log-llm-config 1.4.4 → 1.4.9

package/dist/log_config_files/runtime/compliance_session_log.js

@@ -0,0 +1,372 @@
+import { existsSync, mkdirSync, readdirSync, renameSync, statSync, unlinkSync, writeFileSync, appendFileSync, readFileSync, } from 'node:fs';
+import path from 'node:path';
+import { homedir } from 'node:os';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+const COMPLIANCE_SUBDIR = 'compliance';
+const TIER_NOOP = 'noop';
+const TIER_SUCCESS = 'success';
+const TIER_ERROR = 'error';
+const TIER_IN_PROCESS = 'in_process';
+const TIER_DIRS = [TIER_NOOP, TIER_SUCCESS, TIER_ERROR];
+const NOOP_MAX_AGE_MS = 30 * 60 * 1000;
+const SUCCESS_ERROR_MAX_AGE_MS = 24 * 60 * 60 * 1000;
+/** In-flight logs in compliance/in_process/ before finalize. */
+const INFLIGHT_MAX_AGE_MS = 2 * 60 * 60 * 1000;
+const LATEST_POINTER = 'latest';
+const MAX_SESSION_LOG_UPLOAD_BYTES = 5 * 1024 * 1024;
+let activeComplianceLogPath = null;
+export function parseComplianceLogArg(argv) {
+    const eq = argv.find((a) => a.startsWith('--compliance-log='));
+    if (eq) {
+        const v = eq.slice('--compliance-log='.length).trim();
+        return v || null;
+    }
+    const idx = argv.indexOf('--compliance-log');
+    if (idx >= 0 && argv[idx + 1]) {
+        const v = argv[idx + 1].trim();
+        return v || null;
+    }
+    return null;
+}
+export function isFinalizeComplianceSessionArgv(argv) {
+    return argv.includes('--finalize-compliance-session');
+}
+export function getComplianceLogDir() {
+    return path.join(homedir(), OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR);
+}
+export function getActiveComplianceLogPath() {
+    return activeComplianceLogPath;
+}
+export function setActiveComplianceLogPath(logPath) {
+    activeComplianceLogPath = logPath ? path.resolve(logPath) : null;
+}
+function isTierDirName(name) {
+    return TIER_DIRS.includes(name);
+}
+function isManagedDirName(name) {
+    return isTierDirName(name) || name === TIER_IN_PROCESS;
+}
+function getInProcessComplianceLogDir() {
+    return path.join(getComplianceLogDir(), TIER_IN_PROCESS);
+}
+/**
+ * Convert legacy/root session paths into the explicit in_process/ location.
+ *
+ * Hooks may still pass ~/.../compliance/<timestamp>.log; future writes should live
+ * at ~/.../compliance/in_process/<timestamp>.log until finalize classifies them.
+ */
+export function resolveComplianceSessionLogPath(logPath) {
+    const resolved = path.resolve(logPath);
+    if (path.dirname(resolved) === getComplianceLogDir()) {
+        return path.join(getInProcessComplianceLogDir(), path.basename(resolved));
+    }
+    return resolved;
+}
+/** Session log still in compliance/in_process/ (not yet finalized into a tier folder). */
+export function isInflightComplianceLogPath(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    return path.dirname(resolved) === getInProcessComplianceLogDir();
+}
+export function readLatestComplianceLogPointer() {
+    const pointer = path.join(getComplianceLogDir(), LATEST_POINTER);
+    if (!existsSync(pointer))
+        return null;
+    try {
+        const p = readFileSync(pointer, 'utf8').trim();
+        return p || null;
+    }
+    catch {
+        return null;
+    }
+}
+function pruneLogFilesInDir(dir, maxAgeMs, exceptPath) {
+    if (!existsSync(dir))
+        return 0;
+    const cutoff = Date.now() - maxAgeMs;
+    let removed = 0;
+    for (const name of readdirSync(dir)) {
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(dir, name);
+        if (exceptPath && full === exceptPath)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < cutoff) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+export function pruneComplianceSessionLogs(exceptPath) {
+    const base = getComplianceLogDir();
+    const keep = exceptPath ? path.resolve(exceptPath) : null;
+    let removed = 0;
+    removed += pruneLogFilesInDir(path.join(base, TIER_NOOP), NOOP_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_SUCCESS), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_ERROR), SUCCESS_ERROR_MAX_AGE_MS, keep);
+    removed += pruneLogFilesInDir(path.join(base, TIER_IN_PROCESS), INFLIGHT_MAX_AGE_MS, keep);
+    if (!existsSync(base))
+        return removed;
+    for (const name of readdirSync(base)) {
+        if (name === LATEST_POINTER || isManagedDirName(name))
+            continue;
+        if (!name.endsWith('.log'))
+            continue;
+        const full = path.join(base, name);
+        if (keep && full === keep)
+            continue;
+        try {
+            const st = statSync(full);
+            if (st.mtimeMs < Date.now() - INFLIGHT_MAX_AGE_MS) {
+                unlinkSync(full);
+                removed += 1;
+            }
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return removed;
+}
+/**
+ * Classify a compliance session for finalize + optional server upload.
+ *
+ * Only two outcomes are uploaded (success / error): remediation **succeeded** or **failed**.
+ * Policy violations, in-flight restart, and sync-only sessions are noop (local retention only).
+ */
+export function classifyComplianceSessionLog(content) {
+    const text = content.trim();
+    if (!text)
+        return TIER_NOOP;
+    if (/remediation_tracking: verified uuid=/.test(text)) {
+        return TIER_SUCCESS;
+    }
+    const remediationFailedPatterns = [
+        /REMEDIATION APPLY FAILURE/,
+        /compliance_check_runner: uncaught error/,
+        /remediation_tracking: verification_failed uuid=/,
+        /post_restart_verification count=\d+ quarantined=[1-9]/,
+        /enforceRemediation.*failed/i,
+    ];
+    if (remediationFailedPatterns.some((p) => p.test(text))) {
+        return TIER_ERROR;
+    }
+    return TIER_NOOP;
+}
+/** Keep at compliance/ root until verify or remediation failure is recorded in the session. */
+export function isRemediationCycleInflight(content) {
+    if (/remediation_tracking: verified uuid=/.test(content))
+        return false;
+    if (/remediation_tracking: verification_failed uuid=/.test(content))
+        return false;
+    if (/REMEDIATION APPLY FAILURE/.test(content))
+        return false;
+    if (/post_restart_verification count=\d+ quarantined=[1-9]/.test(content))
+        return false;
+    return /remediation_tracking: pending_post_restart_verify uuid=/.test(content);
+}
+function ensureComplianceLogDir() {
+    const dir = getComplianceLogDir();
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    for (const tier of [...TIER_DIRS, TIER_IN_PROCESS]) {
+        const sub = path.join(dir, tier);
+        if (!existsSync(sub))
+            mkdirSync(sub, { recursive: true, mode: 0o700 });
+    }
+}
+function writeLatestPointer(logPath) {
+    try {
+        ensureComplianceLogDir();
+        writeFileSync(path.join(getComplianceLogDir(), LATEST_POINTER), `${logPath}\n`, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+function appendComplianceLine(logPath, line) {
+    try {
+        const dir = path.dirname(logPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        appendFileSync(logPath, line, 'utf8');
+    }
+    catch {
+        // best-effort
+    }
+}
+export function complianceLogSessionBanner(logPath, label, mode) {
+    const resolved = path.resolve(logPath);
+    const ts = new Date().toISOString();
+    const banner = mode === 'replace'
+        ? `\n${'='.repeat(72)}\n${ts} session: ${label}\n${'='.repeat(72)}\n`
+        : `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+    try {
+        const dir = path.dirname(resolved);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        if (mode === 'replace') {
+            writeFileSync(resolved, banner, 'utf8');
+        }
+        else {
+            appendFileSync(resolved, banner, 'utf8');
+        }
+        writeLatestPointer(resolved);
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Gate: prune old files, bind path, start or resume an inflight session file. */
+export function initComplianceSessionForGate(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    const resume = existsSync(resolved) && statSync(resolved).size > 0 && isInflightComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_prompt_gate (before submit)', resume ? 'append' : 'replace');
+    if (!resume) {
+        writeLatestPointer(resolved);
+    }
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/** Runner: prune old files, bind path, append runner section to the gate session file. */
+export function initComplianceSessionForRunner(logPath) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    ensureComplianceLogDir();
+    const removed = pruneComplianceSessionLogs(resolved);
+    setActiveComplianceLogPath(resolved);
+    complianceLogSessionBanner(resolved, 'compliance_check_runner (background sync + check)', 'append');
+    if (removed > 0) {
+        appendComplianceLine(resolved, `${new Date().toISOString()} compliance_session: pruned ${removed} log(s) (in_process 2h, noop 30m, success/error 24h)\n`);
+    }
+    return resolved;
+}
+/**
+ * Move session log from compliance/ root into noop|success|error/ and prune tiers.
+ * No-op if file missing or already finalized.
+ */
+export function finalizeComplianceSessionLog(logPath, forcedTier) {
+    const resolved = resolveComplianceSessionLogPath(logPath);
+    if (!existsSync(resolved))
+        return null;
+    const parentName = path.basename(path.dirname(resolved));
+    if (isTierDirName(parentName)) {
+        return { tier: parentName, logPath: resolved, moved: false };
+    }
+    const content = readFileSync(resolved, 'utf8');
+    if (isRemediationCycleInflight(content)) {
+        return null;
+    }
+    const tier = forcedTier ?? classifyComplianceSessionLog(content);
+    ensureComplianceLogDir();
+    const dest = path.join(getComplianceLogDir(), tier, path.basename(resolved));
+    if (resolved !== dest) {
+        if (existsSync(dest))
+            unlinkSync(dest);
+        renameSync(resolved, dest);
+    }
+    setActiveComplianceLogPath(null);
+    writeLatestPointer(dest);
+    pruneComplianceSessionLogs(dest);
+    return { tier, logPath: dest, moved: true };
+}
+export function appendToActiveComplianceLog(message) {
+    const logPath = activeComplianceLogPath;
+    if (!logPath)
+        return;
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+export function readComplianceSessionLog(logPath) {
+    try {
+        if (!existsSync(logPath))
+            return '';
+        return readFileSync(logPath, 'utf8');
+    }
+    catch {
+        return '';
+    }
+}
+function appendLineToSessionLogFile(logPath, message) {
+    try {
+        appendComplianceLine(logPath, `${new Date().toISOString()} ${message}\n`);
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Upload full session log to the server (success and error tiers only, first finalize only).
+ */
+export async function uploadComplianceSessionLogFromFinalize(result) {
+    if (result.tier !== TIER_SUCCESS && result.tier !== TIER_ERROR)
+        return;
+    if (!result.moved)
+        return;
+    const logText = readComplianceSessionLog(result.logPath);
+    if (!logText.trim())
+        return;
+    const logBytes = Buffer.byteLength(logText, 'utf8');
+    if (logBytes > MAX_SESSION_LOG_UPLOAD_BYTES) {
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: skipped (${logBytes} bytes exceeds ${MAX_SESSION_LOG_UPLOAD_BYTES})`);
+        return;
+    }
+    const { readStoredAuthKey } = await import('../auth/auth_key_store.js');
+    const { tryResolveHardwareUuid } = await import('./hardware_uuid.js');
+    const { loadEndpointBase } = await import('../sender/endpoint_config.js');
+    const { createSignature } = await import('../sender/signing.js');
+    const { buildApiUrl } = await import('../../endpoint_client/registry_api.js');
+    const { executeBody } = await import('../../endpoint_client/http_transport.js');
+    const authKey = readStoredAuthKey();
+    const hardwareUuid = tryResolveHardwareUuid();
+    if (!authKey || !hardwareUuid) {
+        appendLineToSessionLogFile(result.logPath, 'compliance_session_upload: skipped (auth key or hardware UUID unavailable)');
+        return;
+    }
+    const sessionFilename = path.basename(result.logPath);
+    const outcome = result.tier;
+    const signingPayload = {
+        hardware_uuid: hardwareUuid,
+        outcome,
+        session_filename: sessionFilename,
+        log_text: logText,
+    };
+    const signature = createSignature(signingPayload, authKey.key);
+    const body = JSON.stringify({ ...signingPayload, signature });
+    const url = buildApiUrl(loadEndpointBase(), '/endpoint_security/api/remediation-activity-log/');
+    try {
+        const { statusCode } = await executeBody(url, 'POST', body, 30_000);
+        if (statusCode === 200) {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: ok outcome=${outcome} bytes=${logBytes}`);
+        }
+        else {
+            appendLineToSessionLogFile(result.logPath, `compliance_session_upload: server status=${statusCode}`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        appendLineToSessionLogFile(result.logPath, `compliance_session_upload: failed ${msg}`);
+    }
+}
+/** Finalize session file into success|error|noop tier, then upload when success or error. */
+export async function finalizeAndUploadComplianceSessionLog(logPath, forcedTier) {
+    const result = finalizeComplianceSessionLog(logPath, forcedTier);
+    if (result) {
+        await uploadComplianceSessionLogFromFinalize(result);
+    }
+    return result;
+}

package/dist/log_config_files/runtime/hook_logger.js

@@ -1,8 +1,11 @@
-import { existsSync, mkdirSync, appendFileSync, writeFileSync, statSync } from 'node:fs';
+import { existsSync, mkdirSync, appendFileSync, writeFileSync, statSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
+import { getActiveComplianceLogPath } from './compliance_session_log.js';
 const HOOK_LOG_FILENAME = 'hook_log.txt';
 const COMPLIANCE_RUNNER_LOG_FILENAME = 'compliance_runner.log';
+const COMPLIANCE_SUBDIR = 'compliance';
+const COMPLIANCE_FALLBACK_TIER = 'noop';
 /** Append-only: remediation verify/apply failures (not cleared per hook session). */
 const REMEDIATION_APPLY_FAILURES_FILENAME = 'remediation_apply_failures.log';
 /** Hard cap so a single upload/sync session cannot grow hook_log.txt without bound. */
@@ -17,7 +20,7 @@ function getComplianceRunnerLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
     if (!homeDir)
         return null;
-    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_RUNNER_LOG_FILENAME);
+    return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, COMPLIANCE_SUBDIR, COMPLIANCE_FALLBACK_TIER, COMPLIANCE_RUNNER_LOG_FILENAME);
 }
 function getRemediationApplyFailuresLogPath() {
     const homeDir = process.env.HOME || process.env.USERPROFILE;
@@ -26,10 +29,21 @@ function getRemediationApplyFailuresLogPath() {
     return path.join(homeDir, OPT_AI_SEC_MANAGEMENT_REL, REMEDIATION_APPLY_FAILURES_FILENAME);
 }
 /**
- * Append one ISO-timestamped line to compliance_runner.log.
+ * Append one ISO-timestamped line to the active compliance session log.
+ * If no session is active, use compliance/noop/compliance_runner.log as a legacy fallback.
  * `level` examples: INFO, RUNNER, RESTART, FAIL
  */
 function appendComplianceRunnerLine(level, message) {
+    const sessionPath = getActiveComplianceLogPath();
+    if (sessionPath) {
+        try {
+            appendFileSync(sessionPath, `${new Date().toISOString()} [${level}] pid=${process.pid} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getComplianceRunnerLogPath();
     if (!logPath)
         return;
@@ -58,7 +72,7 @@ function complianceRunnerRunnerLine(message) {
 }
 /**
  * Loud, append-only record when a remediation cannot be verified or applied. Writes
- * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to compliance_runner.log;
+ * {@link REMEDIATION_APPLY_FAILURES_FILENAME} and mirrors the same block to the compliance log;
  * also appends a single summary line to hook_log.txt for the current session.
  */
 function logRemediationApplyFailure(context, fields) {
@@ -89,12 +103,18 @@ function logRemediationApplyFailure(context, fields) {
         const failPath = getRemediationApplyFailuresLogPath();
         if (failPath)
             writeFailAppend(failPath);
-        const crPath = getComplianceRunnerLogPath();
-        if (crPath) {
-            const dir = path.dirname(crPath);
-            if (!existsSync(dir))
-                mkdirSync(dir, { recursive: true, mode: 0o700 });
-            appendFileSync(crPath, block, 'utf8');
+        const activeCompliancePath = getActiveComplianceLogPath();
+        if (activeCompliancePath) {
+            writeFailAppend(activeCompliancePath);
+        }
+        else {
+            const crPath = getComplianceRunnerLogPath();
+            if (crPath) {
+                const dir = path.dirname(crPath);
+                if (!existsSync(dir))
+                    mkdirSync(dir, { recursive: true, mode: 0o700 });
+                appendFileSync(crPath, block, 'utf8');
+            }
         }
     }
     catch {
@@ -147,6 +167,18 @@ function hookLogSessionBanner(label) {
  * without replacing hook_log.txt.
  */
 function hookLogAppendSection(label) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            const banner = `\n${'-'.repeat(72)}\n${ts} section: ${label}\n${'-'.repeat(72)}\n`;
+            appendFileSync(compliancePath, banner, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;
@@ -167,8 +199,19 @@ function hookLogAppendSection(label) {
 function hookLogReplace() {
     hookLogSessionBanner('log_config_files (config upload)');
 }
-/** Append a timestamped line to hook_log.txt. */
+/** Append a timestamped line to hook_log.txt or the active compliance session log. */
 function hookRunLog(message) {
+    const compliancePath = getActiveComplianceLogPath();
+    if (compliancePath) {
+        try {
+            const ts = new Date().toISOString();
+            appendFileSync(compliancePath, `${ts} ${message}\n`, 'utf8');
+        }
+        catch {
+            // best-effort
+        }
+        return;
+    }
     const logPath = getHookLogPath();
     if (!logPath)
         return;
@@ -194,4 +237,18 @@ function hookLogLine(message) {
         // best-effort
     }
 }
-export { getHookLogPath, getComplianceRunnerLogPath, hookLogReplace, hookLogSessionBanner, hookLogAppendSection, hookRunLog, hookLogLine, complianceRunnerDiag, complianceRunnerRunnerLine, appendComplianceRunnerLine, logRemediationApplyFailure, };
+/** Read the current hook_log.txt content. Returns empty string if not found or unreadable. */
+function readHookLog() {
+    const logPath = getHookLogPath();
+    if (!logPath)
+        return '';
+    try {
+        if (!existsSync(logPath))
+            return '';
+        return readFileSync(logPath, 'utf8');
+    }
+    catch {
+        return '';
+    }
+}
+export { getHookLogPath, getComplianceRunnerLogPath, hookLogReplace, hookLogSessionBanner, hookLogAppendSection, hookRunLog, hookLogLine, complianceRunnerDiag, complianceRunnerRunnerLine, appendComplianceRunnerLine, logRemediationApplyFailure, readHookLog, };

package/dist/log_config_files/runtime/main_runner.js

@@ -6,7 +6,7 @@ import { getFileCollectionPatterns, FILE_PATH_REGISTRY_FILE_PATTERNS_PATH } from
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 import { runSensitivePathsAudit } from '../../log_sensitive_paths_audit.js';
 import { loadEndpointBase, getEndpointSource } from '../sender/endpoint_config.js';
-import { hookLogReplace, hookRunLog } from './hook_logger.js';
+import { hookLogReplace, hookRunLog, readHookLog } from './hook_logger.js';
 import { resolveHookTypeFromEnv } from './hook_type_for_request.js';
 import { resolveHardwareUuid } from './hardware_uuid.js';
 import { ensureAuthentication } from '../auth/auth_flow.js';
@@ -159,7 +159,8 @@ async function sendAllConfigFiles(configFiles, worktreeReport, hardwareUuid, aut
     if (batchResult.failed > 0)
         hookRunLog(`config_failed: ${batchResult.failed} item(s) in batch`);
     if (hookRequestId != null) {
-        const ok = await sendHookRequestUpdateManifest(hardwareUuid, authKey, hookRequestId, manifest);
+        const hookLogContent = readHookLog();
+        const ok = await sendHookRequestUpdateManifest(hardwareUuid, authKey, hookRequestId, manifest, hookLogContent || undefined);
         hookRunLog(`hook-request update manifest result=${ok ? 'ok' : 'fail'}`);
     }
     // Finish ingest session: failed_uploads hold set, worktree prune, config prune-on-absence, and scans.

package/dist/log_config_files/runtime/remediation_apply_tracking.js

@@ -58,6 +58,10 @@ export function clearRemediationApplyQuarantine(uuid) {
     writeRemediationApplyTrackingFile(file);
     hookRunLog(`remediation_tracking: quarantine_cleared uuid=${uuid}`);
 }
+export function hasPendingPostRestartVerification() {
+    const file = readRemediationApplyTrackingFile();
+    return Object.values(file.entries).some((e) => e.pending_post_restart_verify === true);
+}
 export function markRemediationApplyPendingVerification(uuid) {
     const file = readRemediationApplyTrackingFile();
     const prev = file.entries[uuid] ?? defaultEntry();

package/dist/log_config_files/runtime/remediation_sync.js

@@ -1460,7 +1460,10 @@ export function reportAutofixApplied(remediationUuid, result, details) {
     const body = JSON.stringify({ ...payload, signature });
     return executeBody(url, 'POST', body, 8000)
         .then(({ statusCode }) => {
-        if (statusCode !== 200) {
+        if (statusCode === 200) {
+            hookRunLog(`autofix_report: ok result=${result} uuid=${remediationUuid}`);
+        }
+        else {
             hookRunLog(`autofix_report: server returned ${statusCode} for uuid=${remediationUuid}`);
         }
     })

package/dist/log_config_files/runtime/secret_regex_scan.js

@@ -0,0 +1,126 @@
+/**
+ * Lightweight hardcoded-secret detection for local compliance (requires_secret_scan rows).
+ * Regex set aligned with policy_engine HardcodedSecretRule — not a full Secretlint/Gitleaks port.
+ */
+/** Values that reference env vars are never treated as hardcoded secrets. */
+export function isEnvBackedSecretValue(value) {
+    if (typeof value !== 'string')
+        return false;
+    const s = value.trim();
+    if (!s)
+        return false;
+    return s.includes('${env:') || s.includes('$env:') || s.includes('process.env.');
+}
+/** Provider / format patterns (order matters — first match wins). */
+const KNOWN_SECRET_PATTERNS = [
+    { re: /sk-proj-[a-zA-Z0-9_-]{20,}/i, label: 'OpenAI API key' },
+    { re: /sk-ant-[a-zA-Z0-9_-]{20,}/i, label: 'Anthropic API key' },
+    { re: /sk-[a-zA-Z0-9]{20,}/i, label: 'API key (sk-...)' },
+    { re: /sk_(?:live|test|prod)_[a-zA-Z0-9]{20,}/i, label: 'Stripe secret key' },
+    { re: /pk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe publishable key' },
+    { re: /pk_[a-zA-Z0-9_]{20,}/i, label: 'API key (pk_...)' },
+    { re: /whsec_[a-zA-Z0-9]{20,}/i, label: 'Stripe webhook secret' },
+    { re: /rk_(?:live|test)_[a-zA-Z0-9]{20,}/i, label: 'Stripe restricted key' },
+    { re: /pplx-[a-zA-Z0-9-]{20,}/i, label: 'Perplexity API key' },
+    { re: /ghp_[a-zA-Z0-9]{36}/i, label: 'GitHub personal access token' },
+    { re: /gho_[a-zA-Z0-9]{36}/i, label: 'GitHub OAuth token' },
+    { re: /ghu_[a-zA-Z0-9]{36}/i, label: 'GitHub user-to-server token' },
+    { re: /ghs_[a-zA-Z0-9]{36}/i, label: 'GitHub server-to-server token' },
+    { re: /ghr_[a-zA-Z0-9]{76}/i, label: 'GitHub refresh token' },
+    { re: /github_pat_[a-zA-Z0-9_]{20,}/i, label: 'GitHub fine-grained PAT' },
+    { re: /glpat-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab personal access token' },
+    { re: /glcbt-[a-zA-Z0-9_-]{20,}/i, label: 'GitLab CI job token' },
+    { re: /xoxb-[a-zA-Z0-9-]+/i, label: 'Slack bot token' },
+    { re: /xoxp-[a-zA-Z0-9-]+/i, label: 'Slack user token' },
+    { re: /xoxa-[a-zA-Z0-9-]+/i, label: 'Slack app-level token' },
+    { re: /xapp-[a-zA-Z0-9-]+/i, label: 'Slack app token' },
+    { re: /AKIA[0-9A-Z]{16}/i, label: 'AWS access key ID' },
+    { re: /ASIA[0-9A-Z]{16}/i, label: 'AWS temporary access key ID' },
+    { re: /AIza[0-9A-Za-z_-]{35}/i, label: 'Google API key' },
+    { re: /ya29\.[0-9A-Za-z_-]+/i, label: 'Google OAuth access token' },
+    { re: /AC[a-z0-9]{32}/i, label: 'Twilio account SID' },
+    { re: /SK[a-z0-9]{32}/i, label: 'Twilio API key' },
+    { re: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/i, label: 'SendGrid API key' },
+    { re: /key-[a-f0-9]{32}/i, label: 'Mailgun API key' },
+    { re: /npm_[a-zA-Z0-9]{36}/i, label: 'npm access token' },
+    { re: /pypi-[a-zA-Z0-9_-]{50,}/i, label: 'PyPI API token' },
+    { re: /discord(?:app)?\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/i, label: 'Discord webhook URL' },
+    { re: /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/i, label: 'Slack webhook URL' },
+    { re: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/i, label: 'JWT (JSON Web Token)' },
+    { re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/i, label: 'Private key block' },
+    { re: /sq0[a-zA-Z0-9_-]{20,}/i, label: 'Square access token' },
+    { re: /shpat_[a-fA-F0-9]{32}/i, label: 'Shopify access token' },
+    { re: /shpca_[a-fA-F0-9]{32}/i, label: 'Shopify custom app token' },
+    { re: /shpss_[a-fA-F0-9]{32}/i, label: 'Shopify shared secret' },
+    { re: /dop_v1_[a-f0-9]{64}/i, label: 'DigitalOcean personal access token' },
+    { re: /pat_[a-zA-Z0-9]{22}_[a-fA-F0-9]{59}/i, label: 'Atlassian API token' },
+    { re: /Bearer\s+[a-zA-Z0-9\-_.]{20,}/i, label: 'Bearer token' },
+];
+const BASIC_AUTH_IN_URL = /[a-zA-Z0-9._%+-]+:[a-zA-Z0-9._%+-]+@/gi;
+const GENERIC_TOKEN = /\b[a-zA-Z0-9]{32,}\b/g;
+const GENERIC_KEY_HINT = /(?:api[_-]?key|app[_-]?key|secret|token|password|passwd|pass\b|(?<!o)auth|credential|private[_-]?key|access[_-]?key|master[_-]?key)/i;
+function basicAuthMatchIsCredential(value, matchIndex) {
+    const before = value.slice(0, matchIndex);
+    const schemeIdx = before.lastIndexOf('://');
+    if (schemeIdx === -1)
+        return true;
+    const between = value.slice(schemeIdx + 3, matchIndex);
+    return !between.includes('/');
+}
+function looksLikeUrlContext(value) {
+    return value.includes(':') && (value.toLowerCase().includes('http') || value.includes('://'));
+}
+/**
+ * Scan one scalar config value. Returns secret type label or null if clean / env-backed.
+ */
+export function scanScalarForHardcodedSecret(value, keyName) {
+    if (value == null)
+        return null;
+    const valueStr = String(value);
+    if (isEnvBackedSecretValue(valueStr))
+        return null;
+    for (const { re, label } of KNOWN_SECRET_PATTERNS) {
+        if (re.test(valueStr))
+            return label;
+    }
+    BASIC_AUTH_IN_URL.lastIndex = 0;
+    for (const match of valueStr.matchAll(BASIC_AUTH_IN_URL)) {
+        if (basicAuthMatchIsCredential(valueStr, match.index ?? 0)) {
+            return 'Basic authentication credentials';
+        }
+    }
+    if (!GENERIC_KEY_HINT.test(keyName) || looksLikeUrlContext(valueStr)) {
+        return null;
+    }
+    const genericMatches = valueStr.match(GENERIC_TOKEN) ?? [];
+    if (genericMatches.some((token) => token.length >= 40)) {
+        return 'Potential token/secret';
+    }
+    return null;
+}
+function collectScalarLeaves(value, path = '') {
+    if (value == null)
+        return [];
+    if (Array.isArray(value)) {
+        return value.flatMap((item, idx) => collectScalarLeaves(item, path ? `${path}.${idx}` : String(idx)));
+    }
+    if (typeof value === 'object') {
+        return Object.entries(value).flatMap(([key, nested]) => collectScalarLeaves(nested, path ? `${path}.${key}` : key));
+    }
+    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+        return [];
+    }
+    const key = path.split('.').pop() ?? path;
+    return [{ path: path || '.', key, value }];
+}
+/** Walk parsed JSON and return all hardcoded-secret hits (JSON dot paths). */
+export function scanJsonForHardcodedSecrets(configJson) {
+    const findings = [];
+    for (const leaf of collectScalarLeaves(configJson)) {
+        const secretType = scanScalarForHardcodedSecret(leaf.value, leaf.key);
+        if (secretType) {
+            findings.push({ path: leaf.path, key: leaf.key, secretType });
+        }
+    }
+    return findings;
+}