log-llm-config-staging 1.3.79 → 1.3.81

package/dist/log_config_files/readers/vscdb_reader.js

@@ -176,13 +176,13 @@ function runOneStep(dbPath, stateData, step) {
                         ? composerState
                         : undefined;
                     for (const k of step.include_keys) {
-                        // Prefer the value inside composerState when present; blob root can be stale vs the UI.
-                        if (nested && k in nested && nested[k] !== undefined) {
-                            stateData[k] = nested[k];
-                        }
-                        else if (k in obj && obj[k] !== undefined) {
+                        // Reactive blob root wins over nested composerState (matches policy_engine.scan_targets merge).
+                        if (k in obj && obj[k] !== undefined) {
                             stateData[k] = obj[k];
                         }
+                        else if (nested && k in nested && nested[k] !== undefined) {
+                            stateData[k] = nested[k];
+                        }
                     }
                 }
                 return;

package/dist/log_config_files/runtime/compliance_check.js

@@ -14,7 +14,7 @@ import { existsSync, readFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { readVscdbItemTableJson } from '../readers/vscdb_reader.js';
-import { readRemediationInstructionsFile, writeRemediationInstructionsFile } from './management_storage.js';
+import { readFileCollectionVscdbContract, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
 import { resolveRemediationConfigPath } from './remediation_config_path.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
@@ -174,6 +174,47 @@ function verifyOpsApplied(configJson, settingPath, ops) {
     }
     return { ok: true, expected: null };
 }
+function shouldMergeComposerShadowKeys(itemKeyFromPath, checkSettingPaths) {
+    if (itemKeyFromPath === 'composerState')
+        return true;
+    return checkSettingPaths.some((p) => p === 'composerState' || p.startsWith('composerState.'));
+}
+/**
+ * Cursor stores web-tool toggles on the reactive blob root and nested `composerState`.
+ * Policy scan merges root shadow keys into composerState; compliance must match or autofix
+ * never runs when nested values are stale (e.g. lastBrowserConnectionMode none vs root editor).
+ */
+export function mergeComposerShadowKeysFromReactiveBlob(dbPath, merged) {
+    const contract = readFileCollectionVscdbContract();
+    const reactiveKey = contract?.reactive_storage_item_key?.trim();
+    const shadowKeys = contract?.composer_shadow_keys ?? [];
+    if (!reactiveKey || shadowKeys.length === 0)
+        return;
+    const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+    if (reactiveWrapped === null)
+        return;
+    const blob = reactiveWrapped[reactiveKey];
+    if (!blob || typeof blob !== 'object' || Array.isArray(blob))
+        return;
+    const root = blob;
+    let cs = merged.composerState;
+    if (!cs || typeof cs !== 'object' || Array.isArray(cs)) {
+        const nested = root.composerState;
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            cs = { ...nested };
+        }
+        else {
+            cs = {};
+        }
+        merged.composerState = cs;
+    }
+    const composerState = cs;
+    for (const key of shadowKeys) {
+        if (Object.prototype.hasOwnProperty.call(root, key) && root[key] !== undefined) {
+            composerState[key] = root[key];
+        }
+    }
+}
 /** Plain JSON file or virtual `…/state.vscdb#itemKey` path for ItemTable-backed settings. */
 function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
     const resolvedPath = resolveRemediationConfigPath(configFilePath);
@@ -193,6 +234,9 @@ function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
                 return { ok: false, reason: 'vscdb_read_failed' };
             Object.assign(merged, wrapped);
         }
+        if (shouldMergeComposerShadowKeys(itemKeyFromPath, checkSettingPaths)) {
+            mergeComposerShadowKeysFromReactiveBlob(dbPath, merged);
+        }
         return { ok: true, json: merged };
     }
     if (!existsSync(resolvedPath))

package/dist/log_config_files/runtime/main_runner.js

@@ -101,9 +101,13 @@ async function sendAllConfigFiles(configFiles, hardwareUuid, authKey) {
         const ok = await sendHookRequestUpdateManifest(hardwareUuid, authKey, hookRequestId, manifest);
         hookRunLog(`hook-request update manifest result=${ok ? 'ok' : 'fail'}`);
     }
+    // Report failed uploads on finish so the backend holds those paths from OpenClaw prune.
     if (ingestSessionId && batchResult.accepted > 0) {
-        const ok = await sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId);
-        hookRunLog(`ingest-session finish result=${ok ? 'ok' : 'fail'}`);
+        const ok = await sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId, batchResult.failedArtifacts);
+        hookRunLog(`ingest-session finish result=${ok ? 'ok' : 'fail'}`
+            + (batchResult.failedArtifacts.length > 0
+                ? ` held=${batchResult.failedArtifacts.length} failed upload(s)`
+                : ''));
     }
     // Exit 0 if anything was persisted so the shell hook keeps last_log and throttles. Exit 1 only when
     // every item failed (e.g. SQLite locked on server) — otherwise partial success used to return 1,

package/dist/log_config_files/sender/batch_sender.js

@@ -11,6 +11,17 @@ import path from 'node:path';
 export const BATCH_CHUNK_SIZE = 20;
 const MAX_BATCH_SIZE_BYTES = 500 * 1024; // 500KB
 export { resolveRepoFromPath } from '../runtime/workspace_repo.js';
+function recordFailedArtifacts(target, files, seen) {
+    for (const file of files) {
+        const file_path = canonicalCursorUserStateVscdbPath(file.file_path);
+        const file_type = file.file_type || '';
+        const key = `${file_type}\t${file_path}`;
+        if (!file_type || seen.has(key))
+            continue;
+        seen.add(key);
+        target.push({ file_path, file_type });
+    }
+}
 function resolveApiBase(endpoint) {
     try {
         return new URL(endpoint).origin;
@@ -92,6 +103,8 @@ async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequ
     const basePayloadSize = JSON.stringify({ hardware_uuid: hardwareUuid, metadata }).length + 800;
     const chunks = buildBatchChunks(configFiles, basePayloadSize);
     const totals = { accepted: 0, failed: 0 };
+    const failedArtifacts = [];
+    const failedArtifactKeys = new Set();
     let chunkIndex = 0;
     while (chunkIndex < chunks.length) {
         let chunk = chunks[chunkIndex];
@@ -118,11 +131,21 @@ async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequ
                 totals.accepted += typeof response.accepted === 'number' ? response.accepted : chunk.length;
                 const failedList = Array.isArray(response.failed) ? response.failed : [];
                 totals.failed += failedList.length;
-                if (failedList.length > 0)
+                if (failedList.length > 0) {
                     hookRunLog(`batch chunk failed items: ${JSON.stringify(failedList.slice(0, 3))}`);
+                    for (const item of failedList) {
+                        const idx = typeof item.index === 'number'
+                            ? item.index
+                            : -1;
+                        if (idx >= 0 && idx < chunk.length) {
+                            recordFailedArtifacts(failedArtifacts, [chunk[idx]], failedArtifactKeys);
+                        }
+                    }
+                }
             }
             else {
                 totals.failed += chunk.length;
+                recordFailedArtifacts(failedArtifacts, chunk, failedArtifactKeys);
                 hookRunLog(`batch chunk failed: ${response.error || response.message || response.status}`);
             }
         }
@@ -130,10 +153,11 @@ async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequ
             const errorMessage = error instanceof Error ? error.message : String(error);
             hookRunLog(`batch chunk error: ${errorMessage}`);
             totals.failed += chunk.length;
+            recordFailedArtifacts(failedArtifacts, chunk, failedArtifactKeys);
         }
         chunkIndex++;
     }
-    return totals;
+    return { ...totals, failedArtifacts };
 }
 async function sendIngestSessionStart(hardwareUuid, authKey) {
     const endpoint = loadEndpointBase();
@@ -153,10 +177,20 @@ async function sendIngestSessionStart(hardwareUuid, authKey) {
         return null;
     }
 }
-async function sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId) {
+async function sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId, failedUploads = []) {
     const endpoint = loadEndpointBase();
     const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/ingest-session/finish/`;
-    const payload = { hardware_uuid: hardwareUuid, action: 'ingest_session_finish', ingest_session_id: ingestSessionId };
+    const failed_uploads = [...failedUploads]
+        .map(({ file_path, file_type }) => ({ file_path, file_type }))
+        .sort((a, b) => a.file_path.localeCompare(b.file_path) || a.file_type.localeCompare(b.file_type));
+    const payload = {
+        hardware_uuid: hardwareUuid,
+        action: 'ingest_session_finish',
+        ingest_session_id: ingestSessionId,
+    };
+    if (failed_uploads.length > 0) {
+        payload.failed_uploads = failed_uploads;
+    }
     const signature = createSignature(payload, authKey.key);
     const body = { ...payload, signature, key_id: authKey.key_id || '' };
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.3.79",
+  "version": "1.3.81",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {