@synkro-sh/cli 1.6.44 → 1.6.45

package/dist/bootstrap.js

@@ -350,13 +350,13 @@ function installCursorHooks(hooksJsonPath, config) {
   });
   h.beforeShellExecution.push({
     command: cursorCcCmd(config.cwePrecheckScriptPath),
-    timeout: 60,
+    timeout: 30,
     failClosed: false,
     [SYNKRO_MARKER2]: true
   });
   h.beforeShellExecution.push({
     command: bunRunCmd(config.bashJudgeScriptPath),
-    timeout: 15,
+    timeout: 30,
     failClosed: false,
     [SYNKRO_MARKER2]: true
   });
@@ -371,36 +371,36 @@ function installCursorHooks(hooksJsonPath, config) {
   });
   h.preToolUse.push({
     command: cursorCcCmd(config.cwePrecheckScriptPath),
-    timeout: 60,
+    timeout: 30,
     failClosed: false,
     matcher: "Shell|Bash|terminal|run_terminal_cmd|execute_command",
     [SYNKRO_MARKER2]: true
   });
   h.preToolUse.push({
     command: bunRunCmd(config.bashJudgeScriptPath),
-    timeout: 15,
+    timeout: 30,
     failClosed: false,
     matcher: "Shell|Bash|Read|ReadFile|Grep|Glob|terminal|run_terminal_cmd|execute_command|read_file|grep_search|file_search|list_dir|codebase_search|delete_file",
     [SYNKRO_MARKER2]: true
   });
   pushCcHook(h, "preToolUse", config.editPrecheckScriptPath, {
-    timeout: 15,
+    timeout: 30,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.cwePrecheckScriptPath, {
-    timeout: 60,
+    timeout: 30,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.cvePrecheckScriptPath, {
-    timeout: 20,
+    timeout: 10,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.agentJudgeScriptPath, {
-    timeout: 15,
+    timeout: 30,
     matcher: "Agent|Task"
   });
   pushCcHook(h, "preToolUse", config.planJudgeScriptPath, {
-    timeout: 20,
+    timeout: 45,
     matcher: "ExitPlanMode|SwitchMode|CreatePlan"
   });
   h.afterFileEdit = h.afterFileEdit ?? [];
@@ -3218,6 +3218,7 @@ export function isCursorInvokingCcHook(agentKind: string, model: string): boolea
 }
 
 let cursorHookExited = false;
+let hookFinalized = false;
 
 export function setupCursorHookSignals(): void {
   if (!isCursorHookFormat()) return;
@@ -3226,9 +3227,28 @@ export function setupCursorHookSignals(): void {
 
 function cursorHookExit(): never {
   cursorHookExited = true;
+  hookFinalized = true;
   process.exit(0);
 }
 
+// Self-imposed deadline. CC/Cursor kill the hook process at the configured hook
+// timeout with a signal; if a grade fetch is still in flight when that happens,
+// the runtime dumps the in-flight request body (the grader prompt) to stderr and
+// exits non-zero \u2014 surfacing as a "hook error" toast with leaked prompt text.
+// To prevent that, each grading hook arms this watchdog a few seconds UNDER its
+// configured budget: when it fires we emit a clean empty result and exit 0
+// ourselves, so the harness never has to kill us. The timer is unref'd, so a
+// hook that finishes early exits normally and the watchdog never runs.
+export function installHookWatchdog(budgetMs: number): void {
+  const t = setTimeout(() => {
+    if (hookFinalized) return;
+    hookFinalized = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+    process.exit(0);
+  }, budgetMs);
+  if (typeof (t as any).unref === 'function') (t as any).unref();
+}
+
 // \u2500\u2500\u2500 Grader-unavailable diagnostic log \u2500\u2500\u2500
 // Records every time a hook tried to call the local grader and fell open
 // because the call failed. JSONL at ~/.synkro/grader-unavailable.log so the
@@ -3308,6 +3328,8 @@ export function outputJson(obj: any): void {
     outputEmpty();
     return;
   }
+  if (hookFinalized) return;
+  hookFinalized = true;
   console.log(JSON.stringify(obj));
 }
 
@@ -3319,6 +3341,8 @@ export function outputEmpty(): void {
     }
     cursorHookExit();
   }
+  if (hookFinalized) return;
+  hookFinalized = true;
   console.log('{}');
 }
 `;
@@ -3328,7 +3352,7 @@ import {
   parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, filePathFromToolInput,
   appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isEditTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, countEditLineDelta,
   captureLineMetrics, cursorModelFromPayload, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool,
@@ -3341,6 +3365,7 @@ const agentKind = (process.env.SYNKRO_HOOK_FORMAT === 'cursor' || process.argv.i
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -3463,7 +3488,7 @@ async function main() {
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this edit \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no hardcoded secrets in file. R005: in-repo path only." Cover every rule shown.',
       ].join('\\n');
 
@@ -3585,7 +3610,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, isShellTool, isCursorHookFormat,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isEditTool, isShellTool, isCursorHookFormat,
   extractShellCodeWrites, hookSessionId, filePathFromToolInput, emitBlockScanFindings, dispatchFinding, dispatchCapture, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool,
@@ -3725,6 +3750,7 @@ function scanPackageCapabilities(pkgName: string, cwd: string): PackageCapabilit
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -4548,7 +4574,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isShellTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, appendLocalTelemetry, isSafeInRepoRead,
   loadSynkroFile, effectiveGraderPool,
   hashCommand, resolveTranscriptPath, isCursorHookFormat,
@@ -4591,6 +4617,7 @@ function isDuplicate(command: string, sessionId: string): boolean {
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -4722,7 +4749,7 @@ async function main() {
         'Org rules: ' + JSON.stringify(relevantRules),
         scanConcern,
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix — your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass — but each distinct command is consumed once. Look for the sequence: block event → user acknowledgment → retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block → consent cycle). Example: R012 covers deploy, publish, push. Block on deploy → user consents → deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user\'s initial instruction is NEVER consent — only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass — but each distinct command is consumed once. Look for the sequence: block event → user acknowledgment → retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block → consent cycle). Example: R012 covers deploy, publish, push. Block on deploy → user consents → deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent — only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this command — every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
@@ -4845,7 +4872,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isAgentTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, normalizeMode, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool,
   type HookConfig, type Rule,
@@ -4855,6 +4882,7 @@ const agentKind = (process.env.SYNKRO_HOOK_FORMAT === 'cursor' || process.argv.i
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -4934,7 +4962,7 @@ async function main() {
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
       ].filter(Boolean).join('\\n');
 
       let gradeResp: string;
@@ -5032,7 +5060,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, postWithRetry, readStdin, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isPlanTool, hookSessionId, GATEWAY_URL,
   filterRules, graderUnavailableMessage, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool,
 } from './_synkro-common.ts';
@@ -5084,6 +5112,7 @@ function appendReviewToPlan(planFile: string, verdict: string): void {
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(42000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -5590,8 +5619,10 @@ function isDuplicate(command: string, sessionId: string): boolean {
   return false;
 }
 
-// Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
-const CURSOR_GRADE_TIMEOUT_MS = 12000;
+// Cursor hook timeouts now match CC (30s for bash/edit/agent), so use the same
+// 24s internal grade budget as the CC path \u2014 stays under the 30s hook timeout
+// (JWT refresh + grade) and fails open cleanly via the caller's catch.
+const CURSOR_GRADE_TIMEOUT_MS = 24000;
 const CURSOR_CLOUD_TIMEOUT_MS = 9000;
 
 let hookDone = false;
@@ -5733,7 +5764,7 @@ async function main() {
         'Org rules: ' + JSON.stringify(relevantRules),
         scanConcern,
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this command \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
@@ -8270,7 +8301,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.44")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.45")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -11355,7 +11386,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.44");
+  console.log("1.6.45");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents