npm - log-llm-config - Versions diffs - 1.3.15 → 1.3.17 - Mend

log-llm-config 1.3.15 → 1.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/log_config_files/readers/vscdb_reader.js +7 -3
package/dist/log_config_files/runtime/remediation_sync.js +23 -19
package/package.json +1 -1

package/dist/log_config_files/readers/vscdb_reader.js CHANGED Viewed

@@ -100,12 +100,16 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
             return { [itemKey]: parsed };
         }
         // Bare JSON primitives. Scalar toggles must be wrapped so getByPath(key.field) works in compliance checks.
+        // Match coerceScalarForItemTableField in remediation_sync: Cursor may store toggles as JSON 0/1, not only booleans.
         if (typeof parsed === 'boolean' || typeof parsed === 'number' || typeof parsed === 'string') {
-            if (typeof parsed === 'boolean') {
-                const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[itemKey];
-                if (field) {
+            const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[itemKey];
+            if (field) {
+                if (typeof parsed === 'boolean') {
                     return { [itemKey]: { [field]: parsed } };
                 }
+                if (typeof parsed === 'number' && !Number.isNaN(parsed)) {
+                    return { [itemKey]: { [field]: parsed !== 0 } };
+                }
             }
             return { [itemKey]: parsed };
         }

package/dist/log_config_files/runtime/remediation_sync.js CHANGED Viewed

@@ -334,26 +334,31 @@ function assertSafeSqliteIdentifiersForItemTable(table, keyColumn, valueColumn)
     complianceRunnerDiag('sqlite_update: rejected unsafe SQL identifier(s)');
     return false;
 }
+/**
+ * Canonical Cursor restart_command strings — single source for buildDeferredCursorRestartCommand + allowlist.
+ *
+ * - **SQLite / state.vscdb (deferred):** autofix queued ItemTable writes; restart runs `apply_deferred_vscdb` then reopens Cursor.
+ * - **JSON settings files:** autofix wrote normal config JSON; restart is kill + reopen only (no deferred apply).
+ *
+ * Exact-match only: `spawn('sh', ['-c', cmd])` runs the whole string; substring checks would allow
+ * appending `; arbitrary shell` after a trusted prefix.
+ */
+const TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
+    "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor";
+const TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\' >/dev/null 2>&1 & killall -9 Cursor';
+const TRUSTED_CLAUDE_RESTART_COMMAND = "nohup bash -c 'sleep 2 && open -a Claude' >/dev/null 2>&1 & pkill -x 'Claude'";
 /**
  * Autofix restart_command allowlist: manifest strings are attacker-controlled if JSON is tampered.
- * Deferred vscdb path always uses buildDeferredCursorRestartCommand(); this guards non-deferred restarts.
+ * SQLite-deferred Cursor path always uses {@link buildDeferredCursorRestartCommand}; manifests may still
+ * embed the JSON-settings-only Cursor template when `restart_required` applies to file-based autofix.
  */
 export function isTrustedRestartCommandForAutofix(cmd) {
     const t = cmd.trim();
     if (!t)
         return false;
-    const deferredPrefix = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ';
-    const legacyCursorPrefix = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && ';
-    const legacyCursorSnippet = 'nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\'';
-    const deferred = t.startsWith(deferredPrefix) &&
-        (t.includes('apply_deferred_vscdb') || t.includes('apply-deferred-vscdb')) &&
-        t.includes('killall -9 Cursor') &&
-        t.includes('open -a Cursor');
-    const legacyCursor = t.startsWith(legacyCursorPrefix) &&
-        t.includes(legacyCursorSnippet) &&
-        t.includes('killall -9 Cursor');
-    const claude = t.startsWith("nohup bash -c 'sleep 2 && open -a Claude'") && t.includes("pkill -x 'Claude'");
-    return deferred || legacyCursor || claude;
+    return (t === TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND ||
+        t === TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND ||
+        t === TRUSTED_CLAUDE_RESTART_COMMAND);
 }
 /** Legacy Cursor: dedicated ItemTable row `composerState`. Current Cursor: nested under reactive `applicationUser` blob. */
 function cursorVscdbHasUsableComposerStateRow(dbPath, sqliteOp) {
@@ -711,17 +716,16 @@ export async function applyDeferredVscdbFromDisk() {
     }
 }
 /**
- * macOS Cursor: SIGKILL, apply queued vscdb writes, reopen project.
+ * macOS Cursor: after deferred **SQLite / state.vscdb** autofix — apply queued writes, SIGKILL, reopen project.
  *
- * When `restart_required` implies deferred state.vscdb, `applyAutofixViolations` replaces any
- * `restart_command` from remediation specs with this string (see compliance_check.ts). Spec JSON
- * still documents a simpler Cursor reopen for non-code readers; that template is not executed on the deferred path.
+ * When autofix used the deferred vscdb path, `applyAutofixViolations` replaces any manifest `restart_command`
+ * with this string (see compliance_check.ts). For **JSON settings-file** remediations only, the trusted template
+ * is the JSON-settings-only Cursor template (kill + reopen, no `apply_deferred_vscdb`).
  */
 export function buildDeferredCursorRestartCommand() {
     // Prefer monorepo path when hooks run from optimus-secure-fdn; otherwise `npx -p log-llm-config apply-deferred-vscdb`
     // (package bin) so published installs work without a local npx_packages copy.
-    return ('REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
-        "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor");
+    return TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND;
 }
 function sqliteRowGroupKey(dbPath, op) {
     return `${dbPath}|${op.table}|${op.key_column}|${op.value_column}|${op.target_key}`;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.15",
+  "version": "1.3.17",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {