@synkro-sh/cli 1.4.87 → 1.4.88

package/dist/bootstrap.js

@@ -5243,1567 +5243,484 @@ var init_promptFetcher = __esm({
   }
 });
 
-// cli/local-cc/settings.ts
-import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir6 } from "os";
+// cli/local-cc/macKeychain.ts
+import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, chmodSync, readFileSync as readFileSync6, statSync } from "fs";
+import { homedir as homedir6, platform as platform3 } from "os";
 import { join as join6 } from "path";
-function isLocalCCEnabled() {
-  if (!existsSync7(CONFIG_PATH2)) return false;
-  try {
-    const content = readFileSync6(CONFIG_PATH2, "utf-8");
-    const match = content.match(/^SYNKRO_LOCAL_INFERENCE='([^']*)'/m);
-    return match?.[1] === "yes";
-  } catch {
-    return false;
-  }
-}
-var CONFIG_PATH2;
-var init_settings = __esm({
-  "cli/local-cc/settings.ts"() {
-    "use strict";
-    CONFIG_PATH2 = join6(homedir6(), ".synkro", "config.env");
-  }
-});
-
-// cli/local-cc/channelSource.ts
-var CHANNEL_PLUGIN_SOURCE;
-var init_channelSource = __esm({
-  "cli/local-cc/channelSource.ts"() {
-    "use strict";
-    CHANNEL_PLUGIN_SOURCE = `#!/usr/bin/env bun
-/**
- * Synkro local-CC channel plugin (auto-generated by \`synkro install\`).
- * DO NOT EDIT \u2014 your changes will be overwritten on next install.
- */
-import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
-import { readFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { homedir } from 'node:os';
-
-const PORT = parseInt(process.env.SYNKRO_CHANNEL_PORT || '8929', 10);
-const HOSTNAME = '127.0.0.1';
-
-const REQUEST_TIMEOUT_MS = parseInt(process.env.SYNKRO_CHANNEL_TIMEOUT_MS || '120000', 10);
-
-// \u2500\u2500\u2500 Primer cache (in-memory, refreshed every 60s) \u2500\u2500\u2500
-const PRIMER_REFRESH_MS = 60_000;
-const PRIMER_KEY: Record<string, string> = {
-  'grade-edit': 'grader_primer_edit',
-  'grade-bash': 'grader_primer_bash',
-  'grade-plan': 'grader_primer_plan',
-  'grade-cwe': 'grader_primer_cwe',
-};
-const REPLY_INSTRUCTIONS = \`
-DELIVERY METHOD \u2014 MANDATORY, OVERRIDES ALL OTHER OUTPUT RULES:
-You are running inside a Synkro MCP channel. Do NOT output your verdict as text.
-Instead, after generating your verdict, call the \\\`reply\\\` tool EXACTLY ONCE with:
-  - req_id: the req_id from this channel event's meta
-  - result: your complete verdict block as a string (the <synkro-verdict>\u2026</synkro-verdict> XML)
-Any text output is silently discarded. Only the reply tool call is captured.\`;
-
-let primerData: Record<string, string> = {};
-let primerFetchedAt = 0;
-let primerRefreshTimer: ReturnType<typeof setInterval> | null = null;
-
-function readCreds(): { jwt: string; gatewayUrl: string } {
-  try {
-    const raw = JSON.parse(readFileSync(join(homedir(), '.synkro', 'credentials.json'), 'utf-8'));
-    return { jwt: raw.access_token || '', gatewayUrl: raw.gateway_url || 'https://api.synkro.sh' };
-  } catch { return { jwt: '', gatewayUrl: 'https://api.synkro.sh' }; }
+import { spawnSync } from "child_process";
+function needsKeychainBridge() {
+  return platform3() === "darwin";
 }
-
-async function refreshPrimers(): Promise<void> {
-  const { jwt, gatewayUrl } = readCreds();
-  if (!jwt) return;
-  try {
-    const resp = await fetch(gatewayUrl + '/api/v1/cli/judge-prompts', {
-      headers: { Authorization: 'Bearer ' + jwt },
-      signal: AbortSignal.timeout(5000),
-    });
-    if (!resp.ok) return;
-    const data = await resp.json() as Record<string, string>;
-    primerData = data;
-    primerFetchedAt = Date.now();
-  } catch {}
+function readKeychainCreds() {
+  if (platform3() !== "darwin") return null;
+  const r = spawnSync("security", ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-w"], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (r.status !== 0) return null;
+  const blob = (r.stdout || "").trim();
+  return blob || null;
 }
-
-function getPrimer(role: string): string {
-  const key = PRIMER_KEY[role];
-  return (key ? primerData[key] : '') || '';
+function exportKeychainCreds() {
+  const blob = readKeychainCreds();
+  if (!blob) return null;
+  mkdirSync6(CLAUDE_CREDS_DIR, { recursive: true });
+  chmodSync(CLAUDE_CREDS_DIR, 448);
+  writeFileSync6(CLAUDE_CREDS_FILE, blob, "utf-8");
+  chmodSync(CLAUDE_CREDS_FILE, 384);
+  return CLAUDE_CREDS_FILE;
 }
-
-function buildContent(role: string, payload: string): string {
-  const primer = getPrimer(role);
-  return (primer ? primer + '\\n\\n' : '') + REPLY_INSTRUCTIONS + '\\n\\n---\\nPAYLOAD (the input to evaluate):\\n\\n' + payload;
+function writeRefreshAgent(synkroBinPath) {
+  if (platform3() !== "darwin") {
+    throw new KeychainExportError("writeRefreshAgent is darwin-only");
+  }
+  mkdirSync6(join6(homedir6(), "Library", "LaunchAgents"), { recursive: true });
+  const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${LAUNCHD_LABEL}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${synkroBinPath}</string>
+    <string>local-cc</string>
+    <string>refresh-creds</string>
+  </array>
+  <key>StartInterval</key>
+  <integer>${REFRESH_INTERVAL_SECONDS}</integer>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardErrorPath</key>
+  <string>${join6(SYNKRO_DIR2, "claude-creds-refresh.log")}</string>
+  <key>StandardOutPath</key>
+  <string>${join6(SYNKRO_DIR2, "claude-creds-refresh.log")}</string>
+</dict>
+</plist>
+`;
+  writeFileSync6(LAUNCHD_PLIST, plist, "utf-8");
+  return LAUNCHD_PLIST;
 }
-
-// Kick off initial fetch + periodic refresh
-refreshPrimers();
-primerRefreshTimer = setInterval(refreshPrimers, PRIMER_REFRESH_MS);
-
-interface PendingRequest {
-  resolve: (result: string) => void;
-  reject: (err: Error) => void;
-  timer: ReturnType<typeof setTimeout>;
+function loadRefreshAgent() {
+  if (platform3() !== "darwin") return;
+  spawnSync("launchctl", ["bootout", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  const r = spawnSync("launchctl", ["bootstrap", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (r.status !== 0) {
+    throw new KeychainExportError(
+      `launchctl bootstrap failed: ${r.stderr || r.stdout || "unknown"}`
+    );
+  }
 }
-
-const pending = new Map<string, PendingRequest>();
-let nextRequestId = 1;
-
-const mcp = new Server(
-  { name: 'synkro-local', version: '0.1.0' },
-  {
-    capabilities: {
-      experimental: { 'claude/channel': {} },
-      tools: {},
-    },
-    instructions: [
-      'Synkro local inference channel.',
-      'Each <channel source="synkro-local" req_id="..." role="..."> event contains a',
-      'self-contained instruction block followed by the payload to evaluate. Treat it',
-      'as a fresh isolated request \u2014 IGNORE any prior conversation turns or context.',
-      'Do not call Read, Edit, Write, Bash, or any other tool. Do exactly one thing:',
-      'parse the request, produce the structured response described inside it, then',
-      'call the \\\`reply\\\` tool exactly once with the same req_id and the response',
-      'wrapped as the \\\`result\\\` argument (a string). Output no other text.',
-    ].join(' '),
-  },
-);
-
-mcp.setRequestHandler(ListToolsRequestSchema, async () => ({
-  tools: [{
-    name: 'reply',
-    description: 'Return the response for a Synkro local-inference request',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        req_id: { type: 'string', description: 'The req_id from the channel event being answered' },
-        result: { type: 'string', description: 'The response text. For grading/classification roles, the JSON-tagged verdict the role requested.' },
-      },
-      required: ['req_id', 'result'],
-    },
-  }],
-}));
-
-mcp.setRequestHandler(CallToolRequestSchema, async req => {
-  if (req.params.name !== 'reply') {
-    throw new Error('unknown tool: ' + req.params.name);
-  }
-  const args = req.params.arguments as { req_id?: string; result?: string };
-  const reqId = String(args.req_id ?? '');
-  const result = String(args.result ?? '');
-  const p = pending.get(reqId);
-  if (p) {
-    clearTimeout(p.timer);
-    pending.delete(reqId);
-    p.resolve(result);
-    return { content: [{ type: 'text', text: 'ok' }] };
-  }
-  return { content: [{ type: 'text', text: 'unknown req_id (likely already timed out)' }] };
-});
-
-// Bind the listener BEFORE awaiting mcp.connect \u2014 Bun.serve is synchronous
-// and must run on the script's first tick, otherwise the stdio transport's
-// read loop can starve the serve setup.
-Bun.serve({
-  port: PORT,
-  hostname: HOSTNAME,
-  idleTimeout: 0,
-  async fetch(req) {
-    const url = new URL(req.url);
-    if (url.pathname === '/healthz') {
-      return new Response(JSON.stringify({ ok: true, pending: pending.size }), {
-        headers: { 'Content-Type': 'application/json' },
-      });
-    }
-    if (req.method !== 'POST' || url.pathname !== '/submit') {
-      return new Response('not found', { status: 404 });
-    }
-    let body: { role?: string; content?: string; payload?: string };
-    try {
-      body = await req.json() as typeof body;
-    } catch {
-      return new Response('invalid json', { status: 400 });
-    }
-    const role = String(body.role ?? '');
-    const content = body.payload ? buildContent(role, body.payload) : String(body.content ?? '');
-    if (!role || !content) {
-      return new Response('missing role/content', { status: 400 });
-    }
-    const reqId = 'r' + (nextRequestId++) + Date.now().toString(36);
-    const result = await new Promise<string>((resolve, reject) => {
-      const timer = setTimeout(() => {
-        pending.delete(reqId);
-        reject(new Error('timeout waiting for reply (' + REQUEST_TIMEOUT_MS + 'ms)'));
-      }, REQUEST_TIMEOUT_MS);
-      pending.set(reqId, { resolve, reject, timer });
-      mcp.notification({
-        method: 'notifications/claude/channel',
-        params: {
-          content,
-          meta: { req_id: reqId, role },
-        },
-      }).catch(err => {
-        clearTimeout(timer);
-        pending.delete(reqId);
-        reject(err instanceof Error ? err : new Error(String(err)));
-      });
-    }).catch(err => {
-      return JSON.stringify({ error: err instanceof Error ? err.message : String(err) });
-    });
-    if (typeof result === 'string' && result.startsWith('{"error":')) {
-      return new Response(result, { status: 504, headers: { 'Content-Type': 'application/json' } });
+function uninstallRefreshAgent() {
+  if (platform3() !== "darwin") return;
+  spawnSync("launchctl", ["bootout", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  try {
+    if (existsSync7(LAUNCHD_PLIST)) {
+      __require("fs").unlinkSync(LAUNCHD_PLIST);
     }
-    return new Response(JSON.stringify({ result }), {
-      headers: { 'Content-Type': 'application/json' },
-    });
-  },
-});
-
-process.on('SIGTERM', () => process.exit(0));
-process.on('SIGINT', () => process.exit(0));
-
-// MCP stdio handshake last. The transport's read loop keeps the process
-// alive; the TCP listener is already bound at this point so the CLI can
-// hit it as soon as Claude finishes its end of the handshake.
-await mcp.connect(new StdioServerTransport());
-`;
+  } catch {
+  }
+}
+var SYNKRO_DIR2, CLAUDE_CREDS_DIR, CLAUDE_CREDS_FILE, KEYCHAIN_SERVICE, LAUNCHD_LABEL, LAUNCHD_PLIST, REFRESH_INTERVAL_SECONDS, KeychainExportError;
+var init_macKeychain = __esm({
+  "cli/local-cc/macKeychain.ts"() {
+    "use strict";
+    SYNKRO_DIR2 = join6(homedir6(), ".synkro");
+    CLAUDE_CREDS_DIR = join6(SYNKRO_DIR2, "claude-creds");
+    CLAUDE_CREDS_FILE = join6(CLAUDE_CREDS_DIR, ".credentials.json");
+    KEYCHAIN_SERVICE = "Claude Code-credentials";
+    LAUNCHD_LABEL = "com.synkro.cli.claude-creds-refresh";
+    LAUNCHD_PLIST = join6(homedir6(), "Library", "LaunchAgents", `${LAUNCHD_LABEL}.plist`);
+    REFRESH_INTERVAL_SECONDS = 6 * 60 * 60;
+    KeychainExportError = class extends Error {
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "KeychainExportError";
+      }
+      cause;
+    };
   }
 });
 
-// cli/local-cc/install.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, readFileSync as readFileSync7, chmodSync, copyFileSync, renameSync as renameSync4, unlinkSync as unlinkSync4, openSync, fsyncSync, closeSync } from "fs";
-import { join as join7 } from "path";
+// cli/local-cc/dockerInstall.ts
+import { existsSync as existsSync8, mkdirSync as mkdirSync7 } from "fs";
 import { homedir as homedir7 } from "os";
-import { spawnSync } from "child_process";
-function writePluginFiles() {
-  for (const c of CHANNELS) {
-    mkdirSync6(c.sessionDir, { recursive: true });
-    mkdirSync6(c.pluginSettingsDir, { recursive: true });
-    writeFileSync6(c.pluginPath, CHANNEL_PLUGIN_SOURCE, "utf-8");
-    chmodSync(c.pluginPath, 493);
-    writeFileSync6(c.pluginPkgPath, PLUGIN_PACKAGE_JSON, "utf-8");
-    writeFileSync6(
-      c.pluginSettingsPath,
-      JSON.stringify({
-        fastMode: true,
-        enabledMcpjsonServers: ["synkro-local"]
-      }, null, 2) + "\n",
-      "utf-8"
+import { join as join7 } from "path";
+import { spawnSync as spawnSync2 } from "child_process";
+function imageTag() {
+  const registry = process.env.SYNKRO_IMAGE_REGISTRY || "";
+  const tag = process.env.SYNKRO_IMAGE_TAG || DEFAULT_IMAGE;
+  return registry ? `${registry.replace(/\/+$/, "")}/${tag.replace(/^.*\//, "")}` : tag;
+}
+function assertDockerAvailable() {
+  const v = spawnSync2("docker", ["version", "--format", "{{.Server.Version}}"], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (v.status !== 0) {
+    throw new DockerInstallError(
+      "Docker CLI is not installed or the daemon is not reachable.\nInstall Docker Desktop (macOS) or docker-engine (Linux), start the daemon, then re-run."
     );
-    writeFileSync6(c.runScriptPath, c.runScriptSource, "utf-8");
-    chmodSync(c.runScriptPath, 493);
   }
 }
-function runBunInstall() {
-  for (const c of CHANNELS) {
-    const r = spawnSync("bun", ["install", "--silent"], {
-      cwd: c.sessionDir,
-      encoding: "utf-8",
-      timeout: 12e4
-    });
-    if (r.status !== 0) {
-      throw new LocalCCInstallError(
-        `bun install failed in ${c.sessionDir}: ${r.stderr || r.stdout || "unknown"}`
-      );
-    }
-  }
+function claudeCredsHostDir() {
+  if (needsKeychainBridge()) return CLAUDE_CREDS_DIR;
+  return join7(homedir7(), ".claude");
 }
-function safelyMutateClaudeJson(mutator) {
-  if (!existsSync8(CLAUDE_JSON_PATH)) {
-    return;
-  }
-  const originalText = readFileSync7(CLAUDE_JSON_PATH, "utf-8");
-  let parsed;
-  try {
-    parsed = JSON.parse(originalText);
-  } catch (err) {
-    throw new LocalCCInstallError(
-      `refusing to modify malformed ${CLAUDE_JSON_PATH}: ${err.message}. Please fix the JSON manually before retrying.`,
-      err
+async function dockerInstall(opts = {}) {
+  assertDockerAvailable();
+  const image = imageTag();
+  const workers = String(opts.workersPerPool ?? 4);
+  mkdirSync7(PGDATA_PATH, { recursive: true });
+  if (!existsSync8(MCP_JWT_PATH)) {
+    throw new DockerInstallError(
+      `MCP JWT missing at ${MCP_JWT_PATH}. The installer should mint this before calling dockerInstall.`
     );
   }
-  const originalKeys = new Set(Object.keys(parsed));
-  const dirty = mutator(parsed);
-  if (!dirty) return;
-  for (const k of originalKeys) {
-    if (!(k in parsed)) {
-      throw new LocalCCInstallError(
-        `refusing to write ${CLAUDE_JSON_PATH}: mutator dropped top-level key "${k}". This is a bug \u2014 please report.`
+  if (needsKeychainBridge()) {
+    const path = exportKeychainCreds();
+    if (!path) {
+      throw new DockerInstallError(
+        "Claude Code keychain entry not found. Run `claude login` (or open Claude Code and sign in) before installing the container."
       );
     }
-  }
-  const newText = JSON.stringify(parsed, null, 2) + "\n";
-  try {
-    JSON.parse(newText);
-  } catch (err) {
-    throw new LocalCCInstallError(
-      `refusing to write ${CLAUDE_JSON_PATH}: serialized result is not valid JSON. This is a bug \u2014 please report.`,
-      err
-    );
-  }
-  copyFileSync(CLAUDE_JSON_PATH, CLAUDE_JSON_BACKUP_PATH);
-  const tmpPath = `${CLAUDE_JSON_PATH}.synkro-tmp.${process.pid}`;
-  try {
-    writeFileSync6(tmpPath, newText, "utf-8");
-    const fd = openSync(tmpPath, "r");
+    const plist = writeRefreshAgent("/usr/local/bin/synkro");
     try {
-      fsyncSync(fd);
-    } finally {
-      closeSync(fd);
+      loadRefreshAgent();
+    } catch (err) {
+      console.warn(`  \u26A0 launchd refresh agent not loaded: ${err.message}`);
+      console.warn(`    Plist written to ${plist} \u2014 load manually with launchctl bootstrap when ready.`);
     }
-    renameSync4(tmpPath, CLAUDE_JSON_PATH);
-  } catch (err) {
+  } else {
+    mkdirSync7(join7(homedir7(), ".claude"), { recursive: true });
+  }
+  console.log(`  Pulling ${image}...`);
+  const pull = spawnSync2("docker", ["pull", image], { encoding: "utf-8", stdio: "inherit", timeout: 6e5 });
+  if (pull.status !== 0) {
+    throw new DockerInstallError(`docker pull ${image} failed`);
+  }
+  spawnSync2("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+  const credsDir = claudeCredsHostDir();
+  const args2 = [
+    "run",
+    "--detach",
+    "--name",
+    CONTAINER_NAME,
+    "--restart",
+    "unless-stopped",
+    "-p",
+    `127.0.0.1:${HOST_MCP_PORT}:8931`,
+    "-p",
+    `127.0.0.1:${HOST_GRADER_PORT}:8929`,
+    "-p",
+    `127.0.0.1:${HOST_CWE_PORT}:8930`,
+    "-p",
+    `127.0.0.1:${HOST_PG_PORT}:5433`,
+    "-v",
+    `${PGDATA_PATH}:/data/pgdata`,
+    "-v",
+    `${MCP_JWT_PATH}:/data/.mcp-jwt:ro`,
+    "-v",
+    `${credsDir}:/home/synkro/.claude:rw`,
+    "-e",
+    `WORKERS_PER_POOL=${workers}`,
+    image
+  ];
+  const run = spawnSync2("docker", args2, { encoding: "utf-8", stdio: "inherit", timeout: 6e4 });
+  if (run.status !== 0) {
+    throw new DockerInstallError(`docker run failed (image ${image})`);
+  }
+  return { image, hostMcpPort: HOST_MCP_PORT, hostGraderPort: HOST_GRADER_PORT, hostCwePort: HOST_CWE_PORT };
+}
+async function waitForContainerReady(timeoutMs = 6e4) {
+  const start = Date.now();
+  const url = `http://127.0.0.1:${HOST_MCP_PORT}/health`;
+  while (Date.now() - start < timeoutMs) {
     try {
-      unlinkSync4(tmpPath);
+      const r = await fetch(url, { signal: AbortSignal.timeout(2e3) });
+      if (r.ok) return true;
     } catch {
     }
-    try {
-      copyFileSync(CLAUDE_JSON_BACKUP_PATH, CLAUDE_JSON_PATH);
-    } catch {
-    }
-    throw new LocalCCInstallError(
-      `failed to write ${CLAUDE_JSON_PATH}: ${err.message}. Backup at ${CLAUDE_JSON_BACKUP_PATH} preserves the prior state.`,
-      err
-    );
+    await new Promise((r) => setTimeout(r, 1e3));
   }
+  return false;
 }
-function writeProjectMcpJson() {
-  for (const c of CHANNELS) {
-    const mcp = {
-      mcpServers: {
-        [MCP_SERVER_NAME]: {
-          command: "bun",
-          args: [c.pluginPath]
-        }
+function dockerStop() {
+  spawnSync2("docker", ["stop", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+  spawnSync2("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+}
+function dockerStatus() {
+  const r = spawnSync2("docker", ["inspect", "--format", "{{.State.Status}}", CONTAINER_NAME], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  const status = (r.stdout || "").trim();
+  if (status !== "running") return { running: false };
+  return {
+    running: true,
+    image: imageTag(),
+    healthz: `http://127.0.0.1:${HOST_MCP_PORT}/`
+  };
+}
+var SYNKRO_DIR3, MCP_JWT_PATH, PGDATA_PATH, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError;
+var init_dockerInstall = __esm({
+  "cli/local-cc/dockerInstall.ts"() {
+    "use strict";
+    init_macKeychain();
+    SYNKRO_DIR3 = join7(homedir7(), ".synkro");
+    MCP_JWT_PATH = join7(SYNKRO_DIR3, ".mcp-jwt");
+    PGDATA_PATH = join7(SYNKRO_DIR3, "pgdata");
+    HOST_MCP_PORT = parseInt(process.env.SYNKRO_HOST_MCP_PORT || "18931", 10);
+    HOST_GRADER_PORT = parseInt(process.env.SYNKRO_HOST_GRADER_PORT || "18929", 10);
+    HOST_CWE_PORT = parseInt(process.env.SYNKRO_HOST_CWE_PORT || "18930", 10);
+    HOST_PG_PORT = parseInt(process.env.SYNKRO_HOST_PG_PORT || "15433", 10);
+    CONTAINER_NAME = "synkro-server";
+    DEFAULT_IMAGE = "ghcr.io/synkro-sh/server:latest";
+    DockerInstallError = class extends Error {
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "DockerInstallError";
       }
+      cause;
     };
-    writeFileSync6(c.projectMcpPath, JSON.stringify(mcp, null, 2) + "\n", "utf-8");
   }
+});
+
+// cli/commands/install.ts
+var install_exports = {};
+__export(install_exports, {
+  installCommand: () => installCommand,
+  parseArgs: () => parseArgs
+});
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync7, readdirSync } from "fs";
+import { homedir as homedir8 } from "os";
+import { join as join8 } from "path";
+import { execSync as execSync5 } from "child_process";
+import { createInterface as createInterface3 } from "readline";
+function sanitizeGatewayCandidate(raw) {
+  if (!raw) return void 0;
+  return /^https?:\/\//.test(raw) ? raw : void 0;
 }
-function patchClaudeJson() {
-  safelyMutateClaudeJson((parsed) => {
-    let dirty = false;
-    if (parsed.mcpServers && typeof parsed.mcpServers === "object" && parsed.mcpServers[MCP_SERVER_NAME]) {
-      delete parsed.mcpServers[MCP_SERVER_NAME];
-      dirty = true;
-    }
-    if (!parsed.projects || typeof parsed.projects !== "object") {
-      parsed.projects = {};
-    }
-    const projects = parsed.projects;
-    for (const dir of CHANNELS.map((c) => c.sessionDir)) {
-      const existing = projects[dir] && typeof projects[dir] === "object" ? projects[dir] : {};
-      const wantEnabled = Array.from(/* @__PURE__ */ new Set([
-        ...existing.enabledMcpjsonServers ?? [],
-        MCP_SERVER_NAME
-      ]));
-      const next = {
-        ...existing,
-        hasTrustDialogAccepted: true,
-        hasCompletedProjectOnboarding: true,
-        enabledMcpjsonServers: wantEnabled
-      };
-      if (existing.hasTrustDialogAccepted !== true || existing.hasCompletedProjectOnboarding !== true || JSON.stringify(existing.enabledMcpjsonServers ?? []) !== JSON.stringify(wantEnabled)) {
-        projects[dir] = next;
-        dirty = true;
+function parseArgs(argv) {
+  const opts = {};
+  for (const a of argv) {
+    if (a.startsWith("--api-key=")) opts.apiKey = a.slice("--api-key=".length);
+    else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
+    else if (a === "--skip-auth") opts.skipAuth = true;
+    else if (a === "--no-mcp") opts.noMcp = true;
+    else if (a === "--force" || a === "-f") opts.force = true;
+    else if (a === "--link-repo") opts.linkRepo = true;
+  }
+  if (!opts.gatewayUrl) {
+    const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
+    if (fromEnv) opts.gatewayUrl = fromEnv;
+  }
+  return opts;
+}
+async function promptTranscriptConsent() {
+  const rl = createInterface3({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve3) => {
+    rl.question(
+      "Would you like Synkro to use Claude Code session transcripts\nto generate guardrail rules and policies for your team? (Y/n) ",
+      (answer) => {
+        rl.close();
+        const trimmed = answer.trim().toLowerCase();
+        resolve3(trimmed === "" || trimmed === "y" || trimmed === "yes");
       }
-    }
-    return dirty;
+    );
   });
 }
-function installLocalCC() {
-  let bunCheck = spawnSync("bun", ["--version"], { encoding: "utf-8" });
-  if (bunCheck.status !== 0) {
-    if (process.platform === "darwin") {
-      console.log("  Installing bun via brew...");
-      const brewR = spawnSync("brew", ["install", "oven-sh/bun/bun"], { encoding: "utf-8", stdio: "inherit", timeout: 12e4 });
-      if (brewR.status !== 0) {
-        throw new LocalCCInstallError("bun auto-install failed. Install manually: curl -fsSL https://bun.sh/install | bash");
-      }
-      bunCheck = spawnSync("bun", ["--version"], { encoding: "utf-8" });
-      if (bunCheck.status !== 0) {
-        throw new LocalCCInstallError("bun installed but not found on PATH. Restart your terminal and re-run install.");
-      }
-    } else {
-      throw new LocalCCInstallError("bun is required. Install it: curl -fsSL https://bun.sh/install | bash");
-    }
+function ensureSynkroDir() {
+  mkdirSync8(SYNKRO_DIR4, { recursive: true });
+  mkdirSync8(HOOKS_DIR, { recursive: true });
+  mkdirSync8(BIN_DIR, { recursive: true });
+  mkdirSync8(OFFSETS_DIR, { recursive: true });
+  mkdirSync8(join8(SYNKRO_DIR4, "sessions"), { recursive: true });
+}
+function writeHookScripts() {
+  const bashScriptPath = join8(HOOKS_DIR, "cc-bash-judge.ts");
+  const bashFollowupScriptPath = join8(HOOKS_DIR, "cc-bash-followup.ts");
+  const editPrecheckScriptPath = join8(HOOKS_DIR, "cc-edit-precheck.ts");
+  const cwePrecheckScriptPath = join8(HOOKS_DIR, "cc-cwe-precheck.ts");
+  const cvePrecheckScriptPath = join8(HOOKS_DIR, "cc-cve-precheck.ts");
+  const planJudgeScriptPath = join8(HOOKS_DIR, "cc-plan-judge.ts");
+  const agentJudgeScriptPath = join8(HOOKS_DIR, "cc-agent-judge.ts");
+  const stopSummaryScriptPath = join8(HOOKS_DIR, "cc-stop-summary.ts");
+  const sessionStartScriptPath = join8(HOOKS_DIR, "cc-session-start.ts");
+  const transcriptSyncScriptPath = join8(HOOKS_DIR, "cc-transcript-sync.ts");
+  const userPromptSubmitScriptPath = join8(HOOKS_DIR, "cc-user-prompt-submit.ts");
+  const commonScriptPath = join8(HOOKS_DIR, "_synkro-common.ts");
+  const commonBashScriptPath = join8(HOOKS_DIR, "_synkro-common.sh");
+  const cursorBashJudgePath = join8(HOOKS_DIR, "cursor-bash-judge.ts");
+  const cursorEditCapturePath = join8(HOOKS_DIR, "cursor-edit-capture.ts");
+  const mcpStdioProxyPath = join8(HOOKS_DIR, "mcp-stdio-proxy.ts");
+  writeFileSync7(bashScriptPath, BASH_JUDGE_TS, "utf-8");
+  writeFileSync7(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
+  writeFileSync7(editPrecheckScriptPath, EDIT_PRECHECK_TS, "utf-8");
+  writeFileSync7(cwePrecheckScriptPath, CWE_PRECHECK_TS, "utf-8");
+  writeFileSync7(cvePrecheckScriptPath, CVE_PRECHECK_TS, "utf-8");
+  writeFileSync7(planJudgeScriptPath, PLAN_JUDGE_TS, "utf-8");
+  writeFileSync7(agentJudgeScriptPath, AGENT_JUDGE_TS, "utf-8");
+  writeFileSync7(stopSummaryScriptPath, STOP_SUMMARY_TS, "utf-8");
+  writeFileSync7(sessionStartScriptPath, SESSION_START_TS, "utf-8");
+  writeFileSync7(transcriptSyncScriptPath, TRANSCRIPT_SYNC_TS, "utf-8");
+  writeFileSync7(userPromptSubmitScriptPath, USER_PROMPT_SUBMIT_TS, "utf-8");
+  writeFileSync7(commonScriptPath, SYNKRO_COMMON_TS, "utf-8");
+  writeFileSync7(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
+  writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
+  writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
+  writeFileSync7(mcpStdioProxyPath, MCP_STDIO_PROXY_SRC, "utf-8");
+  chmodSync2(bashScriptPath, 493);
+  chmodSync2(bashFollowupScriptPath, 493);
+  chmodSync2(editPrecheckScriptPath, 493);
+  chmodSync2(cwePrecheckScriptPath, 493);
+  chmodSync2(cvePrecheckScriptPath, 493);
+  chmodSync2(planJudgeScriptPath, 493);
+  chmodSync2(agentJudgeScriptPath, 493);
+  chmodSync2(stopSummaryScriptPath, 493);
+  chmodSync2(sessionStartScriptPath, 493);
+  chmodSync2(transcriptSyncScriptPath, 493);
+  chmodSync2(userPromptSubmitScriptPath, 493);
+  chmodSync2(commonScriptPath, 493);
+  chmodSync2(commonBashScriptPath, 493);
+  chmodSync2(cursorBashJudgePath, 493);
+  chmodSync2(cursorEditCapturePath, 493);
+  chmodSync2(mcpStdioProxyPath, 493);
+  return {
+    bashScript: bashScriptPath,
+    bashFollowupScript: bashFollowupScriptPath,
+    editPrecheckScript: editPrecheckScriptPath,
+    cwePrecheckScript: cwePrecheckScriptPath,
+    cvePrecheckScript: cvePrecheckScriptPath,
+    planJudgeScript: planJudgeScriptPath,
+    agentJudgeScript: agentJudgeScriptPath,
+    stopSummaryScript: stopSummaryScriptPath,
+    sessionStartScript: sessionStartScriptPath,
+    transcriptSyncScript: transcriptSyncScriptPath,
+    userPromptSubmitScript: userPromptSubmitScriptPath,
+    cursorBashJudgeScript: cursorBashJudgePath,
+    cursorEditCaptureScript: cursorEditCapturePath
+  };
+}
+function sanitizeConfigValue(raw, maxLen = 256) {
+  if (!raw) return "";
+  return raw.replace(/[^\x20-\x7E]/g, "").slice(0, maxLen);
+}
+function shellQuoteSingle(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function resolveSynkroBundle() {
+  const scriptPath = process.argv[1];
+  if (scriptPath && existsSync9(scriptPath)) return scriptPath;
+  return null;
+}
+function writeConfigEnv(opts) {
+  const credsPath = join8(SYNKRO_DIR4, "credentials.json");
+  const safeGateway = sanitizeConfigValue(opts.gatewayUrl);
+  const safeUserId = sanitizeConfigValue(opts.userId);
+  const safeOrgId = sanitizeConfigValue(opts.orgId);
+  const safeEmail = sanitizeConfigValue(opts.email);
+  const safeTier = sanitizeConfigValue(opts.tier ?? "pro", 32);
+  const safeInference = sanitizeConfigValue(opts.inference ?? "fast", 16);
+  const safeSynkroBin = sanitizeConfigValue(opts.synkroBin ?? "", 1024);
+  const lines = [
+    "# Synkro CLI config (managed by synkro install)",
+    "# JWT auth \u2014 the hook scripts read SYNKRO_CREDENTIALS_PATH at runtime",
+    "# and send Authorization: Bearer <access_token> on every gateway call.",
+    `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
+    `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
+    `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
+    `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.88")}`
+  ];
+  if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
+  if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
+  if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
+  if (safeEmail) lines.push(`SYNKRO_EMAIL=${shellQuoteSingle(safeEmail)}`);
+  if (opts.transcriptConsent !== void 0) {
+    lines.push(`SYNKRO_TRANSCRIPT_CONSENT=${shellQuoteSingle(opts.transcriptConsent ? "yes" : "no")}`);
   }
-  writePluginFiles();
-  runBunInstall();
-  writeProjectMcpJson();
-  patchClaudeJson();
-  return { sessionDir: SESSION_DIR, pluginPath: PLUGIN_PATH };
+  lines.push(`SYNKRO_LOCAL_INFERENCE=${shellQuoteSingle(opts.localInference ? "yes" : "no")}`);
+  const safeMode = sanitizeConfigValue(opts.deploymentMode ?? "docker", 16);
+  lines.push(`SYNKRO_DEPLOYMENT_MODE=${shellQuoteSingle(safeMode)}`);
+  lines.push("");
+  writeFileSync7(CONFIG_PATH2, lines.join("\n"), "utf-8");
+  chmodSync2(CONFIG_PATH2, 384);
 }
-function uninstallLocalCC() {
-  safelyMutateClaudeJson((parsed) => {
-    let dirty = false;
-    if (parsed.mcpServers && parsed.mcpServers[MCP_SERVER_NAME]) {
-      delete parsed.mcpServers[MCP_SERVER_NAME];
-      dirty = true;
+function resolveDeploymentMode() {
+  const envOverride = process.env.SYNKRO_DEPLOYMENT_MODE;
+  if (envOverride) return envOverride.toLowerCase();
+  try {
+    if (existsSync9(CONFIG_PATH2)) {
+      const m = readFileSync7(CONFIG_PATH2, "utf-8").match(/^SYNKRO_DEPLOYMENT_MODE='([^']*)'/m);
+      if (m && m[1]) return m[1].toLowerCase();
     }
-    for (const dir of CHANNELS.map((c) => c.sessionDir)) {
-      if (parsed.projects && typeof parsed.projects === "object" && parsed.projects[dir]) {
-        delete parsed.projects[dir];
-        dirty = true;
+  } catch {
+  }
+  return "docker";
+}
+function collectLocalMetadata() {
+  const meta = { platform: process.platform };
+  try {
+    meta.display_name = execSync5("git config user.name", { encoding: "utf-8", timeout: 3e3 }).trim();
+  } catch {
+  }
+  try {
+    const remote = execSync5("git remote get-url origin", { encoding: "utf-8", timeout: 3e3 }).trim();
+    const sshMatch = remote.match(/^git@[^:]+:(.+?)(?:\.git)?$/);
+    const httpMatch = remote.match(/^https?:\/\/[^/]+\/(.+?)(?:\.git)?$/);
+    const m = sshMatch || httpMatch;
+    if (m) meta.active_repo = m[1];
+  } catch {
+  }
+  try {
+    meta.cc_version = execSync5("claude --version", { encoding: "utf-8", timeout: 5e3 }).trim().split("\n")[0];
+  } catch {
+  }
+  const claudeDir = join8(homedir8(), ".claude");
+  try {
+    const settings = JSON.parse(readFileSync7(join8(claudeDir, "settings.json"), "utf-8"));
+    const plugins = Object.keys(settings.enabledPlugins ?? {}).filter((k) => settings.enabledPlugins[k]);
+    if (plugins.length) meta.enabled_plugins = plugins;
+    if (settings.permissions?.defaultMode) meta.permissions_mode = settings.permissions.defaultMode;
+  } catch {
+  }
+  try {
+    const mcpCache = JSON.parse(readFileSync7(join8(claudeDir, "mcp-needs-auth-cache.json"), "utf-8"));
+    const mcpNames = Object.keys(mcpCache);
+    if (mcpNames.length) meta.mcp_servers = mcpNames;
+  } catch {
+  }
+  try {
+    const mcpList = execSync5("claude mcp list 2>/dev/null", { encoding: "utf-8", timeout: 1e4 });
+    const connected = mcpList.split("\n").filter((l) => l.includes("Connected")).map((l) => l.split(":")[0].trim()).filter(Boolean);
+    if (connected.length) meta.mcp_servers_connected = connected;
+  } catch {
+  }
+  try {
+    const sessionsDir = join8(claudeDir, "sessions");
+    const files = readdirSync(sessionsDir).filter((f) => f.endsWith(".json")).slice(-5);
+    for (const f of files) {
+      const s = JSON.parse(readFileSync7(join8(sessionsDir, f), "utf-8"));
+      if (s.version) {
+        meta.cc_version = meta.cc_version || s.version;
+        break;
       }
     }
-    return dirty;
-  });
-}
-var CLAUDE_JSON_BACKUP_PATH, SESSION_DIR, PLUGIN_PATH, PLUGIN_PKG_PATH, PLUGIN_SETTINGS_DIR, PLUGIN_SETTINGS_PATH, PROJECT_MCP_PATH, CLAUDE_JSON_PATH, RUN_SCRIPT_PATH, TMUX_SESSION_NAME, CHANNEL_1_PORT, SESSION_DIR_2, PLUGIN_PATH_2, PLUGIN_PKG_PATH_2, PLUGIN_SETTINGS_DIR_2, PLUGIN_SETTINGS_PATH_2, PROJECT_MCP_PATH_2, RUN_SCRIPT_PATH_2, TMUX_SESSION_NAME_2, CHANNEL_2_PORT, SESSION_DIR_3, PLUGIN_PATH_3, PLUGIN_PKG_PATH_3, PLUGIN_SETTINGS_DIR_3, PLUGIN_SETTINGS_PATH_3, PROJECT_MCP_PATH_3, RUN_SCRIPT_PATH_3, TMUX_SESSION_NAME_3, CHANNEL_3_PORT, SESSION_DIR_4, PLUGIN_PATH_4, PLUGIN_PKG_PATH_4, PLUGIN_SETTINGS_DIR_4, PLUGIN_SETTINGS_PATH_4, PROJECT_MCP_PATH_4, RUN_SCRIPT_PATH_4, TMUX_SESSION_NAME_4, CHANNEL_4_PORT, RUN_SCRIPT_SOURCE, RUN_SCRIPT_SOURCE_2, RUN_SCRIPT_SOURCE_3, RUN_SCRIPT_SOURCE_4, MCP_SERVER_NAME, PLUGIN_PACKAGE_JSON, LocalCCInstallError, CHANNELS;
-var init_install = __esm({
-  "cli/local-cc/install.ts"() {
-    "use strict";
-    init_channelSource();
-    CLAUDE_JSON_BACKUP_PATH = join7(homedir7(), ".claude.json.synkro-bak");
-    SESSION_DIR = join7(homedir7(), ".synkro", "cc_sessions");
-    PLUGIN_PATH = join7(SESSION_DIR, "synkro-channel.ts");
-    PLUGIN_PKG_PATH = join7(SESSION_DIR, "package.json");
-    PLUGIN_SETTINGS_DIR = join7(SESSION_DIR, ".claude");
-    PLUGIN_SETTINGS_PATH = join7(PLUGIN_SETTINGS_DIR, "settings.json");
-    PROJECT_MCP_PATH = join7(SESSION_DIR, ".mcp.json");
-    CLAUDE_JSON_PATH = join7(homedir7(), ".claude.json");
-    RUN_SCRIPT_PATH = join7(SESSION_DIR, "run-claude.sh");
-    TMUX_SESSION_NAME = "synkro-local-cc";
-    CHANNEL_1_PORT = 8941;
-    SESSION_DIR_2 = join7(homedir7(), ".synkro", "cc_sessions_2");
-    PLUGIN_PATH_2 = join7(SESSION_DIR_2, "synkro-channel.ts");
-    PLUGIN_PKG_PATH_2 = join7(SESSION_DIR_2, "package.json");
-    PLUGIN_SETTINGS_DIR_2 = join7(SESSION_DIR_2, ".claude");
-    PLUGIN_SETTINGS_PATH_2 = join7(PLUGIN_SETTINGS_DIR_2, "settings.json");
-    PROJECT_MCP_PATH_2 = join7(SESSION_DIR_2, ".mcp.json");
-    RUN_SCRIPT_PATH_2 = join7(SESSION_DIR_2, "run-claude.sh");
-    TMUX_SESSION_NAME_2 = "synkro-local-cc-2";
-    CHANNEL_2_PORT = 8951;
-    SESSION_DIR_3 = join7(homedir7(), ".synkro", "cc_sessions_3");
-    PLUGIN_PATH_3 = join7(SESSION_DIR_3, "synkro-channel.ts");
-    PLUGIN_PKG_PATH_3 = join7(SESSION_DIR_3, "package.json");
-    PLUGIN_SETTINGS_DIR_3 = join7(SESSION_DIR_3, ".claude");
-    PLUGIN_SETTINGS_PATH_3 = join7(PLUGIN_SETTINGS_DIR_3, "settings.json");
-    PROJECT_MCP_PATH_3 = join7(SESSION_DIR_3, ".mcp.json");
-    RUN_SCRIPT_PATH_3 = join7(SESSION_DIR_3, "run-claude.sh");
-    TMUX_SESSION_NAME_3 = "synkro-local-cc-3";
-    CHANNEL_3_PORT = 8942;
-    SESSION_DIR_4 = join7(homedir7(), ".synkro", "cc_sessions_4");
-    PLUGIN_PATH_4 = join7(SESSION_DIR_4, "synkro-channel.ts");
-    PLUGIN_PKG_PATH_4 = join7(SESSION_DIR_4, "package.json");
-    PLUGIN_SETTINGS_DIR_4 = join7(SESSION_DIR_4, ".claude");
-    PLUGIN_SETTINGS_PATH_4 = join7(PLUGIN_SETTINGS_DIR_4, "settings.json");
-    PROJECT_MCP_PATH_4 = join7(SESSION_DIR_4, ".mcp.json");
-    RUN_SCRIPT_PATH_4 = join7(SESSION_DIR_4, "run-claude.sh");
-    TMUX_SESSION_NAME_4 = "synkro-local-cc-4";
-    CHANNEL_4_PORT = 8952;
-    RUN_SCRIPT_SOURCE = `#!/usr/bin/env bash
-# Auto-generated by \`synkro install\`. Do not edit.
-set -uo pipefail
-
-SESSION=${TMUX_SESSION_NAME}
-LOG="$HOME/.synkro/cc_sessions/run-claude.log"
-
-log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
-
-# Pre-flight checks
-if ! command -v claude >/dev/null 2>&1; then
-  log "ERROR: claude CLI not found on PATH. Install Claude Code first."
-  exit 1
-fi
-
-if ! command -v tmux >/dev/null 2>&1; then
-  log "ERROR: tmux not found on PATH."
-  exit 1
-fi
-
-# Check claude is authenticated
-if ! claude --version >/dev/null 2>&1; then
-  log "ERROR: claude --version failed. Is Claude Code installed correctly?"
-  exit 1
-fi
-
-log "Starting local-CC session..."
-log "claude version: $(claude --version 2>&1 | head -1)"
-
-# Kill any previous session so restarts come up clean.
-tmux kill-session -t "=$SESSION" 2>/dev/null || true
-
-# Start claude inside a detached tmux session so it has a real pty.
-# Redirect stderr to the log so we can see why it dies.
-tmux new-session -d -s "$SESSION" \\
-  "SYNKRO_CHANNEL_PORT=${CHANNEL_1_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
-
-# Claude's --dangerously-load-development-channels shows a confirmation
-# prompt: option 1 = "I am using this for local development" (accept),
-# option 2 = "Exit". Auto-accept by sending '1' + Enter.
-sleep 3
-if tmux has-session -t "=$SESSION" 2>/dev/null; then
-  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  sleep 1
-  # Additional Enter for any follow-up prompts (workspace trust, MCP consent)
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  log "Sent auto-accept keys to claude session."
-fi
-
-sleep 2
-if ! tmux has-session -t "$SESSION" 2>/dev/null; then
-  log "ERROR: tmux session died immediately. Check $LOG for details."
-  log "Try running claude manually to verify auth: claude --print 'say ok'"
-  exit 1
-fi
-
-log "tmux session started successfully."
-
-# Block on the tmux session so pueue's task lifetime tracks claude's.
-while tmux has-session -t "=$SESSION" 2>/dev/null; do
-  sleep 5
-done
-
-log "tmux session ended."
-`;
-    RUN_SCRIPT_SOURCE_2 = `#!/usr/bin/env bash
-# Auto-generated by \`synkro install\`. Channel 2 (CWE scan, port ${CHANNEL_2_PORT}).
-set -uo pipefail
-
-SESSION=${TMUX_SESSION_NAME_2}
-LOG="$HOME/.synkro/cc_sessions_2/run-claude.log"
-
-log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
-
-if ! command -v claude >/dev/null 2>&1; then
-  log "ERROR: claude CLI not found on PATH."
-  exit 1
-fi
-
-if ! command -v tmux >/dev/null 2>&1; then
-  log "ERROR: tmux not found on PATH."
-  exit 1
-fi
-
-if ! claude --version >/dev/null 2>&1; then
-  log "ERROR: claude --version failed."
-  exit 1
-fi
-
-log "Starting local-CC channel 2 (port ${CHANNEL_2_PORT})..."
-log "claude version: $(claude --version 2>&1 | head -1)"
-
-tmux kill-session -t "=$SESSION" 2>/dev/null || true
-
-tmux new-session -d -s "$SESSION" \\
-  "SYNKRO_CHANNEL_PORT=${CHANNEL_2_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
-
-sleep 3
-if tmux has-session -t "=$SESSION" 2>/dev/null; then
-  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  log "Sent auto-accept keys to channel 2 session."
-fi
-
-sleep 2
-if ! tmux has-session -t "$SESSION" 2>/dev/null; then
-  log "ERROR: tmux session died immediately. Check $LOG for details."
-  exit 1
-fi
-
-log "tmux session started successfully (port ${CHANNEL_2_PORT})."
-
-while tmux has-session -t "=$SESSION" 2>/dev/null; do
-  sleep 5
-done
-
-log "tmux session ended."
-`;
-    RUN_SCRIPT_SOURCE_3 = `#!/usr/bin/env bash
-# Auto-generated by \`synkro install\`. General worker B (port ${CHANNEL_3_PORT}).
-set -uo pipefail
-
-SESSION=${TMUX_SESSION_NAME_3}
-LOG="$HOME/.synkro/cc_sessions_3/run-claude.log"
-
-log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
-
-if ! command -v claude >/dev/null 2>&1; then
-  log "ERROR: claude CLI not found on PATH."
-  exit 1
-fi
-
-if ! command -v tmux >/dev/null 2>&1; then
-  log "ERROR: tmux not found on PATH."
-  exit 1
-fi
-
-if ! claude --version >/dev/null 2>&1; then
-  log "ERROR: claude --version failed."
-  exit 1
-fi
-
-log "Starting local-CC general worker B (port ${CHANNEL_3_PORT})..."
-log "claude version: $(claude --version 2>&1 | head -1)"
-
-tmux kill-session -t "=$SESSION" 2>/dev/null || true
-
-tmux new-session -d -s "$SESSION" \\
-  "SYNKRO_CHANNEL_PORT=${CHANNEL_3_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
-
-sleep 3
-if tmux has-session -t "=$SESSION" 2>/dev/null; then
-  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  log "Sent auto-accept keys to general worker B session."
-fi
-
-sleep 2
-if ! tmux has-session -t "$SESSION" 2>/dev/null; then
-  log "ERROR: tmux session died immediately. Check $LOG for details."
-  exit 1
-fi
-
-log "tmux session started successfully (port ${CHANNEL_3_PORT})."
-
-while tmux has-session -t "=$SESSION" 2>/dev/null; do
-  sleep 5
-done
-
-log "tmux session ended."
-`;
-    RUN_SCRIPT_SOURCE_4 = `#!/usr/bin/env bash
-# Auto-generated by \`synkro install\`. CWE worker B (port ${CHANNEL_4_PORT}).
-set -uo pipefail
-
-SESSION=${TMUX_SESSION_NAME_4}
-LOG="$HOME/.synkro/cc_sessions_4/run-claude.log"
-
-log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
-
-if ! command -v claude >/dev/null 2>&1; then
-  log "ERROR: claude CLI not found on PATH."
-  exit 1
-fi
-
-if ! command -v tmux >/dev/null 2>&1; then
-  log "ERROR: tmux not found on PATH."
-  exit 1
-fi
-
-if ! claude --version >/dev/null 2>&1; then
-  log "ERROR: claude --version failed."
-  exit 1
-fi
-
-log "Starting local-CC CWE worker B (port ${CHANNEL_4_PORT})..."
-log "claude version: $(claude --version 2>&1 | head -1)"
-
-tmux kill-session -t "=$SESSION" 2>/dev/null || true
-
-tmux new-session -d -s "$SESSION" \\
-  "SYNKRO_CHANNEL_PORT=${CHANNEL_4_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
-
-sleep 3
-if tmux has-session -t "=$SESSION" 2>/dev/null; then
-  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  sleep 1
-  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
-  log "Sent auto-accept keys to CWE worker B session."
-fi
-
-sleep 2
-if ! tmux has-session -t "$SESSION" 2>/dev/null; then
-  log "ERROR: tmux session died immediately. Check $LOG for details."
-  exit 1
-fi
-
-log "tmux session started successfully (port ${CHANNEL_4_PORT})."
-
-while tmux has-session -t "=$SESSION" 2>/dev/null; do
-  sleep 5
-done
-
-log "tmux session ended."
-`;
-    MCP_SERVER_NAME = "synkro-local";
-    PLUGIN_PACKAGE_JSON = JSON.stringify(
-      {
-        name: "synkro-local-channel",
-        private: true,
-        version: "0.1.0",
-        type: "module",
-        dependencies: {
-          "@modelcontextprotocol/sdk": "^1.0.0"
-        }
-      },
-      null,
-      2
-    ) + "\n";
-    LocalCCInstallError = class extends Error {
-      constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "LocalCCInstallError";
-      }
-      cause;
-    };
-    CHANNELS = [
-      { sessionDir: SESSION_DIR, pluginPath: PLUGIN_PATH, pluginPkgPath: PLUGIN_PKG_PATH, pluginSettingsDir: PLUGIN_SETTINGS_DIR, pluginSettingsPath: PLUGIN_SETTINGS_PATH, projectMcpPath: PROJECT_MCP_PATH, runScriptPath: RUN_SCRIPT_PATH, runScriptSource: RUN_SCRIPT_SOURCE },
-      { sessionDir: SESSION_DIR_2, pluginPath: PLUGIN_PATH_2, pluginPkgPath: PLUGIN_PKG_PATH_2, pluginSettingsDir: PLUGIN_SETTINGS_DIR_2, pluginSettingsPath: PLUGIN_SETTINGS_PATH_2, projectMcpPath: PROJECT_MCP_PATH_2, runScriptPath: RUN_SCRIPT_PATH_2, runScriptSource: RUN_SCRIPT_SOURCE_2 },
-      { sessionDir: SESSION_DIR_3, pluginPath: PLUGIN_PATH_3, pluginPkgPath: PLUGIN_PKG_PATH_3, pluginSettingsDir: PLUGIN_SETTINGS_DIR_3, pluginSettingsPath: PLUGIN_SETTINGS_PATH_3, projectMcpPath: PROJECT_MCP_PATH_3, runScriptPath: RUN_SCRIPT_PATH_3, runScriptSource: RUN_SCRIPT_SOURCE_3 },
-      { sessionDir: SESSION_DIR_4, pluginPath: PLUGIN_PATH_4, pluginPkgPath: PLUGIN_PKG_PATH_4, pluginSettingsDir: PLUGIN_SETTINGS_DIR_4, pluginSettingsPath: PLUGIN_SETTINGS_PATH_4, projectMcpPath: PROJECT_MCP_PATH_4, runScriptPath: RUN_SCRIPT_PATH_4, runScriptSource: RUN_SCRIPT_SOURCE_4 }
-    ];
-  }
-});
-
-// cli/local-cc/macKeychain.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync7, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync8, statSync } from "fs";
-import { homedir as homedir8, platform as platform3 } from "os";
-import { join as join8 } from "path";
-import { spawnSync as spawnSync2 } from "child_process";
-function needsKeychainBridge() {
-  return platform3() === "darwin";
-}
-function readKeychainCreds() {
-  if (platform3() !== "darwin") return null;
-  const r = spawnSync2("security", ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-w"], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  if (r.status !== 0) return null;
-  const blob = (r.stdout || "").trim();
-  return blob || null;
-}
-function exportKeychainCreds() {
-  const blob = readKeychainCreds();
-  if (!blob) return null;
-  mkdirSync7(CLAUDE_CREDS_DIR, { recursive: true });
-  chmodSync2(CLAUDE_CREDS_DIR, 448);
-  writeFileSync7(CLAUDE_CREDS_FILE, blob, "utf-8");
-  chmodSync2(CLAUDE_CREDS_FILE, 384);
-  return CLAUDE_CREDS_FILE;
-}
-function writeRefreshAgent(synkroBinPath) {
-  if (platform3() !== "darwin") {
-    throw new KeychainExportError("writeRefreshAgent is darwin-only");
-  }
-  mkdirSync7(join8(homedir8(), "Library", "LaunchAgents"), { recursive: true });
-  const plist = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>Label</key>
-  <string>${LAUNCHD_LABEL}</string>
-  <key>ProgramArguments</key>
-  <array>
-    <string>${synkroBinPath}</string>
-    <string>local-cc</string>
-    <string>refresh-creds</string>
-  </array>
-  <key>StartInterval</key>
-  <integer>${REFRESH_INTERVAL_SECONDS}</integer>
-  <key>RunAtLoad</key>
-  <true/>
-  <key>StandardErrorPath</key>
-  <string>${join8(SYNKRO_DIR2, "claude-creds-refresh.log")}</string>
-  <key>StandardOutPath</key>
-  <string>${join8(SYNKRO_DIR2, "claude-creds-refresh.log")}</string>
-</dict>
-</plist>
-`;
-  writeFileSync7(LAUNCHD_PLIST, plist, "utf-8");
-  return LAUNCHD_PLIST;
-}
-function loadRefreshAgent() {
-  if (platform3() !== "darwin") return;
-  spawnSync2("launchctl", ["bootout", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  const r = spawnSync2("launchctl", ["bootstrap", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  if (r.status !== 0) {
-    throw new KeychainExportError(
-      `launchctl bootstrap failed: ${r.stderr || r.stdout || "unknown"}`
-    );
-  }
-}
-function uninstallRefreshAgent() {
-  if (platform3() !== "darwin") return;
-  spawnSync2("launchctl", ["bootout", `gui/${process.getuid?.() ?? 501}`, LAUNCHD_PLIST], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  try {
-    if (existsSync9(LAUNCHD_PLIST)) {
-      __require("fs").unlinkSync(LAUNCHD_PLIST);
-    }
-  } catch {
-  }
-}
-var SYNKRO_DIR2, CLAUDE_CREDS_DIR, CLAUDE_CREDS_FILE, KEYCHAIN_SERVICE, LAUNCHD_LABEL, LAUNCHD_PLIST, REFRESH_INTERVAL_SECONDS, KeychainExportError;
-var init_macKeychain = __esm({
-  "cli/local-cc/macKeychain.ts"() {
-    "use strict";
-    SYNKRO_DIR2 = join8(homedir8(), ".synkro");
-    CLAUDE_CREDS_DIR = join8(SYNKRO_DIR2, "claude-creds");
-    CLAUDE_CREDS_FILE = join8(CLAUDE_CREDS_DIR, ".credentials.json");
-    KEYCHAIN_SERVICE = "Claude Code-credentials";
-    LAUNCHD_LABEL = "com.synkro.cli.claude-creds-refresh";
-    LAUNCHD_PLIST = join8(homedir8(), "Library", "LaunchAgents", `${LAUNCHD_LABEL}.plist`);
-    REFRESH_INTERVAL_SECONDS = 6 * 60 * 60;
-    KeychainExportError = class extends Error {
-      constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "KeychainExportError";
-      }
-      cause;
-    };
-  }
-});
-
-// cli/local-cc/dockerInstall.ts
-import { existsSync as existsSync10, mkdirSync as mkdirSync8 } from "fs";
-import { homedir as homedir9 } from "os";
-import { join as join9 } from "path";
-import { spawnSync as spawnSync3 } from "child_process";
-function imageTag() {
-  const registry = process.env.SYNKRO_IMAGE_REGISTRY || "";
-  const tag = process.env.SYNKRO_IMAGE_TAG || DEFAULT_IMAGE;
-  return registry ? `${registry.replace(/\/+$/, "")}/${tag.replace(/^.*\//, "")}` : tag;
-}
-function assertDockerAvailable() {
-  const v = spawnSync3("docker", ["version", "--format", "{{.Server.Version}}"], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  if (v.status !== 0) {
-    throw new DockerInstallError(
-      "Docker CLI is not installed or the daemon is not reachable.\nInstall Docker Desktop (macOS) or docker-engine (Linux), start the daemon, then re-run."
-    );
-  }
-}
-function claudeCredsHostDir() {
-  if (needsKeychainBridge()) return CLAUDE_CREDS_DIR;
-  return join9(homedir9(), ".claude");
-}
-async function dockerInstall(opts = {}) {
-  assertDockerAvailable();
-  const image = imageTag();
-  const workers = String(opts.workersPerPool ?? 4);
-  mkdirSync8(PGDATA_PATH, { recursive: true });
-  if (!existsSync10(MCP_JWT_PATH)) {
-    throw new DockerInstallError(
-      `MCP JWT missing at ${MCP_JWT_PATH}. The installer should mint this before calling dockerInstall.`
-    );
-  }
-  if (needsKeychainBridge()) {
-    const path = exportKeychainCreds();
-    if (!path) {
-      throw new DockerInstallError(
-        "Claude Code keychain entry not found. Run `claude login` (or open Claude Code and sign in) before installing the container."
