@letterblack/lbe-core 1.3.2 → 1.3.4

package/src/cli/commands/init.js

@@ -1,306 +0,0 @@
-// src/cli/commands/init.js
-// Initialize LBE in a workspace:
-//   1. Scan project → generate workspace contract (semantics + enforcement)
-//   2. Show compact summary → ask once
-//   3. Write lbe.workspace.json
-//   4. Set up crypto infrastructure silently
-
-import fs from 'fs';
-import path from 'path';
-import readline from 'readline';
-import { generateKeyPair } from '../../core/signature.js';
-import { createPolicySignatureEnvelope } from '../../core/policySignature.js';
-import { scanWorkspace, formatSummary } from '../../core/workspaceScanner.js';
-
-// ─── Interactive prompt ───────────────────────────────────────────────────────
-
-function ask(question) {
-    // Non-interactive (CI / pipe) — default accept
-    if (!process.stdin.isTTY) return Promise.resolve('y');
-    return new Promise(resolve => {
-        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-        rl.question(question, ans => { rl.close(); resolve(ans.trim().toLowerCase()); });
-    });
-}
-
-// ─── Strict / relaxed adjustments ────────────────────────────────────────────
-
-function applyStrict(enforcement) {
-    // Strict: move approval items to deny, add common risky patterns
-    return {
-        ...enforcement,
-        deny: [...new Set([...enforcement.deny, ...enforcement.approval, '*.json', 'config/**'])],
-        approval: [],
-    };
-}
-
-function applyRelaxed(enforcement) {
-    // Relaxed: drop approval requirement, everything not denied is allowed
-    return { ...enforcement, approval: [] };
-}
-
-// ─── Crypto setup (silent — infrastructure only) ──────────────────────────────
-
-function setupCrypto(cwd) {
-    const nowIso      = new Date().toISOString();
-    const expiresAt   = new Date(Date.now() + 180 * 24 * 60 * 60 * 1000).toISOString();
-    const defaultKeyId = 'agent:gpt-v1-2026Q1';
-    const signerKeyId  = 'policy-signer-v1-2026Q1';
-
-    // All LBE infrastructure lives under .lbe/ — nothing pollutes the project root
-    const lbeDir = path.join(cwd, '.lbe');
-    for (const d of ['config', 'keys', 'data']) {
-        fs.mkdirSync(path.join(lbeDir, d), { recursive: true });
-    }
-
-    // Data stores
-    const dataFiles = {
-        '.lbe/data/nonce.db.json':      JSON.stringify({ entries: [] }, null, 2),
-        '.lbe/data/rate-limit.db.json': JSON.stringify({ entries: [] }, null, 2),
-        '.lbe/data/policy.state.json':  JSON.stringify({ schemaVersion: '1', lastAccepted: null, updatedAt: null }, null, 2),
-        '.lbe/data/audit.log.jsonl':    '',
-    };
-    for (const [rel, content] of Object.entries(dataFiles)) {
-        const p = path.join(cwd, rel);
-        if (!fs.existsSync(p)) fs.writeFileSync(p, content);
-    }
-
-    // Keypair
-    const keyDir    = path.join(lbeDir, 'keys');
-    const pubPath   = path.join(keyDir, 'public.key');
-    const secPath   = path.join(keyDir, 'secret.key');
-    let publicKeyB64, secretKeyB64;
-    if (fs.existsSync(pubPath) && fs.existsSync(secPath)) {
-        publicKeyB64 = fs.readFileSync(pubPath, 'utf8').trim();
-        secretKeyB64 = fs.readFileSync(secPath, 'utf8').trim();
-    } else {
-        const kp = generateKeyPair();
-        publicKeyB64 = kp.publicKey;
-        secretKeyB64 = kp.secretKey;
-        fs.writeFileSync(pubPath, publicKeyB64);
-        fs.writeFileSync(secPath, secretKeyB64, { mode: 0o600 });
-    }
-
-    // Keys store
-    const keysPath = path.join(lbeDir, 'config/keys.json');
-    const keysStore = fs.existsSync(keysPath)
-        ? JSON.parse(fs.readFileSync(keysPath, 'utf8'))
-        : { schemaVersion: '1', defaultKeyId, trustedKeys: {} };
-
-    for (const keyId of [defaultKeyId, signerKeyId]) {
-        if (!keysStore.trustedKeys[keyId]) {
-            keysStore.trustedKeys[keyId] = {
-                publicKey: publicKeyB64,
-                notBefore: nowIso,
-                expiresAt,
-                validFrom: nowIso,
-                validUntil: expiresAt,
-                deprecated: false,
-            };
-        }
-    }
-    keysStore.defaultKeyId = defaultKeyId;
-    fs.writeFileSync(keysPath, JSON.stringify(keysStore, null, 2));
-
-    // Policy
-    const policyPath = path.join(lbeDir, 'config/policy.default.json');
-    let policyObj;
-    if (fs.existsSync(policyPath)) {
-        policyObj = JSON.parse(fs.readFileSync(policyPath, 'utf8'));
-    } else {
-        policyObj = {
-            default: 'DENY',
-            version: '1.0.0',
-            createdAt: nowIso,
-            security: {
-                maxClockSkewSec: 600,
-                maxPolicyCreatedAtSkewSec: 31536000,
-                defaultRateLimit: { windowSec: 60, maxRequests: 30 }
-            },
-            requesters: {
-                'agent:gpt': {
-                    allowAdapters: ['noop', 'shell'],
-                    allowCommands: ['RUN_SHELL'],
-                    rateLimit: { windowSec: 60, maxRequests: 30 },
-                    filesystem: { roots: [cwd], denyPatterns: ['**/.git/**', '**/secrets/**', '**/*.key'] },
-                    exec: { allowCmds: ['ls', 'node', 'python', 'echo'], denyCmds: ['rm', 'chmod', 'chown', 'curl', 'wget', 'su', 'sudo'] }
-                }
-            }
-        };
-        fs.writeFileSync(policyPath, JSON.stringify(policyObj, null, 2));
-    }
-
-    // Policy signature
-    const sigResult = createPolicySignatureEnvelope({ policyObj, secretKeyB64, keyId: signerKeyId });
-    if (sigResult.ok) {
-        fs.writeFileSync(path.join(lbeDir, 'config/policy.sig.json'), JSON.stringify(sigResult.envelope, null, 2));
-    }
-
-    return { defaultKeyId, secretKeyB64, publicKeyB64 };
-}
-
-// ─── Agent governance files ───────────────────────────────────────────────────
-// Generated once by init so every AI agent auto-discovers LBE without the user
-// needing to explain it. Logic and internals are never mentioned — only the API.
-
-function agentContractContent() {
-    return `# LBE Governance Contract
-
-This project has LetterBlack LBE (Local-first execution Governance) active.
-
-## Your role as an agent
-
-Every file write, delete, and shell command must go through the LBE executor.
-The executor validates each action against the project policy and audits it.
-
-## How to perform actions
-
-\`\`\`js
-import { createLocalExecutor } from '@letterblack/lbe-exec';
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-
-await lbe.writeFile('output/report.md', content);
-await lbe.readFile('src/config.json');
-await lbe.patchFile('src/index.js', patch);
-await lbe.deleteFile('tmp/scratch.txt');
-await lbe.runShell('node', ['scripts/build.js']);
-\`\`\`
-
-## What you must never do
-
-- Call fs.* or child_process.* directly
-- Modify \`.lbe/policy.json\` directly — propose a rule via \`lbe.policy.proposeRule()\`
-- Attempt to bypass or disable the executor
-
-## Proposing a policy rule
-
-\`\`\`js
-const proposal = lbe.policy.proposeRule({
-  effect: 'deny', type: 'path', pattern: 'secrets/**',
-  from: 'agent: these files should never be modified'
-});
-// Return proposal to the user — never call lbe.policy.addRule() yourself.
-\`\`\`
-
-## Result shape
-
-\`{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }\`
-
-## Files
-
-- Policy: \`.lbe/policy.json\`
-- Audit:  \`.lbe/audit.jsonl\`
-- Status: \`npx lbe-exec status\`
-`;
-}
-
-function writeAgentContract(cwd) {
-    const lbeDir = path.join(cwd, '.lbe');
-    fs.mkdirSync(lbeDir, { recursive: true });
-    fs.writeFileSync(path.join(lbeDir, 'AGENT_CONTRACT.md'), agentContractContent());
-}
-
-// Migrate legacy root-level LBE files into .lbe/ so the workspace stays clean.
-function migrateLegacyRootFiles(cwd) {
-    const lbeDir = path.join(cwd, '.lbe');
-    fs.mkdirSync(lbeDir, { recursive: true });
-    const migrations = [
-        ['lbe.policy.json',    '.lbe/policy.json'],
-        ['lbe.workspace.json', '.lbe/workspace.json'],
-    ];
-    const removed = [];
-    for (const [src, dest] of migrations) {
-        const srcPath  = path.join(cwd, src);
-        const destPath = path.join(cwd, dest);
-        if (fs.existsSync(srcPath) && !fs.existsSync(destPath)) {
-            fs.renameSync(srcPath, destPath);
-            removed.push(src + ' → ' + dest);
-        } else if (fs.existsSync(srcPath)) {
-            fs.unlinkSync(srcPath);          // dest already exists — just drop the old file
-            removed.push(src + ' (removed — .lbe/ version exists)');
-        }
-    }
-    // Remove files that should never have been created in the project root
-    const toDelete = ['CLAUDE.md', path.join('.github', 'copilot-instructions.md')];
-    for (const rel of toDelete) {
-        const p = path.join(cwd, rel);
-        // Only remove if it contains the lbe-governance marker — don't touch user files
-        if (fs.existsSync(p)) {
-            const content = fs.readFileSync(p, 'utf8');
-            if (content.includes('lbe-governance') || content.includes('LetterBlack LBE')) {
-                fs.unlinkSync(p);
-                removed.push(rel + ' (removed — LBE-generated file)');
-            }
-        }
-    }
-    return removed;
-}
-
-// ─── Main ─────────────────────────────────────────────────────────────────────
-
-export async function initCommand(opts = {}) {
-    const cwd     = process.cwd();
-    const yes     = opts.yes || opts.y || !process.stdin.isTTY;
-    const lbeDir  = path.join(cwd, '.lbe');
-    fs.mkdirSync(lbeDir, { recursive: true });
-    const outPath = path.join(lbeDir, 'workspace.json');
-
-    // 1. Scan
-    console.log('\nScanning workspace...\n');
-    const { projectTypes, primaryType, semantics, enforcement } = scanWorkspace(cwd);
-
-    // 2. Show summary
-    console.log(formatSummary(projectTypes, semantics, enforcement));
-    console.log('');
-
-    // 3. Ask once (unless --yes or non-interactive)
-    let finalEnforcement = enforcement;
-    if (!yes) {
-        const answer = await ask('Accept? [Y = accept / s = strict / r = relaxed / n = cancel] ');
-        if (answer === 'n') {
-            console.log('Cancelled.');
-            return { success: false };
-        }
-        if (answer === 's') finalEnforcement = applyStrict(enforcement);
-        if (answer === 'r') finalEnforcement = applyRelaxed(enforcement);
-    }
-
-    // 4. Write lbe.workspace.json
-    const contract = {
-        lbe:         true,
-        version:     '0.4.0',
-        state:       'local',
-        projectTypes,
-        primaryType,
-        semantics,
-        enforcement: finalEnforcement,
-    };
-    fs.writeFileSync(outPath, JSON.stringify(contract, null, 2));
-    console.log('✓ Wrote .lbe/workspace.json');
-
-    // 5. Crypto setup (silent)
-    setupCrypto(cwd);
-    const localPolicyPath = path.join(lbeDir, 'policy.json');
-    if (!fs.existsSync(localPolicyPath)) {
-        fs.writeFileSync(localPolicyPath, JSON.stringify({ version: 1, mode: 'observe', workspace: cwd, rules: [] }, null, 2) + '\n');
-    }
-    const localAuditPath = path.join(lbeDir, 'audit.jsonl');
-    if (!fs.existsSync(localAuditPath)) fs.writeFileSync(localAuditPath, '');
-    console.log('✓ Keys and policy ready  (.lbe/)');
-
-    // 6. Agent contract inside .lbe/ only — no CLAUDE.md, no .github/ changes
-    writeAgentContract(cwd);
-    console.log('✓ Agent contract written  →  .lbe/AGENT_CONTRACT.md');
-
-    // 7. Migrate any legacy root files from previous LBE versions
-    const migrated = migrateLegacyRootFiles(cwd);
-    if (migrated.length) {
-        console.log('\n✓ Migrated legacy files:');
-        for (const m of migrated) console.log('  ' + m);
-    }
-
-    console.log('\nDone. All LBE state is in .lbe/');
-    console.log('Run  npx lbe-exec status  to verify.\n');
-
-    return { success: true, contract };
-}

package/src/cli/commands/integrityCheck.js

@@ -1,57 +0,0 @@
-// src/cli/commands/integrityCheck.js
-// Controller integrity commands
-
-import path from 'path';
-import { performIntegrityCheck, writeIntegrityManifest } from '../../core/integrity.js';
-
-function toBoolean(value, defaultValue = false) {
-    if (value === undefined) return defaultValue;
-    if (value === true || value === false) return value;
-    const normalized = String(value).trim().toLowerCase();
-    if (normalized === 'true' || normalized === '1' || normalized === 'yes') return true;
-    if (normalized === 'false' || normalized === '0' || normalized === 'no') return false;
-    return defaultValue;
-}
-
-export async function integrityCheckCommand(opts) {
-    const strict = toBoolean(opts.strict, false) || toBoolean(opts['integrity-strict'], false);
-    const manifestPath = opts.manifest
-        ? path.resolve(opts.manifest)
-        : path.resolve(opts['integrity-manifest'] || '.lbe/config/integrity.manifest.json');
-    const jsonOutput = toBoolean(opts.json, true);
-
-    const result = await performIntegrityCheck({
-        manifestPath,
-        strict
-    });
-
-    if (jsonOutput) {
-        console.log(JSON.stringify({
-            ok: result.valid,
-            valid: result.valid,
-            skipped: result.skipped === true,
-            strict,
-            manifestPath,
-            checkedFiles: result.checkedFiles,
-            mismatches: result.mismatches || [],
-            missing: result.missing || [],
-            reason: result.reason || null,
-            message: result.message
-        }, null, 2));
-    } else {
-        console.log(result.message);
-    }
-
-    process.exit(result.valid ? 0 : 8);
-}
-
-export async function integrityGenerateCommand(opts) {
-    const outputPath = path.resolve(opts.out || opts.output || opts.manifest || '.lbe/config/integrity.manifest.json');
-    const result = writeIntegrityManifest({ outputPath });
-    console.log(JSON.stringify({
-        ok: true,
-        outputPath: result.outputPath,
-        fileCount: result.fileCount
-    }, null, 2));
-    process.exit(0);
-}

package/src/cli/commands/logs.js

@@ -1,53 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { resolveWorkspaceState } from '../../state/index.js';
-
-const DEFAULT_LIMIT = 20;
-
-/**
- * lbe logs [--limit <n>]
- *
- * Reads central lbe-events.jsonl and prints the last N entries.
- * If the file does not exist, prints a clear "not yet" message — it means
- * hook dual-write (alpha2 of the hook change) has not been enabled yet.
- *
- * Reads only. Does not write, migrate, or modify anything.
- *
- * @returns {{ eventsPath, count, entries, missing }}
- */
-export async function logsCommand(opts) {
-    const workspaceRoot = path.resolve(opts.root || process.cwd());
-    const { paths } = resolveWorkspaceState(workspaceRoot);
-    const limit = opts.limit ? parseInt(opts.limit, 10) : DEFAULT_LIMIT;
-
-    if (!fs.existsSync(paths.events)) {
-        console.log('\nLBE Central Logs');
-        console.log('  No central logs yet. Hook dual-write not enabled.');
-        console.log(`  Expected at: ${paths.events}`);
-        console.log('');
-        return { eventsPath: paths.events, count: 0, entries: [], missing: true };
-    }
-
-    const raw = fs.readFileSync(paths.events, 'utf8').trim();
-    const lines = raw ? raw.split('\n') : [];
-
-    const entries = lines
-        .map(line => { try { return JSON.parse(line); } catch (_) { return null; } })
-        .filter(Boolean);
-
-    const tail = entries.slice(-limit);
-
-    console.log(`\nLBE Central Logs — last ${tail.length} of ${entries.length} entries`);
-    console.log(`  source: ${paths.events}\n`);
-
-    for (const entry of tail) {
-        const ts     = entry.ts ? new Date(entry.ts * 1000).toISOString() : '?';
-        const action = entry.action   || '?';
-        const dec    = entry.decision || '?';
-        const target = entry.path || entry.cmd || '';
-        console.log(`  [${ts}] ${dec.toUpperCase().padEnd(5)} ${action} ${target}`);
-    }
-    console.log('');
-
-    return { eventsPath: paths.events, count: entries.length, entries: tail, missing: false };
-}

package/src/cli/commands/openState.js

@@ -1,44 +0,0 @@
-import { spawnSync } from 'node:child_process';
-import path from 'node:path';
-import { resolveWorkspaceState } from '../../state/index.js';
-
-/**
- * lbe open-state
- *
- * Resolves the central state directory and opens it in the system file manager.
- * Always prints the path regardless of whether the open succeeds — so the user
- * can copy-paste it even if the file manager call fails.
- *
- * Set env LBE_NO_OPEN=1 to skip the subprocess (used in tests and CI).
- *
- * @returns {{ stateDir, opened }}
- */
-export async function openStateCommand(opts) {
-    const workspaceRoot = path.resolve(opts.root || process.cwd());
-    const { stateDir } = resolveWorkspaceState(workspaceRoot);
-
-    console.log(`\nLBE Central State Directory`);
-    console.log(`  ${stateDir}\n`);
-
-    if (process.env.LBE_NO_OPEN === '1') {
-        return { stateDir, opened: false };
-    }
-
-    let opened = false;
-    try {
-        if (process.platform === 'win32') {
-            spawnSync('explorer.exe', [stateDir], { detached: true, stdio: 'ignore' });
-            opened = true;
-        } else if (process.platform === 'darwin') {
-            spawnSync('open', [stateDir], { detached: true, stdio: 'ignore' });
-            opened = true;
-        } else {
-            spawnSync('xdg-open', [stateDir], { detached: true, stdio: 'ignore' });
-            opened = true;
-        }
-    } catch (_) {
-        // Non-fatal — path was already printed above.
-    }
-
-    return { stateDir, opened };
-}

package/src/cli/commands/policyAdd.js

@@ -1,8 +0,0 @@
-import { addLocalPolicyRule } from '../../core/localPolicy.js';
-
-export async function policyAddCommand(opts = {}) {
-    const result = addLocalPolicyRule(opts.root || process.cwd(), {
-        effect: opts.effect, type: opts.type, pattern: opts.pattern, from: opts.from
-    }, opts.mode);
-    console.log(JSON.stringify(result, null, 2));
-}

package/src/cli/commands/policyMode.js

@@ -1,7 +0,0 @@
-import { loadLocalPolicy, writeLocalPolicy } from '../../core/localPolicy.js';
-
-export async function policyModeCommand(mode, opts = {}) {
-    const loaded = loadLocalPolicy(opts.root || process.cwd(), mode);
-    writeLocalPolicy(loaded.root, { ...loaded.policy, mode });
-    console.log(JSON.stringify({ mode, policy: loaded.policyPath }, null, 2));
-}

package/src/cli/commands/policySign.js

@@ -1,72 +0,0 @@
-// src/cli/commands/policySign.js
-// Sign policy.json and write signature envelope
-
-import fs from 'fs';
-import path from 'path';
-import { createPolicySignatureEnvelope } from '../../core/policySignature.js';
-
-export async function policySignCommand(opts) {
-    const policyPath = path.resolve(opts.config || opts.policy || '.lbe/config/policy.default.json');
-    const sigPath = path.resolve(opts['policy-sig'] || '.lbe/config/policy.sig.json');
-    const secretKeyPath = path.resolve(opts['secret-key-file'] || '.lbe/keys/secret.key');
-    const keyId = String(opts['policy-key-id'] || 'policy-signer-v1-2026Q1');
-
-    if (!fs.existsSync(policyPath)) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'POLICY_FILE_MISSING',
-            message: `Policy file not found: ${policyPath}`
-        }, null, 2));
-        process.exit(1);
-    }
-
-    if (!fs.existsSync(secretKeyPath)) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'SECRET_KEY_MISSING',
-            message: `Secret key file not found: ${secretKeyPath}`
-        }, null, 2));
-        process.exit(1);
-    }
-
-    const policyObj = JSON.parse(fs.readFileSync(policyPath, 'utf8'));
-    if (typeof policyObj.version === 'undefined' || typeof policyObj.createdAt === 'undefined') {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'POLICY_VERSION_METADATA_MISSING',
-            message: 'Policy must include version and createdAt before signing'
-        }, null, 2));
-        process.exit(8);
-    }
-
-    const secretKeyB64 = fs.readFileSync(secretKeyPath, 'utf8').trim();
-    const signResult = createPolicySignatureEnvelope({
-        policyObj,
-        secretKeyB64,
-        keyId
-    });
-
-    if (!signResult.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: signResult.reason || 'POLICY_SIGN_FAILED',
-            message: signResult.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    const outDir = path.dirname(sigPath);
-    if (!fs.existsSync(outDir)) {
-        fs.mkdirSync(outDir, { recursive: true });
-    }
-    fs.writeFileSync(sigPath, JSON.stringify(signResult.envelope, null, 2));
-
-    console.log(JSON.stringify({
-        status: 'ok',
-        message: 'Policy signature written',
-        policy: policyPath,
-        policySig: sigPath,
-        keyId
-    }, null, 2));
-    process.exit(0);
-}

package/src/cli/commands/proof.js

@@ -1,122 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import os from 'node:os';
-import { resolveWorkspaceState } from '../../state/index.js';
-import { loadLatestProof } from '../../state/proofRunner.js';
-
-// Fields that must NEVER appear in public proof output
-const REDACT_FIELDS = new Set([
-    'files_changed', 'failures', 'workspace', 'stateDir',
-    'target_id', 'intent_id',
-]);
-
-function redactPath(p) {
-    if (!p || typeof p !== 'string') return p;
-    // Replace home dir with ~, then remove machine-specific prefix
-    const home     = os.homedir().replace(/\\/g, '/');
-    const pNorm    = p.replace(/\\/g, '/');
-    const relative = pNorm.startsWith(home + '/')
-        ? '~/' + pNorm.slice(home.length + 1)
-        : pNorm;
-    // Only keep the last two path segments
-    const parts = relative.replace(/\\/g, '/').split('/');
-    return parts.length > 2 ? '…/' + parts.slice(-2).join('/') : relative;
-}
-
-function buildPublicProof(proof, targets) {
-    const lastTarget = Array.isArray(targets) && targets.length > 0
-        ? targets[targets.length - 1]
-        : null;
-
-    // Redact: only expose safe, non-identifying fields
-    const pub = {
-        result:      proof.result,
-        profile:     proof.profile,
-        checks:      proof.checks_run || [],
-        allow_deny:  (proof.failures && proof.failures.length > 0) ? 'deny' : 'allow',
-    };
-
-    if (lastTarget) {
-        pub.target_type  = lastTarget.kind        || null;
-        pub.target_label = lastTarget.label       || null;
-        // component_file is a relative path — safe to include as-is
-        pub.target_file  = lastTarget.component_file || null;
-    }
-
-    // Include failure reasons but NOT the raw file paths
-    if (proof.failures && proof.failures.length > 0) {
-        pub.failure_reasons = proof.failures.map(f => ({ check: f.check, reason: f.reason }));
-    }
-
-    return pub;
-}
-
-/**
- * lbe proof [--json] [--public] [--root <path>]
- *
- * Reads proof/latest.json from the central state store and prints it.
- * Does not re-run proof; use the programmatic API for that.
- *
- * @returns {{ result, profile, found } | null}
- */
-export async function proofCommand(opts) {
-    const workspaceRoot = path.resolve(opts.root || process.cwd());
-    const { stateDir, workspaceId, paths } = resolveWorkspaceState(workspaceRoot);
-
-    const proof = loadLatestProof(stateDir);
-    const isPublic = opts.public === true || opts.public === 'true';
-    const isJson   = opts.json   === true || opts.json   === 'true' || isPublic;
-
-    if (!proof) {
-        if (isJson) {
-            console.log(JSON.stringify({ found: false, message: 'No proof record found. Run lbe proof after using the hook.' }, null, 2));
-        } else {
-            console.log('\nNo proof record found.');
-            console.log('Use the hook-protected workflow and then run: lbe proof\n');
-        }
-        return { found: false };
-    }
-
-    // Load targets for public redaction
-    let targets = [];
-    if (isPublic) {
-        const targetPath = path.join(stateDir, 'target_registry.jsonl');
-        if (fs.existsSync(targetPath)) {
-            const raw = fs.readFileSync(targetPath, 'utf8').trim();
-            targets = raw ? raw.split('\n').reduce((acc, l) => {
-                try { acc.push(JSON.parse(l)); } catch (_) {}
-                return acc;
-            }, []) : [];
-        }
-    }
-
-    if (isPublic) {
-        const pub = buildPublicProof(proof, targets);
-        console.log(JSON.stringify(pub, null, 2));
-        return { found: true, result: proof.result, profile: proof.profile, public: true };
-    }
-
-    if (isJson) {
-        console.log(JSON.stringify(proof, null, 2));
-        return { found: true, result: proof.result, profile: proof.profile };
-    }
-
-    // Human-readable output
-    const resultMark = proof.result === 'PASS' ? '✓' : proof.result === 'WEAK_PROOF' ? '⚠' : '✗';
-    const workspace  = path.basename(workspaceRoot);
-    console.log(`\nLBE Proof — ${workspace}`);
-    console.log(`  Result         ${resultMark} ${proof.result}`);
-    console.log(`  Profile        ${proof.profile}`);
-    console.log(`  Changed files  ${(proof.files_changed || []).length}`);
-    console.log(`  Checks run     ${(proof.checks_run || []).join(', ')}`);
-    if (proof.failures && proof.failures.length > 0) {
-        console.log(`  Failures       ${proof.failures.length}`);
-        for (const f of proof.failures) {
-            console.log(`    • [${f.check}] ${f.reason}${f.file ? ': ' + f.file : ''}`);
-        }
-    }
-    console.log(`  Recorded at    ${proof.ts}`);
-    console.log('');
-
-    return { found: true, result: proof.result, profile: proof.profile };
-}