log-llm-config 1.2.8 → 1.3.2

package/dist/log_config_files/runtime/remediation_sync.js

@@ -1,16 +1,37 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, unlinkSync } from 'node:fs';
 import { dirname } from 'node:path';
+import { execFileSync } from 'node:child_process';
 import { executeGet, executeBody } from '../../endpoint_client/http_transport.js';
-import { hookRunLog } from './hook_logger.js';
-import { getRemediationInstructionsPath, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
+import { complianceRunnerDiag, hookRunLog } from './hook_logger.js';
+import { atomicWriteJson, getDeferredVscdbApplyPath, getFileCollectionVscdbContractPath, getRemediationInstructionsPath, readFileCollectionVscdbContract, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
 import { readStoredAuthKey } from '../auth/auth_key_store.js';
 import { createSignature } from '../sender/signing.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
-import { resolveHardwareUuid } from './hardware_uuid.js';
+import { tryResolveHardwareUuid } from './hardware_uuid.js';
+import { persistVscdbComposerContractFromPatternsResponse, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
+import { sendConfigFile } from '../sender/batch_sender.js';
+import { getFileCollectionPatterns } from '../../endpoint_client/registry_api.js';
+function reactiveStorageItemKeyFromContract() {
+    const k = readFileCollectionVscdbContract()?.reactive_storage_item_key;
+    return typeof k === 'string' && k.trim() !== '' ? k.trim() : undefined;
+}
+function composerShadowKeySetFromContract() {
+    return new Set(readFileCollectionVscdbContract()?.composer_shadow_keys ?? []);
+}
 /** Resolve fix payload from API or legacy `compliance` key in local JSON. */
 export function remediationFixSpec(inst) {
     return inst.fix ?? inst.compliance ?? null;
 }
+/** True when this row should be replaced from GET manifest (missing or empty fix checks). */
+function needsManifestRefetch(inst) {
+    if (!inst)
+        return true;
+    const spec = remediationFixSpec(inst);
+    if (!spec)
+        return true;
+    const checks = spec.checks;
+    return !Array.isArray(checks) || checks.length === 0;
+}
 // ---------------------------------------------------------------------------
 // Persistence (single file: remediation_instructions.json)
 // ---------------------------------------------------------------------------
@@ -34,7 +55,8 @@ async function ensureInstructionsForUuids(endpointBase, machineUuid, want, overl
         if (want.has(inst.uuid))
             byUuid.set(inst.uuid, inst);
     }
-    const missing = [...want].filter((u) => !byUuid.has(u));
+    // Refetch rows that are missing entirely or have no usable checks (stale/incomplete local cache).
+    const missing = [...want].filter((u) => needsManifestRefetch(byUuid.get(u)));
     if (missing.length > 0) {
         try {
             const fetched = await fetchManifest(endpointBase, machineUuid, missing);
@@ -85,24 +107,36 @@ export async function fetchSync(endpointBase, machineUuid, activeUuids, timeoutM
     const uuidsParam = activeUuids.join(',');
     const url = `${resolveOrigin(endpointBase)}/api/findings/remediations/sync/?machine_uuid=${encodeURIComponent(machineUuid)}&active_uuids=${encodeURIComponent(uuidsParam)}`;
     const { statusCode, body } = await executeGet(url, timeoutMs);
-    if (statusCode !== 200 || !body)
+    if (statusCode !== 200 || !body) {
+        const line = `remediation_sync_get: url=${url} status=${statusCode} bytes=${body?.length ?? 0}`;
+        hookRunLog(line);
+        complianceRunnerDiag(line);
         return null;
+    }
     try {
         return JSON.parse(body);
     }
     catch {
+        hookRunLog('remediation_sync_get: invalid JSON body');
+        complianceRunnerDiag('remediation_sync_get: invalid JSON body');
         return null;
     }
 }
 async function fetchManifest(endpointBase, machineUuid, uuids, timeoutMs = 8000) {
     const url = `${resolveOrigin(endpointBase)}/api/findings/remediations/manifest/?machine_uuid=${encodeURIComponent(machineUuid)}&uuids=${encodeURIComponent(uuids.join(','))}`;
     const { statusCode, body } = await executeGet(url, timeoutMs);
-    if (statusCode !== 200 || !body)
+    if (statusCode !== 200 || !body) {
+        const line = `remediation_manifest_get: url=${url} status=${statusCode} bytes=${body?.length ?? 0}`;
+        hookRunLog(line);
+        complianceRunnerDiag(line);
         return null;
+    }
     try {
         const parsed = JSON.parse(body);
-        if (!Array.isArray(parsed.remediations))
+        if (!Array.isArray(parsed.remediations)) {
+            complianceRunnerDiag('remediation_manifest_get: JSON remediations is not an array');
             return null;
+        }
         return parsed.remediations.map((raw) => {
             const { compliance, ...rest } = raw;
             const fix = rest.fix ?? compliance ?? null;
@@ -110,6 +144,7 @@ async function fetchManifest(endpointBase, machineUuid, uuids, timeoutMs = 8000)
         });
     }
     catch {
+        complianceRunnerDiag('remediation_manifest_get: invalid JSON body');
         return null;
     }
 }
