@letterblack/lbe-core 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/.githooks/pre-commit +2 -0
  2. package/.githooks/pre-push +2 -0
  3. package/CHANGELOG.md +57 -0
  4. package/LICENSE +1 -0
  5. package/README.md +506 -0
  6. package/Release-README.md +339 -0
  7. package/WORKSPACE.md +422 -0
  8. package/_proof.mjs +246 -0
  9. package/assets/lbe-gates.jpg +0 -0
  10. package/assets/lbe-gates.png +0 -0
  11. package/assets/runtime-boundary.svg +36 -0
  12. package/assets/story-allow.jpg +0 -0
  13. package/assets/story-allow.png +0 -0
  14. package/assets/story-deny.jpg +0 -0
  15. package/assets/story-deny.png +0 -0
  16. package/bin/lbe.js +12 -0
  17. package/config/identity.config.json +3 -0
  18. package/config/policy.default.json +24 -0
  19. package/dist/cli/lbe.js +4274 -0
  20. package/dist/hooks/register.cjs +505 -0
  21. package/dist/state/appendCentral.cjs +87 -0
  22. package/dist/state/index.cjs +101 -0
  23. package/exec/cli.js +472 -0
  24. package/exec/index.js +2 -0
  25. package/index.js +24 -0
  26. package/lbe.audit.jsonl +46 -0
  27. package/package.json +76 -0
  28. package/release/README.md +216 -0
  29. package/release/TRUST.md +90 -0
  30. package/release/exec-README.md +215 -0
  31. package/release/exec-types.d.ts +50 -0
  32. package/release-exec/LICENSE +1 -0
  33. package/release-exec/README.md +215 -0
  34. package/release-exec/assets/lbe-gates.jpg +0 -0
  35. package/release-exec/assets/lbe-gates.png +0 -0
  36. package/release-exec/assets/runtime-boundary.svg +36 -0
  37. package/release-exec/assets/story-allow.jpg +0 -0
  38. package/release-exec/assets/story-allow.png +0 -0
  39. package/release-exec/assets/story-deny.jpg +0 -0
  40. package/release-exec/assets/story-deny.png +0 -0
  41. package/release-exec/dist/cli.js +2841 -0
  42. package/release-exec/dist/index.js +1835 -0
  43. package/release-exec/dist/lbe_engine.wasm +0 -0
  44. package/release-exec/dist/wasm.lock.json +4 -0
  45. package/release-exec/hooks/register.cjs +473 -0
  46. package/release-exec/package.json +35 -0
  47. package/release-exec/types.d.ts +50 -0
  48. package/runtime/engine.js +322 -0
  49. package/runtime/lbe_engine.wasm +0 -0
  50. package/src/cli/commands/auditVerify.js +36 -0
  51. package/src/cli/commands/dryrun.js +175 -0
  52. package/src/cli/commands/health.js +153 -0
  53. package/src/cli/commands/init.js +306 -0
  54. package/src/cli/commands/integrityCheck.js +57 -0
  55. package/src/cli/commands/logs.js +53 -0
  56. package/src/cli/commands/openState.js +44 -0
  57. package/src/cli/commands/policyAdd.js +8 -0
  58. package/src/cli/commands/policyMode.js +7 -0
  59. package/src/cli/commands/policySign.js +72 -0
  60. package/src/cli/commands/proof.js +122 -0
  61. package/src/cli/commands/run.js +342 -0
  62. package/src/cli/commands/status.js +73 -0
  63. package/src/cli/commands/verify.js +144 -0
  64. package/src/cli/main.js +176 -0
  65. package/src/cli/parseArgs.js +114 -0
  66. package/src/exec/localExecutor.js +289 -0
  67. package/src/hooks/register.cjs +505 -0
  68. package/src/state/appendCentral.cjs +87 -0
  69. package/src/state/fileIndex.js +140 -0
  70. package/src/state/index.cjs +101 -0
  71. package/src/state/index.js +65 -0
  72. package/src/state/intentRegistry.js +83 -0
  73. package/src/state/migration.js +112 -0
  74. package/src/state/proofRunner.js +246 -0
  75. package/src/state/stateRoot.js +40 -0
  76. package/src/state/targetRegistry.js +108 -0
  77. package/src/state/workspaceId.js +40 -0
  78. package/src/state/workspaceRegistry.js +65 -0
  79. package/types.d.ts +175 -0
package/assets/runtime-boundary.svg ADDED
@@ -0,0 +1,36 @@
1
+ <svg xmlns="http://www.w3.org/2000/svg" width="960" height="440" viewBox="0 0 960 440" role="img" aria-labelledby="title desc">
2
+ <title id="title">LetterBlack LBE runtime boundary</title>
3
+ <desc id="desc">An application sends a serialized request to the local LBE WASM validation runtime, which returns a structured allow, deny, or error decision to the application.</desc>
4
+ <defs>
5
+ <linearGradient id="panel" x1="0" x2="1"><stop stop-color="#172033"/><stop offset="1" stop-color="#202d47"/></linearGradient>
6
+ <linearGradient id="runtime" x1="0" x2="1"><stop stop-color="#3756d6"/><stop offset="1" stop-color="#7356d6"/></linearGradient>
7
+ <marker id="arrow" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto"><path d="M 0 0 L 10 5 L 0 10 z" fill="#8fa3c9"/></marker>
8
+ </defs>
9
+ <rect width="960" height="440" rx="24" fill="#0e1524"/>
10
+ <text x="56" y="65" fill="#f5f8ff" font-family="Arial, sans-serif" font-size="28" font-weight="700">Local validation boundary</text>
11
+ <text x="56" y="98" fill="#aab9d4" font-family="Arial, sans-serif" font-size="17">The host owns execution. LBE returns a deterministic decision before the host accepts an action.</text>
12
+
13
+ <rect x="55" y="165" width="220" height="170" rx="16" fill="url(#panel)" stroke="#405273"/>
14
+ <text x="165" y="220" text-anchor="middle" fill="#fff" font-family="Arial, sans-serif" font-size="21" font-weight="700">Host application</text>
15
+ <text x="165" y="254" text-anchor="middle" fill="#b9c7df" font-family="Arial, sans-serif" font-size="15">agent, tool, or service</text>
16
+ <text x="165" y="286" text-anchor="middle" fill="#7fe1c3" font-family="Arial, sans-serif" font-size="15">serializes request</text>
17
+
18
+ <line x1="285" y1="250" x2="402" y2="250" stroke="#8fa3c9" stroke-width="4" marker-end="url(#arrow)"/>
19
+ <text x="343" y="229" text-anchor="middle" fill="#aab9d4" font-family="Arial, sans-serif" font-size="14">JSON request</text>
20
+
21
+ <rect x="415" y="132" width="290" height="236" rx="18" fill="url(#runtime)" stroke="#9a8cff" stroke-width="2"/>
22
+ <text x="560" y="183" text-anchor="middle" fill="#fff" font-family="Arial, sans-serif" font-size="23" font-weight="700">LBE WASM runtime</text>
23
+ <line x1="453" y1="205" x2="667" y2="205" stroke="#bfc8ff" opacity=".55"/>
24
+ <text x="560" y="242" text-anchor="middle" fill="#f0efff" font-family="Arial, sans-serif" font-size="16">schema · timestamp · key lifecycle</text>
25
+ <text x="560" y="271" text-anchor="middle" fill="#f0efff" font-family="Arial, sans-serif" font-size="16">signature · rate limit · nonce · policy</text>
26
+ <text x="560" y="319" text-anchor="middle" fill="#d7d1ff" font-family="Arial, sans-serif" font-size="14">local, deterministic validation</text>
27
+
28
+ <line x1="718" y1="250" x2="825" y2="250" stroke="#8fa3c9" stroke-width="4" marker-end="url(#arrow)"/>
29
+ <text x="770" y="229" text-anchor="middle" fill="#aab9d4" font-family="Arial, sans-serif" font-size="14">structured result</text>
30
+
31
+ <rect x="838" y="165" width="80" height="170" rx="16" fill="url(#panel)" stroke="#405273"/>
32
+ <text x="878" y="215" text-anchor="middle" fill="#fff" font-family="Arial, sans-serif" font-size="16" font-weight="700">Host</text>
33
+ <text x="878" y="249" text-anchor="middle" fill="#7fe1c3" font-family="Arial, sans-serif" font-size="14">allow</text>
34
+ <text x="878" y="275" text-anchor="middle" fill="#ffadad" font-family="Arial, sans-serif" font-size="14">deny</text>
35
+ <text x="878" y="301" text-anchor="middle" fill="#ffd28a" font-family="Arial, sans-serif" font-size="14">error</text>
36
+ </svg>
package/assets/story-allow.jpg ADDED
Binary file
package/assets/story-allow.png ADDED
Binary file
package/assets/story-deny.jpg ADDED
Binary file
package/assets/story-deny.png ADDED
Binary file
package/bin/lbe.js ADDED
@@ -0,0 +1,12 @@
1
+ #!/usr/bin/env node
2
+
3
+ import fs from 'fs';
4
+ import path from 'path';
5
+ import { fileURLToPath, pathToFileURL } from 'url';
6
+
7
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
8
+ const distEntry = path.join(__dirname, '../dist/cli/lbe.js');
9
+ const sourceEntry = path.join(__dirname, '../src/cli/main.js');
10
+ const entry = fs.existsSync(distEntry) ? distEntry : sourceEntry;
11
+
12
+ await import(pathToFileURL(entry).href);
package/config/identity.config.json ADDED
@@ -0,0 +1,3 @@
1
+ {
2
+ "version": "0.2.0"
3
+ }
package/config/policy.default.json ADDED
@@ -0,0 +1,24 @@
1
+ {
2
+ "version": 1,
3
+ "createdAt": "2026-06-19T00:00:00Z",
4
+ "default": "DENY",
5
+ "requesters": {
6
+ "agent:sdk": {
7
+ "allowAdapters": ["file", "shell", "noop"],
8
+ "allowCommands": ["READ_FILE", "WRITE_FILE", "PATCH_FILE", "DELETE_FILE", "RUN_SHELL", "ECHO"],
9
+ "filesystem": {
10
+ "roots": ["."],
11
+ "denyPatterns": ["**/.git/**", "**/keys/**", "**/*.key", "**/.env*"]
12
+ },
13
+ "exec": {
14
+ "allowCmds": ["node", "echo"],
15
+ "denyCmds": ["rm", "del", "format", "curl", "wget", "sudo"]
16
+ }
17
+ }
18
+ },
19
+ "security": {
20
+ "maxClockSkewSec": 600,
21
+ "maxPolicyCreatedAtSkewSec": 31536000,
22
+ "defaultRateLimit": { "windowSec": 60, "maxRequests": 30 }
23
+ }
24
+ }