log-llm-config-staging 1.3.82 → 1.3.84

package/dist/cli.js

@@ -38,6 +38,12 @@ const main = async () => {
         await import('./compliance_check_runner.js');
         return;
     }
+    if (args[0] === 'dialog_prefs') {
+        const { runDialogPrefsCli } = await import('./dialog_prefs_cli.js');
+        await runDialogPrefsCli();
+        process.exit(0);
+        return;
+    }
     // `npx log-llm-config@latest <name>` runs this file (default bin) with args[0] set — not the named bin file.
     if (args[0] === 'execute-trusted-restarts') {
         const { runExecuteTrustedRestartsFromStdin } = await import('./execute_trusted_restarts.js');

package/dist/compliance_prompt_gate.js

@@ -6,9 +6,10 @@
  * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
  * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
  */
-import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
+import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, reportPostRestartVerificationOutcomes, runLocalRemediationComplianceCheck, uploadSatisfiedManifestConfigs, } from './log_config_files/runtime/compliance_check.js';
+import { isRemediationQuarantined, markRemediationApplyVerified, } from './log_config_files/runtime/remediation_apply_tracking.js';
 import { existsSync, readFileSync, statSync } from 'node:fs';
-import { getRemediationInstructionsPath, readRemediationInstructionsFile } from './log_config_files/runtime/management_storage.js';
+import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { ensureAuthentication } from './log_config_files/auth/auth_flow.js';
@@ -16,6 +17,7 @@ import { sendConfigFile } from './log_config_files/sender/batch_sender.js';
 import { tryResolveHardwareUuid } from './log_config_files/runtime/hardware_uuid.js';
 import { syncRemediations } from './log_config_files/runtime/remediation_sync.js';
 import { loadEndpointBase } from './log_config_files/sender/endpoint_config.js';
+import { formatRemediationChangePreviewForApplied } from './remediation_change_preview.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
@@ -102,8 +104,11 @@ function uniquePolicyLabelsFromViolations(appliedViolations) {
     return policyNames.length > 0 ? policyNames.join('\n\n') : 'Agent security policy';
 }
 function formatPreventiveAutofixDialog(appliedViolations, applyLine) {
+    const changePreview = formatRemediationChangePreviewForApplied(appliedViolations);
+    const changePreviewBlock = changePreview ? `${changePreview}\n\n` : '';
     return ('Optimus Labs enforced a preventive agent security policy as determined by your security team:\n\n' +
         `${uniquePolicyLabelsFromViolations(appliedViolations)}\n\n` +
+        changePreviewBlock +
         `${applyLine}\n\n` +
         'Click OK to continue');
 }
@@ -165,20 +170,23 @@ export async function runCompliancePromptGate() {
     // unavailable server never delays the gate significantly.
     const hw = tryResolveHardwareUuid();
     if (hw) {
-        const { remediations } = readRemediationInstructionsFile();
-        if (Array.isArray(remediations) && remediations.length > 0) {
-            try {
-                await Promise.race([
-                    syncRemediations(loadEndpointBase(), hw),
-                    new Promise((resolve) => setTimeout(resolve, 3000)),
-                ]);
-            }
-            catch {
-                // Network or auth failure — fall back to local file state.
-            }
+        try {
+            await Promise.race([
+                syncRemediations(loadEndpointBase(), hw),
+                new Promise((resolve) => setTimeout(resolve, 3000)),
+            ]);
+        }
+        catch {
+            // Network or auth failure — fall back to local file state.
         }
     }
     const status = runLocalRemediationComplianceCheck(agent);
+    // Always process pending post-restart rows (even when compliance is ok — apply may have stuck).
+    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
+    if (postRestartVerify.outcomes.length > 0) {
+        await Promise.allSettled(postRestartVerify.reportPromises);
+        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
+    }
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
     for (const e of status.secondarySatisfied ?? []) {
@@ -198,7 +206,17 @@ export async function runCompliancePromptGate() {
             printAllowWithAdvisory(ide, advisory);
             return;
         }
-        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(status.violations, agent);
+        const actionableViolations = status.violations.filter((v) => !isRemediationQuarantined(v.uuid));
+        if (actionableViolations.length === 0 && status.violations.length > 0) {
+            hookRunLog(`compliance_prompt_gate: all ${status.violations.length} violation(s) quarantined — allowing prompt silently (backend notified on quarantine)`);
+            logRemediationApplyFailure('prompt_gate_quarantined_silent_allow', {
+                reason: 'all violations quarantined; no dialog — enforcement paused on this machine',
+                quarantined_count: status.violations.length,
+            });
+            printAllow(ide);
+            return;
+        }
+        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(actionableViolations, agent);
         hookRunLog(`compliance_prompt_gate: autofix result ide=${ide} fixed=${fixed} applied=${appliedViolations.length} failed=${failedViolations.length} restart_commands=${restartCommands.length} deferred_sqlite_pending=${deferredSqlitePending}`);
         if (fixed > 0) {
             // Wait for all server reports before exiting so the POST lands.
@@ -231,13 +249,22 @@ export async function runCompliancePromptGate() {
                 hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
+                // For immediate (non-restart, non-deferred) fixes that the inline recheck confirmed,
+                // mark verified now so the next hook run does not false-quarantine due to pending flag.
+                if (recheckOk && restartCommands.length === 0 && !deferredSqlitePending) {
+                    for (const v of appliedViolations) {
+                        markRemediationApplyVerified(v.uuid);
+                    }
+                }
+                const changePreview = formatRemediationChangePreviewForApplied(appliedViolations);
+                const changePreviewSuffix = changePreview ? `\n\n${changePreview}` : '';
                 const autofixMessage = ide === 'cursor' && restartCommands.length > 0
                     ? formatCursorRestartAutofixDialog(appliedViolations)
                     : ide === 'claude'
                         ? formatClaudeAutofixDialog(appliedViolations)
                         : `Optimus Labs auto-fixed ${fixed} ${fixed === 1 ? 'policy violation' : 'policy violations'}:\n\n${appliedViolations
                             .map((v) => autofixDialogLine(v))
-                            .join('\n')}`;
+                            .join('\n')}${changePreviewSuffix}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;
@@ -283,6 +310,7 @@ export async function runCompliancePromptGate() {
     if (pruned.removed > 0) {
         await Promise.allSettled(pruned.reportPromises);
     }
+    await Promise.allSettled(uploadSatisfiedManifestConfigs(agent));
     printAllow(ide);
 }
 if (isRunAsCliModule()) {

package/dist/dialog_prefs_cli.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+/**
+ * CLI for macOS non-restart autofix dialogs and dialog preferences in ~/opt-ai-sec/management.
+ * Invoked from optimus-compliance-check.sh hooks.
+ */
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { isNonRestartAutofixDialogSuppressed, setSuppressNonRestartAutofixDialogs, } from './log_config_files/runtime/dialog_preferences.js';
+export const STOP_NOTIFICATIONS_BUTTON = 'Mute Alerts';
+export const OK_BUTTON = 'OK';
+function cliParts() {
+    const a = process.argv;
+    if (a[2] === 'dialog_prefs')
+        return a.slice(2);
+    return a.slice(2);
+}
+function parseArgValue(parts, flag) {
+    const eq = parts.find((p) => p.startsWith(`${flag}=`));
+    if (eq)
+        return eq.slice(flag.length + 1);
+    const idx = parts.indexOf(flag);
+    if (idx >= 0 && parts[idx + 1])
+        return parts[idx + 1];
+    return undefined;
+}
+function escapeAppleScriptString(text) {
+    return text.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+function icnsIconClause() {
+    const p = (process.env.OPTIMUS_DIALOG_ICNS ?? '').trim();
+    if (!p || !existsSync(p))
+        return 'with icon caution';
+    try {
+        const buf = readFileSync(p);
+        if (buf.length < 8 || buf.subarray(0, 4).toString('ascii') !== 'icns') {
+            return 'with icon caution';
+        }
+    }
+    catch {
+        return 'with icon caution';
+    }
+    return `with icon POSIX file "${escapeAppleScriptString(p)}"`;
+}
+export function buildNonRestartAutofixDialogScript(message, target) {
+    const msg = escapeAppleScriptString(message);
+    const icon = icnsIconClause();
+    const mute = escapeAppleScriptString(STOP_NOTIFICATIONS_BUTTON);
+    const body = `display dialog "${msg}" with title "Optimus Labs" buttons {"${mute}", "${OK_BUTTON}"} default button "${OK_BUTTON}" ${icon}`;
+    if (target === 'cursor') {
+        return `tell application "Cursor" to ${body}`;
+    }
+    if (target === 'claude-app') {
+        return `tell application "Claude" to ${body}`;
+    }
+    return body;
+}
+export function showNonRestartAutofixDialog(message, target) {
+    const script = buildNonRestartAutofixDialogScript(message, target);
+    let out = '';
+    try {
+        out = execFileSync('osascript', ['-'], { input: script, encoding: 'utf8' });
+    }
+    catch (err) {
+        const e = err;
+        out = typeof e.stdout === 'string' ? e.stdout : '';
+        // User dismissed or osascript failed — do not block callers; preference only set on explicit Stop.
+        if (!out.includes(STOP_NOTIFICATIONS_BUTTON)) {
+            throw err;
+        }
+    }
+    if (out.includes(STOP_NOTIFICATIONS_BUTTON)) {
+        setSuppressNonRestartAutofixDialogs(true);
+        return 'stop_notifications';
+    }
+    return 'ok';
+}
+function readMessageFile(path) {
+    if (!path || !existsSync(path)) {
+        throw new Error(`message file not found: ${path}`);
+    }
+    return readFileSync(path, 'utf8');
+}
+export async function runDialogPrefsCli() {
+    const parts = cliParts();
+    const sub = parts[1];
+    if (sub === 'is_suppressed') {
+        console.log(isNonRestartAutofixDialogSuppressed() ? 'true' : 'false');
+        return;
+    }
+    if (sub === 'set_suppress') {
+        setSuppressNonRestartAutofixDialogs(true);
+        return;
+    }
+    if (sub === 'show') {
+        const messageFile = parseArgValue(parts, '--message-file');
+        const targetRaw = parseArgValue(parts, '--target') ?? 'terminal';
+        if (targetRaw !== 'cursor' && targetRaw !== 'claude-app' && targetRaw !== 'terminal') {
+            throw new Error(`invalid --target: ${targetRaw}`);
+        }
+        const message = readMessageFile(messageFile ?? '');
+        showNonRestartAutofixDialog(message, targetRaw);
+        return;
+    }
+    throw new Error(`unknown dialog_prefs subcommand: ${sub ?? '(none)'}`);
+}

package/dist/log_config_files/readers/composer_shadow_merge.js

@@ -0,0 +1,67 @@
+import { CURSOR_SHADOW_KEYS_NESTED_WINS, coalesceCursorEnabledShadowValue, stripShadowKeysFromReactiveBlobUpload, } from './cursor_shadow_merge_policy.js';
+const CURSOR_SHADOW_KEYS_MERGE_ENABLED_OR = new Set([
+    'isWebSearchToolEnabled',
+    'isWebSearchToolEnabled2',
+]);
+/**
+ * Collect include_keys from composer_with_include read steps (backend-driven list).
+ */
+export function shadowKeysFromReadQueries(readQueries) {
+    const keys = new Set();
+    for (const step of readQueries ?? []) {
+        if (step.value_kind === 'composer_with_include' && step.include_keys?.length) {
+            for (const k of step.include_keys) {
+                keys.add(k);
+            }
+        }
+    }
+    return [...keys];
+}
+/**
+ * Resolve one shadow key from reactive blob root + nested composerState (matches scan_targets).
+ */
+export function mergeCursorShadowKeyValue(key, root, nested) {
+    const rootVal = Object.prototype.hasOwnProperty.call(root, key) ? root[key] : undefined;
+    const nestedVal = nested && Object.prototype.hasOwnProperty.call(nested, key) ? nested[key] : undefined;
+    if (CURSOR_SHADOW_KEYS_NESTED_WINS.has(key)) {
+        if (nestedVal !== undefined)
+            return nestedVal;
+        if (rootVal !== undefined)
+            return rootVal;
+        return undefined;
+    }
+    if (CURSOR_SHADOW_KEYS_MERGE_ENABLED_OR.has(key)) {
+        return coalesceCursorEnabledShadowValue(rootVal, nestedVal);
+    }
+    if (rootVal !== undefined)
+        return rootVal;
+    return nestedVal;
+}
+/**
+ * Merge shadow keys from the reactive blob into nested composerState (canonical for policy).
+ * Matches policy_engine.scan_targets; strips duplicate top-level keys from the upload shape.
+ */
+export function mergeShadowKeysIntoComposerState(stateData, shadowKeys) {
+    if (!shadowKeys.length)
+        return;
+    const hasNested = stateData.composerState &&
+        typeof stateData.composerState === 'object' &&
+        !Array.isArray(stateData.composerState);
+    const hasRootKey = shadowKeys.some((k) => Object.prototype.hasOwnProperty.call(stateData, k));
+    if (!hasNested && !hasRootKey)
+        return;
+    let cs = stateData.composerState;
+    if (!hasNested) {
+        cs = {};
+        stateData.composerState = cs;
+    }
+    const composerState = cs;
+    const root = stateData;
+    for (const key of shadowKeys) {
+        const merged = mergeCursorShadowKeyValue(key, root, composerState);
+        if (merged !== undefined) {
+            composerState[key] = merged;
+        }
+    }
+    stripShadowKeysFromReactiveBlobUpload(stateData);
+}