@@ -139,6 +174,19 @@ function getByPath(obj, path) {
     }
     return current;
 }
+/** Recursively set a value at a dot-notation path in a JSON object. */
+function setByPathNested(obj, path, value) {
+    const parts = path.split('.');
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+        const part = parts[i];
+        if (current[part] == null || typeof current[part] !== 'object' || Array.isArray(current[part])) {
+            current[part] = {};
+        }
+        current = current[part];
+    }
+    current[parts[parts.length - 1]] = value;
+}
 function isPlainObject(v) {
     return v != null && typeof v === 'object' && !Array.isArray(v);
 }
@@ -247,17 +295,628 @@ function applyCheck(configJson, check) {
     }
     setByPath(configJson, check.setting_path, value);
 }
+function mergePostApplyUploadIntoPayload(payload, hint) {
+    if (!hint)
+        return;
+    const ft = hint.file_type?.trim();
+    if (!ft || !hint.file_path.includes('#'))
+        return;
+    if (!payload.post_apply_uploads)
+        payload.post_apply_uploads = [];
+    if (payload.post_apply_uploads.some((u) => u.file_path === hint.file_path))
+        return;
+    payload.post_apply_uploads.push({ file_path: hint.file_path, file_type: ft });
+}
+function assertSqlite3Available() {
+    try {
+        execFileSync('which', ['sqlite3'], { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        const line = 'sqlite_update: sqlite3 command not found';
+        hookRunLog(line);
+        complianceRunnerDiag(line);
+        return false;
+    }
+}
+/**
+ * Unquoted SQLite identifiers must be [A-Za-z_][A-Za-z0-9_]* so values read from
+ * deferred_vscdb_apply.json cannot inject SQL via bogus table/column names.
+ */
+function isSafeSqliteIdentifier(ident) {
+    return /^[A-Za-z_][A-Za-z0-9_]*$/.test(ident);
+}
+function assertSafeSqliteIdentifiersForItemTable(table, keyColumn, valueColumn) {
+    if (isSafeSqliteIdentifier(table) && isSafeSqliteIdentifier(keyColumn) && isSafeSqliteIdentifier(valueColumn)) {
+        return true;
+    }
+    hookRunLog(`sqlite_update: rejected unsafe SQL identifier(s) table=${table} key_column=${keyColumn} value_column=${valueColumn}`);
+    complianceRunnerDiag('sqlite_update: rejected unsafe SQL identifier(s)');
+    return false;
+}
+/**
+ * Autofix restart_command allowlist: manifest strings are attacker-controlled if JSON is tampered.
+ * Deferred vscdb path always uses buildDeferredCursorRestartCommand(); this guards non-deferred restarts.
+ */
+export function isTrustedRestartCommandForAutofix(cmd) {
+    const t = cmd.trim();
+    if (!t)
+        return false;
+    const deferredPrefix = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ';
+    const legacyCursorPrefix = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && ';
+    const legacyCursorSnippet = 'nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\'';
+    const deferred = t.startsWith(deferredPrefix) &&
+        (t.includes('apply_deferred_vscdb') || t.includes('apply-deferred-vscdb')) &&
+        t.includes('killall -9 Cursor') &&
+        t.includes('open -a Cursor');
+    const legacyCursor = t.startsWith(legacyCursorPrefix) &&
+        t.includes(legacyCursorSnippet) &&
+        t.includes('killall -9 Cursor');
+    const claude = t.startsWith("nohup bash -c 'sleep 2 && open -a Claude'") && t.includes("pkill -x 'Claude'");
+    return deferred || legacyCursor || claude;
+}
+/** Legacy Cursor: dedicated ItemTable row `composerState`. Current Cursor: nested under reactive `applicationUser` blob. */
+function cursorVscdbHasUsableComposerStateRow(dbPath, sqliteOp) {
+    const raw = sqliteSelectValueCell(dbPath, sqliteOp.table, sqliteOp.key_column, sqliteOp.value_column, 'composerState').trim();
+    if (!raw || raw === '{}')
+        return false;
+    try {
+        const o = JSON.parse(raw);
+        return typeof o === 'object' && o !== null && !Array.isArray(o) && Object.keys(o).length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+function resolveCursorComposerSqliteOp(dbPath, sqliteOp) {
+    if (sqliteOp.target_key !== 'composerState')
+        return sqliteOp;
+    const reactiveKey = reactiveStorageItemKeyFromContract();
+    /** Merge into applicationUser (or equivalent) JSON: inner `composerState` or nested path under it. */
+    const resolveToReactive = () => {
+        if (!reactiveKey)
+            return sqliteOp;
+        const jp = (sqliteOp.json_path ?? '').trim();
+        if (!jp) {
+            return {
+                ...sqliteOp,
+                target_key: reactiveKey,
+                json_path: 'composerState',
+            };
+        }
+        const nestedPath = jp.startsWith('composerState.') ? jp : `composerState.${jp}`;
+        return {
+            ...sqliteOp,
+            target_key: reactiveKey,
+            json_path: nestedPath,
+        };
+    };
+    // Prefer the reactive storage blob when it exists and is non-empty. Cursor reads web/composer
+    // toggles from there; a legacy ItemTable `composerState` row may still hold stale JSON — writing
+    // only that row leaves the UI unchanged (user sees "remediation did nothing" after restart).
+    if (reactiveKey) {
+        const raw = sqliteSelectValueCell(dbPath, sqliteOp.table, sqliteOp.key_column, sqliteOp.value_column, reactiveKey).trim();
+        const reactiveHasBlob = raw !== '' && raw !== '{}';
+        if (reactiveHasBlob) {
+            return resolveToReactive();
+        }
+    }
+    if (cursorVscdbHasUsableComposerStateRow(dbPath, sqliteOp))
+        return sqliteOp;
+    if (reactiveKey) {
+        return resolveToReactive();
+    }
+    hookRunLog('vscdb_contract: missing file_collection_vscdb_contract.json (reactive_storage_item_key); run log-config or remediation sync against API');
+    return sqliteOp;
+}
+/** Apply sqlite merge: dot-path, or array match where `json_path` is `…container.arrayKey` (e.g. `modes4` or `composerState.modes4`). */
+/** ItemTable keys that store a JSON primitive; map to one field for merge + serialize. */
+const CURSOR_SCALAR_ITEMTABLE_FIELDS = {
+    'cursor/thirdPartyExtensibilityEnabled': 'thirdPartyExtensibilityEnabled',
+    'cursorai/donotchange/privacyMode': 'privacyMode',
+    'cursor/autoOpenLocalhostUrls': 'autoOpenLocalhostUrls',
+};
+function coerceScalarForItemTableField(parsed) {
+    if (typeof parsed === 'boolean')
+        return parsed;
+    if (typeof parsed === 'string') {
+        const lower = parsed.trim().toLowerCase();
+        if (lower === 'true' || lower === '1' || lower === 'yes')
+            return true;
+        return false;
+    }
+    if (typeof parsed === 'number' && !Number.isNaN(parsed))
+        return parsed !== 0;
+    return undefined;
+}
+/**
+ * ItemTable values are sometimes bare JSON booleans for toggle keys; sqlite merge expects an object root.
+ * Maps known scalar roots to the policy-shaped object before applying updates.
+ */
+function coerceItemTableValueToObjectRoot(targetKey, parsed) {
+    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+        return parsed;
+    }
+    const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[targetKey];
+    if (field) {
+        const b = coerceScalarForItemTableField(parsed);
+        if (b !== undefined)
+            return { [field]: b };
+    }
+    return {};
+}
+/**
+ * Cursor stores some ItemTable toggles as bare JSON booleans (`true`/`false` text). Writing a wrapper
+ * object can be ignored or overwritten on launch; match the native primitive shape when disabling.
+ */
+function serializeItemTableValueForWrite(targetKey, root) {
+    const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[targetKey];
+    if (field) {
+        const keys = Object.keys(root);
+        if (keys.length === 1 && keys[0] === field) {
+            const v = root[field];
+            if (typeof v === 'boolean')
+                return v ? 'true' : 'false';
+            if (typeof v === 'number' && !Number.isNaN(v))
+                return v !== 0 ? 'true' : 'false';
+        }
+    }
+    return JSON.stringify(root);
+}
+function mergeSqliteOpIntoJson(currentJson, sqliteOp) {
+    const where = sqliteOp.array_item_where;
+    const jp = sqliteOp.json_path ?? '';
+    if (where && typeof where === 'object' && Object.keys(where).length > 0 && jp) {
+        const parts = jp.split('.').filter(Boolean);
+        if (parts.length < 1) {
+            mergeJsonAtSqlitePath(currentJson, sqliteOp.json_path, sqliteOp.updates);
+            return;
+        }
+        const arrayKey = parts[parts.length - 1];
+        const parentParts = parts.slice(0, -1);
+        let node = currentJson;
+        for (const p of parentParts) {
+            if (node == null || typeof node !== 'object')
+                return;
+            node = node[p];
+        }
+        if (node == null || typeof node !== 'object' || Array.isArray(node))
+            return;
+        const container = node;
+        const arr = container[arrayKey];
+        if (!Array.isArray(arr))
+            return;
+        const idx = arr.findIndex((item) => {
+            if (item === null || typeof item !== 'object')
+                return false;
+            const o = item;
+            return Object.entries(where).every(([k, v]) => o[k] === v);
+        });
+        if (idx < 0)
+            return;
+        Object.assign(arr[idx], sqliteOp.updates);
+        return;
+    }
+    mergeJsonAtSqlitePath(currentJson, sqliteOp.json_path, sqliteOp.updates);
+    mirrorComposerShadowKeysToReactiveRoot(currentJson, sqliteOp);
+}
+/**
+ * Cursor remediations historically used json_path `composerState.` (trailing dot). That yields an empty
+ * segment and mergeJsonAtSqlitePath wrote under composerState[''] instead of composerState — the real
+ * isWebFetchToolEnabled stayed true. Strip that spurious object if present.
+ */
+function repairComposerStateEmptySegmentBug(root) {
+    const cs = root.composerState;
+    if (!cs || typeof cs !== 'object' || Array.isArray(cs))
+        return;
+    const o = cs;
+    if (!('' in o))
+        return;
+    delete o[''];
+}
+/**
+ * Cursor sometimes reads web-tool toggles from the reactive blob root; policy/reads merge those into
+ * `composerState` for scan. After patching `composerState` directly (resolved json_path exactly
+ * `composerState`), copy whitelisted keys to the root using cached
+ * `composer_shadow_keys` from the file-patterns API.
+ * Skips array-target ops (`modes4`, etc.).
+ */
+function mirrorComposerShadowKeysToReactiveRoot(root, resolvedOp) {
+    const rk = reactiveStorageItemKeyFromContract();
+    if (!rk || resolvedOp.target_key !== rk)
+        return;
+    const where = resolvedOp.array_item_where;
+    if (where && typeof where === 'object' && Object.keys(where).length > 0)
+        return;
+    const jp = (resolvedOp.json_path ?? '').split('.').filter(Boolean);
+    if (jp.length !== 1 || jp[0] !== 'composerState')
+        return;
+    const updates = resolvedOp.updates;
+    if (!updates || typeof updates !== 'object')
+        return;
+    const shadow = composerShadowKeySetFromContract();
+    for (const k of Object.keys(updates)) {
+        if (shadow.has(k))
+            root[k] = updates[k];
+    }
+}
+/** Merge `updates` into JSON at dot-path `json_path` (same rules as server-generated ops). */
+function mergeJsonAtSqlitePath(currentJson, json_path, updates) {
+    if (json_path?.trim()) {
+        const pathParts = json_path.split('.').filter(Boolean);
+        if (pathParts.length === 0) {
+            Object.assign(currentJson, updates);
+            return;
+        }
+        let current = currentJson;
+        for (let i = 0; i < pathParts.length - 1; i++) {
+            const part = pathParts[i];
+            const idx = parseInt(part, 10);
+            if (!isNaN(idx) && Array.isArray(current)) {
+                if (!current[idx])
+                    current[idx] = {};
+                current = current[idx];
+            }
+            else {
+                if (!current[part])
+                    current[part] = {};
+                current = current[part];
+            }
+        }
+        const lastPart = pathParts[pathParts.length - 1];
+        const lastIdx = parseInt(lastPart, 10);
+        if (!isNaN(lastIdx) && Array.isArray(current)) {
+            if (!current[lastIdx])
+                current[lastIdx] = {};
+            const target = current[lastIdx];
+            Object.assign(target, updates);
+        }
+        else {
+            if (!current[lastPart])
+                current[lastPart] = {};
+            const target = current[lastPart];
+            Object.assign(target, updates);
+        }
+    }
+    else {
+        Object.assign(currentJson, updates);
+    }
+}
+function sqliteSelectValueCell(dbPath, table, key_column, value_column, target_key) {
+    if (!assertSafeSqliteIdentifiersForItemTable(table, key_column, value_column)) {
+        return '';
+    }
+    const safeName = target_key.replace(/'/g, "''");
+    const script = `.timeout 60000\nSELECT ${value_column} FROM ${table} WHERE ${key_column}='${safeName}';\n`;
+    return execFileSync('sqlite3', ['-noheader', dbPath], {
+        input: script,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+}
+function sqliteExecWithTimeout(dbPath, sqlBody) {
+    const script = `.timeout 60000\n${sqlBody}\n`;
+    execFileSync('sqlite3', [dbPath], {
+        input: script,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+    });
+}
+/** Runs a single UPDATE (or other SQL) and returns sqlite `changes()` for the last statement. */
+function sqliteRunUpdateReturningChanges(dbPath, updateSql) {
+    const script = `.timeout 60000\n${updateSql}\nSELECT changes();\n`;
+    const out = execFileSync('sqlite3', [dbPath], {
+        input: script,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    const lines = out.split(/\r?\n/).filter((l) => l.length > 0);
+    const last = lines[lines.length - 1] ?? '0';
+    return parseInt(last, 10) || 0;
+}
+function queueDeferredVscdbItem(item, postApplyUpload) {
+    const path = getDeferredVscdbApplyPath();
+    let payload = { version: 1, items: [] };
+    if (existsSync(path)) {
+        try {
+            const parsed = JSON.parse(readFileSync(path, 'utf8'));
+            if (parsed?.items && Array.isArray(parsed.items)) {
+                payload = parsed;
+                if (!Array.isArray(payload.post_apply_uploads))
+                    payload.post_apply_uploads = [];
+            }
+        }
+        catch {
+            /* replace corrupt file */
+        }
+    }
+    payload.items.push(item);
+    mergePostApplyUploadIntoPayload(payload, postApplyUpload);
+    atomicWriteJson(path, payload);
+}
+/**
+ * After Cursor exits: apply queued ItemTable JSON updates, optional log-config-file uploads (re-read sqlite),
+ * then delete the queue file.
+ * No-op (returns true) if there is nothing pending so `open -a Cursor` still runs.
+ */
+export async function applyDeferredVscdbFromDisk() {
+    const path = getDeferredVscdbApplyPath();
+    if (!existsSync(path))
+        return true;
+    if (!assertSqlite3Available())
+        return false;
+    let payload;
+    try {
+        payload = JSON.parse(readFileSync(path, 'utf8'));
+    }
+    catch {
+        hookRunLog('deferred_vscdb: could not parse queue file');
+        return false;
+    }
+    const postApplyUploads = [...(payload.post_apply_uploads ?? [])];
+    if (!payload.items?.length) {
+        try {
+            unlinkSync(path);
+        }
+        catch {
+            /* ignore */
+        }
+        return true;
+    }
+    try {
+        for (const it of payload.items) {
+            if (!existsSync(it.dbPath)) {
+                hookRunLog(`deferred_vscdb: database missing ${it.dbPath}`);
+                return false;
+            }
+            if (!assertSafeSqliteIdentifiersForItemTable(it.table, it.key_column, it.value_column)) {
+                return false;
+            }
+            const safeJson = it.new_value_json.replace(/'/g, "''");
+            const safeName = it.target_key.replace(/'/g, "''");
+            const sql = `UPDATE ${it.table} SET ${it.value_column}='${safeJson}' WHERE ${it.key_column}='${safeName}';`;
+            const changed = sqliteRunUpdateReturningChanges(it.dbPath, sql);
+            if (changed < 1) {
+                hookRunLog(`deferred_vscdb: UPDATE changed 0 rows key=${it.target_key} db=${it.dbPath} — keeping queue file`);
+                return false;
+            }
+        }
+        hookRunLog(`deferred_vscdb: applied ${payload.items.length} queued update(s)`);
+        const authKey = readStoredAuthKey();
+        for (const u of postApplyUploads) {
+            if (!authKey) {
+                hookRunLog(`deferred_vscdb: skip post-apply upload (no auth) path=${u.file_path}`);
+                continue;
+            }
+            const hi = u.file_path.indexOf('#');
+            if (hi < 0)
+                continue;
+            const dbPath = u.file_path.slice(0, hi);
+            const itemKey = u.file_path.slice(hi + 1).trim();
+            if (!itemKey)
+                continue;
+            const rawContent = readVscdbItemTableJson(dbPath, itemKey);
+            if (rawContent === null) {
+                hookRunLog(`deferred_vscdb: post-apply read failed path=${u.file_path}`);
+                continue;
+            }
+            const hw = tryResolveHardwareUuid();
+            if (!hw) {
+                hookRunLog(`deferred_vscdb: skip post-apply upload (hardware UUID unavailable) path=${u.file_path}`);
+                continue;
+            }
+            const sent = await sendConfigFile({ file_type: u.file_type, file_path: u.file_path, raw_content: rawContent }, hw, authKey);
+            hookRunLog(`deferred_vscdb: post-apply upload path=${u.file_path} ok=${sent}`);
+        }
+        unlinkSync(path);
+        return true;
+    }
+    catch (e) {
+        hookRunLog(`deferred_vscdb: apply failed: ${e instanceof Error ? e.message : String(e)}`);
+        return false;
+    }
+}
+/**
+ * macOS Cursor: SIGKILL, apply queued vscdb writes, reopen project.
+ *
+ * When `restart_required` implies deferred state.vscdb, `applyAutofixViolations` replaces any
+ * `restart_command` from remediation specs with this string (see compliance_check.ts). Spec JSON
+ * still documents a simpler Cursor reopen for non-code readers; that template is not executed on the deferred path.
+ */
+export function buildDeferredCursorRestartCommand() {
+    // Prefer monorepo path when hooks run from optimus-secure-fdn; otherwise `npx -p log-llm-config apply-deferred-vscdb`
+    // (package bin) so published installs work without a local npx_packages copy.
+    return ('REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
+        "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor");
+}
+function sqliteRowGroupKey(dbPath, op) {
+    return `${dbPath}|${op.table}|${op.key_column}|${op.value_column}|${op.target_key}`;
+}
+/**
+ * Deferred sqlite path: one read per logical row, apply every `sqlite_op` merge in memory, then one queue
+ * entry per row. Without this, two ops on the same `composerState` row each read the stale DB and queue
+ * two full JSON blobs — the second UPDATE overwrites the first (e.g. only one of autoRun/fullAutoRun sticks).
+ */
+function queueDeferredSqliteOpsMerged(configPath, sqliteOps, postApplyUpload) {
+    const dbPath = configPath.split('#')[0];
+    if (!existsSync(dbPath)) {
+        const line = `sqlite_update: database not found at ${dbPath}`;
+        hookRunLog(line);
+        complianceRunnerDiag(line);
+        return false;
+    }
+    if (!assertSqlite3Available())
+        return false;
+    const resolvedOps = sqliteOps.map((op) => resolveCursorComposerSqliteOp(dbPath, op));
+    const groups = new Map();
+    for (const op of resolvedOps) {
+        const k = sqliteRowGroupKey(dbPath, op);
+        const arr = groups.get(k);
+        if (arr)
+            arr.push(op);
+        else
+            groups.set(k, [op]);
+    }
+    try {
+        for (const ops of groups.values()) {
+            const first = ops[0];
+            complianceRunnerDiag(`sqlite_update: deferred merge db=${dbPath} target_key=${first.target_key} operations=${ops.length}`);
+            let currentJson = {};
+            try {
+                const result = sqliteSelectValueCell(dbPath, first.table, first.key_column, first.value_column, first.target_key);
+                if (result) {
+                    const parsed = JSON.parse(result);
+                    currentJson = coerceItemTableValueToObjectRoot(first.target_key, parsed);
+                }
+            }
+            catch (e) {
+                const line = `sqlite_update: error querying database: ${e instanceof Error ? e.message : String(e)}`;
+                hookRunLog(line);
+                complianceRunnerDiag(line);
+                return false;
+            }
+            for (const op of ops) {
+                mergeSqliteOpIntoJson(currentJson, op);
+            }
+            repairComposerStateEmptySegmentBug(currentJson);
+            const updatedJson = serializeItemTableValueForWrite(first.target_key, currentJson);
+            queueDeferredVscdbItem({
+                dbPath,
+                table: first.table,
+                key_column: first.key_column,
+                value_column: first.value_column,
+                target_key: first.target_key,
+                new_value_json: updatedJson,
+            }, postApplyUpload);
+            const okLine = `sqlite_update: queued deferred write (merged ${ops.length} op(s)) for ${first.target_key} in ${dbPath}`;
+            hookRunLog(okLine);
+            complianceRunnerDiag(okLine);
+        }
+        return true;
+    }
+    catch (err) {
+        const line = `sqlite_update: unexpected error: ${err instanceof Error ? err.message : String(err)}`;
+        hookRunLog(line);
+        complianceRunnerDiag(line);
+        return false;
+    }
+}
+/**
+ * Read + merge JSON for a sqlite op; when `deferred`, queue UPDATE for after IDE exit (state.vscdb lock).
+ */
+function applyOrQueueSqliteJsonUpdate(configPath, sqliteOp, deferred) {
+    try {
+        const dbPath = configPath.split('#')[0];
+        complianceRunnerDiag(`sqlite_update: attempt db=${dbPath} target_key=${sqliteOp.target_key} json_path=${sqliteOp.json_path} deferred=${deferred}`);
+        if (!existsSync(dbPath)) {
+            const line = `sqlite_update: database not found at ${dbPath}`;
+            hookRunLog(line);
+            complianceRunnerDiag(line);
+            return false;
+        }
+        if (!assertSqlite3Available())
+            return false;
+        sqliteOp = resolveCursorComposerSqliteOp(dbPath, sqliteOp);
+        const { table, key_column, value_column, target_key } = sqliteOp;
+        if (!assertSafeSqliteIdentifiersForItemTable(table, key_column, value_column)) {
+            return false;
+        }
+        const safeName = target_key.replace(/'/g, "''");
+        let currentJson = {};
+        try {
+            const result = sqliteSelectValueCell(dbPath, table, key_column, value_column, target_key);
+            if (result) {
+                const parsed = JSON.parse(result);
+                currentJson = coerceItemTableValueToObjectRoot(target_key, parsed);
+            }
+        }
+        catch (e) {
+            const line = `sqlite_update: error querying database: ${e instanceof Error ? e.message : String(e)}`;
+            hookRunLog(line);
+            complianceRunnerDiag(line);
+            return false;
+        }
+        mergeSqliteOpIntoJson(currentJson, sqliteOp);
+        repairComposerStateEmptySegmentBug(currentJson);
+        const updatedJson = serializeItemTableValueForWrite(target_key, currentJson);
+        if (deferred) {
+            queueDeferredVscdbItem({
+                dbPath,
+                table,
+                key_column,
+                value_column,
+                target_key,
+                new_value_json: updatedJson,
+            });
+            const okLine = `sqlite_update: queued deferred write for ${target_key} in ${dbPath}`;
+            hookRunLog(okLine);
+            complianceRunnerDiag(okLine);
+            return true;
+        }
+        const safeJson = updatedJson.replace(/'/g, "''");
+        const updateSql = `UPDATE ${table} SET ${value_column}='${safeJson}' WHERE ${key_column}='${safeName}';`;
+        try {
+            sqliteExecWithTimeout(dbPath, updateSql);
+            const okLine = `sqlite_update: successfully updated ${target_key} in ${dbPath}`;
+            hookRunLog(okLine);
+            complianceRunnerDiag(okLine);
+            return true;
+        }
+        catch (e) {
+            const line = `sqlite_update: error updating database: ${e instanceof Error ? e.message : String(e)}`;
+            hookRunLog(line);
+            complianceRunnerDiag(line);
+            return false;
+        }
+    }
+    catch (err) {
+        const line = `sqlite_update: unexpected error: ${err instanceof Error ? err.message : String(err)}`;
+        hookRunLog(line);
+        complianceRunnerDiag(line);
+        return false;
+    }
+}
 export function enforceRemediation(instruction) {
     try {
-        const dir = dirname(instruction.config_file_path);
-        if (!existsSync(dir))
-            mkdirSync(dir, { recursive: true, mode: 0o700 });
         const fixSpec = remediationFixSpec(instruction);
-        const checks = fixSpec?.file_format === 'json' ? (fixSpec.checks ?? []) : [];
+        const checks = fixSpec?.checks ?? [];
         if (checks.length === 0) {
             hookRunLog(`remediation_enforce: no checks to apply uuid=${instruction.uuid}`);
-            return false;
+            return { ok: false };
+        }
+        const sqliteOps = checks.filter((c) => {
+            const raw = c;
+            return raw.sqlite_op !== undefined;
+        });
+        if (sqliteOps.length > 0) {
+            complianceRunnerDiag(`remediation_enforce: sqlite path uuid=${instruction.uuid} checks_with_sqlite=${sqliteOps.length}`);
+            const restartRequired = !!fixSpec?.restart_required;
+            if (restartRequired) {
+                const ops = sqliteOps.map((c) => c.sqlite_op);
+                const ft = instruction.file_type?.trim();
+                const postApplyUpload = ft && instruction.config_file_path.includes('#')
+                    ? { file_path: instruction.config_file_path, file_type: ft }
+                    : undefined;
+                const ok = queueDeferredSqliteOpsMerged(instruction.config_file_path, ops, postApplyUpload);
+                return { ok, deferredSqlite: ok };
+            }
+            let allSuccess = true;
+            for (const check of sqliteOps) {
+                const raw = check;
+                const sqliteOp = raw.sqlite_op;
+                const rowOk = applyOrQueueSqliteJsonUpdate(instruction.config_file_path, sqliteOp, false);
+                if (!rowOk)
+                    allSuccess = false;
+            }
+            return { ok: allSuccess, deferredSqlite: false };
+        }
+        if (fixSpec?.file_format !== 'json') {
+            hookRunLog(`remediation_enforce: unsupported file format ${fixSpec?.file_format} uuid=${instruction.uuid}`);
+            return { ok: false };
         }
+        const dir = dirname(instruction.config_file_path);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
         let configJson = {};
         if (existsSync(instruction.config_file_path)) {
             try {
@@ -274,11 +933,11 @@ export function enforceRemediation(instruction) {
         const tmp = `${instruction.config_file_path}.tmp`;
         writeFileSync(tmp, content, 'utf8');
         renameSync(tmp, instruction.config_file_path);
-        return true;
+        return { ok: true };
     }
     catch (err) {
         hookRunLog(`remediation_enforce_error: uuid=${instruction.uuid} err=${err instanceof Error ? err.message : String(err)}`);
-        return false;
+        return { ok: false };
     }
 }
 // ---------------------------------------------------------------------------
@@ -296,7 +955,11 @@ export function reportAutofixApplied(remediationUuid, result) {
         hookRunLog(`autofix_report: no auth key available, skipping report for uuid=${remediationUuid}`);
         return Promise.resolve();
     }
-    const hardwareUuid = resolveHardwareUuid();
+    const hardwareUuid = tryResolveHardwareUuid();
+    if (!hardwareUuid) {
+        hookRunLog(`autofix_report: hardware UUID unavailable, skipping report for uuid=${remediationUuid}`);
+        return Promise.resolve();
+    }
     const endpointBase = loadEndpointBase();
     const url = `${resolveOrigin(endpointBase)}/endpoint_security/api/autofix-applied/`;
     const payload = { hardware_uuid: hardwareUuid, remediation_uuid: remediationUuid, result };
@@ -318,27 +981,43 @@ export function reportAutofixApplied(remediationUuid, result) {
 export async function syncRemediations(endpointBase, machineUuid) {
     let remediations = readInstructions().remediations;
     const activeUuids = remediations.map((r) => r.uuid);
+    complianceRunnerDiag(`remediation_sync: begin endpoint=${endpointBase} machine_uuid=${machineUuid} local_rows=${remediations.length}`);
+    try {
+        if (!existsSync(getFileCollectionVscdbContractPath())) {
+            const pr = await getFileCollectionPatterns(endpointBase);
+            if (pr)
+                persistVscdbComposerContractFromPatternsResponse(pr);
+        }
+    }
+    catch {
+        /* contract also written on full log-config run */
+    }
     let syncResult;
     try {
         syncResult = await fetchSync(endpointBase, machineUuid, activeUuids);
     }
     catch (err) {
-        hookRunLog(`remediation_sync_error: ${err instanceof Error ? err.message : String(err)}`);
+        const msg = `remediation_sync_error: ${err instanceof Error ? err.message : String(err)}`;
+        hookRunLog(msg);
+        complianceRunnerDiag(msg);
         return;
     }
     if (!syncResult) {
         hookRunLog(`remediation_sync: no response from server, skipping`);
+        complianceRunnerDiag('remediation_sync: no response from server (non-200 or empty body), skipping');
         return;
     }
     if (syncResult.status === 'unchanged') {
         hookRunLog(`remediation_sync: unchanged enforced=${activeUuids.length}`);
+        complianceRunnerDiag(`remediation_sync: server status=unchanged local_uuids=${activeUuids.length} — no new rows to fetch; if a deploy should exist, verify Finding.machine matches this hardware_uuid`);
         const want = new Set(activeUuids);
         const have = new Map(remediations.map((r) => [r.uuid, r]));
         const needBackfill = activeUuids.some((u) => !have.has(u));
+        const haveIncomplete = remediations.some((r) => want.has(r.uuid) && needsManifestRefetch(r));
         const haveOrphan = remediations.some((r) => !want.has(r.uuid));
         const path = getRemediationInstructionsPath();
         if (activeUuids.length > 0) {
-            if (needBackfill || haveOrphan || !existsSync(path)) {
+            if (needBackfill || haveIncomplete || haveOrphan || !existsSync(path)) {
                 try {
                     await ensureInstructionsForUuids(endpointBase, machineUuid, want, null);
                 }
@@ -359,6 +1038,7 @@ export async function syncRemediations(endpointBase, machineUuid) {
     }
     const { added, removed } = syncResult;
     hookRunLog(`remediation_sync: status=updated added=${added.length} removed=${removed.length}`);
+    complianceRunnerDiag(`remediation_sync: server status=updated added=${JSON.stringify(added)} removed=${JSON.stringify(removed)}`);
     const removedSet = new Set(removed);
     let removedCount = 0;
     remediations = remediations.filter((r) => {
@@ -375,7 +1055,9 @@ export async function syncRemediations(endpointBase, machineUuid) {
             manifest = await fetchManifest(endpointBase, machineUuid, added);
         }
         catch (err) {
-            hookRunLog(`remediation_manifest_error: ${err instanceof Error ? err.message : String(err)}`);
+            const msg = `remediation_manifest_error: ${err instanceof Error ? err.message : String(err)}`;
+            hookRunLog(msg);
+            complianceRunnerDiag(msg);
             if (removedCount > 0) {
                 remediations.sort((a, b) => a.uuid.localeCompare(b.uuid));
                 writeInstructions({ remediations });
@@ -384,6 +1066,7 @@ export async function syncRemediations(endpointBase, machineUuid) {
         }
         if (!manifest) {
             hookRunLog(`remediation_sync: manifest fetch failed, skipping`);
+            complianceRunnerDiag('remediation_sync: manifest fetch failed (null), skipping — remediation_instructions.json not updated');
             if (removedCount > 0) {
                 remediations.sort((a, b) => a.uuid.localeCompare(b.uuid));
                 writeInstructions({ remediations });
@@ -411,9 +1094,15 @@ export async function syncRemediations(endpointBase, machineUuid) {
         hookRunLog(`remediation_instructions_saved: uuid=${instruction.uuid} path=${instruction.config_file_path}`);
     }
     const addedCount = overlay.length;
+    if (added.length > 0 && addedCount === 0) {
+        const msg = `remediation_sync: manifest had no rows for added uuids=${added.join(',')} — check server manifest/machine linkage`;
+        hookRunLog(msg);
+        complianceRunnerDiag(`${msg} — remediation_instructions.json not written`);
+    }
     if (removedCount > 0 || addedCount > 0) {
         remediations.sort((a, b) => a.uuid.localeCompare(b.uuid));
         writeInstructions({ remediations });
+        complianceRunnerDiag(`remediation_sync: wrote ${getRemediationInstructionsPath()} rows=${remediations.length} (added_from_manifest=${addedCount} removed=${removedCount})`);
         const finalWant = new Set(remediations.map((r) => r.uuid));
         try {
             await ensureInstructionsForUuids(endpointBase, machineUuid, finalWant, overlay.length > 0 ? overlay : null);
@@ -432,4 +1121,5 @@ export async function syncRemediations(endpointBase, machineUuid) {
         }
     }
     hookRunLog(`remediation_sync: saved=${addedCount} removed=${removedCount}`);
+    complianceRunnerDiag(`remediation_sync: done saved=${addedCount} removed=${removedCount}`);
 }