log-llm-config-staging 1.3.44

package/README.md

@@ -0,0 +1,46 @@
+## log-llm-config
+
+CLI helpers for Optimus Security startup workflows.
+
+### Prerequisites
+
+- Node.js 18+
+- `OPTIMUS_ENDPOINT` defined in `optimus.env` (e.g. `http://localhost:8080/endpoint_security/`)
+
+### Commands
+
+#### `log_uuid`
+
+Collects the machine hardware UUID (or uses the `OPTIMUS_HARDWARE_UUID` env variable), prints it, and POSTs a startup payload to `OPTIMUS_ENDPOINT/startup/`. If the server responds with a key, it stores it at `~/opt-ai-sec/management/auth_key.txt`.
+
+```bash
+OPTIMUS_ENDPOINT=http://localhost:8080/endpoint_security/ \
+npx --yes log-llm-config@latest log_uuid
+```
+
+- **Optional flags** (for git context, similar to `optimus-init`):
+  - `--uuid <hw_uuid>` – override hardware UUID
+  - `--user <git_user>` – e.g. `$(git config user.name)`
+  - `--repo <git_remote>` – e.g. `$(git remote -v)`
+  - `--branch <git_branch>` – e.g. `$(git branch --show-current)`
+  - `--agent <agent_name>` – e.g. `Cursor`
+
+#### `log-llm-config`
+
+Legacy helper that logs local Optimus/Cursor configuration files to `configs.txt`.
+
+You can also pass the UUID explicitly:
+
+```bash
+npx --yes log-llm-config@latest log_uuid --uuid "DUMMY-LOCAL-UUID"
+```
+
+### Development
+
+```bash
+npm install
+npm run build
+```
+
+> Proprietary package. Do not publish to public registries.
+

package/dist/apply_deferred_vscdb.js

@@ -0,0 +1,8 @@
+/**
+ * Runs after Cursor SIGKILL: applies queued state.vscdb patches from
+ * ~/opt-ai-sec/management/optimus_deferred_vscdb_apply.json (see remediation_sync).
+ */
+import { applyDeferredVscdbFromDisk } from './log_config_files/runtime/remediation_sync.js';
+applyDeferredVscdbFromDisk()
+    .then((ok) => process.exit(ok ? 0 : 1))
+    .catch(() => process.exit(1));

package/dist/bootstrap_constants.js

@@ -0,0 +1,5 @@
+/**
+ * Bootstrap-level path constants — known before the API response is available.
+ * Used by auth, hook logging, and audit output. Do not add agent-specific paths here.
+ */
+export const OPT_AI_SEC_MANAGEMENT_REL = 'opt-ai-sec/management';

package/dist/cli/bash_script_generator.js

@@ -0,0 +1,95 @@
+import { readFileCollectionVscdbContract } from '../log_config_files/runtime/management_storage.js';
+/** Reactive ItemTable key from backend-derived cache (written on log-config); same path as remediations. */
+function readReactiveStorageItemKeyFromDisk() {
+    const k = readFileCollectionVscdbContract()?.reactive_storage_item_key;
+    return typeof k === 'string' && k.trim() !== '' ? k.trim() : null;
+}
+const fileCategories = [
+    { label: 'Cursor: mcp.json', targets: ['./.cursor/mcp.json', '$HOME/.cursor/mcp.json'] },
+    { label: 'Claude: .mcp.json', targets: ['./mcp.json', './.mcp.json', '/Library/Application Support/ClaudeCode/managed-mcp.json'] },
+    { label: 'Claude: settings.json', targets: ['./.claude/settings.json', './.claude/settings.local.json', '$HOME/.claude/settings.json', '/Library/Application Support/ClaudeCode/managed-settings.json'] },
+    { label: 'Cursor: hooks.json', targets: ['./.cursor/hooks.json', '$HOME/.cursor/hooks.json', '/Library/Application Support/Cursor/hooks.json'] },
+    { label: 'Cursor: User/settings.json (user-level)', targets: ['$HOME/Library/Application Support/Cursor/User/settings.json'] },
+];
+function buildSqliteCategories() {
+    const key = readReactiveStorageItemKeyFromDisk();
+    if (!key)
+        return [];
+    return [
+        {
+            label: 'Cursor: state.vscdb (reactive blob / composerState)',
+            dbPath: '$HOME/Library/Application Support/Cursor/User/globalStorage/state.vscdb',
+            table: 'ItemTable',
+            key,
+            jsonPaths: [['composerState'], []],
+        },
+    ];
+}
+function buildFileCategoryLines(category) {
+    return [
+        `echo "===== ${category.label} ====="`,
+        'files=(', ...category.targets.map((t) => `  "${t}"`), ')',
+        'expanded_files=()', 'paths=()', 'display_paths=()',
+        'for f in "${files[@]}"; do',
+        '  expanded=$(eval echo "$f")',
+        '  expanded_dir=$(dirname "$expanded")', '  expanded_base=$(basename "$expanded")',
+        '  abs_dir=$(cd "$expanded_dir" 2>/dev/null && pwd || echo "$expanded_dir")',
+        '  abs_path="$abs_dir/$expanded_base"', '  expanded_files+=("$abs_path")',
+        '  relative_path="$(to_relative "$abs_path")"', '  paths+=("$relative_path")', '  display_paths+=("$relative_path")',
+        'done', 'echo ""',
+        'if [ ${#paths[@]} -gt 0 ]; then', '  echo "Paths:"',
+        '  printf "%s\\n" "${paths[@]}" | awk \'!seen[$0]++\' | while IFS= read -r dir; do', '    echo "$dir"', '  done',
+        '  echo ""', 'else', '  echo "Paths: (none)"', 'fi', 'echo ""',
+        'for idx in "${!expanded_files[@]}"; do', '  expanded="${expanded_files[$idx]}"', '  display="${display_paths[$idx]}"',
+        '  if [ -f "$expanded" ]; then',
+        `    echo "===== ${category.label}: $display ====="`, '    cat "$expanded"',
+        '  else', `    echo "===== ${category.label}: missing: $display ====="`, '  fi',
+        'done', 'echo ""',
+    ];
+}
+function buildSqliteCategoryLines(category) {
+    const jsonPathsLiteral = JSON.stringify(category.jsonPaths);
+    const safeSqlKey = category.key.replace(/'/g, "''");
+    return [
+        `echo "===== ${category.label} ====="`, `db_path="${category.dbPath}"`,
+        'expanded=$(eval echo "$db_path")',
+        'if [ -f "$expanded" ]; then', '  if command -v sqlite3 >/dev/null 2>&1; then',
+        '    echo "===== $expanded ====="',
+        `    query_result=$(sqlite3 "$expanded" "SELECT value FROM ${category.table} WHERE key='${safeSqlKey}'")`,
+        '    if [ -n "$query_result" ]; then',
+        `      echo "===== key: ${category.key} ====="`,
+        `      LOG_CONFIG_JSON_VALUE="$query_result" python3 - <<'PY'`,
+        'import json', 'import os', '',
+        'raw = os.environ.get("LOG_CONFIG_JSON_VALUE", "")',
+        'if not raw:', '    print("{}")', '    raise SystemExit',
+        `paths = ${jsonPathsLiteral}`,
+        'try:', '    data = json.loads(raw)',
+        'except json.JSONDecodeError as exc:', '    print(f"failed to parse JSON: {exc}")', '    raise SystemExit',
+        'def walk(obj, path):', '    cur = obj',
+        '    for segment in path:', '        if isinstance(cur, dict):', '            cur = cur.get(segment)', '        else:', '            return None',
+        '    return cur',
+        'selected_value = None', 'selected_label = None',
+        'for path in paths:', '    value = walk(data, path)',
+        '    if value is not None:', '        selected_value = value', '        selected_label = ".".join(path) if path else "root"', '        break',
+        'if selected_value is None:', '    print("{}")',
+        'else:', '    print(f"[path: {selected_label}]")', '    print(json.dumps(selected_value, indent=2, sort_keys=True))',
+        'PY',
+        '    else', `      echo "===== key not found: ${category.key} ====="`, '    fi',
+        '  else', '    echo "===== sqlite3 not found; skipping ====="', '  fi',
+        'else', '    echo "===== missing: $expanded ====="', 'fi', 'echo ""',
+    ];
+}
+function renderBashScript() {
+    const scriptLines = [
+        '#!/usr/bin/env bash', 'set -euo pipefail',
+        'output_file="$(pwd)/configs.txt"', ': > "$output_file"', 'exec >"$output_file"', 'exec 2>&1', '',
+        'repo_root="$(pwd)"',
+        'to_relative() {', '  local path="$1"', '  if [[ "$path" == "$repo_root"* ]]; then',
+        '    local suffix="${path#"$repo_root"}"', '    if [ -z "$suffix" ]; then', '      echo "<project_root>"',
+        '    else', '      echo "<project_root>${suffix}"', '    fi', '  else', '    echo "$path"', '  fi', '}', '',
+        ...fileCategories.flatMap(buildFileCategoryLines),
+        ...buildSqliteCategories().flatMap(buildSqliteCategoryLines),
+    ];
+    return scriptLines.join('\n');
+}
+export { renderBashScript };

package/dist/cli.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+import { renderBashScript } from './cli/bash_script_generator.js';
+const args = process.argv.slice(2);
+const main = async () => {
+    if (args[0] === 'log_uuid') {
+        parseAndSetLogUuidEnvVars();
+        await import('./log_uuid/index.js');
+        return;
+    }
+    if (args[0] === 'log_config_files') {
+        const { main, logSingleFile } = await import('./log_config_files/index.js');
+        const filePathArg = args.find((arg, idx) => idx > 0 && !arg.startsWith('-') && (arg.includes('/') || arg.endsWith('.json') || arg.endsWith('.md')));
+        if (filePathArg) {
+            const success = await logSingleFile(filePathArg);
+            try {
+                process.exit(success ? 0 : 1);
+            }
+            catch {
+                // process.exit may be mocked in tests (throws instead of exiting); allow process to continue
+            }
+            return;
+        }
+        await main();
+        return;
+    }
+    if (args[0] === 'log_sensitive_paths_audit') {
+        const { main } = await import('./log_sensitive_paths_audit.js');
+        await main();
+        return;
+    }
+    if (args[0] === 'compliance_prompt_gate') {
+        const { runCompliancePromptGateCli } = await import('./compliance_prompt_gate.js');
+        await runCompliancePromptGateCli();
+        process.exit(0);
+        return;
+    }
+    if (args[0] === 'compliance_check_runner') {
+        await import('./compliance_check_runner.js');
+        return;
+    }
+    // `npx log-llm-config@latest <name>` runs this file (default bin) with args[0] set — not the named bin file.
+    if (args[0] === 'execute-trusted-restarts') {
+        const { runExecuteTrustedRestartsFromStdin } = await import('./execute_trusted_restarts.js');
+        try {
+            runExecuteTrustedRestartsFromStdin();
+        }
+        catch (e) {
+            console.error(e instanceof Error ? e.message : String(e));
+            process.exit(1);
+        }
+        process.exit(0);
+        return;
+    }
+    if (args[0] === 'apply-deferred-vscdb') {
+        await import('./apply_deferred_vscdb.js');
+        return;
+    }
+    // No command matched — output legacy bash script
+    console.log(renderBashScript());
+};
+function parseAndSetLogUuidEnvVars() {
+    let uuidArg;
+    let userArg;
+    let repoArg;
+    let branchArg;
+    let agentArg;
+    for (let i = 1; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--uuid' || arg === '-u') {
+            uuidArg = args[++i];
+            continue;
+        }
+        if (arg === '--user') {
+            userArg = args[++i];
+            continue;
+        }
+        if (arg === '--repo') {
+            repoArg = args[++i];
+            continue;
+        }
+        if (arg === '--branch') {
+            branchArg = args[++i];
+            continue;
+        }
+        if (arg === '--agent') {
+            agentArg = args[++i];
+            continue;
+        }
+        if (!arg.startsWith('-') && !uuidArg)
+            uuidArg = arg;
+    }
+    if (uuidArg)
+        process.env.OPTIMUS_HARDWARE_UUID = uuidArg;
+    if (userArg)
+        process.env.GITHUB_USER = userArg;
+    if (repoArg)
+        process.env.GITHUB_REPOSITORY = repoArg;
+    if (branchArg)
+        process.env.GITHUB_REF_NAME = branchArg;
+    if (agentArg)
+        process.env.OPTIMUS_AGENT = agentArg;
+}
+void main();

package/dist/cli_invocation_match.js

@@ -0,0 +1,28 @@
+import { basename } from 'node:path';
+import { fileURLToPath } from 'node:url';
+function toFsPath(scriptPathOrFileUrl) {
+    if (scriptPathOrFileUrl.startsWith('file://')) {
+        return fileURLToPath(scriptPathOrFileUrl);
+    }
+    return scriptPathOrFileUrl;
+}
+/**
+ * Basename of the invoked script, normalized so npm `bin` names (hyphens) match compiled
+ * artifacts (underscores), e.g. `execute-trusted-restarts` → `execute_trusted_restarts`.
+ */
+export function normalizedCliScriptBasename(scriptPathOrFileUrl) {
+    return basename(toFsPath(scriptPathOrFileUrl))
+        .replace(/\.[cm]?js$/, '')
+        .replace(/-/g, '_');
+}
+/**
+ * True when this process was started as the given module's CLI entrypoint.
+ * Handles npx bin shims (symlink paths) and hyphen vs underscore bin/file naming.
+ */
+export function isThisCliModule(argv1, thisImportMetaUrl) {
+    if (!argv1)
+        return false;
+    const entry = normalizedCliScriptBasename(argv1);
+    const self = normalizedCliScriptBasename(thisImportMetaUrl);
+    return entry !== '' && entry === self;
+}

package/dist/compliance_check_runner.js

@@ -0,0 +1,17 @@
+import { complianceRunnerRunnerLine, hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
+import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+(async () => {
+    hookLogAppendSection('compliance_check_runner (background sync + check)');
+    complianceRunnerRunnerLine('compliance_check_runner: start');
+    try {
+        await runComplianceCheck();
+        complianceRunnerRunnerLine('compliance_check_runner: finished ok');
+    }
+    catch (err) {
+        const detail = err instanceof Error ? err.stack ?? err.message : String(err);
+        complianceRunnerRunnerLine(`compliance_check_runner: uncaught error — ${err instanceof Error ? err.message : String(err)}`);
+        complianceRunnerRunnerLine(`compliance_check_runner: stack_or_detail ${detail.slice(0, 4000)}`);
+        process.stderr.write(`compliance_check_runner error: ${err instanceof Error ? err.message : String(err)}\n`);
+        process.exit(1);
+    }
+})();

package/dist/compliance_prompt_gate.js

@@ -0,0 +1,197 @@
+/**
+ * Synchronous pre-prompt gate: local compliance only (stdout = single JSON line for IDE hooks).
+ * stderr must stay clean; logs go via hookRunLog (file).
+ *
+ * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
+ * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
+ */
+import { applyAutofixViolations, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
+import { existsSync, statSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { basename } from 'node:path';
+import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
+import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
+const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+function parseIde() {
+    const eq = process.argv.find((a) => a.startsWith('--ide='));
+    if (eq) {
+        const v = eq.slice('--ide='.length).toLowerCase();
+        return v === 'claude' ? 'claude' : 'cursor';
+    }
+    if (process.argv.includes('--claude'))
+        return 'claude';
+    return 'cursor';
+}
+function printAllow(ide) {
+    if (ide === 'claude')
+        console.log('{}');
+    else
+        console.log(JSON.stringify({ continue: true }));
+}
+function printAllowWithAdvisory(ide, advisoryMessage) {
+    if (ide === 'claude') {
+        console.log(JSON.stringify({ __optimus_advisory: true, advisory_message: advisoryMessage }));
+    }
+    else {
+        console.log(JSON.stringify({
+            continue: true,
+            __optimus_advisory: true,
+            advisory_message: advisoryMessage,
+        }));
+    }
+}
+function blockPayload(ide, violationMessage) {
+    const prefix = 'Prompt blocked by Optimus: ';
+    const text = prefix + violationMessage;
+    if (ide === 'claude') {
+        return JSON.stringify({ decision: 'block', reason: text, systemMessage: text });
+    }
+    return JSON.stringify({ continue: false, user_message: text });
+}
+function getManifestStalenessMs() {
+    try {
+        const path = getRemediationInstructionsPath();
+        if (!existsSync(path))
+            return null;
+        const st = statSync(path);
+        return Date.now() - st.mtimeMs;
+    }
+    catch {
+        return null;
+    }
+}
+function isRunAsCliModule() {
+    const entry = process.argv[1];
+    if (!entry)
+        return false;
+    // Compare by basename only: npx bins are symlinks (no .js extension) while import.meta.url
+    // is the real resolved path with extension — full-path comparison reliably fails across setups.
+    const entryBase = basename(entry).replace(/\.[cm]?js$/, '');
+    const selfBase = basename(fileURLToPath(import.meta.url)).replace(/\.[cm]?js$/, '');
+    return entryBase !== '' && entryBase === selfBase;
+}
+/** Short line for success dialog: finding title/sentence from manifest, not per-check remediation technical text. */
+function autofixDialogLine(v) {
+    const title = v.finding_title?.trim();
+    if (title)
+        return `• [${v.finding_formatted_id}] ${title}`;
+    const fd = v.finding_description?.trim();
+    if (fd)
+        return `• [${v.finding_formatted_id}] ${fd}`;
+    const d = v.description.trim();
+    const short = d.length > 160 ? `${d.slice(0, 157)}…` : d;
+    return `• [${v.finding_formatted_id}] ${short}`;
+}
+/**
+ * Entry when the default npm bin (`log-llm-config` / cli.js) dispatches
+ * `compliance_prompt_gate` — npx does not execute compliance_prompt_gate.js as argv[1], so
+ * {@link isRunAsCliModule} is false and the gate must be invoked explicitly from cli.ts.
+ */
+export async function runCompliancePromptGateCli() {
+    await runCompliancePromptGate().catch(() => printAllow(parseIde()));
+}
+/** Exported for tests; runs when `dist/compliance_prompt_gate.js` is the process entry (argv[1]). */
+export async function runCompliancePromptGate() {
+    const ide = parseIde();
+    hookLogSessionBanner('compliance_prompt_gate (before submit)');
+    const status = runLocalRemediationComplianceCheck();
+    if (status.status === 'fail' && status.violations.length > 0) {
+        const staleMs = getManifestStalenessMs();
+        if (staleMs !== null && staleMs > MANIFEST_STALE_MS) {
+            const staleDays = Math.floor(staleMs / (24 * 60 * 60 * 1000));
+            const advisory = `Remediation enforcement suspended: local remediation manifest is stale (${staleDays} days old). ` +
+                'Please reconnect to sync latest policy state.';
+            logRemediationApplyFailure('prompt_gate_stale_manifest_advisory', {
+                reason: advisory,
+                stale_days: staleDays,
+                violation_count: status.violations.length,
+            });
+            printAllowWithAdvisory(ide, advisory);
+            return;
+        }
+        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(status.violations);
+        if (fixed > 0) {
+            // Wait for all server reports before exiting so the POST lands.
+            await Promise.allSettled(reportPromises);
+            // Deferred SQLite can leave recheck failing until restart; that must not hide a separate
+            // failed autofix (e.g. JSON remediation failed while vscdb was only queued).
+            if (failedViolations.length > 0) {
+                const ids = failedViolations.map((v) => `[${v.finding_formatted_id}]`).join(', ');
+                const msg = `Auto-fix failed for ${ids} — please fix manually or contact your security team.\n\n${failedViolations[0]?.message ?? ''}`;
+                logRemediationApplyFailure('prompt_gate_block_autofix_failed', {
+                    reason: 'autofix had fixed>0 path but failedViolations non-empty after apply',
+                    ide,
+                    failed_formatted_ids: failedViolations.map((v) => v.finding_formatted_id).join(', '),
+                    detail: failedViolations[0]?.message ?? '',
+                });
+                console.log(blockPayload(ide, msg));
+                return;
+            }
+            const recheck = runLocalRemediationComplianceCheck();
+            const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
+            // Cursor: tolerate a failing recheck only when SQLite updates are deferred (apply after restart).
+            // Claude Code: JSON remediations are written immediately; merge/verify timing can still leave the
+            // in-process recheck red for the same UUID — allow in that case only for --ide=claude.
+            const appliedUuids = new Set(appliedViolations.map((v) => v.uuid));
+            const claudeRecheckStaleAfterImmediateApply = ide === 'claude' &&
+                !recheckOk &&
+                recheck.violations.length > 0 &&
+                recheck.violations.every((v) => appliedUuids.has(v.uuid));
+            if (claudeRecheckStaleAfterImmediateApply) {
+                hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
+            }
+            if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
+                const violationLabel = fixed === 1 ? 'policy violation' : 'policy violations';
+                const autofixMessage = `Optimus Labs auto-fixed ${fixed} ${violationLabel}:\n\n${appliedViolations
+                    .map((v) => autofixDialogLine(v))
+                    .join('\n')}`;
+                const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
+                if (restartCommands.length > 0)
+                    payload.restart_commands = restartCommands;
+                console.log(JSON.stringify(payload));
+                // Restarts: always executed by optimus-compliance-check.sh via execute_trusted_restarts (TS allowlist + spawn).
+                return;
+            }
+            const msg = recheck.violations[0]?.message ?? 'A security policy violation has been detected.';
+            logRemediationApplyFailure('prompt_gate_block_recheck_failed', {
+                reason: 'after autofix, local compliance recheck still reports violations',
+                ide,
+                deferred_sqlite_pending: deferredSqlitePending,
+                first_uuid: recheck.violations[0]?.uuid ?? '',
+                message: msg,
+            });
+            console.log(blockPayload(ide, msg));
+            return;
+        }
+        if (failedViolations.length > 0) {
+            const ids = failedViolations.map((v) => `[${v.finding_formatted_id}]`).join(', ');
+            const msg = `Auto-fix failed for ${ids} — please fix manually or contact your security team.\n\n${failedViolations[0]?.message ?? ''}`;
+            logRemediationApplyFailure('prompt_gate_block_autofix_failed', {
+                reason: 'autofix failed (fixed=0 branch or partial failure)',
+                ide,
+                failed_formatted_ids: failedViolations.map((v) => v.finding_formatted_id).join(', '),
+                detail: failedViolations[0]?.message ?? '',
+            });
+            console.log(blockPayload(ide, msg));
+            return;
+        }
+        const msg = status.violations[0]?.message ?? 'A security policy violation has been detected.';
+        logRemediationApplyFailure('prompt_gate_block_violations_no_autofix_applied', {
+            reason: 'violations on submit but autofix did not succeed — see autofix_skipped_not_allowed, enforceRemediation, or compliance_check entries',
+            ide,
+            first_uuid: status.violations[0]?.uuid ?? '',
+            finding_formatted_id: status.violations[0]?.finding_formatted_id ?? '',
+        });
+        console.log(blockPayload(ide, msg));
+        return;
+    }
+    // No violations: clean up satisfied one-time remediations so they don't linger locally forever.
+    const pruned = pruneSatisfiedOneTimeRemediations();
+    if (pruned.removed > 0) {
+        await Promise.allSettled(pruned.reportPromises);
+    }
+    printAllow(ide);
+}
+if (isRunAsCliModule()) {
+    runCompliancePromptGateCli().finally(() => process.exit(0));
+}

package/dist/endpoint_client/http_transport.js

@@ -0,0 +1,88 @@
+import http from 'node:http';
+import https from 'node:https';
+import { URL } from 'node:url';
+/** Normalize localhost/::1 to 127.0.0.1 to avoid IPv6 resolution issues. */
+function resolveHostname(raw) {
+    return raw === 'localhost' || raw === '::1' ? '127.0.0.1' : raw;
+}
+function buildGetOptions(url, timeoutMs) {
+    const isHttps = url.protocol === 'https:';
+    return {
+        hostname: resolveHostname(url.hostname),
+        port: url.port || (isHttps ? 443 : 80),
+        path: url.pathname + url.search,
+        method: 'GET',
+        timeout: timeoutMs,
+    };
+}
+function buildBodyOptions(url, payload, method, timeoutMs) {
+    const isHttps = url.protocol === 'https:';
+    return {
+        hostname: resolveHostname(url.hostname),
+        port: url.port || (isHttps ? 443 : 80),
+        path: `${url.pathname}${url.search}`,
+        method,
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(payload).toString(),
+        },
+        timeout: timeoutMs,
+    };
+}
+/** Execute a GET request. Returns statusCode=0 and empty body on network/timeout failure. */
+export function executeGet(urlStr, timeoutMs) {
+    const url = new URL(urlStr);
+    const options = buildGetOptions(url, timeoutMs);
+    const transport = url.protocol === 'https:' ? https.request : http.request;
+    return new Promise((resolve) => {
+        const req = transport(options, (res) => {
+            let body = '';
+            res.setEncoding('utf8');
+            res.on('data', (chunk) => { body += chunk; });
+            res.on('end', () => resolve({ statusCode: res.statusCode ?? 0, body }));
+        });
+        req.on('error', () => resolve({ statusCode: 0, body: '' }));
+        req.on('timeout', () => { req.destroy(); resolve({ statusCode: 0, body: '' }); });
+        req.end();
+    });
+}
+/** Execute a POST/PATCH request. Rejects on network error or timeout. */
+export function executeBody(urlStr, method, payload, timeoutMs) {
+    const url = new URL(urlStr);
+    const options = buildBodyOptions(url, payload, method, timeoutMs);
+    const transport = url.protocol === 'https:' ? https.request : http.request;
+    return new Promise((resolve, reject) => {
+        let done = false;
+        const timer = setTimeout(() => {
+            if (!done) {
+                done = true;
+                req.destroy();
+                reject(new Error(`Request timeout after ${timeoutMs}ms`));
+            }
+        }, timeoutMs);
+        const req = transport(options, (res) => {
+            let body = '';
+            res.setEncoding('utf8');
+            res.on('data', (chunk) => { body += chunk; });
+            res.on('end', () => {
+                done = true;
+                clearTimeout(timer);
+                resolve({ statusCode: res.statusCode ?? 0, statusMessage: res.statusMessage ?? '', headers: res.headers, body });
+            });
+        });
+        req.on('error', (err) => {
+            done = true;
+            clearTimeout(timer);
+            console.error('Request error:', err.message, err.code);
+            reject(err);
+        });
+        req.on('timeout', () => {
+            done = true;
+            clearTimeout(timer);
+            req.destroy();
+            reject(new Error(`Request timeout after ${timeoutMs}ms`));
+        });
+        req.write(payload);
+        req.end();
+    });
+}

package/dist/endpoint_client/index.js

@@ -0,0 +1,3 @@
+export { FILE_PATH_REGISTRY_FILE_PATTERNS_PATH, FILE_PATH_REGISTRY_SENSITIVE_PATHS_PATH, } from './types.js';
+export { buildApiUrl, getFileCollectionPatterns, getSensitivePathsAuditCandidates, } from './registry_api.js';
+export { postStartupPayload, patchPayload, classifyEndpointResponse } from './startup_api.js';

package/dist/endpoint_client/registry_api.js

@@ -0,0 +1,41 @@
+import { URL } from 'node:url';
+import { executeGet } from './http_transport.js';
+import { FILE_PATH_REGISTRY_FILE_PATTERNS_PATH, FILE_PATH_REGISTRY_SENSITIVE_PATHS_PATH, } from './types.js';
+/** Join API base (may include a path prefix, e.g. https://host/optimus/) with an absolute API path. */
+export function buildApiUrl(base, path) {
+    const normalizedBase = `${base.replace(/\/+$/, '')}/`;
+    const relativePath = path.replace(/^\/+/, '');
+    return new URL(relativePath, normalizedBase).href;
+}
+/**
+ * GET file collection patterns from the backend (what to look for).
+ * No auth required. Returns the complete list of path + type + file_type.
+ */
+export const getFileCollectionPatterns = async (apiBaseUrl, timeoutMs = 5000) => {
+    const { statusCode, body } = await executeGet(buildApiUrl(apiBaseUrl, FILE_PATH_REGISTRY_FILE_PATTERNS_PATH), timeoutMs);
+    if (statusCode !== 200 || !body)
+        return null;
+    try {
+        const parsed = JSON.parse(body);
+        return Array.isArray(parsed.patterns) && typeof parsed.count === 'number' ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+};
+/**
+ * GET sensitive path audit candidates from the backend (concrete paths to check for existence).
+ * No auth required. Returns path templates (~ = home). Client checks existence only, never sends contents.
+ */
+export const getSensitivePathsAuditCandidates = async (apiBaseUrl, timeoutMs = 5000) => {
+    const { statusCode, body } = await executeGet(buildApiUrl(apiBaseUrl, FILE_PATH_REGISTRY_SENSITIVE_PATHS_PATH), timeoutMs);
+    if (statusCode !== 200 || !body)
+        return null;
+    try {
+        const parsed = JSON.parse(body);
+        return Array.isArray(parsed.paths) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+};