log-llm-config 1.3.24 → 1.3.26

package/README.md

@@ -15,7 +15,7 @@ Collects the machine hardware UUID (or uses the `OPTIMUS_HARDWARE_UUID` env vari
 
 ```bash
 OPTIMUS_ENDPOINT=http://localhost:8080/endpoint_security/ \
-npx log-llm-config log_uuid
+npx --yes log-llm-config@latest log_uuid
 ```
 
 - **Optional flags** (for git context, similar to `optimus-init`):
@@ -32,7 +32,7 @@ Legacy helper that logs local Optimus/Cursor configuration files to `configs.txt
 You can also pass the UUID explicitly:
 
 ```bash
-npx log-llm-config log_uuid --uuid "DUMMY-LOCAL-UUID"
+npx --yes log-llm-config@latest log_uuid --uuid "DUMMY-LOCAL-UUID"
 ```
 
 ### Development

package/dist/compliance_check_runner.js

@@ -1,40 +1,16 @@
-import { appendFileSync, mkdirSync, existsSync } from 'node:fs';
-import { join } from 'node:path';
-import { homedir } from 'node:os';
-import { OPT_AI_SEC_MANAGEMENT_REL } from './bootstrap_constants.js';
-import { hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
+import { complianceRunnerRunnerLine, hookLogAppendSection } from './log_config_files/runtime/hook_logger.js';
 import { runComplianceCheck } from './log_config_files/runtime/compliance_check.js';
-/** Append-only log for compliance runner lifecycle; hook_log.txt uses a fresh session from the gate then this section. */
-function runnerFileLog(message) {
-    try {
-        const dir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
-        if (!existsSync(dir))
-            mkdirSync(dir, { recursive: true, mode: 0o700 });
-        const path = join(dir, 'compliance_runner.log');
-        appendFileSync(path, `${new Date().toISOString()} ${message}\n`, 'utf8');
-    }
-    catch {
-        /* ignore */
-    }
-}
 (async () => {
     hookLogAppendSection('compliance_check_runner (background sync + check)');
-    runnerFileLog('compliance_check_runner: start');
+    complianceRunnerRunnerLine('compliance_check_runner: start');
     try {
         await runComplianceCheck();
-        runnerFileLog('compliance_check_runner: finished ok');
+        complianceRunnerRunnerLine('compliance_check_runner: finished ok');
     }
     catch (err) {
         const detail = err instanceof Error ? err.stack ?? err.message : String(err);
-        runnerFileLog('compliance_check_runner: uncaught error');
-        try {
-            const dir = join(homedir(), OPT_AI_SEC_MANAGEMENT_REL);
-            const path = join(dir, 'compliance_runner.log');
-            appendFileSync(path, `${detail}\n\n`, 'utf8');
-        }
-        catch {
-            /* ignore */
-        }
+        complianceRunnerRunnerLine(`compliance_check_runner: uncaught error — ${err instanceof Error ? err.message : String(err)}`);
+        complianceRunnerRunnerLine(`compliance_check_runner: stack_or_detail ${detail.slice(0, 4000)}`);
         process.stderr.write(`compliance_check_runner error: ${err instanceof Error ? err.message : String(err)}\n`);
         process.exit(1);
     }

package/dist/execute_trusted_restarts.js

@@ -5,7 +5,7 @@
  */
 import { readFileSync } from 'node:fs';
 import { isThisCliModule } from './cli_invocation_match.js';
-import { hookRunLog } from './log_config_files/runtime/hook_logger.js';
+import { appendComplianceRunnerLine, hookRunLog } from './log_config_files/runtime/hook_logger.js';
 import { executeTrustedRestartCommands } from './log_config_files/runtime/trusted_restarts.js';
 function main() {
     let raw;
@@ -13,24 +13,33 @@ function main() {
         raw = readFileSync(0, 'utf8');
     }
     catch {
-        hookRunLog('execute_trusted_restarts: could not read stdin');
+        const msg = 'execute_trusted_restarts: could not read stdin';
+        hookRunLog(msg);
+        appendComplianceRunnerLine('RESTART', msg);
         return;
     }
     const first = raw.trim().split(/\r?\n/)[0]?.trim() ?? '';
-    if (!first)
+    if (!first) {
+        appendComplianceRunnerLine('RESTART', 'empty stdin — no restart_commands');
         return;
+    }
     let j;
     try {
         j = JSON.parse(first);
     }
     catch {
-        hookRunLog('execute_trusted_restarts: stdin is not valid JSON');
+        const msg = 'execute_trusted_restarts: stdin is not valid JSON';
+        hookRunLog(msg);
+        appendComplianceRunnerLine('RESTART', msg);
         return;
     }
     const cmds = j.restart_commands;
-    if (!Array.isArray(cmds))
+    if (!Array.isArray(cmds)) {
+        appendComplianceRunnerLine('RESTART', 'JSON missing restart_commands array — nothing to run');
         return;
+    }
     const strings = cmds.filter((c) => typeof c === 'string');
+    appendComplianceRunnerLine('RESTART', `stdin ok restart_commands=${strings.length}`);
     executeTrustedRestartCommands(strings);
 }
 if (isThisCliModule(process.argv[1], import.meta.url)) {

package/dist/log_config_files/runtime/compliance_check.js

@@ -143,19 +143,29 @@ export function runLocalRemediationComplianceCheck() {
         }
         const uuids = entries.map((e) => e.uuid);
         const violations = [];
+        let skippedNoCompliance = 0;
+        let skippedNonJson = 0;
+        let skippedNoChecks = 0;
+        let skippedUnreadable = 0;
         for (const entry of entries) {
             const compliance = entry.fix ?? entry.compliance;
-            if (!compliance)
+            if (!compliance) {
+                skippedNoCompliance++;
                 continue;
+            }
             if (compliance.file_format !== 'json') {
+                skippedNonJson++;
                 hookRunLog(`compliance_check: skipping non-json entry uuid=${entry.uuid}`);
                 continue;
             }
             const checks = compliance.checks ?? [];
-            if (checks.length === 0)
+            if (checks.length === 0) {
+                skippedNoChecks++;
                 continue;
+            }
             const loaded = loadRemediationConfigJson(entry.config_file_path, checks.map((c) => c.setting_path));
             if (!loaded.ok) {
+                skippedUnreadable++;
                 const msg = loaded.reason === 'file_not_found'
                     ? `compliance_check: config file not found, skipping uuid=${entry.uuid}`
                     : loaded.reason === 'db_not_found'
@@ -228,7 +238,20 @@ export function runLocalRemediationComplianceCheck() {
             manifest_uuids: uuids,
             violations,
         };
-        hookRunLog(`compliance_check: done — status=${status.status} violations=${violations.length} uuids=${uuids.length}`);
+        const skipParts = [];
+        if (skippedNoCompliance)
+            skipParts.push(`no_fix=${skippedNoCompliance}`);
+        if (skippedNonJson)
+            skipParts.push(`non_json=${skippedNonJson}`);
+        if (skippedNoChecks)
+            skipParts.push(`no_checks=${skippedNoChecks}`);
+        if (skippedUnreadable)
+            skipParts.push(`unreadable_config=${skippedUnreadable}`);
+        const skipSummary = skipParts.length > 0 ? ` skipped{${skipParts.join(' ')}}` : '';
+        hookRunLog(`compliance_check: done — status=${status.status} violations=${violations.length} manifest_entries=${uuids.length}${skipSummary}`);
+        if (skippedUnreadable > 0) {
+            complianceRunnerDiag(`compliance_check: ${skippedUnreadable} manifest row(s) skipped — vscdb/config unreadable (often DB locked while Cursor runs, or sqlite3/PATH). Autofix cannot evaluate until read succeeds.`);
+        }
         return status;
     }
     catch (err) {

package/dist/log_config_files/runtime/hook_logger.js

@@ -26,9 +26,10 @@ function getRemediationApplyFailuresLogPath() {
     return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, REMEDIATION_APPLY_FAILURES_FILENAME);
 }
 /**
- * Append-only diagnostics (not truncated by main_runner). Use for remediation sync / compliance.
+ * Append one ISO-timestamped line to compliance_runner.log.
+ * `level` examples: INFO, RUNNER, RESTART, FAIL
  */
-function complianceRunnerDiag(message) {
+function appendComplianceRunnerLine(level, message) {
     const logPath = getComplianceRunnerLogPath();
     if (!logPath)
         return;
@@ -37,12 +38,24 @@ function complianceRunnerDiag(message) {
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true, mode: 0o700 });
         const ts = new Date().toISOString();
-        appendFileSync(logPath, `${ts} ${message}\n`, 'utf8');
+        appendFileSync(logPath, `${ts} [${level}] pid=${process.pid} ${message}\n`, 'utf8');
     }
     catch {
         // best-effort
     }
 }
+/**
+ * Append-only diagnostics for remediation sync / compliance (structured).
+ */
+function complianceRunnerDiag(message) {
+    appendComplianceRunnerLine('INFO', message);
+}
+/**
+ * Background compliance_check_runner should use this so entries match the same format.
+ */
+function complianceRunnerRunnerLine(message) {
+    appendComplianceRunnerLine('RUNNER', message);
+}
 /**
  * Loud, append-only record when a remediation cannot be verified or applied. Writes
  * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to compliance_runner.log;
@@ -66,7 +79,7 @@ function logRemediationApplyFailure(context, fields) {
         : fields.message != null
             ? String(fields.message)
             : 'see fields above';
-    const writeAppend = (filePath) => {
+    const writeFailAppend = (filePath) => {
         const dir = path.dirname(filePath);
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true, mode: 0o700 });
@@ -75,10 +88,14 @@ function logRemediationApplyFailure(context, fields) {
     try {
         const failPath = getRemediationApplyFailuresLogPath();
         if (failPath)
-            writeAppend(failPath);
+            writeFailAppend(failPath);
         const crPath = getComplianceRunnerLogPath();
-        if (crPath)
-            writeAppend(crPath);
+        if (crPath) {
+            const dir = path.dirname(crPath);
+            if (!existsSync(dir))
+                mkdirSync(dir, { recursive: true, mode: 0o700 });
+            appendFileSync(crPath, block, 'utf8');
+        }
     }
     catch {
         /* best-effort */
@@ -89,6 +106,7 @@ function logRemediationApplyFailure(context, fields) {
     catch {
         /* best-effort */
     }
+    appendComplianceRunnerLine('FAIL', `${context} — ${summary}`);
 }
 function ensureHookLogUnderCap() {
     const logPath = getHookLogPath();
@@ -176,4 +194,4 @@ function hookLogLine(message) {
         // best-effort
     }
 }
-export { getHookLogPath, getComplianceRunnerLogPath, hookLogReplace, hookLogSessionBanner, hookLogAppendSection, hookRunLog, hookLogLine, complianceRunnerDiag, logRemediationApplyFailure, };
+export { getHookLogPath, getComplianceRunnerLogPath, hookLogReplace, hookLogSessionBanner, hookLogAppendSection, hookRunLog, hookLogLine, complianceRunnerDiag, complianceRunnerRunnerLine, appendComplianceRunnerLine, logRemediationApplyFailure, };

package/dist/log_config_files/runtime/management_storage.js

@@ -9,6 +9,8 @@ import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 export const REMEDIATION_INSTRUCTIONS_BASENAME = 'remediation_instructions.json';
 /** Pending state.vscdb writes applied after Cursor exits (IDE holds the DB locked). */
 export const DEFERRED_VSCDB_APPLY_BASENAME = 'optimus_deferred_vscdb_apply.json';
+/** Shell stdout/stderr from the trusted deferred restart pipeline (apply_deferred_vscdb + open Cursor). */
+export const DEFERRED_VSCDB_RESTART_LOG_BASENAME = 'deferred_vscdb_restart.log';
 /**
  * Cached subset of GET file-patterns: reactive ItemTable key + composer shadow keys from the backend.
  * Written when patterns are fetched; remediations and vscdb reads use this so the npm package stays free
@@ -24,6 +26,9 @@ export function getRemediationInstructionsPath() {
 export function getDeferredVscdbApplyPath() {
     return join(getManagementDir(), DEFERRED_VSCDB_APPLY_BASENAME);
 }
+export function getDeferredVscdbRestartLogPath() {
+    return join(getManagementDir(), DEFERRED_VSCDB_RESTART_LOG_BASENAME);
+}
 export function getFileCollectionVscdbContractPath() {
     return join(getManagementDir(), FILE_COLLECTION_VSCDB_CONTRACT_BASENAME);
 }

package/dist/log_config_files/runtime/remediation_sync.js

@@ -362,8 +362,10 @@ function assertSafeSqliteIdentifiersForItemTable(table, keyColumn, valueColumn)
  * Exact-match only: `spawn('sh', ['-c', cmd])` runs the whole string; substring checks would allow
  * appending `; arbitrary shell` after a trusted prefix.
  */
-const TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT CURSOR_PROJECT="$REPO_ROOT" && ' +
-    "nohup bash -c 'sleep 2; if [ -f \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then node \"$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; else npx --yes -p log-llm-config apply-deferred-vscdb; fi || true; open -a Cursor \"$CURSOR_PROJECT\"' >/dev/null 2>&1 & killall -9 Cursor";
+const TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT && ' +
+    'CURSOR_PROJECT="${CURSOR_PROJECT_DIR:-$REPO_ROOT}" && export CURSOR_PROJECT && ' +
+    'OPTIMUS_DEFERRED_LOG="${HOME}/opt-ai-sec/management/deferred_vscdb_restart.log" && mkdir -p "$(dirname "$OPTIMUS_DEFERRED_LOG")" && export OPTIMUS_DEFERRED_LOG && ' +
+    "nohup bash -c 'exec >>\"\$OPTIMUS_DEFERRED_LOG\" 2>&1; echo deferred_restart:begin ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ) REPO_ROOT=\"\$REPO_ROOT\" CURSOR_PROJECT=\"\$CURSOR_PROJECT\"; sleep 2; if [ -f \"\$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then echo deferred_restart:apply_via_monorepo_node; node \"\$REPO_ROOT/npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; APPLY_EC=\$?; else echo deferred_restart:apply_via_npx; cd \"\$REPO_ROOT\" && npx --yes log-llm-config@latest apply-deferred-vscdb; APPLY_EC=\$?; fi; echo deferred_restart:apply_exit=\$APPLY_EC; if [ \$APPLY_EC -ne 0 ]; then echo deferred_restart:APPLY_FAILED_see_messages_above; fi; echo deferred_restart:open_cursor; open -a Cursor \"\$CURSOR_PROJECT\"; echo deferred_restart:open_exit=\$?; echo deferred_restart:end ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ)' >/dev/null 2>&1 & killall -9 Cursor";
 const TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\' >/dev/null 2>&1 & killall -9 Cursor';
 const TRUSTED_CLAUDE_RESTART_COMMAND = "nohup bash -c 'sleep 2 && open -a Claude' >/dev/null 2>&1 & pkill -x 'Claude'";
 /**
@@ -721,6 +723,8 @@ function queueDeferredVscdbItem(item, postApplyUpload) {
  */
 export async function applyDeferredVscdbFromDisk() {
     const path = getDeferredVscdbApplyPath();
+    hookRunLog(`deferred_vscdb: applyDeferredVscdbFromDisk queue_path=${path} exists=${existsSync(path)}`);
+    complianceRunnerDiag(`deferred_vscdb: applyDeferredVscdbFromDisk start exists=${existsSync(path)}`);
     if (!existsSync(path))
         return true;
     if (!assertSqlite3Available())
@@ -804,7 +808,7 @@ export async function applyDeferredVscdbFromDisk() {
  * is the JSON-settings-only Cursor template (kill + reopen, no `apply_deferred_vscdb`).
  */
 export function buildDeferredCursorRestartCommand() {
-    // Prefer monorepo path when hooks run from optimus-secure-fdn; otherwise `npx -p log-llm-config apply-deferred-vscdb`
+    // Prefer monorepo path when hooks run from optimus-secure-fdn; otherwise `npx --yes log-llm-config@latest apply-deferred-vscdb`
     // (package bin) so published installs work without a local npx_packages copy.
     return TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND;
 }

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -3,8 +3,13 @@
  * Used by the compliance shell hook via execute_trusted_restarts CLI — single place for allowlist + spawn.
  */
 import { spawn } from 'node:child_process';
-import { hookRunLog } from './hook_logger.js';
+import { appendComplianceRunnerLine, hookRunLog } from './hook_logger.js';
+import { getDeferredVscdbRestartLogPath } from './management_storage.js';
 import { isTrustedRestartCommandForAutofix } from './remediation_sync.js';
+const FALLBACK_PATH = '/usr/bin:/bin:/usr/local/bin:/opt/homebrew/bin';
+function isDeferredVscdbRestart(cmd) {
+    return cmd.includes('OPTIMUS_DEFERRED_LOG') || cmd.includes('apply_deferred_vscdb');
+}
 /** Spawn each trusted command detached (same pattern as former compliance_prompt_gate fireRestartCommands). */
 export function executeTrustedRestartCommands(commands) {
     for (const cmd of commands) {
@@ -12,11 +17,36 @@ export function executeTrustedRestartCommands(commands) {
         if (!t)
             continue;
         if (!isTrustedRestartCommandForAutofix(cmd)) {
-            hookRunLog(`execute_trusted_restarts: rejected (not allowlisted) prefix=${t.slice(0, 120)}`);
+            const msg = `rejected_not_allowlisted prefix=${t.slice(0, 200)}`;
+            hookRunLog(`execute_trusted_restarts: ${msg}`);
+            appendComplianceRunnerLine('RESTART', msg);
             continue;
         }
-        hookRunLog(`execute_trusted_restarts: firing command="${t}"`);
-        const child = spawn('sh', ['-c', t], { detached: true, stdio: 'ignore' });
+        const deferred = isDeferredVscdbRestart(t);
+        const detailPath = getDeferredVscdbRestartLogPath();
+        if (deferred) {
+            hookRunLog(`execute_trusted_restarts: spawning deferred state.vscdb restart (killall Cursor, then apply + reopen). Step-by-step log → ${detailPath}`);
+            appendComplianceRunnerLine('RESTART', `spawn deferred_vscdb_restart sh -c (detail_log=${detailPath}) cwd_inherited_from_node`);
+        }
+        else {
+            hookRunLog('execute_trusted_restarts: spawning trusted restart (see compliance_runner.log [RESTART])');
+            appendComplianceRunnerLine('RESTART', 'spawn trusted_restart sh -c (non-deferred)');
+        }
+        const child = spawn('sh', ['-c', t], {
+            detached: true,
+            stdio: 'ignore',
+            env: {
+                ...process.env,
+                PATH: process.env.PATH && String(process.env.PATH).trim().length > 0
+                    ? process.env.PATH
+                    : FALLBACK_PATH,
+            },
+        });
+        child.on('error', (err) => {
+            const emsg = err instanceof Error ? err.message : String(err);
+            hookRunLog(`execute_trusted_restarts: spawn failed ${emsg}`);
+            appendComplianceRunnerLine('RESTART', `spawn_error ${emsg}`);
+        });
         child.unref();
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.24",
+  "version": "1.3.26",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {