npm - @letterblack/lbe-exec - Versions diffs - 1.2.15 → 1.2.17 - Mend

@letterblack/lbe-exec 1.2.15 → 1.2.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -404,7 +404,7 @@ var init_localPolicy = __esm({
   "src/core/localPolicy.js"() {
     init_auditLog();
     init_atomicWrite();
-    POLICY_FILE = "lbe.policy.json";
+    POLICY_FILE = ".lbe/policy.json";
     AUDIT_FILE = ".lbe/audit.jsonl";
   }
 });
@@ -2363,12 +2363,8 @@ This project has LetterBlack LBE (Local-first execution Governance) active.
 ## Your role as an agent
-You do not have direct access to the file system or shell in this workspace.
-Every file write, file read, file delete, and shell command must go through the
-LBE executor. The executor validates every action against the project policy,
-signs it, audits it, and either allows or blocks it \u2014 transparently.
-You do not need to know how this works. You only need to use the right methods.
+Every file write, delete, and shell command must go through the LBE executor.
+The executor validates each action against the project policy and audits it.
 ## How to perform actions
@@ -2376,143 +2372,83 @@ You do not need to know how this works. You only need to use the right methods.
 import { createLocalExecutor } from '@letterblack/lbe-exec';
 const lbe = createLocalExecutor({ rootDir: process.cwd() });
-// File operations
 await lbe.writeFile('output/report.md', content);
 await lbe.readFile('src/config.json');
 await lbe.patchFile('src/index.js', patch);
 await lbe.deleteFile('tmp/scratch.txt');
-// Shell (only explicitly allowlisted commands run)
 await lbe.runShell('node', ['scripts/build.js']);
 \`\`\`
 ## What you must never do
-- Call file system APIs directly (fs.writeFile, fs.readFile, etc.)
-- Call child_process or exec directly
-- Modify \`lbe.policy.json\` directly \u2014 propose a rule via \`lbe.policy.proposeRule()\`
-- Attempt to bypass, patch, or disable the executor
-## Proposing a new policy rule
+- Call fs.* or child_process.* directly
+- Modify \`.lbe/policy.json\` directly \u2014 propose a rule via \`lbe.policy.proposeRule()\`
+- Attempt to bypass or disable the executor
-If you believe a rule should be added or removed, propose it and let the
-controller decide:
+## Proposing a policy rule
 \`\`\`js
 const proposal = lbe.policy.proposeRule({
-  effect: 'deny',
-  type: 'path',
-  pattern: 'secrets/**',
+  effect: 'deny', type: 'path', pattern: 'secrets/**',
   from: 'agent: these files should never be modified'
 });
-// Return proposal to the user. Never call lbe.policy.addRule() yourself.
+// Return proposal to the user \u2014 never call lbe.policy.addRule() yourself.
 \`\`\`
 ## Result shape
-Every method returns:
-\`\`\`
-{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }
-\`\`\`
-If \`ok\` is false, the action was blocked. Check \`result.error.message\` for reason.
-## Current policy
-See \`lbe.policy.json\` in the project root.
-See \`.lbe/audit.jsonl\` for the execution audit trail.
-## CLI
-\`\`\`bash
-npx lbe-exec status    # mode, rule count, audit entry count
-npx lbe-exec policy    # list active rules
-npx lbe-exec observe   # switch to observer mode
-npx lbe-exec enforce   # switch to enforcement mode
-\`\`\`
-`;
-}
-function claudeMdSection() {
-  return `<!-- lbe-governance -->
-## LBE Execution Governance
-This project has LetterBlack LBE active. All file and shell operations must
-route through the LBE executor \u2014 do not use file system tools directly.
-### Use these methods
-\`\`\`js
-import { createLocalExecutor } from '@letterblack/lbe-exec';
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-await lbe.writeFile('path/to/file', content);
-await lbe.readFile('path/to/file');
-await lbe.patchFile('path/to/file', patch);
-await lbe.deleteFile('path/to/file');
-await lbe.runShell('node', ['script.js']);
-\`\`\`
-### Rules
-- Never call \`fs.*\` or \`child_process.*\` directly
-- Never write to \`lbe.policy.json\` directly \u2014 use \`lbe.policy.proposeRule()\`
-- Every blocked action has a reason in \`result.error.message\`
-- Audit trail is in \`.lbe/audit.jsonl\`
+\`{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }\`
-See \`.lbe/AGENT_CONTRACT.md\` for the full agent contract.
-<!-- /lbe-governance -->`;
-}
-function copilotInstructionsContent() {
-  return `# LBE Governance \u2014 Copilot Instructions
-This project has LetterBlack LBE active. All file and shell operations must
-route through the LBE executor.
-## Required
-Use \`@letterblack/lbe-exec\` for all file and shell actions:
-\`\`\`js
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-await lbe.writeFile(path, content);
-await lbe.readFile(path);
-await lbe.runShell(cmd, args);
-\`\`\`
-## Forbidden
+## Files
-- Direct \`fs.*\` calls
-- Direct \`child_process.*\` or \`exec\` calls
-- Writing to \`lbe.policy.json\` directly
-See \`.lbe/AGENT_CONTRACT.md\` for the full contract.
+- Policy: \`.lbe/policy.json\`
+- Audit:  \`.lbe/audit.jsonl\`
+- Status: \`npx lbe-exec status\`
 `;
 }
-function writeAgentGovernanceFiles(cwd) {
+function writeAgentContract(cwd) {
   const lbeDir = path4.join(cwd, ".lbe");
   fs4.mkdirSync(lbeDir, { recursive: true });
   fs4.writeFileSync(path4.join(lbeDir, "AGENT_CONTRACT.md"), agentContractContent());
-  const claudePath = path4.join(cwd, "CLAUDE.md");
-  const section = claudeMdSection();
-  if (fs4.existsSync(claudePath)) {
-    const existing = fs4.readFileSync(claudePath, "utf8");
-    if (!existing.includes("<!-- lbe-governance -->")) {
-      fs4.appendFileSync(claudePath, "\n\n" + section + "\n");
+}
+function migrateLegacyRootFiles(cwd) {
+  const lbeDir = path4.join(cwd, ".lbe");
+  fs4.mkdirSync(lbeDir, { recursive: true });
+  const migrations = [
+    ["lbe.policy.json", ".lbe/policy.json"],
+    ["lbe.workspace.json", ".lbe/workspace.json"]
+  ];
+  const removed = [];
+  for (const [src, dest] of migrations) {
+    const srcPath = path4.join(cwd, src);
+    const destPath = path4.join(cwd, dest);
+    if (fs4.existsSync(srcPath) && !fs4.existsSync(destPath)) {
+      fs4.renameSync(srcPath, destPath);
+      removed.push(src + " \u2192 " + dest);
+    } else if (fs4.existsSync(srcPath)) {
+      fs4.unlinkSync(srcPath);
+      removed.push(src + " (removed \u2014 .lbe/ version exists)");
+    }
+  }
+  const toDelete = ["CLAUDE.md", path4.join(".github", "copilot-instructions.md")];
+  for (const rel of toDelete) {
+    const p = path4.join(cwd, rel);
+    if (fs4.existsSync(p)) {
+      const content = fs4.readFileSync(p, "utf8");
+      if (content.includes("lbe-governance") || content.includes("LetterBlack LBE")) {
+        fs4.unlinkSync(p);
+        removed.push(rel + " (removed \u2014 LBE-generated file)");
+      }
     }
-  } else {
-    fs4.writeFileSync(claudePath, section + "\n");
-  }
-  const githubDir = path4.join(cwd, ".github");
-  fs4.mkdirSync(githubDir, { recursive: true });
-  const copilotPath = path4.join(githubDir, "copilot-instructions.md");
-  if (!fs4.existsSync(copilotPath)) {
-    fs4.writeFileSync(copilotPath, copilotInstructionsContent());
   }
+  return removed;
 }
 async function initCommand(opts2 = {}) {
   const cwd = process.cwd();
   const yes = opts2.yes || opts2.y || !process.stdin.isTTY;
-  const outPath = path4.join(cwd, "lbe.workspace.json");
+  const lbeDir = path4.join(cwd, ".lbe");
+  fs4.mkdirSync(lbeDir, { recursive: true });
+  const outPath = path4.join(lbeDir, "workspace.json");
   console.log("\nScanning workspace...\n");
   const { projectTypes, primaryType: primaryType2, semantics, enforcement } = scanWorkspace(cwd);
   console.log(formatSummary(projectTypes, semantics, enforcement));
@@ -2537,21 +2473,24 @@ async function initCommand(opts2 = {}) {
     enforcement: finalEnforcement
   };
   fs4.writeFileSync(outPath, JSON.stringify(contract, null, 2));
-  console.log("\u2713 Wrote lbe.workspace.json");
+  console.log("\u2713 Wrote .lbe/workspace.json");
   setupCrypto(cwd);
-  const localPolicyPath = path4.join(cwd, "lbe.policy.json");
+  const localPolicyPath = path4.join(lbeDir, "policy.json");
   if (!fs4.existsSync(localPolicyPath)) {
     fs4.writeFileSync(localPolicyPath, JSON.stringify({ version: 1, mode: "observe", workspace: cwd, rules: [] }, null, 2) + "\n");
   }
-  const localAuditPath = path4.join(cwd, ".lbe", "audit.jsonl");
+  const localAuditPath = path4.join(lbeDir, "audit.jsonl");
   if (!fs4.existsSync(localAuditPath)) fs4.writeFileSync(localAuditPath, "");
-  console.log("\u2713 Keys and policy ready");
-  writeAgentGovernanceFiles(cwd);
+  console.log("\u2713 Keys and policy ready  (.lbe/)");
+  writeAgentContract(cwd);
   console.log("\u2713 Agent contract written  \u2192  .lbe/AGENT_CONTRACT.md");
-  console.log("\u2713 CLAUDE.md updated with LBE governance section");
-  console.log("\u2713 .github/copilot-instructions.md ready\n");
-  console.log("Done. Any AI agent that reads project context will follow LBE governance automatically.");
-  console.log("Run  npx lbe status  to see mode, rules, and audit entry count.\n");
+  const migrated = migrateLegacyRootFiles(cwd);
+  if (migrated.length) {
+    console.log("\n\u2713 Migrated legacy files:");
+    for (const m of migrated) console.log("  " + m);
+  }
+  console.log("\nDone. All LBE state is in .lbe/");
+  console.log("Run  npx lbe-exec status  to verify.\n");
   return { success: true, contract };
 }
@@ -2571,14 +2510,10 @@ var opts = Object.fromEntries(
 var positional = rest.filter((v) => !v.startsWith("--") && rest[rest.indexOf(v) - 1]?.startsWith("--") === false);
 var __dir = path15.dirname(fileURLToPath2(import.meta.url));
 function loadPolicy() {
-  const p = path15.join(process.cwd(), "lbe.policy.json");
+  const cwd = process.cwd();
+  const p = fs14.existsSync(path15.join(cwd, ".lbe", "policy.json")) ? path15.join(cwd, ".lbe", "policy.json") : path15.join(cwd, "lbe.policy.json");
   return fs14.existsSync(p) ? JSON.parse(fs14.readFileSync(p, "utf8")) : null;
 }
-function countAudit() {
-  const p = path15.join(process.cwd(), ".lbe", "audit.jsonl");
-  if (!fs14.existsSync(p)) return 0;
-  return fs14.readFileSync(p, "utf8").split("\n").filter((l) => l.trim()).length;
-}
 function findHookPath() {
   const candidates = [
     path15.resolve(__dir, "../hooks/register.cjs"),
@@ -2684,8 +2619,9 @@ switch (cmd) {
       process.exit(1);
     }
     const existing = process.env.NODE_OPTIONS || "";
-    const hookFlag = "--require " + hookPath;
-    const nodeOptions = existing.includes(hookFlag) ? existing : (existing + " " + hookFlag).trim();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const hookFlag = '--require "' + hookPathFwd + '"';
+    const nodeOptions = existing.includes(hookPathFwd) ? existing : (existing + " " + hookFlag).trim();
     const npmArgs = rest.filter((v) => !v.startsWith("--mode") && v !== opts.mode);
     const child = spawn("npm", npmArgs, {
       stdio: "inherit",
@@ -2696,59 +2632,63 @@ switch (cmd) {
     break;
   }
   case "status": {
-    const policy = loadPolicy();
+    const root = process.cwd();
     console.log("\u2500\u2500 LBE Status \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-    console.log("workspace:   " + process.cwd());
-    if (policy) {
-      console.log("mode:        " + policy.mode);
-      console.log("rules:       " + (policy.rules?.length ?? 0));
-      console.log("audit:       " + countAudit() + " entries  (.lbe/audit.jsonl)");
-    } else {
-      console.log("policy:      not found \u2014 run: npx lbe-exec init");
-    }
-    const statusFile = path15.join(process.cwd(), ".lbe", "runtime", "hook-status.json");
-    if (!fs14.existsSync(statusFile)) {
-      console.log("\nhook:        inactive \u2014 use: npx lbe-exec run-node ./agent.js");
-      break;
-    }
-    let hookStatus;
-    try {
-      hookStatus = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
-    } catch (e) {
-      console.log("\nhook:        status file unreadable \u2014 " + e.message);
-      break;
-    }
-    let pidAlive = false;
-    try {
-      process.kill(hookStatus.pid, 0);
-      pidAlive = true;
-    } catch (_) {
-    }
-    console.log("\nhook:        " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
-    console.log("hook pid:    " + hookStatus.pid + (pidAlive ? " (alive)" : " (gone)"));
-    console.log("hook mode:   " + hookStatus.mode);
-    console.log("hook root:   " + hookStatus.root);
-    console.log("hook start:  " + hookStatus.started_at);
-    if (hookStatus.patched) {
-      console.log("\nPatched functions:");
-      for (const [fn, active] of Object.entries(hookStatus.patched)) {
-        console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+    console.log("workspace:   " + root);
+    const hookPath = findHookPath();
+    console.log("hook file:   " + hookPath + (fs14.existsSync(hookPath) ? " (found)" : " (MISSING)"));
+    const lbeRoot = process.env.LBE_ROOT || "";
+    console.log("LBE_ROOT:    " + (lbeRoot || "(not set)"));
+    const nodeOpts = process.env.NODE_OPTIONS || "";
+    const hookInPath = nodeOpts.includes("register.cjs");
+    console.log("NODE_OPTIONS contains hook: " + (hookInPath ? "yes" : "no"));
+    const eventsFile = path15.join(root, ".lbe", "events.jsonl");
+    const auditExists = fs14.existsSync(eventsFile);
+    console.log("audit log:   " + (auditExists ? eventsFile : "(none yet)"));
+    if (auditExists) {
+      try {
+        const lines = fs14.readFileSync(eventsFile, "utf8").split("\n").filter((l) => l.trim());
+        if (lines.length) {
+          const last = JSON.parse(lines[lines.length - 1]);
+          const ts = new Date((last.ts || 0) * 1e3).toISOString().replace("T", " ").slice(0, 19);
+          const target = last.path || last.cmd || "?";
+          console.log("last event:  " + ts + "  " + last.action + "  " + target + "  \u2192 " + (last.decision || "?"));
+        } else {
+          console.log("last event:  (none)");
+        }
+      } catch (_) {
+        console.log("last event:  (unreadable)");
       }
     }
-    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
-    const sessionActive = (process.env.NODE_OPTIONS || "").includes("register.cjs");
-    if (fs14.existsSync(activationFile)) {
+    const statusFile = path15.join(root, ".lbe", "runtime", "hook-status.json");
+    if (fs14.existsSync(statusFile)) {
+      let h;
       try {
-        const act = JSON.parse(fs14.readFileSync(activationFile, "utf8"));
-        console.log("\nactivation:  " + (act.permanent ? "permanent" : "session") + " (" + act.mode + ")" + (sessionActive ? "  NODE_OPTIONS \u2713" : "  restart terminal to apply"));
+        h = JSON.parse(fs14.readFileSync(statusFile, "utf8"));
       } catch (_) {
       }
-    } else if (sessionActive) {
-      console.log("\nactivation:  session active  NODE_OPTIONS \u2713");
+      if (h) {
+        let pidAlive = false;
+        try {
+          process.kill(h.pid, 0);
+          pidAlive = true;
+        } catch (_) {
+        }
+        console.log("\nhook process: " + (pidAlive ? "ACTIVE" : "stale (process exited)"));
+        console.log("hook pid:     " + h.pid + (pidAlive ? " (alive)" : " (gone)"));
+        console.log("hook mode:    " + h.mode);
+        console.log("hook started: " + h.started_at);
+        if (h.patched) {
+          console.log("\nPatched functions:");
+          for (const [fn, active] of Object.entries(h.patched)) {
+            console.log("  " + (active ? "\u2713" : "\u2013") + " " + fn);
+          }
+        }
+      }
     } else {
-      console.log("\nactivation:  none \u2014 run: lbe-exec activate");
+      console.log("\nhook process: inactive \u2014 run: lbe-exec run-node ./agent.js");
+      console.log("              or: lbe-exec activate  then  lbe-exec shell");
     }
-    console.log("\nevents log:  .lbe/events.jsonl");
     break;
   }
   case "audit": {
@@ -2793,12 +2733,12 @@ switch (cmd) {
   case "activate": {
     const hookPath = findHookPath();
     if (!fs14.existsSync(hookPath)) {
-      console.error("Hook not found: " + hookPath + "\nRun: npm install @letterblack/lbe-exec");
+      console.error("Hook not found: " + hookPath);
+      console.error("Run: npm install @letterblack/lbe-exec");
       process.exit(1);
     }
     const mode = opts.mode || "observe";
     const root = process.cwd();
-    const reqFlag = '--require "' + hookPath + '"';
     const lbeDir = path15.join(root, ".lbe");
     fs14.mkdirSync(lbeDir, { recursive: true });
     fs14.writeFileSync(path15.join(lbeDir, "activation.json"), JSON.stringify({
@@ -2806,111 +2746,83 @@ switch (cmd) {
       activatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       hookPath,
       mode,
-      root,
-      permanent: !!opts.permanent
+      root
     }, null, 2) + "\n");
-    if (opts.permanent) {
-      if (process.platform === "win32") {
-        const psRead = spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          '[System.Environment]::GetEnvironmentVariable("NODE_OPTIONS","User")'
-        ], { encoding: "utf8" });
-        const current = (psRead.stdout || "").trim();
-        const merged = current.includes(hookPath) ? current : (current + " " + reqFlag).trim();
-        spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS','${merged}','User');[System.Environment]::SetEnvironmentVariable('LBE_ROOT','${root}','User');[System.Environment]::SetEnvironmentVariable('LBE_MODE','${mode}','User')`
-        ], { stdio: "inherit" });
-        console.log("\n\u2713 LBE permanently activated \u2014 Windows user environment updated.");
-        console.log("  Restart your terminal or IDE to apply.\n");
-        console.log("  Every node / npm / npx process will be governed automatically.");
-      } else {
-        const home = process.env.HOME || "";
-        const rcFiles = [".bashrc", ".zshrc"].map((f) => path15.join(home, f)).filter((f) => fs14.existsSync(f));
-        const block = `
-# LBE Agent Governance
-export NODE_OPTIONS='${reqFlag}'
-export LBE_ROOT="${root}"
-export LBE_MODE="${mode}"
-`;
-        for (const rc of rcFiles) {
-          fs14.appendFileSync(rc, block);
-          console.log("\u2713 Appended to " + rc);
-        }
-        if (!rcFiles.length) console.log("No .bashrc/.zshrc found \u2014 add these manually:\n" + block);
-        console.log("  Run: source ~/.bashrc  (or restart terminal)");
+    console.log("\u2500\u2500 LBE workspace activated \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log("workspace: " + root);
+    console.log("hook:      " + hookPath);
+    console.log("mode:      " + mode);
+    console.log("\nNext: open a governed shell session:");
+    console.log("  lbe-exec shell");
+    console.log("\nAny Node.js agent run inside that shell is intercepted.");
+    console.log("Python, Go, native binaries, and PowerShell are NOT governed.");
+    break;
+  }
+  case "shell": {
+    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
+    let activation = null;
+    if (fs14.existsSync(activationFile)) {
+      try {
+        activation = JSON.parse(fs14.readFileSync(activationFile, "utf8"));
+      } catch (_) {
       }
+    }
+    const hookPath = activation && activation.hookPath || findHookPath();
+    if (!fs14.existsSync(hookPath)) {
+      console.error("Hook not found. Run: lbe-exec activate");
+      process.exit(1);
+    }
+    const mode = opts.mode || activation && activation.mode || "observe";
+    const root = activation && activation.root || process.cwd();
+    const hookPathFwd = hookPath.replace(/\\/g, "/");
+    const nodeOpts = '--require "' + hookPathFwd + '"';
+    const shellEnv = { ...process.env, NODE_OPTIONS: nodeOpts, LBE_ROOT: root, LBE_MODE: mode };
+    console.log("[lbe] Opening governed shell \u2014 mode: " + mode);
+    console.log("[lbe] NODE_OPTIONS set. Node.js agents are intercepted.");
+    console.log("[lbe] Python / Go / native binaries are NOT governed.");
+    console.log('[lbe] Type "exit" to close.\n');
+    let shellProc;
+    if (process.platform === "win32") {
+      const banner = [
+        `$env:NODE_OPTIONS='--require "${hookPathFwd}"'`,
+        `$env:LBE_ROOT='${root}'`,
+        `$env:LBE_MODE='${mode}'`,
+        `Write-Host '[lbe] Shell armed \u2014 mode: ${mode}' -ForegroundColor Green`
+      ].join("; ");
+      shellProc = spawn(
+        "powershell.exe",
+        ["-NoExit", "-Command", banner],
+        { stdio: "inherit", env: shellEnv }
+      );
     } else {
-      console.log("\u2500\u2500 LBE Workspace Activation \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-      console.log("workspace: " + root);
-      console.log("hook:      " + hookPath);
-      console.log("mode:      " + mode);
-      console.log("\nCopy and run in your terminal to arm this session:\n");
-      if (process.platform === "win32") {
-        console.log("# PowerShell:");
-        console.log(`$env:NODE_OPTIONS='--require "` + hookPath + `"'`);
-        console.log('$env:LBE_ROOT="' + root + '"');
-        console.log('$env:LBE_MODE="' + mode + '"');
-        console.log("\n# cmd.exe:");
-        console.log('set NODE_OPTIONS=--require "' + hookPath + '"');
-        console.log("set LBE_ROOT=" + root);
-        console.log("set LBE_MODE=" + mode);
-      } else {
-        console.log(`export NODE_OPTIONS='--require "` + hookPath + `"'`);
-        console.log('export LBE_ROOT="' + root + '"');
-        console.log('export LBE_MODE="' + mode + '"');
-      }
-      console.log("\nAfter running: every node / npm / npx command in this session is governed.");
-      console.log("To persist across all terminals:  lbe-exec activate --permanent");
+      const sh = process.env.SHELL || "/bin/bash";
+      shellProc = spawn(sh, [], { stdio: "inherit", env: shellEnv });
     }
+    shellProc.on("close", (code) => {
+      console.log("\n[lbe] Governed shell closed.");
+      process.exit(code ?? 0);
+    });
     break;
   }
   case "deactivate": {
-    const activationFile = path15.join(process.cwd(), ".lbe", "activation.json");
-    if (fs14.existsSync(activationFile)) fs14.unlinkSync(activationFile);
-    if (opts.permanent) {
-      if (process.platform === "win32") {
-        const hookPath = findHookPath();
-        const psRead = spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          '[System.Environment]::GetEnvironmentVariable("NODE_OPTIONS","User")'
-        ], { encoding: "utf8" });
-        const current = (psRead.stdout || "").trim();
-        const cleaned = current.replace('--require "' + hookPath + '"', "").replace("--require " + hookPath, "").trim();
-        spawnSync2("powershell.exe", [
-          "-NoProfile",
-          "-NonInteractive",
-          "-Command",
-          (cleaned ? `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS','${cleaned}','User');` : `[System.Environment]::SetEnvironmentVariable('NODE_OPTIONS',$null,'User');`) + `[System.Environment]::SetEnvironmentVariable('LBE_ROOT',$null,'User');[System.Environment]::SetEnvironmentVariable('LBE_MODE',$null,'User')`
-        ], { stdio: "inherit" });
-        console.log("\u2713 LBE deactivated \u2014 user environment cleared. Restart terminal to apply.");
-      } else {
-        console.log("Remove these lines from your shell RC file (.bashrc / .zshrc):");
-        console.log("  export NODE_OPTIONS=... (the --require lbe line)");
-        console.log("  export LBE_ROOT=...");
-        console.log("  export LBE_MODE=...");
+    const root = process.cwd();
+    const files = [
+      path15.join(root, ".lbe", "activation.json"),
+      path15.join(root, ".lbe", "runtime", "hook-status.json")
+    ];
+    let removed = 0;
+    for (const f of files) {
+      if (fs14.existsSync(f)) {
+        fs14.unlinkSync(f);
+        removed++;
       }
+    }
+    if (removed) {
+      console.log("\u2713 LBE deactivated \u2014 workspace activation files removed.");
     } else {
-      console.log("Run these commands to disarm this session:\n");
-      if (process.platform === "win32") {
-        console.log("# PowerShell:");
-        console.log("Remove-Item Env:NODE_OPTIONS -ErrorAction SilentlyContinue");
-        console.log("Remove-Item Env:LBE_ROOT    -ErrorAction SilentlyContinue");
-        console.log("Remove-Item Env:LBE_MODE    -ErrorAction SilentlyContinue");
-        console.log("\n# cmd.exe:");
-        console.log("set NODE_OPTIONS=");
-        console.log("set LBE_ROOT=");
-        console.log("set LBE_MODE=");
-      } else {
-        console.log("unset NODE_OPTIONS LBE_ROOT LBE_MODE");
-      }
+      console.log("Nothing to deactivate (workspace was not activated).");
     }
+    console.log('Close any open "lbe-exec shell" sessions to fully disarm.');
     break;
   }
   case "observe":
@@ -2923,7 +2835,7 @@ export LBE_MODE="${mode}"
   case "policy": {
     const policy = loadPolicy();
     if (!policy) {
-      console.log("No lbe.policy.json found. Run: npx lbe-exec init");
+      console.log("No policy found. Run: npx lbe-exec init");
       break;
     }
     if (!policy.rules?.length) {
@@ -2964,10 +2876,11 @@ export LBE_MODE="${mode}"
     console.log("  status              Show workspace, mode, hook state, patched functions");
     console.log("  audit               Show unified event log (.lbe/events.jsonl)");
     console.log("  policy              List active policy rules");
-    console.log("  activate            Arm workspace \u2014 every node/npm/npx is governed");
-    console.log("    [--mode observe|enforce] [--permanent]");
-    console.log("  deactivate          Disarm workspace");
-    console.log("    [--permanent]");
+    console.log("  activate            Write workspace activation record (Node.js only)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  shell               Open a governed terminal (NODE_OPTIONS pre-set)");
+    console.log("    [--mode observe|enforce]");
+    console.log("  deactivate          Remove workspace activation files");
     console.log("  observe             Switch to observer mode (log only, nothing blocked)");
     console.log("  enforce             Switch to enforcement mode (violations blocked)");
     console.log("  execute             Send a JSON request from stdin or --input file");

package/dist/index.js CHANGED Viewed

@@ -1490,7 +1490,7 @@ function verifyAuditLogIntegrity(logPath, options = {}) {
 import fs8 from "fs";
 import path9 from "path";
 import crypto4 from "crypto";
-var POLICY_FILE = "lbe.policy.json";
+var POLICY_FILE = ".lbe/policy.json";
 var AUDIT_FILE = ".lbe/audit.jsonl";
 function glob(pattern) {
   const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");

package/hooks/register.cjs CHANGED Viewed

@@ -14,7 +14,10 @@ const MODE = process.env.LBE_MODE || 'observe';
 // ── Policy loader (inline CJS — ESM cannot be require()'d synchronously) ────
 function loadPolicy() {
-    const policyPath = path.join(ROOT_DIR, 'lbe.policy.json');
+    // .lbe/policy.json is canonical. Fall back to legacy lbe.policy.json in root.
+    const policyPath = fs.existsSync(path.join(ROOT_DIR, '.lbe', 'policy.json'))
+        ? path.join(ROOT_DIR, '.lbe', 'policy.json')
+        : path.join(ROOT_DIR, 'lbe.policy.json');
     try {
         if (fs.existsSync(policyPath)) {
             return JSON.parse(fs.readFileSync(policyPath, 'utf8'));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@letterblack/lbe-exec",
-  "version": "1.2.15",
+  "version": "1.2.17",
   "description": "Local host-signed execution layer for LetterBlack LBE.",
   "type": "module",
   "main": "dist/index.js",