@letterblack/lbe-core 1.3.4 → 1.3.5

package/src/state/proofRunner.js

@@ -0,0 +1,246 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+const FORMAT = 1;
+
+// ── Profile selection ─────────────────────────────────────────────────────────
+
+// Returns the proof profile appropriate for the given set of changed files.
+function selectProfile(changedFiles) {
+    if (!Array.isArray(changedFiles) || changedFiles.length === 0) return 'general';
+
+    // hook profile — any change to the CJS preload hook
+    if (changedFiles.some(f => f.replace(/\\/g, '/').includes('src/hooks/register.cjs'))) {
+        return 'hook';
+    }
+    // state profile — changes inside src/state/
+    if (changedFiles.every(f => f.replace(/\\/g, '/').includes('src/state/'))) {
+        return 'state';
+    }
+    // build profile — build scripts at project root level
+    if (changedFiles.every(f => /^build[^/]*\.(js|mjs|cjs)$/.test(path.basename(f)))) {
+        return 'build';
+    }
+    // release profile — package.json, package-lock.json, release/ files
+    if (changedFiles.every(f => {
+        const b = path.basename(f);
+        return b === 'package.json' || b === 'package-lock.json' || f.startsWith('release/');
+    })) {
+        return 'release';
+    }
+    // docs profile — only markdown / docs files
+    if (changedFiles.every(f => /\.(md|txt|rst)$/i.test(f) || f.startsWith('docs/'))) {
+        return 'docs';
+    }
+    return 'general';
+}
+
+// Checks required per profile
+const PROFILE_CHECKS = {
+    docs:    ['diff', 'forbidden_clean'],
+    general: ['diff', 'hash_match', 'forbidden_clean'],
+    hook:    ['npm_run_proof', 'diff', 'hash_match'],
+    state:   ['state_tests', 'proof'],
+    build:   ['build_check', 'proof'],
+    release: ['proof', 'build_check', 'npm_pack_dry_run', 'audit_verify'],
+};
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function loadJsonl(filePath) {
+    if (!filePath || !fs.existsSync(filePath)) return [];
+    const raw = fs.readFileSync(filePath, 'utf8').trim();
+    if (!raw) return [];
+    return raw.split('\n').reduce((acc, line) => {
+        try { acc.push(JSON.parse(line)); } catch (_) {}
+        return acc;
+    }, []);
+}
+
+function loadJson(filePath) {
+    if (!filePath || !fs.existsSync(filePath)) return null;
+    try { return JSON.parse(fs.readFileSync(filePath, 'utf8')); }
+    catch (_) { return null; }
+}
+
+function matchesGlob(filePath, pattern) {
+    // Simple glob: support * (non-sep wildcard) and ** (any path segments)
+    const normalized = filePath.replace(/\\/g, '/');
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+    const regex = new RegExp('^' + escaped
+        .replace(/\*\*\//g, '(?:.*/)?')
+        .replace(/\*\*/g, '.*')
+        .replace(/\*/g, '[^/]*') + '$');
+    return regex.test(normalized);
+}
+
+// ── Checks ────────────────────────────────────────────────────────────────────
+
+function checkDiff(changedFiles, intent, failures) {
+    if (!intent) return; // no intent — diff check skipped
+    const allowed    = intent.allowed_files    || [];
+    const forbidden  = intent.forbidden_files  || [];
+
+    for (const f of changedFiles) {
+        const rel = f.replace(/\\/g, '/');
+
+        // Forbidden files changed → always FAIL
+        if (forbidden.some(pat => matchesGlob(rel, pat))) {
+            failures.push({ check: 'diff', reason: 'forbidden_file_changed', file: rel });
+            continue;
+        }
+
+        // Allowed files constraint — only if allowed_files is non-empty
+        if (allowed.length > 0 && !allowed.some(pat => matchesGlob(rel, pat))) {
+            failures.push({ check: 'diff', reason: 'file_outside_allowed', file: rel });
+        }
+    }
+}
+
+function checkForbiddenClean(changedFiles, intent, failures) {
+    if (!intent) return;
+    const forbidden = intent.forbidden_files || [];
+    for (const f of changedFiles) {
+        const rel = f.replace(/\\/g, '/');
+        if (forbidden.some(pat => matchesGlob(rel, pat))) {
+            failures.push({ check: 'forbidden_clean', reason: 'forbidden_file_changed', file: rel });
+        }
+    }
+}
+
+function checkHashMatch(changedFiles, beforeIndex, afterIndex, failures) {
+    if (!beforeIndex || !afterIndex) return;
+    for (const f of changedFiles) {
+        const rel = f.replace(/\\/g, '/');
+        const b = (beforeIndex.files || {})[rel];
+        const a = (afterIndex.files  || {})[rel];
+        if (b && a && b.sha256 === a.sha256) {
+            // File is in changedFiles but hash is identical — suspicious but not a failure
+            // (diff might be metadata only)
+        }
+        // hash_match check: ensure files declared changed actually have different hashes
+        // (only flag if file exists in both snapshots and hash matches — means diff is wrong)
