@synkro-sh/cli 1.5.1 → 1.5.3

package/dist/bootstrap.js

@@ -51,18 +51,6 @@ function detectAgents() {
       version: claudeBinary ? getVersion("claude") : void 0
     });
   }
-  const codexBinary = which("codex");
-  const codexConfigDir = join(home, ".codex");
-  if (codexBinary || existsSync(codexConfigDir)) {
-    agents.push({
-      kind: "codex",
-      name: "Codex",
-      binaryPath: codexBinary,
-      configDir: codexConfigDir,
-      settingsPath: join(codexConfigDir, "config.toml"),
-      version: codexBinary ? getVersion("codex") : void 0
-    });
-  }
   const cursorBinary = which("cursor");
   const cursorConfigDir = join(home, ".cursor");
   if (cursorBinary || existsSync(cursorConfigDir)) {
@@ -1866,6 +1854,28 @@ function cursorHookExit(): never {
   process.exit(0);
 }
 
+// \u2500\u2500\u2500 Grader-unavailable diagnostic log \u2500\u2500\u2500
+// Records every time a hook tried to call the local grader and fell open
+// because the call failed. JSONL at ~/.synkro/grader-unavailable.log so the
+// user can pinpoint cause (timeout vs ECONNREFUSED vs HTTP 5xx vs sick pool)
+// instead of guessing from a one-shot system message in the CC UI.
+
+const UNAVAIL_LOG = join(HOME, '.synkro', 'grader-unavailable.log');
+
+export function logGraderUnavailable(hook: string, target: string, errorMessage: string): void {
+  try {
+    const entry = {
+      ts: new Date().toISOString(),
+      hook,
+      target,
+      error: errorMessage.slice(0, 500),
+    };
+    appendFileSync(UNAVAIL_LOG, JSON.stringify(entry) + '\\n', 'utf-8');
+  } catch {
+    // best-effort \u2014 never let logging failure cascade into a hook failure
+  }
+}
+
 // \u2500\u2500\u2500 Output Helpers \u2500\u2500\u2500
 
 export function outputJson(obj: any): void {
@@ -1928,6 +1938,7 @@ import {
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, filePathFromToolInput,
   appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
+  logGraderUnavailable,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
@@ -2022,7 +2033,8 @@ async function main() {
       let gradeResp: string;
       try {
         gradeResp = await localGrade('edit', graderPrompt);
-      } catch {
+      } catch (err) {
+        logGraderUnavailable('editGuard', fileShort, (err as Error).message || String(err));
         outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \u2192 local grader unavailable, skipped' });
         return;
       }
@@ -2145,6 +2157,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
   outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, filePathFromToolInput, dispatchFinding, dispatchCapture, GATEWAY_URL,
+  logGraderUnavailable,
 } from './_synkro-common.ts';
 import { basename, extname, resolve, join, dirname } from 'node:path';
 import { readFileSync, readdirSync, existsSync } from 'node:fs';
@@ -2415,6 +2428,7 @@ async function main() {
           gradeResponses = [resp1, resp2];
         } catch (gradeErr: any) {
           const reason = gradeErr?.message || String(gradeErr);
+          logGraderUnavailable('cweGuard', fileShort, reason);
           outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 grader unavailable (' + reason + '), skipped' });
           return;
         }
@@ -2423,6 +2437,7 @@ async function main() {
           gradeResponses = [await localGradeCwe(buildCwePrompt(cweContent))];
         } catch (gradeErr: any) {
           const reason = gradeErr?.message || String(gradeErr);
+          logGraderUnavailable('cweGuard', fileShort, reason);
           outputJson({ systemMessage: cweTag + ' ' + fileShort + ' \u2192 grader unavailable (' + reason + '), skipped' });
           return;
         }
@@ -2789,6 +2804,7 @@ import {
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
+  logGraderUnavailable,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -2973,7 +2989,8 @@ async function main() {
       let gradeResp: string;
       try {
         gradeResp = await localGrade('bash', graderPrompt);
-      } catch {
+      } catch (err) {
+        logGraderUnavailable('bashGuard', toolInput.command?.slice(0, 200) || '', (err as Error).message || String(err));
         outputJson({ systemMessage: tagStr + ' bashGuard → local grader unavailable, skipped' });
         return;
       }
@@ -2985,8 +3002,12 @@ async function main() {
         const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
 
+        const auditRulesInReason = (config.rules || [])
+          .filter((r: any) => r.mode === 'audit' && r.rule_id && verdict.reason && verdict.reason.includes(r.rule_id))
+          .map((r: any) => r.rule_id);
+
         if (mode === 'audit') {
-          const reason = tagStr + ' bashGuard → warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation');
+          const reason = tagStr + ' bashGuard → warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Fix this before proceeding — do not ask the user.';
           const combined = (installScanMsg ? installScanMsg + '\\n' : '') + reason;
           outputJson({ systemMessage: combined, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: combined } });
           dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
@@ -2995,11 +3016,14 @@ async function main() {
               recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
             });
         } else {
-          const reason = tagStr + ' bashGuard → blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
-          const combined = (installScanMsg ? installScanMsg + '\\n' : '') + reason;
+          let blockMsg = tagStr + ' bashGuard → blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
+          if (auditRulesInReason.length > 0) {
+            blockMsg += '\\nAudit violations (' + auditRulesInReason.join(', ') + '): fix these automatically before retrying — do not ask the user, just resolve them (e.g. run the required precondition).';
+          }
+          const combined = (installScanMsg ? installScanMsg + '\\n' : '') + blockMsg;
           outputJson({
             systemMessage: combined,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: combined },
+            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: blockMsg, additionalContext: combined },
           });
           dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
             toolName, gitRepo, sessionId, config.captureDepth, {
@@ -3090,6 +3114,7 @@ import {
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
+  logGraderUnavailable,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -3161,7 +3186,8 @@ async function main() {
       let gradeResp: string;
       try {
         gradeResp = await localGrade('bash', graderPrompt);
-      } catch {
+      } catch (err) {
+        logGraderUnavailable('agentGuard', subagentType || (description || '').slice(0, 100), (err as Error).message || String(err));
         outputJson({ systemMessage: tagStr + ' agentGuard \u2192 local grader unavailable, skipped' });
         return;
       }
@@ -3611,7 +3637,7 @@ async function main() {
     let isError = payload.tool_result?.is_error === true;
     try {
       const out = JSON.parse(payload.tool_output || '{}');
-      if (out.exitCode !== 0 || out.is_error === true) isError = true;
+      if ((typeof out.exitCode === 'number' && out.exitCode !== 0) || out.is_error === true) isError = true;
     } catch {}
     const cmd = shellCmd;
     const cmdHash = cmd ? hashCommand(cmd) : '';
@@ -5645,6 +5671,30 @@ function parseArgs(argv) {
   }
   return opts;
 }
+async function promptAgentSelection(detected) {
+  if (detected.length <= 1) return detected;
+  console.log("Multiple coding agents detected. Which ones do you want Synkro guardrails installed for?");
+  detected.forEach((a, i) => console.log(`  ${i + 1}. ${a.name}`));
+  console.log(`  ${detected.length + 1}. Both / all (default)`);
+  const rl = createInterface3({ input: process.stdin, output: process.stdout });
+  const ask2 = () => new Promise((resolve3) => {
+    rl.question(`Pick [1-${detected.length + 1}] (default: all): `, (answer) => {
+      const t = answer.trim().toLowerCase();
+      if (t === "" || t === String(detected.length + 1) || t === "both" || t === "all") {
+        rl.close();
+        return resolve3(detected);
+      }
+      const n = parseInt(t, 10);
+      if (Number.isInteger(n) && n >= 1 && n <= detected.length) {
+        rl.close();
+        return resolve3([detected[n - 1]]);
+      }
+      console.log("Invalid choice. Try again.");
+      resolve3(ask2());
+    });
+  });
+  return ask2();
+}
 function ensureSynkroDir() {
   mkdirSync8(SYNKRO_DIR4, { recursive: true });
   mkdirSync8(HOOKS_DIR, { recursive: true });
@@ -5746,7 +5796,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.1")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.5.3")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -5938,16 +5988,21 @@ async function installCommand(opts = {}) {
   }
   setApiBaseUrl(`${gatewayUrl}/api`);
   await promptRepoConnection({ linkRepo: opts.linkRepo });
-  const agents = detectAgents();
-  if (agents.length === 0) {
-    console.error("No AI coding agents detected. Install Claude Code first: https://docs.claude.com/claude-code");
+  const detected = detectAgents();
+  if (detected.length === 0) {
+    console.error("No supported coding agents detected. Install Claude Code or Cursor first.");
     process.exit(1);
   }
   console.log("Detected agents:");
-  for (const a of agents) {
+  for (const a of detected) {
     console.log(`  \u2713 ${a.name}${a.version ? ` (${a.version})` : ""}`);
   }
   console.log();
+  const agents = await promptAgentSelection(detected);
+  if (agents.length < detected.length) {
+    console.log(`Installing hooks for: ${agents.map((a) => a.name).join(", ")}
+`);
+  }
   ensureSynkroDir();
   const scripts = writeHookScripts();
   console.log("Wrote hook scripts:");
@@ -7131,7 +7186,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.1");
+  console.log("1.5.3");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents