@synkro-sh/cli 1.5.5 → 1.5.7

package/dist/bootstrap.js

@@ -1110,7 +1110,7 @@ const ROLE_MAP: Record<string, GradeRole> = {
   edit: 'grade-edit', bash: 'grade-bash', plan: 'grade-plan', cwe: 'grade-cwe',
 };
 
-async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 20000): Promise<string> {
+async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 30000): Promise<string> {
   const body = JSON.stringify({ role, payload: prompt, content: prompt });
 
   const resp = await fetch('http://127.0.0.1:' + port + '/submit', {
@@ -1130,7 +1130,7 @@ async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port:
   return String(data.result || '');
 }
 
-export async function localGrade(surface: string, prompt: string, timeoutMs = 20000): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 30000): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
@@ -2804,7 +2804,7 @@ import {
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable,
+  logGraderUnavailable, isPathUnder,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -2849,65 +2849,138 @@ async function main() {
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
+    // Load JWT + routing config eagerly so even the short-circuit message
+    // carries the live pack name + local/cloud tag. Cost: ~200-500ms for the
+    // config fetch (network call, no caching). The fetch is unavoidable for
+    // the LLM path anyway — we just pay it sooner so the short-circuit can
+    // produce a properly-tagged system message.
+    let jwt = loadJwt();
+    if (!jwt) { outputEmpty(); return; }
+    jwt = await ensureFreshJwt(jwt);
+
+    const config = await loadConfig(jwt);
+    const rt = await route(config);
+    const tagStr = tag(rt, config);
+
+    if (config.silent) {
+      outputJson({ systemMessage: tagStr + ' bashGuard → skipped (silent mode)' });
+      return;
+    }
+
     // ─── Hook-side short-circuit for safe in-repo reads ───
     // The judge primer already deterministically allows these, but the round
     // trip + batch queue still costs 1–25s per call. Skipping the grade for
     // unambiguously read-only operations removes that latency for ~half of
     // typical commands (cat/grep/git status/ls/etc.) and unblocks the worker
     // pool to grade the operations that actually need judgment.
-    function isSafeInRepoRead(tName: string, cmd: string): boolean {
-      // CC's native read tools are inherently safe.
-      if (tName === 'Read' || tName === 'Grep' || tName === 'Glob') return true;
-      if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
-          tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
-      // Reject any shell metacharacter that could turn a "read" into a write
-      // or chain to an unsafe consumer. Using string includes instead of a
-      // regex because escaping inside a String.raw template literal is a
-      // footgun (we got bitten by an unbalanced-paren regex once already).
-      const UNSAFE_CHARS = ['>', ';', '&', '|', '\`'];
-      for (const ch of UNSAFE_CHARS) { if (cmd.indexOf(ch) !== -1) return false; }
-      const padded = ' ' + cmd + ' ';
-      const UNSAFE_WORDS = [' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ', ' tee ', ' kill ', ' sed -i', ' sed --in-place', '\$('];
+    // Returning FALSE just means "don't short-circuit — let the LLM grade it."
+    // Never blocks. The judge sees the command, applies rules, returns its
+    // own verdict. Path scoping below: STRICT, only short-circuit when every
+    // absolute path is under the linked repo root.
+    function isSafeBashSegment(seg: string, repoRoot: string): boolean {
+      const UNSAFE_CHARS = ['>', ';', '&', '\`'];
+      for (const ch of UNSAFE_CHARS) { if (seg.indexOf(ch) !== -1) return false; }
+      const padded = ' ' + seg + ' ';
+      const UNSAFE_WORDS = [
+        ' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ',
+        ' tee ', ' kill ', ' sed -i', ' sed --in-place',
+        ' sh -c', ' bash -c', ' zsh -c', ' eval ', ' exec ',
+        '\$(',
+      ];
       for (const w of UNSAFE_WORDS) { if (padded.indexOf(w) !== -1) return false; }
+
+      // Narrowed verb set. Removed:
+      //   awk:  has system() / |& shell-spawn
+      //   env:  \`env FOO=bar evil_cmd\` runs evil_cmd
+      //   sed:  scripting + -i write capability; not worth parsing
       const SAFE_VERBS = new Set([
         'cat','head','tail','less','more','grep','egrep','fgrep','rg','ag',
         'find','fd','ls','wc','cmp','diff','file','stat','which','whereis','type',
-        'pwd','whoami','id','date','echo','printf','env','true','false',
-        'jq','yq','awk','sort','uniq','cut','tr','xxd','hexdump','od','column',
+        'pwd','whoami','id','date','echo','printf','true','false',
+        'jq','yq','sort','uniq','cut','tr','xxd','hexdump','od','column',
         'node','npm','pnpm','yarn','bun','python','python3','ruby','go','rustc','cargo',
-        'git','sed',
+        'git',
       ]);
-      const tokens = cmd.trim().split(' ').filter(t => t.length > 0);
+      const tokens = seg.trim().split(' ').filter(t => t.length > 0);
       const verb = tokens[0] || '';
       if (!SAFE_VERBS.has(verb)) return false;
+
+      // find/fd: reject any execution / mutation action flag.
+      if (verb === 'find' || verb === 'fd') {
+        const BAD = new Set([
+          '-exec','-execdir','-ok','-okdir','-delete',
+          '-fprint','-fprintf','-fprint0','-fls',
+          '--exec','--exec-batch',
+        ]);
+        for (const t of tokens) { if (BAD.has(t)) return false; }
+      }
+
+      // git: only pure-read subcommands. branch/tag/remote/config dropped —
+      // each has flag combinations that mutate state.
       if (verb === 'git') {
-        const SAFE_GIT = new Set(['log','show','diff','blame','status','branch','tag','remote','config','rev-parse','ls-files','ls-tree','cat-file','shortlog','reflog','describe','symbolic-ref']);
+        const SAFE_GIT = new Set([
+          'log','show','diff','blame','status','rev-parse',
+          'ls-files','ls-tree','cat-file','shortlog','reflog',
+          'describe','symbolic-ref','--version',
+        ]);
         const sub = tokens[1] || '';
-        return SAFE_GIT.has(sub);
-      }
-      if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
+        if (!SAFE_GIT.has(sub)) return false;
+      } else if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
         const sub = tokens[1] || '';
-        const SAFE_PKG = new Set(['--version','-v','version','list','ls','why','view','show','info','outdated','-h','--help','help']);
-        return SAFE_PKG.has(sub);
-      }
-      if (['node','python','python3','ruby','rustc'].includes(verb)) {
+        const SAFE_PKG = new Set([
+          '--version','-v','version','list','ls','why','view','show','info','outdated',
+          '-h','--help','help',
+        ]);
+        if (!SAFE_PKG.has(sub)) return false;
+      } else if (['node','python','python3','ruby','rustc'].includes(verb)) {
         const sub = tokens[1] || '';
-        return sub === '--version' || sub === '-v' || sub === '-V';
+        if (sub !== '--version' && sub !== '-v' && sub !== '-V') return false;
+      }
+
+      // STRICT path scoping. Absolute paths MUST resolve under repoRoot.
+      // Home-relative (~/...) paths fall through to the LLM. Relative paths
+      // are implicitly under cwd which is the repo root for the agent session.
+      if (!repoRoot) return false;
+      for (let i = 1; i < tokens.length; i++) {
+        const t = tokens[i];
+        const stripped = t.replace(/^['"]/, '').replace(/['"]$/, '');
+        if (stripped.startsWith('~')) return false;
+        if (stripped.startsWith('/')) {
+          if (!isPathUnder(stripped, repoRoot)) return false;
+        }
+      }
+      return true;
+    }
+
+    function isSafeInRepoRead(tName: string, cmd: string, repoRoot: string): boolean {
+      if (tName === 'Read' || tName === 'Grep' || tName === 'Glob') return true;
+      if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
+          tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
+      if (!cmd || !repoRoot) return false;
+      // Allow pipes only if EVERY segment is safe on its own. Catches
+      // \`grep ... | head\`, \`cat foo | wc -l\`, \`git log | less\`, etc.
+      // Empty segments (from \`||\`) cause rejection.
+      const segments = cmd.split('|');
+      for (const seg of segments) {
+        const t = seg.trim();
+        if (t.length === 0) return false;
+        if (!isSafeBashSegment(t, repoRoot)) return false;
       }
-      // sed: only safe without -i (we filtered that above).
       return true;
     }
 
-    if (isSafeInRepoRead(toolName, command)) {
+    if (isSafeInRepoRead(toolName, command, cwd)) {
       log('bashGuard ' + cmdShort + ' → instant allow (safe in-repo read)');
-      outputJson({ hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro: safe in-repo read, deterministic allow.' } });
+      outputJson({
+        systemMessage: tagStr + ' bashGuard → pass: safe in-repo read',
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          additionalContext: tagStr + ' bashGuard pass: safe in-repo read.',
+        },
+      });
       return;
     }
 
-    let jwt = loadJwt();
-    if (!jwt) { outputEmpty(); return; }
-    jwt = await ensureFreshJwt(jwt);
-
     // ─── Install protection: server-side pkg-scan (CVE + typosquat + tarball + reputation) ───
     let installScanMsg = '';
     if (toolName === 'Bash') {
@@ -3016,15 +3089,9 @@ async function main() {
 
     const lastPrompt = readLastPrompt(sessionId);
 
-    const config = await loadConfig(jwt);
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-
-    if (config.silent) {
-      const msg = (installScanMsg ? installScanMsg + '\\n' : '') + tagStr + ' bashGuard → skipped (silent mode)';
-      outputJson({ systemMessage: msg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: msg } });
-      return;
-    }
+    // jwt + config + rt + tagStr already loaded eagerly at top of main
+    // (so the short-circuit could emit a properly-tagged message). Silent
+    // mode was also checked up there.
 
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
@@ -5854,7 +5921,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.5")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.5.7")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7244,7 +7311,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.5");
+  console.log("1.5.7");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents