log-llm-config 1.3.13 → 1.3.16

package/dist/log_config_files/runtime/remediation_sync.js

@@ -334,26 +334,31 @@ function assertSafeSqliteIdentifiersForItemTable(table, keyColumn, valueColumn)
     complianceRunnerDiag('sqlite_update: rejected unsafe SQL identifier(s)');
     return false;
 }
+/**
+ * Canonical Cursor restart_command strings — single source for buildDeferredCursorRestartCommand + allowlist.
+ *
+ * - **SQLite / state.vscdb (deferred):** autofix queued ItemTable writes; restart runs `apply_deferred_vscdb` then reopens Cursor.
+ * - **JSON settings files:** autofix wrote normal config JSON; restart is kill + reopen only (no deferred apply).
+ *
+ * Exact-match only: `spawn('sh', ['-c', cmd])` runs the whole string; substring checks would allow
+ * appending `; arbitrary shell` after a trusted prefix.
+ */
+const TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
+    "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor";
+const TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\' >/dev/null 2>&1 & killall -9 Cursor';
+const TRUSTED_CLAUDE_RESTART_COMMAND = "nohup bash -c 'sleep 2 && open -a Claude' >/dev/null 2>&1 & pkill -x 'Claude'";
 /**
  * Autofix restart_command allowlist: manifest strings are attacker-controlled if JSON is tampered.
- * Deferred vscdb path always uses buildDeferredCursorRestartCommand(); this guards non-deferred restarts.
+ * SQLite-deferred Cursor path always uses {@link buildDeferredCursorRestartCommand}; manifests may still
+ * embed the JSON-settings-only Cursor template when `restart_required` applies to file-based autofix.
  */
 export function isTrustedRestartCommandForAutofix(cmd) {
     const t = cmd.trim();
     if (!t)
         return false;
-    const deferredPrefix = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ';
-    const legacyCursorPrefix = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && ';
-    const legacyCursorSnippet = 'nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\'';
-    const deferred = t.startsWith(deferredPrefix) &&
-        (t.includes('apply_deferred_vscdb') || t.includes('apply-deferred-vscdb')) &&
-        t.includes('killall -9 Cursor') &&
-        t.includes('open -a Cursor');
-    const legacyCursor = t.startsWith(legacyCursorPrefix) &&
-        t.includes(legacyCursorSnippet) &&
-        t.includes('killall -9 Cursor');
-    const claude = t.startsWith("nohup bash -c 'sleep 2 && open -a Claude'") && t.includes("pkill -x 'Claude'");
-    return deferred || legacyCursor || claude;
+    return (t === TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND ||
+        t === TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND ||
+        t === TRUSTED_CLAUDE_RESTART_COMMAND);
 }
 /** Legacy Cursor: dedicated ItemTable row `composerState`. Current Cursor: nested under reactive `applicationUser` blob. */
 function cursorVscdbHasUsableComposerStateRow(dbPath, sqliteOp) {
@@ -711,17 +716,16 @@ export async function applyDeferredVscdbFromDisk() {
     }
 }
 /**
- * macOS Cursor: SIGKILL, apply queued vscdb writes, reopen project.
+ * macOS Cursor: after deferred **SQLite / state.vscdb** autofix — apply queued writes, SIGKILL, reopen project.
  *
- * When `restart_required` implies deferred state.vscdb, `applyAutofixViolations` replaces any
- * `restart_command` from remediation specs with this string (see compliance_check.ts). Spec JSON
- * still documents a simpler Cursor reopen for non-code readers; that template is not executed on the deferred path.
+ * When autofix used the deferred vscdb path, `applyAutofixViolations` replaces any manifest `restart_command`
+ * with this string (see compliance_check.ts). For **JSON settings-file** remediations only, the trusted template
+ * is the JSON-settings-only Cursor template (kill + reopen, no `apply_deferred_vscdb`).
  */
 export function buildDeferredCursorRestartCommand() {
     // Prefer monorepo path when hooks run from optimus-secure-fdn; otherwise `npx -p log-llm-config apply-deferred-vscdb`
     // (package bin) so published installs work without a local npx_packages copy.
-    return ('REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
-        "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor");
+    return TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND;
 }
 function sqliteRowGroupKey(dbPath, op) {
     return `${dbPath}|${op.table}|${op.key_column}|${op.value_column}|${op.target_key}`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.13",
+  "version": "1.3.16",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {