@letterblack/lbe-core 1.3.3 → 1.3.4

package/runtime/engine.js

@@ -1,322 +0,0 @@
-// Runtime boundary for the compiled governance engine.
-// All governance decisions route through here — the WASM module owns the logic.
-
-import fs from 'fs';
-import path from 'path';
-import { fileURLToPath } from 'url';
-
-const runtimeDir = path.dirname(fileURLToPath(import.meta.url));
-const wasmPath = path.join(runtimeDir, 'lbe_engine.wasm');
-
-// ── Result tables (error code → message) ─────────────────────────────────────
-// These map WASM integer codes to human-readable reasons for the JS surface.
-
-const POLICY_MESSAGES = {
-    0: { allowed: true,  reason: null,                          message: 'Policy check passed' },
-    1: { allowed: false, reason: 'POLICY_NOT_CONFIGURED',       message: 'No policy configured' },
-    2: { allowed: false, reason: 'REQUESTER_NOT_ALLOWED',       message: 'Requester not in policy' },
-    3: { allowed: false, reason: 'COMMAND_NOT_ALLOWED',         message: 'Command not allowed for requester' },
-    4: { allowed: false, reason: 'ADAPTER_NOT_ALLOWED',         message: 'Adapter not allowed' },
-    5: { allowed: false, reason: 'NO_FILESYSTEM_ROOTS_DEFINED', message: 'No filesystem roots defined for requester' },
-    6: { allowed: false, reason: 'CWD_OUTSIDE_ALLOWED_ROOT',    message: 'Path not under allowed roots' },
-    7: { allowed: false, reason: 'PATH_DENIED_BY_PATTERN',      message: 'Path matches deny pattern' },
-    8: { allowed: false, reason: 'SHELL_CMD_DENIED',            message: 'Shell command not allowed' },
-};
-
-const SCHEMA_MESSAGES = {
-    0:  { valid: true,  error: null },
-    1:  { valid: false, error: 'Missing required field: id' },
-    2:  { valid: false, error: 'Missing required field: commandId' },
-    3:  { valid: false, error: 'Missing required field: requesterId' },
-    4:  { valid: false, error: 'Missing required field: sessionId' },
-    5:  { valid: false, error: 'Missing required field: timestamp' },
-    6:  { valid: false, error: 'Missing required field: nonce' },
-    7:  { valid: false, error: 'Missing required field: requires' },
-    8:  { valid: false, error: 'Missing required field: payload' },
-    9:  { valid: false, error: 'Missing required field: signature' },
-    10: { valid: false, error: "Field 'id' is invalid" },
-    11: { valid: false, error: "Field 'commandId' is invalid" },
-    12: { valid: false, error: "Field 'requesterId' is invalid" },
-    13: { valid: false, error: "Field 'sessionId' is invalid" },
-    14: { valid: false, error: "Field 'timestamp' is invalid" },
-    15: { valid: false, error: "Field 'nonce' is invalid" },
-    16: { valid: false, error: "Field 'requires' is invalid" },
-    17: { valid: false, error: 'payload: missing required field: adapter' },
-    18: { valid: false, error: "payload: field 'adapter' is invalid" },
-    19: { valid: false, error: 'signature: missing required field: alg' },
-    20: { valid: false, error: 'signature: missing required field: keyId' },
-    21: { valid: false, error: 'signature: missing required field: sig' },
-    22: { valid: false, error: "signature: field 'alg' must be ed25519" },
-    23: { valid: false, error: "signature: field 'sig' is invalid" },
-    24: { valid: false, error: "Field 'risk' is invalid" },
-};
-
-const KEY_REASONS = {
-    1: 'KEY_ID_INVALID',
-    2: 'KEY_NOT_TRUSTED',
-    3: 'KEY_DEPRECATED',
-    4: 'KEY_REQUESTER_MISMATCH',
-    5: 'KEY_LIFECYCLE_INVALID',
-    6: 'KEY_NOT_YET_VALID',
-    7: 'KEY_EXPIRED',
-};
-
-const PIPELINE_STAGES = {
-    0: 'schema',
-    1: 'timestamp',
-    2: 'key',
-    3: 'signature',
-    4: 'rate_limit',
-    5: 'nonce',
-    6: 'policy',
-    255: 'ok',
-};
-
-const RISK_LABELS = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
-const COMMAND_TYPE = { ECHO: 0, READ_FILE: 1, WRITE_FILE: 2, PATCH_FILE: 3, DELETE_FILE: 4, RUN_SHELL: 5 };
-
-// ── WASM instance (lazy singleton) ────────────────────────────────────────────
-
-let _instance = null;
-
-function wasm() {
-    if (_instance) return _instance;
-    if (!fs.existsSync(wasmPath)) throw new Error(`LBE engine missing: ${wasmPath}`);
-    const bytes = fs.readFileSync(wasmPath);
-    _instance = new WebAssembly.Instance(new WebAssembly.Module(bytes), {});
-    return _instance;
-}
-
-function memory() {
-    return new Uint8Array(wasm().exports.memory.buffer);
-}
-
-function inPtr()  { return wasm().exports.lbe_in_ptr(); }
-function outPtr() { return wasm().exports.lbe_out_ptr(); }
-function bufSize(){ return wasm().exports.lbe_buf_size(); }
-
-// Write a UTF-8 string + null terminator into the WASM input buffer.
-function writeIn(str) {
-    const enc = new TextEncoder().encode(str);
-    const mem = memory();
-    const ptr = inPtr();
-    mem.set(enc, ptr);
-    mem[ptr + enc.length] = 0;
-}
-
-// Read a null-terminated UTF-8 string from the WASM output buffer.
-function readOut() {
-    const mem = memory();
-    const ptr = outPtr();
-    let end = ptr;
-    while (mem[end] !== 0 && end - ptr < bufSize()) end++;
-    return new TextDecoder().decode(mem.slice(ptr, end));
-}
-
-// Write raw bytes + null to input buffer (for audit hash — two segments).
-function writeInBinary(a, b) {
-    const mem = memory();
-    const ptr = inPtr();
-    let pos = ptr;
-    for (let i = 0; i < a.length; i++) mem[pos++] = a[i];
-    mem[pos++] = 0;
-    for (let i = 0; i < b.length; i++) mem[pos++] = b[i];
-    mem[pos] = 0;
-}
-
-// Write 48 u32 values (pipeline input struct) to input buffer.
-function writePipelineInput(fields) {
-    const mem = memory();
-    const ptr = inPtr();
-    const view = new DataView(mem.buffer, ptr);
-    fields.forEach((v, i) => view.setUint32(i * 4, v >>> 0, true));
-}
-
-// Read 2 u32 values (pipeline output struct) from output buffer.
-function readPipelineOutput() {
-    const mem = memory();
-    const ptr = outPtr();
-    const view = new DataView(mem.buffer, ptr);
-    return { stage: view.getUint32(0, true), code: view.getUint32(4, true) };
-}
-
-// ── Public engine API ─────────────────────────────────────────────────────────
-
-export function getRuntimeInfo() {
-    return { mode: 'wasm', available: fs.existsSync(wasmPath), wasmPath, localFirst: true };
-}
-
-export async function loadWasmEngine() {
-    return { ok: true, mode: 'wasm', version: wasm().exports.lbe_engine_version() };
-}
-
-/**
- * runValidationPipeline — full 4-gate validation in WASM.
- *
- * @param {object} flags  All pre-extracted flags for each gate.
- * @returns {{ stage, stageLabel, code, ok, policyResult, keyReason, schemaError }}
- */
-export function runValidationPipeline(flags) {
-    // Pack the 49-field input struct into IN_BUF as little-endian u32 values.
-    // Order must match lib.rs lbe_validate_pipeline documentation.
-    writePipelineInput([
-        // Schema flags [0..24]
-        flags.hasId          ? 1 : 0, flags.idValid          ? 1 : 0,
-        flags.hasCommandId   ? 1 : 0, flags.commandIdValid   ? 1 : 0,
-        flags.hasRequesterId ? 1 : 0, flags.requesterIdValid ? 1 : 0,
-        flags.hasSessionId   ? 1 : 0, flags.sessionIdValid   ? 1 : 0,
-        flags.hasTimestamp   ? 1 : 0, flags.timestampValid   ? 1 : 0,
-        flags.hasNonce       ? 1 : 0, flags.nonceValid       ? 1 : 0,
-        flags.hasRequires    ? 1 : 0, flags.requiresValid    ? 1 : 0,
-        flags.hasPayload     ? 1 : 0,
-        flags.hasPayloadAdapter   ? 1 : 0, flags.payloadAdapterValid  ? 1 : 0,
-        flags.hasSignature        ? 1 : 0,
-        flags.hasSignatureAlg     ? 1 : 0, flags.signatureAlgValid    ? 1 : 0,
-        flags.hasSignatureKeyId   ? 1 : 0,
-        flags.hasSignatureSig     ? 1 : 0, flags.signatureSigValid    ? 1 : 0,
-        flags.hasRisk ? 1 : 0, flags.riskValid ? 1 : 0,
-        // Timestamp [25..27]
-        flags.cmdTimestamp >>> 0, flags.nowSec >>> 0, flags.maxClockSkewSec >>> 0,
-        // Key lifecycle [28..34]
-        flags.keyIdFormatValid      ? 1 : 0,
-        flags.keyFound              ? 1 : 0,
-        flags.keyNotDeprecated      ? 1 : 0,
-        flags.keyRequesterMatches   ? 1 : 0,
-        flags.keyNotBeforeOk        ? 1 : 0,
-        flags.keyNotExpired         ? 1 : 0,
-        flags.keyLifecycleFieldsPresent ? 1 : 0,
-        // Signature [35]
-        flags.signatureValid ? 1 : 0,
-        // Rate limit [36..37]
-        flags.rateLimitOk ? 1 : 0, flags.rateLimitRetryAfterSec >>> 0,
-        // Nonce [38]
-        flags.nonceOk ? 1 : 0,
-        // Policy [39..48]
-        flags.policyConfigured     ? 1 : 0,
-        flags.requesterConfigured  ? 1 : 0,
-        flags.commandAllowed       ? 1 : 0,
-        flags.adapterAllowed       ? 1 : 0,
-        flags.filesystemRequired   ? 1 : 0,
-        flags.filesystemRootsDefined ? 1 : 0,
-        flags.filesystemOk         ? 1 : 0,
-        flags.pathDenied           ? 1 : 0,
-        flags.shellRequired        ? 1 : 0,
-        flags.shellCommandOk       ? 1 : 0,
-    ]);
-
-    wasm().exports.lbe_validate_pipeline();
-    const { stage, code } = readPipelineOutput();
-    const ok = stage === 255;
-
-    return {
-        ok,
-        stage,
-        stageLabel:  PIPELINE_STAGES[stage] || 'unknown',
-        code,
-        schemaError: stage === 0 ? (SCHEMA_MESSAGES[code]?.error || 'Schema invalid') : null,
-        keyReason:   stage === 2 ? (KEY_REASONS[code] || 'KEY_ERROR') : null,
-        policyResult:stage === 6 ? { ...(POLICY_MESSAGES[code] || POLICY_MESSAGES[1]), code } : null,
-        retryAfterSec: stage === 4 ? code : 0,
-        skewSec:     stage === 1 ? code : 0,
-    };
-}
-
-/**
- * checkNonce — delegates nonce deduplication to WASM.
- * Returns { ok, updatedEntriesText } where updatedEntriesText is the new serialised
- * nonce DB to persist (null when replay detected).
- */
-export function checkNonce({ ttlSec, nowSec, newKey, existingEntries }) {
-    const lines = [`${ttlSec}:${nowSec}`, newKey, ...existingEntries].join('\n') + '\n';
-    writeIn(lines);
-    const isReplay = wasm().exports.lbe_nonce_check() !== 0;
-    if (isReplay) return { ok: false, updatedEntriesText: null };
-    const out = readOut();
-    // Strip leading "OK\n"
-    return { ok: true, updatedEntriesText: out.startsWith('OK\n') ? out.slice(3) : out };
-}
-
-/**
- * checkRateLimit — delegates rate-limit sliding-window logic to WASM.
- * Returns { ok, retryAfterSec, updatedEntriesText }.
- */
-export function checkRateLimit({ windowSec, maxRequests, nowSec, requesterId, existingEntries }) {
-    const lines = [
-        `${windowSec}:${maxRequests}:${nowSec}`,
-        requesterId,
-        ...existingEntries,
-    ].join('\n') + '\n';
-    writeIn(lines);
-    const exceeded = wasm().exports.lbe_rate_check() !== 0;
-    const out = readOut();
-    if (exceeded) {
-        const retryAfterSec = parseInt(out.match(/^EXCEEDED:(\d+)/)?.[1] ?? '1', 10);
-        const entriesText = out.replace(/^EXCEEDED:\d+\n/, '');
-        return { ok: false, retryAfterSec, updatedEntriesText: entriesText };
-    }
-    return { ok: true, retryAfterSec: 0, updatedEntriesText: out.startsWith('OK\n') ? out.slice(3) : out };
-}
-
-/**
- * computeAuditHash — SHA-256 of (prevHash || entryJson) computed in WASM.
- */
-export function computeAuditHash(prevHash, entryJson) {
-    const enc = new TextEncoder();
-    writeInBinary(enc.encode(prevHash), enc.encode(entryJson));
-    wasm().exports.lbe_audit_hash();
-    return readOut().slice(0, 64); // 64-char hex string
-}
-
-/**
- * classifyRisk — risk level via WASM.
- * commandId: one of ECHO, READ_FILE, WRITE_FILE, PATCH_FILE, DELETE_FILE, RUN_SHELL
- */
-export function classifyRisk(commandId, shellCmdIsRm = false) {
-    const typeCode = COMMAND_TYPE[commandId] ?? 0;
-    const code = wasm().exports.lbe_classify_risk(typeCode, shellCmdIsRm ? 1 : 0);
-    return RISK_LABELS[code] ?? 'LOW';
-}
-
-/**
- * shouldRollback — rollback decision via WASM.
- */
-export function shouldRollback({ execFailed, postCheckFailed, backupExists, rollbackEnabled }) {
-    return wasm().exports.lbe_rollback_decision(
-        execFailed     ? 1 : 0,
-        postCheckFailed ? 1 : 0,
-        backupExists   ? 1 : 0,
-        rollbackEnabled ? 1 : 0
-    ) === 1;
-}
-
-// ── Legacy scalar exports (back-compat) ───────────────────────────────────────
-
-export function evaluatePolicyDecision(input) {
-    const code = wasm().exports.lbe_policy_decision(
-        input.policyConfigured    ? 1 : 0, input.requesterConfigured ? 1 : 0,
-        input.commandAllowed      ? 1 : 0, input.adapterAllowed      ? 1 : 0,
-        input.filesystemRequired  ? 1 : 0, input.filesystemRootsDefined ? 1 : 0,
-        input.filesystemOk        ? 1 : 0, input.pathDenied          ? 1 : 0,
-        input.shellRequired       ? 1 : 0, input.shellCommandOk      ? 1 : 0
-    );
-    return { ...(POLICY_MESSAGES[code] || POLICY_MESSAGES[1]), code };
-}
-
-export function evaluateSchemaDecision(input) {
-    const code = wasm().exports.lbe_schema_decision(
-        input.hasId             ? 1 : 0, input.idValid             ? 1 : 0,
-        input.hasCommandId      ? 1 : 0, input.commandIdValid      ? 1 : 0,
-        input.hasRequesterId    ? 1 : 0, input.requesterIdValid    ? 1 : 0,
-        input.hasSessionId      ? 1 : 0, input.sessionIdValid      ? 1 : 0,
-        input.hasTimestamp      ? 1 : 0, input.timestampValid      ? 1 : 0,
-        input.hasNonce          ? 1 : 0, input.nonceValid          ? 1 : 0,
-        input.hasRequires       ? 1 : 0, input.requiresValid       ? 1 : 0,
-        input.hasPayload        ? 1 : 0,
-        input.hasPayloadAdapter ? 1 : 0, input.payloadAdapterValid ? 1 : 0,
-        input.hasSignature      ? 1 : 0, input.hasSignatureAlg     ? 1 : 0,
-        input.signatureAlgValid ? 1 : 0, input.hasSignatureKeyId   ? 1 : 0,
-        input.hasSignatureSig   ? 1 : 0, input.signatureSigValid   ? 1 : 0,
-        input.hasRisk           ? 1 : 0, input.riskValid           ? 1 : 0
-    );
-    return { ...(SCHEMA_MESSAGES[code] || SCHEMA_MESSAGES[10]), code };
-}

package/src/cli/commands/auditVerify.js

@@ -1,36 +0,0 @@
-// src/cli/commands/auditVerify.js
-// Verify audit log hash-chain integrity
-
-import path from 'path';
-import { verifyAuditLogIntegrity } from '../../core/auditLog.js';
-
-function toBoolean(value, defaultValue) {
-    if (value === undefined) return defaultValue;
-    if (value === true || value === false) return value;
-    const normalized = String(value).trim().toLowerCase();
-    if (normalized === 'true' || normalized === '1' || normalized === 'yes') return true;
-    if (normalized === 'false' || normalized === '0' || normalized === 'no') return false;
-    return defaultValue;
-}
-
-export async function auditVerifyCommand(opts) {
-    const auditPath = opts.audit ? path.resolve(opts.audit) : path.resolve('.lbe/data/audit.log.jsonl');
-    const failFast = toBoolean(opts['fail-fast'], true);
-    const jsonOutput = toBoolean(opts.json, true);
-    const maxEntries = Number.isFinite(Number(opts.max)) ? Number(opts.max) : undefined;
-
-    const result = verifyAuditLogIntegrity(auditPath, { failFast, maxEntries });
-
-    if (jsonOutput) {
-        console.log(JSON.stringify(result, null, 2));
-    } else if (result.valid) {
-        console.log(`OK: ${result.file}`);
-        console.log(`Entries: ${result.entries}`);
-    } else {
-        console.log(`FAIL: ${result.file}`);
-        console.log(`First invalid index: ${result.firstInvalidIndex}`);
-        console.log(`Reason: ${result.reason}`);
-    }
-
-    process.exit(result.valid ? 0 : 8);
-}

package/src/cli/commands/dryrun.js

@@ -1,175 +0,0 @@
-// src/cli/commands/dryrun.js
-// Validate proposal and simulate execution
-
-import fs from 'fs';
-import path from 'path';
-import { validateCommand } from '../../core/validator.js';
-import { NonceStore } from '../../core/nonceStore.js';
-import { executeAdapter } from '../../adapters/index.js';
-import { loadKeysStore } from '../../core/trustedKeys.js';
-import { verifyPolicySignature } from '../../core/policySignature.js';
-import { validateAndUpdatePolicyVersionState } from '../../core/policyVersionGuard.js';
-
-export async function dryrunCommand(opts) {
-    const { in: inFile } = opts;
-    const config = opts.config || opts.policy;
-    const pubKey = opts['pub-key'];
-    const keysStorePath = opts['keys-store'] || path.resolve('.lbe/config/keys.json');
-    const policySigPath = opts['policy-sig'] || path.resolve('.lbe/config/policy.sig.json');
-    const policyStatePath = opts['policy-state'] || path.resolve('.lbe/data/policy.state.json');
-    const allowUnsignedPolicy = opts['policy-unsigned-ok'] === true || String(opts['policy-unsigned-ok']).toLowerCase() === 'true';
-    // Validate required arguments
-    if (!inFile) {
-        console.error('Error: --in <file> is required');
-        process.exit(1);
-    }
-
-    // Read proposal file
-    let proposal;
-    try {
-        const filePath = path.resolve(inFile);
-        const content = fs.readFileSync(filePath, 'utf-8');
-        proposal = JSON.parse(content);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_PROPOSAL_FILE',
-            message: error.message
-        }));
-        process.exit(5);
-    }
-
-    // Load policy
-    let policy;
-    try {
-        const policyPath = config || path.resolve('.lbe/config/policy.default.json');
-        if (!fs.existsSync(policyPath)) {
-            console.error(JSON.stringify({
-                status: 'error',
-                error: 'MISSING_POLICY',
-                message: `Policy file not found: ${policyPath}`
-            }));
-            process.exit(1);
-        }
-        const policyContent = fs.readFileSync(policyPath, 'utf-8');
-        policy = JSON.parse(policyContent);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_POLICY',
-            message: error.message
-        }));
-        process.exit(1);
-    }
-
-    // Load key store (preferred) with legacy pub-key fallback
-    const keyStoreResult = loadKeysStore(keysStorePath);
-    const keyStore = keyStoreResult.ok ? keyStoreResult.store : null;
-
-    // Preflight: policy signature verification (strict by default)
-    const policySigCheck = verifyPolicySignature({
-        policyObj: policy,
-        keyStore,
-        policySigPath,
-        allowUnsigned: allowUnsignedPolicy
-    });
-    if (!policySigCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: policySigCheck.reason,
-            message: policySigCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    const versionCheck = validateAndUpdatePolicyVersionState({
-        policyObj: policy,
-        statePath: policyStatePath,
-        maxCreatedAtSkewSec: policy?.security?.maxPolicyCreatedAtSkewSec
-    });
-    if (!versionCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: versionCheck.reason,
-            message: versionCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    // Load nonce store
-    const nonceDb = new NonceStore(path.resolve('.lbe/data/nonce.db.json'));
-    await nonceDb.load();
-
-    if (!keyStore && !pubKey) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'MISSING_KEY_MATERIAL',
-            message: `${keyStoreResult.message}. Provide --pub-key/--pub-key-file or create .lbe/config/keys.json`
-        }));
-        process.exit(1);
-    }
-
-    // Validate command
-    const validateResult = validateCommand({
-        commandObj: proposal,
-        pubKeyB64: pubKey,
-        keyStore,
-        nonceDb,
-        policy
-    });
-
-    if (!validateResult.valid) {
-        const output = {
-            status: 'invalid',
-            commandId: proposal.commandId || 'N/A',
-            checks: validateResult.checks,
-            errors: validateResult.errors || [],
-            executionResult: null
-        };
-        console.log(JSON.stringify(output, null, 2));
-
-        if (validateResult.checks.schema === false) process.exit(5);
-        if (validateResult.checks.signature === false) process.exit(3);
-        if (validateResult.checks.nonce === false) process.exit(4);
-        if (validateResult.checks.timestamp === false) process.exit(6);
-        if (validateResult.checks.rateLimit === false) process.exit(7);
-        if (validateResult.checks.policy === false) process.exit(2);
-        process.exit(9);
-    }
-
-    // Simulate execution with noop adapter
-    let executionResult;
-    try {
-        const requesterPolicy = policy.requesters?.[proposal.requesterId];
-        executionResult = await executeAdapter(
-            'noop',
-            proposal,
-            policy,
-            requesterPolicy
-        );
-    } catch (error) {
-        executionResult = {
-            adapter: 'noop',
-            status: 'error',
-            error: error.message
-        };
-    }
-
-    // Output structured result
-    const output = {
-        status: 'valid_simulated',
-        commandId: proposal.commandId || 'N/A',
-        checks: validateResult.checks,
-        risk: validateResult.risk || 'UNKNOWN',
-        executionResult: {
-            adapter: executionResult.adapter,
-            status: executionResult.status,
-            output: executionResult.output || executionResult.error || '',
-            exitCode: executionResult.exitCode || 0,
-            note: 'This is a simulation using noop adapter. No actual execution occurred.'
-        }
-    };
-
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(0);
-}

package/src/cli/commands/health.js

@@ -1,153 +0,0 @@
-// src/cli/commands/health.js
-// Deployment health check command
-
-import fs from 'fs';
-import path from 'path';
-import { performIntegrityCheck } from '../../core/integrity.js';
-
-function toBoolean(value, defaultValue) {
-    if (value === undefined) return defaultValue;
-    if (value === true || value === false) return value;
-    const normalized = String(value).trim().toLowerCase();
-    if (normalized === 'true' || normalized === '1' || normalized === 'yes') return true;
-    if (normalized === 'false' || normalized === '0' || normalized === 'no') return false;
-    return defaultValue;
-}
-
-function addCheck(checks, name, ok, message) {
-    checks[name] = { ok, message };
-}
-
-function canReadFile(filePath) {
-    try {
-        fs.accessSync(filePath, fs.constants.R_OK);
-        return true;
-    } catch {
-        return false;
-    }
-}
-
-function checkDataWritable(dataDir) {
-    const marker = path.join(dataDir, `.healthcheck-${Date.now()}`);
-    try {
-        fs.mkdirSync(dataDir, { recursive: true });
-        fs.writeFileSync(marker, 'ok', 'utf8');
-        fs.unlinkSync(marker);
-        return { ok: true, message: 'Data directory writable' };
-    } catch (error) {
-        return { ok: false, message: `Data directory not writable: ${error.message}` };
-    }
-}
-
-export async function healthCommand(opts) {
-    const jsonOutput = toBoolean(opts.json, true);
-    const policyPath = path.resolve(opts.config || opts.policy || '.lbe/config/policy.default.json');
-    const policySigPath = path.resolve(opts['policy-sig'] || '.lbe/config/policy.sig.json');
-    const keysStorePath = path.resolve(opts['keys-store'] || '.lbe/config/keys.json');
-    const dataDir = path.resolve(opts['data-dir'] || '.lbe/data');
-    const auditPath = path.resolve(opts.audit || path.join(dataDir, 'audit.log.jsonl'));
-    const noncePath = path.resolve(opts['nonce-db'] || path.join(dataDir, 'nonce.db.json'));
-    const ratePath = path.resolve(opts['rate-db'] || path.join(dataDir, 'rate-limit.db.json'));
-    const policyStatePath = path.resolve(opts['policy-state'] || path.join(dataDir, 'policy.state.json'));
-    const integrityStrict = toBoolean(opts['integrity-strict'], false);
-    const integrityManifestPath = path.resolve(opts['integrity-manifest'] || '.lbe/config/integrity.manifest.json');
-
-    const checks = {};
-
-    addCheck(
-        checks,
-        'policy',
-        fs.existsSync(policyPath) && canReadFile(policyPath),
-        fs.existsSync(policyPath)
-            ? `Policy file readable: ${policyPath}`
-            : `Policy file missing: ${policyPath}`
-    );
-
-    addCheck(
-        checks,
-        'policySignature',
-        fs.existsSync(policySigPath) && canReadFile(policySigPath),
-        fs.existsSync(policySigPath)
-            ? `Policy signature readable: ${policySigPath}`
-            : `Policy signature missing: ${policySigPath}`
-    );
-
-    addCheck(
-        checks,
-        'trustedKeys',
-        fs.existsSync(keysStorePath) && canReadFile(keysStorePath),
-        fs.existsSync(keysStorePath)
-            ? `Trusted keys readable: ${keysStorePath}`
-            : `Trusted keys missing: ${keysStorePath}`
-    );
-
-    addCheck(
-        checks,
-        'auditLog',
-        fs.existsSync(auditPath) && canReadFile(auditPath),
-        fs.existsSync(auditPath)
-            ? `Audit log readable: ${auditPath}`
-            : `Audit log missing: ${auditPath}`
-    );
-
-    addCheck(
-        checks,
-        'nonceDb',
-        fs.existsSync(noncePath) && canReadFile(noncePath),
-        fs.existsSync(noncePath)
-            ? `Nonce DB readable: ${noncePath}`
-            : `Nonce DB missing: ${noncePath}`
-    );
-
-    addCheck(
-        checks,
-        'rateLimitDb',
-        fs.existsSync(ratePath) && canReadFile(ratePath),
-        fs.existsSync(ratePath)
-            ? `Rate-limit DB readable: ${ratePath}`
-            : `Rate-limit DB missing: ${ratePath}`
-    );
-
-    addCheck(
-        checks,
-        'policyState',
-        fs.existsSync(policyStatePath) && canReadFile(policyStatePath),
-        fs.existsSync(policyStatePath)
-            ? `Policy state readable: ${policyStatePath}`
-            : `Policy state missing: ${policyStatePath}`
-    );
-
-    const writable = checkDataWritable(dataDir);
-    addCheck(checks, 'dataWritable', writable.ok, writable.message);
-
-    if (integrityStrict) {
-        const integrity = await performIntegrityCheck({
-            strict: true,
-            manifestPath: integrityManifestPath
-        });
-        addCheck(
-            checks,
-            'integrity',
-            integrity.valid,
-            integrity.valid
-                ? integrity.message
-                : `${integrity.reason}: ${integrity.message}`
-        );
-    }
-
-    const allOk = Object.values(checks).every((c) => c.ok === true);
-    const output = {
-        ok: allOk,
-        status: allOk ? 'healthy' : 'unhealthy',
-        timestamp: new Date().toISOString(),
-        checks
-    };
-
-    if (jsonOutput) {
-        console.log(JSON.stringify(output, null, 2));
-    } else {
-        console.log(`${output.status.toUpperCase()}: ${Object.keys(checks).length} checks`);
-    }
-
-    process.exit(allOk ? 0 : 8);
-}