log-llm-config 1.2.8 → 1.3.2

package/dist/apply_deferred_vscdb.js

@@ -0,0 +1,8 @@
+/**
+ * Runs after Cursor SIGKILL: applies queued state.vscdb patches from
+ * ~/opt-ai-sec/management/optimus_deferred_vscdb_apply.json (see remediation_sync).
+ */
+import { applyDeferredVscdbFromDisk } from './log_config_files/runtime/remediation_sync.js';
+applyDeferredVscdbFromDisk()
+    .then((ok) => process.exit(ok ? 0 : 1))
+    .catch(() => process.exit(1));

package/dist/cli/bash_script_generator.js

@@ -1,3 +1,9 @@
+import { readFileCollectionVscdbContract } from '../log_config_files/runtime/management_storage.js';
+/** Reactive ItemTable key from backend-derived cache (written on log-config); same path as remediations. */
+function readReactiveStorageItemKeyFromDisk() {
+    const k = readFileCollectionVscdbContract()?.reactive_storage_item_key;
+    return typeof k === 'string' && k.trim() !== '' ? k.trim() : null;
+}
 const fileCategories = [
     { label: 'Cursor: mcp.json', targets: ['./.cursor/mcp.json', '$HOME/.cursor/mcp.json'] },
     { label: 'Claude: .mcp.json', targets: ['./mcp.json', './.mcp.json', '/Library/Application Support/ClaudeCode/managed-mcp.json'] },
@@ -5,15 +11,20 @@ const fileCategories = [
     { label: 'Cursor: hooks.json', targets: ['./.cursor/hooks.json', '$HOME/.cursor/hooks.json', '/Library/Application Support/Cursor/hooks.json'] },
     { label: 'Cursor: User/settings.json (user-level)', targets: ['$HOME/Library/Application Support/Cursor/User/settings.json'] },
 ];
-const sqliteCategories = [
-    {
-        label: 'Cursor: state.vscdb (composerState)',
-        dbPath: '$HOME/Library/Application Support/Cursor/User/globalStorage/state.vscdb',
-        table: 'ItemTable',
-        key: 'src.vs.platform.reactivestorage.browser.reactiveStorageServiceImpl.persistentStorage.applicationUser',
-        jsonPaths: [['composerState'], []],
-    },
-];
+function buildSqliteCategories() {
+    const key = readReactiveStorageItemKeyFromDisk();
+    if (!key)
+        return [];
+    return [
+        {
+            label: 'Cursor: state.vscdb (reactive blob / composerState)',
+            dbPath: '$HOME/Library/Application Support/Cursor/User/globalStorage/state.vscdb',
+            table: 'ItemTable',
+            key,
+            jsonPaths: [['composerState'], []],
+        },
+    ];
+}
 function buildFileCategoryLines(category) {
     return [
         `echo "===== ${category.label} ====="`,
@@ -38,12 +49,13 @@ function buildFileCategoryLines(category) {
 }
 function buildSqliteCategoryLines(category) {
     const jsonPathsLiteral = JSON.stringify(category.jsonPaths);
+    const safeSqlKey = category.key.replace(/'/g, "''");
     return [
         `echo "===== ${category.label} ====="`, `db_path="${category.dbPath}"`,
         'expanded=$(eval echo "$db_path")',
         'if [ -f "$expanded" ]; then', '  if command -v sqlite3 >/dev/null 2>&1; then',
         '    echo "===== $expanded ====="',
-        `    query_result=$(sqlite3 "$expanded" "SELECT value FROM ${category.table} WHERE key='${category.key}'")`,
+        `    query_result=$(sqlite3 "$expanded" "SELECT value FROM ${category.table} WHERE key='${safeSqlKey}'")`,
         '    if [ -n "$query_result" ]; then',
         `      echo "===== key: ${category.key} ====="`,
         `      LOG_CONFIG_JSON_VALUE="$query_result" python3 - <<'PY'`,
@@ -76,7 +88,7 @@ function renderBashScript() {
         '    local suffix="${path#"$repo_root"}"', '    if [ -z "$suffix" ]; then', '      echo "<project_root>"',
         '    else', '      echo "<project_root>${suffix}"', '    fi', '  else', '    echo "$path"', '  fi', '}', '',
         ...fileCategories.flatMap(buildFileCategoryLines),
-        ...sqliteCategories.flatMap(buildSqliteCategoryLines),
+        ...buildSqliteCategories().flatMap(buildSqliteCategoryLines),
     ];
     return scriptLines.join('\n');
 }

package/dist/compliance_check_runner.js

@@ -1,9 +1,40 @@
+import { appendFileSync, mkdirSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { OPT_AI_SEC_MANAGEMENT_REL } from './bootstrap_constants.js';
+import { hookLogSessionBanner } from './log_config_files/runtime/hook_logger.js';
 import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
+/** Append-only log for compliance runner lifecycle; hook_log.txt is also append-only (session banners). */
+function runnerFileLog(message) {
+    try {
+        const dir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        const path = join(dir, 'compliance_runner.log');
+        appendFileSync(path, `${new Date().toISOString()} ${message}\n`, 'utf8');
+    }
+    catch {
+        /* ignore */
+    }
+}
 (async () => {
+    hookLogSessionBanner('compliance_check_runner (background sync + check)');
+    runnerFileLog('compliance_check_runner: start');
     try {
         await runComplianceCheck();
+        runnerFileLog('compliance_check_runner: finished ok');
     }
     catch (err) {
+        const detail = err instanceof Error ? err.stack ?? err.message : String(err);
+        runnerFileLog('compliance_check_runner: uncaught error');
+        try {
+            const dir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
+            const path = join(dir, 'compliance_runner.log');
+            appendFileSync(path, `${detail}\n\n`, 'utf8');
+        }
+        catch {
+            /* ignore */
+        }
         process.stderr.write(`compliance_check_runner error: ${err instanceof Error ? err.message : String(err)}\n`);
         process.exit(1);
     }

package/dist/compliance_prompt_gate.js

@@ -4,8 +4,17 @@
  */
 import { applyAutofixViolations, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
 import { existsSync, statSync } from 'node:fs';
+import { spawn } from 'node:child_process';
+import { pathToFileURL } from 'node:url';
+import { resolve } from 'node:path';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
+import { hookLogSessionBanner, hookRunLog } from './log_config_files/runtime/hook_logger.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+/** Set by optimus-compliance-check.sh only for Claude Desktop (dumb TERM). Hook runs allowlisted restart after osascript. */
+function claudeDesktopHookRunsRestart() {
+    const v = process.env.OPTIMUS_CLAUDE_DESKTOP_DEFER_GATE_RESTART?.trim().toLowerCase();
+    return v === '1' || v === 'true' || v === 'yes';
+}
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
     if (eq) {
@@ -42,6 +51,13 @@ function blockPayload(ide, violationMessage) {
     }
     return JSON.stringify({ continue: false, user_message: text });
 }
+function fireRestartCommands(commands) {
+    for (const cmd of commands) {
+        hookRunLog(`restart: firing command="${cmd}"`);
+        const child = spawn('sh', ['-c', cmd], { detached: true, stdio: 'ignore' });
+        child.unref();
+    }
+}
 function getManifestStalenessMs() {
     try {
         const path = getRemediationInstructionsPath();
@@ -54,8 +70,33 @@ function getManifestStalenessMs() {
         return null;
     }
 }
-const ide = parseIde();
-async function run() {
+function isRunAsCliModule() {
+    const entry = process.argv[1];
+    if (!entry)
+        return false;
+    try {
+        return import.meta.url === pathToFileURL(resolve(entry)).href;
+    }
+    catch {
+        return false;
+    }
+}
+/** Short line for success dialog: finding title/sentence from manifest, not per-check remediation technical text. */
+function autofixDialogLine(v) {
+    const title = v.finding_title?.trim();
+    if (title)
+        return `• [${v.finding_formatted_id}] ${title}`;
+    const fd = v.finding_description?.trim();
+    if (fd)
+        return `• [${v.finding_formatted_id}] ${fd}`;
+    const d = v.description.trim();
+    const short = d.length > 160 ? `${d.slice(0, 157)}…` : d;
+    return `• [${v.finding_formatted_id}] ${short}`;
+}
+/** Exported for tests; CLI invokes this only when {@link isRunAsCliModule} is true. */
+export async function runCompliancePromptGate() {
+    const ide = parseIde();
+    hookLogSessionBanner('compliance_prompt_gate (before submit)');
     const status = runLocalRemediationComplianceCheck();
     if (status.status === 'fail' && status.violations.length > 0) {
         const staleMs = getManifestStalenessMs();
@@ -66,19 +107,32 @@ async function run() {
             printAllowWithAdvisory(ide, advisory);
             return;
         }
-        const { fixed, restartCommands, failedViolations, reportPromises } = applyAutofixViolations(status.violations);
+        const { fixed, appliedViolations = [], restartCommands, failedViolations, reportPromises, deferredSqlitePending, } = applyAutofixViolations(status.violations);
         if (fixed > 0) {
             // Wait for all server reports before exiting so the POST lands.
             await Promise.allSettled(reportPromises);
+            // Deferred SQLite can leave recheck failing until restart; that must not hide a separate
+            // failed autofix (e.g. JSON remediation failed while vscdb was only queued).
+            if (failedViolations.length > 0) {
+                const ids = failedViolations.map((v) => `[${v.finding_formatted_id}]`).join(', ');
+                const msg = `Auto-fix failed for ${ids} — please fix manually or contact your security team.\n\n${failedViolations[0]?.message ?? ''}`;
+                console.log(blockPayload(ide, msg));
+                return;
+            }
             const recheck = runLocalRemediationComplianceCheck();
-            if (recheck.status === 'ok' || recheck.violations.length === 0) {
-                const fixedViolations = status.violations.filter((v) => v.autofix_allowed);
-                const lines = fixedViolations.map((v) => `• [${v.finding_formatted_id}] ${v.description}`);
-                const autofixMessage = `Optimus Security auto-fixed ${fixed} policy violation(s):\n${lines.join('\n')}`;
+            const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
+            if (deferredSqlitePending || recheckOk) {
+                const autofixMessage = `Optimus Security auto-fixed ${fixed} policy violation(s):\n${appliedViolations.map((v) => autofixDialogLine(v)).join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;
                 console.log(JSON.stringify(payload));
+                // Cursor: .cursor/hooks runs restart after the osascript dialog — avoid double SIGKILL here.
+                // Claude Desktop: same — optimus-compliance-check.sh shows the dialog then evals allowlisted restarts.
+                // Claude Code (CLI): no shell restart path; gate must spawn here.
+                const fireInGate = ide !== 'cursor' && !(ide === 'claude' && claudeDesktopHookRunsRestart());
+                if (fireInGate)
+                    fireRestartCommands(restartCommands);
                 return;
             }
             const msg = recheck.violations[0]?.message ?? 'A security policy violation has been detected.';
@@ -102,4 +156,6 @@ async function run() {
     }
     printAllow(ide);
 }
-run().catch(() => printAllow(ide)).finally(() => process.exit(0));
+if (isRunAsCliModule()) {
+    runCompliancePromptGate().catch(() => printAllow(parseIde())).finally(() => process.exit(0));
+}

package/dist/log_config_files/readers/vscdb_config_builder.js

@@ -81,8 +81,12 @@ function buildVscdbRawContentFromSpec(state, spec) {
         if (!Array.isArray(value) || value.length === 0)
             return null;
     }
-    if (spec.value_constraint === 'boolean' && typeof value !== 'boolean')
-        return null;
+    if (spec.value_constraint === 'boolean') {
+        const okBool = typeof value === 'boolean';
+        const okSqliteInt = typeof value === 'number' && (value === 0 || value === 1);
+        if (!okBool && !okSqliteInt)
+            return null;
+    }
     return buildRawContent(state, spec.state_key, value, spec.include_keys, new Date().toISOString());
 }
 /**

package/dist/log_config_files/readers/vscdb_reader.js

@@ -1,5 +1,6 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
+import { readFileCollectionVscdbContract, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
 function querySqlite(dbPath, key) {
     const safe = key.replace(/'/g, "''");
     return execSync(`sqlite3 "${dbPath}" "SELECT value FROM ItemTable WHERE key='${safe}'"`, {
@@ -7,6 +8,98 @@ function querySqlite(dbPath, key) {
         stdio: ['ignore', 'pipe', 'pipe'],
     }).trim();
 }
+/**
+ * Fallback if the API omits vscdb_composer_contract (older server): derive from vscdb_read_queries.
+ */
+export function parseVscdbComposerContractFromReadQueries(queries) {
+    const empty = {
+        version: 1,
+        reactive_storage_item_key: undefined,
+        composer_shadow_keys: [],
+    };
+    if (!queries?.length)
+        return empty;
+    for (const step of queries) {
+        if (step.value_kind === 'composer_with_include' && step.state_key === 'composerState') {
+            const keys = step.item_table_keys ?? [];
+            return {
+                version: 1,
+                reactive_storage_item_key: keys[0],
+                composer_shadow_keys: [...(step.include_keys ?? [])],
+            };
+        }
+    }
+    return empty;
+}
+export function normalizeVscdbComposerContractFromPatternsResponse(resp) {
+    const c = resp.vscdb_composer_contract;
+    const hasKey = c != null &&
+        ((typeof c.reactive_storage_item_key === 'string' && c.reactive_storage_item_key.trim() !== '') ||
+            (c.composer_shadow_keys?.length ?? 0) > 0);
+    if (hasKey && c) {
+        return {
+            version: 1,
+            reactive_storage_item_key: c.reactive_storage_item_key ?? undefined,
+            composer_shadow_keys: [...(c.composer_shadow_keys ?? [])],
+        };
+    }
+    return parseVscdbComposerContractFromReadQueries(resp.vscdb_read_queries);
+}
+/** Persist backend-derived contract next to remediation_instructions.json. */
+export function persistVscdbComposerContractFromPatternsResponse(resp) {
+    const norm = normalizeVscdbComposerContractFromPatternsResponse(resp);
+    if (norm.reactive_storage_item_key || norm.composer_shadow_keys.length > 0) {
+        writeFileCollectionVscdbContract(norm);
+    }
+}
+/**
+ * Read one ItemTable JSON blob (e.g. key `composerState`) and return `{ [itemKey]: object }` so
+ * dot-paths like `composerState.modes4.agent.autoRun` (or legacy numeric `modes4.0`) work in compliance checks. Empty / missing value
+ * yields `{ [itemKey]: {} }`. Returns null if the DB is missing, sqlite3 is unavailable, or JSON parse fails.
+ *
+ * When `file_collection_vscdb_contract.json` lists `reactive_storage_item_key`, a missing legacy `composerState` row
+ * falls back to nested `composerState` inside that reactive blob (paths from the backend API only).
+ */
+export function readVscdbItemTableJson(dbPath, itemKey) {
+    try {
+        if (!dbPath || !existsSync(dbPath))
+            return null;
+        execSync('which sqlite3', { stdio: 'ignore' });
+    }
+    catch {
+        return null;
+    }
+    try {
+        const raw = querySqlite(dbPath, itemKey);
+        const contract = readFileCollectionVscdbContract();
+        const reactiveKey = typeof contract?.reactive_storage_item_key === 'string' ? contract.reactive_storage_item_key.trim() : '';
+        if (itemKey === 'composerState' && (!raw || raw === '{}') && reactiveKey) {
+            const reactive = querySqlite(dbPath, reactiveKey);
+            if (reactive) {
+                const root = JSON.parse(reactive);
+                const cs = root.composerState;
+                if (cs !== null && typeof cs === 'object' && !Array.isArray(cs)) {
+                    return { composerState: cs };
+                }
+            }
+        }
+        if (!raw) {
+            return { [itemKey]: {} };
+        }
+        const parsed = JSON.parse(raw);
+        if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return { [itemKey]: parsed };
+        }
+        // Bare JSON primitives (e.g. cursor/thirdPartyExtensibilityEnabled stores `true`/`false`).
+        if (typeof parsed === 'boolean' || typeof parsed === 'number' || typeof parsed === 'string') {
+            return { [itemKey]: parsed };
+        }
+        return { [itemKey]: {} };
+    }
+    catch {
+        return null;
+    }
+}
 function setNested(obj, dotPath, value) {
     const parts = dotPath.split('.');
     const safe = (k) => k !== '__proto__' && k !== 'constructor' && k !== 'prototype';
@@ -42,9 +135,17 @@ function runOneStep(dbPath, stateData, step) {
                     stateData.composerState = composerState;
                 }
                 if (step.include_keys?.length) {
+                    const nested = composerState && typeof composerState === 'object'
+                        ? composerState
+                        : undefined;
                     for (const k of step.include_keys) {
-                        if (k in obj && obj[k] !== undefined)
+                        // Prefer the value inside composerState when present; blob root can be stale vs the UI.
+                        if (nested && k in nested && nested[k] !== undefined) {
+                            stateData[k] = nested[k];
+                        }
+                        else if (k in obj && obj[k] !== undefined) {
                             stateData[k] = obj[k];
+                        }
                     }
                 }
                 return;