@letterblack/lbe-exec 1.2.2 → 1.2.3

package/dist/cli.js

@@ -0,0 +1,2614 @@
+#!/usr/bin/env node
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/core/signature.js
+import nacl from "tweetnacl";
+import { canonicalize } from "json-canonicalize";
+function bytesFromBase64(b64) {
+  return Buffer.from(b64, "base64");
+}
+function toBase64(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+function verifyEd25519({ payloadObj, sigB64, pubKeyB64 }) {
+  try {
+    const msg = Buffer.from(canonicalize(payloadObj), "utf8");
+    const sig = bytesFromBase64(sigB64);
+    const pub = bytesFromBase64(pubKeyB64);
+    const isValid = nacl.sign.detached.verify(
+      new Uint8Array(msg),
+      new Uint8Array(sig),
+      new Uint8Array(pub)
+    );
+    return {
+      valid: isValid,
+      message: isValid ? "Signature verified" : "Signature verification failed"
+    };
+  } catch (err) {
+    return {
+      valid: false,
+      message: `Signature verification error: ${err.message}`
+    };
+  }
+}
+function generateKeyPair() {
+  const keyPair = nacl.sign.keyPair();
+  return {
+    publicKey: toBase64(keyPair.publicKey),
+    secretKey: toBase64(keyPair.secretKey)
+  };
+}
+function signEd25519({ payloadObj, secretKeyB64 }) {
+  try {
+    const msg = Buffer.from(canonicalize(payloadObj), "utf8");
+    const secretKey = bytesFromBase64(secretKeyB64);
+    const sig = nacl.sign.detached(new Uint8Array(msg), new Uint8Array(secretKey));
+    return {
+      signature: toBase64(sig),
+      error: null
+    };
+  } catch (err) {
+    return {
+      signature: null,
+      error: `Signing failed: ${err.message}`
+    };
+  }
+}
+var init_signature = __esm({
+  "src/core/signature.js"() {
+  }
+});
+
+// src/core/atomicWrite.js
+import fs5 from "fs";
+import path5 from "path";
+import crypto from "crypto";
+function _lockPathFor(targetPath) {
+  return targetPath + ".lock";
+}
+function _tryAcquire(lockPath) {
+  try {
+    const fd = fs5.openSync(lockPath, "wx");
+    fs5.writeSync(fd, `pid:${process.pid}:${Date.now()}`);
+    fs5.closeSync(fd);
+    return true;
+  } catch (err) {
+    if (err.code === "EEXIST" || err.code === "EPERM" || err.code === "EBUSY" || err.code === "EACCES") {
+      return false;
+    }
+    throw err;
+  }
+}
+function _removeIfStale(lockPath, staleMs) {
+  try {
+    const stat = fs5.statSync(lockPath);
+    const ageMs = Date.now() - stat.mtimeMs;
+    if (ageMs > staleMs) {
+      try {
+        fs5.unlinkSync(lockPath);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function _sleepSync(ms) {
+  const end = Date.now() + ms;
+  while (Date.now() < end) {
+    try {
+      Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, Math.max(1, end - Date.now()));
+    } catch {
+    }
+  }
+}
+function withFileLock(targetPath, optsOrFn, maybeFn) {
+  const fn = typeof optsOrFn === "function" ? optsOrFn : maybeFn;
+  const opts2 = typeof optsOrFn === "function" ? {} : optsOrFn || {};
+  const { timeoutMs, pollMs, staleMs } = { ...DEFAULT_LOCK_OPTS, ...opts2 };
+  const dir = path5.dirname(targetPath);
+  if (!fs5.existsSync(dir)) {
+    fs5.mkdirSync(dir, { recursive: true });
+  }
+  const lockPath = _lockPathFor(targetPath);
+  const deadline = Date.now() + timeoutMs;
+  let acquired = false;
+  while (!acquired) {
+    acquired = _tryAcquire(lockPath);
+    if (acquired) break;
+    if (Date.now() >= deadline) {
+      _removeIfStale(lockPath, staleMs);
+      acquired = _tryAcquire(lockPath);
+      if (acquired) break;
+      const err = new Error(`withFileLock: timeout acquiring ${lockPath} after ${timeoutMs}ms`);
+      err.code = "ELOCKTIMEOUT";
+      throw err;
+    }
+    _removeIfStale(lockPath, staleMs);
+    const jitter = Math.floor(Math.random() * pollMs);
+    _sleepSync(pollMs + jitter);
+  }
+  try {
+    return fn();
+  } finally {
+    try {
+      fs5.unlinkSync(lockPath);
+    } catch {
+    }
+  }
+}
+function atomicWriteFileSync(filePath, data, options = {}) {
+  const dir = path5.dirname(filePath);
+  if (!fs5.existsSync(dir)) {
+    fs5.mkdirSync(dir, { recursive: true });
+  }
+  const tempFile = path5.join(dir, `.tmp-${Date.now()}-${crypto.randomBytes(4).toString("hex")}`);
+  try {
+    fs5.writeFileSync(tempFile, data, options);
+    fs5.renameSync(tempFile, filePath);
+  } catch (error2) {
+    try {
+      if (fs5.existsSync(tempFile)) {
+        fs5.unlinkSync(tempFile);
+      }
+    } catch (cleanupError) {
+    }
+    throw error2;
+  }
+}
+var DEFAULT_LOCK_OPTS;
+var init_atomicWrite = __esm({
+  "src/core/atomicWrite.js"() {
+    DEFAULT_LOCK_OPTS = {
+      timeoutMs: 5e3,
+      // total wait before giving up
+      pollMs: 15,
+      // base poll interval (jittered)
+      staleMs: 3e4
+      // lock files older than this are presumed orphaned
+    };
+  }
+});
+
+// src/core/auditLog.js
+import fs6 from "fs";
+import path6 from "path";
+import crypto2 from "crypto";
+function sha256(str) {
+  return crypto2.createHash("sha256").update(str).digest("hex");
+}
+function getLastHash(logPath) {
+  try {
+    if (!fs6.existsSync(logPath)) return "GENESIS";
+    const content = fs6.readFileSync(logPath, "utf8").trim();
+    if (!content) return "GENESIS";
+    const lines = content.split("\n");
+    const lastLine = lines[lines.length - 1];
+    try {
+      const lastEntry = JSON.parse(lastLine);
+      return lastEntry.hash || "GENESIS";
+    } catch (err) {
+      return "GENESIS";
+    }
+  } catch (err) {
+    return "GENESIS";
+  }
+}
+function appendAudit(logPath, entry) {
+  const dir = path6.dirname(logPath);
+  if (!fs6.existsSync(dir)) {
+    fs6.mkdirSync(dir, { recursive: true });
+  }
+  let result;
+  withFileLock(logPath, () => {
+    const prevHash = getLastHash(logPath);
+    const record = {
+      ...entry,
+      prevHash,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    delete record.hash;
+    const recordStr = JSON.stringify(record);
+    const hash = sha256(recordStr);
+    const final = JSON.stringify({ ...record, hash });
+    let existingContent = "";
+    if (fs6.existsSync(logPath)) {
+      existingContent = fs6.readFileSync(logPath, "utf8");
+    }
+    try {
+      atomicWriteFileSync(logPath, existingContent + final + "\n", { encoding: "utf8" });
+    } catch (err) {
+      throw new Error(`Audit log write failed: ${err.message}`);
+    }
+    result = {
+      success: true,
+      hash,
+      prevHash,
+      message: "Audit entry appended"
+    };
+  });
+  return result;
+}
+function verifyAuditLogIntegrity(logPath, options = {}) {
+  const failFast = options.failFast !== false;
+  const maxEntries = Number.isFinite(options.maxEntries) && options.maxEntries > 0 ? Math.floor(options.maxEntries) : null;
+  const response = {
+    ok: true,
+    file: path6.resolve(logPath),
+    entries: 0,
+    valid: true,
+    firstInvalidIndex: null,
+    reason: null,
+    errors: [],
+    message: "Audit log verified"
+  };
+  try {
+    if (!fs6.existsSync(logPath)) {
+      response.message = "Audit log file not found (treated as empty)";
+      return response;
+    }
+    const raw = fs6.readFileSync(logPath, "utf8").trim();
+    if (!raw) {
+      response.message = "Empty audit log";
+      return response;
+    }
+    const allLines = raw.split("\n");
+    const lines = maxEntries ? allLines.slice(0, maxEntries) : allLines;
+    response.entries = lines.length;
+    let expectedPrevHash = "GENESIS";
+    for (let i = 0; i < lines.length; i++) {
+      let entry;
+      try {
+        entry = JSON.parse(lines[i]);
+      } catch {
+        const errObj = {
+          index: i,
+          reason: "INVALID_JSON_LINE",
+          message: `Line ${i} is not valid JSON`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+        continue;
+      }
+      if (entry.prevHash !== expectedPrevHash) {
+        const errObj = {
+          index: i,
+          reason: "PREV_HASH_MISMATCH",
+          message: `Expected prevHash '${expectedPrevHash}', got '${entry.prevHash}'`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+      }
+      const recordCopy = { ...entry };
+      const recordHash = recordCopy.hash;
+      delete recordCopy.hash;
+      const expectedHash = sha256(JSON.stringify(recordCopy));
+      if (recordHash !== expectedHash) {
+        const errObj = {
+          index: i,
+          reason: "HASH_MISMATCH",
+          message: `Expected hash '${expectedHash}', got '${recordHash}'`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+      }
+      expectedPrevHash = recordHash;
+    }
+    response.message = response.valid ? `Audit log verified: ${response.entries} entries` : `Audit log integrity failed at index ${response.firstInvalidIndex}`;
+    return response;
+  } catch (err) {
+    return {
+      ok: false,
+      file: path6.resolve(logPath),
+      entries: 0,
+      valid: false,
+      firstInvalidIndex: null,
+      reason: "AUDIT_VERIFY_ERROR",
+      errors: [{ index: null, reason: "AUDIT_VERIFY_ERROR", message: err.message }],
+      message: `Integrity check failed: ${err.message}`
+    };
+  }
+}
+var init_auditLog = __esm({
+  "src/core/auditLog.js"() {
+    init_atomicWrite();
+  }
+});
+
+// src/core/localPolicy.js
+import fs7 from "fs";
+import path7 from "path";
+import crypto3 from "crypto";
+function glob(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  return new RegExp("^" + escaped.replace(/\*\*\//g, "(?:.*/)?").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*") + "$");
+}
+function relative(root, value) {
+  const rel = path7.relative(root, path7.resolve(value));
+  return rel.split(path7.sep).join("/");
+}
+function localPolicyPaths(rootDir) {
+  const root = path7.resolve(rootDir || process.cwd());
+  return { root, policyPath: path7.join(root, POLICY_FILE), auditPath: path7.join(root, AUDIT_FILE) };
+}
+function loadLocalPolicy(rootDir, mode = "observe") {
+  const paths = localPolicyPaths(rootDir);
+  if (!fs7.existsSync(paths.policyPath)) {
+    return { ...paths, policy: { version: 1, mode, workspace: paths.root, rules: [] } };
+  }
+  const policy = JSON.parse(fs7.readFileSync(paths.policyPath, "utf8"));
+  if (policy?.version !== 1 || !["observe", "enforce"].includes(policy.mode) || !Array.isArray(policy.rules)) {
+    throw new Error(`Invalid ${POLICY_FILE}`);
+  }
+  return { ...paths, policy };
+}
+function writeLocalPolicy(rootDir, policy) {
+  const { policyPath, root } = localPolicyPaths(rootDir);
+  const next = { ...policy, version: 1, workspace: root, rules: Array.isArray(policy.rules) ? policy.rules : [] };
+  atomicWriteFileSync(policyPath, JSON.stringify(next, null, 2) + "\n", { encoding: "utf8" });
+  return next;
+}
+function addLocalPolicyRule(rootDir, rule, mode) {
+  if (!rule || !["allow", "deny"].includes(rule.effect) || !["path", "command"].includes(rule.type) || typeof rule.pattern !== "string" || !rule.pattern || typeof rule.from !== "string" || !rule.from) {
+    throw new Error("Rule requires effect, type, pattern, and from");
+  }
+  const loaded = loadLocalPolicy(rootDir, mode);
+  const entry = {
+    id: rule.id || crypto3.randomUUID(),
+    effect: rule.effect,
+    type: rule.type,
+    pattern: rule.pattern,
+    from: rule.from,
+    at: rule.at || (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeLocalPolicy(loaded.root, { ...loaded.policy, mode: mode || loaded.policy.mode, rules: [...loaded.policy.rules, entry] });
+  return { id: entry.id, added: true, rule: entry };
+}
+function proposePolicyRule(rule) {
+  return { ...rule, proposed: true, at: (/* @__PURE__ */ new Date()).toISOString() };
+}
+function evaluateLocalPolicy(policy, rootDir, { target, command } = {}) {
+  const root = path7.resolve(rootDir);
+  const candidates = [];
+  if (target) candidates.push({ type: "path", value: relative(root, target) });
+  if (command) candidates.push({ type: "command", value: command });
+  const matched = policy.rules.filter((rule) => candidates.some((c) => c.type === rule.type && glob(rule.pattern).test(c.value)));
+  const denied = matched.filter((rule) => rule.effect === "deny");
+  return { allowed: denied.length === 0, matched, winningRules: denied.length ? denied : matched.filter((r) => r.effect === "allow"), reason: denied.length ? "LOCAL_POLICY_DENY" : null };
+}
+function auditLocalPolicy(rootDir, entry) {
+  const { auditPath } = localPolicyPaths(rootDir);
+  appendAudit(auditPath, { kind: "local_policy", timestamp: (/* @__PURE__ */ new Date()).toISOString(), ...entry });
+}
+var POLICY_FILE, AUDIT_FILE;
+var init_localPolicy = __esm({
+  "src/core/localPolicy.js"() {
+    init_auditLog();
+    init_atomicWrite();
+    POLICY_FILE = "lbe.policy.json";
+    AUDIT_FILE = ".lbe/audit.jsonl";
+  }
+});
+
+// src/core/policyVersionGuard.js
+import fs8 from "fs";
+import path8 from "path";
+function parsePolicyVersion(version) {
+  if (typeof version === "number" && Number.isFinite(version)) {
+    return { ok: true, kind: "int", parts: [Math.floor(version)], raw: String(version) };
+  }
+  if (typeof version !== "string" || !version.trim()) {
+    return { ok: false, reason: "POLICY_VERSION_INVALID", message: "Policy version is required" };
+  }
+  const trimmed = version.trim();
+  if (/^\d+$/.test(trimmed)) {
+    return { ok: true, kind: "int", parts: [Number(trimmed)], raw: trimmed };
+  }
+  const semver = trimmed.replace(/^v/i, "");
+  if (/^\d+(\.\d+){0,2}$/.test(semver)) {
+    const parsed = semver.split(".").map((n) => Number(n));
+    while (parsed.length < 3) {
+      parsed.push(0);
+    }
+    return { ok: true, kind: "semver", parts: parsed, raw: trimmed };
+  }
+  return {
+    ok: false,
+    reason: "POLICY_VERSION_INVALID",
+    message: `Unsupported policy version format '${version}' (use integer or semver)`
+  };
+}
+function compareVersions(a, b) {
+  const len = Math.max(a.parts.length, b.parts.length);
+  for (let i = 0; i < len; i++) {
+    const av = a.parts[i] ?? 0;
+    const bv = b.parts[i] ?? 0;
+    if (av > bv) return 1;
+    if (av < bv) return -1;
+  }
+  return 0;
+}
+function parseCreatedAt(createdAt) {
+  if (typeof createdAt === "number" && Number.isFinite(createdAt)) {
+    const sec = createdAt > 1e12 ? Math.floor(createdAt / 1e3) : Math.floor(createdAt);
+    return { ok: true, epochSec: sec };
+  }
+  if (typeof createdAt !== "string" || !createdAt.trim()) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_INVALID",
+      message: "Policy createdAt is required"
+    };
+  }
+  const ts = Date.parse(createdAt);
+  if (Number.isNaN(ts)) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_INVALID",
+      message: `Invalid policy createdAt '${createdAt}'`
+    };
+  }
+  return { ok: true, epochSec: Math.floor(ts / 1e3) };
+}
+function loadPolicyState(statePath) {
+  if (!fs8.existsSync(statePath)) {
+    return {
+      schemaVersion: "1",
+      lastAccepted: null,
+      updatedAt: null
+    };
+  }
+  try {
+    const parsed = JSON.parse(fs8.readFileSync(statePath, "utf8"));
+    if (!parsed || typeof parsed !== "object") {
+      throw new Error("Policy state file has invalid structure");
+    }
+    return {
+      schemaVersion: String(parsed.schemaVersion || "1"),
+      lastAccepted: parsed.lastAccepted && typeof parsed.lastAccepted === "object" ? parsed.lastAccepted : null,
+      updatedAt: parsed.updatedAt || null
+    };
+  } catch (err) {
+    throw new Error(`Policy state at ${statePath} is corrupt or unreadable: ${err.message}`);
+  }
+}
+function savePolicyState(statePath, stateObj) {
+  const payload = JSON.stringify(stateObj, null, 2);
+  atomicWriteFileSync(statePath, payload, { encoding: "utf8" });
+}
+function validateAndUpdatePolicyVersionState({
+  policyObj,
+  statePath = path8.resolve(".lbe/data/policy.state.json"),
+  maxCreatedAtSkewSec = 31536e3,
+  nowSec = Math.floor(Date.now() / 1e3),
+  persist = true
+}) {
+  const version = parsePolicyVersion(policyObj?.version);
+  if (!version.ok) {
+    return {
+      ok: false,
+      reason: version.reason,
+      message: version.message,
+      updated: false
+    };
+  }
+  const createdAt = parseCreatedAt(policyObj?.createdAt);
+  if (!createdAt.ok) {
+    return {
+      ok: false,
+      reason: createdAt.reason,
+      message: createdAt.message,
+      updated: false
+    };
+  }
+  const skew = Math.abs(nowSec - createdAt.epochSec);
+  const allowedSkew = Number.isFinite(maxCreatedAtSkewSec) && maxCreatedAtSkewSec > 0 ? Math.floor(maxCreatedAtSkewSec) : 31536e3;
+  if (skew > allowedSkew) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_SKEW_EXCEEDED",
+      message: `Policy createdAt skew ${skew}s exceeds allowed ${allowedSkew}s`,
+      updated: false
+    };
+  }
+  let state;
+  try {
+    state = loadPolicyState(statePath);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: "POLICY_STATE_CORRUPT",
+      message: err.message,
+      updated: false
+    };
+  }
+  const previous = state.lastAccepted;
+  let previousVersion = null;
+  let previousCreatedAt = null;
+  let versionCompare = 0;
+  if (previous) {
+    previousVersion = parsePolicyVersion(previous.version);
+    previousCreatedAt = parseCreatedAt(previous.createdAt);
+    if (previousVersion.ok && previousCreatedAt.ok) {
+      versionCompare = compareVersions(version, previousVersion);
+      if (versionCompare < 0) {
+        return {
+          ok: false,
+          reason: "POLICY_VERSION_REGRESSION",
+          message: `Policy version regression: current '${version.raw}' < last '${previousVersion.raw}'`,
+          updated: false
+        };
+      }
+      if (versionCompare === 0 && createdAt.epochSec < previousCreatedAt.epochSec) {
+        return {
+          ok: false,
+          reason: "POLICY_CREATED_AT_REGRESSION",
+          message: `Policy createdAt regression: current '${policyObj.createdAt}' < last '${previous.createdAt}'`,
+          updated: false
+        };
+      }
+      if (versionCompare > 0 && createdAt.epochSec < previousCreatedAt.epochSec) {
+        return {
+          ok: false,
+          reason: "POLICY_CREATED_AT_REGRESSION",
+          message: `Policy createdAt must be monotonic when version increases`,
+          updated: false
+        };
+      }
+    }
+  }
+  const shouldUpdate = !previous || !previousVersion?.ok || !previousCreatedAt?.ok || versionCompare > 0 || versionCompare === 0 && createdAt.epochSec > previousCreatedAt.epochSec;
+  if (persist && shouldUpdate) {
+    const nextState = {
+      schemaVersion: "1",
+      lastAccepted: {
+        version: policyObj.version,
+        createdAt: policyObj.createdAt,
+        environment: policyObj.environment || null
+      },
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    savePolicyState(statePath, nextState);
+  }
+  return {
+    ok: true,
+    reason: null,
+    message: "Policy version guard passed",
+    updated: shouldUpdate
+  };
+}
+var init_policyVersionGuard = __esm({
+  "src/core/policyVersionGuard.js"() {
+    init_atomicWrite();
+  }
+});
+
+// runtime/engine.js
+import fs9 from "fs";
+import path9 from "path";
+import { fileURLToPath } from "url";
+function wasm() {
+  if (_instance) return _instance;
+  if (!fs9.existsSync(wasmPath)) throw new Error(`LBE engine missing: ${wasmPath}`);
+  const bytes = fs9.readFileSync(wasmPath);
+  _instance = new WebAssembly.Instance(new WebAssembly.Module(bytes), {});
+  return _instance;
+}
+function memory() {
+  return new Uint8Array(wasm().exports.memory.buffer);
+}
+function inPtr() {
+  return wasm().exports.lbe_in_ptr();
+}
+function outPtr() {
+  return wasm().exports.lbe_out_ptr();
+}
+function bufSize() {
+  return wasm().exports.lbe_buf_size();
+}
+function writeIn(str) {
+  const enc = new TextEncoder().encode(str);
+  const mem = memory();
+  const ptr = inPtr();
+  mem.set(enc, ptr);
+  mem[ptr + enc.length] = 0;
+}
+function readOut() {
+  const mem = memory();
+  const ptr = outPtr();
+  let end = ptr;
+  while (mem[end] !== 0 && end - ptr < bufSize()) end++;
+  return new TextDecoder().decode(mem.slice(ptr, end));
+}
+function writePipelineInput(fields) {
+  const mem = memory();
+  const ptr = inPtr();
+  const view = new DataView(mem.buffer, ptr);
+  fields.forEach((v, i) => view.setUint32(i * 4, v >>> 0, true));
+}
+function readPipelineOutput() {
+  const mem = memory();
+  const ptr = outPtr();
+  const view = new DataView(mem.buffer, ptr);
+  return { stage: view.getUint32(0, true), code: view.getUint32(4, true) };
+}
+function runValidationPipeline(flags) {
+  writePipelineInput([
+    // Schema flags [0..24]
+    flags.hasId ? 1 : 0,
+    flags.idValid ? 1 : 0,
+    flags.hasCommandId ? 1 : 0,
+    flags.commandIdValid ? 1 : 0,
+    flags.hasRequesterId ? 1 : 0,
+    flags.requesterIdValid ? 1 : 0,
+    flags.hasSessionId ? 1 : 0,
+    flags.sessionIdValid ? 1 : 0,
+    flags.hasTimestamp ? 1 : 0,
+    flags.timestampValid ? 1 : 0,
+    flags.hasNonce ? 1 : 0,
+    flags.nonceValid ? 1 : 0,
+    flags.hasRequires ? 1 : 0,
+    flags.requiresValid ? 1 : 0,
+    flags.hasPayload ? 1 : 0,
+    flags.hasPayloadAdapter ? 1 : 0,
+    flags.payloadAdapterValid ? 1 : 0,
+    flags.hasSignature ? 1 : 0,
+    flags.hasSignatureAlg ? 1 : 0,
+    flags.signatureAlgValid ? 1 : 0,
+    flags.hasSignatureKeyId ? 1 : 0,
+    flags.hasSignatureSig ? 1 : 0,
+    flags.signatureSigValid ? 1 : 0,
+    flags.hasRisk ? 1 : 0,
+    flags.riskValid ? 1 : 0,
+    // Timestamp [25..27]
+    flags.cmdTimestamp >>> 0,
+    flags.nowSec >>> 0,
+    flags.maxClockSkewSec >>> 0,
+    // Key lifecycle [28..34]
+    flags.keyIdFormatValid ? 1 : 0,
+    flags.keyFound ? 1 : 0,
+    flags.keyNotDeprecated ? 1 : 0,
+    flags.keyRequesterMatches ? 1 : 0,
+    flags.keyNotBeforeOk ? 1 : 0,
+    flags.keyNotExpired ? 1 : 0,
+    flags.keyLifecycleFieldsPresent ? 1 : 0,
+    // Signature [35]
+    flags.signatureValid ? 1 : 0,
+    // Rate limit [36..37]
+    flags.rateLimitOk ? 1 : 0,
+    flags.rateLimitRetryAfterSec >>> 0,
+    // Nonce [38]
+    flags.nonceOk ? 1 : 0,
+    // Policy [39..48]
+    flags.policyConfigured ? 1 : 0,
+    flags.requesterConfigured ? 1 : 0,
+    flags.commandAllowed ? 1 : 0,
+    flags.adapterAllowed ? 1 : 0,
+    flags.filesystemRequired ? 1 : 0,
+    flags.filesystemRootsDefined ? 1 : 0,
+    flags.filesystemOk ? 1 : 0,
+    flags.pathDenied ? 1 : 0,
+    flags.shellRequired ? 1 : 0,
+    flags.shellCommandOk ? 1 : 0
+  ]);
+  wasm().exports.lbe_validate_pipeline();
+  const { stage, code } = readPipelineOutput();
+  const ok = stage === 255;
+  return {
+    ok,
+    stage,
+    stageLabel: PIPELINE_STAGES[stage] || "unknown",
+    code,
+    schemaError: stage === 0 ? SCHEMA_MESSAGES[code]?.error || "Schema invalid" : null,
+    keyReason: stage === 2 ? KEY_REASONS[code] || "KEY_ERROR" : null,
+    policyResult: stage === 6 ? { ...POLICY_MESSAGES[code] || POLICY_MESSAGES[1], code } : null,
+    retryAfterSec: stage === 4 ? code : 0,
+    skewSec: stage === 1 ? code : 0
+  };
+}
+function checkNonce({ ttlSec, nowSec, newKey, existingEntries }) {
+  const lines = [`${ttlSec}:${nowSec}`, newKey, ...existingEntries].join("\n") + "\n";
+  writeIn(lines);
+  const isReplay = wasm().exports.lbe_nonce_check() !== 0;
+  if (isReplay) return { ok: false, updatedEntriesText: null };
+  const out = readOut();
+  return { ok: true, updatedEntriesText: out.startsWith("OK\n") ? out.slice(3) : out };
+}
+function checkRateLimit({ windowSec, maxRequests, nowSec, requesterId, existingEntries }) {
+  const lines = [
+    `${windowSec}:${maxRequests}:${nowSec}`,
+    requesterId,
+    ...existingEntries
+  ].join("\n") + "\n";
+  writeIn(lines);
+  const exceeded = wasm().exports.lbe_rate_check() !== 0;
+  const out = readOut();
+  if (exceeded) {
+    const retryAfterSec = parseInt(out.match(/^EXCEEDED:(\d+)/)?.[1] ?? "1", 10);
+    const entriesText = out.replace(/^EXCEEDED:\d+\n/, "");
+    return { ok: false, retryAfterSec, updatedEntriesText: entriesText };
+  }
+  return { ok: true, retryAfterSec: 0, updatedEntriesText: out.startsWith("OK\n") ? out.slice(3) : out };
+}
+function classifyRisk(commandId, shellCmdIsRm = false) {
+  const typeCode = COMMAND_TYPE[commandId] ?? 0;
+  const code = wasm().exports.lbe_classify_risk(typeCode, shellCmdIsRm ? 1 : 0);
+  return RISK_LABELS[code] ?? "LOW";
+}
+var runtimeDir, wasmPath, POLICY_MESSAGES, SCHEMA_MESSAGES, KEY_REASONS, PIPELINE_STAGES, RISK_LABELS, COMMAND_TYPE, _instance;
+var init_engine = __esm({
+  "runtime/engine.js"() {
+    runtimeDir = path9.dirname(fileURLToPath(import.meta.url));
+    wasmPath = path9.join(runtimeDir, "lbe_engine.wasm");
+    POLICY_MESSAGES = {
+      0: { allowed: true, reason: null, message: "Policy check passed" },
+      1: { allowed: false, reason: "POLICY_NOT_CONFIGURED", message: "No policy configured" },
+      2: { allowed: false, reason: "REQUESTER_NOT_ALLOWED", message: "Requester not in policy" },
+      3: { allowed: false, reason: "COMMAND_NOT_ALLOWED", message: "Command not allowed for requester" },
+      4: { allowed: false, reason: "ADAPTER_NOT_ALLOWED", message: "Adapter not allowed" },
+      5: { allowed: false, reason: "NO_FILESYSTEM_ROOTS_DEFINED", message: "No filesystem roots defined for requester" },
+      6: { allowed: false, reason: "CWD_OUTSIDE_ALLOWED_ROOT", message: "Path not under allowed roots" },
+      7: { allowed: false, reason: "PATH_DENIED_BY_PATTERN", message: "Path matches deny pattern" },
+      8: { allowed: false, reason: "SHELL_CMD_DENIED", message: "Shell command not allowed" }
+    };
+    SCHEMA_MESSAGES = {
+      0: { valid: true, error: null },
+      1: { valid: false, error: "Missing required field: id" },
+      2: { valid: false, error: "Missing required field: commandId" },
+      3: { valid: false, error: "Missing required field: requesterId" },
+      4: { valid: false, error: "Missing required field: sessionId" },
+      5: { valid: false, error: "Missing required field: timestamp" },
+      6: { valid: false, error: "Missing required field: nonce" },
+      7: { valid: false, error: "Missing required field: requires" },
+      8: { valid: false, error: "Missing required field: payload" },
+      9: { valid: false, error: "Missing required field: signature" },
+      10: { valid: false, error: "Field 'id' is invalid" },
+      11: { valid: false, error: "Field 'commandId' is invalid" },
+      12: { valid: false, error: "Field 'requesterId' is invalid" },
+      13: { valid: false, error: "Field 'sessionId' is invalid" },
+      14: { valid: false, error: "Field 'timestamp' is invalid" },
+      15: { valid: false, error: "Field 'nonce' is invalid" },
+      16: { valid: false, error: "Field 'requires' is invalid" },
+      17: { valid: false, error: "payload: missing required field: adapter" },
+      18: { valid: false, error: "payload: field 'adapter' is invalid" },
+      19: { valid: false, error: "signature: missing required field: alg" },
+      20: { valid: false, error: "signature: missing required field: keyId" },
+      21: { valid: false, error: "signature: missing required field: sig" },
+      22: { valid: false, error: "signature: field 'alg' must be ed25519" },
+      23: { valid: false, error: "signature: field 'sig' is invalid" },
+      24: { valid: false, error: "Field 'risk' is invalid" }
+    };
+    KEY_REASONS = {
+      1: "KEY_ID_INVALID",
+      2: "KEY_NOT_TRUSTED",
+      3: "KEY_DEPRECATED",
+      4: "KEY_REQUESTER_MISMATCH",
+      5: "KEY_LIFECYCLE_INVALID",
+      6: "KEY_NOT_YET_VALID",
+      7: "KEY_EXPIRED"
+    };
+    PIPELINE_STAGES = {
+      0: "schema",
+      1: "timestamp",
+      2: "key",
+      3: "signature",
+      4: "rate_limit",
+      5: "nonce",
+      6: "policy",
+      255: "ok"
+    };
+    RISK_LABELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];
+    COMMAND_TYPE = { ECHO: 0, READ_FILE: 1, WRITE_FILE: 2, PATCH_FILE: 3, DELETE_FILE: 4, RUN_SHELL: 5 };
+    _instance = null;
+  }
+});
+
+// src/core/validator.js
+import path10 from "path";
+function extractSchemaFlags(cmd2) {
+  const has = (k) => cmd2 != null && Object.prototype.hasOwnProperty.call(cmd2, k);
+  const isStr = (v) => typeof v === "string";
+  const p = cmd2?.payload;
+  const sig = cmd2?.signature;
+  return {
+    hasId: has("id"),
+    idValid: isStr(cmd2?.id) && /^[A-Z_]+$/.test(cmd2.id) && cmd2.id.length >= 1 && cmd2.id.length <= 50,
+    hasCommandId: has("commandId"),
+    commandIdValid: isStr(cmd2?.commandId) && /^[a-f0-9-]+$/.test(cmd2.commandId) && cmd2.commandId.length === 36,
+    hasRequesterId: has("requesterId"),
+    requesterIdValid: isStr(cmd2?.requesterId) && cmd2.requesterId.length >= 3 && cmd2.requesterId.length <= 100,
+    hasSessionId: has("sessionId"),
+    sessionIdValid: isStr(cmd2?.sessionId) && cmd2.sessionId.length >= 3,
+    hasTimestamp: has("timestamp"),
+    timestampValid: typeof cmd2?.timestamp === "number" && cmd2.timestamp >= 1e9,
+    hasNonce: has("nonce"),
+    nonceValid: isStr(cmd2?.nonce) && cmd2.nonce.length >= 32 && cmd2.nonce.length <= 128,
+    hasRequires: has("requires"),
+    requiresValid: Array.isArray(cmd2?.requires) && cmd2.requires.length >= 1 && cmd2.requires.every(isStr),
+    hasPayload: has("payload") && typeof p === "object" && p !== null && !Array.isArray(p),
+    hasPayloadAdapter: p != null && Object.prototype.hasOwnProperty.call(p, "adapter"),
+    payloadAdapterValid: isStr(p?.adapter),
+    hasSignature: has("signature") && typeof sig === "object" && sig !== null && !Array.isArray(sig),
+    hasSignatureAlg: sig != null && Object.prototype.hasOwnProperty.call(sig, "alg"),
+    signatureAlgValid: sig?.alg === "ed25519",
+    hasSignatureKeyId: sig != null && Object.prototype.hasOwnProperty.call(sig, "keyId"),
+    hasSignatureSig: sig != null && Object.prototype.hasOwnProperty.call(sig, "sig"),
+    signatureSigValid: isStr(sig?.sig) && sig.sig.length >= 10,
+    hasRisk: has("risk"),
+    riskValid: ["LOW", "MEDIUM", "HIGH", "CRITICAL"].includes(cmd2?.risk)
+  };
+}
+function extractPolicyFlags(policy, cmd2) {
+  const hasPolicy = !!(policy && policy.default === "DENY" && policy.requesters && typeof policy.requesters === "object");
+  const rp = policy?.requesters?.[cmd2.requesterId];
+  const cmdId = cmd2.id?.toLowerCase() ?? "";
+  const commandAllowed = !!rp?.allowCommands?.some((c) => c.toLowerCase() === cmdId);
+  const adapterAllowed = !!rp?.allowAdapters?.includes(cmd2.payload?.adapter);
+  const filesystemRequired = !!cmd2.payload?.cwd;
+  let filesystemRootsDefined = false;
+  let filesystemOk = false;
+  let pathDenied = false;
+  if (filesystemRequired) {
+    const roots = rp?.filesystem?.roots ?? [];
+    filesystemRootsDefined = roots.length > 0;
+    if (filesystemRootsDefined) {
+      const cwd = path10.resolve(cmd2.payload.cwd);
+      filesystemOk = roots.some((r) => {
+        const rr = path10.resolve(r);
+        return cwd === rr || cwd.startsWith(rr + path10.sep);
+      });
+      const denyPatterns = rp?.filesystem?.denyPatterns ?? [];
+      pathDenied = denyPatterns.some((pattern) => {
+        const re = new RegExp("^" + pattern.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*") + "$");
+        return re.test(cwd);
+      });
+    }
+  }
+  let shellRequired = false;
+  let shellCommandOk = true;
+  if (cmd2.id === "RUN_SHELL") {
+    shellRequired = true;
+    const allowCmds = rp?.exec?.allowCmds ?? [];
+    const denyCmds = rp?.exec?.denyCmds ?? [];
+    const shellCmd = cmd2.payload?.cmd;
+    if (denyCmds.includes(shellCmd)) {
+      shellCommandOk = false;
+    } else {
+      shellCommandOk = allowCmds.length === 0 || allowCmds.includes(shellCmd);
+    }
+  }
+  return {
+    policyConfigured: hasPolicy,
+    requesterConfigured: !!rp,
+    commandAllowed,
+    adapterAllowed,
+    filesystemRequired,
+    filesystemRootsDefined,
+    filesystemOk,
+    pathDenied,
+    shellRequired,
+    shellCommandOk
+  };
+}
+function extractKeyFlags(keyStore, keyId, requesterId, now = /* @__PURE__ */ new Date()) {
+  if (!keyStore || !keyId) {
+    return {
+      keyIdFormatValid: false,
+      keyFound: false,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const KEY_ID_RE = /^[A-Za-z0-9:_-]{3,128}$/;
+  const keyIdFormatValid = KEY_ID_RE.test(keyId) && keyId !== "default";
+  if (!keyIdFormatValid) {
+    return {
+      keyIdFormatValid,
+      keyFound: false,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const entry = keyStore.trustedKeys?.[keyId];
+  const keyFound = !!entry;
+  if (!keyFound) {
+    return {
+      keyIdFormatValid,
+      keyFound,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const keyNotDeprecated = !entry.deprecated;
+  const keyRequesterMatches = !entry.requesterId || entry.requesterId === requesterId;
+  const notBefore = entry.notBefore || entry.validFrom;
+  const expiresAt = entry.expiresAt || entry.validUntil;
+  const keyLifecycleFieldsPresent = typeof notBefore === "string" && typeof expiresAt === "string";
+  let keyNotBeforeOk = false;
+  let keyNotExpired = false;
+  if (keyLifecycleFieldsPresent) {
+    const nb = new Date(notBefore);
+    const exp = new Date(expiresAt);
+    if (!isNaN(nb.getTime()) && !isNaN(exp.getTime()) && nb < exp) {
+      keyNotBeforeOk = now >= nb;
+      keyNotExpired = now < exp;
+    }
+  }
+  return {
+    keyIdFormatValid,
+    keyFound,
+    keyNotDeprecated,
+    keyRequesterMatches,
+    keyNotBeforeOk,
+    keyNotExpired,
+    keyLifecycleFieldsPresent,
+    publicKey: entry.publicKey ?? null
+  };
+}
+function nonceEntriesToText(db) {
+  return (db?.entries ?? []).map((e) => `${e.key}:${e.timestamp}`);
+}
+function textToNonceEntries(text) {
+  return text.split("\n").filter(Boolean).map((line) => {
+    const lastColon = line.lastIndexOf(":");
+    return {
+      key: line.slice(0, lastColon),
+      timestamp: parseInt(line.slice(lastColon + 1), 10) || 0
+    };
+  });
+}
+function rateEntriesToText(db) {
+  return (db?.entries ?? []).map((e) => `${e.requesterId}:${e.timestamp}`);
+}
+function textToRateEntries(text) {
+  return text.split("\n").filter(Boolean).map((line) => {
+    const lastColon = line.lastIndexOf(":");
+    return {
+      requesterId: line.slice(0, lastColon),
+      timestamp: parseInt(line.slice(lastColon + 1), 10) || 0
+    };
+  });
+}
+function validateCommand({
+  commandObj,
+  pubKeyB64,
+  keyStore,
+  nonceDb,
+  policy,
+  rateLimiter,
+  policyStatePath
+}) {
+  const result = {
+    valid: false,
+    commandId: commandObj?.commandId,
+    checks: {},
+    errors: []
+  };
+  const nowSec = Math.floor(Date.now() / 1e3);
+  const now = /* @__PURE__ */ new Date();
+  const maxClockSkewSec = Number.isFinite(policy?.security?.maxClockSkewSec) ? policy.security.maxClockSkewSec : 600;
+  if (policyStatePath && policy?.version !== void 0) {
+    try {
+      const vCheck = validateAndUpdatePolicyVersionState({ policyObj: policy, statePath: policyStatePath });
+      result.checks.policyVersion = vCheck.ok;
+      if (!vCheck.ok) {
+        result.errors.push({ type: "POLICY_VERSION_INVALID", message: vCheck.message });
+        return result;
+      }
+    } catch {
+      result.checks.policyVersion = true;
+    }
+  } else {
+    result.checks.policyVersion = true;
+  }
+  const schemaFlags = extractSchemaFlags(commandObj);
+  const keyId = commandObj?.signature?.keyId;
+  const keyFlags = extractKeyFlags(keyStore, keyId, commandObj?.requesterId, now);
+  let signatureValid = false;
+  let effectivePubKey = keyFlags.publicKey;
+  if (!effectivePubKey && pubKeyB64) effectivePubKey = pubKeyB64;
+  if (effectivePubKey) {
+    const bodyWithoutSig = { ...commandObj };
+    delete bodyWithoutSig.signature;
+    const sigCheck = verifyEd25519({
+      payloadObj: bodyWithoutSig,
+      sigB64: commandObj?.signature?.sig,
+      pubKeyB64: effectivePubKey
+    });
+    signatureValid = sigCheck.valid;
+  }
+  let rateLimitOk = true;
+  let rateLimitRetryAfterSec = 0;
+  if (signatureValid && rateLimiter && typeof rateLimiter.db !== "undefined") {
+    const rateCfg = policy?.requesters?.[commandObj.requesterId]?.rateLimit || {};
+    const dfltCfg = policy?.security?.defaultRateLimit || {};
+    const windowSec = rateCfg.windowSec ?? dfltCfg.windowSec ?? 60;
+    const maxRequests = rateCfg.maxRequests ?? dfltCfg.maxRequests ?? 30;
+    const rateResult = checkRateLimit({
+      windowSec,
+      maxRequests,
+      nowSec,
+      requesterId: commandObj.requesterId,
+      existingEntries: rateEntriesToText(rateLimiter.db)
+    });
+    rateLimitOk = rateResult.ok;
+    rateLimitRetryAfterSec = rateResult.retryAfterSec;
+    if (rateResult.ok) {
+      rateLimiter.db.entries = textToRateEntries(rateResult.updatedEntriesText);
+    }
+  } else if (signatureValid && rateLimiter && typeof rateLimiter.checkAndRecord === "function") {
+    const rateCfg = policy?.requesters?.[commandObj.requesterId]?.rateLimit || {};
+    const dfltCfg = policy?.security?.defaultRateLimit || {};
+    const rateCheck = rateLimiter.checkAndRecord({
+      requesterId: commandObj.requesterId,
+      nowSec,
+      windowSec: rateCfg.windowSec ?? dfltCfg.windowSec ?? 60,
+      maxRequests: rateCfg.maxRequests ?? dfltCfg.maxRequests ?? 30
+    });
+    rateLimitOk = rateCheck.ok;
+    rateLimitRetryAfterSec = rateCheck.retryAfterSec ?? 0;
+  }
+  let nonceOk = true;
+  const nonceKey = `${commandObj?.requesterId}|${commandObj?.sessionId}|${commandObj?.nonce}`;
+  const ttlSec = 3600;
+  if (signatureValid && rateLimitOk && nonceDb) {
+    if (typeof nonceDb.checkAndRecord === "function") {
+      if (nonceDb.db) {
+        const nonceResult = checkNonce({
+          ttlSec,
+          nowSec,
+          newKey: nonceKey,
+          existingEntries: nonceEntriesToText(nonceDb.db)
+        });
+        nonceOk = nonceResult.ok;
+        if (nonceResult.ok) {
+          nonceDb.db.entries = textToNonceEntries(nonceResult.updatedEntriesText);
+        }
+      } else {
+        const r = nonceDb.checkAndRecord({
+          requesterId: commandObj.requesterId,
+          sessionId: commandObj.sessionId,
+          nonce: commandObj.nonce
+        });
+        nonceOk = r.ok;
+      }
+    } else {
+      const nonceResult = checkNonce({
+        ttlSec,
+        nowSec,
+        newKey: nonceKey,
+        existingEntries: nonceEntriesToText(nonceDb)
+      });
+      nonceOk = nonceResult.ok;
+      if (nonceResult.ok) {
+        nonceDb.entries = textToNonceEntries(nonceResult.updatedEntriesText);
+      }
+    }
+  }
+  const policyFlags = extractPolicyFlags(policy, commandObj ?? {});
+  const pipeline = runValidationPipeline({
+    ...schemaFlags,
+    cmdTimestamp: commandObj?.timestamp ?? 0,
+    nowSec,
+    maxClockSkewSec,
+    ...keyFlags,
+    signatureValid,
+    rateLimitOk,
+    rateLimitRetryAfterSec,
+    nonceOk,
+    ...policyFlags
+  });
+  const s = pipeline.stage;
+  result.checks.schema = s !== 0;
+  if (s >= 1) result.checks.timestamp = s !== 1;
+  if (s >= 2) result.checks.keyId = s !== 2;
+  if (s >= 2) result.checks.signature = s !== 2 && s !== 3;
+  if (s >= 4) result.checks.rateLimit = s !== 4;
+  if (s >= 5) result.checks.nonce = s !== 5;
+  if (s >= 6 || pipeline.ok) result.checks.policy = s !== 6;
+  if (!pipeline.ok) {
+    const stage = pipeline.stageLabel;
+    if (stage === "schema") {
+      result.errors.push({ type: "SCHEMA_ERROR", message: pipeline.schemaError || "Schema invalid" });
+    } else if (stage === "timestamp") {
+      result.errors.push({ type: "TIMESTAMP_SKEW_EXCEEDED", message: `Command timestamp skew ${pipeline.skewSec}s exceeds allowed ${maxClockSkewSec}s` });
+    } else if (stage === "key") {
+      const reason = pipeline.keyReason || "KEY_ERROR";
+      const msgs = {
+        KEY_ID_INVALID: `Invalid keyId '${keyId}'`,
+        KEY_NOT_TRUSTED: `Key '${keyId}' is not in trusted key store`,
+        KEY_DEPRECATED: `Key '${keyId}' is deprecated`,
+        KEY_REQUESTER_MISMATCH: `Key '${keyId}' is not authorized for requester '${commandObj?.requesterId}'`,
+        KEY_LIFECYCLE_INVALID: `Key '${keyId}' must define notBefore and expiresAt`,
+        KEY_NOT_YET_VALID: `Key '${keyId}' is not yet valid`,
+        KEY_EXPIRED: `Key '${keyId}' has expired`
+      };
+      result.errors.push({ type: reason, message: msgs[reason] || reason });
+    } else if (stage === "signature") {
+      result.errors.push({ type: "SIGNATURE_INVALID", message: effectivePubKey ? "Signature verification failed" : "No public key available" });
+    } else if (stage === "rate_limit") {
+      result.errors.push({ type: "RATE_LIMIT_EXCEEDED", message: `Rate limit exceeded. Retry after ${pipeline.retryAfterSec}s` });
+    } else if (stage === "nonce") {
+      result.errors.push({ type: "REPLAY_NONCE", message: "Nonce has already been used" });
+    } else if (stage === "policy" && pipeline.policyResult) {
+      result.errors.push({ type: pipeline.policyResult.reason, message: pipeline.policyResult.message });
+    } else {
+      result.errors.push({ type: "VALIDATION_FAILED", message: `Failed at stage: ${stage}` });
+    }
+    return result;
+  }
+  result.valid = true;
+  result.risk = classifyRisk(commandObj.id, commandObj.payload?.cmd === "rm");
+  result.message = "Command validation successful";
+  return result;
+}
+var init_validator = __esm({
+  "src/core/validator.js"() {
+    init_signature();
+    init_policyVersionGuard();
+    init_engine();
+  }
+});
+
+// src/adapters/noopAdapter.js
+async function noopAdapter(cmd2) {
+  return {
+    adapter: "noop",
+    commandId: cmd2.commandId || "unknown",
+    command: cmd2.id || "unknown",
+    status: "completed",
+    output: `[NOOP] Would execute: ${cmd2.id || "unknown"} on adapter: ${cmd2.payload?.adapter || "unknown"}`,
+    exitCode: 0,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+var init_noopAdapter = __esm({
+  "src/adapters/noopAdapter.js"() {
+  }
+});
+
+// src/adapters/shellAdapter.js
+import { spawnSync } from "child_process";
+import path11 from "path";
+import fs10 from "fs";
+function physicalPath(candidate) {
+  try {
+    return fs10.realpathSync(path11.resolve(candidate));
+  } catch {
+    return path11.resolve(candidate);
+  }
+}
+function normalizeArgs(args) {
+  if (args === void 0) return { ok: true, args: [] };
+  if (!Array.isArray(args)) {
+    return { ok: false, error: "payload.args must be an array" };
+  }
+  const normalized = [];
+  for (const arg of args) {
+    if (typeof arg !== "string" && typeof arg !== "number" && typeof arg !== "boolean") {
+      return { ok: false, error: "payload.args may only contain string, number, or boolean values" };
+    }
+    normalized.push(String(arg));
+  }
+  return { ok: true, args: normalized };
+}
+async function shellAdapter(cmd2, policy, requester) {
+  const payload = cmd2.payload;
+  const timeout = Math.min(Math.max(Number(payload.timeoutMs) || 3e4, 1), 3e4);
+  const maxOutputSize = Math.min(Math.max(Number(payload.maxOutputBytes) || 1024 * 1024, 1024), 1024 * 1024);
+  if (payload.adapter !== "shell") {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      status: "error",
+      error: "Adapter mismatch",
+      exitCode: 1
+    };
+  }
+  const allowedCmds = requester?.exec?.allowCmds || [];
+  const deniedCmds = requester?.exec?.denyCmds || [];
+  if (deniedCmds.includes(payload.cmd)) {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      status: "blocked",
+      error: `Command '${payload.cmd}' is denied`,
+      exitCode: 2
+    };
+  }
+  if (allowedCmds.length > 0 && !allowedCmds.includes(payload.cmd)) {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      status: "blocked",
+      error: `Command '${payload.cmd}' not in allowlist`,
+      exitCode: 2
+    };
+  }
+  const roots = requester?.filesystem?.roots || [];
+  const cwdAllow = roots.some((r) => {
+    const resolvedRoot = physicalPath(r);
+    const norm = physicalPath(payload.cwd);
+    return norm === resolvedRoot || norm.startsWith(resolvedRoot + path11.sep);
+  });
+  if (!cwdAllow) {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      status: "blocked",
+      error: `CWD '${payload.cwd}' not authorized`,
+      exitCode: 2
+    };
+  }
+  const argCheck = normalizeArgs(payload.args);
+  if (!argCheck.ok) {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      status: "blocked",
+      error: argCheck.error,
+      exitCode: 2
+    };
+  }
+  try {
+    const result = spawnSync(payload.cmd, argCheck.args, {
+      cwd: payload.cwd,
+      timeout,
+      encoding: "utf8",
+      maxBuffer: maxOutputSize,
+      stdio: ["pipe", "pipe", "pipe"],
+      shell: false
+    });
+    if (result.error) {
+      throw result.error;
+    }
+    const output = `${result.stdout || ""}${result.stderr || ""}`;
+    const exitCode = result.status ?? 1;
+    if (exitCode !== 0) {
+      return {
+        adapter: "shell",
+        commandId: cmd2.commandId,
+        command: payload.cmd,
+        status: "error",
+        error: output.substring(0, maxOutputSize) || `Command exited with code ${exitCode}`,
+        exitCode,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      command: payload.cmd,
+      status: "completed",
+      output: output.substring(0, maxOutputSize),
+      exitCode: 0,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } catch (err) {
+    return {
+      adapter: "shell",
+      commandId: cmd2.commandId,
+      command: payload.cmd,
+      status: "error",
+      error: err.message,
+      exitCode: err.status || 1,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+}
+var init_shellAdapter = __esm({
+  "src/adapters/shellAdapter.js"() {
+  }
+});
+
+// src/core/backup.js
+import fs11 from "fs";
+import path12 from "path";
+import crypto4 from "crypto";
+function createBackup(filePath, backupDir) {
+  const dir = backupDir || path12.resolve(".lbe/data/backups");
+  if (!fs11.existsSync(dir)) {
+    fs11.mkdirSync(dir, { recursive: true });
+  }
+  const target = path12.resolve(filePath);
+  const existed = fs11.existsSync(target);
+  let content = null;
+  let hash = null;
+  if (existed) {
+    content = fs11.readFileSync(target);
+    hash = crypto4.createHash("sha256").update(content).digest("hex");
+  }
+  const basename = path12.basename(target).replace(/[^a-zA-Z0-9._-]/g, "_");
+  const backupName = `${Date.now()}-${hash ? hash.slice(0, 8) : "new"}-${basename}`;
+  const backupPath = existed ? path12.join(dir, backupName) : null;
+  if (existed && content !== null) {
+    atomicWriteFileSync(backupPath, content);
+  }
+  return {
+    originalPath: target,
+    backupPath,
+    existed,
+    hash,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function restoreBackup(backupMeta) {
+  if (!backupMeta) return { restored: false, error: "No backup metadata" };
+  const { originalPath, backupPath, existed } = backupMeta;
+  if (!existed) {
+    try {
+      if (fs11.existsSync(originalPath)) fs11.unlinkSync(originalPath);
+      return { restored: true, action: "deleted" };
+    } catch (e) {
+      return { restored: false, error: e.message };
+    }
+  }
+  if (!backupPath || !fs11.existsSync(backupPath)) {
+    return { restored: false, error: "Backup file not found at: " + backupPath };
+  }
+  try {
+    const content = fs11.readFileSync(backupPath);
+    atomicWriteFileSync(originalPath, content);
+    return { restored: true, action: "restored" };
+  } catch (e) {
+    return { restored: false, error: e.message };
+  }
+}
+var init_backup = __esm({
+  "src/core/backup.js"() {
+    init_atomicWrite();
+  }
+});
+
+// src/adapters/fileAdapter.js
+import fs12 from "fs";
+import path13 from "path";
+function resolvedTarget(target, cwd) {
+  if (!target) return null;
+  return path13.isAbsolute(target) ? path13.resolve(target) : path13.resolve(cwd || process.cwd(), target);
+}
+function isUnderRoot(targetPath, roots) {
+  const norm = resolvePhysicalPath(targetPath);
+  return roots.some((r) => {
+    const root = resolvePhysicalPath(r);
+    return norm === root || norm.startsWith(root + path13.sep);
+  });
+}
+function resolvePhysicalPath(candidate) {
+  let current = path13.resolve(candidate);
+  const suffix = [];
+  while (!fs12.existsSync(current)) {
+    const parent = path13.dirname(current);
+    if (parent === current) break;
+    suffix.unshift(path13.basename(current));
+    current = parent;
+  }
+  try {
+    current = fs12.realpathSync(current);
+  } catch {
+  }
+  return path13.join(current, ...suffix);
+}
+function matchesDenyPattern(str, patterns) {
+  for (const pattern of patterns || []) {
+    const rx = new RegExp(
+      "^" + pattern.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/\\\\]*") + "$"
+    );
+    if (rx.test(str)) return pattern;
+  }
+  return null;
+}
+function blocked(cmd2, code, message, exitCode = 2) {
+  return {
+    adapter: "file",
+    commandId: cmd2.commandId,
+    status: "blocked",
+    errorCode: code,
+    error: message,
+    exitCode
+  };
+}
+function fail(cmd2, code, message, backup = null, exitCode = 1) {
+  return {
+    adapter: "file",
+    commandId: cmd2.commandId,
+    status: "error",
+    errorCode: code,
+    error: message,
+    backup: backup ? summariseBackup(backup) : null,
+    exitCode
+  };
+}
+function summariseBackup(b) {
+  return b ? { path: b.backupPath, existed: b.existed, hash: b.hash, createdAt: b.createdAt } : null;
+}
+async function fileAdapter(cmd2, policy, requester) {
+  const payload = cmd2.payload;
+  const action = payload.action;
+  const cwd = payload.cwd || process.cwd();
+  const target = resolvedTarget(payload.target, cwd);
+  if (!action) return blocked(cmd2, "FILE_NO_ACTION", "payload.action is required");
+  if (!target && action !== "noop") return blocked(cmd2, "FILE_NO_TARGET", "payload.target is required");
+  const roots = requester?.filesystem?.roots || [];
+  if (roots.length === 0) return blocked(cmd2, "FILE_NO_ROOTS", "No filesystem roots defined for requester");
+  if (!isUnderRoot(target, roots)) return blocked(cmd2, "FILE_OUTSIDE_ROOT", `'${target}' is outside allowed roots`);
+  const denied = matchesDenyPattern(target, requester?.filesystem?.denyPatterns);
+  if (denied) return blocked(cmd2, "FILE_PATH_DENIED", `'${target}' matches deny pattern: ${denied}`);
+  switch (action) {
+    case "read":
+      return doRead(cmd2, target);
+    case "write":
+      return doWrite(cmd2, target, payload);
+    case "patch":
+      return doPatch(cmd2, target, payload);
+    case "delete":
+      return doDelete(cmd2, target);
+    default:
+      return blocked(cmd2, "FILE_UNKNOWN_ACTION", `Unknown action: '${action}'`);
+  }
+}
+function doRead(cmd2, target) {
+  if (!fs12.existsSync(target)) return fail(cmd2, "FILE_NOT_FOUND", `Not found: ${target}`);
+  try {
+    const stat = fs12.statSync(target);
+    if (stat.size > MAX_READ_BYTES) return fail(cmd2, "FILE_TOO_LARGE", "File exceeds 10 MB read limit");
+    const content = fs12.readFileSync(target, "utf8");
+    return {
+      adapter: "file",
+      action: "read",
+      commandId: cmd2.commandId,
+      status: "completed",
+      target,
+      output: content,
+      bytesRead: stat.size,
+      exitCode: 0
+    };
+  } catch (e) {
+    return fail(cmd2, "FILE_READ_ERROR", e.message);
+  }
+}
+function doWrite(cmd2, target, payload) {
+  const content = payload.content;
+  if (content === void 0 || content === null) {
+    return fail(cmd2, "FILE_MISSING_CONTENT", "payload.content is required for write");
+  }
+  const backup = tryBackup(target);
+  try {
+    atomicWriteFileSync(target, content, { encoding: "utf8" });
+    return {
+      adapter: "file",
+      action: "write",
+      commandId: cmd2.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Wrote ${Buffer.byteLength(content, "utf8")} bytes to ${target}`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd2, "FILE_WRITE_ERROR", e.message, backup);
+  }
+}
+function doPatch(cmd2, target, payload) {
+  const content = payload.content;
+  if (content === void 0 || content === null) {
+    return fail(cmd2, "FILE_MISSING_CONTENT", "payload.content is required for patch");
+  }
+  const backup = tryBackup(target);
+  try {
+    atomicWriteFileSync(target, content, { encoding: "utf8" });
+    return {
+      adapter: "file",
+      action: "patch",
+      commandId: cmd2.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Patched ${target} (${Buffer.byteLength(content, "utf8")} bytes)`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd2, "FILE_PATCH_ERROR", e.message, backup);
+  }
+}
+function doDelete(cmd2, target) {
+  if (!fs12.existsSync(target)) return fail(cmd2, "FILE_NOT_FOUND", `Not found: ${target}`);
+  const backup = tryBackup(target);
+  try {
+    fs12.unlinkSync(target);
+    return {
+      adapter: "file",
+      action: "delete",
+      commandId: cmd2.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Deleted ${target}`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd2, "FILE_DELETE_ERROR", e.message, backup);
+  }
+}
+function tryBackup(target) {
+  try {
+    return createBackup(target);
+  } catch {
+    return null;
+  }
+}
+var MAX_READ_BYTES;
+var init_fileAdapter = __esm({
+  "src/adapters/fileAdapter.js"() {
+    init_atomicWrite();
+    init_backup();
+    MAX_READ_BYTES = 10 * 1024 * 1024;
+  }
+});
+
+// src/adapters/index.js
+function getAdapter(name) {
+  return ADAPTERS[name];
+}
+async function executeAdapter(adapterName, cmd2, policy, requester) {
+  const adapter = getAdapter(adapterName);
+  if (!adapter) {
+    return {
+      adapter: adapterName,
+      commandId: cmd2.commandId,
+      status: "error",
+      error: `Adapter '${adapterName}' not found`,
+      exitCode: 1
+    };
+  }
+  try {
+    return await adapter(cmd2, policy, requester);
+  } catch (err) {
+    return {
+      adapter: adapterName,
+      commandId: cmd2.commandId,
+      status: "error",
+      error: `Adapter execution failed: ${err.message}`,
+      exitCode: 9
+    };
+  }
+}
+var ADAPTERS, AVAILABLE_ADAPTERS;
+var init_adapters = __esm({
+  "src/adapters/index.js"() {
+    init_noopAdapter();
+    init_shellAdapter();
+    init_fileAdapter();
+    ADAPTERS = {
+      noop: noopAdapter,
+      shell: shellAdapter,
+      file: fileAdapter
+    };
+    AVAILABLE_ADAPTERS = Object.keys(ADAPTERS);
+  }
+});
+
+// src/exec/localExecutor.js
+var localExecutor_exports = {};
+__export(localExecutor_exports, {
+  createLocalExecutor: () => createLocalExecutor
+});
+import crypto5 from "crypto";
+import fs13 from "fs";
+import path14 from "path";
+function error(code, message, recoverable = false) {
+  return { ok: false, decision: "deny", executed: false, dryRun: false, error: { code, message, recoverable } };
+}
+function commandPolicy(rootDir, actor, shell = {}) {
+  const now = /* @__PURE__ */ new Date();
+  const expires = new Date(now.getTime() + 365 * 24 * 60 * 60 * 1e3);
+  return {
+    version: 1,
+    default: "DENY",
+    requesters: {
+      [actor]: {
+        allowCommands: Object.values(INTENTS).map((item) => item.id),
+        allowAdapters: ["file", "shell"],
+        filesystem: { roots: [rootDir], denyPatterns: [] },
+        exec: { allowCmds: shell.allowCommands || [], denyCmds: shell.denyCommands || [] },
+        rateLimit: { windowSec: 60, maxRequests: shell.maxRequests || 60 }
+      }
+    },
+    security: { maxClockSkewSec: 600, defaultRateLimit: { windowSec: 60, maxRequests: 60 } },
+    _keyWindow: { notBefore: now.toISOString(), expiresAt: expires.toISOString() }
+  };
+}
+function physicalPath2(candidate) {
+  let current = path14.resolve(candidate);
+  const suffix = [];
+  while (!fs13.existsSync(current)) {
+    const parent = path14.dirname(current);
+    if (parent === current) break;
+    suffix.unshift(path14.basename(current));
+    current = parent;
+  }
+  try {
+    current = fs13.realpathSync(current);
+  } catch {
+  }
+  return path14.join(current, ...suffix);
+}
+function underRoot(candidate, root) {
+  const target = physicalPath2(candidate);
+  const resolvedRoot = physicalPath2(root);
+  return target === resolvedRoot || target.startsWith(resolvedRoot + path14.sep);
+}
+function scanContent(value, fieldName) {
+  if (typeof value !== "string") return null;
+  for (const pattern of FORBIDDEN_CONTENT) {
+    if (pattern.test(value)) {
+      return error("PAYLOAD_CONTENT_REJECTED", `Forbidden pattern in ${fieldName}: ${pattern}`);
+    }
+  }
+  return null;
+}
+function normalize(rootDir, request, shell = {}) {
+  if (!request || typeof request !== "object") return { error: error("REQUEST_INVALID", "request must be an object") };
+  const detail = INTENTS[request.intent];
+  if (!detail) return { error: error("INTENT_UNSUPPORTED", `Unsupported intent '${request.intent}'`) };
+  const actor = typeof request.actor === "string" && request.actor ? request.actor : "agent:local";
+  let target = null;
+  if (detail.adapter === "file") {
+    if (typeof request.target !== "string" || !request.target) return { error: error("TARGET_REQUIRED", "target is required for file intents") };
+    target = path14.resolve(rootDir, request.target);
+    if (!underRoot(target, rootDir)) return { error: error("PATH_OUTSIDE_ROOT", "target is outside project root") };
+    if (["write_file", "patch_file"].includes(request.intent) && typeof request.content !== "string") {
+      return { error: error("CONTENT_REQUIRED", "content is required for write and patch") };
+    }
+    const contentScan = scanContent(request.content, "content");
+    if (contentScan) return { error: contentScan };
+  }
+  let command = null;
+  if (detail.adapter === "shell") {
+    command = request.command;
+    if (!command || typeof command.cmd !== "string" || !Array.isArray(command.args) || command.args.some((arg) => typeof arg !== "string")) {
+      return { error: error("COMMAND_INVALID", "command requires cmd and string args") };
+    }
+    const cwd = path14.resolve(rootDir, command.cwd || ".");
+    if (!underRoot(cwd, rootDir)) return { error: error("CWD_OUTSIDE_ROOT", "command cwd is outside project root") };
+    if (!Array.isArray(shell.allowCommands) || !shell.allowCommands.includes(command.cmd)) {
+      return { error: error("SHELL_NOT_ALLOWLISTED", `command '${command.cmd}' is not explicitly allowlisted`) };
+    }
+    if (shell.denyCommands?.includes(command.cmd)) return { error: error("SHELL_DENIED", `command '${command.cmd}' is denied`) };
+    command = { ...command, cwd, timeoutMs: Math.min(Math.max(command.timeoutMs || 3e4, 1), 3e4), maxOutputBytes: Math.min(Math.max(command.maxOutputBytes || 1024 * 1024, 1024), 1024 * 1024) };
+  }
+  return { actor, detail, target, command, request };
+}
+function envelope(normalized, keyId, secretKey) {
+  const { actor, detail, target, command, request } = normalized;
+  const body = {
+    id: detail.id,
+    risk: MUTATIONS.has(request.intent) ? "MEDIUM" : "LOW",
+    commandId: crypto5.randomUUID(),
+    requesterId: actor,
+    sessionId: "local-host",
+    timestamp: Math.floor(Date.now() / 1e3),
+    nonce: crypto5.randomBytes(32).toString("hex"),
+    requires: ["policy", "signature"],
+    payload: {
+      adapter: detail.adapter,
+      action: detail.action,
+      target,
+      content: request.content,
+      cmd: command?.cmd,
+      args: command?.args,
+      timeoutMs: command?.timeoutMs,
+      maxOutputBytes: command?.maxOutputBytes,
+      cwd: command?.cwd || (target ? path14.dirname(target) : process.cwd())
+    }
+  };
+  const signed = signEd25519({ payloadObj: body, secretKeyB64: secretKey });
+  if (signed.error) throw new Error(signed.error);
+  return { ...body, signature: { alg: "ed25519", keyId, sig: signed.signature } };
+}
+function createLocalExecutor(options = {}) {
+  const rootDir = path14.resolve(options.rootDir || process.cwd());
+  const keyId = options.keyId || "host:local-exec";
+  const keyPair = options.keyPair || generateKeyPair();
+  const shell = options.shell || {};
+  function prepare(request, { recordNonce = false } = {}) {
+    const normalized = normalize(rootDir, request, shell);
+    if (normalized.error) return normalized;
+    const local = loadLocalPolicy(rootDir, options.mode || "enforce");
+    const localDecision = evaluateLocalPolicy(local.policy, rootDir, { target: normalized.target, command: normalized.command?.cmd });
+    const localBlocked = local.policy.mode === "enforce" && !localDecision.allowed;
+    if (localBlocked) return { error: error("LOCAL_POLICY_DENY", `Blocked by rule(s): ${localDecision.winningRules.map((rule) => rule.id).join(", ")}`), local, localDecision, normalized };
+    const policy = commandPolicy(rootDir, normalized.actor, shell);
+    const keyStore = { defaultKeyId: keyId, trustedKeys: { [keyId]: { publicKey: keyPair.publicKey, notBefore: policy._keyWindow.notBefore, expiresAt: policy._keyWindow.expiresAt, deprecated: false } } };
+    delete policy._keyWindow;
+    const proposal = envelope(normalized, keyId, keyPair.secretKey);
+    const nonceDb = { entries: [] };
+    const validation = validateCommand({ commandObj: proposal, keyStore, nonceDb: recordNonce ? nonceDb : { entries: [] }, policy });
+    if (!validation.valid) return { error: error(validation.errors[0]?.type || "VALIDATION_FAILED", validation.errors[0]?.message || "Validation failed"), local, localDecision, normalized, proposal, policy, validation };
+    return { local, localDecision, normalized, proposal, policy, validation };
+  }
+  async function dryRun(request) {
+    const prepared = prepare(request);
+    if (prepared.error) return { ...prepared.error, dryRun: true };
+    return {
+      ok: true,
+      decision: prepared.local.policy.mode === "observe" ? "observe" : "allow",
+      executed: false,
+      dryRun: true,
+      matchedRules: prepared.localDecision.winningRules.map((rule) => rule.id),
+      rollback: { available: MUTATIONS.has(prepared.normalized.request.intent), performed: false }
+    };
+  }
+  async function execute(request) {
+    const prepared = prepare(request, { recordNonce: true });
+    if (prepared.error) {
+      auditLocalPolicy(rootDir, { action: request?.intent, actor: request?.actor || "agent:local", decision: "deny", error: prepared.error.error.code });
+      return prepared.error;
+    }
+    if (prepared.local.policy.mode === "observe") {
+      appendAudit(path14.join(rootDir, ".lbe/audit.jsonl"), {
+        kind: "local_execution",
+        commandId: prepared.proposal.commandId,
+        requesterId: prepared.normalized.actor,
+        intent: prepared.normalized.request.intent,
+        decision: "observe",
+        status: "observed"
+      });
+      return {
+        ok: true,
+        decision: "observe",
+        executed: false,
+        dryRun: false,
+        matchedRules: prepared.localDecision.winningRules.map((r) => r.id),
+        rollback: { available: false, performed: false }
+      };
+    }
+    const requester = prepared.policy.requesters[prepared.normalized.actor];
+    const adapterResult = await executeAdapter(prepared.normalized.detail.adapter, prepared.proposal, prepared.policy, requester);
+    const ok = adapterResult.status === "completed";
+    const audit = appendAudit(path14.join(rootDir, ".lbe/audit.jsonl"), {
+      kind: "local_execution",
+      commandId: prepared.proposal.commandId,
+      requesterId: prepared.normalized.actor,
+      intent: prepared.normalized.request.intent,
+      decision: ok ? "allow" : "deny",
+      status: adapterResult.status
+    });
+    return {
+      ok,
+      decision: ok ? "allow" : "deny",
+      executed: ok,
+      dryRun: false,
+      matchedRules: prepared.localDecision.winningRules.map((rule) => rule.id),
+      auditId: audit.hash,
+      rollback: { available: MUTATIONS.has(prepared.normalized.request.intent), performed: false, backupId: adapterResult.backup?.hash },
+      ...ok ? {} : { error: { code: adapterResult.errorCode || "EXECUTION_FAILED", message: adapterResult.error || "Execution failed", recoverable: true } }
+    };
+  }
+  const writeFile = (target, content) => execute({ intent: "write_file", target, content });
+  const readFile = (target) => execute({ intent: "read_file", target });
+  const patchFile = (target, content) => execute({ intent: "patch_file", target, content });
+  const deleteFile = (target) => execute({ intent: "delete_file", target });
+  const runShell = (cmd2, args = [], opts2 = {}) => execute({ intent: "run_shell", command: { cmd: cmd2, args, ...opts2 } });
+  return {
+    rootDir,
+    // High-level API — use these
+    writeFile,
+    readFile,
+    patchFile,
+    deleteFile,
+    runShell,
+    // Low-level API — for advanced use
+    validate: async (request) => {
+      const preview = await dryRun(request);
+      return { ...preview, dryRun: false, executed: false };
+    },
+    dryRun,
+    execute,
+    policy: {
+      read: () => loadLocalPolicy(rootDir, options.mode || "enforce").policy,
+      proposeRule: proposePolicyRule,
+      addRule: (rule) => addLocalPolicyRule(rootDir, rule, options.mode || "enforce")
+    },
+    audit: { verify: () => verifyAuditLogIntegrity(path14.join(rootDir, ".lbe/audit.jsonl")) }
+  };
+}
+var INTENTS, MUTATIONS, FORBIDDEN_CONTENT;
+var init_localExecutor = __esm({
+  "src/exec/localExecutor.js"() {
+    init_signature();
+    init_validator();
+    init_adapters();
+    init_auditLog();
+    init_localPolicy();
+    INTENTS = {
+      read_file: { id: "READ_FILE", adapter: "file", action: "read" },
+      write_file: { id: "WRITE_FILE", adapter: "file", action: "write" },
+      patch_file: { id: "PATCH_FILE", adapter: "file", action: "patch" },
+      delete_file: { id: "DELETE_FILE", adapter: "file", action: "delete" },
+      run_shell: { id: "RUN_SHELL", adapter: "shell", action: "run" }
+    };
+    MUTATIONS = /* @__PURE__ */ new Set(["write_file", "patch_file", "delete_file"]);
+    FORBIDDEN_CONTENT = [
+      /\beval\s*\(/i,
+      /\bFunction\s*\(/i,
+      /\bexec\s*\(/i,
+      /\brequire\s*\(/,
+      /\bimport\s*\(/,
+      /\bchild_process\b/,
+      /\b__proto__\b/,
+      /\bconstructor\s*\[/,
+      /evalScript/i
+    ];
+  }
+});
+
+// exec/cli.js
+import fs14 from "fs";
+import path15 from "path";
+
+// src/cli/commands/init.js
+init_signature();
+import fs4 from "fs";
+import path4 from "path";
+import readline from "readline";
+
+// src/core/policySignature.js
+init_signature();
+import fs2 from "fs";
+import path2 from "path";
+
+// src/core/trustedKeys.js
+import fs from "fs";
+import path from "path";
+
+// src/core/policySignature.js
+function createPolicySignatureEnvelope({ policyObj, secretKeyB64, keyId }) {
+  const signResult = signEd25519({
+    payloadObj: policyObj,
+    secretKeyB64
+  });
+  if (signResult.error) {
+    return {
+      ok: false,
+      reason: "POLICY_SIGNATURE_CREATE_FAILED",
+      message: signResult.error,
+      envelope: null
+    };
+  }
+  return {
+    ok: true,
+    reason: null,
+    message: "Policy signature created",
+    envelope: {
+      alg: "ed25519",
+      keyId,
+      sig: signResult.signature,
+      createdAt: Math.floor(Date.now() / 1e3)
+    }
+  };
+}
+
+// src/core/workspaceScanner.js
+import fs3 from "fs";
+import path3 from "path";
+var PROJECT_SIGNALS = [
+  // Code types — ordered by priority for primaryType resolution
+  { file: "package.json", type: "node" },
+  { file: "pyproject.toml", type: "python" },
+  { file: "requirements.txt", type: "python" },
+  { file: "go.mod", type: "go" },
+  { file: "Cargo.toml", type: "rust" },
+  { file: "pom.xml", type: "java" },
+  { file: "build.gradle", type: "java" },
+  { file: "build.gradle.kts", type: "java" },
+  // Infrastructure types — supplementary, not primary
+  { file: "Dockerfile", type: "docker" },
+  { file: "docker-compose.yml", type: "docker" },
+  { dir: ".github/workflows", type: "ci" },
+  { file: ".gitlab-ci.yml", type: "ci" },
+  { dir: ".circleci", type: "ci" },
+  { file: "Jenkinsfile", type: "ci" },
+  { file: ".travis.yml", type: "ci" }
+];
+var CODE_TYPES = ["node", "python", "go", "rust", "java"];
+var SURFACE_MAP = {
+  source: ["src", "lib", "app", "pages", "components", "core", "api", "server", "client", "pkg", "cmd"],
+  generated: ["dist", "build", ".next", "out", "coverage", "target", ".cache", "__pycache__", ".turbo"],
+  tests: ["test", "tests", "__tests__", "spec", "e2e"],
+  docs: ["docs", "doc", "documentation"]
+};
+var SECRET_GLOBS = [".env", ".env.*", "keys/**", "secrets/**", "*.key", "*.pem", "*.p12", "*.pfx", "*.crt"];
+var ALWAYS_DENY = ["node_modules/**", ".git/**"];
+var LOCKFILES_BY_TYPE = {
+  node: ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"],
+  python: ["Pipfile.lock", "poetry.lock"],
+  go: ["go.sum"],
+  rust: ["Cargo.lock"],
+  java: ["gradle/wrapper/**"],
+  docker: [],
+  ci: [],
+  generic: []
+};
+var CONFIG_FILES_BY_TYPE = {
+  node: [
+    "package.json",
+    "tsconfig*.json",
+    "jest.config.*",
+    "vite.config.*",
+    "next.config.*",
+    "webpack.config.*",
+    ".eslintrc*",
+    ".eslint.config.*",
+    ".prettierrc*",
+    "babel.config.*"
+  ],
+  python: [
+    "pyproject.toml",
+    "setup.py",
+    "setup.cfg",
+    "tox.ini",
+    "pytest.ini",
+    "mypy.ini",
+    ".flake8",
+    ".pylintrc",
+    "Pipfile"
+  ],
+  go: ["go.mod", ".golangci.yml", ".golangci.yaml"],
+  rust: ["Cargo.toml", "rust-toolchain.toml", "clippy.toml", ".rustfmt.toml"],
+  java: [
+    "pom.xml",
+    "build.gradle",
+    "build.gradle.kts",
+    "gradle.properties",
+    "settings.gradle",
+    "settings.gradle.kts"
+  ],
+  docker: ["Dockerfile", "docker-compose.yml", ".dockerignore"],
+  ci: [".gitlab-ci.yml", "Jenkinsfile", ".travis.yml"],
+  generic: ["Makefile", "CMakeLists.txt", "meson.build"]
+};
+var CONFIG_FILES_UNIVERSAL = [".editorconfig", ".nvmrc", ".node-version", ".python-version"];
+var CONFIG_DIRS_UNIVERSAL = ["config", ".github", ".gitlab", ".circleci", ".vscode"];
+var CONFIG_LABEL = {
+  node: "dependency and build config",
+  python: "package and environment config",
+  go: "module definition",
+  rust: "crate manifest",
+  java: "build definition",
+  docker: "container config",
+  ci: "pipeline definition",
+  generic: "project config"
+};
+var LOCKFILE_LABEL = {
+  node: "package manager",
+  python: "dependency resolver",
+  go: "module checksums",
+  rust: "dependency resolver",
+  java: "Gradle wrapper"
+};
+var FALLBACK_MANIFESTS = [
+  "composer.json",
+  // PHP
+  "Gemfile",
+  // Ruby
+  "mix.exs",
+  // Elixir
+  "pubspec.yaml",
+  // Dart / Flutter
+  "Package.swift",
+  // Swift
+  "project.clj",
+  // Clojure
+  "build.sbt",
+  // Scala
+  "stack.yaml",
+  // Haskell
+  "deno.json",
+  "deno.jsonc",
+  // Deno
+  "Podfile"
+  // CocoaPods (iOS/macOS)
+];
+var FALLBACK_LOCKFILES = [
+  "composer.lock",
+  // PHP
+  "Gemfile.lock",
+  // Ruby
+  "mix.lock",
+  // Elixir
+  "pubspec.lock",
+  // Dart / Flutter
+  "Package.resolved"
+  // Swift
+];
+var FALLBACK_EXTENSIONS = [".csproj", ".fsproj", ".sln", ".cabal"];
+function exists(p) {
+  return fs3.existsSync(p);
+}
+function detectDirs(root, names) {
+  return names.filter((n) => exists(path3.join(root, n))).map((n) => `${n}/**`);
+}
+function readGitignore(root) {
+  const p = path3.join(root, ".gitignore");
+  if (!exists(p)) return [];
+  return fs3.readFileSync(p, "utf8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#") && !l.startsWith("!")).map((l) => l.endsWith("/") ? l + "**" : l);
+}
+function dedup(arr) {
+  return arr.filter((v, i, a) => v && a.indexOf(v) === i);
+}
+function detectProjectTypes(root) {
+  const seen = /* @__PURE__ */ new Set();
+  const types = [];
+  for (const sig of PROJECT_SIGNALS) {
+    if (seen.has(sig.type)) continue;
+    const p = path3.join(root, sig.file || sig.dir);
+    if (exists(p)) {
+      seen.add(sig.type);
+      types.push(sig.type);
+    }
+  }
+  return types.length > 0 ? types : ["generic"];
+}
+function primaryType(projectTypes) {
+  return CODE_TYPES.find((t) => projectTypes.includes(t)) ?? "generic";
+}
+function scanFallbackManifests(root) {
+  const manifests = FALLBACK_MANIFESTS.filter((f) => exists(path3.join(root, f)));
+  const lockfiles = FALLBACK_LOCKFILES.filter((f) => exists(path3.join(root, f)));
+  try {
+    const entries = fs3.readdirSync(root);
+    for (const e of entries) {
+      if (FALLBACK_EXTENSIONS.some((ext) => e.endsWith(ext))) manifests.push(e);
+    }
+  } catch {
+  }
+  return { manifests, lockfiles };
+}
+function detectSurfaces(root, projectTypes) {
+  const s = {};
+  for (const [key, names] of Object.entries(SURFACE_MAP)) {
+    s[key] = detectDirs(root, names);
+  }
+  s.secrets = SECRET_GLOBS.filter((g) => {
+    const base = g.split("/")[0].replace(/\*.*/, "");
+    return base.includes("*") || exists(path3.join(root, base));
+  });
+  const typeConfigFiles = dedup(
+    projectTypes.flatMap((t) => CONFIG_FILES_BY_TYPE[t] || CONFIG_FILES_BY_TYPE.generic).concat(CONFIG_FILES_UNIVERSAL)
+  );
+  s.config = dedup([
+    ...typeConfigFiles.filter((f) => !f.includes("*") && !f.endsWith("/**") && exists(path3.join(root, f))),
+    ...typeConfigFiles.filter((f) => f.endsWith("/**") && exists(path3.join(root, f.replace("/**", "")))),
+    ...detectDirs(root, CONFIG_DIRS_UNIVERSAL)
+  ]);
+  s.lockfiles = dedup(
+    projectTypes.flatMap((t) => LOCKFILES_BY_TYPE[t] || []).filter((f) => {
+      const base = f.replace(/\*.*/, "").split("/")[0];
+      return base.includes("*") || exists(path3.join(root, base));
+    })
+  );
+  if (!projectTypes.some((t) => CODE_TYPES.includes(t))) {
+    const fb = scanFallbackManifests(root);
+    s.config = dedup([...s.config, ...fb.manifests]);
+    s.lockfiles = dedup([...s.lockfiles, ...fb.lockfiles]);
+  }
+  return s;
+}
+function buildSemantics(projectTypes, primary, surfaces) {
+  const sem = {};
+  sem.structure = "Preserve the existing folder structure. Add new files within established directories. Do not create top-level directories, reorganize, or rename existing folders.";
+  if (surfaces.source.length > 0) {
+    sem.source = `Source code lives in ${surfaces.source.join(", ")}. Make feature changes and bug fixes here only.`;
+  }
+  sem.secrets = `Never propose changes to credential or key files (${SECRET_GLOBS.slice(0, 4).join(", ")} \u2026). These are never task targets regardless of the instruction.`;
+  if (surfaces.generated.length > 0) {
+    sem.generated = `${surfaces.generated.join(", ")} contain generated output. Modify the source files that produce them; never write to generated directories directly.`;
+  }
+  if (surfaces.config.length > 0) {
+    const codeTypes = projectTypes.filter((t) => CODE_TYPES.includes(t));
+    const label = codeTypes.length === 1 ? CONFIG_LABEL[codeTypes[0]] : "project configuration";
+    const listed = surfaces.config.slice(0, 5).join(", ");
+    const trailer = surfaces.config.length > 5 ? " and related files" : "";
+    sem.config = `Treat ${listed}${trailer} as ${label} files. Do not modify them unless the task explicitly requires a configuration or dependency change.`;
+  }
+  if (surfaces.tests.length > 0) {
+    sem.tests = `Test files in ${surfaces.tests.join(", ")} validate behavior. Update them only when the behavior they cover changes.`;
+  }
+  if (surfaces.lockfiles?.length > 0) {
+    const label = LOCKFILE_LABEL[primary] || "tooling";
+    const listed = surfaces.lockfiles.slice(0, 3).join(", ");
+    sem.lockfiles = `${listed} are generated by the ${label}. Never edit them directly.`;
+  }
+  if (primary === "generic") {
+    const foundManifests = surfaces.config.filter((f) => !f.endsWith("/**"));
+    if (foundManifests.length > 0) {
+      sem.unknown = `This project uses an unrecognized toolchain. Treat ${foundManifests.slice(0, 3).join(", ")} as dependency/manifest files. Do not modify them unless the task explicitly requires a dependency change.`;
+    } else {
+      sem.unknown = "This project uses an unrecognized toolchain. Do not assume standard source layouts, dependency files, or build conventions apply. Confirm any structural assumption before acting.";
+    }
+  }
+  if (projectTypes.includes("docker")) {
+    sem.docker = "Dockerfile and docker-compose.yml define the container environment. Treat them as infrastructure config \u2014 only modify when the task explicitly involves container or environment changes.";
+  }
+  if (projectTypes.includes("ci")) {
+    sem.ci = "CI config files (.github/**, .gitlab-ci.yml, etc.) define the build and deployment pipeline. Do not modify them unless the task explicitly involves CI/CD changes.";
+  }
+  return sem;
+}
+function buildEnforcement(surfaces, gitignorePatterns) {
+  const allow = dedup([...surfaces.source, ...surfaces.docs, ...surfaces.tests]);
+  const approval = [...surfaces.config];
+  const deny = dedup([
+    ...surfaces.secrets,
+    ...surfaces.generated,
+    ...surfaces.lockfiles || [],
+    ...ALWAYS_DENY,
+    ...gitignorePatterns.filter((p) => p.endsWith("/**")).slice(0, 8)
+  ]);
+  return {
+    allow: allow.length > 0 ? allow : ["src/**"],
+    approval: approval.length > 0 ? approval : [],
+    deny
+  };
+}
+function scanWorkspace(rootDir) {
+  const root = path3.resolve(rootDir || process.cwd());
+  const projectTypes = detectProjectTypes(root);
+  const primary = primaryType(projectTypes);
+  const surfaces = detectSurfaces(root, projectTypes);
+  const gitignore = readGitignore(root);
+  const semantics = buildSemantics(projectTypes, primary, surfaces);
+  const enforcement = buildEnforcement(surfaces, gitignore);
+  return { projectTypes, primaryType: primary, surfaces, semantics, enforcement };
+}
+function formatSummary(projectTypes, semantics, enforcement) {
+  const lines = [];
+  const label = Array.isArray(projectTypes) ? projectTypes.join(" + ") : projectTypes;
+  lines.push(`Detected: ${label}`);
+  lines.push("");
+  lines.push("Agent semantics:");
+  for (const [, v] of Object.entries(semantics)) {
+    lines.push(`  - ${v}`);
+  }
+  lines.push("");
+  lines.push("Enforcement:");
+  if (enforcement.allow.length) lines.push(`  allow:    ${enforcement.allow.join(", ")}`);
+  if (enforcement.approval.length) lines.push(`  approval: ${enforcement.approval.join(", ")}`);
+  if (enforcement.deny.length) lines.push(`  deny:     ${enforcement.deny.slice(0, 6).join(", ")}${enforcement.deny.length > 6 ? " \u2026" : ""}`);
+  return lines.join("\n");
+}
+
+// src/cli/commands/init.js
+function ask(question) {
+  if (!process.stdin.isTTY) return Promise.resolve("y");
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (ans) => {
+      rl.close();
+      resolve(ans.trim().toLowerCase());
+    });
+  });
+}
+function applyStrict(enforcement) {
+  return {
+    ...enforcement,
+    deny: [.../* @__PURE__ */ new Set([...enforcement.deny, ...enforcement.approval, "*.json", "config/**"])],
+    approval: []
+  };
+}
+function applyRelaxed(enforcement) {
+  return { ...enforcement, approval: [] };
+}
+function setupCrypto(cwd) {
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  const expiresAt = new Date(Date.now() + 180 * 24 * 60 * 60 * 1e3).toISOString();
+  const defaultKeyId = "agent:gpt-v1-2026Q1";
+  const signerKeyId = "policy-signer-v1-2026Q1";
+  const lbeDir = path4.join(cwd, ".lbe");
+  for (const d of ["config", "keys", "data"]) {
+    fs4.mkdirSync(path4.join(lbeDir, d), { recursive: true });
+  }
+  const dataFiles = {
+    ".lbe/data/nonce.db.json": JSON.stringify({ entries: [] }, null, 2),
+    ".lbe/data/rate-limit.db.json": JSON.stringify({ entries: [] }, null, 2),
+    ".lbe/data/policy.state.json": JSON.stringify({ schemaVersion: "1", lastAccepted: null, updatedAt: null }, null, 2),
+    ".lbe/data/audit.log.jsonl": ""
+  };
+  for (const [rel, content] of Object.entries(dataFiles)) {
+    const p = path4.join(cwd, rel);
+    if (!fs4.existsSync(p)) fs4.writeFileSync(p, content);
+  }
+  const keyDir = path4.join(lbeDir, "keys");
+  const pubPath = path4.join(keyDir, "public.key");
+  const secPath = path4.join(keyDir, "secret.key");
+  let publicKeyB64, secretKeyB64;
+  if (fs4.existsSync(pubPath) && fs4.existsSync(secPath)) {
+    publicKeyB64 = fs4.readFileSync(pubPath, "utf8").trim();
+    secretKeyB64 = fs4.readFileSync(secPath, "utf8").trim();
+  } else {
+    const kp = generateKeyPair();
+    publicKeyB64 = kp.publicKey;
+    secretKeyB64 = kp.secretKey;
+    fs4.writeFileSync(pubPath, publicKeyB64);
+    fs4.writeFileSync(secPath, secretKeyB64, { mode: 384 });
+  }
+  const keysPath = path4.join(lbeDir, "config/keys.json");
+  const keysStore = fs4.existsSync(keysPath) ? JSON.parse(fs4.readFileSync(keysPath, "utf8")) : { schemaVersion: "1", defaultKeyId, trustedKeys: {} };
+  for (const keyId of [defaultKeyId, signerKeyId]) {
+    if (!keysStore.trustedKeys[keyId]) {
+      keysStore.trustedKeys[keyId] = {
+        publicKey: publicKeyB64,
+        notBefore: nowIso,
+        expiresAt,
+        validFrom: nowIso,
+        validUntil: expiresAt,
+        deprecated: false
+      };
+    }
+  }
+  keysStore.defaultKeyId = defaultKeyId;
+  fs4.writeFileSync(keysPath, JSON.stringify(keysStore, null, 2));
+  const policyPath = path4.join(lbeDir, "config/policy.default.json");
+  let policyObj;
+  if (fs4.existsSync(policyPath)) {
+    policyObj = JSON.parse(fs4.readFileSync(policyPath, "utf8"));
+  } else {
+    policyObj = {
+      default: "DENY",
+      version: "1.0.0",
+      createdAt: nowIso,
+      security: {
+        maxClockSkewSec: 600,
+        maxPolicyCreatedAtSkewSec: 31536e3,
+        defaultRateLimit: { windowSec: 60, maxRequests: 30 }
+      },
+      requesters: {
+        "agent:gpt": {
+          allowAdapters: ["noop", "shell"],
+          allowCommands: ["RUN_SHELL"],
+          rateLimit: { windowSec: 60, maxRequests: 30 },
+          filesystem: { roots: [cwd], denyPatterns: ["**/.git/**", "**/secrets/**", "**/*.key"] },
+          exec: { allowCmds: ["ls", "node", "python", "echo"], denyCmds: ["rm", "chmod", "chown", "curl", "wget", "su", "sudo"] }
+        }
+      }
+    };
+    fs4.writeFileSync(policyPath, JSON.stringify(policyObj, null, 2));
+  }
+  const sigResult = createPolicySignatureEnvelope({ policyObj, secretKeyB64, keyId: signerKeyId });
+  if (sigResult.ok) {
+    fs4.writeFileSync(path4.join(lbeDir, "config/policy.sig.json"), JSON.stringify(sigResult.envelope, null, 2));
+  }
+  return { defaultKeyId, secretKeyB64, publicKeyB64 };
+}
+function agentContractContent() {
+  return `# LBE Governance Contract
+
+This project has LetterBlack LBE (Local-first execution Governance) active.
+
+## Your role as an agent
+
+You do not have direct access to the file system or shell in this workspace.
+Every file write, file read, file delete, and shell command must go through the
+LBE executor. The executor validates every action against the project policy,
+signs it, audits it, and either allows or blocks it \u2014 transparently.
+
+You do not need to know how this works. You only need to use the right methods.
+
+## How to perform actions
+
+\`\`\`js
+import { createLocalExecutor } from '@letterblack/lbe-exec';
+const lbe = createLocalExecutor({ rootDir: process.cwd() });
+
+// File operations
+await lbe.writeFile('output/report.md', content);
+await lbe.readFile('src/config.json');
+await lbe.patchFile('src/index.js', patch);
+await lbe.deleteFile('tmp/scratch.txt');
+
+// Shell (only explicitly allowlisted commands run)
+await lbe.runShell('node', ['scripts/build.js']);
+\`\`\`
+
+## What you must never do
+
+- Call file system APIs directly (fs.writeFile, fs.readFile, etc.)
+- Call child_process or exec directly
+- Modify \`lbe.policy.json\` directly \u2014 propose a rule via \`lbe.policy.proposeRule()\`
+- Attempt to bypass, patch, or disable the executor
+
+## Proposing a new policy rule
+
+If you believe a rule should be added or removed, propose it and let the
+controller decide:
+
+\`\`\`js
+const proposal = lbe.policy.proposeRule({
+  effect: 'deny',
+  type: 'path',
+  pattern: 'secrets/**',
+  from: 'agent: these files should never be modified'
+});
+// Return proposal to the user. Never call lbe.policy.addRule() yourself.
+\`\`\`
+
+## Result shape
+
+Every method returns:
+\`\`\`
+{ ok: boolean, decision: 'allow' | 'deny' | 'observe', executed: boolean }
+\`\`\`
+
+If \`ok\` is false, the action was blocked. Check \`result.error.message\` for reason.
+
+## Current policy
+
+See \`lbe.policy.json\` in the project root.
+See \`.lbe/audit.jsonl\` for the execution audit trail.
+
+## CLI
+
+\`\`\`bash
+npx lbe-exec status    # mode, rule count, audit entry count
+npx lbe-exec policy    # list active rules
+npx lbe-exec observe   # switch to observer mode
+npx lbe-exec enforce   # switch to enforcement mode
+\`\`\`
+`;
+}
+function claudeMdSection() {
+  return `<!-- lbe-governance -->
+## LBE Execution Governance
+
+This project has LetterBlack LBE active. All file and shell operations must
+route through the LBE executor \u2014 do not use file system tools directly.
+
+### Use these methods
+
+\`\`\`js
+import { createLocalExecutor } from '@letterblack/lbe-exec';
+const lbe = createLocalExecutor({ rootDir: process.cwd() });
+
+await lbe.writeFile('path/to/file', content);
+await lbe.readFile('path/to/file');
+await lbe.patchFile('path/to/file', patch);
+await lbe.deleteFile('path/to/file');
+await lbe.runShell('node', ['script.js']);
+\`\`\`
+
+### Rules
+
+- Never call \`fs.*\` or \`child_process.*\` directly
+- Never write to \`lbe.policy.json\` directly \u2014 use \`lbe.policy.proposeRule()\`
+- Every blocked action has a reason in \`result.error.message\`
+- Audit trail is in \`.lbe/audit.jsonl\`
+
+See \`.lbe/AGENT_CONTRACT.md\` for the full agent contract.
+<!-- /lbe-governance -->`;
+}
+function copilotInstructionsContent() {
+  return `# LBE Governance \u2014 Copilot Instructions
+
+This project has LetterBlack LBE active. All file and shell operations must
+route through the LBE executor.
+
+## Required
+
+Use \`@letterblack/lbe-exec\` for all file and shell actions:
+
+\`\`\`js
+const lbe = createLocalExecutor({ rootDir: process.cwd() });
+await lbe.writeFile(path, content);
+await lbe.readFile(path);
+await lbe.runShell(cmd, args);
+\`\`\`
+
+## Forbidden
+
+- Direct \`fs.*\` calls
+- Direct \`child_process.*\` or \`exec\` calls
+- Writing to \`lbe.policy.json\` directly
+
+See \`.lbe/AGENT_CONTRACT.md\` for the full contract.
+`;
+}
+function writeAgentGovernanceFiles(cwd) {
+  const lbeDir = path4.join(cwd, ".lbe");
+  fs4.mkdirSync(lbeDir, { recursive: true });
+  fs4.writeFileSync(path4.join(lbeDir, "AGENT_CONTRACT.md"), agentContractContent());
+  const claudePath = path4.join(cwd, "CLAUDE.md");
+  const section = claudeMdSection();
+  if (fs4.existsSync(claudePath)) {
+    const existing = fs4.readFileSync(claudePath, "utf8");
+    if (!existing.includes("<!-- lbe-governance -->")) {
+      fs4.appendFileSync(claudePath, "\n\n" + section + "\n");
+    }
+  } else {
+    fs4.writeFileSync(claudePath, section + "\n");
+  }
+  const githubDir = path4.join(cwd, ".github");
+  fs4.mkdirSync(githubDir, { recursive: true });
+  const copilotPath = path4.join(githubDir, "copilot-instructions.md");
+  if (!fs4.existsSync(copilotPath)) {
+    fs4.writeFileSync(copilotPath, copilotInstructionsContent());
+  }
+}
+async function initCommand(opts2 = {}) {
+  const cwd = process.cwd();
+  const yes = opts2.yes || opts2.y || !process.stdin.isTTY;
+  const outPath = path4.join(cwd, "lbe.workspace.json");
+  console.log("\nScanning workspace...\n");
+  const { projectTypes, primaryType: primaryType2, semantics, enforcement } = scanWorkspace(cwd);
+  console.log(formatSummary(projectTypes, semantics, enforcement));
+  console.log("");
+  let finalEnforcement = enforcement;
+  if (!yes) {
+    const answer = await ask("Accept? [Y = accept / s = strict / r = relaxed / n = cancel] ");
+    if (answer === "n") {
+      console.log("Cancelled.");
+      return { success: false };
+    }
+    if (answer === "s") finalEnforcement = applyStrict(enforcement);
+    if (answer === "r") finalEnforcement = applyRelaxed(enforcement);
+  }
+  const contract = {
+    lbe: true,
+    version: "0.4.0",
+    state: "local",
+    projectTypes,
+    primaryType: primaryType2,
+    semantics,
+    enforcement: finalEnforcement
+  };
+  fs4.writeFileSync(outPath, JSON.stringify(contract, null, 2));
+  console.log("\u2713 Wrote lbe.workspace.json");
+  setupCrypto(cwd);
+  const localPolicyPath = path4.join(cwd, "lbe.policy.json");
+  if (!fs4.existsSync(localPolicyPath)) {
+    fs4.writeFileSync(localPolicyPath, JSON.stringify({ version: 1, mode: "observe", workspace: cwd, rules: [] }, null, 2) + "\n");
+  }
+  const localAuditPath = path4.join(cwd, ".lbe", "audit.jsonl");
+  if (!fs4.existsSync(localAuditPath)) fs4.writeFileSync(localAuditPath, "");
+  console.log("\u2713 Keys and policy ready");
+  writeAgentGovernanceFiles(cwd);
+  console.log("\u2713 Agent contract written  \u2192  .lbe/AGENT_CONTRACT.md");
+  console.log("\u2713 CLAUDE.md updated with LBE governance section");
+  console.log("\u2713 .github/copilot-instructions.md ready\n");
+  console.log("Done. Any AI agent that reads project context will follow LBE governance automatically.");
+  console.log("Run  npx lbe status  to see mode, rules, and audit entry count.\n");
+  return { success: true, contract };
+}
+
+// src/cli/commands/policyMode.js
+init_localPolicy();
+async function policyModeCommand(mode, opts2 = {}) {
+  const loaded = loadLocalPolicy(opts2.root || process.cwd(), mode);
+  writeLocalPolicy(loaded.root, { ...loaded.policy, mode });
+  console.log(JSON.stringify({ mode, policy: loaded.policyPath }, null, 2));
+}
+
+// exec/cli.js
+var [, , cmd, ...rest] = process.argv;
+var opts = Object.fromEntries(
+  rest.flatMap((v, i, a) => v.startsWith("--") ? [[v.slice(2), a[i + 1] ?? true]] : [])
+);
+function loadPolicy() {
+  const p = path15.join(process.cwd(), "lbe.policy.json");
+  return fs14.existsSync(p) ? JSON.parse(fs14.readFileSync(p, "utf8")) : null;
+}
+function countAudit() {
+  const p = path15.join(process.cwd(), ".lbe", "audit.jsonl");
+  if (!fs14.existsSync(p)) return 0;
+  return fs14.readFileSync(p, "utf8").split("\n").filter((l) => l.trim()).length;
+}
+switch (cmd) {
+  case "init":
+    initCommand(opts).catch((e) => {
+      console.error(e.message);
+      process.exit(1);
+    });
+    break;
+  case "observe":
+  case "enforce":
+    policyModeCommand(cmd, opts).catch((e) => {
+      console.error(e.message);
+      process.exit(1);
+    });
+    break;
+  case "status": {
+    const policy = loadPolicy();
+    if (!policy) {
+      console.log("No lbe.policy.json found. Run: npx lbe init");
+      break;
+    }
+    console.log(`mode:        ${policy.mode}`);
+    console.log(`rules:       ${policy.rules?.length ?? 0}`);
+    console.log(`audit:       ${countAudit()} entries`);
+    console.log(`workspace:   ${policy.workspace || process.cwd()}`);
+    break;
+  }
+  case "policy": {
+    const policy = loadPolicy();
+    if (!policy) {
+      console.log("No lbe.policy.json found. Run: npx lbe init");
+      break;
+    }
+    if (!policy.rules?.length) {
+      console.log("No rules defined.");
+      break;
+    }
+    for (const r of policy.rules) {
+      console.log(`[${r.effect.toUpperCase()}] ${r.type}:${r.pattern}  \u2014 ${r.from || ""}  (${r.id || "?"})`);
+    }
+    break;
+  }
+  case "execute": {
+    Promise.resolve().then(() => (init_localExecutor(), localExecutor_exports)).then(async ({ createLocalExecutor: createLocalExecutor2 }) => {
+      const lbe = createLocalExecutor2({ rootDir: process.cwd() });
+      let raw = "";
+      if (opts.input) {
+        raw = fs14.readFileSync(path15.resolve(opts.input), "utf8");
+      } else {
+        for await (const chunk of process.stdin) raw += chunk;
+      }
+      const request = JSON.parse(raw);
+      const result = await lbe.execute(request);
+      console.log(JSON.stringify(result, null, 2));
+      process.exit(result.ok ? 0 : result.decision === "deny" ? 1 : 2);
+    }).catch((e) => {
+      console.error(e.message);
+      process.exit(2);
+    });
+    break;
+  }
+  default:
+    console.log("Usage: lbe <command>\n");
+    console.log("  init      Set up LBE governance in this project");
+    console.log("  status    Show mode, rule count, and audit entry count");
+    console.log("  policy    List active rules");
+    console.log("  observe   Switch to observer mode (log only, nothing blocked)");
+    console.log("  enforce   Switch to enforcement mode (violations blocked)");
+    console.log("  execute   Send a JSON request from stdin or --input file");
+    console.log("\nCLI: npx lbe-exec <command>");
+    if (cmd && cmd !== "--help" && cmd !== "help") {
+      console.error(`
+Unknown command: ${cmd}`);
+      process.exit(1);
+    }
+}