0-9_-]+)==(.+)/);\n          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'PyPI' });\n        }\n      } else if (fp.endsWith('go.mod')) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^\\t?([^\\s]+)\\s+v([^\\s]+)/);\n          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'Go' });\n        }\n      } else if (fp.endsWith('Cargo.toml')) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^([a-zA-Z0-9_-]+)\\s*=\\s*\"([^\"]+)\"/);\n          if (m && !['name', 'version', 'edition', 'authors', 'description', 'license', 'repository'].includes(m[1])) {\n            packages.push({ name: m[1], version: m[2], ecosystem: 'crates.io' });\n          }\n        }\n      }\n    } catch {}\n  }\n\n  if (packages.length === 0) return { findings: [], summary: null };\n\n  const capped = packages.slice(0, 50);\n  const queries = capped.map(p => ({ package: { name: p.name, ecosystem: p.ecosystem }, version: p.version }));\n\n  try {\n    const resp = await fetch('https://api.osv.dev/v1/querybatch', {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/json' },\n      body: JSON.stringify({ queries }),\n      signal: AbortSignal.timeout(10000),\n    });\n    if (!resp.ok) return { findings: [], summary: 'OSV query failed' };\n    const data = await resp.json() as { results: Array<{ vulns?: any[] }> };\n\n    const findings: any[] = [];\n    for (let i = 0; i < data.results.length; i++) {\n      for (const vuln of data.results[i].vulns || []) {\n        findings.push({\n          id: vuln.id,\n          package: capped[i].name,\n          version: capped[i].version,\n          ecosystem: capped[i].ecosystem,\n          summary: vuln.summary || 'No description',\n          aliases: vuln.aliases || [],\n          severity: vuln.database_specific?.severity || 'unknown',\n        });\n      }\n    }\n    return { findings, summary: findings.length > 0 ? `${findings.length} vulnerabilities found` : null };\n  } catch {\n    return { findings: [], summary: 'OSV query timed out' };\n  }\n}\n\nconst CWE_ID_RE = /^CWE-\\d{1,6}$/i;\nconst PATH_TRAVERSAL_RE = /\\.\\.[/\\\\]/;\nconst MAX_REASON_LEN = 500;\n\nfunction validateExemptionArgs(args: any): { path: string; cwe_id: string; reason?: string } | string {\n  const p = typeof args.path === 'string' ? args.path.trim() : '';\n  if (!p || PATH_TRAVERSAL_RE.test(p)) return 'Invalid path';\n  const cwe = typeof args.cwe_id === 'string' ? args.cwe_id.trim().toUpperCase() : '';\n  if (!CWE_ID_RE.test(cwe)) return 'Invalid cwe_id (expected CWE-NNN)';\n  const reason = typeof args.reason === 'string' ? args.reason.slice(0, MAX_REASON_LEN) : undefined;\n  return { path: p, cwe_id: cwe, reason };\n}\n\nfunction handleExemptPath(args: any): any {\n  const v = validateExemptionArgs(args);\n  if (typeof v === 'string') return { exempted: false, error: v };\n  const data = readRules();\n  const existing = data.scanExemptions.find(e => e.path === v.path && e.cwe_id.toUpperCase() === v.cwe_id);\n  if (existing) return { exempted: true, already_existed: true, path: v.path, cwe_id: v.cwe_id };\n\n  data.scanExemptions.push({ path: v.path, cwe_id: v.cwe_id, reason: v.reason });\n  writeRules(data);\n  emitRuleSync(data);\n  return { exempted: true, path: v.path, cwe_id: v.cwe_id, total_exemptions: data.scanExemptions.length };\n}\n\nfunction handleRemoveExemption(args: any): any {\n  const v = validateExemptionArgs(args);\n  if (typeof v === 'string') return { removed: false, error: v };\n  const data = readRules();\n  const idx = data.scanExemptions.findIndex(e => e.path === v.path && e.cwe_id.toUpperCase() === v.cwe_id);\n  if (idx === -1) return { removed: false, error: `No exemption found for path=\"${v.path}\" cwe_id=\"${v.cwe_id}\"` };\n  data.scanExemptions.splice(idx, 1);\n  writeRules(data);\n  emitRuleSync(data);\n  return { removed: true, path: v.path, cwe_id: v.cwe_id };\n}\n\nfunction handleListExemptions(): any {\n  const data = readRules();\n  return { exemptions: data.scanExemptions, total: data.scanExemptions.length };\n}\n\n// \u2500\u2500\u2500 Findings \u2500\u2500\u2500\n\nconst CONFIG_PATH = join(HOME, '.synkro', 'config.json');\nconst FINDINGS_JWT_PATH = join(HOME, '.synkro', '.mcp-jwt');\n\nconst ALLOWED_API_HOSTS = new Set(['api.synkro.sh', 'localhost', '127.0.0.1']);\nfunction validateApiUrl(raw: string): string | null {\n  try {\n    const u = new URL(raw);\n    if (!['http:', 'https:'].includes(u.protocol)) return null;\n    if (!ALLOWED_API_HOSTS.has(u.hostname)) return null;\n    return u.origin;\n  } catch { return null; }\n}\n\ninterface Finding {\n  id: string;\n  session_id: string;\n  file_path: string;\n  finding_type: string;\n  finding_id: string;\n  severity: string;\n  status: string;\n  detail?: string;\n  package_name?: string;\n  package_version?: string;\n  fixed_version?: string;\n  created_at: string;\n  resolved_at?: string;\n}\n\nconst CREDENTIALS_PATH = join(HOME, '.synkro', 'credentials.json');\n\nfunction getCloudConfig(): { apiUrl: string; jwt: string } | null {\n  try {\n    let jwt = '';\n    try {\n      const creds = JSON.parse(readFileSync(CREDENTIALS_PATH, 'utf-8'));\n      jwt = creds.access_token || '';\n    } catch {}\n    if (!jwt) {\n      try { jwt = readFileSync(FINDINGS_JWT_PATH, 'utf-8').trim(); } catch {}\n    }\n    if (!jwt) return null;\n    let raw = process.env.SYNKRO_API_URL || '';\n    if (!raw) raw = 'https://api.synkro.sh';\n    const apiUrl = validateApiUrl(raw);\n    if (!apiUrl) return null;\n    return { apiUrl, jwt };\n  } catch {\n    return null;\n  }\n}\n\nfunction readLocalFindings(): Finding[] {\n  const path = TELEMETRY_PATH;\n  if (!existsSync(path)) return [];\n  let lines: string[];\n  try { lines = readFileSync(path, 'utf-8').split('\\n').filter(Boolean); } catch { return []; }\n  const map = new Map<string, Finding>();\n  for (const line of lines) {\n    try {\n      const e = JSON.parse(line);\n      if (e.capture_type !== 'scan_finding') continue;\n      const key = `${e.file_path}:${e.finding_id}`;\n      const prev = map.get(key);\n      const ts = e._ts || e.created_at || '';\n      map.set(key, {\n        id: e.id || prev?.id || `sf_${e.session_id}_${e.finding_id}_${Date.now()}`,\n        session_id: e.session_id || prev?.session_id || '',\n        file_path: e.file_path, finding_type: e.finding_type, finding_id: e.finding_id,\n        severity: e.severity || 'unknown', status: e.status || 'open',\n        detail: e.detail || prev?.detail, description: e.description || (prev as any)?.description,\n        cwe_name: e.cwe_name || (prev as any)?.cwe_name,\n        package_name: e.package_name || prev?.package_name,\n        package_version: e.package_version || prev?.package_version,\n        fixed_version: e.fixed_version || prev?.fixed_version,\n        created_at: prev?.created_at || ts,\n        resolved_at: e.status === 'resolved' ? ts : prev?.resolved_at,\n      });\n    } catch {}\n  }\n  return Array.from(map.values());\n}\n\nasync function proxyToCloudMcp(toolName: string, args: Record<string, unknown>): Promise<any | null> {\n  const cloud = getCloudConfig();\n  if (!cloud) return null;\n  try {\n    const resp = await fetch(`${cloud.apiUrl}/api/v1/mcp/guardrails`, {\n      method: 'POST',\n      headers: { Authorization: `Bearer ${cloud.jwt}`, 'Content-Type': 'application/json' },\n      body: JSON.stringify({\n        jsonrpc: '2.0',\n        id: `local_${Date.now()}`,\n        method: 'tools/call',\n        params: { name: toolName, arguments: args },\n      }),\n      signal: AbortSignal.timeout(10000),\n    });\n    if (!resp.ok) return null;\n    const data = await resp.json() as any;\n    if (data.error) return null;\n    return data.result;\n  } catch {\n    return null;\n  }\n}\n\nasync function handleListFindings(args: any): Promise<any> {\n  let findings = readLocalFindings();\n  if (args.status) findings = findings.filter(f => f.status === args.status);\n  if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);\n  if (args.severity) findings = findings.filter(f => f.severity === args.severity);\n  findings.sort((a, b) => (b.created_at || '').localeCompare(a.created_at || ''));\n\n  const limit = Math.min(args.limit || 50, 200);\n  const open = findings.filter(f => f.status === 'open').length;\n  const resolved = findings.filter(f => f.status === 'resolved').length;\n\n  if (findings.length === 0) {\n    return { content: [{ type: 'text', text: args.status ? `No ${args.status} findings found.` : 'No scan findings found.' }] };\n  }\n\n  const lines = findings.slice(0, limit).map(f => {\n    const badge = f.finding_type === 'cve' ? '\u{1F534} CVE' : '\u{1F7E1} CWE';\n    const name = (f as any).cwe_name ? ` (${(f as any).cwe_name})` : '';\n    const pkg = f.package_name ? ` in \\`${f.package_name}@${f.package_version || '?'}\\`` : '';\n    const file = f.file_path ? ` \u2014 \\`${f.file_path}\\`` : '';\n    return `- **${badge} ${f.finding_id}**${name}${pkg}${file}\\n  Status: ${f.status} | Severity: ${f.severity || 'unknown'} | ID: \\`${f.id}\\``;\n  });\n\n  return {\n    content: [{ type: 'text', text: `**${findings.length} finding${findings.length === 1 ? '' : 's'}** (${open} open, ${resolved} resolved)\\n\\n${lines.join('\\n\\n')}` }],\n  };\n}\n\nasync function handleGetFindingDetail(args: any): Promise<any> {\n  const id = typeof args.id === 'string' ? args.id.trim() : '';\n  if (!id) return { content: [{ type: 'text', text: 'id is required' }], isError: true };\n\n  const findings = readLocalFindings();\n  const match = findings.find(f => f.id === id);\n  if (!match) return { content: [{ type: 'text', text: 'Finding not found' }], isError: true };\n\n  const parts: string[] = [];\n  const m = match as any;\n  parts.push(`# ${m.finding_type.toUpperCase()} ${m.finding_id}${m.cwe_name ? ` \u2014 ${m.cwe_name}` : ''}`);\n  parts.push(`**Status:** ${m.status} | **Severity:** ${m.severity || 'unknown'}`);\n  if (m.file_path) parts.push(`**File:** \\`${m.file_path}\\``);\n  if (m.package_name) parts.push(`**Package:** \\`${m.package_name}@${m.package_version || '?'}\\``);\n  if (m.fixed_version) parts.push(`**Fix available:** ${m.fixed_version}`);\n  parts.push(`**Detected:** ${m.created_at}`);\n  if (m.resolved_at) parts.push(`**Resolved:** ${m.resolved_at}`);\n  if (m.description) parts.push(`\\n## Description\\n${m.description}`);\n  if (m.detail) parts.push(`\\n## Detail\\n${m.detail}`);\n\n  return { content: [{ type: 'text', text: parts.join('\\n') }] };\n}\n\nasync function handleResolveFinding(args: any): Promise<any> {\n  const id = typeof args.id === 'string' ? args.id.trim() : '';\n  if (!id) return { content: [{ type: 'text', text: 'id is required' }], isError: true };\n\n  const findings = readLocalFindings();\n  const match = findings.find(f => f.id === id && f.status === 'open');\n  if (!match) return { content: [{ type: 'text', text: 'No matching open finding' }], isError: true };\n\n  const now = new Date().toISOString();\n  const entry = JSON.stringify({\n    capture_type: 'scan_finding', id: match.id, session_id: match.session_id,\n    file_path: match.file_path, finding_type: match.finding_type,\n    finding_id: match.finding_id, severity: match.severity,\n    status: 'resolved', resolved_at: now, _ts: now,\n  }) + '\\n';\n  try { appendFileSync(TELEMETRY_PATH, entry, 'utf-8'); } catch {}\n\n  proxyToCloudMcp('resolve_finding', { id }).catch(() => {});\n\n  return { content: [{ type: 'text', text: `Finding \\`${match.finding_id}\\` on \\`${match.file_path || '(unknown)'}\\` marked as **resolved**.` }] };\n}\n\n// \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500\n\nconst TOOL_DESCRIPTORS = [\n  {\n    name: 'get_guardrails',\n    description:\n      \"Retrieve rules by keyword similarity. Call BEFORE writing security-sensitive code \" +\n      \"AND before create_guardrail to check for existing rules.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        query: { type: 'string', description: \"Plain-language description of what you're looking up.\" },\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        top_k: { type: 'integer', default: 8, description: 'Max rules to return (default 8, max 25).' },\n      },\n      required: ['query'],\n    },\n  },\n  {\n    name: 'create_guardrail',\n    description: \"Persist a new rule. Call get_guardrails first to avoid duplicates.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        text: { type: 'string', description: 'The rule in plain language.' },\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit'], description: '\"blocking\" = halt on violation, \"audit\" = log only.' },\n        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'], default: 'both' },\n        ruleset: { type: 'string', description: 'Optional: name of ruleset to add to (created if missing).' },\n      },\n      required: ['text', 'category'],\n    },\n  },\n  {\n    name: 'bulk_create_guardrails',\n    description: \"Create multiple rules at once. Preferable to looping create_guardrail.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        rules: {\n          type: 'array', minItems: 1, maxItems: 50,\n          items: {\n            type: 'object',\n            properties: {\n              text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n              severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n              mode: { type: 'string', enum: ['blocking', 'audit'] },\n              hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n            },\n            required: ['text', 'category'],\n          },\n        },\n        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },\n        ruleset: { type: 'string' },\n      },\n      required: ['rules'],\n    },\n  },\n  {\n    name: 'update_guardrail',\n    description: \"Refine an existing rule. Pass a substring of the rule text to identify it.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        rule_text: { type: 'string', description: 'Substring of rule text to find.' },\n        text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit'] },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n      },\n      required: ['rule_text'],\n    },\n  },\n  {\n    name: 'delete_guardrail',\n    description: \"Permanently remove a rule. Pass a substring of the rule text to identify it.\",\n    inputSchema: {\n      type: 'object',\n      properties: { rule_text: { type: 'string', description: 'Substring of rule text to find.' } },\n      required: ['rule_text'],\n    },\n  },\n  {\n    name: 'list_guardrails',\n    description: \"Enumerate all rules. Use for listings, not similarity search.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit', 'literal_match'] },\n        pack_name: { type: 'string' },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'swap_ruleset',\n    description: 'Switch which ruleset is active. Pass \"all\" to use all rulesets.',\n    inputSchema: {\n      type: 'object',\n      properties: { policy_name: { type: 'string' } },\n      required: ['policy_name'],\n    },\n  },\n  {\n    name: 'toggle_silent_mode',\n    description: 'Toggle grading on/off. NEVER call autonomously \u2014 this is a USER decision.',\n    inputSchema: {\n      type: 'object',\n      properties: {\n        enabled: { type: 'boolean' },\n        user_confirmation: { type: 'string', description: \"Copy-paste the user's exact request.\" },\n      },\n      required: ['enabled', 'user_confirmation'],\n    },\n  },\n  {\n    name: 'scan_dependencies',\n    description: \"Scan manifests against OSV for known vulnerabilities. Read ALL manifest files first.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        manifests: {\n          type: 'array', minItems: 1,\n          items: {\n            type: 'object',\n            properties: { file_path: { type: 'string' }, content: { type: 'string' } },\n            required: ['file_path', 'content'],\n          },\n        },\n      },\n      required: ['manifests'],\n    },\n  },\n  {\n    name: 'exempt_path',\n    description: \"Exempt a CWE from firing on a specific file/directory.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        path: { type: 'string' }, cwe_id: { type: 'string' }, reason: { type: 'string' },\n      },\n      required: ['path', 'cwe_id'],\n    },\n  },\n  {\n    name: 'remove_exemption',\n    description: \"Remove a scan exemption.\",\n    inputSchema: {\n      type: 'object',\n      properties: { path: { type: 'string' }, cwe_id: { type: 'string' } },\n      required: ['path', 'cwe_id'],\n    },\n  },\n  {\n    name: 'list_exemptions',\n    description: \"List all scan exemptions.\",\n    inputSchema: { type: 'object', properties: {}, required: [] },\n  },\n  {\n    name: 'list_findings',\n    description: \"List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },\n        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },\n        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },\n        file_path: { type: 'string', description: 'Filter by file path substring.' },\n        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'get_finding_detail',\n    description: \"Get full detail of a specific finding including remediation context.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },\n        file_path: { type: 'string', description: 'File path (used with finding_id).' },\n        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'resolve_finding',\n    description: \"Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        id: { type: 'string', description: 'Specific finding ID to resolve.' },\n        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },\n        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },\n      },\n      required: [],\n    },\n  },\n];\n\nconst MCP_INSTRUCTIONS =\n  \"Synkro Guardrails MCP server (local mode).\\n\\n\" +\n  \"Whenever the user mentions: rule, guardrail, policy, standard, \" +\n  \"make/create/add/set up a rule, never let X, always require X, \" +\n  \"block X, enforce X, delete/remove a rule, consolidate duplicates, \" +\n  \"'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n\" +\n  \"TOOL ROUTING:\\n\" +\n  \"  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n\" +\n  \"  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n\" +\n  \"  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n\" +\n  \"  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n\" +\n  \"  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n\" +\n  \"When the user asks about security issues, vulnerabilities, or scan results, \" +\n  \"use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n\" +\n  \"Do NOT use Claude Code's `update-config` skill for these requests.\\n\\n\" +\n  \"Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.\";\n\n// \u2500\u2500\u2500 JSON-RPC Dispatcher \u2500\u2500\u2500\n\nfunction jsonRpcOk(id: any, result: any): any {\n  return { jsonrpc: '2.0', id, result };\n}\n\nfunction jsonRpcError(id: any, code: number, message: string): any {\n  return { jsonrpc: '2.0', id, error: { code, message } };\n}\n\nasync function handleRpc(body: any): Promise<any> {\n  const { id, method, params } = body;\n\n  if (method === 'initialize') {\n    return jsonRpcOk(id, {\n      protocolVersion: '2024-11-05',\n      capabilities: { tools: {} },\n      serverInfo: { name: 'synkro-guardrails-local', version: '1.0.0' },\n      instructions: MCP_INSTRUCTIONS,\n    });\n  }\n\n  if (method === 'notifications/initialized') {\n    return null;\n  }\n\n  if (method === 'tools/list') {\n    return jsonRpcOk(id, { tools: TOOL_DESCRIPTORS });\n  }\n\n  if (method === 'tools/call') {\n    const