@synkro-sh/cli 1.6.21 → 1.6.23

package/dist/bootstrap.js

@@ -1297,8 +1297,7 @@ export function ruleFilterText(action: string, userMessage?: string | null): str
   const act = (action || '').trim();
   if (!user) return act.slice(0, 4000);
   if (!act) return user.slice(0, 4000);
-  return (user + '
-' + act).slice(0, 4000);
+  return (user + '\\n' + act).slice(0, 4000);
 }
 
 export async function filterRules(commandText: string, allRules: Rule[]): Promise<Rule[]> {
@@ -6661,9 +6660,8 @@ __export(install_exports, {
 });
 import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync2, readFileSync as readFileSync7, readdirSync as readdirSync2 } from "fs";
 import { homedir as homedir8 } from "os";
-import { dirname as dirname5, join as join8 } from "path";
+import { join as join8 } from "path";
 import { execSync as execSync5, spawnSync as spawnSync3 } from "child_process";
-import { fileURLToPath } from "url";
 import { createInterface as createInterface3 } from "readline";
 function sanitizeGatewayCandidate(raw) {
   if (!raw) return void 0;
@@ -6778,10 +6776,6 @@ function ensureSynkroDir() {
   mkdirSync8(join8(SYNKRO_DIR4, "sessions"), { recursive: true });
 }
 function writeHookScripts() {
-  const installExtractCoreSrc = join8(
-    dirname5(fileURLToPath(import.meta.url)),
-    "../../../api/src/lib/installExtractCore.ts"
-  );
   const installExtractCorePath = join8(HOOKS_DIR, "installExtractCore.ts");
   const bashScriptPath = join8(HOOKS_DIR, "cc-bash-judge.ts");
   const bashFollowupScriptPath = join8(HOOKS_DIR, "cc-bash-followup.ts");
@@ -6817,7 +6811,7 @@ function writeHookScripts() {
   writeFileSync7(cursorBashJudgePath, CURSOR_BASH_JUDGE_TS, "utf-8");
   writeFileSync7(cursorEditCapturePath, CURSOR_EDIT_CAPTURE_TS, "utf-8");
   writeFileSync7(mcpStdioProxyPath, MCP_STDIO_PROXY_SRC, "utf-8");
-  writeFileSync7(installExtractCorePath, readFileSync7(installExtractCoreSrc, "utf-8"), "utf-8");
+  writeFileSync7(installExtractCorePath, "/**\n * Deterministic install-command extraction \u2014 no LLM, no network.\n * Shared by the API pkg-scan route and the hook scripts (copied to ~/.synkro/hooks/).\n */\nimport { parse as shellParse } from 'shell-quote';\n\nexport interface DeterministicPkgRequest {\n  name: string;\n  version: string;\n  ecosystem: string;\n}\n\ninterface RawInstall {\n  ecosystem: string;\n  name: string;\n  versionSpec: string | null;\n  source: 'registry' | 'git' | 'local' | 'url' | 'unknown';\n}\n\nconst SEPARATOR_OPS = new Set(['&&', '||', ';', '|', '&', '\\n']);\n\n/** Split a shell command into command segments (each an argv string array). */\nexport function segmentCommand(command: string): string[][] {\n  let tokens: unknown[];\n  try {\n    tokens = shellParse(command) as unknown[];\n  } catch {\n    return [command.split(/\\s+/).filter(Boolean)];\n  }\n  const segments: string[][] = [];\n  let current: string[] = [];\n  for (const tok of tokens) {\n    if (typeof tok === 'string') {\n      current.push(tok);\n      continue;\n    }\n    if (tok && typeof tok === 'object') {\n      const op = (tok as { op?: string }).op;\n      const pattern = (tok as { pattern?: string }).pattern;\n      if (op && SEPARATOR_OPS.has(op)) {\n        if (current.length) segments.push(current);\n        current = [];\n      } else if (typeof pattern === 'string') {\n        current.push(pattern);\n      }\n    }\n  }\n  if (current.length) segments.push(current);\n  return segments;\n}\n\nconst PM_TABLE: Record<string, { subs: Set<string>; ecosystem: string }> = {\n  npm:      { subs: new Set(['install', 'i', 'add', 'ci']),  ecosystem: 'npm' },\n  pnpm:     { subs: new Set(['add', 'install', 'i', 'dlx']), ecosystem: 'npm' },\n  yarn:     { subs: new Set(['add', 'install']),             ecosystem: 'npm' },\n  bun:      { subs: new Set(['add', 'install', 'i']),        ecosystem: 'npm' },\n  pip:      { subs: new Set(['install']),                    ecosystem: 'PyPI' },\n  pip3:     { subs: new Set(['install']),                    ecosystem: 'PyPI' },\n  cargo:    { subs: new Set(['add', 'install']),             ecosystem: 'crates.io' },\n  go:       { subs: new Set(['get', 'install']),             ecosystem: 'Go' },\n  gem:      { subs: new Set(['install']),                    ecosystem: 'RubyGems' },\n  composer: { subs: new Set(['require']),                    ecosystem: 'Packagist' },\n};\nconst SYSTEM_PMS = new Set(['apt', 'apt-get', 'apk', 'brew', 'dnf', 'yum', 'pacman']);\nconst SYSTEM_SUBS = new Set(['install', 'add']);\n\nconst WRAPPERS = new Set(['sudo', 'doas', 'command', 'env', 'xargs', 'nice', 'time']);\nconst VALUE_FLAGS = new Set([\n  '--filter', '-F', '-C', '--dir', '--prefix', '--registry', '--tag', '--features',\n  '-v', '--version', '--index-url', '--extra-index-url', '--target', '-t',\n]);\n\nfunction basename(p: string): string {\n  const i = p.lastIndexOf('/');\n  return i >= 0 ? p.slice(i + 1) : p;\n}\n\nfunction stripPrefixes(argv: string[]): string[] {\n  let i = 0;\n  while (i < argv.length) {\n    const t = argv[i];\n    if (WRAPPERS.has(basename(t).toLowerCase())) { i++; continue; }\n    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(t)) { i++; continue; }\n    break;\n  }\n  return argv.slice(i);\n}\n\nfunction looksLikePath(tok: string): boolean {\n  return tok === '.' || tok === '..' || /^\\.{0,2}\\//.test(tok) || tok.startsWith('~/') || tok.startsWith('file:');\n}\n\n/** Shell redirect fragments (e.g. `2>&1` \u2192 argv `2`, `1`) \u2014 not package names. */\nfunction isRedirectFragment(tok: string): boolean {\n  if (/^\\d+$/.test(tok)) return true;\n  if (/^[<>]|[<>]$/.test(tok)) return true;\n  if (tok === '&' || tok === '|') return true;\n  if (/^\\d*[<>]/.test(tok)) return true;\n  return false;\n}\n\nfunction parsePackageToken(tok: string, ecosystem: string): RawInstall | null {\n  if (/^(https?:)?\\/\\//.test(tok) || tok.startsWith('git+') || tok.startsWith('git:')) {\n    return { ecosystem, name: tok, versionSpec: null, source: tok.includes('git') ? 'git' : 'url' };\n  }\n  if (looksLikePath(tok)) {\n    return { ecosystem, name: basename(tok.replace(/\\/+$/, '')) || tok, versionSpec: null, source: 'local' };\n  }\n  if (ecosystem === 'PyPI') {\n    const noExtras = tok.replace(/\\[[^\\]]*\\]/g, '');\n    const m = noExtras.match(/^([A-Za-z0-9_.-]+)\\s*([=~!<>].*)?$/);\n    if (!m) return null;\n    return { ecosystem, name: m[1], versionSpec: m[2] ? m[2].trim() : null, source: 'registry' };\n  }\n  const at = tok.lastIndexOf('@');\n  if (at > 0) {\n    return { ecosystem, name: tok.slice(0, at), versionSpec: tok.slice(at + 1) || null, source: 'registry' };\n  }\n  return { ecosystem, name: tok, versionSpec: null, source: 'registry' };\n}\n\n/** Deterministic extraction for a single command segment. */\nexport function extractSegment(rawArgv: string[]): RawInstall[] {\n  let argv = stripPrefixes(rawArgv);\n  if (argv.length < 2) return [];\n  let bin = basename(argv[0]).toLowerCase();\n\n  if (bin === 'uv' && argv[1] === 'pip') { argv = argv.slice(1); bin = 'pip'; }\n  if ((bin === 'python' || bin === 'python3') && argv.includes('-m')) {\n    const mi = argv.indexOf('-m');\n    if (argv[mi + 1] === 'pip') { argv = ['pip', ...argv.slice(mi + 2)]; bin = 'pip'; }\n  }\n\n  const isSystem = SYSTEM_PMS.has(bin);\n  const entry = PM_TABLE[bin];\n  if (!entry && !isSystem) return [];\n  const ecosystem = entry ? entry.ecosystem : 'system';\n  const subs = entry ? entry.subs : SYSTEM_SUBS;\n\n  let subIdx = -1;\n  for (let i = 1; i < argv.length; i++) {\n    if (subs.has(argv[i].toLowerCase())) { subIdx = i; break; }\n  }\n  if (subIdx === -1) return [];\n\n  const installs: RawInstall[] = [];\n  for (let i = subIdx + 1; i < argv.length; i++) {\n    const tok = argv[i];\n    if (isRedirectFragment(tok)) break;\n    if (tok.startsWith('-')) {\n      if (VALUE_FLAGS.has(tok)) i++;\n      continue;\n    }\n    const parsed = parsePackageToken(tok, ecosystem);\n    if (parsed) installs.push(parsed);\n  }\n  return installs;\n}\n\nconst ECO_TO_OSV: Record<string, string | null> = {\n  npm: 'npm',\n  pypi: 'PyPI', PyPI: 'PyPI',\n  cargo: 'crates.io', 'crates.io': 'crates.io',\n  go: 'Go', Go: 'Go',\n  rubygems: 'RubyGems', RubyGems: 'RubyGems',\n  packagist: 'Packagist', Packagist: 'Packagist',\n  maven: 'Maven', Maven: 'Maven',\n  nuget: 'NuGet', NuGet: 'NuGet',\n  apt: null, brew: null, system: null, other: null,\n};\n\nfunction normalizeName(name: string, osvEco: string): string {\n  const n = name.trim();\n  if (osvEco === 'npm') return n.toLowerCase();\n  if (osvEco === 'PyPI') return n.toLowerCase().replace(/[-_.]+/g, '-');\n  return n;\n}\n\nfunction concretePin(spec: string | null): string | null {\n  if (!spec) return null;\n  const c = spec.trim().replace(/^[v=\\s]+/, '');\n  if (c.toLowerCase() === 'latest' || c === '') return null;\n  if (/[\\^~><|*\\sx]/i.test(c)) return null;\n  return /^\\d[\\w.\\-+]*$/.test(c) ? c : null;\n}\n\n/**\n * Parse registry installs from a shell command without LLM/network.\n * Unpinned versions use '*' so OSV scans the full advisory history.\n */\nexport function extractDeterministicPkgRequests(command: string): DeterministicPkgRequest[] {\n  const merged = new Map<string, DeterministicPkgRequest>();\n  for (const r of segmentCommand(command).flatMap(extractSegment)) {\n    if (r.source !== 'registry') continue;\n    const osvEco = ECO_TO_OSV[r.ecosystem] ?? ECO_TO_OSV[r.ecosystem.toLowerCase()] ?? null;\n    if (!osvEco) continue;\n    const name = normalizeName(r.name, osvEco);\n    if (!name) continue;\n    const key = osvEco + '|' + name.toLowerCase();\n    const version = concretePin(r.versionSpec) ?? '*';\n    const prev = merged.get(key);\n    if (!prev || (prev.version === '*' && version !== '*')) {\n      merged.set(key, { name, version, ecosystem: osvEco });\n    }\n  }\n  return [...merged.values()];\n}\n", "utf-8");
   const hooksPkgPath = join8(HOOKS_DIR, "package.json");
   writeFileSync7(hooksPkgPath, JSON.stringify({
     name: "synkro-hooks",
@@ -6893,7 +6887,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.21")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.23")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -9560,7 +9554,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.21");
+  console.log("1.6.23");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents