@letterblack/lbe-exec 1.2.15 → 1.2.16

package/dist/cli.js

@@ -2574,11 +2574,6 @@ function loadPolicy() {
   const p = path15.join(process.cwd(), "lbe.policy.json");
   return fs14.existsSync(p) ? JSON.parse(fs14.readFileSync(p, "utf8")) : null;
 }
-function countAudit() {
-  const p = path15.join(process.cwd(), ".lbe", "audit.jsonl");
-  if (!fs14.existsSync(p)) return 0;
-  return fs14.readFileSync(p, "utf8").split("\n").filter((l) => l.trim()).length;
-}
 function findHookPath() {
   const candidates = [
     path15.resolve(__dir, "../hooks/register.cjs"),
@@ -2684,8 +2679,9 @@ switch (cmd) {
       process.exit(1);
     }
     const existing = process.env.NODE_OPTIONS || "";
-    const hookFlag = "--require " + hookPath;
-    const nodeOptions = existing.includes(hookFlag) ? existing : (existing + " " + hookFlag).trim();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const hookFlag = '--require "' + hookPathFwd + '"';
+    const nodeOptions = existing.includes(hookPathFwd) ? existing : (existing + " " + hookFlag).trim();
     const npmArgs = rest.filter((v) => !v.startsWith("--mode") && v !== opts.mode);
     const child = spawn("npm", npmArgs, {
       stdio: "inherit",
@@ -2696,59 +2692,63 @@ switch (cmd) {
     break;
   }
   case "status": {
-    const policy = loadPolicy();
+    const root = process.cwd();
     console.log("\u2500\u2500 LBE Status \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-    console.log("workspace:   " + process.cwd());
-    if (policy) {
-      console.log("mode:        " + policy.mode);
-      console.log("rules:       " + (policy.rules?.length ?? 0));
-      console.log("audit:       " + countAudit() + " entries  (.lbe/audit.jsonl)");
-    } else {
-      console.log("policy:      not found \u2014 run: npx lbe-exec init");
-    }
-    const statusFile = path15.join(process.cwd(), ".lbe", "runtime", "hook-status.json");
-    if (!fs14.existsSync(statusFile)) {
-      console.log("\nhook:        inactive \u2014 use: npx lbe-exec run-node ./agent.js");
-      break;
-    }
-    let hookStatus;
-    try {
-      hookStatus = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
-    } catch (e) {
-      console.log("\nhook:        status file unreadable \u2014 " + e.message);
-      break;
-    }
-    let pidAlive = false;
-    try {
-      process.kill(hookStatus.pid, 0);
-      pidAlive = true;
-    } catch (_) {
-    }
-    console.log("\nhook:        " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
-    console.log("hook pid:    " + hookStatus.pid + (pidAlive ? " (alive)" : " (gone)"));
-    console.log("hook mode:   " + hookStatus.mode);
-    console.log("hook root:   " + hookStatus.root);
-    console.log("hook start:  " + hookStatus.started_at);
-    if (hookStatus.patched) {
-      console.log("\nPatched functions:");
-      for (const [fn, active] of Object.entries(hookStatus.patched)) {
-        console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+    console.log("workspace:   " + root);
+    const hookPath = findHookPath();
+    console.log("hook file:   " + hookPath + (fs14.existsSync(hookPath) ? " (found)" : " (MISSING)"));
+    const lbeRoot = process.env.LBE_ROOT || "";
+    console.log("LBE_ROOT:    " + (lbeRoot || "(not set)"));
+    const nodeOpts = process.env.NODE_OPTIONS || "";
+    const hookInPath = nodeOpts.includes("register.cjs");
+    console.log("NODE_OPTIONS contains hook: " + (hookInPath ? "yes" : "no"));
+    const eventsFile = path15.join(root, ".lbe", "events.jsonl");
+    const auditExists = fs14.existsSync(eventsFile);
+    console.log("audit log:   " + (auditExists ? eventsFile : "(none yet)"));
+    if (auditExists) {
+      try {
+        const lines = fs14.readFileSync(eventsFile, "utf8").split("\n").filter((l) => l.trim());
+        if (lines.length) {
+          const last = JSON.parse(lines[lines.length - 1]);
+          const ts = new Date((last.ts || 0) * 1e3).toISOString().replace("T", " ").slice(0, 19);
+          const target = last.path || last.cmd || "?";
+          console.log("last event:  " + ts + "  " + last.action + "  " + target + "  \u2192 " + (last.decision || "?"));
+        } else {
+          console.log("last event:  (none)");
+        }
+      } catch (_) {
+        console.log("last event:  (unreadable)");
       }
     }
-    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
-    const sessionActive = (process.env.NODE_OPTIONS || "").includes("register.cjs");
-    if (fs14.existsSync(activationFile)) {
+    const statusFile = path15.join(root, ".lbe", "runtime", "hook-status.json");
+    if (fs14.existsSync(statusFile)) {
+      let h;
       try {
-        const act = JSON.parse(fs14.readFileSync(activationFile, "utf8"));
-        console.log("\nactivation:  " + (act.permanent ? "permanent" : "session") + " (" + act.mode + ")" + (sessionActive ? "  NODE_OPTIONS \u2713" : "  restart terminal to apply"));
+        h = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
       } catch (_) {
       }
-    } else if (sessionActive) {
-      console.log("\nactivation:  session active  NODE_OPTIONS \u2713");
+      if (h) {
+        let pidAlive = false;
+        try {
+          process.kill(h.pid, 0);
+          pidAlive = true;
+        } catch (_) {
+        }
+        console.log("\nhook process: " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
+        console.log("hook pid:     " + h.pid + (pidAlive ? " (alive)" : " (gone)"));
+        console.log("hook mode:    " + h.mode);
+        console.log("hook started: " + h.started_at);
+        if (h.patched) {
+          console.log("\nPatched functions:");
+          for (const [fn, active] of Object.entries(h.patched)) {
+            console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+          }
+        }
+      }
     } else {
-      console.log("\nactivation:  none \u2014 run: lbe-exec activate");
+      console.log("\nhook process: inactive \u2014 run: lbe-exec run-node ./agent.js");
+      console.log("              or: lbe-exec activate  then  lbe-exec shell");
     }
-    console.log("\nevents log:  .lbe/events.jsonl");
     break;
   }
   case "audit": {
@@ -2793,12 +2793,12 @@ switch (cmd) {
   case "activate": {
     const hookPath = findHookPath();
     if (!fs14.existsSync(hookPath)) {
-      console.error("Hook not found: " + hookPath + "\nRun: npm install @letterblack/lbe-exec");
+      console.error("Hook not found: " + hookPath);
+      console.error("Run: npm install @letterblack/lbe-exec");
       process.exit(1);
     }
     const mode = opts.mode || "observe";
     const root = process.cwd();
-    const reqFlag = '--require "' + hookPath + '"';
     const lbeDir = path15.join(root, ".lbe");
     fs14.mkdirSync(lbeDir, { recursive: true });
     fs14.writeFileSync(path15.join(lbeDir, "activation.json"), JSON.stringify({
@@ -2806,111 +2806,83 @@ switch (cmd) {
       activatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       hookPath,
       mode,
-      root,
-      permanent: !!opts.permanent
+      root
     }, null, 2) + "\n");
-    if (opts.permanent) {
-      if (process.platform === "win32") {
-        const psRead = spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          '[System.Environment]::GetEnvironmentVariable("NODE_OPTIONS","User")'
-        ], { encoding: "utf8" });
-        const current = (psRead.stdout || "").trim();
-        const merged = current.includes(hookPath) ? current : (current + " " + reqFlag).trim();
-        spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS','${merged}','User');[System.Environment]::SetEnvironmentVariable('LBE_ROOT','${root}','User');[System.Environment]::SetEnvironmentVariable('LBE_MODE','${mode}','User')`
-        ], { stdio: "inherit" });
-        console.log("\n\u2713 LBE permanently activated \u2014 Windows user environment updated.");
-        console.log("  Restart your terminal or IDE to apply.\n");
-        console.log("  Every node / npm / npx process will be governed automatically.");
-      } else {
-        const home = process.env.HOME || "";
-        const rcFiles = [".bashrc", ".zshrc"].map((f) => path15.join(home, f)).filter((f) => fs14.existsSync(f));
-        const block = `
-# LBE Agent Governance
-export NODE_OPTIONS='${reqFlag}'
-export LBE_ROOT="${root}"
-export LBE_MODE="${mode}"
-`;
-        for (const rc of rcFiles) {
-          fs14.appendFileSync(rc, block);
-          console.log("\u2713 Appended to " + rc);
-        }
-        if (!rcFiles.length) console.log("No .bashrc/.zshrc found \u2014 add these manually:\n" + block);
-        console.log("  Run: source ~/.bashrc  (or restart terminal)");
+    console.log("\u2500\u2500 LBE workspace activated \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log("workspace: " + root);
+    console.log("hook:      " + hookPath);
+    console.log("mode:      " + mode);
+    console.log("\nNext: open a governed shell session:");
+    console.log("  lbe-exec shell");
+    console.log("\nAny Node.js agent run inside that shell is intercepted.");
+    console.log("Python, Go, native binaries, and PowerShell are NOT governed.");
+    break;
+  }
+  case "shell": {
+    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
+    let activation = null;
+    if (fs14.existsSync(activationFile)) {
+      try {
+        activation = JSON.parse(fs14.readFileSync(activationFile, "utf8"));
+      } catch (_) {
       }
+    }
+    const hookPath = activation && activation.hookPath || findHookPath();
+    if (!fs14.existsSync(hookPath)) {
+      console.error("Hook not found. Run: lbe-exec activate");
+      process.exit(1);
+    }
+    const mode = opts.mode || activation && activation.mode || "observe";
+    const root = activation && activation.root || process.cwd();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const nodeOpts = '--require "' + hookPathFwd + '"';
+    const shellEnv = { ...process.env, NODE_OPTIONS: nodeOpts, LBE_ROOT: root, LBE_MODE: mode };
+    console.log("[lbe] Opening governed shell \u2014 mode: " + mode);
+    console.log("[lbe] NODE_OPTIONS set. Node.js agents are intercepted.");
+    console.log("[lbe] Python / Go / native binaries are NOT governed.");
+    console.log('[lbe] Type "exit" to close.\n');
+    let shellProc;
+    if (process.platform === "win32") {
+      const banner = [
+        `$env:NODE_OPTIONS='--require "${hookPathFwd}"'`,
+        `$env:LBE_ROOT='${root}'`,
+        `$env:LBE_MODE='${mode}'`,
+        `Write-Host '[lbe] Shell armed \u2014 mode: ${mode}' -ForegroundColor Green`
+      ].join("; ");
+      shellProc = spawn(
+        "powershell.exe",
+        ["-NoExit", "-Command", banner],
+        { stdio: "inherit", env: shellEnv }
+      );
     } else {
-      console.log("\u2500\u2500 LBE Workspace Activation \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-      console.log("workspace: " + root);
-      console.log("hook:      " + hookPath);
-      console.log("mode:      " + mode);
-      console.log("\nCopy and run in your terminal to arm this session:\n");
-      if (process.platform === "win32") {
-        console.log("# PowerShell:");
-        console.log(`$env:NODE_OPTIONS='--require "` + hookPath + `"'`);
-        console.log('$env:LBE_ROOT="' + root + '"');
-        console.log('$env:LBE_MODE="' + mode + '"');
-        console.log("\n# cmd.exe:");
-        console.log('set NODE_OPTIONS=--require "' + hookPath + '"');
-        console.log("set LBE_ROOT=" + root);
-        console.log("set LBE_MODE=" + mode);
-      } else {
-        console.log(`export NODE_OPTIONS='--require "` + hookPath + `"'`);
-        console.log('export LBE_ROOT="' + root + '"');
-        console.log('export LBE_MODE="' + mode + '"');
-      }
-      console.log("\nAfter running: every node / npm / npx command in this session is governed.");
-      console.log("To persist across all terminals:  lbe-exec activate --permanent");
+      const sh = process.env.SHELL || "/bin/bash";
+      shellProc = spawn(sh, [], { stdio: "inherit", env: shellEnv });
     }
+    shellProc.on("close", (code) => {
+      console.log("\n[lbe] Governed shell closed.");
+      process.exit(code ?? 0);
+    });
     break;
   }
   case "deactivate": {
-    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
-    if (fs14.existsSync(activationFile)) fs14.unlinkSync(activationFile);
-    if (opts.permanent) {
-      if (process.platform === "win32") {
-        const hookPath = findHookPath();
-        const psRead = spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          '[System.Environment]::GetEnvironmentVariable("NODE_OPTIONS","User")'
-        ], { encoding: "utf8" });
-        const current = (psRead.stdout || "").trim();
-        const cleaned = current.replace('--require "' + hookPath + '"', "").replace("--require " + hookPath, "").trim();
-        spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          (cleaned ? `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS','${cleaned}','User');` : `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS',$null,'User');`) + `[System.Environment]::SetEnvironmentVariable('LBE_ROOT',$null,'User');[System.Environment]::SetEnvironmentVariable('LBE_MODE',$null,'User')`
-        ], { stdio: "inherit" });
-        console.log("\u2713 LBE deactivated \u2014 user environment cleared. Restart terminal to apply.");
-      } else {
-        console.log("Remove these lines from your shell RC file (.bashrc / .zshrc):");
-        console.log("  export NODE_OPTIONS=... (the --require lbe line)");
-        console.log("  export LBE_ROOT=...");
-        console.log("  export LBE_MODE=...");
+    const root = process.cwd();
+    const files = [
+      path15.join(root, ".lbe", "activation.json"),
+      path15.join(root, ".lbe", "runtime", "hook-status.json")
+    ];
+    let removed = 0;
+    for (const f of files) {
+      if (fs14.existsSync(f)) {
+        fs14.unlinkSync(f);
+        removed++;
       }
+    }
+    if (removed) {
+      console.log("\u2713 LBE deactivated \u2014 workspace activation files removed.");
     } else {
-      console.log("Run these commands to disarm this session:\n");
-      if (process.platform === "win32") {
-        console.log("# PowerShell:");
-        console.log("Remove-Item Env:NODE_OPTIONS -ErrorAction SilentlyContinue");
-        console.log("Remove-Item Env:LBE_ROOT    -ErrorAction SilentlyContinue");
-        console.log("Remove-Item Env:LBE_MODE    -ErrorAction SilentlyContinue");
-        console.log("\n# cmd.exe:");
-        console.log("set NODE_OPTIONS=");
-        console.log("set LBE_ROOT=");
-        console.log("set LBE_MODE=");
-      } else {
-        console.log("unset NODE_OPTIONS LBE_ROOT LBE_MODE");
-      }
+      console.log("Nothing to deactivate (workspace was not activated).");
     }
+    console.log('Close any open "lbe-exec shell" sessions to fully disarm.');
     break;
   }
   case "observe":
@@ -2964,10 +2936,11 @@ export LBE_MODE="${mode}"
     console.log("  status              Show workspace, mode, hook state, patched functions");
     console.log("  audit               Show unified event log (.lbe/events.jsonl)");
     console.log("  policy              List active policy rules");
-    console.log("  activate            Arm workspace \u2014 every node/npm/npx is governed");
-    console.log("    [--mode observe|enforce] [--permanent]");
-    console.log("  deactivate          Disarm workspace");
-    console.log("    [--permanent]");
+    console.log("  activate            Write workspace activation record (Node.js only)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  shell               Open a governed terminal (NODE_OPTIONS pre-set)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  deactivate          Remove workspace activation files");
     console.log("  observe             Switch to observer mode (log only, nothing blocked)");
     console.log("  enforce             Switch to enforcement mode (violations blocked)");
     console.log("  execute             Send a JSON request from stdin or --input file");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@letterblack/lbe-exec",
-  "version": "1.2.15",
+  "version": "1.2.16",
   "description": "Local host-signed execution layer for LetterBlack LBE.",
   "type": "module",
   "main": "dist/index.js",