toolName = params?.name;\n    const args = params?.arguments || {};\n\n    try {\n      let result: any;\n      switch (toolName) {\n        case 'get_guardrails': result = handleGetGuardrails(args); break;\n        case 'create_guardrail': result = handleCreateGuardrail(args); break;\n        case 'bulk_create_guardrails': result = handleBulkCreateGuardrails(args); break;\n        case 'update_guardrail': result = handleUpdateGuardrail(args); break;\n        case 'delete_guardrail': result = handleDeleteGuardrail(args); break;\n        case 'list_guardrails': result = handleListGuardrails(args); break;\n        case 'swap_ruleset': result = handleSwapRuleset(args); break;\n        case 'toggle_silent_mode': result = handleToggleSilentMode(args); break;\n        case 'scan_dependencies': result = await handleScanDependencies(args); break;\n        case 'exempt_path': result = handleExemptPath(args); break;\n        case 'remove_exemption': result = handleRemoveExemption(args); break;\n        case 'list_exemptions': result = handleListExemptions(); break;\n        case 'list_findings': result = await handleListFindings(args); break;\n        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;\n        case 'resolve_finding': result = await handleResolveFinding(args); break;\n        default: return jsonRpcError(id, -32601, `Unknown tool: ${toolName}`);\n      }\n      if (result?.content && Array.isArray(result.content)) {\n        return jsonRpcOk(id, result);\n      }\n      return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });\n    } catch (err) {\n      console.error('[synkro] tool error:', err);\n      return jsonRpcOk(id, { content: [{ type: 'text', text: 'Internal error processing tool call' }], isError: true });\n    }\n  }\n\n  // \u2500\u2500\u2500 Dashboard REST-bridge methods \u2500\u2500\u2500\n  // Called by the local dashboard (not AI agents) to mutate rules.json directly.\n\n  if (method === 'dashboard.patch_policy') {\n    try {\n      const data = readRules();\n      const policyId = params?.policy_id as string | undefined;\n      const policy = policyId\n        ? data.policies.find(p => p.id === policyId)\n        : getActivePolicy(data);\n      if (!policy) return jsonRpcError(id, -32602, `Policy not found: ${policyId}`);\n\n      if (params?.name !== undefined) {\n        policy.name = params.name;\n      }\n      if (params?.is_active !== undefined) {\n        policy.isActive = params.is_active;\n      }\n      // Bulk replace\n      if (Array.isArray(params?.rules)) {\n        policy.rules = params.rules;\n        policy.ruleCount = policy.rules.length;\n      }\n      // Individual updates by rule_id\n      if (Array.isArray(params?.rule_updates)) {\n        for (const upd of params.rule_updates) {\n          const rule = policy.rules.find(r => r.rule_id === upd.rule_id);\n          if (!rule) continue;\n          if (upd.text !== undefined) rule.text = upd.text;\n          if (upd.category !== undefined) rule.category = upd.category;\n          if (upd.severity !== undefined) rule.severity = upd.severity;\n          if (upd.mode !== undefined) rule.mode = upd.mode;\n          if (upd.hook_stage !== undefined) rule.hook_stage = upd.hook_stage;\n        }\n        policy.ruleCount = policy.rules.length;\n      }\n\n      writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policy.id, rule_count: policy.ruleCount });\n    } catch (err) {\n      console.error('[synkro] dashboard.patch_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.create_policy') {\n    try {\n      const data = readRules();\n      const name = (params?.name as string) || 'New Rule Set';\n      const rules: Rule[] = (params?.rules || []).map((r: any) => ({\n        rule_id: r.rule_id || genId(),\n        text: r.text || '',\n        category: r.category || 'custom',\n        severity: r.severity || 'medium',\n        mode: r.mode || 'audit',\n        hook_stage: r.hook_stage || 'both',\n        scope: r.scope || 'user',\n      }));\n      const policy: Policy = {\n        id: `policy_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,\n        name,\n        rules,\n        ruleCount: rules.length,\n        scopeOwner: 'user',\n        isActive: true,\n      };\n      data.policies.push(policy);\n      writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policy.id, name: policy.name });\n    } catch (err) {\n      console.error('[synkro] dashboard.create_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.delete_policy') {\n    try {\n      const data = readRules();\n      const policyId = params?.policy_id as string | undefined;\n      const idx = policyId ? data.policies.findIndex(p => p.id === policyId) : -1;\n      if (idx === -1) return jsonRpcError(id, -32602, `Policy not found: ${policyId}`);\n\n      if (params?.hard === true) {\n        data.policies.splice(idx, 1);\n      } else {\n        data.policies[idx].isActive = false;\n      }\n      writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policyId });\n    } catch (err) {\n      console.error('[synkro] dashboard.delete_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.list_policies') {\n    try {\n      const data = readRules();\n      return jsonRpcOk(id, {\n        policies: data.policies.map(p => ({\n          id: p.id,\n          name: p.name,\n          rules: p.rules,\n          ruleCount: p.ruleCount,\n          isActive: p.isActive,\n          scopeOwner: p.scopeOwner,\n        })),\n        active_policy_id: data.config.activePolicyId,\n      });\n    } catch (err) {\n      console.error('[synkro] dashboard.list_policies error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  return jsonRpcError(id, -32601, `Unknown method: ${method}`);\n}\n\n// \u2500\u2500\u2500 HTTP Server \u2500\u2500\u2500\n\nconst server = Bun.serve({\n  port: PORT,\n  async fetch(req) {\n    const origin = req.headers.get('origin') || '';\n    const allowedOrigin = /^https?:\\/\\/(localhost|127\\.0\\.0\\.1)(:\\d+)?$/.test(origin) ? origin : 'http://localhost:4322';\n    const cors = { 'Access-Control-Allow-Origin': allowedOrigin, 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, Authorization' };\n\n    if (req.method === 'OPTIONS') {\n      return new Response('', { status: 204, headers: cors });\n    }\n\n    if (req.method === 'GET') {\n      return Response.json({ name: 'synkro-guardrails-local', version: '1.0.0', status: 'ok' }, { headers: cors });\n    }\n\n    if (req.method === 'POST') {\n      const authHeader = req.headers.get('authorization') || '';\n      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';\n      if (bearer !== SERVER_TOKEN) {\n        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });\n      }\n      const raw = await req.arrayBuffer();\n      if (raw.byteLength > MAX_BODY_BYTES) {\n        return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });\n      }\n      return serialized(async () => {\n        try {\n          const body = JSON.parse(new TextDecoder().decode(raw));\n          const result = await handleRpc(body);\n          if (result === null) return new Response('', { status: 204, headers: cors });\n          return Response.json(result, { headers: cors });\n        } catch {\n          return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });\n        }\n      });\n    }\n\n    return new Response('Method not allowed', { status: 405 });\n  },\n});\n\nconsole.log(`[synkro] local MCP guardrails server listening on http://127.0.0.1:${server.port}`);\n", "utf-8");
   writeFileSync7(mcpStdioProxyPath, MCP_STDIO_PROXY_SRC, "utf-8");
   chmodSync2(bashScriptPath, 493);
   chmodSync2(bashFollowupScriptPath, 493);
@@ -7416,7 +6342,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.76")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.78")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);