npm - log-llm-config - Versions diffs - 1.3.6 → 1.3.7 - Mend

log-llm-config 1.3.6 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/compliance_prompt_gate.js +13 -2
package/dist/log_config_files/readers/vscdb_reader.js +15 -5
package/dist/log_config_files/runtime/compliance_check.js +55 -7
package/dist/log_config_files/runtime/remediation_sync.js +1 -7
package/package.json +1 -1

package/dist/compliance_prompt_gate.js CHANGED Viewed

@@ -10,7 +10,7 @@ import { existsSync, statSync } from 'node:fs';
 import { pathToFileURL } from 'node:url';
 import { resolve } from 'node:path';
 import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
-import { hookLogSessionBanner } from './log_config_files/runtime/hook_logger.js';
+import { hookLogSessionBanner, hookRunLog } from './log_config_files/runtime/hook_logger.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
@@ -111,7 +111,18 @@ export async function runCompliancePromptGate() {
             }
             const recheck = runLocalRemediationComplianceCheck();
             const recheckOk = recheck.status === 'ok' || recheck.violations.length === 0;
-            if (deferredSqlitePending || recheckOk) {
+            // Cursor: tolerate a failing recheck only when SQLite updates are deferred (apply after restart).
+            // Claude Code: JSON remediations are written immediately; merge/verify timing can still leave the
+            // in-process recheck red for the same UUID — allow in that case only for --ide=claude.
+            const appliedUuids = new Set(appliedViolations.map((v) => v.uuid));
+            const claudeRecheckStaleAfterImmediateApply = ide === 'claude' &&
+                !recheckOk &&
+                recheck.violations.length > 0 &&
+                recheck.violations.every((v) => appliedUuids.has(v.uuid));
+            if (claudeRecheckStaleAfterImmediateApply) {
+                hookRunLog('compliance_prompt_gate: Claude — autofix wrote JSON; recheck still flags same UUID(s) — proceeding (immediate apply)');
+            }
+            if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const autofixMessage = `Optimus Security auto-fixed ${fixed} policy violation(s):\n${appliedViolations.map((v) => autofixDialogLine(v)).join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)

package/dist/log_config_files/readers/vscdb_reader.js CHANGED Viewed

@@ -1,6 +1,15 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
 import { readFileCollectionVscdbContract, writeFileCollectionVscdbContract, } from '../runtime/management_storage.js';
+/**
+ * ItemTable keys that store a bare JSON boolean; compliance paths use `${key}.${field}`.
+ * Kept in sync with `coerceItemTableValueToObjectRoot` / `serializeItemTableValueForWrite` in remediation_sync.
+ */
+export const CURSOR_SCALAR_ITEMTABLE_FIELDS = {
+    'cursor/thirdPartyExtensibilityEnabled': 'thirdPartyExtensibilityEnabled',
+    'cursorai/donotchange/privacyMode': 'privacyMode',
+    'cursor/autoOpenLocalhostUrls': 'autoOpenLocalhostUrls',
+};
 function querySqlite(dbPath, key) {
     const safe = key.replace(/'/g, "''");
     return execSync(`sqlite3 "${dbPath}" "SELECT value FROM ItemTable WHERE key='${safe}'"`, {
@@ -90,12 +99,13 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
         if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
             return { [itemKey]: parsed };
         }
-        // Bare JSON primitives (e.g. cursor/thirdPartyExtensibilityEnabled stores `true`/`false`).
+        // Bare JSON primitives. Scalar toggles must be wrapped so getByPath(key.field) works in compliance checks.
         if (typeof parsed === 'boolean' || typeof parsed === 'number' || typeof parsed === 'string') {
-            const leaf = itemKey.split('/').pop() ?? '';
-            // Legacy cursorai/donotchange/privacyMode row is bare true/false; compliance paths use …/privacyMode.privacyMode.
-            if (typeof parsed === 'boolean' && leaf === 'privacyMode') {
-                return { [itemKey]: { privacyMode: parsed } };
+            if (typeof parsed === 'boolean') {
+                const field = CURSOR_SCALAR_ITEMTABLE_FIELDS[itemKey];
+                if (field) {
+                    return { [itemKey]: { [field]: parsed } };
+                }
             }
             return { [itemKey]: parsed };
         }

package/dist/log_config_files/runtime/compliance_check.js CHANGED Viewed

@@ -5,12 +5,15 @@
  * ComplianceStatus; the prompt gate and tests use that return value. Autofix may write config files
  * and remediation_instructions.json via applyAutofixViolations / enforceRemediation.
  *
- * Prompt gate: compliance_prompt_gate runs runLocalRemediationComplianceCheck (local files only).
- * Background: compliance_check_runner runs syncRemediations (network) then the same local check.
+ * Prompt gate: compliance_prompt_gate runs runLocalRemediationComplianceCheck then applyAutofixViolations.
+ * Background: compliance_check_runner runs syncRemediations (network), the same local check, then
+ * applyAutofixViolations + executeTrustedRestartCommands so remediations apply even when only the
+ * background path runs (sqlite/vscdb updates remain Cursor-specific; restarts use the shared allowlist).
  */
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync, readFileSync, statSync } from 'node:fs';
 import { readVscdbItemTableJson } from '../readers/vscdb_reader.js';
-import { readRemediationInstructionsFile, writeRemediationInstructionsFile } from './management_storage.js';
+import { getRemediationInstructionsPath, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
+import { executeTrustedRestartCommands } from './trusted_restarts.js';
 import { complianceRunnerDiag, hookRunLog } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
@@ -431,9 +434,22 @@ export function pruneSatisfiedOneTimeRemediations() {
     }
     return { removed, reportPromises };
 }
+/** Same staleness window as compliance_prompt_gate: avoid applying very old local manifests. */
+const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+function getManifestStalenessMs() {
+    try {
+        const p = getRemediationInstructionsPath();
+        if (!existsSync(p))
+            return null;
+        return Date.now() - statSync(p).mtimeMs;
+    }
+    catch {
+        return null;
+    }
+}
 /**
- * Background refresh: server sync for latest instructions, then the same local evaluation as the hook.
- * Does not persist compliance state to disk.
+ * Background refresh: server sync, local evaluation, then autofix + trusted restarts (same enforcement
+ * as the prompt gate, without blocking stdin/stdout for the IDE).
  */
 export async function runComplianceCheck() {
     try {
@@ -442,5 +458,37 @@ export async function runComplianceCheck() {
     catch (err) {
         hookRunLog(`compliance_check: remediation_sync unexpected error: ${err instanceof Error ? err.message : String(err)}`);
     }
-    runLocalRemediationComplianceCheck();
+    const status = runLocalRemediationComplianceCheck();
+    if (status.status === 'ok' || status.violations.length === 0) {
+        const pruned = pruneSatisfiedOneTimeRemediations();
+        if (pruned.removed > 0) {
+            await Promise.allSettled(pruned.reportPromises);
+        }
+        return;
+    }
+    const staleMs = getManifestStalenessMs();
+    if (staleMs !== null && staleMs > MANIFEST_STALE_MS) {
+        const staleDays = Math.floor(staleMs / (24 * 60 * 60 * 1000));
+        hookRunLog(`compliance_check_runner: skip autofix — local remediation manifest is stale (${staleDays} days old)`);
+        return;
+    }
+    const { fixed, restartCommands, failedViolations, reportPromises } = applyAutofixViolations(status.violations);
+    if (fixed === 0) {
+        if (failedViolations.length > 0) {
+            hookRunLog(`compliance_check_runner: autofix failed for ${failedViolations.length} violation(s) (see autofix logs above)`);
+        }
+        return;
+    }
+    await Promise.allSettled(reportPromises);
+    if (failedViolations.length > 0) {
+        hookRunLog(`compliance_check_runner: autofix partial failure — ${failedViolations.length} violation(s) still unresolved`);
+    }
+    if (restartCommands.length > 0) {
+        hookRunLog(`compliance_check_runner: executing ${restartCommands.length} trusted restart command(s)`);
+        executeTrustedRestartCommands(restartCommands);
+    }
+    const pruned = pruneSatisfiedOneTimeRemediations();
+    if (pruned.removed > 0) {
+        await Promise.allSettled(pruned.reportPromises);
+    }
 }

package/dist/log_config_files/runtime/remediation_sync.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { readStoredAuthKey } from '../auth/auth_key_store.js';
 import { createSignature } from '../sender/signing.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { tryResolveHardwareUuid } from './hardware_uuid.js';
-import { persistVscdbComposerContractFromPatternsResponse, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
+import { CURSOR_SCALAR_ITEMTABLE_FIELDS, persistVscdbComposerContractFromPatternsResponse, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
 import { sendConfigFile } from '../sender/batch_sender.js';
 import { getFileCollectionPatterns } from '../../endpoint_client/registry_api.js';
 function reactiveStorageItemKeyFromContract() {
@@ -410,12 +410,6 @@ function resolveCursorComposerSqliteOp(dbPath, sqliteOp) {
     return sqliteOp;
 }
 /** Apply sqlite merge: dot-path, or array match where `json_path` is `…container.arrayKey` (e.g. `modes4` or `composerState.modes4`). */
-/** ItemTable keys that store a JSON primitive; map to one field for merge + serialize. */
-const CURSOR_SCALAR_ITEMTABLE_FIELDS = {
-    'cursor/thirdPartyExtensibilityEnabled': 'thirdPartyExtensibilityEnabled',
-    'cursorai/donotchange/privacyMode': 'privacyMode',
-    'cursor/autoOpenLocalhostUrls': 'autoOpenLocalhostUrls',
-};
 function coerceScalarForItemTableField(parsed) {
     if (typeof parsed === 'boolean')
         return parsed;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.6",
+  "version": "1.3.7",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {