{"slug": "lbe-open-source-execution-control-layer-for-ai-agents", "title": "LBE – open-source execution control layer for AI agents", "summary": "Letterblack released LBE, an open-source execution control layer for AI agents that validates every action locally before execution, enforcing policy gates without cloud dependencies. The tool, already used in production for Letterblack for After Effects, provides a 7-gate pipeline for schema, timestamp, key lifecycle, signature, rate limit, nonce, and policy checks, with observer and enforce modes.", "body_md": "LBE puts a local policy gate between what an AI agent proposes and what the system actually executes. Every action — file write, shell command, anything — is validated locally before it runs. No cloud service. No daemon.\n\nUsed in production:LBE is the safety engine inside[Letterblack for After Effects]— every AI-generated script and automation command passes through it before touching a live project.\n\n| I want… | Package |\n|---|---|\n| LBE to handle file writes and shell commands for me (full controller) | `@letterblack/lbe-exec` |\n| Just the allow/deny decision — I'll execute it myself | `@letterblack/lbe-sdk` ← you are here |\n\n```\nnpm install @letterblack/lbe-sdk\n```\n\nRequires Node.js ≥ 20.9.0.\n\n``` js\nimport { execute } from '@letterblack/lbe-sdk';\n\nconst request = {\n version: '1.0',\n request_id: 'req-001',\n timestamp: Math.floor(Date.now() / 1000),\n actor: { id: 'agent:local', role: 'agent' },\n intent: { type: 'command', name: 'write_file', payload: { target: 'out.txt' } },\n context: { workspace: process.cwd(), env: {}, history: [] },\n constraints: { policy_mode: 'strict', timeout_ms: 5000 },\n auth: { signature: '', nonce: '' }\n};\n\nconst result = JSON.parse(execute(JSON.stringify(request)));\n// Approved: { ok: true, decision: 'allow', ... }\n// Blocked: { ok: false, decision: 'deny', error: { stage, message } }\n```\n\n`execute(input: string): string`\n\n— accepts JSON, returns JSON. The runtime validates and returns a decision. The host acts on the decision.\n\n| Field | Required | Description |\n|---|---|---|\n`version` |\nYes | `\"1.0\"` |\n`request_id` |\nYes | Caller-supplied unique identifier |\n`timestamp` |\nYes | Unix timestamp in seconds |\n`actor` |\nYes | `{ id, role }` — identity of the requesting agent |\n`intent` |\nYes | `{ type, name, payload }` — what the agent wants to do |\n`context` |\nYes | Workspace path and caller context |\n`constraints` |\nYes | `policy_mode` and `timeout_ms` |\n`auth` |\nYes | Host-supplied `signature` and `nonce` |\n\nNot ready to block? Start in observer mode. Every request is fully validated and logged exactly as it would be in enforcement — but nothing is blocked. Watch what the agent is doing before you decide what to deny.\n\n```\nnpx lbe init # create lbe.policy.json in observer mode\nnpx lbe enforce # switch to blocking\nnpx lbe observe # switch back to advisory\n```\n\n| Command | Purpose |\n|---|---|\n`npx lbe init` |\nCreate project-local policy and key state in observer mode |\n`npx lbe policy-add` |\nAdd a rule to the active policy |\n`npx lbe observe` |\nSet advisory (log-only) mode |\n`npx lbe enforce` |\nSet blocking mode |\n`npx lbe run` |\nValidate and execute a proposal from `--in ` |\n`npx lbe verify` |\nValidate a proposal without executing |\n`npx lbe dryrun` |\nValidate and simulate without executing |\n`npx lbe health` |\nCheck all required files are present and readable |\n`npx lbe audit-verify` |\nVerify the audit log hash chain |\n\nEvery request enters a 7-gate pipeline. A failure at any gate returns a structured denial — the remaining gates are not evaluated.\n\n```\n[1] Schema required fields and structural validity\n ↓\n[2] Timestamp permitted clock-skew window (±10 minutes)\n ↓\n[3] Key lifecycle trusted key, active, not expired\n ↓\n[4] Signature Ed25519 request authenticity\n ↓\n[5] Rate limit per-requester sliding-window limit\n ↓\n[6] Nonce single-use replay protection\n ↓\n[7] Policy configured authorization (deny-wins)\n ↓\n allow / deny / error — structured result returned to host\n```\n\nThe WASM runtime owns all gate decisions. Your host receives the decision and acts on it. Nothing executes inside the runtime.\n\n- The agent produces a signed action proposal.\n- Identity is confirmed against a locally held key — no network call required.\n- The project policy is evaluated. The action is approved.\n- The host executes the write or command inside the allowed workspace.\n- The audit chain is extended — every approved action appends a hash-linked entry to the local log, permanently verifiable, impossible to silently remove.\n- A structured result returns: whether it succeeded, which rules matched, and the audit entry identifier.\n\nThe application stays in control. @letterblack/lbe-sdk decides whether the action was permitted and hands the answer back. It does not execute for you.\n\n- The agent attempts an action — whether by mistake, misconfiguration, or a deliberate bypass attempt.\n- The policy gate closes immediately. The WASM runtime stamps the request denied before any adapter is reached.\n- The shell is untouched. The filesystem is unchanged.\n- The denial is written to the immutable audit log — chain sealed, evidence preserved.\n\nNo partial execution. No silent failures. Denial is a first-class outcome, not an error.\n\n| Threat | Gate |\n|---|---|\n| Malformed or incomplete request | Schema |\n| Stale or replayed request | Timestamp + Nonce |\n| Tampered or expired key | Key lifecycle + Signature |\n| Excessive requests from one actor | Rate limit |\n| Action not permitted by project policy | Policy — deny-wins |\n| Agent writing outside project root | Scope check in host after decision |\n\n```\ndist/index.js WebAssembly runtime loader and execute()\ndist/cli.js Local CLI (npx lbe)\ndist/lbe_engine.wasm Verified runtime binary\ndist/wasm.lock.json Runtime integrity lock (SHA-256 of wasm binary)\nassets/lbe-gates.jpg Gate sequence diagram\nassets/story-allow.jpg Approved-request storyboard\nassets/story-deny.jpg Blocked-request storyboard\nassets/runtime-boundary.svg Runtime boundary diagram\nassets/lbe-gates.png Gate sequence diagram (full resolution)\nassets/story-allow.png Approved-request storyboard (full resolution)\nassets/story-deny.png Blocked-request storyboard (full resolution)\ntypes.d.ts TypeScript declarations\n```\n\nAt load time the runtime verifies `lbe_engine.wasm`\n\nagainst `wasm.lock.json`\n\n. A missing, modified, or swapped binary fails before any request is processed.\n\nSource code, controller implementation, adapters, tests, keys, and runtime state are not included.\n\nThis package validates requests routed through its runtime. It does not provide kernel-level process isolation, network-egress control, multi-tenant separation, or a hosted control plane.\n\nFor an in-process controller with file operations, shell, and policy management built in, see `@letterblack/lbe-exec`\n\n.", "url": "https://wpnews.pro/news/lbe-open-source-execution-control-layer-for-ai-agents", "canonical_source": "https://github.com/Letterblack0306/LetterBlack-Sentinel", "published_at": "2026-06-21 07:11:01+00:00", "updated_at": "2026-06-21 07:36:59.656909+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools"], "entities": ["Letterblack", "LBE", "After Effects", "Node.js"], "alternates": {"html": "https://wpnews.pro/news/lbe-open-source-execution-control-layer-for-ai-agents", "markdown": "https://wpnews.pro/news/lbe-open-source-execution-control-layer-for-ai-agents.md", "text": "https://wpnews.pro/news/lbe-open-source-execution-control-layer-for-ai-agents.txt", "jsonld": "https://wpnews.pro/news/lbe-open-source-execution-control-layer-for-ai-agents.jsonld"}}