@synkro-sh/cli 1.6.44 → 1.6.46

package/dist/bootstrap.js

@@ -350,13 +350,13 @@ function installCursorHooks(hooksJsonPath, config) {
   });
   h.beforeShellExecution.push({
     command: cursorCcCmd(config.cwePrecheckScriptPath),
-    timeout: 60,
+    timeout: 30,
     failClosed: false,
     [SYNKRO_MARKER2]: true
   });
   h.beforeShellExecution.push({
     command: bunRunCmd(config.bashJudgeScriptPath),
-    timeout: 15,
+    timeout: 30,
     failClosed: false,
     [SYNKRO_MARKER2]: true
   });
@@ -371,36 +371,36 @@ function installCursorHooks(hooksJsonPath, config) {
   });
   h.preToolUse.push({
     command: cursorCcCmd(config.cwePrecheckScriptPath),
-    timeout: 60,
+    timeout: 30,
     failClosed: false,
     matcher: "Shell|Bash|terminal|run_terminal_cmd|execute_command",
     [SYNKRO_MARKER2]: true
   });
   h.preToolUse.push({
     command: bunRunCmd(config.bashJudgeScriptPath),
-    timeout: 15,
+    timeout: 30,
     failClosed: false,
     matcher: "Shell|Bash|Read|ReadFile|Grep|Glob|terminal|run_terminal_cmd|execute_command|read_file|grep_search|file_search|list_dir|codebase_search|delete_file",
     [SYNKRO_MARKER2]: true
   });
   pushCcHook(h, "preToolUse", config.editPrecheckScriptPath, {
-    timeout: 15,
+    timeout: 30,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.cwePrecheckScriptPath, {
-    timeout: 60,
+    timeout: 30,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.cvePrecheckScriptPath, {
-    timeout: 20,
+    timeout: 10,
     matcher: "Write|Edit|StrReplace|MultiEdit|NotebookEdit|edit_file|reapply|edit_notebook|ApplyPatch|apply_patch"
   });
   pushCcHook(h, "preToolUse", config.agentJudgeScriptPath, {
-    timeout: 15,
+    timeout: 30,
     matcher: "Agent|Task"
   });
   pushCcHook(h, "preToolUse", config.planJudgeScriptPath, {
-    timeout: 20,
+    timeout: 45,
     matcher: "ExitPlanMode|SwitchMode|CreatePlan"
   });
   h.afterFileEdit = h.afterFileEdit ?? [];
@@ -1280,6 +1280,39 @@ export function effectiveGraderPool(synkroFile: SynkroFileConfig, hookAgentKind:
   return 'cursor';
 }
 
+// \u2500\u2500\u2500 .synkro presence (per-repo onboarding) \u2500\u2500\u2500
+// A repo is "onboarded" to Synkro when it has a .synkro file at its git root.
+// The hooks are installed globally, so they fire in every repo \u2014 including ones
+// the user never set up. Without a .synkro there, grading is SKIPPED gracefully
+// rather than attempting a grade that surfaces a confusing "grader unavailable"
+// error: the tool call passes through and we show a one-time hint pointing at
+// "synkro install".
+export function synkroFilePresent(cwd?: string): boolean {
+  try {
+    const root = cwd ? findGitRoot(cwd) : '';
+    if (!root) return false;
+    return existsSync(root + '/.synkro');
+  } catch { return false; }
+}
+
+const NO_SYNKRO_HINT_DIR = join(HOME, '.synkro', '.no-synkro-hint');
+
+// Returns the onboarding hint the FIRST time a session touches a repo with no
+// .synkro file, then null on subsequent calls so it doesn't repeat on every
+// tool call. Caller passes null straight through to outputEmpty().
+export function noSynkroSkipMessage(sessionId: string): string | null {
+  try {
+    mkdirSync(NO_SYNKRO_HINT_DIR, { recursive: true });
+    const key = (sessionId || 'nosession').replace(/[^a-zA-Z0-9_-]/g, '_');
+    const marker = join(NO_SYNKRO_HINT_DIR, key);
+    if (existsSync(marker)) return null;
+    writeFileSync(marker, '', { flag: 'w' });
+  } catch {
+    // best-effort dedup \u2014 if the marker can't be written, still show the hint
+  }
+  return '[synkro] No .synkro config in this repo \u2014 grading skipped. Run \`synkro install\` here to enable Synkro.';
+}
+
 // \u2500\u2500\u2500 Channel Health \u2500\u2500\u2500
 
 export async function channelUp(port = 18929): Promise<boolean> {
@@ -3218,6 +3251,7 @@ export function isCursorInvokingCcHook(agentKind: string, model: string): boolea
 }
 
 let cursorHookExited = false;
+let hookFinalized = false;
 
 export function setupCursorHookSignals(): void {
   if (!isCursorHookFormat()) return;
@@ -3226,9 +3260,28 @@ export function setupCursorHookSignals(): void {
 
 function cursorHookExit(): never {
   cursorHookExited = true;
+  hookFinalized = true;
   process.exit(0);
 }
 
+// Self-imposed deadline. CC/Cursor kill the hook process at the configured hook
+// timeout with a signal; if a grade fetch is still in flight when that happens,
+// the runtime dumps the in-flight request body (the grader prompt) to stderr and
+// exits non-zero \u2014 surfacing as a "hook error" toast with leaked prompt text.
+// To prevent that, each grading hook arms this watchdog a few seconds UNDER its
+// configured budget: when it fires we emit a clean empty result and exit 0
+// ourselves, so the harness never has to kill us. The timer is unref'd, so a
+// hook that finishes early exits normally and the watchdog never runs.
+export function installHookWatchdog(budgetMs: number): void {
+  const t = setTimeout(() => {
+    if (hookFinalized) return;
+    hookFinalized = true;
+    try { process.stdout.write('{}\\n'); } catch {}
+    process.exit(0);
+  }, budgetMs);
+  if (typeof (t as any).unref === 'function') (t as any).unref();
+}
+
 // \u2500\u2500\u2500 Grader-unavailable diagnostic log \u2500\u2500\u2500
 // Records every time a hook tried to call the local grader and fell open
 // because the call failed. JSONL at ~/.synkro/grader-unavailable.log so the
@@ -3308,6 +3361,8 @@ export function outputJson(obj: any): void {
     outputEmpty();
     return;
   }
+  if (hookFinalized) return;
+  hookFinalized = true;
   console.log(JSON.stringify(obj));
 }
 
@@ -3319,6 +3374,8 @@ export function outputEmpty(): void {
     }
     cursorHookExit();
   }
+  if (hookFinalized) return;
+  hookFinalized = true;
   console.log('{}');
 }
 `;
@@ -3328,10 +3385,10 @@ import {
   parseVerdict, dispatchCapture, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, filePathFromToolInput,
   appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isEditTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, countEditLineDelta,
   captureLineMetrics, cursorModelFromPayload, resolveTranscriptPath, isCursorInvokingCcHook,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
@@ -3341,6 +3398,7 @@ const agentKind = (process.env.SYNKRO_HOOK_FORMAT === 'cursor' || process.argv.i
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -3365,6 +3423,13 @@ async function main() {
 
     if (filePath.includes('/.synkro/hooks/')) { outputEmpty(); return; }
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     const fileShort = basename(filePath);
     log('editGuard checking: ' + fileShort);
 
@@ -3463,7 +3528,7 @@ async function main() {
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this edit \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no hardcoded secrets in file. R005: in-repo path only." Cover every rule shown.',
       ].join('\\n');
 
@@ -3585,10 +3650,10 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, cweRoute, tag,
   localGradeCwe, parseVerdict, reconstructContent, readStdin, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isEditTool, isShellTool, isCursorHookFormat,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isEditTool, isShellTool, isCursorHookFormat,
   extractShellCodeWrites, hookSessionId, filePathFromToolInput, emitBlockScanFindings, dispatchFinding, dispatchCapture, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, resolveTranscriptPath, isCursorInvokingCcHook,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
 } from './_synkro-common.ts';
 import { basename, extname, resolve, join, dirname } from 'node:path';
 import { readFileSync, readdirSync, existsSync } from 'node:fs';
@@ -3725,6 +3790,7 @@ function scanPackageCapabilities(pkgName: string, cwd: string): PackageCapabilit
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -3741,6 +3807,13 @@ async function main() {
 
     if (isCursorInvokingCcHook(agentKind, ccModel)) { outputEmpty(); return; }
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     const targets: CweScanTarget[] = [];
 
     if (isCursorHookFormat() && (shellCommand || isShellTool(toolName))) {
@@ -4147,7 +4220,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   reconstructContent, readStdin, findNearestDeps, filePathFromToolInput, log,
   outputJson, outputEmpty, setupCursorHookSignals, isEditTool, hookSessionId, dispatchFinding, dispatchCapture, dispatchScanResult, extractTranscript, emitBlockScanFindings, resolveTranscriptPath, GATEWAY_URL,
-  isCursorHookFormat,
+  isCursorHookFormat, synkroFilePresent, noSynkroSkipMessage,
 } from './_synkro-common.ts';
 import { basename } from 'node:path';
 import { readFileSync } from 'node:fs';
@@ -4193,6 +4266,13 @@ async function main() {
 
     if (filePath.includes('/.synkro/hooks/')) { outputEmpty(); return; }
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     const fileShort = basename(filePath);
 
     let jwt = loadJwt();
@@ -4429,7 +4509,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag,
   readStdin, runInstallScan, emitBlockScanFindings, dispatchCapture, dispatchScanResult, hashCommand,
   outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, log, GATEWAY_URL,
-  resolveTranscriptPath, isCursorHookFormat, loadSynkroFile, effectiveGraderPool,
+  resolveTranscriptPath, isCursorHookFormat, loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
 } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
@@ -4454,6 +4534,14 @@ async function main() {
     // beforeShellExecution supplies command directly; preToolUse uses tool_name + tool_input.
     if (!isShellTool(toolName) && typeof payload.command !== 'string') { outputEmpty(); return; }
 
+    const _cwd = payload.cwd || (Array.isArray(payload.workspace_roots) ? payload.workspace_roots[0] : '') || '';
+    if (!synkroFilePresent(_cwd)) {
+      const _skipMsg = noSynkroSkipMessage(hookSessionId(payload));
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     let jwt = loadJwt();
     if (!jwt) { outputEmpty(); return; }
     jwt = await ensureFreshJwt(jwt);
@@ -4548,9 +4636,9 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isShellTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, appendLocalTelemetry, isSafeInRepoRead,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
   hashCommand, resolveTranscriptPath, isCursorHookFormat,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
@@ -4591,6 +4679,7 @@ function isDuplicate(command: string, sessionId: string): boolean {
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -4630,6 +4719,13 @@ async function main() {
 
     const gitRepo = detectRepo(cwd, transcriptPath, command, workspaceRoots);
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     if (isDuplicate(command, sessionId)) {
       log('bashGuard skip (dedup): ' + command.slice(0, 80));
       outputEmpty();
@@ -4722,7 +4818,7 @@ async function main() {
         'Org rules: ' + JSON.stringify(relevantRules),
         scanConcern,
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix — your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass — but each distinct command is consumed once. Look for the sequence: block event → user acknowledgment → retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block → consent cycle). Example: R012 covers deploy, publish, push. Block on deploy → user consents → deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user\'s initial instruction is NEVER consent — only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass — but each distinct command is consumed once. Look for the sequence: block event → user acknowledgment → retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block → consent cycle). Example: R012 covers deploy, publish, push. Block on deploy → user consents → deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent — only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this command — every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
@@ -4845,9 +4941,9 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
   extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isAgentTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isAgentTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, normalizeMode, resolveTranscriptPath, isCursorInvokingCcHook,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
   type HookConfig, type Rule,
 } from './_synkro-common.ts';
 
@@ -4855,6 +4951,7 @@ const agentKind = (process.env.SYNKRO_HOOK_FORMAT === 'cursor' || process.argv.i
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(27000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -4877,6 +4974,13 @@ async function main() {
     const permissionMode = payload.permission_mode || '';
     const transcriptPath = resolveTranscriptPath(payload);
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     const prompt = toolInput.prompt || '';
     const description = toolInput.description || '';
     const subagentType = toolInput.subagent_type || 'general-purpose';
@@ -4934,7 +5038,7 @@ async function main() {
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(relevantRules),
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
       ].filter(Boolean).join('\\n');
 
       let gradeResp: string;
@@ -5032,9 +5136,9 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, postWithRetry, readStdin, log,
-  outputJson, outputEmpty, setupCursorHookSignals, isPlanTool, hookSessionId, GATEWAY_URL,
+  outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isPlanTool, hookSessionId, GATEWAY_URL,
   filterRules, graderUnavailableMessage, resolveTranscriptPath, isCursorInvokingCcHook,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
@@ -5084,6 +5188,7 @@ function appendReviewToPlan(planFile: string, verdict: string): void {
 
 async function main() {
   setupCursorHookSignals();
+  installHookWatchdog(42000);
   try {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
@@ -5106,6 +5211,13 @@ async function main() {
     const transcriptPath = resolveTranscriptPath(payload);
     const gitRepo = detectRepo(cwd, transcriptPath, plan, workspaceRoots);
 
+    if (!synkroFilePresent(cwd)) {
+      const _skipMsg = noSynkroSkipMessage(sessionId);
+      if (_skipMsg) outputJson({ systemMessage: _skipMsg, hookSpecificOutput: { hookEventName: 'PreToolUse', additionalContext: _skipMsg } });
+      else outputEmpty();
+      return;
+    }
+
     appendSessionAction(sessionId, { ts: new Date().toISOString(), tool: 'ExitPlanMode', summary: 'plan review: ' + plan.slice(0, 80) });
 
     const planShort = plan.slice(0, 80);
@@ -5220,7 +5332,7 @@ main();
 import {
   loadJwt, detectRepo, loadConfig, tag, readStdin, aggregateUsage, cleanupSessionLog,
   outputJson, outputEmpty, shipCloud, setupCursorHookSignals, hookSessionId, GATEWAY_URL,
-  resolveTranscriptPath, emitUsageTick, cursorModelFromPayload, log,
+  resolveTranscriptPath, emitUsageTick, cursorModelFromPayload, log, synkroFilePresent,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -5235,6 +5347,7 @@ async function main() {
 
     const workspaceRoots = Array.isArray(payload.workspace_roots) ? payload.workspace_roots as string[] : [];
     const cwd = payload.cwd || workspaceRoots[0] || '';
+    if (!synkroFilePresent(cwd)) { outputEmpty(); return; }
     const transcriptPath = resolveTranscriptPath(payload);
     const gitRepo = detectRepo(cwd, transcriptPath, '', workspaceRoots);
     const modelFallback = cursorModelFromPayload(payload);
@@ -5288,7 +5401,7 @@ main();
 import {
   loadJwt, detectRepo, channelUp, tag, readStdin, writeCachedRepo,
   outputJson, outputEmpty, setupCursorHookSignals, hookSessionId, resolveTranscriptPath, GATEWAY_URL,
-  isLocalStorageMode, loadSynkroFile, log, type HookConfig,
+  isLocalStorageMode, loadSynkroFile, log, synkroFilePresent, type HookConfig,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -5300,6 +5413,7 @@ async function main() {
     const payload = JSON.parse(input);
     const workspaceRoots = Array.isArray(payload.workspace_roots) ? payload.workspace_roots as string[] : [];
     const cwd = payload.cwd || workspaceRoots[0] || '';
+    if (!synkroFilePresent(cwd)) { outputEmpty(); return; }
     const transcriptPath = resolveTranscriptPath(payload);
     const sessionId = hookSessionId(payload);
     const gitRepo = detectRepo(cwd, transcriptPath, '', workspaceRoots);
@@ -5379,7 +5493,7 @@ main();
 import {
   loadJwt, loadConfig, readStdin, hashCommand, consentGrant, consentHasActive, consentConsume,
   appendSessionAction,
-  outputEmpty, appendLocalTelemetry, shipCloud, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL,
+  outputEmpty, appendLocalTelemetry, shipCloud, setupCursorHookSignals, isShellTool, hookSessionId, GATEWAY_URL, synkroFilePresent,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -5389,6 +5503,8 @@ async function main() {
     if (!input.trim()) { outputEmpty(); return; }
 
     const payload = JSON.parse(input);
+    const _cwd = payload.cwd || (Array.isArray(payload.workspace_roots) ? payload.workspace_roots[0] : '') || '';
+    if (!synkroFilePresent(_cwd)) { outputEmpty(); return; }
     const toolName = payload.tool_name || '';
     const shellCmd = typeof payload.command === 'string' ? payload.command : (payload.tool_input?.command || '');
     if (!isShellTool(toolName) && !shellCmd) { outputEmpty(); return; }
@@ -5443,7 +5559,7 @@ main();
 import {
   loadJwt, detectRepo, readStdin, aggregateUsage, appendLocalTelemetry,
   outputEmpty, setupCursorHookSignals, hookSessionId, GATEWAY_URL, readSessionLog, shipCloud,
-  resolveTranscriptPath, syncConversationTranscript, emitUsageTick, cursorModelFromPayload,
+  resolveTranscriptPath, syncConversationTranscript, emitUsageTick, cursorModelFromPayload, synkroFilePresent,
 } from './_synkro-common.ts';
 import { readFileSync } from 'node:fs';
 
@@ -5457,6 +5573,7 @@ async function main() {
     const sessionId = hookSessionId(payload);
     const workspaceRoots = Array.isArray(payload.workspace_roots) ? payload.workspace_roots as string[] : [];
     const cwd = payload.cwd || workspaceRoots[0] || '';
+    if (!synkroFilePresent(cwd)) { outputEmpty(); return; }
     const transcriptPath = resolveTranscriptPath(payload);
 
     if (!sessionId || !transcriptPath) {
@@ -5502,7 +5619,7 @@ async function main() {
 main();
 `;
     USER_PROMPT_SUBMIT_TS = `#!/usr/bin/env bun
-import { readStdin, appendLocalTelemetry, aggregateUsage, outputEmpty, setupCursorHookSignals, hookSessionId, detectRepo, resolveTranscriptPath, syncConversationTranscript, emitUsageTick, cursorModelFromPayload } from './_synkro-common.ts';
+import { readStdin, appendLocalTelemetry, aggregateUsage, outputEmpty, setupCursorHookSignals, hookSessionId, detectRepo, resolveTranscriptPath, syncConversationTranscript, emitUsageTick, cursorModelFromPayload, synkroFilePresent } from './_synkro-common.ts';
 import { writeFileSync, mkdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
@@ -5513,7 +5630,12 @@ async function main() {
     const input = await readStdin();
     if (!input.trim()) { outputEmpty(); return; }
     const payload = JSON.parse(input);
-    const msg = payload.message || payload.prompt || payload.content || '';
+    const _cwd = typeof payload.cwd === 'string' ? payload.cwd
+      : (Array.isArray(payload.workspace_roots) && typeof payload.workspace_roots[0] === 'string' ? payload.workspace_roots[0] : '');
+    if (!synkroFilePresent(_cwd)) { outputEmpty(); return; }
+    const msg = typeof payload.message === 'string' ? payload.message
+      : typeof payload.prompt === 'string' ? payload.prompt
+      : typeof payload.content === 'string' ? payload.content : '';
     if (msg) {
       const promptFile = join(homedir(), '.synkro', '.last-prompt');
       mkdirSync(dirname(promptFile), { recursive: true, mode: 0o700 });
@@ -5552,7 +5674,7 @@ import {
   isSafeInRepoRead, resolveTranscriptPath, postWithRetry, readStdin, hashCommand,
   extractTranscript, readLastPrompt, readSessionLog, compressSessionLog,
   appendLocalTelemetry, logGraderUnavailable, graderUnavailableMessage, log, GATEWAY_URL,
-  loadSynkroFile, effectiveGraderPool,
+  loadSynkroFile, effectiveGraderPool, synkroFilePresent,
   type Rule,
 } from './_synkro-common.ts';
 import { createHash } from 'node:crypto';
@@ -5590,8 +5712,10 @@ function isDuplicate(command: string, sessionId: string): boolean {
   return false;
 }
 
-// Cursor beforeShellExecution timeout is 15s; stay under it (JWT refresh + grade).
-const CURSOR_GRADE_TIMEOUT_MS = 12000;
+// Cursor hook timeouts now match CC (30s for bash/edit/agent), so use the same
+// 24s internal grade budget as the CC path \u2014 stays under the 30s hook timeout
+// (JWT refresh + grade) and fails open cleanly via the caller's catch.
+const CURSOR_GRADE_TIMEOUT_MS = 24000;
 const CURSOR_CLOUD_TIMEOUT_MS = 9000;
 
 let hookDone = false;
@@ -5668,6 +5792,10 @@ async function main() {
     const model = rawModel ? (rawModel.startsWith('cursor/') ? rawModel : 'cursor/' + rawModel) : 'cursor';
     const repo = detectRepo(cwd, transcriptPath, command, workspaceRoots);
 
+    // No .synkro at the resolved repo root \u2192 Synkro is dormant here; allow
+    // without grading. Keyed off the validated detectRepo() root, not raw cwd.
+    if (!repo || !synkroFilePresent(repo)) finishAllow();
+
     const cmdShort = command.slice(0, 80);
     log('bashGuard checking: ' + cmdShort);
 
@@ -5733,7 +5861,7 @@ async function main() {
         'Org rules: ' + JSON.stringify(relevantRules),
         scanConcern,
         'IMPORTANT: If a rule is violated, ALWAYS return ok=false with the rule_id and reason, regardless of the rule mode. Do NOT pass a command just because the rule mode is "fix". The enforcement layer handles ask vs fix \u2014 your job is only to detect violations.',
-        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. A user's initial instruction is NEVER consent \u2014 only a response to a shown block counts.',
+        'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this command \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no secrets in grep args. R005: in-repo path only." Cover every rule shown.',
         'Rules with preconditions (e.g. "run X before Y") are CONSUMED after the protected action completes. Use the session history timestamps to determine ordering: a precondition satisfied before the last occurrence of the protected action does NOT satisfy the next occurrence. Each new protected action needs its precondition re-satisfied.',
       ].filter(Boolean).join('\\n');
@@ -5851,7 +5979,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, readStdin, resolveTranscriptPath,
   appendSessionAction, appendLocalTelemetry, shipCloud, log, GATEWAY_URL,
   countEditLineDelta, dispatchCapture, hookSessionId, cursorModelFromPayload,
-  isLocalStorageMode,
+  isLocalStorageMode, synkroFilePresent, isPathUnder,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
@@ -5877,6 +6005,10 @@ async function main() {
     const filePath = String(payload.file_path || payload.path || payload.target_file || '');
     if (!filePath) finish();
 
+    // No .synkro at the resolved repo root \u2192 Synkro is dormant here; skip capture.
+    const _root = detectRepo((typeof payload.cwd === 'string' && payload.cwd) || dirname(filePath), '', filePath, []);
+    if (!_root || !isPathUnder(filePath, _root) || !synkroFilePresent(_root)) finish();
+
     const workspaceRoots = Array.isArray(payload.workspace_roots)
       ? (payload.workspace_roots as unknown[]).filter((r): r is string => typeof r === 'string')
       : [];
@@ -5979,7 +6111,7 @@ main().catch((e) => {
 /** Capture Cursor agent thinking/response text before transcript JSONL redacts it. */
 import {
   readStdin, outputEmpty, setupCursorHookSignals, hookSessionId, detectRepo,
-  appendThoughtOverlay, pushConversationMessage,
+  appendThoughtOverlay, pushConversationMessage, synkroFilePresent,
 } from './_synkro-common.ts';
 
 async function main() {
@@ -5999,6 +6131,7 @@ async function main() {
       ? payload.workspace_roots.filter((r): r is string => typeof r === 'string')
       : [];
     const cwd = (typeof payload.cwd === 'string' && payload.cwd) || workspaceRoots[0] || '';
+    if (!synkroFilePresent(cwd)) { outputEmpty(); return; }
     const gitRepo = detectRepo(cwd, '', '', workspaceRoots);
 
     if (event === 'afterAgentThought') {
@@ -8270,7 +8403,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.44")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.46")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -11355,7 +11488,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.44");
+  console.log("1.6.46");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents