npm - log-llm-config - Versions diffs - 1.2.1 → 1.2.2 - Mend

log-llm-config 1.2.1 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/compliance_prompt_gate.js +7 -2
package/dist/log_config_files/runtime/compliance_check.js +163 -13
package/dist/log_config_files/runtime/remediation_sync.js +161 -2
package/package.json +1 -1

package/dist/compliance_prompt_gate.js CHANGED Viewed

@@ -2,7 +2,7 @@
  * Synchronous pre-prompt gate: local compliance only (stdout = single JSON line for IDE hooks).
  * stderr must stay clean; logs go via hookRunLog (file).
  */
-import { applyAutofixViolations, runLocalRemediationComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+import { applyAutofixViolations, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
 import { existsSync, statSync } from 'node:fs';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
@@ -74,7 +74,7 @@ async function run() {
             if (recheck.status === 'ok' || recheck.violations.length === 0) {
                 const fixedViolations = status.violations.filter((v) => v.autofix_allowed);
                 const lines = fixedViolations.map((v) => `• [${v.finding_formatted_id}] ${v.description}`);
-                const autofixMessage = `Optimus Security auto-fixed ${fixed} compliance violation(s):\n${lines.join('\n')}`;
+                const autofixMessage = `Optimus Security auto-fixed ${fixed} policy violation(s):\n${lines.join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;
@@ -95,6 +95,11 @@ async function run() {
         console.log(blockPayload(ide, msg));
         return;
     }
+    // No violations: clean up satisfied one-time remediations so they don't linger locally forever.
+    const pruned = pruneSatisfiedOneTimeRemediations();
+    if (pruned.removed > 0) {
+        await Promise.allSettled(pruned.reportPromises);
+    }
     printAllow(ide);
 }
 run().catch(() => printAllow(ide)).finally(() => process.exit(0));

package/dist/log_config_files/runtime/compliance_check.js CHANGED Viewed

@@ -1,6 +1,10 @@
 /**
  * Compliance check: types and check runner entry point.
  *
+ * Compliance is in-memory only (no compliance.json): runLocalRemediationComplianceCheck returns
+ * ComplianceStatus; the prompt gate and tests use that return value. Autofix may write config files
+ * and remediation_instructions.json via applyAutofixViolations / enforceRemediation.
+ *
  * Prompt gate: compliance_prompt_gate runs runLocalRemediationComplianceCheck (local files only).
  * Background: compliance_check_runner runs syncRemediations (network) then the same local check.
  */
@@ -9,7 +13,7 @@ import { readRemediationInstructionsFile, writeRemediationInstructionsFile } fro
 import { hookRunLog } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid } from './hardware_uuid.js';
-import { enforceRemediation, fetchSync, reportAutofixApplied, syncRemediations } from './remediation_sync.js';
+import { enforceRemediation, fetchSync, remediationFixSpec, reportAutofixApplied, syncRemediations, } from './remediation_sync.js';
 import { sendConfigFile } from '../sender/batch_sender.js';
 import { readStoredAuthKey } from '../auth/auth_key_store.js';
 // ---------------------------------------------------------------------------
@@ -30,13 +34,54 @@ function getByPath(obj, path) {
 function deepEqual(a, b) {
     return JSON.stringify(a) === JSON.stringify(b);
 }
+function isStringArray(v) {
+    return Array.isArray(v) && v.every((x) => typeof x === 'string');
+}
+function verifyOpsApplied(configJson, settingPath, ops) {
+    const parts = settingPath.split('.');
+    const leafKey = parts[parts.length - 1] ?? '';
+    const parentPath = parts.slice(0, -1).join('.');
+    const set = ops.set ?? {};
+    const add = ops.add ?? {};
+    const remove = ops.remove ?? {};
+    const keys = new Set([...Object.keys(set), ...Object.keys(add), ...Object.keys(remove)]);
+    // If ops targets a single leaf key, check at settingPath; otherwise treat keys as subkeys under parent.
+    for (const k of keys) {
+        const targetPath = k === leafKey || (keys.size === 1 && (k === leafKey || k === ''))
+            ? settingPath
+            : parentPath
+                ? `${parentPath}.${k}`
+                : k;
+        if (Object.prototype.hasOwnProperty.call(set, k)) {
+            const cur = getByPath(configJson, targetPath);
+            const expected = set[k];
+            if (!deepEqual(cur, expected))
+                return { ok: false, expected: { op: 'set', path: targetPath, value: expected } };
+            continue;
+        }
+        const cur = getByPath(configJson, targetPath);
+        const curArr = isStringArray(cur) ? cur : [];
+        const toAdd = add[k] ?? [];
+        const toRemove = remove[k] ?? [];
+        for (const item of toRemove) {
+            if (curArr.includes(item)) {
+                return { ok: false, expected: { op: 'remove', path: targetPath, value: item } };
+            }
+        }
+        for (const item of toAdd) {
+            if (!curArr.includes(item)) {
+                return { ok: false, expected: { op: 'add', path: targetPath, value: item } };
+            }
+        }
+    }
+    return { ok: true, expected: null };
+}
 // ---------------------------------------------------------------------------
 // Check runner — Section 6: real per-check evaluation
 // ---------------------------------------------------------------------------
 /**
  * Evaluate current on-disk configs against remediation_instructions.json only (no server).
- * Writes compliance.json and returns the status for prompt gating.
- * Logs `compliance_check: local_file_check_wall_ms=<n>` — instruction + config reads and comparisons only (not sync/remediate).
+ * Returns status for prompt gating / callers; does not persist compliance.json.
  */
 export function runLocalRemediationComplianceCheck() {
     try {
@@ -49,7 +94,7 @@ export function runLocalRemediationComplianceCheck() {
         const uuids = entries.map((e) => e.uuid);
         const violations = [];
         for (const entry of entries) {
-            const compliance = entry.compliance;
+            const compliance = entry.fix ?? entry.compliance;
             if (!compliance)
                 continue;
             if (compliance.file_format !== 'json') {
@@ -72,9 +117,31 @@ export function runLocalRemediationComplianceCheck() {
                 continue;
             }
             for (const check of checks) {
+                // Prefer ops-based verification (matches delta apply semantics; doesn't require full after snapshot).
+                if (check.ops) {
+                    const { ok, expected } = verifyOpsApplied(configJson, check.setting_path, check.ops);
+                    if (!ok) {
+                        hookRunLog(`compliance_check: VIOLATION uuid=${entry.uuid} path=${check.setting_path} expected=${JSON.stringify(expected)}`);
+                        violations.push({
+                            uuid: entry.uuid,
+                            finding_formatted_id: compliance.finding_formatted_id,
+                            setting_path: check.setting_path,
+                            description: check.description,
+                            severity: compliance.severity,
+                            autofix_allowed: compliance.autofix_allowed,
+                            config_file_path: entry.config_file_path,
+                            expected_value: expected,
+                            message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Apply remediation ops for ${check.setting_path} in ${entry.config_file_path}`,
+                        });
+                    }
+                    continue;
+                }
+                // Backwards compat: old local files may still carry after snapshots.
                 const currentValue = getByPath(configJson, check.setting_path);
                 const leafKey = check.setting_path.split('.').pop();
-                const expectedValue = check.after[leafKey];
+                const expectedValue = check.after?.[leafKey];
+                if (expectedValue === undefined)
+                    continue;
                 if (!deepEqual(currentValue, expectedValue)) {
                     hookRunLog(`compliance_check: VIOLATION uuid=${entry.uuid} path=${check.setting_path} current=${JSON.stringify(currentValue)} expected=${JSON.stringify(expectedValue)}`);
                     violations.push({
@@ -142,15 +209,24 @@ export function applyAutofixViolations(violations) {
             if (inst.file_type) {
                 const authKey = readStoredAuthKey();
                 if (authKey) {
-                    reportPromises.push(sendConfigFile({ file_type: inst.file_type, file_path: inst.config_file_path, raw_content: inst.recommended_settings }, resolveHardwareUuid(), authKey).then((ok) => {
-                        hookRunLog(`autofix: re-sent updated file uuid=${inst.uuid} ok=${ok}`);
-                    }));
+                    let updatedContent;
+                    try {
+                        updatedContent = JSON.parse(readFileSync(inst.config_file_path, 'utf8'));
+                    }
+                    catch {
+                        updatedContent = undefined;
+                    }
+                    if (updatedContent !== undefined) {
+                        reportPromises.push(sendConfigFile({ file_type: inst.file_type, file_path: inst.config_file_path, raw_content: updatedContent }, resolveHardwareUuid(), authKey).then((ok) => {
+                            hookRunLog(`autofix: re-sent updated file uuid=${inst.uuid} ok=${ok}`);
+                        }));
+                    }
                 }
             }
-            const compliance = inst.compliance;
-            if (compliance?.restart_required && compliance.restart_command) {
-                hookRunLog(`autofix: restart required uuid=${inst.uuid} command=${compliance.restart_command}`);
-                restartCommands.push(compliance.restart_command);
+            const spec = remediationFixSpec(inst);
+            if (spec?.restart_required && spec.restart_command) {
+                hookRunLog(`autofix: restart required uuid=${inst.uuid} command=${spec.restart_command}`);
+                restartCommands.push(spec.restart_command);
             }
             if (!inst.is_enforced) {
                 oneTimeAppliedUuids.add(inst.uuid);
@@ -176,7 +252,81 @@ export function applyAutofixViolations(violations) {
     }
     return { fixed, restartCommands, failedViolations, reportPromises };
 }
-/** Background refresh: server sync for latest instructions, then local evaluation and latch write. */
+/**
+ * Remove satisfied one-time remediations from local remediation_instructions.json.
+ *
+ * This handles the case where a user (or another tool) manually applied the change, so the
+ * instruction no longer needs to persist locally. Enforced remediations are never pruned.
+ *
+ * Returns number removed and any async report promises (heartbeat).
+ */
+export function pruneSatisfiedOneTimeRemediations() {
+    const { remediations } = readRemediationInstructionsFile();
+    if (!Array.isArray(remediations) || remediations.length === 0)
+        return { removed: 0, reportPromises: [] };
+    const remaining = [];
+    let removed = 0;
+    for (const raw of remediations) {
+        const inst = raw;
+        if (inst.is_enforced) {
+            remaining.push(raw);
+            continue;
+        }
+        const spec = remediationFixSpec(inst);
+        const checks = spec?.file_format === 'json' ? (spec.checks ?? []) : [];
+        if (checks.length === 0) {
+            remaining.push(raw);
+            continue;
+        }
+        if (!existsSync(inst.config_file_path)) {
+            remaining.push(raw);
+            continue;
+        }
+        let configJson;
+        try {
+            configJson = JSON.parse(readFileSync(inst.config_file_path, 'utf8'));
+        }
+        catch {
+            remaining.push(raw);
+            continue;
+        }
+        // Only prune when every check is ops-based and currently satisfied.
+        let okAll = true;
+        for (const check of checks) {
+            if (!check.ops) {
+                okAll = false;
+                break;
+            }
+            const res = verifyOpsApplied(configJson, check.setting_path, check.ops);
+            if (!res.ok) {
+                okAll = false;
+                break;
+            }
+        }
+        if (okAll) {
+            removed++;
+            hookRunLog(`remediation_prune: satisfied one-time uuid=${inst.uuid} path=${inst.config_file_path}`);
+        }
+        else {
+            remaining.push(raw);
+        }
+    }
+    if (removed === 0)
+        return { removed: 0, reportPromises: [] };
+    writeRemediationInstructionsFile({ remediations: remaining });
+    hookRunLog(`remediation_prune: removed=${removed} remaining=${remaining.length}`);
+    const remainingUuids = remaining.map((r) => r.uuid);
+    const reportPromises = [
+        fetchSync(loadEndpointBase(), resolveHardwareUuid(), remainingUuids)
+            .then(() => hookRunLog(`remediation_prune: post-prune heartbeat sent uuids=${remainingUuids.length}`))
+            .catch(() => undefined),
+    ];
+    return { removed, reportPromises };
+}
+/**
+ * Background refresh: server sync for latest instructions, then the same local evaluation as the hook.
+ * Does not persist compliance state to disk.
+ */
 export async function runComplianceCheck() {
     try {
         await syncRemediations(loadEndpointBase(), resolveHardwareUuid());

package/dist/log_config_files/runtime/remediation_sync.js CHANGED Viewed

@@ -7,6 +7,10 @@ import { readStoredAuthKey } from '../auth/auth_key_store.js';
 import { createSignature } from '../sender/signing.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid } from './hardware_uuid.js';
+/** Resolve fix payload from API or legacy `compliance` key in local JSON. */
+export function remediationFixSpec(inst) {
+    return inst.fix ?? inst.compliance ?? null;
+}
 // ---------------------------------------------------------------------------
 // Persistence (single file: remediation_instructions.json)
 // ---------------------------------------------------------------------------
@@ -97,7 +101,13 @@ async function fetchManifest(endpointBase, machineUuid, uuids, timeoutMs = 8000)
         return null;
     try {
         const parsed = JSON.parse(body);
-        return Array.isArray(parsed.remediations) ? parsed.remediations : null;
+        if (!Array.isArray(parsed.remediations))
+            return null;
+        return parsed.remediations.map((raw) => {
+            const { compliance, ...rest } = raw;
+            const fix = rest.fix ?? compliance ?? null;
+            return { ...rest, fix };
+        });
     }
     catch {
         return null;
@@ -106,12 +116,161 @@ async function fetchManifest(endpointBase, machineUuid, uuids, timeoutMs = 8000)
 // ---------------------------------------------------------------------------
 // Enforce / remove
 // ---------------------------------------------------------------------------
+function setByPath(obj, path, value) {
+    const parts = path.split('.');
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+        const part = parts[i];
+        if (current[part] == null || typeof current[part] !== 'object' || Array.isArray(current[part])) {
+            current[part] = {};
+        }
+        current = current[part];
+    }
+    current[parts[parts.length - 1]] = value;
+}
+/** Traverse a JSON object using dot-notation path. Returns undefined if any segment is missing. */
+function getByPath(obj, path) {
+    const parts = path.split('.');
+    let current = obj;
+    for (const part of parts) {
+        if (current == null || typeof current !== 'object')
+            return undefined;
+        current = current[part];
+    }
+    return current;
+}
+function isPlainObject(v) {
+    return v != null && typeof v === 'object' && !Array.isArray(v);
+}
+function isStringArray(v) {
+    return Array.isArray(v) && v.every((x) => typeof x === 'string');
+}
+function applyStringArrayDelta(current, before, after) {
+    const cur = isStringArray(current) ? [...current] : [];
+    const b = isStringArray(before) ? before : [];
+    const a = isStringArray(after) ? after : [];
+    const bSet = new Set(b);
+    const aSet = new Set(a);
+    const removed = b.filter((x) => !aSet.has(x));
+    const added = a.filter((x) => !bSet.has(x));
+    // Remove any items that were removed by the remediation (preserve other local additions).
+    const removedSet = new Set(removed);
+    const next = cur.filter((x) => !removedSet.has(x));
+    // Append items that were added by the remediation (avoid duplicates).
+    const nextSet = new Set(next);
+    for (const x of added) {
+        if (!nextSet.has(x)) {
+            next.push(x);
+            nextSet.add(x);
+        }
+    }
+    return next;
+}
+function applyCheck(configJson, check) {
+    const parts = check.setting_path.split('.');
+    const leafKey = parts[parts.length - 1] ?? '';
+    const parentPath = parts.slice(0, -1).join('.');
+    // Prefer explicit ops when provided by server (safest: avoids clobbering local edits).
+    if (check.ops && typeof check.ops === 'object') {
+        const { set, add, remove } = check.ops;
+        const keys = new Set([
+            ...Object.keys(set ?? {}),
+            ...Object.keys(add ?? {}),
+            ...Object.keys(remove ?? {}),
+        ]);
+        for (const k of keys) {
+            const targetPath = k === leafKey || keys.size === 1 && (k === leafKey || k === '')
+                ? check.setting_path
+                : parentPath
+                    ? `${parentPath}.${k}`
+                    : k;
+            if (set && Object.prototype.hasOwnProperty.call(set, k)) {
+                setByPath(configJson, targetPath, set[k]);
+                continue;
+            }
+            const curVal = getByPath(configJson, targetPath);
+            const cur = isStringArray(curVal) ? [...curVal] : [];
+            const toRemove = (remove && remove[k]) ?? [];
+            const toAdd = (add && add[k]) ?? [];
+            const rmSet = new Set(toRemove);
+            const next = cur.filter((x) => !rmSet.has(x));
+            const nextSet = new Set(next);
+            for (const x of toAdd) {
+                if (!nextSet.has(x)) {
+                    next.push(x);
+                    nextSet.add(x);
+                }
+            }
+            setByPath(configJson, targetPath, next);
+        }
+        return;
+    }
+    // Normal v2 shape: after[leafKey] is the intended leaf value.
+    // Some remediations may include multi-key objects (e.g. {allow, deny}) while the path points at one leaf.
+    // In that case, treat the payload as a patch for the parent object and apply per-key deltas.
+    if (isPlainObject(check.before) && isPlainObject(check.after)) {
+        const afterKeys = Object.keys(check.after);
+        const beforeKeys = Object.keys(check.before);
+        const looksMultiKey = afterKeys.length > 1 || (afterKeys.length > 0 && !Object.prototype.hasOwnProperty.call(check.after, leafKey));
+        if (looksMultiKey) {
+            for (const k of afterKeys) {
+                const targetPath = parentPath ? `${parentPath}.${k}` : k;
+                const curVal = getByPath(configJson, targetPath);
+                const bVal = check.before[k];
+                const aVal = check.after[k];
+                if (isStringArray(bVal) && isStringArray(aVal)) {
+                    setByPath(configJson, targetPath, applyStringArrayDelta(curVal, bVal, aVal));
+                }
+                else {
+                    setByPath(configJson, targetPath, aVal);
+                }
+            }
+            return;
+        }
+    }
+    let value = undefined;
+    if (isPlainObject(check.after) && Object.prototype.hasOwnProperty.call(check.after, leafKey)) {
+        value = check.after[leafKey];
+    }
+    else {
+        value = check.after;
+    }
+    // If the leaf is a string[] and we have before/after snapshots, apply delta not replacement.
+    if (isPlainObject(check.before) && isPlainObject(check.after)) {
+        const b = check.before[leafKey];
+        const a = check.after[leafKey];
+        if (isStringArray(b) && isStringArray(a)) {
+            const cur = getByPath(configJson, check.setting_path);
+            setByPath(configJson, check.setting_path, applyStringArrayDelta(cur, b, a));
+            return;
+        }
+    }
+    setByPath(configJson, check.setting_path, value);
+}
 export function enforceRemediation(instruction) {
     try {
         const dir = dirname(instruction.config_file_path);
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true, mode: 0o700 });
-        const content = JSON.stringify(instruction.recommended_settings, null, 2);
+        const fixSpec = remediationFixSpec(instruction);
+        const checks = fixSpec?.file_format === 'json' ? (fixSpec.checks ?? []) : [];
+        if (checks.length === 0) {
+            hookRunLog(`remediation_enforce: no checks to apply uuid=${instruction.uuid}`);
+            return false;
+        }
+        let configJson = {};
+        if (existsSync(instruction.config_file_path)) {
+            try {
+                configJson = JSON.parse(readFileSync(instruction.config_file_path, 'utf8'));
+            }
+            catch {
+                hookRunLog(`remediation_enforce: could not parse existing file, starting fresh uuid=${instruction.uuid}`);
+            }
+        }
+        for (const check of checks) {
+            applyCheck(configJson, check);
+        }
+        const content = JSON.stringify(configJson, null, 2);
         const tmp = `${instruction.config_file_path}.tmp`;
         writeFileSync(tmp, content, 'utf8');
         renameSync(tmp, instruction.config_file_path);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {