ltcai 1.0.1 → 1.2.0

package/latticeai/services/__init__.py

@@ -0,0 +1,6 @@
+"""Service layer extracted from server_app.py.
+
+Services wrap stores and business logic with no dependency on the FastAPI app
+object, so API routers (latticeai.api.*) and the app assembly
+(latticeai.server_app) can import them without creating import cycles.
+"""

package/latticeai/services/chat_service.py

@@ -0,0 +1,53 @@
+"""Chat / session service seam.
+
+The streaming chat path in ``server_app`` is intentionally left in place — its
+generator and SSE behaviour are sensitive. This service provides a stable seam
+for the *bookkeeping* around answers (conversation history access and
+Workspace-OS answer-trace recording) so those concerns are named and wrapped
+rather than reaching into the store directly from the streaming handler.
+
+It is a behaviour-preserving façade: methods forward to the injected history
+accessor and :class:`WorkspaceOSStore`, so wiring the chat path through it
+cannot change streaming output.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Callable, Dict, List, Optional
+
+from latticeai.core.workspace_os import WorkspaceOSStore
+
+
+class ChatService:
+    def __init__(self, *, store: WorkspaceOSStore, get_history: Callable[[], List[Dict[str, Any]]]):
+        self._store = store
+        self._get_history = get_history
+
+    # ── conversation history ─────────────────────────────────────────────
+
+    def history(self) -> List[Dict[str, Any]]:
+        return self._get_history()
+
+    # ── answer-trace recording (Graph RAG) ───────────────────────────────
+
+    def build_graph_trace(self, question: str, graph: Any, context: str = "", *, limit: int = 8) -> Dict[str, Any]:
+        return self._store.build_graph_trace(question, graph, context, limit=limit)
+
+    def record_trace(
+        self,
+        *,
+        question: str,
+        response: str,
+        conversation_id: Optional[str],
+        user_email: Optional[str],
+        trace: Dict[str, Any],
+        workspace_id: Optional[str] = None,
+    ) -> Dict[str, Any]:
+        return self._store.record_trace(
+            question=question,
+            response=response,
+            conversation_id=conversation_id,
+            user_email=user_email,
+            trace=trace,
+            workspace_id=workspace_id,
+        )

package/latticeai/services/model_service.py

@@ -0,0 +1,51 @@
+"""Model / engine state helpers used by the health and model routers.
+
+Pure payload builders with no FastAPI dependency. The model runtime (LLMRouter),
+``engine_status``, and ``runtime_features`` remain owned by ``server_app``; this
+module just assembles the response shapes so the health/model routers stay thin
+and the summaries live in one place.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Callable, Dict, List
+
+
+class ModelService:
+    """Assembles health/engine summary payloads from injected runtime pieces."""
+
+    def __init__(
+        self,
+        *,
+        model_router: Any,
+        runtime_features: Callable[[], Dict[str, Any]],
+        is_public: bool,
+    ):
+        self._router = model_router
+        self._runtime_features = runtime_features
+        self._is_public = is_public
+
+    def runtime(self) -> Dict[str, Any]:
+        return self._runtime_features()
+
+    def health_base(self, *, version: str, mode: str) -> Dict[str, Any]:
+        return {
+            "status": "ok",
+            "version": version,
+            "mode": mode,
+            "platform": "AI Workspace OS",
+        }
+
+    def health_full(self, base: Dict[str, Any], engines: List[Dict[str, Any]]) -> Dict[str, Any]:
+        return {
+            **base,
+            "current_model": self._router.current_model_id,
+            "loaded_models": self._router.loaded_model_ids,
+            "device": "Apple Silicon MLX" if not self._is_public else "Public cloud/API runtime",
+            "features": self._runtime_features(),
+            "providers": self._router.detected_cloud_models(),
+            "engines": engines,
+        }
+
+    def engines_payload(self, engines: List[Dict[str, Any]]) -> Dict[str, Any]:
+        return {"engines": engines, "current": self._router.current_model_id}

package/latticeai/services/workspace_service.py

@@ -0,0 +1,117 @@
+"""Workspace service layer: scope resolution, permission guardrails, and a
+single seam in front of :class:`WorkspaceOSStore`.
+
+This module centralizes the workspace_id resolution and role/permission checks
+that were previously scattered across the FastAPI handlers. It depends only on
+``workspace_os`` (and indirectly ``enterprise``), never on the FastAPI app, so
+both the app assembly and the API routers can import it freely.
+
+Guardrail summary (v1.2.0):
+
+* **Explicit workspace targeting is gated.** When a caller names a workspace
+  (``X-Workspace-Id`` header / ``workspace_id``), reads require ``read`` and
+  writes require ``write`` on that workspace; non-members are rejected.
+* **Backward compatible default.** With no workspace named, the scope resolves
+  to the *active* workspace (Personal by default). Pre-1.1 clients that never
+  send a header keep operating on Personal data exactly as before.
+* **Personal workspace** always grants its single local user owner rights.
+* **No-auth local mode** keeps the owner fallback for *ownerless* org
+  workspaces (the anonymous local user owns what they create), but a *named*
+  stranger never bypasses membership.
+* **Graph and installed Skills are intentionally machine-global shared state**
+  (the local knowledge graph and on-disk skills are not partitioned per
+  workspace). Skill enable/disable and other actions still record
+  workspace-scoped timeline events via the active workspace.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Optional
+
+from latticeai.core.workspace_os import WorkspaceOSStore
+
+
+class WorkspaceService:
+    """Permission-aware façade over :class:`WorkspaceOSStore`."""
+
+    # Graph / installed-skill state that is shared machine-wide rather than
+    # partitioned per workspace. Surfaced so the UI / docs can be explicit.
+    SHARED_GLOBAL_AREAS = ("graph", "skills")
+
+    def __init__(self, store: WorkspaceOSStore):
+        self.store = store
+
+    # ── scope resolution + gating ────────────────────────────────────────
+
+    def _ensure_permission(self, workspace_id: str, user_id: Optional[str], permission: str) -> None:
+        if not self.store.has_permission(workspace_id, user_id, permission):
+            raise PermissionError(
+                f"'{user_id or 'anonymous'}' lacks '{permission}' on workspace '{workspace_id}'"
+            )
+
+    def resolve_read_scope(self, requested: Optional[str], user_id: Optional[str]) -> str:
+        """Resolve + authorize the workspace a read should target.
+
+        ``None`` falls back to the active workspace (Personal by default), which
+        preserves pre-1.1 behaviour. An explicitly named workspace is gated on
+        ``read`` so non-members cannot read organization data.
+        """
+        workspace_id = requested or self.store._active_workspace_id()
+        self._ensure_permission(workspace_id, user_id, "read")
+        return workspace_id
+
+    def resolve_write_scope(self, requested: Optional[str], user_id: Optional[str]) -> str:
+        """Resolve + authorize the workspace a write should target (gated on ``write``)."""
+        workspace_id = requested or self.store._active_workspace_id()
+        self._ensure_permission(workspace_id, user_id, "write")
+        return workspace_id
+
+    def can_read(self, workspace_id: str, user_id: Optional[str]) -> bool:
+        return self.store.has_permission(workspace_id, user_id, "read")
+
+    def can_write(self, workspace_id: str, user_id: Optional[str]) -> bool:
+        return self.store.has_permission(workspace_id, user_id, "write")
+
+    # ── workspace registry / summary ─────────────────────────────────────
+
+    def summary(self, user_id: Optional[str]) -> Dict[str, Any]:
+        data = self.store.summary()
+        data["workspace_registry"] = self.store.list_workspaces(user_id=user_id)
+        data["shared_global_areas"] = list(self.SHARED_GLOBAL_AREAS)
+        return data
+
+    def list_workspaces(self, user_id: Optional[str]) -> Dict[str, Any]:
+        return self.store.list_workspaces(user_id=user_id)
+
+    def get_workspace(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
+        # Reading workspace metadata requires read access to that workspace.
+        self._ensure_permission(workspace_id, user_id, "read")
+        return self.store.get_workspace(workspace_id, user_id=user_id)
+
+    def workspace_summary(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
+        self._ensure_permission(workspace_id, user_id, "read")
+        return self.store.workspace_summary(workspace_id, user_id=user_id)
+
+    # ── organization workspace management (delegates with actor) ─────────
+
+    def create_organization_workspace(self, *, name: str, owner_user_id: Optional[str], settings: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+        return self.store.create_organization_workspace(name=name, owner_user_id=owner_user_id, settings=settings)
+
+    def update_workspace(self, workspace_id: str, *, name=None, settings=None, actor=None) -> Dict[str, Any]:
+        return self.store.update_workspace(workspace_id, name=name, settings=settings, actor=actor)
+
+    def archive_workspace(self, workspace_id: str, *, actor=None) -> Dict[str, Any]:
+        return self.store.archive_workspace(workspace_id, actor=actor)
+
+    def add_member(self, workspace_id: str, *, user_id: str, role: str = "member", actor=None) -> Dict[str, Any]:
+        return self.store.add_member(workspace_id, user_id=user_id, role=role, actor=actor)
+
+    def update_member_role(self, workspace_id: str, *, user_id: str, role: str, actor=None) -> Dict[str, Any]:
+        return self.store.update_member_role(workspace_id, user_id=user_id, role=role, actor=actor)
+
+    def remove_member(self, workspace_id: str, *, user_id: str, actor=None) -> Dict[str, Any]:
+        return self.store.remove_member(workspace_id, user_id=user_id, actor=actor)
+
+    def set_active_workspace(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
+        # Membership is enforced inside the store for organization workspaces.
+        return self.store.set_active_workspace(workspace_id, user_id=user_id)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "1.0.1",
+  "version": "1.2.0",
   "description": "Lattice AI Workspace OS for local-first graph, memory, agent, workflow, and skill operations",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {

package/static/scripts/workspace.js

@@ -3,6 +3,9 @@ const API_BASE = window.location.protocol === "file:" ? "http://localhost:4825"
 const state = {
   os: null,
   snapshots: [],
+  activeWorkspace: null,
+  registry: null,
+  managingWorkspace: null,
 };
 
 function $(id) {
@@ -21,6 +24,7 @@ function escapeHtml(value) {
 async function api(path, options = {}) {
   const headers = { ...(options.headers || {}) };
   if (options.body && !headers["Content-Type"]) headers["Content-Type"] = "application/json";
+  if (state.activeWorkspace && !headers["X-Workspace-Id"]) headers["X-Workspace-Id"] = state.activeWorkspace;
   const response = await fetch(API_BASE + path, { credentials: "include", ...options, headers });
   const text = await response.text();
   let data = {};
@@ -226,6 +230,103 @@ function renderTimeline(payload) {
   `).join("") : `<div class="timeline-item"><div class="meta-line">No timeline events.</div></div>`;
 }
 
+function renderWorkspaceRegistry(registry, edition) {
+  state.registry = registry;
+  if (!state.activeWorkspace) state.activeWorkspace = registry.active_workspace || "personal";
+  const workspaces = registry.workspaces || [];
+  const select = $("workspace-select");
+  if (select) {
+    select.innerHTML = workspaces.map((ws) => `
+      <option value="${escapeHtml(ws.workspace_id)}" ${ws.workspace_id === state.activeWorkspace ? "selected" : ""}>
+        ${escapeHtml(ws.name)}${ws.type === "organization" ? " (org)" : ""}${ws.status === "archived" ? " · archived" : ""}
+      </option>
+    `).join("");
+  }
+  const active = workspaces.find((ws) => ws.workspace_id === state.activeWorkspace);
+  const rolePill = $("workspace-role");
+  if (rolePill) rolePill.textContent = active ? (active.your_role || "—") : "";
+  if (edition) {
+    const pill = $("edition-pill");
+    if (pill) pill.textContent = edition.edition || "community";
+  }
+  const list = $("workspace-list");
+  if (list) {
+    list.innerHTML = workspaces.length ? workspaces.map((ws) => `
+      <div class="list-item">
+        <div class="list-title">
+          <span>${escapeHtml(ws.name)}</span>
+          <span class="status-pill">${escapeHtml(ws.type)}</span>
+        </div>
+        <div class="meta-line">id: ${escapeHtml(ws.workspace_id)} · members: ${escapeHtml(ws.member_count)} · role: ${escapeHtml(ws.your_role || "—")} · ${escapeHtml(ws.status || "active")}</div>
+        <div class="item-actions">
+          ${ws.workspace_id === state.activeWorkspace ? `<span class="status-pill">active</span>` : `<button class="small-action" data-ws-action="activate" data-ws="${escapeHtml(ws.workspace_id)}"><i class="ti ti-switch-horizontal"></i>Switch</button>`}
+          ${ws.type === "organization" ? `<button class="small-action" data-ws-action="members" data-ws="${escapeHtml(ws.workspace_id)}"><i class="ti ti-users"></i>Members</button>` : ""}
+          ${ws.type === "organization" && ws.status !== "archived" ? `<button class="small-action" data-ws-action="archive" data-ws="${escapeHtml(ws.workspace_id)}"><i class="ti ti-archive"></i>Archive</button>` : ""}
+        </div>
+      </div>
+    `).join("") : `<div class="list-item"><div class="meta-line">No workspaces.</div></div>`;
+  }
+  renderMembers(workspaces);
+}
+
+function renderMembers(workspaces) {
+  const panel = $("member-panel");
+  if (!panel) return;
+  if (!state.managingWorkspace) {
+    panel.hidden = true;
+    return;
+  }
+  const ws = (workspaces || []).find((item) => item.workspace_id === state.managingWorkspace);
+  if (!ws || ws.type !== "organization") {
+    panel.hidden = true;
+    return;
+  }
+  panel.hidden = false;
+  const title = $("member-panel-title");
+  if (title) title.textContent = `Members — ${ws.name}`;
+  const members = ws.members || [];
+  $("member-list").innerHTML = members.length ? members.map((m) => `
+    <div class="list-item">
+      <div class="list-title"><span>${escapeHtml(m.user_id)}</span><span class="status-pill">${escapeHtml(m.role)}</span></div>
+      <div class="item-actions">
+        <select class="small-action" data-member-role="${escapeHtml(m.user_id)}" data-ws="${escapeHtml(ws.workspace_id)}">
+          ${["owner", "admin", "member", "viewer"].map((r) => `<option value="${r}" ${m.role === r ? "selected" : ""}>${r}</option>`).join("")}
+        </select>
+        <button class="small-action" data-member-remove="${escapeHtml(m.user_id)}" data-ws="${escapeHtml(ws.workspace_id)}"><i class="ti ti-user-minus"></i>Remove</button>
+      </div>
+    </div>
+  `).join("") : `<div class="list-item"><div class="meta-line">No members yet.</div></div>`;
+}
+
+async function activateWorkspace(workspaceId) {
+  await api("/workspace/activate", { method: "POST", body: JSON.stringify({ workspace_id: workspaceId }) });
+  state.activeWorkspace = workspaceId;
+  toast(`Switched to ${workspaceId}`);
+  await refreshAll();
+}
+
+async function createOrg() {
+  const name = ($("org-name").value || "").trim();
+  if (!name) return;
+  const result = await api("/workspace/orgs", { method: "POST", body: JSON.stringify({ name, settings: {} }) });
+  $("org-name").value = "";
+  toast(`Created ${result.workspace.workspace_id}`);
+  state.managingWorkspace = result.workspace.workspace_id;
+  await refreshAll();
+}
+
+async function addMember(workspaceId) {
+  const userId = ($("member-user").value || "").trim();
+  if (!userId) return;
+  await api(`/workspace/orgs/${encodeURIComponent(workspaceId)}/members`, {
+    method: "POST",
+    body: JSON.stringify({ user_id: userId, role: $("member-role").value }),
+  });
+  $("member-user").value = "";
+  toast(`Added ${userId}`);
+  await refreshAll();
+}
+
 async function refreshAll() {
   const [os, onboarding, traces, indexing, snapshots, memories, computerMemory, agents, workflows, skills, timeline] = await Promise.all([
     api("/workspace/os"),
@@ -242,6 +343,7 @@ async function refreshAll() {
   ]);
   state.os = os;
   renderMetrics(os);
+  if (os.workspace_registry) renderWorkspaceRegistry(os.workspace_registry, os.edition);
   renderOnboarding(onboarding);
   renderTraces(traces);
   renderIndexing(indexing);
@@ -357,6 +459,47 @@ document.addEventListener("click", async (event) => {
     });
     toast(`Skill ${skillBtn.dataset.skillAction}`);
     await refreshAll();
+    return;
+  }
+
+  const wsBtn = event.target.closest("[data-ws-action]");
+  if (wsBtn) {
+    const action = wsBtn.dataset.wsAction;
+    const ws = wsBtn.dataset.ws;
+    if (action === "activate") {
+      await activateWorkspace(ws);
+    } else if (action === "members") {
+      state.managingWorkspace = ws;
+      if (state.registry) renderMembers(state.registry.workspaces);
+    } else if (action === "archive") {
+      await api(`/workspace/orgs/${encodeURIComponent(ws)}/archive`, { method: "POST" });
+      toast(`Archived ${ws}`);
+      await refreshAll();
+    }
+    return;
+  }
+
+  const removeBtn = event.target.closest("[data-member-remove]");
+  if (removeBtn) {
+    await api(`/workspace/orgs/${encodeURIComponent(removeBtn.dataset.ws)}/members/${encodeURIComponent(removeBtn.dataset.memberRemove)}`, { method: "DELETE" });
+    toast("Member removed");
+    await refreshAll();
+  }
+});
+
+document.addEventListener("change", async (event) => {
+  const roleSelect = event.target.closest("[data-member-role]");
+  if (roleSelect) {
+    try {
+      await api(`/workspace/orgs/${encodeURIComponent(roleSelect.dataset.ws)}/members/${encodeURIComponent(roleSelect.dataset.memberRole)}`, {
+        method: "PATCH",
+        body: JSON.stringify({ role: roleSelect.value }),
+      });
+      toast("Role updated");
+      await refreshAll();
+    } catch (err) {
+      toast(err.message);
+    }
   }
 });
 
@@ -378,5 +521,11 @@ document.addEventListener("DOMContentLoaded", () => {
   }));
   $("create-demo-workflow").addEventListener("click", () => createDemoWorkflow().catch((err) => toast(err.message)));
   $("reload-skills").addEventListener("click", () => refreshAll().catch((err) => toast(err.message)));
+  $("workspace-select").addEventListener("change", (event) => activateWorkspace(event.target.value).catch((err) => toast(err.message)));
+  $("create-org").addEventListener("click", () => createOrg().catch((err) => toast(err.message)));
+  $("new-org-btn").addEventListener("click", () => $("org-name").focus());
+  $("add-member").addEventListener("click", () => {
+    if (state.managingWorkspace) addMember(state.managingWorkspace).catch((err) => toast(err.message));
+  });
   refreshAll().catch((err) => toast(err.message));
 });

package/static/sw.js

@@ -1,6 +1,6 @@
 // Lattice AI Service Worker — enables PWA install on Android/iOS
 // Strategy: network-first for API, cache-first for static assets.
-const CACHE = "ltcai-v100";
+const CACHE = "ltcai-v110";
 const STATIC = [
   "/",
   "/workspace",

package/static/workspace.css

@@ -513,3 +513,34 @@ textarea {
     grid-template-columns: 1fr;
   }
 }
+
+/* Workspace switcher + organization management (v1.1.0) */
+.workspace-switcher {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+  padding: 6px 10px;
+  border-radius: 10px;
+  background: rgba(255, 255, 255, 0.06);
+  border: 1px solid rgba(255, 255, 255, 0.12);
+}
+.workspace-switcher select {
+  background: transparent;
+  border: none;
+  color: inherit;
+  font: inherit;
+  font-weight: 600;
+  max-width: 220px;
+}
+.workspace-role-pill {
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+  opacity: 0.75;
+}
+#member-panel {
+  margin-top: 16px;
+}
+#org-create-form {
+  margin-bottom: 12px;
+}

package/static/workspace.html

@@ -8,7 +8,7 @@
   <link rel="icon" type="image/png" sizes="32x32" href="/icons/favicon-32.png">
   <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap">
   <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@tabler/icons-webfont@latest/tabler-icons.min.css">
-  <link rel="stylesheet" href="/static/workspace.css?v=1.0.0">
+  <link rel="stylesheet" href="/static/workspace.css?v=1.1.0">
 </head>
 <body>
   <div class="workspace-shell">
@@ -41,6 +41,12 @@
           <h1>Workspace Command Center</h1>
         </div>
         <div class="top-actions">
+          <div class="workspace-switcher" title="Active workspace">
+            <i class="ti ti-building-community"></i>
+            <select id="workspace-select" aria-label="Active workspace"></select>
+            <span class="workspace-role-pill" id="workspace-role"></span>
+          </div>
+          <button class="icon-action" id="new-org-btn" title="New organization workspace"><i class="ti ti-plus"></i></button>
           <button class="icon-action" id="refresh-btn" title="Refresh"><i class="ti ti-refresh"></i></button>
           <button class="primary-action" id="snapshot-now"><i class="ti ti-device-floppy"></i><span>Snapshot</span></button>
         </div>
@@ -48,6 +54,39 @@
 
       <section class="metric-grid" id="metric-grid"></section>
 
+      <section class="workspace-band" id="organization">
+        <div class="section-head">
+          <div>
+            <div class="eyebrow">Workspaces</div>
+            <h2>Personal &amp; Organization</h2>
+          </div>
+          <span class="status-pill" id="edition-pill">community</span>
+        </div>
+        <div class="inline-form" id="org-create-form">
+          <input id="org-name" placeholder="New organization workspace name">
+          <button class="secondary-action" id="create-org"><i class="ti ti-building-plus"></i><span>Create Org</span></button>
+        </div>
+        <div id="workspace-list" class="list-stack"></div>
+        <div class="workspace-panel" id="member-panel" hidden>
+          <div class="section-head">
+            <div>
+              <div class="eyebrow">Members</div>
+              <h2 id="member-panel-title">Manage Members</h2>
+            </div>
+          </div>
+          <div class="inline-form split">
+            <input id="member-user" placeholder="user@example.com">
+            <select id="member-role">
+              <option value="admin">admin</option>
+              <option value="member" selected>member</option>
+              <option value="viewer">viewer</option>
+            </select>
+            <button class="secondary-action" id="add-member"><i class="ti ti-user-plus"></i><span>Add</span></button>
+          </div>
+          <div id="member-list" class="list-stack"></div>
+        </div>
+      </section>
+
       <section class="workspace-band onboarding-band" id="onboarding">
         <div class="section-head">
           <div>
@@ -194,6 +233,6 @@
   </div>
 
   <div class="toast" id="toast"></div>
-  <script src="/static/scripts/workspace.js?v=1.0.0"></script>
+  <script src="/static/scripts/workspace.js?v=1.1.0"></script>
 </body>
 </html>