-      );
-    }
-    const plist = writeRefreshAgent("/usr/local/bin/synkro");
-    try {
-      loadRefreshAgent();
-    } catch (err) {
-      console.warn(`  \u26A0 launchd refresh agent not loaded: ${err.message}`);
-      console.warn(`    Plist written to ${plist} \u2014 load manually with launchctl bootstrap when ready.`);
-    }
-  } else {
-    mkdirSync8(join9(homedir9(), ".claude"), { recursive: true });
-  }
-  console.log(`  Pulling ${image}...`);
-  const pull = spawnSync3("docker", ["pull", image], { encoding: "utf-8", stdio: "inherit", timeout: 6e5 });
-  if (pull.status !== 0) {
-    throw new DockerInstallError(`docker pull ${image} failed`);
-  }
-  spawnSync3("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
-  const credsDir = claudeCredsHostDir();
-  const args2 = [
-    "run",
-    "--detach",
-    "--name",
-    CONTAINER_NAME,
-    "--restart",
-    "unless-stopped",
-    "-p",
-    `127.0.0.1:${HOST_MCP_PORT}:8931`,
-    "-p",
-    `127.0.0.1:${HOST_GRADER_PORT}:8929`,
-    "-p",
-    `127.0.0.1:${HOST_CWE_PORT}:8930`,
-    "-p",
-    `127.0.0.1:${HOST_PG_PORT}:5433`,
-    "-v",
-    `${PGDATA_PATH}:/data/pgdata`,
-    "-v",
-    `${MCP_JWT_PATH}:/data/.mcp-jwt:ro`,
-    "-v",
-    `${credsDir}:/home/synkro/.claude:rw`,
-    "-e",
-    `WORKERS_PER_POOL=${workers}`,
-    image
-  ];
-  const run = spawnSync3("docker", args2, { encoding: "utf-8", stdio: "inherit", timeout: 6e4 });
-  if (run.status !== 0) {
-    throw new DockerInstallError(`docker run failed (image ${image})`);
-  }
-  return { image, hostMcpPort: HOST_MCP_PORT, hostGraderPort: HOST_GRADER_PORT, hostCwePort: HOST_CWE_PORT };
-}
-async function waitForContainerReady(timeoutMs = 6e4) {
-  const start = Date.now();
-  const url = `http://127.0.0.1:${HOST_MCP_PORT}/health`;
-  while (Date.now() - start < timeoutMs) {
-    try {
-      const r = await fetch(url, { signal: AbortSignal.timeout(2e3) });
-      if (r.ok) return true;
-    } catch {
-    }
-    await new Promise((r) => setTimeout(r, 1e3));
-  }
-  return false;
-}
-function dockerStop() {
-  spawnSync3("docker", ["stop", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
-  spawnSync3("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
-}
-function dockerStatus() {
-  const r = spawnSync3("docker", ["inspect", "--format", "{{.State.Status}}", CONTAINER_NAME], {
-    encoding: "utf-8",
-    timeout: 5e3
-  });
-  const status = (r.stdout || "").trim();
-  if (status !== "running") return { running: false };
-  return {
-    running: true,
-    image: imageTag(),
-    healthz: `http://127.0.0.1:${HOST_MCP_PORT}/`
-  };
-}
-var SYNKRO_DIR3, MCP_JWT_PATH, PGDATA_PATH, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError;
-var init_dockerInstall = __esm({
-  "cli/local-cc/dockerInstall.ts"() {
-    "use strict";
-    init_macKeychain();
-    SYNKRO_DIR3 = join9(homedir9(), ".synkro");
-    MCP_JWT_PATH = join9(SYNKRO_DIR3, ".mcp-jwt");
-    PGDATA_PATH = join9(SYNKRO_DIR3, "pgdata");
-    HOST_MCP_PORT = parseInt(process.env.SYNKRO_HOST_MCP_PORT || "18931", 10);
-    HOST_GRADER_PORT = parseInt(process.env.SYNKRO_HOST_GRADER_PORT || "18929", 10);
-    HOST_CWE_PORT = parseInt(process.env.SYNKRO_HOST_CWE_PORT || "18930", 10);
-    HOST_PG_PORT = parseInt(process.env.SYNKRO_HOST_PG_PORT || "15433", 10);
-    CONTAINER_NAME = "synkro-server";
-    DEFAULT_IMAGE = "ghcr.io/synkro-sh/server:latest";
-    DockerInstallError = class extends Error {
-      constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "DockerInstallError";
-      }
-      cause;
-    };
-  }
-});
-
-// cli/local-cc/pueue.ts
-import { execFileSync, spawnSync as spawnSync4, spawn } from "child_process";
-import { homedir as homedir10 } from "os";
-import { join as join10 } from "path";
-import { connect } from "net";
-function pueueAvailable() {
-  const r = spawnSync4("pueue", ["--version"], { encoding: "utf-8" });
-  if (r.status !== 0) {
-    throw new PueueError("pueue CLI not found on PATH. Install pueue (https://github.com/Nukesor/pueue) and start `pueued`.");
-  }
-}
-function statusJson() {
-  pueueAvailable();
-  const r = spawnSync4("pueue", ["status", "--json"], { encoding: "utf-8" });
-  if (r.status !== 0) {
-    throw new PueueError(`pueue status failed: ${r.stderr || r.stdout || "unknown error"} \u2014 is pueued running?`);
-  }
-  try {
-    return JSON.parse(r.stdout);
-  } catch (err) {
-    throw new PueueError(`pueue status returned non-JSON output: ${r.stdout.slice(0, 200)}`, err);
-  }
-}
-function statusName(s) {
-  if (typeof s === "string") return s;
-  if (s && typeof s === "object") {
-    if ("Running" in s) return "Running";
-    if ("Done" in s) {
-      const result = s.Done?.result;
-      if (typeof result === "string") return `Done (${result})`;
-      if (result && typeof result === "object") return `Done (${Object.keys(result)[0] ?? "unknown"})`;
-      return "Done";
-    }
-    return Object.keys(s)[0] ?? "unknown";
-  }
-  return "unknown";
-}
-function findTask(channel = CHANNEL_PRIMARY) {
-  const data = statusJson();
-  for (const [id, t] of Object.entries(data.tasks)) {
-    if (t.label === channel.taskLabel) {
-      return {
-        id: Number(id),
-        label: t.label,
-        status: statusName(t.status),
-        command: t.command,
-        cwd: t.path
-      };
-    }
-  }
-  return null;
-}
-function startTask(opts = {}) {
-  const ch = opts.channel ?? CHANNEL_PRIMARY;
-  const cwd = opts.cwd ?? ch.sessionDir;
-  let existing = findTask(ch);
-  while (existing) {
-    if (existing.status === "Running" || existing.status === "Queued") {
-      spawnSync4("tmux", ["kill-session", "-t", `=${ch.tmuxSession}`], { encoding: "utf-8" });
-      spawnSync4("pueue", ["kill", String(existing.id)], { encoding: "utf-8" });
-      for (let i = 0; i < 10; i++) {
-        const check = findTask(ch);
-        if (!check || check.id !== existing.id || check.status !== "Running" && check.status !== "Queued") break;
-        spawnSync4("sleep", ["0.5"], { encoding: "utf-8" });
-      }
-    }
-    spawnSync4("pueue", ["remove", String(existing.id)], { encoding: "utf-8" });
-    existing = findTask(ch);
-  }
-  const runScript = join10(cwd, "run-claude.sh");
-  const args2 = [
-    "add",
-    "--label",
-    ch.taskLabel,
-    "--working-directory",
-    cwd,
-    "--",
-    "bash",
-    runScript
-  ];
-  const r = spawnSync4("pueue", args2, { encoding: "utf-8" });
-  if (r.status !== 0) {
-    throw new PueueError(`pueue add failed: ${r.stderr || r.stdout}`);
-  }
-  const created = findTask(ch);
-  if (!created) {
-    throw new PueueError(`pueue add succeeded but no task with label ${ch.taskLabel} found`);
-  }
-  return created;
-}
-function stopTask(channel = CHANNEL_PRIMARY) {
-  spawnSync4("tmux", ["kill-session", "-t", `=${channel.tmuxSession}`], { encoding: "utf-8" });
-  let t = findTask(channel);
-  while (t) {
-    if (t.status === "Running" || t.status === "Queued") {
-      spawnSync4("pueue", ["kill", String(t.id)], { encoding: "utf-8" });
-      for (let i = 0; i < 10; i++) {
-        const check = findTask(channel);
-        if (!check || check.id !== t.id || check.status !== "Running" && check.status !== "Queued") break;
-        spawnSync4("sleep", ["0.5"], { encoding: "utf-8" });
-      }
-    }
-    spawnSync4("pueue", ["remove", String(t.id)], { encoding: "utf-8" });
-    t = findTask(channel);
-  }
-}
-function tailLogs(lines = 80, channel = CHANNEL_PRIMARY) {
-  const t = findTask(channel);
-  if (!t) return `(no ${channel.taskLabel} task)`;
-  const r = spawnSync4("pueue", ["log", "--lines", String(lines), String(t.id)], { encoding: "utf-8" });
-  return r.stdout || r.stderr || "(no output)";
-}
-function probePort(host, port, timeoutMs = 500) {
-  return new Promise((resolve3) => {
-    const sock = connect(port, host);
-    const done = (ok) => {
-      try {
-        sock.destroy();
-      } catch {
-      }
-      resolve3(ok);
-    };
-    sock.once("connect", () => done(true));
-    sock.once("error", () => done(false));
-    sock.setTimeout(timeoutMs, () => done(false));
-  });
-}
-function tmuxDismissPrompts(tmuxSession = TMUX_SESSION) {
-  spawnSync4("tmux", ["send-keys", "-t", tmuxSession, "1"], { encoding: "utf-8" });
-  spawnSync4("tmux", ["send-keys", "-t", tmuxSession, "Enter"], { encoding: "utf-8" });
-}
-async function waitForChannelReady(port, timeoutMs = 6e4, host = "127.0.0.1", tmuxSession = TMUX_SESSION) {
-  const deadline = Date.now() + timeoutMs;
-  while (Date.now() < deadline) {
-    if (await probePort(host, port)) return true;
-    tmuxDismissPrompts(tmuxSession);
-    await new Promise((r) => setTimeout(r, 1e3));
-  }
-  return probePort(host, port);
-}
-function brewInstall(pkg) {
-  const brew = spawnSync4("brew", ["--version"], { encoding: "utf-8" });
-  if (brew.status !== 0) return false;
-  console.log(`  Installing ${pkg} via brew...`);
-  const r = spawnSync4("brew", ["install", pkg], { encoding: "utf-8", stdio: "inherit", timeout: 12e4 });
-  return r.status === 0;
-}
-function assertPueueInstalled() {
-  let r = spawnSync4("pueue", ["--version"], { encoding: "utf-8" });
-  if (r.status !== 0) {
-    if (process.platform === "darwin" && brewInstall("pueue")) {
-      r = spawnSync4("pueue", ["--version"], { encoding: "utf-8" });
-      if (r.status !== 0) throw new PueueError("pueue install succeeded but binary not found on PATH.");
-    } else {
-      throw new PueueError("pueue not found. Install it: brew install pueue (macOS) or https://github.com/Nukesor/pueue");
-    }
-  }
-  const status = spawnSync4("pueue", ["status", "--json"], { encoding: "utf-8", timeout: 5e3 });
-  if (status.status !== 0) {
-    console.log("  Starting pueued daemon...");
-    const child = spawn("pueued", ["-d"], { stdio: "ignore", detached: true });
-    child.unref();
-    spawnSync4("sleep", ["1"]);
-    const retry = spawnSync4("pueue", ["status", "--json"], { encoding: "utf-8", timeout: 5e3 });
-    if (retry.status !== 0) {
-      throw new PueueError("pueue daemon not reachable after starting pueued. Check `pueued` manually.");
-    }
-  }
-  spawnSync4("pueue", ["parallel", "2"], { encoding: "utf-8" });
-}
-function assertClaudeInstalled() {
-  const r = spawnSync4("claude", ["--version"], { encoding: "utf-8" });
-  if (r.status !== 0) {
-    throw new PueueError("claude CLI not found on PATH. Install Claude Code first: https://docs.claude.com/claude-code");
-  }
-}
-function assertTmuxInstalled() {
-  let r = spawnSync4("tmux", ["-V"], { encoding: "utf-8" });
-  if (r.status !== 0) {
-    if (process.platform === "darwin" && brewInstall("tmux")) {
-      r = spawnSync4("tmux", ["-V"], { encoding: "utf-8" });
-      if (r.status !== 0) throw new PueueError("tmux install succeeded but binary not found on PATH.");
-    } else {
-      throw new PueueError("tmux not found. Install it: brew install tmux (macOS) or apt install tmux (Linux)");
-    }
-  }
-}
-var TASK_LABEL, TMUX_SESSION, SESSION_DIR2, TASK_LABEL_2, TMUX_SESSION_2, SESSION_DIR_22, TASK_LABEL_3, TMUX_SESSION_3, SESSION_DIR_32, TASK_LABEL_4, TMUX_SESSION_4, SESSION_DIR_42, PueueError, CHANNEL_PRIMARY, CHANNEL_SECONDARY, CHANNEL_TERTIARY, CHANNEL_QUATERNARY;
-var init_pueue = __esm({
-  "cli/local-cc/pueue.ts"() {
-    "use strict";
-    TASK_LABEL = "synkro-local-cc";
-    TMUX_SESSION = "synkro-local-cc";
-    SESSION_DIR2 = join10(homedir10(), ".synkro", "cc_sessions");
-    TASK_LABEL_2 = "synkro-local-cc-2";
-    TMUX_SESSION_2 = "synkro-local-cc-2";
-    SESSION_DIR_22 = join10(homedir10(), ".synkro", "cc_sessions_2");
-    TASK_LABEL_3 = "synkro-local-cc-3";
-    TMUX_SESSION_3 = "synkro-local-cc-3";
-    SESSION_DIR_32 = join10(homedir10(), ".synkro", "cc_sessions_3");
-    TASK_LABEL_4 = "synkro-local-cc-4";
-    TMUX_SESSION_4 = "synkro-local-cc-4";
-    SESSION_DIR_42 = join10(homedir10(), ".synkro", "cc_sessions_4");
-    PueueError = class extends Error {
-      constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "PueueError";
-      }
-      cause;
-    };
-    CHANNEL_PRIMARY = { taskLabel: TASK_LABEL, tmuxSession: TMUX_SESSION, sessionDir: SESSION_DIR2 };
-    CHANNEL_SECONDARY = { taskLabel: TASK_LABEL_2, tmuxSession: TMUX_SESSION_2, sessionDir: SESSION_DIR_22 };
-    CHANNEL_TERTIARY = { taskLabel: TASK_LABEL_3, tmuxSession: TMUX_SESSION_3, sessionDir: SESSION_DIR_32 };
-    CHANNEL_QUATERNARY = { taskLabel: TASK_LABEL_4, tmuxSession: TMUX_SESSION_4, sessionDir: SESSION_DIR_42 };
-  }
-});
-
-// cli/local-cc/turnLog.ts
-import { appendFileSync, existsSync as existsSync11, mkdirSync as mkdirSync9, openSync as openSync2, readFileSync as readFileSync9, readSync, closeSync as closeSync2, statSync as statSync2, watchFile, unwatchFile } from "fs";
-import { dirname as dirname5, join as join11 } from "path";
-import { homedir as homedir11 } from "os";
-function truncate(s, max = PREVIEW_MAX) {
-  if (s.length <= max) return s;
-  return s.slice(0, max) + "\u2026 [+" + (s.length - max) + " chars]";
-}
-function extractSeverity(result) {
-  const m = result.match(/<synkro-(?:verdict|intent)>([\s\S]*?)<\/synkro-(?:verdict|intent)>/);
-  if (!m) return void 0;
-  try {
-    const obj = JSON.parse(m[1]);
-    if (obj.severity) return String(obj.severity);
-    if (typeof obj.ok === "boolean") return obj.ok ? "ok" : "violations";
-    if (obj.type) return String(obj.type);
-    if (obj.verdict) return String(obj.verdict);
-  } catch {
-  }
-  return void 0;
-}
-function appendTurn(args2) {
-  try {
-    mkdirSync9(dirname5(TURN_LOG_PATH), { recursive: true });
-    const entry = {
-      ts: new Date(args2.startedAt).toISOString(),
-      role: args2.role,
-      duration_ms: Date.now() - args2.startedAt,
-      status: args2.status,
-      request_preview: truncate(args2.request),
-      response_preview: args2.result ? truncate(args2.result) : "",
-      severity: args2.result ? extractSeverity(args2.result) : void 0,
-      error: args2.error
-    };
-    appendFileSync(TURN_LOG_PATH, JSON.stringify(entry) + "\n", "utf-8");
-  } catch {
-  }
-}
-var TURN_LOG_PATH, PREVIEW_MAX;
-var init_turnLog = __esm({
-  "cli/local-cc/turnLog.ts"() {
-    "use strict";
-    TURN_LOG_PATH = join11(homedir11(), ".synkro", "cc_sessions", "turns.log");
-    PREVIEW_MAX = 400;
-  }
-});
-
-// cli/local-cc/client.ts
-import { request as httpRequest } from "http";
-import { connect as connect2 } from "net";
-async function submitToChannel(role, payload, opts = {}) {
-  const body = JSON.stringify({ role, payload, content: payload });
-  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-  const port = opts.port ?? CHANNEL_PORT;
-  const startedAt = Date.now();
-  try {
-    const result = await new Promise((resolve3, reject) => {
-      const req = httpRequest({
-        host: CHANNEL_HOST,
-        port,
-        method: "POST",
-        path: "/submit",
-        headers: {
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(body)
-        },
-        timeout: timeoutMs
-      }, (res) => {
-        const chunks = [];
-        res.on("data", (c) => chunks.push(c));
-        res.on("end", () => {
-          const text = Buffer.concat(chunks).toString("utf-8");
-          if (res.statusCode !== 200) {
-            reject(new LocalCCError(`channel returned ${res.statusCode}: ${text.slice(0, 500)}`));
-            return;
-          }
-          try {
-            const parsed = JSON.parse(text);
-            if (parsed.error) {
-              reject(new LocalCCError(parsed.error));
-              return;
-            }
-            resolve3(String(parsed.result ?? ""));
-          } catch (err) {
-            reject(new LocalCCError(`malformed channel response: ${text.slice(0, 200)}`, err));
-          }
-        });
-      });
-      req.on("timeout", () => {
-        req.destroy(new LocalCCError(`channel request timed out after ${timeoutMs}ms`));
-      });
-      req.on("error", (err) => {
-        const msg = err.code === "ECONNREFUSED" ? `channel connection refused at ${CHANNEL_HOST}:${CHANNEL_PORT} (is the pueue task running?)` : `channel request failed: ${err.message}`;
-        reject(new LocalCCError(msg, err));
-      });
-      req.write(body);
-      req.end();
-    });
-    appendTurn({ startedAt, role, request: payload, result, status: "ok" });
-    return result;
-  } catch (err) {
-    const message = err.message ?? String(err);
-    const status = /timed out/i.test(message) ? "timeout" : "error";
-    appendTurn({ startedAt, role, request: payload, status, error: message });
-    throw err;
-  }
-}
-var CHANNEL_HOST, CHANNEL_PORT, DEFAULT_TIMEOUT_MS, LocalCCError;
-var init_client = __esm({
-  "cli/local-cc/client.ts"() {
-    "use strict";
-    init_turnLog();
-    CHANNEL_HOST = "127.0.0.1";
-    CHANNEL_PORT = parseInt(process.env.SYNKRO_CHANNEL_PORT || "8929", 10);
-    DEFAULT_TIMEOUT_MS = 9e4;
-    LocalCCError = class extends Error {
-      constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "LocalCCError";
-      }
-      cause;
-    };
-  }
-});
-
-// cli/commands/install.ts
-var install_exports = {};
-__export(install_exports, {
-  installCommand: () => installCommand,
-  parseArgs: () => parseArgs
-});
-import { existsSync as existsSync12, mkdirSync as mkdirSync10, writeFileSync as writeFileSync8, chmodSync as chmodSync3, readFileSync as readFileSync10, readdirSync, renameSync as renameSync5 } from "fs";
-import { homedir as homedir12 } from "os";
-import { join as join12 } from "path";
-import { execSync as execSync5, spawnSync as spawnSync5, spawn as spawn2 } from "child_process";
-import { createInterface as createInterface3 } from "readline";
-function sanitizeGatewayCandidate(raw) {
-  if (!raw) return void 0;
-  return /^https?:\/\//.test(raw) ? raw : void 0;
-}
-function parseArgs(argv) {
-  const opts = {};
-  for (const a of argv) {
-    if (a.startsWith("--api-key=")) opts.apiKey = a.slice("--api-key=".length);
-    else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
-    else if (a === "--skip-auth") opts.skipAuth = true;
-    else if (a === "--no-mcp") opts.noMcp = true;
-    else if (a === "--force" || a === "-f") opts.force = true;
-    else if (a === "--link-repo") opts.linkRepo = true;
-  }
-  if (!opts.gatewayUrl) {
-    const fromEnv = sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL);
-    if (fromEnv) opts.gatewayUrl = fromEnv;
-  }
-  return opts;
-}
-async function promptTranscriptConsent() {
-  const rl = createInterface3({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve3) => {
-    rl.question(
-      "Would you like Synkro to use Claude Code session transcripts\nto generate guardrail rules and policies for your team? (Y/n) ",
-      (answer) => {
-        rl.close();
-        const trimmed = answer.trim().toLowerCase();
-        resolve3(trimmed === "" || trimmed === "y" || trimmed === "yes");
-      }
-    );
-  });
-}
-function ensureSynkroDir() {
-  mkdirSync10(SYNKRO_DIR4, { recursive: true });
-  mkdirSync10(HOOKS_DIR, { recursive: true });
-  mkdirSync10(BIN_DIR, { recursive: true });
-  mkdirSync10(OFFSETS_DIR, { recursive: true });
-  mkdirSync10(join12(SYNKRO_DIR4, "sessions"), { recursive: true });
-}
-function writeHookScripts() {
-  const bashScriptPath = join12(HOOKS_DIR, "cc-bash-judge.ts");
-  const bashFollowupScriptPath = join12(HOOKS_DIR, "cc-bash-followup.ts");
-  const editPrecheckScriptPath = join12(HOOKS_DIR, "cc-edit-precheck.ts");
-  const cwePrecheckScriptPath = join12(HOOKS_DIR, "cc-cwe-precheck.ts");
-  const cvePrecheckScriptPath = join12(HOOKS_DIR, "cc-cve-precheck.ts");
-  const planJudgeScriptPath = join12(HOOKS_DIR, "cc-plan-judge.ts");
-  const agentJudgeScriptPath = join12(HOOKS_DIR, "cc-agent-judge.ts");
-  const stopSummaryScriptPath = join12(HOOKS_DIR, "cc-stop-summary.ts");
-  const sessionStartScriptPath = join12(HOOKS_DIR, "cc-session-start.ts");
-  const transcriptSyncScriptPath = join12(HOOKS_DIR, "cc-transcript-sync.ts");
-  const userPromptSubmitScriptPath = join12(HOOKS_DIR, "cc-user-prompt-submit.ts");
-  const commonScriptPath = join12(HOOKS_DIR, "_synkro-common.ts");
-  const commonBashScriptPath = join12(HOOKS_DIR, "_synkro-common.sh");
-  const cursorBashJudgePath = join12(HOOKS_DIR, "cursor-bash-judge.ts");
-  const cursorEditCapturePath = join12(HOOKS_DIR, "cursor-edit-capture.ts");
-  const mcpLocalServerPath = join12(HOOKS_DIR, "mcp-local-server.ts");
-  const pgliteDbPath = join12(HOOKS_DIR, "pglite-db.ts");
-  const mcpStdioProxyPath = join12(HOOKS_DIR, "mcp-stdio-proxy.ts");
-  writeFileSync8(bashScriptPath, BASH_JUDGE_TS, "utf-8");
-  writeFileSync8(bashFollowupScriptPath, BASH_FOLLOWUP_TS, "utf-8");
-  writeFileSync8(editPrecheckScriptPath, EDIT_PRECHECK_TS, "utf-8");
-  writeFileSync8(cwePrecheckScriptPath, CWE_PRECHECK_TS, "utf-8");
-  writeFileSync8(cvePrecheckScriptPath, CVE_PRECHECK_TS, "utf-8");
-  writeFileSync8(planJudgeScriptPath, PLAN_JUDGE_TS, "utf-8");
-  writeFileSync8(agentJudgeScriptPath, AGENT_JUDGE_TS, "utf-8");
-  writeFileSync8(stopSummaryScriptPath, STOP_SUMMARY_TS, "utf-8");
-  writeFileSync8(sessionStartScriptPath, SESSION_START_TS, "utf-8");
-  writeFileSync8(transcriptSyncScriptPath, TRANSCRIPT_SYNC_TS, "utf-8");
-  writeFileSync8(userPromptSubmitScriptPath, USER_PROMPT_SUBMIT_TS, "utf-8");
-  writeFileSync8(commonScriptPath, SYNKRO_COMMON_TS, "utf-8");
-  writeFileSync8(commonBashScriptPath, SYNKRO_COMMON_SCRIPT, "utf-8");
-  writeFileSync8(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
-  writeFileSync8(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
-  writeFileSync8(mcpLocalServerPath, "#!/usr/bin/env bun\n/**\n * Local MCP guardrails server \u2014 runs on port 8931, stores rules in ~/.synkro/rules.json.\n * PGLite embedded database at ~/.synkro/pgdata.\n * JSON-RPC 2.0 + REST over HTTP, Bearer token auth, localhost only.\n */\nimport { existsSync, readFileSync, writeFileSync, renameSync, mkdirSync, unlinkSync } from 'node:fs';\nimport { homedir } from 'node:os';\nimport { join } from 'node:path';\nimport pg from 'pg';\nimport { pipeline, type FeatureExtractionPipeline } from '@huggingface/transformers';\n\nconst PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);\nconst PG_SOCKET_PORT = parseInt(process.env.SYNKRO_PG_PORT || '5433', 10);\nconst BIND_HOST = process.env.SYNKRO_BIND_HOST || '127.0.0.1';\nconst HOME = homedir();\nconst RULES_PATH = join(HOME, '.synkro', 'rules.json');\nconst PGDATA_PATH = join(HOME, '.synkro', 'pgdata');\nconst JWT_TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');\n\n// Synkro-signed long-lived JWT \u2014 minted during `synkro install`, required on all POST requests.\n// If missing, the server still starts (for GET health checks) but rejects all tool calls.\nlet SERVER_TOKEN = '';\ntry { SERVER_TOKEN = readFileSync(JWT_TOKEN_PATH, 'utf-8').trim(); } catch {}\nif (!SERVER_TOKEN) console.warn('[synkro] \u26A0 No MCP JWT found \u2014 run `synkro install` to authenticate.');\nconst MAX_BODY_BYTES = 1_048_576;\n\n// \u2500\u2500\u2500 OWASP Top 10 (2021) categories for violation classification \u2500\u2500\u2500\nconst OWASP_CATEGORIES: { id: string; label: string; description: string }[] = [\n  { id: 'ASI01', label: 'Memory Poisoning', description: 'Malicious or corrupted data injected into agent memory, conversation history, vector stores, or retrieval contexts to alter future behavior; poisoned RAG sources, contaminated long-term memory, tampered embeddings used in retrieval' },\n  { id: 'ASI02', label: 'Tool Misuse', description: 'Agent invokes tools, MCP servers, function calls, or APIs in unsafe ways; unsanitized arguments passed to shell, SQL, filesystem, or network tools; command injection via tool inputs; agents calling destructive tools without confirmation' },\n  { id: 'ASI03', label: 'Privilege Compromise', description: 'Agent escalates or abuses permissions; running with excessive scopes, accessing resources outside its mandate, bypassing access control, using stolen credentials, exploiting overly broad IAM roles or API keys' },\n  { id: 'ASI04', label: 'Resource Overload', description: 'Unbounded LLM token consumption, runaway tool loops, recursive agent calls, denial-of-wallet attacks, unrestricted context growth, missing rate limits on agent operations, cost-amplification via repeated inference' },\n  { id: 'ASI05', label: 'Cascading Hallucination Attacks', description: 'Hallucinated outputs propagate downstream through multi-agent chains, tool calls, or generated code; fabricated package names, made-up API endpoints, invented function signatures, hallucinated dependencies causing supply-chain risks' },\n  { id: 'ASI06', label: 'Intent Breaking and Goal Manipulation', description: 'Prompt injection, jailbreaks, indirect prompt injection via retrieved content, system prompt override, goal hijacking, instructions embedded in user data or tool output that redirect the agent away from its intended task' },\n  { id: 'ASI07', label: 'Misaligned and Deceptive Behaviors', description: 'Agent provides misleading or deceptive responses, hides errors, fabricates success, refuses to follow legitimate instructions, exhibits reward hacking, deceives user about tool call outcomes or its own capabilities' },\n  { id: 'ASI08', label: 'Repudiation and Untraceability', description: 'Insufficient audit logging of agent decisions, tool calls, or external actions; missing provenance, no replay capability, deleted or tampered logs, inability to attribute actions to specific agents, sessions, or users' },\n  { id: 'ASI09', label: 'Identity Spoofing and Impersonation', description: 'Agent impersonates users, other agents, or trusted systems; missing authentication on agent-to-agent communication, weak identity binding, session hijacking, credential forwarding without verification' },\n  { id: 'ASI10', label: 'Overwhelming Human-in-the-Loop', description: 'Approval fatigue from excessive HITL prompts, alarm flooding, low-signal confirmations that train users to rubber-stamp dangerous actions, missing escalation differentiation, no consolidation of low-risk approvals' },\n];\n\nlet embedder: FeatureExtractionPipeline | null = null;\nlet categoryEmbeddings: { id: string; label: string; vec: Float32Array }[] = [];\n\nasync function initEmbedder(): Promise<void> {\n  try {\n    embedder = await pipeline('feature-extraction', 'Xenova/gte-small', { dtype: 'fp32' });\n    const texts = OWASP_CATEGORIES.map(c => `${c.label}: ${c.description}`);\n    const results = await embedder(texts, { pooling: 'mean', normalize: true });\n    categoryEmbeddings = OWASP_CATEGORIES.map((c, i) => ({\n      id: c.id,\n      label: c.label,\n      vec: new Float32Array(results[i].data),\n    }));\n    console.log('[synkro] Embedding model loaded (gte-small), OWASP categories indexed');\n  } catch (e) {\n    console.error('[synkro] Embedding model failed to load:', String(e).slice(0, 200));\n  }\n}\n\nfunction cosineSim(a: Float32Array, b: Float32Array): number {\n  let dot = 0, na = 0, nb = 0;\n  for (let i = 0; i < a.length; i++) {\n    dot += a[i] * b[i];\n    na += a[i] * a[i];\n    nb += b[i] * b[i];\n  }\n  return dot / (Math.sqrt(na) * Math.sqrt(nb));\n}\n\nasync function classifyText(text: string): Promise<{ id: string; label: string; confidence: number } | null> {\n  if (!embedder || categoryEmbeddings.length === 0) return null;\n  const result = await embedder(text, { pooling: 'mean', normalize: true });\n  const vec = new Float32Array(result.data);\n  let best = { id: '', label: '', confidence: 0 };\n  for (const cat of categoryEmbeddings) {\n    const sim = cosineSim(vec, cat.vec);\n    if (sim > best.confidence) best = { id: cat.id, label: cat.label, confidence: sim };\n  }\n  return best.confidence > 0.3 ? best : null;\n}\n\nasync function classifyViolationInline(violationId: string, text: string): Promise<void> {\n  const cat = await classifyText(text.slice(0, 1000));\n  if (cat) {\n    await db.query(\n      `UPDATE guard_violations SET mechanism_category = $1, classification_confidence = $2 WHERE id = $3`,\n      [cat.id + ': ' + cat.label, cat.confidence, violationId]\n    );\n  }\n}\n\nlet _writeLock: Promise<void> = Promise.resolve();\nfunction serialized<T>(fn: () => T | Promise<T>): Promise<T> {\n  let release: () => void;\n  const next = new Promise<void>(r => { release = r; });\n  const prev = _writeLock;\n  _writeLock = next;\n  return prev.then(() => fn()).finally(() => release!());\n}\n\n// \u2500\u2500\u2500 PGLite Database \u2500\u2500\u2500\n\nlet db: pg.Pool;\n\nconst SCHEMA_MIGRATIONS = [\n  `CREATE EXTENSION IF NOT EXISTS vector`,\n  `CREATE TABLE IF NOT EXISTS guard_checks (\n    id TEXT PRIMARY KEY,\n    project_id TEXT,\n    org_id TEXT,\n    policy_id TEXT,\n    trace_id TEXT,\n    passed SMALLINT,\n    score REAL,\n    rule_count INTEGER,\n    rule_ids_checked TEXT[],\n    model TEXT,\n    interaction_type TEXT,\n    skill_name TEXT,\n    tool_names TEXT[],\n    guard_mode TEXT,\n    messages TEXT,\n    verdicts TEXT,\n    rule_similarities TEXT,\n    sentiment_score REAL,\n    sentiment_label TEXT,\n    operation_type TEXT,\n    conversation_id TEXT,\n    trajectory_id UUID,\n    end_user_id TEXT DEFAULT '',\n    reasoning_content TEXT,\n    cve_findings TEXT,\n    judge_context TEXT,\n    provider TEXT,\n    input_tokens INTEGER,\n    output_tokens INTEGER,\n    total_tokens INTEGER,\n    cost_usd REAL,\n    content_redacted SMALLINT DEFAULT 0,\n    updated_at TIMESTAMPTZ,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS guard_violations (\n    id TEXT PRIMARY KEY,\n    user_id TEXT,\n    org_id TEXT,\n    policy_id TEXT,\n    end_user_id TEXT,\n    project_id TEXT,\n    run_id TEXT,\n    trajectory_id UUID,\n    key TEXT,\n    score REAL,\n    value TEXT,\n    comment TEXT,\n    rules_violated TEXT[],\n    rule_ids_violated TEXT[],\n    issues TEXT[],\n    severity TEXT,\n    latency_ms INTEGER,\n    messages TEXT,\n    verdicts TEXT,\n    model TEXT,\n    guard_mode TEXT,\n    interaction_type TEXT,\n    tool_names TEXT[],\n    skill_name TEXT,\n    passed SMALLINT,\n    conversation_id TEXT,\n    mechanism_category TEXT,\n    business_category TEXT,\n    classification_confidence REAL,\n    content_redacted SMALLINT DEFAULT 0,\n    updated_at TIMESTAMPTZ,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS trajectories (\n    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n    project_id TEXT NOT NULL,\n    org_id TEXT NOT NULL DEFAULT '',\n    conversation_id TEXT NOT NULL,\n    check_ids TEXT[] NOT NULL DEFAULT '{}',\n    check_count INTEGER NOT NULL DEFAULT 0,\n    preamble TEXT,\n    user_message TEXT,\n    final_response TEXT,\n    status TEXT NOT NULL DEFAULT 'pending_grade',\n    passed SMALLINT,\n    score REAL,\n    verdicts TEXT,\n    rule_ids_checked TEXT[],\n    rule_ids_violated TEXT[],\n    severity TEXT,\n    model TEXT,\n    provider TEXT,\n    input_tokens INTEGER,\n    output_tokens INTEGER,\n    total_tokens INTEGER,\n    cost_usd REAL,\n    interaction_type TEXT,\n    operation_type TEXT,\n    end_user_id TEXT,\n    policy_id TEXT,\n    topic_label TEXT,\n    started_at TIMESTAMPTZ,\n    completed_at TIMESTAMPTZ,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS usage_ticks (\n    id TEXT PRIMARY KEY,\n    session_id TEXT NOT NULL UNIQUE,\n    model TEXT,\n    input_tokens INTEGER NOT NULL DEFAULT 0,\n    output_tokens INTEGER NOT NULL DEFAULT 0,\n    cache_creation_tokens INTEGER DEFAULT 0,\n    cache_read_tokens INTEGER DEFAULT 0,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS scan_findings (\n    id TEXT PRIMARY KEY,\n    session_id TEXT NOT NULL,\n    file_path TEXT NOT NULL,\n    finding_type TEXT NOT NULL,\n    finding_id TEXT NOT NULL,\n    severity TEXT,\n    status TEXT NOT NULL DEFAULT 'open',\n    detail TEXT,\n    description TEXT,\n    package_name TEXT,\n    package_version TEXT,\n    fixed_version TEXT,\n    aliases TEXT,\n    \"references\" TEXT,\n    cwe_name TEXT,\n    repo TEXT,\n    resolved_at TIMESTAMPTZ,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `ALTER TABLE scan_findings ADD COLUMN IF NOT EXISTS repo TEXT`,\n  `CREATE TABLE IF NOT EXISTS policies (\n    id TEXT PRIMARY KEY,\n    project_id UUID,\n    org_id TEXT,\n    name TEXT,\n    rules JSONB NOT NULL DEFAULT '[]',\n    rule_count INTEGER NOT NULL DEFAULT 0,\n    scope TEXT DEFAULT 'agent_runtime',\n    scope_owner TEXT NOT NULL DEFAULT 'org',\n    is_active BOOLEAN NOT NULL DEFAULT TRUE,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS precheck_corrections (\n    id TEXT PRIMARY KEY,\n    org_id TEXT NOT NULL,\n    user_id TEXT,\n    session_id TEXT,\n    tool_use_id TEXT,\n    surface_kind TEXT NOT NULL DEFAULT 'edit',\n    file_path TEXT NOT NULL,\n    file_after TEXT,\n    user_intent TEXT,\n    rule_id TEXT,\n    rule_text TEXT,\n    severity TEXT,\n    category TEXT,\n    reasoning TEXT,\n    confidence REAL,\n    decision TEXT NOT NULL,\n    user_note TEXT,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n    resolved_at TIMESTAMPTZ\n  )`,\n  `CREATE TABLE IF NOT EXISTS guard_context (\n    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n    session_id TEXT NOT NULL UNIQUE,\n    project_id UUID,\n    org_id TEXT,\n    summary TEXT NOT NULL DEFAULT '',\n    compliance_summary TEXT,\n    check_counter INTEGER NOT NULL DEFAULT 0,\n    violated_rule_ids TEXT[] DEFAULT '{}',\n    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS user_profiles (\n    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n    org_id TEXT NOT NULL,\n    end_user_id TEXT NOT NULL,\n    email TEXT,\n    full_name TEXT,\n    display_name TEXT,\n    platform TEXT,\n    active_repo TEXT,\n    silent_mode BOOLEAN NOT NULL DEFAULT FALSE,\n    last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `ALTER TABLE trajectories ADD COLUMN IF NOT EXISTS operation_type TEXT`,\n  `CREATE UNIQUE INDEX IF NOT EXISTS usage_ticks_session_id_key ON usage_ticks (session_id)`,\n  `CREATE TABLE IF NOT EXISTS synkro_local_config (\n    key TEXT PRIMARY KEY,\n    value TEXT,\n    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n  )`,\n  `CREATE TABLE IF NOT EXISTS scan_exemptions (\n    id SERIAL PRIMARY KEY,\n    path TEXT NOT NULL,\n    cwe_id TEXT NOT NULL,\n    reason TEXT,\n    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n    UNIQUE (path, cwe_id)\n  )`,\n  `ALTER TABLE policies ADD COLUMN IF NOT EXISTS active_in_session BOOLEAN NOT NULL DEFAULT TRUE`,\n];\n\nasync function initDb(): Promise<void> {\n  mkdirSync(join(HOME, '.synkro'), { recursive: true });\n\n  db = new pg.Pool({\n    host: process.env.SYNKRO_PG_HOST || '127.0.0.1',\n    port: PG_SOCKET_PORT,\n    user: 'postgres',\n    database: 'postgres',\n    ssl: false,\n    // pglite-socket is effectively single-connection (the docs warn that\n    // concurrent clients \"are not guaranteed to work\"). Keep our connection\n    // warm for 30s so request bursts don't have to reconnect every time, but\n    // still release eventually so external clients (psql, debug tools) can\n    // grab the socket during quiet windows.\n    max: 1,\n    idleTimeoutMillis: 30000,\n  });\n  db.on('error', (err) => {\n    // Pool emits 'error' when an idle connection dies; pg auto-replaces it on\n    // the next query, so just log and keep going.\n    console.error('[synkro] pg pool error (auto-recovering):', String(err).slice(0, 200));\n  });\n\n  // Wait for the standalone pglite-db daemon to accept connections.\n  let lastErr: unknown = null;\n  for (let i = 0; i < 60; i++) {\n    try {\n      await db.query('SELECT 1');\n      lastErr = null;\n      break;\n    } catch (err) {\n      lastErr = err;\n      await new Promise(r => setTimeout(r, 500));\n    }\n  }\n  if (lastErr) throw new Error('pglite-db daemon unreachable on port ' + PG_SOCKET_PORT + ': ' + String(lastErr).slice(0, 200));\n\n  for (const migration of SCHEMA_MIGRATIONS) {\n    try { await db.query(migration); } catch (e) {\n      console.error('[synkro] migration error:', String(e).slice(0, 200));\n    }\n  }\n\n  console.log('[synkro] PGLite database ready at ' + PGDATA_PATH);\n  await migrateRulesJsonIfPresent();\n}\n\n// \u2500\u2500\u2500 Ingest Functions \u2500\u2500\u2500\n\nasync function ingestEvent(event: any): Promise<void> {\n  switch (event.capture_type) {\n    case 'local_verdict': await ingestVerdict(event); break;\n    case 'usage_tick': await ingestUsageTick(event); break;\n    case 'scan_finding': await ingestScanFinding(event); break;\n    case 'rule_sync': await ingestRuleSync(event); break;\n  }\n}\n\nasync function ingestVerdict(event: any): Promise<void> {\n  const id = event.event_id || `evt_${Date.now()}_${Math.random().toString(36).slice(2)}`;\n  const passed = event.verdict === 'pass' || event.verdict === 'allow' ? 1 : 0;\n  const sessionId = event.session_id || '';\n  const operationType = event.tool_name\n    ? `${event.hook_type || 'tool'}:${event.tool_name}`\n    : event.hook_type || null;\n  const messages = event.command\n    ? JSON.stringify([{ role: 'assistant', content: `[${event.tool_name || event.hook_type}] ${event.command}` }])\n    : event.recent_user_messages?.length\n      ? JSON.stringify([{ role: 'user', content: event.recent_user_messages[0] }])\n      : null;\n  const verdicts = event.reasoning ? JSON.stringify({ reasoning: event.reasoning }) : null;\n  const ruleIdsChecked = event.rules_checked?.map((r: any) => r.rule_id || r) || null;\n  const ts = event._ts ? new Date(event._ts).toISOString() : new Date().toISOString();\n\n  await db.query(\n    `INSERT INTO guard_checks (id, project_id, passed, model, interaction_type, tool_names, guard_mode, operation_type, messages, verdicts, rule_ids_checked, conversation_id, end_user_id, judge_context, created_at)\n     VALUES ($1, $2, $3, $4, $5, $6, 'local', $7, $8, $9, $10, $11, 'local-user', $12, $13)\n     ON CONFLICT (id) DO NOTHING`,\n    [id, event.repo || 'local', passed, event.cc_model || event.model || null,\n     event.hook_type || null, event.tool_name ? [event.tool_name] : null,\n     operationType, messages, verdicts, ruleIdsChecked, sessionId,\n     event.category || null, ts]\n  );\n\n  if (!passed && event.verdict !== 'allow') {\n    const violationId = `viol_${id}`;\n    await db.query(\n      `INSERT INTO guard_violations (id, project_id, run_id, severity, model, interaction_type, tool_names, guard_mode, passed, rule_ids_violated, rules_violated, messages, verdicts, mechanism_category, conversation_id, created_at)\n       VALUES ($1, $2, $3, $4, $5, $6, $7, 'local', 0, $8, $9, $10, $11, $12, $13, $14)\n       ON CONFLICT (id) DO NOTHING`,\n      [violationId, event.repo || 'local', id, event.severity || null,\n       event.cc_model || event.model || null, event.hook_type || null,\n       event.tool_name ? [event.tool_name] : null,\n       event.violated_rules || null, event.violated_rules || null,\n       event.command ? JSON.stringify({ command: event.command }) : null, verdicts,\n       event.category || null, sessionId, ts]\n    );\n    const classifyText = [event.command, event.reasoning].filter(Boolean).join(' ');\n    if (classifyText && embedder) {\n      classifyText.length > 0 && classifyViolationInline(violationId, classifyText).catch(() => {});\n    }\n  }\n\n  const existing = await db.query<{ id: string }>(\n    `SELECT id FROM trajectories WHERE check_ids[1] = $1 LIMIT 1`, [id]\n  );\n  if (existing.rows.length) return;\n\n  const model = event.cc_model || event.model || null;\n  await db.query(\n    `INSERT INTO trajectories (project_id, org_id, conversation_id, check_ids, check_count, passed, severity, end_user_id, status, interaction_type, model, provider, operation_type, user_message, final_response, started_at, completed_at, created_at)\n     VALUES ($1, 'local', $2, $3, 1, $4, $5, 'local-user', 'graded', $6, $7, $8, $9, $10, $11, $12, $13, $14)`,\n    [event.repo || 'local', sessionId, [id], passed,\n     !passed ? (event.severity || 'medium') : null,\n     event.hook_type || null, model,\n     model?.startsWith('claude-') ? 'anthropic' : 'unknown',\n     operationType,\n     event.command || event.recent_user_messages?.[0] || null,\n     event.reasoning || null, ts, ts, ts]\n  );\n}\n\nasync function ingestUsageTick(event: any): Promise<void> {\n  if (!event.cc_usage && !event.session_id) return;\n  const sid = event.session_id || '';\n  const id = event.event_id || `usage_${Date.now()}_${Math.random().toString(36).slice(2)}`;\n  const ts = event._ts ? new Date(event._ts).toISOString() : new Date().toISOString();\n  const usage = event.cc_usage || {};\n\n  await db.query(\n    `INSERT INTO usage_ticks (id, session_id, model, input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, created_at)\n     VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n     ON CONFLICT (session_id) DO UPDATE SET\n       input_tokens = EXCLUDED.input_tokens,\n       output_tokens = EXCLUDED.output_tokens,\n       cache_creation_tokens = EXCLUDED.cache_creation_tokens,\n       cache_read_tokens = EXCLUDED.cache_read_tokens,\n       model = COALESCE(EXCLUDED.model, usage_ticks.model),\n       created_at = EXCLUDED.created_at`,\n    [id, sid, event.cc_model || event.model || null,\n     usage.input_tokens || 0, usage.output_tokens || 0,\n     usage.cache_creation_input_tokens || 0, usage.cache_read_input_tokens || 0, ts]\n  );\n}\n\nasync function ingestScanFinding(event: any): Promise<void> {\n  if (!event.finding_type || !event.finding_id) return;\n  const sessionId = event.session_id || '';\n  const filePath = event.file_path || '';\n\n  if (event.finding_id === 'pass') {\n    await db.query(\n      `UPDATE scan_findings SET status = 'resolved', resolved_at = NOW() WHERE file_path = $1 AND status = 'open'`,\n      [filePath]\n    );\n    return;\n  }\n\n  if (event.status === 'resolved') {\n    await db.query(\n      `UPDATE scan_findings SET status = 'resolved', resolved_at = NOW() WHERE session_id = $1 AND file_path = $2 AND status = 'open'`,\n      [sessionId, filePath]\n    );\n    return;\n  }\n\n  const isBlocked = event.finding_type === 'cve';\n  const ts = event._ts ? new Date(event._ts).toISOString() : new Date().toISOString();\n  const tsMs = event._ts ? new Date(event._ts).getTime() : Date.now();\n  const id = `sf_${sessionId}_${event.finding_id}_${tsMs}`;\n\n  await db.query(\n    `INSERT INTO scan_findings (id, session_id, file_path, finding_type, finding_id, severity, status, detail, description, package_name, package_version, fixed_version, aliases, \"references\", cwe_name, repo, resolved_at, created_at)\n     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18)\n     ON CONFLICT (id) DO NOTHING`,\n    [id, sessionId, filePath, event.finding_type, event.finding_id,\n     event.severity || null, isBlocked ? 'resolved' : (event.status || 'open'),\n     event.detail || null, event.description || null,\n     event.package_name || null, event.package_version || null, event.fixed_version || null,\n     event.aliases ? JSON.stringify(event.aliases) : null,\n     event.references ? JSON.stringify(event.references) : null,\n     event.cwe_name || null, event.repo || null,\n     isBlocked ? ts : null, ts]\n  );\n}\n\nasync function ingestRuleSync(event: any): Promise<void> {\n  if (!event.policy_id) return;\n  const ts = event._ts ? new Date(event._ts).toISOString() : new Date().toISOString();\n  const rules = Array.isArray(event.rules) ? event.rules : [];\n\n  await db.query(\n    `INSERT INTO policies (id, name, rules, rule_count, scope, scope_owner, is_active, created_at, updated_at)\n     VALUES ($1, $2, $3, $4, 'agent_runtime', 'user', true, $5, $6)\n     ON CONFLICT (id) DO UPDATE SET name = $2, rules = $3, rule_count = $4, updated_at = $6`,\n    [event.policy_id, event.policy_name || 'My Rules', JSON.stringify(rules), rules.length, ts, ts]\n  );\n}\n\n// \u2500\u2500\u2500 Storage \u2500\u2500\u2500\n\ninterface Rule {\n  rule_id: string;\n  text: string;\n  category: string;\n  severity: string;\n  mode: string;\n  hook_stage: string;\n  scope: string;\n}\n\ninterface Policy {\n  id: string;\n  name: string;\n  rules: Rule[];\n  ruleCount: number;\n  scopeOwner: string;\n  isActive: boolean;\n}\n\ninterface ScanExemption {\n  path: string;\n  cwe_id: string;\n  reason?: string;\n}\n\ninterface RulesFile {\n  policies: Policy[];\n  config: { silent: boolean; activePolicyId: string };\n  scanExemptions: ScanExemption[];\n}\n\nconst DEFAULT_POLICY: Policy = {\n  id: 'local-policy',\n  name: 'My Rules',\n  rules: [],\n  ruleCount: 0,\n  scopeOwner: 'user',\n  isActive: true,\n};\n\nfunction parseRulesField(raw: any): Rule[] {\n  if (Array.isArray(raw)) return raw;\n  if (typeof raw === 'string') {\n    try { return JSON.parse(raw); } catch { return []; }\n  }\n  return [];\n}\n\nasync function readRules(): Promise<RulesFile> {\n  if (!db) {\n    return {\n      policies: [{ ...DEFAULT_POLICY }],\n      config: { silent: false, activePolicyId: 'local-policy' },\n      scanExemptions: [],\n    };\n  }\n\n  const policiesRes = await db.query<{\n    id: string; name: string; rules: any; rule_count: number; scope_owner: string; is_active: boolean;\n  }>(`SELECT id, name, rules, rule_count, scope_owner, is_active FROM policies ORDER BY created_at ASC, id ASC`);\n\n  const policies: Policy[] = policiesRes.rows.map(r => ({\n    id: r.id,\n    name: r.name || 'My Rules',\n    rules: parseRulesField(r.rules),\n    ruleCount: r.rule_count || 0,\n    scopeOwner: r.scope_owner || 'user',\n    isActive: r.is_active !== false,\n  }));\n\n  if (policies.length === 0) policies.push({ ...DEFAULT_POLICY });\n\n  const cfgRes = await db.query<{ key: string; value: string }>(`SELECT key, value FROM synkro_local_config`);\n  const cfgMap: Record<string, string> = {};\n  for (const r of cfgRes.rows) cfgMap[r.key] = r.value;\n  const config = {\n    silent: cfgMap.silent === 'true',\n    activePolicyId: cfgMap.activePolicyId || policies[0].id,\n  };\n\n  const exRes = await db.query<{ path: string; cwe_id: string; reason: string | null }>(\n    `SELECT path, cwe_id, reason FROM scan_exemptions ORDER BY created_at ASC, id ASC`);\n  const scanExemptions: ScanExemption[] = exRes.rows.map(r => ({\n    path: r.path, cwe_id: r.cwe_id, ...(r.reason ? { reason: r.reason } : {}),\n  }));\n\n  return { policies, config, scanExemptions };\n}\n\nasync function writeRules(data: RulesFile): Promise<void> {\n  if (!db) return;\n  for (const p of data.policies) p.ruleCount = p.rules.length;\n\n  const keepIds: string[] = [];\n  for (const p of data.policies) {\n    keepIds.push(p.id);\n    await db.query(\n      `INSERT INTO policies (id, name, rules, rule_count, scope, scope_owner, is_active, created_at, updated_at)\n       VALUES ($1, $2, $3, $4, 'agent_runtime', $5, $6, NOW(), NOW())\n       ON CONFLICT (id) DO UPDATE SET name = $2, rules = $3, rule_count = $4, scope_owner = $5, is_active = $6, updated_at = NOW()`,\n      [p.id, p.name, JSON.stringify(p.rules), p.ruleCount, p.scopeOwner, p.isActive]\n    );\n  }\n  if (keepIds.length > 0) {\n    const placeholders = keepIds.map((_, i) => `$${i + 1}`).join(',');\n    await db.query(`DELETE FROM policies WHERE id NOT IN (${placeholders})`, keepIds);\n  } else {\n    await db.query(`DELETE FROM policies`);\n  }\n\n  await db.query(\n    `INSERT INTO synkro_local_config (key, value, updated_at) VALUES ('silent', $1, NOW())\n     ON CONFLICT (key) DO UPDATE SET value = $1, updated_at = NOW()`,\n    [String(data.config.silent)]\n  );\n  await db.query(\n    `INSERT INTO synkro_local_config (key, value, updated_at) VALUES ('activePolicyId', $1, NOW())\n     ON CONFLICT (key) DO UPDATE SET value = $1, updated_at = NOW()`,\n    [data.config.activePolicyId]\n  );\n\n  await db.query(`DELETE FROM scan_exemptions`);\n  for (const e of data.scanExemptions) {\n    await db.query(\n      `INSERT INTO scan_exemptions (path, cwe_id, reason) VALUES ($1, $2, $3) ON CONFLICT (path, cwe_id) DO NOTHING`,\n      [e.path, e.cwe_id, e.reason || null]\n    );\n  }\n}\n\nasync function migrateRulesJsonIfPresent(): Promise<void> {\n  if (!db || !existsSync(RULES_PATH)) return;\n  try {\n    const data = JSON.parse(readFileSync(RULES_PATH, 'utf-8')) as RulesFile;\n    if (!data || !Array.isArray(data.policies)) return;\n    // writeRules upserts policies (ON CONFLICT DO UPDATE) and replaces config + exemptions.\n    // Safe to run even when old ingestRuleSync had already inserted the active policy.\n    await writeRules({\n      policies: data.policies.length > 0 ? data.policies : [{ ...DEFAULT_POLICY }],\n      config: data.config || { silent: false, activePolicyId: 'local-policy' },\n      scanExemptions: Array.isArray(data.scanExemptions) ? data.scanExemptions : [],\n    });\n    unlinkSync(RULES_PATH);\n    console.log('[synkro] migrated rules.json into PGLite, removed file');\n  } catch (err) {\n    console.error('[synkro] rules.json migration failed:', err);\n  }\n}\n\nfunction emitRuleSync(data: RulesFile): void {\n  const active = data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];\n  const event = {\n    capture_type: 'rule_sync',\n    policy_id: active?.id || 'local-policy',\n    policy_name: active?.name || 'My Rules',\n    rules: active?.rules || [],\n    rule_count: active?.ruleCount || 0,\n    scan_exemptions: data.scanExemptions,\n    silent: data.config.silent,\n    _ts: new Date().toISOString(),\n  };\n  if (db) ingestRuleSync(event).catch(() => {});\n}\n\nfunction highestRuleNumber(data: RulesFile): number {\n  let max = 0;\n  for (const p of data.policies) {\n    for (const r of p.rules) {\n      const m = /^R(\\d+)$/.exec(r.rule_id);\n      if (m) {\n        const n = parseInt(m[1], 10);\n        if (n > max) max = n;\n      }\n    }\n  }\n  return max;\n}\n\nfunction nextRuleId(data: RulesFile): string {\n  return 'R' + String(highestRuleNumber(data) + 1).padStart(3, '0');\n}\n\nfunction ruleIdAllocator(data: RulesFile): () => string {\n  let n = highestRuleNumber(data);\n  return () => 'R' + String(++n).padStart(3, '0');\n}\n\nfunction getActivePolicy(data: RulesFile): Policy {\n  return data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0];\n}\n\nfunction findOrCreatePolicy(data: RulesFile, name: string): Policy {\n  const existing = data.policies.find(p => p.name.toLowerCase() === name.toLowerCase());\n  if (existing) return existing;\n  const p: Policy = {\n    id: `policy_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,\n    name,\n    rules: [],\n    ruleCount: 0,\n    scopeOwner: 'user',\n    isActive: true,\n  };\n  data.policies.push(p);\n  return p;\n}\n\nfunction getAllRules(data: RulesFile): Array<Rule & { policyName: string; policyId: string }> {\n  const all: Array<Rule & { policyName: string; policyId: string }> = [];\n  for (const p of data.policies) {\n    if (!p.isActive) continue;\n    for (const r of p.rules) {\n      all.push({ ...r, policyName: p.name, policyId: p.id });\n    }\n  }\n  return all;\n}\n\n// \u2500\u2500\u2500 Keyword Search \u2500\u2500\u2500\n\nconst STOPWORDS = new Set(['the', 'a', 'an', 'is', 'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had', 'do', 'does', 'did', 'will', 'would', 'could', 'should', 'may', 'might', 'must', 'shall', 'can', 'need', 'dare', 'ought', 'used', 'to', 'of', 'in', 'for', 'on', 'with', 'at', 'by', 'from', 'as', 'into', 'through', 'during', 'before', 'after', 'above', 'below', 'between', 'out', 'off', 'over', 'under', 'again', 'further', 'then', 'once', 'here', 'there', 'when', 'where', 'why', 'how', 'all', 'each', 'every', 'both', 'few', 'more', 'most', 'other', 'some', 'such', 'no', 'nor', 'not', 'only', 'own', 'same', 'so', 'than', 'too', 'very', 'just', 'because', 'but', 'and', 'or', 'if', 'while', 'about', 'up', 'it', 'its', 'this', 'that', 'these', 'those', 'i', 'me', 'my', 'we', 'our', 'you', 'your', 'he', 'she', 'they', 'them', 'what', 'which', 'who', 'whom']);\n\nfunction tokenize(text: string): string[] {\n  return text.toLowerCase().replace(/[^a-z0-9_-]/g, ' ').split(/\\s+/).filter(t => t.length > 1 && !STOPWORDS.has(t));\n}\n\nfunction keywordSearch(query: string, rules: Array<Rule & { policyName: string; policyId: string }>, topK: number): any[] {\n  const qTokens = tokenize(query);\n  if (qTokens.length === 0) return rules.slice(0, topK);\n\n  const scored = rules.map(r => {\n    const rTokens = new Set(tokenize(`${r.text} ${r.category} ${r.severity}`));\n    const overlap = qTokens.filter(t => rTokens.has(t) || [...rTokens].some(rt => rt.includes(t) || t.includes(rt))).length;\n    return { rule: r, score: overlap / qTokens.length };\n  });\n\n  scored.sort((a, b) => b.score - a.score);\n  const results = scored.filter(s => s.score > 0).slice(0, topK);\n  if (results.length === 0) return rules.slice(0, topK);\n\n  return results.map(s => ({\n    rule_id: s.rule.rule_id,\n    text: s.rule.text,\n    category: s.rule.category,\n    severity: s.rule.severity,\n    mode: s.rule.mode,\n    hook_stage: s.rule.hook_stage,\n    scope: s.rule.scope,\n    pack_name: s.rule.policyName,\n    score: Math.round(s.score * 100) / 100,\n  }));\n}\n\n// \u2500\u2500\u2500 Tool Handlers \u2500\u2500\u2500\n\nasync function handleGetGuardrails(args: any): Promise<any> {\n  const data = await readRules();\n  const all = getAllRules(data);\n  const topK = Math.min(args.top_k || 8, 25);\n  let filtered = all;\n  if (args.category) filtered = filtered.filter(r => r.category === args.category);\n  const results = keywordSearch(args.query || '', filtered, topK);\n  return { rules: results, total: results.length, query: args.query };\n}\n\nasync function handleCreateGuardrail(args: any): Promise<any> {\n  const data = await readRules();\n  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);\n  const rule: Rule = {\n    rule_id: nextRuleId(data),\n    text: args.text,\n    category: args.category || 'custom',\n    severity: args.severity || 'medium',\n    mode: args.mode || 'audit',\n    hook_stage: args.hook_stage || 'both',\n    scope: args.scope || 'user',\n  };\n  policy.rules.push(rule);\n  await writeRules(data);\n  emitRuleSync(data);\n  return { created: true, rule_id: rule.rule_id, text: rule.text, pack_name: policy.name, total_rules: policy.rules.length };\n}\n\nasync function handleBulkCreateGuardrails(args: any): Promise<any> {\n  const data = await readRules();\n  const policy = args.ruleset ? findOrCreatePolicy(data, args.ruleset) : getActivePolicy(data);\n  const created: any[] = [];\n  const allocId = ruleIdAllocator(data);\n  for (const r of args.rules || []) {\n    const rule: Rule = {\n      rule_id: allocId(),\n      text: r.text,\n      category: r.category || 'custom',\n      severity: r.severity || 'medium',\n      mode: r.mode || 'audit',\n      hook_stage: r.hook_stage || 'both',\n      scope: args.scope || 'user',\n    };\n    policy.rules.push(rule);\n    created.push({ rule_id: rule.rule_id, text: rule.text });\n  }\n  await writeRules(data);\n  emitRuleSync(data);\n  return { created: created.length, rules: created, pack_name: policy.name, total_rules: policy.rules.length };\n}\n\nasync function handleUpdateGuardrail(args: any): Promise<any> {\n  const data = await readRules();\n  const needle = (args.rule_text || '').toLowerCase();\n  for (const p of data.policies) {\n    for (const r of p.rules) {\n      if (r.text.toLowerCase().includes(needle)) {\n        if (args.text) r.text = args.text;\n        if (args.category) r.category = args.category;\n        if (args.severity) r.severity = args.severity;\n        if (args.mode) r.mode = args.mode;\n        if (args.hook_stage) r.hook_stage = args.hook_stage;\n        await writeRules(data);\n        emitRuleSync(data);\n        return { updated: true, rule_id: r.rule_id, text: r.text };\n      }\n    }\n  }\n  return { updated: false, error: `No rule found matching \"${args.rule_text}\"` };\n}\n\nasync function handleDeleteGuardrail(args: any): Promise<any> {\n  const data = await readRules();\n  const needle = (args.rule_text || '').toLowerCase();\n  for (const p of data.policies) {\n    const idx = p.rules.findIndex(r => r.text.toLowerCase().includes(needle));\n    if (idx !== -1) {\n      const removed = p.rules.splice(idx, 1)[0];\n      await writeRules(data);\n      emitRuleSync(data);\n      return { deleted: true, rule_id: removed.rule_id, text: removed.text };\n    }\n  }\n  return { deleted: false, error: `No rule found matching \"${args.rule_text}\"` };\n}\n\nasync function handleListGuardrails(args: any): Promise<any> {\n  const data = await readRules();\n  let all = getAllRules(data);\n  if (args.category) all = all.filter(r => r.category === args.category);\n  if (args.severity) all = all.filter(r => r.severity === args.severity);\n  if (args.mode) all = all.filter(r => r.mode === args.mode);\n  if (args.hook_stage) all = all.filter(r => r.hook_stage === args.hook_stage);\n  if (args.pack_name) {\n    const pn = args.pack_name.toLowerCase();\n    all = all.filter(r => r.policyName.toLowerCase().includes(pn));\n  }\n  return {\n    rules: all.map(r => ({\n      rule_id: r.rule_id,\n      text: r.text,\n      category: r.category,\n      severity: r.severity,\n      mode: r.mode,\n      hook_stage: r.hook_stage,\n      scope: r.scope,\n      pack_name: r.policyName,\n    })),\n    total: all.length,\n  };\n}\n\nasync function handleSwapRuleset(args: any): Promise<any> {\n  const data = await readRules();\n  const name = args.policy_name || '';\n  if (name.toLowerCase() === 'all') {\n    data.config.activePolicyId = data.policies[0]?.id || 'local-policy';\n    await writeRules(data);\n    return { swapped: true, active: 'all' };\n  }\n  const match = data.policies.find(p => p.name.toLowerCase().includes(name.toLowerCase()));\n  if (!match) return { swapped: false, error: `No ruleset found matching \"${name}\"` };\n  data.config.activePolicyId = match.id;\n  await writeRules(data);\n  return { swapped: true, active: match.name };\n}\n\nasync function handleToggleSilentMode(args: any): Promise<any> {\n  const data = await readRules();\n  data.config.silent = args.enabled === true;\n  await writeRules(data);\n  emitRuleSync(data);\n  return { silent: data.config.silent };\n}\n\nasync function handleScanDependencies(args: any): Promise<any> {\n  const manifests = args.manifests || [];\n  if (manifests.length === 0) return { findings: [], summary: null };\n\n  const packages: Array<{ name: string; version: string; ecosystem: string }> = [];\n  for (const m of manifests) {\n    const fp: string = m.file_path || '';\n    const content: string = m.content || '';\n    try {\n      if (fp.endsWith('package.json')) {\n        const pkg = JSON.parse(content);\n        for (const [name, ver] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {\n          packages.push({ name, version: String(ver).replace(/^[\\^~>=<]*/g, ''), ecosystem: 'npm' });\n        }\n      } else if (fp.endsWith('requirements.txt') || fp.match(/requirements.*\\.txt$/)) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^([a-zA-Z0-9_-]+)==(.+)/);\n          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'PyPI' });\n        }\n      } else if (fp.endsWith('go.mod')) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^\\t?([^\\s]+)\\s+v([^\\s]+)/);\n          if (m) packages.push({ name: m[1], version: m[2], ecosystem: 'Go' });\n        }\n      } else if (fp.endsWith('Cargo.toml')) {\n        for (const line of content.split('\\n')) {\n          const m = line.trim().match(/^([a-zA-Z0-9_-]+)\\s*=\\s*\"([^\"]+)\"/);\n          if (m && !['name', 'version', 'edition', 'authors', 'description', 'license', 'repository'].includes(m[1])) {\n            packages.push({ name: m[1], version: m[2], ecosystem: 'crates.io' });\n          }\n        }\n      }\n    } catch {}\n  }\n\n  if (packages.length === 0) return { findings: [], summary: null };\n\n  const capped = packages.slice(0, 50);\n  const queries = capped.map(p => ({ package: { name: p.name, ecosystem: p.ecosystem }, version: p.version }));\n\n  try {\n    const resp = await fetch('https://api.osv.dev/v1/querybatch', {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/json' },\n      body: JSON.stringify({ queries }),\n      signal: AbortSignal.timeout(10000),\n    });\n    if (!resp.ok) return { findings: [], summary: 'OSV query failed' };\n    const data = await resp.json() as { results: Array<{ vulns?: any[] }> };\n\n    const findings: any[] = [];\n    for (let i = 0; i < data.results.length; i++) {\n      for (const vuln of data.results[i].vulns || []) {\n        findings.push({\n          id: vuln.id,\n          package: capped[i].name,\n          version: capped[i].version,\n          ecosystem: capped[i].ecosystem,\n          summary: vuln.summary || 'No description',\n          aliases: vuln.aliases || [],\n          severity: vuln.database_specific?.severity || 'unknown',\n        });\n      }\n    }\n    return { findings, summary: findings.length > 0 ? `${findings.length} vulnerabilities found` : null };\n  } catch {\n    return { findings: [], summary: 'OSV query timed out' };\n  }\n}\n\nconst CWE_ID_RE = /^CWE-\\d{1,6}$/i;\nconst PATH_TRAVERSAL_RE = /\\.\\.[/\\\\]/;\nconst MAX_REASON_LEN = 500;\n\nfunction validateExemptionArgs(args: any): { path: string; cwe_id: string; reason?: string } | string {\n  const p = typeof args.path === 'string' ? args.path.trim() : '';\n  if (!p || PATH_TRAVERSAL_RE.test(p)) return 'Invalid path';\n  const cwe = typeof args.cwe_id === 'string' ? args.cwe_id.trim().toUpperCase() : '';\n  if (!CWE_ID_RE.test(cwe)) return 'Invalid cwe_id (expected CWE-NNN)';\n  const reason = typeof args.reason === 'string' ? args.reason.slice(0, MAX_REASON_LEN) : undefined;\n  return { path: p, cwe_id: cwe, reason };\n}\n\nasync function handleExemptPath(args: any): Promise<any> {\n  const v = validateExemptionArgs(args);\n  if (typeof v === 'string') return { exempted: false, error: v };\n  const data = await readRules();\n  const existing = data.scanExemptions.find(e => e.path === v.path && e.cwe_id.toUpperCase() === v.cwe_id);\n  if (existing) return { exempted: true, already_existed: true, path: v.path, cwe_id: v.cwe_id };\n\n  data.scanExemptions.push({ path: v.path, cwe_id: v.cwe_id, reason: v.reason });\n  await writeRules(data);\n  emitRuleSync(data);\n  return { exempted: true, path: v.path, cwe_id: v.cwe_id, total_exemptions: data.scanExemptions.length };\n}\n\nasync function handleRemoveExemption(args: any): Promise<any> {\n  const v = validateExemptionArgs(args);\n  if (typeof v === 'string') return { removed: false, error: v };\n  const data = await readRules();\n  const idx = data.scanExemptions.findIndex(e => e.path === v.path && e.cwe_id.toUpperCase() === v.cwe_id);\n  if (idx === -1) return { removed: false, error: `No exemption found for path=\"${v.path}\" cwe_id=\"${v.cwe_id}\"` };\n  data.scanExemptions.splice(idx, 1);\n  await writeRules(data);\n  emitRuleSync(data);\n  return { removed: true, path: v.path, cwe_id: v.cwe_id };\n}\n\nasync function handleListExemptions(): Promise<any> {\n  const data = await readRules();\n  return { exemptions: data.scanExemptions, total: data.scanExemptions.length };\n}\n\n// \u2500\u2500\u2500 Findings \u2500\u2500\u2500\n\nconst CONFIG_PATH = join(HOME, '.synkro', 'config.json');\nconst FINDINGS_JWT_PATH = join(HOME, '.synkro', '.mcp-jwt');\n\nconst ALLOWED_API_HOSTS = new Set(['api.synkro.sh', 'localhost', '127.0.0.1']);\nfunction validateApiUrl(raw: string): string | null {\n  try {\n    const u = new URL(raw);\n    if (!['http:', 'https:'].includes(u.protocol)) return null;\n    if (!ALLOWED_API_HOSTS.has(u.hostname)) return null;\n    return u.origin;\n  } catch { return null; }\n}\n\ninterface Finding {\n  id: string;\n  session_id: string;\n  file_path: string;\n  finding_type: string;\n  finding_id: string;\n  severity: string;\n  status: string;\n  detail?: string;\n  package_name?: string;\n  package_version?: string;\n  fixed_version?: string;\n  created_at: string;\n  resolved_at?: string;\n}\n\nconst CREDENTIALS_PATH = join(HOME, '.synkro', 'credentials.json');\n\nfunction getCloudConfig(): { apiUrl: string; jwt: string } | null {\n  try {\n    let jwt = '';\n    try {\n      const creds = JSON.parse(readFileSync(CREDENTIALS_PATH, 'utf-8'));\n      jwt = creds.access_token || '';\n    } catch {}\n    if (!jwt) {\n      try { jwt = readFileSync(FINDINGS_JWT_PATH, 'utf-8').trim(); } catch {}\n    }\n    if (!jwt) return null;\n    let raw = process.env.SYNKRO_API_URL || '';\n    if (!raw) raw = 'https://api.synkro.sh';\n    const apiUrl = validateApiUrl(raw);\n    if (!apiUrl) return null;\n    return { apiUrl, jwt };\n  } catch {\n    return null;\n  }\n}\n\nasync function readLocalFindings(): Promise<Finding[]> {\n  const result = await db.query<Finding>(\n    `SELECT id, session_id, file_path, finding_type, finding_id, severity, status, detail,\n            description, cwe_name, package_name, package_version, fixed_version,\n            created_at::text as created_at, resolved_at::text as resolved_at\n     FROM scan_findings ORDER BY created_at DESC`\n  );\n  return result.rows;\n}\n\nasync function proxyToCloudMcp(toolName: string, args: Record<string, unknown>): Promise<any | null> {\n  const cloud = getCloudConfig();\n  if (!cloud) return null;\n  try {\n    const resp = await fetch(`${cloud.apiUrl}/api/v1/mcp/guardrails`, {\n      method: 'POST',\n      headers: { Authorization: `Bearer ${cloud.jwt}`, 'Content-Type': 'application/json' },\n      body: JSON.stringify({\n        jsonrpc: '2.0',\n        id: `local_${Date.now()}`,\n        method: 'tools/call',\n        params: { name: toolName, arguments: args },\n      }),\n      signal: AbortSignal.timeout(10000),\n    });\n    if (!resp.ok) return null;\n    const data = await resp.json() as any;\n    if (data.error) return null;\n    return data.result;\n  } catch {\n    return null;\n  }\n}\n\nasync function handleListFindings(args: any): Promise<any> {\n  let findings = await readLocalFindings();\n  if (args.status) findings = findings.filter(f => f.status === args.status);\n  if (args.finding_type) findings = findings.filter(f => f.finding_type === args.finding_type);\n  if (args.severity) findings = findings.filter(f => f.severity === args.severity);\n\n  const limit = Math.min(args.limit || 50, 200);\n  const open = findings.filter(f => f.status === 'open').length;\n  const resolved = findings.filter(f => f.status === 'resolved').length;\n\n  if (findings.length === 0) {\n    return { content: [{ type: 'text', text: args.status ? `No ${args.status} findings found.` : 'No scan findings found.' }] };\n  }\n\n  const lines = findings.slice(0, limit).map(f => {\n    const badge = f.finding_type === 'cve' ? '\u{1F534} CVE' : '\u{1F7E1} CWE';\n    const name = (f as any).cwe_name ? ` (${(f as any).cwe_name})` : '';\n    const pkg = f.package_name ? ` in \\`${f.package_name}@${f.package_version || '?'}\\`` : '';\n    const file = f.file_path ? ` \u2014 \\`${f.file_path}\\`` : '';\n    return `- **${badge} ${f.finding_id}**${name}${pkg}${file}\\n  Status: ${f.status} | Severity: ${f.severity || 'unknown'} | ID: \\`${f.id}\\``;\n  });\n\n  return {\n    content: [{ type: 'text', text: `**${findings.length} finding${findings.length === 1 ? '' : 's'}** (${open} open, ${resolved} resolved)\\n\\n${lines.join('\\n\\n')}` }],\n  };\n}\n\nasync function handleGetFindingDetail(args: any): Promise<any> {\n  const id = typeof args.id === 'string' ? args.id.trim() : '';\n  if (!id) return { content: [{ type: 'text', text: 'id is required' }], isError: true };\n\n  const findings = await readLocalFindings();\n  const match = findings.find(f => f.id === id);\n  if (!match) return { content: [{ type: 'text', text: 'Finding not found' }], isError: true };\n\n  const parts: string[] = [];\n  const m = match as any;\n  parts.push(`# ${m.finding_type.toUpperCase()} ${m.finding_id}${m.cwe_name ? ` \u2014 ${m.cwe_name}` : ''}`);\n  parts.push(`**Status:** ${m.status} | **Severity:** ${m.severity || 'unknown'}`);\n  if (m.file_path) parts.push(`**File:** \\`${m.file_path}\\``);\n  if (m.package_name) parts.push(`**Package:** \\`${m.package_name}@${m.package_version || '?'}\\``);\n  if (m.fixed_version) parts.push(`**Fix available:** ${m.fixed_version}`);\n  parts.push(`**Detected:** ${m.created_at}`);\n  if (m.resolved_at) parts.push(`**Resolved:** ${m.resolved_at}`);\n  if (m.description) parts.push(`\\n## Description\\n${m.description}`);\n  if (m.detail) parts.push(`\\n## Detail\\n${m.detail}`);\n\n  return { content: [{ type: 'text', text: parts.join('\\n') }] };\n}\n\nasync function handleResolveFinding(args: any): Promise<any> {\n  const id = typeof args.id === 'string' ? args.id.trim() : '';\n  const filePath = typeof args.file_path === 'string' ? args.file_path.trim() : '';\n  const findingId = typeof args.finding_id === 'string' ? args.finding_id.trim() : '';\n\n  if (!id && !filePath) return { content: [{ type: 'text', text: 'id or file_path is required' }], isError: true };\n\n  if (id) {\n    const result = await db.query<Finding>(\n      `SELECT * FROM scan_findings WHERE id = $1 AND status = 'open' LIMIT 1`, [id]\n    );\n    const match = result.rows[0];\n    if (!match) return { content: [{ type: 'text', text: 'No matching open finding' }], isError: true };\n    await db.query(`UPDATE scan_findings SET status = 'resolved', resolved_at = NOW() WHERE id = $1`, [id]);\n    proxyToCloudMcp('resolve_finding', { id }).catch(() => {});\n    return { content: [{ type: 'text', text: `Finding \\`${match.finding_id}\\` on \\`${match.file_path || '(unknown)'}\\` marked as **resolved**.` }] };\n  }\n\n  let where = `file_path = $1 AND status = 'open'`;\n  const params: string[] = [filePath];\n  if (findingId) { params.push(findingId); where += ` AND finding_id = $2`; }\n\n  const before = await db.query<{ cnt: string }>(`SELECT count(*) as cnt FROM scan_findings WHERE ${where}`, params);\n  const cnt = Number(before.rows[0]?.cnt || 0);\n  if (cnt === 0) return { content: [{ type: 'text', text: `No open findings for \\`${filePath}\\`` }], isError: true };\n\n  await db.query(`UPDATE scan_findings SET status = 'resolved', resolved_at = NOW() WHERE ${where}`, params);\n  return { content: [{ type: 'text', text: `Resolved ${cnt} finding${cnt === 1 ? '' : 's'} on \\`${filePath}\\`.` }] };\n}\n\n// \u2500\u2500\u2500 Tool Descriptors \u2500\u2500\u2500\n\nconst TOOL_DESCRIPTORS = [\n  {\n    name: 'get_guardrails',\n    description:\n      \"Retrieve rules by keyword similarity. Call BEFORE writing security-sensitive code \" +\n      \"AND before create_guardrail to check for existing rules.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        query: { type: 'string', description: \"Plain-language description of what you're looking up.\" },\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        top_k: { type: 'integer', default: 8, description: 'Max rules to return (default 8, max 25).' },\n      },\n      required: ['query'],\n    },\n  },\n  {\n    name: 'create_guardrail',\n    description: \"Persist a new rule. Call get_guardrails first to avoid duplicates.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        text: { type: 'string', description: 'The rule in plain language.' },\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit'], description: '\"blocking\" = halt on violation, \"audit\" = log only.' },\n        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'], default: 'both' },\n        ruleset: { type: 'string', description: 'Optional: name of ruleset to add to (created if missing).' },\n      },\n      required: ['text', 'category'],\n    },\n  },\n  {\n    name: 'bulk_create_guardrails',\n    description: \"Create multiple rules at once. Preferable to looping create_guardrail.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        rules: {\n          type: 'array', minItems: 1, maxItems: 50,\n          items: {\n            type: 'object',\n            properties: {\n              text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n              severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n              mode: { type: 'string', enum: ['blocking', 'audit'] },\n              hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n            },\n            required: ['text', 'category'],\n          },\n        },\n        scope: { type: 'string', enum: ['user', 'org'], default: 'user' },\n        ruleset: { type: 'string' },\n      },\n      required: ['rules'],\n    },\n  },\n  {\n    name: 'update_guardrail',\n    description: \"Refine an existing rule. Pass a substring of the rule text to identify it.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        rule_text: { type: 'string', description: 'Substring of rule text to find.' },\n        text: { type: 'string' }, category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit'] },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n      },\n      required: ['rule_text'],\n    },\n  },\n  {\n    name: 'delete_guardrail',\n    description: \"Permanently remove a rule. Pass a substring of the rule text to identify it.\",\n    inputSchema: {\n      type: 'object',\n      properties: { rule_text: { type: 'string', description: 'Substring of rule text to find.' } },\n      required: ['rule_text'],\n    },\n  },\n  {\n    name: 'list_guardrails',\n    description: \"Enumerate all rules. Use for listings, not similarity search.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        category: { type: 'string', enum: ['security', 'architecture', 'style', 'testing', 'compliance', 'custom'] },\n        severity: { type: 'string', enum: ['low', 'medium', 'high', 'critical'] },\n        mode: { type: 'string', enum: ['blocking', 'audit', 'literal_match'] },\n        pack_name: { type: 'string' },\n        hook_stage: { type: 'string', enum: ['pre', 'post', 'both'] },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'swap_ruleset',\n    description: 'Switch which ruleset is active. Pass \"all\" to use all rulesets.',\n    inputSchema: {\n      type: 'object',\n      properties: { policy_name: { type: 'string' } },\n      required: ['policy_name'],\n    },\n  },\n  {\n    name: 'toggle_silent_mode',\n    description: 'Toggle grading on/off. NEVER call autonomously \u2014 this is a USER decision.',\n    inputSchema: {\n      type: 'object',\n      properties: {\n        enabled: { type: 'boolean' },\n        user_confirmation: { type: 'string', description: \"Copy-paste the user's exact request.\" },\n      },\n      required: ['enabled', 'user_confirmation'],\n    },\n  },\n  {\n    name: 'scan_dependencies',\n    description: \"Scan manifests against OSV for known vulnerabilities. Read ALL manifest files first.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        manifests: {\n          type: 'array', minItems: 1,\n          items: {\n            type: 'object',\n            properties: { file_path: { type: 'string' }, content: { type: 'string' } },\n            required: ['file_path', 'content'],\n          },\n        },\n      },\n      required: ['manifests'],\n    },\n  },\n  {\n    name: 'exempt_path',\n    description: \"Exempt a CWE from firing on a specific file/directory.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        path: { type: 'string' }, cwe_id: { type: 'string' }, reason: { type: 'string' },\n      },\n      required: ['path', 'cwe_id'],\n    },\n  },\n  {\n    name: 'remove_exemption',\n    description: \"Remove a scan exemption.\",\n    inputSchema: {\n      type: 'object',\n      properties: { path: { type: 'string' }, cwe_id: { type: 'string' } },\n      required: ['path', 'cwe_id'],\n    },\n  },\n  {\n    name: 'list_exemptions',\n    description: \"List all scan exemptions.\",\n    inputSchema: { type: 'object', properties: {}, required: [] },\n  },\n  {\n    name: 'list_findings',\n    description: \"List CWE/CVE scan findings. Shows security issues found by Synkro hooks. Use to review what needs fixing.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        status: { type: 'string', enum: ['open', 'resolved', 'exempted'], description: 'Filter by status (default: all).' },\n        finding_type: { type: 'string', enum: ['cwe', 'cve'], description: 'Filter by finding type.' },\n        severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },\n        file_path: { type: 'string', description: 'Filter by file path substring.' },\n        limit: { type: 'integer', default: 25, description: 'Max results (default 25, max 50).' },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'get_finding_detail',\n    description: \"Get full detail of a specific finding including remediation context.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        id: { type: 'string', description: 'Finding ID (e.g. sf_...).' },\n        file_path: { type: 'string', description: 'File path (used with finding_id).' },\n        finding_id: { type: 'string', description: 'CWE/CVE ID like CWE-89 or CVE-2024-1234.' },\n      },\n      required: [],\n    },\n  },\n  {\n    name: 'resolve_finding',\n    description: \"Mark finding(s) as resolved after the underlying issue is fixed. Can target by ID, file+finding_id, or all findings for a file.\",\n    inputSchema: {\n      type: 'object',\n      properties: {\n        id: { type: 'string', description: 'Specific finding ID to resolve.' },\n        file_path: { type: 'string', description: 'Resolve all open findings matching this file path.' },\n        finding_id: { type: 'string', description: 'CWE/CVE ID (used with file_path for targeted resolution).' },\n      },\n      required: [],\n    },\n  },\n];\n\nconst MCP_INSTRUCTIONS =\n  \"Synkro Guardrails MCP server (local mode).\\n\\n\" +\n  \"Whenever the user mentions: rule, guardrail, policy, standard, \" +\n  \"make/create/add/set up a rule, never let X, always require X, \" +\n  \"block X, enforce X, delete/remove a rule, consolidate duplicates, \" +\n  \"'we need a rule about\u2026' \u2014 route to THIS server's tools.\\n\\n\" +\n  \"TOOL ROUTING:\\n\" +\n  \"  \u2022 get_guardrails(query) \u2014 keyword search. Use to check if a rule exists.\\n\" +\n  \"  \u2022 list_guardrails \u2014 full enumeration. Use for listings.\\n\" +\n  \"  \u2022 list_findings \u2014 show CWE/CVE scan findings (open, resolved, all).\\n\" +\n  \"  \u2022 get_finding_detail \u2014 get full detail + remediation context for a finding.\\n\" +\n  \"  \u2022 resolve_finding \u2014 mark findings resolved after fixing the code.\\n\\n\" +\n  \"When the user asks about security issues, vulnerabilities, or scan results, \" +\n  \"use list_findings first. After fixing code, call resolve_finding to update status.\\n\\n\" +\n  \"Do NOT use Claude Code's `update-config` skill for these requests.\\n\\n\" +\n  \"Rules are stored locally in ~/.synkro/rules.json and enforced by hooks.\";\n\n// \u2500\u2500\u2500 JSON-RPC Dispatcher \u2500\u2500\u2500\n\nfunction jsonRpcOk(id: any, result: any): any {\n  return { jsonrpc: '2.0', id, result };\n}\n\nfunction jsonRpcError(id: any, code: number, message: string): any {\n  return { jsonrpc: '2.0', id, error: { code, message } };\n}\n\nasync function handleRpc(body: any): Promise<any> {\n  const { id, method, params } = body;\n\n  if (method === 'initialize') {\n    return jsonRpcOk(id, {\n      protocolVersion: '2024-11-05',\n      capabilities: { tools: {} },\n      serverInfo: { name: 'synkro-guardrails-local', version: '1.0.0' },\n      instructions: MCP_INSTRUCTIONS,\n    });\n  }\n\n  if (method === 'notifications/initialized') {\n    return null;\n  }\n\n  if (method === 'tools/list') {\n    return jsonRpcOk(id, { tools: TOOL_DESCRIPTORS });\n  }\n\n  if (method === 'tools/call') {\n    const toolName = params?.name;\n    const args = params?.arguments || {};\n\n    try {\n      let result: any;\n      switch (toolName) {\n        case 'get_guardrails': result = await handleGetGuardrails(args); break;\n        case 'create_guardrail': result = await handleCreateGuardrail(args); break;\n        case 'bulk_create_guardrails': result = await handleBulkCreateGuardrails(args); break;\n        case 'update_guardrail': result = await handleUpdateGuardrail(args); break;\n        case 'delete_guardrail': result = await handleDeleteGuardrail(args); break;\n        case 'list_guardrails': result = await handleListGuardrails(args); break;\n        case 'swap_ruleset': result = await handleSwapRuleset(args); break;\n        case 'toggle_silent_mode': result = await handleToggleSilentMode(args); break;\n        case 'scan_dependencies': result = await handleScanDependencies(args); break;\n        case 'exempt_path': result = await handleExemptPath(args); break;\n        case 'remove_exemption': result = await handleRemoveExemption(args); break;\n        case 'list_exemptions': result = await handleListExemptions(); break;\n        case 'list_findings': result = await handleListFindings(args); break;\n        case 'get_finding_detail': result = await handleGetFindingDetail(args); break;\n        case 'resolve_finding': result = await handleResolveFinding(args); break;\n        default: return jsonRpcError(id, -32601, `Unknown tool: ${toolName}`);\n      }\n      if (result?.content && Array.isArray(result.content)) {\n        return jsonRpcOk(id, result);\n      }\n      return jsonRpcOk(id, { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] });\n    } catch (err) {\n      console.error('[synkro] tool error:', err);\n      return jsonRpcOk(id, { content: [{ type: 'text', text: 'Internal error processing tool call' }], isError: true });\n    }\n  }\n\n  // \u2500\u2500\u2500 Dashboard REST-bridge methods \u2500\u2500\u2500\n  // Called by the local dashboard (not AI agents) to mutate rules.json directly.\n\n  if (method === 'dashboard.patch_policy') {\n    try {\n      const data = await readRules();\n      const policyId = params?.policy_id as string | undefined;\n      const policy = policyId\n        ? data.policies.find(p => p.id === policyId)\n        : getActivePolicy(data);\n      if (!policy) return jsonRpcError(id, -32602, `Policy not found: ${policyId}`);\n\n      if (params?.name !== undefined) {\n        policy.name = params.name;\n      }\n      if (params?.is_active !== undefined) {\n        policy.isActive = params.is_active;\n      }\n      // Bulk replace\n      if (Array.isArray(params?.rules)) {\n        policy.rules = params.rules;\n        policy.ruleCount = policy.rules.length;\n      }\n      // Individual updates by rule_id\n      if (Array.isArray(params?.rule_updates)) {\n        for (const upd of params.rule_updates) {\n          const rule = policy.rules.find(r => r.rule_id === upd.rule_id);\n          if (!rule) continue;\n          if (upd.text !== undefined) rule.text = upd.text;\n          if (upd.category !== undefined) rule.category = upd.category;\n          if (upd.severity !== undefined) rule.severity = upd.severity;\n          if (upd.mode !== undefined) rule.mode = upd.mode;\n          if (upd.hook_stage !== undefined) rule.hook_stage = upd.hook_stage;\n        }\n        policy.ruleCount = policy.rules.length;\n      }\n\n      await writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policy.id, rule_count: policy.ruleCount });\n    } catch (err) {\n      console.error('[synkro] dashboard.patch_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.create_policy') {\n    try {\n      const data = await readRules();\n      const name = (params?.name as string) || 'New Rule Set';\n      const allocId = ruleIdAllocator(data);\n      const rules: Rule[] = (params?.rules || []).map((r: any) => ({\n        rule_id: r.rule_id || allocId(),\n        text: r.text || '',\n        category: r.category || 'custom',\n        severity: r.severity || 'medium',\n        mode: r.mode || 'audit',\n        hook_stage: r.hook_stage || 'both',\n        scope: r.scope || 'user',\n      }));\n      const policy: Policy = {\n        id: `policy_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,\n        name,\n        rules,\n        ruleCount: rules.length,\n        scopeOwner: 'user',\n        isActive: true,\n      };\n      data.policies.push(policy);\n      await writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policy.id, name: policy.name });\n    } catch (err) {\n      console.error('[synkro] dashboard.create_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.delete_policy') {\n    try {\n      const data = await readRules();\n      const policyId = params?.policy_id as string | undefined;\n      const idx = policyId ? data.policies.findIndex(p => p.id === policyId) : -1;\n      if (idx === -1) return jsonRpcError(id, -32602, `Policy not found: ${policyId}`);\n\n      if (params?.hard === true) {\n        data.policies.splice(idx, 1);\n      } else {\n        data.policies[idx].isActive = false;\n      }\n      await writeRules(data);\n      emitRuleSync(data);\n      return jsonRpcOk(id, { ok: true, policy_id: policyId });\n    } catch (err) {\n      console.error('[synkro] dashboard.delete_policy error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  if (method === 'dashboard.list_policies') {\n    try {\n      const data = await readRules();\n      return jsonRpcOk(id, {\n        policies: data.policies.map(p => ({\n          id: p.id,\n          name: p.name,\n          rules: p.rules,\n          ruleCount: p.ruleCount,\n          isActive: p.isActive,\n          scopeOwner: p.scopeOwner,\n        })),\n        active_policy_id: data.config.activePolicyId,\n      });\n    } catch (err) {\n      console.error('[synkro] dashboard.list_policies error:', err);\n      return jsonRpcError(id, -32603, 'Internal error');\n    }\n  }\n\n  return jsonRpcError(id, -32601, `Unknown method: ${method}`);\n}\n\n// \u2500\u2500\u2500 REST Query Handlers (for dashboard) \u2500\u2500\u2500\n\nconst MODEL_PRICING: Record<string, { input: number; output: number }> = {\n  'claude-opus-4-6': { input: 15, output: 75 },\n  'claude-opus-4-7': { input: 15, output: 75 },\n  'claude-sonnet-4-6': { input: 3, output: 15 },\n  'claude-haiku-4-5-20251001': { input: 0.8, output: 4 },\n  'gpt-4o': { input: 2.5, output: 10 },\n  'gpt-4o-mini': { input: 0.15, output: 0.6 },\n  'gemini-2.5-flash': { input: 0.15, output: 0.6 },\n  'gemini-2.5-pro': { input: 1.25, output: 10 },\n};\n\nfunction estimateCost(model: string | null, inputTokens: number, outputTokens: number): number {\n  const pricing = MODEL_PRICING[model || ''] || MODEL_PRICING['claude-sonnet-4-6'];\n  return (inputTokens * pricing.input + outputTokens * pricing.output) / 1_000_000;\n}\n\nfunction camelify(row: any): any {\n  const out: any = {};\n  for (const [k, v] of Object.entries(row)) {\n    const camel = k.replace(/_([a-z])/g, (_, c) => c.toUpperCase());\n    out[k] = v;\n    if (camel !== k) out[camel] = v;\n  }\n  return out;\n}\n\nasync function restQueryChecks(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '7', 10);\n  const limit = Math.min(parseInt(params.get('limit') || '25', 10), 200);\n  const offset = parseInt(params.get('offset') || '0', 10);\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  const [rows, totalResult] = await Promise.all([\n    db.query(\n      `SELECT * FROM guard_checks WHERE created_at >= $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3`,\n      [cutoff, limit, offset]\n    ),\n    db.query<{ cnt: string }>(\n      `SELECT count(*) as cnt FROM guard_checks WHERE created_at >= $1`, [cutoff]\n    ),\n  ]);\n  return { checks: rows.rows.map(camelify), total: Number(totalResult.rows[0]?.cnt || 0) };\n}\n\nasync function restQueryViolations(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '7', 10);\n  const limit = Math.min(parseInt(params.get('limit') || '25', 10), 200);\n  const offset = parseInt(params.get('offset') || '0', 10);\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  const [rows, totalResult] = await Promise.all([\n    db.query(\n      `SELECT * FROM guard_violations WHERE created_at >= $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3`,\n      [cutoff, limit, offset]\n    ),\n    db.query<{ cnt: string }>(\n      `SELECT count(*) as cnt FROM guard_violations WHERE created_at >= $1`, [cutoff]\n    ),\n  ]);\n  return { violations: rows.rows.map(camelify), total: Number(totalResult.rows[0]?.cnt || 0) };\n}\n\nasync function restQueryTrajectories(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '7', 10);\n  const limit = Math.min(parseInt(params.get('limit') || '25', 10), 200);\n  const offset = parseInt(params.get('offset') || '0', 10);\n  const search = params.get('search') || '';\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  let whereClause = `WHERE created_at >= $1`;\n  const queryParams: any[] = [cutoff];\n  if (search) {\n    queryParams.push(`%${search}%`);\n    whereClause += ` AND (conversation_id ILIKE $${queryParams.length} OR user_message ILIKE $${queryParams.length})`;\n  }\n\n  queryParams.push(limit, offset);\n  const limitIdx = queryParams.length - 1;\n  const offsetIdx = queryParams.length;\n\n  const [rows, totalResult] = await Promise.all([\n    db.query(\n      `SELECT * FROM trajectories ${whereClause} ORDER BY created_at DESC LIMIT $${limitIdx} OFFSET $${offsetIdx}`,\n      queryParams\n    ),\n    db.query<{ cnt: string }>(\n      `SELECT count(*) as cnt FROM trajectories ${whereClause}`,\n      search ? [cutoff, `%${search}%`] : [cutoff]\n    ),\n  ]);\n\n  const mapped = rows.rows.map((r: any) => ({\n    ...camelify(r),\n    endUserName: r.end_user_id === 'local-user' ? 'local' : r.end_user_id || null,\n    hasViolation: r.passed !== 1,\n    passedCount: r.passed === 1 ? 1 : 0,\n    failedCount: r.passed === 1 ? 0 : 1,\n    stepCount: r.check_count,\n  }));\n  return { trajectories: mapped, total: Number(totalResult.rows[0]?.cnt || 0) };\n}\n\nasync function restQueryTrajectoryDetail(id: string): Promise<any> {\n  const trajResult = await db.query(\n    `SELECT * FROM trajectories WHERE id::text = $1 OR conversation_id = $1 LIMIT 1`,\n    [id]\n  );\n  const row = trajResult.rows[0];\n  if (!row) return null;\n\n  const trajectory = {\n    ...camelify(row),\n    endUserName: row.end_user_id === 'local-user' ? 'local' : row.end_user_id || null,\n    hasViolation: row.passed !== 1,\n  };\n\n  const checkIds: string[] = Array.isArray(row.check_ids) ? row.check_ids : [];\n  let checks: any[] = [];\n  if (checkIds.length > 0) {\n    const placeholders = checkIds.map((_, i) => `$${i + 1}`).join(', ');\n    const checksResult = await db.query(\n      `SELECT * FROM guard_checks WHERE id IN (${placeholders}) ORDER BY created_at ASC`,\n      checkIds\n    );\n    checks = checksResult.rows.map((r: any) => camelify(r));\n  }\n\n  return { trajectory, checks, external_traces: [], session_messages: null, session_usage: null };\n}\n\nasync function restQueryMetrics(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '7', 10);\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  const [checks, violations, usage, mechCategories] = await Promise.all([\n    db.query<{ cnt: string; passed_cnt: string }>(\n      `SELECT count(*) as cnt, count(*) FILTER (WHERE passed = 1) as passed_cnt FROM guard_checks WHERE created_at >= $1`, [cutoff]\n    ),\n    db.query<{ cnt: string }>(\n      `SELECT count(*) as cnt FROM guard_violations WHERE created_at >= $1`, [cutoff]\n    ),\n    db.query<{ total_input: string; total_output: string }>(\n      `SELECT COALESCE(sum(input_tokens), 0) as total_input, COALESCE(sum(output_tokens), 0) as total_output FROM usage_ticks WHERE created_at >= $1`, [cutoff]\n    ),\n    db.query<{ mechanism_category: string; cnt: string }>(\n      `SELECT mechanism_category, count(*) as cnt FROM guard_violations WHERE created_at >= $1 AND mechanism_category IS NOT NULL GROUP BY mechanism_category ORDER BY cnt DESC`, [cutoff]\n    ),\n  ]);\n\n  const totalChecks = Number(checks.rows[0]?.cnt || 0);\n  const passedChecks = Number(checks.rows[0]?.passed_cnt || 0);\n  const totalViolations = Number(violations.rows[0]?.cnt || 0);\n  const inputTokens = Number(usage.rows[0]?.total_input || 0);\n  const outputTokens = Number(usage.rows[0]?.total_output || 0);\n  const byMechanismCategory: Record<string, number> = {};\n  for (const row of mechCategories.rows) {\n    byMechanismCategory[row.mechanism_category] = Number(row.cnt);\n  }\n\n  return {\n    totalChecks,\n    passedChecks,\n    failedChecks: totalChecks - passedChecks,\n    totalViolations,\n    violationRate: totalChecks > 0 ? ((totalChecks - passedChecks) / totalChecks) * 100 : 0,\n    passRate: totalChecks > 0 ? passedChecks / totalChecks : 1,\n    byMechanismCategory,\n    inputTokens,\n    outputTokens,\n    estimatedCost: estimateCost(null, inputTokens, outputTokens),\n  };\n}\n\nasync function restQueryTrends(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '7', 10);\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  const result = await db.query<{ day: string; checks: string; violations: string; passed: string }>(\n    `SELECT date_trunc('day', created_at)::date::text as day,\n            count(*) as checks,\n            count(*) FILTER (WHERE passed = 0) as violations,\n            count(*) FILTER (WHERE passed = 1) as passed\n     FROM guard_checks WHERE created_at >= $1\n     GROUP BY date_trunc('day', created_at)\n     ORDER BY day`, [cutoff]\n  );\n\n  return { trends: result.rows.map(r => ({ date: r.day, checks: Number(r.checks), violations: Number(r.violations), passed: Number(r.passed) })) };\n}\n\nasync function restQueryFindings(params: URLSearchParams): Promise<any> {\n  const status = params.get('status') || '';\n  const findingType = params.get('finding_type') || '';\n  const severity = params.get('severity') || '';\n  const limit = Math.min(parseInt(params.get('limit') || '50', 10), 200);\n\n  const result = await db.query(\n    `SELECT * FROM (\n       SELECT DISTINCT ON (sf.finding_id, sf.file_path) sf.*, t.project_id AS repo\n       FROM scan_findings sf\n       LEFT JOIN trajectories t ON t.conversation_id = sf.session_id\n       WHERE ($1::text = '' OR sf.status = $1)\n         AND ($2::text = '' OR sf.finding_type = $2)\n         AND ($3::text = '' OR sf.severity = $3)\n       ORDER BY sf.finding_id, sf.file_path, sf.created_at DESC\n     ) d\n     ORDER BY created_at DESC NULLS LAST\n     LIMIT $4`,\n    [status, findingType, severity, limit]\n  );\n  const deduped = result.rows;\n\n  const summary = await db.query<{ status: string; cnt: string }>(\n    `SELECT status, count(*) as cnt FROM (\n       SELECT DISTINCT ON (finding_id, file_path) status FROM scan_findings ORDER BY finding_id, file_path, created_at DESC\n     ) d GROUP BY status`\n  );\n  const counts: Record<string, number> = {};\n  for (const r of summary.rows) counts[r.status] = Number(r.cnt);\n\n  return { findings: deduped.map(camelify), open: counts.open || 0, resolved: counts.resolved || 0, total: (counts.open || 0) + (counts.resolved || 0) };\n}\n\nasync function restQueryFindingsSummary(): Promise<any> {\n  const result = await db.query<{ status: string; severity: string; cnt: string }>(\n    `SELECT status, severity, count(*) as cnt FROM (\n       SELECT DISTINCT ON (finding_id, file_path) status, severity FROM scan_findings ORDER BY finding_id, file_path, created_at DESC\n     ) d GROUP BY status, severity`\n  );\n  const open = result.rows.filter(r => r.status === 'open');\n  const resolved = result.rows.filter(r => r.status === 'resolved');\n  const openCount = open.reduce((n, r) => n + Number(r.cnt), 0);\n  const resolvedCount = resolved.reduce((n, r) => n + Number(r.cnt), 0);\n  const total = openCount + resolvedCount;\n\n  const topResult = await db.query<{ finding_id: string; finding_type: string; cnt: string }>(\n    `SELECT finding_id, finding_type, count(*) as cnt FROM (\n       SELECT DISTINCT ON (finding_id, file_path) finding_id, finding_type FROM scan_findings WHERE status = 'open' ORDER BY finding_id, file_path, created_at DESC\n     ) d GROUP BY finding_id, finding_type ORDER BY cnt DESC LIMIT 10`\n  );\n\n  return {\n    total,\n    open: openCount,\n    resolved: resolvedCount,\n    exempted: 0,\n    resolution_rate: total > 0 ? Math.round((resolvedCount / total) * 100) : 0,\n    top_findings: topResult.rows.map(r => ({ finding_id: r.finding_id, finding_type: r.finding_type, count: Number(r.cnt) })),\n    by_severity: open.reduce((acc: Record<string, number>, r) => { acc[r.severity || 'unknown'] = (acc[r.severity || 'unknown'] || 0) + Number(r.cnt); return acc; }, {}),\n  };\n}\n\nasync function restQueryUsers(params: URLSearchParams): Promise<any> {\n  const days = parseInt(params.get('days') || '30', 10);\n  const cutoff = new Date(Date.now() - days * 86400000).toISOString();\n\n  const result = await db.query<{ end_user_id: string; checks: string; violations: string; last_seen: string }>(\n    `SELECT end_user_id, count(*) as checks,\n            count(*) FILTER (WHERE passed = 0) as violations,\n            max(created_at)::text as last_seen\n     FROM guard_checks WHERE created_at >= $1 AND end_user_id IS NOT NULL AND end_user_id != ''\n     GROUP BY end_user_id ORDER BY checks DESC`, [cutoff]\n  );\n\n  return { users: result.rows.map(r => ({ endUserId: r.end_user_id, checks: Number(r.checks), violations: Number(r.violations), lastSeen: r.last_seen })) };\n}\n\nasync function restQuerySearch(params: URLSearchParams): Promise<any> {\n  const query = params.get('query') || '';\n  const limit = Math.min(parseInt(params.get('limit') || '20', 10), 100);\n  if (!query) return { results: [] };\n\n  const pattern = `%${query}%`;\n  const result = await db.query(\n    `SELECT id::text, 'check' as type, messages as content, created_at FROM guard_checks WHERE messages ILIKE $1\n     UNION ALL\n     SELECT id::text, 'trajectory' as type, user_message as content, created_at FROM trajectories WHERE user_message ILIKE $1\n     ORDER BY created_at DESC LIMIT $2`,\n    [pattern, limit]\n  );\n  return { results: result.rows.map(camelify) };\n}\n\nasync function restQueryProjects(): Promise<any> {\n  const result = await db.query<{ project_id: string; checks: string; last_seen: string }>(\n    `SELECT project_id, count(*) as checks, max(created_at)::text as last_seen\n     FROM guard_checks WHERE project_id IS NOT NULL\n     GROUP BY project_id ORDER BY last_seen DESC`\n  );\n  return result.rows.map(r => ({ id: r.project_id, name: r.project_id, checks: Number(r.checks), lastSeen: r.last_seen }));\n}\n\n// \u2500\u2500\u2500 HTTP Server \u2500\u2500\u2500\n\nasync function reclassifyViolations(): Promise<{ total: number; classified: number }> {\n  if (!embedder) return { total: 0, classified: 0 };\n  const result = await db.query(`SELECT id, messages, verdicts, key, severity, interaction_type FROM guard_violations`);\n  let classified = 0;\n  for (const row of result.rows as any[]) {\n    let text = '';\n    try {\n      const msgs = typeof row.messages === 'string' ? JSON.parse(row.messages) : row.messages;\n      if (msgs?.command) text = msgs.command;\n      else if (msgs?.content) text = msgs.content;\n      else if (typeof msgs === 'string') text = msgs;\n    } catch {}\n    try {\n      const v = typeof row.verdicts === 'string' ? JSON.parse(row.verdicts) : row.verdicts;\n      if (v?.reasoning) text += ' ' + v.reasoning;\n    } catch {}\n    if (!text.trim()) continue;\n    const cat = await classifyText(text.slice(0, 1000));\n    if (cat) {\n      await db.query(\n        `UPDATE guard_violations SET mechanism_category = $1, classification_confidence = $2 WHERE id = $3`,\n        [cat.id + ': ' + cat.label, cat.confidence, row.id]\n      );\n      classified++;\n    }\n  }\n  return { total: result.rows.length, classified };\n}\n\n// \u2500\u2500\u2500 Grader Pool Dispatcher \u2500\u2500\u2500\n// Hooks POST to 8929 (general: bash/edit/plan) or 8930 (CWE). We round-robin\n// across N persistent claude workers per pool. Workers are managed by pueue \u2014\n// the dispatcher just picks the least-busy one and forwards the request.\n\ninterface Worker {\n  url: string;\n  inFlight: number;\n  sickUntil: number;\n}\n\n// Pool size is read from WORKERS_PER_POOL at boot. Defaults to 2 so the bare-\n// host install (which still ships exactly 2 cc_sessions per pool) keeps working\n// unchanged; the container's entrypoint overrides it via env var to match\n// whatever pool-config.sh just queued up.\nconst WORKERS_PER_POOL = Math.max(1, parseInt(process.env.WORKERS_PER_POOL || '2', 10));\nconst GENERAL_BASE_PORT = 8940;\nconst CWE_BASE_PORT = 8950;\n\nfunction buildPool(base: number, n: number): Worker[] {\n  const pool: Worker[] = [];\n  for (let i = 1; i <= n; i++) {\n    pool.push({ url: `http://127.0.0.1:${base + i}`, inFlight: 0, sickUntil: 0 });\n  }\n  return pool;\n}\n\nconst POOLS: Record<string, Worker[]> = {\n  general: buildPool(GENERAL_BASE_PORT, WORKERS_PER_POOL),\n  cwe: buildPool(CWE_BASE_PORT, WORKERS_PER_POOL),\n};\n\nfunction pickWorker(pool: Worker[]): Worker | null {\n  const now = Date.now();\n  const healthy = pool.filter(w => w.sickUntil <= now);\n  if (healthy.length === 0) return null;\n  return healthy.reduce((best, w) => (w.inFlight < best.inFlight ? w : best), healthy[0]);\n}\n\nasync function dispatchGrade(req: Request, pool: Worker[], path: string): Promise<Response> {\n  const body = req.method === 'POST' ? await req.text() : '';\n  const tried = new Set<string>();\n  const headers: Record<string, string> = {};\n  req.headers.forEach((v, k) => {\n    const lk = k.toLowerCase();\n    if (lk !== 'host' && lk !== 'connection' && lk !== 'content-length') headers[lk] = v;\n  });\n\n  for (let attempt = 0; attempt < pool.length; attempt++) {\n    const worker = pickWorker(pool);\n    if (!worker || tried.has(worker.url)) break;\n    tried.add(worker.url);\n    worker.inFlight++;\n    try {\n      const resp = await fetch(worker.url + path, {\n        method: req.method,\n        headers,\n        body: body || undefined,\n        signal: AbortSignal.timeout(60000),\n      });\n      worker.inFlight--;\n      if (resp.status >= 500) {\n        worker.sickUntil = Date.now() + 30000;\n        continue;\n      }\n      const respBody = await resp.text();\n      return new Response(respBody, {\n        status: resp.status,\n        headers: { 'Content-Type': resp.headers.get('content-type') || 'application/json' },\n      });\n    } catch {\n      worker.inFlight = Math.max(0, worker.inFlight - 1);\n      worker.sickUntil = Date.now() + 30000;\n    }\n  }\n  return new Response(JSON.stringify({ error: 'no healthy grader workers' }), {\n    status: 503,\n    headers: { 'Content-Type': 'application/json' },\n  });\n}\n\nfunction poolHealthSnapshot(name: string, pool: Worker[]) {\n  const now = Date.now();\n  return {\n    pool: name,\n    workers: pool.length,\n    healthy: pool.filter(w => w.sickUntil <= now).length,\n    pending: pool.reduce((s, w) => s + w.inFlight, 0),\n    detail: pool.map(w => ({\n      url: w.url,\n      inFlight: w.inFlight,\n      sickFor: w.sickUntil > now ? Math.round((w.sickUntil - now) / 1000) : 0,\n    })),\n  };\n}\n\nfunction startDispatcher(pool: Worker[], port: number, label: string): void {\n  Bun.serve({\n    port,\n    hostname: BIND_HOST,\n    async fetch(req) {\n      const url = new URL(req.url);\n      if (url.pathname === '/healthz' && req.method === 'GET') {\n        return Response.json(poolHealthSnapshot(label, pool));\n      }\n      if (url.pathname === '/submit' && req.method === 'POST') {\n        return dispatchGrade(req, pool, '/submit');\n      }\n      return dispatchGrade(req, pool, url.pathname + url.search);\n    },\n  });\n  console.log(`[synkro] grader dispatcher (${label}) on http://127.0.0.1:${port} \u2192 ${pool.map(w => w.url).join(', ')}`);\n}\n\nasync function startServer(): Promise<void> {\n  await initDb();\n  startDispatcher(POOLS.general, 8929, 'general');\n  startDispatcher(POOLS.cwe, 8930, 'cwe');\n  console.log(`[synkro] Postgres wire-protocol on postgresql://postgres@127.0.0.1:${PG_SOCKET_PORT}/postgres?sslmode=disable`);\n  initEmbedder().then(async () => {\n    if (!embedder) return;\n    const stats = await reclassifyViolations().catch(() => null);\n    if (stats) console.log(`[synkro] Reclassified ${stats.classified}/${stats.total} violations with ASI categories`);\n  });\n\n  const server = Bun.serve({\n    port: PORT,\n    hostname: BIND_HOST,\n    async fetch(req) {\n      const origin = req.headers.get('origin') || '';\n      const allowedOrigin = /^https?:\\/\\/(localhost|127\\.0\\.0\\.1)(:\\d+)?$/.test(origin) ? origin : 'http://localhost:4322';\n      const cors = { 'Access-Control-Allow-Origin': allowedOrigin, 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, Authorization' };\n      const url = new URL(req.url);\n      const path = url.pathname;\n\n      if (req.method === 'OPTIONS') {\n        return new Response('', { status: 204, headers: cors });\n      }\n\n      // Health check (unauthenticated)\n      if (req.method === 'GET' && (path === '/' || path === '/health')) {\n        return Response.json({ name: 'synkro-guardrails-local', version: '2.0.0', status: 'ok' }, { headers: cors });\n      }\n\n      // POST /api/local/reclassify \u2014 reclassify all violations using OWASP embeddings\n      if (req.method === 'POST' && path === '/api/local/reclassify') {\n        if (!embedder) return Response.json({ error: 'Embedding model not loaded yet' }, { status: 503, headers: cors });\n        const result = await reclassifyViolations();\n        return Response.json(result, { headers: cors });\n      }\n\n      // GET /api/local/* \u2014 no Bearer required (server bound to 127.0.0.1 only)\n      if (req.method === 'GET' && path.startsWith('/api/local/')) {\n        if (path === '/api/local/checks') return Response.json(await restQueryChecks(url.searchParams), { headers: cors });\n        if (path === '/api/local/violations') return Response.json(await restQueryViolations(url.searchParams), { headers: cors });\n        if (path === '/api/local/trajectories') return Response.json(await restQueryTrajectories(url.searchParams), { headers: cors });\n        const trajDetailMatch = path.match(/^\\/api\\/local\\/trajectories\\/([^/]+)$/);\n        if (trajDetailMatch) {\n          const detail = await restQueryTrajectoryDetail(decodeURIComponent(trajDetailMatch[1]));\n          if (detail) return Response.json(detail, { headers: cors });\n          return Response.json({ error: 'Not found' }, { status: 404, headers: cors });\n        }\n        if (path === '/api/local/metrics') return Response.json(await restQueryMetrics(url.searchParams), { headers: cors });\n        if (path === '/api/local/trends') return Response.json(await restQueryTrends(url.searchParams), { headers: cors });\n        if (path === '/api/local/findings/summary') return Response.json(await restQueryFindingsSummary(), { headers: cors });\n        if (path === '/api/local/findings') return Response.json(await restQueryFindings(url.searchParams), { headers: cors });\n        if (path === '/api/local/users') return Response.json(await restQueryUsers(url.searchParams), { headers: cors });\n        if (path === '/api/local/search') return Response.json(await restQuerySearch(url.searchParams), { headers: cors });\n        if (path === '/api/local/projects') return Response.json(await restQueryProjects(), { headers: cors });\n        if (path === '/api/local/hook-config') {\n          const data = await readRules();\n          const policy = data.policies.find(p => p.id === data.config.activePolicyId) || data.policies[0] || null;\n          return Response.json({\n            policy: policy ? { id: policy.id, name: policy.name, rules: policy.rules } : null,\n            silent: data.config.silent,\n            scan_exemptions: data.scanExemptions,\n          }, { headers: cors });\n        }\n        return Response.json({ error: 'Not found' }, { status: 404, headers: cors });\n      }\n\n      // \u2500\u2500\u2500 REST: Reclassify violations with OWASP LLM categories \u2500\u2500\u2500\n      if (req.method === 'POST' && path === '/api/local/reclassify') {\n        try {\n          const stats = await reclassifyViolations();\n          return Response.json({ ok: true, ...stats }, { headers: cors });\n        } catch (e) {\n          return Response.json({ error: String(e) }, { status: 500, headers: cors });\n        }\n      }\n\n      // \u2500\u2500\u2500 REST: Migrate rows from IndexedDB (no auth \u2014 localhost-only, one-time migration) \u2500\u2500\u2500\n      if (req.method === 'POST' && path === '/api/migrate/rows') {\n        const ALLOWED_COLS: Record<string, Set<string>> = {\n          guard_checks: new Set(['id','project_id','org_id','policy_id','trace_id','passed','score','rule_count','rule_ids_checked','model','interaction_type','skill_name','tool_names','guard_mode','messages','verdicts','rule_similarities','sentiment_score','sentiment_label','operation_type','conversation_id','trajectory_id','end_user_id','reasoning_content','cve_findings','judge_context','provider','input_tokens','output_tokens','total_tokens','cost_usd','content_redacted','updated_at','created_at']),\n          guard_violations: new Set(['id','user_id','org_id','policy_id','end_user_id','project_id','run_id','trajectory_id','key','score','value','comment','rules_violated','rule_ids_violated','issues','severity','latency_ms','messages','verdicts','model','guard_mode','interaction_type','tool_names','skill_name','passed','conversation_id','mechanism_category','business_category','classification_confidence','content_redacted','updated_at','created_at']),\n          trajectories: new Set(['id','project_id','org_id','conversation_id','check_ids','check_count','preamble','user_message','final_response','status','passed','score','verdicts','rule_ids_checked','rule_ids_violated','severity','model','provider','input_tokens','output_tokens','total_tokens','cost_usd','interaction_type','operation_type','end_user_id','policy_id','topic_label','started_at','completed_at','created_at']),\n          usage_ticks: new Set(['id','session_id','model','input_tokens','output_tokens','cache_creation_tokens','cache_read_tokens','created_at']),\n          scan_findings: new Set(['id','session_id','file_path','finding_type','finding_id','severity','status','detail','description','package_name','package_version','fixed_version','aliases','references','cwe_name','resolved_at','created_at']),\n        };\n        try {\n          const body = await req.json() as any;\n          const table = body.table;\n          const rows = Array.isArray(body.rows) ? body.rows : [];\n          const allowedCols = ALLOWED_COLS[table];\n          if (!allowedCols) {\n            return Response.json({ error: 'invalid table' }, { status: 400, headers: cors });\n          }\n          let inserted = 0;\n          for (const row of rows.slice(0, 2000)) {\n            try {\n              const cols = Object.keys(row).filter(k => allowedCols.has(k) && row[k] !== undefined && row[k] !== null);\n              if (!cols.length) continue;\n              const placeholders = cols.map((_, i) => `$${i + 1}`).join(', ');\n              const colNames = cols.map(c => c === 'references' ? '\"references\"' : c).join(', ');\n              const values = cols.map(k => {\n                const v = row[k];\n                if (Array.isArray(v)) return v;\n                if (typeof v === 'object' && v !== null) return JSON.stringify(v);\n                return v;\n              });\n              await db.query(`INSERT INTO ${table} (${colNames}) VALUES (${placeholders}) ON CONFLICT DO NOTHING`, values);\n              inserted++;\n            } catch {}\n          }\n          return Response.json({ ok: true, inserted }, { headers: cors });\n        } catch (e) {\n          return Response.json({ error: String(e) }, { status: 400, headers: cors });\n        }\n      }\n\n      // Auth check for POST routes (ingest, JSON-RPC)\n      const authHeader = req.headers.get('authorization') || '';\n      const bearer = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';\n      if (bearer !== SERVER_TOKEN) {\n        return Response.json({ error: 'Unauthorized' }, { status: 401, headers: cors });\n      }\n\n      // \u2500\u2500\u2500 REST: Ingest \u2500\u2500\u2500\n      if (req.method === 'POST' && path === '/api/ingest') {\n        try {\n          const body = await req.json() as any;\n          await ingestEvent(body.data || body);\n          return Response.json({ ok: true }, { headers: cors });\n        } catch (e) {\n          return Response.json({ error: String(e) }, { status: 400, headers: cors });\n        }\n      }\n\n      if (req.method === 'POST' && path === '/api/ingest/batch') {\n        try {\n          const body = await req.json() as any;\n          const events = Array.isArray(body) ? body : (body.events || []);\n          let ingested = 0;\n          for (const evt of events.slice(0, 500)) {\n            try { await ingestEvent(evt.data || evt); ingested++; } catch {}\n          }\n          return Response.json({ ok: true, ingested }, { headers: cors });\n        } catch (e) {\n          return Response.json({ error: String(e) }, { status: 400, headers: cors });\n        }\n      }\n\n      // \u2500\u2500\u2500 JSON-RPC (MCP protocol) \u2500\u2500\u2500\n      if (req.method === 'POST') {\n        const raw = await req.arrayBuffer();\n        if (raw.byteLength > MAX_BODY_BYTES) {\n          return Response.json(jsonRpcError(null, -32600, 'Request too large'), { status: 413, headers: cors });\n        }\n        return serialized(async () => {\n          try {\n            const body = JSON.parse(new TextDecoder().decode(raw));\n            const result = await handleRpc(body);\n            if (result === null) return new Response('', { status: 204, headers: cors });\n            return Response.json(result, { headers: cors });\n          } catch {\n            return Response.json(jsonRpcError(null, -32700, 'Parse error'), { status: 400, headers: cors });\n          }\n        });\n      }\n\n      return new Response('Not found', { status: 404, headers: cors });\n    },\n  });\n\n  console.log(`[synkro] local MCP server listening on http://127.0.0.1:${server.port}`);\n}\n\nasync function shutdown() {\n  try { await db?.end(); } catch {}\n  process.exit(0);\n}\nprocess.on('SIGINT', shutdown);\nprocess.on('SIGTERM', shutdown);\n\nstartServer().catch(err => {\n  console.error('[synkro] Failed to start server:', err);\n  process.exit(1);\n});\n", "utf-8");
-  writeFileSync8(pgliteDbPath, "#!/usr/bin/env bun\n/**\n * Standalone PGlite data server.\n *\n * Owns the local Postgres datadir at ~/.synkro/pgdata and exposes the\n * Postgres wire protocol on 127.0.0.1:5433. The MCP server connects as\n * a normal pg client. This is the only writer process for pgdata.\n *\n * Lifecycle: starts PGlite, loads vector extension, then prints \"READY\"\n * to stdout so the parent can wait for it before opening a pool.\n */\n\nimport { homedir } from 'node:os';\nimport { join } from 'node:path';\nimport { mkdirSync } from 'node:fs';\nimport { PGlite } from '@electric-sql/pglite';\nimport { PGLiteSocketServer } from '@electric-sql/pglite-socket';\nimport { vector } from '@electric-sql/pglite/vector';\n\nconst HOME = homedir();\nconst PGDATA_PATH = process.env.SYNKRO_PGDATA_PATH || join(HOME, '.synkro', 'pgdata');\nconst PORT = parseInt(process.env.SYNKRO_PG_PORT || '5433', 10);\nconst BIND_HOST = process.env.SYNKRO_BIND_HOST || '127.0.0.1';\n\nlet db: PGlite | null = null;\nlet socketServer: PGLiteSocketServer | null = null;\n\nasync function main(): Promise<void> {\n  mkdirSync(join(HOME, '.synkro'), { recursive: true });\n\n  db = new PGlite(PGDATA_PATH, { extensions: { vector } });\n  await db.waitReady;\n\n  socketServer = new PGLiteSocketServer({ db, port: PORT, host: BIND_HOST });\n  (socketServer as any).on?.('error', (err: unknown) => {\n    process.stderr.write(`[pglite-db] socket error: ${String(err).slice(0, 200)}\\n`);\n  });\n  await socketServer.start();\n\n  process.stdout.write(`READY postgresql://postgres@127.0.0.1:${PORT}/postgres?sslmode=disable\\n`);\n}\n\nasync function shutdown(): Promise<void> {\n  try { await socketServer?.stop(); } catch {}\n  try { await db?.close(); } catch {}\n  process.exit(0);\n}\n\nprocess.on('SIGINT', shutdown);\nprocess.on('SIGTERM', shutdown);\n\nmain().catch(err => {\n  process.stderr.write(`[pglite-db] failed to start: ${err instanceof Error ? err.stack || err.message : JSON.stringify(err)}\\n`);\n  process.exit(1);\n});\n", "utf-8");
-  writeFileSync8(mcpStdioProxyPath, MCP_STDIO_PROXY_SRC, "utf-8");
-  chmodSync3(bashScriptPath, 493);
-  chmodSync3(bashFollowupScriptPath, 493);
-  chmodSync3(editPrecheckScriptPath, 493);
-  chmodSync3(cwePrecheckScriptPath, 493);
-  chmodSync3(cvePrecheckScriptPath, 493);
-  chmodSync3(planJudgeScriptPath, 493);
-  chmodSync3(agentJudgeScriptPath, 493);
-  chmodSync3(stopSummaryScriptPath, 493);
-  chmodSync3(sessionStartScriptPath, 493);
-  chmodSync3(transcriptSyncScriptPath, 493);
-  chmodSync3(userPromptSubmitScriptPath, 493);
-  chmodSync3(commonScriptPath, 493);
-  chmodSync3(commonBashScriptPath, 493);
-  chmodSync3(cursorBashJudgePath, 493);
-  chmodSync3(cursorEditCapturePath, 493);
-  chmodSync3(mcpLocalServerPath, 493);
-  chmodSync3(pgliteDbPath, 493);
-  chmodSync3(mcpStdioProxyPath, 493);
-  return {
-    bashScript: bashScriptPath,
-    bashFollowupScript: bashFollowupScriptPath,
-    editPrecheckScript: editPrecheckScriptPath,
-    cwePrecheckScript: cwePrecheckScriptPath,
-    cvePrecheckScript: cvePrecheckScriptPath,
-    planJudgeScript: planJudgeScriptPath,
-    agentJudgeScript: agentJudgeScriptPath,
-    stopSummaryScript: stopSummaryScriptPath,
-    sessionStartScript: sessionStartScriptPath,
-    transcriptSyncScript: transcriptSyncScriptPath,
-    userPromptSubmitScript: userPromptSubmitScriptPath,
-    cursorBashJudgeScript: cursorBashJudgePath,
-    cursorEditCaptureScript: cursorEditCapturePath,
-    mcpLocalServerScript: mcpLocalServerPath
-  };
-}
-function sanitizeConfigValue(raw, maxLen = 256) {
-  if (!raw) return "";
-  return raw.replace(/[^\x20-\x7E]/g, "").slice(0, maxLen);
-}
-function shellQuoteSingle(value) {
-  return `'${value.replace(/'/g, "'\\''")}'`;
-}
-function resolveSynkroBundle() {
-  const scriptPath = process.argv[1];
-  if (scriptPath && existsSync12(scriptPath)) return scriptPath;
-  return null;
-}
-function writeConfigEnv(opts) {
-  const credsPath = join12(SYNKRO_DIR4, "credentials.json");
-  const safeGateway = sanitizeConfigValue(opts.gatewayUrl);
-  const safeUserId = sanitizeConfigValue(opts.userId);
-  const safeOrgId = sanitizeConfigValue(opts.orgId);
-  const safeEmail = sanitizeConfigValue(opts.email);
-  const safeTier = sanitizeConfigValue(opts.tier ?? "pro", 32);
-  const safeInference = sanitizeConfigValue(opts.inference ?? "fast", 16);
-  const safeSynkroBin = sanitizeConfigValue(opts.synkroBin ?? "", 1024);
-  const lines = [
-    "# Synkro CLI config (managed by synkro install)",
-    "# JWT auth \u2014 the hook scripts read SYNKRO_CREDENTIALS_PATH at runtime",
-    "# and send Authorization: Bearer <access_token> on every gateway call.",
-    `SYNKRO_GATEWAY_URL=${shellQuoteSingle(safeGateway)}`,
-    `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
-    `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
-    `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.87")}`
-  ];
-  if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
-  if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
-  if (safeOrgId) lines.push(`SYNKRO_ORG_ID=${shellQuoteSingle(safeOrgId)}`);
-  if (safeEmail) lines.push(`SYNKRO_EMAIL=${shellQuoteSingle(safeEmail)}`);
-  if (opts.transcriptConsent !== void 0) {
-    lines.push(`SYNKRO_TRANSCRIPT_CONSENT=${shellQuoteSingle(opts.transcriptConsent ? "yes" : "no")}`);
-  }
-  lines.push(`SYNKRO_LOCAL_INFERENCE=${shellQuoteSingle(opts.localInference ? "yes" : "no")}`);
-  const safeMode = sanitizeConfigValue(opts.deploymentMode ?? "bare-host", 16);
-  lines.push(`SYNKRO_DEPLOYMENT_MODE=${shellQuoteSingle(safeMode)}`);
-  lines.push("");
-  writeFileSync8(CONFIG_PATH3, lines.join("\n"), "utf-8");
-  chmodSync3(CONFIG_PATH3, 384);
-}
-function resolveDeploymentMode() {
-  const envOverride = process.env.SYNKRO_DEPLOYMENT_MODE;
-  if (envOverride) return envOverride.toLowerCase();
-  try {
-    if (existsSync12(CONFIG_PATH3)) {
-      const m = readFileSync10(CONFIG_PATH3, "utf-8").match(/^SYNKRO_DEPLOYMENT_MODE='([^']*)'/m);
-      if (m && m[1]) return m[1].toLowerCase();
-    }
-  } catch {
-  }
-  return "bare-host";
-}
-function updateLocalInferenceFlag(enabled) {
-  if (!existsSync12(CONFIG_PATH3)) return;
-  let content = readFileSync10(CONFIG_PATH3, "utf-8");
-  const flag = enabled ? "yes" : "no";
-  if (content.includes("SYNKRO_LOCAL_INFERENCE=")) {
-    content = content.replace(/^SYNKRO_LOCAL_INFERENCE='[^']*'/m, `SYNKRO_LOCAL_INFERENCE='${flag}'`);
-  } else {
-    content = content.trimEnd() + `
-SYNKRO_LOCAL_INFERENCE='${flag}'
-`;
-  }
-  writeFileSync8(CONFIG_PATH3, content, "utf-8");
-}
-function collectLocalMetadata() {
-  const meta = { platform: process.platform };
-  try {
-    meta.display_name = execSync5("git config user.name", { encoding: "utf-8", timeout: 3e3 }).trim();
-  } catch {
-  }
-  try {
-    const remote = execSync5("git remote get-url origin", { encoding: "utf-8", timeout: 3e3 }).trim();
-    const sshMatch = remote.match(/^git@[^:]+:(.+?)(?:\.git)?$/);
-    const httpMatch = remote.match(/^https?:\/\/[^/]+\/(.+?)(?:\.git)?$/);
-    const m = sshMatch || httpMatch;
-    if (m) meta.active_repo = m[1];
-  } catch {
-  }
-  try {
-    meta.cc_version = execSync5("claude --version", { encoding: "utf-8", timeout: 5e3 }).trim().split("\n")[0];
-  } catch {
-  }
-  const claudeDir = join12(homedir12(), ".claude");
-  try {
-    const settings = JSON.parse(readFileSync10(join12(claudeDir, "settings.json"), "utf-8"));
-    const plugins = Object.keys(settings.enabledPlugins ?? {}).filter((k) => settings.enabledPlugins[k]);
-    if (plugins.length) meta.enabled_plugins = plugins;
-    if (settings.permissions?.defaultMode) meta.permissions_mode = settings.permissions.defaultMode;
-  } catch {
-  }
-  try {
-    const mcpCache = JSON.parse(readFileSync10(join12(claudeDir, "mcp-needs-auth-cache.json"), "utf-8"));
-    const mcpNames = Object.keys(mcpCache);
-    if (mcpNames.length) meta.mcp_servers = mcpNames;
-  } catch {
-  }
-  try {
-    const mcpList = execSync5("claude mcp list 2>/dev/null", { encoding: "utf-8", timeout: 1e4 });
-    const connected = mcpList.split("\n").filter((l) => l.includes("Connected")).map((l) => l.split(":")[0].trim()).filter(Boolean);
-    if (connected.length) meta.mcp_servers_connected = connected;
-  } catch {
-  }
-  try {
-    const sessionsDir = join12(claudeDir, "sessions");
-    const files = readdirSync(sessionsDir).filter((f) => f.endsWith(".json")).slice(-5);
-    for (const f of files) {
-      const s = JSON.parse(readFileSync10(join12(sessionsDir, f), "utf-8"));
-      if (s.version) {
-        meta.cc_version = meta.cc_version || s.version;
-        break;
-      }
-    }
-  } catch {
-  }
-  return meta;
+  } catch {
+  }
+  return meta;
 }
 async function fetchUserProfile(gatewayUrl, token) {
   try {
@@ -6852,20 +5769,20 @@ function assertGatewayAllowed(gatewayUrl) {
 }
 function isAlreadyInstalled() {
   const requiredScripts = [
-    join12(HOOKS_DIR, "cc-bash-judge.ts"),
-    join12(HOOKS_DIR, "cc-bash-followup.ts"),
-    join12(HOOKS_DIR, "cc-edit-precheck.ts"),
-    join12(HOOKS_DIR, "cc-cve-precheck.ts"),
-    join12(HOOKS_DIR, "cc-plan-judge.ts"),
-    join12(HOOKS_DIR, "cc-stop-summary.ts"),
-    join12(HOOKS_DIR, "cc-session-start.ts")
+    join8(HOOKS_DIR, "cc-bash-judge.ts"),
+    join8(HOOKS_DIR, "cc-bash-followup.ts"),
+    join8(HOOKS_DIR, "cc-edit-precheck.ts"),
+    join8(HOOKS_DIR, "cc-cve-precheck.ts"),
+    join8(HOOKS_DIR, "cc-plan-judge.ts"),
+    join8(HOOKS_DIR, "cc-stop-summary.ts"),
+    join8(HOOKS_DIR, "cc-session-start.ts")
   ];
-  if (!requiredScripts.every((p) => existsSync12(p))) return false;
-  if (!existsSync12(CONFIG_PATH3)) return false;
-  const settingsPath = join12(homedir12(), ".claude", "settings.json");
-  if (!existsSync12(settingsPath)) return false;
+  if (!requiredScripts.every((p) => existsSync9(p))) return false;
+  if (!existsSync9(CONFIG_PATH2)) return false;
+  const settingsPath = join8(homedir8(), ".claude", "settings.json");
+  if (!existsSync9(settingsPath)) return false;
   try {
-    const settings = JSON.parse(readFileSync10(settingsPath, "utf-8"));
+    const settings = JSON.parse(readFileSync7(settingsPath, "utf-8"));
     const hooks = settings?.hooks;
     if (!hooks || typeof hooks !== "object") return false;
     const hasManaged = (kind) => Array.isArray(hooks[kind]) && hooks[kind].some((entry) => entry?.__synkro_managed__ === true);
@@ -6878,226 +5795,6 @@ function isAlreadyInstalled() {
   }
   return true;
 }
-function printChannelDiagnostics() {
-  try {
-    const tmuxCheck = spawnSync5("tmux", ["has-session", "-t", "synkro-local-cc"], { encoding: "utf-8" });
-    console.warn(`    tmux session: ${tmuxCheck.status === 0 ? "running" : "not running"}`);
-    const pueueTask = findTask();
-    console.warn(`    pueue task: ${pueueTask ? `id=${pueueTask.id} status=${pueueTask.status}` : "not found"}`);
-    const bunCheck = spawnSync5("bun", ["--version"], { encoding: "utf-8" });
-    console.warn(`    bun: ${bunCheck.status === 0 ? bunCheck.stdout.trim() : "not found"}`);
-    const claudeCheck = spawnSync5("claude", ["--version"], { encoding: "utf-8" });
-    console.warn(`    claude: ${claudeCheck.status === 0 ? claudeCheck.stdout.trim().split("\n")[0] : "not found"}`);
-    if (pueueTask) {
-      const logs = tailLogs(15);
-      if (logs && logs !== "(no output)") {
-        console.warn(`    pueue logs (last 15 lines):`);
-        for (const line of logs.split("\n").slice(0, 15)) {
-          console.warn(`      ${line}`);
-        }
-      }
-    }
-    const logPath = join12(homedir12(), ".synkro", "cc_sessions", "run-claude.log");
-    if (existsSync12(logPath)) {
-      const logContent = readFileSync10(logPath, "utf-8").trim().split("\n").slice(-10);
-      console.warn(`    run-claude.log:`);
-      for (const line of logContent) console.warn(`      ${line}`);
-    }
-  } catch {
-  }
-  console.warn(`    Run \`synkro local-cc status\` and \`synkro local-cc logs --tmux\` to debug.`);
-}
-async function backfillLocalRules(gatewayUrl, token) {
-  if (existsSync12(RULES_PATH)) {
-    console.log("  Local rules already exist \u2014 skipping cloud backfill.");
-    return;
-  }
-  try {
-    const resp = await fetch(`${gatewayUrl}/api/v1/hook/config`, {
-      headers: { "Authorization": `Bearer ${token}` },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (!resp.ok) {
-      console.log("  No cloud rules to backfill.");
-      return;
-    }
-    const data = await resp.json();
-    const rules = (data.rules || []).map((r) => ({
-      rule_id: r.rule_id || `r_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
-      text: r.text || "",
-      category: r.category || "custom",
-      severity: r.severity || "medium",
-      mode: r.mode || "blocking",
-      hook_stage: r.hook_stage || "both",
-      scope: r.scope || "user"
-    }));
-    const policyName = data.active_policy_name || "My Rules";
-    const policyId = data.active_policy_id || "local-policy";
-    const scanExemptions = (data.scan_exemptions || []).filter((e) => e && typeof e.path === "string").map((e) => ({ path: e.path, cwe_id: e.cwe_id || "", reason: e.reason }));
-    const silent = data.silent_mode === true || data.silent_mode === "true";
-    const rulesFile = {
-      policies: [{
-        id: policyId,
-        name: policyName,
-        rules,
-        ruleCount: rules.length,
-        scopeOwner: "user",
-        isActive: true
-      }],
-      config: { silent, activePolicyId: policyId },
-      scanExemptions
-    };
-    const tmp = RULES_PATH + ".tmp";
-    writeFileSync8(tmp, JSON.stringify(rulesFile, null, 2) + "\n", "utf-8");
-    renameSync5(tmp, RULES_PATH);
-    console.log(`  Backfilled ${rules.length} rules from cloud to ~/.synkro/rules.json`);
-  } catch (err) {
-    console.warn(`  \u26A0 Cloud backfill failed: ${err.message}`);
-  }
-}
-async function installMcpDependencies() {
-  const pkgJsonPath = join12(SYNKRO_DIR4, "package.json");
-  const requiredDeps = {
-    "@electric-sql/pglite": "^0.4.0",
-    "@electric-sql/pglite-socket": "^0.1.0",
-    "pg": "^8.13.1"
-  };
-  let needsInstall = false;
-  if (existsSync12(pkgJsonPath)) {
-    try {
-      const existing = JSON.parse(readFileSync10(pkgJsonPath, "utf-8"));
-      const deps = existing.dependencies || {};
-      for (const [name] of Object.entries(requiredDeps)) {
-        if (!deps[name]) {
-          needsInstall = true;
-          break;
-        }
-      }
-    } catch {
-      needsInstall = true;
-    }
-  } else {
-    needsInstall = true;
-  }
-  if (needsInstall) {
-    const pkg = { name: "synkro-local", private: true, dependencies: requiredDeps };
-    writeFileSync8(pkgJsonPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
-    console.log("  Installing PGLite dependencies...");
-    const { execSync: execSync6 } = await import("child_process");
-    try {
-      execSync6("bun install --no-save", { cwd: SYNKRO_DIR4, stdio: "pipe", timeout: 3e4 });
-      console.log("  PGLite dependencies installed.");
-    } catch (e) {
-      console.warn("  \u26A0 Failed to install PGLite deps:", String(e).slice(0, 100));
-    }
-  }
-}
-async function startLocalPgliteDb() {
-  const script = join12(HOOKS_DIR, "pglite-db.ts");
-  if (!existsSync12(script)) {
-    console.warn("  \u26A0 pglite-db script not found \u2014 skipping.");
-    return;
-  }
-  try {
-    const sock = await new Promise((resolve3) => {
-      const s = __require("net").connect(PGLITE_PORT, "127.0.0.1");
-      s.once("connect", () => {
-        s.destroy();
-        resolve3(true);
-      });
-      s.once("error", () => {
-        s.destroy();
-        resolve3(false);
-      });
-      s.setTimeout(500, () => {
-        s.destroy();
-        resolve3(false);
-      });
-    });
-    if (sock) {
-      console.log(`  pglite-db already running on port ${PGLITE_PORT}`);
-      return;
-    }
-  } catch {
-  }
-  const proc = spawn2("bun", ["run", script], {
-    stdio: "ignore",
-    detached: true,
-    env: { ...process.env, SYNKRO_PG_PORT: String(PGLITE_PORT) }
-  });
-  proc.unref();
-  for (let i = 0; i < 50; i++) {
-    await new Promise((r) => setTimeout(r, 200));
-    const up = await new Promise((resolve3) => {
-      const s = __require("net").connect(PGLITE_PORT, "127.0.0.1");
-      s.once("connect", () => {
-        s.destroy();
-        resolve3(true);
-      });
-      s.once("error", () => {
-        s.destroy();
-        resolve3(false);
-      });
-      s.setTimeout(300, () => {
-        s.destroy();
-        resolve3(false);
-      });
-    });
-    if (up) {
-      console.log(`  pglite-db started on port ${PGLITE_PORT}`);
-      return;
-    }
-  }
-  console.warn(`  \u26A0 pglite-db did not start within 10s \u2014 MCP server will retry.`);
-}
-async function startLocalMcpServer() {
-  const serverScript = join12(HOOKS_DIR, "mcp-local-server.ts");
-  if (!existsSync12(serverScript)) {
-    console.warn("  \u26A0 Local MCP server script not found \u2014 skipping.");
-    return;
-  }
-  await installMcpDependencies();
-  await startLocalPgliteDb();
-  try {
-    const probe = await fetch(`http://127.0.0.1:${MCP_LOCAL_PORT}/`, { signal: AbortSignal.timeout(1e3) });
-    if (probe.ok) {
-      console.log("  Restarting local MCP server to pick up new credentials...");
-      try {
-        const { execSync: execSync6 } = await import("child_process");
-        const selfPid = process.pid;
-        const pids = execSync6(`lsof -ti :${MCP_LOCAL_PORT}`, { encoding: "utf-8" }).trim();
-        for (const pid of pids.split("\n").filter(Boolean)) {
-          const n = parseInt(pid, 10);
-          if (n === selfPid) continue;
-          try {
-            process.kill(n, "SIGTERM");
-          } catch {
-          }
-        }
-        await new Promise((r) => setTimeout(r, 500));
-      } catch {
-      }
-    }
-  } catch {
-  }
-  const proc = spawn2("bun", ["run", serverScript], {
-    stdio: "ignore",
-    detached: true
-  });
-  proc.unref();
-  for (let i = 0; i < 25; i++) {
-    await new Promise((r) => setTimeout(r, 200));
-    try {
-      const probe = await fetch(`http://127.0.0.1:${MCP_LOCAL_PORT}/`, { signal: AbortSignal.timeout(500) });
-      if (probe.ok) {
-        console.log(`  Local MCP server started on port ${MCP_LOCAL_PORT}`);
-        return;
-      }
-    } catch {
-    }
-  }
-  console.warn(`  \u26A0 Local MCP server did not start within 5s \u2014 it may need to be started manually.`);
-}
 async function installCommand(opts = {}) {
   const gatewayUrl = opts.gatewayUrl || sanitizeGatewayCandidate(process.env.SYNKRO_GATEWAY_URL) || "https://api.synkro.sh";
   try {
@@ -7125,50 +5822,8 @@ async function installCommand(opts = {}) {
       } catch {
       }
     }
-    const token2 = getAccessToken();
-    if (token2) {
-      const profile2 = await fetchUserProfile(gatewayUrl, token2);
-      if (profile2.localInference && !isLocalCCEnabled()) {
-        console.log("Local inference enabled \u2014 setting up local-CC channels...");
-        try {
-          assertClaudeInstalled();
-          assertPueueInstalled();
-          assertTmuxInstalled();
-          stopTask();
-          stopTask(CHANNEL_SECONDARY);
-          stopTask(CHANNEL_TERTIARY);
-          stopTask(CHANNEL_QUATERNARY);
-          installLocalCC();
-          const t1 = startTask();
-          const t2 = startTask({ channel: CHANNEL_SECONDARY });
-          const t3 = startTask({ channel: CHANNEL_TERTIARY });
-          const t4 = startTask({ channel: CHANNEL_QUATERNARY });
-          console.log(`  general pool: pueue id=${t1.id},${t3.id}  CWE pool: pueue id=${t2.id},${t4.id}`);
-          console.log("  Waiting for all 4 workers...");
-          const [r1, r2, r3, r4] = await Promise.all([
-            waitForChannelReady(CHANNEL_1_PORT, 6e4, CHANNEL_HOST),
-            waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession),
-            waitForChannelReady(CHANNEL_3_PORT, 6e4, CHANNEL_HOST, CHANNEL_TERTIARY.tmuxSession),
-            waitForChannelReady(CHANNEL_4_PORT, 6e4, CHANNEL_HOST, CHANNEL_QUATERNARY.tmuxSession)
-          ]);
-          if (r1) console.log(`  general worker A ready (${CHANNEL_HOST}:${CHANNEL_1_PORT})`);
-          else console.warn("  \u26A0 general worker A did not come up within 60s \u2014 check `synkro local-cc logs`");
-          if (r3) console.log(`  general worker B ready (${CHANNEL_HOST}:${CHANNEL_3_PORT})`);
-          else console.warn("  \u26A0 general worker B did not come up within 60s");
-          if (r2) console.log(`  CWE worker A ready (${CHANNEL_HOST}:${CHANNEL_2_PORT})`);
-          else console.warn("  \u26A0 CWE worker A did not come up within 60s");
-          if (r4) console.log(`  CWE worker B ready (${CHANNEL_HOST}:${CHANNEL_4_PORT})`);
-          else console.warn("  \u26A0 CWE worker B did not come up within 60s");
-          updateLocalInferenceFlag(true);
-        } catch (err) {
-          console.warn(`  \u26A0 Local-CC setup skipped: ${err.message}`);
-          console.warn("    Install pueue, tmux, and claude, then re-run install.");
-        }
-      }
-    }
     console.log("\u2713 Synkro is already installed and configured.");
-    console.log("  Run `synkro-cli update` to refresh hook scripts and judge prompts.");
-    console.log("  Run `synkro-cli install --force` to reinstall from scratch.");
+    console.log("  Run `synkro install --force` to reinstall from scratch.");
     return;
   }
   console.log("Synkro install starting...\n");
@@ -7241,9 +5896,9 @@ async function installCommand(opts = {}) {
   console.log(`  ${scripts.transcriptSyncScript}
 `);
   for (const mode of ["edit", "bash"]) {
-    const pidFile = join12(SYNKRO_DIR4, "daemon", mode, "daemon.pid");
+    const pidFile = join8(SYNKRO_DIR4, "daemon", mode, "daemon.pid");
     try {
-      const pid = parseInt(readFileSync10(pidFile, "utf-8").trim(), 10);
+      const pid = parseInt(readFileSync7(pidFile, "utf-8").trim(), 10);
       if (pid > 0) {
         process.kill(pid, "SIGTERM");
         console.log(`Stopped stale ${mode} grader daemon (pid ${pid})`);
@@ -7324,20 +5979,17 @@ async function installCommand(opts = {}) {
         if (mintResp.ok) {
           const minted = await mintResp.json();
           mcpJwt = minted.token;
-          writeFileSync8(join12(SYNKRO_DIR4, ".mcp-jwt"), mcpJwt + "\n", { mode: 384 });
+          writeFileSync7(join8(SYNKRO_DIR4, ".mcp-jwt"), mcpJwt + "\n", { mode: 384 });
         } else {
           console.warn("  \u26A0 Could not mint MCP token \u2014 local server will reject requests until re-installed.");
         }
         const mcp = installMcpConfig({ gatewayUrl, bearerToken: mcpJwt, local: true });
         console.log(`Registered local MCP guardrails server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
-        console.log("  (rules stored in ~/.synkro/rules.json)");
         console.log();
-        await backfillLocalRules(gatewayUrl, token);
-        await startLocalMcpServer();
       } catch (err) {
         console.warn(`  \u26A0 Local MCP setup failed: ${err.message}`);
-        console.warn("  Hooks are still installed. Re-run `synkro-cli install` to retry.");
+        console.warn("  Hooks are still installed. Re-run `synkro install` to retry.");
         console.log();
       }
     } else {
@@ -7355,7 +6007,7 @@ async function installCommand(opts = {}) {
           throw new Error(`mcp-token mint failed (${mintResp.status}): ${errText.slice(0, 200)}`);
         }
         const minted = await mintResp.json();
-        writeFileSync8(join12(SYNKRO_DIR4, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
+        writeFileSync7(join8(SYNKRO_DIR4, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
         const mcp = installMcpConfig({ gatewayUrl, bearerToken: minted.token });
         console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
@@ -7364,7 +6016,7 @@ async function installCommand(opts = {}) {
         console.log();
       } catch (err) {
         console.warn(`  \u26A0 MCP registration failed: ${err.message}`);
-        console.warn("  Hooks are still installed. Re-run `synkro-cli install` to retry MCP setup.");
+        console.warn("  Hooks are still installed. Re-run `synkro install` to retry MCP setup.");
         console.log();
       }
     }
@@ -7372,8 +6024,8 @@ async function installCommand(opts = {}) {
   if (hasCursor && !opts.noMcp) {
     try {
       if (useLocalMcp) {
-        const jwtPath = join12(SYNKRO_DIR4, ".mcp-jwt");
-        if (!existsSync12(jwtPath)) {
+        const jwtPath = join8(SYNKRO_DIR4, ".mcp-jwt");
+        if (!existsSync9(jwtPath)) {
           const mintResp = await fetch(`${gatewayUrl}/api/v1/cli/mcp-token`, {
             method: "POST",
             headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
@@ -7381,7 +6033,7 @@ async function installCommand(opts = {}) {
           });
           if (mintResp.ok) {
             const minted = await mintResp.json();
-            writeFileSync8(jwtPath, minted.token + "\n", { mode: 384 });
+            writeFileSync7(jwtPath, minted.token + "\n", { mode: 384 });
           }
         }
         const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: "", local: true });
@@ -7401,7 +6053,7 @@ async function installCommand(opts = {}) {
           throw new Error(`mcp-token mint failed (${mintResp.status}): ${errText.slice(0, 200)}`);
         }
         const minted = await mintResp.json();
-        writeFileSync8(join12(SYNKRO_DIR4, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
+        writeFileSync7(join8(SYNKRO_DIR4, ".mcp-jwt"), minted.token + "\n", { mode: 384 });
         const mcp = installCursorMcpConfig({ gatewayUrl, bearerToken: minted.token });
         console.log(`Registered Synkro guardrails MCP server in ${mcp.path}`);
         console.log(`  url:        ${mcp.url}`);
@@ -7412,18 +6064,10 @@ async function installCommand(opts = {}) {
       console.log();
     }
   }
-  const priorLocalFlag = (() => {
-    try {
-      const content = readFileSync10(CONFIG_PATH3, "utf-8");
-      return content.includes("SYNKRO_LOCAL_INFERENCE='yes'");
-    } catch {
-      return false;
-    }
-  })();
   const synkroBundle = resolveSynkroBundle();
-  const persistedMode = resolveDeploymentMode() === "docker" ? "docker" : "bare-host";
+  const persistedMode = resolveDeploymentMode();
   writeConfigEnv({ gatewayUrl, userId, orgId, email, tier: profile.tier, inference: profile.inference, synkroBin: synkroBundle, transcriptConsent, localInference: profile.localInference, deploymentMode: persistedMode });
-  console.log(`Wrote config to ${CONFIG_PATH3}`);
+  console.log(`Wrote config to ${CONFIG_PATH2}`);
   console.log(`  inference: ${profile.inference} (server-side grading)`);
   if (profile.localInference) console.log(`  local inference: enabled (gradingProvider=claude-code)`);
   if (synkroBundle) console.log(`  SYNKRO_CLI_BIN=${synkroBundle}`);
@@ -7435,34 +6079,7 @@ async function installCommand(opts = {}) {
     console.warn(`  \u26A0 Could not cache judge prompts: ${err.message}`);
   }
   console.log();
-  console.log("Setting up local-CC dependencies...");
-  const localCcDeps = [];
-  try {
-    assertClaudeInstalled();
-    localCcDeps.push("claude");
-  } catch (err) {
-    console.warn(`  \u26A0 claude: ${err.message}`);
-  }
-  try {
-    assertPueueInstalled();
-    localCcDeps.push("pueue");
-  } catch (err) {
-    console.warn(`  \u26A0 pueue: ${err.message}`);
-  }
-  try {
-    assertTmuxInstalled();
-    localCcDeps.push("tmux");
-  } catch (err) {
-    console.warn(`  \u26A0 tmux: ${err.message}`);
-  }
-  if (localCcDeps.length === 3) {
-    console.log(`  \u2713 All local-CC dependencies ready (${localCcDeps.join(", ")})`);
-  } else {
-    console.warn(`  \u26A0 Some dependencies missing \u2014 \`synkro local-cc enable\` may not work until they're installed.`);
-  }
-  console.log();
-  const deploymentMode = resolveDeploymentMode();
-  if (profile.localInference && deploymentMode === "docker") {
+  if (profile.localInference) {
     try {
       console.log("Installing Synkro server container...");
       const workersPerPool = parseInt(process.env.SYNKRO_WORKERS_PER_POOL || "4", 10);
@@ -7472,64 +6089,13 @@ async function installCommand(opts = {}) {
       console.log("  waiting for container /healthz...");
       const ready = await waitForContainerReady(6e4);
       if (ready) {
-        console.log("  container ready");
-        console.log("");
-        console.log(`  Set SYNKRO_MCP_PORT=${hostMcpPort} and SYNKRO_CHANNEL_PORT=${hostGraderPort}`);
-        console.log("  in your shell so hooks point at the container.");
+        console.log("  \u2713 container ready");
       } else {
         console.warn("  \u26A0 container did not become healthy within 60s \u2014 check `docker logs synkro-server`");
       }
       console.log();
     } catch (err) {
       console.warn(`  \u26A0 Docker install failed: ${err.message}
-`);
-    }
-  } else if (profile.localInference && localCcDeps.length === 3) {
-    try {
-      stopTask();
-      stopTask(CHANNEL_SECONDARY);
-      stopTask(CHANNEL_TERTIARY);
-      stopTask(CHANNEL_QUATERNARY);
-      const r = installLocalCC();
-      console.log(`Installed local-CC channel plugin at ${r.pluginPath}`);
-      const t1 = startTask();
-      const t2 = startTask({ channel: CHANNEL_SECONDARY });
-      const t3 = startTask({ channel: CHANNEL_TERTIARY });
-      const t4 = startTask({ channel: CHANNEL_QUATERNARY });
-      console.log(`General pool: pueue id=${t1.id},${t3.id}  CWE pool: pueue id=${t2.id},${t4.id}`);
-      console.log("Waiting for all 4 workers (up to 60s)...");
-      const [ready1, ready2, ready3, ready4] = await Promise.all([
-        waitForChannelReady(CHANNEL_1_PORT, 6e4, CHANNEL_HOST),
-        waitForChannelReady(CHANNEL_2_PORT, 6e4, CHANNEL_HOST, CHANNEL_SECONDARY.tmuxSession),
-        waitForChannelReady(CHANNEL_3_PORT, 6e4, CHANNEL_HOST, CHANNEL_TERTIARY.tmuxSession),
-        waitForChannelReady(CHANNEL_4_PORT, 6e4, CHANNEL_HOST, CHANNEL_QUATERNARY.tmuxSession)
-      ]);
-      if (ready1) console.log(`  general worker A ready (${CHANNEL_HOST}:${CHANNEL_1_PORT})`);
-      else {
-        console.warn("  \u26A0 general worker A did not come up within 60s.");
-        printChannelDiagnostics();
-      }
-      if (ready3) console.log(`  general worker B ready (${CHANNEL_HOST}:${CHANNEL_3_PORT})`);
-      else console.warn("  \u26A0 general worker B did not come up within 60s.");
-      if (ready2) console.log(`  CWE worker A ready (${CHANNEL_HOST}:${CHANNEL_2_PORT})`);
-      else console.warn("  \u26A0 CWE worker A did not come up within 60s.");
-      if (ready4) console.log(`  CWE worker B ready (${CHANNEL_HOST}:${CHANNEL_4_PORT})`);
-      else console.warn("  \u26A0 CWE worker B did not come up within 60s.");
-      const anyReady = ready1 || ready2 || ready3 || ready4;
-      if (anyReady) {
-        console.log("Warming up inference...");
-        const warmups = [];
-        const bashWarmup = "Proposed command: echo hello\nUser intent: warmup\nRecent user messages: []\nRecent actions: []\nOrg rules: []\n";
-        const cweWarmup = 'File: /tmp/warmup.ts\nContent (first 4000 chars):\nconsole.log("hello");\n\nCWE rules to check against:\n[]\n';
-        if (ready1) warmups.push(submitToChannel("grade-bash", bashWarmup, { timeoutMs: 3e4, port: CHANNEL_1_PORT }).then(() => console.log("  general A warm")).catch(() => console.log("  general A warmup skipped")));
-        if (ready3) warmups.push(submitToChannel("grade-bash", bashWarmup, { timeoutMs: 3e4, port: CHANNEL_3_PORT }).then(() => console.log("  general B warm")).catch(() => console.log("  general B warmup skipped")));
-        if (ready2) warmups.push(submitToChannel("grade-cwe", cweWarmup, { timeoutMs: 3e4, port: CHANNEL_2_PORT }).then(() => console.log("  CWE A warm")).catch(() => console.log("  CWE A warmup skipped")));
-        if (ready4) warmups.push(submitToChannel("grade-cwe", cweWarmup, { timeoutMs: 3e4, port: CHANNEL_4_PORT }).then(() => console.log("  CWE B warm")).catch(() => console.log("  CWE B warmup skipped")));
-        await Promise.all(warmups);
-        console.log();
-      }
-    } catch (err) {
-      console.warn(`  \u26A0 Local-CC setup failed: ${err.message}
 `);
     }
   }
@@ -7581,17 +6147,17 @@ function detectGitRepo2() {
 function getClaudeProjectsFolder() {
   const cwd = process.cwd();
   const sanitized = "-" + cwd.replace(/\//g, "-");
-  const projectsDir = join12(homedir12(), ".claude", "projects", sanitized);
-  return existsSync12(projectsDir) ? projectsDir : null;
+  const projectsDir = join8(homedir8(), ".claude", "projects", sanitized);
+  return existsSync9(projectsDir) ? projectsDir : null;
 }
 function extractSessionInsights(projectsDir) {
   const insights = [];
   const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
   for (const file of files) {
     const sessionId = file.replace(".jsonl", "");
-    const filePath = join12(projectsDir, file);
+    const filePath = join8(projectsDir, file);
     try {
-      const content = readFileSync10(filePath, "utf-8");
+      const content = readFileSync7(filePath, "utf-8");
       const lines = content.split("\n").filter(Boolean);
       for (let i = 0; i < lines.length; i++) {
         try {
@@ -7667,7 +6233,7 @@ function extractTextContent(content) {
   return "";
 }
 function parseTranscriptFile(filePath) {
-  const content = readFileSync10(filePath, "utf-8");
+  const content = readFileSync7(filePath, "utf-8");
   const lines = content.split("\n").filter(Boolean);
   const messages = [];
   for (let i = 0; i < lines.length; i++) {
@@ -7701,137 +6267,625 @@ function parseTranscriptFile(filePath) {
       if (msg.content.length > 0) messages.push(msg);
     } catch {
     }
-  }
-  return messages;
-}
-async function syncTranscriptsBulk(gatewayUrl, token, repo) {
-  const projectsDir = getClaudeProjectsFolder();
-  if (!projectsDir) return { sessions: 0, messages: 0 };
-  const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
-  if (files.length === 0) return { sessions: 0, messages: 0 };
-  console.log(`Found ${files.length} CC session transcripts, syncing...`);
-  const maxMessagesPerSession = 500;
-  let totalSessions = 0;
-  let totalMessages = 0;
-  for (let i = 0; i < files.length; i += 5) {
-    const batch = files.slice(i, i + 5);
-    const sessions = [];
-    for (const file of batch) {
-      const sessionId = file.replace(".jsonl", "");
-      const filePath = join12(projectsDir, file);
-      try {
-        const allMessages = parseTranscriptFile(filePath);
-        const messages = allMessages.length > maxMessagesPerSession ? allMessages.slice(-maxMessagesPerSession) : allMessages;
-        if (messages.length > 0) {
-          sessions.push({ cc_session_id: sessionId, messages });
-        }
-      } catch {
-      }
-    }
-    if (sessions.length === 0) continue;
+  }
+  return messages;
+}
+async function syncTranscriptsBulk(gatewayUrl, token, repo) {
+  const projectsDir = getClaudeProjectsFolder();
+  if (!projectsDir) return { sessions: 0, messages: 0 };
+  const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
+  if (files.length === 0) return { sessions: 0, messages: 0 };
+  console.log(`Found ${files.length} CC session transcripts, syncing...`);
+  const maxMessagesPerSession = 500;
+  let totalSessions = 0;
+  let totalMessages = 0;
+  for (let i = 0; i < files.length; i += 5) {
+    const batch = files.slice(i, i + 5);
+    const sessions = [];
+    for (const file of batch) {
+      const sessionId = file.replace(".jsonl", "");
+      const filePath = join8(projectsDir, file);
+      try {
+        const allMessages = parseTranscriptFile(filePath);
+        const messages = allMessages.length > maxMessagesPerSession ? allMessages.slice(-maxMessagesPerSession) : allMessages;
+        if (messages.length > 0) {
+          sessions.push({ cc_session_id: sessionId, messages });
+        }
+      } catch {
+      }
+    }
+    if (sessions.length === 0) continue;
+    try {
+      const resp = await fetch(`${gatewayUrl}/api/v1/cli/sync-transcripts`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ repo, sessions })
+      });
+      if (resp.ok) {
+        const result = await resp.json();
+        totalMessages += result.accepted;
+        totalSessions += result.sessions;
+      }
+    } catch {
+    }
+    for (const file of batch) {
+      const sessionId = file.replace(".jsonl", "");
+      const filePath = join8(projectsDir, file);
+      try {
+        const content = readFileSync7(filePath, "utf-8");
+        const lineCount = content.split("\n").filter(Boolean).length;
+        writeFileSync7(join8(OFFSETS_DIR, sessionId), String(lineCount), "utf-8");
+      } catch {
+      }
+    }
+  }
+  return { sessions: totalSessions, messages: totalMessages };
+}
+var SYNKRO_DIR4, HOOKS_DIR, BIN_DIR, CONFIG_PATH2, MCP_STDIO_PROXY_SRC, OFFSETS_DIR;
+var init_install = __esm({
+  "cli/commands/install.ts"() {
+    "use strict";
+    init_agentDetect();
+    init_ccHookConfig();
+    init_cursorHookConfig();
+    init_mcpConfig();
+    init_hookScripts();
+    init_hookScriptsTs();
+    init_stub();
+    init_repoConnect();
+    init_projects();
+    init_setupGithub();
+    init_promptFetcher();
+    init_dockerInstall();
+    SYNKRO_DIR4 = join8(homedir8(), ".synkro");
+    HOOKS_DIR = join8(SYNKRO_DIR4, "hooks");
+    BIN_DIR = join8(SYNKRO_DIR4, "bin");
+    CONFIG_PATH2 = join8(SYNKRO_DIR4, "config.env");
+    MCP_STDIO_PROXY_SRC = `#!/usr/bin/env bun
+import { readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { createInterface } from 'node:readline';
+
+const HOME = homedir();
+const TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');
+const PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);
+const URL = \`http://127.0.0.1:\${PORT}\`;
+
+let token = '';
+try { token = readFileSync(TOKEN_PATH, 'utf-8').trim(); } catch {}
+
+const rl = createInterface({ input: process.stdin, terminal: false });
+
+rl.on('line', async (line) => {
+  if (!line.trim()) return;
+  let msg;
+  try { msg = JSON.parse(line); } catch { return; }
+  if (!msg.id && msg.method?.startsWith('notifications/')) return;
+
+  try {
+    const resp = await fetch(URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': \`Bearer \${token}\`,
+      },
+      body: line,
+      signal: AbortSignal.timeout(30000),
+    });
+    if (resp.status === 204) return;
+    const body = await resp.text();
+    process.stdout.write(body + '\\n');
+  } catch (err) {
+    if (msg.id != null) {
+      process.stdout.write(JSON.stringify({
+        jsonrpc: '2.0',
+        id: msg.id,
+        error: { code: -32603, message: 'MCP proxy: HTTP server unreachable' },
+      }) + '\\n');
+    }
+  }
+});
+`;
+    OFFSETS_DIR = join8(SYNKRO_DIR4, ".transcript-offsets");
+  }
+});
+
+// cli/local-cc/pueue.ts
+import { execFileSync, spawnSync as spawnSync3, spawn } from "child_process";
+import { homedir as homedir9 } from "os";
+import { join as join9 } from "path";
+import { connect } from "net";
+function pueueAvailable() {
+  const r = spawnSync3("pueue", ["--version"], { encoding: "utf-8" });
+  if (r.status !== 0) {
+    throw new PueueError("pueue CLI not found on PATH. Install pueue (https://github.com/Nukesor/pueue) and start `pueued`.");
+  }
+}
+function statusJson() {
+  pueueAvailable();
+  const r = spawnSync3("pueue", ["status", "--json"], { encoding: "utf-8" });
+  if (r.status !== 0) {
+    throw new PueueError(`pueue status failed: ${r.stderr || r.stdout || "unknown error"} \u2014 is pueued running?`);
+  }
+  try {
+    return JSON.parse(r.stdout);
+  } catch (err) {
+    throw new PueueError(`pueue status returned non-JSON output: ${r.stdout.slice(0, 200)}`, err);
+  }
+}
+function statusName(s) {
+  if (typeof s === "string") return s;
+  if (s && typeof s === "object") {
+    if ("Running" in s) return "Running";
+    if ("Done" in s) {
+      const result = s.Done?.result;
+      if (typeof result === "string") return `Done (${result})`;
+      if (result && typeof result === "object") return `Done (${Object.keys(result)[0] ?? "unknown"})`;
+      return "Done";
+    }
+    return Object.keys(s)[0] ?? "unknown";
+  }
+  return "unknown";
+}
+function findTask(channel = CHANNEL_PRIMARY) {
+  const data = statusJson();
+  for (const [id, t] of Object.entries(data.tasks)) {
+    if (t.label === channel.taskLabel) {
+      return {
+        id: Number(id),
+        label: t.label,
+        status: statusName(t.status),
+        command: t.command,
+        cwd: t.path
+      };
+    }
+  }
+  return null;
+}
+function stopTask(channel = CHANNEL_PRIMARY) {
+  spawnSync3("tmux", ["kill-session", "-t", `=${channel.tmuxSession}`], { encoding: "utf-8" });
+  let t = findTask(channel);
+  while (t) {
+    if (t.status === "Running" || t.status === "Queued") {
+      spawnSync3("pueue", ["kill", String(t.id)], { encoding: "utf-8" });
+      for (let i = 0; i < 10; i++) {
+        const check = findTask(channel);
+        if (!check || check.id !== t.id || check.status !== "Running" && check.status !== "Queued") break;
+        spawnSync3("sleep", ["0.5"], { encoding: "utf-8" });
+      }
+    }
+    spawnSync3("pueue", ["remove", String(t.id)], { encoding: "utf-8" });
+    t = findTask(channel);
+  }
+}
+var TASK_LABEL, TMUX_SESSION, SESSION_DIR, TASK_LABEL_2, TMUX_SESSION_2, SESSION_DIR_2, TASK_LABEL_3, TMUX_SESSION_3, SESSION_DIR_3, TASK_LABEL_4, TMUX_SESSION_4, SESSION_DIR_4, PueueError, CHANNEL_PRIMARY, CHANNEL_SECONDARY, CHANNEL_TERTIARY, CHANNEL_QUATERNARY;
+var init_pueue = __esm({
+  "cli/local-cc/pueue.ts"() {
+    "use strict";
+    TASK_LABEL = "synkro-local-cc";
+    TMUX_SESSION = "synkro-local-cc";
+    SESSION_DIR = join9(homedir9(), ".synkro", "cc_sessions");
+    TASK_LABEL_2 = "synkro-local-cc-2";
+    TMUX_SESSION_2 = "synkro-local-cc-2";
+    SESSION_DIR_2 = join9(homedir9(), ".synkro", "cc_sessions_2");
+    TASK_LABEL_3 = "synkro-local-cc-3";
+    TMUX_SESSION_3 = "synkro-local-cc-3";
+    SESSION_DIR_3 = join9(homedir9(), ".synkro", "cc_sessions_3");
+    TASK_LABEL_4 = "synkro-local-cc-4";
+    TMUX_SESSION_4 = "synkro-local-cc-4";
+    SESSION_DIR_4 = join9(homedir9(), ".synkro", "cc_sessions_4");
+    PueueError = class extends Error {
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "PueueError";
+      }
+      cause;
+    };
+    CHANNEL_PRIMARY = { taskLabel: TASK_LABEL, tmuxSession: TMUX_SESSION, sessionDir: SESSION_DIR };
+    CHANNEL_SECONDARY = { taskLabel: TASK_LABEL_2, tmuxSession: TMUX_SESSION_2, sessionDir: SESSION_DIR_2 };
+    CHANNEL_TERTIARY = { taskLabel: TASK_LABEL_3, tmuxSession: TMUX_SESSION_3, sessionDir: SESSION_DIR_3 };
+    CHANNEL_QUATERNARY = { taskLabel: TASK_LABEL_4, tmuxSession: TMUX_SESSION_4, sessionDir: SESSION_DIR_4 };
+  }
+});
+
+// cli/local-cc/channelSource.ts
+var init_channelSource = __esm({
+  "cli/local-cc/channelSource.ts"() {
+    "use strict";
+  }
+});
+
+// cli/local-cc/install.ts
+import { existsSync as existsSync10, mkdirSync as mkdirSync9, writeFileSync as writeFileSync8, readFileSync as readFileSync8, chmodSync as chmodSync3, copyFileSync, renameSync as renameSync4, unlinkSync as unlinkSync4, openSync, fsyncSync, closeSync } from "fs";
+import { join as join10 } from "path";
+import { homedir as homedir10 } from "os";
+import { spawnSync as spawnSync4 } from "child_process";
+function safelyMutateClaudeJson(mutator) {
+  if (!existsSync10(CLAUDE_JSON_PATH)) {
+    return;
+  }
+  const originalText = readFileSync8(CLAUDE_JSON_PATH, "utf-8");
+  let parsed;
+  try {
+    parsed = JSON.parse(originalText);
+  } catch (err) {
+    throw new LocalCCInstallError(
+      `refusing to modify malformed ${CLAUDE_JSON_PATH}: ${err.message}. Please fix the JSON manually before retrying.`,
+      err
+    );
+  }
+  const originalKeys = new Set(Object.keys(parsed));
+  const dirty = mutator(parsed);
+  if (!dirty) return;
+  for (const k of originalKeys) {
+    if (!(k in parsed)) {
+      throw new LocalCCInstallError(
+        `refusing to write ${CLAUDE_JSON_PATH}: mutator dropped top-level key "${k}". This is a bug \u2014 please report.`
+      );
+    }
+  }
+  const newText = JSON.stringify(parsed, null, 2) + "\n";
+  try {
+    JSON.parse(newText);
+  } catch (err) {
+    throw new LocalCCInstallError(
+      `refusing to write ${CLAUDE_JSON_PATH}: serialized result is not valid JSON. This is a bug \u2014 please report.`,
+      err
+    );
+  }
+  copyFileSync(CLAUDE_JSON_PATH, CLAUDE_JSON_BACKUP_PATH);
+  const tmpPath = `${CLAUDE_JSON_PATH}.synkro-tmp.${process.pid}`;
+  try {
+    writeFileSync8(tmpPath, newText, "utf-8");
+    const fd = openSync(tmpPath, "r");
+    try {
+      fsyncSync(fd);
+    } finally {
+      closeSync(fd);
+    }
+    renameSync4(tmpPath, CLAUDE_JSON_PATH);
+  } catch (err) {
+    try {
+      unlinkSync4(tmpPath);
+    } catch {
+    }
     try {
-      const resp = await fetch(`${gatewayUrl}/api/v1/cli/sync-transcripts`, {
-        method: "POST",
-        headers: {
-          "Authorization": `Bearer ${token}`,
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({ repo, sessions })
-      });
-      if (resp.ok) {
-        const result = await resp.json();
-        totalMessages += result.accepted;
-        totalSessions += result.sessions;
-      }
+      copyFileSync(CLAUDE_JSON_BACKUP_PATH, CLAUDE_JSON_PATH);
     } catch {
     }
-    for (const file of batch) {
-      const sessionId = file.replace(".jsonl", "");
-      const filePath = join12(projectsDir, file);
-      try {
-        const content = readFileSync10(filePath, "utf-8");
-        const lineCount = content.split("\n").filter(Boolean).length;
-        writeFileSync8(join12(OFFSETS_DIR, sessionId), String(lineCount), "utf-8");
-      } catch {
+    throw new LocalCCInstallError(
+      `failed to write ${CLAUDE_JSON_PATH}: ${err.message}. Backup at ${CLAUDE_JSON_BACKUP_PATH} preserves the prior state.`,
+      err
+    );
+  }
+}
+function uninstallLocalCC() {
+  safelyMutateClaudeJson((parsed) => {
+    let dirty = false;
+    if (parsed.mcpServers && parsed.mcpServers[MCP_SERVER_NAME]) {
+      delete parsed.mcpServers[MCP_SERVER_NAME];
+      dirty = true;
+    }
+    for (const dir of CHANNELS.map((c) => c.sessionDir)) {
+      if (parsed.projects && typeof parsed.projects === "object" && parsed.projects[dir]) {
+        delete parsed.projects[dir];
+        dirty = true;
       }
     }
-  }
-  return { sessions: totalSessions, messages: totalMessages };
+    return dirty;
+  });
 }
-var SYNKRO_DIR4, HOOKS_DIR, BIN_DIR, CONFIG_PATH3, MCP_STDIO_PROXY_SRC, OFFSETS_DIR, RULES_PATH, MCP_LOCAL_PORT, PGLITE_PORT;
+var CLAUDE_JSON_BACKUP_PATH, SESSION_DIR2, PLUGIN_PATH, PLUGIN_PKG_PATH, PLUGIN_SETTINGS_DIR, PLUGIN_SETTINGS_PATH, PROJECT_MCP_PATH, CLAUDE_JSON_PATH, RUN_SCRIPT_PATH, TMUX_SESSION_NAME, CHANNEL_1_PORT, SESSION_DIR_22, PLUGIN_PATH_2, PLUGIN_PKG_PATH_2, PLUGIN_SETTINGS_DIR_2, PLUGIN_SETTINGS_PATH_2, PROJECT_MCP_PATH_2, RUN_SCRIPT_PATH_2, TMUX_SESSION_NAME_2, CHANNEL_2_PORT, SESSION_DIR_32, PLUGIN_PATH_3, PLUGIN_PKG_PATH_3, PLUGIN_SETTINGS_DIR_3, PLUGIN_SETTINGS_PATH_3, PROJECT_MCP_PATH_3, RUN_SCRIPT_PATH_3, TMUX_SESSION_NAME_3, CHANNEL_3_PORT, SESSION_DIR_42, PLUGIN_PATH_4, PLUGIN_PKG_PATH_4, PLUGIN_SETTINGS_DIR_4, PLUGIN_SETTINGS_PATH_4, PROJECT_MCP_PATH_4, RUN_SCRIPT_PATH_4, TMUX_SESSION_NAME_4, CHANNEL_4_PORT, RUN_SCRIPT_SOURCE, RUN_SCRIPT_SOURCE_2, RUN_SCRIPT_SOURCE_3, RUN_SCRIPT_SOURCE_4, MCP_SERVER_NAME, PLUGIN_PACKAGE_JSON, LocalCCInstallError, CHANNELS;
 var init_install2 = __esm({
-  "cli/commands/install.ts"() {
+  "cli/local-cc/install.ts"() {
     "use strict";
-    init_agentDetect();
-    init_ccHookConfig();
-    init_cursorHookConfig();
-    init_mcpConfig();
-    init_hookScripts();
-    init_hookScriptsTs();
-    init_stub();
-    init_repoConnect();
-    init_projects();
-    init_setupGithub();
-    init_promptFetcher();
-    init_settings();
-    init_install();
-    init_dockerInstall();
-    init_pueue();
-    init_client();
-    SYNKRO_DIR4 = join12(homedir12(), ".synkro");
-    HOOKS_DIR = join12(SYNKRO_DIR4, "hooks");
-    BIN_DIR = join12(SYNKRO_DIR4, "bin");
-    CONFIG_PATH3 = join12(SYNKRO_DIR4, "config.env");
-    MCP_STDIO_PROXY_SRC = `#!/usr/bin/env bun
-import { readFileSync } from 'node:fs';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
-import { createInterface } from 'node:readline';
+    init_channelSource();
+    CLAUDE_JSON_BACKUP_PATH = join10(homedir10(), ".claude.json.synkro-bak");
+    SESSION_DIR2 = join10(homedir10(), ".synkro", "cc_sessions");
+    PLUGIN_PATH = join10(SESSION_DIR2, "synkro-channel.ts");
+    PLUGIN_PKG_PATH = join10(SESSION_DIR2, "package.json");
+    PLUGIN_SETTINGS_DIR = join10(SESSION_DIR2, ".claude");
+    PLUGIN_SETTINGS_PATH = join10(PLUGIN_SETTINGS_DIR, "settings.json");
+    PROJECT_MCP_PATH = join10(SESSION_DIR2, ".mcp.json");
+    CLAUDE_JSON_PATH = join10(homedir10(), ".claude.json");
+    RUN_SCRIPT_PATH = join10(SESSION_DIR2, "run-claude.sh");
+    TMUX_SESSION_NAME = "synkro-local-cc";
+    CHANNEL_1_PORT = 8941;
+    SESSION_DIR_22 = join10(homedir10(), ".synkro", "cc_sessions_2");
+    PLUGIN_PATH_2 = join10(SESSION_DIR_22, "synkro-channel.ts");
+    PLUGIN_PKG_PATH_2 = join10(SESSION_DIR_22, "package.json");
+    PLUGIN_SETTINGS_DIR_2 = join10(SESSION_DIR_22, ".claude");
+    PLUGIN_SETTINGS_PATH_2 = join10(PLUGIN_SETTINGS_DIR_2, "settings.json");
+    PROJECT_MCP_PATH_2 = join10(SESSION_DIR_22, ".mcp.json");
+    RUN_SCRIPT_PATH_2 = join10(SESSION_DIR_22, "run-claude.sh");
+    TMUX_SESSION_NAME_2 = "synkro-local-cc-2";
+    CHANNEL_2_PORT = 8951;
+    SESSION_DIR_32 = join10(homedir10(), ".synkro", "cc_sessions_3");
+    PLUGIN_PATH_3 = join10(SESSION_DIR_32, "synkro-channel.ts");
+    PLUGIN_PKG_PATH_3 = join10(SESSION_DIR_32, "package.json");
+    PLUGIN_SETTINGS_DIR_3 = join10(SESSION_DIR_32, ".claude");
+    PLUGIN_SETTINGS_PATH_3 = join10(PLUGIN_SETTINGS_DIR_3, "settings.json");
+    PROJECT_MCP_PATH_3 = join10(SESSION_DIR_32, ".mcp.json");
+    RUN_SCRIPT_PATH_3 = join10(SESSION_DIR_32, "run-claude.sh");
+    TMUX_SESSION_NAME_3 = "synkro-local-cc-3";
+    CHANNEL_3_PORT = 8942;
+    SESSION_DIR_42 = join10(homedir10(), ".synkro", "cc_sessions_4");
+    PLUGIN_PATH_4 = join10(SESSION_DIR_42, "synkro-channel.ts");
+    PLUGIN_PKG_PATH_4 = join10(SESSION_DIR_42, "package.json");
+    PLUGIN_SETTINGS_DIR_4 = join10(SESSION_DIR_42, ".claude");
+    PLUGIN_SETTINGS_PATH_4 = join10(PLUGIN_SETTINGS_DIR_4, "settings.json");
+    PROJECT_MCP_PATH_4 = join10(SESSION_DIR_42, ".mcp.json");
+    RUN_SCRIPT_PATH_4 = join10(SESSION_DIR_42, "run-claude.sh");
+    TMUX_SESSION_NAME_4 = "synkro-local-cc-4";
+    CHANNEL_4_PORT = 8952;
+    RUN_SCRIPT_SOURCE = `#!/usr/bin/env bash
+# Auto-generated by \`synkro install\`. Do not edit.
+set -uo pipefail
+
+SESSION=${TMUX_SESSION_NAME}
+LOG="$HOME/.synkro/cc_sessions/run-claude.log"
+
+log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
+
+# Pre-flight checks
+if ! command -v claude >/dev/null 2>&1; then
+  log "ERROR: claude CLI not found on PATH. Install Claude Code first."
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  log "ERROR: tmux not found on PATH."
+  exit 1
+fi
+
+# Check claude is authenticated
+if ! claude --version >/dev/null 2>&1; then
+  log "ERROR: claude --version failed. Is Claude Code installed correctly?"
+  exit 1
+fi
+
+log "Starting local-CC session..."
+log "claude version: $(claude --version 2>&1 | head -1)"
+
+# Kill any previous session so restarts come up clean.
+tmux kill-session -t "=$SESSION" 2>/dev/null || true
+
+# Start claude inside a detached tmux session so it has a real pty.
+# Redirect stderr to the log so we can see why it dies.
+tmux new-session -d -s "$SESSION" \\
+  "SYNKRO_CHANNEL_PORT=${CHANNEL_1_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
+
+# Claude's --dangerously-load-development-channels shows a confirmation
+# prompt: option 1 = "I am using this for local development" (accept),
+# option 2 = "Exit". Auto-accept by sending '1' + Enter.
+sleep 3
+if tmux has-session -t "=$SESSION" 2>/dev/null; then
+  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  sleep 1
+  # Additional Enter for any follow-up prompts (workspace trust, MCP consent)
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  log "Sent auto-accept keys to claude session."
+fi
+
+sleep 2
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  log "ERROR: tmux session died immediately. Check $LOG for details."
+  log "Try running claude manually to verify auth: claude --print 'say ok'"
+  exit 1
+fi
+
+log "tmux session started successfully."
+
+# Block on the tmux session so pueue's task lifetime tracks claude's.
+while tmux has-session -t "=$SESSION" 2>/dev/null; do
+  sleep 5
+done
+
+log "tmux session ended."
+`;
+    RUN_SCRIPT_SOURCE_2 = `#!/usr/bin/env bash
+# Auto-generated by \`synkro install\`. Channel 2 (CWE scan, port ${CHANNEL_2_PORT}).
+set -uo pipefail
+
+SESSION=${TMUX_SESSION_NAME_2}
+LOG="$HOME/.synkro/cc_sessions_2/run-claude.log"
+
+log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
+
+if ! command -v claude >/dev/null 2>&1; then
+  log "ERROR: claude CLI not found on PATH."
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  log "ERROR: tmux not found on PATH."
+  exit 1
+fi
+
+if ! claude --version >/dev/null 2>&1; then
+  log "ERROR: claude --version failed."
+  exit 1
+fi
+
+log "Starting local-CC channel 2 (port ${CHANNEL_2_PORT})..."
+log "claude version: $(claude --version 2>&1 | head -1)"
+
+tmux kill-session -t "=$SESSION" 2>/dev/null || true
+
+tmux new-session -d -s "$SESSION" \\
+  "SYNKRO_CHANNEL_PORT=${CHANNEL_2_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
+
+sleep 3
+if tmux has-session -t "=$SESSION" 2>/dev/null; then
+  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  log "Sent auto-accept keys to channel 2 session."
+fi
+
+sleep 2
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  log "ERROR: tmux session died immediately. Check $LOG for details."
+  exit 1
+fi
+
+log "tmux session started successfully (port ${CHANNEL_2_PORT})."
+
+while tmux has-session -t "=$SESSION" 2>/dev/null; do
+  sleep 5
+done
+
+log "tmux session ended."
+`;
+    RUN_SCRIPT_SOURCE_3 = `#!/usr/bin/env bash
+# Auto-generated by \`synkro install\`. General worker B (port ${CHANNEL_3_PORT}).
+set -uo pipefail
+
+SESSION=${TMUX_SESSION_NAME_3}
+LOG="$HOME/.synkro/cc_sessions_3/run-claude.log"
+
+log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
+
+if ! command -v claude >/dev/null 2>&1; then
+  log "ERROR: claude CLI not found on PATH."
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  log "ERROR: tmux not found on PATH."
+  exit 1
+fi
+
+if ! claude --version >/dev/null 2>&1; then
+  log "ERROR: claude --version failed."
+  exit 1
+fi
+
+log "Starting local-CC general worker B (port ${CHANNEL_3_PORT})..."
+log "claude version: $(claude --version 2>&1 | head -1)"
+
+tmux kill-session -t "=$SESSION" 2>/dev/null || true
+
+tmux new-session -d -s "$SESSION" \\
+  "SYNKRO_CHANNEL_PORT=${CHANNEL_3_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
+
+sleep 3
+if tmux has-session -t "=$SESSION" 2>/dev/null; then
+  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  log "Sent auto-accept keys to general worker B session."
+fi
 
-const HOME = homedir();
-const TOKEN_PATH = join(HOME, '.synkro', '.mcp-jwt');
-const PORT = parseInt(process.env.SYNKRO_MCP_PORT || '8931', 10);
-const URL = \`http://127.0.0.1:\${PORT}\`;
+sleep 2
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  log "ERROR: tmux session died immediately. Check $LOG for details."
+  exit 1
+fi
 
-let token = '';
-try { token = readFileSync(TOKEN_PATH, 'utf-8').trim(); } catch {}
+log "tmux session started successfully (port ${CHANNEL_3_PORT})."
 
-const rl = createInterface({ input: process.stdin, terminal: false });
+while tmux has-session -t "=$SESSION" 2>/dev/null; do
+  sleep 5
+done
 
-rl.on('line', async (line) => {
-  if (!line.trim()) return;
-  let msg;
-  try { msg = JSON.parse(line); } catch { return; }
-  if (!msg.id && msg.method?.startsWith('notifications/')) return;
+log "tmux session ended."
+`;
+    RUN_SCRIPT_SOURCE_4 = `#!/usr/bin/env bash
+# Auto-generated by \`synkro install\`. CWE worker B (port ${CHANNEL_4_PORT}).
+set -uo pipefail
 
-  try {
-    const resp = await fetch(URL, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': \`Bearer \${token}\`,
-      },
-      body: line,
-      signal: AbortSignal.timeout(30000),
-    });
-    if (resp.status === 204) return;
-    const body = await resp.text();
-    process.stdout.write(body + '\\n');
-  } catch (err) {
-    if (msg.id != null) {
-      process.stdout.write(JSON.stringify({
-        jsonrpc: '2.0',
-        id: msg.id,
-        error: { code: -32603, message: 'MCP proxy: HTTP server unreachable' },
-      }) + '\\n');
-    }
-  }
-});
+SESSION=${TMUX_SESSION_NAME_4}
+LOG="$HOME/.synkro/cc_sessions_4/run-claude.log"
+
+log() { echo "[$(date '+%H:%M:%S')] $*" >> "$LOG"; echo "$*"; }
+
+if ! command -v claude >/dev/null 2>&1; then
+  log "ERROR: claude CLI not found on PATH."
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  log "ERROR: tmux not found on PATH."
+  exit 1
+fi
+
+if ! claude --version >/dev/null 2>&1; then
+  log "ERROR: claude --version failed."
+  exit 1
+fi
+
+log "Starting local-CC CWE worker B (port ${CHANNEL_4_PORT})..."
+log "claude version: $(claude --version 2>&1 | head -1)"
+
+tmux kill-session -t "=$SESSION" 2>/dev/null || true
+
+tmux new-session -d -s "$SESSION" \\
+  "SYNKRO_CHANNEL_PORT=${CHANNEL_4_PORT} claude --dangerously-load-development-channels server:synkro-local --dangerously-skip-permissions --setting-sources project,local --model claude-sonnet-4-6 2>>$LOG; echo 'claude exited with code '$'?' >> $LOG"
+
+sleep 3
+if tmux has-session -t "=$SESSION" 2>/dev/null; then
+  tmux send-keys -t "$SESSION" '1' 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  sleep 1
+  tmux send-keys -t "$SESSION" Enter 2>/dev/null || true
+  log "Sent auto-accept keys to CWE worker B session."
+fi
+
+sleep 2
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  log "ERROR: tmux session died immediately. Check $LOG for details."
+  exit 1
+fi
+
+log "tmux session started successfully (port ${CHANNEL_4_PORT})."
+
+while tmux has-session -t "=$SESSION" 2>/dev/null; do
+  sleep 5
+done
+
+log "tmux session ended."
 `;
-    OFFSETS_DIR = join12(SYNKRO_DIR4, ".transcript-offsets");
-    RULES_PATH = join12(SYNKRO_DIR4, "rules.json");
-    MCP_LOCAL_PORT = 8931;
-    PGLITE_PORT = parseInt(process.env.SYNKRO_PG_PORT || "5433", 10);
+    MCP_SERVER_NAME = "synkro-local";
+    PLUGIN_PACKAGE_JSON = JSON.stringify(
+      {
+        name: "synkro-local-channel",
+        private: true,
+        version: "0.1.0",
+        type: "module",
+        dependencies: {
+          "@modelcontextprotocol/sdk": "^1.0.0"
+        }
+      },
+      null,
+      2
+    ) + "\n";
+    LocalCCInstallError = class extends Error {
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "LocalCCInstallError";
+      }
+      cause;
+    };
+    CHANNELS = [
+      { sessionDir: SESSION_DIR2, pluginPath: PLUGIN_PATH, pluginPkgPath: PLUGIN_PKG_PATH, pluginSettingsDir: PLUGIN_SETTINGS_DIR, pluginSettingsPath: PLUGIN_SETTINGS_PATH, projectMcpPath: PROJECT_MCP_PATH, runScriptPath: RUN_SCRIPT_PATH, runScriptSource: RUN_SCRIPT_SOURCE },
+      { sessionDir: SESSION_DIR_22, pluginPath: PLUGIN_PATH_2, pluginPkgPath: PLUGIN_PKG_PATH_2, pluginSettingsDir: PLUGIN_SETTINGS_DIR_2, pluginSettingsPath: PLUGIN_SETTINGS_PATH_2, projectMcpPath: PROJECT_MCP_PATH_2, runScriptPath: RUN_SCRIPT_PATH_2, runScriptSource: RUN_SCRIPT_SOURCE_2 },
+      { sessionDir: SESSION_DIR_32, pluginPath: PLUGIN_PATH_3, pluginPkgPath: PLUGIN_PKG_PATH_3, pluginSettingsDir: PLUGIN_SETTINGS_DIR_3, pluginSettingsPath: PLUGIN_SETTINGS_PATH_3, projectMcpPath: PROJECT_MCP_PATH_3, runScriptPath: RUN_SCRIPT_PATH_3, runScriptSource: RUN_SCRIPT_SOURCE_3 },
+      { sessionDir: SESSION_DIR_42, pluginPath: PLUGIN_PATH_4, pluginPkgPath: PLUGIN_PKG_PATH_4, pluginSettingsDir: PLUGIN_SETTINGS_DIR_4, pluginSettingsPath: PLUGIN_SETTINGS_PATH_4, projectMcpPath: PROJECT_MCP_PATH_4, runScriptPath: RUN_SCRIPT_PATH_4, runScriptSource: RUN_SCRIPT_SOURCE_4 }
+    ];
   }
 });
 
@@ -7840,9 +6894,9 @@ var disconnect_exports = {};
 __export(disconnect_exports, {
   disconnectCommand: () => disconnectCommand
 });
-import { existsSync as existsSync13, rmSync } from "fs";
-import { homedir as homedir13 } from "os";
-import { join as join13 } from "path";
+import { existsSync as existsSync11, rmSync } from "fs";
+import { homedir as homedir11 } from "os";
+import { join as join11 } from "path";
 function tearDownLocalCC() {
   const docker = dockerStatus();
   if (docker.running) {
@@ -7897,13 +6951,13 @@ function disconnectCommand(args2 = []) {
     console.log(`${cursorMcpRemoved ? "\u2713" : "\xB7"} MCP guardrails (Cursor): ${cursorMcpRemoved ? "removed from ~/.cursor/mcp.json" : "no entry found"}`);
   }
   if (purge) {
-    if (existsSync13(SYNKRO_DIR5)) {
+    if (existsSync11(SYNKRO_DIR5)) {
       rmSync(SYNKRO_DIR5, { recursive: true, force: true });
       console.log(`\u2713 Removed ${SYNKRO_DIR5}`);
     } else {
       console.log(`\xB7 ${SYNKRO_DIR5} already gone, nothing to remove`);
     }
-  } else if (existsSync13(SYNKRO_DIR5)) {
+  } else if (existsSync11(SYNKRO_DIR5)) {
     console.log(`Config preserved at ${SYNKRO_DIR5}. Run with --purge to remove.`);
   }
   console.log("\nSynkro disconnected.");
@@ -7917,10 +6971,136 @@ var init_disconnect = __esm({
     init_cursorHookConfig();
     init_mcpConfig();
     init_pueue();
-    init_install();
+    init_install2();
     init_dockerInstall();
     init_macKeychain();
-    SYNKRO_DIR5 = join13(homedir13(), ".synkro");
+    SYNKRO_DIR5 = join11(homedir11(), ".synkro");
+  }
+});
+
+// cli/local-cc/turnLog.ts
+import { appendFileSync, existsSync as existsSync12, mkdirSync as mkdirSync10, openSync as openSync2, readFileSync as readFileSync9, readSync, closeSync as closeSync2, statSync as statSync2, watchFile, unwatchFile } from "fs";
+import { dirname as dirname5, join as join12 } from "path";
+import { homedir as homedir12 } from "os";
+function truncate(s, max = PREVIEW_MAX) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "\u2026 [+" + (s.length - max) + " chars]";
+}
+function extractSeverity(result) {
+  const m = result.match(/<synkro-(?:verdict|intent)>([\s\S]*?)<\/synkro-(?:verdict|intent)>/);
+  if (!m) return void 0;
+  try {
+    const obj = JSON.parse(m[1]);
+    if (obj.severity) return String(obj.severity);
+    if (typeof obj.ok === "boolean") return obj.ok ? "ok" : "violations";
+    if (obj.type) return String(obj.type);
+    if (obj.verdict) return String(obj.verdict);
+  } catch {
+  }
+  return void 0;
+}
+function appendTurn(args2) {
+  try {
+    mkdirSync10(dirname5(TURN_LOG_PATH), { recursive: true });
+    const entry = {
+      ts: new Date(args2.startedAt).toISOString(),
+      role: args2.role,
+      duration_ms: Date.now() - args2.startedAt,
+      status: args2.status,
+      request_preview: truncate(args2.request),
+      response_preview: args2.result ? truncate(args2.result) : "",
+      severity: args2.result ? extractSeverity(args2.result) : void 0,
+      error: args2.error
+    };
+    appendFileSync(TURN_LOG_PATH, JSON.stringify(entry) + "\n", "utf-8");
+  } catch {
+  }
+}
+var TURN_LOG_PATH, PREVIEW_MAX;
+var init_turnLog = __esm({
+  "cli/local-cc/turnLog.ts"() {
+    "use strict";
+    TURN_LOG_PATH = join12(homedir12(), ".synkro", "cc_sessions", "turns.log");
+    PREVIEW_MAX = 400;
+  }
+});
+
+// cli/local-cc/client.ts
+import { request as httpRequest } from "http";
+import { connect as connect2 } from "net";
+async function submitToChannel(role, payload, opts = {}) {
+  const body = JSON.stringify({ role, payload, content: payload });
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const port = opts.port ?? CHANNEL_PORT;
+  const startedAt = Date.now();
+  try {
+    const result = await new Promise((resolve3, reject) => {
+      const req = httpRequest({
+        host: CHANNEL_HOST,
+        port,
+        method: "POST",
+        path: "/submit",
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(body)
+        },
+        timeout: timeoutMs
+      }, (res) => {
+        const chunks = [];
+        res.on("data", (c) => chunks.push(c));
+        res.on("end", () => {
+          const text = Buffer.concat(chunks).toString("utf-8");
+          if (res.statusCode !== 200) {
+            reject(new LocalCCError(`channel returned ${res.statusCode}: ${text.slice(0, 500)}`));
+            return;
+          }
+          try {
+            const parsed = JSON.parse(text);
+            if (parsed.error) {
+              reject(new LocalCCError(parsed.error));
+              return;
+            }
+            resolve3(String(parsed.result ?? ""));
+          } catch (err) {
+            reject(new LocalCCError(`malformed channel response: ${text.slice(0, 200)}`, err));
+          }
+        });
+      });
+      req.on("timeout", () => {
+        req.destroy(new LocalCCError(`channel request timed out after ${timeoutMs}ms`));
+      });
+      req.on("error", (err) => {
+        const msg = err.code === "ECONNREFUSED" ? `channel connection refused at ${CHANNEL_HOST}:${CHANNEL_PORT} (is the pueue task running?)` : `channel request failed: ${err.message}`;
+        reject(new LocalCCError(msg, err));
+      });
+      req.write(body);
+      req.end();
+    });
+    appendTurn({ startedAt, role, request: payload, result, status: "ok" });
+    return result;
+  } catch (err) {
+    const message = err.message ?? String(err);
+    const status = /timed out/i.test(message) ? "timeout" : "error";
+    appendTurn({ startedAt, role, request: payload, status, error: message });
+    throw err;
+  }
+}
+var CHANNEL_HOST, CHANNEL_PORT, DEFAULT_TIMEOUT_MS, LocalCCError;
+var init_client = __esm({
+  "cli/local-cc/client.ts"() {
+    "use strict";
+    init_turnLog();
+    CHANNEL_HOST = "127.0.0.1";
+    CHANNEL_PORT = parseInt(process.env.SYNKRO_CHANNEL_PORT || "8929", 10);
+    DEFAULT_TIMEOUT_MS = 9e4;
+    LocalCCError = class extends Error {
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "LocalCCError";
+      }
+      cause;
+    };
   }
 });
 
@@ -7974,15 +7154,15 @@ var init_grade = __esm({
 });
 
 // cli/bootstrap.js
-import { readFileSync as readFileSync11, existsSync as existsSync14 } from "fs";
+import { readFileSync as readFileSync10, existsSync as existsSync13 } from "fs";
 import { resolve as resolve2 } from "path";
 var envCandidates = [
   resolve2(process.cwd(), ".env"),
   resolve2(process.env.HOME ?? "", ".synkro", "config.env")
 ];
 for (const envPath of envCandidates) {
-  if (!existsSync14(envPath)) continue;
-  const envContent = readFileSync11(envPath, "utf-8");
+  if (!existsSync13(envPath)) continue;
+  const envContent = readFileSync10(envPath, "utf-8");
   for (const line of envContent.split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -7997,7 +7177,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.4.87");
+  console.log("1.4.88");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents
@@ -8018,7 +7198,7 @@ Quick start:
 async function main() {
   switch (cmd) {
     case "install": {
-      const { installCommand: installCommand2, parseArgs: parseArgs2 } = await Promise.resolve().then(() => (init_install2(), install_exports));
+      const { installCommand: installCommand2, parseArgs: parseArgs2 } = await Promise.resolve().then(() => (init_install(), install_exports));
       await installCommand2(parseArgs2(subArgs));
       break;
     }