@synkro-sh/cli 1.5.6 → 1.5.7

package/dist/bootstrap.js

@@ -2804,7 +2804,7 @@ import {
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable,
+  logGraderUnavailable, isPathUnder,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -2849,6 +2849,24 @@ async function main() {
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
+    // Load JWT + routing config eagerly so even the short-circuit message
+    // carries the live pack name + local/cloud tag. Cost: ~200-500ms for the
+    // config fetch (network call, no caching). The fetch is unavoidable for
+    // the LLM path anyway — we just pay it sooner so the short-circuit can
+    // produce a properly-tagged system message.
+    let jwt = loadJwt();
+    if (!jwt) { outputEmpty(); return; }
+    jwt = await ensureFreshJwt(jwt);
+
+    const config = await loadConfig(jwt);
+    const rt = await route(config);
+    const tagStr = tag(rt, config);
+
+    if (config.silent) {
+      outputJson({ systemMessage: tagStr + ' bashGuard → skipped (silent mode)' });
+      return;
+    }
+
     // ─── Hook-side short-circuit for safe in-repo reads ───
     // The judge primer already deterministically allows these, but the round
     // trip + batch queue still costs 1–25s per call. Skipping the grade for
@@ -2953,14 +2971,16 @@ async function main() {
 
     if (isSafeInRepoRead(toolName, command, cwd)) {
       log('bashGuard ' + cmdShort + ' → instant allow (safe in-repo read)');
-      outputJson({ hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro: safe in-repo read, deterministic allow.' } });
+      outputJson({
+        systemMessage: tagStr + ' bashGuard → pass: safe in-repo read',
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          additionalContext: tagStr + ' bashGuard pass: safe in-repo read.',
+        },
+      });
       return;
     }
 
-    let jwt = loadJwt();
-    if (!jwt) { outputEmpty(); return; }
-    jwt = await ensureFreshJwt(jwt);
-
     // ─── Install protection: server-side pkg-scan (CVE + typosquat + tarball + reputation) ───
     let installScanMsg = '';
     if (toolName === 'Bash') {
@@ -3069,15 +3089,9 @@ async function main() {
 
     const lastPrompt = readLastPrompt(sessionId);
 
-    const config = await loadConfig(jwt);
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-
-    if (config.silent) {
-      const msg = (installScanMsg ? installScanMsg + '\\n' : '') + tagStr + ' bashGuard → skipped (silent mode)';
-      outputJson({ systemMessage: msg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: msg } });
-      return;
-    }
+    // jwt + config + rt + tagStr already loaded eagerly at top of main
+    // (so the short-circuit could emit a properly-tagged message). Silent
+    // mode was also checked up there.
 
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
@@ -5907,7 +5921,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.6")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.5.7")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7297,7 +7311,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.6");
+  console.log("1.5.7");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents