@synkro-sh/cli 1.5.4 → 1.5.6

package/dist/bootstrap.js

@@ -1110,7 +1110,7 @@ const ROLE_MAP: Record<string, GradeRole> = {
   edit: 'grade-edit', bash: 'grade-bash', plan: 'grade-plan', cwe: 'grade-cwe',
 };
 
-async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 20000): Promise<string> {
+async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 30000): Promise<string> {
   const body = JSON.stringify({ role, payload: prompt, content: prompt });
 
   const resp = await fetch('http://127.0.0.1:' + port + '/submit', {
@@ -1130,7 +1130,7 @@ async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port:
   return String(data.result || '');
 }
 
-export async function localGrade(surface: string, prompt: string, timeoutMs = 20000): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 30000): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
@@ -2855,48 +2855,103 @@ async function main() {
     // unambiguously read-only operations removes that latency for ~half of
     // typical commands (cat/grep/git status/ls/etc.) and unblocks the worker
     // pool to grade the operations that actually need judgment.
-    function isSafeInRepoRead(tName: string, cmd: string): boolean {
-      // CC's native read tools are inherently safe.
-      if (tName === 'Read' || tName === 'Grep' || tName === 'Glob') return true;
-      if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
-          tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
-      // Reject any shell metacharacter that could turn a "read" into a write
-      // or chain to an unsafe consumer: redirects, pipes, sequencing, command
-      // substitution, sudo/su.
-      if (/[>;&|\\\`]|\\$\\(|<<|\\bsudo\\b|\\bsu\\b|\\brm\\b|\\bmv\\b|\\bcp\\b|\\bchmod\\b|\\bchown\\b|\\btee\\b|\\bsed\\s+-i\\b|\\bkill\\b/.test(cmd)) return false;
+    // Returning FALSE just means "don't short-circuit — let the LLM grade it."
+    // Never blocks. The judge sees the command, applies rules, returns its
+    // own verdict. Path scoping below: STRICT, only short-circuit when every
+    // absolute path is under the linked repo root.
+    function isSafeBashSegment(seg: string, repoRoot: string): boolean {
+      const UNSAFE_CHARS = ['>', ';', '&', '\`'];
+      for (const ch of UNSAFE_CHARS) { if (seg.indexOf(ch) !== -1) return false; }
+      const padded = ' ' + seg + ' ';
+      const UNSAFE_WORDS = [
+        ' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ',
+        ' tee ', ' kill ', ' sed -i', ' sed --in-place',
+        ' sh -c', ' bash -c', ' zsh -c', ' eval ', ' exec ',
+        '\$(',
+      ];
+      for (const w of UNSAFE_WORDS) { if (padded.indexOf(w) !== -1) return false; }
+
+      // Narrowed verb set. Removed:
+      //   awk:  has system() / |& shell-spawn
+      //   env:  \`env FOO=bar evil_cmd\` runs evil_cmd
+      //   sed:  scripting + -i write capability; not worth parsing
       const SAFE_VERBS = new Set([
         'cat','head','tail','less','more','grep','egrep','fgrep','rg','ag',
         'find','fd','ls','wc','cmp','diff','file','stat','which','whereis','type',
-        'pwd','whoami','id','date','echo','printf','env','true','false',
-        'jq','yq','awk','sort','uniq','cut','tr','xxd','hexdump','od','column',
+        'pwd','whoami','id','date','echo','printf','true','false',
+        'jq','yq','sort','uniq','cut','tr','xxd','hexdump','od','column',
         'node','npm','pnpm','yarn','bun','python','python3','ruby','go','rustc','cargo',
         'git',
       ]);
-      const tokens = cmd.trim().split(/\\s+/);
+      const tokens = seg.trim().split(' ').filter(t => t.length > 0);
       const verb = tokens[0] || '';
       if (!SAFE_VERBS.has(verb)) return false;
-      // For multi-mode tools, only allow read subcommands / version flags.
+
+      // find/fd: reject any execution / mutation action flag.
+      if (verb === 'find' || verb === 'fd') {
+        const BAD = new Set([
+          '-exec','-execdir','-ok','-okdir','-delete',
+          '-fprint','-fprintf','-fprint0','-fls',
+          '--exec','--exec-batch',
+        ]);
+        for (const t of tokens) { if (BAD.has(t)) return false; }
+      }
+
+      // git: only pure-read subcommands. branch/tag/remote/config dropped —
+      // each has flag combinations that mutate state.
       if (verb === 'git') {
-        const SAFE_GIT = new Set(['log','show','diff','blame','status','branch','tag','remote','config','rev-parse','ls-files','ls-tree','cat-file','shortlog','reflog','describe','symbolic-ref']);
+        const SAFE_GIT = new Set([
+          'log','show','diff','blame','status','rev-parse',
+          'ls-files','ls-tree','cat-file','shortlog','reflog',
+          'describe','symbolic-ref','--version',
+        ]);
         const sub = tokens[1] || '';
-        return SAFE_GIT.has(sub);
-      }
-      if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
-        // Only allow plain version/info/list/why probes — block install/add/update/run/exec.
+        if (!SAFE_GIT.has(sub)) return false;
+      } else if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
         const sub = tokens[1] || '';
-        const SAFE_PKG = new Set(['--version','-v','version','list','ls','why','view','show','info','outdated','-h','--help','help']);
-        return SAFE_PKG.has(sub);
-      }
-      if (['node','python','python3','ruby','rustc'].includes(verb)) {
+        const SAFE_PKG = new Set([
+          '--version','-v','version','list','ls','why','view','show','info','outdated',
+          '-h','--help','help',
+        ]);
+        if (!SAFE_PKG.has(sub)) return false;
+      } else if (['node','python','python3','ruby','rustc'].includes(verb)) {
         const sub = tokens[1] || '';
-        return sub === '--version' || sub === '-v' || sub === '-V';
+        if (sub !== '--version' && sub !== '-v' && sub !== '-V') return false;
+      }
+
+      // STRICT path scoping. Absolute paths MUST resolve under repoRoot.
+      // Home-relative (~/...) paths fall through to the LLM. Relative paths
+      // are implicitly under cwd which is the repo root for the agent session.
+      if (!repoRoot) return false;
+      for (let i = 1; i < tokens.length; i++) {
+        const t = tokens[i];
+        const stripped = t.replace(/^['"]/, '').replace(/['"]$/, '');
+        if (stripped.startsWith('~')) return false;
+        if (stripped.startsWith('/')) {
+          if (!isPathUnder(stripped, repoRoot)) return false;
+        }
+      }
+      return true;
+    }
+
+    function isSafeInRepoRead(tName: string, cmd: string, repoRoot: string): boolean {
+      if (tName === 'Read' || tName === 'Grep' || tName === 'Glob') return true;
+      if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
+          tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
+      if (!cmd || !repoRoot) return false;
+      // Allow pipes only if EVERY segment is safe on its own. Catches
+      // \`grep ... | head\`, \`cat foo | wc -l\`, \`git log | less\`, etc.
+      // Empty segments (from \`||\`) cause rejection.
+      const segments = cmd.split('|');
+      for (const seg of segments) {
+        const t = seg.trim();
+        if (t.length === 0) return false;
+        if (!isSafeBashSegment(t, repoRoot)) return false;
       }
-      // sed without -i flag is read-only by definition; we already excluded
-      // sed -i above. Anything else with a SAFE_VERB and no metachars is fine.
       return true;
     }
 
-    if (isSafeInRepoRead(toolName, command)) {
+    if (isSafeInRepoRead(toolName, command, cwd)) {
       log('bashGuard ' + cmdShort + ' → instant allow (safe in-repo read)');
       outputJson({ hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro: safe in-repo read, deterministic allow.' } });
       return;
@@ -5852,7 +5907,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.4")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.5.6")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7242,7 +7297,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.4");
+  console.log("1.5.6");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents