log-llm-config 1.3.5 → 1.3.7

package/dist/compliance_prompt_gate.js

@@ -10,7 +10,7 @@ import { existsSync, statSync } from 'node:fs';
 import { pathToFileURL } from 'node:url';
 import { resolve } from 'node:path';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
-import { hookLogSessionBanner } from './log_config_files/runtime/hook_logger.js';
+import { hookLogSessionBanner, hookRunLog } from './log_config_files/runtime/hook_logger.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
@@ -111,7 +111,18 @@ export async function runCompliancePromptGate() {
             }
             const recheck = runLocalRemediationComplianceCheck();
             const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
-            if (deferredSqlitePending || recheckOk) {
+            // Cursor: tolerate a failing recheck only when SQLite updates are deferred (apply after restart).
+            // Claude Code: JSON remediations are written immediately; merge/verify timing can still leave the
+            // in-process recheck red for the same UUID — allow in that case only for --ide=claude.
+            const appliedUuids = new Set(appliedViolations.map((v) => v.uuid));
+            const claudeRecheckStaleAfterImmediateApply = ide === 'claude' &&
+                !recheckOk &&
+                recheck.violations.length > 0 &&
+                recheck.violations.every((v) => appliedUuids.has(v.uuid));
+            if (claudeRecheckStaleAfterImmediateApply) {
+                hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
+            }
+            if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const autofixMessage = `Optimus Security auto-fixed ${fixed} policy violation(s):\n${appliedViolations.map((v) => autofixDialogLine(v)).join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)

package/dist/log_config_files/readers/vscdb_reader.js

@@ -1,6 +1,15 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
 import { readFileCollectionVscdbContract, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
+/**
+ * ItemTable keys that store a bare JSON boolean; compliance paths use `${key}.${field}`.
+ * Kept in sync with `coerceItemTableValueToObjectRoot` / `serializeItemTableValueForWrite` in remediation_sync.
+ */
+export const CURSOR_SCALAR_ITEMTABLE_FIELDS = {
+    'cursor/thirdPartyExtensibilityEnabled': 'thirdPartyExtensibilityEnabled',
+    'cursorai/donotchange/privacyMode': 'privacyMode',
+    'cursor/autoOpenLocalhostUrls': 'autoOpenLocalhostUrls',
+};
 function querySqlite(dbPath, key) {
     const safe = key.replace(/'/g, "''");
     return execSync(`sqlite3 "${dbPath}" "SELECT value FROM ItemTable WHERE key='${safe}'"`, {
@@ -90,8 +99,14 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
         if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
             return { [itemKey]: parsed };
         }
-        // Bare JSON primitives (e.g. cursor/thirdPartyExtensibilityEnabled stores `true`/`false`).
+        // Bare JSON primitives. Scalar toggles must be wrapped so getByPath(key.field) works in compliance checks.
         if (typeof parsed === 'boolean' || typeof parsed === 'number' || typeof parsed === 'string') {
+            if (typeof parsed === 'boolean') {
+                const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[itemKey];
+                if (field) {
+                    return { [itemKey]: { [field]: parsed } };
+                }
+            }
             return { [itemKey]: parsed };
         }
         return { [itemKey]: {} };

package/dist/log_config_files/runtime/compliance_check.js

@@ -5,12 +5,15 @@
  * ComplianceStatus; the prompt gate and tests use that return value. Autofix may write config files
  * and remediation_instructions.json via applyAutofixViolations / enforceRemediation.
  *
- * Prompt gate: compliance_prompt_gate runs runLocalRemediationComplianceCheck (local files only).
- * Background: compliance_check_runner runs syncRemediations (network) then the same local check.
+ * Prompt gate: compliance_prompt_gate runs runLocalRemediationComplianceCheck then applyAutofixViolations.
+ * Background: compliance_check_runner runs syncRemediations (network), the same local check, then
+ * applyAutofixViolations + executeTrustedRestartCommands so remediations apply even when only the
+ * background path runs (sqlite/vscdb updates remain Cursor-specific; restarts use the shared allowlist).
  */
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync, readFileSync, statSync } from 'node:fs';
 import { readVscdbItemTableJson } from '../readers/vscdb_reader.js';
-import { readRemediationInstructionsFile, writeRemediationInstructionsFile } from './management_storage.js';
+import { getRemediationInstructionsPath, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
+import { executeTrustedRestartCommands } from './trusted_restarts.js';
 import { complianceRunnerDiag, hookRunLog } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
@@ -20,6 +23,14 @@ import { readStoredAuthKey } from '../auth/auth_key_store.js';
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
+/**
+ * ItemTable keys use slashes (e.g. cursorai/donotchange/privacyMode) and do not contain dots.
+ * Compliance setting_path is `${itemKey}.${nested.path}` — take the segment before the first `.`.
+ */
+export function itemTableKeyFromSettingPath(settingPath) {
+    const i = settingPath.indexOf('.');
+    return i === -1 ? settingPath : settingPath.slice(0, i);
+}
 /** Traverse a JSON object using dot-notation path. Returns undefined if any segment is missing. */
 export function getByPath(obj, path) {
     const parts = path.split('.');
@@ -85,20 +96,25 @@ function verifyOpsApplied(configJson, settingPath, ops) {
     }
     return { ok: true, expected: null };
 }
-/** Plain JSON file or virtual `…/state.vscdb#composerState` path for ItemTable-backed settings. */
-function loadRemediationConfigJson(configFilePath) {
+/** Plain JSON file or virtual `…/state.vscdb#itemKey` path for ItemTable-backed settings. */
+function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
     const hashIdx = configFilePath.indexOf('#');
     if (hashIdx >= 0) {
         const dbPath = configFilePath.slice(0, hashIdx);
-        const itemKey = configFilePath.slice(hashIdx + 1).trim();
-        if (!itemKey)
+        const itemKeyFromPath = configFilePath.slice(hashIdx + 1).trim();
+        if (!itemKeyFromPath)
             return { ok: false, reason: 'empty_vscdb_key' };
         if (!existsSync(dbPath))
             return { ok: false, reason: 'db_not_found' };
-        const wrapped = readVscdbItemTableJson(dbPath, itemKey);
-        if (wrapped === null)
-            return { ok: false, reason: 'vscdb_read_failed' };
-        return { ok: true, json: wrapped };
+        const keys = new Set([itemKeyFromPath, ...checkSettingPaths.map(itemTableKeyFromSettingPath)].filter(Boolean));
+        const merged = {};
+        for (const k of keys) {
+            const wrapped = readVscdbItemTableJson(dbPath, k);
+            if (wrapped === null)
+                return { ok: false, reason: 'vscdb_read_failed' };
+            Object.assign(merged, wrapped);
+        }
+        return { ok: true, json: merged };
     }
     if (!existsSync(configFilePath))
         return { ok: false, reason: 'file_not_found' };
@@ -137,7 +153,7 @@ export function runLocalRemediationComplianceCheck() {
             const checks = compliance.checks ?? [];
             if (checks.length === 0)
                 continue;
-            const loaded = loadRemediationConfigJson(entry.config_file_path);
+            const loaded = loadRemediationConfigJson(entry.config_file_path, checks.map((c) => c.setting_path));
             if (!loaded.ok) {
                 const msg = loaded.reason === 'file_not_found'
                     ? `compliance_check: config file not found, skipping uuid=${entry.uuid}`
@@ -374,7 +390,7 @@ export function pruneSatisfiedOneTimeRemediations() {
             remaining.push(raw);
             continue;
         }
-        const prLoaded = loadRemediationConfigJson(inst.config_file_path);
+        const prLoaded = loadRemediationConfigJson(inst.config_file_path, checks.map((c) => c.setting_path));
         if (!prLoaded.ok) {
             remaining.push(raw);
             continue;
@@ -418,9 +434,22 @@ export function pruneSatisfiedOneTimeRemediations() {
     }
     return { removed, reportPromises };
 }
+/** Same staleness window as compliance_prompt_gate: avoid applying very old local manifests. */
+const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+function getManifestStalenessMs() {
+    try {
+        const p = getRemediationInstructionsPath();
+        if (!existsSync(p))
+            return null;
+        return Date.now() - statSync(p).mtimeMs;
+    }
+    catch {
+        return null;
+    }
+}
 /**
- * Background refresh: server sync for latest instructions, then the same local evaluation as the hook.
- * Does not persist compliance state to disk.
+ * Background refresh: server sync, local evaluation, then autofix + trusted restarts (same enforcement
+ * as the prompt gate, without blocking stdin/stdout for the IDE).
  */
 export async function runComplianceCheck() {
     try {
@@ -429,5 +458,37 @@ export async function runComplianceCheck() {
     catch (err) {
         hookRunLog(`compliance_check: remediation_sync unexpected error: ${err instanceof Error ? err.message : String(err)}`);
     }
-    runLocalRemediationComplianceCheck();
+    const status = runLocalRemediationComplianceCheck();
+    if (status.status === 'ok' || status.violations.length === 0) {
+        const pruned = pruneSatisfiedOneTimeRemediations();
+        if (pruned.removed > 0) {
+            await Promise.allSettled(pruned.reportPromises);
+        }
+        return;
+    }
+    const staleMs = getManifestStalenessMs();
+    if (staleMs !== null && staleMs > MANIFEST_STALE_MS) {
+        const staleDays = Math.floor(staleMs / (24 * 60 * 60 * 1000));
+        hookRunLog(`compliance_check_runner: skip autofix — local remediation manifest is stale (${staleDays} days old)`);
+        return;
+    }
+    const { fixed, restartCommands, failedViolations, reportPromises } = applyAutofixViolations(status.violations);
+    if (fixed === 0) {
+        if (failedViolations.length > 0) {
+            hookRunLog(`compliance_check_runner: autofix failed for ${failedViolations.length} violation(s) (see autofix logs above)`);
+        }
+        return;
+    }
+    await Promise.allSettled(reportPromises);
+    if (failedViolations.length > 0) {
+        hookRunLog(`compliance_check_runner: autofix partial failure — ${failedViolations.length} violation(s) still unresolved`);
+    }
+    if (restartCommands.length > 0) {
+        hookRunLog(`compliance_check_runner: executing ${restartCommands.length} trusted restart command(s)`);
+        executeTrustedRestartCommands(restartCommands);
+    }
+    const pruned = pruneSatisfiedOneTimeRemediations();
+    if (pruned.removed > 0) {
+        await Promise.allSettled(pruned.reportPromises);
+    }
 }

package/dist/log_config_files/runtime/remediation_sync.js

@@ -8,7 +8,7 @@ import { readStoredAuthKey } from '../auth/auth_key_store.js';
 import { createSignature } from '../sender/signing.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { tryResolveHardwareUuid } from './hardware_uuid.js';
-import { persistVscdbComposerContractFromPatternsResponse, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
+import { CURSOR_SCALAR_ITEMTABLE_FIELDS, persistVscdbComposerContractFromPatternsResponse, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
 import { sendConfigFile } from '../sender/batch_sender.js';
 import { getFileCollectionPatterns } from '../../endpoint_client/registry_api.js';
 function reactiveStorageItemKeyFromContract() {
@@ -410,12 +410,6 @@ function resolveCursorComposerSqliteOp(dbPath, sqliteOp) {
     return sqliteOp;
 }
 /** Apply sqlite merge: dot-path, or array match where `json_path` is `…container.arrayKey` (e.g. `modes4` or `composerState.modes4`). */
-/** ItemTable keys that store a JSON primitive; map to one field for merge + serialize. */
-const CURSOR_SCALAR_ITEMTABLE_FIELDS = {
-    'cursor/thirdPartyExtensibilityEnabled': 'thirdPartyExtensibilityEnabled',
-    'cursorai/donotchange/privacyMode': 'privacyMode',
-    'cursor/autoOpenLocalhostUrls': 'autoOpenLocalhostUrls',
-};
 function coerceScalarForItemTableField(parsed) {
     if (typeof parsed === 'boolean')
         return parsed;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.5",
+  "version": "1.3.7",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {