log-llm-config-staging 1.4.8 → 1.4.9

package/dist/compliance_check_runner.js

@@ -1,8 +1,15 @@
 #!/usr/bin/env node
 import { complianceRunnerRunnerLine, hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
-import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+import { normalizeAgentToken, runComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
 import { finalizeAndUploadComplianceSessionLog, initComplianceSessionForRunner, isFinalizeComplianceSessionArgv, isInflightComplianceLogPath, parseComplianceLogArg, resolveComplianceSessionLogPath, } from './log_config_files/runtime/compliance_session_log.js';
 import { existsSync } from 'node:fs';
+function parseAgentArg() {
+    const eq = process.argv.find((a) => a.startsWith('--agent='));
+    if (!eq)
+        return undefined;
+    const normalized = normalizeAgentToken(eq.slice('--agent='.length));
+    return normalized ? normalized : undefined;
+}
 (async () => {
     let complianceLogPath = parseComplianceLogArg(process.argv);
     if (isFinalizeComplianceSessionArgv(process.argv)) {
@@ -25,7 +32,7 @@ import { existsSync } from 'node:fs';
     }
     complianceRunnerRunnerLine('compliance_check_runner: start');
     try {
-        await runComplianceCheck();
+        await runComplianceCheck(parseAgentArg());
         complianceRunnerRunnerLine('compliance_check_runner: finished ok');
     }
     catch (err) {

package/dist/compliance_prompt_gate.js

@@ -35,13 +35,19 @@ function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
     if (eq) {
         const v = eq.slice('--ide='.length).toLowerCase();
-        return v === 'claude' ? 'claude' : 'cursor';
+        if (v === 'claude')
+            return 'claude';
+        if (v === 'copilot')
+            return 'copilot';
+        return 'cursor';
     }
     if (process.argv.includes('--claude'))
         return 'claude';
     return 'cursor';
 }
 function defaultAgentFromIde(ide) {
+    if (ide === 'copilot')
+        return 'copilot';
     return ide === 'claude' ? 'claude' : 'cursor';
 }
 function parseAgent(ide) {
@@ -54,13 +60,13 @@ function parseAgent(ide) {
     return defaultAgentFromIde(ide);
 }
 function printAllow(ide) {
-    if (ide === 'claude')
+    if (ide === 'claude' || ide === 'copilot')
         console.log('{}');
     else
         console.log(JSON.stringify({ continue: true }));
 }
 function printAllowWithAdvisory(ide, advisoryMessage) {
-    if (ide === 'claude') {
+    if (ide === 'claude' || ide === 'copilot') {
         console.log(JSON.stringify({ __optimus_advisory: true, advisory_message: advisoryMessage }));
     }
     else {
@@ -74,7 +80,7 @@ function printAllowWithAdvisory(ide, advisoryMessage) {
 function blockPayload(ide, violationMessage) {
     const prefix = 'Prompt blocked by Optimus: ';
     const text = prefix + violationMessage;
-    if (ide === 'claude') {
+    if (ide === 'claude' || ide === 'copilot') {
         return JSON.stringify({ decision: 'block', reason: text, systemMessage: text });
     }
     return JSON.stringify({ continue: false, user_message: text });
@@ -128,6 +134,10 @@ function formatPreventiveAutofixDialog(appliedViolations, applyLine) {
 export function formatClaudeAutofixDialog(appliedViolations) {
     return formatPreventiveAutofixDialog(appliedViolations, 'Claude will now apply this policy to your environment.');
 }
+/** Copilot dialog after enforced/preventive remediation is applied locally (no restart). */
+export function formatCopilotAutofixDialog(appliedViolations) {
+    return formatPreventiveAutofixDialog(appliedViolations, 'Copilot will now apply this policy to your environment.');
+}
 /** Cursor restart dialog after enforced/preventive remediation is applied locally. */
 export function formatCursorRestartAutofixDialog(appliedViolations) {
     return formatPreventiveAutofixDialog(appliedViolations, 'Cursor will now restart to apply this policy, and your context will be retained.');
@@ -255,15 +265,15 @@ export async function runCompliancePromptGate() {
             const recheck = runLocalRemediationComplianceCheck(agent);
             const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
             // Cursor: tolerate a failing recheck only when SQLite updates are deferred (apply after restart).
-            // Claude Code: JSON remediations are written immediately; merge/verify timing can still leave the
-            // in-process recheck red for the same UUID — allow in that case only for --ide=claude.
+            // Claude / Copilot: JSON remediations are written immediately; merge/verify timing can still leave
+            // the in-process recheck red for the same UUID — allow in that case for immediate JSON agents.
             const appliedUuids = new Set(appliedViolations.map((v) => v.uuid));
-            const claudeRecheckStaleAfterImmediateApply = ide === 'claude' &&
+            const claudeRecheckStaleAfterImmediateApply = (ide === 'claude' || ide === 'copilot') &&
                 !recheckOk &&
                 recheck.violations.length > 0 &&
                 recheck.violations.every((v) => appliedUuids.has(v.uuid));
             if (claudeRecheckStaleAfterImmediateApply) {
-                hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
+                hookRunLog(`compliance_prompt_gate: ${ide} — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)`);
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const immediateVerified = restartCommands.length === 0 &&
@@ -280,9 +290,11 @@ export async function runCompliancePromptGate() {
                     ? formatCursorRestartAutofixDialog(appliedViolations)
                     : ide === 'claude'
                         ? formatClaudeAutofixDialog(appliedViolations)
-                        : `Optimus Labs auto-fixed ${fixed} ${fixed === 1 ? 'policy violation' : 'policy violations'}:\n\n${appliedViolations
-                            .map((v) => autofixDialogLine(v))
-                            .join('\n')}${changePreviewSuffix}`;
+                        : ide === 'copilot'
+                            ? formatCopilotAutofixDialog(appliedViolations)
+                            : `Optimus Labs auto-fixed ${fixed} ${fixed === 1 ? 'policy violation' : 'policy violations'}:\n\n${appliedViolations
+                                .map((v) => autofixDialogLine(v))
+                                .join('\n')}${changePreviewSuffix}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;

