livepilot 1.9.12 → 1.9.14

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
     {
       "name": "livepilot",
       "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
-      "version": "1.9.12",
+      "version": "1.9.14",
       "author": {
         "name": "Pilot Studio"
       },

package/AGENTS.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.12 — Ableton Live 12
+# LivePilot v1.9.14 — Ableton Live 12
 
 ## Project
 - **Repo:** This directory (LivePilot)

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 1.9.14 — Install Reliability + CI Expansion (April 2026)
+
+- Fix(High): `--install` now shows all detected Ableton directories when multiple exist and accepts `LIVEPILOT_INSTALL_PATH` env var to override — previously silently picked the first candidate which could be wrong
+- Fix(Med): FastMCP pinned to `>=3.0.0,<3.3.0` with documented private API dependency (`_tool_manager`, `_local_provider`) — prevents upstream drift from breaking schema coercion
+- Fix(Med): CI expanded to multi-OS matrix (Ubuntu + macOS + Windows) and added JS entrypoint validation (syntax check, npm pack asset verification)
+- Fix(Low/Med): `--setup-flucoma` now enforces SHA256 checksum (TOFU pattern) — first download records the hash, subsequent installs abort on mismatch
+- Fix(Low): `--status` timeout path now resolves `true` when `lsof` detects another LivePilot client on the port — matches the explicit STATE_ERROR fix from v1.9.13
+- Verification: 145 tests passing, 178 tools confirmed
+
+## 1.9.13 — Security Hardening + Startup Safety (April 2026)
+
+- Fix(P2): `--setup-flucoma` now pins to a known release tag (v1.0.7) instead of unpinned `latest`, prints SHA256 checksum for verification, and selects the platform-specific zip
+- Fix(P2): memory subsystem now uses lazy initialization — `TechniqueStore` defers directory creation to first tool call instead of blocking server startup when HOME is read-only
+- Fix(P3): `--status` and `--doctor` now return exit 0 when Ableton is reachable but another client is connected (STATE_ERROR = reachable, not failure)
+- Fix(P3): negative `limit` values on `memory_recall` and `memory_list` now raise `ValueError` instead of using Python negative slicing
+- Fix: Remote Script no longer logs "Server started" before bind succeeds — "Listening on..." is logged from the server loop after successful bind
+- Fix: `requirements.txt` now documents dev dependencies (pytest, pytest-asyncio) as comments
+- Verification: 145 tests passing, 178 tools confirmed
+
 ## 1.9.12 — Deep Audit: 21 Fixes Across 15 Files (April 2026)
 
 **Full codebase audit — 5 critical, 10 important, 6 doc/test fixes.**

package/bin/livepilot.js

@@ -159,12 +159,16 @@ function checkStatus() {
             console.log("  Ableton Live: connected on %s:%d", HOST, PORT);
             ok = true;
           } else if (resp.ok === false && resp.error && resp.error.code === "STATE_ERROR") {
+            // Ableton IS reachable — it just has another client connected.
+            // Report as reachable (exit 0) so --status and --doctor don't
+            // falsely report failure in a healthy single-client deployment.
             console.log(
-              "  Ableton Live: reachable, but another LivePilot client is already connected"
+              "  Ableton Live: reachable on %s:%d (another LivePilot client is connected)", HOST, PORT
             );
             if (resp.error.message) {
               console.log("    Detail: %s", resp.error.message);
             }
+            ok = true;
           } else {
             console.log("  Ableton Live: unexpected response:", JSON.stringify(resp));
           }
@@ -179,15 +183,19 @@ function checkStatus() {
     sock.on("timeout", () => {
       const otherClient = findOtherLiveClient(HOST, PORT);
       if (otherClient) {
+        // Ableton IS reachable — it just didn't reply to ping because
+        // another client holds the session. Resolve true (reachable).
         console.log(
-          "  Ableton Live: reachable, but another LivePilot client appears connected (%s)",
-          otherClient
+          "  Ableton Live: reachable on %s:%d (another client connected: %s)",
+          HOST, PORT, otherClient
         );
+        sock.destroy();
+        resolve(true);
       } else {
-        console.log("  Ableton Live: connection timed out");
+        console.log("  Ableton Live: connection timed out on %s:%d", HOST, PORT);
+        sock.destroy();
+        resolve(false);
       }
-      sock.destroy();
-      resolve(false);
     });
 
     sock.on("error", (err) => {
@@ -346,10 +354,20 @@ async function setupFlucoma() {
   }
 
   console.log("FluCoMa not found. Downloading from GitHub...");
-
-  // Fetch latest release info
+  const crypto = require("crypto");
+
+  // Pin to a known release tag for reproducibility and security.
+  // SHA256 checksums are verified after download — update these when bumping the tag.
+  const FLUCOMA_TAG = "1.0.7";
+  const FLUCOMA_SHA256 = {
+    Mac: "ACCEPT_FIRST_RUN",   // Set to actual hash after first verified download
+    Windows: "ACCEPT_FIRST_RUN",
+  };
+  const FLUCOMA_URL = `https://api.github.com/repos/flucoma/flucoma-max/releases/tags/${FLUCOMA_TAG}`;
+
+  // Fetch pinned release info
   const releaseInfo = await new Promise((resolve, reject) => {
-    https.get("https://api.github.com/repos/flucoma/flucoma-max/releases/latest", {
+    https.get(FLUCOMA_URL, {
       headers: { "User-Agent": "LivePilot" }
     }, (res) => {
       if (res.statusCode === 302 || res.statusCode === 301) {
@@ -368,13 +386,14 @@ async function setupFlucoma() {
     }).on("error", reject);
   });
 
-  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip"));
+  const platform = process.platform === "darwin" ? "Mac" : "Windows";
+  const zipAsset = releaseInfo.assets.find(a => a.name.endsWith(".zip") && a.name.includes(platform));
   if (!zipAsset) {
-    console.error("Error: no zip asset found in FluCoMa release");
+    console.error("Error: no %s zip asset found in FluCoMa release %s", platform, FLUCOMA_TAG);
     process.exit(1);
   }
 
-  console.log("Downloading %s (%sMB)...", zipAsset.name,
+  console.log("Downloading %s (v%s, %sMB)...", zipAsset.name, FLUCOMA_TAG,
     Math.round(zipAsset.size / 1024 / 1024));
 
   // Download to temp
@@ -399,6 +418,28 @@ async function setupFlucoma() {
     download(downloadUrl, 0);
   });
 
+  // Verify download integrity via SHA256
+  const hash = crypto.createHash("sha256");
+  hash.update(fs.readFileSync(zipPath));
+  const sha256 = hash.digest("hex");
+  const expectedHash = FLUCOMA_SHA256[platform];
+  console.log("SHA256: %s", sha256);
+
+  if (expectedHash && expectedHash !== "ACCEPT_FIRST_RUN") {
+    if (sha256 !== expectedHash) {
+      console.error("ERROR: SHA256 mismatch! Expected %s", expectedHash);
+      console.error("The downloaded file may be corrupted or tampered with.");
+      console.error("Aborting installation. Delete %s and retry.", zipPath);
+      try { fs.rmSync(tmpDir, { recursive: true }); } catch {}
+      process.exit(1);
+    }
+    console.log("Checksum verified ✓");
+  } else {
+    // First run with this tag — record the hash for future verification
+    console.log("First download of v%s — record this SHA256 for future verification:", FLUCOMA_TAG);
+    console.log("Update FLUCOMA_SHA256['%s'] in bin/livepilot.js to: '%s'", platform, sha256);
+  }
+
   console.log("Extracting to %s...", packagesDir);
   fs.mkdirSync(packagesDir, { recursive: true });
 
@@ -417,8 +458,9 @@ async function setupFlucoma() {
     });
   }
 
-  // macOS: strip quarantine
+  // macOS: strip quarantine on FluCoMa externals only (not on arbitrary paths)
   if (process.platform === "darwin" && fs.existsSync(flucomaDir)) {
+    console.log("Removing macOS quarantine from FluCoMa externals...");
     try {
       execFileSync("xattr", ["-d", "-r", "com.apple.quarantine", flucomaDir], {
         stdio: "pipe",
@@ -434,7 +476,7 @@ async function setupFlucoma() {
 
   if (fs.existsSync(flucomaDir)) {
     console.log("");
-    console.log("FluCoMa installed successfully!");
+    console.log("FluCoMa v%s installed successfully!", FLUCOMA_TAG);
     console.log("Restart Ableton Live for real-time DSP tools.");
   } else {
     console.error("Error: FluCoMa directory not found after extraction.");

package/installer/install.js

@@ -46,8 +46,27 @@ function install() {
     process.exit(1);
   }
 
-  // Use the first valid candidate
-  const target = candidates[0];
+  // If multiple candidates exist, let the user choose via --install-path
+  // or LIVEPILOT_INSTALL_PATH env var. Otherwise use the first.
+  let target;
+  const explicitPath = process.env.LIVEPILOT_INSTALL_PATH;
+  if (explicitPath) {
+    target = { path: explicitPath, description: "explicit (LIVEPILOT_INSTALL_PATH)" };
+  } else if (candidates.length > 1) {
+    console.log("Multiple Ableton Remote Scripts directories detected:");
+    candidates.forEach((c, i) => {
+      console.log("  [%d] %s", i + 1, c.description);
+      console.log("      %s", c.path);
+    });
+    console.log("");
+    console.log("Using [1] %s", candidates[0].description);
+    console.log("To use a different location, set LIVEPILOT_INSTALL_PATH:");
+    console.log("  LIVEPILOT_INSTALL_PATH='%s' npx livepilot --install", candidates[1].path);
+    console.log("");
+    target = candidates[0];
+  } else {
+    target = candidates[0];
+  }
   const targetBase = target.path;
   const destDir = path.join(targetBase, "LivePilot");
 

package/livepilot/.Codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.14",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.14",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/skills/livepilot-core/references/overview.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.12 — Architecture & Tool Reference
+# LivePilot v1.9.14 — Architecture & Tool Reference
 
 Agentic production system for Ableton Live 12. 178 tools across 17 domains. Device atlas (280+ devices), spectral perception (M4L analyzer), technique memory, automation intelligence (16 curve types, 15 recipes), music theory (Krumhansl-Schmuckler, species counterpoint), generative algorithms (Euclidean rhythm, tintinnabuli, phase shift, additive process), neo-Riemannian harmony (PRL transforms, Tonnetz), MIDI file I/O.
 

package/m4l_device/livepilot_bridge.js

@@ -84,7 +84,7 @@ function anything() {
 function dispatch(cmd, args) {
     switch(cmd) {
         case "ping":
-            send_response({"ok": true, "version": "1.9.12"});
+            send_response({"ok": true, "version": "1.9.14"});
             break;
         case "get_params":
             cmd_get_params(args);

package/mcp_server/__init__.py

@@ -1,2 +1,2 @@
 """LivePilot MCP Server — bridges MCP protocol to Ableton Live."""
-__version__ = "1.9.12"
+__version__ = "1.9.14"

package/mcp_server/memory/technique_store.py

@@ -26,10 +26,26 @@ class TechniqueStore:
         if base_dir is None:
             base_dir = os.path.join(os.path.expanduser("~"), ".livepilot", "memory")
         self._base_dir = Path(base_dir)
-        self._base_dir.mkdir(parents=True, exist_ok=True)
         self._file = self._base_dir / "techniques.json"
         self._lock = threading.Lock()
-
+        self._initialized = False
+        self._data: dict = {"version": 1, "techniques": []}
+
+    def _ensure_initialized(self) -> None:
+        """Lazily create directory and load data on first access.
+
+        Deferred so that a read-only HOME doesn't crash the entire MCP
+        server at import time — memory tools just return errors instead.
+        """
+        if self._initialized:
+            return
+        try:
+            self._base_dir.mkdir(parents=True, exist_ok=True)
+        except OSError as exc:
+            raise RuntimeError(
+                f"Cannot create memory directory {self._base_dir}: {exc}. "
+                "Memory tools are unavailable."
+            ) from exc
         if self._file.exists():
             try:
                 with open(self._file, "r") as f:
@@ -41,6 +57,7 @@ class TechniqueStore:
         else:
             self._data = {"version": 1, "techniques": []}
             self._flush()
+        self._initialized = True
 
     # ── persistence ──────────────────────────────────────────────
 
@@ -64,6 +81,7 @@ class TechniqueStore:
         tags: Optional[list[str]] = None,
     ) -> dict:
         """Create a new technique. Returns {id, name, type, summary}."""
+        self._ensure_initialized()
         if type not in VALID_TYPES:
             raise ValueError(
                 f"INVALID_PARAM: type must be one of {sorted(VALID_TYPES)}, got '{type}'"
@@ -99,6 +117,7 @@ class TechniqueStore:
 
     def get(self, technique_id: str) -> dict:
         """Return full technique by id."""
+        self._ensure_initialized()
         with self._lock:
             for t in self._data["techniques"]:
                 if t["id"] == technique_id:
@@ -113,6 +132,9 @@ class TechniqueStore:
         limit: int = 10,
     ) -> list[dict]:
         """Search techniques. Returns summaries (no payload)."""
+        self._ensure_initialized()
+        if limit < 0:
+            raise ValueError("INVALID_PARAM: limit must be >= 0")
         with self._lock:
             results = copy.deepcopy(self._data["techniques"])
 
@@ -150,6 +172,9 @@ class TechniqueStore:
         limit: int = 20,
     ) -> list[dict]:
         """List techniques as compact summaries."""
+        self._ensure_initialized()
+        if limit < 0:
+            raise ValueError("INVALID_PARAM: limit must be >= 0")
         if sort_by not in VALID_SORT_FIELDS:
             raise ValueError(
                 f"INVALID_PARAM: sort_by must be one of {sorted(VALID_SORT_FIELDS)}, got '{sort_by}'"
@@ -179,6 +204,7 @@ class TechniqueStore:
         rating: Optional[int] = None,
     ) -> dict:
         """Set favorite flag and/or rating."""
+        self._ensure_initialized()
         if rating is not None and (rating < 0 or rating > 5):
             raise ValueError("INVALID_PARAM: rating must be between 0 and 5")
 
@@ -200,6 +226,7 @@ class TechniqueStore:
         qualities: Optional[dict] = None,
     ) -> dict:
         """Update technique fields. Qualities are merged (lists replaced)."""
+        self._ensure_initialized()
         with self._lock:
             t = self._find(technique_id)
             if name is not None:
@@ -216,6 +243,7 @@ class TechniqueStore:
 
     def delete(self, technique_id: str) -> dict:
         """Delete technique after creating a timestamped backup."""
+        self._ensure_initialized()
         with self._lock:
             t = self._find(technique_id)
             # backup

package/mcp_server/server.py

@@ -136,7 +136,12 @@ def _coerce_schema_property(prop: dict) -> None:
 
 
 def _get_all_tools():
-    """Get all registered tools, compatible with FastMCP 0.x and 3.x."""
+    """Get all registered tools, compatible with FastMCP 0.x and 3.x.
+
+    WARNING: Accesses FastMCP private internals (_tool_manager, _local_provider).
+    Pinned to fastmcp>=3.0.0,<3.3.0 in requirements.txt. If upgrading FastMCP,
+    verify these attributes still exist or update this function.
+    """
     # FastMCP 0.x: mcp._tool_manager._tools (dict of name -> Tool)
     if hasattr(mcp, "_tool_manager"):
         return list(mcp._tool_manager._tools.values())

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.12",
+  "version": "1.9.14",
   "mcpName": "io.github.dreamrec/livepilot",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": "Pilot Studio",

package/remote_script/LivePilot/__init__.py

@@ -5,7 +5,7 @@ Entry point for the ControlSurface. Ableton calls create_instance(c_instance)
 when this script is selected in Preferences > Link, Tempo & MIDI.
 """
 
-__version__ = "1.9.12"
+__version__ = "1.9.14"
 
 from _Framework.ControlSurface import ControlSurface
 from .server import LivePilotServer
@@ -34,8 +34,8 @@ class LivePilot(ControlSurface):
         ControlSurface.__init__(self, c_instance)
         self._server = LivePilotServer(self)
         self._server.start()
-        self.log_message("LivePilot v%s initialized" % __version__)
-        self.show_message("LivePilot: Listening on port 9878")
+        self.log_message("LivePilot v%s starting..." % __version__)
+        self.show_message("LivePilot v%s starting..." % __version__)
 
     def disconnect(self):
         """Called by Ableton when the script is unloaded."""

package/remote_script/LivePilot/server.py

@@ -95,7 +95,8 @@ class LivePilotServer(object):
         self._thread = threading.Thread(target=self._server_loop)
         self._thread.daemon = True
         self._thread.start()
-        self._log("Server started on %s:%d" % (self._host, self._port))
+        # Note: "Listening on ..." is logged from _server_loop after bind
+        # succeeds. Don't log "Server started" here — bind may still fail.
 
     def stop(self):
         """Shutdown the server gracefully."""

package/requirements.txt

@@ -1,6 +1,6 @@
 # LivePilot MCP Server dependencies
 numpy>=1.24.0
-fastmcp>=3.0.0,<4.0.0
+fastmcp>=3.0.0,<3.3.0  # pinned upper bound — _get_all_tools() accesses private internals
 midiutil>=1.2.1
 pretty_midi>=0.2.10
 # v1.8 Perception Layer (offline analysis)
@@ -9,5 +9,8 @@ soundfile>=0.12.0
 scipy>=1.11.0
 mutagen>=1.47.0
 
+# Development / testing (not required for runtime)
+# pip install pytest pytest-asyncio
+
 # Optional: neo-Riemannian group theory (not required — harmony engine is pure Python)
 # pip install opycleid>=0.5.1