log-llm-config-staging 1.4.5 → 1.4.8

package/dist/apply_deferred_vscdb.js

@@ -1,9 +1,38 @@
 #!/usr/bin/env node
-/**
- * Runs after Cursor SIGKILL: applies queued state.vscdb patches from
- * ~/opt-ai-sec/management/optimus_deferred_vscdb_apply.json (see remediation_sync).
- */
+// Runs after Cursor SIGKILL: applies queued state.vscdb patches, then immediately runs
+// post-restart verification so the server gets `verified` without waiting for the next prompt.
 import { applyDeferredVscdbFromDisk } from './log_config_files/runtime/remediation_sync.js';
+import { runPostApplyVerification } from './log_config_files/runtime/compliance_check.js';
+import { hookRunLog } from './log_config_files/runtime/hook_logger.js';
+import { finalizeAndUploadComplianceSessionLog, setActiveComplianceLogPath, } from './log_config_files/runtime/compliance_session_log.js';
+const complianceLogPath = process.env.OPTIMUS_COMPLIANCE_LOG?.trim() || null;
+if (complianceLogPath) {
+    setActiveComplianceLogPath(complianceLogPath);
+}
 applyDeferredVscdbFromDisk()
-    .then((ok) => process.exit(ok ? 0 : 1))
+    .then(async (ok) => {
+    if (ok) {
+        try {
+            const outcomes = await runPostApplyVerification();
+            if (outcomes.length > 0) {
+                hookRunLog(`apply_deferred_vscdb: post_apply_verification count=${outcomes.length} ` +
+                    `verified=${outcomes.filter((o) => o.status === 'verified').length}`);
+            }
+            if (complianceLogPath) {
+                await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+            }
+        }
+        catch (e) {
+            hookRunLog(`apply_deferred_vscdb: post_apply_verification error: ${e instanceof Error ? e.message : String(e)}`);
+            if (complianceLogPath) {
+                await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+            }
+        }
+    }
+    else if (complianceLogPath) {
+        hookRunLog('apply_deferred_vscdb: apply failed');
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+    }
+    process.exit(ok ? 0 : 1);
+})
     .catch(() => process.exit(1));

package/dist/compliance_check_runner.js

@@ -1,8 +1,28 @@
 #!/usr/bin/env node
 import { complianceRunnerRunnerLine, hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
 import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+import { finalizeAndUploadComplianceSessionLog, initComplianceSessionForRunner, isFinalizeComplianceSessionArgv, isInflightComplianceLogPath, parseComplianceLogArg, resolveComplianceSessionLogPath, } from './log_config_files/runtime/compliance_session_log.js';
+import { existsSync } from 'node:fs';
 (async () => {
-    hookLogAppendSection('compliance_check_runner (background sync + check)');
+    let complianceLogPath = parseComplianceLogArg(process.argv);
+    if (isFinalizeComplianceSessionArgv(process.argv)) {
+        if (complianceLogPath) {
+            await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+        }
+        process.exit(0);
+    }
+    if (complianceLogPath) {
+        const resolved = resolveComplianceSessionLogPath(complianceLogPath);
+        if (existsSync(resolved) && isInflightComplianceLogPath(resolved)) {
+            complianceLogPath = initComplianceSessionForRunner(resolved);
+        }
+        else {
+            complianceLogPath = null;
+        }
+    }
+    else {
+        hookLogAppendSection('compliance_check_runner (background sync + check)');
+    }
     complianceRunnerRunnerLine('compliance_check_runner: start');
     try {
         await runComplianceCheck();
@@ -13,6 +33,12 @@ import { runComplianceCheck } from './log_config_files/runtime/compliance_check.
         complianceRunnerRunnerLine(`compliance_check_runner: uncaught error — ${err instanceof Error ? err.message : String(err)}`);
         complianceRunnerRunnerLine(`compliance_check_runner: stack_or_detail ${detail.slice(0, 4000)}`);
         process.stderr.write(`compliance_check_runner error: ${err instanceof Error ? err.message : String(err)}\n`);
+        if (complianceLogPath) {
+            await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+        }
         process.exit(1);
     }
+    if (complianceLogPath) {
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+    }
 })();

package/dist/compliance_prompt_gate.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 /**
  * Synchronous pre-prompt gate: local compliance only (stdout = single JSON line for IDE hooks).
- * stderr must stay clean; logs go via hookRunLog (file).
+ * stderr must stay clean; logs go via hookRunLog (compliance session file when --compliance-log is set).
  *
  * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
  * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
@@ -11,6 +11,7 @@ import { isRemediationQuarantined } from './log_config_files/runtime/remediation
 import { existsSync, readFileSync, statSync } from 'node:fs';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
+import { finalizeAndUploadComplianceSessionLog, initComplianceSessionForGate, parseComplianceLogArg, } from './log_config_files/runtime/compliance_session_log.js';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { ensureAuthentication } from './log_config_files/auth/auth_flow.js';
 import { sendConfigFile } from './log_config_files/sender/batch_sender.js';
@@ -19,6 +20,17 @@ import { syncRemediations } from './log_config_files/runtime/remediation_sync.js
 import { loadEndpointBase } from './log_config_files/sender/endpoint_config.js';
 import { formatRemediationChangePreviewForApplied } from './remediation_change_preview.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+/** After verified (or failed verify), push enforcement + session log immediately — do not wait for background runner. */
+async function flushRemediationOutcomeToServer(complianceLogPath) {
+    if (!complianceLogPath)
+        return;
+    try {
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+    }
+    catch (err) {
+        hookRunLog(`compliance_prompt_gate: session finalize/upload failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
     if (eq) {
@@ -164,10 +176,21 @@ export async function runCompliancePromptGateCli() {
 export async function runCompliancePromptGate() {
     const ide = parseIde();
     const agent = parseAgent(ide);
-    hookLogSessionBanner('compliance_prompt_gate (before submit)');
-    // Sync before checking so server-side changes (enforce/unenforce) propagate on every prompt
-    // without waiting for the background runner. Race against a 3 s timeout so a slow or
-    // unavailable server never delays the gate significantly.
+    let complianceLogPath = parseComplianceLogArg(process.argv);
+    if (complianceLogPath) {
+        complianceLogPath = initComplianceSessionForGate(complianceLogPath);
+    }
+    else {
+        hookLogSessionBanner('compliance_prompt_gate (before submit)');
+    }
+    let status = runLocalRemediationComplianceCheck(agent);
+    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
+    if (postRestartVerify.outcomes.length > 0) {
+        await Promise.allSettled(postRestartVerify.reportPromises);
+        await flushRemediationOutcomeToServer(complianceLogPath);
+        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
+        status = runLocalRemediationComplianceCheck(agent);
+    }
     const hw = tryResolveHardwareUuid();
     if (hw) {
         try {
@@ -180,13 +203,7 @@ export async function runCompliancePromptGate() {
             // Network or auth failure — fall back to local file state.
         }
     }
-    const status = runLocalRemediationComplianceCheck(agent);
-    // Always process pending post-restart rows (even when compliance is ok — apply may have stuck).
-    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
-    if (postRestartVerify.outcomes.length > 0) {
-        await Promise.allSettled(postRestartVerify.reportPromises);
-        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
-    }
+    status = runLocalRemediationComplianceCheck(agent);
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
     for (const e of status.secondarySatisfied ?? []) {
@@ -255,6 +272,7 @@ export async function runCompliancePromptGate() {
                 if (immediateVerified) {
                     confirmAppliedAutofixVerified(appliedViolations, reportPromises);
                     await Promise.allSettled(reportPromises);
+                    await flushRemediationOutcomeToServer(complianceLogPath);
                 }
                 const changePreview = formatRemediationChangePreviewForApplied(appliedViolations);
                 const changePreviewSuffix = changePreview ? `\n\n${changePreview}` : '';

package/dist/execute_trusted_restarts.js

@@ -7,9 +7,14 @@
 import { readFileSync } from 'node:fs';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { appendComplianceRunnerLine, hookRunLog } from './log_config_files/runtime/hook_logger.js';
+import { setActiveComplianceLogPath } from './log_config_files/runtime/compliance_session_log.js';
 import { executeTrustedRestartCommands } from './log_config_files/runtime/trusted_restarts.js';
 /** Invoked by dist entrypoint or by `npx log-llm-config@latest execute-trusted-restarts` (cli.js dispatches here). */
 export function runExecuteTrustedRestartsFromStdin() {
+    const complianceLogPath = process.env.OPTIMUS_COMPLIANCE_LOG?.trim();
+    if (complianceLogPath) {
+        setActiveComplianceLogPath(complianceLogPath);
+    }
     let raw;
     try {
         raw = readFileSync(0, 'utf8');

package/dist/log_config_files/collection/skills_cli_collector.js

@@ -1,11 +1,14 @@
-import { execFileSync } from 'node:child_process';
-import { homedir } from 'node:os';
+import { spawnSync } from 'node:child_process';
+import { closeSync, mkdtempSync, openSync, readFileSync, rmSync } from 'node:fs';
+import { homedir, tmpdir } from 'node:os';
 import { join } from 'node:path';
 export const SKILLS_CLI_FILE_TYPE = 'skills_cli_installed';
 export const SKILLS_CLI_INSTALLED_PATH = join(homedir(), '.agents', '.skills-cli-installed.json');
 /** Override the skills package spec, e.g. `skills@1.5.10`. Default uses whatever is on the machine. */
 export const SKILLS_CLI_NPX_PACKAGE_ENV = 'SKILLS_CLI_NPX_PACKAGE';
 const LIST_TIMEOUT_MS = 120_000;
+/** stderr from npx/npm only; stdout is streamed to a temp file (avoids pipe/maxBuffer truncation). */
+const LIST_STDERR_MAX_BUFFER = 16 * 1024 * 1024;
 function listExecEnv() {
     return {
         ...process.env,
@@ -16,20 +19,61 @@ function npxPackageSpec() {
     const fromEnv = (process.env[SKILLS_CLI_NPX_PACKAGE_ENV] || '').trim();
     return fromEnv || 'skills';
 }
-export function runSkillsListJson(args, cwd) {
-    const out = execFileSync('npx', [npxPackageSpec(), 'list', ...args, '--json'], {
-        encoding: 'utf8',
-        cwd,
-        timeout: LIST_TIMEOUT_MS,
-        env: listExecEnv(),
-    });
-    const trimmed = out.trim();
+/** Strip leading npx/npm noise and parse the skills `list --json` array payload. */
+export function parseSkillsListJsonStdout(stdout) {
+    const trimmed = stdout.trim();
     if (!trimmed)
         return [];
-    const parsed = JSON.parse(trimmed);
-    if (!Array.isArray(parsed))
-        return [];
-    return parsed;
+    const start = trimmed.indexOf('[');
+    if (start < 0) {
+        throw new SyntaxError('skills list --json: no JSON array in stdout');
+    }
+    let end = trimmed.lastIndexOf(']');
+    let lastErr;
+    while (end > start) {
+        const slice = trimmed.slice(start, end + 1);
+        try {
+            const parsed = JSON.parse(slice);
+            if (!Array.isArray(parsed))
+                return [];
+            return parsed;
+        }
+        catch (err) {
+            lastErr = err instanceof SyntaxError ? err : new SyntaxError(String(err));
+            end = trimmed.lastIndexOf(']', end - 1);
+        }
+    }
+    throw lastErr ?? new SyntaxError('skills list --json: could not parse stdout');
+}
+export function runSkillsListJson(args, cwd) {
+    const tmpDir = mkdtempSync(join(tmpdir(), 'optimus-skills-list-'));
+    const outPath = join(tmpDir, 'stdout.json');
+    const outFd = openSync(outPath, 'w');
+    try {
+        const child = spawnSync('npx', [npxPackageSpec(), 'list', ...args, '--json'], {
+            cwd,
+            timeout: LIST_TIMEOUT_MS,
+            env: listExecEnv(),
+            stdio: ['ignore', outFd, 'pipe'],
+            maxBuffer: LIST_STDERR_MAX_BUFFER,
+        });
+        if (child.error)
+            throw child.error;
+        if (child.status !== 0) {
+            const stderr = (child.stderr ?? '').toString().trim();
+            throw new Error(stderr || `npx skills list exited ${child.status ?? 'unknown'}`);
+        }
+    }
+    finally {
+        closeSync(outFd);
+    }
+    try {
+        const out = readFileSync(outPath, 'utf8');
+        return parseSkillsListJsonStdout(out);
+    }
+    finally {
+        rmSync(tmpDir, { recursive: true, force: true });
+    }
 }
 function normalizeListRows(rows, scope) {
     const out = [];
@@ -60,39 +104,43 @@ export function formatSkillsListScopeForHookLog(scopeLabel, entries) {
         .join(' | ');
     return `skills_cli list ${scopeLabel}: ${entries.length} skill(s) — ${detail}`;
 }
+function runSkillsListForScope(scopeLabel, args, projectRoot, logLine) {
+    try {
+        return runSkillsListJson(args, projectRoot);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logLine(`skills_cli: list ${scopeLabel} --json failed: ${msg}`);
+        return [];
+    }
+}
 export function collectSkillsCliInstalled(projectRoot, log) {
     const logLine = (message) => {
         log?.(message);
     };
-    try {
-        const packageSpec = npxPackageSpec();
-        logLine(`skills_cli: npx ${packageSpec} — list -g --json && list --json (projectRoot=${projectRoot})`);
-        const globalRows = runSkillsListJson(['-g'], projectRoot);
-        const projectRows = runSkillsListJson([], projectRoot);
-        const global = normalizeListRows(globalRows, 'global');
-        const project = normalizeListRows(projectRows, 'project');
-        logLine(formatSkillsListScopeForHookLog('-g', global));
-        logLine(formatSkillsListScopeForHookLog('project', project));
-        const payload = {
-            version: 1,
-            skills_cli_version: packageSpec,
-            generated_at: new Date().toISOString(),
-            global,
-            project,
-        };
-        if (payload.global.length === 0 && payload.project.length === 0) {
-            logLine('skills_cli_installed: not uploaded (no global or project skills)');
-            return null;
-        }
-        logLine(`skills_cli_installed: upload ${SKILLS_CLI_INSTALLED_PATH} global=${global.length} project=${project.length}`);
-        return {
-            file_type: SKILLS_CLI_FILE_TYPE,
-            file_path: SKILLS_CLI_INSTALLED_PATH,
-            raw_content: payload,
-        };
-    }
-    catch (err) {
-        logLine(`skills_cli: list --json failed: ${err instanceof Error ? err.message : String(err)}`);
+    const packageSpec = npxPackageSpec();
+    logLine(`skills_cli: npx ${packageSpec} — list -g --json && list --json (projectRoot=${projectRoot})`);
+    const globalRows = runSkillsListForScope('-g', ['-g'], projectRoot, logLine);
+    const projectRows = runSkillsListForScope('project', [], projectRoot, logLine);
+    const global = normalizeListRows(globalRows, 'global');
+    const project = normalizeListRows(projectRows, 'project');
+    logLine(formatSkillsListScopeForHookLog('-g', global));
+    logLine(formatSkillsListScopeForHookLog('project', project));
+    const payload = {
+        version: 1,
+        skills_cli_version: packageSpec,
+        generated_at: new Date().toISOString(),
+        global,
+        project,
+    };
+    if (payload.global.length === 0 && payload.project.length === 0) {
+        logLine('skills_cli_installed: not uploaded (no global or project skills)');
         return null;
     }
+    logLine(`skills_cli_installed: upload ${SKILLS_CLI_INSTALLED_PATH} global=${global.length} project=${project.length}`);
+    return {
+        file_type: SKILLS_CLI_FILE_TYPE,
+        file_path: SKILLS_CLI_INSTALLED_PATH,
+        raw_content: payload,
+    };
 }

package/dist/log_config_files/runtime/compliance_check.js

@@ -523,6 +523,19 @@ export function reportPostRestartVerificationOutcomes(violations) {
     });
     return { outcomes, reportPromises };
 }
+/**
+ * Run immediately after a deferred state.vscdb write lands on disk (post-restart, before the
+ * user's next prompt) so `pending_post_restart_verify` remediations are confirmed and reported
+ * to the server right away — the UI does not need to wait for another gate invocation.
+ */
+export async function runPostApplyVerification(agent = 'cursor') {
+    const status = runLocalRemediationComplianceCheck(agent);
+    const { outcomes, reportPromises } = reportPostRestartVerificationOutcomes(status.violations);
+    if (outcomes.length > 0) {
+        await Promise.allSettled(reportPromises);
+    }
+    return outcomes;
+}
 /**
  * Immediate autofix succeeded (inline recheck OK or Claude stale-recheck tolerance).
  * Clear pending verification locally and report verified so the next prompt does not POST

package/dist/log_config_files/runtime/compliance_session_log.js

@@ -0,0 +1,372 @@
+import { existsSync, mkdirSync, readdirSync, renameSync, statSync, unlinkSync, writeFileSync, appendFileSync, readFileSync, } from 'node:fs';
+import path from 'node:path';
+import { homedir } from 'node:os';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+const COMPLIANCE_SUBDIR = 'compliance';
+const TIER_NOOP = 'noop';
+const TIER_SUCCESS = 'success';
+const TIER_ERROR = 'error';
+const TIER_IN_PROCESS = 'in_process';
+const TIER_DIRS = [TIER_NOOP, TIER_SUCCESS, TIER_ERROR];
+const NOOP_MAX_AGE_MS = 30 * 60 * 1000;
+const SUCCESS_ERROR_MAX_AGE_MS = 24 * 60 * 60 * 1000;
+/** In-flight logs in compliance/in_process/ before finalize. */
+const INFLIGHT_MAX_AGE_MS = 2 * 60 * 60 * 1000;
+const LATEST_POINTER = 'latest';
+const MAX_SESSION_LOG_UPLOAD_BYTES = 5 * 1024 * 1024;
+let activeComplianceLogPath = null;
+export function parseComplianceLogArg(argv) {
+    const eq = argv.find((a) => a.startsWith('--compliance-log='));
+    if (eq) {
+        const v = eq.slice('--compliance-log='.length).trim();
+        return v || null;
+    }
+    const idx = argv.indexOf('--compliance-log');
+    if (idx >= 0 && argv[idx + 1]) {
+        const v = argv[idx + 1].trim();
+        return v || null;
+    }
+    return null;
+}
+export function isFinalizeComplianceSessionArgv(argv) {
+    return argv.includes('--finalize-compliance-session');
+}
+export function getComplianceLogDir() {
+    return path.join(homedir(), OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR);
+}
+export function getActiveComplianceLogPath() {
+    return activeComplianceLogPath;
+}
+export function setActiveComplianceLogPath(logPath) {
+    activeComplianceLogPath = logPath ? path.resolve(logPath) : null;
+}
+function isTierDirName(name) {
+    return TIER_DIRS.includes(name);
+}
+function isManagedDirName(name) {
+    return isTierDirName(name) || name === TIER_IN_PROCESS;
+}
+function getInProcessComplianceLogDir() {
+    return path.join(getComplianceLogDir(), TIER_IN_PROCESS);
+}
+/**
+ * Convert legacy/root session paths into the explicit in_process/ location.
+ *
+ * Hooks may still pass ~/.../compliance/<timestamp>.log; future writes should live
+ * at ~/.../compliance/in_process/<timestamp>.log until finalize classifies them.
+ */
+export function resolveComplianceSessionLogPath(logPath) {
+    const resolved = path.resolve(logPath);
+    if (path.dirname(resolved) === getComplianceLogDir()) {
+        return path.join(getInProcessComplianceLogDir(), path.basename(resolved));
+    }
+    return resolved;
+}
+/** Session log still in compliance/in_process/ (not yet finalized into a tier folder). */
+export function isInflightComplianceLogPath(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    return path.dirname(resolved) === getInProcessComplianceLogDir();
+}
+export function readLatestComplianceLogPointer() {
+    const pointer = path.join(getComplianceLogDir(), LATEST_POINTER);
+    if (!existsSync(pointer))
+        return null;
+    try {
+        const p = readFileSync(pointer, 'utf8').trim();
+        return p || null;
+    }
+    catch {
+        return null;
+    }
+}
+function pruneLogFilesInDir(dir, maxAgeMs, exceptPath) {
+    if (!existsSync(dir))
+        return 0;
+    const cutoff = Date.now() - maxAgeMs;
+    let removed = 0;
+    for (const name of readdirSync(dir)) {
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(dir, name);
+        if (exceptPath && full === exceptPath)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < cutoff) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+export function pruneComplianceSessionLogs(exceptPath) {
+    const base = getComplianceLogDir();
+    const keep = exceptPath ? path.resolve(exceptPath) : null;
+    let removed = 0;
+    removed += pruneLogFilesInDir(path.join(base, TIER_NOOP), NOOP_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_SUCCESS), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_ERROR), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_IN_PROCESS), INFLIGHT_MAX_AGE_MS, keep);
+    if (!existsSync(base))
+        return removed;
+    for (const name of readdirSync(base)) {
+        if (name === LATEST_POINTER || isManagedDirName(name))
+            continue;
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(base, name);
+        if (keep && full === keep)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < Date.now() - INFLIGHT_MAX_AGE_MS) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+/**
+ * Classify a compliance session for finalize + optional server upload.
+ *
+ * Only two outcomes are uploaded (success / error): remediation **succeeded** or **failed**.
+ * Policy violations, in-flight restart, and sync-only sessions are noop (local retention only).
+ */
+export function classifyComplianceSessionLog(content) {
+    const text = content.trim();
+    if (!text)
+        return TIER_NOOP;
+    if (/remediation_tracking: verified uuid=/.test(text)) {
+        return TIER_SUCCESS;
+    }
+    const remediationFailedPatterns = [
+        /REMEDIATION APPLY FAILURE/,
+        /compliance_check_runner: uncaught error/,
+        /remediation_tracking: verification_failed uuid=/,
+        /post_restart_verification count=\d+ quarantined=[1-9]/,
+        /enforceRemediation.*failed/i,
+    ];
+    if (remediationFailedPatterns.some((p) => p.test(text))) {
+        return TIER_ERROR;
+    }
+    return TIER_NOOP;
+}
+/** Keep at compliance/ root until verify or remediation failure is recorded in the session. */
+export function isRemediationCycleInflight(content) {
+    if (/remediation_tracking: verified uuid=/.test(content))
+        return false;
+    if (/remediation_tracking: verification_failed uuid=/.test(content))
+        return false;
+    if (/REMEDIATION APPLY FAILURE/.test(content))
+        return false;
+    if (/post_restart_verification count=\d+ quarantined=[1-9]/.test(content))
+        return false;
+    return /remediation_tracking: pending_post_restart_verify uuid=/.test(content);
+}
+function ensureComplianceLogDir() {
+    const dir = getComplianceLogDir();
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    for (const tier of [...TIER_DIRS, TIER_IN_PROCESS]) {
+        const sub = path.join(dir, tier);
+        if (!existsSync(sub))
+            mkdirSync(sub, { recursive: true, mode: 0o700 });
+    }
+}
+function writeLatestPointer(logPath) {
+    try {
+        ensureComplianceLogDir();
+        writeFileSync(path.join(getComplianceLogDir(), LATEST_POINTER), `${logPath}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+function appendComplianceLine(logPath, line) {
+    try {
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        appendFileSync(logPath, line, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+export function complianceLogSessionBanner(logPath, label, mode) {
+    const resolved = path.resolve(logPath);
+    const ts = new Date().toISOString();
+    const banner = mode === 'replace'
+        ? `\n${'='.repeat(72)}\n${ts} session: ${label}\n${'='.repeat(72)}\n`
+        : `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+    try {
+        const dir = path.dirname(resolved);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        if (mode === 'replace') {
+            writeFileSync(resolved, banner, 'utf8');
+        }
+        else {
+            appendFileSync(resolved, banner, 'utf8');
+        }
+        writeLatestPointer(resolved);
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Gate: prune old files, bind path, start or resume an inflight session file. */
+export function initComplianceSessionForGate(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    const resume = existsSync(resolved) && statSync(resolved).size > 0 && isInflightComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_prompt_gate (before submit)', resume ? 'append' : 'replace');
+    if (!resume) {
+        writeLatestPointer(resolved);
+    }
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/** Runner: prune old files, bind path, append runner section to the gate session file. */
+export function initComplianceSessionForRunner(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_check_runner (background sync + check)', 'append');
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/**
+ * Move session log from compliance/ root into noop|success|error/ and prune tiers.
+ * No-op if file missing or already finalized.
+ */
+export function finalizeComplianceSessionLog(logPath, forcedTier) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    if (!existsSync(resolved))
+        return null;
+    const parentName = path.basename(path.dirname(resolved));
+    if (isTierDirName(parentName)) {
+        return { tier: parentName, logPath: resolved, moved: false };
+    }
+    const content = readFileSync(resolved, 'utf8');
+    if (isRemediationCycleInflight(content)) {
+        return null;
+    }
+    const tier = forcedTier ?? classifyComplianceSessionLog(content);
+    ensureComplianceLogDir();
+    const dest = path.join(getComplianceLogDir(), tier, path.basename(resolved));
+    if (resolved !== dest) {
+        if (existsSync(dest))
+            unlinkSync(dest);
+        renameSync(resolved, dest);
+    }
+    setActiveComplianceLogPath(null);
+    writeLatestPointer(dest);
+    pruneComplianceSessionLogs(dest);
+    return { tier, logPath: dest, moved: true };
+}
+export function appendToActiveComplianceLog(message) {
+    const logPath = activeComplianceLogPath;
+    if (!logPath)
+        return;
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+export function readComplianceSessionLog(logPath) {
+    try {
+        if (!existsSync(logPath))
+            return '';
+        return readFileSync(logPath, 'utf8');
+    }
+    catch {
+        return '';
+    }
+}
+function appendLineToSessionLogFile(logPath, message) {
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Upload full session log to the server (success and error tiers only, first finalize only).
+ */
+export async function uploadComplianceSessionLogFromFinalize(result) {
+    if (result.tier !== TIER_SUCCESS && result.tier !== TIER_ERROR)
+        return;
+    if (!result.moved)
+        return;
+    const logText = readComplianceSessionLog(result.logPath);
+    if (!logText.trim())
+        return;
+    const logBytes = Buffer.byteLength(logText, 'utf8');
+    if (logBytes > MAX_SESSION_LOG_UPLOAD_BYTES) {
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: skipped (${logBytes} bytes exceeds ${MAX_SESSION_LOG_UPLOAD_BYTES})`);
+        return;
+    }
+    const { readStoredAuthKey } = await import('../auth/auth_key_store.js');
+    const { tryResolveHardwareUuid } = await import('./hardware_uuid.js');
+    const { loadEndpointBase } = await import('../sender/endpoint_config.js');
+    const { createSignature } = await import('../sender/signing.js');
+    const { buildApiUrl } = await import('../../endpoint_client/registry_api.js');
+    const { executeBody } = await import('../../endpoint_client/http_transport.js');
+    const authKey = readStoredAuthKey();
+    const hardwareUuid = tryResolveHardwareUuid();
+    if (!authKey || !hardwareUuid) {
+        appendLineToSessionLogFile(result.logPath, 'compliance_session_upload: skipped (auth key or hardware UUID unavailable)');
+        return;
+    }
+    const sessionFilename = path.basename(result.logPath);
+    const outcome = result.tier;
+    const signingPayload = {
+        hardware_uuid: hardwareUuid,
+        outcome,
+        session_filename: sessionFilename,
+        log_text: logText,
+    };
+    const signature = createSignature(signingPayload, authKey.key);
+    const body = JSON.stringify({ ...signingPayload, signature });
+    const url = buildApiUrl(loadEndpointBase(), '/endpoint_security/api/remediation-activity-log/');
+    try {
+        const { statusCode } = await executeBody(url, 'POST', body, 30_000);
+        if (statusCode === 200) {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: ok outcome=${outcome} bytes=${logBytes}`);
+        }
+        else {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: server status=${statusCode}`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: failed ${msg}`);
+    }
+}
+/** Finalize session file into success|error|noop tier, then upload when success or error. */
+export async function finalizeAndUploadComplianceSessionLog(logPath, forcedTier) {
+    const result = finalizeComplianceSessionLog(logPath, forcedTier);
+    if (result) {
+        await uploadComplianceSessionLogFromFinalize(result);
+    }
+    return result;
+}

package/dist/log_config_files/runtime/hook_logger.js

@@ -1,6 +1,7 @@
 import { existsSync, mkdirSync, appendFileSync, writeFileSync, statSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+import { getActiveComplianceLogPath } from './compliance_session_log.js';
 const HOOK_LOG_FILENAME = 'hook_log.txt';
 const COMPLIANCE_RUNNER_LOG_FILENAME = 'compliance_runner.log';
 /** Append-only: remediation verify/apply failures (not cleared per hook session). */
@@ -30,6 +31,16 @@ function getRemediationApplyFailuresLogPath() {
  * `level` examples: INFO, RUNNER, RESTART, FAIL
  */
 function appendComplianceRunnerLine(level, message) {
+    const sessionPath = getActiveComplianceLogPath();
+    if (sessionPath) {
+        try {
+            appendFileSync(sessionPath, `${new Date().toISOString()} [${level}] pid=${process.pid} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getComplianceRunnerLogPath();
     if (!logPath)
         return;
@@ -147,6 +158,18 @@ function hookLogSessionBanner(label) {
  * without replacing hook_log.txt.
  */
 function hookLogAppendSection(label) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            const banner = `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+            appendFileSync(compliancePath, banner, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;
@@ -167,8 +190,19 @@ function hookLogAppendSection(label) {
 function hookLogReplace() {
     hookLogSessionBanner('log_config_files (config upload)');
 }
-/** Append a timestamped line to hook_log.txt. */
+/** Append a timestamped line to hook_log.txt or the active compliance session log. */
 function hookRunLog(message) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            appendFileSync(compliancePath, `${ts} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;

package/dist/log_config_files/runtime/remediation_apply_tracking.js

@@ -58,6 +58,10 @@ export function clearRemediationApplyQuarantine(uuid) {
     writeRemediationApplyTrackingFile(file);
     hookRunLog(`remediation_tracking: quarantine_cleared uuid=${uuid}`);
 }
+export function hasPendingPostRestartVerification() {
+    const file = readRemediationApplyTrackingFile();
+    return Object.values(file.entries).some((e) => e.pending_post_restart_verify === true);
+}
 export function markRemediationApplyPendingVerification(uuid) {
     const file = readRemediationApplyTrackingFile();
     const prev = file.entries[uuid] ?? defaultEntry();

package/dist/log_config_files/runtime/remediation_sync.js

@@ -1460,7 +1460,10 @@ export function reportAutofixApplied(remediationUuid, result, details) {
     const body = JSON.stringify({ ...payload, signature });
     return executeBody(url, 'POST', body, 8000)
         .then(({ statusCode }) => {
-        if (statusCode !== 200) {
+        if (statusCode === 200) {
+            hookRunLog(`autofix_report: ok result=${result} uuid=${remediationUuid}`);
+        }
+        else {
             hookRunLog(`autofix_report: server returned ${statusCode} for uuid=${remediationUuid}`);
         }
     })

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -4,6 +4,7 @@
  */
 import { spawn } from 'node:child_process';
 import { appendComplianceRunnerLine, hookRunLog } from './hook_logger.js';
+import { getActiveComplianceLogPath } from './compliance_session_log.js';
 import { getDeferredVscdbRestartLogPath } from './management_storage.js';
 import { normalizeAgentToken } from './compliance_check.js';
 import { isClaudeRestartCommand, isCursorRestartCommand, isTrustedRestartCommandForAutofix } from './remediation_sync.js';
@@ -88,6 +89,7 @@ export function executeTrustedRestartCommands(commands) {
             appendComplianceRunnerLine('RESTART', 'spawn trusted_restart sh -c (non-deferred)');
         }
         const projectRoot = resolveProjectRoot();
+        const complianceLogPath = getActiveComplianceLogPath();
         const child = spawn('sh', ['-c', t], {
             detached: true,
             stdio: 'ignore',
@@ -95,6 +97,7 @@ export function executeTrustedRestartCommands(commands) {
             env: envForRestartSpawn({
                 ...process.env,
                 CURSOR_PROJECT_DIR: process.env.CURSOR_PROJECT_DIR || projectRoot,
+                ...(complianceLogPath ? { OPTIMUS_COMPLIANCE_LOG: complianceLogPath } : {}),
                 PATH: process.env.PATH && String(process.env.PATH).trim().length > 0
                     ? process.env.PATH
                     : FALLBACK_PATH,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.4.5",
+  "version": "1.4.8",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {