@letterblack/lbe-core 1.3.3 → 1.3.4

package/src/cli/commands/run.js

@@ -1,342 +0,0 @@
-// src/cli/commands/run.js
-// Validate and execute a proposal
-
-import fs from 'fs';
-import path from 'path';
-import crypto from 'crypto';
-import { validateCommand } from '../../core/validator.js';
-import { NonceStore } from '../../core/nonceStore.js';
-import { executeAdapter } from '../../adapters/index.js';
-import { appendAudit } from '../../core/auditLog.js';
-import { loadKeysStore } from '../../core/trustedKeys.js';
-import { RequestRateLimiter } from '../../core/requestRateLimiter.js';
-import { verifyPolicySignature } from '../../core/policySignature.js';
-import { validateAndUpdatePolicyVersionState } from '../../core/policyVersionGuard.js';
-import { getApprovalManager } from '../../core/approval-token.js';
-import { createBackup, restoreBackup } from '../../core/backup.js';
-import { loadLocalPolicy, evaluateLocalPolicy, auditLocalPolicy } from '../../core/localPolicy.js';
-
-function sha256(obj) {
-    return crypto.createHash('sha256').update(JSON.stringify(obj)).digest('hex');
-}
-
-export async function runCommand(opts) {
-    const { in: inFile } = opts;
-    const config = opts.config || opts.policy;
-    const pubKey = opts['pub-key'];
-    const keysStorePath = opts['keys-store'] || path.resolve('.lbe/config/keys.json');
-    const policySigPath = opts['policy-sig'] || path.resolve('.lbe/config/policy.sig.json');
-    const policyStatePath = opts['policy-state'] || path.resolve('.lbe/data/policy.state.json');
-    const allowUnsignedPolicy = opts['policy-unsigned-ok'] === true || String(opts['policy-unsigned-ok']).toLowerCase() === 'true';
-    // Validate required arguments
-    if (!inFile) {
-        console.error('Error: --in <file> is required');
-        process.exit(1);
-    }
-
-    // Read proposal file
-    let proposal;
-    try {
-        const filePath = path.resolve(inFile);
-        const content = fs.readFileSync(filePath, 'utf-8');
-        proposal = JSON.parse(content);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_PROPOSAL_FILE',
-            message: error.message
-        }));
-        process.exit(5);
-    }
-
-    // Load policy
-    let policy;
-    try {
-        const policyPath = config || path.resolve('.lbe/config/policy.default.json');
-        if (!fs.existsSync(policyPath)) {
-            console.error(JSON.stringify({
-                status: 'error',
-                error: 'MISSING_POLICY',
-                message: `Policy file not found: ${policyPath}`
-            }));
-            process.exit(1);
-        }
-        const policyContent = fs.readFileSync(policyPath, 'utf-8');
-        policy = JSON.parse(policyContent);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_POLICY',
-            message: error.message
-        }));
-        process.exit(1);
-    }
-
-    // Project-local rules are controller-owned and take precedence over any
-    // observer allow. Observe mode records a would-deny decision only.
-    const rootDir = process.cwd();
-    let localPolicy;
-    try {
-        localPolicy = loadLocalPolicy(rootDir);
-    } catch (error) {
-        console.error(JSON.stringify({ status: 'error', error: 'LOCAL_POLICY_INVALID', message: error.message }));
-        process.exit(1);
-    }
-    const localDecision = evaluateLocalPolicy(localPolicy.policy, rootDir, {
-        target: proposal.payload?.target,
-        command: proposal.payload?.cmd
-    });
-    const localBlocked = localPolicy.policy.mode === 'enforce' && !localDecision.allowed;
-    auditLocalPolicy(rootDir, {
-        commandId: proposal.commandId || 'N/A', requesterId: proposal.requesterId || 'unknown',
-        mode: localPolicy.policy.mode, decision: localBlocked ? 'deny' : 'allow',
-        wouldDeny: !localDecision.allowed, ruleIds: localDecision.winningRules.map(rule => rule.id)
-    });
-    if (localBlocked) {
-        console.error(JSON.stringify({ status: 'blocked', error: 'LOCAL_POLICY_DENY', ruleIds: localDecision.winningRules.map(rule => rule.id) }, null, 2));
-        process.exit(2);
-    }
-
-    // Load key store (preferred) with legacy pub-key fallback
-    const keyStoreResult = loadKeysStore(keysStorePath);
-    const keyStore = keyStoreResult.ok ? keyStoreResult.store : null;
-
-    // Preflight: policy signature verification (strict by default)
-    const policySigCheck = verifyPolicySignature({
-        policyObj: policy,
-        keyStore,
-        policySigPath,
-        allowUnsigned: allowUnsignedPolicy
-    });
-    if (!policySigCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: policySigCheck.reason,
-            message: policySigCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    const versionCheck = validateAndUpdatePolicyVersionState({
-        policyObj: policy,
-        statePath: policyStatePath,
-        maxCreatedAtSkewSec: policy?.security?.maxPolicyCreatedAtSkewSec
-    });
-    if (!versionCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: versionCheck.reason,
-            message: versionCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    // Load nonce store
-    const nonceDb = new NonceStore(path.resolve('.lbe/data/nonce.db.json'));
-    await nonceDb.load();
-
-    if (!keyStore && !pubKey) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'MISSING_KEY_MATERIAL',
-            message: `${keyStoreResult.message}. Provide --pub-key/--pub-key-file or create .lbe/config/keys.json`
-        }));
-        process.exit(1);
-    }
-
-    // Load requester rate limiter
-    const rateLimiter = new RequestRateLimiter(path.resolve('.lbe/data/rate-limit.db.json'));
-    await rateLimiter.load();
-
-    // Validate command
-    const validateResult = validateCommand({
-        commandObj: proposal,
-        pubKeyB64: pubKey,
-        keyStore,
-        nonceDb,
-        policy,
-        rateLimiter
-    });
-
-    if (!validateResult.valid) {
-        // Persist state from checks that may record entries prior to rejection.
-        try {
-            await nonceDb.save();
-            await rateLimiter.save();
-        } catch {
-            // Continue with rejection path even if state persistence fails.
-        }
-
-        const output = {
-            status: 'invalid',
-            commandId: proposal.commandId || 'N/A',
-            checks: validateResult.checks,
-            errors: validateResult.errors || [],
-            executionResult: null
-        };
-        console.error(JSON.stringify(output, null, 2));
-
-        // Load audit log and append this rejection
-        const auditPath = path.resolve('.lbe/data/audit.log.jsonl');
-        try {
-            appendAudit(auditPath, {
-                commandId: proposal.commandId || 'N/A',
-                status: 'rejected',
-                requesterId: proposal.requesterId || 'unknown',
-                payloadHash: sha256(proposal),
-                reason: validateResult.checks,
-                timestamp: new Date().toISOString()
-            });
-        } catch (auditErr) {
-            console.error(JSON.stringify({
-                status: 'error',
-                error: 'AUDIT_WRITE_FAILED',
-                message: auditErr.message
-            }));
-            process.exit(10);
-        }
-
-        if (validateResult.checks.schema === false) process.exit(5);
-        if (validateResult.checks.signature === false) process.exit(3);
-        if (validateResult.checks.nonce === false) process.exit(4);
-        if (validateResult.checks.timestamp === false) process.exit(6);
-        if (validateResult.checks.rateLimit === false) process.exit(7);
-        if (validateResult.checks.policy === false) process.exit(2);
-        process.exit(9);
-    }
-
-    const risk = validateResult.risk || 'LOW';
-    const adapterName = proposal.payload.adapter || 'shell';
-    const requesterPolicy = policy.requesters?.[proposal.requesterId];
-
-    // Approval gate — pause if the requester policy marks this risk level for approval
-    const approvalRule = requesterPolicy?.requireApproval;
-    const approvalRequired = approvalRule === true
-        || (Array.isArray(approvalRule) && (
-            approvalRule.includes(risk)
-            || approvalRule.includes('*')
-            || (['HIGH', 'CRITICAL'].includes(risk) && approvalRule.includes('HIGH+'))
-        ));
-
-    if (approvalRequired) {
-        const mgr = getApprovalManager();
-        const tokenId = mgr.createToken(proposal.commandId, {
-            requesterId: proposal.requesterId,
-            adapter: adapterName,
-            risk
-        });
-
-        await nonceDb.save().catch(() => {});
-        await rateLimiter.save().catch(() => {});
-
-        console.log(JSON.stringify({
-            status: 'approval_required',
-            commandId: proposal.commandId || 'N/A',
-            risk,
-            approvalToken: tokenId,
-            message: `${risk} risk operation requires operator approval. Approve with: lbe approve --token ${tokenId}`
-        }, null, 2));
-        process.exit(11);
-    }
-
-    // Backup — create before execution for file adapter or when --backup flag is set
-    let backup = null;
-    const shouldBackup = opts.backup === true || adapterName === 'file';
-    if (shouldBackup && proposal.payload.target) {
-        try {
-            backup = createBackup(path.resolve(proposal.payload.target));
-        } catch {
-            // Non-fatal — execution continues without backup
-        }
-    }
-
-    // Execute with appropriate adapter
-    let executionResult;
-    try {
-        executionResult = await executeAdapter(adapterName, proposal, policy, requesterPolicy);
-    } catch (error) {
-        executionResult = {
-            adapter: adapterName,
-            status: 'error',
-            error: error.message,
-            exitCode: 1
-        };
-    }
-
-    const executionFailed = executionResult.status === 'error' || executionResult.exitCode !== 0;
-
-    // Rollback on failure — restore backup if execution failed and we have one
-    let rollbackResult = null;
-    if (executionFailed && backup && opts['rollback-on-failure'] !== false) {
-        try {
-            rollbackResult = restoreBackup(backup);
-        } catch (e) {
-            rollbackResult = { restored: false, error: e.message };
-        }
-    }
-
-    // Post-execution validation — verify target exists after a write/patch
-    let postValidation = null;
-    if (!executionFailed && proposal.payload.target) {
-        const writeActions = ['write', 'patch'];
-        if (writeActions.includes(proposal.payload.action)) {
-            const exists = fs.existsSync(path.resolve(proposal.payload.target));
-            postValidation = { ok: exists, check: 'target_exists', target: proposal.payload.target };
-            if (!exists && backup) {
-                rollbackResult = restoreBackup(backup);
-                executionResult.status = 'error';
-            }
-        }
-    }
-
-    // Log to audit trail
-    // payloadHash: SHA-256 of the validated proposal — proves what the adapter received
-    // executionHash: SHA-256 of the adapter result — proves what the adapter returned
-    // Together these bind the validation result to the execution result in the immutable log
-    const auditPath = path.resolve('.lbe/data/audit.log.jsonl');
-    try {
-        appendAudit(auditPath, {
-            commandId: proposal.commandId || 'N/A',
-            status: rollbackResult?.restored ? 'rolled_back' : (executionResult.status || 'completed'),
-            requesterId: proposal.requesterId || 'unknown',
-            payloadHash: sha256(proposal),
-            executionHash: sha256(executionResult),
-            adapter: executionResult.adapter,
-            riskLevel: risk,
-            exitCode: executionResult.exitCode || 0,
-            rolledBack: rollbackResult?.restored || false,
-            timestamp: new Date().toISOString()
-        });
-    } catch (auditErr) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'AUDIT_WRITE_FAILED',
-            message: auditErr.message
-        }));
-        process.exit(10);
-    }
-
-    // Save nonce DB (records the nonce as used)
-    await nonceDb.save();
-    await rateLimiter.save();
-
-    // Output structured result
-    const output = {
-        status: executionFailed || (postValidation && !postValidation.ok) ? 'failed' : 'executed',
-        commandId: proposal.commandId || 'N/A',
-        risk,
-        checks: validateResult.checks,
-        executionResult: {
-            adapter: executionResult.adapter,
-            status: executionResult.status || 'completed',
-            output: executionResult.output || executionResult.error || '',
-            exitCode: executionResult.exitCode || 0
-        },
-        backup: backup ? { path: backup.backupPath, existed: backup.existed, hash: backup.hash } : null,
-        rollback: rollbackResult,
-        postValidation
-    };
-
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(executionResult.exitCode || 0);
-}

package/src/cli/commands/status.js

@@ -1,73 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { resolveWorkspaceState } from '../../state/index.js';
-import { stateRoot } from '../../state/stateRoot.js';
-import { isWorkspaceRegistryReadable, listWorkspaces } from '../../state/workspaceRegistry.js';
-
-/**
- * lbe status
- *
- * Resolves central state for the workspace and prints a summary.
- * Policy authority stays in .lbe/policy.json — this command reads it
- * for display only. It does not modify or migrate anything.
- *
- * @returns {{ workspaceId, stateDir, policySource, policyMode, hasProof, hasEvents }}
- */
-export async function statusCommand(opts) {
-    if (opts.all) {
-        const registryPath = opts.registryPath || path.join(stateRoot(), 'registry.json');
-        if (!isWorkspaceRegistryReadable(registryPath)) {
-            console.log('Workspace registry unreadable');
-            return { workspaces: [], registryReadable: false };
-        }
-
-        const workspaces = listWorkspaces(registryPath);
-        if (workspaces.length === 0) {
-            console.log('No known workspaces yet');
-            return { workspaces, registryReadable: true };
-        }
-
-        console.log('\nKnown LBE workspaces');
-        for (const workspace of workspaces) {
-            console.log(`  ${workspace.alias}`);
-            console.log(`    workspace_id ${workspace.workspaceId}`);
-            console.log(`    path         ${workspace.path}`);
-            console.log(`    last_active  ${workspace.last_active}`);
-        }
-        console.log('');
-        return { workspaces, registryReadable: true };
-    }
-
-    const workspaceRoot = path.resolve(opts.root || process.cwd());
-    const { stateDir, workspaceId, paths } = resolveWorkspaceState(workspaceRoot);
-
-    // ── Policy source (read-only, .lbe/policy.json is authoritative) ──────────
-    const policyPath = path.join(workspaceRoot, '.lbe', 'policy.json');
-    let policySource = 'not found';
-    let policyMode   = 'unknown';
-    if (fs.existsSync(policyPath)) {
-        try {
-            const policy = JSON.parse(fs.readFileSync(policyPath, 'utf8'));
-            policyMode   = policy.mode || 'unknown';
-            policySource = policyPath;
-        } catch (_) {
-            policySource = policyPath + ' (unreadable)';
-        }
-    }
-
-    // ── Central state presence ─────────────────────────────────────────────────
-    const hasProof  = fs.existsSync(paths.proofLatest);
-    const hasEvents = fs.existsSync(paths.events);
-
-    // ── Output ─────────────────────────────────────────────────────────────────
-    console.log(`\nLBE Central State — ${workspaceRoot}`);
-    console.log(`  workspace_id  ${workspaceId}`);
-    console.log(`  state_dir     ${stateDir}`);
-    console.log(`  policy_source ${policySource}`);
-    console.log(`  policy_mode   ${policyMode}`);
-    console.log(`  central_proof ${hasProof  ? paths.proofLatest : 'No central proof yet'}`);
-    console.log(`  central_logs  ${hasEvents ? paths.events      : 'No central logs yet. Hook dual-write not enabled.'}`);
-    console.log('');
-
-    return { workspaceId, stateDir, policySource, policyMode, hasProof, hasEvents };
-}

package/src/cli/commands/verify.js

@@ -1,144 +0,0 @@
-// src/cli/commands/verify.js
-// Validate a proposal without executing
-
-import fs from 'fs';
-import path from 'path';
-import { validateCommand } from '../../core/validator.js';
-import { NonceStore } from '../../core/nonceStore.js';
-import { loadKeysStore } from '../../core/trustedKeys.js';
-import { verifyPolicySignature } from '../../core/policySignature.js';
-import { validateAndUpdatePolicyVersionState } from '../../core/policyVersionGuard.js';
-
-export async function verifyCommand(opts) {
-    const { in: inFile } = opts;
-    const config = opts.config || opts.policy;
-    const pubKey = opts['pub-key'];
-    const keysStorePath = opts['keys-store'] || path.resolve('.lbe/config/keys.json');
-    const policySigPath = opts['policy-sig'] || path.resolve('.lbe/config/policy.sig.json');
-    const policyStatePath = opts['policy-state'] || path.resolve('.lbe/data/policy.state.json');
-    const allowUnsignedPolicy = opts['policy-unsigned-ok'] === true || String(opts['policy-unsigned-ok']).toLowerCase() === 'true';
-    // Validate required arguments
-    if (!inFile) {
-        console.error('Error: --in <file> is required');
-        process.exit(1);
-    }
-
-    // Read proposal file
-    let proposal;
-    try {
-        const filePath = path.resolve(inFile);
-        const content = fs.readFileSync(filePath, 'utf-8');
-        proposal = JSON.parse(content);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_PROPOSAL_FILE',
-            message: error.message
-        }));
-        process.exit(5);
-    }
-
-    // Load policy
-    let policy;
-    try {
-        const policyPath = config || path.resolve('.lbe/config/policy.default.json');
-        if (!fs.existsSync(policyPath)) {
-            console.error(JSON.stringify({
-                status: 'error',
-                error: 'MISSING_POLICY',
-                message: `Policy file not found: ${policyPath}`
-            }));
-            process.exit(1);
-        }
-        const policyContent = fs.readFileSync(policyPath, 'utf-8');
-        policy = JSON.parse(policyContent);
-    } catch (error) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'INVALID_POLICY',
-            message: error.message
-        }));
-        process.exit(1);
-    }
-
-    // Load key store (preferred) with legacy pub-key fallback
-    const keyStoreResult = loadKeysStore(keysStorePath);
-    const keyStore = keyStoreResult.ok ? keyStoreResult.store : null;
-
-    // Preflight: policy signature verification (strict by default)
-    const policySigCheck = verifyPolicySignature({
-        policyObj: policy,
-        keyStore,
-        policySigPath,
-        allowUnsigned: allowUnsignedPolicy
-    });
-    if (!policySigCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: policySigCheck.reason,
-            message: policySigCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    const versionCheck = validateAndUpdatePolicyVersionState({
-        policyObj: policy,
-        statePath: policyStatePath,
-        maxCreatedAtSkewSec: policy?.security?.maxPolicyCreatedAtSkewSec
-    });
-    if (!versionCheck.ok) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: versionCheck.reason,
-            message: versionCheck.message
-        }, null, 2));
-        process.exit(8);
-    }
-
-    // Load nonce store
-    const nonceDb = new NonceStore(path.resolve('.lbe/data/nonce.db.json'));
-    await nonceDb.load();
-
-    if (!keyStore && !pubKey) {
-        console.error(JSON.stringify({
-            status: 'error',
-            error: 'MISSING_KEY_MATERIAL',
-            message: `${keyStoreResult.message}. Provide --pub-key/--pub-key-file or create .lbe/config/keys.json`
-        }));
-        process.exit(1);
-    }
-
-    // Validate command
-    const result = validateCommand({
-        commandObj: proposal,
-        pubKeyB64: pubKey,
-        keyStore,
-        nonceDb,
-        policy
-    });
-
-    // Output structured result
-    const output = {
-        status: result.valid ? 'valid' : 'invalid',
-        commandId: proposal.commandId || 'N/A',
-        checks: result.checks,
-        errors: result.errors || [],
-        risk: result.risk || 'UNKNOWN'
-    };
-
-    console.log(JSON.stringify(output, null, 2));
-
-    // Exit with appropriate code
-    if (!result.valid) {
-        // Determine which validation failed for exit code
-        if (result.checks.schema === false) process.exit(5);       // Schema error
-        if (result.checks.signature === false) process.exit(3);    // Signature error
-        if (result.checks.nonce === false) process.exit(4);        // Replay detected
-        if (result.checks.timestamp === false) process.exit(6);    // Clock skew
-        if (result.checks.rateLimit === false) process.exit(7);    // Rate limited
-        if (result.checks.policy === false) process.exit(2);       // Policy blocked
-        process.exit(9);                                            // Generic error
-    }
-
-    process.exit(0);
-}