ltcai 0.1.4 → 0.1.9

package/server.py

@@ -40,6 +40,7 @@ from pydantic import BaseModel
 from PIL import Image
 
 from llm_router import AsyncOpenAI, LLMRouter, OPENAI_COMPATIBLE_PROVIDERS, parse_model_ref, mx, normalize_branding
+from knowledge_graph import KnowledgeGraphStore
 from p_reinforce import BRAIN_DIR, PReinforceGardener
 from setup import get_recommendations, install_stream, open_url, scan_environment
 from telegram_bot import broadcast_web_chat
@@ -165,6 +166,7 @@ IS_PUBLIC_MODE = APP_MODE == "public"
 DEFAULT_HOST = env_value("LATTICEAI_HOST", "127.0.0.1")
 DEFAULT_PORT = int(env_value("LATTICEAI_PORT", "4825"))
 ENABLE_TELEGRAM = env_bool("LATTICEAI_ENABLE_TELEGRAM", default=not IS_PUBLIC_MODE)
+ENABLE_GRAPH    = env_bool("LATTICEAI_ENABLE_GRAPH",    default=True)
 AUTOLOAD_MODELS = env_bool("LATTICEAI_AUTOLOAD_MODELS", default=IS_PUBLIC_MODE)
 MODEL_IDLE_UNLOAD_SECONDS = int(env_value("LATTICEAI_MODEL_IDLE_UNLOAD_SECONDS", "0"))
 ALLOW_LOCAL_MODELS = env_bool("LATTICEAI_ALLOW_LOCAL_MODELS", default=not IS_PUBLIC_MODE)
@@ -215,17 +217,25 @@ def verify_password(password: str, hashed: str) -> bool:
         return False
 
 def verify_and_migrate_password(email: str, plain: str, stored: str, users: Dict) -> bool:
-    """평문 비밀번호를 투명하게 해시로 마이그레이션."""
+    """평문 비밀번호를 투명하게 해시로 마이그레이션. 마이그레이션 발생 시 audit log 남김."""
     if ":" in stored and len(stored) > 64:
         return verify_password(plain, stored)
     if plain == stored:
         users[email]["password"] = hash_password(plain)
         save_users(users)
+        try:
+            append_audit_event("password_migrated_from_plaintext", user_email=email)
+        except Exception as e:
+            logging.warning("audit log failed on password migration: %s", e)
+        logging.info("Migrated plaintext password to bcrypt hash for %s", email)
         return True
     return False
 
 # ── Session store (file-backed, survives restarts) ────────────────────────────
-_SESSION_TTL = 60 * 60 * 24 * 7  # 7 days
+# 24-hour TTL with sliding-window refresh — every authenticated request bumps
+# created_at, so an active user stays logged in while idle sessions auto-expire.
+_SESSION_TTL = 60 * 60 * 24  # 24 hours
+_SESSION_REFRESH_THRESHOLD = 60 * 15  # only persist if >15 min since last bump (write amplification guard)
 _sessions_lock = threading.Lock()
 
 def _sessions_file() -> Path:
@@ -237,15 +247,15 @@ def _load_sessions() -> Dict[str, tuple]:
         if f.exists():
             raw = json.loads(f.read_text())
             return {k: tuple(v) for k, v in raw.items()}
-    except Exception:
-        pass
+    except Exception as e:
+        logging.warning("_load_sessions failed (starting empty): %s", e)
     return {}
 
 def _persist_sessions(sessions: Dict[str, tuple]) -> None:
     try:
         _sessions_file().write_text(json.dumps({k: list(v) for k, v in sessions.items()}, ensure_ascii=False))
-    except Exception:
-        pass
+    except Exception as e:
+        logging.warning("_persist_sessions failed: %s", e)
 
 _sessions: Dict[str, tuple] = _load_sessions()
 
@@ -257,15 +267,21 @@ def create_session(email: str) -> str:
     return token
 
 def get_session_email(token: str) -> Optional[str]:
+    """Return email for a valid session, sliding the expiry forward on activity."""
+    now = time.time()
     with _sessions_lock:
         entry = _sessions.get(token)
         if entry is None:
             return None
         email, created_at = entry
-        if time.time() - created_at > _SESSION_TTL:
+        if now - created_at > _SESSION_TTL:
             _sessions.pop(token, None)
             _persist_sessions(_sessions)
             return None
+        # Sliding refresh: only update if the timestamp drifted enough to be worth a disk write
+        if now - created_at > _SESSION_REFRESH_THRESHOLD:
+            _sessions[token] = (email, now)
+            _persist_sessions(_sessions)
         return email
 
 def invalidate_session(token: str) -> None:
@@ -287,6 +303,12 @@ USERS_FILE = DATA_DIR / "users.json"
 HISTORY_FILE = DATA_DIR / "chat_history.json"
 VPC_FILE = DATA_DIR / "vpc_config.json"
 MCP_FILE = DATA_DIR / "mcp_installs.json"
+AUDIT_FILE = DATA_DIR / "audit_log.json"
+KNOWLEDGE_GRAPH = KnowledgeGraphStore(DATA_DIR / "knowledge_graph.sqlite", DATA_DIR / "knowledge_graph_blobs") if ENABLE_GRAPH else None
+
+def _require_graph():
+    if not ENABLE_GRAPH or KNOWLEDGE_GRAPH is None:
+        raise HTTPException(status_code=404, detail="Data Graph is disabled. Set LATTICEAI_ENABLE_GRAPH=true in .env to enable.")
 
 class UserRegister(BaseModel):
     email: str
@@ -319,6 +341,17 @@ class McpRecommendRequest(BaseModel):
 class McpInstallRequest(BaseModel):
     mcp_id: str
 
+class KnowledgeGraphIngestRequest(BaseModel):
+    type: str
+    content: str = ""
+    role: Optional[str] = None
+    title: Optional[str] = None
+    source: Optional[str] = None
+    conversation_id: Optional[str] = None
+    user_email: Optional[str] = None
+    user_nickname: Optional[str] = None
+    metadata: Optional[Dict] = None
+
 DEFAULT_VPC_CONFIG = {
     "provider": "AWS",
     "region": "ap-northeast-2",
@@ -609,7 +642,8 @@ def load_vpc_config() -> Dict:
         with open(VPC_FILE, "r", encoding="utf-8") as f:
             stored = json.load(f)
         return {**DEFAULT_VPC_CONFIG, **stored}
-    except Exception:
+    except Exception as e:
+        logging.warning("load_vpc_config failed (using defaults): %s", e)
         return DEFAULT_VPC_CONFIG.copy()
 
 def save_vpc_config(config: Dict):
@@ -626,7 +660,8 @@ def load_mcp_installs() -> Dict:
         if "installed" not in data:
             data["installed"] = {}
         return data
-    except Exception:
+    except Exception as e:
+        logging.warning("load_mcp_installs failed: %s", e)
         return {"installed": {}, "updated_at": None}
 
 def save_mcp_installs(data: Dict):
@@ -727,6 +762,36 @@ def connector_info(mcp_id: str) -> Dict:
 
 _history_lock = threading.Lock()
 
+def get_audit_log() -> List[Dict]:
+    if not os.path.exists(AUDIT_FILE):
+        return []
+    try:
+        with open(AUDIT_FILE, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        return data if isinstance(data, list) else []
+    except Exception as e:
+        logging.warning("get_audit_log failed: %s", e)
+        return []
+
+def append_audit_event(event_type: str, **payload) -> None:
+    try:
+        event = {
+            "event_type": event_type,
+            "timestamp": datetime.now().isoformat(),
+            **payload,
+        }
+        with _history_lock:
+            events = get_audit_log()
+            events.append(event)
+            if len(events) > 5000:
+                events = events[-5000:]
+            tmp_path = str(AUDIT_FILE) + ".tmp"
+            with open(tmp_path, "w", encoding="utf-8") as f:
+                json.dump(events, f, ensure_ascii=False, indent=2)
+            os.replace(tmp_path, AUDIT_FILE)
+    except Exception as e:
+        logging.warning("append_audit_event failed: %s", e)
+
 def save_to_history(
     role: str,
     message: str,
@@ -748,6 +813,19 @@ def save_to_history(
             item["source"] = source
         if conversation_id:
             item["conversation_id"] = conversation_id
+        sensitive = classify_sensitive_message(item, -1)
+        append_audit_event(
+            "chat_message",
+            role=role,
+            user_email=user_email,
+            user_nickname=user_nickname,
+            source=source,
+            conversation_id=conversation_id,
+            content_preview=sensitive.get("preview"),
+            content_chars=len(message or ""),
+            sensitivity=sensitive.get("sensitivity"),
+            sensitive_labels=sensitive.get("labels") or [],
+        )
         with _history_lock:
             history = []
             if os.path.exists(HISTORY_FILE):
@@ -760,6 +838,19 @@ def save_to_history(
             with open(tmp_path, "w", encoding="utf-8") as f:
                 json.dump(history, f, ensure_ascii=False, indent=2)
             os.replace(tmp_path, HISTORY_FILE)
+        try:
+            if ENABLE_GRAPH and KNOWLEDGE_GRAPH:
+                KNOWLEDGE_GRAPH.ingest_message(
+                    role,
+                    message,
+                    user_email=user_email,
+                    user_nickname=user_nickname,
+                    source=source,
+                    conversation_id=conversation_id,
+                    raw=item,
+                )
+        except Exception as graph_error:
+            logging.warning("knowledge graph message ingest failed: %s", graph_error)
     except Exception as e:
         logging.warning("save_to_history failed: %s", e)
 
@@ -973,12 +1064,77 @@ def require_user(request: Request) -> str:
         raise HTTPException(status_code=401, detail="인증이 필요합니다.")
     return email or ""
 
+
+# ── Rate limiting ─────────────────────────────────────────────────────────────
+# Per-user token bucket. Disabled when LATTICEAI_RATE_LIMIT=0 (default: enabled).
+_RATE_LIMIT_ENABLED = os.getenv("LATTICEAI_RATE_LIMIT", "1") != "0"
+_rate_buckets: Dict[str, Dict[str, float]] = {}
+_rate_lock = threading.Lock()
+
+# (capacity, refill_per_second) per endpoint family
+_RATE_LIMITS = {
+    "chat":   (30, 0.5),   # 30 burst, 30/min sustained
+    "agent":  (10, 0.1),   # 10 burst, 6/min sustained (agent is expensive)
+    "upload": (20, 0.2),   # 20 burst, 12/min sustained
+}
+
+
+def enforce_rate_limit(email: str, bucket_key: str) -> None:
+    """Raise HTTP 429 if user exceeds the bucket. No-op when disabled or unauth'd."""
+    if not _RATE_LIMIT_ENABLED or not email:
+        return
+    cap, refill = _RATE_LIMITS.get(bucket_key, (60, 1.0))
+    key = f"{email}:{bucket_key}"
+    now = time.time()
+    with _rate_lock:
+        bucket = _rate_buckets.get(key)
+        if bucket is None:
+            _rate_buckets[key] = {"tokens": cap - 1, "ts": now}
+            return
+        elapsed = now - bucket["ts"]
+        bucket["tokens"] = min(cap, bucket["tokens"] + elapsed * refill)
+        bucket["ts"] = now
+        if bucket["tokens"] < 1:
+            retry_after = max(1, int((1 - bucket["tokens"]) / refill))
+            raise HTTPException(
+                status_code=429,
+                detail=f"Rate limit exceeded for {bucket_key}. Retry after {retry_after}s.",
+                headers={"Retry-After": str(retry_after)},
+            )
+        bucket["tokens"] -= 1
+
+
+# ── File magic-number validation ──────────────────────────────────────────────
+# Map of extension → list of byte-prefix signatures (any-match). Files without
+# distinctive magic (.txt, .md, .csv) skip the check.
+_FILE_MAGIC: Dict[str, List[bytes]] = {
+    ".pdf":  [b"%PDF-"],
+    ".docx": [b"PK\x03\x04"],
+    ".xlsx": [b"PK\x03\x04"],
+    ".pptx": [b"PK\x03\x04"],
+    ".zip":  [b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"],
+    ".png":  [b"\x89PNG\r\n\x1a\n"],
+    ".jpg":  [b"\xff\xd8\xff"],
+    ".jpeg": [b"\xff\xd8\xff"],
+    ".gif":  [b"GIF87a", b"GIF89a"],
+}
+
+
+def _bytes_match_extension(data: bytes, ext: str) -> bool:
+    """Return True if the file bytes match the claimed extension (or extension has no magic)."""
+    ext = (ext or "").lower()
+    signatures = _FILE_MAGIC.get(ext)
+    if not signatures:
+        return True  # text-like formats — no reliable magic
+    head = data[:16]
+    return any(head.startswith(sig) for sig in signatures)
+
 def require_admin(request: Request) -> tuple[str, Dict]:
+    users = load_users()
     token = _extract_bearer_token(request)
     if token:
         email = get_session_email(token)
         if email:
-            users = load_users()
             if get_user_role(email, users) == "admin":
                 return email, users
     raise HTTPException(status_code=403, detail="관리자 권한이 필요합니다.")
@@ -1151,6 +1307,136 @@ def build_sensitivity_report(history: List[Dict]) -> Dict:
         "compliance_fields": compliant_items[-30:],
     }
 
+AUDIT_DELETE_EVENTS = {"conversation_delete", "history_delete", "user_delete"}
+
+def _audit_user_bucket(email: Optional[str], nickname: Optional[str] = None, users: Optional[Dict] = None) -> Dict:
+    user = (users or {}).get(email or "", {})
+    return {
+        "email": email or "Unknown",
+        "nickname": nickname or user.get("nickname") or user.get("name") or email or "Unknown",
+        "role": get_user_role(email, users or {}) if email else "unknown",
+        "disabled": bool(user.get("disabled")) if user else False,
+        "user_messages": 0,
+        "assistant_messages": 0,
+        "document_uploads": 0,
+        "clear_events": 0,
+        "delete_events": 0,
+        "sensitive_events": 0,
+        "high_sensitive_events": 0,
+        "total_content_chars": 0,
+        "last_activity_at": None,
+    }
+
+def _public_audit_event(event: Dict) -> Dict:
+    allowed = {
+        "event_type",
+        "timestamp",
+        "role",
+        "user_email",
+        "user_nickname",
+        "source",
+        "conversation_id",
+        "command",
+        "scope",
+        "target_email",
+        "filename",
+        "mime_type",
+        "ext",
+        "bytes",
+        "extracted_chars",
+        "graph_node",
+        "keep_last",
+        "removed",
+        "kept",
+        "started_at",
+        "sensitivity",
+        "sensitive_labels",
+        "content_preview",
+        "content_chars",
+    }
+    return {key: event.get(key) for key in allowed if key in event}
+
+def build_admin_audit_report(users: Dict) -> Dict:
+    events = get_audit_log()
+    per_user: Dict[str, Dict] = {}
+
+    def ensure_user(email: Optional[str], nickname: Optional[str] = None) -> Dict:
+        key = email or nickname or "Unknown"
+        if key not in per_user:
+            per_user[key] = _audit_user_bucket(email, nickname, users)
+        elif nickname and per_user[key].get("nickname") in {"Unknown", email, None}:
+            per_user[key]["nickname"] = nickname
+        return per_user[key]
+
+    for email, user in users.items():
+        ensure_user(email, user.get("nickname") or user.get("name"))
+
+    summary = {
+        "total_events": len(events),
+        "chat_events": 0,
+        "user_messages": 0,
+        "assistant_messages": 0,
+        "document_uploads": 0,
+        "clear_events": 0,
+        "delete_events": 0,
+        "sensitive_events": 0,
+        "high_sensitive_events": 0,
+    }
+
+    sensitive_events = []
+    deletion_events = []
+    for event in events:
+        event_type = event.get("event_type")
+        email = event.get("user_email")
+        user = ensure_user(email, event.get("user_nickname"))
+        timestamp = event.get("timestamp")
+        if timestamp and (not user["last_activity_at"] or timestamp > user["last_activity_at"]):
+            user["last_activity_at"] = timestamp
+
+        user["total_content_chars"] += int(event.get("content_chars") or event.get("extracted_chars") or 0)
+        sensitivity = event.get("sensitivity") or "none"
+        labels = event.get("sensitive_labels") or []
+        is_sensitive = sensitivity != "none" or bool(labels)
+
+        if event_type == "chat_message":
+            summary["chat_events"] += 1
+            if event.get("role") == "user":
+                summary["user_messages"] += 1
+                user["user_messages"] += 1
+            elif event.get("role") == "assistant":
+                summary["assistant_messages"] += 1
+                user["assistant_messages"] += 1
+        elif event_type == "document_upload":
+            summary["document_uploads"] += 1
+            user["document_uploads"] += 1
+        elif event_type == "clear_command":
+            summary["clear_events"] += 1
+            user["clear_events"] += 1
+        elif event_type in AUDIT_DELETE_EVENTS:
+            summary["delete_events"] += 1
+            user["delete_events"] += 1
+            deletion_events.append(_public_audit_event(event))
+
+        if is_sensitive:
+            summary["sensitive_events"] += 1
+            user["sensitive_events"] += 1
+            sensitive_events.append(_public_audit_event(event))
+        if sensitivity == "high":
+            summary["high_sensitive_events"] += 1
+            user["high_sensitive_events"] += 1
+
+    return {
+        "summary": summary,
+        "per_user": sorted(
+            per_user.values(),
+            key=lambda item: (item.get("last_activity_at") or "", item.get("user_messages", 0) + item.get("assistant_messages", 0)),
+            reverse=True,
+        ),
+        "recent_events": [_public_audit_event(event) for event in events[-80:]][::-1],
+        "sensitive_events": sensitive_events[-80:][::-1],
+        "deletion_events": deletion_events[-80:][::-1],
+    }
+
 router = LLMRouter()
 gardener = PReinforceGardener()
 
@@ -1209,18 +1495,31 @@ async def unload_idle_models_loop() -> None:
         except Exception as e:
             logging.warning("Idle model unload failed: %s", e)
 
+def _spawn(coro, *, name: str):
+    """Fire-and-forget asyncio task that logs exceptions instead of swallowing them."""
+    task = asyncio.create_task(coro, name=name)
+    def _on_done(t: asyncio.Task) -> None:
+        if t.cancelled():
+            return
+        exc = t.exception()
+        if exc is not None:
+            logging.warning("background task '%s' failed: %s", name, exc)
+    task.add_done_callback(_on_done)
+    return task
+
+
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     try:
         print(f"🧭 Lattice AI mode: {APP_MODE}")
         if ENABLE_TELEGRAM:
             from telegram_bot import run_bot
-            asyncio.create_task(run_bot())
+            _spawn(run_bot(), name="telegram_bot")
             print("🚀 Telegram Bot Bridge activated!")
         else:
             print("⏭️ Telegram Bot Bridge disabled for this mode.")
-        asyncio.create_task(unload_idle_models_loop())
-        asyncio.create_task(autoload_default_model())
+        _spawn(unload_idle_models_loop(), name="unload_idle_models")
+        _spawn(autoload_default_model(), name="autoload_default_model")
     except Exception as e:
         print(f"⚠️ Startup sequence failed: {e}")
     try:
@@ -1239,11 +1538,16 @@ app.add_middleware(
     allow_origins=CORS_ALLOWED_ORIGINS,
     allow_methods=["*"],
     allow_headers=["*"],
+    allow_credentials=True,
 )
 
 # UI 파일이 담길 static 폴더 연결
 STATIC_DIR.mkdir(parents=True, exist_ok=True)
 app.mount("/static", StaticFiles(directory=str(STATIC_DIR)), name="static")
+# PWA icons served at /icons/*
+_ICONS_DIR = STATIC_DIR / "icons"
+if _ICONS_DIR.exists():
+    app.mount("/icons", StaticFiles(directory=str(_ICONS_DIR)), name="icons")
 ensure_agent_root()
 app.mount("/agent-files", StaticFiles(directory=str(AGENT_ROOT)), name="agent-files")
 
@@ -1281,7 +1585,7 @@ async def login(req: UserLogin):
         "is_admin": role == "admin",
         "token": token,
     })
-    response.set_cookie(key="session_token", value=token, httponly=True, samesite="lax", max_age=60 * 60 * 24 * 7)
+    response.set_cookie(key="session_token", value=token, httponly=True, samesite="lax", max_age=_SESSION_TTL)
     return response
 
 @app.get("/auth/sso/config")
@@ -1468,6 +1772,17 @@ async def admin_sensitivity(request: Request):
     require_admin(request)
     return build_sensitivity_report(get_history())
 
+@app.get("/admin/audit")
+async def admin_audit(request: Request):
+    _, users = require_admin(request)
+    report = build_admin_audit_report(users)
+    try:
+        report["graph"] = KNOWLEDGE_GRAPH.stats() if (ENABLE_GRAPH and KNOWLEDGE_GRAPH) else {"disabled": True}
+    except Exception as e:
+        logging.warning("knowledge graph stats for audit failed: %s", e)
+        report["graph"] = {"error": str(e)}
+    return report
+
 @app.get("/vpc/status")
 async def vpc_status(request: Request):
     require_user(request)
@@ -1489,6 +1804,7 @@ async def admin_update_user(email: str, req: AdminUserUpdate, request: Request):
     admin_email, users = require_admin(request)
     if email not in users:
         raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+    before = public_user(email, users[email], users)
     if req.role is not None:
         if req.role not in {"admin", "user"}:
             raise HTTPException(status_code=400, detail="role은 admin 또는 user만 가능합니다.")
@@ -1498,7 +1814,9 @@ async def admin_update_user(email: str, req: AdminUserUpdate, request: Request):
             raise HTTPException(status_code=400, detail="자기 자신은 비활성화할 수 없습니다.")
         users[email]["disabled"] = req.disabled
     save_users(users)
-    return public_user(email, users[email], users)
+    after = public_user(email, users[email], users)
+    append_audit_event("user_update", user_email=admin_email, target_email=email, before=before, after=after)
+    return after
 
 @app.delete("/admin/users/{email:path}")
 async def admin_delete_user(email: str, request: Request):
@@ -1508,6 +1826,7 @@ async def admin_delete_user(email: str, request: Request):
     if email not in users:
         raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
     deleted = public_user(email, users[email], users)
+    append_audit_event("user_delete", user_email=admin_email, target_email=email, deleted_user=deleted)
     del users[email]
     save_users(users)
     return {"status": "ok", "deleted": deleted}
@@ -1515,7 +1834,7 @@ async def admin_delete_user(email: str, request: Request):
 @app.get("/admin/invite-link")
 async def admin_invite_link(request: Request):
     require_admin(request)
-    host = request.headers.get("host", f"localhost:{PORT}")
+    host = request.headers.get("host", f"localhost:{DEFAULT_PORT}")
     scheme = "https" if request.headers.get("x-forwarded-proto") == "https" else "http"
     if INVITE_GATE_ENABLED:
         url = f"{scheme}://{host}/?code={INVITE_CODE}"
@@ -1556,6 +1875,30 @@ async def root(request: Request, code: Optional[str] = None, authorized: Optiona
     """, status_code=403)
 
 
+@app.get("/account")
+async def account_page():
+    """Direct login/register page route used by logout and manual navigation."""
+    return FileResponse(STATIC_DIR / "account.html")
+
+
+@app.get("/manifest.json")
+async def manifest():
+    p = STATIC_DIR / "manifest.json"
+    if not p.exists():
+        raise HTTPException(status_code=404)
+    return FileResponse(str(p), media_type="application/manifest+json")
+
+
+@app.get("/sw.js")
+async def service_worker():
+    p = STATIC_DIR / "sw.js"
+    if not p.exists():
+        raise HTTPException(status_code=404)
+    resp = FileResponse(str(p), media_type="application/javascript")
+    resp.headers["Service-Worker-Allowed"] = "/"
+    return resp
+
+
 @app.get("/chat")
 async def chat_page(request: Request):
     return FileResponse(STATIC_DIR / "chat.html")
@@ -1796,6 +2139,7 @@ ENGINE_MODEL_CATALOG = {
         {"id": "mlx-community/gemma-4-e4b-4bit", "name": "Gemma 4 E4B Base", "family": "Gemma 4", "tag": "local-vlm", "size": "5.2GB", "pullable": True},
         {"id": "mlx-community/gemma-4-e4b-it-4bit", "name": "Gemma 4 E4B Instruct", "family": "Gemma 4", "tag": "local-vlm", "size": "5.2GB", "pullable": True},
         {"id": "mlx-community/gemma-4-26b-a4b-it-4bit", "name": "Gemma 4 26B A4B Instruct", "family": "Gemma 4", "tag": "local-vlm", "size": "Apple Silicon", "pullable": True},
+        {"id": "Jiunsong/supergemma4-26b-abliterated-multimodal-mlx-4bit", "name": "SuperGemma4 26B Abliterated Multimodal", "family": "Gemma 4", "tag": "local-vlm", "size": "Apple Silicon", "pullable": True},
         {"id": "mlx-community/Qwen2.5-Coder-3B-Instruct-4bit", "name": "Qwen 2.5 Coder 3B", "family": "Qwen 2.5 Coder", "tag": "local-coding", "size": "2.1GB", "pullable": True},
         {"id": "mlx-community/Qwen2.5-Coder-7B-Instruct-4bit", "name": "Qwen 2.5 Coder 7B", "family": "Qwen 2.5 Coder", "tag": "local-coding", "size": "4.3GB", "pullable": True},
         {"id": "mlx-community/Qwen2.5-Coder-14B-Instruct-4bit", "name": "Qwen 2.5 Coder 14B", "family": "Qwen 2.5 Coder", "tag": "local-coding", "size": "8.5GB", "pullable": True},
@@ -2045,6 +2389,7 @@ def runtime_features() -> Dict:
         "port": DEFAULT_PORT,
         "data_dir": str(DATA_DIR),
         "telegram_enabled": ENABLE_TELEGRAM,
+        "graph_enabled": ENABLE_GRAPH,
         "autoload_models": AUTOLOAD_MODELS,
         "model_idle_unload_seconds": MODEL_IDLE_UNLOAD_SECONDS,
         "model_memory_policy": router.model_memory_policy(),
@@ -2098,11 +2443,28 @@ def install_engine(engine: str) -> Dict:
         "installed": engine_installed(engine),
     }
     if engine == "ollama" and completed.returncode == 0 and shutil.which("ollama"):
+        # Skip if already running to avoid orphan daemons.
+        already_up = False
         try:
-            subprocess.Popen(["ollama", "serve"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-            result["daemon_started"] = True
+            probe = subprocess.run(["ollama", "list"], capture_output=True, timeout=2, check=False)
+            already_up = probe.returncode == 0
         except Exception:
-            result["daemon_started"] = False
+            already_up = False
+        if already_up:
+            result["daemon_started"] = "already_running"
+        else:
+            try:
+                # Detach so the daemon survives this request but doesn't become our zombie.
+                subprocess.Popen(
+                    ["ollama", "serve"],
+                    stdout=subprocess.DEVNULL,
+                    stderr=subprocess.DEVNULL,
+                    start_new_session=True,
+                )
+                result["daemon_started"] = True
+            except Exception as e:
+                logging.warning("ollama serve spawn failed: %s", e)
+                result["daemon_started"] = False
     return result
 
 CLOUD_VERIFY_CACHE: Dict[str, Dict] = {}
@@ -2181,6 +2543,7 @@ async def health(request: Request):
 
 
 @app.get("/mode")
+@app.get("/runtime_features")
 async def mode():
     return runtime_features()
 
@@ -2371,6 +2734,7 @@ async def unload_all_models(request: Request):
 @app.post("/chat")
 async def chat(req: ChatRequest, request: Request):
     current_user = require_user(request)
+    enforce_rate_limit(current_user, "chat")
     img_len = len(req.image_data) if req.image_data else 0
     print(
         f"🧪 /chat request: stream={req.stream} image_data_len={img_len} "
@@ -2400,16 +2764,41 @@ async def chat(req: ChatRequest, request: Request):
 
     if is_clear_command(req.message):
         command = req.message.strip().lower()
+        clear_scope = "all" if command == "/clear_all" else "conversation"
+        if ENABLE_GRAPH and KNOWLEDGE_GRAPH:
+            try:
+                KNOWLEDGE_GRAPH.ingest_event(
+                    "ClearEvent",
+                    f"{command} requested",
+                    user_email=effective_email,
+                    user_nickname=req.user_nickname,
+                    source=req.source or "web",
+                    conversation_id=req.conversation_id,
+                    metadata={"command": command, "scope": clear_scope},
+                )
+            except Exception as e:
+                logging.warning("knowledge graph clear event ingest failed: %s", e)
         if command == "/clear_all":
             result = clear_history(0)
-            answer = f"전체 대화 기록을 지웠습니다. 삭제 {result.get('removed', 0)}개."
+            answer = f"채팅창을 정리했습니다. 화면에서 제거 {result.get('removed', 0)}개. 감사 로그와 Data Graph/RAG 데이터는 유지됩니다."
         else:
             if req.conversation_id:
                 result = clear_conversation(req.conversation_id)
-                answer = f"현재 대화방 기록을 지웠습니다. 삭제 {result.get('removed', 0)}개."
+                answer = f"현재 대화방 채팅창을 정리했습니다. 화면에서 제거 {result.get('removed', 0)}개. 감사 로그와 Data Graph/RAG 데이터는 유지됩니다."
             else:
                 result = clear_history(0)
-                answer = f"대화 기록을 지웠습니다. 삭제 {result.get('removed', 0)}개."
+                answer = f"채팅창을 정리했습니다. 화면에서 제거 {result.get('removed', 0)}개. 감사 로그와 Data Graph/RAG 데이터는 유지됩니다."
+        append_audit_event(
+            "clear_command",
+            user_email=effective_email,
+            user_nickname=req.user_nickname,
+            source=req.source or "web",
+            conversation_id=req.conversation_id,
+            command=command,
+            scope=clear_scope,
+            removed=result.get("removed", 0),
+            kept=result.get("kept", 0),
+        )
         if req.stream:
             return StreamingResponse(
                 single_text_stream(answer),
@@ -2454,11 +2843,33 @@ async def chat(req: ChatRequest, request: Request):
     except Exception as e:
         logging.warning("Knowledge reinforcement skipped: %s", e)
 
+    try:
+        if ENABLE_GRAPH and KNOWLEDGE_GRAPH:
+            graph_context = KNOWLEDGE_GRAPH.context_for_query(req.message)
+            if graph_context:
+                context += f"\n\n[KNOWLEDGE GRAPH]\n{graph_context}"
+                print("🕸️ Context reinforced with knowledge graph.")
+    except Exception as e:
+        logging.warning("Knowledge graph reinforcement skipped: %s", e)
+
     if req.image_data:
         screenshot_context = extract_screenshot_context(req.image_data)
         if screenshot_context:
             context += f"\n\n{screenshot_context}"
 
+    # 메시지 안에 절대 경로나 ~/... 경로가 있으면 자동으로 파일 읽어서 컨텍스트 주입
+    _file_path_re = re.compile(r'(?:^|[\s\'\"(])((~|/[\w.])[^\s\'")\]]*)', re.MULTILINE)
+    for _m in _file_path_re.finditer(req.message or ""):
+        _fpath = _m.group(1).strip()
+        try:
+            _result = local_read(_fpath)
+            _fcontent = _result.get("content", "")
+            if _fcontent:
+                context += f"\n\n[FILE: {_fpath}]\n```\n{_fcontent[:6000]}\n```"
+                print(f"📂 Auto-injected file context: {_fpath}")
+        except Exception:
+            pass
+
     history_message = f"{req.message}\n[Image attached]" if req.image_data else req.message
     save_to_history("user", history_message, source=req.source or "web", conversation_id=req.conversation_id, **history_user)
     if req.source != "telegram":
@@ -2521,14 +2932,31 @@ async def fetch_history_conversation(conversation_id: str, request: Request):
 @app.delete("/history/conversations/{conversation_id:path}")
 async def delete_history_conversation(conversation_id: str, request: Request):
     """선택한 대화방의 메시지만 삭제합니다."""
-    require_user(request)
-    return clear_conversation(conversation_id, request.query_params.get("started_at"))
+    email = require_user(request)
+    result = clear_conversation(conversation_id, request.query_params.get("started_at"))
+    append_audit_event(
+        "conversation_delete",
+        user_email=email,
+        conversation_id=conversation_id,
+        started_at=request.query_params.get("started_at"),
+        removed=result.get("removed", 0),
+        kept=result.get("kept", 0),
+    )
+    return result
 
 
 @app.delete("/history")
 async def delete_history(request: Request, keep_last: int = 0):
-    require_user(request)
-    return clear_history(keep_last)
+    email = require_user(request)
+    result = clear_history(keep_last)
+    append_audit_event(
+        "history_delete",
+        user_email=email,
+        keep_last=keep_last,
+        removed=result.get("removed", 0),
+        kept=result.get("kept", 0),
+    )
+    return result
 
 @app.get("/history/search")
 async def search_history(q: str, request: Request):
@@ -2548,6 +2976,85 @@ async def search_history(q: str, request: Request):
     return {"results": list(grouped.values())[-30:], "query": q}
 
 
+@app.get("/graph")
+async def knowledge_graph_page(request: Request):
+    """Serve the interactive knowledge graph canvas UI."""
+    _require_graph()
+    require_user(request)
+    return FileResponse(STATIC_DIR / "graph.html")
+
+
+@app.get("/knowledge-graph")
+async def knowledge_graph_legacy_page(request: Request):
+    """Backward-compatible route for the graph page."""
+    _require_graph()
+    require_user(request)
+    return FileResponse(STATIC_DIR / "graph.html")
+
+
+@app.get("/knowledge-graph/stats")
+async def knowledge_graph_stats(request: Request):
+    _require_graph()
+    require_user(request)
+    return KNOWLEDGE_GRAPH.stats()
+
+
+@app.get("/knowledge-graph/graph")
+async def knowledge_graph_data(request: Request, limit: int = 300):
+    _require_graph()
+    require_user(request)
+    return KNOWLEDGE_GRAPH.graph(limit)
+
+
+@app.get("/knowledge-graph/search")
+async def knowledge_graph_search(q: str, request: Request, limit: int = 30):
+    _require_graph()
+    require_user(request)
+    if not q or not q.strip():
+        return {"query": q, "matches": []}
+    return KNOWLEDGE_GRAPH.search(q, limit)
+
+
+@app.get("/knowledge-graph/context")
+async def knowledge_graph_context(q: str, request: Request, limit: int = 6):
+    _require_graph()
+    require_user(request)
+    return {"query": q, "context": KNOWLEDGE_GRAPH.context_for_query(q, limit)}
+
+
+@app.get("/knowledge-graph/neighbors/{node_id:path}")
+async def knowledge_graph_neighbors(node_id: str, request: Request):
+    _require_graph()
+    require_user(request)
+    if not node_id:
+        raise HTTPException(status_code=400, detail="node_id required")
+    return KNOWLEDGE_GRAPH.neighbors(node_id)
+
+
+@app.post("/knowledge-graph/ingest")
+async def knowledge_graph_ingest(req: KnowledgeGraphIngestRequest, request: Request):
+    _require_graph()
+    current_user = require_user(request)
+    event_type = (req.type or "").strip().lower()
+    if event_type not in {"message", "ai_response", "note"}:
+        raise HTTPException(status_code=400, detail="지원하는 type: message, ai_response, note")
+    role = req.role or ("assistant" if event_type == "ai_response" else "user")
+    return KNOWLEDGE_GRAPH.ingest_message(
+        role,
+        req.content,
+        user_email=req.user_email or current_user,
+        user_nickname=req.user_nickname,
+        source=req.source or "mcp",
+        conversation_id=req.conversation_id,
+        raw={
+            "type": req.type,
+            "title": req.title,
+            "content": req.content,
+            "metadata": req.metadata or {},
+        },
+    )
+
+
 async def _stream_chat(req: ChatRequest, context: str = "", image_data: str = None) -> AsyncIterator[str]:
     full_response = ""
     async for chunk in router.stream_generate(req.message, context, req.max_tokens, req.temperature, image_data):
@@ -2572,7 +3079,9 @@ async def _stream_chat(req: ChatRequest, context: str = "", image_data: str = No
 # ── Local Computer Agent ──────────────────────────────────────────────────────
 
 AGENT_SYSTEM_PROMPT = """You are Lattice AI Agent, a local computer-use coding assistant.
-You can work only inside the agent workspace.
+You have full access to the local filesystem via local_list / local_read / local_write tools.
+Use read_file / write_file for paths inside the agent workspace (relative paths).
+Use local_read / local_write for any absolute path on the system (e.g. ~/Downloads, ~/Desktop).
 
 Available actions:
 - list_dir: {"action":"list_dir","args":{"path":"."}}
@@ -2587,6 +3096,7 @@ Available actions:
 - create_xlsx: {"action":"create_xlsx","args":{"rows":[["A","B"],[1,2]],"filename":"spreadsheet.xlsx","sheet_name":"Sheet1"}}
 - create_pptx: {"action":"create_pptx","args":{"title":"title","slides":[{"title":"Slide","bullets":["point"]}],"filename":"presentation.pptx"}}
 - create_pdf: {"action":"create_pdf","args":{"title":"title","body":"paragraphs","filename":"document.pdf"}}
+- create_web_project: {"action":"create_web_project","args":{"path":"my_app","framework":"react","template":"vite"}} — scaffold a runnable web app project
 - local_list: {"action":"local_list","args":{"path":"/Users/username/Downloads"}} — lists any local folder (UI will request user permission first)
 - local_read: {"action":"local_read","args":{"path":"/Users/username/Documents/note.txt"}} — reads any local file (UI will request user permission first)
 - local_write: {"action":"local_write","args":{"path":"/Users/username/Desktop/output.txt","content":"..."}} — writes any local file (UI will request user permission first)
@@ -2626,10 +3136,14 @@ Rules:
 - Prefer simple, verifiable steps.
 - Use inspect_html and preview_url for generated web UI.
 - Use build_project when the user asks to build, compile, typecheck, or run a package build script.
-- Use deploy_project when the user asks to deploy, preview, or release and package.json defines that script.
+- Use deploy_project when the user asks to deploy, preview, release, or package installers (pkg/exe) and package.json defines that script (e.g. package, dist, make, build:pkg, build:exe).
+- If the user asks for app/service/web creation, prefer create_web_project first, then edit files with write_file/read_file and verify with build_project or run_command.
+- If the user asks for installer outputs (.pkg/.exe), set up packaging config (for example Electron/electron-builder or equivalent), create package scripts in package.json, then run deploy_project for installer scripts.
+- If .exe cannot be built on current OS/toolchain, still generate the full packaging config and scripts for Windows and report the exact missing prerequisite.
 - Do not claim you cannot build or deploy. If a script, token, or platform config is missing, inspect the workspace and explain the exact missing piece.
 - Use knowledge tools when the user asks to remember, search memory, or organize project context.
 - Use run_command for local inspection, tests, and short development commands after files are written.
+- For data analysis tasks, read the provided files first (read_document/local_read), compute with run_command when needed, and return concrete findings plus output artifact paths when created.
 - Use clear_history when the user asks to forget, clear, delete, reset, or speed up chat history.
 - Git is read-only: status, diff, log, and show only. Never commit, push, pull, fetch, clone, reset, or checkout.
 - If the user asks for something unsafe or outside the workspace, explain the limitation with final.
@@ -2637,13 +3151,73 @@ Rules:
 """
 
 
-_FILE_CREATE_ACTIONS = {"create_docx", "create_xlsx", "create_pptx", "create_pdf", "write_file"}
+_FILE_CREATE_ACTIONS = {"create_docx", "create_xlsx", "create_pptx", "create_pdf", "write_file", "create_web_project"}
+
+# Harness risk level per tool action.
+# low    — read-only, no side effects
+# medium — write/create files or knowledge entries
+# high   — execute commands, control computer, write to arbitrary FS paths
+_TOOL_RISK: Dict[str, str] = {
+    # read-only workspace tools
+    "list_dir": "low", "workspace_tree": "low", "read_file": "low",
+    "search_files": "low", "inspect_html": "low",
+    # read-only local FS
+    "local_list": "low", "local_read": "low",
+    # read-only git
+    "git_status": "low", "git_log": "low", "git_diff": "low", "git_show": "low",
+    # read-only knowledge / computer
+    "knowledge_search": "low", "knowledge_tree": "low",
+    "obsidian_search": "low", "obsidian_tree": "low",
+    "computer_screenshot": "low", "computer_status": "low",
+    # write workspace
+    "write_file": "medium", "create_web_project": "medium",
+    "create_docx": "medium", "create_xlsx": "medium",
+    "create_pptx": "medium", "create_pdf": "medium",
+    # write knowledge
+    "knowledge_save": "medium", "obsidian_save": "medium",
+    # write local FS (arbitrary path — treated as medium; blocked from system roots below)
+    "local_write": "medium",
+    # preview
+    "preview_url": "medium",
+    # execute commands
+    "run_command": "high",
+    # computer control
+    "computer_click": "high", "computer_type": "high", "computer_key": "high",
+    "computer_scroll": "high", "computer_drag": "high", "computer_move": "high",
+    "computer_open_app": "high", "computer_open_url": "high",
+}
+
+# Paths that local_write must never target (system-level protection)
+_LOCAL_WRITE_BLOCKED_PREFIXES = (
+    "/etc/", "/usr/", "/bin/", "/sbin/", "/System/", "/private/etc/",
+    "/Library/LaunchDaemons/", "/Library/LaunchAgents/",
+)
+
+
+def _agent_risk(action_name: str, args: dict) -> str:
+    """Return risk level for an action, upgrading local_write to 'high' for system paths."""
+    risk = _TOOL_RISK.get(action_name, "medium")
+    if action_name == "local_write":
+        path = str(args.get("path", ""))
+        if any(path.startswith(p) for p in _LOCAL_WRITE_BLOCKED_PREFIXES):
+            risk = "high"
+    return risk
+
 
 def _collect_created_files(transcript: list) -> list:
     files = []
     for step in transcript:
         if step.get("action") in _FILE_CREATE_ACTIONS:
             result = step.get("result", {})
+            if isinstance(result.get("created_files"), list):
+                for rel_path in result["created_files"]:
+                    files.append({
+                        "path": rel_path,
+                        "filename": Path(rel_path).name,
+                        "bytes": 0,
+                        "action": step["action"],
+                    })
+                continue
             path = result.get("path")
             if path:
                 files.append({
@@ -2679,7 +3253,8 @@ def _extract_agent_action(raw: str) -> Dict:
 @app.post("/agent")
 async def agent(req: AgentRequest, request: Request):
     """Natural-language local agent loop for Telegram and future clients."""
-    require_user(request)
+    current_user = require_user(request)
+    enforce_rate_limit(current_user, "agent")
     if not router.current_model_id:
         raise HTTPException(status_code=400, detail="No model loaded. Call /models/load first.")
 
@@ -2710,10 +3285,17 @@ async def agent(req: AgentRequest, request: Request):
             action = _extract_agent_action(str(raw))
         except ValueError as exc:
             transcript.append({"step": step + 1, "action": "parse_error", "raw": str(raw), "error": str(exc)})
-            return JSONResponse(
-                status_code=500,
-                content={"status": "error", "error": str(exc), "raw": str(raw), "steps": transcript},
-            )
+            message = "작업 계획을 안정적으로 해석하지 못해 자동 실행을 중단했습니다. 요청을 더 짧고 구체적으로 다시 시도해 주세요."
+            save_to_history("user", req.message, source=req.source or "web", conversation_id=req.conversation_id)
+            save_to_history("assistant", message, source=req.source or "web", conversation_id=req.conversation_id)
+            created_files = _collect_created_files(transcript)
+            return {
+                "status": "ok",
+                "response": message,
+                "workspace": str(AGENT_ROOT),
+                "steps": transcript,
+                "created_files": created_files,
+            }
 
         name = action.get("action")
         if name == "final":
@@ -2723,16 +3305,64 @@ async def agent(req: AgentRequest, request: Request):
             created_files = _collect_created_files(transcript)
             return {"status": "ok", "response": message, "workspace": str(AGENT_ROOT), "steps": transcript, "created_files": created_files}
 
+        # Prevent repeated file/project creation loops with identical action+args.
+        last_step = transcript[-1] if transcript else None
+        current_args = action.get("args") or {}
+        if (
+            name in _FILE_CREATE_ACTIONS
+            and last_step
+            and last_step.get("action") == name
+            and (last_step.get("args") or {}) == current_args
+            and "result" in last_step
+        ):
+            message = "요청한 파일 생성을 이미 완료해서 반복 실행을 중단했습니다."
+            save_to_history("user", req.message, source=req.source or "web", conversation_id=req.conversation_id)
+            save_to_history("assistant", message, source=req.source or "web", conversation_id=req.conversation_id)
+            created_files = _collect_created_files(transcript)
+            return {"status": "ok", "response": message, "workspace": str(AGENT_ROOT), "steps": transcript, "created_files": created_files}
+
         if name == "clear_history":
-            result = clear_history((action.get("args") or {}).get("keep_last", 0))
-            transcript.append({"step": step + 1, "action": name, "args": action.get("args") or {}, "result": result})
+            result = clear_history(current_args.get("keep_last", 0))
+            append_audit_event(
+                "history_delete",
+                user_email=current_user,
+                source=req.source or "agent",
+                keep_last=current_args.get("keep_last", 0),
+                removed=result.get("removed", 0),
+                kept=result.get("kept", 0),
+            )
+            transcript.append({"step": step + 1, "action": name, "args": current_args, "result": result})
             continue
 
+        risk = _agent_risk(name, current_args)
+
+        # Block system-path local_write even if the LLM tries it
+        if name == "local_write":
+            path = str(current_args.get("path", ""))
+            if any(path.startswith(p) for p in _LOCAL_WRITE_BLOCKED_PREFIXES):
+                transcript.append({
+                    "step": step + 1, "action": name, "args": current_args,
+                    "risk": "high", "error": f"BLOCKED: writing to system path is not allowed: {path}",
+                })
+                append_audit_event(
+                    "agent_blocked", user_email=current_user, source=req.source or "agent",
+                    action=name, path=path, reason="system_path",
+                )
+                continue
+
+        # Audit medium/high actions before execution
+        if risk in ("medium", "high"):
+            append_audit_event(
+                "agent_exec", user_email=current_user, source=req.source or "agent",
+                step=step + 1, action=name, risk=risk,
+                args={k: v for k, v in (current_args or {}).items() if k != "content"},
+            )
+
         try:
-            result = execute_tool(name, action.get("args") or {})
-            transcript.append({"step": step + 1, "action": name, "args": action.get("args") or {}, "result": result})
+            result = execute_tool(name, current_args)
+            transcript.append({"step": step + 1, "action": name, "args": current_args, "risk": risk, "result": result})
         except (ToolError, KeyError, TypeError) as exc:
-            transcript.append({"step": step + 1, "action": name, "args": action.get("args") or {}, "error": str(exc)})
+            transcript.append({"step": step + 1, "action": name, "args": current_args, "risk": risk, "error": str(exc)})
 
     summary_context = (
         f"{AGENT_SYSTEM_PROMPT}\n\n"
@@ -2799,8 +3429,17 @@ async def tools_search_files(req: ToolSearchFilesRequest, request: Request):
 
 @app.post("/tools/clear_history")
 async def tools_clear_history(req: ToolClearHistoryRequest, request: Request):
-    require_user(request)
-    return clear_history(req.keep_last)
+    current_user = require_user(request)
+    result = clear_history(req.keep_last)
+    append_audit_event(
+        "history_delete",
+        user_email=current_user,
+        source="tools",
+        keep_last=req.keep_last,
+        removed=result.get("removed", 0),
+        kept=result.get("kept", 0),
+    )
+    return result
 
 
 @app.post("/tools/inspect_html")
@@ -2839,6 +3478,43 @@ async def tools_create_pdf(req: ToolPdfRequest, request: Request):
     return _tool_response(create_pdf, req.title, req.body, req.filename)
 
 
+@app.post("/tools/read_document")
+async def tools_read_document(req: ToolPathRequest, request: Request):
+    require_user(request)
+    return _tool_response(read_document, req.path)
+
+
+@app.get("/tools/pdf_pages")
+async def tools_pdf_pages(path: str, request: Request):
+    """Render PDF pages as base64 PNG images using PyMuPDF."""
+    require_user(request)
+    target = Path(path).expanduser().resolve()
+    if not target.exists() or not target.is_file():
+        raise HTTPException(status_code=404, detail="File not found")
+    import fitz  # PyMuPDF
+    doc = None
+    try:
+        doc = fitz.open(str(target))
+        total = len(doc)
+        pages = []
+        for i, page in enumerate(doc):
+            if i >= 20:  # 최대 20페이지
+                break
+            mat = fitz.Matrix(1.5, 1.5)
+            pix = page.get_pixmap(matrix=mat)
+            b64 = base64.b64encode(pix.tobytes("png")).decode()
+            pages.append({"page": i + 1, "b64": b64})
+        return {"total": total, "pages": pages}
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"PDF 렌더링 실패: {e}")
+    finally:
+        if doc is not None:
+            try:
+                doc.close()
+            except Exception as e:
+                logging.warning("fitz doc close failed: %s", e)
+
+
 @app.get("/tools/download")
 async def tools_download(path: str, request: Request):
     """Serve a generated file from agent workspace for download."""
@@ -2859,7 +3535,8 @@ async def tools_download(path: str, request: Request):
 
 @app.post("/upload/document")
 async def upload_document(request: Request, file: UploadFile = File(...)):
-    require_user(request)
+    current_user = require_user(request)
+    enforce_rate_limit(current_user, "upload")
     """Upload a document and extract text (PDF, DOCX, XLSX, PPTX, TXT, MD, CSV)."""
     suffix = Path(file.filename or "upload").suffix.lower()
     allowed = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".md", ".csv"}
@@ -2868,11 +3545,55 @@ async def upload_document(request: Request, file: UploadFile = File(...)):
     contents = await file.read()
     if len(contents) > 10 * 1024 * 1024:
         raise HTTPException(status_code=400, detail="파일이 너무 큽니다. 최대 10MB.")
+    # MIME sniff — verify the bytes actually match the claimed extension (cheap header check)
+    if not _bytes_match_extension(contents, suffix):
+        raise HTTPException(status_code=400, detail=f"파일 내용이 확장자({suffix})와 일치하지 않습니다.")
     with tempfile.NamedTemporaryFile(suffix=suffix, delete=False) as tmp:
         tmp.write(contents)
         tmp_path = tmp.name
     try:
         result = read_document(tmp_path)
+        sensitive = classify_sensitive_message(
+            {
+                "role": "document",
+                "content": result.get("content") or result.get("preview") or "",
+                "user_email": current_user,
+                "timestamp": datetime.now().isoformat(),
+            },
+            -1,
+        )
+        try:
+            if not (ENABLE_GRAPH and KNOWLEDGE_GRAPH):
+                raise RuntimeError("graph disabled")
+            graph_result = KNOWLEDGE_GRAPH.ingest_document(
+                Path(tmp_path),
+                original_filename=file.filename,
+                mime_type=file.content_type,
+                uploader=current_user,
+                conversation_id=request.query_params.get("conversation_id"),
+                extracted=result,
+            )
+            result["knowledge_graph"] = {
+                "node_id": graph_result["node_id"],
+                "sha256": graph_result["sha256"],
+            }
+        except Exception as graph_error:
+            logging.warning("knowledge graph document ingest failed: %s", graph_error)
+            result["knowledge_graph"] = {"error": str(graph_error)}
+        append_audit_event(
+            "document_upload",
+            user_email=current_user,
+            conversation_id=request.query_params.get("conversation_id"),
+            filename=file.filename,
+            mime_type=file.content_type,
+            ext=suffix,
+            bytes=len(contents),
+            extracted_chars=result.get("chars"),
+            graph_node=(result.get("knowledge_graph") or {}).get("node_id"),
+            content_preview=sensitive.get("preview"),
+            sensitivity=sensitive.get("sensitivity"),
+            sensitive_labels=sensitive.get("labels") or [],
+        )
     except ToolError as exc:
         raise HTTPException(status_code=400, detail=str(exc))
     finally:
@@ -2916,6 +3637,16 @@ async def local_read_endpoint(req: LocalAccessRequest, request: Request):
     return _tool_response(local_read, req.path)
 
 
+@app.get("/local/serve")
+async def local_serve_file(path: str, request: Request):
+    """Serve a local file (images etc.) directly for browser preview."""
+    require_user(request)
+    target = Path(path).expanduser().resolve()
+    if not target.exists() or not target.is_file():
+        raise HTTPException(status_code=404, detail="File not found")
+    return FileResponse(str(target))
+
+
 @app.post("/local/write")
 async def local_write_endpoint(req: LocalWriteRequest, request: Request):
     require_user(request)
@@ -3311,6 +4042,10 @@ async def mcp_tools():
             {"name": "knowledge_save", "description": "Save a note into the local knowledge garden."},
             {"name": "knowledge_search", "description": "Search the local knowledge garden."},
             {"name": "knowledge_tree", "description": "List local knowledge garden markdown files."},
+            {"name": "knowledge_graph_ingest", "description": "Ingest a message, AI answer, or connector event into the SQLite knowledge graph."},
+            {"name": "knowledge_graph_search", "description": "Search graph nodes, summaries, and JSON metadata."},
+            {"name": "knowledge_graph_graph", "description": "Return Obsidian-style graph nodes and edges."},
+            {"name": "knowledge_graph_context", "description": "Return compact graph-backed RAG context for a prompt."},
             {"name": "obsidian_save", "description": "Save a note into the Obsidian-compatible memory vault."},
             {"name": "obsidian_search", "description": "Search the Obsidian-compatible memory vault."},
             {"name": "obsidian_tree", "description": "List Obsidian memory vault markdown files."},
@@ -3321,7 +4056,7 @@ async def mcp_tools():
             {"name": "network_status", "description": "Get current local/private IP, public IP, hostname, and Wi-Fi info."},
             {"name": "run_command", "description": "Run an allowlisted local command inside the workspace."},
             {"name": "build_project", "description": "Run an allowlisted package.json build/compile/typecheck/test script."},
-            {"name": "deploy_project", "description": "Run an allowlisted package.json deploy/preview/release script."},
+            {"name": "deploy_project", "description": "Run an allowlisted package.json deploy/preview/release/package installer script (pkg/exe)."},
         ],
     }
 
@@ -3353,7 +4088,33 @@ async def mcp_connector(mcp_id: str, request: Request):
 
 @app.post("/mcp/call")
 async def mcp_call(req: McpCallRequest, request: Request):
-    require_user(request)
+    current_user = require_user(request)
+    args = req.args or {}
+    if req.action == "knowledge_graph_ingest":
+        _require_graph()
+        return KNOWLEDGE_GRAPH.ingest_message(
+            args.get("role") or ("assistant" if args.get("type") == "ai_response" else "user"),
+            args.get("content") or "",
+            user_email=args.get("user_email") or current_user,
+            user_nickname=args.get("user_nickname"),
+            source=args.get("source") or "mcp",
+            conversation_id=args.get("conversation_id"),
+            raw=args,
+        )
+    if req.action == "knowledge_graph_search":
+        _require_graph()
+        return KNOWLEDGE_GRAPH.search(args.get("query") or args.get("q") or "", args.get("limit", 30))
+    if req.action == "knowledge_graph_graph":
+        _require_graph()
+        return KNOWLEDGE_GRAPH.graph(args.get("limit", 300))
+    if req.action == "knowledge_graph_context":
+        _require_graph()
+        return {
+            "context": KNOWLEDGE_GRAPH.context_for_query(
+                args.get("query") or args.get("q") or "",
+                args.get("limit", 6),
+            )
+        }
     return _tool_response(execute_tool, req.action, req.args or {})