npm - @synkro-sh/cli - Versions diffs - 1.5.6 → 1.6.0 - Mend

@synkro-sh/cli 1.5.6 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -641,32 +641,9 @@ synkro_channel_up() {
 }
 # Fetch hook config. Sets SYNKRO_CAPTURE_DEPTH, SYNKRO_TIER, SYNKRO_RULES, SYNKRO_SILENT, SYNKRO_POLICY_NAME.
-_SYNKRO_RULES_FILE="$HOME/.synkro/rules.json"
 _SYNKRO_MCP_JWT_FILE="$HOME/.synkro/.mcp-jwt"
 synkro_load_config() {
-  # Local-first: read from ~/.synkro/rules.json if it exists (zero latency, no network)
-  if [ -f "$_SYNKRO_RULES_FILE" ]; then
-    local rdata
-    rdata=$(cat "$_SYNKRO_RULES_FILE" 2>/dev/null)
-    if [ -n "$rdata" ]; then
-      SYNKRO_CAPTURE_DEPTH="local_only"
-      SYNKRO_TIER="standard"
-      SYNKRO_SILENT=$(echo "$rdata" | jq -r '.config.silent // false' 2>/dev/null)
-      local active_id
-      active_id=$(echo "$rdata" | jq -r '.config.activePolicyId // empty' 2>/dev/null)
-      if [ -n "$active_id" ]; then
-        SYNKRO_POLICY_NAME=$(echo "$rdata" | jq -r --arg id "$active_id" '.policies[]? | select(.id == $id) | .name // empty' 2>/dev/null)
-        SYNKRO_RULES=$(echo "$rdata" | jq -c --arg id "$active_id" '[.policies[]? | select(.id == $id) | .rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
-      else
-        SYNKRO_POLICY_NAME=$(echo "$rdata" | jq -r '.policies[0]?.name // empty' 2>/dev/null)
-        SYNKRO_RULES=$(echo "$rdata" | jq -c '[.policies[0]?.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
-      fi
-      return
-    fi
-  fi
-  # Fallback: fetch from cloud API
   local resp
   resp=$(curl -sS "\${GATEWAY_URL}/api/v1/hook/config\${1:+?$1}" -H "Authorization: Bearer $JWT" --max-time 4 2>/dev/null || echo "")
   if [ -z "$resp" ]; then return; fi
@@ -674,7 +651,7 @@ synkro_load_config() {
   SYNKRO_TIER=$(echo "$resp" | jq -r '.tier // "standard"' 2>/dev/null)
   SYNKRO_SILENT=$(echo "$resp" | jq -r '.silent_mode // false' 2>/dev/null)
   SYNKRO_POLICY_NAME=$(echo "$resp" | jq -r '.active_policy_name // empty' 2>/dev/null)
-  SYNKRO_RULES=$(echo "$resp" | jq -c '[.rules[]? | select(.hook_stage == "pre" or .hook_stage == "both" or .hook_stage == null) | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
+  SYNKRO_RULES=$(echo "$resp" | jq -c '[.rules[]? | {rule_id,text,severity,category,mode}]' 2>/dev/null || echo "[]")
 }
 synkro_local_capture() {
@@ -988,6 +965,14 @@ export async function cweChannelUp(): Promise<boolean> {
   return channelUp(18930);
 }
+// \u2500\u2500\u2500 Mode Normalization \u2500\u2500\u2500
+function normalizeMode(m?: string): 'ask' | 'fix' {
+  if (m === 'blocking' || m === 'ask') return 'ask';
+  if (m === 'audit' || m === 'fix') return 'fix';
+  return 'ask';
+}
 // \u2500\u2500\u2500 Config Loading \u2500\u2500\u2500
 export interface Rule {
@@ -1029,13 +1014,12 @@ export async function loadConfig(jwt: string, query?: string): Promise<HookConfi
       if (policy) {
         config.policyName = policy.name || '';
         config.rules = (policy.rules || [])
-          .filter((r: any) => r.hook_stage === 'pre' || r.hook_stage === 'both' || r.hook_stage == null)
           .map((r: any) => ({
             rule_id: r.rule_id || '',
             text: r.text || '',
             severity: r.severity || '',
             category: r.category || '',
-            mode: r.mode || 'blocking',
+            mode: normalizeMode(r.mode),
           }));
       }
       config.silent = raw.silent === true;
@@ -1067,13 +1051,12 @@ export async function loadConfig(jwt: string, query?: string): Promise<HookConfi
     }
     if (Array.isArray(data.rules)) {
       config.rules = data.rules
-        .filter((r: any) => r.hook_stage === 'pre' || r.hook_stage === 'both' || r.hook_stage == null)
         .map((r: any) => ({
           rule_id: r.rule_id || '',
           text: r.text || '',
           severity: r.severity || '',
           category: r.category || '',
-          mode: r.mode || 'blocking',
+          mode: normalizeMode(r.mode),
         }));
     }
   } catch {}
@@ -1410,11 +1393,11 @@ export function appendLocalTelemetry(body: Record<string, any>): void {
 // \u2500\u2500\u2500 Rule Mode Lookup \u2500\u2500\u2500
-export function ruleMode(ruleId: string, rules: Rule[]): 'blocking' | 'audit' {
-  if (!ruleId || !rules.length) return 'blocking';
+export function ruleMode(ruleId: string, rules: Rule[]): 'ask' | 'fix' {
+  if (!ruleId || !rules.length) return 'ask';
   const matched = rules.filter(r => r.rule_id === ruleId);
-  if (matched.some(r => r.mode === 'blocking')) return 'blocking';
-  return (matched[0]?.mode as 'blocking' | 'audit') || 'blocking';
+  if (matched.some(r => r.mode === 'blocking' || r.mode === 'ask')) return 'ask';
+  return normalizeMode(matched[0]?.mode);
 }
 // \u2500\u2500\u2500 Content Reconstruction \u2500\u2500\u2500
@@ -2027,7 +2010,7 @@ async function main() {
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(config.rules),
-        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "audit". The enforcement layer handles audit vs blocking \u2014 your job is only to detect violations.',
+        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
       ].join('\\n');
       let gradeResp: string;
@@ -2044,37 +2027,27 @@ async function main() {
       const violatedRules = verdict.ruleId ? [verdict.ruleId] : [];
       if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
+        const mode = normalizeMode(verdict.ruleMode || ruleMode(verdict.ruleId, config.rules));
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-        if (mode !== 'audit') {
-          const denyReason = 'Guard: ' + guardReason + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the violation in code yourself.';
-          dispatchCapture(jwt, 'edit', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName, gitRepo, sessionId, config.captureDepth, {
-              command: editContent, reasoning: guardReason,
-              rulesChecked: config.rules, violatedRules,
-              ccModel: transcript.ccModel,
-            });
-          outputJson({
-            systemMessage: tagStr + ' editGuard ' + fileShort + ' \u2192 blocked: ' + guardReason,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: denyReason, additionalContext: denyReason },
-          });
-          return;
-        }
-        // Audit mode \u2014 warn but allow
-        dispatchCapture(jwt, 'edit', 'warning', verdict.severity || 'medium', verdict.category || 'security',
+        const denyReason = mode === 'fix'
+          ? 'Guard: ' + guardReason + '\\nFix all issues before retrying. Do NOT ask the user to make the edit manually \u2014 resolve the violation in code yourself.'
+          : 'Guard: ' + guardReason + '\\nAsk the user for explicit consent before retrying.';
+        dispatchCapture(jwt, 'edit', 'block', verdict.severity || 'critical', verdict.category || 'security',
           toolName, gitRepo, sessionId, config.captureDepth, {
             command: editContent, reasoning: guardReason,
             rulesChecked: config.rules, violatedRules,
             ccModel: transcript.ccModel,
           });
-        outputJson({ systemMessage: tagStr + ' editGuard ' + fileShort + ' \u2192 warning: ' + guardReason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local edit judge (audit). ' + guardReason } });
+        outputJson({
+          systemMessage: tagStr + ' editGuard ' + fileShort + ' \u2192 blocked: ' + guardReason,
+          hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: denyReason, additionalContext: denyReason },
+        });
         return;
       }
       // Clean
-      dispatchCapture(jwt, 'edit', 'pass', 'audit', verdict.category || 'trivial_edit',
+      dispatchCapture(jwt, 'edit', 'pass', 'clean', verdict.category || 'trivial_edit',
         toolName, gitRepo, sessionId, config.captureDepth, {
           command: editContent, reasoning: verdict.reason || 'no policy violations detected',
           rulesChecked: config.rules, violatedRules: [],
@@ -2572,7 +2545,7 @@ async function main() {
     const findings = Array.isArray(cweResp?.findings) ? cweResp.findings : [];
     if (cweResp?.action === 'deny' && findings.length > 0) {
       const activeCweIds = findings
-        .filter((f: any) => f.mode === 'blocking')
+        .filter((f: any) => f.mode === 'blocking' || f.mode === 'ask')
         .map((f: any) => f.cwe)
         .filter((id: string) => !exemptedCwes.has(id.toUpperCase()));
@@ -2804,7 +2777,7 @@ import {
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable,
+  logGraderUnavailable, isPathUnder,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
@@ -2849,6 +2822,24 @@ async function main() {
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
+    // Load JWT + routing config eagerly so even the short-circuit message
+    // carries the live pack name + local/cloud tag. Cost: ~200-500ms for the
+    // config fetch (network call, no caching). The fetch is unavoidable for
+    // the LLM path anyway — we just pay it sooner so the short-circuit can
+    // produce a properly-tagged system message.
+    let jwt = loadJwt();
+    if (!jwt) { outputEmpty(); return; }
+    jwt = await ensureFreshJwt(jwt);
+    const config = await loadConfig(jwt);
+    const rt = await route(config);
+    const tagStr = tag(rt, config);
+    if (config.silent) {
+      outputJson({ systemMessage: tagStr + ' bashGuard → skipped (silent mode)' });
+      return;
+    }
     // ─── Hook-side short-circuit for safe in-repo reads ───
     // The judge primer already deterministically allows these, but the round
     // trip + batch queue still costs 1–25s per call. Skipping the grade for
@@ -2953,14 +2944,16 @@ async function main() {
     if (isSafeInRepoRead(toolName, command, cwd)) {
       log('bashGuard ' + cmdShort + ' → instant allow (safe in-repo read)');
-      outputJson({ hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro: safe in-repo read, deterministic allow.' } });
+      outputJson({
+        systemMessage: tagStr + ' bashGuard → pass: safe in-repo read',
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          additionalContext: tagStr + ' bashGuard pass: safe in-repo read.',
+        },
+      });
       return;
     }
-    let jwt = loadJwt();
-    if (!jwt) { outputEmpty(); return; }
-    jwt = await ensureFreshJwt(jwt);
     // ─── Install protection: server-side pkg-scan (CVE + typosquat + tarball + reputation) ───
     let installScanMsg = '';
     if (toolName === 'Bash') {
@@ -3069,15 +3062,9 @@ async function main() {
     const lastPrompt = readLastPrompt(sessionId);
-    const config = await loadConfig(jwt);
-    const rt = await route(config);
-    const tagStr = tag(rt, config);
-    if (config.silent) {
-      const msg = (installScanMsg ? installScanMsg + '\\n' : '') + tagStr + ' bashGuard → skipped (silent mode)';
-      outputJson({ systemMessage: msg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: msg } });
-      return;
-    }
+    // jwt + config + rt + tagStr already loaded eagerly at top of main
+    // (so the short-circuit could emit a properly-tagged message). Silent
+    // mode was also checked up there.
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
@@ -3089,7 +3076,7 @@ async function main() {
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(config.rules),
-        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "audit". The enforcement layer handles audit vs blocking — your job is only to detect violations.',
+        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix — your job is only to detect violations.',
         'When passing (ok=true), cite which rules you checked and why they passed (e.g. "R006 satisfied: typecheck found in session history"). Be specific, not generic.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
@@ -3107,45 +3094,29 @@ async function main() {
       const violatedRules = verdict.ruleId ? [verdict.ruleId] : [];
       if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
+        const mode = normalizeMode(verdict.ruleMode || ruleMode(verdict.ruleId, config.rules));
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-        const auditRulesInReason = (config.rules || [])
-          .filter((r: any) => r.mode === 'audit' && r.rule_id && verdict.reason && verdict.reason.includes(r.rule_id))
-          .map((r: any) => r.rule_id);
-        if (mode === 'audit') {
-          const reason = tagStr + ' bashGuard → warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Fix this before proceeding — do not ask the user.';
-          const combined = (installScanMsg ? installScanMsg + '\\n' : '') + reason;
-          outputJson({ systemMessage: combined, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: combined } });
-          dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-            toolName, gitRepo, sessionId, config.captureDepth, {
-              command, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
-              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
-            });
-        } else {
-          let blockMsg = tagStr + ' bashGuard → blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
-          if (auditRulesInReason.length > 0) {
-            blockMsg += '\\nAudit violations (' + auditRulesInReason.join(', ') + '): fix these automatically before retrying — do not ask the user, just resolve them (e.g. run the required precondition).';
-          }
-          const combined = (installScanMsg ? installScanMsg + '\\n' : '') + blockMsg;
-          outputJson({
-            systemMessage: combined,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: blockMsg, additionalContext: combined },
+        const blockMsg = mode === 'fix'
+          ? tagStr + ' bashGuard → blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Fix this before retrying — do not ask the user.'
+          : tagStr + ' bashGuard → blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
+        const combined = (installScanMsg ? installScanMsg + '\\n' : '') + blockMsg;
+        outputJson({
+          systemMessage: combined,
+          hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: blockMsg, additionalContext: combined },
+        });
+        dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
+          toolName, gitRepo, sessionId, config.captureDepth, {
+            command, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
+            recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
           });
-          dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName, gitRepo, sessionId, config.captureDepth, {
-              command, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
-              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
-            });
-        }
       } else {
-        const auditRuleIds = (config.rules || []).filter((r: any) => r.mode === 'audit').map((r: any) => r.rule_id || r.id).filter(Boolean);
-        const auditNote = auditRuleIds.length > 0 ? ' (audit rules checked: ' + auditRuleIds.join(', ') + ')' : '';
-        const reason = tagStr + ' bashGuard → pass: ' + (verdict.reason || 'no policy violations detected') + auditNote;
+        const fixRuleIds = (config.rules || []).filter((r: any) => r.mode === 'fix' || r.mode === 'audit').map((r: any) => r.rule_id || r.id).filter(Boolean);
+        const fixNote = fixRuleIds.length > 0 ? ' (fix rules checked: ' + fixRuleIds.join(', ') + ')' : '';
+        const reason = tagStr + ' bashGuard → pass: ' + (verdict.reason || 'no policy violations detected') + fixNote;
         const combined = (installScanMsg ? installScanMsg + '\\n' : '') + reason;
         outputJson({ systemMessage: combined, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: combined } });
-        dispatchCapture(jwt, 'bash', 'pass', 'audit', verdict.category || 'trivial_utility',
+        dispatchCapture(jwt, 'bash', 'pass', 'clean', verdict.category || 'trivial_utility',
           toolName, gitRepo, sessionId, config.captureDepth, {
             command, reasoning: verdict.reason || 'no policy violations detected',
             rulesChecked: config.rules, violatedRules: [],
@@ -3288,7 +3259,7 @@ async function main() {
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(config.rules),
-        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "audit". The enforcement layer handles audit vs blocking \u2014 your job is only to detect violations.',
+        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
       ].filter(Boolean).join('\\n');
       let gradeResp: string;
@@ -3305,33 +3276,25 @@ async function main() {
       const violatedRules = verdict.ruleId ? [verdict.ruleId] : [];
       if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
+        const mode = normalizeMode(verdict.ruleMode || ruleMode(verdict.ruleId, config.rules));
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-        if (mode === 'audit') {
-          const reason = tagStr + ' agentGuard \u2192 warning' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation');
-          outputJson({ systemMessage: reason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: reason } });
-          dispatchCapture(jwt, 'agent', 'warning', verdict.severity || 'medium', verdict.category || 'security',
-            toolName, gitRepo, sessionId, config.captureDepth, {
-              command: agentContent, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
-              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
-            });
-        } else {
-          const reason = tagStr + ' agentGuard \u2192 blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
-          outputJson({
-            systemMessage: reason,
-            hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: reason },
+        const reason = mode === 'fix'
+          ? tagStr + ' agentGuard \u2192 blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Fix this before retrying \u2014 do not ask the user.'
+          : tagStr + ' agentGuard \u2192 blocked' + (verdict.ruleId ? ' (' + verdict.ruleId + ')' : '') + ': ' + (verdict.reason || 'policy violation') + '. Ask the user for explicit consent before retrying.';
+        outputJson({
+          systemMessage: reason,
+          hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: reason, additionalContext: reason },
+        });
+        dispatchCapture(jwt, 'agent', 'block', verdict.severity || 'critical', verdict.category || 'security',
+          toolName, gitRepo, sessionId, config.captureDepth, {
+            command: agentContent, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
+            recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
           });
-          dispatchCapture(jwt, 'agent', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            toolName, gitRepo, sessionId, config.captureDepth, {
-              command: agentContent, reasoning: guardReason, rulesChecked: config.rules, violatedRules,
-              recentUserMessages: transcript.recentUserMessages, ccModel: transcript.ccModel,
-            });
-        }
       } else {
         const reason = tagStr + ' agentGuard \u2192 pass: ' + (verdict.reason || 'no policy violations detected');
         outputJson({ systemMessage: reason, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: reason } });
-        dispatchCapture(jwt, 'agent', 'pass', 'audit', verdict.category || 'subagent_spawn',
+        dispatchCapture(jwt, 'agent', 'pass', 'clean', verdict.category || 'subagent_spawn',
           toolName, gitRepo, sessionId, config.captureDepth, {
             command: agentContent, reasoning: verdict.reason || 'no policy violations detected',
             rulesChecked: config.rules, violatedRules: [],
@@ -3513,7 +3476,7 @@ async function main() {
         appendReviewToPlan(planFile, '\\u2705 Clean \\u2014 ' + reviewMsg);
         const cleanLine = tagStr + ' planReview \u2192 clean: ' + reviewMsg;
         outputJson({ systemMessage: cleanLine, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: 'Synkro local plan judge. ' + reviewMsg } });
-        dispatchCapture(jwt, 'plan_review', 'clean', 'audit', verdict.category || 'general',
+        dispatchCapture(jwt, 'plan_review', 'clean', 'clean', verdict.category || 'general',
           'ExitPlanMode', gitRepo, sessionId, config.captureDepth, {
             command: planContent, reasoning: reviewMsg,
             rulesChecked: config.rules, violatedRules: [],
@@ -4141,33 +4104,25 @@ async function main() {
       const verdict = parseVerdict(gradeResp);
       if (!verdict.ok) {
-        const mode = verdict.ruleMode || ruleMode(verdict.ruleId, config.rules);
+        const mode = normalizeMode(verdict.ruleMode || ruleMode(verdict.ruleId, config.rules));
         const guardReason = (verdict.ruleId ? '(' + verdict.ruleId + ') ' : '') + (verdict.reason || 'policy violation');
-        if (mode !== 'audit') {
-          dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
-            'Bash', gitRepo, sessionId, config.captureDepth, {
-              command, reasoning: guardReason,
-              rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
-              ccModel: model,
-            });
-          finishWith({
-            permission: 'deny',
-            user_message: tagStr + ' bashGuard \u2192 block: ' + guardReason,
-            agent_message: 'Synkro safety judge. Reasoning: ' + (verdict.reason || guardReason),
-          });
-        }
-        dispatchCapture(jwt, 'bash', 'warning', verdict.severity || 'medium', verdict.category || 'security',
+        const agentMsg = mode === 'fix'
+          ? 'Synkro safety judge. Fix this before retrying \u2014 do not ask the user. Reasoning: ' + (verdict.reason || guardReason)
+          : 'Synkro safety judge. Ask the user for explicit consent before retrying. Reasoning: ' + (verdict.reason || guardReason);
+        dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
           'Bash', gitRepo, sessionId, config.captureDepth, {
             command, reasoning: guardReason,
             rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
             ccModel: model,
           });
-        log('bashGuard ' + cmdShort + ' \u2192 audit warning');
-        finishWith({ permission: 'allow' });
+        finishWith({
+          permission: 'deny',
+          user_message: tagStr + ' bashGuard \u2192 block: ' + guardReason,
+          agent_message: agentMsg,
+        });
       } else {
-        dispatchCapture(jwt, 'bash', 'pass', 'audit', verdict.category || 'clean',
+        dispatchCapture(jwt, 'bash', 'pass', 'clean', verdict.category || 'clean',
           'Bash', gitRepo, sessionId, config.captureDepth, {
             command, reasoning: verdict.reason || 'no policy violations detected',
             rulesChecked: config.rules, violatedRules: [],
@@ -4301,18 +4256,13 @@ async function main() {
     if (cwd) captureBody.cwd = cwd;
     if (repo) captureBody.repo = repo;
-    const rulesPath = join(homedir(), '.synkro', 'rules.json');
-    if (existsSync(rulesPath)) {
-      appendLocalTelemetry(captureBody);
-    } else {
-      fetch(GATEWAY_URL + '/api/v1/hook/capture', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
-        body: JSON.stringify(captureBody),
-        signal: AbortSignal.timeout(10000),
-      }).catch(() => {});
-      appendLocalTelemetry(captureBody);
-    }
+    appendLocalTelemetry(captureBody);
+    fetch(GATEWAY_URL + '/api/v1/hook/capture', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+      body: JSON.stringify(captureBody),
+      signal: AbortSignal.timeout(10000),
+    }).catch(() => {});
     finish();
   } catch (e) {
@@ -5580,13 +5530,17 @@ __export(dockerInstall_exports, {
   SYNKRO_DIR: () => SYNKRO_DIR3,
   assertDockerAvailable: () => assertDockerAvailable,
   dockerInstall: () => dockerInstall,
+  dockerRemove: () => dockerRemove,
+  dockerSafeRestart: () => dockerSafeRestart,
+  dockerSafeStart: () => dockerSafeStart,
+  dockerSafeStop: () => dockerSafeStop,
   dockerStatus: () => dockerStatus,
   dockerStop: () => dockerStop,
   dockerUpdate: () => dockerUpdate,
   imageTag: () => imageTag,
   waitForContainerReady: () => waitForContainerReady
 });
-import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7 } from "fs";
+import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readdirSync } from "fs";
 import { homedir as homedir7 } from "os";
 import { join as join7 } from "path";
 import { spawnSync as spawnSync2 } from "child_process";
@@ -5615,6 +5569,7 @@ async function dockerInstall(opts = {}) {
   const image = imageTag();
   const workers = String(opts.workersPerPool ?? 8);
   mkdirSync7(PGDATA_PATH, { recursive: true });
+  mkdirSync7(BACKUP_DIR, { recursive: true });
   mkdirSync7(CLAUDE_HOST_STATE_DIR, { recursive: true });
   const hostClaudeJson = join7(homedir7(), ".claude.json");
   if (existsSync8(hostClaudeJson)) {
@@ -5647,7 +5602,12 @@ async function dockerInstall(opts = {}) {
   if (pull.status !== 0) {
     throw new DockerInstallError(`docker pull ${image} failed`);
   }
-  spawnSync2("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+  const existing = dockerStatus();
+  if (existing.running) {
+    console.log("  Stopping existing container gracefully...");
+    await dockerSafeStop();
+  }
+  spawnSync2("docker", ["rm", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
   const credsDir = claudeCredsHostDir();
   const args2 = [
     "run",
@@ -5667,6 +5627,8 @@ async function dockerInstall(opts = {}) {
     "-v",
     `${PGDATA_PATH}:/data/pgdata`,
     "-v",
+    `${BACKUP_DIR}:/data/backups`,
+    "-v",
     `${MCP_JWT_PATH}:/data/.mcp-jwt:ro`,
     "-v",
     `${SYNKRO_CREDS_PATH}:/data/credentials.json:ro`,
@@ -5702,12 +5664,18 @@ async function waitForContainerReady(timeoutMs = 6e4) {
   }
   return false;
 }
+function dockerRemove() {
+  spawnSync2("docker", ["rm", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+}
 function dockerStop() {
-  spawnSync2("docker", ["stop", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
-  spawnSync2("docker", ["rm", "-f", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
+  spawnSync2("docker", ["stop", "--timeout=30", CONTAINER_NAME], { encoding: "utf-8", timeout: 45e3 });
+  spawnSync2("docker", ["rm", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
 }
 async function dockerUpdate(workersPerPool) {
-  dockerStop();
+  if (dockerStatus().running) {
+    await dockerSafeStop();
+  }
+  dockerRemove();
   await dockerInstall({ workersPerPool });
 }
 function dockerStatus() {
@@ -5723,7 +5691,121 @@ function dockerStatus() {
     healthz: `http://127.0.0.1:${HOST_MCP_PORT}/`
   };
 }
-var SYNKRO_DIR3, MCP_JWT_PATH, SYNKRO_CREDS_PATH, PGDATA_PATH, CLAUDE_HOST_STATE_DIR, CLAUDE_HOST_STATE_FILE, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError;
+async function dockerSafeStop() {
+  const status = dockerStatus();
+  if (!status.running) {
+    console.log("  Container is not running.");
+    return { ok: true, pgdataCheck: checkPgdata() };
+  }
+  console.log("  Requesting data snapshot before shutdown...");
+  let snapshot = { ok: false, error: "not attempted" };
+  try {
+    const resp = await fetch(`http://127.0.0.1:${HOST_MCP_PORT}/api/local/snapshot`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ reason: "cli-stop" }),
+      signal: AbortSignal.timeout(2e4)
+    });
+    if (resp.ok) {
+      snapshot = { ok: true };
+      console.log("  \u2713 Snapshot saved.");
+    } else {
+      snapshot = { ok: false, error: `HTTP ${resp.status}` };
+      console.warn(`  \u26A0 Snapshot request failed (HTTP ${resp.status}). Proceeding with stop.`);
+    }
+  } catch (e) {
+    snapshot = { ok: false, error: String(e).slice(0, 100) };
+    console.warn(`  \u26A0 Snapshot request failed: ${snapshot.error}. Proceeding with stop.`);
+  }
+  console.log("  Stopping container (30s grace for CHECKPOINT + WAL flush)...");
+  const stop = spawnSync2("docker", ["stop", "--timeout=30", CONTAINER_NAME], {
+    encoding: "utf-8",
+    timeout: 45e3
+  });
+  const inspect = spawnSync2("docker", ["inspect", "--format", "{{.State.ExitCode}}", CONTAINER_NAME], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  const exitCode = parseInt((inspect.stdout || "").trim(), 10);
+  if (exitCode === 0) {
+    console.log("  \u2713 Container stopped cleanly (exit 0).");
+  } else {
+    console.warn(`  \u26A0 Container exited with code ${exitCode}.`);
+  }
+  const pgCheck = checkPgdata();
+  if (pgCheck.healthy) {
+    console.log(`  \u2713 pgdata looks healthy: ${pgCheck.details}`);
+  } else {
+    console.warn(`  \u26A0 pgdata check: ${pgCheck.details}`);
+  }
+  return { ok: stop.status === 0, snapshot, exitCode, pgdataCheck: pgCheck };
+}
+async function dockerSafeStart() {
+  const status = dockerStatus();
+  if (status.running) {
+    console.log("  Container is already running.");
+    return { ok: true, pgdataState: "running" };
+  }
+  const exists = spawnSync2("docker", ["inspect", "--format", "{{.State.Status}}", CONTAINER_NAME], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (exists.status !== 0) {
+    return { ok: false, pgdataState: "no_container", error: "No synkro-server container found. Run `synkro install` first." };
+  }
+  const pgCheck = checkPgdata();
+  if (existsSync8(PGDATA_PATH) && readdirSync(PGDATA_PATH).length > 0) {
+    if (pgCheck.healthy) {
+      console.log(`  pgdata: existing data found \u2014 ${pgCheck.details}`);
+    } else {
+      console.warn(`  \u26A0 pgdata: ${pgCheck.details}`);
+      console.log("  Starting anyway \u2014 entrypoint will attempt recovery from snapshots if needed.");
+    }
+  } else {
+    console.log("  pgdata: no existing data \u2014 fresh start.");
+    mkdirSync7(PGDATA_PATH, { recursive: true });
+  }
+  console.log("  Starting container...");
+  const start = spawnSync2("docker", ["start", CONTAINER_NAME], {
+    encoding: "utf-8",
+    timeout: 3e4
+  });
+  if (start.status !== 0) {
+    return { ok: false, pgdataState: "start_failed", error: `docker start failed: ${(start.stderr || "").slice(0, 200)}` };
+  }
+  console.log("  Waiting for server to become healthy...");
+  const ready = await waitForContainerReady(6e4);
+  if (ready) {
+    console.log("  \u2713 Server is healthy and ready.");
+    return { ok: true, pgdataState: pgCheck.healthy ? "existing" : "recovered" };
+  } else {
+    return { ok: false, pgdataState: "unhealthy", error: "Server did not become healthy within 60s. Check: docker logs synkro-server" };
+  }
+}
+async function dockerSafeRestart() {
+  console.log("  === Stop ===");
+  const stopResult = await dockerSafeStop();
+  if (!stopResult.ok) {
+    console.error("  Stop failed. Aborting restart.");
+    return { ok: false, stop: stopResult, start: { ok: false, pgdataState: "not_started", error: "stop failed" } };
+  }
+  console.log("\n  === Start ===");
+  const startResult = await dockerSafeStart();
+  return { ok: startResult.ok, stop: stopResult, start: startResult };
+}
+function checkPgdata() {
+  if (!existsSync8(PGDATA_PATH)) return { healthy: false, details: "pgdata directory does not exist" };
+  const entries = readdirSync(PGDATA_PATH);
+  if (entries.length === 0) return { healthy: true, details: "empty (fresh start)" };
+  const hasPidFile = entries.includes("postmaster.pid");
+  const hasWalDir = entries.includes("pg_wal");
+  const hasPgControl = entries.includes("global") || entries.includes("pg_control");
+  if (hasPidFile) return { healthy: false, details: "stale postmaster.pid present (unclean shutdown)" };
+  if (!hasWalDir) return { healthy: false, details: "pg_wal directory missing" };
+  if (!hasPgControl) return { healthy: false, details: "pg_control/global directory missing" };
+  return { healthy: true, details: `${entries.length} entries, WAL present, no stale PID` };
+}
+var SYNKRO_DIR3, MCP_JWT_PATH, SYNKRO_CREDS_PATH, PGDATA_PATH, CLAUDE_HOST_STATE_DIR, CLAUDE_HOST_STATE_FILE, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError, BACKUP_DIR;
 var init_dockerInstall = __esm({
   "cli/local-cc/dockerInstall.ts"() {
     "use strict";
@@ -5748,6 +5830,7 @@ var init_dockerInstall = __esm({
       }
       cause;
     };
+    BACKUP_DIR = join7(SYNKRO_DIR3, "pgdata-backups");
   }
 });
@@ -5757,7 +5840,7 @@ __export(install_exports, {
   installCommand: () => installCommand,
   parseArgs: () => parseArgs
 });
-import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync7, readdirSync } from "fs";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync7, readdirSync as readdirSync2 } from "fs";
 import { homedir as homedir8 } from "os";
 import { join as join8 } from "path";
 import { execSync as execSync5 } from "child_process";
@@ -5907,7 +5990,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.6")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.0")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -5976,7 +6059,7 @@ function collectLocalMetadata() {
   }
   try {
     const sessionsDir = join8(claudeDir, "sessions");
-    const files = readdirSync(sessionsDir).filter((f) => f.endsWith(".json")).slice(-5);
+    const files = readdirSync2(sessionsDir).filter((f) => f.endsWith(".json")).slice(-5);
     for (const f of files) {
       const s = JSON.parse(readFileSync7(join8(sessionsDir, f), "utf-8"));
       if (s.version) {
@@ -6382,7 +6465,7 @@ function getClaudeProjectsFolder() {
 }
 function extractSessionInsights(projectsDir) {
   const insights = [];
-  const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
+  const files = readdirSync2(projectsDir).filter((f) => f.endsWith(".jsonl"));
   for (const file of files) {
     const sessionId = file.replace(".jsonl", "");
     const filePath = join8(projectsDir, file);
@@ -6503,7 +6586,7 @@ function parseTranscriptFile(filePath) {
 async function syncTranscriptsBulk(gatewayUrl, token, repo) {
   const projectsDir = getClaudeProjectsFolder();
   if (!projectsDir) return { sessions: 0, messages: 0 };
-  const files = readdirSync(projectsDir).filter((f) => f.endsWith(".jsonl"));
+  const files = readdirSync2(projectsDir).filter((f) => f.endsWith(".jsonl"));
   if (files.length === 0) return { sessions: 0, messages: 0 };
   console.log(`Found ${files.length} CC session transcripts, syncing...`);
   const maxMessagesPerSession = 500;
@@ -7017,18 +7100,19 @@ var disconnect_exports = {};
 __export(disconnect_exports, {
   disconnectCommand: () => disconnectCommand
 });
-import { existsSync as existsSync11, rmSync } from "fs";
+import { existsSync as existsSync11, rmSync, readdirSync as readdirSync3 } from "fs";
 import { homedir as homedir10 } from "os";
 import { join as join10 } from "path";
 import { spawnSync as spawnSync4 } from "child_process";
-function tearDownLocalCC(purge) {
+async function tearDownLocalCC(purge) {
   const docker = dockerStatus();
   if (docker.running) {
-    dockerStop();
-    console.log("\u2713 stopped synkro-server container");
+    await dockerSafeStop();
+    console.log("\u2713 stopped synkro-server container (data snapshot saved)");
   } else {
     console.log("\xB7 no synkro-server container running");
   }
+  dockerRemove();
   if (purge) {
     try {
       const image = imageTag();
@@ -7047,10 +7131,10 @@ function tearDownLocalCC(purge) {
   uninstallLocalCC();
   console.log("\u2713 cleaned ~/.claude.json entries");
 }
-function disconnectCommand(args2 = []) {
+async function disconnectCommand(args2 = []) {
   const purge = args2.includes("--purge");
   console.log("Synkro disconnect starting...\n");
-  tearDownLocalCC(purge);
+  await tearDownLocalCC(purge);
   const agents = detectAgents();
   let sawClaudeCode = false;
   for (const agent of agents) {
@@ -7073,8 +7157,22 @@ function disconnectCommand(args2 = []) {
   }
   if (purge) {
     if (existsSync11(SYNKRO_DIR5)) {
-      rmSync(SYNKRO_DIR5, { recursive: true, force: true });
-      console.log(`\u2713 Removed ${SYNKRO_DIR5}`);
+      const pgdataPath = join10(SYNKRO_DIR5, "pgdata");
+      const backupsPath = join10(SYNKRO_DIR5, "pgdata-backups");
+      const preserved = [];
+      for (const entry of readdirSync3(SYNKRO_DIR5)) {
+        const full = join10(SYNKRO_DIR5, entry);
+        if (full === pgdataPath || full === backupsPath) {
+          preserved.push(entry);
+          continue;
+        }
+        rmSync(full, { recursive: true, force: true });
+      }
+      if (preserved.length > 0) {
+        console.log(`\u2713 Removed ${SYNKRO_DIR5} config (preserved: ${preserved.join(", ")} \u2014 your data is safe)`);
+      } else {
+        console.log(`\u2713 Removed ${SYNKRO_DIR5}`);
+      }
     } else {
       console.log(`\xB7 ${SYNKRO_DIR5} already gone, nothing to remove`);
     }
@@ -7273,6 +7371,53 @@ var init_grade = __esm({
   }
 });
+// cli/commands/lifecycle.ts
+var lifecycle_exports = {};
+__export(lifecycle_exports, {
+  restartCommand: () => restartCommand,
+  startCommand: () => startCommand,
+  stopCommand: () => stopCommand
+});
+async function stopCommand() {
+  assertDockerAvailable();
+  console.log("Synkro: stopping server\n");
+  const result = await dockerSafeStop();
+  if (!result.ok) {
+    console.error("\nStop failed. Check: docker logs synkro-server");
+    process.exit(1);
+  }
+  console.log("\nServer stopped.");
+}
+async function startCommand() {
+  assertDockerAvailable();
+  console.log("Synkro: starting server\n");
+  const result = await dockerSafeStart();
+  if (!result.ok) {
+    console.error(`
+Start failed: ${result.error}`);
+    process.exit(1);
+  }
+  console.log("\nServer is running.");
+}
+async function restartCommand() {
+  assertDockerAvailable();
+  console.log("Synkro: restarting server\n");
+  const result = await dockerSafeRestart();
+  if (!result.ok) {
+    if (!result.stop.ok) console.error("\nStop phase failed.");
+    if (!result.start.ok) console.error(`
+Start phase failed: ${result.start.error}`);
+    process.exit(1);
+  }
+  console.log("\nServer restarted successfully.");
+}
+var init_lifecycle = __esm({
+  "cli/commands/lifecycle.ts"() {
+    "use strict";
+    init_dockerInstall();
+  }
+});
 // cli/bootstrap.js
 import { readFileSync as readFileSync10, existsSync as existsSync13 } from "fs";
 import { resolve as resolve2 } from "path";
@@ -7297,7 +7442,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.6");
+  console.log("1.6.0");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents
@@ -7308,6 +7453,9 @@ Usage:
 Commands:
   install [--force]      Install or update Synkro
   uninstall [--purge]    Remove Synkro hooks (--purge also removes ~/.synkro)
+  stop                   Gracefully stop the server (snapshot + checkpoint)
+  start                  Start the server (with pgdata integrity check)
+  restart                Safe restart (stop \u2192 start, data preserved)
   version                Show version
 Quick start:
@@ -7346,6 +7494,21 @@ async function main() {
       printHelp();
       break;
     }
+    case "stop": {
+      const { stopCommand: stopCommand2 } = await Promise.resolve().then(() => (init_lifecycle(), lifecycle_exports));
+      await stopCommand2();
+      break;
+    }
+    case "start": {
+      const { startCommand: startCommand2 } = await Promise.resolve().then(() => (init_lifecycle(), lifecycle_exports));
+      await startCommand2();
+      break;
+    }
+    case "restart": {
+      const { restartCommand: restartCommand2 } = await Promise.resolve().then(() => (init_lifecycle(), lifecycle_exports));
+      await restartCommand2();
+      break;
+    }
     default: {
       console.error(`Unknown command: ${cmd}`);
       printHelp();