log-llm-config 1.3.82 → 1.3.84

package/dist/log_config_files/runtime/compliance_check.js

@@ -13,9 +13,11 @@
 import { existsSync, readFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
-import { readVscdbItemTableJson } from '../readers/vscdb_reader.js';
-import { readFileCollectionVscdbContract, readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
+import { mergeComposerShadowKeysFromReactiveBlob, readVscdbItemTableJson, } from '../readers/vscdb_reader.js';
+import { readRemediationInstructionsFile, writeRemediationInstructionsFile, } from './management_storage.js';
 import { resolveRemediationConfigPath } from './remediation_config_path.js';
+import { resolveOpsTargetPath } from './ops_target_path.js';
+import { isRemediationQuarantined, markRemediationApplyPendingVerification, processPendingPostRestartVerifications, readRemediationApplyTrackingFile, writeRemediationApplyTrackingFile, } from './remediation_apply_tracking.js';
 import { complianceRunnerDiag, hookRunLog, logRemediationApplyFailure } from './hook_logger.js';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
 import { resolveHardwareUuid, tryResolveHardwareUuid } from './hardware_uuid.js';
@@ -84,6 +86,28 @@ export function itemTableKeyFromSettingPath(settingPath) {
     const i = settingPath.indexOf('.');
     return i === -1 ? settingPath : settingPath.slice(0, i);
 }
+/**
+ * Compliance reads the live config at `config_file_path` (#itemKey), but sqlite apply may target
+ * a different ItemTable row. Verify against the manifest path's item key, not the apply target.
+ */
+export function canonicalComplianceSettingPath(configFilePath, check) {
+    const settingPath = check.setting_path;
+    const applyKey = check.sqlite_op?.target_key?.trim();
+    if (!applyKey || applyKey === settingPath)
+        return settingPath;
+    const hashIdx = configFilePath.indexOf('#');
+    if (hashIdx < 0)
+        return settingPath;
+    const verifyKey = configFilePath.slice(hashIdx + 1).trim();
+    if (!verifyKey || applyKey === verifyKey)
+        return settingPath;
+    const prefix = `${applyKey}.`;
+    if (settingPath === applyKey)
+        return verifyKey;
+    if (settingPath.startsWith(prefix))
+        return `${verifyKey}${settingPath.slice(applyKey.length)}`;
+    return settingPath;
+}
 /** Traverse a JSON object using dot-notation path. Returns undefined if any segment is missing. */
 export function getByPath(obj, path) {
     const parts = path.split('.');
@@ -143,13 +167,8 @@ function verifyOpsApplied(configJson, settingPath, ops) {
     const add = ops.add ?? {};
     const remove = ops.remove ?? {};
     const keys = new Set([...Object.keys(set), ...Object.keys(add), ...Object.keys(remove)]);
-    // If ops targets a single leaf key, check at settingPath; otherwise treat keys as subkeys under parent.
     for (const k of keys) {
-        const targetPath = k === leafKey || (keys.size === 1 && (k === leafKey || k === ''))
-            ? settingPath
-            : parentPath
-                ? `${parentPath}.${k}`
-                : k;
+        const targetPath = resolveOpsTargetPath(settingPath, k);
         if (Object.prototype.hasOwnProperty.call(set, k)) {
             const cur = getByPath(configJson, targetPath);
             const expected = set[k];
@@ -179,42 +198,8 @@ function shouldMergeComposerShadowKeys(itemKeyFromPath, checkSettingPaths) {
         return true;
     return checkSettingPaths.some((p) => p === 'composerState' || p.startsWith('composerState.'));
 }
-/**
- * Cursor stores web-tool toggles on the reactive blob root and nested `composerState`.
- * Policy scan merges root shadow keys into composerState; compliance must match or autofix
- * never runs when nested values are stale (e.g. lastBrowserConnectionMode none vs root editor).
- */
-export function mergeComposerShadowKeysFromReactiveBlob(dbPath, merged) {
-    const contract = readFileCollectionVscdbContract();
-    const reactiveKey = contract?.reactive_storage_item_key?.trim();
-    const shadowKeys = contract?.composer_shadow_keys ?? [];
-    if (!reactiveKey || shadowKeys.length === 0)
-        return;
-    const reactiveWrapped = readVscdbItemTableJson(dbPath, reactiveKey);
-    if (reactiveWrapped === null)
-        return;
-    const blob = reactiveWrapped[reactiveKey];
-    if (!blob || typeof blob !== 'object' || Array.isArray(blob))
-        return;
-    const root = blob;
-    let cs = merged.composerState;
-    if (!cs || typeof cs !== 'object' || Array.isArray(cs)) {
-        const nested = root.composerState;
-        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
-            cs = { ...nested };
-        }
-        else {
-            cs = {};
-        }
-        merged.composerState = cs;
-    }
-    const composerState = cs;
-    for (const key of shadowKeys) {
-        if (Object.prototype.hasOwnProperty.call(root, key) && root[key] !== undefined) {
-            composerState[key] = root[key];
-        }
-    }
-}
+/** @deprecated Import from vscdb_reader — re-export for existing tests. */
+export { mergeComposerShadowKeysFromReactiveBlob } from '../readers/vscdb_reader.js';
 /** Plain JSON file or virtual `…/state.vscdb#itemKey` path for ItemTable-backed settings. */
 function loadRemediationConfigJson(configFilePath, checkSettingPaths = []) {
     const resolvedPath = resolveRemediationConfigPath(configFilePath);
@@ -270,6 +255,101 @@ function evaluateSecondaryGroup(group) {
 // ---------------------------------------------------------------------------
 // Check runner — Section 6: real per-check evaluation
 // ---------------------------------------------------------------------------
+function violationFromCheck(entry, compliance, check, expected) {
+    return {
+        uuid: entry.uuid,
+        finding_formatted_id: compliance.finding_formatted_id,
+        setting_path: check.setting_path,
+        description: check.description,
+        finding_title: entry.finding_title,
+        finding_description: entry.finding_description,
+        policy_name: entry.policy_name,
+        severity: compliance.severity,
+        autofix_allowed: compliance.autofix_allowed,
+        config_file_path: entry.config_file_path,
+        expected_value: expected,
+        message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Apply remediation ops for ${check.setting_path} in ${entry.config_file_path}`,
+    };
+}
+/** Evaluate one manifest row against on-disk config (used by gate + post-restart verify). */
+export function evaluateManifestEntryCompliance(entry) {
+    const compliance = entry.fix ?? entry.compliance;
+    if (!compliance || compliance.file_format !== 'json')
+        return { violations: [] };
+    const checks = compliance.checks ?? [];
+    if (checks.length === 0)
+        return { violations: [] };
+    const loaded = loadRemediationConfigJson(entry.config_file_path, checks.map((c) => c.setting_path));
+    if (!loaded.ok)
+        return { violations: [] };
+    const configJson = loaded.json;
+    const entryViolations = [];
+    for (const check of checks) {
+        const effectivePath = canonicalComplianceSettingPath(entry.config_file_path, check);
+        if (check.sqlite_op?.apply_to_all_workspaces && check.ops) {
+            const segments = check.sqlite_op.workspace_storage_path_segments ?? [
+                'Library', 'Application Support', 'Cursor', 'User', 'workspaceStorage',
+            ];
+            const wsPath = join(homedir(), ...segments);
+            const vscdbPaths = discoverAllWorkspaceVscdbs(wsPath);
+            if (vscdbPaths.length === 0)
+                continue;
+            let violated = false;
+            let expectedForViolation = null;
+            for (const dbPath of vscdbPaths) {
+                const wrapped = readVscdbItemTableJson(dbPath, check.sqlite_op.target_key ?? '');
+                if (wrapped === null) {
+                    violated = true;
+                    expectedForViolation = { op: 'read_failed', db: dbPath };
+                    break;
+                }
+                const { ok, expected } = verifyOpsApplied(wrapped, check.setting_path, check.ops);
+                if (!ok) {
+                    violated = true;
+                    expectedForViolation = expected;
+                    break;
+                }
+            }
+            if (violated) {
+                entryViolations.push(violationFromCheck(entry, compliance, check, expectedForViolation));
+            }
+            continue;
+        }
+        if (check.ops) {
+            const { ok, expected } = verifyOpsApplied(configJson, effectivePath, check.ops);
+            if (!ok) {
+                entryViolations.push(violationFromCheck(entry, compliance, { ...check, setting_path: effectivePath }, expected));
+            }
+            continue;
+        }
+        const currentValue = getByPath(configJson, effectivePath);
+        const leafKey = effectivePath.split('.').pop();
+        const expectedValue = check.after?.[leafKey];
+        if (expectedValue === undefined)
+            continue;
+        if (!deepEqual(currentValue, expectedValue)) {
+            entryViolations.push(violationFromCheck(entry, compliance, { ...check, setting_path: effectivePath }, expectedValue));
+        }
+    }
+    if (entryViolations.length === 0)
+        return { violations: [] };
+    const secondaryGroups = compliance.secondary_checks ?? [];
+    const passingGroup = secondaryGroups.length > 0 ? secondaryGroups.find((g) => evaluateSecondaryGroup(g)) : undefined;
+    if (passingGroup) {
+        return {
+            violations: [],
+            secondarySatisfied: {
+                uuid: entry.uuid,
+                config_file_path: passingGroup.config_file_path,
+                file_type: passingGroup.file_type,
+            },
+        };
+    }
+    return { violations: entryViolations };
+}
+export function collectManifestEntryViolations(entry) {
+    return evaluateManifestEntryCompliance(entry).violations;
+}
 /**
  * Evaluate current on-disk configs against remediation_instructions.json only (no server).
  * Returns status for prompt gating / callers; does not persist compliance.json.
@@ -300,12 +380,11 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                 hookRunLog(`compliance_check: skipping non-json entry uuid=${entry.uuid}`);
                 continue;
             }
-            const checks = compliance.checks ?? [];
-            if (checks.length === 0) {
+            if ((compliance.checks ?? []).length === 0) {
                 skippedNoChecks++;
                 continue;
             }
-            const loaded = loadRemediationConfigJson(entry.config_file_path, checks.map((c) => c.setting_path));
+            const loaded = loadRemediationConfigJson(entry.config_file_path, (compliance.checks ?? []).map((c) => c.setting_path));
             if (!loaded.ok) {
                 skippedUnreadable++;
                 const msg = loaded.reason === 'file_not_found'
@@ -327,121 +406,16 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
                 });
                 continue;
             }
-            const configJson = loaded.json;
-            const entryViolations = [];
-            for (const check of checks) {
-                // When the check carries a sqlite_op with apply_to_all_workspaces, the authoritative data
-                // lives in workspace state.vscdb files — not in config_file_path (which may be mcp.json in
-                // the fallback case where no workspace vscdb has been collected yet). Verify directly against
-                // every discovered workspace vscdb; fail as a violation if any is missing the required entry.
-                if (check.sqlite_op?.apply_to_all_workspaces && check.ops) {
-                    const segments = check.sqlite_op.workspace_storage_path_segments ?? [
-                        'Library', 'Application Support', 'Cursor', 'User', 'workspaceStorage',
-                    ];
-                    const wsPath = join(homedir(), ...segments);
-                    const vscdbPaths = discoverAllWorkspaceVscdbs(wsPath);
-                    if (vscdbPaths.length === 0) {
-                        hookRunLog(`compliance_check: apply_to_all_workspaces — no workspace vscdbs found at ${wsPath}, skipping uuid=${entry.uuid}`);
-                    }
-                    else {
-                        let violated = false;
-                        let expectedForViolation = null;
-                        for (const dbPath of vscdbPaths) {
-                            const wrapped = readVscdbItemTableJson(dbPath, check.sqlite_op.target_key ?? '');
-                            if (wrapped === null) {
-                                violated = true;
-                                expectedForViolation = { op: 'read_failed', db: dbPath };
-                                break;
-                            }
-                            const { ok, expected } = verifyOpsApplied(wrapped, check.setting_path, check.ops);
-                            if (!ok) {
-                                violated = true;
-                                expectedForViolation = expected;
-                                break;
-                            }
-                        }
-                        if (violated) {
-                            hookRunLog(`compliance_check: VIOLATION (vscdb) uuid=${entry.uuid} path=${check.setting_path} expected=${JSON.stringify(expectedForViolation)}`);
-                            entryViolations.push({
-                                uuid: entry.uuid,
-                                finding_formatted_id: compliance.finding_formatted_id,
-                                setting_path: check.setting_path,
-                                description: check.description,
-                                finding_title: entry.finding_title,
-                                finding_description: entry.finding_description,
-                                policy_name: entry.policy_name,
-                                severity: compliance.severity,
-                                autofix_allowed: compliance.autofix_allowed,
-                                config_file_path: entry.config_file_path,
-                                expected_value: expectedForViolation,
-                                message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Apply remediation ops for ${check.setting_path} in workspace state.vscdb files`,
-                            });
-                        }
-                    }
-                    continue;
-                }
-                // Prefer ops-based verification (matches delta apply semantics; doesn't require full after snapshot).
-                if (check.ops) {
-                    const { ok, expected } = verifyOpsApplied(configJson, check.setting_path, check.ops);
-                    if (!ok) {
-                        hookRunLog(`compliance_check: VIOLATION uuid=${entry.uuid} path=${check.setting_path} expected=${JSON.stringify(expected)}`);
-                        entryViolations.push({
-                            uuid: entry.uuid,
-                            finding_formatted_id: compliance.finding_formatted_id,
-                            setting_path: check.setting_path,
-                            description: check.description,
-                            finding_title: entry.finding_title,
-                            finding_description: entry.finding_description,
-                            policy_name: entry.policy_name,
-                            severity: compliance.severity,
-                            autofix_allowed: compliance.autofix_allowed,
-                            config_file_path: entry.config_file_path,
-                            expected_value: expected,
-                            message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Apply remediation ops for ${check.setting_path} in ${entry.config_file_path}`,
-                        });
-                    }
-                    continue;
-                }
-                // Backwards compat: old local files may still carry after snapshots.
-                const currentValue = getByPath(configJson, check.setting_path);
-                const leafKey = check.setting_path.split('.').pop();
-                const expectedValue = check.after?.[leafKey];
-                if (expectedValue === undefined)
-                    continue;
-                if (!deepEqual(currentValue, expectedValue)) {
-                    hookRunLog(`compliance_check: VIOLATION uuid=${entry.uuid} path=${check.setting_path} current=${JSON.stringify(currentValue)} expected=${JSON.stringify(expectedValue)}`);
-                    entryViolations.push({
-                        uuid: entry.uuid,
-                        finding_formatted_id: compliance.finding_formatted_id,
-                        setting_path: check.setting_path,
-                        description: check.description,
-                        finding_title: entry.finding_title,
-                        finding_description: entry.finding_description,
-                        policy_name: entry.policy_name,
-                        severity: compliance.severity,
-                        autofix_allowed: compliance.autofix_allowed,
-                        config_file_path: entry.config_file_path,
-                        expected_value: expectedValue,
-                        message: `[${compliance.finding_formatted_id}] ${entry.finding_title ?? compliance.description}\nDescription: ${entry.finding_description ?? compliance.description}\nHow to fix: Set ${check.setting_path} to ${JSON.stringify(expectedValue)} in ${entry.config_file_path}`,
-                    });
-                }
+            const { violations: entryViolations, secondarySatisfied: entrySecondary } = evaluateManifestEntryCompliance(entry);
+            for (const v of entryViolations) {
+                hookRunLog(`compliance_check: VIOLATION uuid=${entry.uuid} path=${v.setting_path} expected=${JSON.stringify(v.expected_value)}`);
             }
-            if (entryViolations.length > 0) {
-                const secondaryGroups = compliance.secondary_checks ?? [];
-                const passingGroup = secondaryGroups.length > 0
-                    ? secondaryGroups.find((g) => evaluateSecondaryGroup(g))
-                    : undefined;
-                if (passingGroup) {
-                    hookRunLog(`compliance_check: secondary check satisfied uuid=${entry.uuid} — skipping ${entryViolations.length} primary violation(s)`);
-                    secondarySatisfied.push({
-                        uuid: entry.uuid,
-                        config_file_path: passingGroup.config_file_path,
-                        file_type: passingGroup.file_type,
-                    });
-                }
-                else {
-                    violations.push(...entryViolations);
-                }
+            if (entrySecondary) {
+                hookRunLog(`compliance_check: secondary check satisfied uuid=${entry.uuid} — skipping primary violation(s)`);
+                secondarySatisfied.push(entrySecondary);
+            }
+            else if (entryViolations.length > 0) {
+                violations.push(...entryViolations);
             }
         }
         const status = {
@@ -485,6 +459,34 @@ export function runLocalRemediationComplianceCheck(agent = 'cursor') {
         return fallback;
     }
 }
+/**
+ * After restart, verify pending remediations and report outcomes to the server.
+ */
+export function reportPostRestartVerificationOutcomes(violations) {
+    const { remediations } = readRemediationInstructionsFile();
+    const entriesByUuid = new Map(remediations.map((entry) => [entry.uuid, entry]));
+    const outcomes = processPendingPostRestartVerifications((uuid) => {
+        const entry = entriesByUuid.get(uuid);
+        if (entry && collectManifestEntryViolations(entry).length > 0)
+            return true;
+        return violations.some((v) => v.uuid === uuid);
+    });
+    const reportPromises = outcomes.map((o) => {
+        if (o.status === 'quarantined' || o.status === 'verification_failed') {
+            logRemediationApplyFailure('post_restart_verification_failed', {
+                uuid: o.uuid,
+                reason: o.reason ?? 'Setting unchanged after apply',
+                status: o.status,
+                consecutive_failures: o.consecutive_failures,
+            });
+        }
+        return reportAutofixApplied(o.uuid, o.status, {
+            failure_reason: o.reason,
+            consecutive_failures: o.consecutive_failures,
+        });
+    });
+    return { outcomes, reportPromises };
+}
 export function applyAutofixViolations(violations, agent = 'cursor') {
     for (const v of violations) {
         if (!v.autofix_allowed) {
@@ -520,6 +522,18 @@ export function applyAutofixViolations(violations, agent = 'cursor') {
     for (const violation of autofixable) {
         if (seen.has(violation.uuid))
             continue;
+        if (isRemediationQuarantined(violation.uuid)) {
+            hookRunLog(`autofix: skipped quarantined uuid=${violation.uuid}`);
+            logRemediationApplyFailure('autofix_skipped_quarantined', {
+                uuid: violation.uuid,
+                finding_formatted_id: violation.finding_formatted_id,
+                config_file_path: violation.config_file_path,
+                setting_path: violation.setting_path,
+                reason: 'Auto-fix paused after repeated post-restart verification failures — agent config may have changed',
+            });
+            failedViolations.push(violation);
+            continue;
+        }
         const instruction = byUuid.get(violation.uuid);
         if (!instruction) {
             hookRunLog(`autofix: no instruction found for uuid=${violation.uuid}, skipping`);
@@ -548,6 +562,10 @@ export function applyAutofixViolations(violations, agent = 'cursor') {
         appliedViolations.push(violation);
         hookRunLog(`autofix: applied uuid=${inst.uuid} path=${configPathForDisk}`);
         reportPromises.push(reportAutofixApplied(inst.uuid, 'success'));
+        // Every successful autofix (Cursor + Claude, restart or immediate JSON) awaits verification on
+        // the next compliance check so we can quarantine stuck applies and stop restart/retry loops.
+        markRemediationApplyPendingVerification(inst.uuid);
+        const spec = remediationFixSpec(inst);
         if (er.deferredSqlite && configPathForDisk.includes('#')) {
             hookRunLog(`autofix: skip immediate vscdb upload (deferred until after restart) uuid=${inst.uuid}`);
         }
@@ -597,7 +615,6 @@ export function applyAutofixViolations(violations, agent = 'cursor') {
                 }
             }
         }
-        const spec = remediationFixSpec(inst);
         if (spec?.restart_required && spec.restart_command) {
             if (!er.deferredSqlite) {
                 if (isTrustedRestartCommandForAutofix(spec.restart_command)) {
@@ -749,6 +766,68 @@ export function pruneSatisfiedOneTimeRemediations(agent = 'cursor') {
     }
     return { removed, reportPromises };
 }
+/** Throttle satisfied-manifest uploads (disk already matches ops; autofix did not run). */
+const SATISFIED_MANIFEST_UPLOAD_COOLDOWN_MS = 5 * 60 * 1000;
+/**
+ * When local compliance already passes, autofix is skipped — so settings never reach the server.
+ * Upload satisfied JSON remediations (throttled) so scan can resolve findings.
+ */
+export function uploadSatisfiedManifestConfigs(agent = 'cursor') {
+    const { remediations } = readRemediationInstructionsFile();
+    const entries = remediations.filter((e) => targetsCurrentAgent(e, agent));
+    const promises = [];
+    for (const entry of entries) {
+        const { violations } = evaluateManifestEntryCompliance(entry);
+        if (violations.length > 0)
+            continue;
+        const inst = entry;
+        const fileType = (inst.file_type ?? '').trim();
+        if (!fileType)
+            continue;
+        const diskPath = resolveRemediationConfigPath(entry.config_file_path);
+        if (diskPath.includes('#'))
+            continue;
+        const tracking = readRemediationApplyTrackingFile();
+        const prev = tracking.entries[entry.uuid];
+        const lastUpload = prev?.last_satisfied_upload_at;
+        if (lastUpload) {
+            const elapsed = Date.now() - Date.parse(lastUpload);
+            if (!Number.isNaN(elapsed) && elapsed < SATISFIED_MANIFEST_UPLOAD_COOLDOWN_MS) {
+                continue;
+            }
+        }
+        let rawContent;
+        try {
+            rawContent = JSON.parse(readFileSync(diskPath, 'utf8'));
+        }
+        catch {
+            hookRunLog(`satisfied_upload: could not read path=${diskPath} uuid=${entry.uuid}`);
+            continue;
+        }
+        const hw = tryResolveHardwareUuid();
+        if (!hw) {
+            hookRunLog(`satisfied_upload: skip uuid=${entry.uuid} (hardware UUID unavailable)`);
+            continue;
+        }
+        const uploadPath = entry.config_file_path.trim() || diskPath;
+        promises.push(ensureAuthentication(hw)
+            .then((authKey) => sendConfigFile({ file_type: fileType, file_path: uploadPath, raw_content: rawContent }, hw, authKey))
+            .then((sentOk) => {
+            hookRunLog(`satisfied_upload: uuid=${entry.uuid} path=${uploadPath} ok=${sentOk}`);
+            if (sentOk) {
+                const file = readRemediationApplyTrackingFile();
+                const ent = file.entries[entry.uuid] ?? { consecutive_verify_failures: 0, quarantined: false };
+                ent.last_satisfied_upload_at = new Date().toISOString();
+                file.entries[entry.uuid] = ent;
+                writeRemediationApplyTrackingFile(file);
+            }
+        })
+            .catch((err) => {
+            hookRunLog(`satisfied_upload: failed uuid=${entry.uuid} err=${err instanceof Error ? err.message : String(err)}`);
+        }));
+    }
+    return promises;
+}
 /**
  * Background refresh: server sync for latest instructions, then the same local evaluation as the hook.
  * Apply (autofix) is intentionally deferred to the gate on the next prompt — this pass only downloads
@@ -768,5 +847,6 @@ export async function runComplianceCheck() {
         if (pruned.removed > 0) {
             await Promise.allSettled(pruned.reportPromises);
         }
+        await Promise.allSettled(uploadSatisfiedManifestConfigs(agent));
     }
 }

package/dist/log_config_files/runtime/dialog_preferences.js

@@ -0,0 +1,31 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { atomicWriteJson, getDialogPreferencesPath, } from './management_storage.js';
+export function readDialogPreferences() {
+    const path = getDialogPreferencesPath();
+    if (!existsSync(path)) {
+        return { version: 1, suppress_non_restart_autofix_dialogs: false };
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(path, 'utf8'));
+        if (parsed?.version !== 1)
+            return { version: 1, suppress_non_restart_autofix_dialogs: false };
+        return {
+            version: 1,
+            suppress_non_restart_autofix_dialogs: Boolean(parsed.suppress_non_restart_autofix_dialogs),
+        };
+    }
+    catch {
+        return { version: 1, suppress_non_restart_autofix_dialogs: false };
+    }
+}
+export function isNonRestartAutofixDialogSuppressed() {
+    return readDialogPreferences().suppress_non_restart_autofix_dialogs === true;
+}
+export function setSuppressNonRestartAutofixDialogs(suppress) {
+    const next = {
+        version: 1,
+        suppress_non_restart_autofix_dialogs: suppress,
+        updated_at: new Date().toISOString(),
+    };
+    atomicWriteJson(getDialogPreferencesPath(), next);
+}

package/dist/log_config_files/runtime/management_storage.js

@@ -17,6 +17,8 @@ export const DEFERRED_VSCDB_RESTART_LOG_BASENAME = 'deferred_vscdb_restart.log';
  * of hardcoded Cursor paths.
  */
 export const FILE_COLLECTION_VSCDB_CONTRACT_BASENAME = 'file_collection_vscdb_contract.json';
+/** User preferences for Optimus macOS dialogs (hook-driven). */
+export const DIALOG_PREFERENCES_BASENAME = 'optimus_dialog_preferences.json';
 export function sanitizeReactiveStorageItemKey(raw) {
     if (typeof raw !== 'string')
         return undefined;
@@ -59,6 +61,9 @@ export function getDeferredVscdbRestartLogPath() {
 export function getFileCollectionVscdbContractPath() {
     return join(getManagementDir(), FILE_COLLECTION_VSCDB_CONTRACT_BASENAME);
 }
+export function getDialogPreferencesPath() {
+    return join(getManagementDir(), DIALOG_PREFERENCES_BASENAME);
+}
 export function readFileCollectionVscdbContract() {
     const path = getFileCollectionVscdbContractPath();
     if (!existsSync(path))

package/dist/log_config_files/runtime/ops_target_path.js

@@ -0,0 +1,18 @@
+/**
+ * Map ops.add/set/remove keys to JSON dot-paths for apply + verify.
+ *
+ * Server may use either the leaf key (e.g. `deny`) or the full setting_path
+ * (e.g. `cursor.general.globalCursorIgnoreList`) as the op map key.
+ */
+export function resolveOpsTargetPath(settingPath, opKey) {
+    const parts = settingPath.split('.');
+    const leafKey = parts[parts.length - 1] ?? '';
+    const parentPath = parts.slice(0, -1).join('.');
+    if (opKey === settingPath || opKey === leafKey) {
+        return settingPath;
+    }
+    if (opKey.includes('.')) {
+        return opKey;
+    }
+    return parentPath ? `${parentPath}.${opKey}` : opKey;
+}