package/dist/log_config_files/paths/pattern_resolver.js

@@ -293,6 +293,14 @@ function resolvePatternToTargets(pathPattern, pathType, fileType, projectRoot, h
         targets.push({ path: basePath + suffix, file_type: fileType, content_format: contentFormat ?? 'extensions_cache' });
         return targets;
     }
+    if (spec?.type === 'env_dir_file') {
+        const configuredDir = process.env[spec.env_var]?.trim();
+        const baseDir = configuredDir
+            ? configuredDir.replace(/^~\//, `${home}/`)
+            : join(home, spec.fallback_under_home.replace(/^~\//, ''));
+        pushTargetPaths(targets, join(baseDir, spec.filename), fileType, false, collectStyle, contentFormat, dirGlob);
+        return targets;
+    }
     if (norm.includes('**'))
         return expandRecursiveGlobPathPattern(pathPattern, fileType, home, contentFormat, dirGlob, homeRecurseSkipDirs);
     if (norm.includes('*'))

package/dist/log_config_files/runtime/compliance_check.js

@@ -19,6 +19,7 @@ import { resolveRemediationConfigPath } from './remediation_config_path.js';
 import { resolveOpsTargetPath } from './ops_target_path.js';
 import { isRemediationQuarantined, markRemediationApplyPendingVerification, markRemediationApplyVerified, processPendingPostRestartVerifications, readRemediationApplyTrackingFile, writeRemediationApplyTrackingFile, } from './remediation_apply_tracking.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
+import { isEnvBackedSecretValue, scanJsonForHardcodedSecrets, } from './secret_regex_scan.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
 import { buildDeferredCursorRestartCommand, discoverAllWorkspaceVscdbs, enforceRemediation, fetchSync, isTrustedRestartCommandForAutofix, remediationFixSpec, reportAutofixApplied, syncRemediations, } from './remediation_sync.js';
@@ -188,6 +189,36 @@ function allowlistEntryMatchesRemoveToken(entry, token) {
     const pattern = new RegExp(`(^|[^a-z0-9_|])${escapeRegExp(t)}([^a-z0-9_|]|$)`);
     return pattern.test(valStr);
 }
+/**
+ * MCP secret remediations deploy ops.set to ${env:KEY}. Local compliance passes when the
+ * user picks any env reference, not only the exact string from the manifest.
+ */
+function remediationSetOpSatisfied(current, expected) {
+    if (deepEqual(current, expected))
+        return true;
+    if (typeof expected === 'string' &&
+        isEnvBackedSecretValue(expected) &&
+        isEnvBackedSecretValue(current)) {
+        return true;
+    }
+    return false;
+}
+function violationFromSecretScanFinding(entry, compliance, finding) {
+    return {
+        uuid: entry.uuid,
+        finding_formatted_id: compliance.finding_formatted_id,
+        setting_path: finding.path,
+        description: compliance.description,
+        finding_title: entry.finding_title,
+        finding_description: entry.finding_description,
+        policy_name: entry.policy_name,
+        severity: compliance.severity,
+        autofix_allowed: compliance.autofix_allowed,
+        config_file_path: entry.config_file_path,
+        expected_value: { op: 'secret_scan', path: finding.path, secret_type: finding.secretType },
+        message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Remove the hardcoded ${finding.secretType} from ${finding.path} in ${entry.config_file_path}`,
+    };
+}
 function verifyOpsApplied(configJson, settingPath, ops) {
     const parts = settingPath.split('.');
     const leafKey = parts[parts.length - 1] ?? '';
@@ -201,8 +232,9 @@ function verifyOpsApplied(configJson, settingPath, ops) {
         if (Object.prototype.hasOwnProperty.call(set, k)) {
             const cur = getByPath(configJson, targetPath);
             const expected = set[k];
-            if (!deepEqual(cur, expected))
+            if (!remediationSetOpSatisfied(cur, expected)) {
                 return { ok: false, expected: { op: 'set', path: targetPath, value: expected } };
+            }
             continue;
         }
         const cur = getByPath(configJson, targetPath);
@@ -319,6 +351,14 @@ export function evaluateManifestEntryCompliance(entry) {
     if (!loaded.ok)
         return { violations: [] };
     const configJson = loaded.json;
+    if (compliance.requires_secret_scan === true) {
+        const secretFindings = scanJsonForHardcodedSecrets(configJson);
+        return secretFindings.length === 0
+            ? { violations: [] }
+            : {
+                violations: secretFindings.map((f) => violationFromSecretScanFinding(entry, compliance, f)),
+            };
+    }
     const entryViolations = [];
     for (const check of checks) {
         const effectivePath = canonicalComplianceSettingPath(entry.config_file_path, check);
@@ -759,6 +799,16 @@ export function pruneSatisfiedOneTimeRemediations(agent = 'cursor') {
             continue;
         }
         const configJson = prLoaded.json;
+        if (spec?.requires_secret_scan === true) {
+            if (scanJsonForHardcodedSecrets(configJson).length === 0) {
+                removed++;
+                hookRunLog(`remediation_prune: satisfied secret-scan uuid=${inst.uuid} path=${inst.config_file_path}`);
+            }
+            else {
+                remaining.push(raw);
+            }
+            continue;
+        }
         // Only prune when every check is ops-based and currently satisfied.
         let okAll = true;
         for (const check of checks) {
@@ -893,8 +943,8 @@ export function uploadSatisfiedManifestConfigs(agent = 'cursor') {
  * Apply (autofix) is intentionally deferred to the gate on the next prompt — this pass only downloads
  * a fresh manifest so the gate has up-to-date data when it runs.
  */
-export async function runComplianceCheck() {
-    const agent = currentAgentFromEnv();
+export async function runComplianceCheck(agentOverride) {
+    const agent = agentOverride ?? currentAgentFromEnv();
     try {
         await syncRemediations(loadEndpointBase(), resolveHardwareUuid());
     }

package/dist/log_config_files/runtime/hook_logger.js

@@ -4,6 +4,8 @@ import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 import { getActiveComplianceLogPath } from './compliance_session_log.js';
 const HOOK_LOG_FILENAME = 'hook_log.txt';
 const COMPLIANCE_RUNNER_LOG_FILENAME = 'compliance_runner.log';
+const COMPLIANCE_SUBDIR = 'compliance';
+const COMPLIANCE_FALLBACK_TIER = 'noop';
 /** Append-only: remediation verify/apply failures (not cleared per hook session). */
 const REMEDIATION_APPLY_FAILURES_FILENAME = 'remediation_apply_failures.log';
 /** Hard cap so a single upload/sync session cannot grow hook_log.txt without bound. */
@@ -18,7 +20,7 @@ function getComplianceRunnerLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
     if (!homeDir)
         return null;
-    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_RUNNER_LOG_FILENAME);
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR, COMPLIANCE_FALLBACK_TIER, COMPLIANCE_RUNNER_LOG_FILENAME);
 }
 function getRemediationApplyFailuresLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
@@ -27,7 +29,8 @@ function getRemediationApplyFailuresLogPath() {
     return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, REMEDIATION_APPLY_FAILURES_FILENAME);
 }
 /**
- * Append one ISO-timestamped line to compliance_runner.log.
+ * Append one ISO-timestamped line to the active compliance session log.
+ * If no session is active, use compliance/noop/compliance_runner.log as a legacy fallback.
  * `level` examples: INFO, RUNNER, RESTART, FAIL
  */
 function appendComplianceRunnerLine(level, message) {
@@ -69,7 +72,7 @@ function complianceRunnerRunnerLine(message) {
 }
 /**
  * Loud, append-only record when a remediation cannot be verified or applied. Writes
- * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to compliance_runner.log;
+ * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to the compliance log;
  * also appends a single summary line to hook_log.txt for the current session.
  */
 function logRemediationApplyFailure(context, fields) {
@@ -100,12 +103,18 @@ function logRemediationApplyFailure(context, fields) {
         const failPath = getRemediationApplyFailuresLogPath();
         if (failPath)
             writeFailAppend(failPath);
-        const crPath = getComplianceRunnerLogPath();
-        if (crPath) {
-            const dir = path.dirname(crPath);
-            if (!existsSync(dir))
-                mkdirSync(dir, { recursive: true, mode: 0o700 });
-            appendFileSync(crPath, block, 'utf8');
+        const activeCompliancePath = getActiveComplianceLogPath();
+        if (activeCompliancePath) {
+            writeFailAppend(activeCompliancePath);
+        }
+        else {
+            const crPath = getComplianceRunnerLogPath();
+            if (crPath) {
+                const dir = path.dirname(crPath);
+                if (!existsSync(dir))
+                    mkdirSync(dir, { recursive: true, mode: 0o700 });
+                appendFileSync(crPath, block, 'utf8');
+            }
         }
     }
     catch {

package/dist/log_config_files/runtime/secret_regex_scan.js

@@ -0,0 +1,126 @@
+/**
+ * Lightweight hardcoded-secret detection for local compliance (requires_secret_scan rows).
+ * Regex set aligned with policy_engine HardcodedSecretRule — not a full Secretlint/Gitleaks port.
+ */
+/** Values that reference env vars are never treated as hardcoded secrets. */
+export function isEnvBackedSecretValue(value) {
+    if (typeof value !== 'string')
+        return false;
+    const s = value.trim();
+    if (!s)
+        return false;
+    return s.includes('${env:') || s.includes('$env:') || s.includes('process.env.');
+}
+/** Provider / format patterns (order matters — first match wins). */
+const KNOWN_SECRET_PATTERNS = [
+    { re: /sk-proj-[a-zA-Z0-9_-]{20,}/i, label: 'OpenAI API key' },
+    { re: /sk-ant-[a-zA-Z0-9_-]{20,}/i, label: 'Anthropic API key' },
+    { re: /sk-[a-zA-Z0-9]{20,}/i, label: 'API key (sk-...)' },
+    { re: /sk_(?:live|test|prod)_[a-zA-Z0-9]{20,}/i, label: 'Stripe secret key' },
+    { re: /pk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe publishable key' },
+    { re: /pk_[a-zA-Z0-9_]{20,}/i, label: 'API key (pk_...)' },
+    { re: /whsec_[a-zA-Z0-9]{20,}/i, label: 'Stripe webhook secret' },
+    { re: /rk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe restricted key' },
+    { re: /pplx-[a-zA-Z0-9-]{20,}/i, label: 'Perplexity API key' },
+    { re: /ghp_[a-zA-Z0-9]{36}/i, label: 'GitHub personal access token' },
+    { re: /gho_[a-zA-Z0-9]{36}/i, label: 'GitHub OAuth token' },
+    { re: /ghu_[a-zA-Z0-9]{36}/i, label: 'GitHub user-to-server token' },
+    { re: /ghs_[a-zA-Z0-9]{36}/i, label: 'GitHub server-to-server token' },
+    { re: /ghr_[a-zA-Z0-9]{76}/i, label: 'GitHub refresh token' },
+    { re: /github_pat_[a-zA-Z0-9_]{20,}/i, label: 'GitHub fine-grained PAT' },
+    { re: /glpat-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab personal access token' },
+    { re: /glcbt-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab CI job token' },
+    { re: /xoxb-[a-zA-Z0-9-]+/i, label: 'Slack bot token' },
+    { re: /xoxp-[a-zA-Z0-9-]+/i, label: 'Slack user token' },
+    { re: /xoxa-[a-zA-Z0-9-]+/i, label: 'Slack app-level token' },
+    { re: /xapp-[a-zA-Z0-9-]+/i, label: 'Slack app token' },
+    { re: /AKIA[0-9A-Z]{16}/i, label: 'AWS access key ID' },
+    { re: /ASIA[0-9A-Z]{16}/i, label: 'AWS temporary access key ID' },
+    { re: /AIza[0-9A-Za-z_-]{35}/i, label: 'Google API key' },
+    { re: /ya29\.[0-9A-Za-z_-]+/i, label: 'Google OAuth access token' },
+    { re: /AC[a-z0-9]{32}/i, label: 'Twilio account SID' },
+    { re: /SK[a-z0-9]{32}/i, label: 'Twilio API key' },
+    { re: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/i, label: 'SendGrid API key' },
+    { re: /key-[a-f0-9]{32}/i, label: 'Mailgun API key' },
+    { re: /npm_[a-zA-Z0-9]{36}/i, label: 'npm access token' },
+    { re: /pypi-[a-zA-Z0-9_-]{50,}/i, label: 'PyPI API token' },
+    { re: /discord(?:app)?\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/i, label: 'Discord webhook URL' },
+    { re: /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/i, label: 'Slack webhook URL' },
+    { re: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/i, label: 'JWT (JSON Web Token)' },
+    { re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/i, label: 'Private key block' },
+    { re: /sq0[a-zA-Z0-9_-]{20,}/i, label: 'Square access token' },
+    { re: /shpat_[a-fA-F0-9]{32}/i, label: 'Shopify access token' },
+    { re: /shpca_[a-fA-F0-9]{32}/i, label: 'Shopify custom app token' },
+    { re: /shpss_[a-fA-F0-9]{32}/i, label: 'Shopify shared secret' },
+    { re: /dop_v1_[a-f0-9]{64}/i, label: 'DigitalOcean personal access token' },
+    { re: /pat_[a-zA-Z0-9]{22}_[a-fA-F0-9]{59}/i, label: 'Atlassian API token' },
+    { re: /Bearer\s+[a-zA-Z0-9\-_.]{20,}/i, label: 'Bearer token' },
+];
+const BASIC_AUTH_IN_URL = /[a-zA-Z0-9._%+-]+:[a-zA-Z0-9._%+-]+@/gi;
+const GENERIC_TOKEN = /\b[a-zA-Z0-9]{32,}\b/g;
+const GENERIC_KEY_HINT = /(?:api[_-]?key|app[_-]?key|secret|token|password|passwd|pass\b|(?<!o)auth|credential|private[_-]?key|access[_-]?key|master[_-]?key)/i;
+function basicAuthMatchIsCredential(value, matchIndex) {
+    const before = value.slice(0, matchIndex);
+    const schemeIdx = before.lastIndexOf('://');
+    if (schemeIdx === -1)
+        return true;
+    const between = value.slice(schemeIdx + 3, matchIndex);
+    return !between.includes('/');
+}
+function looksLikeUrlContext(value) {
+    return value.includes(':') && (value.toLowerCase().includes('http') || value.includes('://'));
+}
+/**
+ * Scan one scalar config value. Returns secret type label or null if clean / env-backed.
+ */
+export function scanScalarForHardcodedSecret(value, keyName) {
+    if (value == null)
+        return null;
+    const valueStr = String(value);
+    if (isEnvBackedSecretValue(valueStr))
+        return null;
+    for (const { re, label } of KNOWN_SECRET_PATTERNS) {
+        if (re.test(valueStr))
+            return label;
+    }
+    BASIC_AUTH_IN_URL.lastIndex = 0;
+    for (const match of valueStr.matchAll(BASIC_AUTH_IN_URL)) {
+        if (basicAuthMatchIsCredential(valueStr, match.index ?? 0)) {
+            return 'Basic authentication credentials';
+        }
+    }
+    if (!GENERIC_KEY_HINT.test(keyName) || looksLikeUrlContext(valueStr)) {
+        return null;
+    }
+    const genericMatches = valueStr.match(GENERIC_TOKEN) ?? [];
+    if (genericMatches.some((token) => token.length >= 40)) {
+        return 'Potential token/secret';
+    }
+    return null;
+}
+function collectScalarLeaves(value, path = '') {
+    if (value == null)
+        return [];
+    if (Array.isArray(value)) {
+        return value.flatMap((item, idx) => collectScalarLeaves(item, path ? `${path}.${idx}` : String(idx)));
+    }
+    if (typeof value === 'object') {
+        return Object.entries(value).flatMap(([key, nested]) => collectScalarLeaves(nested, path ? `${path}.${key}` : key));
+    }
+    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+        return [];
+    }
+    const key = path.split('.').pop() ?? path;
+    return [{ path: path || '.', key, value }];
+}
+/** Walk parsed JSON and return all hardcoded-secret hits (JSON dot paths). */
+export function scanJsonForHardcodedSecrets(configJson) {
+    const findings = [];
+    for (const leaf of collectScalarLeaves(configJson)) {
+        const secretType = scanScalarForHardcodedSecret(leaf.value, leaf.key);
+        if (secretType) {
+            findings.push({ path: leaf.path, key: leaf.key, secretType });
+        }
+    }
+    return findings;
+}

package/dist/log_config_files/runtime/secretlint_scan.js

@@ -0,0 +1,69 @@
+/**
+ * In-process Secretlint scan for compliance rows with requires_secret_scan.
+ * Bundled as log-llm-config dependencies — no separate user install.
+ */
+import { lintSource } from '@secretlint/core';
+import { loadPackagesFromConfigDescriptor } from '@secretlint/config-loader';
+let secretlintConfigPromise = null;
+async function getSecretlintConfig() {
+    if (!secretlintConfigPromise) {
+        secretlintConfigPromise = loadPackagesFromConfigDescriptor({
+            configDescriptor: {
+                rules: [{ id: '@secretlint/secretlint-rule-preset-recommend' }],
+            },
+        }).then((loaded) => {
+            if (!loaded.ok) {
+                throw new Error('Failed to load Secretlint config');
+            }
+            return loaded.config;
+        });
+    }
+    return secretlintConfigPromise;
+}
+function collectStringLeaves(value, path = '') {
+    if (value == null)
+        return [];
+    if (Array.isArray(value)) {
+        return value.flatMap((item, idx) => collectStringLeaves(item, path ? `${path}.${idx}` : String(idx)));
+    }
+    if (typeof value === 'object') {
+        return Object.entries(value).flatMap(([key, nested]) => collectStringLeaves(nested, path ? `${path}.${key}` : key));
+    }
+    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+        return [];
+    }
+    const key = path.split('.').pop() ?? path;
+    return [{ path: path || '.', key, value: String(value) }];
+}
+function secretTypeFromMessage(ruleId, message) {
+    const trimmed = message.trim();
+    return trimmed || ruleId || 'Secretlint detection';
+}
+/**
+ * Scan parsed JSON config for secrets using Secretlint (preset-recommend).
+ */
+export async function scanJsonForSecretsWithSecretlint(configJson) {
+    const config = await getSecretlintConfig();
+    const leaves = collectStringLeaves(configJson);
+    const findings = [];
+    for (const leaf of leaves) {
+        const result = await lintSource({
+            source: {
+                filePath: `${leaf.path.replace(/\./g, '/')}.json`,
+                content: leaf.value,
+                ext: '.json',
+                contentType: 'text',
+            },
+            options: { config },
+        });
+        if (result.messages.length === 0)
+            continue;
+        const first = result.messages[0];
+        findings.push({
+            path: leaf.path,
+            key: leaf.key,
+            secretType: secretTypeFromMessage(first.ruleId ?? 'secret', String(first.message ?? '')),
+        });
+    }
+    return findings;
+}

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -85,7 +85,7 @@ export function executeTrustedRestartCommands(commands) {
             appendComplianceRunnerLine('RESTART', `spawn deferred_vscdb_restart sh -c (detail_log=${detailPath}) cwd_inherited_from_node`);
         }
         else {
-            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance_runner.log [RESTART])');
+            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance session log [RESTART])');
             appendComplianceRunnerLine('RESTART', 'spawn trusted_restart sh -c (non-deferred)');
         }
         const projectRoot = resolveProjectRoot();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config-staging",
-  "version": "1.4.8",
+  "version": "1.4.9",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {