@letterblack/lbe-core 1.3.3 → 1.3.4

package/lbe.audit.jsonl

@@ -1,46 +0,0 @@
-{"kind":"local_policy","timestamp":"2026-06-19T23:35:11.147Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"GENESIS","hash":"4fa59031cd7aefdda2eaa673582431436e61b29cc52b1df44dcec64ff9500156"}
-{"kind":"local_policy","timestamp":"2026-06-19T23:35:11.287Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"4fa59031cd7aefdda2eaa673582431436e61b29cc52b1df44dcec64ff9500156","hash":"ebe9a6effd202c1bfc7c744e34b9a4594fb87fbb9fcf9008fcb879d07b9e2e83"}
-{"kind":"local_policy","timestamp":"2026-06-19T23:37:07.027Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"ebe9a6effd202c1bfc7c744e34b9a4594fb87fbb9fcf9008fcb879d07b9e2e83","hash":"09837b4ecbfea59315450838934da8dacff3e4606be177a9f2374ea3a7a17b7b"}
-{"kind":"local_policy","timestamp":"2026-06-19T23:37:07.162Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"09837b4ecbfea59315450838934da8dacff3e4606be177a9f2374ea3a7a17b7b","hash":"55b48900a3fe9129aa3c5d6ca56b987b13b9519567ccdcf87111ee8fcf9d0c65"}
-{"kind":"local_policy","timestamp":"2026-06-20T00:00:57.479Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"55b48900a3fe9129aa3c5d6ca56b987b13b9519567ccdcf87111ee8fcf9d0c65","hash":"43b7db12e0fb2a5c78b0cde6219e1899d0c153b06332304f5ffb588184f9a546"}
-{"kind":"local_policy","timestamp":"2026-06-20T00:00:57.597Z","action":"write_file","actor":"agent:gpt","target":"Y:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"43b7db12e0fb2a5c78b0cde6219e1899d0c153b06332304f5ffb588184f9a546","hash":"ad3bff0b0d87f8d7cdd89c81d4feccf5ecb2b1ba6c6c87f4e1941b9f7602682a"}
-{"kind":"local_policy","timestamp":"2026-06-20T00:01:37.683Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"ad3bff0b0d87f8d7cdd89c81d4feccf5ecb2b1ba6c6c87f4e1941b9f7602682a","hash":"0cd624477f29707d50fb51ed129cfcc4b1492fff6f764851818d85007de9d8a2"}
-{"kind":"local_policy","timestamp":"2026-06-20T00:01:37.800Z","action":"write_file","actor":"agent:gpt","target":"Y:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"0cd624477f29707d50fb51ed129cfcc4b1492fff6f764851818d85007de9d8a2","hash":"60849f57f26cb478d16dfacbd890285c86039b353dd32b610781f2bd1ead37e2"}
-{"kind":"local_policy","timestamp":"2026-06-20T07:38:16.456Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"60849f57f26cb478d16dfacbd890285c86039b353dd32b610781f2bd1ead37e2","hash":"14893cfb196d22710a42277d90e2f25210965842732cc9f945bb96ce8f9f4fcb"}
-{"kind":"local_policy","timestamp":"2026-06-20T07:38:16.579Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"14893cfb196d22710a42277d90e2f25210965842732cc9f945bb96ce8f9f4fcb","hash":"882079452527f032349a2e7a60dd12d135198e22497d3f4b68b60f800f468e9e"}
-{"kind":"local_policy","timestamp":"2026-06-20T08:26:18.715Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"882079452527f032349a2e7a60dd12d135198e22497d3f4b68b60f800f468e9e","hash":"5ebd63b1800100e757fd313bc9533e317595e3f387246403e583d7e47ae182dd"}
-{"kind":"local_policy","timestamp":"2026-06-20T08:26:18.895Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"5ebd63b1800100e757fd313bc9533e317595e3f387246403e583d7e47ae182dd","hash":"2d8c2e634df7bea55d1086da89b9b2cba39385b8f8f4c93fe5f00e2861af4ebb"}
-{"kind":"local_policy","timestamp":"2026-06-20T08:47:49.677Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"2d8c2e634df7bea55d1086da89b9b2cba39385b8f8f4c93fe5f00e2861af4ebb","hash":"58705eea240aca0a89a23848d8e217bfc66a20754d26d4d5e1c873a5d7f26243"}
-{"kind":"local_policy","timestamp":"2026-06-20T08:47:49.835Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"58705eea240aca0a89a23848d8e217bfc66a20754d26d4d5e1c873a5d7f26243","hash":"f7e59903f44ed0ef649dd51d1ac0f9c65928f7ac9e1d05d3ed647ccfd439043e"}
-{"kind":"local_policy","timestamp":"2026-06-20T09:16:18.272Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"f7e59903f44ed0ef649dd51d1ac0f9c65928f7ac9e1d05d3ed647ccfd439043e","hash":"9b46fff5248d53c6e6a3d0292306e72f72107717d720bbb8110f1c9bbe4aba98"}
-{"kind":"local_policy","timestamp":"2026-06-20T09:16:18.415Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"9b46fff5248d53c6e6a3d0292306e72f72107717d720bbb8110f1c9bbe4aba98","hash":"3ce47f5511666be6bcd556a20b3f67fe98e30835036a7f8da0c98af0d2bb6eed"}
-{"kind":"local_policy","timestamp":"2026-06-20T09:47:26.292Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"3ce47f5511666be6bcd556a20b3f67fe98e30835036a7f8da0c98af0d2bb6eed","hash":"6bec570ee7f1ccfb93ab08d3668e50f787318fece9461dc06c9a2b1a62c53727"}
-{"kind":"local_policy","timestamp":"2026-06-20T09:47:26.439Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"6bec570ee7f1ccfb93ab08d3668e50f787318fece9461dc06c9a2b1a62c53727","hash":"d25f758c9d834280d62aecdd50bee074a910bb5a16876c834f3df3ef7dd90a9f"}
-{"kind":"local_policy","timestamp":"2026-06-20T10:02:37.628Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"d25f758c9d834280d62aecdd50bee074a910bb5a16876c834f3df3ef7dd90a9f","hash":"b076f0c558e069a876135b52f197fe4eb265dd44efd9b74b68cf74eaf199c8ae"}
-{"kind":"local_policy","timestamp":"2026-06-20T10:02:37.771Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"b076f0c558e069a876135b52f197fe4eb265dd44efd9b74b68cf74eaf199c8ae","hash":"b915c35fe9d842f42399bc83e5ed8bbf4c9ac0cf1d592fe72f51ec4d539b7fdb"}
-{"kind":"local_policy","timestamp":"2026-06-20T11:47:47.851Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"b915c35fe9d842f42399bc83e5ed8bbf4c9ac0cf1d592fe72f51ec4d539b7fdb","hash":"817368eab148ac1bc57ecfa22f06124164b1e6176c4051b050b5e3b23f9152a1"}
-{"kind":"local_policy","timestamp":"2026-06-20T11:47:48.023Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"817368eab148ac1bc57ecfa22f06124164b1e6176c4051b050b5e3b23f9152a1","hash":"060d71f2c54bb153628220eb1258231940a06ff16a6d7024201052d84176606d"}
-{"kind":"local_policy","timestamp":"2026-06-20T11:56:56.022Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"060d71f2c54bb153628220eb1258231940a06ff16a6d7024201052d84176606d","hash":"6aed9fdcb3a3bec3530a0d89c06f7ac3fc1f3119ca91da4f1b056d813710a30a"}
-{"kind":"local_policy","timestamp":"2026-06-20T11:56:56.171Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"6aed9fdcb3a3bec3530a0d89c06f7ac3fc1f3119ca91da4f1b056d813710a30a","hash":"91f2c57d924a21815ad3ef0abf0a4e8c05060380fe2c36ae104c4a8a67cebdbe"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:03:02.759Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"91f2c57d924a21815ad3ef0abf0a4e8c05060380fe2c36ae104c4a8a67cebdbe","hash":"d889e17676f042abfa4200d7834aa2a53bfabde2d339b81b8e6db8c365e83e28"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:03:02.916Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"d889e17676f042abfa4200d7834aa2a53bfabde2d339b81b8e6db8c365e83e28","hash":"f76eb13e259464f177968a80df07c737ad414ea324a2eeadc1f22afef29cf3ea"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:06:17.815Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"f76eb13e259464f177968a80df07c737ad414ea324a2eeadc1f22afef29cf3ea","hash":"b2710860f37999d3365ef9c3702e0d619e80138d45d086054fad169d98f9e212"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:06:17.957Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"b2710860f37999d3365ef9c3702e0d619e80138d45d086054fad169d98f9e212","hash":"4346d148ce5d4f090f2f1f574eeb6d748e641b30aadfdac27e41aae59d48ba35"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:07:08.214Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"4346d148ce5d4f090f2f1f574eeb6d748e641b30aadfdac27e41aae59d48ba35","hash":"a30c9b09a33473fc27fa0fb7b0d8900ad662be4a07486ffdb15a9a2f715e9a7e"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:07:08.344Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"a30c9b09a33473fc27fa0fb7b0d8900ad662be4a07486ffdb15a9a2f715e9a7e","hash":"83f2c7d56d26415e6d4b6fdc4111e5e979e32485f6d994cb433622a96dd70aca"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:08:25.892Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"83f2c7d56d26415e6d4b6fdc4111e5e979e32485f6d994cb433622a96dd70aca","hash":"1f649193b5fb02d0c83f36b7ff7648342da42d10b2b0589a884f2979a4518940"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:08:26.076Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"1f649193b5fb02d0c83f36b7ff7648342da42d10b2b0589a884f2979a4518940","hash":"939f5ceaa938d0a6e7dc520b607375cbd8bda9e6bce672db2adddc08ebe5167e"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:14:43.895Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"939f5ceaa938d0a6e7dc520b607375cbd8bda9e6bce672db2adddc08ebe5167e","hash":"88409073a33f89a8e29b5c9188816d8de460f23bfe92647f89cefba5029ccaa4"}
-{"kind":"local_policy","timestamp":"2026-06-20T12:14:44.042Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"88409073a33f89a8e29b5c9188816d8de460f23bfe92647f89cefba5029ccaa4","hash":"cf477d692f3888269d9243b450d9c000e630c4bba5be1f223b4baba16b70db8d"}
-{"kind":"local_policy","timestamp":"2026-06-20T13:23:45.701Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"cf477d692f3888269d9243b450d9c000e630c4bba5be1f223b4baba16b70db8d","hash":"baa3e917baa568c84ee8172d913a5744356dda663db1a6b6403f1e7380ccba3d"}
-{"kind":"local_policy","timestamp":"2026-06-20T13:23:46.038Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"baa3e917baa568c84ee8172d913a5744356dda663db1a6b6403f1e7380ccba3d","hash":"8a347b48752b01af461624d9b62a0d626a7d0c16c61930ac5765a41c5146f41c"}
-{"kind":"local_policy","timestamp":"2026-06-20T13:53:06.494Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"8a347b48752b01af461624d9b62a0d626a7d0c16c61930ac5765a41c5146f41c","hash":"0f40141f3d9d3f865a01aa684e5e6e36bcf04b037c0fa566b6ab78650f68c8c3"}
-{"kind":"local_policy","timestamp":"2026-06-20T13:53:06.939Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"0f40141f3d9d3f865a01aa684e5e6e36bcf04b037c0fa566b6ab78650f68c8c3","hash":"af45bc8c55e6682f81a14869d1b3ba0acc40107bf4e007e6b7b89786dc4cf226"}
-{"kind":"local_policy","timestamp":"2026-06-20T14:58:33.144Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"af45bc8c55e6682f81a14869d1b3ba0acc40107bf4e007e6b7b89786dc4cf226","hash":"c4984421fa1863224c6fc12af043894aba767eb351b7934f0e351f594888825e"}
-{"kind":"local_policy","timestamp":"2026-06-20T14:58:33.291Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"c4984421fa1863224c6fc12af043894aba767eb351b7934f0e351f594888825e","hash":"cfccb5a4c4877491f8e3d06e84f43af20eeea5ab447fcb57412e71e9ff4691be"}
-{"kind":"local_policy","timestamp":"2026-06-20T14:59:22.384Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"cfccb5a4c4877491f8e3d06e84f43af20eeea5ab447fcb57412e71e9ff4691be","hash":"fc67b954900c2b704ac3b33c17837de0bd021d64f5607f4add942815e8463008"}
-{"kind":"local_policy","timestamp":"2026-06-20T14:59:22.517Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"fc67b954900c2b704ac3b33c17837de0bd021d64f5607f4add942815e8463008","hash":"f93630b6208fe6b3e135f63e935343fb633a20d9a4a129cc11ae88bdadec1794"}
-{"kind":"local_policy","timestamp":"2026-06-20T15:00:10.434Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"f93630b6208fe6b3e135f63e935343fb633a20d9a4a129cc11ae88bdadec1794","hash":"84640c42c4213b5a6e5f995ff36c12e036faabaecb2bb6bd1675e69206425e15"}
-{"kind":"local_policy","timestamp":"2026-06-20T15:00:10.578Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"84640c42c4213b5a6e5f995ff36c12e036faabaecb2bb6bd1675e69206425e15","hash":"b3669fa5f3bb23eb8964ce1b414efb1cad3e9879708e6186c1ebf15f33685362"}
-{"kind":"local_policy","timestamp":"2026-06-20T15:00:59.854Z","action":"echo","actor":"agent:x","target":null,"command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"b3669fa5f3bb23eb8964ce1b414efb1cad3e9879708e6186c1ebf15f33685362","hash":"70ca3430dc4b2e0af375aa4bbe864f362f9f05e67d59e1ba4d2d8941b11c7a01"}
-{"kind":"local_policy","timestamp":"2026-06-20T15:00:59.974Z","action":"write_file","actor":"agent:gpt","target":"Z:\\Core_Control\\letterblack-sentinel\\data\\backup-test-target.txt","command":null,"mode":"observe","decision":"allow","wouldDeny":false,"ruleIds":[],"prevHash":"70ca3430dc4b2e0af375aa4bbe864f362f9f05e67d59e1ba4d2d8941b11c7a01","hash":"5aa409b72bc1b26cef4e2ecefa7441805006096bb5b8e11d0e80c56b18b949a9"}

package/release/README.md

@@ -1,216 +0,0 @@
-# {{PACKAGE_NAME}}
-
-LBE is local execution control for AI agents. It evaluates file and shell
-actions routed through its execution boundary and records local evidence.
-It is not an AI model, IDE, full OS sandbox, or cloud monitor.
-
-## Setup
-
-```bash
-npm install {{PACKAGE_NAME}}
-npx lbe init
-npx lbe status
-npx lbe logs
-npx lbe proof --public
-npx lbe open-state
-```
-
-State is stored locally in a central per-user folder, keyed by workspace ID.
-In v1.3, `.lbe/events.jsonl` remains local fallback truth and is imported once
-without changing the original file. Proof uses intent, target, file index, LBE
-events, and `proof/latest.json`; `--public` redacts sensitive proof details.
-
-LBE controls only actions routed through its execution boundary. Central writes
-are best-effort, logs remain local, and non-inspectable targets may produce
-`WEAK_PROOF`.
-
----
-
-LBE puts a local policy gate between what an AI agent proposes and what the system actually executes. Every action — file write, shell command, anything — is validated locally before it runs. No cloud service. No daemon.
-
-> **Used in production:** LBE is the safety engine inside [Letterblack for After Effects](https://letterblack.net) — every AI-generated script and automation command passes through it before touching a live project.
-
----
-
-## Which package do you need?
-
-| I want… | Package |
-|---|---|
-| LBE to handle file writes and shell commands for me (full controller) | `@letterblack/lbe-exec` |
-| Just the allow/deny decision — I'll execute it myself | `@letterblack/lbe-sdk` ← you are here |
-
----
-
-## Install
-
-```bash
-npm install {{PACKAGE_NAME}}
-```
-
-Requires Node.js ≥ 20.9.0.
-
----
-
-## Quick start
-
-```js
-import { execute } from '{{PACKAGE_NAME}}';
-
-const request = {
-  version: '1.0',
-  request_id: 'req-001',
-  timestamp: Math.floor(Date.now() / 1000),
-  actor: { id: 'agent:local', role: 'agent' },
-  intent: { type: 'command', name: 'write_file', payload: { target: 'out.txt' } },
-  context: { workspace: process.cwd(), env: {}, history: [] },
-  constraints: { policy_mode: 'strict', timeout_ms: 5000 },
-  auth: { signature: '<host-signed>', nonce: '<unique-per-request>' }
-};
-
-const result = JSON.parse(execute(JSON.stringify(request)));
-// Approved:  { ok: true,  decision: 'allow', ... }
-// Blocked:   { ok: false, decision: 'deny',  error: { stage, message } }
-```
-
-`execute(input: string): string` — accepts JSON, returns JSON. The runtime validates and returns a decision. The host acts on the decision.
-
-### Request fields
-
-| Field | Required | Description |
-|---|---:|---|
-| `version` | Yes | `"1.0"` |
-| `request_id` | Yes | Caller-supplied unique identifier |
-| `timestamp` | Yes | Unix timestamp in seconds |
-| `actor` | Yes | `{ id, role }` — identity of the requesting agent |
-| `intent` | Yes | `{ type, name, payload }` — what the agent wants to do |
-| `context` | Yes | Workspace path and caller context |
-| `constraints` | Yes | `policy_mode` and `timeout_ms` |
-| `auth` | Yes | Host-supplied `signature` and `nonce` |
-
----
-
-## Observer mode — start here
-
-Not ready to block? Start in observer mode. Every request is fully validated and logged exactly as it would be in enforcement — but nothing is blocked. Watch what the agent is doing before you decide what to deny.
-
-```bash
-npx lbe init      # create lbe.policy.json in observer mode
-npx lbe enforce   # switch to blocking
-npx lbe observe   # switch back to advisory
-```
-
----
-
-## CLI reference
-
-| Command | Purpose |
-|---|---|
-| `npx lbe init` | Create project-local policy and key state in observer mode |
-| `npx lbe policy-add` | Add a rule to the active policy |
-| `npx lbe observe` | Set advisory (log-only) mode |
-| `npx lbe enforce` | Set blocking mode |
-| `npx lbe run` | Validate and execute a proposal from `--in <file>` |
-| `npx lbe verify` | Validate a proposal without executing |
-| `npx lbe dryrun` | Validate and simulate without executing |
-| `npx lbe health` | Check all required files are present and readable |
-| `npx lbe audit-verify` | Verify the audit log hash chain |
-
----
-
-## How the gate pipeline works
-
-![LBE gate sequence — Request flows through Policy, Identity, and Scope gates before reaching Action. A rejected request is routed to denial before it reaches execution.](https://unpkg.com/@letterblack/lbe-exec/assets/lbe-gates.jpg)
-
-Every request enters a 7-gate pipeline. A failure at any gate returns a structured denial — the remaining gates are not evaluated.
-
-```
-[1] Schema         required fields and structural validity
-        ↓
-[2] Timestamp      permitted clock-skew window (±10 minutes)
-        ↓
-[3] Key lifecycle  trusted key, active, not expired
-        ↓
-[4] Signature      Ed25519 request authenticity
-        ↓
-[5] Rate limit     per-requester sliding-window limit
-        ↓
-[6] Nonce          single-use replay protection
-        ↓
-[7] Policy         configured authorization (deny-wins)
-        ↓
-  allow / deny / error — structured result returned to host
-```
-
-The WASM runtime owns all gate decisions. Your host receives the decision and acts on it. Nothing executes inside the runtime.
-
----
-
-## When a request is approved
-
-![Happy path — agent proposes action, identity confirmed, policy approved, governed write executed, audit chain extended, result returned to app.](https://unpkg.com/@letterblack/lbe-exec/assets/story-allow.jpg)
-
-1. The agent produces a signed action proposal.
-2. Identity is confirmed against a locally held key — no network call required.
-3. The project policy is evaluated. The action is approved.
-4. The host executes the write or command inside the allowed workspace.
-5. The audit chain is extended — every approved action appends a hash-linked entry to the local log, permanently verifiable, impossible to silently remove.
-6. A structured result returns: whether it succeeded, which rules matched, and the audit entry identifier.
-
-The application stays in control. {{PACKAGE_NAME}} decides whether the action was permitted and hands the answer back. It does not execute for you.
-
----
-
-## When a request is blocked
-
-![Deny path — policy rejection before a governed action, shell untouched, filesystem unchanged, audit entry written, final state clean.](https://unpkg.com/@letterblack/lbe-exec/assets/story-deny.jpg)
-
-1. The agent proposes an action that is outside the permitted policy.
-2. The policy gate closes immediately. The WASM runtime stamps the request denied before any adapter is reached.
-3. The shell is untouched. The filesystem is unchanged.
-4. The denial is written to the immutable audit log — chain sealed, evidence preserved.
-
-No partial execution. No silent failures. Denial is a first-class outcome, not an error.
-
----
-
-## What this covers
-
-| Threat | Gate |
-|---|---|
-| Malformed or incomplete request | Schema |
-| Stale or replayed request | Timestamp + Nonce |
-| Tampered or expired key | Key lifecycle + Signature |
-| Excessive requests from one actor | Rate limit |
-| Action not permitted by project policy | Policy — deny-wins |
-| Agent writing outside project root | Scope check in host after decision |
-
----
-
-## What ships
-
-```
-dist/index.js               WebAssembly runtime loader and execute()
-dist/cli.js                 Local CLI (npx lbe)
-dist/lbe_engine.wasm        Verified runtime binary
-dist/wasm.lock.json         Runtime integrity lock (SHA-256 of wasm binary)
-assets/lbe-gates.jpg        Gate sequence diagram
-assets/story-allow.jpg      Approved-request storyboard
-assets/story-deny.jpg       Blocked-request storyboard
-assets/runtime-boundary.svg Runtime boundary diagram
-assets/lbe-gates.png        Gate sequence diagram (full resolution)
-assets/story-allow.png      Approved-request storyboard (full resolution)
-assets/story-deny.png       Blocked-request storyboard (full resolution)
-types.d.ts                  TypeScript declarations
-```
-
-At load time the runtime verifies `lbe_engine.wasm` against `wasm.lock.json`. A missing, modified, or swapped binary fails before any request is processed.
-
-Source code, controller implementation, adapters, tests, keys, and runtime state are not included.
-
----
-
-## Limits
-
-This package validates requests routed through its runtime. It does not provide kernel-level process isolation, network-egress control, multi-tenant separation, or a hosted control plane.
-
-For an in-process controller with file operations, shell, and policy management built in, see `@letterblack/lbe-exec`.

package/release/TRUST.md

@@ -1,90 +0,0 @@
-# Trust Model
-
-This document states plainly what you can and cannot verify about `@letterblack/lbe-exec` and `@letterblack/lbe-sdk`. It is written for agents and developers who want to reason about the trust surface before depending on this package.
-
----
-
-## What this package does
-
-LBE intercepts Node.js file system and shell operations at the process level via a CJS preload hook (`--require`). Every intercepted action is evaluated against a local policy file and appended to an audit log. The governance engine runs inside a compiled WASM binary shipped with the package.
-
----
-
-## What you can verify independently
-
-### 1. Hook behavior (fully verifiable)
-
-The preload hook (`hooks/register.cjs`) is client-side JavaScript. You can read it, run it in isolation, and confirm it patches the APIs it claims to patch. The minified form is smaller but not protected — it can be formatted and read.
-
-```bash
-# Confirm hook patches fs and child_process
-node --require ./node_modules/@letterblack/lbe-exec/hooks/register.cjs \
-  -e "require('fs').writeFileSync('test.txt','x')"
-cat .lbe/events.jsonl
-```
-
-### 2. Audit log integrity (partially verifiable)
-
-`audit.jsonl` is append-only JSONL in `.lbe/`. You can read every entry. The format is stable and human-readable. There is no cryptographic hash chain on the events.jsonl written by the hook — entries can be deleted without detection at the file level.
-
-### 3. WASM hash lock (tamper-detection, not supply-chain proof)
-
-`dist/wasm.lock.json` contains a SHA-256 hash of `dist/lbe_engine.wasm`. The CLI verifies this at runtime.
-
-**What this protects against:** post-install tampering — if someone modifies the WASM binary on your machine after installation, the hash check fails and the CLI refuses to run.
-
-**What this does not protect against:** the initial install. If the package on npm is compromised before you install it, the hash in `wasm.lock.json` will match the compromised binary. This is standard supply-chain trust, not an additional guarantee.
-
-### 4. Commit signatures (verifiable from 2026-06-21 forward)
-
-Commits to this repository are GPG-signed with key `B902B3111F7D01BA` (Ed25519, expires 2028-06-20). You can verify:
-
-```bash
-git log --show-signature
-```
-
-This confirms that commits were made by the key holder. It does not make the code open source.
-
----
-
-## What you cannot verify
-
-### The WASM runtime is closed source
-
-`dist/lbe_engine.wasm` is a compiled binary. Its source is not published. You cannot audit the governance engine logic — policy evaluation, signature verification, rate limiting, nonce replay protection — from the shipped artifact.
-
-The trust chain for the runtime is: **you trust the binary or you don't.** There is no open-source alternative at this time.
-
-### Minified JS is not hidden
-
-`hooks/register.cjs` and `dist/cli.js` are minified. Minified means smaller and harder to read — not protected, not encrypted, not obfuscated beyond whitespace and name compression. A motivated reader can format and read the full implementation.
-
----
-
-## What the hook does and does not govern
-
-**Governed:** Node.js processes that load the hook via `--require` or `NODE_OPTIONS`.
-
-**Not governed:** Python, Go, Rust, native binaries, PowerShell scripts, subprocess spawns outside `child_process`, or any process that runs outside the hooked Node.js environment.
-
-The hook is a best-effort governance layer for Node.js agents, not a sandbox or kernel-level enforcement mechanism.
-
----
-
-## Verification surface summary
-
-| Claim | Verifiable? | How |
-|---|---|---|
-| Hook patches fs and child_process | Yes | Run it, read the audit log |
-| Audit log captures intercepted actions | Yes | Read `.lbe/events.jsonl` |
-| WASM binary not tampered post-install | Yes | Hash in `wasm.lock.json` |
-| WASM binary not tampered at publish time | No | Closed source, standard npm trust |
-| Governance engine logic is correct | No | WASM is not open source |
-| Commits are from the stated author | Yes | GPG signatures on git history |
-| Hook controls every Node.js action | No | JS is not a sandbox |
-
----
-
-## Reporting
-
-If you find behaviour that contradicts this document — the hook not logging, the hash check not failing on a modified binary, or audit entries missing — open an issue on the public repository.

package/release/exec-README.md

@@ -1,215 +0,0 @@
-# @letterblack/lbe-exec
-
-LBE puts a local policy gate between what an AI agent proposes and what the system actually executes. Every action — file write, shell command, anything — is validated locally before it runs. No cloud service. No daemon.
-
-`lbe-exec` is the full in-process controller. It handles signing, execution, and auditing for you — your agent code just calls `lbe.writeFile()` or `lbe.runShell()`.
-
-> **Used in production:** LBE is the safety engine inside [Letterblack for After Effects](https://letterblack.net) — every AI-generated script and automation command passes through it before touching a live project.
-
----
-
-## Which package do you need?
-
-| I want… | Package |
-|---|---|
-| LBE to handle file writes and shell commands for me (full controller) | `@letterblack/lbe-exec` ← you are here |
-| Just the allow/deny decision — I'll execute it myself | `@letterblack/lbe-sdk` |
-
----
-
-## Install
-
-```bash
-npm install @letterblack/lbe-exec
-npx lbe-exec init
-```
-
-`npx lbe-exec init` creates `lbe.policy.json` in observer mode, generates `CLAUDE.md` and `.github/copilot-instructions.md` so AI agents automatically discover and follow governance, and writes `.lbe/AGENT_CONTRACT.md` as a machine-readable contract.
-
-Requires Node.js ≥ 20.9.0.
-
----
-
-## Quick start
-
-```js
-import { createLocalExecutor } from '@letterblack/lbe-exec';
-
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-
-// Every call routes through the full 7-gate pipeline automatically
-await lbe.writeFile('output/report.md', content);
-await lbe.readFile('src/config.json');
-await lbe.patchFile('src/index.js', patch);
-await lbe.deleteFile('tmp/scratch.txt');
-await lbe.runShell('node', ['scripts/build.js']);
-
-// Result shape — same for every method
-// { ok: true,  decision: 'allow', executed: true,  auditId: '...' }
-// { ok: false, decision: 'deny',  executed: false, error: { code, message } }
-```
-
-No knowledge of the pipeline, request format, or policy internals required. All signing, validation, and auditing happens automatically.
-
----
-
-## Options
-
-```js
-const lbe = createLocalExecutor({
-  rootDir: process.cwd(),          // sandbox root — no writes escape this path
-  mode: 'observe',                 // 'observe' (log only) or 'enforce' (block)
-  shell: {
-    allowCommands: ['node', 'npm'], // only these commands may run
-    denyCommands:  ['rm', 'curl'],  // always blocked regardless of policy
-    maxRequests:   20               // per-minute shell rate limit
-  }
-});
-```
-
----
-
-## Policy management
-
-Only the host application writes policy. Agents may propose a rule — the proposal is returned as a plain object for the host to review. Until the host explicitly accepts and writes it, the proposal has no effect.
-
-```js
-// Propose a rule — returns an object for the host to review, writes nothing
-const proposal = lbe.policy.proposeRule({
-  effect: 'deny',
-  type: 'path',
-  pattern: 'secrets/**',
-  from: 'agent: these files should not be modified'
-});
-
-// Host accepts and writes the rule
-lbe.policy.addRule(proposal);
-
-// Read current policy
-const policy = lbe.policy.read();
-
-// Verify the audit chain has not been tampered with
-lbe.audit.verify();
-```
-
----
-
-## Observer mode — start here
-
-Not ready to block? Start in observer mode. Every request is fully validated and logged exactly as it would be in enforcement — but nothing is blocked. Watch what the agent is doing before you decide what to deny.
-
-```bash
-npx lbe-exec init      # create lbe.policy.json in observer mode
-npx lbe-exec enforce   # switch to blocking
-npx lbe-exec observe   # switch back to advisory
-```
-
----
-
-## CLI reference
-
-| Command | Purpose |
-|---|---|
-| `npx lbe-exec init` | Bootstrap governance — policy, keys, agent files |
-| `npx lbe-exec status` | Show mode, rule count, audit entry count |
-| `npx lbe-exec policy` | List active rules |
-| `npx lbe-exec observe` | Set advisory (log-only) mode |
-| `npx lbe-exec enforce` | Set blocking mode |
-| `npx lbe-exec execute` | Pipe a JSON request from stdin or `--input <file>` |
-
----
-
-## How the gate pipeline works
-
-![LBE gate sequence — Request flows through Policy, Identity, and Scope gates before reaching Action. A rejected request is routed to denial before it reaches execution.](https://unpkg.com/@letterblack/lbe-exec/assets/lbe-gates.jpg)
-
-Every request enters a 7-gate pipeline. A failure at any gate returns a structured denial — the remaining gates are not evaluated.
-
-```
-[1] Schema         required fields and structural validity
-        ↓
-[2] Timestamp      permitted clock-skew window (±10 minutes)
-        ↓
-[3] Key lifecycle  trusted key, active, not expired
-        ↓
-[4] Signature      Ed25519 request authenticity (signed locally, no network)
-        ↓
-[5] Rate limit     per-requester sliding-window limit
-        ↓
-[6] Nonce          single-use replay protection
-        ↓
-[7] Policy         configured authorization (deny-wins)
-        ↓
-  allow / deny / error — structured result returned to host
-```
-
-The executor signs every request with a host-held key before validation. No key material leaves the process.
-
----
-
-## When a request is approved
-
-![Happy path — agent proposes action, identity confirmed, policy approved, governed write executed, audit chain extended, result returned to app.](https://unpkg.com/@letterblack/lbe-exec/assets/story-allow.jpg)
-
-1. The agent calls a convenience method — `lbe.writeFile()`, `lbe.runShell()`, etc.
-2. The executor constructs and signs the request locally with a host-held Ed25519 key.
-3. All seven gates pass. The project policy approves the action.
-4. The write or command executes inside the configured project root.
-5. The audit chain is extended — every approved action appends a hash-linked entry to `.lbe/audit.jsonl`, permanently verifiable, impossible to silently remove.
-6. A structured result returns: whether it succeeded, which rules matched, and the audit entry identifier.
-
----
-
-## When a request is blocked
-
-![Deny path — policy rejection before a governed action, shell untouched, filesystem unchanged, audit entry written, final state clean.](https://unpkg.com/@letterblack/lbe-exec/assets/story-deny.jpg)
-
-1. The agent proposes an action that is outside the permitted policy.
-2. The policy gate closes immediately. The request is denied before any adapter is reached.
-3. The shell is untouched. The filesystem is unchanged.
-4. The denial is written to the immutable audit log — chain sealed, evidence preserved.
-
-No partial execution. No silent failures. Denial is a first-class outcome, not an error.
-
----
-
-## What this covers
-
-| Threat | Gate |
-|---|---|
-| Agent writes outside the project root | Scope — sandbox path check |
-| Replayed or stale request | Identity — nonce and timestamp |
-| Tampered or expired key | Identity — key lifecycle |
-| Excessive requests | Identity — rate limit |
-| Action not permitted by project policy | Policy — deny-wins evaluation |
-| Unauthorized shell command | Scope — explicit command allowlist |
-| Injected payload (eval, exec, __proto__) | Content scan before pipeline |
-
----
-
-## What ships
-
-```
-dist/index.js               In-process executor — createLocalExecutor()
-dist/cli.js                 Local CLI (npx lbe-exec)
-dist/lbe_engine.wasm        Verified WASM runtime binary
-dist/wasm.lock.json         Runtime integrity lock (SHA-256 of wasm binary)
-assets/lbe-gates.jpg        Gate sequence diagram
-assets/story-allow.jpg      Approved-request storyboard
-assets/story-deny.jpg       Blocked-request storyboard
-assets/runtime-boundary.svg Runtime boundary diagram
-assets/lbe-gates.png        Gate sequence diagram (full resolution)
-assets/story-allow.png      Approved-request storyboard (full resolution)
-assets/story-deny.png       Blocked-request storyboard (full resolution)
-types.d.ts                  TypeScript declarations
-```
-
-Source code, tests, keys, and runtime state are not included.
-
----
-
-## Limits
-
-This package governs actions routed through its executor. It does not provide kernel-level process isolation, network-egress control, multi-tenant separation, or a hosted control plane.
-
-For the raw WASM runtime without a controller, see `@letterblack/lbe-sdk`.

package/release/exec-types.d.ts

@@ -1,50 +0,0 @@
-export interface LBEResult {
-  ok: boolean;
-  decision: 'allow' | 'deny' | 'observe';
-  executed: boolean;
-  dryRun: boolean;
-  error?: { code: string; message: string; recoverable: boolean };
-  matchedRules?: string[];
-  auditId?: string;
-  rollback?: { available: boolean; performed: boolean; backupId?: string };
-}
-
-export interface LBEPolicyRule {
-  effect: 'allow' | 'deny';
-  type: 'path' | 'command';
-  pattern: string;
-  from: string;
-}
-
-export interface LocalExecutor {
-  rootDir: string;
-
-  // High-level API — use these in agent code
-  writeFile(target: string, content: string): Promise<LBEResult>;
-  readFile(target: string): Promise<LBEResult>;
-  patchFile(target: string, content: string): Promise<LBEResult>;
-  deleteFile(target: string): Promise<LBEResult>;
-  runShell(cmd: string, args?: string[], opts?: { cwd?: string; timeoutMs?: number; maxOutputBytes?: number }): Promise<LBEResult>;
-
-  // Policy management
-  policy: {
-    read(): unknown;
-    proposeRule(rule: LBEPolicyRule): unknown;
-    addRule(rule: LBEPolicyRule): unknown;
-  };
-
-  // Audit
-  audit: { verify(): unknown };
-
-  // Low-level — for advanced / non-standard use only
-  validate(request: unknown): Promise<LBEResult>;
-  dryRun(request: unknown): Promise<LBEResult>;
-  execute(request: unknown): Promise<LBEResult>;
-}
-
-export function createLocalExecutor(options?: {
-  rootDir?: string;
-  keyId?: string;
-  mode?: 'observe' | 'enforce';
-  shell?: { allowCommands?: string[]; denyCommands?: string[]; maxRequests?: number };
-}): LocalExecutor;

package/release-exec/LICENSE

@@ -1 +0,0 @@
-SEE LICENSE IN LICENSE