log-llm-config 1.3.78 → 1.3.80

package/dist/cli.js

@@ -93,8 +93,10 @@ function parseAndSetLogUuidEnvVars() {
         process.env.OPTIMUS_HARDWARE_UUID = uuidArg;
     if (userArg)
         process.env.GITHUB_USER = userArg;
-    if (repoArg)
+    if (repoArg) {
+        process.env.OPTIMUS_WORKSPACE_REPO = repoArg;
         process.env.GITHUB_REPOSITORY = repoArg;
+    }
     if (branchArg)
         process.env.GITHUB_REF_NAME = branchArg;
     if (agentArg)

package/dist/log_config_files/readers/vscdb_reader.js

@@ -176,13 +176,13 @@ function runOneStep(dbPath, stateData, step) {
                         ? composerState
                         : undefined;
                     for (const k of step.include_keys) {
-                        // Prefer the value inside composerState when present; blob root can be stale vs the UI.
-                        if (nested && k in nested && nested[k] !== undefined) {
-                            stateData[k] = nested[k];
-                        }
-                        else if (k in obj && obj[k] !== undefined) {
+                        // Reactive blob root wins over nested composerState (matches policy_engine.scan_targets merge).
+                        if (k in obj && obj[k] !== undefined) {
                             stateData[k] = obj[k];
                         }
+                        else if (nested && k in nested && nested[k] !== undefined) {
+                            stateData[k] = nested[k];
+                        }
                     }
                 }
                 return;

package/dist/log_config_files/runtime/compliance_check.js

@@ -14,7 +14,7 @@ import { existsSync, readFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { readVscdbItemTableJson } from '../readers/vscdb_reader.js';
-import { readRemediationInstructionsFile, writeRemediationInstructionsFile } from './management_storage.js';
+import { readFileCollectionVscdbContract, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
 import { resolveRemediationConfigPath } from './remediation_config_path.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
@@ -174,6 +174,47 @@ function verifyOpsApplied(configJson, settingPath, ops) {
     }
     return { ok: true, expected: null };
 }
+function shouldMergeComposerShadowKeys(itemKeyFromPath, checkSettingPaths) {
+    if (itemKeyFromPath === 'composerState')
+        return true;
+    return checkSettingPaths.some((p) => p === 'composerState' || p.startsWith('composerState.'));
+}
+/**
+ * Cursor stores web-tool toggles on the reactive blob root and nested `composerState`.
+ * Policy scan merges root shadow keys into composerState; compliance must match or autofix
+ * never runs when nested values are stale (e.g. lastBrowserConnectionMode none vs root editor).
+ */
+export function mergeComposerShadowKeysFromReactiveBlob(dbPath, merged) {
+    const contract = readFileCollectionVscdbContract();
+    const reactiveKey = contract?.reactive_storage_item_key?.trim();
+    const shadowKeys = contract?.composer_shadow_keys ?? [];
+    if (!reactiveKey || shadowKeys.length === 0)
+        return;
+    const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
+    if (reactiveWrapped === null)
+        return;
+    const blob = reactiveWrapped[reactiveKey];
+    if (!blob || typeof blob !== 'object' || Array.isArray(blob))
+        return;
+    const root = blob;
+    let cs = merged.composerState;
+    if (!cs || typeof cs !== 'object' || Array.isArray(cs)) {
+        const nested = root.composerState;
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            cs = { ...nested };
+        }
+        else {
+            cs = {};
+        }
+        merged.composerState = cs;
+    }
+    const composerState = cs;
+    for (const key of shadowKeys) {
+        if (Object.prototype.hasOwnProperty.call(root, key) && root[key] !== undefined) {
+            composerState[key] = root[key];
+        }
+    }
+}
 /** Plain JSON file or virtual `…/state.vscdb#itemKey` path for ItemTable-backed settings. */
 function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
     const resolvedPath = resolveRemediationConfigPath(configFilePath);
@@ -193,6 +234,9 @@ function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
                 return { ok: false, reason: 'vscdb_read_failed' };
             Object.assign(merged, wrapped);
         }
+        if (shouldMergeComposerShadowKeys(itemKeyFromPath, checkSettingPaths)) {
+            mergeComposerShadowKeysFromReactiveBlob(dbPath, merged);
+        }
         return { ok: true, json: merged };
     }
     if (!existsSync(resolvedPath))

package/dist/log_config_files/runtime/main_runner.js

@@ -16,16 +16,8 @@ import { collectWorkspaceVscdbs } from '../collection/mcp_tool_collector.js';
 import { normalizePathSkipPrefixes } from '../paths/pattern_resolver.js';
 import { sendConfigFile, sendConfigFilesBatch, sendHookRequestCreate, sendHookRequestUpdateManifest, sendIngestSessionStart, sendIngestSessionFinish, BATCH_CHUNK_SIZE } from '../sender/batch_sender.js';
 import { canonicalCursorUserStateVscdbPath } from './remediation_config_path.js';
-import { execFileSync } from 'node:child_process';
+import { ensureWorkspaceRepoEnv, resolveProjectRoot } from './workspace_repo.js';
 import { createSignature, canonicalizePayload } from '../sender/signing.js';
-function resolveProjectRoot() {
-    try {
-        return execFileSync('git', ['rev-parse', '--show-toplevel'], { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-    }
-    catch {
-        return process.cwd();
-    }
-}
 const PROJECT_ROOT = resolveProjectRoot();
 async function collectAllConfigFiles(endpointBase) {
     const patternsUrl = `${endpointBase.replace(/\/+$/, '')}${FILE_PATH_REGISTRY_FILE_PATTERNS_PATH}`;
@@ -93,8 +85,8 @@ async function addSensitivePathsAudit(endpointBase, configFiles) {
 async function sendAllConfigFiles(configFiles, hardwareUuid, authKey) {
     const hookTypeRaw = (process.env.OPTIMUS_HOOK_TYPE || 'claude').toLowerCase();
     const hookType = hookTypeRaw === 'cursor' ? 'cursor' : 'claude';
-    const workspaceRepo = process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '';
     const manifest = configFiles.map((c) => canonicalCursorUserStateVscdbPath(c.file_path));
+    const workspaceRepo = ensureWorkspaceRepoEnv(manifest);
     const hookRequestId = await sendHookRequestCreate(hardwareUuid, authKey, hookType, workspaceRepo);
     hookRunLog(`hook-request id=${hookRequestId ?? 'none'}`);
     const ingestSessionId = await sendIngestSessionStart(hardwareUuid, authKey);
@@ -127,7 +119,7 @@ async function main() {
     const endpointBase = loadEndpointBase();
     hookRunLog(`start endpoint=${endpointBase} hardware_uuid=${hardwareUuid}`);
     hookRunLog(`endpoint_source=${getEndpointSource()} cwd=${process.cwd()}`);
-    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} GITHUB_REPOSITORY=${process.env.GITHUB_REPOSITORY ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
+    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} OPTIMUS_PROJECT_DIR=${process.env.OPTIMUS_PROJECT_DIR ? 'set' : 'unset'} OPTIMUS_WORKSPACE_REPO=${process.env.OPTIMUS_WORKSPACE_REPO ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
     let authKey;
     try {
         authKey = await ensureAuthentication(hardwareUuid);

package/dist/log_config_files/runtime/workspace_repo.js

@@ -0,0 +1,170 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { hookRunLog } from './hook_logger.js';
+const GIT_TIMEOUT_MS = 3000;
+const MAX_WALK_UP = 25;
+function gitRemoteInDir(dir) {
+    try {
+        return execFileSync('git', ['remote', '-v'], {
+            cwd: dir,
+            timeout: GIT_TIMEOUT_MS,
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+    }
+    catch {
+        return '';
+    }
+}
+function gitToplevelFromDir(dir) {
+    try {
+        return execFileSync('git', ['rev-parse', '--show-toplevel'], {
+            cwd: dir,
+            timeout: GIT_TIMEOUT_MS,
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+    }
+    catch {
+        return '';
+    }
+}
+export function resolveProjectDirFromEnv() {
+    for (const candidate of [
+        process.env.OPTIMUS_PROJECT_DIR,
+        process.env.CLAUDE_PROJECT_DIR,
+        process.env.CURSOR_PROJECT_DIR,
+    ]) {
+        const dir = (candidate || '').trim();
+        if (dir && fs.existsSync(dir))
+            return dir;
+    }
+    return '';
+}
+export function resolveWorkspaceRepoFromEnv() {
+    for (const candidate of [
+        process.env.OPTIMUS_WORKSPACE_REPO,
+        process.env.GITHUB_REPOSITORY,
+        process.env.GH_REPOSITORY,
+    ]) {
+        const value = (candidate || '').trim();
+        if (value)
+            return value;
+    }
+    return '';
+}
+function expandManifestPath(filePath) {
+    const trimmed = (filePath || '').trim();
+    if (!trimmed)
+        return '';
+    if (trimmed.startsWith('/'))
+        return trimmed;
+    if (/^Users-[^/]+/.test(trimmed)) {
+        return path.join(os.homedir(), '.cursor', 'projects', trimmed);
+    }
+    return path.resolve(trimmed);
+}
+export function resolveRepoFromPath(filePath) {
+    const remote = gitRemoteFromPathWalk(filePath);
+    return remote || resolveWorkspaceRepoFromEnv();
+}
+function gitRemoteFromPathWalk(filePath) {
+    let dir = expandManifestPath(filePath);
+    if (!dir)
+        return '';
+    try {
+        if (fs.existsSync(dir) && fs.statSync(dir).isFile())
+            dir = path.dirname(dir);
+        else if (!fs.existsSync(dir))
+            dir = path.dirname(dir);
+    }
+    catch {
+        dir = path.dirname(dir);
+    }
+    for (let i = 0; i < MAX_WALK_UP; i++) {
+        const remote = gitRemoteInDir(dir);
+        if (remote)
+            return remote;
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return '';
+}
+function manifestPathPriority(filePath) {
+    if (filePath.startsWith('/Users/') || filePath.startsWith('/home/'))
+        return 0;
+    if (filePath.startsWith('/'))
+        return 1;
+    if (/^Users-[^/]+/.test(filePath))
+        return 2;
+    return 3;
+}
+export function resolveWorkspaceRepoFromManifest(manifest) {
+    if (!manifest.length)
+        return '';
+    const candidates = [...manifest]
+        .map((entry) => (entry || '').trim())
+        .filter(Boolean)
+        .sort((a, b) => manifestPathPriority(a) - manifestPathPriority(b));
+    for (const candidate of candidates) {
+        const remote = resolveRepoFromPath(candidate);
+        if (remote)
+            return remote;
+    }
+    return '';
+}
+export function resolveWorkspaceRepo(manifest) {
+    const fromEnv = resolveWorkspaceRepoFromEnv();
+    if (fromEnv) {
+        hookRunLog(`workspace_repo: env (${fromEnv.slice(0, 80)}${fromEnv.length > 80 ? '…' : ''})`);
+        return fromEnv;
+    }
+    const projectDir = resolveProjectDirFromEnv();
+    if (projectDir) {
+        const remote = gitRemoteInDir(projectDir);
+        if (remote) {
+            hookRunLog(`workspace_repo: project_dir (${projectDir})`);
+            return remote;
+        }
+    }
+    const cwdRemote = gitRemoteInDir(process.cwd());
+    if (cwdRemote) {
+        hookRunLog(`workspace_repo: cwd (${process.cwd()})`);
+        return cwdRemote;
+    }
+    if (manifest?.length) {
+        const fromManifest = resolveWorkspaceRepoFromManifest(manifest);
+        if (fromManifest) {
+            hookRunLog('workspace_repo: manifest');
+            return fromManifest;
+        }
+    }
+    hookRunLog(`workspace_repo: unresolved (project_dir=${projectDir || 'unset'} cwd=${process.cwd()})`);
+    return '';
+}
+export function resolveProjectRoot() {
+    const projectDir = resolveProjectDirFromEnv();
+    if (projectDir) {
+        const top = gitToplevelFromDir(projectDir);
+        if (top)
+            return top;
+        return projectDir;
+    }
+    const cwdTop = gitToplevelFromDir(process.cwd());
+    if (cwdTop)
+        return cwdTop;
+    return process.cwd();
+}
+export function ensureWorkspaceRepoEnv(manifest) {
+    const resolved = resolveWorkspaceRepo(manifest);
+    if (resolved) {
+        process.env.OPTIMUS_WORKSPACE_REPO = resolved;
+        if (!process.env.GITHUB_REPOSITORY)
+            process.env.GITHUB_REPOSITORY = resolved;
+    }
+    return resolved;
+}

package/dist/log_config_files/sender/batch_sender.js

@@ -3,12 +3,14 @@ import { createSignature } from './signing.js';
 import { loadEndpointBase } from './endpoint_config.js';
 import { hookRunLog } from '../runtime/hook_logger.js';
 import { canonicalCursorUserStateVscdbPath } from '../runtime/remediation_config_path.js';
+import { resolveWorkspaceRepoFromEnv } from '../runtime/workspace_repo.js';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 /** Chunk size per batch request. */
 export const BATCH_CHUNK_SIZE = 20;
 const MAX_BATCH_SIZE_BYTES = 500 * 1024; // 500KB
+export { resolveRepoFromPath } from '../runtime/workspace_repo.js';
 function resolveApiBase(endpoint) {
     try {
         return new URL(endpoint).origin;
@@ -86,7 +88,7 @@ function splitChunk(chunks, chunkIndex) {
 async function sendConfigFilesBatch(configFiles, hardwareUuid, authKey, hookRequestId, ingestSessionId) {
     const endpoint = loadEndpointBase();
     const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-files/`;
-    const metadata = { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' };
+    const metadata = { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: resolveWorkspaceRepoFromEnv() };
     const basePayloadSize = JSON.stringify({ hardware_uuid: hardwareUuid, metadata }).length + 800;
     const chunks = buildBatchChunks(configFiles, basePayloadSize);
     const totals = { accepted: 0, failed: 0 };
@@ -169,13 +171,13 @@ async function sendIngestSessionFinish(hardwareUuid, authKey, ingestSessionId) {
         return false;
     }
 }
-async function sendConfigFile(configFile, hardwareUuid, authKey) {
+async function sendConfigFile(configFile, hardwareUuid, authKey, repoIdentifier) {
     const endpoint = loadEndpointBase();
     const apiUrl = `${resolveApiBase(endpoint)}/endpoint_security/log-config-file/`;
     const uploadPath = canonicalCursorUserStateVscdbPath(configFile.file_path);
     const payload = { hardware_uuid: hardwareUuid, file_type: configFile.file_type, file_path: uploadPath, raw_content: configFile.raw_content };
     const signature = createSignature(payload, authKey.key);
-    const body = { ...payload, signature, key_id: authKey.key_id || '', metadata: { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: process.env.GITHUB_REPOSITORY || process.env.GH_REPOSITORY || '' } };
+    const body = { ...payload, signature, key_id: authKey.key_id || '', metadata: { org_identifier: process.env.GITHUB_ORG || process.env.GH_ORG || '', organization_uuid: readOrganizationUuid(), repo_identifier: repoIdentifier ?? resolveWorkspaceRepoFromEnv() } };
     try {
         const response = await postStartupPayload(apiUrl, body);
         if (response.status !== 'accepted') {

package/dist/log_uuid/startup_sender.js

@@ -3,6 +3,7 @@ import { classifyEndpointResponse, postStartupPayload } from '../endpoint_client
 import { resolveHardwareUuid } from './hardware_uuid.js';
 import { writeAuthKey, readStoredAuthKey, loadEndpointBase, buildStartupEndpointUrl } from './auth_key_store.js';
 import { resolveUserProfile } from './user_profile.js';
+import { resolveWorkspaceRepo } from '../log_config_files/runtime/workspace_repo.js';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
@@ -51,7 +52,7 @@ const getMetadata = () => ({
     github_username: process.env.GITHUB_USER || process.env.GH_USER || '',
     org_identifier: process.env.GITHUB_ORG || '',
     organization_uuid: readOrganizationUuid(),
-    repo_identifier: process.env.OPTIMUS_WORKSPACE_REPO || process.env.GITHUB_REPOSITORY || '',
+    repo_identifier: resolveWorkspaceRepo(),
     branch: process.env.GITHUB_REF_NAME || process.env.BRANCH_NAME || '',
     commit_sha: process.env.GITHUB_SHA || '',
     agent_name: process.env.OPTIMUS_AGENT || '',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.78",
+  "version": "1.3.80",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {