log-llm-config-staging 1.3.86 → 1.3.90

package/dist/compliance_prompt_gate.js

@@ -6,8 +6,8 @@
  * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
  * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
  */
-import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, reportPostRestartVerificationOutcomes, runLocalRemediationComplianceCheck, uploadSatisfiedManifestConfigs, } from './log_config_files/runtime/compliance_check.js';
-import { isRemediationQuarantined, markRemediationApplyVerified, } from './log_config_files/runtime/remediation_apply_tracking.js';
+import { applyAutofixViolations, confirmAppliedAutofixVerified, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, reportPostRestartVerificationOutcomes, runLocalRemediationComplianceCheck, uploadSatisfiedManifestConfigs, } from './log_config_files/runtime/compliance_check.js';
+import { isRemediationQuarantined } from './log_config_files/runtime/remediation_apply_tracking.js';
 import { existsSync, readFileSync, statSync } from 'node:fs';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
@@ -249,12 +249,12 @@ export async function runCompliancePromptGate() {
                 hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
-                // For immediate (non-restart, non-deferred) fixes that the inline recheck confirmed,
-                // mark verified now so the next hook run does not false-quarantine due to pending flag.
-                if (recheckOk && restartCommands.length === 0 && !deferredSqlitePending) {
-                    for (const v of appliedViolations) {
-                        markRemediationApplyVerified(v.uuid);
-                    }
+                const immediateVerified = restartCommands.length === 0 &&
+                    !deferredSqlitePending &&
+                    (recheckOk || claudeRecheckStaleAfterImmediateApply);
+                if (immediateVerified) {
+                    confirmAppliedAutofixVerified(appliedViolations, reportPromises);
+                    await Promise.allSettled(reportPromises);
                 }
                 const changePreview = formatRemediationChangePreviewForApplied(appliedViolations);
                 const changePreviewSuffix = changePreview ? `\n\n${changePreview}` : '';

package/dist/log_config_files/auth/auth_flow.js

@@ -6,10 +6,10 @@ import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 import { hookRunLog } from '../runtime/hook_logger.js';
 const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
 /** Ensure authentication — verify stored key or request new one via handshake. */
-async function ensureAuthentication(hardwareUuid) {
+async function ensureAuthentication(hardwareUuid, endpointBase) {
     const key = await ensureTofuAuthentication({
         hardwareUuid,
-        endpointBase: loadEndpointBase(),
+        endpointBase: endpointBase ?? loadEndpointBase(),
         authRelativePath: AUTH_KEY_RELATIVE_PATH,
         postJson: (endpointUrl, body) => postStartupPayload(endpointUrl, body),
         onLog: (message) => {

package/dist/log_config_files/runtime/compliance_check.js

@@ -17,7 +17,7 @@ import { mergeComposerShadowKeysFromReactiveBlob, readVscdbItemTableJson, } from
 import { readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
 import { resolveRemediationConfigPath } from './remediation_config_path.js';
 import { resolveOpsTargetPath } from './ops_target_path.js';
-import { isRemediationQuarantined, markRemediationApplyPendingVerification, processPendingPostRestartVerifications, readRemediationApplyTrackingFile, writeRemediationApplyTrackingFile, } from './remediation_apply_tracking.js';
+import { isRemediationQuarantined, markRemediationApplyPendingVerification, markRemediationApplyVerified, processPendingPostRestartVerifications, readRemediationApplyTrackingFile, writeRemediationApplyTrackingFile, } from './remediation_apply_tracking.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
@@ -487,6 +487,17 @@ export function reportPostRestartVerificationOutcomes(violations) {
     });
     return { outcomes, reportPromises };
 }
+/**
+ * Immediate autofix succeeded (inline recheck OK or Claude stale-recheck tolerance).
+ * Clear pending verification locally and report verified so the next prompt does not POST
+ * verification_failed while the user already saw a successful fix.
+ */
+export function confirmAppliedAutofixVerified(appliedViolations, reportPromises) {
+    for (const v of appliedViolations) {
+        markRemediationApplyVerified(v.uuid);
+        reportPromises.push(reportAutofixApplied(v.uuid, 'verified'));
+    }
+}
 export function applyAutofixViolations(violations, agent = 'cursor') {
     for (const v of violations) {
         if (!v.autofix_allowed) {

package/dist/log_config_files/runtime/remediation_sync.js

@@ -158,12 +158,9 @@ function transferQuarantineForRetiredUuids(removed, added, retiredInstructions,
     if (changed)
         writeRemediationApplyTrackingFile(file);
 }
-async function ensureAuthKeyForMachine(machineUuid) {
-    const stored = readStoredAuthKey();
-    if (stored?.key)
-        return stored;
+async function ensureAuthKeyForMachine(endpointBase, machineUuid) {
     try {
-        return await ensureAuthentication(machineUuid);
+        return await ensureAuthentication(machineUuid, endpointBase);
     }
     catch (err) {
         hookRunLog(`remediation_sync: ensureAuthentication failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -178,7 +175,7 @@ function buildSignedMachinePostBody(machineUuid, fields, authKey) {
 }
 export async function fetchSync(endpointBase, machineUuid, activeUuids, timeoutMs = 8000) {
     const sortedUuids = [...new Set(activeUuids.map((u) => u.trim()).filter(Boolean))].sort();
-    const authKey = await ensureAuthKeyForMachine(machineUuid);
+    const authKey = await ensureAuthKeyForMachine(endpointBase, machineUuid);
     if (!authKey) {
         hookRunLog('remediation_sync_post: no auth key, skipping');
         complianceRunnerDiag('remediation_sync_post: no auth key');
@@ -200,7 +197,10 @@ export async function fetchSync(endpointBase, machineUuid, activeUuids, timeoutM
         return null;
     }
     if (statusCode !== 200 || !responseBody) {
-        const line = `remediation_sync_post: url=${url} status=${statusCode} bytes=${responseBody?.length ?? 0}`;
+        const bodyHint = responseBody && responseBody.length < 500
+            ? ` body=${responseBody.replace(/\s+/g, ' ').trim()}`
+            : '';
+        const line = `remediation_sync_post: url=${url} status=${statusCode} bytes=${responseBody?.length ?? 0}${bodyHint}`;
         hookRunLog(line);
         complianceRunnerDiag(line);
         return null;
@@ -216,7 +216,7 @@ export async function fetchSync(endpointBase, machineUuid, activeUuids, timeoutM
 }
 async function fetchManifest(endpointBase, machineUuid, uuids, timeoutMs = 8000) {
     const sortedUuids = [...new Set(uuids.map((u) => u.trim()).filter(Boolean))].sort();
-    const authKey = await ensureAuthKeyForMachine(machineUuid);
+    const authKey = await ensureAuthKeyForMachine(endpointBase, machineUuid);
     if (!authKey) {
         hookRunLog('remediation_manifest_post: no auth key, skipping');
         complianceRunnerDiag('remediation_manifest_post: no auth key');

package/dist/log_uuid/auth_key_store.js

@@ -1,9 +1,9 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import path from 'node:path';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../bootstrap_constants.js';
+import { loadEndpointBase } from '../log_config_files/sender/endpoint_config.js';
+import { buildStartupEndpointUrl, normalizeBaseUrl } from '../tofu.js';
 const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
-const OPTIMUS_ENV_FILENAME = 'optimus_dev.env';
-const STARTUP_ENDPOINT_SUFFIX = '/endpoint_security/startup/';
 const getAuthKeyPath = () => {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
     if (!homeDir)
@@ -34,38 +34,4 @@ const readStoredAuthKey = () => {
     }
     return null;
 };
-const loadEndpointBase = () => {
-    const DEFAULT_ENDPOINT = 'https://demo.optimuslabs.io/';
-    const fromEnv = process.env.OPTIMUS_ENDPOINT?.trim();
-    if (fromEnv)
-        return fromEnv;
-    const envPath = path.join(process.cwd(), OPTIMUS_ENV_FILENAME);
-    try {
-        if (!existsSync(envPath))
-            return DEFAULT_ENDPOINT;
-        const envContent = readFileSync(envPath, 'utf8');
-        for (const line of envContent.split(/\r?\n/)) {
-            const trimmed = line.trim();
-            if (!trimmed || trimmed.startsWith('#'))
-                continue;
-            const [key, ...rest] = trimmed.split('=');
-            if (key === 'OPTIMUS_ENDPOINT') {
-                const value = rest.join('=').trim();
-                if (value)
-                    return value;
-            }
-        }
-    }
-    catch { /* fall back to default */ }
-    return DEFAULT_ENDPOINT;
-};
-const normalizeBaseUrl = (rawUrl) => {
-    let base = rawUrl.trim();
-    if (!base)
-        throw new Error('OPTIMUS_ENDPOINT is empty');
-    base = base.replace(/\/+$/, '');
-    base = base.replace(/\/(optimus_security|endpoint_security)$/i, '');
-    return base;
-};
-const buildStartupEndpointUrl = (baseUrl) => `${normalizeBaseUrl(baseUrl)}${STARTUP_ENDPOINT_SUFFIX}`;
-export { getAuthKeyPath, writeAuthKey, readStoredAuthKey, loadEndpointBase, normalizeBaseUrl, buildStartupEndpointUrl };
+export { getAuthKeyPath, writeAuthKey, readStoredAuthKey, loadEndpointBase, normalizeBaseUrl, buildStartupEndpointUrl, };

package/dist/tofu.js

@@ -19,4 +19,4 @@ const useLocalTofu = shouldUseLocalTofuDist(localTofuPath);
 const tofu = (useLocalTofu
     ? await import(localTofuPath)
     : await import("optimus-tofu-staging"));
-export const { loadEndpointBase, buildStartupEndpointUrl, createSignature, persistAuthKey, readStoredAuthKey, ensureAuthentication, getEndpointSource, canonicalizePayload, getAuthKeyPath, } = tofu;
+export const { loadEndpointBase, normalizeBaseUrl, buildStartupEndpointUrl, createSignature, persistAuthKey, readStoredAuthKey, ensureAuthentication, getEndpointSource, canonicalizePayload, getAuthKeyPath, } = tofu;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.3.86",
+  "version": "1.3.90",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {
@@ -58,6 +58,6 @@
   "dependencies": {
     "axios": "^1.15.2",
     "canonicalize": "^2.1.0",
-    "optimus-tofu-staging": "^0.1.15"
+    "optimus-tofu-staging": "^0.1.16"
   }
 }