log-llm-config-staging 1.3.44

package/dist/log_config_files/runtime/sqlite_binary.js

@@ -0,0 +1,92 @@
+import { existsSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { join } from 'node:path';
+let cached;
+/**
+ * Resolve the sqlite3 CLI for remediations and vscdb reads.
+ *
+ * Cursor/IDE-launched hooks often inherit a minimal PATH (no Homebrew), while macOS still ships
+ * `/usr/bin/sqlite3`. Prefer explicit paths before `which` / bare `sqlite3`.
+ *
+ * Override: `OPTIMUS_SQLITE3`, `SQLITE3_PATH`, or `SQLITE3_BIN` = absolute path to the binary.
+ */
+export function resolveSqlite3Binary() {
+    if (cached !== undefined)
+        return cached;
+    for (const envName of ['OPTIMUS_SQLITE3', 'SQLITE3_PATH', 'SQLITE3_BIN']) {
+        const v = process.env[envName]?.trim();
+        if (v && existsSync(v)) {
+            cached = v;
+            return cached;
+        }
+    }
+    const candidates = [];
+    if (process.platform === 'darwin') {
+        candidates.push('/usr/bin/sqlite3', '/opt/homebrew/bin/sqlite3', '/usr/local/bin/sqlite3', '/opt/local/bin/sqlite3');
+    }
+    else if (process.platform === 'linux') {
+        candidates.push('/usr/bin/sqlite3', '/usr/local/bin/sqlite3');
+    }
+    else if (process.platform === 'win32') {
+        const pf = process.env.ProgramFiles;
+        if (pf) {
+            candidates.push(join(pf, 'Git', 'usr', 'bin', 'sqlite3.exe'));
+        }
+    }
+    for (const p of candidates) {
+        if (p && existsSync(p)) {
+            cached = p;
+            return cached;
+        }
+    }
+    try {
+        if (process.platform === 'win32') {
+            const out = execFileSync('where.exe', ['sqlite3'], {
+                encoding: 'utf8',
+                stdio: ['ignore', 'pipe', 'ignore'],
+            }).trim();
+            const first = out.split(/\r?\n/).find((line) => {
+                const t = line.trim();
+                return t.length > 0 && existsSync(t);
+            });
+            if (first) {
+                cached = first.trim();
+                return cached;
+            }
+        }
+        else {
+            for (const whichBin of ['which', '/usr/bin/which']) {
+                try {
+                    const out = execFileSync(whichBin, ['sqlite3'], {
+                        encoding: 'utf8',
+                        stdio: ['ignore', 'pipe', 'ignore'],
+                    }).trim();
+                    const first = out.split(/\n/)[0]?.trim();
+                    if (first && existsSync(first)) {
+                        cached = first;
+                        return cached;
+                    }
+                }
+                catch {
+                    /* try next */
+                }
+            }
+        }
+    }
+    catch {
+        /* fall through */
+    }
+    try {
+        execFileSync('sqlite3', ['--version'], { stdio: 'ignore' });
+        cached = 'sqlite3';
+        return cached;
+    }
+    catch {
+        cached = null;
+        return null;
+    }
+}
+/** Test-only: reset memoized path after env/path changes. */
+export function clearSqlite3BinaryCacheForTests() {
+    cached = undefined;
+}

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -0,0 +1,52 @@
+/**
+ * Execute autofix restart_command strings only if allowlisted (same rules as gate enqueue).
+ * Used by the compliance shell hook via execute_trusted_restarts CLI — single place for allowlist + spawn.
+ */
+import { spawn } from 'node:child_process';
+import { appendComplianceRunnerLine, hookRunLog } from './hook_logger.js';
+import { getDeferredVscdbRestartLogPath } from './management_storage.js';
+import { isTrustedRestartCommandForAutofix } from './remediation_sync.js';
+const FALLBACK_PATH = '/usr/bin:/bin:/usr/local/bin:/opt/homebrew/bin';
+function isDeferredVscdbRestart(cmd) {
+    return cmd.includes('OPTIMUS_DEFERRED_LOG') || cmd.includes('apply_deferred_vscdb');
+}
+/** Spawn each trusted command detached (same pattern as former compliance_prompt_gate fireRestartCommands). */
+export function executeTrustedRestartCommands(commands) {
+    for (const cmd of commands) {
+        const t = cmd.trim();
+        if (!t)
+            continue;
+        if (!isTrustedRestartCommandForAutofix(cmd)) {
+            const msg = `rejected_not_allowlisted prefix=${t.slice(0, 200)}`;
+            hookRunLog(`execute_trusted_restarts: ${msg}`);
+            appendComplianceRunnerLine('RESTART', msg);
+            continue;
+        }
+        const deferred = isDeferredVscdbRestart(t);
+        const detailPath = getDeferredVscdbRestartLogPath();
+        if (deferred) {
+            hookRunLog(`execute_trusted_restarts: spawning deferred state.vscdb restart (killall Cursor, then apply + reopen). Step-by-step log → ${detailPath}`);
+            appendComplianceRunnerLine('RESTART', `spawn deferred_vscdb_restart sh -c (detail_log=${detailPath}) cwd_inherited_from_node`);
+        }
+        else {
+            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance_runner.log [RESTART])');
+            appendComplianceRunnerLine('RESTART', 'spawn trusted_restart sh -c (non-deferred)');
+        }
+        const child = spawn('sh', ['-c', t], {
+            detached: true,
+            stdio: 'ignore',
+            env: {
+                ...process.env,
+                PATH: process.env.PATH && String(process.env.PATH).trim().length > 0
+                    ? process.env.PATH
+                    : FALLBACK_PATH,
+            },
+        });
+        child.on('error', (err) => {
+            const emsg = err instanceof Error ? err.message : String(err);
+            hookRunLog(`execute_trusted_restarts: spawn failed ${emsg}`);
+            appendComplianceRunnerLine('RESTART', `spawn_error ${emsg}`);
+        });
+        child.unref();
+    }
+}

package/dist/log_config_files/sender/batch_sender.js

@@ -0,0 +1,220 @@
+import { postStartupPayload, patchPayload } from '../../endpoint_client/index.js';
+import { createSignature } from './signing.js';
+import { loadEndpointBase } from './endpoint_config.js';
+import { hookRunLog } from '../runtime/hook_logger.js';
+import { canonicalCursorUserStateVscdbPath } from '../runtime/remediation_config_path.js';
+/** Chunk size per batch request. */
+export const BATCH_CHUNK_SIZE = 20;
+const MAX_BATCH_SIZE_BYTES = 500 * 1024; // 500KB
+function resolveApiBase(endpoint) {
+    try {
+        return new URL(endpoint).origin;
+    }
+    catch {
+        return endpoint.replace(/\/+$/, '');
+    }
+}
+function estimateConfigFileSize(configFile) {
+    if (configFile.collect_style === 'metadata')
+        return 300;
+    const contentStr = typeof configFile.raw_content === 'string'
+        ? configFile.raw_content
+        : JSON.stringify(configFile.raw_content || {});
+    return (configFile.file_type?.length || 0) + (configFile.file_path?.length || 0) + contentStr.length + 80 + Math.ceil(contentStr.length * 0.3);
+}
+function buildBatchChunks(configFiles, basePayloadSize) {
+    const chunks = [];
+    let currentChunk = [];
+    let currentChunkSize = basePayloadSize;
+    for (const configFile of configFiles) {
+        const fileSize = estimateConfigFileSize(configFile);
+        if ((currentChunkSize + fileSize > MAX_BATCH_SIZE_BYTES || currentChunk.length >= BATCH_CHUNK_SIZE) && currentChunk.length > 0) {
+            chunks.push(currentChunk);
+            currentChunk = [];
+            currentChunkSize = basePayloadSize;
+        }
+        if (fileSize > MAX_BATCH_SIZE_BYTES) {
+            const note = configFile.collect_style === 'metadata' ? ' (metadata only)' : '';
+            hookRunLog(`warning: file ${configFile.file_path} is very large (${Math.round(fileSize / 1024)}KB)${note}`);
+            if (currentChunk.length > 0) {
+                chunks.push(currentChunk);
+                currentChunk = [];
+                currentChunkSize = basePayloadSize;
+            }
+            chunks.push([configFile]);
+            continue;
+        }
+        currentChunk.push(configFile);
+        currentChunkSize += fileSize;
+    }
+    if (currentChunk.length > 0)
+        chunks.push(currentChunk);
+    return chunks;
+}
+function buildChunkBody(chunk, hardwareUuid, authKey, hookRequestId, metadata) {
+    const config_files = chunk.map((c) => ({
+        file_type: c.file_type,
+        file_path: canonicalCursorUserStateVscdbPath(c.file_path),
+        raw_content: c.raw_content,
+    }));
+    const payload = { hardware_uuid: hardwareUuid, metadata, config_files };
+    if (hookRequestId != null)
+        payload.hook_request_id = hookRequestId;
+    const signature = createSignature(payload, authKey.key);
+    return { ...payload, signature, key_id: authKey.key_id || '' };
+}
+function splitChunk(chunks, chunkIndex) {
+    const chunk = chunks[chunkIndex];
+    const half = Math.ceil(chunk.length / 2);
+    chunks[chunkIndex] = chunk.slice(0, half);
+    chunks.splice(chunkIndex + 1, 0, chunk.slice(half));
+}
+async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequestId, ingestSessionId) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-files/`;
+    const metadata = { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' };
+    const basePayloadSize = JSON.stringify({ hardware_uuid: hardwareUuid, metadata }).length + 800;
+    const chunks = buildBatchChunks(configFiles, basePayloadSize);
+    const totals = { accepted: 0, failed: 0 };
+    let chunkIndex = 0;
+    while (chunkIndex < chunks.length) {
+        let chunk = chunks[chunkIndex];
+        let body = buildChunkBody(chunk, hardwareUuid, authKey, hookRequestId, metadata);
+        if (ingestSessionId) {
+            const payload = { hardware_uuid: hardwareUuid, metadata, config_files: body.config_files, ingest_session_id: ingestSessionId, ...(hookRequestId != null ? { hook_request_id: hookRequestId } : {}) };
+            const signature = createSignature(payload, authKey.key);
+            body = { ...payload, signature, key_id: authKey.key_id || '' };
+        }
+        const bodySize = new TextEncoder().encode(JSON.stringify(body)).length;
+        // Pre-send size check: split if too large
+        if (bodySize > MAX_BATCH_SIZE_BYTES && chunk.length > 1) {
+            hookRunLog(`batch chunk too large (${Math.round(bodySize / 1024)}KB), splitting ${chunk.length} files`);
+            splitChunk(chunks, chunkIndex);
+            // Don't increment — retry with the smaller first half
+            continue;
+        }
+        const fileInfo = chunk.length === 1 ? `: ${chunk[0].file_path}` : chunk.length <= 3 ? `: ${chunk.map((f) => f.file_path.split('/').pop()).join(', ')}` : '';
+        hookRunLog(`batch send ${chunkIndex + 1}/${chunks.length}: ${chunk.length} file(s) (~${Math.round(bodySize / 1024)}KB)${fileInfo}`);
+        const timeoutMs = Math.min(20000 + Math.ceil(bodySize / (1024 * 1024)) * 15000, 90000);
+        try {
+            const response = (await postStartupPayload(apiUrl, body, timeoutMs));
+            if (response.status === 'accepted') {
+                totals.accepted += typeof response.accepted === 'number' ? response.accepted : chunk.length;
+                const failedList = Array.isArray(response.failed) ? response.failed : [];
+                totals.failed += failedList.length;
+                if (failedList.length > 0)
+                    hookRunLog(`batch chunk failed items: ${JSON.stringify(failedList.slice(0, 3))}`);
+            }
+            else {
+                totals.failed += chunk.length;
+                hookRunLog(`batch chunk failed: ${response.error || response.message || response.status}`);
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            hookRunLog(`batch chunk error: ${errorMessage}`);
+            totals.failed += chunk.length;
+        }
+        chunkIndex++;
+    }
+    return totals;
+}
+async function sendIngestSessionStart(hardwareUuid, authKey) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/ingest-session/start/`;
+    const payload = { hardware_uuid: hardwareUuid, action: 'ingest_session_start' };
+    const signature = createSignature(payload, authKey.key);
+    const body = { ...payload, signature, key_id: authKey.key_id || '' };
+    try {
+        const response = (await postStartupPayload(apiUrl, body));
+        if (response.status === 'accepted' && typeof response.ingest_session_id === 'string')
+            return response.ingest_session_id;
+        hookRunLog(`ingest-session start failed: ${response.error || response.status || 'unknown'}`);
+        return null;
+    }
+    catch (error) {
+        hookRunLog(`ingest-session start error: ${error instanceof Error ? error.message : String(error)}`);
+        return null;
+    }
+}
+async function sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/ingest-session/finish/`;
+    const payload = { hardware_uuid: hardwareUuid, action: 'ingest_session_finish', ingest_session_id: ingestSessionId };
+    const signature = createSignature(payload, authKey.key);
+    const body = { ...payload, signature, key_id: authKey.key_id || '' };
+    try {
+        const response = (await postStartupPayload(apiUrl, body, 120000));
+        if (response.status === 'accepted')
+            return true;
+        hookRunLog(`ingest-session finish failed: ${response.error || response.status || 'unknown'}`);
+        return false;
+    }
+    catch (error) {
+        hookRunLog(`ingest-session finish error: ${error instanceof Error ? error.message : String(error)}`);
+        return false;
+    }
+}
+async function sendConfigFile(configFile, hardwareUuid, authKey) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-file/`;
+    const uploadPath = canonicalCursorUserStateVscdbPath(configFile.file_path);
+    const payload = { hardware_uuid: hardwareUuid, file_type: configFile.file_type, file_path: uploadPath, raw_content: configFile.raw_content };
+    const signature = createSignature(payload, authKey.key);
+    const body = { ...payload, signature, key_id: authKey.key_id || '', metadata: { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' } };
+    try {
+        const response = await postStartupPayload(apiUrl, body);
+        if (response.status !== 'accepted') {
+            hookRunLog(`sendConfigFile: rejected status=${response.status} error=${response.error ?? ''} path=${uploadPath}`);
+        }
+        return response.status === 'accepted';
+    }
+    catch (err) {
+        hookRunLog(`sendConfigFile: request failed path=${uploadPath} err=${err instanceof Error ? err.message : String(err)}`);
+        return false;
+    }
+}
+async function sendHookRequestCreate(hardwareUuid, authKey, hookType, workspaceRepo) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/hook-request/`;
+    const workspace_repo = String(workspaceRepo || '').trim().slice(0, 512);
+    const payload = { hardware_uuid: hardwareUuid, hook_type: hookType, workspace_repo, manifest: [] };
+    const signature = createSignature(payload, authKey.key);
+    const body = { ...payload, signature, key_id: authKey.key_id || '' };
+    try {
+        hookRunLog(`hook-request create (step 1) posting to ${apiUrl}`);
+        const response = (await postStartupPayload(apiUrl, body));
+        if (response.status === 'accepted' && typeof response.id === 'number') {
+            hookRunLog(`hook-request created id=${response.id}`);
+            return response.id;
+        }
+        hookRunLog(`hook-request create failed: ${response.error || response.status}`);
+        return null;
+    }
+    catch (error) {
+        hookRunLog(`hook-request create error: ${error instanceof Error ? error.message : String(error)}`);
+        return null;
+    }
+}
+async function sendHookRequestUpdateManifest(hardwareUuid, authKey, hookRequestId, manifest) {
+    const endpoint = loadEndpointBase();
+    const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/hook-request/${hookRequestId}/`;
+    const manifestNormalized = manifest.slice(0, 1000).map((x) => (x != null && typeof x === 'string' ? x.trim() : String(x)).slice(0, 2048));
+    const payload = { hardware_uuid: hardwareUuid, hook_request_id: hookRequestId, manifest: manifestNormalized };
+    const signature = createSignature(payload, authKey.key);
+    const body = { ...payload, signature, key_id: authKey.key_id || '' };
+    try {
+        const data = (await patchPayload(apiUrl, body));
+        if (data.status === 'accepted') {
+            hookRunLog(`hook-request manifest updated (${manifestNormalized.length} paths)`);
+            return true;
+        }
+        hookRunLog(`hook-request update failed: ${data.error ?? data.status ?? 'unknown'}`);
+        return false;
+    }
+    catch (error) {
+        hookRunLog(`hook-request update error: ${error instanceof Error ? error.message : String(error)}`);
+        return false;
+    }
+}
+export { sendConfigFilesBatch, sendConfigFile, sendHookRequestCreate, sendHookRequestUpdateManifest, sendIngestSessionStart, sendIngestSessionFinish, estimateConfigFileSize };

package/dist/log_config_files/sender/endpoint_config.js

@@ -0,0 +1,24 @@
+import { getEndpointSource as getSharedEndpointSource, loadEndpointBase as loadSharedEndpointBase, } from "optimus-tofu-staging";
+/**
+ * log-llm-config historically only honored OPTIMUS_ENDPOINT (plus file / default).
+ * OPTIMUS_API_URL is reserved for optimus-tool-call; omit it here for backward compatibility.
+ */
+function envWithoutOptimusApiUrl(env) {
+    const copy = { ...env };
+    delete copy.OPTIMUS_API_URL;
+    return copy;
+}
+export function loadEndpointBase(options) {
+    const env = envWithoutOptimusApiUrl(options?.env ?? process.env);
+    return loadSharedEndpointBase({ cwd: options?.cwd, env });
+}
+/** Where endpoint came from (for logging). Matches legacy semantics (never driven by OPTIMUS_API_URL alone). */
+export function getEndpointSource(options) {
+    const env = envWithoutOptimusApiUrl(options?.env ?? process.env);
+    const source = getSharedEndpointSource({ cwd: options?.cwd, env });
+    if (source === "file")
+        return "file";
+    if (source === "default")
+        return "default";
+    return "env";
+}

package/dist/log_config_files/sender/signing.js

@@ -0,0 +1 @@
+export { canonicalizePayload, createSignature } from 'optimus-tofu-staging';

package/dist/log_sensitive_paths_audit.js

@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+/**
+ * Sensitive paths audit: writes sensitive_paths_audit.txt listing which sensitive
+ * paths exist on this machine. NEVER reads or sends sensitive file contents—existence only.
+ *
+ * Path templates are fetched from the backend (GET api/file-path-registry/sensitive-paths-audit-candidates/).
+ * The audit is sent with the rest of the config files in log_config_files (same auth, same batch).
+ */
+import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { getSensitivePathsAuditCandidates } from './endpoint_client/index.js';
+import { OPT_AI_SEC_MANAGEMENT_REL } from './bootstrap_constants.js';
+const AUDIT_FILENAME = 'sensitive_paths_audit.txt';
+function loadEndpointBase() {
+    if (process.env.OPTIMUS_ENDPOINT) {
+        return process.env.OPTIMUS_ENDPOINT.replace(/\/+$/, '') + '/';
+    }
+    const defaultEndpoint = 'https://demo.optimuslabs.io/';
+    const envPath = join(process.cwd(), 'optimus_dev.env');
+    try {
+        if (!existsSync(envPath))
+            return defaultEndpoint;
+        const content = readFileSync(envPath, 'utf8');
+        for (const line of content.split(/\r?\n/)) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                continue;
+            const [key, ...rest] = trimmed.split('=');
+            if (key === 'OPTIMUS_ENDPOINT') {
+                const value = rest.join('=').trim();
+                if (value)
+                    return value.replace(/\/+$/, '') + '/';
+                break;
+            }
+        }
+    }
+    catch {
+        // ignore
+    }
+    return defaultEndpoint;
+}
+function expandPath(template, cwd) {
+    if (template.startsWith('~/')) {
+        return join(homedir(), template.slice(2));
+    }
+    if (template.startsWith('/')) {
+        return template;
+    }
+    return join(cwd, template);
+}
+/**
+ * Write sensitive_paths_audit.txt under outputDir. pathTemplates from backend (~ = home).
+ * Lists one path per line for paths that exist. No file contents are read.
+ * Overwrites the file on each run (same as hook_log.txt); does not append.
+ */
+export function writeSensitivePathsAudit(outputDir, pathTemplates, cwd = process.cwd()) {
+    const existing = [];
+    for (const template of pathTemplates) {
+        const resolved = expandPath(template, cwd);
+        if (existsSync(resolved)) {
+            existing.push(resolved);
+        }
+    }
+    mkdirSync(outputDir, { recursive: true });
+    const outPath = join(outputDir, AUDIT_FILENAME);
+    writeFileSync(outPath, existing.join('\n') + (existing.length ? '\n' : ''), 'utf8');
+    return existing;
+}
+/**
+ * Run audit: fetch candidates from backend, check existence, write file. Returns paths for sending.
+ * Used by log_config_files to include the audit in the same batch (same auth).
+ */
+export async function runSensitivePathsAudit(endpointBase, outputDir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL), cwd = process.cwd()) {
+    const response = await getSensitivePathsAuditCandidates(endpointBase);
+    const pathTemplates = response?.paths ?? [];
+    if (pathTemplates.length === 0 && !response) {
+        console.warn('Could not fetch sensitive path candidates from backend; writing empty audit.');
+    }
+    const paths = writeSensitivePathsAudit(outputDir, pathTemplates, cwd);
+    const outPath = join(outputDir, AUDIT_FILENAME);
+    console.log(`Sensitive paths audit written to ${outPath} (${paths.length} path(s) present).`);
+    return { paths };
+}
+export async function main() {
+    const outputDir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
+    const endpointBase = loadEndpointBase();
+    await runSensitivePathsAudit(endpointBase, outputDir, process.cwd());
+    process.exit(0);
+}
+if (import.meta.url === `file://${process.argv[1]}` || process.argv[1]?.includes('log_sensitive_paths_audit')) {
+    main().catch((err) => {
+        console.error('Sensitive paths audit failed:', err);
+        process.exit(1);
+    });
+}
+export { AUDIT_FILENAME };

package/dist/log_uuid/auth_key_store.js

@@ -0,0 +1,71 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import path from 'node:path';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../bootstrap_constants.js';
+const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
+const OPTIMUS_ENV_FILENAME = 'optimus_dev.env';
+const STARTUP_ENDPOINT_SUFFIX = '/endpoint_security/startup/';
+const getAuthKeyPath = () => {
+    const homeDir = process.env.HOME || process.env.USERPROFILE;
+    if (!homeDir)
+        return null;
+    return path.join(homeDir, AUTH_KEY_RELATIVE_PATH);
+};
+const writeAuthKey = (key, keyId, hardwareUuid) => {
+    const authPath = getAuthKeyPath();
+    if (!authPath) {
+        console.warn('Unable to determine home directory; cannot store auth key.');
+        return;
+    }
+    mkdirSync(path.dirname(authPath), { recursive: true, mode: 0o700 });
+    writeFileSync(authPath, JSON.stringify({ key, key_id: keyId ?? null, hardware_uuid: hardwareUuid, stored_at: new Date().toISOString() }, null, 2), { encoding: 'utf8', mode: 0o600 });
+    console.log(`Stored auth key at ${authPath}`);
+};
+const readStoredAuthKey = () => {
+    const authPath = getAuthKeyPath();
+    if (!authPath || !existsSync(authPath))
+        return null;
+    try {
+        const parsed = JSON.parse(readFileSync(authPath, 'utf8'));
+        if (parsed?.key && parsed?.hardware_uuid)
+            return parsed;
+    }
+    catch (error) {
+        console.warn(`Unable to read stored auth key: ${error.message}`);
+    }
+    return null;
+};
+const loadEndpointBase = () => {
+    const DEFAULT_ENDPOINT = 'https://demo.optimuslabs.io/';
+    const fromEnv = process.env.OPTIMUS_ENDPOINT?.trim();
+    if (fromEnv)
+        return fromEnv;
+    const envPath = path.join(process.cwd(), OPTIMUS_ENV_FILENAME);
+    try {
+        if (!existsSync(envPath))
+            return DEFAULT_ENDPOINT;
+        const envContent = readFileSync(envPath, 'utf8');
+        for (const line of envContent.split(/\r?\n/)) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                continue;
+            const [key, ...rest] = trimmed.split('=');
+            if (key === 'OPTIMUS_ENDPOINT') {
+                const value = rest.join('=').trim();
+                if (value)
+                    return value;
+            }
+        }
+    }
+    catch { /* fall back to default */ }
+    return DEFAULT_ENDPOINT;
+};
+const normalizeBaseUrl = (rawUrl) => {
+    let base = rawUrl.trim();
+    if (!base)
+        throw new Error('OPTIMUS_ENDPOINT is empty');
+    base = base.replace(/\/+$/, '');
+    base = base.replace(/\/(optimus_security|endpoint_security)$/i, '');
+    return base;
+};
+const buildStartupEndpointUrl = (baseUrl) => `${normalizeBaseUrl(baseUrl)}${STARTUP_ENDPOINT_SUFFIX}`;
+export { getAuthKeyPath, writeAuthKey, readStoredAuthKey, loadEndpointBase, normalizeBaseUrl, buildStartupEndpointUrl };

package/dist/log_uuid/hardware_uuid.js

@@ -0,0 +1,35 @@
+import { execSync } from 'node:child_process';
+const readCommandOutput = (command) => {
+    try {
+        // execSync is used here with static strings only (no user input) - safe from injection
+        return execSync(command, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();
+    }
+    catch {
+        return '';
+    }
+};
+const readHardwareUuidFromCommands = () => {
+    const ioregOutput = readCommandOutput('ioreg -rd1 -c IOPlatformExpertDevice');
+    const ioregMatch = ioregOutput.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/i);
+    if (ioregMatch?.[1])
+        return ioregMatch[1];
+    const profilerOutput = readCommandOutput('system_profiler SPHardwareDataType');
+    const profilerMatch = profilerOutput.match(/Hardware UUID:\s*([A-F0-9-]+)/i);
+    if (profilerMatch?.[1])
+        return profilerMatch[1];
+    throw new Error('Unable to determine hardware UUID via ioreg or system_profiler.');
+};
+const normalizeHardwareUuid = (raw) => {
+    const trimmed = raw.trim();
+    const match = trimmed.match(/[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}/);
+    if (match)
+        return match[0];
+    return trimmed.replace(/^"+|"+$/g, '');
+};
+const resolveHardwareUuid = () => {
+    const envUuid = process.env.OPTIMUS_HARDWARE_UUID?.trim();
+    if (envUuid)
+        return normalizeHardwareUuid(envUuid);
+    return normalizeHardwareUuid(readHardwareUuidFromCommands());
+};
+export { readCommandOutput, readHardwareUuidFromCommands, normalizeHardwareUuid, resolveHardwareUuid };

package/dist/log_uuid/index.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+// Barrel — all public exports from sub-modules under ./log_uuid/.
+export { resolveHardwareUuid } from './hardware_uuid.js';
+export { getAuthKeyPath, writeAuthKey, readStoredAuthKey, loadEndpointBase, normalizeBaseUrl } from './auth_key_store.js';
+export { getMetadata, createSignature, maybeSendToEndpoint, main } from './startup_sender.js';
+export { buildLogUuidScriptLines, renderLogUuidScript } from './log_uuid_helper.js';
+// Entry point guard (when invoked directly via npx or node)
+if (import.meta.url === `file://${process.argv[1]}` || process.argv[1]?.includes('log_uuid')) {
+    const { main } = await import('./startup_sender.js');
+    void main();
+}

package/dist/log_uuid/log_uuid_helper.js

@@ -0,0 +1,30 @@
+export const buildLogUuidScriptLines = () => [
+    '#!/usr/bin/env bash',
+    'set -euo pipefail',
+    '',
+    'output_file="$(pwd)/uuid.txt"',
+    'timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")',
+    'if command -v ioreg >/dev/null 2>&1; then',
+    '  uuid_value=$(ioreg -rd1 -c IOPlatformExpertDevice | awk \'/IOPlatformUUID/ {gsub(/\\"/, "", $3); print $3}\')',
+    'elif command -v system_profiler >/dev/null 2>&1; then',
+    '  uuid_value=$(system_profiler SPHardwareDataType | awk \'/Hardware UUID/ {print $3}\')',
+    'else',
+    '  echo "Unable to locate hardware UUID utilities (ioreg/system_profiler)" >&2',
+    '  exit 1',
+    'fi',
+    '',
+    'if [ -z "$uuid_value" ]; then',
+    '  echo "Hardware UUID could not be determined" >&2',
+    '  exit 1',
+    'fi',
+    '',
+    'cat <<EOF | tee "$output_file"',
+    '===== Optimus UUID =====',
+    'Timestamp: $timestamp',
+    'Directory: $(pwd)',
+    'UUID: $uuid_value',
+    'EOF',
+    '',
+    'echo "UUID details saved to $output_file"'
+];
+export const renderLogUuidScript = () => buildLogUuidScriptLines().join('\n');