@synkro-sh/cli 1.6.77 → 1.6.79

package/dist/bootstrap.js

@@ -2073,6 +2073,12 @@ interface SessionAction {
   outcome?: string;
 }
 
+// True when the grader runs in Synkro Cloud (CF Containers) vs the on-device
+// container. Defined here in the FULL common module too \u2014 it's referenced by
+// appendSessionAction/dispatch helpers below; previously it lived only in the
+// stub common, so the real editGuard hook hit a ReferenceError in cloud mode.
+function deployIsCloud(): boolean { return process.env.SYNKRO_DEPLOY_LOCATION === 'cloud'; }
+
 function sessionLogPath(sessionId: string): string | null {
   if (!sessionId || !SAFE_SESSION_ID.test(sessionId)) return null;
   return join(SESSIONS_DIR, sessionId + '.jsonl');
@@ -3427,7 +3433,7 @@ export function emitUsageTick(params: {
   if (isCursorHookFormat() && model && !model.startsWith('cursor/') && model !== 'cursor') {
     model = 'cursor/' + model;
   }
-  appendLocalTelemetry({
+  const body = {
     capture_type: 'usage_tick',
     event_id: mintEventId('usage'),
     hook_type: hookType,
@@ -3443,7 +3449,14 @@ export function emitUsageTick(params: {
       cache_read_input_tokens: usage.totals.cr,
     },
     ...(gitRepo ? { repo: gitRepo } : {}),
-  });
+  };
+  appendLocalTelemetry(body); // local spool \u2192 usage_ticks (no-op in cloud mode)
+  // Cloud: ship the tick to /hook/capture \u2192 usage_ticks too. appendLocalTelemetry
+  // is gated to local mode, so without this the cloud usage_ticks table stayed
+  // EMPTY \u2014 no token/cost data for the Agents page. (/hook/capture is on the
+  // long-lived MCP-token allowlist; loadJwt returns that token in cloud.)
+  const jwt = loadJwt();
+  if (jwt) shipCloud(jwt, '/api/v1/hook/capture', body);
 }
 
 export function cursorModelFromPayload(payload: Record<string, unknown>): string {
@@ -3924,13 +3937,13 @@ async function main() {
         ruleFilterText(graderContent, transcript.userIntent || lastPrompt),
         config.rules,
       );
-      const graderPrompt = [
+      const buildGraderPrompt = (contentWindow: string) => [
         'Working directory: ' + (cwd || '.'),
         'Repo: ' + (gitRepo || 'unknown'),
         sessionLog,
         'File: ' + filePath,
-        'Proposed content (first 4000 chars):',
-        proposedShort,
+        'Proposed content:',
+        contentWindow,
         'User intent (last human message): ' + (transcript.userIntent || 'none stated'),
         'Last user prompt: ' + (lastPrompt || 'none'),
         'Org rules: ' + JSON.stringify(relevantRules),
@@ -3938,6 +3951,7 @@ async function main() {
         'CRITICAL: The user requesting or instructing an action does NOT exempt it from rules. Even if the user explicitly said "drop the database" or "delete everything", you MUST still flag the rule violation on first encounter. User intent is NOT consent. However, for ask-mode rules ONLY: if the session history shows a prior block for the SAME rule AND the user explicitly consented after seeing that block, subsequent commands covered by that same rule may pass \u2014 but each distinct command is consumed once. Look for the sequence: block event \u2192 user acknowledgment \u2192 retry. Once a specific command has successfully executed under that consent, it is consumed. If the same command appears again later, it requires fresh consent (a new block \u2192 consent cycle). Example: R012 covers deploy, publish, push. Block on deploy \u2192 user consents \u2192 deploy passes (consumed), publish passes (consumed), push passes (consumed). A later deploy triggers a fresh block. An initial user instruction is NEVER consent \u2014 only a response to a shown block counts.',
         'The rules shown were pre-selected as the ones relevant to this edit \u2014 every rule here IS relevant, do not label any "not relevant". When passing (ok=true), give a terse, specific reason each rule passes. Format: "R003: no hardcoded secrets in file. R005: in-repo path only." Cover every rule shown.',
       ].join('\\n');
+      const graderPrompt = buildGraderPrompt(proposedShort);
 
       // \u2500\u2500\u2500 Combined org-rules + CWE in ONE inference (SYNKRO_COMBINED_EDIT_GRADE) \u2500\u2500\u2500
       // Self-contained early-return branch \u2014 the default two-grade path below is
@@ -3956,13 +3970,27 @@ async function main() {
           if (cr.ok) cweRules = ((await cr.json() as any) || {}).rules || [];
         } catch { /* CWE rules optional \u2014 rule grading still runs in the combined pass */ }
 
-        const combinedPrompt = graderPrompt
-          + '\\n\\nCWE rules to ALSO check the proposed content against (emit cwe-### violations with a <code_snippet>): '
-          + JSON.stringify(cweRules);
-
-        let cResp: string;
+        const cweSuffix = '\\n\\nCWE rules to ALSO check the proposed content against (emit cwe-### violations with a <code_snippet>): ' + JSON.stringify(cweRules);
+        const buildCombined = (win: string) => buildGraderPrompt(win) + cweSuffix;
+
+        // Large-file strategy \u2014 mirrors local cweScanner.ts: rather than one giant
+        // single inference (which blows the 45s cloud budget AND truncated to the
+        // first 4000 chars, missing changes deeper in the file), split content over
+        // the threshold into TWO overlapping halves and grade them IN PARALLEL.
+        // Each half is ~half the size \u2192 faster \u2192 fits the timeout; the whole file
+        // is covered; findings are merged.
+        const SPLIT_THRESHOLD = 4000, OVERLAP = 500;
+        let cResponses: string[];
         try {
-          cResp = await localGrade('edit-cwe', combinedPrompt, undefined, graderPool);
+          if (proposed.length > SPLIT_THRESHOLD) {
+            const mid = Math.floor(proposed.length / 2);
+            cResponses = await Promise.all([
+              localGrade('edit-cwe', buildCombined(proposed.slice(0, mid + OVERLAP)), undefined, graderPool),
+              localGrade('edit-cwe', buildCombined(proposed.slice(mid - OVERLAP)), undefined, graderPool),
+            ]);
+          } else {
+            cResponses = [await localGrade('edit-cwe', buildCombined(proposed), undefined, graderPool)];
+          }
         } catch (err) {
           const errMsg = (err as Error).message || String(err);
           logGraderUnavailable('editGuard', fileShort, errMsg);
@@ -3970,7 +3998,18 @@ async function main() {
           return;
         }
 
-        const { ruleVerdict, cweFindings } = parseCombinedVerdict(cResp);
+        // Merge across halves: a rule violation in EITHER half blocks (first one
+        // wins, keeping its reason/severity); CWE findings are unioned by id.
+        let ruleVerdict: any = null;
+        const cweMap = new Map<string, any>();
+        for (const r of cResponses) {
+          const parsed = parseCombinedVerdict(r);
+          if (!ruleVerdict) ruleVerdict = parsed.ruleVerdict;
+          else if (!parsed.ruleVerdict.ok && ruleVerdict.ok) ruleVerdict = parsed.ruleVerdict;
+          for (const f of parsed.cweFindings) if (f.id && !cweMap.has(f.id)) cweMap.set(f.id, f);
+        }
+        if (!ruleVerdict) ruleVerdict = { ok: true };
+        const cweFindings = [...cweMap.values()];
         const editContent = 'file=' + filePath + ' content=' + proposed.slice(0, 2000);
         const violatedRules = ruleVerdict.ruleId ? [ruleVerdict.ruleId] : [];
         const cweBlock = cweFindings.slice(0, 5)
@@ -10670,7 +10709,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.77")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.79")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -14345,7 +14384,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.77");
+  console.log("1.6.79");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents