log-llm-config-staging 1.3.44

package/dist/log_uuid/startup_sender.js

@@ -0,0 +1,74 @@
+import { createSignature as createSharedSignature } from 'optimus-tofu-staging';
+import { classifyEndpointResponse, postStartupPayload } from '../endpoint_client/index.js';
+import { resolveHardwareUuid } from './hardware_uuid.js';
+import { writeAuthKey, readStoredAuthKey, loadEndpointBase, buildStartupEndpointUrl } from './auth_key_store.js';
+import { resolveUserProfile } from './user_profile.js';
+const canonicalizeValue = (value) => {
+    if (Array.isArray(value))
+        return value.map(canonicalizeValue);
+    if (value && typeof value === 'object') {
+        const result = {};
+        for (const key of Object.keys(value).sort())
+            result[key] = canonicalizeValue(value[key]);
+        return result;
+    }
+    return value;
+};
+const canonicalStringify = (value) => JSON.stringify(canonicalizeValue(value));
+const createSignature = (payloadSummary, keyHex) => {
+    // Keep this adapter for backward compatibility of public exports in log_uuid.
+    return createSharedSignature(payloadSummary, keyHex);
+};
+const getMetadata = () => ({
+    github_username: process.env.GITHUB_USER || process.env.GH_USER || '',
+    org_identifier: process.env.GITHUB_ORG || '',
+    repo_identifier: process.env.GITHUB_REPOSITORY || '',
+    branch: process.env.GITHUB_REF_NAME || process.env.BRANCH_NAME || '',
+    commit_sha: process.env.GITHUB_SHA || '',
+    agent_name: process.env.OPTIMUS_AGENT || '',
+    user_profile: { ...resolveUserProfile() },
+});
+function buildRequestBody(hardwareUuid, timestamp) {
+    const payloadSummary = { timestamp, directory: process.cwd(), hardware_uuid: hardwareUuid };
+    const requestBody = { hardware_uuid: hardwareUuid, payload: payloadSummary, metadata: getMetadata(), scan_timestamp: timestamp };
+    const storedKey = readStoredAuthKey();
+    if (storedKey?.key && storedKey.hardware_uuid === hardwareUuid) {
+        requestBody.signature = createSignature(payloadSummary, storedKey.key);
+        if (storedKey.key_id)
+            requestBody.key_id = storedKey.key_id;
+        console.log('Using stored auth key to sign startup payload.');
+    }
+    else if (storedKey && storedKey.hardware_uuid !== hardwareUuid) {
+        console.warn('Stored auth key hardware UUID mismatch; requesting new key from server.');
+    }
+    else {
+        console.log('No stored auth key found; requesting new key from server.');
+    }
+    return requestBody;
+}
+const maybeSendToEndpoint = async (hardwareUuid, timestamp) => {
+    const startupEndpointUrl = buildStartupEndpointUrl(loadEndpointBase());
+    const requestBody = buildRequestBody(hardwareUuid, timestamp);
+    try {
+        const response = await postStartupPayload(startupEndpointUrl, requestBody);
+        const result = classifyEndpointResponse(response);
+        console.log(result.message);
+        if (result.branch === 'key_issued' && result.key)
+            writeAuthKey(result.key, result.keyId, hardwareUuid);
+    }
+    catch (error) {
+        console.error(`Failed to contact endpoint: ${error.message}`);
+    }
+};
+const main = async () => {
+    const timestamp = new Date().toISOString();
+    try {
+        const hardwareUuid = resolveHardwareUuid();
+        await maybeSendToEndpoint(hardwareUuid, timestamp);
+    }
+    catch (error) {
+        console.error(`Unable to log hardware UUID: ${error.message}`);
+        process.exitCode = 1;
+    }
+};
+export { canonicalizeValue, canonicalStringify, createSignature, getMetadata, maybeSendToEndpoint, main };

package/dist/log_uuid/user_profile.js

@@ -0,0 +1,178 @@
+import { execFileSync } from 'node:child_process';
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { readCommandOutput, resolveHardwareUuid } from './hardware_uuid.js';
+const safeJsonParse = (raw) => {
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+};
+const readCursorCachedEmailFromVscdb = () => {
+    const dbPath = path.join(os.homedir(), 'Library/Application Support/Cursor/User/globalStorage/state.vscdb');
+    if (!fs.existsSync(dbPath))
+        return '';
+    try {
+        const out = execFileSync('sqlite3', [dbPath, "select value from ItemTable where key='cursorAuth/cachedEmail';"], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();
+        return out;
+    }
+    catch {
+        return '';
+    }
+};
+/** Fallback: `storage.json` key path `cursor.auth.email` (design_notes). */
+const readCursorCachedEmailFromStorageJson = () => {
+    const fp = path.join(os.homedir(), 'Library/Application Support/Cursor/User/globalStorage/storage.json');
+    if (!fs.existsSync(fp))
+        return '';
+    try {
+        const parsed = safeJsonParse(fs.readFileSync(fp, { encoding: 'utf8' }));
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+            return '';
+        const root = parsed;
+        const cursor = root.cursor;
+        if (!cursor || typeof cursor !== 'object' || Array.isArray(cursor))
+            return '';
+        const auth = cursor.auth;
+        if (!auth || typeof auth !== 'object' || Array.isArray(auth))
+            return '';
+        const email = auth.email;
+        return typeof email === 'string' ? email.trim() : '';
+    }
+    catch {
+        return '';
+    }
+};
+const readCursorCachedEmail = () => readCursorCachedEmailFromVscdb() || readCursorCachedEmailFromStorageJson();
+const readClaudeAuthEmailFromCli = () => {
+    try {
+        const out = execFileSync('claude', ['auth', 'status'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        if (!out)
+            return '';
+        const parsed = safeJsonParse(out);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            const email = parsed.email;
+            return typeof email === 'string' ? email.trim() : '';
+        }
+    }
+    catch {
+        return '';
+    }
+    return '';
+};
+/** Fallback: optional Claude config files under ~/.claude/ (design_notes). */
+const readClaudeEmailFromHomeFiles = () => {
+    const candidates = [
+        path.join(os.homedir(), '.claude/.credentials.json'),
+        path.join(os.homedir(), '.claude/.claude.json'),
+    ];
+    for (const fp of candidates) {
+        if (!fs.existsSync(fp))
+            continue;
+        try {
+            const parsed = safeJsonParse(fs.readFileSync(fp, { encoding: 'utf8' }));
+            if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+                continue;
+            const email = parsed.email;
+            if (typeof email === 'string' && email.includes('@'))
+                return email.trim();
+        }
+        catch {
+            /* try next */
+        }
+    }
+    return '';
+};
+const readClaudeAuthEmail = () => readClaudeAuthEmailFromCli().trim() || readClaudeEmailFromHomeFiles();
+const readMacUsername = () => {
+    const fromEnv = process.env.OPTIMUS_MAC_USERNAME?.trim() ||
+        process.env.USER?.trim() ||
+        process.env.LOGNAME?.trim() ||
+        '';
+    if (fromEnv)
+        return fromEnv;
+    return readCommandOutput('id -un');
+};
+/**
+ * Matches design_notes order: `gh api user` (login), then CI-style env, then `git config user.name`.
+ * `metadata.github_username` in startup_sender still uses env only; this field is the richer probe.
+ */
+const readGithubUsername = () => {
+    try {
+        const out = execFileSync('gh', ['api', 'user', '--jq', '.login'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            maxBuffer: 1024 * 1024,
+            // CI often has `gh` installed; without a cap it can block on auth/network and hang callers.
+            timeout: 3500,
+        }).trim();
+        if (out)
+            return out;
+    }
+    catch {
+        /* gh missing or not authenticated */
+    }
+    return (process.env.GITHUB_USER?.trim() ||
+        process.env.GH_USER?.trim() ||
+        readCommandOutput('git config user.name'));
+};
+const readUserProfileFromEnvOrFile = () => {
+    const inline = process.env.OPTIMUS_USER_PROFILE_JSON?.trim();
+    if (inline) {
+        const parsed = safeJsonParse(inline);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed))
+            return parsed;
+    }
+    const filePath = process.env.OPTIMUS_USER_PROFILE_FILE?.trim();
+    if (filePath && fs.existsSync(filePath)) {
+        const parsed = safeJsonParse(fs.readFileSync(filePath, { encoding: 'utf8' }));
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed))
+            return parsed;
+    }
+    return null;
+};
+const isPlausibleUuid = (s) => /^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/i.test(s.trim());
+/**
+ * macOS Open Directory **GeneratedUID** for the console user (same concept as Directory Utility).
+ * See `dscl . -read /Users/<shortname> GeneratedUID`. Not the hardware UUID (that is `machineuuid`).
+ *
+ * `OPTIMUS_MAC_GENERATED_UID` overrides for tests or locked-down environments where `dscl` is unavailable.
+ */
+const readMacAccountGeneratedUid = () => {
+    const env = process.env.OPTIMUS_MAC_GENERATED_UID?.trim();
+    if (env && isPlausibleUuid(env))
+        return env.trim().toLowerCase();
+    if (process.platform !== 'darwin')
+        return '';
+    const user = readMacUsername();
+    if (!user || !/^[a-zA-Z0-9._-]+$/.test(user))
+        return '';
+    try {
+        const out = execFileSync('dscl', ['.', '-read', `/Users/${user}`, 'GeneratedUID'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+        const m = out.match(/GeneratedUID:\s*([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})/);
+        if (m?.[1] && isPlausibleUuid(m[1]))
+            return m[1].toLowerCase();
+    }
+    catch {
+        return '';
+    }
+    return '';
+};
+const buildDefaultUserProfile = () => ({
+    generateduuid: readMacAccountGeneratedUid() || crypto.randomUUID(),
+    machineuuid: resolveHardwareUuid(),
+    mac_username: readMacUsername(),
+    github_username: readGithubUsername(),
+    claude_email: readClaudeAuthEmail(),
+    cursor_email: readCursorCachedEmail(),
+});
+/** Best-effort local user profile object for startup metadata. */
+const resolveUserProfile = () => readUserProfileFromEnvOrFile() ?? buildDefaultUserProfile();
+export { resolveUserProfile };

package/dist/types/config_file_types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "log-llm-config-staging",
+  "version": "1.3.44",
+  "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
+  "type": "module",
+  "bin": {
+    "log-llm-config-staging": "dist/cli.js",
+    "log_uuid-staging": "dist/log_uuid/index.js",
+    "log_config_files-staging": "dist/log_config_files/index.js",
+    "log_sensitive_paths_audit-staging": "dist/log_sensitive_paths_audit.js",
+    "apply-deferred-vscdb-staging": "dist/apply_deferred_vscdb.js",
+    "execute-trusted-restarts-staging": "dist/execute_trusted_restarts.js",
+    "compliance_prompt_gate-staging": "dist/compliance_prompt_gate.js",
+    "compliance_check_runner-staging": "dist/compliance_check_runner.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "ts-node src/cli.ts",
+    "lint": "eslint \"src/**/*.ts\"",
+    "prepare": "npm run build",
+    "pretest": "npm run build",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "keywords": [
+    "mcp",
+    "config",
+    "logging",
+    "npx"
+  ],
+  "author": "",
+  "license": "UNLICENSED",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/optimuslabs-io/optimus-secure-fdn.git",
+    "directory": "npx_packages/staging/log-llm-config"
+  },
+  "bugs": {
+    "url": "https://github.com/optimuslabs-io/optimus-secure-fdn/issues"
+  },
+  "homepage": "https://github.com/optimuslabs-io/optimus-secure-fdn/tree/main/npx_packages/staging/log-llm-config#readme",
+  "files": [
+    "dist/**/*",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "@types/node": "^24.10.1",
+    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/ui": "^3.2.4",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.5",
+    "vitest": "^3.2.4"
+  },
+  "dependencies": {
+    "axios": "^1.15.0",
+    "canonicalize": "^2.1.0",
+    "optimus-tofu-staging": "file:../optimus-tofu"
+  }
+}