@synkro-sh/cli 1.6.13 → 1.6.15

package/dist/bootstrap.js

@@ -1322,9 +1322,15 @@ export async function runInstallScan(command: string, jwt: string): Promise<Inst
     const summary = scanResp?.summary || '';
     const scannedLabel = pkgResults.map((p: any) => p.name + '@' + p.version).join(', ');
     if (action === 'block') {
-      const blockSignals = pkgResults
-        .flatMap((p: any) => (p.signals || []).filter((s: any) => s.severity === 'critical' || s.severity === 'high'))
-        .slice(0, 5);
+      // Every critical/high signal (uncapped) + the true CVE total. The grader
+      // only sees what we put in blockContext \u2014 so the real count must be
+      // STATED here; a bare preview lets it under-report (the count is data,
+      // not something the grader should infer from a truncated list).
+      const highSignals = pkgResults
+        .flatMap((p: any) => (p.signals || []).filter((s: any) => s.severity === 'critical' || s.severity === 'high'));
+      const cveCount = pkgResults
+        .flatMap((p: any) => (p.signals || []))
+        .filter((s: any) => s.type === 'cve').length;
       const findings: InstallScanResult['findings'] = [];
       for (const p of pkgResults) {
         for (const s of (p.signals || [])) {
@@ -1337,10 +1343,20 @@ export async function runInstallScan(command: string, jwt: string): Promise<Inst
           }
         }
       }
-      const details = blockSignals.map((s: any) => s.detail).join('\\n') || summary;
+      // Preview the top 5 detail lines; the headline carries the true total.
+      const blockSignals = highSignals.slice(0, 5);
+      const headline = cveCount > 0
+        ? cveCount + ' known CVE' + (cveCount === 1 ? '' : 's') + ' found in ' + (scannedLabel || 'the requested install') + '.\\n'
+        : '';
+      const preview = blockSignals.map((s: any) => s.detail).join('\\n') || summary;
+      const more = highSignals.length > blockSignals.length
+        ? '\\n(+' + (highSignals.length - blockSignals.length) + ' more critical/high findings not shown)'
+        : '';
       return {
         scanned: true, action: 'block',
-        blockContext: details + '\\nDo NOT install packages with security risks. Use a patched version or a different package.',
+        blockContext: headline + preview + more
+          + '\\nReport the CVE count and fix version exactly as stated above \u2014 do not estimate.'
+          + '\\nDo NOT install packages with security risks. Use a patched version or a different package.',
         summary, scannedLabel, findings,
         violatedIds: blockSignals.map((s: any) => s.type + ':' + (s.detail || '').slice(0, 40)),
       };
@@ -1556,7 +1572,7 @@ export function parseVerdict(resp: string): Verdict {
 // Gated cloud telemetry POST \u2014 fires only when storage mode is 'cloud'. The
 // local PGLite spool (appendLocalTelemetry) always gets the data regardless,
 // so 'local' storage keeps everything on the machine.
-function shipCloud(jwt: string, path: string, body: Record<string, any>, timeoutMs = 3000): void {
+export function shipCloud(jwt: string, path: string, body: Record<string, any>, timeoutMs = 3000): void {
   if ((process.env.SYNKRO_STORAGE_MODE || 'local') !== 'cloud') return;
   fetch(GATEWAY_URL + path, {
     method: 'POST',
@@ -1644,6 +1660,10 @@ const SPOOL_DRAIN_PREFIX = 'telemetry-spool.jsonl.draining.';
 // appendLocalTelemetry \u2014 durably records one telemetry event. The synchronous
 // append IS the durability guarantee; nothing here can drop the event.
 export function appendLocalTelemetry(body: Record<string, any>): void {
+  // Cloud storage mode: the dashboard reads Timescale and a cloud-only setup
+  // has no container to drain a local spool \u2014 so skip it. Cloud telemetry goes
+  // via shipCloud; the local spool is only meaningful in local storage mode.
+  if ((process.env.SYNKRO_STORAGE_MODE || 'local') !== 'local') return;
   const event = { ...body, _ts: new Date().toISOString() };
   try {
     appendFileSync(TELEMETRY_SPOOL, JSON.stringify(event) + '\\n');
@@ -3728,7 +3748,7 @@ main();
     STOP_SUMMARY_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage, cleanupSessionLog,
-  outputJson, outputEmpty, appendLocalTelemetry, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, appendLocalTelemetry, shipCloud, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -3880,7 +3900,7 @@ main();
 import {
   loadJwt, loadConfig, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
   appendSessionAction,
-  outputEmpty, appendLocalTelemetry, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, shipCloud, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -3943,7 +3963,7 @@ main();
     TRANSCRIPT_SYNC_TS = `#!/usr/bin/env bun
 import {
   loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
-  outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL, readSessionLog,
+  outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL, readSessionLog, shipCloud,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
@@ -4436,7 +4456,7 @@ main().catch((e) => {
     CURSOR_EDIT_CAPTURE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, readStdin,
-  appendSessionAction, appendLocalTelemetry, log, GATEWAY_URL,
+  appendSessionAction, appendLocalTelemetry, shipCloud, log, GATEWAY_URL,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
@@ -6500,7 +6520,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.13")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.15")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -9028,6 +9048,29 @@ function updateConfigValue(key, value) {
   if (!found) updated.splice(updated.length - 1, 0, `${key}='${value}'`);
   writeFileSync10(CONFIG_PATH5, updated.join("\n"), "utf-8");
 }
+async function reconcileContainer() {
+  const cfg = readConfigEnv();
+  const cloudOnly = (cfg.SYNKRO_GRADING_MODE || "local") === "byok" && (cfg.SYNKRO_STORAGE_MODE || "local") === "cloud";
+  try {
+    const { dockerInstall: dockerInstall2, dockerSafeStop: dockerSafeStop2, readContainerConfig: readContainerConfig2, assertDockerAvailable: assertDockerAvailable2, waitForContainerReady: waitForContainerReady2 } = await Promise.resolve().then(() => (init_dockerInstall(), dockerInstall_exports));
+    const existing = readContainerConfig2();
+    if (cloudOnly && existing) {
+      console.log("Cloud-only mode \u2014 the local container is no longer needed; stopping it...");
+      await dockerSafeStop2();
+      console.log("  \u2713 container stopped (grading \u2192 BYOK, telemetry \u2192 cloud).");
+    } else if (!cloudOnly && !existing) {
+      assertDockerAvailable2();
+      console.log("This mode needs the Synkro container \u2014 provisioning...");
+      const { detectGitRepo: detectGitRepo3 } = await Promise.resolve().then(() => (init_install(), install_exports));
+      await dockerInstall2({ claudeWorkers: 8, cursorWorkers: 0, connectedRepo: detectGitRepo3() ?? void 0 });
+      const ready = await waitForContainerReady2(6e4);
+      console.log(ready ? "  \u2713 container running." : "  \u26A0 container did not pass its health check \u2014 see `docker logs synkro-server`.");
+    }
+  } catch (err) {
+    console.warn(`  \u26A0 Container reconcile skipped: ${err.message}`);
+    console.warn("    Run `synkro install` to (re)provision the container if needed.");
+  }
+}
 async function configCommand(args2) {
   if (args2.length === 0) {
     const config2 = readConfigEnv();
@@ -9057,6 +9100,7 @@ To change:`);
       console.log("  BYOK grading uses your own provider key \u2014 register one in the");
       console.log("  dashboard under Settings \u2192 Provider Keys if you have not already.");
     }
+    await reconcileContainer();
     return;
   }
   if (args2[0] === "storage") {
@@ -9067,6 +9111,7 @@ To change:`);
     }
     updateConfigValue("SYNKRO_STORAGE_MODE", value);
     console.log(`\u2713 Storage mode set to '${value}'.`);
+    await reconcileContainer();
     return;
   }
   let inferenceValue;
@@ -9140,7 +9185,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.13");
+  console.log("1.6.15");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents