@letterblack/lbe-exec 1.2.14 → 1.2.16

package/dist/cli.js

@@ -2574,11 +2574,6 @@ function loadPolicy() {
   const p = path15.join(process.cwd(), "lbe.policy.json");
   return fs14.existsSync(p) ? JSON.parse(fs14.readFileSync(p, "utf8")) : null;
 }
-function countAudit() {
-  const p = path15.join(process.cwd(), ".lbe", "audit.jsonl");
-  if (!fs14.existsSync(p)) return 0;
-  return fs14.readFileSync(p, "utf8").split("\n").filter((l) => l.trim()).length;
-}
 function findHookPath() {
   const candidates = [
     path15.resolve(__dir, "../hooks/register.cjs"),
@@ -2684,8 +2679,9 @@ switch (cmd) {
       process.exit(1);
     }
     const existing = process.env.NODE_OPTIONS || "";
-    const hookFlag = "--require " + hookPath;
-    const nodeOptions = existing.includes(hookFlag) ? existing : (existing + " " + hookFlag).trim();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const hookFlag = '--require "' + hookPathFwd + '"';
+    const nodeOptions = existing.includes(hookPathFwd) ? existing : (existing + " " + hookFlag).trim();
     const npmArgs = rest.filter((v) => !v.startsWith("--mode") && v !== opts.mode);
     const child = spawn("npm", npmArgs, {
       stdio: "inherit",
@@ -2696,46 +2692,63 @@ switch (cmd) {
     break;
   }
   case "status": {
-    const policy = loadPolicy();
+    const root = process.cwd();
     console.log("\u2500\u2500 LBE Status \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-    console.log("workspace:   " + process.cwd());
-    if (policy) {
-      console.log("mode:        " + policy.mode);
-      console.log("rules:       " + (policy.rules?.length ?? 0));
-      console.log("audit:       " + countAudit() + " entries  (.lbe/audit.jsonl)");
-    } else {
-      console.log("policy:      not found \u2014 run: npx lbe-exec init");
-    }
-    const statusFile = path15.join(process.cwd(), ".lbe", "runtime", "hook-status.json");
-    if (!fs14.existsSync(statusFile)) {
-      console.log("\nhook:        inactive \u2014 use: npx lbe-exec run-node ./agent.js");
-      break;
-    }
-    let hookStatus;
-    try {
-      hookStatus = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
-    } catch (e) {
-      console.log("\nhook:        status file unreadable \u2014 " + e.message);
-      break;
+    console.log("workspace:   " + root);
+    const hookPath = findHookPath();
+    console.log("hook file:   " + hookPath + (fs14.existsSync(hookPath) ? " (found)" : " (MISSING)"));
+    const lbeRoot = process.env.LBE_ROOT || "";
+    console.log("LBE_ROOT:    " + (lbeRoot || "(not set)"));
+    const nodeOpts = process.env.NODE_OPTIONS || "";
+    const hookInPath = nodeOpts.includes("register.cjs");
+    console.log("NODE_OPTIONS contains hook: " + (hookInPath ? "yes" : "no"));
+    const eventsFile = path15.join(root, ".lbe", "events.jsonl");
+    const auditExists = fs14.existsSync(eventsFile);
+    console.log("audit log:   " + (auditExists ? eventsFile : "(none yet)"));
+    if (auditExists) {
+      try {
+        const lines = fs14.readFileSync(eventsFile, "utf8").split("\n").filter((l) => l.trim());
+        if (lines.length) {
+          const last = JSON.parse(lines[lines.length - 1]);
+          const ts = new Date((last.ts || 0) * 1e3).toISOString().replace("T", " ").slice(0, 19);
+          const target = last.path || last.cmd || "?";
+          console.log("last event:  " + ts + "  " + last.action + "  " + target + "  \u2192 " + (last.decision || "?"));
+        } else {
+          console.log("last event:  (none)");
+        }
+      } catch (_) {
+        console.log("last event:  (unreadable)");
+      }
     }
-    let pidAlive = false;
-    try {
-      process.kill(hookStatus.pid, 0);
-      pidAlive = true;
-    } catch (_) {
-    }
-    console.log("\nhook:        " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
-    console.log("hook pid:    " + hookStatus.pid + (pidAlive ? " (alive)" : " (gone)"));
-    console.log("hook mode:   " + hookStatus.mode);
-    console.log("hook root:   " + hookStatus.root);
-    console.log("hook start:  " + hookStatus.started_at);
-    if (hookStatus.patched) {
-      console.log("\nPatched functions:");
-      for (const [fn, active] of Object.entries(hookStatus.patched)) {
-        console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+    const statusFile = path15.join(root, ".lbe", "runtime", "hook-status.json");
+    if (fs14.existsSync(statusFile)) {
+      let h;
+      try {
+        h = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
+      } catch (_) {
+      }
+      if (h) {
+        let pidAlive = false;
+        try {
+          process.kill(h.pid, 0);
+          pidAlive = true;
+        } catch (_) {
+        }
+        console.log("\nhook process: " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
+        console.log("hook pid:     " + h.pid + (pidAlive ? " (alive)" : " (gone)"));
+        console.log("hook mode:    " + h.mode);
+        console.log("hook started: " + h.started_at);
+        if (h.patched) {
+          console.log("\nPatched functions:");
+          for (const [fn, active] of Object.entries(h.patched)) {
+            console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+          }
+        }
       }
+    } else {
+      console.log("\nhook process: inactive \u2014 run: lbe-exec run-node ./agent.js");
+      console.log("              or: lbe-exec activate  then  lbe-exec shell");
     }
-    console.log("\nevents log:  .lbe/events.jsonl");
     break;
   }
   case "audit": {
@@ -2777,6 +2790,101 @@ switch (cmd) {
       process.exit(1);
     });
     break;
+  case "activate": {
+    const hookPath = findHookPath();
+    if (!fs14.existsSync(hookPath)) {
+      console.error("Hook not found: " + hookPath);
+      console.error("Run: npm install @letterblack/lbe-exec");
+      process.exit(1);
+    }
+    const mode = opts.mode || "observe";
+    const root = process.cwd();
+    const lbeDir = path15.join(root, ".lbe");
+    fs14.mkdirSync(lbeDir, { recursive: true });
+    fs14.writeFileSync(path15.join(lbeDir, "activation.json"), JSON.stringify({
+      activated: true,
+      activatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      hookPath,
+      mode,
+      root
+    }, null, 2) + "\n");
+    console.log("\u2500\u2500 LBE workspace activated \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log("workspace: " + root);
+    console.log("hook:      " + hookPath);
+    console.log("mode:      " + mode);
+    console.log("\nNext: open a governed shell session:");
+    console.log("  lbe-exec shell");
+    console.log("\nAny Node.js agent run inside that shell is intercepted.");
+    console.log("Python, Go, native binaries, and PowerShell are NOT governed.");
+    break;
+  }
+  case "shell": {
+    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
+    let activation = null;
+    if (fs14.existsSync(activationFile)) {
+      try {
+        activation = JSON.parse(fs14.readFileSync(activationFile, "utf8"));
+      } catch (_) {
+      }
+    }
+    const hookPath = activation && activation.hookPath || findHookPath();
+    if (!fs14.existsSync(hookPath)) {
+      console.error("Hook not found. Run: lbe-exec activate");
+      process.exit(1);
+    }
+    const mode = opts.mode || activation && activation.mode || "observe";
+    const root = activation && activation.root || process.cwd();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const nodeOpts = '--require "' + hookPathFwd + '"';
+    const shellEnv = { ...process.env, NODE_OPTIONS: nodeOpts, LBE_ROOT: root, LBE_MODE: mode };
+    console.log("[lbe] Opening governed shell \u2014 mode: " + mode);
+    console.log("[lbe] NODE_OPTIONS set. Node.js agents are intercepted.");
+    console.log("[lbe] Python / Go / native binaries are NOT governed.");
+    console.log('[lbe] Type "exit" to close.\n');
+    let shellProc;
+    if (process.platform === "win32") {
+      const banner = [
+        `$env:NODE_OPTIONS='--require "${hookPathFwd}"'`,
+        `$env:LBE_ROOT='${root}'`,
+        `$env:LBE_MODE='${mode}'`,
+        `Write-Host '[lbe] Shell armed \u2014 mode: ${mode}' -ForegroundColor Green`
+      ].join("; ");
+      shellProc = spawn(
+        "powershell.exe",
+        ["-NoExit", "-Command", banner],
+        { stdio: "inherit", env: shellEnv }
+      );
+    } else {
+      const sh = process.env.SHELL || "/bin/bash";
+      shellProc = spawn(sh, [], { stdio: "inherit", env: shellEnv });
+    }
+    shellProc.on("close", (code) => {
+      console.log("\n[lbe] Governed shell closed.");
+      process.exit(code ?? 0);
+    });
+    break;
+  }
+  case "deactivate": {
+    const root = process.cwd();
+    const files = [
+      path15.join(root, ".lbe", "activation.json"),
+      path15.join(root, ".lbe", "runtime", "hook-status.json")
+    ];
+    let removed = 0;
+    for (const f of files) {
+      if (fs14.existsSync(f)) {
+        fs14.unlinkSync(f);
+        removed++;
+      }
+    }
+    if (removed) {
+      console.log("\u2713 LBE deactivated \u2014 workspace activation files removed.");
+    } else {
+      console.log("Nothing to deactivate (workspace was not activated).");
+    }
+    console.log('Close any open "lbe-exec shell" sessions to fully disarm.');
+    break;
+  }
   case "observe":
   case "enforce":
     policyModeCommand(cmd, opts).catch((e) => {
@@ -2828,6 +2936,11 @@ switch (cmd) {
     console.log("  status              Show workspace, mode, hook state, patched functions");
     console.log("  audit               Show unified event log (.lbe/events.jsonl)");
     console.log("  policy              List active policy rules");
+    console.log("  activate            Write workspace activation record (Node.js only)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  shell               Open a governed terminal (NODE_OPTIONS pre-set)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  deactivate          Remove workspace activation files");
     console.log("  observe             Switch to observer mode (log only, nothing blocked)");
     console.log("  enforce             Switch to enforcement mode (violations blocked)");
     console.log("  execute             Send a JSON request from stdin or --input file");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@letterblack/lbe-exec",
-  "version": "1.2.14",
+  "version": "1.2.16",
   "description": "Local host-signed execution layer for LetterBlack LBE.",
   "type": "module",
   "main": "dist/index.js",