package/dist/log_config_files/readers/cursor_shadow_merge_policy.js

@@ -0,0 +1,46 @@
+/**
+ * Keep in sync with file_path_registry/cursor_composer_shadow_keys.py
+ * (CURSOR_REACTIVE_BLOB_SHADOW_KEYS + merge sets).
+ */
+/** Keys Cursor duplicates on the reactive blob root and inside composerState. */
+export const CURSOR_COMPOSER_SHADOW_KEYS = [
+    'lastBrowserConnectionMode',
+    'playwrightProtection',
+    'isWebSearchToolEnabled',
+    'isWebSearchToolEnabled2',
+    'isWebSearchToolEnabled3',
+    'isWebFetchToolEnabled',
+    'autoAcceptWebSearchTool',
+];
+/** Cursor Settings UI writes these on nested composerState; blob root copies are often stale. */
+export const CURSOR_SHADOW_KEYS_NESTED_WINS = new Set([
+    'playwrightProtection',
+    'isWebFetchToolEnabled',
+    'isWebSearchToolEnabled3',
+    'autoAcceptWebSearchTool',
+]);
+export function cursorShadowValueIsEnabled(value) {
+    return (value === true ||
+        value === 1 ||
+        (typeof value === 'string' && ['true', '1', 'yes'].includes(value.toLowerCase())));
+}
+/** Prefer nested when enabled (web search / auto-accept); else root. */
+export function coalesceCursorEnabledShadowValue(root, nested) {
+    if (cursorShadowValueIsEnabled(nested))
+        return nested;
+    if (cursorShadowValueIsEnabled(root))
+        return root;
+    if (root !== undefined && root !== null)
+        return root;
+    return nested;
+}
+/**
+ * After merge, policy and uploads use composerState.<key> only — drop stale blob-root copies.
+ */
+export function stripShadowKeysFromReactiveBlobUpload(stateData) {
+    if (!('composerState' in stateData))
+        return;
+    for (const key of CURSOR_COMPOSER_SHADOW_KEYS) {
+        delete stateData[key];
+    }
+}

package/dist/log_config_files/readers/vscdb_config_builder.js

@@ -65,7 +65,9 @@ function buildRawContent(state, stateKey, value, includeKeys, ts) {
     else {
         raw[stateKey] = value;
     }
-    if (includeKeys?.length) {
+    // Shadow keys are merged into composerState during readVSCDBState; do not copy stale blob-root
+    // copies onto the upload payload (policy paths are composerState.<key> only).
+    if (includeKeys?.length && stateKey !== 'composerState') {
         for (const k of includeKeys) {
             if (k in state && state[k] !== undefined)
                 raw[k] = state[k];

package/dist/log_config_files/readers/vscdb_reactive_storage.js

@@ -0,0 +1,62 @@
+import { existsSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { readFileCollectionVscdbContract } from '../runtime/management_storage.js';
+import { resolveSqlite3Binary } from '../runtime/sqlite_binary.js';
+import { CURSOR_COMPOSER_SHADOW_KEYS } from './cursor_shadow_merge_policy.js';
+/** Suffix shared by Cursor reactive-storage ItemTable keys (see file_path_registry cursor agent). */
+export const REACTIVE_STORAGE_ITEM_KEY_SUFFIX = 'reactiveStorageServiceImpl.persistentStorage.applicationUser';
+function querySqliteValue(dbPath, key) {
+    const bin = resolveSqlite3Binary();
+    if (!bin)
+        return '';
+    const safe = key.replace(/'/g, "''");
+    const script = `.timeout 60000\nSELECT value FROM ItemTable WHERE key='${safe}';\n`;
+    return execFileSync(bin, ['-noheader', dbPath], {
+        input: script,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+}
+/** When the cached contract is empty/stale, discover the live reactive blob row in state.vscdb. */
+export function discoverReactiveStorageItemKeyInVscdb(dbPath) {
+    if (!existsSync(dbPath) || !resolveSqlite3Binary())
+        return undefined;
+    try {
+        const suffix = REACTIVE_STORAGE_ITEM_KEY_SUFFIX.replace(/'/g, "''");
+        const key = execFileSync(resolveSqlite3Binary(), [
+            dbPath,
+            `SELECT key FROM ItemTable WHERE key LIKE '%${suffix}%' LIMIT 1;`,
+        ], { encoding: 'utf8' }).trim();
+        if (!key || /['"\\]/.test(key))
+            return undefined;
+        const raw = querySqliteValue(dbPath, key);
+        if (!raw || raw === '{}')
+            return undefined;
+        return key;
+    }
+    catch {
+        return undefined;
+    }
+}
+export function reactiveStorageItemKeyFromContract() {
+    const k = readFileCollectionVscdbContract()?.reactive_storage_item_key;
+    return typeof k === 'string' && k.trim() !== '' ? k.trim() : undefined;
+}
+export function reactiveStorageItemKeyForVscdb(dbPath) {
+    const fromContract = reactiveStorageItemKeyFromContract();
+    if (fromContract)
+        return fromContract;
+    if (dbPath)
+        return discoverReactiveStorageItemKeyInVscdb(dbPath);
+    return undefined;
+}
+export function composerShadowKeysFromContract() {
+    const fromContract = readFileCollectionVscdbContract()?.composer_shadow_keys ?? [];
+    if (fromContract.length > 0)
+        return [...fromContract];
+    return [...CURSOR_COMPOSER_SHADOW_KEYS];
+}
+export function reactiveBlobHasUsableContent(dbPath, reactiveKey) {
+    const raw = querySqliteValue(dbPath, reactiveKey).trim();
+    return raw !== '' && raw !== '{}';
+}

package/dist/log_config_files/readers/vscdb_reader.js

@@ -1,7 +1,9 @@
 import { existsSync } from 'node:fs';
 import { execFileSync } from 'node:child_process';
 import { resolveSqlite3Binary } from '../runtime/sqlite_binary.js';
-import { readFileCollectionVscdbContract, sanitizeFileCollectionVscdbContract, sanitizeReactiveStorageItemKey, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
+import { mergeCursorShadowKeyValue, mergeShadowKeysIntoComposerState, shadowKeysFromReadQueries, } from './composer_shadow_merge.js';
+import { composerShadowKeysFromContract, reactiveStorageItemKeyForVscdb, } from './vscdb_reactive_storage.js';
+import { readFileCollectionVscdbContract, sanitizeFileCollectionVscdbContract, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
 /**
  * ItemTable keys that store a bare JSON boolean; compliance paths use `${key}.${field}`.
  * Kept in sync with `coerceItemTableValueToObjectRoot` / `serializeItemTableValueForWrite` in remediation_sync.
@@ -63,8 +65,16 @@ export function normalizeVscdbComposerContractFromPatternsResponse(resp) {
 /** Persist backend-derived contract next to remediation_instructions.json. */
 export function persistVscdbComposerContractFromPatternsResponse(resp) {
     const norm = normalizeVscdbComposerContractFromPatternsResponse(resp);
-    if (norm.reactive_storage_item_key || norm.composer_shadow_keys.length > 0) {
-        writeFileCollectionVscdbContract(norm);
+    const existing = readFileCollectionVscdbContract();
+    const merged = {
+        version: 1,
+        reactive_storage_item_key: norm.reactive_storage_item_key ?? existing?.reactive_storage_item_key ?? undefined,
+        composer_shadow_keys: norm.composer_shadow_keys.length > 0
+            ? norm.composer_shadow_keys
+            : [...(existing?.composer_shadow_keys ?? [])],
+    };
+    if (merged.reactive_storage_item_key || merged.composer_shadow_keys.length > 0) {
+        writeFileCollectionVscdbContract(merged);
     }
 }
 /**
@@ -87,8 +97,7 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
     }
     try {
         const raw = querySqlite(dbPath, itemKey);
-        const contract = readFileCollectionVscdbContract();
-        const reactiveKey = sanitizeReactiveStorageItemKey(contract?.reactive_storage_item_key) ?? '';
+        const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath) ?? '';
         if (itemKey === 'composerState' && (!raw || raw === '{}') && reactiveKey) {
             const reactive = querySqlite(dbPath, reactiveKey);
             if (reactive) {
@@ -137,6 +146,62 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
         return null;
     }
 }
+/**
+ * Cursor stores web-tool toggles on the reactive blob root and nested `composerState`.
+ * Merge root shadow keys into nested composerState (matches policy_engine.scan_targets).
+ */
+export function mergeComposerShadowKeysFromReactiveBlob(dbPath, merged) {
+    const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath)?.trim();
+    const shadowKeys = composerShadowKeysFromContract();
+    if (!reactiveKey || shadowKeys.length === 0)
+        return;
+    const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+    if (reactiveWrapped === null)
+        return;
+    const blob = reactiveWrapped[reactiveKey];
+    if (!blob || typeof blob !== 'object' || Array.isArray(blob))
+        return;
+    const root = blob;
+    let cs = merged.composerState;
+    if (!cs || typeof cs !== 'object' || Array.isArray(cs)) {
+        const nested = root.composerState;
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            cs = { ...nested };
+        }
+        else {
+            cs = {};
+        }
+        merged.composerState = cs;
+    }
+    const composerState = cs;
+    const nestedRoot = root.composerState && typeof root.composerState === 'object' && !Array.isArray(root.composerState)
+        ? root.composerState
+        : undefined;
+    for (const key of shadowKeys) {
+        const value = mergeCursorShadowKeyValue(key, root, nestedRoot ?? composerState);
+        if (value !== undefined) {
+            composerState[key] = value;
+        }
+    }
+}
+/**
+ * After a deferred state.vscdb write, upload the live reactive blob (not stale legacy composerState row).
+ * Return the full blob so the server can apply per-key shadow merge (same as log-config ingest).
+ */
+export function buildVscdbPostApplyRawContent(dbPath, itemKeyFromPath) {
+    if (itemKeyFromPath === 'composerState') {
+        const reactiveKey = reactiveStorageItemKeyForVscdb(dbPath);
+        if (reactiveKey) {
+            const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+            const blob = reactiveWrapped?.[reactiveKey];
+            if (blob && typeof blob === 'object' && !Array.isArray(blob)) {
+                return { ...blob };
+            }
+        }
+        return readVscdbItemTableJson(dbPath, itemKeyFromPath);
+    }
+    return readVscdbItemTableJson(dbPath, itemKeyFromPath);
+}
 function setNested(obj, dotPath, value) {
     const parts = dotPath.split('.');
     const safe = (k) => k !== '__proto__' && k !== 'constructor' && k !== 'prototype';
@@ -172,16 +237,15 @@ function runOneStep(dbPath, stateData, step) {
                     stateData.composerState = composerState;
                 }
                 if (step.include_keys?.length) {
-                    const nested = composerState && typeof composerState === 'object'
+                    const nested = composerState && typeof composerState === 'object' && !Array.isArray(composerState)
                         ? composerState
                         : undefined;
+                    if (!nested)
+                        return;
                     for (const k of step.include_keys) {
-                        // Reactive blob root wins over nested composerState (matches policy_engine.scan_targets merge).
-                        if (k in obj && obj[k] !== undefined) {
-                            stateData[k] = obj[k];
-                        }
-                        else if (nested && k in nested && nested[k] !== undefined) {
-                            stateData[k] = nested[k];
+                        const merged = mergeCursorShadowKeyValue(k, obj, nested);
+                        if (merged !== undefined) {
+                            nested[k] = merged;
                         }
                     }
                 }
@@ -243,6 +307,7 @@ export function readVSCDBState(dbPath, readQueries, mergeFromComposerStateKeys)
         if (mergeFromComposerStateKeys?.length) {
             mergeFromComposerState(stateData, mergeFromComposerStateKeys);
         }
+        mergeShadowKeysIntoComposerState(stateData, shadowKeysFromReadQueries(readQueries));
         return Object.keys(stateData).length > 0 ? stateData : null;
     }
     catch (error) {