ltcai 1.3.0 → 1.4.0

package/latticeai/api/permissions.py

@@ -0,0 +1,331 @@
+"""Local permission request and approval routes."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import logging
+import secrets
+import threading
+import time
+import urllib.request
+from pathlib import Path
+from typing import Dict, Optional, Tuple
+
+from fastapi import APIRouter, HTTPException, Request
+
+
+_PERMISSION_ACTION_LABELS = {
+    "list": "폴더 목록 보기",
+    "read": "파일 읽기",
+    "write": "파일 쓰기",
+}
+
+
+class PermissionGateway:
+    """Shared permission state used by local-file and knowledge routers."""
+
+    def __init__(self, *, config, data_dir: Path, require_admin, get_current_user) -> None:
+        self.require_admin = require_admin
+        self.get_current_user = get_current_user
+        self.local_approval_ttl_seconds = 5 * 60
+        self.local_approval_lock = threading.Lock()
+        self.local_approvals: Dict[str, Dict[str, object]] = {}
+        self.discord_permission_webhook_url = config.discord_permission_webhook
+        self.discord_bot_token = config.discord_bot_token
+        self.discord_permission_channel = config.discord_permission_channel
+        self.permission_monitor_secret = config.permission_monitor_secret
+        self.perm_queue_file = data_dir / "permission_queue.json"
+
+    def _perm_queue_write(self, token: str, record: Dict[str, object]) -> None:
+        try:
+            queue: Dict = {}
+            if self.perm_queue_file.exists():
+                try:
+                    queue = json.loads(self.perm_queue_file.read_text(encoding="utf-8"))
+                except Exception:
+                    queue = {}
+            queue[token] = {**record, "notified": False}
+            self.perm_queue_file.write_text(json.dumps(queue, ensure_ascii=False, indent=2), encoding="utf-8")
+        except Exception as exc:
+            logging.warning("perm_queue_write failed: %s", exc)
+
+    def _perm_queue_remove(self, token: str) -> None:
+        try:
+            if not self.perm_queue_file.exists():
+                return
+            queue: Dict = json.loads(self.perm_queue_file.read_text(encoding="utf-8"))
+            queue.pop(token, None)
+            self.perm_queue_file.write_text(json.dumps(queue, ensure_ascii=False, indent=2), encoding="utf-8")
+        except Exception as exc:
+            logging.warning("perm_queue_remove failed: %s", exc)
+
+    @staticmethod
+    def normalize_local_path_for_approval(path: str) -> str:
+        return str(Path(path).expanduser().resolve())
+
+    @staticmethod
+    def content_fingerprint(content: str = "") -> str:
+        return hashlib.sha256(content.encode("utf-8")).hexdigest()
+
+    def _notify_discord_permission_sync(self, token: str, path: str, action: str, user_email: str) -> None:
+        sent = False
+        if self.discord_bot_token and self.discord_permission_channel:
+            action_label = _PERMISSION_ACTION_LABELS.get(action, action)
+            expires_at_iso = time.strftime(
+                "%Y-%m-%d %H:%M:%S UTC",
+                time.gmtime(time.time() + self.local_approval_ttl_seconds),
+            )
+            msg = (
+                f"🔐 **파일 접근 권한 요청**\n"
+                f"**경로:** `{path}`\n"
+                f"**작업:** {action_label}\n"
+                f"**요청자:** {user_email}\n"
+                f"**토큰:** `{token}`\n"
+                f"**만료:** {expires_at_iso}\n\n"
+                f"승인하려면 `승인 {token[:8]}` / 거부하려면 `거부 {token[:8]}` 라고 답장하세요."
+            )
+            payload = json.dumps({"content": msg}, ensure_ascii=False).encode("utf-8")
+            try:
+                req = urllib.request.Request(
+                    f"https://discord.com/api/v10/channels/{self.discord_permission_channel}/messages",
+                    data=payload,
+                    headers={
+                        "Content-Type": "application/json",
+                        "Authorization": f"Bot {self.discord_bot_token}",
+                    },
+                    method="POST",
+                )
+                with urllib.request.urlopen(req, timeout=5):
+                    pass
+                sent = True
+            except Exception as exc:
+                logging.warning("Discord bot permission notify failed: %s", exc)
+
+        if not sent and self.discord_permission_webhook_url:
+            action_label = _PERMISSION_ACTION_LABELS.get(action, action)
+            expires_at_iso = time.strftime(
+                "%Y-%m-%d %H:%M:%S UTC",
+                time.gmtime(time.time() + self.local_approval_ttl_seconds),
+            )
+            payload = json.dumps(
+                {
+                    "embeds": [
+                        {
+                            "title": "🔐 파일 접근 권한 요청",
+                            "color": 0xFF9900,
+                            "fields": [
+                                {"name": "경로", "value": f"`{path}`", "inline": False},
+                                {"name": "작업", "value": action_label, "inline": True},
+                                {"name": "요청자", "value": user_email, "inline": True},
+                                {"name": "토큰", "value": f"`{token}`", "inline": False},
+                                {"name": "만료", "value": expires_at_iso, "inline": True},
+                            ],
+                            "footer": {
+                                "text": (
+                                    "승인: POST /permissions/approve/{token}  |  "
+                                    "거부: POST /permissions/deny/{token}  |  "
+                                    "목록: GET /permissions/pending"
+                                )
+                            },
+                        }
+                    ]
+                },
+                ensure_ascii=False,
+            ).encode("utf-8")
+            try:
+                req = urllib.request.Request(
+                    self.discord_permission_webhook_url,
+                    data=payload,
+                    headers={"Content-Type": "application/json"},
+                    method="POST",
+                )
+                with urllib.request.urlopen(req, timeout=5):
+                    pass
+            except Exception as exc:
+                logging.warning("Discord permission webhook failed: %s", exc)
+
+    def local_permission_response(self, path: str, action: str, user_email: str, content: str = "") -> dict:
+        normalized = self.normalize_local_path_for_approval(path)
+        token = secrets.token_urlsafe(24)
+        record: Dict[str, object] = {
+            "path": normalized,
+            "action": action,
+            "user_email": user_email,
+            "expires_at": time.time() + self.local_approval_ttl_seconds,
+            "approved": False,
+        }
+        if action == "write":
+            record["content_hash"] = self.content_fingerprint(content)
+        with self.local_approval_lock:
+            self.local_approvals[token] = record
+        self._perm_queue_write(token, record)
+        action_label = _PERMISSION_ACTION_LABELS.get(action, action)
+        return {
+            "permission_required": True,
+            "path": path,
+            "action": action,
+            "action_label": action_label,
+            "approval_token": token,
+            "expires_in": self.local_approval_ttl_seconds,
+            "message": f"AI가 '{path}' 에 대한 {action_label} 권한을 요청합니다.",
+            "check_status_url": f"/permissions/status/{token}",
+        }
+
+    def require_local_user(self, request: Request) -> str:
+        email = self.get_current_user(request)
+        if not email:
+            raise HTTPException(status_code=401, detail="로컬 파일 접근은 로그인 세션이 필요합니다.")
+        return email
+
+    def require_local_approval(
+        self,
+        *,
+        token: Optional[str],
+        path: str,
+        action: str,
+        user_email: str,
+        content: str = "",
+    ) -> None:
+        if not token:
+            raise HTTPException(status_code=403, detail="파일 접근 승인 토큰이 필요합니다.")
+        normalized = self.normalize_local_path_for_approval(path)
+        now = time.time()
+        with self.local_approval_lock:
+            expired = [key for key, value in self.local_approvals.items() if float(value.get("expires_at", 0)) < now]
+            for key in expired:
+                self.local_approvals.pop(key, None)
+            record = self.local_approvals.get(token)
+        if not record:
+            raise HTTPException(status_code=403, detail="파일 접근 승인이 만료되었거나 유효하지 않습니다.")
+        if not record.get("approved"):
+            raise HTTPException(status_code=403, detail="파일 접근이 아직 승인되지 않았습니다. Discord 또는 UI에서 승인해주세요.")
+        if record.get("user_email") != user_email:
+            raise HTTPException(status_code=403, detail="다른 사용자의 파일 접근 승인은 사용할 수 없습니다.")
+        if record.get("path") != normalized or record.get("action") != action:
+            raise HTTPException(status_code=403, detail="파일 접근 승인 범위가 일치하지 않습니다.")
+        if action == "write" and record.get("content_hash") != self.content_fingerprint(content):
+            raise HTTPException(status_code=403, detail="승인된 파일 내용과 요청 내용이 다릅니다.")
+
+    def check_permission_auth(self, request: Request, token: Optional[str] = None) -> None:
+        if self.permission_monitor_secret:
+            auth_header = request.headers.get("Authorization", "")
+            if auth_header == f"Bearer {self.permission_monitor_secret}":
+                return
+        if token:
+            current_user = self.get_current_user(request)
+            with self.local_approval_lock:
+                record = self.local_approvals.get(token)
+            if current_user and record and record.get("user_email") == current_user:
+                return
+        self.require_admin(request)
+
+
+def create_permissions_router(
+    *,
+    config,
+    data_dir: Path,
+    require_user,
+    require_admin,
+    get_current_user,
+) -> Tuple[APIRouter, PermissionGateway]:
+    router = APIRouter()
+    gateway = PermissionGateway(
+        config=config,
+        data_dir=data_dir,
+        require_admin=require_admin,
+        get_current_user=get_current_user,
+    )
+
+    @router.get("/permissions/pending")
+    async def permissions_pending(request: Request):
+        require_admin(request)
+        now = time.time()
+        with gateway.local_approval_lock:
+            result = {}
+            for tok, rec in list(gateway.local_approvals.items()):
+                expires_at = float(rec.get("expires_at", 0))
+                if expires_at < now:
+                    continue
+                result[tok] = {
+                    "path": rec.get("path"),
+                    "action": rec.get("action"),
+                    "action_label": _PERMISSION_ACTION_LABELS.get(str(rec.get("action", "")), str(rec.get("action", ""))),
+                    "user_email": rec.get("user_email"),
+                    "approved": bool(rec.get("approved")),
+                    "expires_in": round(expires_at - now),
+                }
+        return {"pending": result, "count": len(result)}
+
+    @router.post("/permissions/approve/{token}")
+    async def permissions_approve(token: str, request: Request):
+        gateway.check_permission_auth(request, token)
+        with gateway.local_approval_lock:
+            record = gateway.local_approvals.get(token)
+            if not record:
+                raise HTTPException(status_code=404, detail="토큰이 없거나 만료되었습니다.")
+            if float(record.get("expires_at", 0)) < time.time():
+                gateway.local_approvals.pop(token, None)
+                raise HTTPException(status_code=410, detail="토큰이 만료되었습니다.")
+            record["approved"] = True
+        gateway._perm_queue_remove(token)
+        logging.info(
+            "Permission approved: token=%s path=%s action=%s user=%s",
+            token,
+            record.get("path"),
+            record.get("action"),
+            record.get("user_email"),
+        )
+        return {
+            "ok": True,
+            "token": token,
+            "path": record.get("path"),
+            "action": record.get("action"),
+            "user_email": record.get("user_email"),
+        }
+
+    @router.post("/permissions/deny/{token}")
+    async def permissions_deny(token: str, request: Request):
+        gateway.check_permission_auth(request, token)
+        with gateway.local_approval_lock:
+            record = gateway.local_approvals.pop(token, None)
+        gateway._perm_queue_remove(token)
+        if not record:
+            raise HTTPException(status_code=404, detail="토큰이 없거나 이미 처리되었습니다.")
+        logging.info(
+            "Permission denied: token=%s path=%s action=%s user=%s",
+            token,
+            record.get("path"),
+            record.get("action"),
+            record.get("user_email"),
+        )
+        return {
+            "ok": True,
+            "denied": True,
+            "token": token,
+            "path": record.get("path"),
+            "action": record.get("action"),
+        }
+
+    @router.get("/permissions/status/{token}")
+    async def permissions_status(token: str, request: Request):
+        require_user(request)
+        now = time.time()
+        with gateway.local_approval_lock:
+            record = gateway.local_approvals.get(token)
+        if not record:
+            return {"status": "denied_or_expired", "token": token}
+        if float(record.get("expires_at", 0)) < now:
+            return {"status": "expired", "token": token}
+        if record.get("approved"):
+            return {"status": "approved", "token": token}
+        return {
+            "status": "pending",
+            "token": token,
+            "expires_in": round(float(record.get("expires_at", 0)) - now),
+        }
+
+    return router, gateway
+
+
+__all__ = ["PermissionGateway", "create_permissions_router"]

package/latticeai/api/setup.py

@@ -0,0 +1,158 @@
+"""Setup wizard and OS permission routes."""
+
+from __future__ import annotations
+
+from typing import Dict, List, Optional
+
+from fastapi import APIRouter, HTTPException, Request
+from fastapi.responses import StreamingResponse
+from pydantic import BaseModel
+
+from auto_setup import (
+    plan as auto_setup_plan,
+    preset as auto_setup_preset,
+    probe as auto_setup_probe,
+    recommend as auto_setup_recommend,
+    verify as auto_setup_verify,
+)
+from llm_router import parse_model_ref
+from setup import get_recommendations, install_stream, open_url, scan_environment
+
+
+def create_setup_router(*, model_router, require_user) -> APIRouter:
+    api_router = APIRouter()
+    router = model_router
+
+    # ── Setup Wizard ─────────────────────────────────────────────────────────────
+    
+    class SetupInstallRequest(BaseModel):
+        items: List[Dict]
+    
+    def setup_auto_state() -> Dict[str, object]:
+        """Return the PPT-aligned zero-config setup state used by setup UI/API."""
+        profile = auto_setup_probe()
+        recommendation = auto_setup_recommend(profile)
+        install_plan = auto_setup_plan(profile, recommendation)
+        return {
+            "probe": profile.to_json(),
+            "recommend": recommendation.to_json(),
+            "plan": install_plan.to_json(),
+            "verify": auto_setup_verify(profile, recommendation),
+            "preset": auto_setup_preset(profile, recommendation),
+        }
+    
+    
+    def primary_setup_model(recs: Dict[str, object]) -> Optional[Dict[str, object]]:
+        models = recs.get("models") if isinstance(recs, dict) else None
+        if not isinstance(models, list):
+            return None
+        candidates = [
+            item for item in models
+            if isinstance(item, dict) and not item.get("disabled") and (item.get("model_id") or (item.get("action") or {}).get("model_id"))
+        ]
+        if not candidates:
+            return None
+        return next((item for item in candidates if item.get("checked")), candidates[0])
+    
+    
+    @api_router.get("/setup/scan")
+    async def setup_scan(request: Request):
+        """환경 감지 및 맞춤 추천 반환."""
+        require_user(request)
+        env  = scan_environment()
+        recs = get_recommendations(env)
+        zero_config = setup_auto_state()
+        primary_model = primary_setup_model(recs)
+        if primary_model:
+            model_id = primary_model.get("model_id") or (primary_model.get("action") or {}).get("model_id")
+            model_provider, provider_model = parse_model_ref(str(model_id))
+            primary_runtime = "mlx" if model_provider == "local_mlx" else model_provider
+            zero_config.setdefault("recommend", {})["model_id"] = model_id
+            zero_config["recommend"]["runtime"] = primary_runtime
+            rationale = [
+                item for item in zero_config["recommend"].get("rationale", [])
+                if not (isinstance(item, str) and item.startswith("RAM ") and "→" in item)
+            ]
+            rationale.append(f"실제 다운로드 및 로드 가능한 {primary_runtime} 모델 → {model_id}")
+            zero_config["recommend"]["rationale"] = rationale
+            if isinstance(zero_config.get("plan"), dict):
+                if model_provider == "ollama":
+                    command = ["ollama", "pull", provider_model]
+                elif model_provider in {"vllm", "lmstudio", "llamacpp"}:
+                    command = ["lattice-ai", "models", "load", str(model_id)]
+                else:
+                    command = ["huggingface-cli", "download", str(model_id), "--quiet"]
+                zero_config["plan"]["steps"] = [{
+                    "name": f"weights:{model_id}",
+                    "why": "추론에 사용할 모델 가중치",
+                    "command": command,
+                    "requires_admin": False,
+                }]
+            if isinstance(zero_config.get("preset"), dict):
+                zero_config["preset"].setdefault("model", {})["id"] = model_id
+                zero_config["preset"]["model"]["runtime"] = primary_runtime
+        env["zero_config"] = zero_config
+        recs.setdefault("summary", {})["zero_config"] = zero_config["recommend"]
+        recs["install_plan"] = zero_config["plan"]
+        recs["preset"] = zero_config["preset"]
+        return {"environment": env, "recommendations": recs, "zero_config": zero_config}
+    
+    @api_router.get("/setup/auto")
+    async def setup_auto(request: Request):
+        """PPT-aligned zero-config setup pipeline: probe → recommend → plan → verify → preset."""
+        require_user(request)
+        return setup_auto_state()
+    
+    @api_router.post("/setup/install")
+    async def setup_install(req: SetupInstallRequest, request: Request):
+        """선택된 항목을 순서대로 설치 · 로드하는 SSE 스트림."""
+        require_user(request)
+        async def _gen():
+            async for chunk in install_stream(req.items, router):
+                yield chunk
+        return StreamingResponse(_gen(), media_type="text/event-stream",
+                                 headers={"Cache-Control": "no-cache", "X-Accel-Buffering": "no"})
+    
+    @api_router.post("/setup/open-auth/{mcp_id}")
+    async def setup_open_auth(mcp_id: str, request: Request):
+        require_user(request)
+        """MCP 인증 페이지를 브라우저에서 자동으로 엽니다."""
+        auth_urls: Dict[str, str] = {
+            "github":      "https://github.com/apps",
+            "google-drive": "https://chatgpt.com/connectors",
+            "slack":       "https://chatgpt.com/connectors",
+            "chrome":      "https://chatgpt.com/connectors",
+            "computer-use": "https://chatgpt.com/connectors",
+            "figma":       "https://chatgpt.com/connectors",
+            "notion":      "https://chatgpt.com/connectors",
+            "linear":      "https://chatgpt.com/connectors",
+            "gmail":       "https://chatgpt.com/connectors",
+            "google-calendar": "https://chatgpt.com/connectors",
+            "outlook-email": "https://chatgpt.com/connectors",
+            "outlook-calendar": "https://chatgpt.com/connectors",
+            "teams":       "https://chatgpt.com/connectors",
+            "sharepoint":  "https://chatgpt.com/connectors",
+            "canva":       "https://chatgpt.com/connectors",
+        }
+        url = auth_urls.get(mcp_id)
+        if not url:
+            raise HTTPException(status_code=404, detail=f"알 수 없는 MCP: {mcp_id}")
+        open_url(url)
+        return {"status": "ok", "opened": url, "mcp_id": mcp_id}
+    
+    
+    @api_router.post("/permissions/open/{permission_id}")
+    async def open_permission_settings(permission_id: str, request: Request):
+        require_user(request)
+        """macOS 권한 설정 화면을 엽니다."""
+        urls = {
+            "accessibility": "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility",
+            "automation": "x-apple.systempreferences:com.apple.preference.security?Privacy_Automation",
+            "screen": "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture",
+        }
+        url = urls.get(permission_id)
+        if not url:
+            raise HTTPException(status_code=404, detail="알 수 없는 권한 설정입니다.")
+        open_url(url)
+        return {"status": "ok", "opened": url, "permission": permission_id}
+    return api_router

package/latticeai/api/static_routes.py

@@ -0,0 +1,166 @@
+"""Static UI and lightweight status routes."""
+
+from __future__ import annotations
+
+import re
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Callable, Optional
+
+from fastapi import APIRouter, Cookie, HTTPException, Request
+from fastapi.responses import FileResponse, HTMLResponse
+
+def ui_file_response(path: Path) -> FileResponse:
+    response = FileResponse(path)
+    response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+    response.headers["Pragma"] = "no-cache"
+    response.headers["Expires"] = "0"
+    return response
+
+@dataclass(frozen=True)
+class StaticRoutesBundle:
+    router: APIRouter
+    ui_file_response: Callable[[Path], FileResponse]
+    local_sysinfo: Callable[[Request], object]
+
+
+def create_static_routes_router(
+    *,
+    static_dir: Path,
+    invite_gate_enabled: bool,
+    invite_code: str,
+    app_mode: str,
+    model_router,
+    require_user,
+) -> StaticRoutesBundle:
+    api_router = APIRouter()
+    STATIC_DIR = static_dir
+    INVITE_GATE_ENABLED = invite_gate_enabled
+    INVITE_CODE = invite_code
+    APP_MODE = app_mode
+    router = model_router
+
+    @api_router.get("/")
+    async def root(request: Request, code: Optional[str] = None, authorized: Optional[str] = Cookie(None)):
+        """로그인/회원가입 페이지. 초대 게이트 활성화 시 코드 검증 후 진입."""
+        if not INVITE_GATE_ENABLED:
+            return ui_file_response(STATIC_DIR / "account.html")
+    
+        # 1. 이미 쿠키로 인증된 경우
+        if authorized == "true":
+            return ui_file_response(STATIC_DIR / "account.html")
+    
+        # 2. 초대 코드가 일치하는 경우 (최초 진입)
+        if code == INVITE_CODE:
+            response = ui_file_response(STATIC_DIR / "account.html")
+            response.set_cookie(key="authorized", value="true", httponly=True, samesite="lax", max_age=60*60*24*7)
+            return response
+    
+        # 3. 인증 실패 시 차단 화면
+        return HTMLResponse(content=f"""
+            <body style="background:#0f1115; color:white; display:flex; flex-direction:column; align-items:center; justify-content:center; height:100vh; font-family:sans-serif;">
+                <div style="background:#16191f; padding:40px; border-radius:24px; border:1px solid rgba(255,255,255,0.1); text-align:center; box-shadow: 0 20px 40px rgba(0,0,0,0.5);">
+                    <div style="font-size:48px; margin-bottom:20px;">🔒</div>
+                    <h1 style="color:#378ADD; margin:0; font-size:24px;">Invitation Required</h1>
+                    <p style="color:#94a3b8; margin:20px 0; line-height:1.6;">이 서비스는 비공개로 운영되고 있습니다.<br>선생님께 받은 <b>초대용 전용 링크</b>를 통해 접속해 주세요.</p>
+                    <div style="margin-top:30px; padding-top:20px; border-top:1px solid rgba(255,255,255,0.05); font-size:11px; color:rgba(255,255,255,0.2); letter-spacing:1px;">LATTICE AI</div>
+                </div>
+            </body>
+        """, status_code=403)
+    
+    
+    @api_router.get("/account")
+    async def account_page():
+        """Direct login/register page route used by logout and manual navigation."""
+        return ui_file_response(STATIC_DIR / "account.html")
+    
+    
+    @api_router.get("/manifest.json")
+    async def manifest():
+        p = STATIC_DIR / "manifest.json"
+        if not p.exists():
+            raise HTTPException(status_code=404)
+        return FileResponse(str(p), media_type="application/manifest+json")
+    
+    
+    @api_router.get("/sw.js")
+    async def service_worker():
+        p = STATIC_DIR / "sw.js"
+        if not p.exists():
+            raise HTTPException(status_code=404)
+        resp = FileResponse(str(p), media_type="application/javascript")
+        resp.headers["Service-Worker-Allowed"] = "/"
+        return resp
+    
+    
+    @api_router.get("/chat")
+    async def chat_page(request: Request):
+        return ui_file_response(STATIC_DIR / "chat.html")
+    
+    
+    @api_router.get("/admin")
+    async def admin_page():
+        admin_path = STATIC_DIR / "admin.html"
+        if not admin_path.exists():
+            raise HTTPException(status_code=404, detail="Admin UI not found.")
+        response = FileResponse(admin_path)
+        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        return response
+    
+    # /workspace and /onboarding UI pages are served by the workspace router
+    # (latticeai.api.workspace), included below after its dependencies are defined.
+    
+    @api_router.get("/status")
+    async def status():
+        """서버 상태 및 현재 로드된 모델 정보를 반환합니다."""
+        return {
+            "message": "🧠 Lattice AI MLX Server is running!",
+            "status": "online",
+            "mode": APP_MODE,
+            "loaded_model": router._current or "None"
+        }
+    
+    
+    @api_router.get("/local/sysinfo")
+    async def local_sysinfo(request: Request):
+        """CPU / RAM / GPU(MLX) 사용량을 반환합니다."""
+        require_user(request)
+        import subprocess, re as _re
+        result = {"cpu_pct": 0.0, "ram_pct": 0.0, "gpu_mem_pct": 0.0, "gpu_mem_gb": 0.0}
+        try:
+            # CPU
+            top_out = subprocess.run(["top", "-l", "1", "-n", "0"], capture_output=True, text=True, timeout=4).stdout
+            for line in top_out.splitlines():
+                if "CPU usage" in line:
+                    m = _re.search(r"([\d.]+)% user.*?([\d.]+)% sys", line)
+                    if m:
+                        result["cpu_pct"] = round(float(m.group(1)) + float(m.group(2)), 1)
+            # RAM
+            vm_out = subprocess.run(["vm_stat"], capture_output=True, text=True, timeout=4).stdout
+            page_size = 16384
+            pages: dict = {}
+            for line in vm_out.splitlines():
+                for key in ["Pages free", "Pages active", "Pages inactive", "Pages wired down", "Pages occupied by compressor"]:
+                    if line.startswith(key):
+                        m = _re.search(r"(\d+)", line)
+                        if m:
+                            pages[key] = int(m.group(1))
+            total = sum(pages.values())
+            used  = total - pages.get("Pages free", 0)
+            result["ram_pct"] = round(used / total * 100, 1) if total else 0.0
+            # GPU (MLX / Apple Silicon unified memory)
+            try:
+                import mlx.core as _mx
+                hw_out = subprocess.run(["sysctl", "-n", "hw.memsize"], capture_output=True, text=True, timeout=2).stdout
+                total_bytes = int(hw_out.strip())
+                gpu_bytes = _mx.get_active_memory() + _mx.get_cache_memory()
+                result["gpu_mem_gb"]  = round(gpu_bytes / (1024 ** 3), 2)
+                result["gpu_mem_pct"] = round(gpu_bytes / total_bytes * 100, 1) if total_bytes else 0.0
+            except Exception:
+                pass
+        except Exception as e:
+            result["error"] = str(e)
+        return result
+
+    return StaticRoutesBundle(api_router, ui_file_response, local_sysinfo)