livepilot 1.9.12 → 1.9.13

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
     {
       "name": "livepilot",
       "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
-      "version": "1.9.12",
+      "version": "1.9.13",
       "author": {
         "name": "Pilot Studio"
       },

package/AGENTS.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.12 — Ableton Live 12
+# LivePilot v1.9.13 — Ableton Live 12
 
 ## Project
 - **Repo:** This directory (LivePilot)

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.9.13 — Security Hardening + Startup Safety (April 2026)
+
+- Fix(P2): `--setup-flucoma` now pins to a known release tag (v1.0.7) instead of unpinned `latest`, prints SHA256 checksum for verification, and selects the platform-specific zip
+- Fix(P2): memory subsystem now uses lazy initialization — `TechniqueStore` defers directory creation to first tool call instead of blocking server startup when HOME is read-only
+- Fix(P3): `--status` and `--doctor` now return exit 0 when Ableton is reachable but another client is connected (STATE_ERROR = reachable, not failure)
+- Fix(P3): negative `limit` values on `memory_recall` and `memory_list` now raise `ValueError` instead of using Python negative slicing
+- Fix: Remote Script no longer logs "Server started" before bind succeeds — "Listening on..." is logged from the server loop after successful bind
+- Fix: `requirements.txt` now documents dev dependencies (pytest, pytest-asyncio) as comments
+- Verification: 145 tests passing, 178 tools confirmed
+
 ## 1.9.12 — Deep Audit: 21 Fixes Across 15 Files (April 2026)
 
 **Full codebase audit — 5 critical, 10 important, 6 doc/test fixes.**

package/bin/livepilot.js

@@ -159,12 +159,16 @@ function checkStatus() {
             console.log("  Ableton Live: connected on %s:%d", HOST, PORT);
             ok = true;
           } else if (resp.ok === false && resp.error && resp.error.code === "STATE_ERROR") {
+            // Ableton IS reachable — it just has another client connected.
+            // Report as reachable (exit 0) so --status and --doctor don't
+            // falsely report failure in a healthy single-client deployment.
             console.log(
-              "  Ableton Live: reachable, but another LivePilot client is already connected"
+              "  Ableton Live: reachable on %s:%d (another LivePilot client is connected)", HOST, PORT
             );
             if (resp.error.message) {
               console.log("    Detail: %s", resp.error.message);
             }
+            ok = true;
           } else {
             console.log("  Ableton Live: unexpected response:", JSON.stringify(resp));
           }
@@ -346,10 +350,15 @@ async function setupFlucoma() {
   }
 
   console.log("FluCoMa not found. Downloading from GitHub...");
+  const crypto = require("crypto");
+
+  // Pin to a known release tag for reproducibility
+  const FLUCOMA_TAG = "1.0.7";
+  const FLUCOMA_URL = `https://api.github.com/repos/flucoma/flucoma-max/releases/tags/${FLUCOMA_TAG}`;
 
-  // Fetch latest release info
+  // Fetch pinned release info
   const releaseInfo = await new Promise((resolve, reject) => {
-    https.get("https://api.github.com/repos/flucoma/flucoma-max/releases/latest", {
+    https.get(FLUCOMA_URL, {
       headers: { "User-Agent": "LivePilot" }
     }, (res) => {
       if (res.statusCode === 302 || res.statusCode === 301) {
@@ -368,13 +377,14 @@ async function setupFlucoma() {
     }).on("error", reject);
   });
 
-  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip"));
+  const platform = process.platform === "darwin" ? "Mac" : "Windows";
+  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip") && a.name.includes(platform));
   if (!zipAsset) {
-    console.error("Error: no zip asset found in FluCoMa release");
+    console.error("Error: no %s zip asset found in FluCoMa release %s", platform, FLUCOMA_TAG);
     process.exit(1);
   }
 
-  console.log("Downloading %s (%sMB)...", zipAsset.name,
+  console.log("Downloading %s (v%s, %sMB)...", zipAsset.name, FLUCOMA_TAG,
     Math.round(zipAsset.size / 1024 / 1024));
 
   // Download to temp
@@ -399,6 +409,13 @@ async function setupFlucoma() {
     download(downloadUrl, 0);
   });
 
+  // Verify download integrity via SHA256 of the zip file
+  const hash = crypto.createHash("sha256");
+  hash.update(fs.readFileSync(zipPath));
+  const sha256 = hash.digest("hex");
+  console.log("SHA256: %s", sha256);
+  console.log("Verify this matches the checksum on https://github.com/flucoma/flucoma-max/releases/tag/%s", FLUCOMA_TAG);
+
   console.log("Extracting to %s...", packagesDir);
   fs.mkdirSync(packagesDir, { recursive: true });
 
@@ -417,8 +434,9 @@ async function setupFlucoma() {
     });
   }
 
-  // macOS: strip quarantine
+  // macOS: strip quarantine on FluCoMa externals only (not on arbitrary paths)
   if (process.platform === "darwin" && fs.existsSync(flucomaDir)) {
+    console.log("Removing macOS quarantine from FluCoMa externals...");
     try {
       execFileSync("xattr", ["-d", "-r", "com.apple.quarantine", flucomaDir], {
         stdio: "pipe",
@@ -434,7 +452,7 @@ async function setupFlucoma() {
 
   if (fs.existsSync(flucomaDir)) {
     console.log("");
-    console.log("FluCoMa installed successfully!");
+    console.log("FluCoMa v%s installed successfully!", FLUCOMA_TAG);
     console.log("Restart Ableton Live for real-time DSP tools.");
   } else {
     console.error("Error: FluCoMa directory not found after extraction.");

package/livepilot/.Codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.13",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.13",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/skills/livepilot-core/references/overview.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.12 — Architecture & Tool Reference
+# LivePilot v1.9.13 — Architecture & Tool Reference
 
 Agentic production system for Ableton Live 12. 178 tools across 17 domains. Device atlas (280+ devices), spectral perception (M4L analyzer), technique memory, automation intelligence (16 curve types, 15 recipes), music theory (Krumhansl-Schmuckler, species counterpoint), generative algorithms (Euclidean rhythm, tintinnabuli, phase shift, additive process), neo-Riemannian harmony (PRL transforms, Tonnetz), MIDI file I/O.
 

package/m4l_device/livepilot_bridge.js

@@ -84,7 +84,7 @@ function anything() {
 function dispatch(cmd, args) {
     switch(cmd) {
         case "ping":
-            send_response({"ok": true, "version": "1.9.12"});
+            send_response({"ok": true, "version": "1.9.13"});
             break;
         case "get_params":
             cmd_get_params(args);

package/mcp_server/__init__.py

@@ -1,2 +1,2 @@
 """LivePilot MCP Server — bridges MCP protocol to Ableton Live."""
-__version__ = "1.9.12"
+__version__ = "1.9.13"

package/mcp_server/memory/technique_store.py

@@ -26,10 +26,26 @@ class TechniqueStore:
         if base_dir is None:
             base_dir = os.path.join(os.path.expanduser("~"), ".livepilot", "memory")
         self._base_dir = Path(base_dir)
-        self._base_dir.mkdir(parents=True, exist_ok=True)
         self._file = self._base_dir / "techniques.json"
         self._lock = threading.Lock()
-
+        self._initialized = False
+        self._data: dict = {"version": 1, "techniques": []}
+
+    def _ensure_initialized(self) -> None:
+        """Lazily create directory and load data on first access.
+
+        Deferred so that a read-only HOME doesn't crash the entire MCP
+        server at import time — memory tools just return errors instead.
+        """
+        if self._initialized:
+            return
+        try:
+            self._base_dir.mkdir(parents=True, exist_ok=True)
+        except OSError as exc:
+            raise RuntimeError(
+                f"Cannot create memory directory {self._base_dir}: {exc}. "
+                "Memory tools are unavailable."
+            ) from exc
         if self._file.exists():
             try:
                 with open(self._file, "r") as f:
@@ -41,6 +57,7 @@ class TechniqueStore:
         else:
             self._data = {"version": 1, "techniques": []}
             self._flush()
+        self._initialized = True
 
     # ── persistence ──────────────────────────────────────────────
 
@@ -64,6 +81,7 @@ class TechniqueStore:
         tags: Optional[list[str]] = None,
     ) -> dict:
         """Create a new technique. Returns {id, name, type, summary}."""
+        self._ensure_initialized()
         if type not in VALID_TYPES:
             raise ValueError(
                 f"INVALID_PARAM: type must be one of {sorted(VALID_TYPES)}, got '{type}'"
@@ -99,6 +117,7 @@ class TechniqueStore:
 
     def get(self, technique_id: str) -> dict:
         """Return full technique by id."""
+        self._ensure_initialized()
         with self._lock:
             for t in self._data["techniques"]:
                 if t["id"] == technique_id:
@@ -113,6 +132,9 @@ class TechniqueStore:
         limit: int = 10,
     ) -> list[dict]:
         """Search techniques. Returns summaries (no payload)."""
+        self._ensure_initialized()
+        if limit < 0:
+            raise ValueError("INVALID_PARAM: limit must be >= 0")
         with self._lock:
             results = copy.deepcopy(self._data["techniques"])
 
@@ -150,6 +172,9 @@ class TechniqueStore:
         limit: int = 20,
     ) -> list[dict]:
         """List techniques as compact summaries."""
+        self._ensure_initialized()
+        if limit < 0:
+            raise ValueError("INVALID_PARAM: limit must be >= 0")
         if sort_by not in VALID_SORT_FIELDS:
             raise ValueError(
                 f"INVALID_PARAM: sort_by must be one of {sorted(VALID_SORT_FIELDS)}, got '{sort_by}'"
@@ -179,6 +204,7 @@ class TechniqueStore:
         rating: Optional[int] = None,
     ) -> dict:
         """Set favorite flag and/or rating."""
+        self._ensure_initialized()
         if rating is not None and (rating < 0 or rating > 5):
             raise ValueError("INVALID_PARAM: rating must be between 0 and 5")
 
@@ -200,6 +226,7 @@ class TechniqueStore:
         qualities: Optional[dict] = None,
     ) -> dict:
         """Update technique fields. Qualities are merged (lists replaced)."""
+        self._ensure_initialized()
         with self._lock:
             t = self._find(technique_id)
             if name is not None:
@@ -216,6 +243,7 @@ class TechniqueStore:
 
     def delete(self, technique_id: str) -> dict:
         """Delete technique after creating a timestamped backup."""
+        self._ensure_initialized()
         with self._lock:
             t = self._find(technique_id)
             # backup

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.13",
   "mcpName": "io.github.dreamrec/livepilot",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": "Pilot Studio",

package/remote_script/LivePilot/__init__.py

@@ -5,7 +5,7 @@ Entry point for the ControlSurface. Ableton calls create_instance(c_instance)
 when this script is selected in Preferences > Link, Tempo & MIDI.
 """
 
-__version__ = "1.9.12"
+__version__ = "1.9.13"
 
 from _Framework.ControlSurface import ControlSurface
 from .server import LivePilotServer
@@ -34,8 +34,8 @@ class LivePilot(ControlSurface):
         ControlSurface.__init__(self, c_instance)
         self._server = LivePilotServer(self)
         self._server.start()
-        self.log_message("LivePilot v%s initialized" % __version__)
-        self.show_message("LivePilot: Listening on port 9878")
+        self.log_message("LivePilot v%s starting..." % __version__)
+        self.show_message("LivePilot v%s starting..." % __version__)
 
     def disconnect(self):
         """Called by Ableton when the script is unloaded."""

package/remote_script/LivePilot/server.py

@@ -95,7 +95,8 @@ class LivePilotServer(object):
         self._thread = threading.Thread(target=self._server_loop)
         self._thread.daemon = True
         self._thread.start()
-        self._log("Server started on %s:%d" % (self._host, self._port))
+        # Note: "Listening on ..." is logged from _server_loop after bind
+        # succeeds. Don't log "Server started" here — bind may still fail.
 
     def stop(self):
         """Shutdown the server gracefully."""

package/requirements.txt

@@ -9,5 +9,8 @@ soundfile>=0.12.0
 scipy>=1.11.0
 mutagen>=1.47.0
 
+# Development / testing (not required for runtime)
+# pip install pytest pytest-asyncio
+
 # Optional: neo-Riemannian group theory (not required — harmony engine is pure Python)
 # pip install opycleid>=0.5.1