log-llm-config-staging 1.3.72 → 1.3.74

package/dist/cli.js

@@ -94,7 +94,7 @@ function parseAndSetLogUuidEnvVars() {
     if (userArg)
         process.env.GITHUB_USER = userArg;
     if (repoArg)
-        process.env.GITHUB_REPOSITORY = repoArg;
+        process.env.OPTIMUS_WORKSPACE_REPO = repoArg;
     if (branchArg)
         process.env.GITHUB_REF_NAME = branchArg;
     if (agentArg)

package/dist/compliance_prompt_gate.js

@@ -8,12 +8,14 @@
  */
 import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
 import { existsSync, readFileSync, statSync } from 'node:fs';
-import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
+import { getRemediationInstructionsPath, readRemediationInstructionsFile } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { ensureAuthentication } from './log_config_files/auth/auth_flow.js';
 import { sendConfigFile } from './log_config_files/sender/batch_sender.js';
 import { tryResolveHardwareUuid } from './log_config_files/runtime/hardware_uuid.js';
+import { syncRemediations } from './log_config_files/runtime/remediation_sync.js';
+import { loadEndpointBase } from './log_config_files/sender/endpoint_config.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
@@ -90,6 +92,19 @@ function autofixDialogLine(v) {
     const short = d.length > 160 ? `${d.slice(0, 157)}…` : d;
     return `• [${v.finding_formatted_id}] ${short}`;
 }
+/** Cursor restart dialog after enforced/preventive remediation is applied locally. */
+export function formatCursorRestartAutofixDialog(appliedViolations) {
+    const policyNames = [
+        ...new Set(appliedViolations
+            .map((v) => v.policy_name?.trim() || v.finding_title?.trim() || '')
+            .filter(Boolean)),
+    ];
+    const policyLabel = policyNames.length > 0 ? policyNames.join('\n\n') : 'Agent security policy';
+    return ('Optimus Labs enforced a preventive agent security policy as determined by your security team:\n\n' +
+        `${policyLabel}\n\n` +
+        'Cursor will now restart to apply this policy, and your context will be retained.\n\n' +
+        'Click OK to continue');
+}
 /**
  * Upload a secondary compliance file to the backend so the server can resolve the finding.
  * Fire-and-forget: upload runs in background; any failure is logged but does not block the gate.
@@ -135,6 +150,24 @@ export async function runCompliancePromptGate() {
     const ide = parseIde();
     const agent = parseAgent(ide);
     hookLogSessionBanner('compliance_prompt_gate (before submit)');
+    // Sync before checking so server-side changes (enforce/unenforce) propagate on every prompt
+    // without waiting for the background runner. Race against a 3 s timeout so a slow or
+    // unavailable server never delays the gate significantly.
+    const hw = tryResolveHardwareUuid();
+    if (hw) {
+        const { remediations } = readRemediationInstructionsFile();
+        if (Array.isArray(remediations) && remediations.length > 0) {
+            try {
+                await Promise.race([
+                    syncRemediations(loadEndpointBase(), hw),
+                    new Promise((resolve) => setTimeout(resolve, 3000)),
+                ]);
+            }
+            catch {
+                // Network or auth failure — fall back to local file state.
+            }
+        }
+    }
     const status = runLocalRemediationComplianceCheck(agent);
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
@@ -189,9 +222,11 @@ export async function runCompliancePromptGate() {
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const violationLabel = fixed === 1 ? 'policy violation' : 'policy violations';
-                const autofixMessage = `Optimus Labs auto-fixed ${fixed} ${violationLabel}:\n\n${appliedViolations
-                    .map((v) => autofixDialogLine(v))
-                    .join('\n')}`;
+                const autofixMessage = ide === 'cursor' && restartCommands.length > 0
+                    ? formatCursorRestartAutofixDialog(appliedViolations)
+                    : `Optimus Labs auto-fixed ${fixed} ${violationLabel}:\n\n${appliedViolations
+                        .map((v) => autofixDialogLine(v))
+                        .join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;

package/dist/log_config_files/runtime/compliance_check.js

@@ -20,7 +20,7 @@ import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
 import { buildDeferredCursorRestartCommand, discoverAllWorkspaceVscdbs, enforceRemediation, fetchSync, isTrustedRestartCommandForAutofix, remediationFixSpec, reportAutofixApplied, syncRemediations, } from './remediation_sync.js';
-import { sendConfigFile } from '../sender/batch_sender.js';
+import { sendConfigFile, resolveRepoFromPath } from '../sender/batch_sender.js';
 import { ensureAuthentication } from '../auth/auth_flow.js';
 /** Normalize manifest/env/CLI agent tokens to a known Agent, or '' if unrecognized. */
 export function normalizeAgentToken(raw) {
@@ -325,6 +325,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                                 description: check.description,
                                 finding_title: entry.finding_title,
                                 finding_description: entry.finding_description,
+                                policy_name: entry.policy_name,
                                 severity: compliance.severity,
                                 autofix_allowed: compliance.autofix_allowed,
                                 config_file_path: entry.config_file_path,
@@ -347,6 +348,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                             description: check.description,
                             finding_title: entry.finding_title,
                             finding_description: entry.finding_description,
+                            policy_name: entry.policy_name,
                             severity: compliance.severity,
                             autofix_allowed: compliance.autofix_allowed,
                             config_file_path: entry.config_file_path,
@@ -371,6 +373,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                         description: check.description,
                         finding_title: entry.finding_title,
                         finding_description: entry.finding_description,
+                        policy_name: entry.policy_name,
                         severity: compliance.severity,
                         autofix_allowed: compliance.autofix_allowed,
                         config_file_path: entry.config_file_path,
@@ -525,10 +528,11 @@ export function applyAutofixViolations(violations, agent = 'cursor') {
                 if (fileType) {
                     const hw = tryResolveHardwareUuid();
                     if (hw) {
+                        const repoIdentifier = resolveRepoFromPath(configPathForDisk);
                         // Do not rely on the bulk uploader (start-every-prompt throttles at 1800s).
                         // Always attempt to upload the single remediated file immediately.
                         reportPromises.push(ensureAuthentication(hw)
-                            .then((authKey) => sendConfigFile({ file_type: fileType, file_path: configPathForDisk, raw_content: updatedContent }, hw, authKey))
+                            .then((authKey) => sendConfigFile({ file_type: fileType, file_path: configPathForDisk, raw_content: updatedContent }, hw, authKey, repoIdentifier))
                             .then((sentOk) => {
                             hookRunLog(`autofix: uploaded remediated file uuid=${inst.uuid} path=${configPathForDisk} ok=${sentOk}`);
                         })

package/dist/log_config_files/runtime/main_runner.js

@@ -84,7 +84,7 @@ async function addSensitivePathsAudit(endpointBase, configFiles) {
 async function sendAllConfigFiles(configFiles, hardwareUuid, authKey) {
     const hookTypeRaw = (process.env.OPTIMUS_HOOK_TYPE || 'claude').toLowerCase();
     const hookType = hookTypeRaw === 'cursor' ? 'cursor' : 'claude';
-    const workspaceRepo = process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '';
+    const workspaceRepo = process.env.OPTIMUS_WORKSPACE_REPO || '';
     const manifest = configFiles.map((c) => canonicalCursorUserStateVscdbPath(c.file_path));
     const hookRequestId = await sendHookRequestCreate(hardwareUuid, authKey, hookType, workspaceRepo);
     hookRunLog(`hook-request id=${hookRequestId ?? 'none'}`);
@@ -118,7 +118,7 @@ async function main() {
     const endpointBase = loadEndpointBase();
     hookRunLog(`start endpoint=${endpointBase} hardware_uuid=${hardwareUuid}`);
     hookRunLog(`endpoint_source=${getEndpointSource()} cwd=${process.cwd()}`);
-    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} GITHUB_REPOSITORY=${process.env.GITHUB_REPOSITORY ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
+    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} OPTIMUS_WORKSPACE_REPO=${process.env.OPTIMUS_WORKSPACE_REPO ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
     let authKey;
     try {
         authKey = await ensureAuthentication(hardwareUuid);

