@synkro-sh/cli 1.6.86 → 1.6.88

package/dist/bootstrap.js

@@ -2143,10 +2143,12 @@ export function appendSessionAction(sessionId: string, entry: SessionAction): vo
     appendFileSync(logPath, JSON.stringify(entry) + '\\n', 'utf-8');
   } catch {}
 
-  // Cloud: ship the action to the API transcript-sync (org from login JWT) with an
-  // explicit step so streamed single-action sends stay idempotent + ordered.
+  // Cloud: stream the action to the session_actions hypertable (salience tagged
+  // server-side, indexed) so the grade path pulls a BOUNDED indexed slice instead
+  // of re-reading a multi-GB log \u2014 what lets us scale to million-tool-call
+  // sessions. Fire-and-forget, idempotent by (session, step).
   if (deployIsCloud()) {
-    void syncTranscriptCloud(sessionId, '', [], [{ step, tool: entry.tool, summary: entry.summary, file: entry.file, outcome: entry.outcome }]);
+    shipCloud(loadJwt(), '/api/v1/cli/session-action', { session_id: sessionId, step, tool: entry.tool, summary: entry.summary, file: entry.file, outcome: entry.outcome });
     return;
   }
   const mcpPort = process.env.SYNKRO_MCP_PORT || '18931';
@@ -2173,8 +2175,68 @@ export function readSessionLog(sessionId: string): SessionAction[] {
   } catch { return []; }
 }
 
-export function compressSessionLog(actions: SessionAction[]): string {
+const RETRIEVAL_RECENT_N = 40;
+const PROCESS_KW = ['test', 'typecheck', 'tsc', 'lint', 'build', 'migrate', 'migration', 'deploy', 'publish', 'push', 'seed'];
+
+// Is this session action security- or rule-relevant (i.e. can it participate in a
+// violation)? Conservative net \u2014 uses substring checks (no regex, to stay safe
+// inside the materialized-hook template). Plus rule-awareness: an action that
+// performs a process keyword an active rule actually mentions (e.g. a "pnpm test"
+// when a rule is about tests) is kept so precondition rules stay resolvable.
+function actionSalience(a: SessionAction, ruleText: string): string | null {
+  const x = ((a.tool || '') + ' ' + (a.file || '') + ' ' + (a.summary || '')).toLowerCase();
+  const has = (arr: string[]): boolean => { for (const k of arr) if (x.indexOf(k) >= 0) return true; return false; };
+  if (has(['.env', 'credential', 'secret', 'token', '.pem', '.key', 'password', 'api key', 'api_key', 'api-key', 'authorization', 'bearer', 'oauth', '.aws'])) return 'secret';
+  if (has(['curl ', 'wget ', 'ssh ', 'scp ', 'netcat', 'http://', 'https://', 'fetch('])) return 'network';
+  if (has(['rm -rf', 'rm -r ', 'drop table', 'drop database', 'truncate', 'chmod', 'chown', 'sudo', 'kill ', 'wrangler', '--force', 'deploy', 'publish', 'git push'])) return 'destructive';
+  for (const kw of PROCESS_KW) if (ruleText.indexOf(kw) >= 0 && x.indexOf(kw) >= 0) return 'rule';
+  return null;
+}
+
+// Cloud session log \u2014 retrieval style (validated 4/4 vs the last-200 dump in the
+// shadow corpus). Keeps EVERY security-salient + rule-relevant action in order
+// regardless of age (so cross-turn violations the dump's 200-window drops are
+// still seen), a recent verbatim window, and a COMPLETENESS-asserting summary of
+// the routine remainder (the assertion is what lets the grader trust the collapsed
+// part is benign \u2014 safe only because the salience net above is conservative).
+function compressSessionLogRetrieval(actions: SessionAction[], rules: Rule[]): string {
+  if (actions.length === 0) return '';
+  const ruleText = (rules || []).map(r => String((r as any).text || '').toLowerCase()).join(' ');
+  const total = actions.length;
+  const recentStart = Math.max(0, total - RETRIEVAL_RECENT_N);
+  const salient: Array<{ a: SessionAction; s: string; i: number }> = [];
+  const noise: Record<string, number> = {};
+  for (let i = 0; i < recentStart; i++) {
+    const a = actions[i];
+    const s = actionSalience(a, ruleText);
+    if (s) salient.push({ a, s, i });
+    else noise[a.tool] = (noise[a.tool] || 0) + 1;
+  }
+  const lines: string[] = ['SESSION HISTORY (' + total + ' actions; security-salient + recent, in order):'];
+  if (salient.length) {
+    lines.push('  --- relevant (any point this session) ---');
+    for (const r of salient) {
+      const target = r.a.file || (r.a.summary || '').slice(0, 80);
+      lines.push('  ' + (r.i + 1) + '. [' + r.s + '] ' + r.a.tool + ' ' + target + (r.a.outcome ? ' -> ' + r.a.outcome : ''));
+    }
+  }
+  const noiseN = Object.values(noise).reduce((n, c) => n + c, 0);
+  if (noiseN) {
+    lines.push('  [' + noiseN + ' earlier routine actions (' + Object.entries(noise).map(([t, c]) => c + ' ' + t).join(', ') + '). The relevant list above is COMPLETE: every credential/secret read, outbound network call, and destructive or rule-gated action this session is listed there; these ' + noiseN + ' are non-salient in-repo reads/edits/builds only.]');
+  }
+  lines.push('  --- recent ---');
+  for (let i = recentStart; i < total; i++) {
+    const a = actions[i];
+    lines.push('  ' + (i + 1) + '. ' + (a.summary || a.tool) + (a.outcome ? ' -> ' + a.outcome : ''));
+  }
+  return lines.join('\\n');
+}
+
+export function compressSessionLog(actions: SessionAction[], rules?: Rule[]): string {
   if (actions.length === 0) return '';
+  // Cloud grade path passes the active rules \u2192 retrieval-style context. Local
+  // (no rules arg, or local storage mode) keeps the dump below, UNTOUCHED.
+  if (rules !== undefined && !isLocalStorageMode()) return compressSessionLogRetrieval(actions, rules);
   const total = actions.length;
   const lines: string[] = [];
 
@@ -2214,6 +2276,39 @@ export function compressSessionLog(actions: SessionAction[]): string {
   return 'SESSION HISTORY (' + total + ' actions):\\n' + lines.join('\\n');
 }
 
+// Cloud: fetch the BOUNDED, indexed session context from Timescale (salient +
+// recent + complete summary) \u2014 flat cost at any session length. Returns null if
+// the session isn't streamed yet (brand-new / streaming lagging) so the caller
+// falls back to the local path.
+async function fetchSessionContext(sessionId: string): Promise<string | null> {
+  const jwt = loadJwt();
+  if (!jwt) return null;
+  try {
+    const r = await fetch(GATEWAY_URL + '/api/v1/hook/session-context', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+      body: JSON.stringify({ session_id: sessionId }),
+      signal: AbortSignal.timeout(3000),
+    });
+    if (!r.ok) return null;
+    const d = await r.json() as { context?: string };
+    return (d && typeof d.context === 'string' && d.context) ? d.context : null;
+  } catch {
+    return null;
+  }
+}
+
+// Grade-time session log. CLOUD \u2192 Timescale-backed bounded context (this is the
+// million-tool-call path: no full-history read); falls back to the local
+// retrieval compressor only if the session isn't streamed yet. LOCAL \u2192 the
+// on-device dump, completely UNTOUCHED.
+export async function sessionLogForGrade(sessionId: string, rules: Rule[]): Promise<string> {
+  if (isLocalStorageMode()) return compressSessionLog(readSessionLog(sessionId));
+  const ctx = await fetchSessionContext(sessionId);
+  if (ctx) return ctx;
+  return compressSessionLog(readSessionLog(sessionId), rules);
+}
+
 export function cleanupSessionLog(sessionId: string): void {
   const logPath = sessionLogPath(sessionId);
   if (!logPath) return;
@@ -3961,7 +4056,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, parseCombinedVerdict, combinedEditGradeEnabled, dispatchCapture, dispatchFinding, ruleMode, reconstructContent, isPathUnder, postWithRetry,
   readStdin, extractTranscript, readLastPrompt, findNearestDeps, filePathFromToolInput,
-  appendSessionAction, readSessionLog, compressSessionLog, log,
+  appendSessionAction, readSessionLog, compressSessionLog, sessionLogForGrade, log,
   outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isEditTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, countEditLineDelta,
   captureLineMetrics, cursorModelFromPayload, resolveTranscriptPath, isCursorInvokingCcHook,
@@ -4088,7 +4183,7 @@ async function main() {
     if (rt === 'local') {
       // \u2500\u2500\u2500 Local grading: org rules ONLY (channel 1, port 18929) \u2500\u2500\u2500
       const proposedShort = proposed.slice(0, 4000);
-      const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const sessionLog = await sessionLogForGrade(sessionId, config.rules);
       const graderContent = 'file=' + filePath + ' content=' + proposedShort;
       const relevantRules = await filterRules(
         ruleFilterText(graderContent, transcript.userIntent || lastPrompt),
@@ -4281,7 +4376,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
-      session_history: compressSessionLog(readSessionLog(sessionId)),
+      session_history: await sessionLogForGrade(sessionId, config.rules),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -5352,7 +5447,7 @@ import process from 'node:process';
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
-  extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
+  extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, sessionLogForGrade, log,
   outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isShellTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, ruleFilterText, normalizeMode, appendLocalTelemetry, isSafeInRepoRead,
   loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
@@ -5520,7 +5615,7 @@ async function main() {
     // mode was also checked up there.
 
     if (rt === 'local') {
-      const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const sessionLog = await sessionLogForGrade(sessionId, config.rules);
       const relevantRules = await filterRules(
         ruleFilterText(command, transcript.userIntent || lastPrompt),
         config.rules,
@@ -5602,7 +5697,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
-      session_history: compressSessionLog(readSessionLog(sessionId)),
+      session_history: await sessionLogForGrade(sessionId, config.rules),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -5653,7 +5748,7 @@ main();
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, ruleMode, postWithRetry, readStdin,
-  extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, log,
+  extractTranscript, readLastPrompt, appendSessionAction, readSessionLog, compressSessionLog, sessionLogForGrade, log,
   outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isAgentTool, hookSessionId, GATEWAY_URL,
   logGraderUnavailable, graderUnavailableMessage, filterRules, normalizeMode, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
@@ -5735,7 +5830,7 @@ async function main() {
     }
 
     if (rt === 'local') {
-      const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const sessionLog = await sessionLogForGrade(sessionId, config.rules);
       const agentText = 'agent=' + subagentType + ' description=' + description + ' prompt=' + prompt.slice(0, 2000);
       const relevantRules = await filterRules(agentText, config.rules);
       const graderPrompt = [
@@ -5808,7 +5903,7 @@ async function main() {
       recent_user_messages: transcript.recentUserMessages,
       recent_messages: transcript.recentMessages,
       recent_actions: transcript.recentActions,
-      session_history: compressSessionLog(readSessionLog(sessionId)),
+      session_history: await sessionLogForGrade(sessionId, config.rules),
       session_id: sessionId || null,
       tool_use_id: toolUseId || null,
       cwd: cwd || null,
@@ -5846,7 +5941,7 @@ main();
     PLAN_JUDGE_TS = `#!/usr/bin/env bun
 import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
-  parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, postWithRetry, readStdin, log,
+  parseVerdict, dispatchCapture, appendSessionAction, readSessionLog, compressSessionLog, sessionLogForGrade, postWithRetry, readStdin, log,
   outputJson, outputEmpty, setupCursorHookSignals, installHookWatchdog, isPlanTool, hookSessionId, GATEWAY_URL,
   filterRules, graderUnavailableMessage, logGraderUnavailable, resolveTranscriptPath, isCursorInvokingCcHook,
   loadSynkroFile, effectiveGraderPool, synkroFilePresent, noSynkroSkipMessage,
@@ -5953,7 +6048,7 @@ async function main() {
     }
 
     if (rt === 'local') {
-      const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const sessionLog = await sessionLogForGrade(sessionId, config.rules);
       const relevantRules = await filterRules(plan.slice(0, 2000), config.rules);
       const graderPrompt = [
         'Working directory: ' + (cwd || '.'),
@@ -6386,7 +6481,7 @@ import {
   loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
   parseVerdict, dispatchCapture, dispatchFinding, ruleMode, normalizeMode, filterRules, ruleFilterText,
   isSafeInRepoRead, resolveTranscriptPath, postWithRetry, readStdin, hashCommand,
-  extractTranscript, readLastPrompt, readSessionLog, compressSessionLog,
+  extractTranscript, readLastPrompt, readSessionLog, compressSessionLog, sessionLogForGrade,
   appendLocalTelemetry, logGraderUnavailable, graderUnavailableMessage, log, GATEWAY_URL,
   loadSynkroFile, effectiveGraderPool, synkroFilePresent,
   type Rule,
@@ -6559,7 +6654,7 @@ async function main() {
     }
 
     if (rt === 'local') {
-      const sessionLog = compressSessionLog(readSessionLog(sessionId));
+      const sessionLog = await sessionLogForGrade(sessionId, config.rules);
       const relevantRules = await filterRules(
         ruleFilterText(command, transcript.userIntent || lastPrompt),
         config.rules,
@@ -10856,7 +10951,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.86")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.88")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -14899,7 +14994,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.86");
+  console.log("1.6.88");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents