@synkro-sh/cli 1.4.92 → 1.4.94

package/dist/bootstrap.js

@@ -1661,8 +1661,12 @@ export function extractTranscript(transcriptPath: string | undefined): Transcrip
 
 // \u2500\u2500\u2500 Last Prompt \u2500\u2500\u2500
 
-export function readLastPrompt(): string {
+export function readLastPrompt(sessionId?: string): string {
   try {
+    if (sessionId) {
+      const perSession = join(SESSIONS_DIR, sessionId + '.last-prompt');
+      if (existsSync(perSession)) return readFileSync(perSession, 'utf-8').trim();
+    }
     if (!existsSync(LAST_PROMPT_FILE)) return '';
     return readFileSync(LAST_PROMPT_FILE, 'utf-8').trim();
   } catch {
@@ -1986,7 +1990,7 @@ async function main() {
 
     // Extract transcript context
     const transcript = extractTranscript(transcriptPath);
-    const lastPrompt = readLastPrompt();
+    const lastPrompt = readLastPrompt(sessionId);
 
     // Load config and decide route
     const config = await loadConfig(jwt);
@@ -2297,12 +2301,14 @@ async function main() {
     if (!proposed) { outputEmpty(); return; }
 
     let cweContent: string;
+    let cweDiffSection = '';
     if (toolName === 'Edit' || toolName === 'MultiEdit' || toolName === 'edit_file' || toolName === 'reapply' || toolName === 'ApplyPatch' || toolName === 'apply_patch') {
       const newStr = toolName === 'Edit' || toolName === 'edit_file' || toolName === 'reapply'
         ? (toolInput.new_string || '')
         : toolName === 'ApplyPatch' || toolName === 'apply_patch'
           ? (toolInput.patch || toolInput.content || toolInput.code_edit || '')
         : (Array.isArray(toolInput.edits) ? toolInput.edits.map((e: any) => e?.new_string || '').join('\n') : '');
+      cweDiffSection = newStr.slice(0, 4000);
       const changeIdx = proposed.indexOf(newStr);
       if (changeIdx >= 0 && proposed.length > 6000) {
         const start = Math.max(0, changeIdx - 2000);
@@ -2333,14 +2339,28 @@ async function main() {
 
     if (rt === 'local') {
       let cweRules: any[] = [];
+      let cweRuleFetchFailed = false;
       try {
         const resp = await fetch(GATEWAY_URL + '/api/v1/cwe-rules?ext=' + encodeURIComponent(fileExt), {
           headers: { Authorization: 'Bearer ' + jwt },
           signal: AbortSignal.timeout(4000),
         });
-        const data = await resp.json() as any;
-        cweRules = data.rules || [];
-      } catch {}
+        if (!resp.ok) {
+          log('CWE rules fetch failed: HTTP ' + resp.status);
+          cweRuleFetchFailed = true;
+        } else {
+          const data = await resp.json() as any;
+          cweRules = data.rules || [];
+        }
+      } catch (fetchErr: any) {
+        log('CWE rules fetch error: ' + (fetchErr?.message || String(fetchErr)));
+        cweRuleFetchFailed = true;
+      }
+
+      if (cweRuleFetchFailed) {
+        outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 CWE rules unavailable \u2014 scan skipped' });
+        return;
+      }
 
       if (cweRules.length === 0) {
         outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 clean (no CWE rules for ' + fileExt + ')' });
@@ -2359,40 +2379,86 @@ async function main() {
         }
       }
 
-      const graderPrompt = [
-        'File: ' + filePath,
-        'Content:',
-        cweContent,
-        '',
-        'CWE rules to check against:',
-        JSON.stringify(cweRules),
-      ].join('\n') + localPkgContext;
-
-      let gradeResp: string;
-      try {
-        gradeResp = await localGradeCwe(graderPrompt);
-      } catch (gradeErr: any) {
-        const reason = gradeErr?.message || String(gradeErr);
-        outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 grader unavailable (' + reason + '), skipped' });
-        return;
+      const exemptionNote = exemptedCwes.size > 0
+        ? '\n\nEXEMPTED CWEs (already known, DO NOT report these — focus on NEW weaknesses only): ' + [...exemptedCwes].join(', ')
+        : '';
+
+      function buildCwePrompt(content: string): string {
+        const diffBlock = cweDiffSection
+          ? '\n\n=== NEW/CHANGED CODE (evaluate THIS for CWE weaknesses) ===\n' + cweDiffSection + '\n=== END NEW CODE ===\n\nThe surrounding content below is CONTEXT ONLY to help you understand imports, variables, and scope. Do NOT report issues found only in the context section.\n'
+          : '';
+        return [
+          'File: ' + filePath,
+          diffBlock,
+          'Full content window:',
+          content,
+          '',
+          'CWE rules to check against:',
+          JSON.stringify(cweRules),
+        ].join('\n') + localPkgContext + exemptionNote;
       }
 
-      const verdict = parseVerdict(gradeResp);
+      const SPLIT_THRESHOLD = 4000;
+      const OVERLAP = 500;
+      let gradeResponses: string[] = [];
 
-      if (!verdict.ok) {
-        const ruleIdMatches = gradeResp.match(/<rule_id>([^<]+)<\/rule_id>/g) || [];
-        const cweIds: string[] = [];
-        for (const match of ruleIdMatches.slice(0, 5)) {
-          const id = match.replace(/<\/?rule_id>/g, '').trim().replace(/^cwe-/, 'CWE-');
-          if (id && !cweIds.includes(id)) cweIds.push(id);
+      if (cweContent.length > SPLIT_THRESHOLD) {
+        const mid = Math.floor(cweContent.length / 2);
+        const chunk1 = cweContent.slice(0, mid + OVERLAP);
+        const chunk2 = cweContent.slice(mid - OVERLAP);
+        try {
+          const [resp1, resp2] = await Promise.all([
+            localGradeCwe(buildCwePrompt(chunk1)),
+            localGradeCwe(buildCwePrompt(chunk2)),
+          ]);
+          gradeResponses = [resp1, resp2];
+        } catch (gradeErr: any) {
+          const reason = gradeErr?.message || String(gradeErr);
+          outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 grader unavailable (' + reason + '), skipped' });
+          return;
+        }
+      } else {
+        try {
+          gradeResponses = [await localGradeCwe(buildCwePrompt(cweContent))];
+        } catch (gradeErr: any) {
+          const reason = gradeErr?.message || String(gradeErr);
+          outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 grader unavailable (' + reason + '), skipped' });
+          return;
         }
+      }
 
-        const fixMatches = gradeResp.match(/<suggested_fix>([^<]+)<\/suggested_fix>/g) || [];
-        const fixes: Record<string, string> = {};
-        for (let i = 0; i < Math.min(cweIds.length, fixMatches.length); i++) {
-          fixes[cweIds[i]] = fixMatches[i].replace(/<\/?suggested_fix>/g, '').trim();
+      const cweIds: string[] = [];
+      const fixes: Record<string, string> = {};
+      let mergedReason = '';
+      let mergedSeverity = '';
+      let mergedCategory = '';
+      let anyFailed = false;
+
+      for (const gradeResp of gradeResponses) {
+        const v = parseVerdict(gradeResp);
+        if (!v.ok) {
+          anyFailed = true;
+          if (v.reason) mergedReason = mergedReason || v.reason;
+          if (v.severity) mergedSeverity = mergedSeverity || v.severity;
+          if (v.category) mergedCategory = mergedCategory || v.category;
+          const ruleIdMatches = gradeResp.match(/<rule_id>([^<]+)<\/rule_id>/g) || [];
+          for (const m of ruleIdMatches.slice(0, 5)) {
+            const id = m.replace(/<\/?rule_id>/g, '').trim().replace(/^cwe-/, 'CWE-');
+            if (id && !cweIds.includes(id)) cweIds.push(id);
+          }
+          const fMatches = gradeResp.match(/<suggested_fix>([^<]+)<\/suggested_fix>/g) || [];
+          const respIds = ruleIdMatches.map(rm => rm.replace(/<\/?rule_id>/g, '').trim().replace(/^cwe-/, 'CWE-'));
+          for (let i = 0; i < Math.min(respIds.length, fMatches.length); i++) {
+            if (!fixes[respIds[i]]) fixes[respIds[i]] = fMatches[i].replace(/<\/?suggested_fix>/g, '').trim();
+          }
         }
+      }
 
+      const verdict = anyFailed
+        ? { ok: false, reason: mergedReason, severity: mergedSeverity, category: mergedCategory }
+        : { ok: true, reason: '', severity: '', category: '' };
+
+      if (!verdict.ok) {
         const activeCweIds = cweIds.filter(id => !exemptedCwes.has(id.toUpperCase()));
 
         if (activeCweIds.length === 0) {
@@ -2876,7 +2942,7 @@ async function main() {
       }
     }
 
-    const lastPrompt = readLastPrompt();
+    const lastPrompt = readLastPrompt(sessionId);
 
     const config = await loadConfig(jwt);
     const rt = await route(config);
@@ -3057,7 +3123,7 @@ async function main() {
     jwt = await ensureFreshJwt(jwt);
 
     const transcript = extractTranscript(transcriptPath);
-    const lastPrompt = readLastPrompt();
+    const lastPrompt = readLastPrompt(sessionId);
 
     const config = await loadConfig(jwt);
     const rt = await route(config);
@@ -3741,8 +3807,14 @@ async function main() {
     const msg = payload.message || payload.prompt || payload.content || '';
     if (msg) {
       const promptFile = join(homedir(), '.synkro', '.last-prompt');
-      mkdirSync(dirname(promptFile), { recursive: true });
-      writeFileSync(promptFile, msg, 'utf-8');
+      mkdirSync(dirname(promptFile), { recursive: true, mode: 0o700 });
+      writeFileSync(promptFile, msg, { encoding: 'utf-8', mode: 0o600 });
+      const sid = hookSessionId(payload);
+      if (sid) {
+        const sessDir = join(homedir(), '.synkro', 'sessions');
+        mkdirSync(sessDir, { recursive: true, mode: 0o700 });
+        writeFileSync(join(sessDir, sid + '.last-prompt'), msg, { encoding: 'utf-8', mode: 0o600 });
+      }
     }
 
     const sessionId = hookSessionId(payload);
@@ -3891,7 +3963,7 @@ async function main() {
     jwt = await ensureFreshJwt(jwt);
 
     const transcript = extractTranscript(transcriptPath);
-    const lastPrompt = readLastPrompt();
+    const lastPrompt = readLastPrompt(sessionId);
 
     const config = await loadConfig(jwt);
     if (config.silent) finishAllow();
@@ -5660,7 +5732,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.92")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.94")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -5677,12 +5749,13 @@ function writeConfigEnv(opts) {
   chmodSync2(CONFIG_PATH2, 384);
 }
 function resolveDeploymentMode() {
-  const envOverride = process.env.SYNKRO_DEPLOYMENT_MODE;
-  if (envOverride) return envOverride.toLowerCase();
+  const envOverride = process.env.SYNKRO_DEPLOYMENT_MODE?.toLowerCase();
+  if (envOverride === "bare-host" || envOverride === "docker") return envOverride;
   try {
     if (existsSync9(CONFIG_PATH2)) {
       const m = readFileSync7(CONFIG_PATH2, "utf-8").match(/^SYNKRO_DEPLOYMENT_MODE='([^']*)'/m);
-      if (m && m[1]) return m[1].toLowerCase();
+      const val = m?.[1]?.toLowerCase();
+      if (val === "bare-host" || val === "docker") return val;
     }
   } catch {
   }
@@ -7095,7 +7168,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.4.92");
+  console.log("1.4.94");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents