log-llm-config 1.3.70 → 1.3.74

package/dist/compliance_prompt_gate.js

@@ -8,12 +8,14 @@
  */
 import { applyAutofixViolations, normalizeAgentToken, pruneSatisfiedOneTimeRemediations, runLocalRemediationComplianceCheck, } from './log_config_files/runtime/compliance_check.js';
 import { existsSync, readFileSync, statSync } from 'node:fs';
-import { getRemediationInstructionsPath } from './log_config_files/runtime/management_storage.js';
+import { getRemediationInstructionsPath, readRemediationInstructionsFile } from './log_config_files/runtime/management_storage.js';
 import { hookLogSessionBanner, hookRunLog, logRemediationApplyFailure } from './log_config_files/runtime/hook_logger.js';
 import { isThisCliModule } from './cli_invocation_match.js';
 import { ensureAuthentication } from './log_config_files/auth/auth_flow.js';
 import { sendConfigFile } from './log_config_files/sender/batch_sender.js';
 import { tryResolveHardwareUuid } from './log_config_files/runtime/hardware_uuid.js';
+import { syncRemediations } from './log_config_files/runtime/remediation_sync.js';
+import { loadEndpointBase } from './log_config_files/sender/endpoint_config.js';
 const MANIFEST_STALE_MS = 7 * 24 * 60 * 60 * 1000;
 function parseIde() {
     const eq = process.argv.find((a) => a.startsWith('--ide='));
@@ -90,6 +92,19 @@ function autofixDialogLine(v) {
     const short = d.length > 160 ? `${d.slice(0, 157)}…` : d;
     return `• [${v.finding_formatted_id}] ${short}`;
 }
+/** Cursor restart dialog after enforced/preventive remediation is applied locally. */
+export function formatCursorRestartAutofixDialog(appliedViolations) {
+    const policyNames = [
+        ...new Set(appliedViolations
+            .map((v) => v.policy_name?.trim() || v.finding_title?.trim() || '')
+            .filter(Boolean)),
+    ];
+    const policyLabel = policyNames.length > 0 ? policyNames.join('\n\n') : 'Agent security policy';
+    return ('Optimus Labs enforced a preventive agent security policy as determined by your security team:\n\n' +
+        `${policyLabel}\n\n` +
+        'Cursor will now restart to apply this policy, and your context will be retained.\n\n' +
+        'Click OK to continue');
+}
 /**
  * Upload a secondary compliance file to the backend so the server can resolve the finding.
  * Fire-and-forget: upload runs in background; any failure is logged but does not block the gate.
@@ -135,6 +150,24 @@ export async function runCompliancePromptGate() {
     const ide = parseIde();
     const agent = parseAgent(ide);
     hookLogSessionBanner('compliance_prompt_gate (before submit)');
+    // Sync before checking so server-side changes (enforce/unenforce) propagate on every prompt
+    // without waiting for the background runner. Race against a 3 s timeout so a slow or
+    // unavailable server never delays the gate significantly.
+    const hw = tryResolveHardwareUuid();
+    if (hw) {
+        const { remediations } = readRemediationInstructionsFile();
+        if (Array.isArray(remediations) && remediations.length > 0) {
+            try {
+                await Promise.race([
+                    syncRemediations(loadEndpointBase(), hw),
+                    new Promise((resolve) => setTimeout(resolve, 3000)),
+                ]);
+            }
+            catch {
+                // Network or auth failure — fall back to local file state.
+            }
+        }
+    }
     const status = runLocalRemediationComplianceCheck(agent);
     // Secondary-satisfied: primary checks failed but settings.json (or equiv) has the fix.
     // Upload those files fire-and-forget so the backend can resolve the finding immediately.
@@ -189,9 +222,11 @@ export async function runCompliancePromptGate() {
             }
             if (deferredSqlitePending || recheckOk || claudeRecheckStaleAfterImmediateApply) {
                 const violationLabel = fixed === 1 ? 'policy violation' : 'policy violations';
-                const autofixMessage = `Optimus Labs auto-fixed ${fixed} ${violationLabel}:\n\n${appliedViolations
-                    .map((v) => autofixDialogLine(v))
-                    .join('\n')}`;
+                const autofixMessage = ide === 'cursor' && restartCommands.length > 0
+                    ? formatCursorRestartAutofixDialog(appliedViolations)
+                    : `Optimus Labs auto-fixed ${fixed} ${violationLabel}:\n\n${appliedViolations
+                        .map((v) => autofixDialogLine(v))
+                        .join('\n')}`;
                 const payload = { __optimus_autofix: true, autofix_message: autofixMessage };
                 if (restartCommands.length > 0)
                     payload.restart_commands = restartCommands;

package/dist/log_config_files/runtime/compliance_check.js

@@ -325,6 +325,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                                 description: check.description,
                                 finding_title: entry.finding_title,
                                 finding_description: entry.finding_description,
+                                policy_name: entry.policy_name,
                                 severity: compliance.severity,
                                 autofix_allowed: compliance.autofix_allowed,
                                 config_file_path: entry.config_file_path,
@@ -347,6 +348,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                             description: check.description,
                             finding_title: entry.finding_title,
                             finding_description: entry.finding_description,
+                            policy_name: entry.policy_name,
                             severity: compliance.severity,
                             autofix_allowed: compliance.autofix_allowed,
                             config_file_path: entry.config_file_path,
@@ -371,6 +373,7 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                         description: check.description,
                         finding_title: entry.finding_title,
                         finding_description: entry.finding_description,
+                        policy_name: entry.policy_name,
                         severity: compliance.severity,
                         autofix_allowed: compliance.autofix_allowed,
                         config_file_path: entry.config_file_path,

package/dist/log_config_files/runtime/remediation_sync.js

@@ -394,7 +394,7 @@ function assertSafeSqliteIdentifiersForItemTable(table, keyColumn, valueColumn)
 const TRUSTED_CURSOR_SQLITE_DEFERRED_RESTART_COMMAND = 'REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export REPO_ROOT && ' +
     'CURSOR_PROJECT="${CURSOR_PROJECT_DIR:-$REPO_ROOT}" && export CURSOR_PROJECT && ' +
     'OPTIMUS_DEFERRED_LOG="${HOME}/opt-ai-sec/management/deferred_vscdb_restart.log" && mkdir -p "$(dirname "$OPTIMUS_DEFERRED_LOG")" && export OPTIMUS_DEFERRED_LOG && ' +
-    "nohup bash -c 'exec >>\"\$OPTIMUS_DEFERRED_LOG\" 2>&1; echo deferred_restart:begin ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ) REPO_ROOT=\"\$REPO_ROOT\" CURSOR_PROJECT=\"\$CURSOR_PROJECT\"; sleep 2; STATIC_DEV_ENV=\"\$HOME/opt-ai-sec/management/optimus_dev.env\"; ENV_LABEL=\"\"; if [ -f \"\$STATIC_DEV_ENV\" ]; then ENV_LABEL=\$(grep -E \"^(environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)=\" \"\$STATIC_DEV_ENV\" 2>/dev/null | head -1 | cut -d\"=\" -f2- | tr \"[:upper:]\" \"[:lower:]\" | xargs); fi; if [ -z \"\$ENV_LABEL\" ] && [ -n \"\${OPTIMUS_ENVIRONMENT:-}\" ]; then ENV_LABEL=\$(printf \"%s\" \"\$OPTIMUS_ENVIRONMENT\" | tr \"[:upper:]\" \"[:lower:]\" | xargs); fi; [ -z \"\$ENV_LABEL\" ] && ENV_LABEL=\"production\"; NPX_BASE=\"\"; if [ -f \"\$STATIC_DEV_ENV\" ]; then _nb=\$(grep -E \"^npx=\" \"\$STATIC_DEV_ENV\" 2>/dev/null | head -1 | cut -d\"=\" -f2- | xargs); [ -n \"\$_nb\" ] && [ -d \"\$_nb\" ] && NPX_BASE=\"\$_nb\"; fi; p=\"\${npm_config_prefix:-\${NPM_CONFIG_PREFIX:-}}\"; gp=\"\${npm_config_global_prefix:-}\"; gc=\"\${npm_config_globalconfig:-}\"; if [[ \"\$p\" == *\"/Applications/Cursor.app/\"* ]] || [[ \"\$gp\" == *\"/Applications/Cursor.app/\"* ]] || [[ \"\$gc\" == *\"/Applications/Cursor.app/\"* ]]; then unset npm_config_prefix NPM_CONFIG_PREFIX npm_config_global_prefix npm_config_globalconfig npm_node_execpath 2>/dev/null; fi; APPLY_EC=0; if [ -f \"\$REPO_ROOT/dev_npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then echo deferred_restart:apply_via_dev_npx_packages; node \"\$REPO_ROOT/dev_npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; APPLY_EC=\$?; elif [ \"\$ENV_LABEL\" = \"development\" ] && [ -n \"\$NPX_BASE\" ] && [ -f \"\$NPX_BASE/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then echo deferred_restart:apply_via_optimus_npx_base; node \"\$NPX_BASE/log-llm-config/dist/apply_deferred_vscdb.js\"; APPLY_EC=\$?; elif command -v npx >/dev/null 2>&1; then echo deferred_restart:apply_via_npx env=\"\$ENV_LABEL\"; cd \"\$REPO_ROOT\" || true; if [ \"\$ENV_LABEL\" = \"staging\" ]; then npx --yes --package=log-llm-config-staging@latest apply-deferred-vscdb-staging; APPLY_EC=\$?; else npx --yes --package=log-llm-config@latest apply-deferred-vscdb; APPLY_EC=\$?; fi; else echo deferred_restart:no_npx; APPLY_EC=127; fi; echo deferred_restart:apply_exit=\$APPLY_EC; if [ \$APPLY_EC -ne 0 ]; then echo deferred_restart:APPLY_FAILED_see_messages_above; fi; echo deferred_restart:open_cursor; open -a Cursor \"\$CURSOR_PROJECT\"; echo deferred_restart:open_exit=\$?; echo deferred_restart:end ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ)' >/dev/null 2>&1 & killall -9 Cursor";
+    "nohup bash -c 'exec >>\"\$OPTIMUS_DEFERRED_LOG\" 2>&1; echo deferred_restart:begin ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ) REPO_ROOT=\"\$REPO_ROOT\" CURSOR_PROJECT=\"\$CURSOR_PROJECT\"; sleep 2; STATIC_DEV_ENV=\"\$HOME/opt-ai-sec/management/optimus_dev.env\"; ENV_LABEL=\"\"; if [ -f \"\$STATIC_DEV_ENV\" ]; then ENV_LABEL=\$(grep -E \"^(environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)=\" \"\$STATIC_DEV_ENV\" 2>/dev/null | head -1 | cut -d\"=\" -f2- | tr \"[:upper:]\" \"[:lower:]\" | xargs); fi; if [ -z \"\$ENV_LABEL\" ] && [ -n \"\${OPTIMUS_ENVIRONMENT:-}\" ]; then ENV_LABEL=\$(printf \"%s\" \"\$OPTIMUS_ENVIRONMENT\" | tr \"[:upper:]\" \"[:lower:]\" | xargs); fi; [ -z \"\$ENV_LABEL\" ] && ENV_LABEL=\"production\"; NPX_BASE=\"\"; if [ -f \"\$STATIC_DEV_ENV\" ]; then _nb=\$(grep -E \"^npx=\" \"\$STATIC_DEV_ENV\" 2>/dev/null | head -1 | cut -d\"=\" -f2- | xargs); [ -n \"\$_nb\" ] && [ -d \"\$_nb\" ] && NPX_BASE=\"\$_nb\"; fi; p=\"\${npm_config_prefix:-\${NPM_CONFIG_PREFIX:-}}\"; gp=\"\${npm_config_global_prefix:-}\"; gc=\"\${npm_config_globalconfig:-}\"; if [[ \"\$p\" == *\"/Applications/Cursor.app/\"* ]] || [[ \"\$gp\" == *\"/Applications/Cursor.app/\"* ]] || [[ \"\$gc\" == *\"/Applications/Cursor.app/\"* ]]; then unset npm_config_prefix NPM_CONFIG_PREFIX npm_config_global_prefix npm_config_globalconfig npm_node_execpath 2>/dev/null; fi; APPLY_EC=0; if [ -f \"\$REPO_ROOT/dev_npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then echo deferred_restart:apply_via_dev_npx_packages; node \"\$REPO_ROOT/dev_npx_packages/log-llm-config/dist/apply_deferred_vscdb.js\"; APPLY_EC=\$?; elif [ \"\$ENV_LABEL\" = \"development\" ] && [ -n \"\$NPX_BASE\" ] && [ -f \"\$NPX_BASE/log-llm-config/dist/apply_deferred_vscdb.js\" ]; then echo deferred_restart:apply_via_optimus_npx_base; node \"\$NPX_BASE/log-llm-config/dist/apply_deferred_vscdb.js\"; APPLY_EC=\$?; elif command -v npx >/dev/null 2>&1; then echo deferred_restart:apply_via_npx env=\"\$ENV_LABEL\"; cd \"\$REPO_ROOT\" || true; if [ \"\$ENV_LABEL\" = \"staging\" ]; then npx --yes --package=log-llm-config-staging@latest apply-deferred-vscdb-staging; APPLY_EC=\$?; else npx --yes --package=log-llm-config@latest apply-deferred-vscdb; APPLY_EC=\$?; fi; else echo deferred_restart:no_npx; APPLY_EC=127; fi; echo deferred_restart:apply_exit=\$APPLY_EC; if [ \$APPLY_EC -ne 0 ]; then echo deferred_restart:APPLY_FAILED_see_messages_above; fi; echo deferred_restart:open_cursor; env -u npm_config_package -u npm_lifecycle_event -u npm_lifecycle_script -u npm_config_local_prefix open -a Cursor \"\$CURSOR_PROJECT\"; echo deferred_restart:open_exit=\$?; echo deferred_restart:end ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ)' >/dev/null 2>&1 & killall -9 Cursor";
 const TRUSTED_CURSOR_JSON_SETTINGS_RESTART_COMMAND = 'CURSOR_PROJECT=$(git rev-parse --show-toplevel 2>/dev/null || pwd) && export CURSOR_PROJECT && nohup bash -c \'sleep 2 && open -a Cursor "$CURSOR_PROJECT"\' >/dev/null 2>&1 & killall -9 Cursor';
 const TRUSTED_CLAUDE_RESTART_COMMAND = "nohup bash -c 'sleep 2 && open -a Claude' >/dev/null 2>&1 & pkill -x 'Claude'";
 export function isClaudeRestartCommand(cmd) {

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -8,6 +8,20 @@ import { getDeferredVscdbRestartLogPath } from './management_storage.js';
 import { normalizeAgentToken } from './compliance_check.js';
 import { isClaudeRestartCommand, isCursorRestartCommand, isTrustedRestartCommandForAutofix } from './remediation_sync.js';
 const FALLBACK_PATH = '/usr/bin:/bin:/usr/local/bin:/opt/homebrew/bin';
+/** Vars set by `npx --package=...` that break unrelated scoped `npx @scope/pkg` after Cursor reopen. */
+const NPM_RESTART_POLLUTION = [
+    'npm_config_package',
+    'npm_lifecycle_event',
+    'npm_lifecycle_script',
+    'npm_config_local_prefix',
+];
+function envForRestartSpawn(base) {
+    const env = { ...base };
+    for (const key of NPM_RESTART_POLLUTION) {
+        delete env[key];
+    }
+    return env;
+}
 function isDeferredVscdbRestart(cmd) {
     return cmd.includes('OPTIMUS_DEFERRED_LOG') || cmd.includes('apply_deferred_vscdb');
 }
@@ -61,12 +75,12 @@ export function executeTrustedRestartCommands(commands) {
         const child = spawn('sh', ['-c', t], {
             detached: true,
             stdio: 'ignore',
-            env: {
+            env: envForRestartSpawn({
                 ...process.env,
                 PATH: process.env.PATH && String(process.env.PATH).trim().length > 0
                     ? process.env.PATH
                     : FALLBACK_PATH,
-            },
+            }),
         });
         child.on('error', (err) => {
             const emsg = err instanceof Error ? err.message : String(err);

package/dist/log_uuid/startup_sender.js

@@ -51,7 +51,7 @@ const getMetadata = () => ({
     github_username: process.env.GITHUB_USER || process.env.GH_USER || '',
     org_identifier: process.env.GITHUB_ORG || '',
     organization_uuid: readOrganizationUuid(),
-    repo_identifier: process.env.GITHUB_REPOSITORY || '',
+    repo_identifier: process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '',
     branch: process.env.GITHUB_REF_NAME || process.env.BRANCH_NAME || '',
     commit_sha: process.env.GITHUB_SHA || '',
     agent_name: process.env.OPTIMUS_AGENT || '',

package/dist/tofu.js

@@ -2,37 +2,48 @@
  * Tofu shim — centralises all imports from optimus-tofu.
  *
  * Reads ~/opt-ai-sec/management/optimus_dev.env at startup:
- *   - environment=development → loads local dist (file-relative path)
- *   - anything else           → loads the published npm package
+ *   - No file / unreadable → production (ignores OPTIMUS_ENVIRONMENT).
+ *   - File present → environment= line in file, then OPTIMUS_ENVIRONMENT, then production.
+ *   - environment=development + local dist present → loads sibling optimus-tofu dist
+ *   - anything else → published optimus-tofu npm package
  *
  * All other source files import from this module, never directly from
  * "optimus-tofu", so the conditional lives in exactly one place.
  */
-import { readFileSync } from "fs";
+import { existsSync, readFileSync } from "fs";
 import { homedir } from "os";
 import path from "path";
 import { fileURLToPath } from "url";
+function managementEnvPath() {
+    const home = homedir();
+    if (!home)
+        return null;
+    return path.join(home, "opt-ai-sec", "management", "optimus_dev.env");
+}
 function readEnvironment() {
-    const fromEnv = process.env.OPTIMUS_ENVIRONMENT?.trim().toLowerCase();
-    if (fromEnv)
-        return fromEnv;
+    const envPath = managementEnvPath();
+    if (!envPath) {
+        return "production";
+    }
     try {
-        const content = readFileSync(path.join(homedir(), "opt-ai-sec", "management", "optimus_dev.env"), "utf8");
+        const content = readFileSync(envPath, "utf8");
         const match = content.match(/^(?:environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)\s*=\s*(.+)/m);
         if (match)
             return match[1].trim().toLowerCase();
     }
     catch {
-        // file missing or unreadable — default to production
+        // No management file: always production (ignore stale OPTIMUS_ENVIRONMENT).
+        return "production";
     }
+    const fromEnv = process.env.OPTIMUS_ENVIRONMENT?.trim().toLowerCase();
+    if (fromEnv)
+        return fromEnv;
     return "production";
 }
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const isDevelopment = readEnvironment() === "development";
-// In development: resolve local optimus-tofu dist relative to this file.
-// dist/tofu.js → ../.. → npx_packages/staging/ → optimus-tofu/dist/index.js
 const localTofuPath = path.join(__dirname, "../../optimus-tofu/dist/index.js");
-const tofu = (isDevelopment
+const useLocalTofu = readEnvironment() === "development" && existsSync(localTofuPath);
+const tofu = (useLocalTofu
     ? await import(localTofuPath)
     : await import("optimus-tofu"));
 export const { loadEndpointBase, buildStartupEndpointUrl, createSignature, persistAuthKey, readStoredAuthKey, ensureAuthentication, getEndpointSource, canonicalizePayload, getAuthKeyPath, } = tofu;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.70",
+  "version": "1.3.74",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {