@synkro-sh/cli 1.6.82 → 1.6.84

package/dist/bootstrap.js

@@ -1570,7 +1570,12 @@ export async function loadConfig(jwt: string, query?: string): Promise<HookConfi
           .filter((e: any) => e && typeof e.path === 'string')
           .map((e: any) => ({ path: e.path, cwe_id: e.cwe_id || '' }));
       }
-      return config;
+      // Trust the local result as authoritative ONLY when it actually carried a
+      // policy (or we're in local storage mode, where no cloud fallback exists).
+      // A transient empty local read (policy:null) must NOT short-circuit the
+      // gateway fallback \u2014 otherwise the grade runs ruleless and the tag flaps to
+      // "[\u2026:all:\u2026] no org rules to evaluate" on a repo that DOES have rules.
+      if (policy || isLocalStorageMode()) return config;
     }
   } catch {}
 
@@ -1744,6 +1749,26 @@ async function hostedGrade(role: GradeRole, prompt: string, jwt: string, timeout
   return String(data.result || '');
 }
 
+// Option B: when a cloud grade fails (esp. a timeout), the REAL reason lives
+// inside the container, not on the wire \u2014 the client only ever sees "timed out".
+// Pull the org's per-worker claude/cursor sick reasons + log tails from the
+// hosted /debug endpoint so the diagnostic records WHY the grade actually died
+// (e.g. a claude 401 inside the worker). Best-effort + tightly timed; null if
+// the container is itself unreachable.
+async function fetchContainerSickReason(jwt: string, timeoutMs = 2500): Promise<string | null> {
+  try {
+    const r = await fetch(CONTAINERS_URL + '/debug', {
+      headers: { Authorization: 'Bearer ' + jwt },
+      signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!r.ok) return 'debug ' + r.status + ': ' + (await r.text().catch(() => '')).slice(0, 400);
+    const data = await r.json().catch(() => null);
+    return data ? JSON.stringify(data).slice(0, 8000) : null;
+  } catch {
+    return null;
+  }
+}
+
 // Cloud transcript capture \u2014 the cloud mirror of the local /api/conversation-sync
 // + /api/session-action telemetry. Posts to the API /api/v1/cli/sync-transcripts
 // (the org is derived from the login JWT, same one cloud grading uses). Best-effort:
@@ -3007,7 +3032,7 @@ export async function syncConversationTranscript(
           const b = c as Record<string, unknown>;
           return {
             name: b.name,
-            input: JSON.stringify(b.input || b.arguments || {}).slice(0, 500),
+            input: JSON.stringify(b.input || b.arguments || {}).slice(0, 20000),
             id: b.id,
           };
         });
@@ -3749,35 +3774,99 @@ export function isGraderNotConfigured(errorMessage: string): boolean {
   return lower.includes('no worker') || lower.includes('not configured') || lower.includes('agent_kind') || lower.includes('no pool');
 }
 
-export function graderUnavailableMessage(hook: string, target: string, errorMessage: string, agentKind: AgentKind = 'claude_code'): string {
+// Categorize a grader failure into a stable machine category + a human "why"
+// (with a fix hint). Shared by the terminal message and the diagnostic log so
+// the two never disagree about the reason.
+export function classifyGraderError(errorMessage: string): { category: string; why: string } {
+  const e = (errorMessage || '').toLowerCase();
+  const snippet = (errorMessage || '').replace(/\\s+/g, ' ').trim().slice(0, 160);
   if (errorMessage === 'SYNKRO_CHANNEL_DOWN') {
-    return hook + ' ' + target + ' \u2192 local grader unavailable (container not running), skipped';
+    return { category: 'channel_down', why: 'grader container not running (run \`synkro status\`)' };
   }
   if (isGraderNotConfigured(errorMessage)) {
-    const agent = agentKind === 'cursor' ? 'Cursor' : 'Claude Code';
-    return hook + ' ' + target + ' \u2192 local grader not configured for ' + agent + '. Add this agent to your synkro.toml file and run \`synkro install\`.';
+    return { category: 'not_configured', why: 'grader not configured for this agent \u2014 add it to synkro.toml and run \`synkro install\`' };
+  }
+  if (/tim(e|ed)\\s*out|aborted|operation was aborted/.test(e)) {
+    return { category: 'timeout', why: 'grade timed out (45s) \u2014 grader cold/slow, or its Claude token is invalid (re-run \`synkro install\`)' };
+  }
+  if (/\\b401\\b|unauthorized|token expired|invalid token|\\b403\\b|forbidden/.test(e)) {
+    return { category: 'auth', why: 'auth rejected \u2014 session token expired (re-run \`synkro login\`, or \`synkro install\` if the grader Claude token is stale)' };
+  }
+  if (/econnrefused|enotfound|eai_again|fetch failed|socket|econnreset|getaddrinfo|network/.test(e)) {
+    return { category: 'unreachable', why: 'grader unreachable \u2014 network or container down' };
   }
-  // In cloud-container mode the grade ran against the hosted ingress, NOT a local
-  // worker \u2014 say so, and distinguish a timeout (slow/cold grade) from a true
-  // outage so "local grader unavailable" stops masquerading as a dead grader.
+  if (/\\b5\\d\\d\\b/.test(e)) {
+    return { category: 'server_error', why: 'grader server error: ' + snippet };
+  }
+  return { category: 'unknown', why: snippet || 'unknown error' };
+}
+
+export function graderUnavailableMessage(hook: string, target: string, errorMessage: string, agentKind: AgentKind = 'claude_code'): string {
+  const base = hook + ' ' + target + ' \u2192 ';
+  if (isGraderNotConfigured(errorMessage)) {
+    const agent = agentKind === 'cursor' ? 'Cursor' : 'Claude Code';
+    return base + 'local grader not configured for ' + agent + '. Add this agent to your synkro.toml file and run \`synkro install\`.';
+  }
+  // Always surface WHY (not just "unavailable"), categorized, with a fix hint \u2014
+  // the full raw error + the exact graded prompt are in grader-unavailable.log.
+  const where = process.env.SYNKRO_DEPLOY_LOCATION === 'cloud' ? 'cloud grader' : 'local grader';
+  const { why } = classifyGraderError(errorMessage);
+  return base + where + ' unavailable \u2014 ' + why + '; skipped (full detail: ~/.synkro/grader-unavailable.log)';
+}
+
+// Diagnostic record for a skipped grade \u2014 the categorized reason AND the EXACT
+// prompt that was sent for inference (gradeInput), so you can see WHAT was being
+// graded when it failed. Routing differs by mode:
+//   \u2022 CLOUD \u2192 ship to Timescale via /api/v1/cli/grader-unavailable (central, so
+//     we can debug customer failures), enriched on timeout/outage with the
+//     container's own claude error (option B). NOT written to the user's machine.
+//   \u2022 LOCAL \u2192 the on-device ~/.synkro/grader-unavailable.log file.
+// Fire-and-forget in cloud mode: callers don't await \u2014 the pending fetch keeps
+// the hook process alive until it settles (or the watchdog ends the run).
+export async function logGraderUnavailable(
+  hook: string, target: string, errorMessage: string,
+  gradeInput?: string, ctx?: { sessionId?: string; repo?: string },
+): Promise<void> {
+  const { category, why } = classifyGraderError(errorMessage);
+
   if (process.env.SYNKRO_DEPLOY_LOCATION === 'cloud') {
-    const isTimeout = /tim(e|ed)\\s*out|aborted|the operation was aborted/i.test(errorMessage);
-    if (isTimeout) {
-      return hook + ' ' + target + ' \u2192 cloud grade timed out (45s), skipped';
+    try {
+      const jwt = loadJwt();
+      if (!jwt) return;
+      // Only chase the container's internal reason for failures where it adds
+      // signal (a timeout/outage hides the real claude error); skip it for fast,
+      // already-explanatory failures like auth.
+      let sickReason: string | null = null;
+      if (category === 'timeout' || category === 'unreachable' || category === 'server_error') {
+        sickReason = await fetchContainerSickReason(jwt);
+      }
+      await fetch(GATEWAY_URL + '/api/v1/cli/grader-unavailable', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+        body: JSON.stringify({
+          hook, target, category, why,
+          error: (errorMessage || '').slice(0, 2000),
+          grade_input: gradeInput ? String(gradeInput).slice(0, 20000) : null,
+          sick_reason: sickReason,
+          session_id: ctx?.sessionId || null,
+          repo: ctx?.repo || null,
+        }),
+        signal: AbortSignal.timeout(3000),
+      }).catch(() => {});
+    } catch {
+      // best-effort \u2014 never let diagnostics cascade into a hook failure
     }
-    return hook + ' ' + target + ' \u2192 cloud grader unavailable, skipped';
+    return;
   }
-  return hook + ' ' + target + ' \u2192 local grader unavailable, skipped';
-}
 
-export function logGraderUnavailable(hook: string, target: string, errorMessage: string): void {
+  // Local mode: on-device diagnostic log.
   try {
-    const entry = {
-      ts: new Date().toISOString(),
-      hook,
-      target,
-      error: errorMessage.slice(0, 500),
+    const entry: Record<string, unknown> = {
+      ts: new Date().toISOString(), mode: 'local',
+      hook, target, category, why,
+      error: (errorMessage || '').slice(0, 1000),
     };
+    if (gradeInput) entry.gradeInput = String(gradeInput).slice(0, 20000);
     appendFileSync(UNAVAIL_LOG, JSON.stringify(entry) + '\\n', 'utf-8');
   } catch {
     // best-effort \u2014 never let logging failure cascade into a hook failure
@@ -4037,7 +4126,7 @@ async function main() {
           }
         } catch (err) {
           const errMsg = (err as Error).message || String(err);
-          logGraderUnavailable('editGuard', fileShort, errMsg);
+          logGraderUnavailable('editGuard', fileShort, errMsg, buildCombined(proposed), { sessionId, repo: gitRepo });
           outputJson({ systemMessage: tagStr + ' ' + graderUnavailableMessage('editGuard', fileShort, errMsg, graderPool) });
           return;
         }
@@ -4111,7 +4200,7 @@ async function main() {
         gradeResp = await localGrade('edit', graderPrompt, undefined, graderPool);
       } catch (err) {
         const errMsg = (err as Error).message || String(err);
-        logGraderUnavailable('editGuard', fileShort, errMsg);
+        logGraderUnavailable('editGuard', fileShort, errMsg, graderPrompt, { sessionId, repo: gitRepo });
         outputJson({ systemMessage: tagStr + ' ' + graderUnavailableMessage('editGuard', fileShort, errMsg, graderPool) });
         return;
       }
@@ -4678,7 +4767,7 @@ async function main() {
           gradeResponses = [resp1, resp2];
         } catch (gradeErr: any) {
           const reason = gradeErr?.message || String(gradeErr);
-          logGraderUnavailable('cweGuard', fileShort, reason);
+          logGraderUnavailable('cweGuard', fileShort, reason, buildCwePrompt(cweContent), { sessionId, repo: gitRepo });
           outputJson({ systemMessage: cweTag + ' ' + graderUnavailableMessage('cweGuard', fileShort, reason, graderPool) });
           return;
         }
@@ -4687,7 +4776,7 @@ async function main() {
           gradeResponses = [await localGradeCwe(buildCwePrompt(cweContent), graderPool)];
         } catch (gradeErr: any) {
           const reason = gradeErr?.message || String(gradeErr);
-          logGraderUnavailable('cweGuard', fileShort, reason);
+          logGraderUnavailable('cweGuard', fileShort, reason, buildCwePrompt(cweContent), { sessionId, repo: gitRepo });
           outputJson({ systemMessage: cweTag + ' ' + graderUnavailableMessage('cweGuard', fileShort, reason, graderPool) });
           return;
         }
@@ -5435,7 +5524,7 @@ async function main() {
         gradeResp = await localGrade('bash', graderPrompt, undefined, graderPool);
       } catch (err) {
         const errMsg = (err as Error).message || String(err);
-        logGraderUnavailable('bashGuard', toolInput.command?.slice(0, 200) || '', errMsg);
+        logGraderUnavailable('bashGuard', toolInput.command?.slice(0, 200) || '', errMsg, graderPrompt, { sessionId, repo: gitRepo });
         if (scanConcern) {
           const ctx = scanBlockContext + ' Synkro flagged this install but the grader is unavailable to check consent — ask the user for explicit consent, then retry.';
           outputJson({
@@ -5653,7 +5742,7 @@ async function main() {
         gradeResp = await localGrade('bash', graderPrompt, undefined, graderPool);
       } catch (err) {
         const errMsg = (err as Error).message || String(err);
-        logGraderUnavailable('agentGuard', subagentType || (description || '').slice(0, 100), errMsg);
+        logGraderUnavailable('agentGuard', subagentType || (description || '').slice(0, 100), errMsg, graderPrompt, { sessionId, repo: gitRepo });
         outputJson({ systemMessage: tagStr + ' ' + graderUnavailableMessage('agentGuard', subagentType || 'agent', errMsg, graderPool) });
         return;
       }
@@ -5744,7 +5833,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, postWithRetry, readStdin, log,
   outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isPlanTool, hookSessionId, GATEWAY_URL,
-  filterRules, graderUnavailableMessage, resolveTranscriptPath, isCursorInvokingCcHook,
+  filterRules, graderUnavailableMessage, logGraderUnavailable, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
 } from './_synkro-common.ts';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync } from 'node:fs';
@@ -5864,7 +5953,9 @@ async function main() {
       try {
         gradeResp = await localGrade('plan', graderPrompt, undefined, graderPool);
       } catch (err) {
-        outputJson({ systemMessage: tagStr + ' ' + graderUnavailableMessage('planReview', 'plan', (err as Error).message || String(err), graderPool) });
+        const errMsg = (err as Error).message || String(err);
+        logGraderUnavailable('planReview', 'plan', errMsg, graderPrompt, { sessionId, repo: gitRepo });
+        outputJson({ systemMessage: tagStr + ' ' + graderUnavailableMessage('planReview', 'plan', errMsg, graderPool) });
         return;
       }
 
@@ -6478,7 +6569,7 @@ async function main() {
       try {
         gradeResp = await localGrade('bash', graderPrompt, CURSOR_GRADE_TIMEOUT_MS, graderPool);
       } catch (e) {
-        logGraderUnavailable('bashGuard', command.slice(0, 200), (e as Error).message || String(e));
+        logGraderUnavailable('bashGuard', command.slice(0, 200), (e as Error).message || String(e), graderPrompt, { sessionId, repo });
         if (scanConcern) {
           // Grader unavailable to run the consent check \u2014 fail closed on a
           // scanner-flagged install (ask-mode so the user can still consent).
@@ -10753,7 +10844,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.82")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.84")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -14213,7 +14304,7 @@ function parseSession(filePath, sessionId) {
     const msgObj = e.message;
     const text = extractText(msgObj?.content ?? e.content);
     const blocks = kind === "assistant" && Array.isArray(msgObj?.content) ? msgObj.content : [];
-    const toolCalls = blocks.filter((b) => b?.type === "tool_use").map((b) => ({ name: b.name, input: JSON.stringify(b.input || {}).slice(0, 500), id: b.id }));
+    const toolCalls = blocks.filter((b) => b?.type === "tool_use").map((b) => ({ name: b.name, input: JSON.stringify(b.input || {}).slice(0, 2e4), id: b.id }));
     if (!text.trim() && toolCalls.length === 0) continue;
     const msg = {
       message_index: i,
@@ -14614,7 +14705,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.82");
+  console.log("1.6.84");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents