@letterblack/lbe-exec 1.2.16 → 1.2.17

package/dist/cli.js

@@ -404,7 +404,7 @@ var init_localPolicy = __esm({
   "src/core/localPolicy.js"() {
     init_auditLog();
     init_atomicWrite();
-    POLICY_FILE = "lbe.policy.json";
+    POLICY_FILE = ".lbe/policy.json";
     AUDIT_FILE = ".lbe/audit.jsonl";
   }
 });
@@ -2363,12 +2363,8 @@ This project has LetterBlack LBE (Local-first execution Governance) active.
 
 ## Your role as an agent
 
-You do not have direct access to the file system or shell in this workspace.
-Every file write, file read, file delete, and shell command must go through the
-LBE executor. The executor validates every action against the project policy,
-signs it, audits it, and either allows or blocks it \u2014 transparently.
-
-You do not need to know how this works. You only need to use the right methods.
+Every file write, delete, and shell command must go through the LBE executor.
+The executor validates each action against the project policy and audits it.
 
 ## How to perform actions
 
@@ -2376,143 +2372,83 @@ You do not need to know how this works. You only need to use the right methods.
 import { createLocalExecutor } from '@letterblack/lbe-exec';
 const lbe = createLocalExecutor({ rootDir: process.cwd() });
 
-// File operations
 await lbe.writeFile('output/report.md', content);
 await lbe.readFile('src/config.json');
 await lbe.patchFile('src/index.js', patch);
 await lbe.deleteFile('tmp/scratch.txt');
-
-// Shell (only explicitly allowlisted commands run)
 await lbe.runShell('node', ['scripts/build.js']);
 \`\`\`
 
 ## What you must never do
 
-- Call file system APIs directly (fs.writeFile, fs.readFile, etc.)
-- Call child_process or exec directly
-- Modify \`lbe.policy.json\` directly \u2014 propose a rule via \`lbe.policy.proposeRule()\`
-- Attempt to bypass, patch, or disable the executor
-
-## Proposing a new policy rule
+- Call fs.* or child_process.* directly
+- Modify \`.lbe/policy.json\` directly \u2014 propose a rule via \`lbe.policy.proposeRule()\`
+- Attempt to bypass or disable the executor
 
-If you believe a rule should be added or removed, propose it and let the
-controller decide:
+## Proposing a policy rule
 
 \`\`\`js
 const proposal = lbe.policy.proposeRule({
-  effect: 'deny',
-  type: 'path',
-  pattern: 'secrets/**',
+  effect: 'deny', type: 'path', pattern: 'secrets/**',
   from: 'agent: these files should never be modified'
 });
-// Return proposal to the user. Never call lbe.policy.addRule() yourself.
+// Return proposal to the user \u2014 never call lbe.policy.addRule() yourself.
 \`\`\`
 
 ## Result shape
 
-Every method returns:
-\`\`\`
-{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }
-\`\`\`
-
-If \`ok\` is false, the action was blocked. Check \`result.error.message\` for reason.
+\`{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }\`
 
-## Current policy
+## Files
 
-See \`lbe.policy.json\` in the project root.
-See \`.lbe/audit.jsonl\` for the execution audit trail.
-
-## CLI
-
-\`\`\`bash
-npx lbe-exec status    # mode, rule count, audit entry count
-npx lbe-exec policy    # list active rules
-npx lbe-exec observe   # switch to observer mode
-npx lbe-exec enforce   # switch to enforcement mode
-\`\`\`
+- Policy: \`.lbe/policy.json\`
+- Audit:  \`.lbe/audit.jsonl\`
+- Status: \`npx lbe-exec status\`
 `;
 }
-function claudeMdSection() {
-  return `<!-- lbe-governance -->
-## LBE Execution Governance
-
-This project has LetterBlack LBE active. All file and shell operations must
-route through the LBE executor \u2014 do not use file system tools directly.
-
-### Use these methods
-
-\`\`\`js
-import { createLocalExecutor } from '@letterblack/lbe-exec';
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-
-await lbe.writeFile('path/to/file', content);
-await lbe.readFile('path/to/file');
-await lbe.patchFile('path/to/file', patch);
-await lbe.deleteFile('path/to/file');
-await lbe.runShell('node', ['script.js']);
-\`\`\`
-
-### Rules
-
-- Never call \`fs.*\` or \`child_process.*\` directly
-- Never write to \`lbe.policy.json\` directly \u2014 use \`lbe.policy.proposeRule()\`
-- Every blocked action has a reason in \`result.error.message\`
-- Audit trail is in \`.lbe/audit.jsonl\`
-
-See \`.lbe/AGENT_CONTRACT.md\` for the full agent contract.
-<!-- /lbe-governance -->`;
-}
-function copilotInstructionsContent() {
-  return `# LBE Governance \u2014 Copilot Instructions
-
-This project has LetterBlack LBE active. All file and shell operations must
-route through the LBE executor.
-
-## Required
-
-Use \`@letterblack/lbe-exec\` for all file and shell actions:
-
-\`\`\`js
-const lbe = createLocalExecutor({ rootDir: process.cwd() });
-await lbe.writeFile(path, content);
-await lbe.readFile(path);
-await lbe.runShell(cmd, args);
-\`\`\`
-
-## Forbidden
-
-- Direct \`fs.*\` calls
-- Direct \`child_process.*\` or \`exec\` calls
-- Writing to \`lbe.policy.json\` directly
-
-See \`.lbe/AGENT_CONTRACT.md\` for the full contract.
-`;
-}
-function writeAgentGovernanceFiles(cwd) {
+function writeAgentContract(cwd) {
   const lbeDir = path4.join(cwd, ".lbe");
   fs4.mkdirSync(lbeDir, { recursive: true });
   fs4.writeFileSync(path4.join(lbeDir, "AGENT_CONTRACT.md"), agentContractContent());
-  const claudePath = path4.join(cwd, "CLAUDE.md");
-  const section = claudeMdSection();
-  if (fs4.existsSync(claudePath)) {
-    const existing = fs4.readFileSync(claudePath, "utf8");
-    if (!existing.includes("<!-- lbe-governance -->")) {
-      fs4.appendFileSync(claudePath, "\n\n" + section + "\n");
+}
+function migrateLegacyRootFiles(cwd) {
+  const lbeDir = path4.join(cwd, ".lbe");
+  fs4.mkdirSync(lbeDir, { recursive: true });
+  const migrations = [
+    ["lbe.policy.json", ".lbe/policy.json"],
+    ["lbe.workspace.json", ".lbe/workspace.json"]
+  ];
+  const removed = [];
+  for (const [src, dest] of migrations) {
+    const srcPath = path4.join(cwd, src);
+    const destPath = path4.join(cwd, dest);
+    if (fs4.existsSync(srcPath) && !fs4.existsSync(destPath)) {
+      fs4.renameSync(srcPath, destPath);
+      removed.push(src + " \u2192 " + dest);
+    } else if (fs4.existsSync(srcPath)) {
+      fs4.unlinkSync(srcPath);
+      removed.push(src + " (removed \u2014 .lbe/ version exists)");
+    }
+  }
+  const toDelete = ["CLAUDE.md", path4.join(".github", "copilot-instructions.md")];
+  for (const rel of toDelete) {
+    const p = path4.join(cwd, rel);
+    if (fs4.existsSync(p)) {
+      const content = fs4.readFileSync(p, "utf8");
+      if (content.includes("lbe-governance") || content.includes("LetterBlack LBE")) {
+        fs4.unlinkSync(p);
+        removed.push(rel + " (removed \u2014 LBE-generated file)");
+      }
     }
-  } else {
-    fs4.writeFileSync(claudePath, section + "\n");
-  }
-  const githubDir = path4.join(cwd, ".github");
-  fs4.mkdirSync(githubDir, { recursive: true });
-  const copilotPath = path4.join(githubDir, "copilot-instructions.md");
-  if (!fs4.existsSync(copilotPath)) {
-    fs4.writeFileSync(copilotPath, copilotInstructionsContent());
   }
+  return removed;
 }
 async function initCommand(opts2 = {}) {
   const cwd = process.cwd();
   const yes = opts2.yes || opts2.y || !process.stdin.isTTY;
-  const outPath = path4.join(cwd, "lbe.workspace.json");
+  const lbeDir = path4.join(cwd, ".lbe");
+  fs4.mkdirSync(lbeDir, { recursive: true });
+  const outPath = path4.join(lbeDir, "workspace.json");
   console.log("\nScanning workspace...\n");
   const { projectTypes, primaryType: primaryType2, semantics, enforcement } = scanWorkspace(cwd);
   console.log(formatSummary(projectTypes, semantics, enforcement));
@@ -2537,21 +2473,24 @@ async function initCommand(opts2 = {}) {
     enforcement: finalEnforcement
   };
   fs4.writeFileSync(outPath, JSON.stringify(contract, null, 2));
-  console.log("\u2713 Wrote lbe.workspace.json");
+  console.log("\u2713 Wrote .lbe/workspace.json");
   setupCrypto(cwd);
-  const localPolicyPath = path4.join(cwd, "lbe.policy.json");
+  const localPolicyPath = path4.join(lbeDir, "policy.json");
   if (!fs4.existsSync(localPolicyPath)) {
     fs4.writeFileSync(localPolicyPath, JSON.stringify({ version: 1, mode: "observe", workspace: cwd, rules: [] }, null, 2) + "\n");
   }
-  const localAuditPath = path4.join(cwd, ".lbe", "audit.jsonl");
+  const localAuditPath = path4.join(lbeDir, "audit.jsonl");
   if (!fs4.existsSync(localAuditPath)) fs4.writeFileSync(localAuditPath, "");
-  console.log("\u2713 Keys and policy ready");
-  writeAgentGovernanceFiles(cwd);
+  console.log("\u2713 Keys and policy ready  (.lbe/)");
+  writeAgentContract(cwd);
   console.log("\u2713 Agent contract written  \u2192  .lbe/AGENT_CONTRACT.md");
-  console.log("\u2713 CLAUDE.md updated with LBE governance section");
-  console.log("\u2713 .github/copilot-instructions.md ready\n");
-  console.log("Done. Any AI agent that reads project context will follow LBE governance automatically.");
-  console.log("Run  npx lbe status  to see mode, rules, and audit entry count.\n");
+  const migrated = migrateLegacyRootFiles(cwd);
+  if (migrated.length) {
+    console.log("\n\u2713 Migrated legacy files:");
+    for (const m of migrated) console.log("  " + m);
+  }
+  console.log("\nDone. All LBE state is in .lbe/");
+  console.log("Run  npx lbe-exec status  to verify.\n");
   return { success: true, contract };
 }
 
@@ -2571,7 +2510,8 @@ var opts = Object.fromEntries(
 var positional = rest.filter((v) => !v.startsWith("--") && rest[rest.indexOf(v) - 1]?.startsWith("--") === false);
 var __dir = path15.dirname(fileURLToPath2(import.meta.url));
 function loadPolicy() {
-  const p = path15.join(process.cwd(), "lbe.policy.json");
+  const cwd = process.cwd();
+  const p = fs14.existsSync(path15.join(cwd, ".lbe", "policy.json")) ? path15.join(cwd, ".lbe", "policy.json") : path15.join(cwd, "lbe.policy.json");
   return fs14.existsSync(p) ? JSON.parse(fs14.readFileSync(p, "utf8")) : null;
 }
 function findHookPath() {
@@ -2895,7 +2835,7 @@ switch (cmd) {
   case "policy": {
     const policy = loadPolicy();
     if (!policy) {
-      console.log("No lbe.policy.json found. Run: npx lbe-exec init");
+      console.log("No policy found. Run: npx lbe-exec init");
       break;
     }
     if (!policy.rules?.length) {

package/dist/index.js

@@ -1490,7 +1490,7 @@ function verifyAuditLogIntegrity(logPath, options = {}) {
 import fs8 from "fs";
 import path9 from "path";
 import crypto4 from "crypto";
-var POLICY_FILE = "lbe.policy.json";
+var POLICY_FILE = ".lbe/policy.json";
 var AUDIT_FILE = ".lbe/audit.jsonl";
 function glob(pattern) {
   const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");

package/hooks/register.cjs

@@ -14,7 +14,10 @@ const MODE = process.env.LBE_MODE || 'observe';
 // ── Policy loader (inline CJS — ESM cannot be require()'d synchronously) ────
 
 function loadPolicy() {
-    const policyPath = path.join(ROOT_DIR, 'lbe.policy.json');
+    // .lbe/policy.json is canonical. Fall back to legacy lbe.policy.json in root.
+    const policyPath = fs.existsSync(path.join(ROOT_DIR, '.lbe', 'policy.json'))
+        ? path.join(ROOT_DIR, '.lbe', 'policy.json')
+        : path.join(ROOT_DIR, 'lbe.policy.json');
     try {
         if (fs.existsSync(policyPath)) {
             return JSON.parse(fs.readFileSync(policyPath, 'utf8'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@letterblack/lbe-exec",
-  "version": "1.2.16",
+  "version": "1.2.17",
   "description": "Local host-signed execution layer for LetterBlack LBE.",
   "type": "module",
   "main": "dist/index.js",