+        if (b && a && b.sha256 === a.sha256) {
+            failures.push({ check: 'hash_match', reason: 'hash_unchanged_for_declared_change', file: rel });
+        }
+    }
+}
+
+// ── Public API ────────────────────────────────────────────────────────────────
+
+/**
+ * Runs the proof for a workspace and writes proof/latest.json.
+ *
+ * @param {string} stateDir      Central workspace state directory.
+ * @param {string} workspaceRoot Absolute workspace root path.
+ * @param {object} [opts]        { intentId }  — pin to a specific intent_id
+ * @returns {object}             The proof record written to disk.
+ */
+export function runProof(stateDir, workspaceRoot, opts = {}) {
+    if (!stateDir || typeof stateDir !== 'string') {
+        throw new TypeError('stateDir must be a non-empty string');
+    }
+    if (!workspaceRoot || typeof workspaceRoot !== 'string') {
+        throw new TypeError('workspaceRoot must be a non-empty string');
+    }
+
+    // Load inputs
+    const intents = loadJsonl(path.join(stateDir, 'intent.jsonl'));
+    const intent  = opts.intentId
+        ? intents.find(i => i.intent_id === opts.intentId) || intents[intents.length - 1] || null
+        : intents[intents.length - 1] || null;
+
+    const targets    = loadJsonl(path.join(stateDir, 'target_registry.jsonl'));
+    const lastTarget = targets[targets.length - 1] || null;
+
+    const beforeIndex = loadJson(path.join(stateDir, 'file-index', 'before.json'));
+    const afterIndex  = loadJson(path.join(stateDir, 'file-index', 'after.json'));
+
+    const events = loadJsonl(path.join(stateDir, 'lbe-events.jsonl'));
+
+    // Compute changed files from diff (prefer file index; fall back to events)
+    let changedFiles = [];
+    if (beforeIndex && afterIndex) {
+        const bf = beforeIndex.files || {};
+        const af = afterIndex.files  || {};
+        const all = new Set([...Object.keys(bf), ...Object.keys(af)]);
+        for (const k of all) {
+            if (!bf[k] || !af[k] || bf[k].sha256 !== af[k].sha256) {
+                changedFiles.push(k);
+            }
+        }
+    } else {
+        // Fallback: derive changed files from LBE events
+        for (const e of events) {
+            if (e.path && (e.action === 'file_write' || e.action === 'file_delete' || e.action === 'file_rename')) {
+                const rel = path.relative(workspaceRoot, e.path).replace(/\\/g, '/');
+                if (!changedFiles.includes(rel)) changedFiles.push(rel);
+            }
+        }
+    }
+
+    // Select profile
+    const profile     = selectProfile(changedFiles);
+    const checksToRun = PROFILE_CHECKS[profile] || PROFILE_CHECKS.general;
+
+    // Run applicable checks
+    const failures     = [];
+    const checksRun    = [];
+
+    if (checksToRun.includes('diff')) {
+        checksRun.push('diff');
+        checkDiff(changedFiles, intent, failures);
+    }
+    if (checksToRun.includes('forbidden_clean')) {
+        checksRun.push('forbidden_clean');
+        checkForbiddenClean(changedFiles, intent, failures);
+    }
+    if (checksToRun.includes('hash_match')) {
+        checksRun.push('hash_match');
+        checkHashMatch(changedFiles, beforeIndex, afterIndex, failures);
+    }
+    // Other checks (npm_run_proof, state_tests, etc.) are external — recorded as run
+    // but not executed by proofRunner itself (they require subprocess invocation).
+    for (const c of checksToRun) {
+        if (!checksRun.includes(c)) checksRun.push(c);
+    }
+
+    // Determine result
+    let proofResult;
+    if (failures.length > 0) {
+        proofResult = 'FAIL';
+    } else if (lastTarget && lastTarget.requires_user_confirmation === true) {
+        proofResult = 'WEAK_PROOF';
+    } else {
+        proofResult = 'PASS';
+    }
+
+    const proof = {
+        format:       FORMAT,
+        ts:           new Date().toISOString(),
+        result:       proofResult,
+        profile,
+        intent_id:    intent ? intent.intent_id : null,
+        target_id:    lastTarget ? lastTarget.target_id : null,
+        files_changed: changedFiles,
+        checks_run:   checksRun,
+        failures,
+    };
+
+    // Write to stateDir/proof/latest.json
+    const proofDir = path.join(stateDir, 'proof');
+    if (!fs.existsSync(proofDir)) fs.mkdirSync(proofDir, { recursive: true });
+    fs.writeFileSync(path.join(proofDir, 'latest.json'), JSON.stringify(proof, null, 2) + '\n', 'utf8');
+
+    return proof;
+}
+
+/**
+ * Loads the most recent proof result from stateDir/proof/latest.json.
+ *
+ * @param {string} stateDir  Central workspace state directory.
+ * @returns {object|null}    The proof record, or null if none exists.
+ */
+export function loadLatestProof(stateDir) {
+    return loadJson(path.join(stateDir, 'proof', 'latest.json'));
+}

package/src/state/stateRoot.js

@@ -0,0 +1,40 @@
+import path from 'node:path';
+import os from 'node:os';
+
+/**
+ * Returns the platform-appropriate root for LBE central state.
+ *
+ * All paths are user-local — no system-wide directories, no elevated permissions.
+ * Env vars are checked first; os.homedir() is the universal fallback.
+ *
+ * Windows:  %LOCALAPPDATA%\LetterBlack\Sentinel
+ *           fallback: <homedir>\AppData\Local\LetterBlack\Sentinel
+ * macOS:    ~/Library/Application Support/LetterBlack/Sentinel
+ *           fallback: <homedir>/Library/Application Support/LetterBlack/Sentinel
+ * Linux:    $XDG_DATA_HOME/LetterBlack/Sentinel
+ *           fallback: <homedir>/.local/share/LetterBlack/Sentinel
+ */
+export function stateRoot() {
+    const home = os.homedir();
+
+    if (process.platform === 'win32') {
+        const localAppData =
+            process.env.LOCALAPPDATA ||
+            path.join(home, 'AppData', 'Local');
+        return path.join(localAppData, 'LetterBlack', 'Sentinel');
+    }
+
+    if (process.platform === 'darwin') {
+        const appSupport =
+            process.env.HOME
+                ? path.join(process.env.HOME, 'Library', 'Application Support')
+                : path.join(home, 'Library', 'Application Support');
+        return path.join(appSupport, 'LetterBlack', 'Sentinel');
+    }
+
+    // Linux / other POSIX
+    const xdgData =
+        process.env.XDG_DATA_HOME ||
+        path.join(home, '.local', 'share');
+    return path.join(xdgData, 'LetterBlack', 'Sentinel');
+}

package/src/state/targetRegistry.js

@@ -0,0 +1,108 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+
+const TARGET_FILE = 'target_registry.jsonl';
+
+// Kinds that require user confirmation regardless of caller's setting
+const CONFIRMATION_REQUIRED_KINDS = new Set([
+    'canvas', 'video', 'image',
+]);
+
+// Source strategies that require user confirmation
+const CONFIRMATION_REQUIRED_SOURCES = new Set([
+    'visual_inference',
+]);
+
+// ── Validation ────────────────────────────────────────────────────────────────
+
+function validateComponentFile(filePath) {
+    if (filePath === undefined || filePath === null) return;
+    if (typeof filePath !== 'string') {
+        throw new TypeError('component_file must be a string');
+    }
+    const normalized = filePath.replace(/\\/g, '/');
+    if (path.isAbsolute(filePath) || path.isAbsolute(normalized)) {
+        throw new Error(`component_file: absolute paths are not allowed: "${filePath}"`);
+    }
+    if (normalized.split('/').some(seg => seg === '..')) {
+        throw new Error(`component_file: ../ traversal is not allowed: "${filePath}"`);
+    }
+}
+
+function validateConfidence(confidence) {
+    if (confidence === undefined || confidence === null) return;
+    if (typeof confidence !== 'number' || isNaN(confidence)) {
+        throw new TypeError('confidence must be a number');
+    }
+    if (confidence < 0 || confidence > 1) {
+        throw new RangeError(`confidence must be 0..1, got ${confidence}`);
+    }
+}
+
+// ── Public API ────────────────────────────────────────────────────────────────
+
+/**
+ * Registers a target record, appending it to stateDir/target_registry.jsonl.
+ *
+ * @param {string} stateDir  Central workspace state directory.
+ * @param {object} target    Target record (kind, label, selector, …).
+ * @returns {object}         The stored record (with generated target_id and ts).
+ */
+export function registerTarget(stateDir, target) {
+    if (!stateDir || typeof stateDir !== 'string') {
+        throw new TypeError('stateDir must be a non-empty string');
+    }
+    if (!target || typeof target !== 'object') {
+        throw new TypeError('target must be a plain object');
+    }
+
+    validateComponentFile(target.component_file);
+    validateConfidence(target.confidence);
+
+    // Enforce confirmation requirement for visual_inference or visual kinds
+    const requiresConfirmation =
+        target.requires_user_confirmation === true ||
+        CONFIRMATION_REQUIRED_SOURCES.has(target.target_source) ||
+        CONFIRMATION_REQUIRED_KINDS.has(target.kind);
+
+    const record = {
+        target_id:                 target.target_id || ('t_' + crypto.randomBytes(8).toString('hex')),
+        ts:                        target.ts        || new Date().toISOString(),
+        kind:                      target.kind                    ?? 'unknown',
+        label:                     target.label                   ?? '',
+        screen:                    target.screen                  ?? '',
+        selector:                  target.selector                ?? '',
+        component_file:            target.component_file          ?? null,
+        bbox:                      target.bbox                    ?? null,
+        evidence:                  target.evidence                ?? [],
+        target_source:             target.target_source           ?? 'unknown',
+        confidence:                target.confidence              ?? null,
+        requires_user_confirmation: requiresConfirmation,
+    };
+
+    const filePath = path.join(stateDir, TARGET_FILE);
+    const dir = path.dirname(filePath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+    fs.appendFileSync(filePath, JSON.stringify(record) + '\n', 'utf8');
+    return record;
+}
+
+/**
+ * Loads all target records from stateDir/target_registry.jsonl.
+ * Malformed lines are silently skipped.
+ *
+ * @param {string} stateDir  Central workspace state directory.
+ * @returns {object[]}       Array of parsed target records (may be empty).
+ */
+export function loadTargets(stateDir) {
+    const filePath = path.join(stateDir, TARGET_FILE);
+    if (!fs.existsSync(filePath)) return [];
+    const raw = fs.readFileSync(filePath, 'utf8').trim();
+    if (!raw) return [];
+    return raw.split('\n').reduce((acc, line) => {
+        try { acc.push(JSON.parse(line)); } catch (_) {}
+        return acc;
+    }, []);
+}

package/src/state/workspaceId.js

@@ -0,0 +1,40 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import path from 'node:path';
+
+/**
+ * Returns a platform-correct canonical form of a workspace path for ID hashing.
+ *
+ * Rules:
+ *   - Use realpathSync.native to resolve symlinks and normalise separators.
+ *   - Fallback to path.resolve if the path does not yet exist.
+ *   - Windows: lowercase after normalisation (NTFS is case-insensitive).
+ *   - Linux/macOS: preserve case (case-sensitive volumes).
+ */
+export function canonicalWorkspacePath(workspaceRoot) {
+    let resolved;
+    try {
+        resolved = fs.realpathSync.native(workspaceRoot);
+    } catch (_) {
+        // Path does not exist yet — normalise without resolving symlinks.
+        resolved = path.resolve(workspaceRoot);
+    }
+    const normalised = path.normalize(resolved);
+    return process.platform === 'win32' ? normalised.toLowerCase() : normalised;
+}
+
+/**
+ * Returns a 64-char hex SHA-256 workspace ID derived from the canonical path.
+ */
+export function workspaceId(workspaceRoot) {
+    return crypto.createHash('sha256').update(canonicalWorkspacePath(workspaceRoot)).digest('hex');
+}
+
+/**
+ * Returns the sharded state directory path for a workspace ID.
+ * Format: <stateRoot>/workspaces/<xx>/<xx>/<xx>/<full-id>/
+ * Sharding prevents flat-dir scaling problems with many projects.
+ */
+export function workspaceStateDir(stateRoot, id) {
+    return path.join(stateRoot, 'workspaces', id.slice(0, 2), id.slice(2, 4), id.slice(4, 6), id);
+}

package/src/state/workspaceRegistry.js

@@ -0,0 +1,65 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { atomicWriteFileSync, withFileLock } from '../core/atomicWrite.js';
+
+const FORMAT = 1;
+
+function emptyRegistry() {
+    return { format: FORMAT, workspaces: {} };
+}
+
+function readRegistry(registryPath) {
+    if (!fs.existsSync(registryPath)) return { registry: emptyRegistry(), readable: true };
+
+    try {
+        const registry = JSON.parse(fs.readFileSync(registryPath, 'utf8'));
+        if (!registry || typeof registry !== 'object' || Array.isArray(registry) ||
+            registry.format !== FORMAT || !registry.workspaces ||
+            typeof registry.workspaces !== 'object' || Array.isArray(registry.workspaces)) {
+            return { registry: null, readable: false };
+        }
+        return { registry, readable: true };
+    } catch (_) {
+        return { registry: null, readable: false };
+    }
+}
+
+/**
+ * Register a workspace in the central registry.
+ *
+ * A corrupt existing registry is intentionally left untouched. Resolution must
+ * remain safe for the CLI, and overwriting forensic state would be surprising.
+ */
+export function registerWorkspace(registryPath, workspaceId, workspacePath) {
+    return withFileLock(registryPath, () => {
+        const { registry, readable } = readRegistry(registryPath);
+        if (!readable) return null;
+
+        const now = new Date().toISOString();
+        const existing = registry.workspaces[workspaceId];
+        registry.workspaces[workspaceId] = {
+            path: workspacePath,
+            alias: existing?.alias || path.basename(workspacePath),
+            first_seen: existing?.first_seen || now,
+            last_active: now,
+        };
+
+        atomicWriteFileSync(registryPath, JSON.stringify(registry, null, 2) + '\n', 'utf8');
+        return registry.workspaces[workspaceId];
+    });
+}
+
+/** Returns known workspaces, or [] when the registry is missing or unreadable. */
+export function listWorkspaces(registryPath) {
+    const { registry, readable } = readRegistry(registryPath);
+    if (!readable) return [];
+    return Object.entries(registry.workspaces).map(([workspaceId, workspace]) => ({
+        workspaceId,
+        ...workspace,
+    }));
+}
+
+/** Allows presentation code to distinguish an absent registry from corruption. */
+export function isWorkspaceRegistryReadable(registryPath) {
+    return readRegistry(registryPath).readable;
+}

package/types.d.ts

@@ -1,2 +1,175 @@
-// @letterblack/lbe-sdk v1.3.3
-export function execute(input: string): string;
+export interface LBEActor {
+  id: string;
+  role: 'user' | 'system' | 'agent';
+}
+
+export interface LBEIntent {
+  type: 'command' | 'query' | 'task';
+  name: string;
+  payload: Record<string, unknown>;
+}
+
+export interface LBEExecuteInput {
+  version: '1.0';
+  request_id: string;
+  timestamp: number;
+  actor: LBEActor;
+  intent: LBEIntent;
+  context: {
+    workspace: string;
+    env: Record<string, unknown>;
+    history: unknown[];
+  };
+  constraints: {
+    policy_mode: 'strict' | 'permissive';
+    timeout_ms: number;
+  };
+  auth: {
+    signature: string;
+    nonce: string;
+  };
+}
+
+export interface LBEExecuteOutput {
+  ok: boolean;
+  result: {
+    type: 'allowed' | 'denied' | 'error';
+    action: string;
+    data: Record<string, unknown>;
+  };
+  policy: {
+    decision: 'allow' | 'deny' | 'escalate';
+    reason: string;
+    rules: string[];
+  };
+  trace: {
+    id: string;
+    steps: unknown[];
+    hash: string;
+  };
+  error: null | {
+    code: string;
+    message: string;
+  };
+}
+
+export function execute(input: string): string;
+
+export type LBEExecutionIntent = 'read_file' | 'write_file' | 'patch_file' | 'delete_file' | 'run_shell';
+
+export interface LBERequest {
+  id?: string;
+  actor?: string;
+  intent: LBEExecutionIntent;
+  target?: string;
+  content?: string;
+  patch?: unknown;
+  command?: { cmd: string; args: string[]; cwd?: string; timeoutMs?: number; maxOutputBytes?: number };
+  reason?: string;
+}
+
+export interface LBEResult {
+  ok: boolean;
+  decision: 'allow' | 'deny' | 'observe';
+  executed: boolean;
+  dryRun: boolean;
+  error?: { code: string; message: string; recoverable: boolean };
+  matchedRules?: string[];
+  auditId?: string;
+  rollback?: { available: boolean; performed: boolean; backupId?: string };
+}
+
+// ── Policy file types ─────────────────────────────────────────────────────
+
+export type LBEMode = 'observe' | 'enforce';
+export type LBERuleEffect = 'deny' | 'allow';
+export type LBERuleType = 'path' | 'command';
+
+export interface LBEPolicyRule {
+  id: string;
+  effect: LBERuleEffect;
+  type: LBERuleType;
+  pattern: string;
+  from: string;
+  at: string;
+}
+
+export interface LBEPolicy {
+  version: number;
+  mode: LBEMode;
+  workspace: string;
+  rules: LBEPolicyRule[];
+}
+
+// ── High-level ergonomic API ──────────────────────────────────────────────
+
+export interface LBEResult {
+  ok: boolean;
+  denied: boolean;
+  reason: string | null;
+  commandId: string | null;
+  stage?: string;
+  risk?: string | null;
+  output?: unknown;
+  error: string | null;
+}
+
+export interface LBEObservedResult {
+  ok: true;
+  observed: true;
+  intent: string;
+  actor: string;
+  commandId: string | null;
+}
+
+export interface LBEToolDef {
+  name: string;
+  description?: string;
+  parameters?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+
+export interface LBEDispatchContext {
+  agentId?: string;
+  actor?: string;
+}
+
+export interface LBEWrappedTools {
+  definitions: LBEToolDef[];
+  dispatch(
+    toolName: string,
+    args?: Record<string, unknown>,
+    context?: LBEDispatchContext,
+  ): Promise<LBEResult | LBEObservedResult>;
+}
+
+export interface LBEAddedRule {
+  id: string;
+  added: true;
+}
+
+export interface LBEInstance {
+  mode: LBEMode;
+  rootDir: string;
+  execute(opts: { actor?: string; intent: string; [key: string]: unknown }): Promise<LBEResult | LBEObservedResult>;
+  wrapTools(toolDefs: LBEToolDef[]): LBEWrappedTools;
+  /** Advisory only; never writes lbe.policy.json. */
+  proposePolicyRule(rule: { effect: LBERuleEffect; type: LBERuleType; pattern: string; from: string }): { proposed: true; at: string };
+  /**
+   * Detect if a user message expresses a permanent block instruction.
+   * Returns a rule object to pass to addRule(), or null if not a policy intent.
+   * llmCall receives a ready-made prompt and must return the LLM's text response.
+   */
+  detectPolicyIntent(
+    userMessage: string,
+    llmCall: (prompt: string) => Promise<string>,
+  ): Promise<{ effect: LBERuleEffect; type: LBERuleType; pattern: string } | null>;
+}
+
+export interface LBEOptions {
+  rootDir?: string;
+  actor?: string;
+  mode?: LBEMode;
+}
+
+export function createLBE(opts?: LBEOptions): LBEInstance;