package/dist/log_config_files/sender/batch_sender.js

@@ -6,9 +6,24 @@ import { canonicalCursorUserStateVscdbPath } from '../runtime/remediation_config
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
+import { execFileSync } from 'node:child_process';
 /** Chunk size per batch request. */
 export const BATCH_CHUNK_SIZE = 20;
 const MAX_BATCH_SIZE_BYTES = 500 * 1024; // 500KB
+function resolveWorkspaceRepo() {
+    return process.env.OPTIMUS_WORKSPACE_REPO || '';
+}
+export function resolveRepoFromPath(filePath) {
+    try {
+        const dir = path.dirname(filePath);
+        return execFileSync('git', ['remote', '-v'], { cwd: dir, timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] })
+            .toString()
+            .trim();
+    }
+    catch {
+        return resolveWorkspaceRepo();
+    }
+}
 function resolveApiBase(endpoint) {
     try {
         return new URL(endpoint).origin;
@@ -86,7 +101,7 @@ function splitChunk(chunks, chunkIndex) {
 async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequestId, ingestSessionId) {
     const endpoint = loadEndpointBase();
     const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-files/`;
-    const metadata = { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' };
+    const metadata = { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: resolveWorkspaceRepo() };
     const basePayloadSize = JSON.stringify({ hardware_uuid: hardwareUuid, metadata }).length + 800;
     const chunks = buildBatchChunks(configFiles, basePayloadSize);
     const totals = { accepted: 0, failed: 0 };
@@ -169,13 +184,13 @@ async function sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId) {
         return false;
     }
 }
-async function sendConfigFile(configFile, hardwareUuid, authKey) {
+async function sendConfigFile(configFile, hardwareUuid, authKey, repoIdentifier) {
     const endpoint = loadEndpointBase();
     const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-file/`;
     const uploadPath = canonicalCursorUserStateVscdbPath(configFile.file_path);
     const payload = { hardware_uuid: hardwareUuid, file_type: configFile.file_type, file_path: uploadPath, raw_content: configFile.raw_content };
     const signature = createSignature(payload, authKey.key);
-    const body = { ...payload, signature, key_id: authKey.key_id || '', metadata: { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' } };
+    const body = { ...payload, signature, key_id: authKey.key_id || '', metadata: { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: repoIdentifier ?? resolveWorkspaceRepo() } };
     try {
         const response = await postStartupPayload(apiUrl, body);
         if (response.status !== 'accepted') {

package/dist/log_uuid/startup_sender.js

@@ -51,7 +51,7 @@ const getMetadata = () => ({
     github_username: process.env.GITHUB_USER || process.env.GH_USER || '',
     org_identifier: process.env.GITHUB_ORG || '',
     organization_uuid: readOrganizationUuid(),
-    repo_identifier: process.env.GITHUB_REPOSITORY || '',
+    repo_identifier: process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '',
     branch: process.env.GITHUB_REF_NAME || process.env.BRANCH_NAME || '',
     commit_sha: process.env.GITHUB_SHA || '',
     agent_name: process.env.OPTIMUS_AGENT || '',

package/dist/tofu.js

@@ -10,39 +10,12 @@
  * All other source files import from this module, never directly from
  * "optimus-tofu-staging", so the conditional lives in exactly one place.
  */
-import { existsSync, readFileSync } from "fs";
-import { homedir } from "os";
 import path from "path";
 import { fileURLToPath } from "url";
-function managementEnvPath() {
-    const home = homedir();
-    if (!home)
-        return null;
-    return path.join(home, "opt-ai-sec", "management", "optimus_dev.env");
-}
-function readEnvironment() {
-    const envPath = managementEnvPath();
-    if (!envPath) {
-        return "staging";
-    }
-    try {
-        const content = readFileSync(envPath, "utf8");
-        const match = content.match(/^(?:environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)\s*=\s*(.+)/m);
-        if (match)
-            return match[1].trim().toLowerCase();
-    }
-    catch {
-        // No management file: this staging package defaults to staging (promotion rewrites to production).
-        return "staging";
-    }
-    const fromEnv = process.env.OPTIMUS_ENVIRONMENT?.trim().toLowerCase();
-    if (fromEnv)
-        return fromEnv;
-    return "staging";
-}
+import { shouldUseLocalTofuDist } from "./tofu_environment.js";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const localTofuPath = path.join(__dirname, "../../optimus-tofu/dist/index.js");
-const useLocalTofu = readEnvironment() === "development" && existsSync(localTofuPath);
+const useLocalTofu = shouldUseLocalTofuDist(localTofuPath);
 const tofu = (useLocalTofu
     ? await import(localTofuPath)
     : await import("optimus-tofu-staging"));

package/dist/tofu_environment.js

@@ -0,0 +1,32 @@
+import { existsSync, readFileSync } from 'fs';
+import { homedir } from 'os';
+import path from 'path';
+export function managementEnvPath() {
+    const home = homedir();
+    if (!home)
+        return null;
+    return path.join(home, 'opt-ai-sec', 'management', 'optimus_dev.env');
+}
+/** Resolve optimus environment label (file wins over shell OPTIMUS_ENVIRONMENT). */
+export function readEnvironment() {
+    const envPath = managementEnvPath();
+    if (!envPath) {
+        return 'staging';
+    }
+    try {
+        const content = readFileSync(envPath, 'utf8');
+        const match = content.match(/^(?:environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)\s*=\s*(.+)/m);
+        if (match)
+            return match[1].trim().toLowerCase();
+    }
+    catch {
+        return 'staging';
+    }
+    const fromEnv = process.env.OPTIMUS_ENVIRONMENT?.trim().toLowerCase();
+    if (fromEnv)
+        return fromEnv;
+    return 'staging';
+}
+export function shouldUseLocalTofuDist(localTofuPath) {
+    return readEnvironment() === 'development' && existsSync(localTofuPath);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.3.72",
+  "version": "1.3.74",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {