log-llm-config-staging 1.4.6 → 1.4.9

package/dist/apply_deferred_vscdb.js

@@ -1,9 +1,38 @@
 #!/usr/bin/env node
-/**
- * Runs after Cursor SIGKILL: applies queued state.vscdb patches from
- * ~/opt-ai-sec/management/optimus_deferred_vscdb_apply.json (see remediation_sync).
- */
+// Runs after Cursor SIGKILL: applies queued state.vscdb patches, then immediately runs
+// post-restart verification so the server gets `verified` without waiting for the next prompt.
 import { applyDeferredVscdbFromDisk } from './log_config_files/runtime/remediation_sync.js';
+import { runPostApplyVerification } from './log_config_files/runtime/compliance_check.js';
+import { hookRunLog } from './log_config_files/runtime/hook_logger.js';
+import { finalizeAndUploadComplianceSessionLog, setActiveComplianceLogPath, } from './log_config_files/runtime/compliance_session_log.js';
+const complianceLogPath = process.env.OPTIMUS_COMPLIANCE_LOG?.trim() || null;
+if (complianceLogPath) {
+    setActiveComplianceLogPath(complianceLogPath);
+}
 applyDeferredVscdbFromDisk()
-    .then((ok) => process.exit(ok ? 0 : 1))
+    .then(async (ok) => {
+    if (ok) {
+        try {
+            const outcomes = await runPostApplyVerification();
+            if (outcomes.length > 0) {
+                hookRunLog(`apply_deferred_vscdb: post_apply_verification count=${outcomes.length} ` +
+                    `verified=${outcomes.filter((o) => o.status === 'verified').length}`);
+            }
+            if (complianceLogPath) {
+                await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+            }
+        }
+        catch (e) {
+            hookRunLog(`apply_deferred_vscdb: post_apply_verification error: ${e instanceof Error ? e.message : String(e)}`);
+            if (complianceLogPath) {
+                await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+            }
+        }
+    }
+    else if (complianceLogPath) {
+        hookRunLog('apply_deferred_vscdb: apply failed');
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+    }
+    process.exit(ok ? 0 : 1);
+})
     .catch(() => process.exit(1));

package/dist/compliance_check_runner.js

@@ -1,11 +1,38 @@
 #!/usr/bin/env node
 import { complianceRunnerRunnerLine, hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
-import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+import { normalizeAgentToken, runComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
+import { finalizeAndUploadComplianceSessionLog, initComplianceSessionForRunner, isFinalizeComplianceSessionArgv, isInflightComplianceLogPath, parseComplianceLogArg, resolveComplianceSessionLogPath, } from './log_config_files/runtime/compliance_session_log.js';
+import { existsSync } from 'node:fs';
+function parseAgentArg() {
+    const eq = process.argv.find((a) => a.startsWith('--agent='));
+    if (!eq)
+        return undefined;
+    const normalized = normalizeAgentToken(eq.slice('--agent='.length));
+    return normalized ? normalized : undefined;
+}
 (async () => {
-    hookLogAppendSection('compliance_check_runner (background sync + check)');
+    let complianceLogPath = parseComplianceLogArg(process.argv);
+    if (isFinalizeComplianceSessionArgv(process.argv)) {
+        if (complianceLogPath) {
+            await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+        }
+        process.exit(0);
+    }
+    if (complianceLogPath) {
+        const resolved = resolveComplianceSessionLogPath(complianceLogPath);
+        if (existsSync(resolved) && isInflightComplianceLogPath(resolved)) {
+            complianceLogPath = initComplianceSessionForRunner(resolved);
+        }
+        else {
+            complianceLogPath = null;
+        }
+    }
+    else {
+        hookLogAppendSection('compliance_check_runner (background sync + check)');
+    }
     complianceRunnerRunnerLine('compliance_check_runner: start');
     try {
-        await runComplianceCheck();
+        await runComplianceCheck(parseAgentArg());
         complianceRunnerRunnerLine('compliance_check_runner: finished ok');
     }
     catch (err) {
@@ -13,6 +40,12 @@ import { runComplianceCheck } from './log_config_files/runtime/compliance_check.
         complianceRunnerRunnerLine(`compliance_check_runner: uncaught error — ${err instanceof Error ? err.message : String(err)}`);
         complianceRunnerRunnerLine(`compliance_check_runner: stack_or_detail ${detail.slice(0, 4000)}`);
         process.stderr.write(`compliance_check_runner error: ${err instanceof Error ? err.message : String(err)}\n`);
+        if (complianceLogPath) {
+            await finalizeAndUploadComplianceSessionLog(complianceLogPath, 'error');
+        }
         process.exit(1);
     }
+    if (complianceLogPath) {
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+    }
 })();

package/dist/compliance_prompt_gate.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 /**
  * Synchronous pre-prompt gate: local compliance only (stdout = single JSON line for IDE hooks).
- * stderr must stay clean; logs go via hookRunLog (file).
+ * stderr must stay clean; logs go via hookRunLog (compliance session file when --compliance-log is set).
  *
  * When autofix returns restart_commands, this process does not spawn them — the shell hook pipes
  * the same JSON line to execute_trusted_restarts (TS allowlist + spawn).
@@ -11,6 +11,7 @@ import { isRemediationQuarantined } from './log_config_files/runtime/remediation
 import { existsSync, readFileSync, statSync } from 'node:fs';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
+import { finalizeAndUploadComplianceSessionLog, initComplianceSessionForGate, parseComplianceLogArg, } from './log_config_files/runtime/compliance_session_log.js';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { ensureAuthentication } from './log_config_files/auth/auth_flow.js';
 import { sendConfigFile } from './log_config_files/sender/batch_sender.js';
@@ -19,17 +20,34 @@ import { syncRemediations } from './log_config_files/runtime/remediation_sync.js
 import { loadEndpointBase } from './log_config_files/sender/endpoint_config.js';
 import { formatRemediationChangePreviewForApplied } from './remediation_change_preview.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+/** After verified (or failed verify), push enforcement + session log immediately — do not wait for background runner. */
+async function flushRemediationOutcomeToServer(complianceLogPath) {
+    if (!complianceLogPath)
+        return;
+    try {
+        await finalizeAndUploadComplianceSessionLog(complianceLogPath);
+    }
+    catch (err) {
+        hookRunLog(`compliance_prompt_gate: session finalize/upload failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
     if (eq) {
         const v = eq.slice('--ide='.length).toLowerCase();
-        return v === 'claude' ? 'claude' : 'cursor';
+        if (v === 'claude')
+            return 'claude';
+        if (v === 'copilot')
+            return 'copilot';
+        return 'cursor';
     }
     if (process.argv.includes('--claude'))
         return 'claude';
     return 'cursor';
 }
 function defaultAgentFromIde(ide) {
+    if (ide === 'copilot')
+        return 'copilot';
     return ide === 'claude' ? 'claude' : 'cursor';
 }
 function parseAgent(ide) {
@@ -42,13 +60,13 @@ function parseAgent(ide) {
     return defaultAgentFromIde(ide);
 }
 function printAllow(ide) {
-    if (ide === 'claude')
+    if (ide === 'claude' || ide === 'copilot')
         console.log('{}');
     else
         console.log(JSON.stringify({ continue: true }));
 }
 function printAllowWithAdvisory(ide, advisoryMessage) {
-    if (ide === 'claude') {
+    if (ide === 'claude' || ide === 'copilot') {
         console.log(JSON.stringify({ __optimus_advisory: true, advisory_message: advisoryMessage }));
     }
     else {
@@ -62,7 +80,7 @@ function printAllowWithAdvisory(ide, advisoryMessage) {
 function blockPayload(ide, violationMessage) {
     const prefix = 'Prompt blocked by Optimus: ';
     const text = prefix + violationMessage;
-    if (ide === 'claude') {
+    if (ide === 'claude' || ide === 'copilot') {
         return JSON.stringify({ decision: 'block', reason: text, systemMessage: text });
     }
     return JSON.stringify({ continue: false, user_message: text });
@@ -116,6 +134,10 @@ function formatPreventiveAutofixDialog(appliedViolations, applyLine) {
 export function formatClaudeAutofixDialog(appliedViolations) {
     return formatPreventiveAutofixDialog(appliedViolations, 'Claude will now apply this policy to your environment.');
 }
+/** Copilot dialog after enforced/preventive remediation is applied locally (no restart). */
+export function formatCopilotAutofixDialog(appliedViolations) {
+    return formatPreventiveAutofixDialog(appliedViolations, 'Copilot will now apply this policy to your environment.');
+}
 /** Cursor restart dialog after enforced/preventive remediation is applied locally. */
 export function formatCursorRestartAutofixDialog(appliedViolations) {
     return formatPreventiveAutofixDialog(appliedViolations, 'Cursor will now restart to apply this policy, and your context will be retained.');
@@ -164,10 +186,21 @@ export async function runCompliancePromptGateCli() {
 export async function runCompliancePromptGate() {
     const ide = parseIde();
     const agent = parseAgent(ide);
-    hookLogSessionBanner('compliance_prompt_gate (before submit)');
-    // Sync before checking so server-side changes (enforce/unenforce) propagate on every prompt
-    // without waiting for the background runner. Race against a 3 s timeout so a slow or
-    // unavailable server never delays the gate significantly.
+    let complianceLogPath = parseComplianceLogArg(process.argv);
+    if (complianceLogPath) {
+        complianceLogPath = initComplianceSessionForGate(complianceLogPath);
+    }
+    else {
+        hookLogSessionBanner('compliance_prompt_gate (before submit)');
+    }
+    let status = runLocalRemediationComplianceCheck(agent);
+    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
+    if (postRestartVerify.outcomes.length > 0) {
+        await Promise.allSettled(postRestartVerify.reportPromises);
+        await flushRemediationOutcomeToServer(complianceLogPath);
+        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
+        status = runLocalRemediationComplianceCheck(agent);
+    }
     const hw = tryResolveHardwareUuid();
     if (hw) {
         try {
@@ -180,13 +213,7 @@ export async function runCompliancePromptGate() {
             // Network or auth failure — fall back to local file state.
         }
     }
-    const status = runLocalRemediationComplianceCheck(agent);
-    // Always process pending post-restart rows (even when compliance is ok — apply may have stuck).
-    const postRestartVerify = reportPostRestartVerificationOutcomes(status.violations);
-    if (postRestartVerify.outcomes.length > 0) {
-        await Promise.allSettled(postRestartVerify.reportPromises);
-        hookRunLog(`compliance_prompt_gate: post_restart_verification count=${postRestartVerify.outcomes.length} quarantined=${postRestartVerify.outcomes.filter((o) => o.status === 'quarantined').length}`);
-    }
+    status = runLocalRemediationComplianceCheck(agent);
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
     for (const e of status.secondarySatisfied ?? []) {
@@ -238,15 +265,15 @@ export async function runCompliancePromptGate() {
             const recheck = runLocalRemediationComplianceCheck(agent);
             const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
             // Cursor: tolerate a failing recheck only when SQLite updates are deferred (apply after restart).
-            // Claude Code: JSON remediations are written immediately; merge/verify timing can still leave the
-            // in-process recheck red for the same UUID — allow in that case only for --ide=claude.
+            // Claude / Copilot: JSON remediations are written immediately; merge/verify timing can still leave
+            // the in-process recheck red for the same UUID — allow in that case for immediate JSON agents.
             const appliedUuids = new Set(appliedViolations.map((v) => v.uuid));
-            const claudeRecheckStaleAfterImmediateApply = ide === 'claude' &&
+            const claudeRecheckStaleAfterImmediateApply = (ide === 'claude' || ide === 'copilot') &&
                 !recheckOk &&
                 recheck.violations.length > 0 &&
                 recheck.violations.every((v) => appliedUuids.has(v.uuid));
             if (claudeRecheckStaleAfterImmediateApply) {
-                hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
+                hookRunLog(`compliance_prompt_gate: ${ide} — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)`);
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const immediateVerified = restartCommands.length === 0 &&
@@ -255,6 +282,7 @@ export async function runCompliancePromptGate() {
                 if (immediateVerified) {
                     confirmAppliedAutofixVerified(appliedViolations, reportPromises);
                     await Promise.allSettled(reportPromises);
+                    await flushRemediationOutcomeToServer(complianceLogPath);
                 }
                 const changePreview = formatRemediationChangePreviewForApplied(appliedViolations);
                 const changePreviewSuffix = changePreview ? `\n\n${changePreview}` : '';
@@ -262,9 +290,11 @@ export async function runCompliancePromptGate() {
                     ? formatCursorRestartAutofixDialog(appliedViolations)
                     : ide === 'claude'
                         ? formatClaudeAutofixDialog(appliedViolations)
-                        : `Optimus Labs auto-fixed ${fixed} ${fixed === 1 ? 'policy violation' : 'policy violations'}:\n\n${appliedViolations
-                            .map((v) => autofixDialogLine(v))
-                            .join('\n')}${changePreviewSuffix}`;
+                        : ide === 'copilot'
+                            ? formatCopilotAutofixDialog(appliedViolations)
+                            : `Optimus Labs auto-fixed ${fixed} ${fixed === 1 ? 'policy violation' : 'policy violations'}:\n\n${appliedViolations
+                                .map((v) => autofixDialogLine(v))
+                                .join('\n')}${changePreviewSuffix}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;

package/dist/execute_trusted_restarts.js

@@ -7,9 +7,14 @@
 import { readFileSync } from 'node:fs';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { appendComplianceRunnerLine, hookRunLog } from './log_config_files/runtime/hook_logger.js';
+import { setActiveComplianceLogPath } from './log_config_files/runtime/compliance_session_log.js';
 import { executeTrustedRestartCommands } from './log_config_files/runtime/trusted_restarts.js';
 /** Invoked by dist entrypoint or by `npx log-llm-config@latest execute-trusted-restarts` (cli.js dispatches here). */
 export function runExecuteTrustedRestartsFromStdin() {
+    const complianceLogPath = process.env.OPTIMUS_COMPLIANCE_LOG?.trim();
+    if (complianceLogPath) {
+        setActiveComplianceLogPath(complianceLogPath);
+    }
     let raw;
     try {
         raw = readFileSync(0, 'utf8');

package/dist/log_config_files/paths/pattern_resolver.js

@@ -293,6 +293,14 @@ function resolvePatternToTargets(pathPattern, pathType, fileType, projectRoot, h
         targets.push({ path: basePath + suffix, file_type: fileType, content_format: contentFormat ?? 'extensions_cache' });
         return targets;
     }
+    if (spec?.type === 'env_dir_file') {
+        const configuredDir = process.env[spec.env_var]?.trim();
+        const baseDir = configuredDir
+            ? configuredDir.replace(/^~\//, `${home}/`)
+            : join(home, spec.fallback_under_home.replace(/^~\//, ''));
+        pushTargetPaths(targets, join(baseDir, spec.filename), fileType, false, collectStyle, contentFormat, dirGlob);
+        return targets;
+    }
     if (norm.includes('**'))
         return expandRecursiveGlobPathPattern(pathPattern, fileType, home, contentFormat, dirGlob, homeRecurseSkipDirs);
     if (norm.includes('*'))

package/dist/log_config_files/runtime/compliance_check.js

@@ -19,6 +19,7 @@ import { resolveRemediationConfigPath } from './remediation_config_path.js';
 import { resolveOpsTargetPath } from './ops_target_path.js';
 import { isRemediationQuarantined, markRemediationApplyPendingVerification, markRemediationApplyVerified, processPendingPostRestartVerifications, readRemediationApplyTrackingFile, writeRemediationApplyTrackingFile, } from './remediation_apply_tracking.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
+import { isEnvBackedSecretValue, scanJsonForHardcodedSecrets, } from './secret_regex_scan.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
 import { buildDeferredCursorRestartCommand, discoverAllWorkspaceVscdbs, enforceRemediation, fetchSync, isTrustedRestartCommandForAutofix, remediationFixSpec, reportAutofixApplied, syncRemediations, } from './remediation_sync.js';
@@ -188,6 +189,36 @@ function allowlistEntryMatchesRemoveToken(entry, token) {
     const pattern = new RegExp(`(^|[^a-z0-9_|])${escapeRegExp(t)}([^a-z0-9_|]|$)`);
     return pattern.test(valStr);
 }
+/**
+ * MCP secret remediations deploy ops.set to ${env:KEY}. Local compliance passes when the
+ * user picks any env reference, not only the exact string from the manifest.
+ */
+function remediationSetOpSatisfied(current, expected) {
+    if (deepEqual(current, expected))
+        return true;
+    if (typeof expected === 'string' &&
+        isEnvBackedSecretValue(expected) &&
+        isEnvBackedSecretValue(current)) {
+        return true;
+    }
+    return false;
+}
+function violationFromSecretScanFinding(entry, compliance, finding) {
+    return {
+        uuid: entry.uuid,
+        finding_formatted_id: compliance.finding_formatted_id,
+        setting_path: finding.path,
+        description: compliance.description,
+        finding_title: entry.finding_title,
+        finding_description: entry.finding_description,
+        policy_name: entry.policy_name,
+        severity: compliance.severity,
+        autofix_allowed: compliance.autofix_allowed,
+        config_file_path: entry.config_file_path,
+        expected_value: { op: 'secret_scan', path: finding.path, secret_type: finding.secretType },
+        message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Remove the hardcoded ${finding.secretType} from ${finding.path} in ${entry.config_file_path}`,
+    };
+}
 function verifyOpsApplied(configJson, settingPath, ops) {
     const parts = settingPath.split('.');
     const leafKey = parts[parts.length - 1] ?? '';
@@ -201,8 +232,9 @@ function verifyOpsApplied(configJson, settingPath, ops) {
         if (Object.prototype.hasOwnProperty.call(set, k)) {
             const cur = getByPath(configJson, targetPath);
             const expected = set[k];
-            if (!deepEqual(cur, expected))
+            if (!remediationSetOpSatisfied(cur, expected)) {
                 return { ok: false, expected: { op: 'set', path: targetPath, value: expected } };
+            }
             continue;
         }
         const cur = getByPath(configJson, targetPath);
@@ -319,6 +351,14 @@ export function evaluateManifestEntryCompliance(entry) {
     if (!loaded.ok)
         return { violations: [] };
     const configJson = loaded.json;
+    if (compliance.requires_secret_scan === true) {
+        const secretFindings = scanJsonForHardcodedSecrets(configJson);
+        return secretFindings.length === 0
+            ? { violations: [] }
+            : {
+                violations: secretFindings.map((f) => violationFromSecretScanFinding(entry, compliance, f)),
+            };
+    }
     const entryViolations = [];
     for (const check of checks) {
         const effectivePath = canonicalComplianceSettingPath(entry.config_file_path, check);
@@ -523,6 +563,19 @@ export function reportPostRestartVerificationOutcomes(violations) {
     });
     return { outcomes, reportPromises };
 }
+/**
+ * Run immediately after a deferred state.vscdb write lands on disk (post-restart, before the
+ * user's next prompt) so `pending_post_restart_verify` remediations are confirmed and reported
+ * to the server right away — the UI does not need to wait for another gate invocation.
+ */
+export async function runPostApplyVerification(agent = 'cursor') {
+    const status = runLocalRemediationComplianceCheck(agent);
+    const { outcomes, reportPromises } = reportPostRestartVerificationOutcomes(status.violations);
+    if (outcomes.length > 0) {
+        await Promise.allSettled(reportPromises);
+    }
+    return outcomes;
+}
 /**
  * Immediate autofix succeeded (inline recheck OK or Claude stale-recheck tolerance).
  * Clear pending verification locally and report verified so the next prompt does not POST
@@ -746,6 +799,16 @@ export function pruneSatisfiedOneTimeRemediations(agent = 'cursor') {
             continue;
         }
         const configJson = prLoaded.json;
+        if (spec?.requires_secret_scan === true) {
+            if (scanJsonForHardcodedSecrets(configJson).length === 0) {
+                removed++;
+                hookRunLog(`remediation_prune: satisfied secret-scan uuid=${inst.uuid} path=${inst.config_file_path}`);
+            }
+            else {
+                remaining.push(raw);
+            }
+            continue;
+        }
         // Only prune when every check is ops-based and currently satisfied.
         let okAll = true;
         for (const check of checks) {
@@ -880,8 +943,8 @@ export function uploadSatisfiedManifestConfigs(agent = 'cursor') {
  * Apply (autofix) is intentionally deferred to the gate on the next prompt — this pass only downloads
  * a fresh manifest so the gate has up-to-date data when it runs.
  */
-export async function runComplianceCheck() {
-    const agent = currentAgentFromEnv();
+export async function runComplianceCheck(agentOverride) {
+    const agent = agentOverride ?? currentAgentFromEnv();
     try {
         await syncRemediations(loadEndpointBase(), resolveHardwareUuid());
     }

package/dist/log_config_files/runtime/compliance_session_log.js

@@ -0,0 +1,372 @@
+import { existsSync, mkdirSync, readdirSync, renameSync, statSync, unlinkSync, writeFileSync, appendFileSync, readFileSync, } from 'node:fs';
+import path from 'node:path';
+import { homedir } from 'node:os';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+const COMPLIANCE_SUBDIR = 'compliance';
+const TIER_NOOP = 'noop';
+const TIER_SUCCESS = 'success';
+const TIER_ERROR = 'error';
+const TIER_IN_PROCESS = 'in_process';
+const TIER_DIRS = [TIER_NOOP, TIER_SUCCESS, TIER_ERROR];
+const NOOP_MAX_AGE_MS = 30 * 60 * 1000;
+const SUCCESS_ERROR_MAX_AGE_MS = 24 * 60 * 60 * 1000;
+/** In-flight logs in compliance/in_process/ before finalize. */
+const INFLIGHT_MAX_AGE_MS = 2 * 60 * 60 * 1000;
+const LATEST_POINTER = 'latest';
+const MAX_SESSION_LOG_UPLOAD_BYTES = 5 * 1024 * 1024;
+let activeComplianceLogPath = null;
+export function parseComplianceLogArg(argv) {
+    const eq = argv.find((a) => a.startsWith('--compliance-log='));
+    if (eq) {
+        const v = eq.slice('--compliance-log='.length).trim();
+        return v || null;
+    }
+    const idx = argv.indexOf('--compliance-log');
+    if (idx >= 0 && argv[idx + 1]) {
+        const v = argv[idx + 1].trim();
+        return v || null;
+    }
+    return null;
+}
+export function isFinalizeComplianceSessionArgv(argv) {
+    return argv.includes('--finalize-compliance-session');
+}
+export function getComplianceLogDir() {
+    return path.join(homedir(), OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR);
+}
+export function getActiveComplianceLogPath() {
+    return activeComplianceLogPath;
+}
+export function setActiveComplianceLogPath(logPath) {
+    activeComplianceLogPath = logPath ? path.resolve(logPath) : null;
+}
+function isTierDirName(name) {
+    return TIER_DIRS.includes(name);
+}
+function isManagedDirName(name) {
+    return isTierDirName(name) || name === TIER_IN_PROCESS;
+}
+function getInProcessComplianceLogDir() {
+    return path.join(getComplianceLogDir(), TIER_IN_PROCESS);
+}
+/**
+ * Convert legacy/root session paths into the explicit in_process/ location.
+ *
+ * Hooks may still pass ~/.../compliance/<timestamp>.log; future writes should live
+ * at ~/.../compliance/in_process/<timestamp>.log until finalize classifies them.
+ */
+export function resolveComplianceSessionLogPath(logPath) {
+    const resolved = path.resolve(logPath);
+    if (path.dirname(resolved) === getComplianceLogDir()) {
+        return path.join(getInProcessComplianceLogDir(), path.basename(resolved));
+    }
+    return resolved;
+}
+/** Session log still in compliance/in_process/ (not yet finalized into a tier folder). */
+export function isInflightComplianceLogPath(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    return path.dirname(resolved) === getInProcessComplianceLogDir();
+}
+export function readLatestComplianceLogPointer() {
+    const pointer = path.join(getComplianceLogDir(), LATEST_POINTER);
+    if (!existsSync(pointer))
+        return null;
+    try {
+        const p = readFileSync(pointer, 'utf8').trim();
+        return p || null;
+    }
+    catch {
+        return null;
+    }
+}
+function pruneLogFilesInDir(dir, maxAgeMs, exceptPath) {
+    if (!existsSync(dir))
+        return 0;
+    const cutoff = Date.now() - maxAgeMs;
+    let removed = 0;
+    for (const name of readdirSync(dir)) {
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(dir, name);
+        if (exceptPath && full === exceptPath)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < cutoff) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+export function pruneComplianceSessionLogs(exceptPath) {
+    const base = getComplianceLogDir();
+    const keep = exceptPath ? path.resolve(exceptPath) : null;
+    let removed = 0;
+    removed += pruneLogFilesInDir(path.join(base, TIER_NOOP), NOOP_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_SUCCESS), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_ERROR), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_IN_PROCESS), INFLIGHT_MAX_AGE_MS, keep);
+    if (!existsSync(base))
+        return removed;
+    for (const name of readdirSync(base)) {
+        if (name === LATEST_POINTER || isManagedDirName(name))
+            continue;
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(base, name);
+        if (keep && full === keep)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < Date.now() - INFLIGHT_MAX_AGE_MS) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+/**
+ * Classify a compliance session for finalize + optional server upload.
+ *
+ * Only two outcomes are uploaded (success / error): remediation **succeeded** or **failed**.
+ * Policy violations, in-flight restart, and sync-only sessions are noop (local retention only).
+ */
+export function classifyComplianceSessionLog(content) {
+    const text = content.trim();
+    if (!text)
+        return TIER_NOOP;
+    if (/remediation_tracking: verified uuid=/.test(text)) {
+        return TIER_SUCCESS;
+    }
+    const remediationFailedPatterns = [
+        /REMEDIATION APPLY FAILURE/,
+        /compliance_check_runner: uncaught error/,
+        /remediation_tracking: verification_failed uuid=/,
+        /post_restart_verification count=\d+ quarantined=[1-9]/,
+        /enforceRemediation.*failed/i,
+    ];
+    if (remediationFailedPatterns.some((p) => p.test(text))) {
+        return TIER_ERROR;
+    }
+    return TIER_NOOP;
+}
+/** Keep at compliance/ root until verify or remediation failure is recorded in the session. */
+export function isRemediationCycleInflight(content) {
+    if (/remediation_tracking: verified uuid=/.test(content))
+        return false;
+    if (/remediation_tracking: verification_failed uuid=/.test(content))
+        return false;
+    if (/REMEDIATION APPLY FAILURE/.test(content))
+        return false;
+    if (/post_restart_verification count=\d+ quarantined=[1-9]/.test(content))
+        return false;
+    return /remediation_tracking: pending_post_restart_verify uuid=/.test(content);
+}
+function ensureComplianceLogDir() {
+    const dir = getComplianceLogDir();
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    for (const tier of [...TIER_DIRS, TIER_IN_PROCESS]) {
+        const sub = path.join(dir, tier);
+        if (!existsSync(sub))
+            mkdirSync(sub, { recursive: true, mode: 0o700 });
+    }
+}
+function writeLatestPointer(logPath) {
+    try {
+        ensureComplianceLogDir();
+        writeFileSync(path.join(getComplianceLogDir(), LATEST_POINTER), `${logPath}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+function appendComplianceLine(logPath, line) {
+    try {
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        appendFileSync(logPath, line, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+export function complianceLogSessionBanner(logPath, label, mode) {
+    const resolved = path.resolve(logPath);
+    const ts = new Date().toISOString();
+    const banner = mode === 'replace'
+        ? `\n${'='.repeat(72)}\n${ts} session: ${label}\n${'='.repeat(72)}\n`
+        : `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+    try {
+        const dir = path.dirname(resolved);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        if (mode === 'replace') {
+            writeFileSync(resolved, banner, 'utf8');
+        }
+        else {
+            appendFileSync(resolved, banner, 'utf8');
+        }
+        writeLatestPointer(resolved);
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Gate: prune old files, bind path, start or resume an inflight session file. */
+export function initComplianceSessionForGate(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    const resume = existsSync(resolved) && statSync(resolved).size > 0 && isInflightComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_prompt_gate (before submit)', resume ? 'append' : 'replace');
+    if (!resume) {
+        writeLatestPointer(resolved);
+    }
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/** Runner: prune old files, bind path, append runner section to the gate session file. */
+export function initComplianceSessionForRunner(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_check_runner (background sync + check)', 'append');
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/**
+ * Move session log from compliance/ root into noop|success|error/ and prune tiers.
+ * No-op if file missing or already finalized.
+ */
+export function finalizeComplianceSessionLog(logPath, forcedTier) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    if (!existsSync(resolved))
+        return null;
+    const parentName = path.basename(path.dirname(resolved));
+    if (isTierDirName(parentName)) {
+        return { tier: parentName, logPath: resolved, moved: false };
+    }
+    const content = readFileSync(resolved, 'utf8');
+    if (isRemediationCycleInflight(content)) {
+        return null;
+    }
+    const tier = forcedTier ?? classifyComplianceSessionLog(content);
+    ensureComplianceLogDir();
+    const dest = path.join(getComplianceLogDir(), tier, path.basename(resolved));
+    if (resolved !== dest) {
+        if (existsSync(dest))
+            unlinkSync(dest);
+        renameSync(resolved, dest);
+    }
+    setActiveComplianceLogPath(null);
+    writeLatestPointer(dest);
+    pruneComplianceSessionLogs(dest);
+    return { tier, logPath: dest, moved: true };
+}
+export function appendToActiveComplianceLog(message) {
+    const logPath = activeComplianceLogPath;
+    if (!logPath)
+        return;
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+export function readComplianceSessionLog(logPath) {
+    try {
+        if (!existsSync(logPath))
+            return '';
+        return readFileSync(logPath, 'utf8');
+    }
+    catch {
+        return '';
+    }
+}
+function appendLineToSessionLogFile(logPath, message) {
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Upload full session log to the server (success and error tiers only, first finalize only).
+ */
+export async function uploadComplianceSessionLogFromFinalize(result) {
+    if (result.tier !== TIER_SUCCESS && result.tier !== TIER_ERROR)
+        return;
+    if (!result.moved)
+        return;
+    const logText = readComplianceSessionLog(result.logPath);
+    if (!logText.trim())
+        return;
+    const logBytes = Buffer.byteLength(logText, 'utf8');
+    if (logBytes > MAX_SESSION_LOG_UPLOAD_BYTES) {
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: skipped (${logBytes} bytes exceeds ${MAX_SESSION_LOG_UPLOAD_BYTES})`);
+        return;
+    }
+    const { readStoredAuthKey } = await import('../auth/auth_key_store.js');
+    const { tryResolveHardwareUuid } = await import('./hardware_uuid.js');
+    const { loadEndpointBase } = await import('../sender/endpoint_config.js');
+    const { createSignature } = await import('../sender/signing.js');
+    const { buildApiUrl } = await import('../../endpoint_client/registry_api.js');
+    const { executeBody } = await import('../../endpoint_client/http_transport.js');
+    const authKey = readStoredAuthKey();
+    const hardwareUuid = tryResolveHardwareUuid();
+    if (!authKey || !hardwareUuid) {
+        appendLineToSessionLogFile(result.logPath, 'compliance_session_upload: skipped (auth key or hardware UUID unavailable)');
+        return;
+    }
+    const sessionFilename = path.basename(result.logPath);
+    const outcome = result.tier;
+    const signingPayload = {
+        hardware_uuid: hardwareUuid,
+        outcome,
+        session_filename: sessionFilename,
+        log_text: logText,
+    };
+    const signature = createSignature(signingPayload, authKey.key);
+    const body = JSON.stringify({ ...signingPayload, signature });
+    const url = buildApiUrl(loadEndpointBase(), '/endpoint_security/api/remediation-activity-log/');
+    try {
+        const { statusCode } = await executeBody(url, 'POST', body, 30_000);
+        if (statusCode === 200) {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: ok outcome=${outcome} bytes=${logBytes}`);
+        }
+        else {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: server status=${statusCode}`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: failed ${msg}`);
+    }
+}
+/** Finalize session file into success|error|noop tier, then upload when success or error. */
+export async function finalizeAndUploadComplianceSessionLog(logPath, forcedTier) {
+    const result = finalizeComplianceSessionLog(logPath, forcedTier);
+    if (result) {
+        await uploadComplianceSessionLogFromFinalize(result);
+    }
+    return result;
+}

package/dist/log_config_files/runtime/hook_logger.js

@@ -1,8 +1,11 @@
 import { existsSync, mkdirSync, appendFileSync, writeFileSync, statSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+import { getActiveComplianceLogPath } from './compliance_session_log.js';
 const HOOK_LOG_FILENAME = 'hook_log.txt';
 const COMPLIANCE_RUNNER_LOG_FILENAME = 'compliance_runner.log';
+const COMPLIANCE_SUBDIR = 'compliance';
+const COMPLIANCE_FALLBACK_TIER = 'noop';
 /** Append-only: remediation verify/apply failures (not cleared per hook session). */
 const REMEDIATION_APPLY_FAILURES_FILENAME = 'remediation_apply_failures.log';
 /** Hard cap so a single upload/sync session cannot grow hook_log.txt without bound. */
@@ -17,7 +20,7 @@ function getComplianceRunnerLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
     if (!homeDir)
         return null;
-    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_RUNNER_LOG_FILENAME);
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR, COMPLIANCE_FALLBACK_TIER, COMPLIANCE_RUNNER_LOG_FILENAME);
 }
 function getRemediationApplyFailuresLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
@@ -26,10 +29,21 @@ function getRemediationApplyFailuresLogPath() {
     return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, REMEDIATION_APPLY_FAILURES_FILENAME);
 }
 /**
- * Append one ISO-timestamped line to compliance_runner.log.
+ * Append one ISO-timestamped line to the active compliance session log.
+ * If no session is active, use compliance/noop/compliance_runner.log as a legacy fallback.
  * `level` examples: INFO, RUNNER, RESTART, FAIL
  */
 function appendComplianceRunnerLine(level, message) {
+    const sessionPath = getActiveComplianceLogPath();
+    if (sessionPath) {
+        try {
+            appendFileSync(sessionPath, `${new Date().toISOString()} [${level}] pid=${process.pid} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getComplianceRunnerLogPath();
     if (!logPath)
         return;
@@ -58,7 +72,7 @@ function complianceRunnerRunnerLine(message) {
 }
 /**
  * Loud, append-only record when a remediation cannot be verified or applied. Writes
- * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to compliance_runner.log;
+ * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to the compliance log;
  * also appends a single summary line to hook_log.txt for the current session.
  */
 function logRemediationApplyFailure(context, fields) {
@@ -89,12 +103,18 @@ function logRemediationApplyFailure(context, fields) {
         const failPath = getRemediationApplyFailuresLogPath();
         if (failPath)
             writeFailAppend(failPath);
-        const crPath = getComplianceRunnerLogPath();
-        if (crPath) {
-            const dir = path.dirname(crPath);
-            if (!existsSync(dir))
-                mkdirSync(dir, { recursive: true, mode: 0o700 });
-            appendFileSync(crPath, block, 'utf8');
+        const activeCompliancePath = getActiveComplianceLogPath();
+        if (activeCompliancePath) {
+            writeFailAppend(activeCompliancePath);
+        }
+        else {
+            const crPath = getComplianceRunnerLogPath();
+            if (crPath) {
+                const dir = path.dirname(crPath);
+                if (!existsSync(dir))
+                    mkdirSync(dir, { recursive: true, mode: 0o700 });
+                appendFileSync(crPath, block, 'utf8');
+            }
         }
     }
     catch {
@@ -147,6 +167,18 @@ function hookLogSessionBanner(label) {
  * without replacing hook_log.txt.
  */
 function hookLogAppendSection(label) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            const banner = `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+            appendFileSync(compliancePath, banner, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;
@@ -167,8 +199,19 @@ function hookLogAppendSection(label) {
 function hookLogReplace() {
     hookLogSessionBanner('log_config_files (config upload)');
 }
-/** Append a timestamped line to hook_log.txt. */
+/** Append a timestamped line to hook_log.txt or the active compliance session log. */
 function hookRunLog(message) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            appendFileSync(compliancePath, `${ts} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;

package/dist/log_config_files/runtime/remediation_apply_tracking.js

@@ -58,6 +58,10 @@ export function clearRemediationApplyQuarantine(uuid) {
     writeRemediationApplyTrackingFile(file);
     hookRunLog(`remediation_tracking: quarantine_cleared uuid=${uuid}`);
 }
+export function hasPendingPostRestartVerification() {
+    const file = readRemediationApplyTrackingFile();
+    return Object.values(file.entries).some((e) => e.pending_post_restart_verify === true);
+}
 export function markRemediationApplyPendingVerification(uuid) {
     const file = readRemediationApplyTrackingFile();
     const prev = file.entries[uuid] ?? defaultEntry();

package/dist/log_config_files/runtime/remediation_sync.js

@@ -1460,7 +1460,10 @@ export function reportAutofixApplied(remediationUuid, result, details) {
     const body = JSON.stringify({ ...payload, signature });
     return executeBody(url, 'POST', body, 8000)
         .then(({ statusCode }) => {
-        if (statusCode !== 200) {
+        if (statusCode === 200) {
+            hookRunLog(`autofix_report: ok result=${result} uuid=${remediationUuid}`);
+        }
+        else {
             hookRunLog(`autofix_report: server returned ${statusCode} for uuid=${remediationUuid}`);
         }
     })

package/dist/log_config_files/runtime/secret_regex_scan.js

@@ -0,0 +1,126 @@
+/**
+ * Lightweight hardcoded-secret detection for local compliance (requires_secret_scan rows).
+ * Regex set aligned with policy_engine HardcodedSecretRule — not a full Secretlint/Gitleaks port.
+ */
+/** Values that reference env vars are never treated as hardcoded secrets. */
+export function isEnvBackedSecretValue(value) {
+    if (typeof value !== 'string')
+        return false;
+    const s = value.trim();
+    if (!s)
+        return false;
+    return s.includes('${env:') || s.includes('$env:') || s.includes('process.env.');
+}
+/** Provider / format patterns (order matters — first match wins). */
+const KNOWN_SECRET_PATTERNS = [
+    { re: /sk-proj-[a-zA-Z0-9_-]{20,}/i, label: 'OpenAI API key' },
+    { re: /sk-ant-[a-zA-Z0-9_-]{20,}/i, label: 'Anthropic API key' },
+    { re: /sk-[a-zA-Z0-9]{20,}/i, label: 'API key (sk-...)' },
+    { re: /sk_(?:live|test|prod)_[a-zA-Z0-9]{20,}/i, label: 'Stripe secret key' },
+    { re: /pk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe publishable key' },
+    { re: /pk_[a-zA-Z0-9_]{20,}/i, label: 'API key (pk_...)' },
+    { re: /whsec_[a-zA-Z0-9]{20,}/i, label: 'Stripe webhook secret' },
+    { re: /rk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe restricted key' },
+    { re: /pplx-[a-zA-Z0-9-]{20,}/i, label: 'Perplexity API key' },
+    { re: /ghp_[a-zA-Z0-9]{36}/i, label: 'GitHub personal access token' },
+    { re: /gho_[a-zA-Z0-9]{36}/i, label: 'GitHub OAuth token' },
+    { re: /ghu_[a-zA-Z0-9]{36}/i, label: 'GitHub user-to-server token' },
+    { re: /ghs_[a-zA-Z0-9]{36}/i, label: 'GitHub server-to-server token' },
+    { re: /ghr_[a-zA-Z0-9]{76}/i, label: 'GitHub refresh token' },
+    { re: /github_pat_[a-zA-Z0-9_]{20,}/i, label: 'GitHub fine-grained PAT' },
+    { re: /glpat-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab personal access token' },
+    { re: /glcbt-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab CI job token' },
+    { re: /xoxb-[a-zA-Z0-9-]+/i, label: 'Slack bot token' },
+    { re: /xoxp-[a-zA-Z0-9-]+/i, label: 'Slack user token' },
+    { re: /xoxa-[a-zA-Z0-9-]+/i, label: 'Slack app-level token' },
+    { re: /xapp-[a-zA-Z0-9-]+/i, label: 'Slack app token' },
+    { re: /AKIA[0-9A-Z]{16}/i, label: 'AWS access key ID' },
+    { re: /ASIA[0-9A-Z]{16}/i, label: 'AWS temporary access key ID' },
+    { re: /AIza[0-9A-Za-z_-]{35}/i, label: 'Google API key' },
+    { re: /ya29\.[0-9A-Za-z_-]+/i, label: 'Google OAuth access token' },
+    { re: /AC[a-z0-9]{32}/i, label: 'Twilio account SID' },
+    { re: /SK[a-z0-9]{32}/i, label: 'Twilio API key' },
+    { re: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/i, label: 'SendGrid API key' },
+    { re: /key-[a-f0-9]{32}/i, label: 'Mailgun API key' },
+    { re: /npm_[a-zA-Z0-9]{36}/i, label: 'npm access token' },
+    { re: /pypi-[a-zA-Z0-9_-]{50,}/i, label: 'PyPI API token' },
+    { re: /discord(?:app)?\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/i, label: 'Discord webhook URL' },
+    { re: /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/i, label: 'Slack webhook URL' },
+    { re: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/i, label: 'JWT (JSON Web Token)' },
+    { re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/i, label: 'Private key block' },
+    { re: /sq0[a-zA-Z0-9_-]{20,}/i, label: 'Square access token' },
+    { re: /shpat_[a-fA-F0-9]{32}/i, label: 'Shopify access token' },
+    { re: /shpca_[a-fA-F0-9]{32}/i, label: 'Shopify custom app token' },
+    { re: /shpss_[a-fA-F0-9]{32}/i, label: 'Shopify shared secret' },
+    { re: /dop_v1_[a-f0-9]{64}/i, label: 'DigitalOcean personal access token' },
+    { re: /pat_[a-zA-Z0-9]{22}_[a-fA-F0-9]{59}/i, label: 'Atlassian API token' },
+    { re: /Bearer\s+[a-zA-Z0-9\-_.]{20,}/i, label: 'Bearer token' },
+];
+const BASIC_AUTH_IN_URL = /[a-zA-Z0-9._%+-]+:[a-zA-Z0-9._%+-]+@/gi;
+const GENERIC_TOKEN = /\b[a-zA-Z0-9]{32,}\b/g;
+const GENERIC_KEY_HINT = /(?:api[_-]?key|app[_-]?key|secret|token|password|passwd|pass\b|(?<!o)auth|credential|private[_-]?key|access[_-]?key|master[_-]?key)/i;
+function basicAuthMatchIsCredential(value, matchIndex) {
+    const before = value.slice(0, matchIndex);
+    const schemeIdx = before.lastIndexOf('://');
+    if (schemeIdx === -1)
+        return true;
+    const between = value.slice(schemeIdx + 3, matchIndex);
+    return !between.includes('/');
+}
+function looksLikeUrlContext(value) {
+    return value.includes(':') && (value.toLowerCase().includes('http') || value.includes('://'));
+}
+/**
+ * Scan one scalar config value. Returns secret type label or null if clean / env-backed.
+ */
+export function scanScalarForHardcodedSecret(value, keyName) {
+    if (value == null)
+        return null;
+    const valueStr = String(value);
+    if (isEnvBackedSecretValue(valueStr))
+        return null;
+    for (const { re, label } of KNOWN_SECRET_PATTERNS) {
+        if (re.test(valueStr))
+            return label;
+    }
+    BASIC_AUTH_IN_URL.lastIndex = 0;
+    for (const match of valueStr.matchAll(BASIC_AUTH_IN_URL)) {
+        if (basicAuthMatchIsCredential(valueStr, match.index ?? 0)) {
+            return 'Basic authentication credentials';
+        }
+    }
+    if (!GENERIC_KEY_HINT.test(keyName) || looksLikeUrlContext(valueStr)) {
+        return null;
+    }
+    const genericMatches = valueStr.match(GENERIC_TOKEN) ?? [];
+    if (genericMatches.some((token) => token.length >= 40)) {
+        return 'Potential token/secret';
+    }
+    return null;
+}
+function collectScalarLeaves(value, path = '') {
+    if (value == null)
+        return [];
+    if (Array.isArray(value)) {
+        return value.flatMap((item, idx) => collectScalarLeaves(item, path ? `${path}.${idx}` : String(idx)));
+    }
+    if (typeof value === 'object') {
+        return Object.entries(value).flatMap(([key, nested]) => collectScalarLeaves(nested, path ? `${path}.${key}` : key));
+    }
+    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+        return [];
+    }
+    const key = path.split('.').pop() ?? path;
+    return [{ path: path || '.', key, value }];
+}
+/** Walk parsed JSON and return all hardcoded-secret hits (JSON dot paths). */
+export function scanJsonForHardcodedSecrets(configJson) {
+    const findings = [];
+    for (const leaf of collectScalarLeaves(configJson)) {
+        const secretType = scanScalarForHardcodedSecret(leaf.value, leaf.key);
+        if (secretType) {
+            findings.push({ path: leaf.path, key: leaf.key, secretType });
+        }
+    }
+    return findings;
+}

package/dist/log_config_files/runtime/secretlint_scan.js

@@ -0,0 +1,69 @@
+/**
+ * In-process Secretlint scan for compliance rows with requires_secret_scan.
+ * Bundled as log-llm-config dependencies — no separate user install.
+ */
+import { lintSource } from '@secretlint/core';
+import { loadPackagesFromConfigDescriptor } from '@secretlint/config-loader';
+let secretlintConfigPromise = null;
+async function getSecretlintConfig() {
+    if (!secretlintConfigPromise) {
+        secretlintConfigPromise = loadPackagesFromConfigDescriptor({
+            configDescriptor: {
+                rules: [{ id: '@secretlint/secretlint-rule-preset-recommend' }],
+            },
+        }).then((loaded) => {
+            if (!loaded.ok) {
+                throw new Error('Failed to load Secretlint config');
+            }
+            return loaded.config;
+        });
+    }
+    return secretlintConfigPromise;
+}
+function collectStringLeaves(value, path = '') {
+    if (value == null)
+        return [];
+    if (Array.isArray(value)) {
+        return value.flatMap((item, idx) => collectStringLeaves(item, path ? `${path}.${idx}` : String(idx)));
+    }
+    if (typeof value === 'object') {
+        return Object.entries(value).flatMap(([key, nested]) => collectStringLeaves(nested, path ? `${path}.${key}` : key));
+    }
+    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+        return [];
+    }
+    const key = path.split('.').pop() ?? path;
+    return [{ path: path || '.', key, value: String(value) }];
+}
+function secretTypeFromMessage(ruleId, message) {
+    const trimmed = message.trim();
+    return trimmed || ruleId || 'Secretlint detection';
+}
+/**
+ * Scan parsed JSON config for secrets using Secretlint (preset-recommend).
+ */
+export async function scanJsonForSecretsWithSecretlint(configJson) {
+    const config = await getSecretlintConfig();
+    const leaves = collectStringLeaves(configJson);
+    const findings = [];
+    for (const leaf of leaves) {
+        const result = await lintSource({
+            source: {
+                filePath: `${leaf.path.replace(/\./g, '/')}.json`,
+                content: leaf.value,
+                ext: '.json',
+                contentType: 'text',
+            },
+            options: { config },
+        });
+        if (result.messages.length === 0)
+            continue;
+        const first = result.messages[0];
+        findings.push({
+            path: leaf.path,
+            key: leaf.key,
+            secretType: secretTypeFromMessage(first.ruleId ?? 'secret', String(first.message ?? '')),
+        });
+    }
+    return findings;
+}

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -4,6 +4,7 @@
  */
 import { spawn } from 'node:child_process';
 import { appendComplianceRunnerLine, hookRunLog } from './hook_logger.js';
+import { getActiveComplianceLogPath } from './compliance_session_log.js';
 import { getDeferredVscdbRestartLogPath } from './management_storage.js';
 import { normalizeAgentToken } from './compliance_check.js';
 import { isClaudeRestartCommand, isCursorRestartCommand, isTrustedRestartCommandForAutofix } from './remediation_sync.js';
@@ -84,10 +85,11 @@ export function executeTrustedRestartCommands(commands) {
             appendComplianceRunnerLine('RESTART', `spawn deferred_vscdb_restart sh -c (detail_log=${detailPath}) cwd_inherited_from_node`);
         }
         else {
-            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance_runner.log [RESTART])');
+            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance session log [RESTART])');
             appendComplianceRunnerLine('RESTART', 'spawn trusted_restart sh -c (non-deferred)');
         }
         const projectRoot = resolveProjectRoot();
+        const complianceLogPath = getActiveComplianceLogPath();
         const child = spawn('sh', ['-c', t], {
             detached: true,
             stdio: 'ignore',
@@ -95,6 +97,7 @@ export function executeTrustedRestartCommands(commands) {
             env: envForRestartSpawn({
                 ...process.env,
                 CURSOR_PROJECT_DIR: process.env.CURSOR_PROJECT_DIR || projectRoot,
+                ...(complianceLogPath ? { OPTIMUS_COMPLIANCE_LOG: complianceLogPath } : {}),
                 PATH: process.env.PATH && String(process.env.PATH).trim().length > 0
                     ? process.env.PATH
                     : FALLBACK_PATH,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.4.6",
+  "version": "1.4.9",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {