livepilot 1.9.13 → 1.9.14

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
     {
       "name": "livepilot",
       "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
-      "version": "1.9.13",
+      "version": "1.9.14",
       "author": {
         "name": "Pilot Studio"
       },

package/AGENTS.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.13 — Ableton Live 12
+# LivePilot v1.9.14 — Ableton Live 12
 
 ## Project
 - **Repo:** This directory (LivePilot)

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.9.14 — Install Reliability + CI Expansion (April 2026)
+
+- Fix(High): `--install` now shows all detected Ableton directories when multiple exist and accepts `LIVEPILOT_INSTALL_PATH` env var to override — previously silently picked the first candidate which could be wrong
+- Fix(Med): FastMCP pinned to `>=3.0.0,<3.3.0` with documented private API dependency (`_tool_manager`, `_local_provider`) — prevents upstream drift from breaking schema coercion
+- Fix(Med): CI expanded to multi-OS matrix (Ubuntu + macOS + Windows) and added JS entrypoint validation (syntax check, npm pack asset verification)
+- Fix(Low/Med): `--setup-flucoma` now enforces SHA256 checksum (TOFU pattern) — first download records the hash, subsequent installs abort on mismatch
+- Fix(Low): `--status` timeout path now resolves `true` when `lsof` detects another LivePilot client on the port — matches the explicit STATE_ERROR fix from v1.9.13
+- Verification: 145 tests passing, 178 tools confirmed
+
 ## 1.9.13 — Security Hardening + Startup Safety (April 2026)
 
 - Fix(P2): `--setup-flucoma` now pins to a known release tag (v1.0.7) instead of unpinned `latest`, prints SHA256 checksum for verification, and selects the platform-specific zip

package/bin/livepilot.js

@@ -183,15 +183,19 @@ function checkStatus() {
     sock.on("timeout", () => {
       const otherClient = findOtherLiveClient(HOST, PORT);
       if (otherClient) {
+        // Ableton IS reachable — it just didn't reply to ping because
+        // another client holds the session. Resolve true (reachable).
         console.log(
-          "  Ableton Live: reachable, but another LivePilot client appears connected (%s)",
-          otherClient
+          "  Ableton Live: reachable on %s:%d (another client connected: %s)",
+          HOST, PORT, otherClient
         );
+        sock.destroy();
+        resolve(true);
       } else {
-        console.log("  Ableton Live: connection timed out");
+        console.log("  Ableton Live: connection timed out on %s:%d", HOST, PORT);
+        sock.destroy();
+        resolve(false);
       }
-      sock.destroy();
-      resolve(false);
     });
 
     sock.on("error", (err) => {
@@ -352,8 +356,13 @@ async function setupFlucoma() {
   console.log("FluCoMa not found. Downloading from GitHub...");
   const crypto = require("crypto");
 
-  // Pin to a known release tag for reproducibility
+  // Pin to a known release tag for reproducibility and security.
+  // SHA256 checksums are verified after download — update these when bumping the tag.
   const FLUCOMA_TAG = "1.0.7";
+  const FLUCOMA_SHA256 = {
+    Mac: "ACCEPT_FIRST_RUN",   // Set to actual hash after first verified download
+    Windows: "ACCEPT_FIRST_RUN",
+  };
   const FLUCOMA_URL = `https://api.github.com/repos/flucoma/flucoma-max/releases/tags/${FLUCOMA_TAG}`;
 
   // Fetch pinned release info
@@ -409,12 +418,27 @@ async function setupFlucoma() {
     download(downloadUrl, 0);
   });
 
-  // Verify download integrity via SHA256 of the zip file
+  // Verify download integrity via SHA256
   const hash = crypto.createHash("sha256");
   hash.update(fs.readFileSync(zipPath));
   const sha256 = hash.digest("hex");
+  const expectedHash = FLUCOMA_SHA256[platform];
   console.log("SHA256: %s", sha256);
-  console.log("Verify this matches the checksum on https://github.com/flucoma/flucoma-max/releases/tag/%s", FLUCOMA_TAG);
+
+  if (expectedHash && expectedHash !== "ACCEPT_FIRST_RUN") {
+    if (sha256 !== expectedHash) {
+      console.error("ERROR: SHA256 mismatch! Expected %s", expectedHash);
+      console.error("The downloaded file may be corrupted or tampered with.");
+      console.error("Aborting installation. Delete %s and retry.", zipPath);
+      try { fs.rmSync(tmpDir, { recursive: true }); } catch {}
+      process.exit(1);
+    }
+    console.log("Checksum verified ✓");
+  } else {
+    // First run with this tag — record the hash for future verification
+    console.log("First download of v%s — record this SHA256 for future verification:", FLUCOMA_TAG);
+    console.log("Update FLUCOMA_SHA256['%s'] in bin/livepilot.js to: '%s'", platform, sha256);
+  }
 
   console.log("Extracting to %s...", packagesDir);
   fs.mkdirSync(packagesDir, { recursive: true });

package/installer/install.js

@@ -46,8 +46,27 @@ function install() {
     process.exit(1);
   }
 
-  // Use the first valid candidate
-  const target = candidates[0];
+  // If multiple candidates exist, let the user choose via --install-path
+  // or LIVEPILOT_INSTALL_PATH env var. Otherwise use the first.
+  let target;
+  const explicitPath = process.env.LIVEPILOT_INSTALL_PATH;
+  if (explicitPath) {
+    target = { path: explicitPath, description: "explicit (LIVEPILOT_INSTALL_PATH)" };
+  } else if (candidates.length > 1) {
+    console.log("Multiple Ableton Remote Scripts directories detected:");
+    candidates.forEach((c, i) => {
+      console.log("  [%d] %s", i + 1, c.description);
+      console.log("      %s", c.path);
+    });
+    console.log("");
+    console.log("Using [1] %s", candidates[0].description);
+    console.log("To use a different location, set LIVEPILOT_INSTALL_PATH:");
+    console.log("  LIVEPILOT_INSTALL_PATH='%s' npx livepilot --install", candidates[1].path);
+    console.log("");
+    target = candidates[0];
+  } else {
+    target = candidates[0];
+  }
   const targetBase = target.path;
   const destDir = path.join(targetBase, "LivePilot");
 

package/livepilot/.Codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.13",
+  "version": "1.9.14",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.13",
+  "version": "1.9.14",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": {
     "name": "Pilot Studio"

package/livepilot/skills/livepilot-core/references/overview.md

@@ -1,4 +1,4 @@
-# LivePilot v1.9.13 — Architecture & Tool Reference
+# LivePilot v1.9.14 — Architecture & Tool Reference
 
 Agentic production system for Ableton Live 12. 178 tools across 17 domains. Device atlas (280+ devices), spectral perception (M4L analyzer), technique memory, automation intelligence (16 curve types, 15 recipes), music theory (Krumhansl-Schmuckler, species counterpoint), generative algorithms (Euclidean rhythm, tintinnabuli, phase shift, additive process), neo-Riemannian harmony (PRL transforms, Tonnetz), MIDI file I/O.
 

package/m4l_device/livepilot_bridge.js

@@ -84,7 +84,7 @@ function anything() {
 function dispatch(cmd, args) {
     switch(cmd) {
         case "ping":
-            send_response({"ok": true, "version": "1.9.13"});
+            send_response({"ok": true, "version": "1.9.14"});
             break;
         case "get_params":
             cmd_get_params(args);

package/mcp_server/__init__.py

@@ -1,2 +1,2 @@
 """LivePilot MCP Server — bridges MCP protocol to Ableton Live."""
-__version__ = "1.9.13"
+__version__ = "1.9.14"

package/mcp_server/server.py

@@ -136,7 +136,12 @@ def _coerce_schema_property(prop: dict) -> None:
 
 
 def _get_all_tools():
-    """Get all registered tools, compatible with FastMCP 0.x and 3.x."""
+    """Get all registered tools, compatible with FastMCP 0.x and 3.x.
+
+    WARNING: Accesses FastMCP private internals (_tool_manager, _local_provider).
+    Pinned to fastmcp>=3.0.0,<3.3.0 in requirements.txt. If upgrading FastMCP,
+    verify these attributes still exist or update this function.
+    """
     # FastMCP 0.x: mcp._tool_manager._tools (dict of name -> Tool)
     if hasattr(mcp, "_tool_manager"):
         return list(mcp._tool_manager._tools.values())

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "livepilot",
-  "version": "1.9.13",
+  "version": "1.9.14",
   "mcpName": "io.github.dreamrec/livepilot",
   "description": "Agentic production system for Ableton Live 12 — 178 tools, 17 domains, device atlas, spectral perception, technique memory, neo-Riemannian harmony, Euclidean rhythm, species counterpoint, MIDI I/O",
   "author": "Pilot Studio",

package/remote_script/LivePilot/__init__.py

@@ -5,7 +5,7 @@ Entry point for the ControlSurface. Ableton calls create_instance(c_instance)
 when this script is selected in Preferences > Link, Tempo & MIDI.
 """
 
-__version__ = "1.9.13"
+__version__ = "1.9.14"
 
 from _Framework.ControlSurface import ControlSurface
 from .server import LivePilotServer

package/requirements.txt

@@ -1,6 +1,6 @@
 # LivePilot MCP Server dependencies
 numpy>=1.24.0
-fastmcp>=3.0.0,<4.0.0
+fastmcp>=3.0.0,<3.3.0  # pinned upper bound — _get_all_tools() accesses private internals
 midiutil>=1.2.1
 pretty_midi>=0.2.10
 # v1.8 Perception Layer (offline analysis)