@lattices/cli 0.5.0 → 0.6.1

package/bin/lattices-app.ts

@@ -6,6 +6,7 @@ import { tmpdir } from "node:os";
 import { join, resolve } from "node:path";
 import { get } from "node:https";
 import type { IncomingMessage } from "node:http";
+import { resolveBuildEnv } from "./lattices-build-env";
 
 const __dirname = import.meta.dir;
 const appDir = resolve(__dirname, "../apps/mac");
@@ -37,6 +38,50 @@ function isRunning(): boolean {
   }
 }
 
+type RunningProcess = { pid: string; command: string };
+
+function runningLatticesProcesses(): RunningProcess[] {
+  let pids: string[];
+  try {
+    pids = execFileSync("pgrep", ["-x", "Lattices"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"],
+    }).trim().split(/\s+/).filter(Boolean);
+  } catch {
+    return [];
+  }
+
+  const processes: RunningProcess[] = [];
+  for (const pid of pids) {
+    try {
+      const command = execFileSync("ps", ["-p", pid, "-o", "command="], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "ignore"],
+      }).trim();
+      if (command) processes.push({ pid, command });
+    } catch {}
+  }
+  return processes;
+}
+
+function runningBundleProcesses(targetBundlePath = bundlePath): RunningProcess[] {
+  const executable = resolve(targetBundlePath, "Contents/MacOS/Lattices");
+  return runningLatticesProcesses().filter(({ command }) =>
+    command === executable || command.startsWith(`${executable} `)
+  );
+}
+
+function requireBundleNotRunningForBuild(): void {
+  const running = runningBundleProcesses();
+  if (!running.length) return;
+
+  console.error("Refusing to rebuild Lattices.app while that bundle is running.");
+  console.error("Rewriting or re-signing a live Mach-O can make macOS kill it later with Code Signature Invalid.");
+  console.error(`Running PID(s): ${running.map((proc) => proc.pid).join(", ")}`);
+  console.error("Use `lattices app restart` to quit, rebuild, and relaunch, or run `lattices app quit` before `lattices app build`.");
+  process.exit(1);
+}
+
 function sleep(ms: number): void {
   execFileSync("/bin/sleep", [(ms / 1000).toString()], { stdio: "ignore" });
 }
@@ -213,34 +258,73 @@ function resolveSigningIdentity(): string | null {
   }
 }
 
+function bundleTeamIdentifier(): string | null {
+  try {
+    const output = execSync(`codesign -dv '${bundlePath}' 2>&1`, { encoding: "utf8" });
+    const match = output.match(/TeamIdentifier=(.+)/);
+    const team = match?.[1]?.trim();
+    return team && team !== "not set" ? team : null;
+  } catch {
+    return null;
+  }
+}
+
+function runCodesign(args: string[]): void {
+  try {
+    execFileSync("codesign", args, { stdio: "pipe" });
+  } catch (error) {
+    const stderr = (error as { stderr?: Buffer | string }).stderr;
+    const detail = stderr ? `\n${String(stderr).trim()}` : "";
+    throw new Error(`codesign ${args.join(" ")}${detail}`);
+  }
+}
+
 function signBundle(): void {
   const identity = resolveSigningIdentity();
-  const entFlag = existsSync(entitlementsPath) ? ` --entitlements '${entitlementsPath}'` : "";
+  const entitlements = existsSync(entitlementsPath) ? entitlementsPath : null;
   const tempBinaryPath = `${binaryPath}.cstemp`;
 
   try {
     if (existsSync(tempBinaryPath)) rmSync(tempBinaryPath, { force: true });
   } catch {}
 
+  const sign = (signer: string, label: string) => {
+    // Sign the Mach-O first, then the bundle — more reliable than --deep and
+    // keeps a stable TeamIdentifier so macOS TCC grants survive rebuilds.
+    const binaryArgs = ["--force", "--options", "runtime", "--sign", signer];
+    if (entitlements) binaryArgs.push("--entitlements", entitlements);
+    binaryArgs.push(binaryPath);
+    runCodesign(binaryArgs);
+
+    const bundleArgs = ["--force", "--options", "runtime", "--sign", signer];
+    if (entitlements) bundleArgs.push("--entitlements", entitlements);
+    bundleArgs.push("--identifier", "dev.lattices.app", bundlePath);
+    runCodesign(bundleArgs);
+
+    const team = bundleTeamIdentifier();
+    if (team) {
+      console.log(`Signed (${label}) — TeamIdentifier=${team}`);
+      return;
+    }
+    if (label === "ad-hoc") return;
+    throw new Error(`codesign reported no TeamIdentifier after ${label} signing`);
+  };
+
   if (identity) {
     console.log(`Signing with: ${identity}`);
     try {
-      execSync(
-        `codesign --force --options runtime --deep --sign '${identity}'${entFlag} --identifier dev.lattices.app '${bundlePath}'`,
-        { stdio: "pipe" }
-      );
+      sign(identity, "developer");
       return;
-    } catch {
-      console.log(`Warning: signing with '${identity}' failed — falling back to ad-hoc.`);
+    } catch (error) {
+      console.log(`Warning: signing with '${identity}' failed — ${(error as Error).message}`);
+      console.log("Warning: falling back to ad-hoc. Privacy permissions will not persist across rebuilds.");
     }
   } else {
     console.log("Warning: no local signing identity found — falling back to ad-hoc.");
+    console.log("Warning: grant Accessibility/Screen Recording again after each rebuild, or install a signing cert.");
   }
 
-  execSync(
-    `codesign --force --options runtime --deep --sign -${entFlag} --identifier dev.lattices.app '${bundlePath}'`,
-    { stdio: "pipe" }
-  );
+  sign("-", "ad-hoc");
 
   try {
     if (existsSync(tempBinaryPath)) rmSync(tempBinaryPath, { force: true });
@@ -313,6 +397,8 @@ ${buildMetadata}    <key>LSMinimumSystemVersion</key>
     <true/>
     <key>NSHighResolutionCapable</key>
     <true/>
+    <key>NSMicrophoneUsageDescription</key>
+    <string>Lattices uses the microphone for Hudson Voice dictation and voice commands.</string>
     <key>NSSupportsAutomaticTermination</key>
     <true/>
 </dict>
@@ -329,6 +415,14 @@ function syncBundleResources(): void {
   if (existsSync(tapSoundPath)) {
     execSync(`cp '${tapSoundPath}' '${resolve(resourcesDir, "tap.wav")}'`);
   }
+  // Bundle the assistant knowledge base so the in-app chat assistant can load it
+  // in shipped builds (dev builds fall back to the repo docs/ path).
+  const assistantDoc = resolve(cliRoot, "docs/assistant-knowledge.md");
+  if (existsSync(assistantDoc)) {
+    const docsDir = resolve(resourcesDir, "docs");
+    mkdirSync(docsDir, { recursive: true });
+    execSync(`cp '${assistantDoc}' '${resolve(docsDir, "assistant-knowledge.md")}'`);
+  }
 }
 
 // ── Build from source (current arch only) ────────────────────────────
@@ -339,6 +433,10 @@ function buildFromSource(): boolean {
     execSync("swift build -c release", {
       cwd: appDir,
       stdio: "inherit",
+      // Build features are declared in apps/mac/build.json and resolved to the
+      // HUDSONKIT_WITH_* env HudsonKit gates on — one source of truth across
+      // every build entrypoint (see bin/lattices-build-env.ts).
+      env: { ...process.env, ...resolveBuildEnv() },
     });
   } catch {
     return false;
@@ -466,7 +564,7 @@ async function ensureBinary(): Promise<void> {
   console.error(
     "Could not find a bundled lattices app or download one.\n" +
     "Options:\n" +
-    "  \u2022 Reinstall or update @lattices/cli\n" +
+    "  \u2022 Reinstall or update @arach/lattices\n" +
     "  \u2022 Developers can build from source with: lattices-app build\n" +
     "  \u2022 Download manually from:   https://github.com/" + REPO + "/releases"
   );
@@ -517,6 +615,7 @@ const shouldDetachUpdate = flags.includes("--detach");
 const isUpdateWorker = flags.includes("--worker");
 
 if (cmd === "build") {
+  requireBundleNotRunningForBuild();
   if (!hasSwift()) {
     console.error("Swift is required. Install with: xcode-select --install");
     process.exit(1);

package/bin/lattices-build-env.ts

@@ -0,0 +1,77 @@
+#!/usr/bin/env bun
+/**
+ * lattices-build-env — declarative build-feature resolver.
+ *
+ * Mirrors openscout's `hkit` style: an app names *features* in a manifest
+ * (apps/mac/build.json), never raw env vars. The feature → build-env mapping
+ * lives in the catalog below, so every build entrypoint (package / dev / dist)
+ * resolves the same way from one source of truth, instead of each hardcoding
+ * its own `HUDSONKIT_WITH_*` flags.
+ *
+ *   import { resolveBuildEnv } from "./lattices-build-env";  // TS callers
+ *   eval "$(bun bin/lattices-build-env.ts shell)"            // bash callers
+ *   bun bin/lattices-build-env.ts json                       // inspect
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+
+// Feature catalog: feature name -> build env HudsonKit gates on at SwiftPM
+// manifest-eval time. HudsonVoice (Vox/Parakeet dictation) is an optional
+// backend HudsonKit only declares when HUDSONKIT_WITH_VOICE=1 is set at build
+// time. Name a *feature* here; never sprinkle the env var across build scripts.
+export const FEATURE_CATALOG: Record<string, { env: Record<string, string>; note: string }> = {
+  voice: { env: { HUDSONKIT_WITH_VOICE: "1" }, note: "HudsonVoice — Vox/Parakeet dictation" },
+};
+
+export interface BuildManifest {
+  app?: string;
+  features?: string[];
+}
+
+const MANIFEST_PATH = join(import.meta.dir, "../apps/mac/build.json");
+
+export function loadManifest(path = MANIFEST_PATH): BuildManifest {
+  if (!existsSync(path)) return {};
+  return JSON.parse(readFileSync(path, "utf8")) as BuildManifest;
+}
+
+export function resolveFeatureEnv(features: string[] = []): Record<string, string> {
+  const env: Record<string, string> = {};
+  for (const f of features) {
+    const entry = FEATURE_CATALOG[f];
+    if (!entry) {
+      throw new Error(
+        `unknown build feature "${f}" — known features: ${Object.keys(FEATURE_CATALOG).join(", ")}`,
+      );
+    }
+    Object.assign(env, entry.env);
+  }
+  return env;
+}
+
+/** Resolve the manifest's declared features into a build-env map. */
+export function resolveBuildEnv(manifestPath?: string): Record<string, string> {
+  const features = loadManifest(manifestPath).features ?? [];
+  const env = resolveFeatureEnv(features);
+  // HudsonKit enables HudsonVoice by default; opt out unless the voice feature is declared.
+  if (!features.includes("voice")) {
+    env.HUDSONKIT_WITH_VOICE = "0";
+  }
+  return env;
+}
+
+// --- CLI: emit the resolved env for shell / json consumers -------------------
+if (import.meta.main) {
+  const mode = process.argv[2] ?? "shell";
+  const env = resolveBuildEnv();
+  if (mode === "json") {
+    console.log(JSON.stringify(env, null, 2));
+  } else if (mode === "shell") {
+    // eval-able by bash: `eval "$(bun bin/lattices-build-env.ts shell)"`
+    for (const [k, v] of Object.entries(env)) console.log(`export ${k}=${JSON.stringify(v)}`);
+  } else {
+    console.error(`lattices-build-env: unknown mode "${mode}" (use: shell | json)`);
+    process.exit(1);
+  }
+}

package/bin/lattices-dev

@@ -105,8 +105,9 @@ clear_lattices_drag_cache() {
     done
 }
 
-is_install_bundle_running() {
-    local target="$INSTALL_BUNDLE/Contents/MacOS/Lattices"
+is_bundle_running() {
+    local bundle="$1"
+    local target="$bundle/Contents/MacOS/Lattices"
     local pid args
 
     while IFS= read -r pid; do
@@ -120,6 +121,26 @@ is_install_bundle_running() {
     return 1
 }
 
+is_install_bundle_running() {
+    is_bundle_running "$INSTALL_BUNDLE"
+}
+
+require_build_targets_not_running() {
+    if is_bundle_running "$BUNDLE"; then
+        red "Refusing to rebuild the repo-local app artifact while it is running."
+        dim "Rewriting or re-signing a live Mach-O can make macOS kill it later with Code Signature Invalid."
+        dim "Use \`lattices-dev restart\` to quit, rebuild, and relaunch."
+        exit 1
+    fi
+
+    if is_install_bundle_running; then
+        red "Refusing to install over the running dev app bundle."
+        dim "Rewriting or re-signing a live Mach-O can make macOS kill it later with Code Signature Invalid."
+        dim "Use \`lattices-dev restart\` or \`lattices app restart\` to quit, rebuild, and relaunch."
+        exit 1
+    fi
+}
+
 write_info_plist() {
     mkdir -p "$BUNDLE/Contents"
     cat > "$BUNDLE/Contents/Info.plist" <<PLIST
@@ -168,6 +189,8 @@ write_info_plist() {
     <true/>
     <key>NSHighResolutionCapable</key>
     <true/>
+    <key>NSMicrophoneUsageDescription</key>
+    <string>Lattices uses the microphone for Hudson Voice dictation and voice commands.</string>
     <key>NSSupportsAutomaticTermination</key>
     <true/>
 </dict>
@@ -177,6 +200,10 @@ PLIST
 
 cmd_build() {
     echo "Building dev app..."
+    require_build_targets_not_running
+    # Build features are declared in apps/mac/build.json and resolved to the
+    # HUDSONKIT_WITH_* env HudsonKit gates on (see bin/lattices-build-env.ts).
+    eval "$(bun "$ROOT/bin/lattices-build-env.ts" shell)"
     cd "$APP_DIR" && swift build -c release
     # Build into a repo-local dev artifact, then install to a stable app path
     # that macOS permissions can trust across rebuilds.