@letterblack/lbe-exec 1.2.2

package/dist/index.js

@@ -0,0 +1,1762 @@
+// src/exec/localExecutor.js
+import crypto5 from "crypto";
+import fs9 from "fs";
+import path10 from "path";
+
+// src/core/signature.js
+import nacl from "tweetnacl";
+import { canonicalize } from "json-canonicalize";
+function bytesFromBase64(b64) {
+  return Buffer.from(b64, "base64");
+}
+function toBase64(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+function verifyEd25519({ payloadObj, sigB64, pubKeyB64 }) {
+  try {
+    const msg = Buffer.from(canonicalize(payloadObj), "utf8");
+    const sig = bytesFromBase64(sigB64);
+    const pub = bytesFromBase64(pubKeyB64);
+    const isValid = nacl.sign.detached.verify(
+      new Uint8Array(msg),
+      new Uint8Array(sig),
+      new Uint8Array(pub)
+    );
+    return {
+      valid: isValid,
+      message: isValid ? "Signature verified" : "Signature verification failed"
+    };
+  } catch (err) {
+    return {
+      valid: false,
+      message: `Signature verification error: ${err.message}`
+    };
+  }
+}
+function generateKeyPair() {
+  const keyPair = nacl.sign.keyPair();
+  return {
+    publicKey: toBase64(keyPair.publicKey),
+    secretKey: toBase64(keyPair.secretKey)
+  };
+}
+function signEd25519({ payloadObj, secretKeyB64 }) {
+  try {
+    const msg = Buffer.from(canonicalize(payloadObj), "utf8");
+    const secretKey = bytesFromBase64(secretKeyB64);
+    const sig = nacl.sign.detached(new Uint8Array(msg), new Uint8Array(secretKey));
+    return {
+      signature: toBase64(sig),
+      error: null
+    };
+  } catch (err) {
+    return {
+      signature: null,
+      error: `Signing failed: ${err.message}`
+    };
+  }
+}
+
+// src/core/policyVersionGuard.js
+import fs2 from "fs";
+import path2 from "path";
+
+// src/core/atomicWrite.js
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+var DEFAULT_LOCK_OPTS = {
+  timeoutMs: 5e3,
+  // total wait before giving up
+  pollMs: 15,
+  // base poll interval (jittered)
+  staleMs: 3e4
+  // lock files older than this are presumed orphaned
+};
+function _lockPathFor(targetPath) {
+  return targetPath + ".lock";
+}
+function _tryAcquire(lockPath) {
+  try {
+    const fd = fs.openSync(lockPath, "wx");
+    fs.writeSync(fd, `pid:${process.pid}:${Date.now()}`);
+    fs.closeSync(fd);
+    return true;
+  } catch (err) {
+    if (err.code === "EEXIST" || err.code === "EPERM" || err.code === "EBUSY" || err.code === "EACCES") {
+      return false;
+    }
+    throw err;
+  }
+}
+function _removeIfStale(lockPath, staleMs) {
+  try {
+    const stat = fs.statSync(lockPath);
+    const ageMs = Date.now() - stat.mtimeMs;
+    if (ageMs > staleMs) {
+      try {
+        fs.unlinkSync(lockPath);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function _sleepSync(ms) {
+  const end = Date.now() + ms;
+  while (Date.now() < end) {
+    try {
+      Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, Math.max(1, end - Date.now()));
+    } catch {
+    }
+  }
+}
+function withFileLock(targetPath, optsOrFn, maybeFn) {
+  const fn = typeof optsOrFn === "function" ? optsOrFn : maybeFn;
+  const opts = typeof optsOrFn === "function" ? {} : optsOrFn || {};
+  const { timeoutMs, pollMs, staleMs } = { ...DEFAULT_LOCK_OPTS, ...opts };
+  const dir = path.dirname(targetPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  const lockPath = _lockPathFor(targetPath);
+  const deadline = Date.now() + timeoutMs;
+  let acquired = false;
+  while (!acquired) {
+    acquired = _tryAcquire(lockPath);
+    if (acquired) break;
+    if (Date.now() >= deadline) {
+      _removeIfStale(lockPath, staleMs);
+      acquired = _tryAcquire(lockPath);
+      if (acquired) break;
+      const err = new Error(`withFileLock: timeout acquiring ${lockPath} after ${timeoutMs}ms`);
+      err.code = "ELOCKTIMEOUT";
+      throw err;
+    }
+    _removeIfStale(lockPath, staleMs);
+    const jitter = Math.floor(Math.random() * pollMs);
+    _sleepSync(pollMs + jitter);
+  }
+  try {
+    return fn();
+  } finally {
+    try {
+      fs.unlinkSync(lockPath);
+    } catch {
+    }
+  }
+}
+function atomicWriteFileSync(filePath, data, options = {}) {
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  const tempFile = path.join(dir, `.tmp-${Date.now()}-${crypto.randomBytes(4).toString("hex")}`);
+  try {
+    fs.writeFileSync(tempFile, data, options);
+    fs.renameSync(tempFile, filePath);
+  } catch (error2) {
+    try {
+      if (fs.existsSync(tempFile)) {
+        fs.unlinkSync(tempFile);
+      }
+    } catch (cleanupError) {
+    }
+    throw error2;
+  }
+}
+
+// src/core/policyVersionGuard.js
+function parsePolicyVersion(version) {
+  if (typeof version === "number" && Number.isFinite(version)) {
+    return { ok: true, kind: "int", parts: [Math.floor(version)], raw: String(version) };
+  }
+  if (typeof version !== "string" || !version.trim()) {
+    return { ok: false, reason: "POLICY_VERSION_INVALID", message: "Policy version is required" };
+  }
+  const trimmed = version.trim();
+  if (/^\d+$/.test(trimmed)) {
+    return { ok: true, kind: "int", parts: [Number(trimmed)], raw: trimmed };
+  }
+  const semver = trimmed.replace(/^v/i, "");
+  if (/^\d+(\.\d+){0,2}$/.test(semver)) {
+    const parsed = semver.split(".").map((n) => Number(n));
+    while (parsed.length < 3) {
+      parsed.push(0);
+    }
+    return { ok: true, kind: "semver", parts: parsed, raw: trimmed };
+  }
+  return {
+    ok: false,
+    reason: "POLICY_VERSION_INVALID",
+    message: `Unsupported policy version format '${version}' (use integer or semver)`
+  };
+}
+function compareVersions(a, b) {
+  const len = Math.max(a.parts.length, b.parts.length);
+  for (let i = 0; i < len; i++) {
+    const av = a.parts[i] ?? 0;
+    const bv = b.parts[i] ?? 0;
+    if (av > bv) return 1;
+    if (av < bv) return -1;
+  }
+  return 0;
+}
+function parseCreatedAt(createdAt) {
+  if (typeof createdAt === "number" && Number.isFinite(createdAt)) {
+    const sec = createdAt > 1e12 ? Math.floor(createdAt / 1e3) : Math.floor(createdAt);
+    return { ok: true, epochSec: sec };
+  }
+  if (typeof createdAt !== "string" || !createdAt.trim()) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_INVALID",
+      message: "Policy createdAt is required"
+    };
+  }
+  const ts = Date.parse(createdAt);
+  if (Number.isNaN(ts)) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_INVALID",
+      message: `Invalid policy createdAt '${createdAt}'`
+    };
+  }
+  return { ok: true, epochSec: Math.floor(ts / 1e3) };
+}
+function loadPolicyState(statePath) {
+  if (!fs2.existsSync(statePath)) {
+    return {
+      schemaVersion: "1",
+      lastAccepted: null,
+      updatedAt: null
+    };
+  }
+  try {
+    const parsed = JSON.parse(fs2.readFileSync(statePath, "utf8"));
+    if (!parsed || typeof parsed !== "object") {
+      throw new Error("Policy state file has invalid structure");
+    }
+    return {
+      schemaVersion: String(parsed.schemaVersion || "1"),
+      lastAccepted: parsed.lastAccepted && typeof parsed.lastAccepted === "object" ? parsed.lastAccepted : null,
+      updatedAt: parsed.updatedAt || null
+    };
+  } catch (err) {
+    throw new Error(`Policy state at ${statePath} is corrupt or unreadable: ${err.message}`);
+  }
+}
+function savePolicyState(statePath, stateObj) {
+  const payload = JSON.stringify(stateObj, null, 2);
+  atomicWriteFileSync(statePath, payload, { encoding: "utf8" });
+}
+function validateAndUpdatePolicyVersionState({
+  policyObj,
+  statePath = path2.resolve("data/policy.state.json"),
+  maxCreatedAtSkewSec = 31536e3,
+  nowSec = Math.floor(Date.now() / 1e3),
+  persist = true
+}) {
+  const version = parsePolicyVersion(policyObj?.version);
+  if (!version.ok) {
+    return {
+      ok: false,
+      reason: version.reason,
+      message: version.message,
+      updated: false
+    };
+  }
+  const createdAt = parseCreatedAt(policyObj?.createdAt);
+  if (!createdAt.ok) {
+    return {
+      ok: false,
+      reason: createdAt.reason,
+      message: createdAt.message,
+      updated: false
+    };
+  }
+  const skew = Math.abs(nowSec - createdAt.epochSec);
+  const allowedSkew = Number.isFinite(maxCreatedAtSkewSec) && maxCreatedAtSkewSec > 0 ? Math.floor(maxCreatedAtSkewSec) : 31536e3;
+  if (skew > allowedSkew) {
+    return {
+      ok: false,
+      reason: "POLICY_CREATED_AT_SKEW_EXCEEDED",
+      message: `Policy createdAt skew ${skew}s exceeds allowed ${allowedSkew}s`,
+      updated: false
+    };
+  }
+  let state;
+  try {
+    state = loadPolicyState(statePath);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: "POLICY_STATE_CORRUPT",
+      message: err.message,
+      updated: false
+    };
+  }
+  const previous = state.lastAccepted;
+  let previousVersion = null;
+  let previousCreatedAt = null;
+  let versionCompare = 0;
+  if (previous) {
+    previousVersion = parsePolicyVersion(previous.version);
+    previousCreatedAt = parseCreatedAt(previous.createdAt);
+    if (previousVersion.ok && previousCreatedAt.ok) {
+      versionCompare = compareVersions(version, previousVersion);
+      if (versionCompare < 0) {
+        return {
+          ok: false,
+          reason: "POLICY_VERSION_REGRESSION",
+          message: `Policy version regression: current '${version.raw}' < last '${previousVersion.raw}'`,
+          updated: false
+        };
+      }
+      if (versionCompare === 0 && createdAt.epochSec < previousCreatedAt.epochSec) {
+        return {
+          ok: false,
+          reason: "POLICY_CREATED_AT_REGRESSION",
+          message: `Policy createdAt regression: current '${policyObj.createdAt}' < last '${previous.createdAt}'`,
+          updated: false
+        };
+      }
+      if (versionCompare > 0 && createdAt.epochSec < previousCreatedAt.epochSec) {
+        return {
+          ok: false,
+          reason: "POLICY_CREATED_AT_REGRESSION",
+          message: `Policy createdAt must be monotonic when version increases`,
+          updated: false
+        };
+      }
+    }
+  }
+  const shouldUpdate = !previous || !previousVersion?.ok || !previousCreatedAt?.ok || versionCompare > 0 || versionCompare === 0 && createdAt.epochSec > previousCreatedAt.epochSec;
+  if (persist && shouldUpdate) {
+    const nextState = {
+      schemaVersion: "1",
+      lastAccepted: {
+        version: policyObj.version,
+        createdAt: policyObj.createdAt,
+        environment: policyObj.environment || null
+      },
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    savePolicyState(statePath, nextState);
+  }
+  return {
+    ok: true,
+    reason: null,
+    message: "Policy version guard passed",
+    updated: shouldUpdate
+  };
+}
+
+// runtime/engine.js
+import fs3 from "fs";
+import path3 from "path";
+import { fileURLToPath } from "url";
+var runtimeDir = path3.dirname(fileURLToPath(import.meta.url));
+var wasmPath = path3.join(runtimeDir, "lbe_engine.wasm");
+var POLICY_MESSAGES = {
+  0: { allowed: true, reason: null, message: "Policy check passed" },
+  1: { allowed: false, reason: "POLICY_NOT_CONFIGURED", message: "No policy configured" },
+  2: { allowed: false, reason: "REQUESTER_NOT_ALLOWED", message: "Requester not in policy" },
+  3: { allowed: false, reason: "COMMAND_NOT_ALLOWED", message: "Command not allowed for requester" },
+  4: { allowed: false, reason: "ADAPTER_NOT_ALLOWED", message: "Adapter not allowed" },
+  5: { allowed: false, reason: "NO_FILESYSTEM_ROOTS_DEFINED", message: "No filesystem roots defined for requester" },
+  6: { allowed: false, reason: "CWD_OUTSIDE_ALLOWED_ROOT", message: "Path not under allowed roots" },
+  7: { allowed: false, reason: "PATH_DENIED_BY_PATTERN", message: "Path matches deny pattern" },
+  8: { allowed: false, reason: "SHELL_CMD_DENIED", message: "Shell command not allowed" }
+};
+var SCHEMA_MESSAGES = {
+  0: { valid: true, error: null },
+  1: { valid: false, error: "Missing required field: id" },
+  2: { valid: false, error: "Missing required field: commandId" },
+  3: { valid: false, error: "Missing required field: requesterId" },
+  4: { valid: false, error: "Missing required field: sessionId" },
+  5: { valid: false, error: "Missing required field: timestamp" },
+  6: { valid: false, error: "Missing required field: nonce" },
+  7: { valid: false, error: "Missing required field: requires" },
+  8: { valid: false, error: "Missing required field: payload" },
+  9: { valid: false, error: "Missing required field: signature" },
+  10: { valid: false, error: "Field 'id' is invalid" },
+  11: { valid: false, error: "Field 'commandId' is invalid" },
+  12: { valid: false, error: "Field 'requesterId' is invalid" },
+  13: { valid: false, error: "Field 'sessionId' is invalid" },
+  14: { valid: false, error: "Field 'timestamp' is invalid" },
+  15: { valid: false, error: "Field 'nonce' is invalid" },
+  16: { valid: false, error: "Field 'requires' is invalid" },
+  17: { valid: false, error: "payload: missing required field: adapter" },
+  18: { valid: false, error: "payload: field 'adapter' is invalid" },
+  19: { valid: false, error: "signature: missing required field: alg" },
+  20: { valid: false, error: "signature: missing required field: keyId" },
+  21: { valid: false, error: "signature: missing required field: sig" },
+  22: { valid: false, error: "signature: field 'alg' must be ed25519" },
+  23: { valid: false, error: "signature: field 'sig' is invalid" },
+  24: { valid: false, error: "Field 'risk' is invalid" }
+};
+var KEY_REASONS = {
+  1: "KEY_ID_INVALID",
+  2: "KEY_NOT_TRUSTED",
+  3: "KEY_DEPRECATED",
+  4: "KEY_REQUESTER_MISMATCH",
+  5: "KEY_LIFECYCLE_INVALID",
+  6: "KEY_NOT_YET_VALID",
+  7: "KEY_EXPIRED"
+};
+var PIPELINE_STAGES = {
+  0: "schema",
+  1: "timestamp",
+  2: "key",
+  3: "signature",
+  4: "rate_limit",
+  5: "nonce",
+  6: "policy",
+  255: "ok"
+};
+var RISK_LABELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];
+var COMMAND_TYPE = { ECHO: 0, READ_FILE: 1, WRITE_FILE: 2, PATCH_FILE: 3, DELETE_FILE: 4, RUN_SHELL: 5 };
+var _instance = null;
+function wasm() {
+  if (_instance) return _instance;
+  if (!fs3.existsSync(wasmPath)) throw new Error(`LBE engine missing: ${wasmPath}`);
+  const bytes = fs3.readFileSync(wasmPath);
+  _instance = new WebAssembly.Instance(new WebAssembly.Module(bytes), {});
+  return _instance;
+}
+function memory() {
+  return new Uint8Array(wasm().exports.memory.buffer);
+}
+function inPtr() {
+  return wasm().exports.lbe_in_ptr();
+}
+function outPtr() {
+  return wasm().exports.lbe_out_ptr();
+}
+function bufSize() {
+  return wasm().exports.lbe_buf_size();
+}
+function writeIn(str) {
+  const enc = new TextEncoder().encode(str);
+  const mem = memory();
+  const ptr = inPtr();
+  mem.set(enc, ptr);
+  mem[ptr + enc.length] = 0;
+}
+function readOut() {
+  const mem = memory();
+  const ptr = outPtr();
+  let end = ptr;
+  while (mem[end] !== 0 && end - ptr < bufSize()) end++;
+  return new TextDecoder().decode(mem.slice(ptr, end));
+}
+function writePipelineInput(fields) {
+  const mem = memory();
+  const ptr = inPtr();
+  const view = new DataView(mem.buffer, ptr);
+  fields.forEach((v, i) => view.setUint32(i * 4, v >>> 0, true));
+}
+function readPipelineOutput() {
+  const mem = memory();
+  const ptr = outPtr();
+  const view = new DataView(mem.buffer, ptr);
+  return { stage: view.getUint32(0, true), code: view.getUint32(4, true) };
+}
+function runValidationPipeline(flags) {
+  writePipelineInput([
+    // Schema flags [0..24]
+    flags.hasId ? 1 : 0,
+    flags.idValid ? 1 : 0,
+    flags.hasCommandId ? 1 : 0,
+    flags.commandIdValid ? 1 : 0,
+    flags.hasRequesterId ? 1 : 0,
+    flags.requesterIdValid ? 1 : 0,
+    flags.hasSessionId ? 1 : 0,
+    flags.sessionIdValid ? 1 : 0,
+    flags.hasTimestamp ? 1 : 0,
+    flags.timestampValid ? 1 : 0,
+    flags.hasNonce ? 1 : 0,
+    flags.nonceValid ? 1 : 0,
+    flags.hasRequires ? 1 : 0,
+    flags.requiresValid ? 1 : 0,
+    flags.hasPayload ? 1 : 0,
+    flags.hasPayloadAdapter ? 1 : 0,
+    flags.payloadAdapterValid ? 1 : 0,
+    flags.hasSignature ? 1 : 0,
+    flags.hasSignatureAlg ? 1 : 0,
+    flags.signatureAlgValid ? 1 : 0,
+    flags.hasSignatureKeyId ? 1 : 0,
+    flags.hasSignatureSig ? 1 : 0,
+    flags.signatureSigValid ? 1 : 0,
+    flags.hasRisk ? 1 : 0,
+    flags.riskValid ? 1 : 0,
+    // Timestamp [25..27]
+    flags.cmdTimestamp >>> 0,
+    flags.nowSec >>> 0,
+    flags.maxClockSkewSec >>> 0,
+    // Key lifecycle [28..34]
+    flags.keyIdFormatValid ? 1 : 0,
+    flags.keyFound ? 1 : 0,
+    flags.keyNotDeprecated ? 1 : 0,
+    flags.keyRequesterMatches ? 1 : 0,
+    flags.keyNotBeforeOk ? 1 : 0,
+    flags.keyNotExpired ? 1 : 0,
+    flags.keyLifecycleFieldsPresent ? 1 : 0,
+    // Signature [35]
+    flags.signatureValid ? 1 : 0,
+    // Rate limit [36..37]
+    flags.rateLimitOk ? 1 : 0,
+    flags.rateLimitRetryAfterSec >>> 0,
+    // Nonce [38]
+    flags.nonceOk ? 1 : 0,
+    // Policy [39..48]
+    flags.policyConfigured ? 1 : 0,
+    flags.requesterConfigured ? 1 : 0,
+    flags.commandAllowed ? 1 : 0,
+    flags.adapterAllowed ? 1 : 0,
+    flags.filesystemRequired ? 1 : 0,
+    flags.filesystemRootsDefined ? 1 : 0,
+    flags.filesystemOk ? 1 : 0,
+    flags.pathDenied ? 1 : 0,
+    flags.shellRequired ? 1 : 0,
+    flags.shellCommandOk ? 1 : 0
+  ]);
+  wasm().exports.lbe_validate_pipeline();
+  const { stage, code } = readPipelineOutput();
+  const ok = stage === 255;
+  return {
+    ok,
+    stage,
+    stageLabel: PIPELINE_STAGES[stage] || "unknown",
+    code,
+    schemaError: stage === 0 ? SCHEMA_MESSAGES[code]?.error || "Schema invalid" : null,
+    keyReason: stage === 2 ? KEY_REASONS[code] || "KEY_ERROR" : null,
+    policyResult: stage === 6 ? { ...POLICY_MESSAGES[code] || POLICY_MESSAGES[1], code } : null,
+    retryAfterSec: stage === 4 ? code : 0,
+    skewSec: stage === 1 ? code : 0
+  };
+}
+function checkNonce({ ttlSec, nowSec, newKey, existingEntries }) {
+  const lines = [`${ttlSec}:${nowSec}`, newKey, ...existingEntries].join("\n") + "\n";
+  writeIn(lines);
+  const isReplay = wasm().exports.lbe_nonce_check() !== 0;
+  if (isReplay) return { ok: false, updatedEntriesText: null };
+  const out = readOut();
+  return { ok: true, updatedEntriesText: out.startsWith("OK\n") ? out.slice(3) : out };
+}
+function checkRateLimit({ windowSec, maxRequests, nowSec, requesterId, existingEntries }) {
+  const lines = [
+    `${windowSec}:${maxRequests}:${nowSec}`,
+    requesterId,
+    ...existingEntries
+  ].join("\n") + "\n";
+  writeIn(lines);
+  const exceeded = wasm().exports.lbe_rate_check() !== 0;
+  const out = readOut();
+  if (exceeded) {
+    const retryAfterSec = parseInt(out.match(/^EXCEEDED:(\d+)/)?.[1] ?? "1", 10);
+    const entriesText = out.replace(/^EXCEEDED:\d+\n/, "");
+    return { ok: false, retryAfterSec, updatedEntriesText: entriesText };
+  }
+  return { ok: true, retryAfterSec: 0, updatedEntriesText: out.startsWith("OK\n") ? out.slice(3) : out };
+}
+function classifyRisk(commandId, shellCmdIsRm = false) {
+  const typeCode = COMMAND_TYPE[commandId] ?? 0;
+  const code = wasm().exports.lbe_classify_risk(typeCode, shellCmdIsRm ? 1 : 0);
+  return RISK_LABELS[code] ?? "LOW";
+}
+
+// src/core/validator.js
+import path4 from "path";
+function extractSchemaFlags(cmd) {
+  const has = (k) => cmd != null && Object.prototype.hasOwnProperty.call(cmd, k);
+  const isStr = (v) => typeof v === "string";
+  const p = cmd?.payload;
+  const sig = cmd?.signature;
+  return {
+    hasId: has("id"),
+    idValid: isStr(cmd?.id) && /^[A-Z_]+$/.test(cmd.id) && cmd.id.length >= 1 && cmd.id.length <= 50,
+    hasCommandId: has("commandId"),
+    commandIdValid: isStr(cmd?.commandId) && /^[a-f0-9-]+$/.test(cmd.commandId) && cmd.commandId.length === 36,
+    hasRequesterId: has("requesterId"),
+    requesterIdValid: isStr(cmd?.requesterId) && cmd.requesterId.length >= 3 && cmd.requesterId.length <= 100,
+    hasSessionId: has("sessionId"),
+    sessionIdValid: isStr(cmd?.sessionId) && cmd.sessionId.length >= 3,
+    hasTimestamp: has("timestamp"),
+    timestampValid: typeof cmd?.timestamp === "number" && cmd.timestamp >= 1e9,
+    hasNonce: has("nonce"),
+    nonceValid: isStr(cmd?.nonce) && cmd.nonce.length >= 32 && cmd.nonce.length <= 128,
+    hasRequires: has("requires"),
+    requiresValid: Array.isArray(cmd?.requires) && cmd.requires.length >= 1 && cmd.requires.every(isStr),
+    hasPayload: has("payload") && typeof p === "object" && p !== null && !Array.isArray(p),
+    hasPayloadAdapter: p != null && Object.prototype.hasOwnProperty.call(p, "adapter"),
+    payloadAdapterValid: isStr(p?.adapter),
+    hasSignature: has("signature") && typeof sig === "object" && sig !== null && !Array.isArray(sig),
+    hasSignatureAlg: sig != null && Object.prototype.hasOwnProperty.call(sig, "alg"),
+    signatureAlgValid: sig?.alg === "ed25519",
+    hasSignatureKeyId: sig != null && Object.prototype.hasOwnProperty.call(sig, "keyId"),
+    hasSignatureSig: sig != null && Object.prototype.hasOwnProperty.call(sig, "sig"),
+    signatureSigValid: isStr(sig?.sig) && sig.sig.length >= 10,
+    hasRisk: has("risk"),
+    riskValid: ["LOW", "MEDIUM", "HIGH", "CRITICAL"].includes(cmd?.risk)
+  };
+}
+function extractPolicyFlags(policy, cmd) {
+  const hasPolicy = !!(policy && policy.default === "DENY" && policy.requesters && typeof policy.requesters === "object");
+  const rp = policy?.requesters?.[cmd.requesterId];
+  const cmdId = cmd.id?.toLowerCase() ?? "";
+  const commandAllowed = !!rp?.allowCommands?.some((c) => c.toLowerCase() === cmdId);
+  const adapterAllowed = !!rp?.allowAdapters?.includes(cmd.payload?.adapter);
+  const filesystemRequired = !!cmd.payload?.cwd;
+  let filesystemRootsDefined = false;
+  let filesystemOk = false;
+  let pathDenied = false;
+  if (filesystemRequired) {
+    const roots = rp?.filesystem?.roots ?? [];
+    filesystemRootsDefined = roots.length > 0;
+    if (filesystemRootsDefined) {
+      const cwd = path4.resolve(cmd.payload.cwd);
+      filesystemOk = roots.some((r) => {
+        const rr = path4.resolve(r);
+        return cwd === rr || cwd.startsWith(rr + path4.sep);
+      });
+      const denyPatterns = rp?.filesystem?.denyPatterns ?? [];
+      pathDenied = denyPatterns.some((pattern) => {
+        const re = new RegExp("^" + pattern.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*") + "$");
+        return re.test(cwd);
+      });
+    }
+  }
+  let shellRequired = false;
+  let shellCommandOk = true;
+  if (cmd.id === "RUN_SHELL") {
+    shellRequired = true;
+    const allowCmds = rp?.exec?.allowCmds ?? [];
+    const denyCmds = rp?.exec?.denyCmds ?? [];
+    const shellCmd = cmd.payload?.cmd;
+    if (denyCmds.includes(shellCmd)) {
+      shellCommandOk = false;
+    } else {
+      shellCommandOk = allowCmds.length === 0 || allowCmds.includes(shellCmd);
+    }
+  }
+  return {
+    policyConfigured: hasPolicy,
+    requesterConfigured: !!rp,
+    commandAllowed,
+    adapterAllowed,
+    filesystemRequired,
+    filesystemRootsDefined,
+    filesystemOk,
+    pathDenied,
+    shellRequired,
+    shellCommandOk
+  };
+}
+function extractKeyFlags(keyStore, keyId, requesterId, now = /* @__PURE__ */ new Date()) {
+  if (!keyStore || !keyId) {
+    return {
+      keyIdFormatValid: false,
+      keyFound: false,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const KEY_ID_RE = /^[A-Za-z0-9:_-]{3,128}$/;
+  const keyIdFormatValid = KEY_ID_RE.test(keyId) && keyId !== "default";
+  if (!keyIdFormatValid) {
+    return {
+      keyIdFormatValid,
+      keyFound: false,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const entry = keyStore.trustedKeys?.[keyId];
+  const keyFound = !!entry;
+  if (!keyFound) {
+    return {
+      keyIdFormatValid,
+      keyFound,
+      keyNotDeprecated: false,
+      keyRequesterMatches: false,
+      keyNotBeforeOk: false,
+      keyNotExpired: false,
+      keyLifecycleFieldsPresent: false,
+      publicKey: null
+    };
+  }
+  const keyNotDeprecated = !entry.deprecated;
+  const keyRequesterMatches = !entry.requesterId || entry.requesterId === requesterId;
+  const notBefore = entry.notBefore || entry.validFrom;
+  const expiresAt = entry.expiresAt || entry.validUntil;
+  const keyLifecycleFieldsPresent = typeof notBefore === "string" && typeof expiresAt === "string";
+  let keyNotBeforeOk = false;
+  let keyNotExpired = false;
+  if (keyLifecycleFieldsPresent) {
+    const nb = new Date(notBefore);
+    const exp = new Date(expiresAt);
+    if (!isNaN(nb.getTime()) && !isNaN(exp.getTime()) && nb < exp) {
+      keyNotBeforeOk = now >= nb;
+      keyNotExpired = now < exp;
+    }
+  }
+  return {
+    keyIdFormatValid,
+    keyFound,
+    keyNotDeprecated,
+    keyRequesterMatches,
+    keyNotBeforeOk,
+    keyNotExpired,
+    keyLifecycleFieldsPresent,
+    publicKey: entry.publicKey ?? null
+  };
+}
+function nonceEntriesToText(db) {
+  return (db?.entries ?? []).map((e) => `${e.key}:${e.timestamp}`);
+}
+function textToNonceEntries(text) {
+  return text.split("\n").filter(Boolean).map((line) => {
+    const lastColon = line.lastIndexOf(":");
+    return {
+      key: line.slice(0, lastColon),
+      timestamp: parseInt(line.slice(lastColon + 1), 10) || 0
+    };
+  });
+}
+function rateEntriesToText(db) {
+  return (db?.entries ?? []).map((e) => `${e.requesterId}:${e.timestamp}`);
+}
+function textToRateEntries(text) {
+  return text.split("\n").filter(Boolean).map((line) => {
+    const lastColon = line.lastIndexOf(":");
+    return {
+      requesterId: line.slice(0, lastColon),
+      timestamp: parseInt(line.slice(lastColon + 1), 10) || 0
+    };
+  });
+}
+function validateCommand({
+  commandObj,
+  pubKeyB64,
+  keyStore,
+  nonceDb,
+  policy,
+  rateLimiter,
+  policyStatePath
+}) {
+  const result = {
+    valid: false,
+    commandId: commandObj?.commandId,
+    checks: {},
+    errors: []
+  };
+  const nowSec = Math.floor(Date.now() / 1e3);
+  const now = /* @__PURE__ */ new Date();
+  const maxClockSkewSec = Number.isFinite(policy?.security?.maxClockSkewSec) ? policy.security.maxClockSkewSec : 600;
+  if (policyStatePath && policy?.version !== void 0) {
+    try {
+      const vCheck = validateAndUpdatePolicyVersionState({ policyObj: policy, statePath: policyStatePath });
+      result.checks.policyVersion = vCheck.ok;
+      if (!vCheck.ok) {
+        result.errors.push({ type: "POLICY_VERSION_INVALID", message: vCheck.message });
+        return result;
+      }
+    } catch {
+      result.checks.policyVersion = true;
+    }
+  } else {
+    result.checks.policyVersion = true;
+  }
+  const schemaFlags = extractSchemaFlags(commandObj);
+  const keyId = commandObj?.signature?.keyId;
+  const keyFlags = extractKeyFlags(keyStore, keyId, commandObj?.requesterId, now);
+  let signatureValid = false;
+  let effectivePubKey = keyFlags.publicKey;
+  if (!effectivePubKey && pubKeyB64) effectivePubKey = pubKeyB64;
+  if (effectivePubKey) {
+    const bodyWithoutSig = { ...commandObj };
+    delete bodyWithoutSig.signature;
+    const sigCheck = verifyEd25519({
+      payloadObj: bodyWithoutSig,
+      sigB64: commandObj?.signature?.sig,
+      pubKeyB64: effectivePubKey
+    });
+    signatureValid = sigCheck.valid;
+  }
+  let rateLimitOk = true;
+  let rateLimitRetryAfterSec = 0;
+  if (signatureValid && rateLimiter && typeof rateLimiter.db !== "undefined") {
+    const rateCfg = policy?.requesters?.[commandObj.requesterId]?.rateLimit || {};
+    const dfltCfg = policy?.security?.defaultRateLimit || {};
+    const windowSec = rateCfg.windowSec ?? dfltCfg.windowSec ?? 60;
+    const maxRequests = rateCfg.maxRequests ?? dfltCfg.maxRequests ?? 30;
+    const rateResult = checkRateLimit({
+      windowSec,
+      maxRequests,
+      nowSec,
+      requesterId: commandObj.requesterId,
+      existingEntries: rateEntriesToText(rateLimiter.db)
+    });
+    rateLimitOk = rateResult.ok;
+    rateLimitRetryAfterSec = rateResult.retryAfterSec;
+    if (rateResult.ok) {
+      rateLimiter.db.entries = textToRateEntries(rateResult.updatedEntriesText);
+    }
+  } else if (signatureValid && rateLimiter && typeof rateLimiter.checkAndRecord === "function") {
+    const rateCfg = policy?.requesters?.[commandObj.requesterId]?.rateLimit || {};
+    const dfltCfg = policy?.security?.defaultRateLimit || {};
+    const rateCheck = rateLimiter.checkAndRecord({
+      requesterId: commandObj.requesterId,
+      nowSec,
+      windowSec: rateCfg.windowSec ?? dfltCfg.windowSec ?? 60,
+      maxRequests: rateCfg.maxRequests ?? dfltCfg.maxRequests ?? 30
+    });
+    rateLimitOk = rateCheck.ok;
+    rateLimitRetryAfterSec = rateCheck.retryAfterSec ?? 0;
+  }
+  let nonceOk = true;
+  const nonceKey = `${commandObj?.requesterId}|${commandObj?.sessionId}|${commandObj?.nonce}`;
+  const ttlSec = 3600;
+  if (signatureValid && rateLimitOk && nonceDb) {
+    if (typeof nonceDb.checkAndRecord === "function") {
+      if (nonceDb.db) {
+        const nonceResult = checkNonce({
+          ttlSec,
+          nowSec,
+          newKey: nonceKey,
+          existingEntries: nonceEntriesToText(nonceDb.db)
+        });
+        nonceOk = nonceResult.ok;
+        if (nonceResult.ok) {
+          nonceDb.db.entries = textToNonceEntries(nonceResult.updatedEntriesText);
+        }
+      } else {
+        const r = nonceDb.checkAndRecord({
+          requesterId: commandObj.requesterId,
+          sessionId: commandObj.sessionId,
+          nonce: commandObj.nonce
+        });
+        nonceOk = r.ok;
+      }
+    } else {
+      const nonceResult = checkNonce({
+        ttlSec,
+        nowSec,
+        newKey: nonceKey,
+        existingEntries: nonceEntriesToText(nonceDb)
+      });
+      nonceOk = nonceResult.ok;
+      if (nonceResult.ok) {
+        nonceDb.entries = textToNonceEntries(nonceResult.updatedEntriesText);
+      }
+    }
+  }
+  const policyFlags = extractPolicyFlags(policy, commandObj ?? {});
+  const pipeline = runValidationPipeline({
+    ...schemaFlags,
+    cmdTimestamp: commandObj?.timestamp ?? 0,
+    nowSec,
+    maxClockSkewSec,
+    ...keyFlags,
+    signatureValid,
+    rateLimitOk,
+    rateLimitRetryAfterSec,
+    nonceOk,
+    ...policyFlags
+  });
+  const s = pipeline.stage;
+  result.checks.schema = s !== 0;
+  if (s >= 1) result.checks.timestamp = s !== 1;
+  if (s >= 2) result.checks.keyId = s !== 2;
+  if (s >= 2) result.checks.signature = s !== 2 && s !== 3;
+  if (s >= 4) result.checks.rateLimit = s !== 4;
+  if (s >= 5) result.checks.nonce = s !== 5;
+  if (s >= 6 || pipeline.ok) result.checks.policy = s !== 6;
+  if (!pipeline.ok) {
+    const stage = pipeline.stageLabel;
+    if (stage === "schema") {
+      result.errors.push({ type: "SCHEMA_ERROR", message: pipeline.schemaError || "Schema invalid" });
+    } else if (stage === "timestamp") {
+      result.errors.push({ type: "TIMESTAMP_SKEW_EXCEEDED", message: `Command timestamp skew ${pipeline.skewSec}s exceeds allowed ${maxClockSkewSec}s` });
+    } else if (stage === "key") {
+      const reason = pipeline.keyReason || "KEY_ERROR";
+      const msgs = {
+        KEY_ID_INVALID: `Invalid keyId '${keyId}'`,
+        KEY_NOT_TRUSTED: `Key '${keyId}' is not in trusted key store`,
+        KEY_DEPRECATED: `Key '${keyId}' is deprecated`,
+        KEY_REQUESTER_MISMATCH: `Key '${keyId}' is not authorized for requester '${commandObj?.requesterId}'`,
+        KEY_LIFECYCLE_INVALID: `Key '${keyId}' must define notBefore and expiresAt`,
+        KEY_NOT_YET_VALID: `Key '${keyId}' is not yet valid`,
+        KEY_EXPIRED: `Key '${keyId}' has expired`
+      };
+      result.errors.push({ type: reason, message: msgs[reason] || reason });
+    } else if (stage === "signature") {
+      result.errors.push({ type: "SIGNATURE_INVALID", message: effectivePubKey ? "Signature verification failed" : "No public key available" });
+    } else if (stage === "rate_limit") {
+      result.errors.push({ type: "RATE_LIMIT_EXCEEDED", message: `Rate limit exceeded. Retry after ${pipeline.retryAfterSec}s` });
+    } else if (stage === "nonce") {
+      result.errors.push({ type: "REPLAY_NONCE", message: "Nonce has already been used" });
+    } else if (stage === "policy" && pipeline.policyResult) {
+      result.errors.push({ type: pipeline.policyResult.reason, message: pipeline.policyResult.message });
+    } else {
+      result.errors.push({ type: "VALIDATION_FAILED", message: `Failed at stage: ${stage}` });
+    }
+    return result;
+  }
+  result.valid = true;
+  result.risk = classifyRisk(commandObj.id, commandObj.payload?.cmd === "rm");
+  result.message = "Command validation successful";
+  return result;
+}
+
+// src/adapters/noopAdapter.js
+async function noopAdapter(cmd) {
+  return {
+    adapter: "noop",
+    commandId: cmd.commandId || "unknown",
+    command: cmd.id || "unknown",
+    status: "completed",
+    output: `[NOOP] Would execute: ${cmd.id || "unknown"} on adapter: ${cmd.payload?.adapter || "unknown"}`,
+    exitCode: 0,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+
+// src/adapters/shellAdapter.js
+import { spawnSync } from "child_process";
+import path5 from "path";
+import fs4 from "fs";
+function physicalPath(candidate) {
+  try {
+    return fs4.realpathSync(path5.resolve(candidate));
+  } catch {
+    return path5.resolve(candidate);
+  }
+}
+function normalizeArgs(args) {
+  if (args === void 0) return { ok: true, args: [] };
+  if (!Array.isArray(args)) {
+    return { ok: false, error: "payload.args must be an array" };
+  }
+  const normalized = [];
+  for (const arg of args) {
+    if (typeof arg !== "string" && typeof arg !== "number" && typeof arg !== "boolean") {
+      return { ok: false, error: "payload.args may only contain string, number, or boolean values" };
+    }
+    normalized.push(String(arg));
+  }
+  return { ok: true, args: normalized };
+}
+async function shellAdapter(cmd, policy, requester) {
+  const payload = cmd.payload;
+  const timeout = Math.min(Math.max(Number(payload.timeoutMs) || 3e4, 1), 3e4);
+  const maxOutputSize = Math.min(Math.max(Number(payload.maxOutputBytes) || 1024 * 1024, 1024), 1024 * 1024);
+  if (payload.adapter !== "shell") {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      status: "error",
+      error: "Adapter mismatch",
+      exitCode: 1
+    };
+  }
+  const allowedCmds = requester?.exec?.allowCmds || [];
+  const deniedCmds = requester?.exec?.denyCmds || [];
+  if (deniedCmds.includes(payload.cmd)) {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      status: "blocked",
+      error: `Command '${payload.cmd}' is denied`,
+      exitCode: 2
+    };
+  }
+  if (allowedCmds.length > 0 && !allowedCmds.includes(payload.cmd)) {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      status: "blocked",
+      error: `Command '${payload.cmd}' not in allowlist`,
+      exitCode: 2
+    };
+  }
+  const roots = requester?.filesystem?.roots || [];
+  const cwdAllow = roots.some((r) => {
+    const resolvedRoot = physicalPath(r);
+    const norm = physicalPath(payload.cwd);
+    return norm === resolvedRoot || norm.startsWith(resolvedRoot + path5.sep);
+  });
+  if (!cwdAllow) {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      status: "blocked",
+      error: `CWD '${payload.cwd}' not authorized`,
+      exitCode: 2
+    };
+  }
+  const argCheck = normalizeArgs(payload.args);
+  if (!argCheck.ok) {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      status: "blocked",
+      error: argCheck.error,
+      exitCode: 2
+    };
+  }
+  try {
+    const result = spawnSync(payload.cmd, argCheck.args, {
+      cwd: payload.cwd,
+      timeout,
+      encoding: "utf8",
+      maxBuffer: maxOutputSize,
+      stdio: ["pipe", "pipe", "pipe"],
+      shell: false
+    });
+    if (result.error) {
+      throw result.error;
+    }
+    const output = `${result.stdout || ""}${result.stderr || ""}`;
+    const exitCode = result.status ?? 1;
+    if (exitCode !== 0) {
+      return {
+        adapter: "shell",
+        commandId: cmd.commandId,
+        command: payload.cmd,
+        status: "error",
+        error: output.substring(0, maxOutputSize) || `Command exited with code ${exitCode}`,
+        exitCode,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      command: payload.cmd,
+      status: "completed",
+      output: output.substring(0, maxOutputSize),
+      exitCode: 0,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } catch (err) {
+    return {
+      adapter: "shell",
+      commandId: cmd.commandId,
+      command: payload.cmd,
+      status: "error",
+      error: err.message,
+      exitCode: err.status || 1,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+}
+
+// src/adapters/fileAdapter.js
+import fs6 from "fs";
+import path7 from "path";
+
+// src/core/backup.js
+import fs5 from "fs";
+import path6 from "path";
+import crypto2 from "crypto";
+function createBackup(filePath, backupDir) {
+  const dir = backupDir || path6.resolve("data/backups");
+  if (!fs5.existsSync(dir)) {
+    fs5.mkdirSync(dir, { recursive: true });
+  }
+  const target = path6.resolve(filePath);
+  const existed = fs5.existsSync(target);
+  let content = null;
+  let hash = null;
+  if (existed) {
+    content = fs5.readFileSync(target);
+    hash = crypto2.createHash("sha256").update(content).digest("hex");
+  }
+  const basename = path6.basename(target).replace(/[^a-zA-Z0-9._-]/g, "_");
+  const backupName = `${Date.now()}-${hash ? hash.slice(0, 8) : "new"}-${basename}`;
+  const backupPath = existed ? path6.join(dir, backupName) : null;
+  if (existed && content !== null) {
+    atomicWriteFileSync(backupPath, content);
+  }
+  return {
+    originalPath: target,
+    backupPath,
+    existed,
+    hash,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function restoreBackup(backupMeta) {
+  if (!backupMeta) return { restored: false, error: "No backup metadata" };
+  const { originalPath, backupPath, existed } = backupMeta;
+  if (!existed) {
+    try {
+      if (fs5.existsSync(originalPath)) fs5.unlinkSync(originalPath);
+      return { restored: true, action: "deleted" };
+    } catch (e) {
+      return { restored: false, error: e.message };
+    }
+  }
+  if (!backupPath || !fs5.existsSync(backupPath)) {
+    return { restored: false, error: "Backup file not found at: " + backupPath };
+  }
+  try {
+    const content = fs5.readFileSync(backupPath);
+    atomicWriteFileSync(originalPath, content);
+    return { restored: true, action: "restored" };
+  } catch (e) {
+    return { restored: false, error: e.message };
+  }
+}
+
+// src/adapters/fileAdapter.js
+var MAX_READ_BYTES = 10 * 1024 * 1024;
+function resolvedTarget(target, cwd) {
+  if (!target) return null;
+  return path7.isAbsolute(target) ? path7.resolve(target) : path7.resolve(cwd || process.cwd(), target);
+}
+function isUnderRoot(targetPath, roots) {
+  const norm = resolvePhysicalPath(targetPath);
+  return roots.some((r) => {
+    const root = resolvePhysicalPath(r);
+    return norm === root || norm.startsWith(root + path7.sep);
+  });
+}
+function resolvePhysicalPath(candidate) {
+  let current = path7.resolve(candidate);
+  const suffix = [];
+  while (!fs6.existsSync(current)) {
+    const parent = path7.dirname(current);
+    if (parent === current) break;
+    suffix.unshift(path7.basename(current));
+    current = parent;
+  }
+  try {
+    current = fs6.realpathSync(current);
+  } catch {
+  }
+  return path7.join(current, ...suffix);
+}
+function matchesDenyPattern(str, patterns) {
+  for (const pattern of patterns || []) {
+    const rx = new RegExp(
+      "^" + pattern.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/\\\\]*") + "$"
+    );
+    if (rx.test(str)) return pattern;
+  }
+  return null;
+}
+function blocked(cmd, code, message, exitCode = 2) {
+  return {
+    adapter: "file",
+    commandId: cmd.commandId,
+    status: "blocked",
+    errorCode: code,
+    error: message,
+    exitCode
+  };
+}
+function fail(cmd, code, message, backup = null, exitCode = 1) {
+  return {
+    adapter: "file",
+    commandId: cmd.commandId,
+    status: "error",
+    errorCode: code,
+    error: message,
+    backup: backup ? summariseBackup(backup) : null,
+    exitCode
+  };
+}
+function summariseBackup(b) {
+  return b ? { path: b.backupPath, existed: b.existed, hash: b.hash, createdAt: b.createdAt } : null;
+}
+async function fileAdapter(cmd, policy, requester) {
+  const payload = cmd.payload;
+  const action = payload.action;
+  const cwd = payload.cwd || process.cwd();
+  const target = resolvedTarget(payload.target, cwd);
+  if (!action) return blocked(cmd, "FILE_NO_ACTION", "payload.action is required");
+  if (!target && action !== "noop") return blocked(cmd, "FILE_NO_TARGET", "payload.target is required");
+  const roots = requester?.filesystem?.roots || [];
+  if (roots.length === 0) return blocked(cmd, "FILE_NO_ROOTS", "No filesystem roots defined for requester");
+  if (!isUnderRoot(target, roots)) return blocked(cmd, "FILE_OUTSIDE_ROOT", `'${target}' is outside allowed roots`);
+  const denied = matchesDenyPattern(target, requester?.filesystem?.denyPatterns);
+  if (denied) return blocked(cmd, "FILE_PATH_DENIED", `'${target}' matches deny pattern: ${denied}`);
+  switch (action) {
+    case "read":
+      return doRead(cmd, target);
+    case "write":
+      return doWrite(cmd, target, payload);
+    case "patch":
+      return doPatch(cmd, target, payload);
+    case "delete":
+      return doDelete(cmd, target);
+    default:
+      return blocked(cmd, "FILE_UNKNOWN_ACTION", `Unknown action: '${action}'`);
+  }
+}
+function doRead(cmd, target) {
+  if (!fs6.existsSync(target)) return fail(cmd, "FILE_NOT_FOUND", `Not found: ${target}`);
+  try {
+    const stat = fs6.statSync(target);
+    if (stat.size > MAX_READ_BYTES) return fail(cmd, "FILE_TOO_LARGE", "File exceeds 10 MB read limit");
+    const content = fs6.readFileSync(target, "utf8");
+    return {
+      adapter: "file",
+      action: "read",
+      commandId: cmd.commandId,
+      status: "completed",
+      target,
+      output: content,
+      bytesRead: stat.size,
+      exitCode: 0
+    };
+  } catch (e) {
+    return fail(cmd, "FILE_READ_ERROR", e.message);
+  }
+}
+function doWrite(cmd, target, payload) {
+  const content = payload.content;
+  if (content === void 0 || content === null) {
+    return fail(cmd, "FILE_MISSING_CONTENT", "payload.content is required for write");
+  }
+  const backup = tryBackup(target);
+  try {
+    atomicWriteFileSync(target, content, { encoding: "utf8" });
+    return {
+      adapter: "file",
+      action: "write",
+      commandId: cmd.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Wrote ${Buffer.byteLength(content, "utf8")} bytes to ${target}`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd, "FILE_WRITE_ERROR", e.message, backup);
+  }
+}
+function doPatch(cmd, target, payload) {
+  const content = payload.content;
+  if (content === void 0 || content === null) {
+    return fail(cmd, "FILE_MISSING_CONTENT", "payload.content is required for patch");
+  }
+  const backup = tryBackup(target);
+  try {
+    atomicWriteFileSync(target, content, { encoding: "utf8" });
+    return {
+      adapter: "file",
+      action: "patch",
+      commandId: cmd.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Patched ${target} (${Buffer.byteLength(content, "utf8")} bytes)`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd, "FILE_PATCH_ERROR", e.message, backup);
+  }
+}
+function doDelete(cmd, target) {
+  if (!fs6.existsSync(target)) return fail(cmd, "FILE_NOT_FOUND", `Not found: ${target}`);
+  const backup = tryBackup(target);
+  try {
+    fs6.unlinkSync(target);
+    return {
+      adapter: "file",
+      action: "delete",
+      commandId: cmd.commandId,
+      status: "completed",
+      target,
+      backup: summariseBackup(backup),
+      output: `Deleted ${target}`,
+      exitCode: 0
+    };
+  } catch (e) {
+    restoreBackup(backup);
+    return fail(cmd, "FILE_DELETE_ERROR", e.message, backup);
+  }
+}
+function tryBackup(target) {
+  try {
+    return createBackup(target);
+  } catch {
+    return null;
+  }
+}
+
+// src/adapters/index.js
+var ADAPTERS = {
+  noop: noopAdapter,
+  shell: shellAdapter,
+  file: fileAdapter
+};
+function getAdapter(name) {
+  return ADAPTERS[name];
+}
+async function executeAdapter(adapterName, cmd, policy, requester) {
+  const adapter = getAdapter(adapterName);
+  if (!adapter) {
+    return {
+      adapter: adapterName,
+      commandId: cmd.commandId,
+      status: "error",
+      error: `Adapter '${adapterName}' not found`,
+      exitCode: 1
+    };
+  }
+  try {
+    return await adapter(cmd, policy, requester);
+  } catch (err) {
+    return {
+      adapter: adapterName,
+      commandId: cmd.commandId,
+      status: "error",
+      error: `Adapter execution failed: ${err.message}`,
+      exitCode: 9
+    };
+  }
+}
+var AVAILABLE_ADAPTERS = Object.keys(ADAPTERS);
+
+// src/core/auditLog.js
+import fs7 from "fs";
+import path8 from "path";
+import crypto3 from "crypto";
+function sha256(str) {
+  return crypto3.createHash("sha256").update(str).digest("hex");
+}
+function getLastHash(logPath) {
+  try {
+    if (!fs7.existsSync(logPath)) return "GENESIS";
+    const content = fs7.readFileSync(logPath, "utf8").trim();
+    if (!content) return "GENESIS";
+    const lines = content.split("\n");
+    const lastLine = lines[lines.length - 1];
+    try {
+      const lastEntry = JSON.parse(lastLine);
+      return lastEntry.hash || "GENESIS";
+    } catch (err) {
+      return "GENESIS";
+    }
+  } catch (err) {
+    return "GENESIS";
+  }
+}
+function appendAudit(logPath, entry) {
+  const dir = path8.dirname(logPath);
+  if (!fs7.existsSync(dir)) {
+    fs7.mkdirSync(dir, { recursive: true });
+  }
+  let result;
+  withFileLock(logPath, () => {
+    const prevHash = getLastHash(logPath);
+    const record = {
+      ...entry,
+      prevHash,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    delete record.hash;
+    const recordStr = JSON.stringify(record);
+    const hash = sha256(recordStr);
+    const final = JSON.stringify({ ...record, hash });
+    let existingContent = "";
+    if (fs7.existsSync(logPath)) {
+      existingContent = fs7.readFileSync(logPath, "utf8");
+    }
+    try {
+      atomicWriteFileSync(logPath, existingContent + final + "\n", { encoding: "utf8" });
+    } catch (err) {
+      throw new Error(`Audit log write failed: ${err.message}`);
+    }
+    result = {
+      success: true,
+      hash,
+      prevHash,
+      message: "Audit entry appended"
+    };
+  });
+  return result;
+}
+function verifyAuditLogIntegrity(logPath, options = {}) {
+  const failFast = options.failFast !== false;
+  const maxEntries = Number.isFinite(options.maxEntries) && options.maxEntries > 0 ? Math.floor(options.maxEntries) : null;
+  const response = {
+    ok: true,
+    file: path8.resolve(logPath),
+    entries: 0,
+    valid: true,
+    firstInvalidIndex: null,
+    reason: null,
+    errors: [],
+    message: "Audit log verified"
+  };
+  try {
+    if (!fs7.existsSync(logPath)) {
+      response.message = "Audit log file not found (treated as empty)";
+      return response;
+    }
+    const raw = fs7.readFileSync(logPath, "utf8").trim();
+    if (!raw) {
+      response.message = "Empty audit log";
+      return response;
+    }
+    const allLines = raw.split("\n");
+    const lines = maxEntries ? allLines.slice(0, maxEntries) : allLines;
+    response.entries = lines.length;
+    let expectedPrevHash = "GENESIS";
+    for (let i = 0; i < lines.length; i++) {
+      let entry;
+      try {
+        entry = JSON.parse(lines[i]);
+      } catch {
+        const errObj = {
+          index: i,
+          reason: "INVALID_JSON_LINE",
+          message: `Line ${i} is not valid JSON`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+        continue;
+      }
+      if (entry.prevHash !== expectedPrevHash) {
+        const errObj = {
+          index: i,
+          reason: "PREV_HASH_MISMATCH",
+          message: `Expected prevHash '${expectedPrevHash}', got '${entry.prevHash}'`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+      }
+      const recordCopy = { ...entry };
+      const recordHash = recordCopy.hash;
+      delete recordCopy.hash;
+      const expectedHash = sha256(JSON.stringify(recordCopy));
+      if (recordHash !== expectedHash) {
+        const errObj = {
+          index: i,
+          reason: "HASH_MISMATCH",
+          message: `Expected hash '${expectedHash}', got '${recordHash}'`
+        };
+        response.valid = false;
+        response.ok = false;
+        response.firstInvalidIndex ??= i;
+        response.reason ??= errObj.reason;
+        response.errors.push(errObj);
+        if (failFast) break;
+      }
+      expectedPrevHash = recordHash;
+    }
+    response.message = response.valid ? `Audit log verified: ${response.entries} entries` : `Audit log integrity failed at index ${response.firstInvalidIndex}`;
+    return response;
+  } catch (err) {
+    return {
+      ok: false,
+      file: path8.resolve(logPath),
+      entries: 0,
+      valid: false,
+      firstInvalidIndex: null,
+      reason: "AUDIT_VERIFY_ERROR",
+      errors: [{ index: null, reason: "AUDIT_VERIFY_ERROR", message: err.message }],
+      message: `Integrity check failed: ${err.message}`
+    };
+  }
+}
+
+// src/core/localPolicy.js
+import fs8 from "fs";
+import path9 from "path";
+import crypto4 from "crypto";
+var POLICY_FILE = "lbe.policy.json";
+var AUDIT_FILE = "lbe.audit.jsonl";
+function glob(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  return new RegExp("^" + escaped.replace(/\*\*\//g, "(?:.*/)?").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*") + "$");
+}
+function relative(root, value) {
+  const rel = path9.relative(root, path9.resolve(value));
+  return rel.split(path9.sep).join("/");
+}
+function localPolicyPaths(rootDir) {
+  const root = path9.resolve(rootDir || process.cwd());
+  return { root, policyPath: path9.join(root, POLICY_FILE), auditPath: path9.join(root, AUDIT_FILE) };
+}
+function loadLocalPolicy(rootDir, mode = "observe") {
+  const paths = localPolicyPaths(rootDir);
+  if (!fs8.existsSync(paths.policyPath)) {
+    return { ...paths, policy: { version: 1, mode, workspace: paths.root, rules: [] } };
+  }
+  const policy = JSON.parse(fs8.readFileSync(paths.policyPath, "utf8"));
+  if (policy?.version !== 1 || !["observe", "enforce"].includes(policy.mode) || !Array.isArray(policy.rules)) {
+    throw new Error(`Invalid ${POLICY_FILE}`);
+  }
+  return { ...paths, policy };
+}
+function writeLocalPolicy(rootDir, policy) {
+  const { policyPath, root } = localPolicyPaths(rootDir);
+  const next = { ...policy, version: 1, workspace: root, rules: Array.isArray(policy.rules) ? policy.rules : [] };
+  atomicWriteFileSync(policyPath, JSON.stringify(next, null, 2) + "\n", { encoding: "utf8" });
+  return next;
+}
+function addLocalPolicyRule(rootDir, rule, mode) {
+  if (!rule || !["allow", "deny"].includes(rule.effect) || !["path", "command"].includes(rule.type) || typeof rule.pattern !== "string" || !rule.pattern || typeof rule.from !== "string" || !rule.from) {
+    throw new Error("Rule requires effect, type, pattern, and from");
+  }
+  const loaded = loadLocalPolicy(rootDir, mode);
+  const entry = {
+    id: rule.id || crypto4.randomUUID(),
+    effect: rule.effect,
+    type: rule.type,
+    pattern: rule.pattern,
+    from: rule.from,
+    at: rule.at || (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeLocalPolicy(loaded.root, { ...loaded.policy, mode: mode || loaded.policy.mode, rules: [...loaded.policy.rules, entry] });
+  return { id: entry.id, added: true, rule: entry };
+}
+function proposePolicyRule(rule) {
+  return { ...rule, proposed: true, at: (/* @__PURE__ */ new Date()).toISOString() };
+}
+function evaluateLocalPolicy(policy, rootDir, { target, command } = {}) {
+  const root = path9.resolve(rootDir);
+  const candidates = [];
+  if (target) candidates.push({ type: "path", value: relative(root, target) });
+  if (command) candidates.push({ type: "command", value: command });
+  const matched = policy.rules.filter((rule) => candidates.some((c) => c.type === rule.type && glob(rule.pattern).test(c.value)));
+  const denied = matched.filter((rule) => rule.effect === "deny");
+  return { allowed: denied.length === 0, matched, winningRules: denied.length ? denied : matched.filter((r) => r.effect === "allow"), reason: denied.length ? "LOCAL_POLICY_DENY" : null };
+}
+function auditLocalPolicy(rootDir, entry) {
+  const { auditPath } = localPolicyPaths(rootDir);
+  appendAudit(auditPath, { kind: "local_policy", timestamp: (/* @__PURE__ */ new Date()).toISOString(), ...entry });
+}
+
+// src/exec/localExecutor.js
+var INTENTS = {
+  read_file: { id: "READ_FILE", adapter: "file", action: "read" },
+  write_file: { id: "WRITE_FILE", adapter: "file", action: "write" },
+  patch_file: { id: "PATCH_FILE", adapter: "file", action: "patch" },
+  delete_file: { id: "DELETE_FILE", adapter: "file", action: "delete" },
+  run_shell: { id: "RUN_SHELL", adapter: "shell", action: "run" }
+};
+var MUTATIONS = /* @__PURE__ */ new Set(["write_file", "patch_file", "delete_file"]);
+function error(code, message, recoverable = false) {
+  return { ok: false, decision: "deny", executed: false, dryRun: false, error: { code, message, recoverable } };
+}
+function commandPolicy(rootDir, actor, shell = {}) {
+  const now = /* @__PURE__ */ new Date();
+  const expires = new Date(now.getTime() + 365 * 24 * 60 * 60 * 1e3);
+  return {
+    version: 1,
+    default: "DENY",
+    requesters: {
+      [actor]: {
+        allowCommands: Object.values(INTENTS).map((item) => item.id),
+        allowAdapters: ["file", "shell"],
+        filesystem: { roots: [rootDir], denyPatterns: [] },
+        exec: { allowCmds: shell.allowCommands || [], denyCmds: shell.denyCommands || [] },
+        rateLimit: { windowSec: 60, maxRequests: shell.maxRequests || 60 }
+      }
+    },
+    security: { maxClockSkewSec: 600, defaultRateLimit: { windowSec: 60, maxRequests: 60 } },
+    _keyWindow: { notBefore: now.toISOString(), expiresAt: expires.toISOString() }
+  };
+}
+function physicalPath2(candidate) {
+  let current = path10.resolve(candidate);
+  const suffix = [];
+  while (!fs9.existsSync(current)) {
+    const parent = path10.dirname(current);
+    if (parent === current) break;
+    suffix.unshift(path10.basename(current));
+    current = parent;
+  }
+  try {
+    current = fs9.realpathSync(current);
+  } catch {
+  }
+  return path10.join(current, ...suffix);
+}
+function underRoot(candidate, root) {
+  const target = physicalPath2(candidate);
+  const resolvedRoot = physicalPath2(root);
+  return target === resolvedRoot || target.startsWith(resolvedRoot + path10.sep);
+}
+function normalize(rootDir, request, shell = {}) {
+  if (!request || typeof request !== "object") return { error: error("REQUEST_INVALID", "request must be an object") };
+  const detail = INTENTS[request.intent];
+  if (!detail) return { error: error("INTENT_UNSUPPORTED", `Unsupported intent '${request.intent}'`) };
+  const actor = typeof request.actor === "string" && request.actor ? request.actor : "agent:local";
+  let target = null;
+  if (detail.adapter === "file") {
+    if (typeof request.target !== "string" || !request.target) return { error: error("TARGET_REQUIRED", "target is required for file intents") };
+    target = path10.resolve(rootDir, request.target);
+    if (!underRoot(target, rootDir)) return { error: error("PATH_OUTSIDE_ROOT", "target is outside project root") };
+    if (["write_file", "patch_file"].includes(request.intent) && typeof request.content !== "string") {
+      return { error: error("CONTENT_REQUIRED", "content is required for write and patch") };
+    }
+  }
+  let command = null;
+  if (detail.adapter === "shell") {
+    command = request.command;
+    if (!command || typeof command.cmd !== "string" || !Array.isArray(command.args) || command.args.some((arg) => typeof arg !== "string")) {
+      return { error: error("COMMAND_INVALID", "command requires cmd and string args") };
+    }
+    const cwd = path10.resolve(rootDir, command.cwd || ".");
+    if (!underRoot(cwd, rootDir)) return { error: error("CWD_OUTSIDE_ROOT", "command cwd is outside project root") };
+    if (!Array.isArray(shell.allowCommands) || !shell.allowCommands.includes(command.cmd)) {
+      return { error: error("SHELL_NOT_ALLOWLISTED", `command '${command.cmd}' is not explicitly allowlisted`) };
+    }
+    if (shell.denyCommands?.includes(command.cmd)) return { error: error("SHELL_DENIED", `command '${command.cmd}' is denied`) };
+    command = { ...command, cwd, timeoutMs: Math.min(Math.max(command.timeoutMs || 3e4, 1), 3e4), maxOutputBytes: Math.min(Math.max(command.maxOutputBytes || 1024 * 1024, 1024), 1024 * 1024) };
+  }
+  return { actor, detail, target, command, request };
+}
+function envelope(normalized, keyId, secretKey) {
+  const { actor, detail, target, command, request } = normalized;
+  const body = {
+    id: detail.id,
+    risk: MUTATIONS.has(request.intent) ? "MEDIUM" : "LOW",
+    commandId: crypto5.randomUUID(),
+    requesterId: actor,
+    sessionId: "local-host",
+    timestamp: Math.floor(Date.now() / 1e3),
+    nonce: crypto5.randomBytes(32).toString("hex"),
+    requires: ["policy", "signature"],
+    payload: {
+      adapter: detail.adapter,
+      action: detail.action,
+      target,
+      content: request.content,
+      cmd: command?.cmd,
+      args: command?.args,
+      timeoutMs: command?.timeoutMs,
+      maxOutputBytes: command?.maxOutputBytes,
+      cwd: command?.cwd || (target ? path10.dirname(target) : process.cwd())
+    }
+  };
+  const signed = signEd25519({ payloadObj: body, secretKeyB64: secretKey });
+  if (signed.error) throw new Error(signed.error);
+  return { ...body, signature: { alg: "ed25519", keyId, sig: signed.signature } };
+}
+function createLocalExecutor(options = {}) {
+  const rootDir = path10.resolve(options.rootDir || process.cwd());
+  const keyId = options.keyId || "host:local-exec";
+  const keyPair = options.keyPair || generateKeyPair();
+  const shell = options.shell || {};
+  function prepare(request, { recordNonce = false } = {}) {
+    const normalized = normalize(rootDir, request, shell);
+    if (normalized.error) return normalized;
+    const local = loadLocalPolicy(rootDir, options.mode || "enforce");
+    const localDecision = evaluateLocalPolicy(local.policy, rootDir, { target: normalized.target, command: normalized.command?.cmd });
+    const localBlocked = local.policy.mode === "enforce" && !localDecision.allowed;
+    if (localBlocked) return { error: error("LOCAL_POLICY_DENY", `Blocked by rule(s): ${localDecision.winningRules.map((rule) => rule.id).join(", ")}`), local, localDecision, normalized };
+    const policy = commandPolicy(rootDir, normalized.actor, shell);
+    const keyStore = { defaultKeyId: keyId, trustedKeys: { [keyId]: { publicKey: keyPair.publicKey, notBefore: policy._keyWindow.notBefore, expiresAt: policy._keyWindow.expiresAt, deprecated: false } } };
+    delete policy._keyWindow;
+    const proposal = envelope(normalized, keyId, keyPair.secretKey);
+    const nonceDb = { entries: [] };
+    const validation = validateCommand({ commandObj: proposal, keyStore, nonceDb: recordNonce ? nonceDb : { entries: [] }, policy });
+    if (!validation.valid) return { error: error(validation.errors[0]?.type || "VALIDATION_FAILED", validation.errors[0]?.message || "Validation failed"), local, localDecision, normalized, proposal, policy, validation };
+    return { local, localDecision, normalized, proposal, policy, validation };
+  }
+  async function dryRun(request) {
+    const prepared = prepare(request);
+    if (prepared.error) return { ...prepared.error, dryRun: true };
+    return {
+      ok: true,
+      decision: prepared.local.policy.mode === "observe" ? "observe" : "allow",
+      executed: false,
+      dryRun: true,
+      matchedRules: prepared.localDecision.winningRules.map((rule) => rule.id),
+      rollback: { available: MUTATIONS.has(prepared.normalized.request.intent), performed: false }
+    };
+  }
+  async function execute(request) {
+    const prepared = prepare(request, { recordNonce: true });
+    if (prepared.error) {
+      auditLocalPolicy(rootDir, { action: request?.intent, actor: request?.actor || "agent:local", decision: "deny", error: prepared.error.error.code });
+      return prepared.error;
+    }
+    if (prepared.local.policy.mode === "observe") {
+      appendAudit(path10.join(rootDir, "lbe.audit.jsonl"), {
+        kind: "local_execution",
+        commandId: prepared.proposal.commandId,
+        requesterId: prepared.normalized.actor,
+        intent: prepared.normalized.request.intent,
+        decision: "observe",
+        status: "observed"
+      });
+      return {
+        ok: true,
+        decision: "observe",
+        executed: false,
+        dryRun: false,
+        matchedRules: prepared.localDecision.winningRules.map((r) => r.id),
+        rollback: { available: false, performed: false }
+      };
+    }
+    const requester = prepared.policy.requesters[prepared.normalized.actor];
+    const adapterResult = await executeAdapter(prepared.normalized.detail.adapter, prepared.proposal, prepared.policy, requester);
+    const ok = adapterResult.status === "completed";
+    const audit = appendAudit(path10.join(rootDir, "lbe.audit.jsonl"), {
+      kind: "local_execution",
+      commandId: prepared.proposal.commandId,
+      requesterId: prepared.normalized.actor,
+      intent: prepared.normalized.request.intent,
+      decision: ok ? "allow" : "deny",
+      status: adapterResult.status
+    });
+    return {
+      ok,
+      decision: ok ? "allow" : "deny",
+      executed: ok,
+      dryRun: false,
+      matchedRules: prepared.localDecision.winningRules.map((rule) => rule.id),
+      auditId: audit.hash,
+      rollback: { available: MUTATIONS.has(prepared.normalized.request.intent), performed: false, backupId: adapterResult.backup?.hash },
+      ...ok ? {} : { error: { code: adapterResult.errorCode || "EXECUTION_FAILED", message: adapterResult.error || "Execution failed", recoverable: true } }
+    };
+  }
+  return {
+    rootDir,
+    validate: async (request) => {
+      const preview = await dryRun(request);
+      return { ...preview, dryRun: false, executed: false };
+    },
+    dryRun,
+    execute,
+    policy: {
+      read: () => loadLocalPolicy(rootDir, options.mode || "enforce").policy,
+      proposeRule: proposePolicyRule,
+      addRule: (rule) => addLocalPolicyRule(rootDir, rule, options.mode || "enforce")
+    },
+    audit: { verify: () => verifyAuditLogIntegrity(path10.join(rootDir, "lbe.audit.jsonl")) }
+  };
+}
+export {
+  createLocalExecutor
+};