log-llm-config 1.3.31 → 1.3.35

package/dist/log_config_files/auth/auth_flow.js

@@ -1,76 +1,22 @@
-import { mkdirSync, writeFileSync } from 'node:fs';
 import path from 'node:path';
 import { postStartupPayload } from '../../endpoint_client/index.js';
-import { createSignature } from '../sender/signing.js';
+import { ensureAuthentication as ensureTofuAuthentication } from 'optimus-tofu';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
-import { getAuthKeyPath, readStoredAuthKey } from './auth_key_store.js';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 import { hookRunLog } from '../runtime/hook_logger.js';
-function resolveApiBase(endpoint) {
-    try {
-        return new URL(endpoint).origin;
-    }
-    catch {
-        return endpoint.replace(/\/+$/, '');
-    }
-}
-function persistAuthKey(key, keyId, hardwareUuid) {
-    const authPath = getAuthKeyPath();
-    if (!authPath)
-        return;
-    mkdirSync(path.dirname(authPath), { recursive: true, mode: 0o700 });
-    writeFileSync(authPath, JSON.stringify({ key, key_id: keyId ?? null, hardware_uuid: hardwareUuid, stored_at: new Date().toISOString() }, null, 2), { encoding: 'utf8', mode: 0o600 });
-}
-async function verifyStoredKey(hardwareUuid, storedKey, authUrl) {
-    const verifyPayload = { hardware_uuid: hardwareUuid };
-    const signature = createSignature(verifyPayload, storedKey.key);
-    const requestBody = { hardware_uuid: hardwareUuid, signature, key_id: storedKey.key_id || '' };
-    try {
-        const response = await postStartupPayload(authUrl, requestBody);
-        if (response.status === 'authenticated') {
-            console.log('Auth key verified successfully.');
-            hookRunLog(`auth: verified key_id_suffix=${(storedKey.key_id || '').slice(-8) || '(none)'}`);
-            return storedKey;
-        }
-        if (response.status === 'key_issued' && response.key) {
-            console.log('Stored key was invalid, received new key from server.');
-            hookRunLog('auth: new_key_issued (stored key was invalid)');
-            persistAuthKey(response.key, response.key_id, hardwareUuid);
-            return { key: response.key, key_id: response.key_id, hardware_uuid: hardwareUuid };
-        }
-        console.warn('Key verification failed, will request new key.');
-        return null;
-    }
-    catch (error) {
-        console.warn(`Failed to verify key: ${error instanceof Error ? error.message : String(error)}, will request new key.`);
-        return null;
-    }
-}
-async function requestNewKey(hardwareUuid, authUrl) {
-    console.log('No valid auth key found, performing authentication handshake...');
-    try {
-        const response = await postStartupPayload(authUrl, { hardware_uuid: hardwareUuid });
-        if (response.status === 'key_issued' && response.key) {
-            hookRunLog('auth: handshake_new_key');
-            persistAuthKey(response.key, response.key_id, hardwareUuid);
-            console.log(`Stored new auth key at ${getAuthKeyPath()}`);
-            return { key: response.key, key_id: response.key_id, hardware_uuid: hardwareUuid };
-        }
-        throw new Error(`Authentication failed: ${response.error || response.message || 'Unknown error'}`);
-    }
-    catch (error) {
-        throw new Error(`Failed to authenticate: ${error instanceof Error ? error.message : String(error)}`);
-    }
-}
+const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
 /** Ensure authentication — verify stored key or request new one via handshake. */
 async function ensureAuthentication(hardwareUuid) {
-    const endpoint = loadEndpointBase();
-    const authUrl = `${resolveApiBase(endpoint)}/endpoint_security/auth/`;
-    const storedKey = readStoredAuthKey();
-    if (storedKey?.key && storedKey.hardware_uuid === hardwareUuid) {
-        const verified = await verifyStoredKey(hardwareUuid, storedKey, authUrl);
-        if (verified)
-            return verified;
-    }
-    return requestNewKey(hardwareUuid, authUrl);
+    const key = await ensureTofuAuthentication({
+        hardwareUuid,
+        endpointBase: loadEndpointBase(),
+        authRelativePath: AUTH_KEY_RELATIVE_PATH,
+        postJson: (endpointUrl, body) => postStartupPayload(endpointUrl, body),
+        onLog: (message) => {
+            if (message.startsWith('auth:'))
+                hookRunLog(message);
+        },
+    });
+    return key;
 }
 export { ensureAuthentication };

package/dist/log_config_files/auth/auth_key_store.js

@@ -1,29 +1,14 @@
-import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
+import { getAuthKeyPath as getSharedAuthKeyPath, readStoredAuthKey as readSharedStoredAuthKey, } from 'optimus-tofu';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
+const AUTH_KEY_OPTIONS = { authRelativePath: AUTH_KEY_RELATIVE_PATH };
 /** Return absolute path to auth_key.txt, or null if home dir is unavailable. */
 function getAuthKeyPath() {
-    const homeDir = process.env.HOME || process.env.USERPROFILE;
-    if (!homeDir)
-        return null;
-    return path.join(homeDir, AUTH_KEY_RELATIVE_PATH);
+    return getSharedAuthKeyPath(AUTH_KEY_OPTIONS);
 }
 /** Read and parse the stored auth key, or return null if absent/unreadable. */
 function readStoredAuthKey() {
-    const authPath = getAuthKeyPath();
-    if (!authPath || !existsSync(authPath))
-        return null;
-    try {
-        const raw = readFileSync(authPath, 'utf8');
-        const parsed = JSON.parse(raw);
-        if (parsed?.key && parsed?.hardware_uuid) {
-            return parsed;
-        }
-    }
-    catch (error) {
-        console.warn(`Unable to read stored auth key: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    return null;
+    return readSharedStoredAuthKey(AUTH_KEY_OPTIONS);
 }
 export { getAuthKeyPath, readStoredAuthKey };

package/dist/log_config_files/sender/endpoint_config.js

@@ -1,65 +1,11 @@
-import { existsSync, readFileSync } from 'node:fs';
-import path from 'node:path';
-const DEFAULT_ENDPOINT = 'https://demo.optimuslabs.io/';
-/**
- * Walk up from `dir` looking for `optimus_dev.env`, stopping at the filesystem
- * root. Returns the first path found, or null. Mirrors how git finds .git.
- */
-function findEnvFileUpward(dir) {
-    let current = dir;
-    while (true) {
-        const candidate = path.join(current, 'optimus_dev.env');
-        if (existsSync(candidate))
-            return candidate;
-        const parent = path.dirname(current);
-        if (parent === current)
-            return null; // filesystem root
-        current = parent;
-    }
-}
-function parseEndpointFromFile(filePath) {
-    try {
-        const envContent = readFileSync(filePath, 'utf8');
-        for (const line of envContent.split(/\r?\n/)) {
-            const trimmed = line.trim();
-            if (!trimmed || trimmed.startsWith('#'))
-                continue;
-            const [key, ...rest] = trimmed.split('=');
-            if (key === 'OPTIMUS_ENDPOINT') {
-                const value = rest.join('=').trim();
-                if (value)
-                    return value.replace(/\/+$/, '') + '/';
-            }
-        }
-    }
-    catch {
-        // ignore
-    }
-    return null;
-}
+import { getEndpointSource as getSharedEndpointSource, loadEndpointBase, } from "optimus-tofu";
 /** Where endpoint came from (for logging). */
 function getEndpointSource() {
-    if (process.env.OPTIMUS_ENDPOINT?.trim())
-        return 'env';
-    const found = findEnvFileUpward(process.cwd());
-    if (found && parseEndpointFromFile(found))
-        return 'file';
-    return 'default';
-}
-/**
- * Load OPTIMUS_ENDPOINT: env var wins, then walk up from cwd looking for
- * optimus_dev.env, then default (https://demo.optimuslabs.io/).
- */
-function loadEndpointBase() {
-    const fromEnv = process.env.OPTIMUS_ENDPOINT?.trim();
-    if (fromEnv)
-        return fromEnv.replace(/\/+$/, '') + '/';
-    const found = findEnvFileUpward(process.cwd());
-    if (found) {
-        const value = parseEndpointFromFile(found);
-        if (value)
-            return value;
-    }
-    return DEFAULT_ENDPOINT;
+    const source = getSharedEndpointSource();
+    if (source === "file")
+        return "file";
+    if (source === "default")
+        return "default";
+    return "env";
 }
 export { loadEndpointBase, getEndpointSource };

package/dist/log_config_files/sender/signing.js

@@ -1,15 +1 @@
-import crypto from 'node:crypto';
-import { createRequire } from 'node:module';
-const canonicalize = createRequire(import.meta.url)('canonicalize');
-/** RFC 8785 canonical JSON — must match server's rfc8785.dumps() exactly. */
-function canonicalizePayload(payload) {
-    const out = canonicalize(payload);
-    return out ?? '{}';
-}
-/** Create HMAC-SHA256 signature for a payload (canonicalize then sign). */
-function createSignature(payload, keyHex) {
-    const canonicalPayload = canonicalizePayload(payload);
-    const keyBuffer = Buffer.from(keyHex, 'hex');
-    return crypto.createHmac('sha256', keyBuffer).update(canonicalPayload).digest('hex');
-}
-export { canonicalizePayload, createSignature };
+export { canonicalizePayload, createSignature } from 'optimus-tofu';

package/dist/log_uuid/startup_sender.js

@@ -1,7 +1,8 @@
-import crypto from 'node:crypto';
+import { createSignature as createSharedSignature } from 'optimus-tofu';
 import { classifyEndpointResponse, postStartupPayload } from '../endpoint_client/index.js';
 import { resolveHardwareUuid } from './hardware_uuid.js';
 import { writeAuthKey, readStoredAuthKey, loadEndpointBase, buildStartupEndpointUrl } from './auth_key_store.js';
+import { resolveUserProfile } from './user_profile.js';
 const canonicalizeValue = (value) => {
     if (Array.isArray(value))
         return value.map(canonicalizeValue);
@@ -15,8 +16,8 @@ const canonicalizeValue = (value) => {
 };
 const canonicalStringify = (value) => JSON.stringify(canonicalizeValue(value));
 const createSignature = (payloadSummary, keyHex) => {
-    const keyBuffer = Buffer.from(keyHex, 'hex');
-    return crypto.createHmac('sha256', keyBuffer).update(canonicalStringify(payloadSummary)).digest('hex');
+    // Keep this adapter for backward compatibility of public exports in log_uuid.
+    return createSharedSignature(payloadSummary, keyHex);
 };
 const getMetadata = () => ({
     github_username: process.env.GITHUB_USER || process.env.GH_USER || '',
@@ -25,6 +26,7 @@ const getMetadata = () => ({
     branch: process.env.GITHUB_REF_NAME || process.env.BRANCH_NAME || '',
     commit_sha: process.env.GITHUB_SHA || '',
     agent_name: process.env.OPTIMUS_AGENT || '',
+    user_profile: { ...resolveUserProfile() },
 });
 function buildRequestBody(hardwareUuid, timestamp) {
     const payloadSummary = { timestamp, directory: process.cwd(), hardware_uuid: hardwareUuid };

package/dist/log_uuid/user_profile.js

@@ -12,7 +12,7 @@ const safeJsonParse = (raw) => {
         return null;
     }
 };
-const readCursorCachedEmail = () => {
+const readCursorCachedEmailFromVscdb = () => {
     const dbPath = path.join(os.homedir(), 'Library/Application Support/Cursor/User/globalStorage/state.vscdb');
     if (!fs.existsSync(dbPath))
         return '';
@@ -24,7 +24,31 @@ const readCursorCachedEmail = () => {
         return '';
     }
 };
-const readClaudeAuthEmail = () => {
+/** Fallback: `storage.json` key path `cursor.auth.email` (design_notes). */
+const readCursorCachedEmailFromStorageJson = () => {
+    const fp = path.join(os.homedir(), 'Library/Application Support/Cursor/User/globalStorage/storage.json');
+    if (!fs.existsSync(fp))
+        return '';
+    try {
+        const parsed = safeJsonParse(fs.readFileSync(fp, { encoding: 'utf8' }));
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+            return '';
+        const root = parsed;
+        const cursor = root.cursor;
+        if (!cursor || typeof cursor !== 'object' || Array.isArray(cursor))
+            return '';
+        const auth = cursor.auth;
+        if (!auth || typeof auth !== 'object' || Array.isArray(auth))
+            return '';
+        const email = auth.email;
+        return typeof email === 'string' ? email.trim() : '';
+    }
+    catch {
+        return '';
+    }
+};
+const readCursorCachedEmail = () => readCursorCachedEmailFromVscdb() || readCursorCachedEmailFromStorageJson();
+const readClaudeAuthEmailFromCli = () => {
     try {
         const out = execFileSync('claude', ['auth', 'status'], {
             encoding: 'utf8',
@@ -35,7 +59,7 @@ const readClaudeAuthEmail = () => {
         const parsed = safeJsonParse(out);
         if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
             const email = parsed.email;
-            return typeof email === 'string' ? email : '';
+            return typeof email === 'string' ? email.trim() : '';
         }
     }
     catch {
@@ -43,6 +67,30 @@ const readClaudeAuthEmail = () => {
     }
     return '';
 };
+/** Fallback: optional Claude config files under ~/.claude/ (design_notes). */
+const readClaudeEmailFromHomeFiles = () => {
+    const candidates = [
+        path.join(os.homedir(), '.claude/.credentials.json'),
+        path.join(os.homedir(), '.claude/.claude.json'),
+    ];
+    for (const fp of candidates) {
+        if (!fs.existsSync(fp))
+            continue;
+        try {
+            const parsed = safeJsonParse(fs.readFileSync(fp, { encoding: 'utf8' }));
+            if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+                continue;
+            const email = parsed.email;
+            if (typeof email === 'string' && email.includes('@'))
+                return email.trim();
+        }
+        catch {
+            /* try next */
+        }
+    }
+    return '';
+};
+const readClaudeAuthEmail = () => readClaudeAuthEmailFromCli().trim() || readClaudeEmailFromHomeFiles();
 const readMacUsername = () => {
     const fromEnv = process.env.OPTIMUS_MAC_USERNAME?.trim() ||
         process.env.USER?.trim() ||
@@ -52,7 +100,23 @@ const readMacUsername = () => {
         return fromEnv;
     return readCommandOutput('id -un');
 };
+/**
+ * Matches design_notes order: `gh api user` (login), then CI-style env, then `git config user.name`.
+ * `metadata.github_username` in startup_sender still uses env only; this field is the richer probe.
+ */
 const readGithubUsername = () => {
+    try {
+        const out = execFileSync('gh', ['api', 'user', '--jq', '.login'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            maxBuffer: 1024 * 1024,
+        }).trim();
+        if (out)
+            return out;
+    }
+    catch {
+        /* gh missing or not authenticated */
+    }
     return (process.env.GITHUB_USER?.trim() ||
         process.env.GH_USER?.trim() ||
         readCommandOutput('git config user.name'));
@@ -72,8 +136,35 @@ const readUserProfileFromEnvOrFile = () => {
     }
     return null;
 };
+const isPlausibleUuid = (s) => /^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/i.test(s.trim());
+/**
+ * macOS Open Directory **GeneratedUID** for the console user (same concept as Directory Utility).
+ * See `dscl . -read /Users/<shortname> GeneratedUID`. Not the hardware UUID (that is `machineuuid`).
+ *
+ * `OPTIMUS_MAC_GENERATED_UID` overrides for tests or locked-down environments where `dscl` is unavailable.
+ */
+const readMacAccountGeneratedUid = () => {
+    const env = process.env.OPTIMUS_MAC_GENERATED_UID?.trim();
+    if (env && isPlausibleUuid(env))
+        return env.trim().toLowerCase();
+    if (process.platform !== 'darwin')
+        return '';
+    const user = readMacUsername();
+    if (!user || !/^[a-zA-Z0-9._-]+$/.test(user))
+        return '';
+    try {
+        const out = execFileSync('dscl', ['.', '-read', `/Users/${user}`, 'GeneratedUID'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+        const m = out.match(/GeneratedUID:\s*([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})/);
+        if (m?.[1] && isPlausibleUuid(m[1]))
+            return m[1].toLowerCase();
+    }
+    catch {
+        return '';
+    }
+    return '';
+};
 const buildDefaultUserProfile = () => ({
-    generateduuid: crypto.randomUUID(),
+    generateduuid: readMacAccountGeneratedUid() || crypto.randomUUID(),
     machineuuid: resolveHardwareUuid(),
     mac_username: readMacUsername(),
     github_username: readGithubUsername(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.31",
+  "version": "1.3.35",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {
@@ -56,6 +56,7 @@
   },
   "dependencies": {
     "axios": "^1.15.0",
-    "canonicalize": "^2.1.0"
+    "canonicalize": "^2.1.0",
+    "optimus-tofu": "^0.1.0"
   }
 }