@synkro-sh/cli 1.6.79 → 1.6.80

package/dist/bootstrap.js

@@ -913,7 +913,7 @@ var init_hookScriptsTs = __esm({
     "use strict";
     SYNKRO_COMMON_TS = `
 // Shared Synkro hook utilities \u2014 imported by all hook scripts.
-import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, renameSync, openSync, closeSync, unlinkSync, readdirSync, statSync, createReadStream } from 'node:fs';
+import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, renameSync, openSync, closeSync, readSync, unlinkSync, readdirSync, statSync, createReadStream } from 'node:fs';
 import { createInterface } from 'node:readline';
 import { join, dirname, basename, extname, resolve as resolvePath } from 'node:path';
 import { homedir } from 'node:os';
@@ -3374,47 +3374,76 @@ export function aggregateUsage(
 ): { model: string; totals: Record<string, number> } {
   const result = { model: opts?.modelFallback || '', totals: { in: 0, out: 0, cw: 0, cr: 0 } };
   if (!transcriptPath || !existsSync(transcriptPath)) return result;
-  try {
-    const raw = readFileSync(transcriptPath, 'utf-8');
-    const entries: Record<string, unknown>[] = [];
-    for (const line of raw.split('\\n')) {
-      if (!line.trim()) continue;
-      try { entries.push(JSON.parse(line) as Record<string, unknown>); } catch {}
-    }
-
-    let sawExplicit = false;
-    for (const entry of entries) {
-      const tokenCount = (entry.tokenCount ?? entry.token_count) as Record<string, unknown> | undefined;
-      const msg = entry.message as Record<string, unknown> | undefined;
-      if (addUsageBlock({ model: '', totals: { in: 0, out: 0, cw: 0, cr: 0 } }, tokenCount)) sawExplicit = true;
-      if (addUsageBlock({ model: '', totals: { in: 0, out: 0, cw: 0, cr: 0 } }, msg?.usage as Record<string, unknown>)) sawExplicit = true;
-      if (addUsageBlock({ model: '', totals: { in: 0, out: 0, cw: 0, cr: 0 } }, entry.usage as Record<string, unknown>)) sawExplicit = true;
-    }
-
-    for (const entry of entries) {
-      const role = String(entry.role || entry.type || '');
-      const modelInfo = entry.modelInfo as Record<string, unknown> | undefined;
-      const model = (typeof modelInfo?.modelName === 'string' && modelInfo.modelName)
-        || (typeof modelInfo?.model === 'string' && modelInfo.model)
-        || (typeof entry.model === 'string' && entry.model)
-        || msgModel(entry);
-      if (model) result.model = model;
-
-      const tokenCount = (entry.tokenCount ?? entry.token_count) as Record<string, unknown> | undefined;
-      const msg = entry.message as Record<string, unknown> | undefined;
-      const hadLine = addUsageBlock(result, tokenCount)
-        || addUsageBlock(result, msg?.usage as Record<string, unknown>)
-        || addUsageBlock(result, entry.usage as Record<string, unknown>);
-
-      if (hadLine || sawExplicit) continue;
-
-      const text = usageTextFromTranscriptEntry(entry);
-      if (!text) continue;
-      const est = Math.ceil(text.length / 4);
-      if (role === 'user' || entry.type === 'user') result.totals.in += est;
-      else if (role === 'assistant' || entry.type === 'assistant') result.totals.out += est;
-    }
+  // CWE-22: only ever read the agent's own transcript, which lives under HOME
+  // (~/.claude, ~/.cursor). Never follow an arbitrary external path.
+  if (!isPathUnder(transcriptPath, HOME)) return result;
+
+  // INCREMENTAL DELTA: returns ONLY the usage in transcript bytes appended since
+  // the last call (a byte offset is tracked per transcript in a sidecar). All three
+  // usage hooks (Claude UserPromptSubmit + Stop, Cursor transcript-sync) share that
+  // offset, so their deltas never overlap; the DB then INCREMENTS by each delta, so
+  // usage climbs per message in both harnesses. We never re-read the whole
+  // (100s-of-MB) transcript \u2014 the old full read OOM'd bun and dropped the tick.
+  const key = (transcriptPath.split('/').pop() || 'session').replace(/[^A-Za-z0-9._-]/g, '_');
+  const stateFile = join(SESSIONS_DIR, key + '.usage.json');
+  let offset = 0, sawExplicit = false, model = '';
+  try {
+    const s = JSON.parse(readFileSync(stateFile, 'utf-8'));
+    if (s && typeof s.offset === 'number') { offset = s.offset; sawExplicit = !!s.sawExplicit; model = s.model || ''; }
   } catch {}
+
+  let fd = -1;
+  try {
+    const size = statSync(transcriptPath).size;
+    if (size < offset) { offset = 0; sawExplicit = false; } // rotated/truncated
+    // Never read more than 16MB in one shot; first sight of a giant existing
+    // transcript jumps to the tail rather than OOM on the whole history.
+    const MAX_READ = 16 * 1024 * 1024;
+    let start = offset, capped = false;
+    if (size - start > MAX_READ) { start = size - MAX_READ; capped = true; }
+    const len = size - start;
+    if (len > 0) {
+      fd = openSync(transcriptPath, 'r');
+      const buf = Buffer.alloc(len);
+      readSync(fd, buf, 0, len, start);
+      const lines = buf.toString('utf-8').split('\\n');
+      if (capped && lines.length) lines.shift(); // drop the partial first line when we jumped mid-file
+      for (const line of lines) {
+        if (!line.trim()) continue;
+        let entry: Record<string, unknown>;
+        try { entry = JSON.parse(line) as Record<string, unknown>; } catch { continue; }
+        const msg = entry.message as Record<string, unknown> | undefined;
+        const modelInfo = entry.modelInfo as Record<string, unknown> | undefined;
+        const m = (typeof modelInfo?.modelName === 'string' && modelInfo.modelName)
+          || (typeof modelInfo?.model === 'string' && modelInfo.model)
+          || (typeof entry.model === 'string' && entry.model)
+          || msgModel(entry);
+        if (m) { model = m; result.model = m; }
+
+        const tokenCount = (entry.tokenCount ?? entry.token_count) as Record<string, unknown> | undefined;
+        // result.totals is the DELTA for THIS call only (it never carries prior totals).
+        const had = addUsageBlock(result, tokenCount)
+          || addUsageBlock(result, msg?.usage as Record<string, unknown>)
+          || addUsageBlock(result, entry.usage as Record<string, unknown>);
+        if (had) { sawExplicit = true; continue; }
+        if (sawExplicit) continue;
+
+        // Fallback (Cursor / transcripts without usage blocks): estimate from text.
+        const text = usageTextFromTranscriptEntry(entry);
+        if (!text) continue;
+        const est = Math.ceil(text.length / 4);
+        const role = String(entry.role || entry.type || '');
+        if (role === 'user') result.totals.in += est;
+        else if (role === 'assistant') result.totals.out += est;
+      }
+    }
+    // Advance the offset (delta consumed). Ship is best-effort like the other
+    // hooks \u2014 a rare dropped tick loses only that one delta, not the running total.
+    try { mkdirSync(SESSIONS_DIR, { recursive: true }); writeFileSync(stateFile, JSON.stringify({ offset: size, model, sawExplicit })); } catch {}
+  } catch {} finally {
+    if (fd >= 0) { try { closeSync(fd); } catch {} }
+  }
+  if (!result.model) result.model = model || opts?.modelFallback || '';
   return result;
 }
 
@@ -10709,7 +10738,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.79")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.80")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -14384,7 +14413,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.79");
+  console.log("1.6.80");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents