livepilot 1.9.11 → 1.9.13

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
     {
       "name": "livepilot",
       "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
-      "version": "1.9.11",
+      "version": "1.9.13",
       "author": {
         "name": "Pilot Studio"
       },

package/AGENTS.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.11 — Ableton Live 12
+# LivePilot v1.9.13 — Ableton Live 12
 
 ## Project
 - **Repo:** This directory (LivePilot)

package/CHANGELOG.md

@@ -1,5 +1,55 @@
 # Changelog
 
+## 1.9.13 — Security Hardening + Startup Safety (April 2026)
+
+- Fix(P2): `--setup-flucoma` now pins to a known release tag (v1.0.7) instead of unpinned `latest`, prints SHA256 checksum for verification, and selects the platform-specific zip
+- Fix(P2): memory subsystem now uses lazy initialization — `TechniqueStore` defers directory creation to first tool call instead of blocking server startup when HOME is read-only
+- Fix(P3): `--status` and `--doctor` now return exit 0 when Ableton is reachable but another client is connected (STATE_ERROR = reachable, not failure)
+- Fix(P3): negative `limit` values on `memory_recall` and `memory_list` now raise `ValueError` instead of using Python negative slicing
+- Fix: Remote Script no longer logs "Server started" before bind succeeds — "Listening on..." is logged from the server loop after successful bind
+- Fix: `requirements.txt` now documents dev dependencies (pytest, pytest-asyncio) as comments
+- Verification: 145 tests passing, 178 tools confirmed
+
+## 1.9.12 — Deep Audit: 21 Fixes Across 15 Files (April 2026)
+
+**Full codebase audit — 5 critical, 10 important, 6 doc/test fixes.**
+
+### Critical Fixes
+- Fix(P1): `capture_stop` no longer deadlocks — `cancel_capture_future` removed lock acquisition that blocked behind `send_capture`
+- Fix(P1): `import_midi_to_clip` now distinguishes empty-slot NOT_FOUND from INDEX_ERROR/TIMEOUT instead of swallowing all AbletonConnectionErrors
+- Fix(P1): capture audio files now write to `~/Documents/LivePilot/captures/` (stable path) instead of beside the .amxd preset
+- Fix(P1): `check_flucoma` now uses `Folder.end` to detect FluCoMa — `typelist` check was always true
+- Fix(P1): CI workflow updated to `actions/checkout@v4` + `actions/setup-python@v5` (v6 doesn't exist)
+
+### Safety & Validation
+- Fix(P2): 5 automation tools now validate `track_index >= 0` and `clip_index >= 0` (matching all peer modules)
+- Fix(P2): `cmd_stop_scrub` now checks `cursor_a.id === 0` for empty clip slots (matching all peer bridge functions)
+- Fix(P2): `cmd_get_selected` now resolves return tracks (negative indices) and master track (-1000)
+- Fix(P2): `duplicate_track` uses count-before/after delta for correct group track duplication index
+- Fix(P2): `create_arrangement_clip` locates first clip by `start_time` instead of stale index after trim pass
+- Fix(P2): `get_session_info` reuses already-built lists instead of re-iterating `song.tracks`/`song.scenes`
+- Fix(P2): client disconnect race — socket now closes before clearing `_client_connected` flag
+
+### Tests
+- Fix: transport validation tests now import production `_validate_tempo`/`_validate_time_signature` instead of testing local copies
+- Fix: added `load_sample_to_simpler` to analyzer tool contract (was 28/29)
+- Fix: removed duplicate `test_release_quick_verify_checks_both_plugin_manifests`
+- New: 5 automation negative tests (index validation, parameter_type validation)
+
+### Documentation
+- Fix: `docs/manual/index.md` domain map — Tracks 14→17, Devices 12→15, Scenes 8→12
+- Fix: README perception split — 145+33 → 149+29 (actual analyzer tool count is 29)
+- Fix: M4L_BRIDGE.md command count — 22→28 (6 commands undocumented)
+- Fix: tool-reference.md MIDI docs — `export_clip_midi` and `import_midi_to_clip` parameter tables matched to actual signatures
+
+### Deferred (documented, low-impact)
+- Timed-out commands still execute on main thread (needs cancellation token redesign)
+- Chunked UDP reassembly fragile on packet loss (loopback mitigates)
+- Diatonic transpose octave correction edge case (needs musical test suite)
+- `cmd_map_plugin_param` reports false success (LiveAPI lacks Configure mapping API)
+
+Verification: 145 tests passing (non-fastmcp), 178 tools confirmed, 15 files changed
+
 ## 1.9.11 — Session Diagnostics + Client Conflict Clarity (March 2026)
 
 **Live-tested against the open Ableton set after reloading the updated Remote Script.**
@@ -11,6 +61,13 @@
 - Fix(P2): `--status` and TCP timeout paths now explain when another LivePilot client appears to be connected instead of only reporting a generic timeout
 - Docs: beat/sounddesign/core skill guidance now includes device-health checks, sample-dependent plugin cautions, and pitch-audit discipline from the live stress-test sessions
 - Verification: `292 passed`, `npm pack --dry-run` passed, live set diagnostics succeeded, analyzer bridge streamed on the master track, and conflict reproduction now reports the competing client PID
+- Fix(P1): brownian automation curve reflection loop now has 100-iteration guard with hard clamp fallback — high volatility values could previously hang the server
+- Fix(P1): schema coercion now recurses into array `items` so `list[float]` params benefit from string-to-number widening for MCP clients that serialize as strings
+- Fix(P1): `apply_automation_shape` and `apply_automation_recipe` now validate `parameter_type` and required companion params before sending to Ableton
+- Fix(P2): Remote Script `AssertionError` fallbacks now return STATE_ERROR instead of running LOM calls on the TCP thread during ControlSurface disconnection
+- Fix(P2): M4L bridge ping version corrected to 1.9.11; `check_flucoma` now probes disk for FluCoMa package instead of returning hardcoded `true`
+- Verification: deep audit across 45+ files (3 parallel agents), 292 unit tests + 15 live integration tests against Ableton session, all passing
+
 ## 1.9.10 — Analyzer Capture Finalization + Release Sync (March 2026)
 
 **Live-tested in Ableton after a full analyzer rebuild and master-track validation.**

package/README.md

@@ -1,10 +1,11 @@
-<p align="center">
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="docs/assets/banner-dark.svg">
-    <source media="(prefers-color-scheme: light)" srcset="docs/assets/banner-light.svg">
-    <img alt="LivePilot" src="docs/assets/banner-light.svg" width="600">
-  </picture>
-</p>
+```
+██╗     ██╗██╗   ██╗███████╗██████╗ ██╗██╗      ██████╗ ████████╗
+██║     ██║██║   ██║██╔════╝██╔══██╗██║██║     ██╔═══██╗╚══██╔══╝
+██║     ██║██║   ██║█████╗  ██████╔╝██║██║     ██║   ██║   ██║
+██║     ██║╚██╗ ██╔╝██╔══╝  ██╔═══╝ ██║██║     ██║   ██║   ██║
+███████╗██║ ╚████╔╝ ███████╗██║     ██║███████╗╚██████╔╝   ██║
+╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝     ╚═╝╚══════╝ ╚═════╝    ╚═╝
+```
 
 <p align="center">
   <a href="https://github.com/dreamrec/LivePilot/actions"><img src="https://img.shields.io/github/actions/workflow/status/dreamrec/LivePilot/ci.yml?style=flat-square&label=CI" alt="CI"></a>
@@ -90,7 +91,7 @@ All three feed into 178 deterministic tools that execute on Ableton's main threa
 | Tracks | 17 | create MIDI/audio/return, delete, duplicate, arm, mute, solo, color, freeze, flatten |
 | Clips | 11 | create, delete, duplicate, fire, stop, loop, launch mode, warp mode, quantize |
 | Notes | 8 | add/get/remove/modify MIDI notes, transpose, duplicate, per-note probability |
-| Devices | 12 | load by name or URI, get/set parameters, batch edit, racks, chains, presets |
+| Devices | 15 | load by name or URI, get/set parameters, batch edit, racks, chains, presets, plugin deep control |
 | Scenes | 12 | create, delete, duplicate, fire, name, color, tempo, scene matrix |
 | Browser | 4 | search library, browse tree, load items, filter by category |
 | Mixing | 11 | volume, pan, sends, routing, meters, return tracks, master, full mix snapshot |
@@ -98,13 +99,13 @@ All three feed into 178 deterministic tools that execute on Ableton's main threa
 
 <br>
 
-### Perception — 32 tools `[M4L]`
+### Perception — 29 tools `[M4L]`
 
 The M4L Analyzer sits on the master track. UDP 9880 carries spectral data
 from Max to the server. OSC 9881 sends commands back.
 
 > [!TIP]
-> All 146 core tools work without the analyzer — it adds 32 more and closes the feedback loop.
+> All 149 core tools work without the analyzer — it adds 29 more and closes the feedback loop.
 
 ```
 SPECTRAL ─────── 8-band frequency decomposition (sub → air)

package/bin/livepilot.js

@@ -95,7 +95,7 @@ function ensureVenv(systemPython, prefixArgs) {
   // Check if venv already exists and has our deps
   if (fs.existsSync(venvPy)) {
     try {
-      execFileSync(venvPy, ["-c", "import fastmcp; import midiutil; import pretty_midi; import numpy; import pyloudnorm; import soundfile; import scipy"], {
+      execFileSync(venvPy, ["-c", "import fastmcp; import midiutil; import pretty_midi; import numpy; import pyloudnorm; import soundfile; import scipy; import mutagen"], {
         encoding: "utf-8",
         timeout: 10000,
         stdio: "pipe",
@@ -159,12 +159,16 @@ function checkStatus() {
             console.log("  Ableton Live: connected on %s:%d", HOST, PORT);
             ok = true;
           } else if (resp.ok === false && resp.error && resp.error.code === "STATE_ERROR") {
+            // Ableton IS reachable — it just has another client connected.
+            // Report as reachable (exit 0) so --status and --doctor don't
+            // falsely report failure in a healthy single-client deployment.
             console.log(
-              "  Ableton Live: reachable, but another LivePilot client is already connected"
+              "  Ableton Live: reachable on %s:%d (another LivePilot client is connected)", HOST, PORT
             );
             if (resp.error.message) {
               console.log("    Detail: %s", resp.error.message);
             }
+            ok = true;
           } else {
             console.log("  Ableton Live: unexpected response:", JSON.stringify(resp));
           }
@@ -346,10 +350,15 @@ async function setupFlucoma() {
   }
 
   console.log("FluCoMa not found. Downloading from GitHub...");
+  const crypto = require("crypto");
+
+  // Pin to a known release tag for reproducibility
+  const FLUCOMA_TAG = "1.0.7";
+  const FLUCOMA_URL = `https://api.github.com/repos/flucoma/flucoma-max/releases/tags/${FLUCOMA_TAG}`;
 
-  // Fetch latest release info
+  // Fetch pinned release info
   const releaseInfo = await new Promise((resolve, reject) => {
-    https.get("https://api.github.com/repos/flucoma/flucoma-max/releases/latest", {
+    https.get(FLUCOMA_URL, {
       headers: { "User-Agent": "LivePilot" }
     }, (res) => {
       if (res.statusCode === 302 || res.statusCode === 301) {
@@ -368,13 +377,14 @@ async function setupFlucoma() {
     }).on("error", reject);
   });
 
-  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip"));
+  const platform = process.platform === "darwin" ? "Mac" : "Windows";
+  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip") && a.name.includes(platform));
   if (!zipAsset) {
-    console.error("Error: no zip asset found in FluCoMa release");
+    console.error("Error: no %s zip asset found in FluCoMa release %s", platform, FLUCOMA_TAG);
     process.exit(1);
   }
 
-  console.log("Downloading %s (%sMB)...", zipAsset.name,
+  console.log("Downloading %s (v%s, %sMB)...", zipAsset.name, FLUCOMA_TAG,
     Math.round(zipAsset.size / 1024 / 1024));
 
   // Download to temp
@@ -399,6 +409,13 @@ async function setupFlucoma() {
     download(downloadUrl, 0);
   });
 
+  // Verify download integrity via SHA256 of the zip file
+  const hash = crypto.createHash("sha256");
+  hash.update(fs.readFileSync(zipPath));
+  const sha256 = hash.digest("hex");
+  console.log("SHA256: %s", sha256);
+  console.log("Verify this matches the checksum on https://github.com/flucoma/flucoma-max/releases/tag/%s", FLUCOMA_TAG);
+
   console.log("Extracting to %s...", packagesDir);
   fs.mkdirSync(packagesDir, { recursive: true });
 
@@ -417,8 +434,9 @@ async function setupFlucoma() {
     });
   }
 
-  // macOS: strip quarantine
+  // macOS: strip quarantine on FluCoMa externals only (not on arbitrary paths)
   if (process.platform === "darwin" && fs.existsSync(flucomaDir)) {
+    console.log("Removing macOS quarantine from FluCoMa externals...");
     try {
       execFileSync("xattr", ["-d", "-r", "com.apple.quarantine", flucomaDir], {
         stdio: "pipe",
@@ -434,7 +452,7 @@ async function setupFlucoma() {
 
   if (fs.existsSync(flucomaDir)) {
     console.log("");
-    console.log("FluCoMa installed successfully!");
+    console.log("FluCoMa v%s installed successfully!", FLUCOMA_TAG);
     console.log("Restart Ableton Live for real-time DSP tools.");
   } else {
     console.error("Error: FluCoMa directory not found after extraction.");

package/livepilot/.Codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.11",
+  "version": "1.9.13",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.11",
+  "version": "1.9.13",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/skills/livepilot-core/SKILL.md

@@ -138,8 +138,8 @@ Never skip levels. The user's question determines the entry point, but always st
 ### Transport (12)
 `get_session_info` · `set_tempo` · `set_time_signature` · `start_playback` · `stop_playback` · `continue_playback` · `toggle_metronome` · `set_session_loop` · `undo` · `redo` · `get_recent_actions` · `get_session_diagnostics`
 
-### Tracks (14)
-`get_track_info` · `create_midi_track` · `create_audio_track` · `create_return_track` · `delete_track` · `duplicate_track` · `set_track_name` · `set_track_color` · `set_track_mute` · `set_track_solo` · `set_track_arm` · `stop_track_clips` · `set_group_fold` · `set_track_input_monitoring`
+### Tracks (17)
+`get_track_info` · `create_midi_track` · `create_audio_track` · `create_return_track` · `delete_track` · `duplicate_track` · `set_track_name` · `set_track_color` · `set_track_mute` · `set_track_solo` · `set_track_arm` · `stop_track_clips` · `set_group_fold` · `set_track_input_monitoring` · `freeze_track` · `flatten_track` · `get_freeze_status`
 
 ### Clips (11)
 `get_clip_info` · `create_clip` · `delete_clip` · `duplicate_clip` · `fire_clip` · `stop_clip` · `set_clip_name` · `set_clip_color` · `set_clip_loop` · `set_clip_launch` · `set_clip_warp_mode`
@@ -147,11 +147,11 @@ Never skip levels. The user's question determines the entry point, but always st
 ### Notes (8)
 `add_notes` · `get_notes` · `remove_notes` · `remove_notes_by_id` · `modify_notes` · `duplicate_notes` · `transpose_notes` · `quantize_clip`
 
-### Devices (12)
-`get_device_info` · `get_device_parameters` · `set_device_parameter` · `batch_set_parameters` · `toggle_device` · `delete_device` · `load_device_by_uri` · `find_and_load_device` · `set_simpler_playback_mode` · `get_rack_chains` · `set_chain_volume` · `get_device_presets`
+### Devices (15)
+`get_device_info` · `get_device_parameters` · `set_device_parameter` · `batch_set_parameters` · `toggle_device` · `delete_device` · `load_device_by_uri` · `find_and_load_device` · `set_simpler_playback_mode` · `get_rack_chains` · `set_chain_volume` · `get_device_presets` · `get_plugin_parameters` · `map_plugin_parameter` · `get_plugin_presets`
 
-### Scenes (8)
-`get_scenes_info` · `create_scene` · `delete_scene` · `duplicate_scene` · `fire_scene` · `set_scene_name` · `set_scene_color` · `set_scene_tempo`
+### Scenes (12)
+`get_scenes_info` · `create_scene` · `delete_scene` · `duplicate_scene` · `fire_scene` · `set_scene_name` · `set_scene_color` · `set_scene_tempo` · `get_scene_matrix` · `fire_scene_clips` · `stop_all_clips` · `get_playing_clips`
 
 ### Mixing (11)
 `set_track_volume` · `set_track_pan` · `set_track_send` · `get_return_tracks` · `get_master_track` · `set_master_volume` · `get_track_routing` · `set_track_routing` · `get_track_meters` · `get_master_meters` · `get_mix_snapshot`

package/livepilot/skills/livepilot-core/references/overview.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.11 — Architecture & Tool Reference
+# LivePilot v1.9.13 — Architecture & Tool Reference
 
 Agentic production system for Ableton Live 12. 178 tools across 17 domains. Device atlas (280+ devices), spectral perception (M4L analyzer), technique memory, automation intelligence (16 curve types, 15 recipes), music theory (Krumhansl-Schmuckler, species counterpoint), generative algorithms (Euclidean rhythm, tintinnabuli, phase shift, additive process), neo-Riemannian harmony (PRL transforms, Tonnetz), MIDI file I/O.
 

package/livepilot/skills/livepilot-release/SKILL.md

@@ -29,12 +29,12 @@ Run this checklist EVERY time the user says "update everything", "push", "releas
 ## 2. Tool Count (must ALL match)
 
 Current: **178 tools across 17 domains**.
-Core (no M4L): **139**. Analyzer (M4L): **29**. Perception (offline): **4**.
+Core (no M4L): **149**. Analyzer (M4L): **29**. Perception (offline): **4**.
 
 Verify: `grep -rc "@mcp.tool" mcp_server/tools/ | grep -v ":0" | awk -F: '{sum+=$2} END{print sum}'`
 
 Files that reference tool count:
-- [ ] `README.md` — header, PERCEPTION section ("139 core...29 analyzer"), Analyzer table header "(29)", Perception table header "(4)"
+- [ ] `README.md` — header, PERCEPTION section ("149 core...29 analyzer"), Analyzer table header "(29)", Perception table header "(4)"
 - [ ] `package.json` → `"description"` (178 tools, 17 domains)
 - [ ] `server.json` → `"description"`
 - [ ] `livepilot/.Codex-plugin/plugin.json` → `"description"` (primary Codex manifest)
@@ -44,10 +44,10 @@ Files that reference tool count:
 - [ ] `livepilot/skills/livepilot-core/SKILL.md` — "178 tools across 17 domains", Analyzer (29), Perception (4)
 - [ ] `livepilot/skills/livepilot-core/references/overview.md` — "178 tools across 17 domains"
 - [ ] `docs/manual/index.md` — domain table: Analyzer (29), Perception (4)
-- [ ] `docs/manual/getting-started.md` — "139 core tools...29 analyzer"
+- [ ] `docs/manual/getting-started.md` — "149 core tools...29 analyzer"
 - [ ] `docs/manual/tool-reference.md` — all domains present with correct counts
 - [ ] `docs/TOOL_REFERENCE.md` — all domains present
-- [ ] `docs/M4L_BRIDGE.md` — "139 core tools...29 analyzer"
+- [ ] `docs/M4L_BRIDGE.md` — "149 core tools...29 analyzer"
 - [ ] `docs/social-banner.html`
 - [ ] `mcp_server/tools/analyzer.py` → module docstring
 - [ ] `tests/test_tools_contract.py` → expected total count

package/m4l_device/livepilot_bridge.js

@@ -84,7 +84,7 @@ function anything() {
 function dispatch(cmd, args) {
     switch(cmd) {
         case "ping":
-            send_response({"ok": true, "version": "1.9.10"});
+            send_response({"ok": true, "version": "1.9.13"});
             break;
         case "get_params":
             cmd_get_params(args);
@@ -150,7 +150,7 @@ function dispatch(cmd, args) {
             cmd_capture_stop();
             break;
         case "check_flucoma":
-            send_response({"flucoma_available": true, "version": "1.0.9"});
+            cmd_check_flucoma();
             break;
         // ── Phase 2: Clip & Display ──
         case "scrub_clip":
@@ -458,6 +458,22 @@ function cmd_get_chains_deep(args) {
     }
 }
 
+function cmd_check_flucoma() {
+    // Check if FluCoMa externals are installed.
+    // Max JS cannot reliably probe the object search path at runtime,
+    // so we check if the FluCoMa package folder exists on disk.
+    try {
+        var pkg_path = max.appsupportpath + "/Packages/FluidCorpusManipulation";
+        var f = new Folder(pkg_path);
+        var available = !f.end;  // end === true means folder not found
+        f.close();
+        send_response({"flucoma_available": available});
+    } catch (e) {
+        // Can't probe — report unknown rather than lying
+        send_response({"flucoma_available": false, "probe_error": String(e)});
+    }
+}
+
 function cmd_get_track_cpu(args) {
     try {
         var results = [];
@@ -511,6 +527,25 @@ function cmd_get_selected() {
                 break;
             }
         }
+        // Check return tracks if not found in main tracks
+        if (result.selected_track === -1) {
+            cursor_a.goto("live_set");
+            var rtc = cursor_a.getcount("return_tracks");
+            for (var j = 0; j < rtc; j++) {
+                cursor_a.goto("live_set return_tracks " + j);
+                if (cursor_a.get("name").toString() === result.selected_track_name) {
+                    result.selected_track = -(j + 1);  // -1, -2, ... convention
+                    break;
+                }
+            }
+        }
+        // Check master track if still not found
+        if (result.selected_track === -1) {
+            cursor_a.goto("live_set master_track");
+            if (cursor_a.get("name").toString() === result.selected_track_name) {
+                result.selected_track = -1000;  // master convention
+            }
+        }
     } catch(e) {}
 
     // Selected scene
@@ -1067,6 +1102,10 @@ function cmd_stop_scrub(args) {
     var path = build_track_path(track_idx) + " clip_slots " + clip_idx + " clip";
 
     cursor_a.goto(path);
+    if (cursor_a.id === 0) {
+        send_response({"error": "No clip at track " + track_idx + " slot " + clip_idx});
+        return;
+    }
     try {
         cursor_a.call("stop_scrub");
         send_response({"ok": true});
@@ -1165,6 +1204,15 @@ function cmd_capture_audio(args) {
     var duration_ms = parseInt(args[0]) || 10000;
     var requested_name = args[1] ? args[1].toString().trim() : "";
 
+    // Sanitize filename — strip any directory components (defense-in-depth)
+    if (requested_name.length > 0) {
+        requested_name = _safe_filename(requested_name);
+        if (!requested_name || requested_name.length === 0) {
+            send_response({"error": "Invalid capture filename (path traversal blocked)"});
+            return;
+        }
+    }
+
     // Generate a timestamped filename if none provided
     var d = new Date();
     var ts = d.getFullYear() + "_"
@@ -1172,7 +1220,7 @@ function cmd_capture_audio(args) {
         + pad2(d.getDate()) + "_"
         + pad2(d.getHours()) + pad2(d.getMinutes()) + pad2(d.getSeconds());
     capture_filename = requested_name.length > 0 ? requested_name : ("capture_" + ts + ".wav");
-    capture_file_path = _join_path(_get_patcher_dir(), capture_filename);
+    capture_file_path = _join_path(_get_captures_dir(), capture_filename);
 
     // Calculate sample count from duration and current sample rate
     var num_samples = Math.ceil((duration_ms / 1000.0) * current_sample_rate);
@@ -1438,6 +1486,22 @@ function build_device_path(track_idx, device_idx) {
     }
 }
 
+function _get_captures_dir() {
+    // Stable captures directory: ~/Documents/LivePilot/captures/
+    // max.appsupportpath = "/Users/<name>/Library/Application Support/Cycling '74"
+    // Walk up to get home directory
+    try {
+        var support = max.appsupportpath;
+        var parts = support.split("/");
+        // /Users/<name>/Library/... → first 3 parts = /Users/<name>
+        var home = parts.slice(0, 3).join("/");
+        return home + "/Documents/LivePilot/captures/";
+    } catch (e) {
+        // Fallback to patcher directory if home detection fails
+        return _get_patcher_dir();
+    }
+}
+
 function _get_patcher_dir() {
     try {
         var filepath = this.patcher && this.patcher.filepath ? this.patcher.filepath.toString() : "";
@@ -1450,6 +1514,16 @@ function _get_patcher_dir() {
     }
 }
 
+function _safe_filename(name) {
+    // Strip directory components and reject traversal attempts.
+    // This is defense-in-depth — Python should sanitize first.
+    if (!name || name.length === 0) return name;
+    var slash = Math.max(name.lastIndexOf("/"), name.lastIndexOf("\\"));
+    if (slash >= 0) name = name.substring(slash + 1);
+    if (name === "." || name === ".." || name.length === 0) return "";
+    return name;
+}
+
 function _join_path(dir, file) {
     if (!dir) return file;
     var last = dir.charAt(dir.length - 1);

package/mcp_server/__init__.py

@@ -1,2 +1,2 @@
 """LivePilot MCP Server — bridges MCP protocol to Ableton Live."""
-__version__ = "1.9.11"
+__version__ = "1.9.13"

package/mcp_server/connection.py

@@ -213,7 +213,7 @@ class AbletonConnection:
             raise AbletonConnectionError(f"Failed to send command: {exc}") from exc
 
         # Read until newline, preserving any trailing bytes in _recv_buf
-        buf = getattr(self, "_recv_buf", b"")
+        buf = self._recv_buf
         try:
             while b"\n" not in buf:
                 chunk = self._socket.recv(4096)
@@ -222,6 +222,10 @@ class AbletonConnection:
                     self.disconnect()
                     raise AbletonConnectionError("Connection closed by Ableton")
                 buf += chunk
+                if len(buf) > 10 * 1024 * 1024:  # 10 MB
+                    self._recv_buf = b""
+                    self.disconnect()
+                    raise AbletonConnectionError("Response too large (>10 MB)")
         except socket.timeout as exc:
             self._recv_buf = buf
             self.disconnect()

package/mcp_server/curves.py

@@ -366,11 +366,15 @@ def _brownian(duration: float, density: int, start: float = 0.5,
         step = drift / density + volatility * _det_random(i, seed)
         value += step
         # Soft boundary reflection (bounce off 0/1 until within range)
-        while value > 1.0 or value < 0.0:
+        for _ in range(100):
+            if 0.0 <= value <= 1.0:
+                break
             if value > 1.0:
                 value = 2.0 - value
             if value < 0.0:
                 value = -value
+        else:
+            value = max(0.0, min(1.0, value))
     return points
 
 

package/mcp_server/m4l_bridge.py

@@ -141,6 +141,7 @@ class SpectralReceiver(asyncio.DatagramProtocol):
     def __init__(self, cache: SpectralCache):
         self.cache = cache
         self._chunks: dict[str, dict] = {}  # Reassembly buffer for chunked responses
+        self._chunk_times: dict[str, float] = {}  # Monotonic timestamp per chunk sequence
         self._chunk_id = 0
         self._response_callback: Optional[asyncio.Future] = None
         self._capture_future: Optional[asyncio.Future] = None
@@ -284,6 +285,7 @@ class SpectralReceiver(asyncio.DatagramProtocol):
         key = str(self._chunk_id)
         if key not in self._chunks:
             self._chunks[key] = {"parts": {}, "total": total}
+            self._chunk_times[key] = time.monotonic()
 
         self._chunks[key]["parts"][index] = encoded
 
@@ -293,8 +295,16 @@ class SpectralReceiver(asyncio.DatagramProtocol):
             for i in range(total):
                 full += self._chunks[key]["parts"][i]
             del self._chunks[key]
+            self._chunk_times.pop(key, None)
             self._handle_response(full)
 
+        # Evict incomplete chunk sequences older than 30 seconds
+        now = time.monotonic()
+        stale = [k for k, t in self._chunk_times.items() if now - t > 30.0]
+        for k in stale:
+            self._chunks.pop(k, None)
+            self._chunk_times.pop(k, None)
+
     def _handle_capture_complete(self, encoded: str) -> None:
         """Decode a /capture_complete OSC message and resolve _capture_future."""
         try:
@@ -359,30 +369,37 @@ class M4LBridge:
         if not self.cache.is_connected:
             return {"error": "LivePilot Analyzer not connected. Drop it on the master track."}
 
-        # Cancel any stale capture future before creating a new one
-        if self.receiver and self.receiver._capture_future and not self.receiver._capture_future.done():
-            self.receiver._capture_future.cancel()
+        async with self._cmd_lock:
+            # Cancel any stale capture future before creating a new one
+            if self.receiver and self.receiver._capture_future and not self.receiver._capture_future.done():
+                self.receiver._capture_future.cancel()
 
-        loop = asyncio.get_running_loop()
-        future = loop.create_future()
-        if self.receiver:
-            self.receiver.set_capture_future(future)
+            loop = asyncio.get_running_loop()
+            future = loop.create_future()
+            if self.receiver:
+                self.receiver.set_capture_future(future)
 
-        osc_data = self._build_osc(command, args)
-        self._sock.sendto(osc_data, self._m4l_addr)
+            osc_data = self._build_osc(command, args)
+            self._sock.sendto(osc_data, self._m4l_addr)
 
-        try:
-            result = await asyncio.wait_for(future, timeout=timeout)
-            return result
-        except asyncio.TimeoutError:
-            # Clean up the dangling future
-            if self.receiver:
-                self.receiver._capture_future = None
-            return {"error": "M4L capture timeout — device may be busy or removed"}
+            try:
+                result = await asyncio.wait_for(future, timeout=timeout)
+                return result
+            except asyncio.TimeoutError:
+                # Clean up the dangling future
+                if self.receiver:
+                    self.receiver._capture_future = None
+                return {"error": "M4L capture timeout — device may be busy or removed"}
 
-    def cancel_capture_future(self) -> None:
-        """Cancel any in-progress capture future (called by capture_stop)."""
-        if self.receiver and self.receiver._capture_future and not self.receiver._capture_future.done():
+    async def cancel_capture_future(self) -> None:
+        """Cancel any in-progress capture future (called by capture_stop).
+
+        Does NOT acquire _cmd_lock — send_capture holds it during recording.
+        Cancelling the future causes send_capture's wait_for to raise
+        CancelledError, which releases the lock naturally.
+        """
+        if self.receiver and self.receiver._capture_future \
+                and not self.receiver._capture_future.done():
             self.receiver._capture_future.cancel()
             self.receiver._capture_future = None