log-llm-config-staging 1.3.81 → 1.3.83

package/dist/compliance_prompt_gate.js

@@ -6,7 +6,8 @@
  * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
  * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
  */
-import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
+import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, reportPostRestartVerificationOutcomes, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
+import { isRemediationQuarantined } from './log_config_files/runtime/remediation_apply_tracking.js';
 import { existsSync, readFileSync, statSync } from 'node:fs';
 import { getRemediationInstructionsPath, readRemediationInstructionsFile } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
@@ -179,6 +180,12 @@ export async function runCompliancePromptGate() {
         }
     }
     const status = runLocalRemediationComplianceCheck(agent);
+    // Always process pending post-restart rows (even when compliance is ok — apply may have stuck).
+    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
+    if (postRestartVerify.outcomes.length > 0) {
+        await Promise.allSettled(postRestartVerify.reportPromises);
+        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
+    }
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
     for (const e of status.secondarySatisfied ?? []) {
@@ -198,7 +205,17 @@ export async function runCompliancePromptGate() {
             printAllowWithAdvisory(ide, advisory);
             return;
         }
-        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(status.violations, agent);
+        const actionableViolations = status.violations.filter((v) => !isRemediationQuarantined(v.uuid));
+        if (actionableViolations.length === 0 && status.violations.length > 0) {
+            hookRunLog(`compliance_prompt_gate: all ${status.violations.length} violation(s) quarantined — allowing prompt silently (backend notified on quarantine)`);
+            logRemediationApplyFailure('prompt_gate_quarantined_silent_allow', {
+                reason: 'all violations quarantined; no dialog — enforcement paused on this machine',
+                quarantined_count: status.violations.length,
+            });
+            printAllow(ide);
+            return;
+        }
+        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(actionableViolations, agent);
         hookRunLog(`compliance_prompt_gate: autofix result ide=${ide} fixed=${fixed} applied=${appliedViolations.length} failed=${failedViolations.length} restart_commands=${restartCommands.length} deferred_sqlite_pending=${deferredSqlitePending}`);
         if (fixed > 0) {
             // Wait for all server reports before exiting so the POST lands.

package/dist/log_config_files/collection/directory_collector.js

@@ -50,38 +50,58 @@ function collectDirectoryEntries(t) {
     }
     return results;
 }
-/**
- * For metadata-style DIR targets: scan files matching dir_glob, return one entry
- * with the highest mtime found. Falls back to the directory's own mtime if no files match.
- */
-function collectDirectoryMetadata(t) {
+const METADATA_DIR_SCAN_MAX_DEPTH = 8;
+function matchesDirGlob(name, glob) {
+    if (glob === '*')
+        return true;
+    // **/*.jsonl → match any extension suffix after **/
+    if (glob.startsWith('**/')) {
+        const suffix = glob.slice(3);
+        if (suffix.startsWith('*.'))
+            return name.endsWith(suffix.slice(1));
+        return name === suffix;
+    }
+    if (glob.startsWith('*.'))
+        return name.endsWith(glob.slice(1));
+    return name === glob;
+}
+/** Walk dir tree (bounded depth) and return the file with the highest mtime matching dir_glob. */
+function findNewestMatchingFile(dirPath, glob, depth, maxDepth) {
+    let best = null;
     try {
-        const dirStat = statSync(t.path);
-        let bestMtime = dirStat.mtime;
-        let bestPath = t.path;
-        const glob = t.dir_glob ?? '*';
-        const matchName = (name) => {
-            if (glob === '*')
-                return true;
-            if (glob.startsWith('*.'))
-                return name.endsWith(glob.slice(1));
-            return name === glob;
-        };
-        try {
-            for (const entry of readdirSync(t.path, { withFileTypes: true })) {
-                if (!entry.isFile() || !matchName(entry.name))
-                    continue;
+        for (const entry of readdirSync(dirPath, { withFileTypes: true })) {
+            const fullPath = join(dirPath, entry.name);
+            if (entry.isFile() && matchesDirGlob(entry.name, glob)) {
                 try {
-                    const fileStat = statSync(join(t.path, entry.name));
-                    if (fileStat.mtime > bestMtime) {
-                        bestMtime = fileStat.mtime;
-                        bestPath = join(t.path, entry.name);
+                    const fileStat = statSync(fullPath);
+                    if (!best || fileStat.mtime > best.mtime) {
+                        best = { path: fullPath, mtime: fileStat.mtime };
                     }
                 }
                 catch { /* ignore unreadable files */ }
             }
+            else if (entry.isDirectory() && depth < maxDepth) {
+                const nested = findNewestMatchingFile(fullPath, glob, depth + 1, maxDepth);
+                if (nested && (!best || nested.mtime > best.mtime)) {
+                    best = nested;
+                }
+            }
         }
-        catch { /* ignore unreadable dir */ }
+    }
+    catch { /* ignore unreadable dir */ }
+    return best;
+}
+/**
+ * For metadata-style DIR targets: recursively scan files matching dir_glob, return one entry
+ * with the highest mtime found. Falls back to the directory's own mtime if no files match.
+ */
+function collectDirectoryMetadata(t) {
+    try {
+        const dirStat = statSync(t.path);
+        const glob = t.dir_glob ?? '*';
+        const newest = findNewestMatchingFile(t.path, glob, 0, METADATA_DIR_SCAN_MAX_DEPTH);
+        const bestPath = newest?.path ?? t.path;
+        const bestMtime = newest?.mtime ?? dirStat.mtime;
         return {
             file_type: t.file_type,
             file_path: bestPath,

package/dist/log_config_files/readers/composer_shadow_merge.js

@@ -0,0 +1,67 @@
+import { CURSOR_SHADOW_KEYS_NESTED_WINS, coalesceCursorEnabledShadowValue, stripShadowKeysFromReactiveBlobUpload, } from './cursor_shadow_merge_policy.js';
+const CURSOR_SHADOW_KEYS_MERGE_ENABLED_OR = new Set([
+    'isWebSearchToolEnabled',
+    'isWebSearchToolEnabled2',
+]);
+/**
+ * Collect include_keys from composer_with_include read steps (backend-driven list).
+ */
+export function shadowKeysFromReadQueries(readQueries) {
+    const keys = new Set();
+    for (const step of readQueries ?? []) {
+        if (step.value_kind === 'composer_with_include' && step.include_keys?.length) {
+            for (const k of step.include_keys) {
+                keys.add(k);
+            }
+        }
+    }
+    return [...keys];
+}
+/**
+ * Resolve one shadow key from reactive blob root + nested composerState (matches scan_targets).
+ */
+export function mergeCursorShadowKeyValue(key, root, nested) {
+    const rootVal = Object.prototype.hasOwnProperty.call(root, key) ? root[key] : undefined;
+    const nestedVal = nested && Object.prototype.hasOwnProperty.call(nested, key) ? nested[key] : undefined;
+    if (CURSOR_SHADOW_KEYS_NESTED_WINS.has(key)) {
+        if (nestedVal !== undefined)
+            return nestedVal;
+        if (rootVal !== undefined)
+            return rootVal;
+        return undefined;
+    }
+    if (CURSOR_SHADOW_KEYS_MERGE_ENABLED_OR.has(key)) {
+        return coalesceCursorEnabledShadowValue(rootVal, nestedVal);
+    }
+    if (rootVal !== undefined)
+        return rootVal;
+    return nestedVal;
+}
+/**
+ * Merge shadow keys from the reactive blob into nested composerState (canonical for policy).
+ * Matches policy_engine.scan_targets; strips duplicate top-level keys from the upload shape.
+ */
+export function mergeShadowKeysIntoComposerState(stateData, shadowKeys) {
+    if (!shadowKeys.length)
+        return;
+    const hasNested = stateData.composerState &&
+        typeof stateData.composerState === 'object' &&
+        !Array.isArray(stateData.composerState);
+    const hasRootKey = shadowKeys.some((k) => Object.prototype.hasOwnProperty.call(stateData, k));
+    if (!hasNested && !hasRootKey)
+        return;
+    let cs = stateData.composerState;
+    if (!hasNested) {
+        cs = {};
+        stateData.composerState = cs;
+    }
+    const composerState = cs;
+    const root = stateData;
+    for (const key of shadowKeys) {
+        const merged = mergeCursorShadowKeyValue(key, root, composerState);
+        if (merged !== undefined) {
+            composerState[key] = merged;
+        }
+    }
+    stripShadowKeysFromReactiveBlobUpload(stateData);
+}

package/dist/log_config_files/readers/cursor_shadow_merge_policy.js

@@ -0,0 +1,46 @@
+/**
+ * Keep in sync with file_path_registry/cursor_composer_shadow_keys.py
+ * (CURSOR_REACTIVE_BLOB_SHADOW_KEYS + merge sets).
+ */
+/** Keys Cursor duplicates on the reactive blob root and inside composerState. */
+export const CURSOR_COMPOSER_SHADOW_KEYS = [
+    'lastBrowserConnectionMode',
+    'playwrightProtection',
+    'isWebSearchToolEnabled',
+    'isWebSearchToolEnabled2',
+    'isWebSearchToolEnabled3',
+    'isWebFetchToolEnabled',
+    'autoAcceptWebSearchTool',
+];
+/** Cursor Settings UI writes these on nested composerState; blob root copies are often stale. */
+export const CURSOR_SHADOW_KEYS_NESTED_WINS = new Set([
+    'playwrightProtection',
+    'isWebFetchToolEnabled',
+    'isWebSearchToolEnabled3',
+    'autoAcceptWebSearchTool',
+]);
+export function cursorShadowValueIsEnabled(value) {
+    return (value === true ||
+        value === 1 ||
+        (typeof value === 'string' && ['true', '1', 'yes'].includes(value.toLowerCase())));
+}
+/** Prefer nested when enabled (web search / auto-accept); else root. */
+export function coalesceCursorEnabledShadowValue(root, nested) {
+    if (cursorShadowValueIsEnabled(nested))
+        return nested;
+    if (cursorShadowValueIsEnabled(root))
+        return root;
+    if (root !== undefined && root !== null)
+        return root;
+    return nested;
+}
+/**
+ * After merge, policy and uploads use composerState.<key> only — drop stale blob-root copies.
+ */
+export function stripShadowKeysFromReactiveBlobUpload(stateData) {
+    if (!('composerState' in stateData))
+        return;
+    for (const key of CURSOR_COMPOSER_SHADOW_KEYS) {
+        delete stateData[key];
+    }
+}

package/dist/log_config_files/readers/vscdb_config_builder.js

@@ -65,7 +65,9 @@ function buildRawContent(state, stateKey, value, includeKeys, ts) {
     else {
         raw[stateKey] = value;
     }
-    if (includeKeys?.length) {
+    // Shadow keys are merged into composerState during readVSCDBState; do not copy stale blob-root
+    // copies onto the upload payload (policy paths are composerState.<key> only).
+    if (includeKeys?.length && stateKey !== 'composerState') {
         for (const k of includeKeys) {
             if (k in state && state[k] !== undefined)
                 raw[k] = state[k];

package/dist/log_config_files/readers/vscdb_reactive_storage.js

@@ -0,0 +1,62 @@
+import { existsSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { readFileCollectionVscdbContract } from '../runtime/management_storage.js';
+import { resolveSqlite3Binary } from '../runtime/sqlite_binary.js';
+import { CURSOR_COMPOSER_SHADOW_KEYS } from './cursor_shadow_merge_policy.js';
+/** Suffix shared by Cursor reactive-storage ItemTable keys (see file_path_registry cursor agent). */
+export const REACTIVE_STORAGE_ITEM_KEY_SUFFIX = 'reactiveStorageServiceImpl.persistentStorage.applicationUser';
+function querySqliteValue(dbPath, key) {
+    const bin = resolveSqlite3Binary();
+    if (!bin)
+        return '';
+    const safe = key.replace(/'/g, "''");
+    const script = `.timeout 60000\nSELECT value FROM ItemTable WHERE key='${safe}';\n`;
+    return execFileSync(bin, ['-noheader', dbPath], {
+        input: script,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+}
+/** When the cached contract is empty/stale, discover the live reactive blob row in state.vscdb. */
+export function discoverReactiveStorageItemKeyInVscdb(dbPath) {
+    if (!existsSync(dbPath) || !resolveSqlite3Binary())
+        return undefined;
+    try {
+        const suffix = REACTIVE_STORAGE_ITEM_KEY_SUFFIX.replace(/'/g, "''");
+        const key = execFileSync(resolveSqlite3Binary(), [
+            dbPath,
+            `SELECT key FROM ItemTable WHERE key LIKE '%${suffix}%' LIMIT 1;`,
+        ], { encoding: 'utf8' }).trim();
+        if (!key || /['"\\]/.test(key))
+            return undefined;
+        const raw = querySqliteValue(dbPath, key);
+        if (!raw || raw === '{}')
+            return undefined;
+        return key;
+    }
+    catch {
+        return undefined;
+    }
+}
+export function reactiveStorageItemKeyFromContract() {
+    const k = readFileCollectionVscdbContract()?.reactive_storage_item_key;
+    return typeof k === 'string' && k.trim() !== '' ? k.trim() : undefined;
+}
+export function reactiveStorageItemKeyForVscdb(dbPath) {
+    const fromContract = reactiveStorageItemKeyFromContract();
+    if (fromContract)
+        return fromContract;
+    if (dbPath)
+        return discoverReactiveStorageItemKeyInVscdb(dbPath);
+    return undefined;
+}
+export function composerShadowKeysFromContract() {
+    const fromContract = readFileCollectionVscdbContract()?.composer_shadow_keys ?? [];
+    if (fromContract.length > 0)
+        return [...fromContract];
+    return [...CURSOR_COMPOSER_SHADOW_KEYS];
+}
+export function reactiveBlobHasUsableContent(dbPath, reactiveKey) {
+    const raw = querySqliteValue(dbPath, reactiveKey).trim();
+    return raw !== '' && raw !== '{}';
+}

package/dist/log_config_files/readers/vscdb_reader.js

@@ -1,7 +1,9 @@
 import { existsSync } from 'node:fs';
 import { execFileSync } from 'node:child_process';
 import { resolveSqlite3Binary } from '../runtime/sqlite_binary.js';
-import { readFileCollectionVscdbContract, sanitizeFileCollectionVscdbContract, sanitizeReactiveStorageItemKey, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
+import { mergeCursorShadowKeyValue, mergeShadowKeysIntoComposerState, shadowKeysFromReadQueries, } from './composer_shadow_merge.js';
+import { composerShadowKeysFromContract, reactiveStorageItemKeyForVscdb, } from './vscdb_reactive_storage.js';
+import { readFileCollectionVscdbContract, sanitizeFileCollectionVscdbContract, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
 /**
  * ItemTable keys that store a bare JSON boolean; compliance paths use `${key}.${field}`.
  * Kept in sync with `coerceItemTableValueToObjectRoot` / `serializeItemTableValueForWrite` in remediation_sync.
@@ -63,8 +65,16 @@ export function normalizeVscdbComposerContractFromPatternsResponse(resp) {
 /** Persist backend-derived contract next to remediation_instructions.json. */
 export function persistVscdbComposerContractFromPatternsResponse(resp) {
     const norm = normalizeVscdbComposerContractFromPatternsResponse(resp);
-    if (norm.reactive_storage_item_key || norm.composer_shadow_keys.length > 0) {
-        writeFileCollectionVscdbContract(norm);
+    const existing = readFileCollectionVscdbContract();
+    const merged = {
+        version: 1,
+        reactive_storage_item_key: norm.reactive_storage_item_key ?? existing?.reactive_storage_item_key ?? undefined,
+        composer_shadow_keys: norm.composer_shadow_keys.length > 0
+            ? norm.composer_shadow_keys
+            : [...(existing?.composer_shadow_keys ?? [])],
+    };
+    if (merged.reactive_storage_item_key || merged.composer_shadow_keys.length > 0) {
+        writeFileCollectionVscdbContract(merged);
     }
 }
 /**
@@ -87,8 +97,7 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
     }
     try {
         const raw = querySqlite(dbPath, itemKey);
-        const contract = readFileCollectionVscdbContract();
-        const reactiveKey = sanitizeReactiveStorageItemKey(contract?.reactive_storage_item_key) ?? '';
+        const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath) ?? '';
         if (itemKey === 'composerState' && (!raw || raw === '{}') && reactiveKey) {
             const reactive = querySqlite(dbPath, reactiveKey);
             if (reactive) {
@@ -137,6 +146,62 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
         return null;
     }
 }
+/**
+ * Cursor stores web-tool toggles on the reactive blob root and nested `composerState`.
+ * Merge root shadow keys into nested composerState (matches policy_engine.scan_targets).
+ */
+export function mergeComposerShadowKeysFromReactiveBlob(dbPath, merged) {
+    const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath)?.trim();
+    const shadowKeys = composerShadowKeysFromContract();
+    if (!reactiveKey || shadowKeys.length === 0)
+        return;
+    const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+    if (reactiveWrapped === null)
+        return;
+    const blob = reactiveWrapped[reactiveKey];
+    if (!blob || typeof blob !== 'object' || Array.isArray(blob))
+        return;
+    const root = blob;
+    let cs = merged.composerState;
+    if (!cs || typeof cs !== 'object' || Array.isArray(cs)) {
+        const nested = root.composerState;
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            cs = { ...nested };
+        }
+        else {
+            cs = {};
+        }
+        merged.composerState = cs;
+    }
+    const composerState = cs;
+    const nestedRoot = root.composerState && typeof root.composerState === 'object' && !Array.isArray(root.composerState)
+        ? root.composerState
+        : undefined;
+    for (const key of shadowKeys) {
+        const value = mergeCursorShadowKeyValue(key, root, nestedRoot ?? composerState);
+        if (value !== undefined) {
+            composerState[key] = value;
+        }
+    }
+}
+/**
+ * After a deferred state.vscdb write, upload the live reactive blob (not stale legacy composerState row).
+ * Return the full blob so the server can apply per-key shadow merge (same as log-config ingest).
+ */
+export function buildVscdbPostApplyRawContent(dbPath, itemKeyFromPath) {
+    if (itemKeyFromPath === 'composerState') {
+        const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath);
+        if (reactiveKey) {
+            const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+            const blob = reactiveWrapped?.[reactiveKey];
+            if (blob && typeof blob === 'object' && !Array.isArray(blob)) {
+                return { ...blob };
+            }
+        }
+        return readVscdbItemTableJson(dbPath, itemKeyFromPath);
+    }
+    return readVscdbItemTableJson(dbPath, itemKeyFromPath);
+}
 function setNested(obj, dotPath, value) {
     const parts = dotPath.split('.');
     const safe = (k) => k !== '__proto__' && k !== 'constructor' && k !== 'prototype';
@@ -172,16 +237,15 @@ function runOneStep(dbPath, stateData, step) {
                     stateData.composerState = composerState;
                 }
                 if (step.include_keys?.length) {
-                    const nested = composerState && typeof composerState === 'object'
+                    const nested = composerState && typeof composerState === 'object' && !Array.isArray(composerState)
                         ? composerState
                         : undefined;
+                    if (!nested)
+                        return;
                     for (const k of step.include_keys) {
-                        // Reactive blob root wins over nested composerState (matches policy_engine.scan_targets merge).
-                        if (k in obj && obj[k] !== undefined) {
-                            stateData[k] = obj[k];
-                        }
-                        else if (nested && k in nested && nested[k] !== undefined) {
-                            stateData[k] = nested[k];
+                        const merged = mergeCursorShadowKeyValue(k, obj, nested);
+                        if (merged !== undefined) {
+                            nested[k] = merged;
                         }
                     }
                 }
@@ -243,6 +307,7 @@ export function readVSCDBState(dbPath, readQueries, mergeFromComposerStateKeys)
         if (mergeFromComposerStateKeys?.length) {
             mergeFromComposerState(stateData, mergeFromComposerStateKeys);
         }
+        mergeShadowKeysIntoComposerState(stateData, shadowKeysFromReadQueries(readQueries));
         return Object.keys(stateData).length > 0 ? stateData : null;
     }
     catch (error) {