@letterblack/lbe-core 1.3.26 → 1.3.28

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.3.28 — 2026-06-25
+
+### Fixed
+- Fixed public mirror README source: updated `release/README.md` (the template read by `build-public-sdk.mjs`) instead of `release-public/README.md` which is overwritten at build time. README now accurately documents the 6 real CLI commands, programmatic API, request/response shape, and package contents.
+
+## 1.3.27 — 2026-06-25
+
+### Changed
+- Rewrote public mirror README to accurately reflect the 6 real CLI commands, programmatic API, request/response shape, and what ships in the package. Removed all phantom commands and stale package references.
+
 ## 1.3.26 — 2026-06-25
 
 ### Fixed

package/Release-README.md

@@ -1,6 +1,6 @@
 # @letterblack/lbe-core
 
-**Release 1.3.26**
+**Release 1.3.28**
 
 LBE is local execution control for AI agents. It evaluates file and shell
 actions routed through its execution boundary, records local evidence, and

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@letterblack/lbe-core",
-  "version": "1.3.26",
+  "version": "1.3.28",
   "description": "Local-first execution governance SDK for AI agents. Agents propose → Controller validates → Adapters execute.",
   "type": "module",
   "main": "index.js",
@@ -74,5 +74,5 @@
   "directories": {
     "doc": "docs"
   },
-  "gitHead": "5e49100b365521086fb845d36a98a17165184bad"
+  "gitHead": "3ab9a74084e1e4f067d65223d4a3d632b3a8a3e7"
 }

package/release/README.md

@@ -1,216 +1,215 @@
 # {{PACKAGE_NAME}}
 
-LBE is local execution control for AI agents. It evaluates file and shell
-actions routed through its execution boundary and records local evidence.
-It is not an AI model, IDE, full OS sandbox, or cloud monitor.
+**Local execution control for AI agents.**
 
-## Setup
+LBE sits between what an AI agent proposes and what your system executes. Every action is validated against a local policy before it runs. No cloud service. No daemon. Evidence stays on your machine.
+
+---
+
+## Install
 
 ```bash
 npm install {{PACKAGE_NAME}}
-npx lbe init
-npx lbe status
-npx lbe logs
-npx lbe proof --public
-npx lbe open-state
 ```
 
-State is stored locally in a central per-user folder, keyed by workspace ID.
-In v1.3, `.lbe/events.jsonl` remains local fallback truth and is imported once
-without changing the original file. Proof uses intent, target, file index, LBE
-events, and `proof/latest.json`; `--public` redacts sensitive proof details.
-
-LBE controls only actions routed through its execution boundary. Central writes
-are best-effort, logs remain local, and non-inspectable targets may produce
-`WEAK_PROOF`.
+Requires Node.js >= 20.9.0.
 
 ---
 
-LBE puts a local policy gate between what an AI agent proposes and what the system actually executes. Every action — file write, shell command, anything — is validated locally before it runs. No cloud service. No daemon.
+## Quick start
 
-> **Used in production:** LBE is the safety engine inside [Letterblack for After Effects](https://letterblack.net) — every AI-generated script and automation command passes through it before touching a live project.
+```bash
+npx lbe init      # create policy file in observer mode
+npx lbe status    # show current policy and workspace state
+npx lbe enforce   # switch to blocking mode when ready
+```
 
 ---
 
-## Which package do you need?
-
-| I want… | Package |
-|---|---|
-| LBE to handle file writes and shell commands for me (full controller) | `@letterblack/lbe-exec` |
-| Just the allow/deny decision — I'll execute it myself | `@letterblack/lbe-sdk` ← you are here |
+## How it works
 
----
+Every request passes through a 7-gate validation pipeline inside a local WASM runtime. If any gate fails, the request is denied before anything executes.
 
-## Install
-
-```bash
-npm install {{PACKAGE_NAME}}
+```
+[1] Schema         required fields and structure
+[2] Timestamp      clock-skew within ±10 minutes
+[3] Key lifecycle  trusted key, active, not expired
+[4] Signature      Ed25519 request authenticity
+[5] Rate limit     per-requester sliding-window limit
+[6] Nonce          single-use replay protection
+[7] Policy         configured rules — deny always wins
+        ↓
+allow / deny — structured result returned to your host
 ```
 
-Requires Node.js ≥ 20.9.0.
+Your host receives the decision and acts on it. Nothing executes inside the runtime.
 
 ---
 
-## Quick start
+## CLI reference
 
-```js
-import { execute } from '{{PACKAGE_NAME}}';
+| Command | What it does |
+|---|---|
+| `npx lbe init` | Create `lbe.policy.json` in observer mode |
+| `npx lbe status` | Show policy mode, rules, and workspace state |
+| `npx lbe policy` | Print the current policy file |
+| `npx lbe observe` | Switch to advisory mode — logs but does not block |
+| `npx lbe enforce` | Switch to blocking mode — denies policy violations |
+| `npx lbe execute` | Validate a JSON proposal from stdin |
+| `npx lbe execute --input <file>` | Validate a JSON proposal from a file |
 
-const request = {
-  version: '1.0',
-  request_id: 'req-001',
-  timestamp: Math.floor(Date.now() / 1000),
-  actor: { id: 'agent:local', role: 'agent' },
-  intent: { type: 'command', name: 'write_file', payload: { target: 'out.txt' } },
-  context: { workspace: process.cwd(), env: {}, history: [] },
-  constraints: { policy_mode: 'strict', timeout_ms: 5000 },
-  auth: { signature: '<host-signed>', nonce: '<unique-per-request>' }
-};
-
-const result = JSON.parse(execute(JSON.stringify(request)));
-// Approved:  { ok: true,  decision: 'allow', ... }
-// Blocked:   { ok: false, decision: 'deny',  error: { stage, message } }
-```
+Start in observer mode. Watch what your agent proposes. Add deny rules. Switch to enforce when you are confident in the policy.
 
-`execute(input: string): string` — accepts JSON, returns JSON. The runtime validates and returns a decision. The host acts on the decision.
+---
+
+## Observer mode
 
-### Request fields
+Not ready to block? `init` creates the policy in observer mode. LBE validates every request and writes audit entries — but nothing is blocked. You see exactly what the agent is doing before you decide what to deny.
 
-| Field | Required | Description |
-|---|---:|---|
-| `version` | Yes | `"1.0"` |
-| `request_id` | Yes | Caller-supplied unique identifier |
-| `timestamp` | Yes | Unix timestamp in seconds |
-| `actor` | Yes | `{ id, role }` — identity of the requesting agent |
-| `intent` | Yes | `{ type, name, payload }` — what the agent wants to do |
-| `context` | Yes | Workspace path and caller context |
-| `constraints` | Yes | `policy_mode` and `timeout_ms` |
-| `auth` | Yes | Host-supplied `signature` and `nonce` |
+```bash
+npx lbe init       # observer mode on by default
+npx lbe status     # confirm mode: observe
+npx lbe enforce    # block when ready
+npx lbe observe    # back to advisory if needed
+```
 
 ---
 
-## Observer mode — start here
+## Validating a request
 
-Not ready to block? Start in observer mode. Every request is fully validated and logged exactly as it would be in enforcement — but nothing is blocked. Watch what the agent is doing before you decide what to deny.
+`execute` accepts a JSON proposal on stdin or via `--input <file>` and returns a structured decision.
 
 ```bash
-npx lbe init      # create lbe.policy.json in observer mode
-npx lbe enforce   # switch to blocking
-npx lbe observe   # switch back to advisory
+# from a file
+npx lbe execute --input proposal.json
+
+# from stdin
+echo '{"version":"1.0",...}' | npx lbe execute
 ```
 
----
+Exit code `0` = allowed. Exit code `1` = denied. Exit code `2` = bad input.
+
+### Minimal request shape
+
+```json
+{
+  "version": "1.0",
+  "request_id": "req-001",
+  "timestamp": 1700000000,
+  "actor": { "id": "agent:local", "role": "agent" },
+  "intent": {
+    "type": "command",
+    "name": "write_file",
+    "payload": { "target": "out.txt" }
+  },
+  "context": { "workspace": "/your/project", "env": {}, "history": [] },
+  "constraints": { "policy_mode": "strict", "timeout_ms": 5000 },
+  "auth": { "signature": "<host-signed>", "nonce": "<unique-per-request>" }
+}
+```
 
-## CLI reference
+### Decision response
 
-| Command | Purpose |
-|---|---|
-| `npx lbe init` | Create project-local policy and key state in observer mode |
-| `npx lbe policy-add` | Add a rule to the active policy |
-| `npx lbe observe` | Set advisory (log-only) mode |
-| `npx lbe enforce` | Set blocking mode |
-| `npx lbe run` | Validate and execute a proposal from `--in <file>` |
-| `npx lbe verify` | Validate a proposal without executing |
-| `npx lbe dryrun` | Validate and simulate without executing |
-| `npx lbe health` | Check all required files are present and readable |
-| `npx lbe audit-verify` | Verify the audit log hash chain |
+```json
+{
+  "ok": true,
+  "decision": "allow",
+  "request_id": "req-001",
+  "result": { "type": "allowed" }
+}
+```
+
+```json
+{
+  "ok": false,
+  "decision": "deny",
+  "request_id": "req-001",
+  "error": { "stage": "policy", "message": "rule:deny_outside_workspace" }
+}
+```
 
 ---
 
-## How the gate pipeline works
+## Programmatic API
 
-![LBE gate sequence — Request flows through Policy, Identity, and Scope gates before reaching Action. A rejected request is routed to denial before it reaches execution.](https://unpkg.com/@letterblack/lbe-exec/assets/lbe-gates.jpg)
+```js
+import { execute } from '{{PACKAGE_NAME}}';
 
-Every request enters a 7-gate pipeline. A failure at any gate returns a structured denial — the remaining gates are not evaluated.
+const result = JSON.parse(execute(JSON.stringify(proposal)));
 
-```
-[1] Schema         required fields and structural validity
-        ↓
-[2] Timestamp      permitted clock-skew window (±10 minutes)
-        ↓
-[3] Key lifecycle  trusted key, active, not expired
-        ↓
-[4] Signature      Ed25519 request authenticity
-        ↓
-[5] Rate limit     per-requester sliding-window limit
-        ↓
-[6] Nonce          single-use replay protection
-        ↓
-[7] Policy         configured authorization (deny-wins)
-        ↓
-  allow / deny / error — structured result returned to host
+if (result.decision === 'allow') {
+  // safe to act
+} else {
+  // blocked — result.error has the gate and reason
+}
 ```
 
-The WASM runtime owns all gate decisions. Your host receives the decision and acts on it. Nothing executes inside the runtime.
+`execute(input: string): string` — accepts JSON, returns JSON. Synchronous. The WASM runtime owns all gate decisions.
 
 ---
 
-## When a request is approved
+## What ships in this package
 
-![Happy path — agent proposes action, identity confirmed, policy approved, governed write executed, audit chain extended, result returned to app.](https://unpkg.com/@letterblack/lbe-exec/assets/story-allow.jpg)
+```
+dist/index.js          WebAssembly runtime loader — exports execute()
+dist/cli.js            CLI (npx lbe)
+dist/lbe_engine.wasm   Verified runtime binary
+dist/wasm.lock.json    Runtime integrity lock (SHA-256 of wasm binary)
+assets/lbe-gates.jpg        Gate sequence diagram
+assets/story-allow.jpg      Approved-request flow
+assets/story-deny.jpg       Blocked-request flow
+assets/runtime-boundary.svg Runtime boundary diagram
+types.d.ts             TypeScript declarations
+LICENSE
+```
 
-1. The agent produces a signed action proposal.
-2. Identity is confirmed against a locally held key — no network call required.
-3. The project policy is evaluated. The action is approved.
-4. The host executes the write or command inside the allowed workspace.
-5. The audit chain is extended — every approved action appends a hash-linked entry to the local log, permanently verifiable, impossible to silently remove.
-6. A structured result returns: whether it succeeded, which rules matched, and the audit entry identifier.
+At load time the runtime verifies `lbe_engine.wasm` against `wasm.lock.json`. A missing, modified, or swapped binary fails before any request is processed.
 
-The application stays in control. {{PACKAGE_NAME}} decides whether the action was permitted and hands the answer back. It does not execute for you.
+Source code, tests, keys, internal adapters, and workspace state are not included.
 
 ---
 
-## When a request is blocked
+## Gate pipeline — approved request
 
-![Deny path — policy rejection before a governed action, shell untouched, filesystem unchanged, audit entry written, final state clean.](https://unpkg.com/@letterblack/lbe-exec/assets/story-deny.jpg)
+![LBE gate sequence — schema, timestamp, key, signature, rate limit, nonce, policy](./assets/lbe-gates.jpg)
 
-1. The agent proposes an action that is outside the permitted policy.
-2. The policy gate closes immediately. The WASM runtime stamps the request denied before any adapter is reached.
-3. The shell is untouched. The filesystem is unchanged.
-4. The denial is written to the immutable audit log — chain sealed, evidence preserved.
-
-No partial execution. No silent failures. Denial is a first-class outcome, not an error.
+1. Agent produces a signed action proposal.
+2. Identity confirmed against a locally held key — no network call.
+3. Policy evaluated. Request approved.
+4. Host executes inside the allowed workspace.
+5. Audit entry appended to local hash-linked log.
 
 ---
 
-## What this covers
+## Gate pipeline — denied request
 
-| Threat | Gate |
-|---|---|
-| Malformed or incomplete request | Schema |
-| Stale or replayed request | Timestamp + Nonce |
-| Tampered or expired key | Key lifecycle + Signature |
-| Excessive requests from one actor | Rate limit |
-| Action not permitted by project policy | Policy — deny-wins |
-| Agent writing outside project root | Scope check in host after decision |
+![Blocked-request flow — policy gate closes, nothing reaches execution](./assets/story-deny.jpg)
 
----
+1. Agent proposes an action outside the permitted policy.
+2. Policy gate closes. WASM runtime returns denied before any adapter runs.
+3. Shell untouched. Filesystem unchanged.
+4. Denial written to audit log — chain sealed.
 
-## What ships
+No partial execution. Denial is a first-class outcome.
 
-```
-dist/index.js               WebAssembly runtime loader and execute()
-dist/cli.js                 Local CLI (npx lbe)
-dist/lbe_engine.wasm        Verified runtime binary
-dist/wasm.lock.json         Runtime integrity lock (SHA-256 of wasm binary)
-assets/lbe-gates.jpg        Gate sequence diagram
-assets/story-allow.jpg      Approved-request storyboard
-assets/story-deny.jpg       Blocked-request storyboard
-assets/runtime-boundary.svg Runtime boundary diagram
-assets/lbe-gates.png        Gate sequence diagram (full resolution)
-assets/story-allow.png      Approved-request storyboard (full resolution)
-assets/story-deny.png       Blocked-request storyboard (full resolution)
-types.d.ts                  TypeScript declarations
-```
+---
 
-At load time the runtime verifies `lbe_engine.wasm` against `wasm.lock.json`. A missing, modified, or swapped binary fails before any request is processed.
+## What LBE does not do
+
+- Kernel-level process isolation
+- Network-egress control
+- Multi-tenant separation
+- Cloud monitoring or hosted control plane
+- Universal control over tools not routed through LBE
 
-Source code, controller implementation, adapters, tests, keys, and runtime state are not included.
+LBE controls only actions that pass through its execution boundary.
 
 ---
 
 ## Limits
 
-This package validates requests routed through its runtime. It does not provide kernel-level process isolation, network-egress control, multi-tenant separation, or a hosted control plane.
+Central writes are best-effort. Local logs remain local. Non-inspectable targets may produce `WEAK_PROOF`. Rate and nonce state is per-process unless you supply a shared database path.
+
+---
 
-For an in-process controller with file operations, shell, and policy management built in, see `@letterblack/lbe-exec`.
+**Used in production:** LBE is the safety engine inside [Letterblack for After Effects](https://letterblack.net) — every AI-generated script and automation command passes through it before touching a live project.