@synkro-sh/cli 1.6.3 → 1.6.5

package/dist/bootstrap.js

@@ -967,7 +967,7 @@ export async function cweChannelUp(): Promise<boolean> {
 
 // \u2500\u2500\u2500 Mode Normalization \u2500\u2500\u2500
 
-function normalizeMode(m?: string): 'ask' | 'fix' {
+export function normalizeMode(m?: string): 'ask' | 'fix' {
   if (m === 'blocking' || m === 'ask') return 'ask';
   if (m === 'audit' || m === 'fix') return 'fix';
   return 'ask';
@@ -1089,12 +1089,18 @@ export function tag(rt: string, config: HookConfig): string {
 
 type GradeRole = 'grade-edit' | 'grade-bash' | 'grade-plan' | 'grade-cwe';
 
+// Which coding agent fired this grade. The dispatcher routes grades to a
+// worker pool of the matching kind so a Cursor grade is judged by Cursor and
+// a Claude grade by Claude. Defaults to 'claude_code' so existing cc-* hook
+// call sites need no change; cursor-* hooks pass 'cursor' explicitly.
+export type AgentKind = 'claude_code' | 'cursor';
+
 const ROLE_MAP: Record<string, GradeRole> = {
   edit: 'grade-edit', bash: 'grade-bash', plan: 'grade-plan', cwe: 'grade-cwe',
 };
 
-async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 30000): Promise<string> {
-  const body = JSON.stringify({ role, payload: prompt, content: prompt });
+async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port: number, timeoutMs = 30000, agentKind: AgentKind = 'claude_code'): Promise<string> {
+  const body = JSON.stringify({ role, payload: prompt, content: prompt, agent_kind: agentKind });
 
   const resp = await fetch('http://127.0.0.1:' + port + '/submit', {
     method: 'POST',
@@ -1113,17 +1119,217 @@ async function channelGrade(role: GradeRole, prompt: string, _jwt: string, port:
   return String(data.result || '');
 }
 
-export async function localGrade(surface: string, prompt: string, timeoutMs = 30000): Promise<string> {
+export async function localGrade(surface: string, prompt: string, timeoutMs = 30000, agentKind: AgentKind = 'claude_code'): Promise<string> {
   if (!(await channelUp())) throw new Error('SYNKRO_CHANNEL_DOWN');
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 18929, timeoutMs);
+  return channelGrade(ROLE_MAP[surface] || 'grade-edit', prompt, jwt, 18929, timeoutMs, agentKind);
 }
 
-export async function localGradeCwe(prompt: string): Promise<string> {
+export async function localGradeCwe(prompt: string, agentKind: AgentKind = 'claude_code'): Promise<string> {
   const jwt = loadJwt();
   if (!jwt) throw new Error('NO_JWT');
-  return channelGrade('grade-cwe', prompt, jwt, 18930, 45000);
+  return channelGrade('grade-cwe', prompt, jwt, 18930, 45000, agentKind);
+}
+
+// \u2500\u2500\u2500 Rule Pre-Filter (embedding-based) \u2500\u2500\u2500
+
+export async function filterRules(commandText: string, allRules: Rule[]): Promise<Rule[]> {
+  if (allRules.length <= 3) return allRules;
+  const mcpPort = process.env.SYNKRO_MCP_PORT || '18931';
+  try {
+    const resp = await fetch('http://127.0.0.1:' + mcpPort + '/api/local/filter-rules', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ text: commandText, top_k: 3 }),
+      signal: AbortSignal.timeout(500),
+    });
+    if (!resp.ok) return allRules;
+    const data = await resp.json() as { rules?: Array<{ rule_id: string; similarity?: number }> };
+    if (!data.rules || data.rules.length === 0) return allRules;
+    const selectedIds = new Set(data.rules.map(r => r.rule_id));
+    return allRules.filter(r => selectedIds.has(r.rule_id));
+  } catch {
+    return allRules;
+  }
+}
+
+// \u2500\u2500\u2500 Safe-read short-circuit (shared by cc-bash-judge + cursor-bash-judge) \u2500\u2500\u2500
+// Read-only tool calls, and bash pipelines where every segment is a pure
+// in-repo read, are allowed instantly without an LLM grade. Strict by design:
+// any $ / backtick / redirect / shell metachar, any non-whitelisted verb, any
+// .. traversal, or any absolute path outside repoRoot falls through to the judge.
+
+const SAFE_READ_TOOLS = new Set([
+  'Read', 'ReadFile', 'read_file', 'Grep', 'grep_search', 'codebase_search',
+  'file_search', 'Glob', 'list_dir',
+]);
+const SAFE_SHELL_TOOLS = new Set([
+  'Bash', 'Shell', 'terminal', 'run_terminal_cmd', 'execute_command',
+]);
+
+function isSafeBashSegment(seg: string, repoRoot: string): boolean {
+  const UNSAFE_CHARS = ['>', ';', '&', '\`', '$'];
+  for (const ch of UNSAFE_CHARS) { if (seg.indexOf(ch) !== -1) return false; }
+  const padded = ' ' + seg + ' ';
+  const UNSAFE_WORDS = [
+    ' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ',
+    ' tee ', ' kill ', ' sed -i', ' sed --in-place',
+    ' sh -c', ' bash -c', ' zsh -c', ' eval ', ' exec ',
+  ];
+  for (const w of UNSAFE_WORDS) { if (padded.indexOf(w) !== -1) return false; }
+  const SAFE_VERBS = new Set([
+    'cat','head','tail','less','more','grep','egrep','fgrep','rg','ag',
+    'find','fd','ls','wc','cmp','diff','file','stat','which','whereis','type',
+    'pwd','whoami','id','date','echo','printf','true','false',
+    'jq','yq','sort','uniq','cut','tr','xxd','hexdump','od','column',
+    'node','npm','pnpm','yarn','bun','python','python3','ruby','go','rustc','cargo',
+    'git',
+  ]);
+  const tokens = seg.trim().split(' ').filter(t => t.length > 0);
+  const verb = tokens[0] || '';
+  if (!SAFE_VERBS.has(verb)) return false;
+  if (verb === 'find' || verb === 'fd') {
+    const BAD = new Set([
+      '-exec','-execdir','-ok','-okdir','-delete',
+      '-fprint','-fprintf','-fprint0','-fls','--exec','--exec-batch',
+    ]);
+    for (const t of tokens) { if (BAD.has(t)) return false; }
+  }
+  if (verb === 'git') {
+    const SAFE_GIT = new Set([
+      'log','show','diff','blame','status','rev-parse',
+      'ls-files','ls-tree','cat-file','shortlog','reflog',
+      'describe','symbolic-ref','--version',
+    ]);
+    const sub = tokens[1] || '';
+    if (!SAFE_GIT.has(sub)) return false;
+  } else if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
+    const sub = tokens[1] || '';
+    const SAFE_PKG = new Set([
+      '--version','-v','version','list','ls','why','view','show','info','outdated',
+      '-h','--help','help',
+    ]);
+    if (!SAFE_PKG.has(sub)) return false;
+  } else if (['node','python','python3','ruby','rustc'].includes(verb)) {
+    const sub = tokens[1] || '';
+    if (sub !== '--version' && sub !== '-v' && sub !== '-V') return false;
+  }
+  if (!repoRoot) return false;
+  for (let i = 1; i < tokens.length; i++) {
+    const stripped = tokens[i].replace(/^['"]/, '').replace(/['"]$/, '');
+    if (stripped.startsWith('~')) return false;
+    // Reject any .. traversal segment \u2014 a relative path with .. can escape the
+    // repo root just as easily as an absolute one.
+    if (stripped.split('/').some(p => p === '..')) return false;
+    if (stripped.startsWith('/') && !isPathUnder(stripped, repoRoot)) return false;
+  }
+  return true;
+}
+
+export function isSafeInRepoRead(toolName: string, command: string, repoRoot: string): boolean {
+  if (SAFE_READ_TOOLS.has(toolName)) return true;
+  if (!SAFE_SHELL_TOOLS.has(toolName)) return false;
+  if (!command || !repoRoot) return false;
+  const segments = command.split('|');
+  for (const seg of segments) {
+    const t = seg.trim();
+    if (t.length === 0) return false;
+    if (!isSafeBashSegment(t, repoRoot)) return false;
+  }
+  return true;
+}
+
+// \u2500\u2500\u2500 Install protection: server-side pkg-scan (shared by both bash judges) \u2500\u2500\u2500
+// Parses an install command, scans the packages for CVEs / typosquats /
+// malicious tarballs / low reputation, and returns a structured verdict the
+// caller renders in its own (cc or cursor) output format.
+
+export interface InstallScanResult {
+  scanned: boolean;
+  action: 'allow' | 'warn' | 'block';
+  blockContext: string;
+  summary: string;
+  scannedLabel: string;
+  findings: Array<{ advisoryId: string; name: string; version: string; severity: string; detail: string }>;
+  violatedIds: string[];
+}
+
+export async function runInstallScan(command: string, jwt: string): Promise<InstallScanResult> {
+  const empty: InstallScanResult = {
+    scanned: false, action: 'allow', blockContext: '', summary: '',
+    scannedLabel: '', findings: [], violatedIds: [],
+  };
+  const pkgInstallMatch = command.match(
+    /^(?:.*&&\\s*|.*;\\s*)?(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|(?:uv\\s+)?pip3?\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+([^|;&><]+)/
+  );
+  if (!pkgInstallMatch) return empty;
+  const isPip = /(?:uv\\s+)?pip3?\\s+install/.test(command);
+  const packages: Array<{ name: string; version: string; ecosystem: string }> = [];
+  const tokens = pkgInstallMatch[1].split(/\\s+/);
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) { skipNext = false; continue; }
+    if (!token || !/^[@a-zA-Z]/.test(token)) continue;
+    if (token.startsWith('-')) {
+      if (/^--(python|target|prefix|root|constraint|requirement|index-url|extra-index-url|find-links|build|src|cache-dir|filter|workspace)$/.test(token)) skipNext = true;
+      continue;
+    }
+    const ecosystem = isPip ? 'PyPI' : 'npm';
+    if (isPip) {
+      const pipMatch = token.match(/^([a-zA-Z0-9_.-]+)(?:[=~!<>]=?(.+))?$/);
+      if (pipMatch) {
+        packages.push({ name: pipMatch[1], version: pipMatch[2]?.replace(/^=/, '') || '*', ecosystem });
+        continue;
+      }
+    }
+    const atIdx = token.lastIndexOf('@');
+    if (atIdx > 0) packages.push({ name: token.slice(0, atIdx), version: token.slice(atIdx + 1), ecosystem });
+    else packages.push({ name: token, version: '*', ecosystem });
+  }
+  if (packages.length === 0) return empty;
+  const scannedLabel = packages.map(p => p.name + '@' + p.version).join(', ');
+  try {
+    const scanResp = await fetch(GATEWAY_URL + '/api/v1/pkg-scan', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+      body: JSON.stringify({ packages, command }),
+      signal: AbortSignal.timeout(15000),
+    }).then(r => r.json()) as any;
+    const action = scanResp?.action || 'allow';
+    const pkgResults = Array.isArray(scanResp?.packages) ? scanResp.packages : [];
+    const summary = scanResp?.summary || '';
+    if (action === 'block') {
+      const blockSignals = pkgResults
+        .flatMap((p: any) => (p.signals || []).filter((s: any) => s.severity === 'critical' || s.severity === 'high'))
+        .slice(0, 5);
+      const findings: InstallScanResult['findings'] = [];
+      for (const p of pkgResults) {
+        for (const s of (p.signals || [])) {
+          if (s.severity === 'critical' || s.severity === 'high') {
+            const advisoryMatch = (s.detail || '').match(/\\b(GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}|CVE-\\d{4}-\\d+)\\b/i);
+            findings.push({
+              advisoryId: advisoryMatch ? advisoryMatch[1] : s.type,
+              name: p.name, version: p.version, severity: s.severity, detail: s.detail,
+            });
+          }
+        }
+      }
+      const details = blockSignals.map((s: any) => s.detail).join('\\n');
+      return {
+        scanned: true, action: 'block',
+        blockContext: details + '\\nDo NOT install packages with security risks. Use a patched version or a different package.',
+        summary, scannedLabel, findings,
+        violatedIds: blockSignals.map((s: any) => s.type + ':' + (s.detail || '').slice(0, 40)),
+      };
+    }
+    return {
+      scanned: true, action: action === 'warn' ? 'warn' : 'allow',
+      blockContext: '', summary, scannedLabel, findings: [], violatedIds: [],
+    };
+  } catch {
+    return { scanned: true, action: 'allow', blockContext: '', summary: '', scannedLabel, findings: [], violatedIds: [] };
+  }
 }
 
 // \u2500\u2500\u2500 Session Action Log \u2500\u2500\u2500
@@ -1147,10 +1353,23 @@ function sessionLogPath(sessionId: string): string | null {
 export function appendSessionAction(sessionId: string, entry: SessionAction): void {
   const logPath = sessionLogPath(sessionId);
   if (!logPath) return;
+  let step = 0;
   try {
     mkdirSync(SESSIONS_DIR, { recursive: true });
+    try { step = readFileSync(logPath, 'utf-8').split('\\n').filter(Boolean).length + 1; } catch { step = 1; }
     appendFileSync(logPath, JSON.stringify(entry) + '\\n', 'utf-8');
   } catch {}
+
+  const mcpPort = process.env.SYNKRO_MCP_PORT || '18931';
+  let mcpToken = '';
+  try { mcpToken = readFileSync(join(HOME, '.synkro', '.mcp-jwt'), 'utf-8').trim(); } catch {}
+  if (!mcpToken) return;
+  fetch('http://127.0.0.1:' + mcpPort + '/api/session-action', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + mcpToken },
+    body: JSON.stringify({ session_id: sessionId, step, tool: entry.tool, summary: entry.summary, file: entry.file, outcome: entry.outcome }),
+    signal: AbortSignal.timeout(2000),
+  }).catch(() => {});
 }
 
 export function readSessionLog(sessionId: string): SessionAction[] {
@@ -1170,8 +1389,8 @@ export function compressSessionLog(actions: SessionAction[]): string {
   const total = actions.length;
   const lines: string[] = [];
 
-  if (total > 30) {
-    const old = actions.slice(0, total - 30);
+  if (total > 200) {
+    const old = actions.slice(0, total - 200);
     const counts: Record<string, number> = {};
     const dirs = new Set<string>();
     for (const a of old) {
@@ -1186,7 +1405,7 @@ export function compressSessionLog(actions: SessionAction[]): string {
     lines.push('  [' + old.length + ' earlier: ' + parts + dirHint + ']');
   }
 
-  const tier2Start = Math.max(0, total - 30);
+  const tier2Start = Math.max(0, total - 200);
   const tier2End = Math.max(0, total - 10);
   for (let i = tier2Start; i < tier2End; i++) {
     const a = actions[i];
@@ -1921,7 +2140,7 @@ import {
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, filePathFromToolInput,
   appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable,
+  logGraderUnavailable, filterRules, normalizeMode,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
@@ -2000,6 +2219,8 @@ async function main() {
       // \u2500\u2500\u2500 Local grading: org rules ONLY (channel 1, port 18929) \u2500\u2500\u2500
       const proposedShort = proposed.slice(0, 4000);
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const graderContent = 'file=' + filePath + ' content=' + proposedShort;
+      const relevantRules = await filterRules(graderContent, config.rules);
       const graderPrompt = [
         'Working directory: ' + (cwd || '.'),
         'Repo: ' + (gitRepo || 'unknown'),
@@ -2009,9 +2230,9 @@ async function main() {
         proposedShort,
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
-        'Org rules: ' + JSON.stringify(config.rules),
+        'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'When passing (ok=true), for EVERY rule: state whether it is relevant to this edit, and if relevant, why it passes. Format: "R001 (not relevant: no deployment). R003 relevant: no hardcoded secrets in file." Cover ALL rules \u2014 do not skip any. Be terse but specific per rule.',
+        'The rules shown were pre-selected as the ones relevant to this edit \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no hardcoded secrets in file. R005: in-repo path only." Cover every rule shown.',
       ].join('\\n');
 
       let gradeResp: string;
@@ -2078,6 +2299,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
+      session_history: compressSessionLog(readSessionLog(sessionId)),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -2778,7 +3000,7 @@ import {
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable, isPathUnder,
+  logGraderUnavailable, filterRules, normalizeMode, appendLocalTelemetry, isSafeInRepoRead,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -2818,8 +3040,6 @@ async function main() {
     }
     if (!command) { outputEmpty(); return; }
 
-    appendSessionAction(sessionId, { ts: new Date().toISOString(), tool: toolName, summary: command.slice(0, 120) });
-
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
@@ -2841,108 +3061,6 @@ async function main() {
       return;
     }
 
-    // ─── Hook-side short-circuit for safe in-repo reads ───
-    // The judge primer already deterministically allows these, but the round
-    // trip + batch queue still costs 1–25s per call. Skipping the grade for
-    // unambiguously read-only operations removes that latency for ~half of
-    // typical commands (cat/grep/git status/ls/etc.) and unblocks the worker
-    // pool to grade the operations that actually need judgment.
-    // Returning FALSE just means "don't short-circuit — let the LLM grade it."
-    // Never blocks. The judge sees the command, applies rules, returns its
-    // own verdict. Path scoping below: STRICT, only short-circuit when every
-    // absolute path is under the linked repo root.
-    function isSafeBashSegment(seg: string, repoRoot: string): boolean {
-      const UNSAFE_CHARS = ['>', ';', '&', '\`'];
-      for (const ch of UNSAFE_CHARS) { if (seg.indexOf(ch) !== -1) return false; }
-      const padded = ' ' + seg + ' ';
-      const UNSAFE_WORDS = [
-        ' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ',
-        ' tee ', ' kill ', ' sed -i', ' sed --in-place',
-        ' sh -c', ' bash -c', ' zsh -c', ' eval ', ' exec ',
-        '\$(',
-      ];
-      for (const w of UNSAFE_WORDS) { if (padded.indexOf(w) !== -1) return false; }
-
-      // Narrowed verb set. Removed:
-      //   awk:  has system() / |& shell-spawn
-      //   env:  \`env FOO=bar evil_cmd\` runs evil_cmd
-      //   sed:  scripting + -i write capability; not worth parsing
-      const SAFE_VERBS = new Set([
-        'cat','head','tail','less','more','grep','egrep','fgrep','rg','ag',
-        'find','fd','ls','wc','cmp','diff','file','stat','which','whereis','type',
-        'pwd','whoami','id','date','echo','printf','true','false',
-        'jq','yq','sort','uniq','cut','tr','xxd','hexdump','od','column',
-        'node','npm','pnpm','yarn','bun','python','python3','ruby','go','rustc','cargo',
-        'git',
-      ]);
-      const tokens = seg.trim().split(' ').filter(t => t.length > 0);
-      const verb = tokens[0] || '';
-      if (!SAFE_VERBS.has(verb)) return false;
-
-      // find/fd: reject any execution / mutation action flag.
-      if (verb === 'find' || verb === 'fd') {
-        const BAD = new Set([
-          '-exec','-execdir','-ok','-okdir','-delete',
-          '-fprint','-fprintf','-fprint0','-fls',
-          '--exec','--exec-batch',
-        ]);
-        for (const t of tokens) { if (BAD.has(t)) return false; }
-      }
-
-      // git: only pure-read subcommands. branch/tag/remote/config dropped —
-      // each has flag combinations that mutate state.
-      if (verb === 'git') {
-        const SAFE_GIT = new Set([
-          'log','show','diff','blame','status','rev-parse',
-          'ls-files','ls-tree','cat-file','shortlog','reflog',
-          'describe','symbolic-ref','--version',
-        ]);
-        const sub = tokens[1] || '';
-        if (!SAFE_GIT.has(sub)) return false;
-      } else if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
-        const sub = tokens[1] || '';
-        const SAFE_PKG = new Set([
-          '--version','-v','version','list','ls','why','view','show','info','outdated',
-          '-h','--help','help',
-        ]);
-        if (!SAFE_PKG.has(sub)) return false;
-      } else if (['node','python','python3','ruby','rustc'].includes(verb)) {
-        const sub = tokens[1] || '';
-        if (sub !== '--version' && sub !== '-v' && sub !== '-V') return false;
-      }
-
-      // STRICT path scoping. Absolute paths MUST resolve under repoRoot.
-      // Home-relative (~/...) paths fall through to the LLM. Relative paths
-      // are implicitly under cwd which is the repo root for the agent session.
-      if (!repoRoot) return false;
-      for (let i = 1; i < tokens.length; i++) {
-        const t = tokens[i];
-        const stripped = t.replace(/^['"]/, '').replace(/['"]$/, '');
-        if (stripped.startsWith('~')) return false;
-        if (stripped.startsWith('/')) {
-          if (!isPathUnder(stripped, repoRoot)) return false;
-        }
-      }
-      return true;
-    }
-
-    function isSafeInRepoRead(tName: string, cmd: string, repoRoot: string): boolean {
-      if (tName === 'Read' || tName === 'Grep' || tName === 'Glob') return true;
-      if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
-          tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
-      if (!cmd || !repoRoot) return false;
-      // Allow pipes only if EVERY segment is safe on its own. Catches
-      // \`grep ... | head\`, \`cat foo | wc -l\`, \`git log | less\`, etc.
-      // Empty segments (from \`||\`) cause rejection.
-      const segments = cmd.split('|');
-      for (const seg of segments) {
-        const t = seg.trim();
-        if (t.length === 0) return false;
-        if (!isSafeBashSegment(t, repoRoot)) return false;
-      }
-      return true;
-    }
-
     if (isSafeInRepoRead(toolName, command, cwd)) {
       log('bashGuard ' + cmdShort + ' → instant allow (safe in-repo read)');
       appendLocalTelemetry({
@@ -3079,6 +3197,7 @@ async function main() {
 
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const relevantRules = await filterRules(command, config.rules);
       const graderPrompt = [
         'Working directory: ' + (cwd || '.'),
         'Repo: ' + (gitRepo || 'unknown'),
@@ -3086,9 +3205,9 @@ async function main() {
         'Command: ' + command,
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
-        'Org rules: ' + JSON.stringify(config.rules),
+        'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix — your job is only to detect violations.',
-        'When passing (ok=true), for EVERY rule: state whether it is relevant to this command, and if relevant, why it passes. Format: "R001 (not relevant: no deployment). R003 relevant: no secrets in grep args. R005 relevant: in-repo path only." Cover ALL rules — do not skip any. Be terse but specific per rule.',
+        'The rules shown were pre-selected as the ones relevant to this command — every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
 
@@ -3148,6 +3267,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
+      session_history: compressSessionLog(readSessionLog(sessionId)),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -3202,7 +3322,7 @@ import {
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
   outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
-  logGraderUnavailable,
+  logGraderUnavailable, filterRules, normalizeMode,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -3256,6 +3376,8 @@ async function main() {
 
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const agentText = 'agent=' + subagentType + ' description=' + description + ' prompt=' + prompt.slice(0, 2000);
+      const relevantRules = await filterRules(agentText, config.rules);
       const graderPrompt = [
         'Working directory: ' + (cwd || '.'),
         'Repo: ' + (gitRepo || 'unknown'),
@@ -3267,7 +3389,7 @@ async function main() {
         prompt.slice(0, 4000),
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
-        'Org rules: ' + JSON.stringify(config.rules),
+        'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
       ].filter(Boolean).join('\\n');
 
@@ -3326,6 +3448,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
+      session_history: compressSessionLog(readSessionLog(sessionId)),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -3365,6 +3488,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, postWithRetry, readStdin, log,
   outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
+  filterRules,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
@@ -3449,13 +3573,14 @@ async function main() {
 
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const relevantRules = await filterRules(plan.slice(0, 2000), config.rules);
       const graderPrompt = [
         'Working directory: ' + (cwd || '.'),
         'Repo: ' + (gitRepo || 'unknown'),
         sessionLog,
         'Plan:',
         plan.slice(0, 8000),
-        'Org rules: ' + JSON.stringify(config.rules),
+        'Org rules: ' + JSON.stringify(relevantRules),
       ].filter(Boolean).join('\\n');
 
       let gradeResp: string;
@@ -3962,8 +4087,10 @@ main();
     CURSOR_BASH_JUDGE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log, GATEWAY_URL,
+  parseVerdict, dispatchCapture, dispatchFinding, ruleMode, normalizeMode, filterRules,
+  isSafeInRepoRead, runInstallScan, postWithRetry, readStdin,
+  extractTranscript, readLastPrompt, readSessionLog, compressSessionLog,
+  appendLocalTelemetry, logGraderUnavailable, log, GATEWAY_URL,
   type Rule,
 } from './_synkro-common.ts';
 import { createHash } from 'node:crypto';
@@ -3989,8 +4116,8 @@ function isDuplicate(command: string, sessionId: string): boolean {
 }
 
 // Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
-const CURSOR_GRADE_TIMEOUT_MS = 7500;
-const CURSOR_CLOUD_TIMEOUT_MS = 6000;
+const CURSOR_GRADE_TIMEOUT_MS = 12000;
+const CURSOR_CLOUD_TIMEOUT_MS = 9000;
 
 let hookDone = false;
 
@@ -4060,8 +4187,6 @@ async function main() {
       finishAllow();
     }
 
-    appendSessionAction(sessionId, { ts: new Date().toISOString(), tool: toolName, summary: command.slice(0, 120) });
-
     const transcriptPath = typeof payload.transcript_path === 'string' ? payload.transcript_path : '';
     const rawModel = String(payload.model ?? payload.model_id ?? '');
     const KNOWN_MODELS = new Set(['gpt-4', 'gpt-4o', 'gpt-4.1', 'gpt-5', 'o1', 'o3', 'o4-mini', 'claude-sonnet-4-5', 'claude-opus-4-5', 'sonnet-4', 'sonnet-4-thinking', 'gemini-2.5-pro', 'gemini-2.5-flash']);
@@ -4071,6 +4196,18 @@ async function main() {
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
+    // Instant-allow read-only tool calls + safe in-repo bash reads \u2014 no grade,
+    // no network. Critical under Cursor's tight 15s beforeShellExecution budget.
+    if (isSafeInRepoRead(toolName, command, cwd)) {
+      log('bashGuard ' + cmdShort + ' \u2192 instant allow (safe in-repo read)');
+      appendLocalTelemetry({
+        capture_type: 'local_verdict', verdict: 'pass', hook_type: 'bash',
+        category: 'safe_read', tool_name: toolName, command: command.slice(0, 200),
+        session_id: sessionId, repo: cwd,
+      });
+      finishAllow();
+    }
+
     let jwt = loadJwt();
     if (!jwt) finishAllow();
     jwt = await ensureFreshJwt(jwt);
@@ -4084,28 +4221,55 @@ async function main() {
     const rt = await route(config);
     const tagStr = tag(rt, config);
 
+    // Install protection \u2014 scan packages before any npm/pip/cargo/etc. install.
+    if (SHELL_TOOL_NAMES.has(toolName)) {
+      const scan = await runInstallScan(command, jwt);
+      if (scan.action === 'block') {
+        for (const f of scan.findings) {
+          dispatchFinding(jwt, {
+            session_id: sessionId, file_path: command,
+            finding_type: 'cve' as const, finding_id: f.advisoryId + ':' + f.name,
+            severity: f.severity, status: 'open', detail: f.detail,
+            package_name: f.name, package_version: f.version,
+          }, config.captureDepth);
+        }
+        dispatchCapture(jwt, 'pkg', 'block', 'critical', 'security',
+          'Bash', repo, sessionId, config.captureDepth, {
+            command, reasoning: scan.blockContext.slice(0, 200),
+            violatedRules: scan.violatedIds, ccModel: model,
+          });
+        finishWith({
+          permission: 'deny',
+          user_message: tagStr + ' installScan \u2192 blocked: ' + cmdShort,
+          agent_message: 'Synkro blocked this install \u2014 flagged package(s). ' + scan.blockContext,
+        });
+      } else if (scan.scanned && scan.action === 'warn') {
+        log('bashGuard installScan warn: ' + scan.summary);
+      }
+    }
+
     if (rt === 'local') {
       const sessionLog = compressSessionLog(readSessionLog(sessionId));
-      const rulesBlock = config.rules.map((r: Rule, i: number) =>
-        (i + 1) + '. [' + r.rule_id + '] (' + r.severity + '/' + r.mode + ') ' + r.text
-      ).join('\\n');
+      const relevantRules = await filterRules(command, config.rules);
 
       const graderPrompt = [
-        'RULES:',
-        rulesBlock || '(none)',
-        '',
+        'Working directory: ' + (cwd || '.'),
+        'Repo: ' + (repo || 'unknown'),
         sessionLog,
-        'COMMAND TO EVALUATE:',
-        command,
-        '',
+        'Command: ' + command,
         'User intent (last human message): ' + (transcript.userIntent || lastPrompt || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
+        'Org rules: ' + JSON.stringify(relevantRules),
+        'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
+        'The rules shown were pre-selected as the ones relevant to this command \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
+        'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
 
       let gradeResp: string;
       try {
-        gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS);
+        gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS, 'cursor');
       } catch (e) {
+        logGraderUnavailable('bashGuard', command.slice(0, 200), (e as Error).message || String(e));
         log('bashGuard ' + cmdShort + ' \u2192 pass (grade unavailable): ' + String(e));
         finishWith({ permission: 'allow' });
       }
@@ -4120,7 +4284,7 @@ async function main() {
           ? 'Synkro safety judge. Fix this before retrying \u2014 do not ask the user. Reasoning: ' + (verdict.reason || guardReason)
           : 'Synkro safety judge. Ask the user for explicit consent before retrying. Reasoning: ' + (verdict.reason || guardReason);
         dispatchCapture(jwt, 'bash', 'block', verdict.severity || 'critical', verdict.category || 'security',
-          'Bash', gitRepo, sessionId, config.captureDepth, {
+          'Bash', repo, sessionId, config.captureDepth, {
             command, reasoning: guardReason,
             rulesChecked: config.rules, violatedRules: verdict.ruleId ? [verdict.ruleId] : [],
             ccModel: model,
@@ -4132,7 +4296,7 @@ async function main() {
         });
       } else {
         dispatchCapture(jwt, 'bash', 'pass', 'clean', verdict.category || 'clean',
-          'Bash', gitRepo, sessionId, config.captureDepth, {
+          'Bash', repo, sessionId, config.captureDepth, {
             command, reasoning: verdict.reason || 'no policy violations detected',
             rulesChecked: config.rules, violatedRules: [],
             ccModel: model,
@@ -5423,6 +5587,26 @@ var init_promptFetcher = __esm({
 });
 
 // cli/local-cc/macKeychain.ts
+var macKeychain_exports = {};
+__export(macKeychain_exports, {
+  CLAUDE_CREDS_DIR: () => CLAUDE_CREDS_DIR,
+  CLAUDE_CREDS_FILE: () => CLAUDE_CREDS_FILE,
+  CURSOR_API_KEY_FILE: () => CURSOR_API_KEY_FILE,
+  CURSOR_CREDS_DIR: () => CURSOR_CREDS_DIR,
+  KeychainExportError: () => KeychainExportError,
+  SYNKRO_DIR: () => SYNKRO_DIR2,
+  credsAreStale: () => credsAreStale,
+  cursorApiKeyConfigured: () => cursorApiKeyConfigured,
+  exportKeychainCreds: () => exportKeychainCreds,
+  loadRefreshAgent: () => loadRefreshAgent,
+  needsKeychainBridge: () => needsKeychainBridge,
+  readExportedCreds: () => readExportedCreds,
+  readKeychainCreds: () => readKeychainCreds,
+  refreshCreds: () => refreshCreds,
+  uninstallRefreshAgent: () => uninstallRefreshAgent,
+  writeCursorApiKey: () => writeCursorApiKey,
+  writeRefreshAgent: () => writeRefreshAgent
+});
 import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, chmodSync, readFileSync as readFileSync6, statSync } from "fs";
 import { homedir as homedir6, platform as platform3 } from "os";
 import { join as join6 } from "path";
@@ -5449,6 +5633,30 @@ function exportKeychainCreds() {
   chmodSync(CLAUDE_CREDS_FILE, 384);
   return CLAUDE_CREDS_FILE;
 }
+function cursorApiKeyConfigured() {
+  try {
+    return existsSync7(CURSOR_API_KEY_FILE) && readFileSync6(CURSOR_API_KEY_FILE, "utf-8").trim().length > 0;
+  } catch {
+    return false;
+  }
+}
+function writeCursorApiKey(key) {
+  const trimmed = key.trim();
+  if (!trimmed) return;
+  mkdirSync6(CURSOR_CREDS_DIR, { recursive: true });
+  chmodSync(CURSOR_CREDS_DIR, 448);
+  writeFileSync6(CURSOR_API_KEY_FILE, trimmed, "utf-8");
+  chmodSync(CURSOR_API_KEY_FILE, 384);
+}
+function credsAreStale() {
+  if (!existsSync7(CLAUDE_CREDS_FILE)) return true;
+  try {
+    const ageMs = Date.now() - statSync(CLAUDE_CREDS_FILE).mtimeMs;
+    return ageMs > REFRESH_INTERVAL_SECONDS * 1e3;
+  } catch {
+    return true;
+  }
+}
 function writeRefreshAgent(synkroBinPath) {
   if (platform3() !== "darwin") {
     throw new KeychainExportError("writeRefreshAgent is darwin-only");
@@ -5510,13 +5718,26 @@ function uninstallRefreshAgent() {
   } catch {
   }
 }
-var SYNKRO_DIR2, CLAUDE_CREDS_DIR, CLAUDE_CREDS_FILE, KEYCHAIN_SERVICE, LAUNCHD_LABEL, LAUNCHD_PLIST, REFRESH_INTERVAL_SECONDS, KeychainExportError;
+function refreshCreds() {
+  const path = exportKeychainCreds();
+  return path !== null;
+}
+function readExportedCreds() {
+  try {
+    return readFileSync6(CLAUDE_CREDS_FILE, "utf-8");
+  } catch {
+    return null;
+  }
+}
+var SYNKRO_DIR2, CLAUDE_CREDS_DIR, CLAUDE_CREDS_FILE, CURSOR_CREDS_DIR, CURSOR_API_KEY_FILE, KEYCHAIN_SERVICE, LAUNCHD_LABEL, LAUNCHD_PLIST, REFRESH_INTERVAL_SECONDS, KeychainExportError;
 var init_macKeychain = __esm({
   "cli/local-cc/macKeychain.ts"() {
     "use strict";
     SYNKRO_DIR2 = join6(homedir6(), ".synkro");
     CLAUDE_CREDS_DIR = join6(SYNKRO_DIR2, "claude-creds");
     CLAUDE_CREDS_FILE = join6(CLAUDE_CREDS_DIR, ".credentials.json");
+    CURSOR_CREDS_DIR = join6(SYNKRO_DIR2, "cursor-creds");
+    CURSOR_API_KEY_FILE = join6(CURSOR_CREDS_DIR, "api-key");
     KEYCHAIN_SERVICE = "Claude Code-credentials";
     LAUNCHD_LABEL = "com.synkro.cli.claude-creds-refresh";
     LAUNCHD_PLIST = join6(homedir6(), "Library", "LaunchAgents", `${LAUNCHD_LABEL}.plist`);
@@ -5547,12 +5768,69 @@ __export(dockerInstall_exports, {
   dockerStop: () => dockerStop,
   dockerUpdate: () => dockerUpdate,
   imageTag: () => imageTag,
+  resolveWorkerConfig: () => resolveWorkerConfig,
+  splitWorkers: () => splitWorkers,
   waitForContainerReady: () => waitForContainerReady
 });
 import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readdirSync } from "fs";
 import { homedir as homedir7 } from "os";
 import { join as join7 } from "path";
 import { spawnSync as spawnSync2 } from "child_process";
+function splitWorkers(total, providers) {
+  const t = Math.max(0, Math.floor(total));
+  const hasClaude = providers.includes("claude_code");
+  const hasCursor = providers.includes("cursor");
+  if (hasClaude && hasCursor) {
+    const cursorWorkers = Math.floor(t / 2);
+    return { claudeWorkers: t - cursorWorkers, cursorWorkers };
+  }
+  if (hasCursor) return { claudeWorkers: 0, cursorWorkers: t };
+  return { claudeWorkers: t, cursorWorkers: 0 };
+}
+function normalizeProvider(p) {
+  const v = p.trim().toLowerCase();
+  if (v === "claude" || v === "claude-code" || v === "claude_code" || v === "cc") return "claude_code";
+  if (v === "cursor") return "cursor";
+  return null;
+}
+function resolveWorkerConfig(rest) {
+  let workers = 8;
+  let explicit = false;
+  const providers = [];
+  const addProviders = (csv) => {
+    for (const p of csv.split(",")) {
+      const np = normalizeProvider(p);
+      if (np && !providers.includes(np)) providers.push(np);
+    }
+  };
+  for (let i = 0; i < rest.length; i++) {
+    const a = rest[i];
+    if (a === "--workers" || a === "-w") {
+      workers = parseInt(rest[++i] || "8", 10);
+      explicit = true;
+    } else if (a.startsWith("--workers=")) {
+      workers = parseInt(a.slice("--workers=".length), 10);
+      explicit = true;
+    } else if (a === "--provider" || a === "--providers") {
+      addProviders(rest[++i] || "");
+      explicit = true;
+    } else if (a.startsWith("--provider=")) {
+      addProviders(a.slice("--provider=".length));
+      explicit = true;
+    } else if (a.startsWith("--providers=")) {
+      addProviders(a.slice("--providers=".length));
+      explicit = true;
+    }
+  }
+  if (!Number.isFinite(workers) || workers < 1) workers = 8;
+  workers = Math.min(workers, 64);
+  let provs = providers;
+  if (provs.length === 0) {
+    provs = detectAgents().map((a) => a.kind);
+    if (provs.length === 0) provs = ["claude_code"];
+  }
+  return { ...splitWorkers(workers, provs), explicit };
+}
 function imageTag() {
   const registry = process.env.SYNKRO_IMAGE_REGISTRY || "";
   const tag = process.env.SYNKRO_IMAGE_TAG || DEFAULT_IMAGE;
@@ -5576,7 +5854,9 @@ function claudeCredsHostDir() {
