log-llm-config 1.3.90 → 1.3.94

package/dist/log_config_files/readers/vscdb_reader.js

@@ -25,6 +25,27 @@ function querySqlite(dbPath, key) {
         stdio: ['pipe', 'pipe', 'pipe'],
     }).trim();
 }
+/**
+ * Cursor keeps live agent settings (e.g. yoloCommandAllowlist) on nested composerState inside
+ * the reactive blob while the legacy ItemTable `composerState` row is often stale/partial.
+ * Merge nested fields so compliance/autofix match policy scans on uploaded reactive data.
+ */
+function mergeLegacyComposerStateWithReactiveNested(dbPath, reactiveKey, legacyComposerState) {
+    try {
+        const reactive = querySqlite(dbPath, reactiveKey);
+        if (!reactive)
+            return legacyComposerState;
+        const root = JSON.parse(reactive);
+        const nested = root.composerState;
+        if (nested === null || typeof nested !== 'object' || Array.isArray(nested)) {
+            return legacyComposerState;
+        }
+        return { ...legacyComposerState, ...nested };
+    }
+    catch {
+        return legacyComposerState;
+    }
+}
 /**
  * Fallback if the API omits vscdb_composer_contract (older server): derive from vscdb_read_queries.
  */
@@ -113,6 +134,10 @@ export function readVscdbItemTableJson(dbPath, itemKey) {
         }
         const parsed = JSON.parse(raw);
         if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            if (itemKey === 'composerState' && reactiveKey) {
+                const merged = mergeLegacyComposerStateWithReactiveNested(dbPath, reactiveKey, parsed);
+                return { [itemKey]: merged };
+            }
             return { [itemKey]: parsed };
         }
         // Bare JSON arrays (e.g. cursor/disabledMcpServers) — wrap under itemKey so ops-based

package/dist/log_config_files/runtime/compliance_check.js

@@ -39,6 +39,8 @@ export function normalizeAgentToken(raw) {
         return 'claude';
     if (s === 'cursor')
         return 'cursor';
+    if (s === 'copilot')
+        return 'copilot';
     return '';
 }
 function currentAgentFromEnv() {
@@ -46,9 +48,13 @@ function currentAgentFromEnv() {
     const override = normalizeAgentToken(process.env.OPTIMUS_AGENT);
     if (override)
         return override;
-    // Backwards-compatible: hook wrappers set OPTIMUS_HOOK_TYPE to cursor|claude.
+    // Backwards-compatible: hook wrappers set OPTIMUS_HOOK_TYPE to cursor|claude|copilot.
     const hookType = normalizeAgentToken(process.env.OPTIMUS_HOOK_TYPE);
-    return hookType === 'cursor' ? 'cursor' : 'claude';
+    if (hookType === 'cursor')
+        return 'cursor';
+    if (hookType === 'copilot')
+        return 'copilot';
+    return 'claude';
 }
 function targetsCurrentAgent(entry, agent) {
     // Prefer top-level manifest field; fall back to embedded fix payload for older local files.
@@ -159,6 +165,21 @@ function deepEqual(a, b) {
 function isStringArray(v) {
     return Array.isArray(v) && v.every((x) => typeof x === 'string');
 }
+function escapeRegExp(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/** Match Cursor yolo allowlist entries (same boundary idea as server filter_yolo_allowlist_entries). */
+function allowlistEntryMatchesRemoveToken(entry, token) {
+    const valStr = String(entry).toLowerCase();
+    const t = token.toLowerCase().trim();
+    if (!t)
+        return false;
+    const first = valStr.trim().split(/\s+/)[0] ?? '';
+    if (first === t || valStr === t)
+        return true;
+    const pattern = new RegExp(`(^|[^a-z0-9_|])${escapeRegExp(t)}([^a-z0-9_|]|$)`);
+    return pattern.test(valStr);
+}
 function verifyOpsApplied(configJson, settingPath, ops) {
     const parts = settingPath.split('.');
     const leafKey = parts[parts.length - 1] ?? '';
@@ -180,7 +201,14 @@ function verifyOpsApplied(configJson, settingPath, ops) {
         const curArr = Array.isArray(cur) ? cur : [];
         const toAdd = add[k] ?? [];
         const toRemove = remove[k] ?? [];
+        const isYoloAllowlist = leafKey === 'yoloCommandAllowlist' || targetPath.endsWith('.yoloCommandAllowlist');
         for (const item of toRemove) {
+            if (isYoloAllowlist) {
+                if (curArr.some((entry) => allowlistEntryMatchesRemoveToken(entry, String(item)))) {
+                    return { ok: false, expected: { op: 'remove', path: targetPath, value: item } };
+                }
+                continue;
+            }
             if (curArr.some((curItem) => deepEqual(curItem, item))) {
                 return { ok: false, expected: { op: 'remove', path: targetPath, value: item } };
             }

package/dist/log_config_files/runtime/main_runner.js

@@ -91,7 +91,7 @@ async function addSensitivePathsAudit(endpointBase, configFiles) {
 }
 async function sendAllConfigFiles(configFiles, worktreeReport, hardwareUuid, authKey) {
     const hookTypeRaw = (process.env.OPTIMUS_HOOK_TYPE || 'claude').toLowerCase();
-    const hookType = hookTypeRaw === 'cursor' ? 'cursor' : 'claude';
+    const hookType = hookTypeRaw === 'cursor' ? 'cursor' : hookTypeRaw === 'copilot' ? 'copilot' : 'claude';
     const manifest = configFiles.map((c) => canonicalCursorUserStateVscdbPath(c.file_path));
     const workspaceRepo = ensureWorkspaceRepoEnv(manifest);
     const hookRequestId = await sendHookRequestCreate(hardwareUuid, authKey, hookType, workspaceRepo);
@@ -132,7 +132,8 @@ async function main() {
     const endpointBase = loadEndpointBase();
     hookRunLog(`start endpoint=${endpointBase} hardware_uuid=${hardwareUuid}`);
     hookRunLog(`endpoint_source=${getEndpointSource()} cwd=${process.cwd()}`);
-    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${process.env.OPTIMUS_HOOK_TYPE ? 'set' : 'unset'} OPTIMUS_PROJECT_DIR=${process.env.OPTIMUS_PROJECT_DIR ? 'set' : 'unset'} OPTIMUS_WORKSPACE_REPO=${process.env.OPTIMUS_WORKSPACE_REPO ? 'set' : 'unset'} OPTIMUS_ENDPOINT=${process.env.OPTIMUS_ENDPOINT ? 'set' : 'unset'}`);
+    const envForLog = (v) => (v && v.trim() ? v.trim() : 'unset');
+    hookRunLog(`env: OPTIMUS_HOOK_TYPE=${envForLog(process.env.OPTIMUS_HOOK_TYPE)} OPTIMUS_PROJECT_DIR=${envForLog(process.env.OPTIMUS_PROJECT_DIR)} OPTIMUS_WORKSPACE_REPO=${envForLog(process.env.OPTIMUS_WORKSPACE_REPO)} OPTIMUS_ENDPOINT=${envForLog(process.env.OPTIMUS_ENDPOINT)}`);
     let authKey;
     try {
         authKey = await ensureAuthentication(hardwareUuid);

package/dist/log_config_files/runtime/remediation_sync.js

@@ -428,6 +428,23 @@ function applyCheck(configJson, check) {
     }
     setByPath(configJson, check.setting_path, value);
 }
+// ---------------------------------------------------------------------------
+// SQLite remediation support
+// ---------------------------------------------------------------------------
+function escapeRegExpForAllowlist(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function allowlistEntryMatchesRemoveToken(entry, token) {
+    const valStr = String(entry).toLowerCase();
+    const t = token.toLowerCase().trim();
+    if (!t)
+        return false;
+    const first = valStr.trim().split(/\s+/)[0] ?? '';
+    if (first === t || valStr === t)
+        return true;
+    const pattern = new RegExp(`(^|[^a-z0-9_|])${escapeRegExpForAllowlist(t)}([^a-z0-9_|]|$)`);
+    return pattern.test(valStr);
+}
 function mergePostApplyUploadIntoPayload(payload, hint) {
     if (!hint)
         return;
@@ -645,6 +662,59 @@ function mergeSqliteOpIntoJson(currentJson, sqliteOp) {
         currentJson[key] = arr;
         return;
     }
+    if (sqliteOp.array_remove?.length) {
+        const jp = (sqliteOp.json_path ?? '').trim();
+        const removeSet = new Set(sqliteOp.array_remove.map((v) => String(v)));
+        if (!jp) {
+            const key = sqliteOp.target_key;
+            const existing = currentJson[key];
+            const arr = Array.isArray(existing) ? [...existing] : [];
+            currentJson[key] = arr.filter((x) => !removeSet.has(String(x)));
+            return;
+        }
+        const parts = jp.split('.').filter(Boolean);
+        if (parts.length === 0)
+            return;
+        let node = currentJson;
+        for (const p of parts.slice(0, -1)) {
+            if (node == null || typeof node !== 'object' || Array.isArray(node))
+                return;
+            node = node[p];
+        }
+        if (node == null || typeof node !== 'object' || Array.isArray(node))
+            return;
+        const container = node;
+        const arrayKey = parts[parts.length - 1];
+        const existing = container[arrayKey];
+        if (!Array.isArray(existing))
+            return;
+        container[arrayKey] = existing.filter((x) => !removeSet.has(String(x)));
+        return;
+    }
+    if (sqliteOp.remove_commands?.length &&
+        (sqliteOp.json_path ?? '').includes('yoloCommandAllowlist') &&
+        !sqliteOp.array_remove?.length) {
+        const jp = (sqliteOp.json_path ?? '').trim();
+        const parts = jp.split('.').filter(Boolean);
+        if (parts.length === 0)
+            return;
+        let node = currentJson;
+        for (const p of parts.slice(0, -1)) {
+            if (node == null || typeof node !== 'object' || Array.isArray(node))
+                return;
+            node = node[p];
+        }
+        if (node == null || typeof node !== 'object' || Array.isArray(node))
+            return;
+        const container = node;
+        const arrayKey = parts[parts.length - 1];
+        const existing = container[arrayKey];
+        if (!Array.isArray(existing))
+            return;
+        const tokens = sqliteOp.remove_commands.map((t) => String(t).trim()).filter(Boolean);
+        container[arrayKey] = existing.filter((entry) => !tokens.some((t) => allowlistEntryMatchesRemoveToken(entry, t)));
+        return;
+    }
     const where = sqliteOp.array_item_where;
     const jp = sqliteOp.json_path ?? '';
     if (where && typeof where === 'object' && Object.keys(where).length > 0 && jp) {

package/dist/log_config_files/runtime/trusted_restarts.js

@@ -32,10 +32,16 @@ function currentAgentFromEnv() {
     const override = normalizeAgentToken(process.env.OPTIMUS_AGENT);
     if (override === 'cursor')
         return 'cursor';
+    if (override === 'copilot')
+        return 'copilot';
     if (override === 'claude' || override === 'claude_desktop')
         return 'claude';
     const hookType = normalizeAgentToken(process.env.OPTIMUS_HOOK_TYPE);
-    return hookType === 'cursor' ? 'cursor' : 'claude';
+    if (hookType === 'cursor')
+        return 'cursor';
+    if (hookType === 'copilot')
+        return 'copilot';
+    return 'claude';
 }
 /** Spawn each trusted command detached (same pattern as former compliance_prompt_gate fireRestartCommands). */
 export function executeTrustedRestartCommands(commands) {

package/dist/tofu_environment.js

@@ -7,25 +7,30 @@ export function managementEnvPath() {
         return null;
     return path.join(home, 'opt-ai-sec', 'management', 'optimus_dev.env');
 }
-/** Resolve optimus environment label (file wins over shell OPTIMUS_ENVIRONMENT). */
+/**
+ * Resolve optimus environment label (matches shell hooks / optimus-tool-call):
+ * - No management file / unreadable → production (ignores OPTIMUS_ENVIRONMENT).
+ * - File present → environment= line in file, then OPTIMUS_ENVIRONMENT, then production.
+ */
 export function readEnvironment() {
     const envPath = managementEnvPath();
     if (!envPath) {
-        return 'staging';
+        return 'production';
     }
+    let content;
     try {
-        const content = readFileSync(envPath, 'utf8');
-        const match = content.match(/^(?:environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)\s*=\s*(.+)/m);
-        if (match)
-            return match[1].trim().toLowerCase();
+        content = readFileSync(envPath, 'utf8');
     }
     catch {
-        return 'staging';
+        return 'production';
     }
+    const match = content?.match(/^(?:environment|ENVIRONMENT|OPTIMUS_ENVIRONMENT)\s*=\s*(.+)/m);
+    if (match)
+        return match[1].trim().toLowerCase();
     const fromEnv = process.env.OPTIMUS_ENVIRONMENT?.trim().toLowerCase();
     if (fromEnv)
         return fromEnv;
-    return 'staging';
+    return 'production';
 }
 export function shouldUseLocalTofuDist(localTofuPath) {
     return readEnvironment() === 'development' && existsSync(localTofuPath);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.90",
+  "version": "1.3.94",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {
@@ -58,6 +58,6 @@
   "dependencies": {
     "axios": "^1.15.2",
     "canonicalize": "^2.1.0",
-    "optimus-tofu": "file:../optimus-tofu"
+    "optimus-tofu": "^0.1.17"
   }
 }