log-llm-config-staging 1.3.44

package/dist/log_config_files/runtime/hook_logger.js

@@ -0,0 +1,197 @@
+import { existsSync, mkdirSync, appendFileSync, writeFileSync, statSync } from 'node:fs';
+import path from 'node:path';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+const HOOK_LOG_FILENAME = 'hook_log.txt';
+const COMPLIANCE_RUNNER_LOG_FILENAME = 'compliance_runner.log';
+/** Append-only: remediation verify/apply failures (not cleared per hook session). */
+const REMEDIATION_APPLY_FAILURES_FILENAME = 'remediation_apply_failures.log';
+/** Hard cap so a single upload/sync session cannot grow hook_log.txt without bound. */
+const MAX_HOOK_LOG_BYTES = 2 * 1024 * 1024;
+function getHookLogPath() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE;
+    if (!homeDir)
+        return null;
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, HOOK_LOG_FILENAME);
+}
+function getComplianceRunnerLogPath() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE;
+    if (!homeDir)
+        return null;
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_RUNNER_LOG_FILENAME);
+}
+function getRemediationApplyFailuresLogPath() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE;
+    if (!homeDir)
+        return null;
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, REMEDIATION_APPLY_FAILURES_FILENAME);
+}
+/**
+ * Append one ISO-timestamped line to compliance_runner.log.
+ * `level` examples: INFO, RUNNER, RESTART, FAIL
+ */
+function appendComplianceRunnerLine(level, message) {
+    const logPath = getComplianceRunnerLogPath();
+    if (!logPath)
+        return;
+    try {
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        const ts = new Date().toISOString();
+        appendFileSync(logPath, `${ts} [${level}] pid=${process.pid} ${message}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Append-only diagnostics for remediation sync / compliance (structured).
+ */
+function complianceRunnerDiag(message) {
+    appendComplianceRunnerLine('INFO', message);
+}
+/**
+ * Background compliance_check_runner should use this so entries match the same format.
+ */
+function complianceRunnerRunnerLine(message) {
+    appendComplianceRunnerLine('RUNNER', message);
+}
+/**
+ * Loud, append-only record when a remediation cannot be verified or applied. Writes
+ * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to compliance_runner.log;
+ * also appends a single summary line to hook_log.txt for the current session.
+ */
+function logRemediationApplyFailure(context, fields) {
+    const ts = new Date().toISOString();
+    const bodyLines = Object.entries(fields)
+        .filter(([, v]) => v !== undefined && v !== null && String(v) !== '')
+        .map(([k, v]) => `  ${k}: ${typeof v === 'string' ? v : JSON.stringify(v)}`);
+    const block = [
+        '',
+        '='.repeat(72),
+        `${ts} REMEDIATION APPLY FAILURE — ${context}`,
+        ...bodyLines,
+        '='.repeat(72),
+        '',
+    ].join('\n');
+    const summary = fields.reason != null
+        ? String(fields.reason)
+        : fields.message != null
+            ? String(fields.message)
+            : 'see fields above';
+    const writeFailAppend = (filePath) => {
+        const dir = path.dirname(filePath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        appendFileSync(filePath, block, 'utf8');
+    };
+    try {
+        const failPath = getRemediationApplyFailuresLogPath();
+        if (failPath)
+            writeFailAppend(failPath);
+        const crPath = getComplianceRunnerLogPath();
+        if (crPath) {
+            const dir = path.dirname(crPath);
+            if (!existsSync(dir))
+                mkdirSync(dir, { recursive: true, mode: 0o700 });
+            appendFileSync(crPath, block, 'utf8');
+        }
+    }
+    catch {
+        /* best-effort */
+    }
+    try {
+        hookRunLog(`REMEDIATION_APPLY_FAILURE [${context}] ${fields.uuid != null ? `uuid=${fields.uuid} ` : ''}${summary}`);
+    }
+    catch {
+        /* best-effort */
+    }
+    appendComplianceRunnerLine('FAIL', `${context} — ${summary}`);
+}
+function ensureHookLogUnderCap() {
+    const logPath = getHookLogPath();
+    if (!logPath || !existsSync(logPath))
+        return;
+    try {
+        if (statSync(logPath).size <= MAX_HOOK_LOG_BYTES)
+            return;
+        const ts = new Date().toISOString();
+        writeFileSync(logPath, `${'='.repeat(72)}\n${ts} hook_log.txt truncated (exceeded ${MAX_HOOK_LOG_BYTES} bytes)\n${'='.repeat(72)}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Start a new hook_log.txt session (replaces the file). Use once per logical run
+ * (e.g. compliance_prompt_gate, log_config_files upload via hookLogReplace).
+ */
+function hookLogSessionBanner(label) {
+    const logPath = getHookLogPath();
+    if (!logPath)
+        return;
+    try {
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        const ts = new Date().toISOString();
+        const banner = `\n${'='.repeat(72)}\n${ts} session: ${label}\n${'='.repeat(72)}\n`;
+        writeFileSync(logPath, banner, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Append a subsection after an existing session (e.g. compliance_check_runner after the gate)
+ * without replacing hook_log.txt.
+ */
+function hookLogAppendSection(label) {
+    const logPath = getHookLogPath();
+    if (!logPath)
+        return;
+    try {
+        ensureHookLogUnderCap();
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        const ts = new Date().toISOString();
+        const banner = `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+        appendFileSync(logPath, banner, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Begins a log_config_files upload session (replaces hook_log.txt, same as hookLogSessionBanner). */
+function hookLogReplace() {
+    hookLogSessionBanner('log_config_files (config upload)');
+}
+/** Append a timestamped line to hook_log.txt. */
+function hookRunLog(message) {
+    const logPath = getHookLogPath();
+    if (!logPath)
+        return;
+    try {
+        ensureHookLogUnderCap();
+        const ts = new Date().toISOString();
+        appendFileSync(logPath, `${ts} ${message}\n`, 'utf8');
+    }
+    catch {
+        // best-effort; don't break the run
+    }
+}
+/** Append a line without timestamp (for multi-line blocks like manifests). */
+function hookLogLine(message) {
+    const logPath = getHookLogPath();
+    if (!logPath)
+        return;
+    try {
+        ensureHookLogUnderCap();
+        appendFileSync(logPath, `${message}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+export { getHookLogPath, getComplianceRunnerLogPath, hookLogReplace, hookLogSessionBanner, hookLogAppendSection, hookRunLog, hookLogLine, complianceRunnerDiag, complianceRunnerRunnerLine, appendComplianceRunnerLine, logRemediationApplyFailure, };

package/dist/log_config_files/runtime/main_runner.js

@@ -0,0 +1,192 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { getFileCollectionPatterns, FILE_PATH_REGISTRY_FILE_PATTERNS_PATH } from '../../endpoint_client/index.js';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+import { runSensitivePathsAudit } from '../../log_sensitive_paths_audit.js';
+import { loadEndpointBase, getEndpointSource } from '../sender/endpoint_config.js';
+import { hookLogReplace, hookRunLog } from './hook_logger.js';
+import { resolveHardwareUuid } from './hardware_uuid.js';
+import { ensureAuthentication } from '../auth/auth_flow.js';
+import { readJSONFile, readMarkdownFile } from '../readers/file_readers.js';
+import { isVscdbVirtualPath, tryReadVscdbVirtualFile, summarizeComposerPayloadForDiagnostics, } from '../readers/vscdb_config_builder.js';
+import { persistVscdbComposerContractFromPatternsResponse } from '../readers/vscdb_reader.js';
+import { collectConfigFilesFromPatterns, collectMcpToolFiles, collectConfigFilesFromInstalledPlugins, determineFileTypeFromPath } from '../collection/config_collector.js';
+import { normalizePathSkipPrefixes } from '../paths/pattern_resolver.js';
+import { sendConfigFile, sendConfigFilesBatch, sendHookRequestCreate, sendHookRequestUpdateManifest, sendIngestSessionStart, sendIngestSessionFinish, BATCH_CHUNK_SIZE } from '../sender/batch_sender.js';
+import { canonicalCursorUserStateVscdbPath } from './remediation_config_path.js';
+import { createSignature, canonicalizePayload } from '../sender/signing.js';
+const PROJECT_ROOT = process.cwd();
+async function collectAllConfigFiles(endpointBase) {
+    const patternsUrl = `${endpointBase.replace(/\/+$/, '')}${FILE_PATH_REGISTRY_FILE_PATTERNS_PATH}`;
+    hookRunLog(`fetching patterns from ${patternsUrl}`);
+    const patternsResponse = await getFileCollectionPatterns(endpointBase);
+    const n = patternsResponse?.patterns?.length ?? 0;
+    hookRunLog(`patterns: ${n} pattern(s) received`);
+    if (!patternsResponse?.patterns?.length) {
+        const msg = 'File collection requires patterns from the API; none received. Check endpoint and file-path-registry.';
+        hookRunLog(msg);
+        throw new Error(msg);
+    }
+    persistVscdbComposerContractFromPatternsResponse(patternsResponse);
+    hookRunLog(`scanning config files`);
+    const configFiles = collectConfigFilesFromPatterns(patternsResponse.patterns, PROJECT_ROOT, hookRunLog, {
+        vscdbEntrySpecs: patternsResponse.vscdb_entry_specs,
+        vscdb_read_queries: patternsResponse.vscdb_read_queries,
+        vscdb_merge_from_composer_state: patternsResponse.vscdb_merge_from_composer_state,
+        client_path_constants: patternsResponse.client_path_constants,
+        path_resolution_specs: patternsResponse.path_resolution_specs,
+        home_recurse_skip_dirs: patternsResponse.home_recurse_skip_dirs,
+        absolute_path_prefixes: patternsResponse.absolute_path_prefixes,
+        mcp_tool_glob_spec: patternsResponse.mcp_tool_glob_spec ?? null,
+    });
+    hookRunLog(`scanning MCP tool cache`);
+    const mcpToolGlobPattern = patternsResponse.patterns.find((p) => p.path_resolution === 'mcp_tool_glob');
+    const mcpToolSkipPrefixes = normalizePathSkipPrefixes(mcpToolGlobPattern?.path_skip_prefixes);
+    const existingPaths = new Set(configFiles.map((c) => `${c.file_type}\t${c.file_path}`));
+    for (const m of collectMcpToolFiles(mcpToolSkipPrefixes, patternsResponse.client_path_constants)) {
+        const key = `${m.file_type}\t${m.file_path}`;
+        if (!existingPaths.has(key)) {
+            existingPaths.add(key);
+            configFiles.push(m);
+        }
+    }
+    hookRunLog(`scanning installed plugins`);
+    if (!patternsResponse.client_path_constants)
+        throw new Error('client_path_constants required from API response');
+    configFiles.push(...collectConfigFilesFromInstalledPlugins(patternsResponse.client_path_constants));
+    return configFiles;
+}
+async function addSensitivePathsAudit(endpointBase, configFiles) {
+    hookRunLog(`running sensitive paths audit`);
+    const auditOutputDir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
+    try {
+        const auditResult = await runSensitivePathsAudit(endpointBase, auditOutputDir, PROJECT_ROOT);
+        hookRunLog(`sensitive_paths_audit: ${auditResult.paths.length} path(s)`);
+        configFiles.push({ file_type: 'sensitive_paths_audit', file_path: 'sensitive_paths_audit.txt', raw_content: { paths: auditResult.paths } });
+    }
+    catch (err) {
+        hookRunLog(`sensitive_paths_audit_error: ${err instanceof Error ? err.message : String(err)}`);
+        configFiles.push({ file_type: 'sensitive_paths_audit', file_path: 'sensitive_paths_audit.txt', raw_content: { paths: [] } });
+    }
+}
+async function sendAllConfigFiles(configFiles, hardwareUuid, authKey) {
+    const hookTypeRaw = (process.env.OPTIMUS_HOOK_TYPE || 'claude').toLowerCase();
+    const hookType = hookTypeRaw === 'cursor' ? 'cursor' : 'claude';
+    const workspaceRepo = process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '';
+    const manifest = configFiles.map((c) => canonicalCursorUserStateVscdbPath(c.file_path));
+    const hookRequestId = await sendHookRequestCreate(hardwareUuid, authKey, hookType, workspaceRepo);
+    hookRunLog(`hook-request id=${hookRequestId ?? 'none'}`);
+    const ingestSessionId = await sendIngestSessionStart(hardwareUuid, authKey);
+    hookRunLog(`ingest-session id=${ingestSessionId ?? 'none'}`);
+    const estimatedRequests = Math.ceil(configFiles.length / BATCH_CHUNK_SIZE);
+    hookRunLog(`config send: batch ${configFiles.length} file(s) in ~${estimatedRequests} request(s)${hookRequestId != null ? ` hook_request_id=${hookRequestId}` : ''}${ingestSessionId ? ` ingest_session_id=${ingestSessionId}` : ''}`);
+    const batchResult = await sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequestId ?? undefined, ingestSessionId ?? undefined);
+    hookRunLog(`config files ${batchResult.accepted}/${configFiles.length} logged (batch)`);
+    if (batchResult.failed > 0)
+        hookRunLog(`config_failed: ${batchResult.failed} item(s) in batch`);
+    if (hookRequestId != null) {
+        const ok = await sendHookRequestUpdateManifest(hardwareUuid, authKey, hookRequestId, manifest);
+        hookRunLog(`hook-request update manifest result=${ok ? 'ok' : 'fail'}`);
+    }
+    if (ingestSessionId && batchResult.accepted > 0) {
+        const ok = await sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId);
+        hookRunLog(`ingest-session finish result=${ok ? 'ok' : 'fail'}`);
+    }
+    // Exit 0 if anything was persisted so the shell hook keeps last_log and throttles. Exit 1 only when
+    // every item failed (e.g. SQLite locked on server) — otherwise partial success used to return 1,
+    // the hook deleted last_log, and the next prompt re-uploaded all files every time.
+    const exitCode = batchResult.accepted > 0 ? 0 : 1;
+    hookRunLog(`summary: exit=${exitCode} collected=${configFiles.length} sent=${batchResult.accepted} failed=${configFiles.length - batchResult.accepted} hook_id=${hookRequestId ?? 'n/a'}`);
+    hookRunLog(`done`);
+    process.exit(exitCode);
+}
+async function main() {
+    hookLogReplace();
+    const hardwareUuid = resolveHardwareUuid();
+    const endpointBase = loadEndpointBase();
+    hookRunLog(`start endpoint=${endpointBase} hardware_uuid=${hardwareUuid}`);
+    hookRunLog(`endpoint_source=${getEndpointSource()} cwd=${process.cwd()}`);
+    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} GITHUB_REPOSITORY=${process.env.GITHUB_REPOSITORY ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
+    let authKey;
+    try {
+        authKey = await ensureAuthentication(hardwareUuid);
+    }
+    catch (err) {
+        hookRunLog(`auth: failed ${err instanceof Error ? err.message : String(err)}`);
+        throw err;
+    }
+    let configFiles;
+    try {
+        configFiles = await collectAllConfigFiles(endpointBase);
+    }
+    catch (err) {
+        hookRunLog(`patterns_error: ${err instanceof Error ? err.message : String(err)}`);
+        throw err;
+    }
+    await addSensitivePathsAudit(endpointBase, configFiles);
+    const fileTypes = [...new Set(configFiles.map((c) => c.file_type))].join(', ');
+    hookRunLog(`collected ${configFiles.length} config file(s) file_types=${fileTypes}`);
+    for (const c of configFiles) {
+        if (!c.file_path.replace(/\\/g, '/').includes('#composerState'))
+            continue;
+        const tail = c.file_path.length > 120 ? `…${c.file_path.slice(-120)}` : c.file_path;
+        hookRunLog(`diag pre-upload #composerState ${summarizeComposerPayloadForDiagnostics(c.raw_content)} path=${tail}`);
+    }
+    const claudeSettings = configFiles.filter((c) => c.file_type === 'claude_settings');
+    if (claudeSettings.length > 0)
+        hookRunLog(`claude_settings in batch: ${claudeSettings.length} path(s): ${claudeSettings.map((c) => c.file_path).join(', ')}`);
+    else
+        hookRunLog(`claude_settings in batch: 0 (none collected)`);
+    if (configFiles.length === 0) {
+        hookRunLog('no config files found, exiting');
+        process.exit(0);
+    }
+    await sendAllConfigFiles(configFiles, hardwareUuid, authKey);
+}
+async function logSingleFile(filePath) {
+    const hardwareUuid = resolveHardwareUuid();
+    const authKey = await ensureAuthentication(hardwareUuid);
+    const patternsResponse = await getFileCollectionPatterns(loadEndpointBase());
+    const isVscdb = isVscdbVirtualPath(filePath, patternsResponse ?? null);
+    if (!existsSync(filePath) && !isVscdb) {
+        console.error(`File not found: ${filePath}`);
+        return false;
+    }
+    const patterns = patternsResponse?.patterns ?? [];
+    let rawContent = null;
+    let fileType = determineFileTypeFromPath(filePath, patterns) ?? undefined;
+    if (isVscdb) {
+        const vscdbResult = tryReadVscdbVirtualFile(filePath, patternsResponse ?? null);
+        if (!vscdbResult) {
+            console.error(`Could not read vscdb virtual file: ${filePath}`);
+            return false;
+        }
+        rawContent = vscdbResult.rawContent;
+        fileType = vscdbResult.fileType;
+    }
+    else {
+        rawContent = readJSONFile(filePath);
+        if (!rawContent) {
+            const markdown = readMarkdownFile(filePath);
+            if (markdown !== null) {
+                rawContent = { content: markdown, source: 'file' };
+                if (!fileType)
+                    fileType = determineFileTypeFromPath(filePath, patterns) ?? undefined;
+            }
+        }
+    }
+    if (!rawContent) {
+        console.error(`Could not read file: ${filePath}`);
+        return false;
+    }
+    if (!fileType) {
+        fileType = determineFileTypeFromPath(filePath, patterns) ?? undefined;
+        if (!fileType) {
+            console.error(`Could not determine file type for: ${filePath}`);
+            return false;
+        }
+    }
+    return sendConfigFile({ file_type: fileType, file_path: filePath, raw_content: rawContent }, hardwareUuid, authKey);
+}
+export { main, logSingleFile, createSignature, canonicalizePayload, sendConfigFile, sendConfigFilesBatch, BATCH_CHUNK_SIZE };

package/dist/log_config_files/runtime/management_storage.js

@@ -0,0 +1,82 @@
+/**
+ * Paths and JSON persistence for ~/opt-ai-sec/management:
+ * - remediation_instructions.json (remediations[])
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { homedir } from 'node:os';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+export const REMEDIATION_INSTRUCTIONS_BASENAME = 'remediation_instructions.json';
+/** Pending state.vscdb writes applied after Cursor exits (IDE holds the DB locked). */
+export const DEFERRED_VSCDB_APPLY_BASENAME = 'optimus_deferred_vscdb_apply.json';
+/** Shell stdout/stderr from the trusted deferred restart pipeline (apply_deferred_vscdb + open Cursor). */
+export const DEFERRED_VSCDB_RESTART_LOG_BASENAME = 'deferred_vscdb_restart.log';
+/**
+ * Cached subset of GET file-patterns: reactive ItemTable key + composer shadow keys from the backend.
+ * Written when patterns are fetched; remediations and vscdb reads use this so the npm package stays free
+ * of hardcoded Cursor paths.
+ */
+export const FILE_COLLECTION_VSCDB_CONTRACT_BASENAME = 'file_collection_vscdb_contract.json';
+export function getManagementDir() {
+    return join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
+}
+export function getRemediationInstructionsPath() {
+    return join(getManagementDir(), REMEDIATION_INSTRUCTIONS_BASENAME);
+}
+export function getDeferredVscdbApplyPath() {
+    return join(getManagementDir(), DEFERRED_VSCDB_APPLY_BASENAME);
+}
+export function getDeferredVscdbRestartLogPath() {
+    return join(getManagementDir(), DEFERRED_VSCDB_RESTART_LOG_BASENAME);
+}
+export function getFileCollectionVscdbContractPath() {
+    return join(getManagementDir(), FILE_COLLECTION_VSCDB_CONTRACT_BASENAME);
+}
+export function readFileCollectionVscdbContract() {
+    const path = getFileCollectionVscdbContractPath();
+    if (!existsSync(path))
+        return null;
+    try {
+        const parsed = JSON.parse(readFileSync(path, 'utf8'));
+        if (parsed?.version !== 1 || !Array.isArray(parsed.composer_shadow_keys))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+export function writeFileCollectionVscdbContract(contract) {
+    atomicWriteJson(getFileCollectionVscdbContractPath(), contract);
+}
+export function atomicWriteJson(filePath, data) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    const tmp = `${filePath}.tmp`;
+    writeFileSync(tmp, JSON.stringify(data, null, 2), 'utf8');
+    renameSync(tmp, filePath);
+}
+function parseInstructionsRaw(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        return Array.isArray(parsed.remediations) ? parsed : { remediations: [] };
+    }
+    catch {
+        return { remediations: [] };
+    }
+}
+export function writeRemediationInstructionsFile(file) {
+    atomicWriteJson(getRemediationInstructionsPath(), file);
+}
+export function readRemediationInstructionsFile() {
+    const path = getRemediationInstructionsPath();
+    if (!existsSync(path))
+        return { remediations: [] };
+    try {
+        return parseInstructionsRaw(readFileSync(path, 'utf8'));
+    }
+    catch {
+        return { remediations: [] };
+    }
+}

package/dist/log_config_files/runtime/remediation_config_path.js

@@ -0,0 +1,90 @@
+import { existsSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+/**
+ * Portable key stored by the server for Cursor User globalStorage state.vscdb
+ * (see optimus_security/endpoint/log_config_file/handler._canonical_cursor_user_state_vscdb_path).
+ */
+export const PORTABLE_CURSOR_USER_STATE_VSCDB = 'Cursor/User/globalStorage/state.vscdb';
+function normalizeSlashes(p) {
+    return p.trim().replace(/\\/g, '/');
+}
+/**
+ * Canonical `file_path` for Cursor User globalStorage state.vscdb uploads, matching
+ * `optimus_security.endpoint.log_config_file.handler._canonical_cursor_user_state_vscdb_path`.
+ * Always use before sending log-config-file(s) so findings dedupe regardless of absolute vs portable input.
+ */
+export function canonicalCursorUserStateVscdbPath(filePath) {
+    const s = normalizeSlashes(filePath);
+    const lower = s.toLowerCase();
+    const needle = 'cursor/user/globalstorage/state.vscdb';
+    const idx = lower.indexOf(needle);
+    if (idx >= 0) {
+        const tail = s.slice(idx + needle.length);
+        if (tail.startsWith('#')) {
+            return `${PORTABLE_CURSOR_USER_STATE_VSCDB}${tail}`;
+        }
+        if (tail === '') {
+            return PORTABLE_CURSOR_USER_STATE_VSCDB;
+        }
+        return filePath.trim();
+    }
+    const vscdb = 'state.vscdb';
+    const vlen = vscdb.length;
+    const slashKey = '/' + vscdb;
+    let start;
+    const pos = lower.lastIndexOf(slashKey);
+    if (pos >= 0) {
+        start = pos + 1;
+    }
+    else if (lower.startsWith(vscdb)) {
+        start = 0;
+    }
+    else {
+        return filePath.trim();
+    }
+    const tail = s.slice(start + vlen);
+    if (tail.startsWith('#') || tail === '') {
+        return `${PORTABLE_CURSOR_USER_STATE_VSCDB}${tail}`;
+    }
+    return filePath.trim();
+}
+function cursorStateVscdbAbsoluteBasePaths() {
+    const h = homedir();
+    if (process.platform === 'darwin') {
+        const support = join(h, 'Library', 'Application Support');
+        const variants = ['Cursor', 'Cursor - Insiders', 'Cursor Nightly', 'Cursor Next'];
+        return variants.map((name) => join(support, name, 'User', 'globalStorage', 'state.vscdb'));
+    }
+    if (process.platform === 'win32') {
+        const appData = process.env.APPDATA;
+        if (appData)
+            return [join(appData, 'Cursor', 'User', 'globalStorage', 'state.vscdb')];
+        return [join(h, 'AppData', 'Roaming', 'Cursor', 'User', 'globalStorage', 'state.vscdb')];
+    }
+    return [join(h, '.config', 'Cursor', 'User', 'globalStorage', 'state.vscdb')];
+}
+/**
+ * Expand server-side portable Cursor state.vscdb paths to a local absolute path.
+ * No-op for absolute paths and for relative paths that are not the portable vscdb key.
+ */
+export function resolveRemediationConfigPath(configFilePath) {
+    const t = normalizeSlashes(configFilePath);
+    const hash = t.indexOf('#');
+    const base = hash >= 0 ? t.slice(0, hash) : t;
+    const frag = hash >= 0 ? t.slice(hash) : '';
+    const baseNorm = base.replace(/\/+$/, '');
+    if (baseNorm.startsWith('/') || /^[a-zA-Z]:\//.test(baseNorm)) {
+        return configFilePath;
+    }
+    const portable = PORTABLE_CURSOR_USER_STATE_VSCDB;
+    if (baseNorm !== portable && !baseNorm.endsWith('/' + portable)) {
+        return configFilePath;
+    }
+    const candidates = cursorStateVscdbAbsoluteBasePaths();
+    for (const abs of candidates) {
+        if (existsSync(abs))
+            return `${abs}${frag}`;
+    }
+    return `${candidates[0]}${frag}`;
+}