 async function dockerInstall(opts = {}) {
   assertDockerAvailable();
   const image = imageTag();
-  const workers = String(opts.workersPerPool ?? 8);
+  const claudeWorkers = opts.claudeWorkers ?? opts.workersPerPool ?? 8;
+  const cursorWorkers = opts.cursorWorkers ?? 0;
+  const totalWorkers = claudeWorkers + cursorWorkers;
   mkdirSync7(PGDATA_PATH, { recursive: true });
   mkdirSync7(BACKUP_DIR, { recursive: true });
   mkdirSync7(CLAUDE_HOST_STATE_DIR, { recursive: true });
@@ -5589,12 +5869,20 @@ async function dockerInstall(opts = {}) {
       `MCP JWT missing at ${MCP_JWT_PATH}. The installer should mint this before calling dockerInstall.`
     );
   }
+  mkdirSync7(CURSOR_CREDS_DIR, { recursive: true });
   if (needsKeychainBridge()) {
-    const path = exportKeychainCreds();
-    if (!path) {
-      throw new DockerInstallError(
-        "Claude Code keychain entry not found. Run `claude login` (or open Claude Code and sign in) before installing the container."
-      );
+    if (claudeWorkers > 0) {
+      const path = exportKeychainCreds();
+      if (!path) {
+        throw new DockerInstallError(
+          "Claude Code keychain entry not found. Run `claude login` (or open Claude Code and sign in) before installing the container."
+        );
+      }
+    }
+    if (cursorWorkers > 0 && !cursorApiKeyConfigured()) {
+      console.warn("  \u26A0 No Cursor API key found \u2014 Cursor grader workers will be idle.");
+      console.warn("    Generate a key at cursor.com \u2192 Settings \u2192 API Keys, then:");
+      console.warn(`      echo 'YOUR_KEY' > ~/.synkro/cursor-creds/api-key && chmod 600 ~/.synkro/cursor-creds/api-key`);
     }
     const plist = writeRefreshAgent("/usr/local/bin/synkro");
     try {
@@ -5637,21 +5925,34 @@ async function dockerInstall(opts = {}) {
     `${PGDATA_PATH}:/data/pgdata`,
     "-v",
     `${BACKUP_DIR}:/data/backups`,
+    // The whole host ~/.synkro directory, read-only. The container copies
+    // .mcp-jwt and credentials.json out of it at boot. A directory mount
+    // sidesteps Docker Desktop for macOS's unreliable single-file bind mounts
+    // (which previously left a dangling symlink that blocked container start).
     "-v",
-    `${MCP_JWT_PATH}:/data/.mcp-jwt:ro`,
-    "-v",
-    `${SYNKRO_CREDS_PATH}:/data/credentials.json:ro`,
+    `${SYNKRO_DIR3}:/data/synkro-host:ro`,
     "-v",
     `${credsDir}:/home/synkro/.claude:rw`,
     "-v",
     `${join7(homedir7(), ".claude")}:/data/claude-host:ro`,
     "-v",
     `${CLAUDE_HOST_STATE_DIR}:/data/claude-host-state:ro`,
+    // Cursor creds — mounted RW so the in-container refresher can rotate the
+    // access token in place. Only mounted when the install includes Cursor.
+    ...cursorWorkers > 0 ? ["-v", `${CURSOR_CREDS_DIR}:/home/synkro/.cursor-creds:rw`] : [],
+    "-e",
+    `WORKERS_PER_POOL=${totalWorkers}`,
+    "-e",
+    `CLAUDE_WORKERS=${claudeWorkers}`,
     "-e",
-    `WORKERS_PER_POOL=${workers}`,
+    `CURSOR_WORKERS=${cursorWorkers}`,
     // Pass through the batch-size lever if the operator set it. Defaults
     // inside the container to 5; clamped to [1, 20] by synkro-server.ts.
     ...process.env.SYNKRO_MAX_BATCH_SIZE ? ["-e", `SYNKRO_MAX_BATCH_SIZE=${process.env.SYNKRO_MAX_BATCH_SIZE}`] : [],
+    // Cursor grading model — tunable like SYNKRO_MAX_BATCH_SIZE.
+    ...process.env.SYNKRO_CURSOR_MODEL ? ["-e", `SYNKRO_CURSOR_MODEL=${process.env.SYNKRO_CURSOR_MODEL}`] : [],
+    // Connected repo — the server seeds the local app + ruleset named after it.
+    ...opts.connectedRepo ? ["-e", `SYNKRO_CONNECTED_REPO=${opts.connectedRepo}`] : [],
     image
   ];
   const run = spawnSync2("docker", args2, { encoding: "utf-8", stdio: "inherit", timeout: 6e4 });
@@ -5680,12 +5981,12 @@ function dockerStop() {
   spawnSync2("docker", ["stop", "--timeout=30", CONTAINER_NAME], { encoding: "utf-8", timeout: 45e3 });
   spawnSync2("docker", ["rm", CONTAINER_NAME], { encoding: "utf-8", timeout: 3e4 });
 }
-async function dockerUpdate(workersPerPool) {
+async function dockerUpdate(opts = {}) {
   if (dockerStatus().running) {
     await dockerSafeStop();
   }
   dockerRemove();
-  await dockerInstall({ workersPerPool });
+  await dockerInstall(opts);
 }
 function dockerStatus() {
   const r = spawnSync2("docker", ["inspect", "--format", "{{.State.Status}}", CONTAINER_NAME], {
@@ -5814,14 +6115,14 @@ function checkPgdata() {
   if (!hasPgControl) return { healthy: false, details: "pg_control/global directory missing" };
   return { healthy: true, details: `${entries.length} entries, WAL present, no stale PID` };
 }
-var SYNKRO_DIR3, MCP_JWT_PATH, SYNKRO_CREDS_PATH, PGDATA_PATH, CLAUDE_HOST_STATE_DIR, CLAUDE_HOST_STATE_FILE, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError, BACKUP_DIR;
+var SYNKRO_DIR3, MCP_JWT_PATH, PGDATA_PATH, CLAUDE_HOST_STATE_DIR, CLAUDE_HOST_STATE_FILE, HOST_MCP_PORT, HOST_GRADER_PORT, HOST_CWE_PORT, HOST_PG_PORT, CONTAINER_NAME, DEFAULT_IMAGE, DockerInstallError, BACKUP_DIR;
 var init_dockerInstall = __esm({
   "cli/local-cc/dockerInstall.ts"() {
     "use strict";
+    init_agentDetect();
     init_macKeychain();
     SYNKRO_DIR3 = join7(homedir7(), ".synkro");
     MCP_JWT_PATH = join7(SYNKRO_DIR3, ".mcp-jwt");
-    SYNKRO_CREDS_PATH = join7(SYNKRO_DIR3, "credentials.json");
     PGDATA_PATH = join7(SYNKRO_DIR3, "pgdata");
     CLAUDE_HOST_STATE_DIR = join7(SYNKRO_DIR3, "claude-host-state");
     CLAUDE_HOST_STATE_FILE = join7(CLAUDE_HOST_STATE_DIR, ".claude.json");
@@ -5863,6 +6164,7 @@ function parseArgs(argv) {
   for (const a of argv) {
     if (a.startsWith("--api-key=")) opts.apiKey = a.slice("--api-key=".length);
     else if (a.startsWith("--gateway=")) opts.gatewayUrl = a.slice("--gateway=".length);
+    else if (a.startsWith("--cursor-api-key=")) opts.cursorApiKey = a.slice("--cursor-api-key=".length);
     else if (a === "--skip-auth") opts.skipAuth = true;
     else if (a === "--no-mcp") opts.noMcp = true;
     else if (a === "--force" || a === "-f") opts.force = true;
@@ -5898,6 +6200,32 @@ async function promptAgentSelection(detected) {
   });
   return ask2();
 }
+async function promptCursorApiKey(opts) {
+  const { cursorApiKeyConfigured: cursorApiKeyConfigured2, writeCursorApiKey: writeCursorApiKey2 } = await Promise.resolve().then(() => (init_macKeychain(), macKeychain_exports));
+  if (cursorApiKeyConfigured2()) return;
+  const provided = (opts.cursorApiKey || process.env.SYNKRO_CURSOR_API_KEY || "").trim();
+  if (provided) {
+    writeCursorApiKey2(provided);
+    console.log("  \u2713 Cursor API key saved to ~/.synkro/cursor-creds/api-key");
+    return;
+  }
+  const rl = createInterface3({ input: process.stdin, output: process.stdout });
+  const key = await new Promise((resolve3) => {
+    rl.question(
+      "Cursor grading needs a Cursor API key (cursor.com \u2192 Settings \u2192 API Keys).\nPaste it now, or press Enter to skip (Cursor workers stay idle until set): ",
+      (answer) => {
+        rl.close();
+        resolve3(answer.trim());
+      }
+    );
+  });
+  if (key) {
+    writeCursorApiKey2(key);
+    console.log("  \u2713 Cursor API key saved.");
+  } else {
+    console.log("  \u26A0 Skipped \u2014 Cursor workers will be idle. Re-run install or pass --cursor-api-key=\u2026 later.");
+  }
+}
 function ensureSynkroDir() {
   mkdirSync8(SYNKRO_DIR4, { recursive: true });
   mkdirSync8(HOOKS_DIR, { recursive: true });
@@ -5999,7 +6327,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.3")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.5")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -6405,9 +6733,18 @@ async function installCommand(opts = {}) {
 \u2717 ${err.message}`);
       process.exit(1);
     }
+    if (hasCursor) {
+      await promptCursorApiKey(opts);
+    }
     console.log("Installing Synkro server container...");
-    const workersPerPool = parseInt(process.env.SYNKRO_WORKERS_PER_POOL || "8", 10);
-    const { image, hostMcpPort, hostGraderPort, hostCwePort } = await dockerInstall({ workersPerPool });
+    const totalWorkers = parseInt(process.env.SYNKRO_WORKERS_PER_POOL || "8", 10);
+    const providers = [];
+    if (hasClaudeCode) providers.push("claude_code");
+    if (hasCursor) providers.push("cursor");
+    const { claudeWorkers, cursorWorkers } = splitWorkers(totalWorkers, providers);
+    console.log(`  worker pool: ${claudeWorkers} claude + ${cursorWorkers} cursor`);
+    const connectedRepo = detectGitRepo2() || void 0;
+    const { image, hostMcpPort, hostGraderPort, hostCwePort } = await dockerInstall({ claudeWorkers, cursorWorkers, connectedRepo });
     console.log(`  \u2713 pulled ${image}`);
     console.log(`  container started \u2014 MCP=${hostMcpPort} general=${hostGraderPort} CWE=${hostCwePort}`);
     console.log("  waiting for container to be ready...");
@@ -7397,8 +7734,21 @@ async function stopCommand() {
   }
   console.log("\nServer stopped.");
 }
-async function startCommand() {
+async function startCommand(rest = []) {
   assertDockerAvailable();
+  const cfg = resolveWorkerConfig(rest);
+  if (cfg.explicit) {
+    console.log(`Synkro: starting server (${cfg.claudeWorkers} claude + ${cfg.cursorWorkers} cursor)
+`);
+    await dockerUpdate({ claudeWorkers: cfg.claudeWorkers, cursorWorkers: cfg.cursorWorkers });
+    const ready = await waitForContainerReady(6e4);
+    if (!ready) {
+      console.error("\n\u26A0 container did not pass /healthz within 60s");
+      process.exit(1);
+    }
+    console.log("\nServer is running.");
+    return;
+  }
   console.log("Synkro: starting server\n");
   const result = await dockerSafeStart();
   if (!result.ok) {
@@ -7408,8 +7758,21 @@ Start failed: ${result.error}`);
   }
   console.log("\nServer is running.");
 }
-async function restartCommand() {
+async function restartCommand(rest = []) {
   assertDockerAvailable();
+  const cfg = resolveWorkerConfig(rest);
+  if (cfg.explicit) {
+    console.log(`Synkro: restarting server (${cfg.claudeWorkers} claude + ${cfg.cursorWorkers} cursor)
+`);
+    await dockerUpdate({ claudeWorkers: cfg.claudeWorkers, cursorWorkers: cfg.cursorWorkers });
+    const ready = await waitForContainerReady(6e4);
+    if (!ready) {
+      console.error("\n\u26A0 container did not pass /healthz within 60s");
+      process.exit(1);
+    }
+    console.log("\nServer restarted successfully.");
+    return;
+  }
   console.log("Synkro: restarting server\n");
   const result = await dockerSafeRestart();
   if (!result.ok) {
@@ -7451,7 +7814,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.3");
+  console.log("1.6.5");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents
@@ -7463,10 +7826,15 @@ Commands:
   install [--force]      Install or update Synkro
   uninstall [--purge]    Remove Synkro hooks (--purge also removes ~/.synkro)
   stop                   Gracefully stop the server (snapshot + checkpoint)
-  start                  Start the server (with pgdata integrity check)
-  restart                Safe restart (stop \u2192 start, data preserved)
+  start [opts]           Start the server (with pgdata integrity check)
+  restart [opts]         Safe restart (stop \u2192 start, data preserved)
   version                Show version
 
+  start/restart opts (recreate the worker pool):
+    --workers N          total grader workers (default 8, even-split)
+    --providers a,b      grading agents: claude, cursor (or both)
+    e.g. synkro restart --workers 16 --providers claude,cursor
+
 Quick start:
   $ synkro install       # one-time setup
   $ claude               # use Claude Code normally; Synkro judges in real time
@@ -7510,12 +7878,12 @@ async function main() {
     }
     case "start": {
       const { startCommand: startCommand2 } = await Promise.resolve().then(() => (init_lifecycle(), lifecycle_exports));
-      await startCommand2();
+      await startCommand2(args.slice(1));
       break;
     }
     case "restart": {
       const { restartCommand: restartCommand2 } = await Promise.resolve().then(() => (init_lifecycle(), lifecycle_exports));
-      await restartCommand2();
+      await restartCommand2(args.slice(1));
       break;
     }
     default: {