ltcai 1.6.0 → 2.0.0

package/latticeai/server_app.py

@@ -91,8 +91,16 @@ from latticeai.services.model_runtime import (
     verify_cloud_models,
     ensure_ollama_server,
 )
-from latticeai.api.workspace import create_workspace_router
+from latticeai.api.workspace import create_workspace_router, _workspace_scope_from_request
 from latticeai.api.health import create_health_router
+# ── v2.0 Agentic Workspace Platform layers ───────────────────────────────────
+from latticeai.core.plugins import PluginRegistry
+from latticeai.core.realtime import RealtimeBus
+from latticeai.services.platform_runtime import PlatformRuntime
+from latticeai.api.plugins import create_plugins_router
+from latticeai.api.workflow_designer import create_workflow_designer_router
+from latticeai.api.agents import create_agents_router
+from latticeai.api.realtime import create_realtime_router
 from latticeai.api.models import create_models_router
 from latticeai.api.chat import create_chat_router
 from latticeai.api.tools import create_tools_router
@@ -236,10 +244,16 @@ AUDIT_FILE = DATA_DIR / "audit_log.json"
 SSO_FILE = DATA_DIR / "sso_config.json"
 KNOWLEDGE_GRAPH = KnowledgeGraphStore(DATA_DIR / "knowledge_graph.sqlite", DATA_DIR / "knowledge_graph_blobs") if ENABLE_GRAPH else None
 LOCAL_KG_WATCHER = LocalKnowledgeWatcher(lambda: KNOWLEDGE_GRAPH) if ENABLE_GRAPH else None
-WORKSPACE_OS = WorkspaceOSStore(DATA_DIR)
+# ── v2.0 Realtime bus: constructed first so the store can fan every timeline
+# event into the realtime feed via a single additive sink (no per-call wiring).
+REALTIME_BUS = RealtimeBus()
+WORKSPACE_OS = WorkspaceOSStore(DATA_DIR, event_sink=REALTIME_BUS)
 # Service layer (latticeai.services) wraps the store with scope/permission
 # guardrails; routers and the app assembly share this single instance.
 WORKSPACE_SERVICE = WorkspaceService(WORKSPACE_OS)
+# ── v2.0 Plugin SDK registry (extends skills; discovers plugins/<id>/plugin.json)
+PLUGINS_DIR = Path(os.getenv("LATTICEAI_PLUGINS_DIR") or (BASE_DIR / "plugins"))
+PLUGIN_REGISTRY = PluginRegistry(PLUGINS_DIR, store=WORKSPACE_OS)
 
 def _require_graph():
     if not ENABLE_GRAPH or KNOWLEDGE_GRAPH is None:
@@ -1187,6 +1201,66 @@ app.include_router(create_workspace_router(
 ))
 
 
+# ── v2.0 Agentic Workspace Platform: cross-system wiring ─────────────────────
+# All cross-subsystem closures live in latticeai.services.platform_runtime to
+# keep this assembly file lean; server_app only constructs it and mounts routers.
+PLATFORM = PlatformRuntime(
+    store=WORKSPACE_OS,
+    workspace_service=WORKSPACE_SERVICE,
+    plugin_registry=PLUGIN_REGISTRY,
+    get_current_user=get_current_user,
+    workspace_graph=_workspace_graph,
+    workspace_scope_from_request=_workspace_scope_from_request,
+    get_tool_permission=get_tool_permission,
+)
+
+app.include_router(create_plugins_router(
+    registry=PLUGIN_REGISTRY,
+    require_user=require_user,
+    require_admin=require_admin,
+    append_audit_event=append_audit_event,
+    register_skill=PLATFORM.register_plugin_skill,
+    plugin_runners_factory=lambda: PLATFORM.plugin_capability_runners(None, None),
+    ui_file_response=ui_file_response,
+    static_dir=STATIC_DIR,
+))
+
+app.include_router(create_workflow_designer_router(
+    store=WORKSPACE_OS,
+    require_user=require_user,
+    get_current_user=get_current_user,
+    gate_read=PLATFORM.gate_read,
+    gate_write=PLATFORM.gate_write,
+    workspace_graph=_workspace_graph,
+    build_runners=PLATFORM.build_workflow_runners,
+    append_audit_event=append_audit_event,
+    ui_file_response=ui_file_response,
+    static_dir=STATIC_DIR,
+))
+
+app.include_router(create_agents_router(
+    store=WORKSPACE_OS,
+    orchestrator_factory=PLATFORM.build_orchestrator,
+    require_user=require_user,
+    get_current_user=get_current_user,
+    gate_read=PLATFORM.gate_read,
+    gate_write=PLATFORM.gate_write,
+    workspace_graph=_workspace_graph,
+    append_audit_event=append_audit_event,
+    ui_file_response=ui_file_response,
+    static_dir=STATIC_DIR,
+))
+
+app.include_router(create_realtime_router(
+    bus=REALTIME_BUS,
+    require_user=require_user,
+    get_current_user=get_current_user,
+    allowed_scopes=PLATFORM.allowed_scopes,
+    ui_file_response=ui_file_response,
+    static_dir=STATIC_DIR,
+))
+
+
 # ── Health & Info ──────────────────────────────────────────────────────────────
 
 # ── Model runtime/provider helpers moved to latticeai.services.model_runtime ──

package/latticeai/services/platform_runtime.py

@@ -0,0 +1,200 @@
+"""v2.0 Agentic Workspace Platform runtime — cross-system wiring.
+
+This is the single place the four v2.0 subsystems (Plugin SDK, Workflow
+Designer, Multi-Agent Runtime, Realtime) connect to one another and to the
+workspace. Keeping it out of ``server_app`` honours the AGENTS.md preference for
+small, composable modules and keeps the wiring independently testable.
+
+Recursion is bounded by construction: a workflow's ``agent`` node runs an
+orchestrator *without* a workflow runner, and an orchestrator's workflow runner
+runs an engine *without* an ``agent`` runner — so the deepest chains are
+``agent → workflow → (tool|skill|plugin)`` and ``workflow → agent → plugin``.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Callable, Dict, Optional, Set
+
+from fastapi import HTTPException, Request
+
+from latticeai.core.multi_agent import MultiAgentOrchestrator, default_role_runner
+from latticeai.core.workflow_engine import WorkflowEngine
+
+
+class PlatformRuntime:
+    def __init__(
+        self,
+        *,
+        store,
+        workspace_service,
+        plugin_registry,
+        get_current_user: Callable[[Request], Optional[str]],
+        workspace_graph: Callable[[], Any],
+        workspace_scope_from_request: Callable[[Request], Optional[str]],
+        get_tool_permission: Callable[..., Dict[str, Any]],
+    ):
+        self.store = store
+        self.svc = workspace_service
+        self.registry = plugin_registry
+        self.get_current_user = get_current_user
+        self.workspace_graph = workspace_graph
+        self.scope_from_request = workspace_scope_from_request
+        self.get_tool_permission = get_tool_permission
+
+    # ── request gating ────────────────────────────────────────────────────
+
+    def gate_read(self, request: Request) -> Optional[str]:
+        try:
+            return self.svc.resolve_read_scope(self.scope_from_request(request), self.get_current_user(request))
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
+
+    def gate_write(self, request: Request) -> Optional[str]:
+        try:
+            return self.svc.resolve_write_scope(self.scope_from_request(request), self.get_current_user(request))
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
+
+    def allowed_scopes(self, user: Optional[str]) -> Optional[Set[str]]:
+        try:
+            workspaces = self.svc.list_workspaces(user or None).get("workspaces", [])
+            return {ws.get("workspace_id") for ws in workspaces if ws.get("workspace_id")}
+        except Exception:
+            return None
+
+    # ── plugin lifecycle hooks ────────────────────────────────────────────
+
+    def register_plugin_skill(self, skill_name: str, plugin_id: str):
+        return self.store.mark_skill_installed(
+            skill_name, version=f"plugin:{plugin_id}", metadata={"source": f"plugin:{plugin_id}"}
+        )
+
+    # ── shared node runners ───────────────────────────────────────────────
+
+    def _tool_node_runner(self):
+        """Workflow tool node: records the invocation + governance decision but
+        never silently executes exec/destructive tools (those need approval)."""
+        def runner(*, node, context):
+            cfg = node.get("config") or {}
+            name = cfg.get("tool") or ""
+            try:
+                permission = dict(self.get_tool_permission(name))
+            except Exception:
+                permission = {"tool": name, "risk": "unknown"}
+            return {"tool": name, "args": cfg.get("args") or {}, "recorded": True, "permission": permission}
+        return runner
+
+    def _skill_node_runner(self):
+        def runner(*, node, context):
+            cfg = node.get("config") or {}
+            name = cfg.get("skill") or ""
+            entry = self.store.load_state().get("skill_registry", {}).get(name) or {}
+            return {"skill": name, "found": bool(entry), "enabled": bool(entry.get("enabled"))}
+        return runner
+
+    def _context_provider(self, user, scope):
+        def provider(goal: str):
+            try:
+                mems = self.store.search_memories(goal, user_email=user, workspace_id=scope).get("memories", [])
+                return [str(m.get("content") or "")[:160] for m in mems[:5]]
+            except Exception:
+                return []
+        return provider
+
+    def plugin_capability_runners(self, user, scope) -> Dict[str, Callable[..., Any]]:
+        """Runners the Plugin SDK boundary dispatches to (one per capability)."""
+        def run_skill(*, plugin_id, action, args, manifest):
+            return {"plugin": plugin_id, "ran_skills": manifest.provides.get("skills", [])}
+
+        def run_tool(*, plugin_id, action, args, manifest):
+            tool = args.get("tool") or (manifest.provides.get("tools") or [None])[0]
+            try:
+                permission = dict(self.get_tool_permission(tool)) if tool else {}
+            except Exception:
+                permission = {}
+            return {"plugin": plugin_id, "tool": tool, "permission": permission, "recorded": True}
+
+        def run_workflow(*, plugin_id, action, args, manifest):
+            wf_id = args.get("workflow_id")
+            if not wf_id:
+                return {"plugin": plugin_id, "skipped": "no workflow_id"}
+            return self.run_workflow_by_id(wf_id, user, scope, with_agent=False, inputs=args.get("inputs"))
+
+        def run_agent(*, plugin_id, action, args, manifest):
+            goal = args.get("goal") or f"Plugin {plugin_id} agent task"
+            return self.run_agent(goal, user, scope, with_workflow=False, inputs=args.get("inputs"))
+
+        return {"skills": run_skill, "tools": run_tool, "workflows": run_workflow, "agents": run_agent}
+
+    def _plugin_node_runner(self, user, scope):
+        def runner(*, node, context):
+            cfg = node.get("config") or {}
+            plugin_id = cfg.get("plugin_id") or cfg.get("plugin") or ""
+            action = cfg.get("action") or "run_skill"
+            result = self.registry.execute_action(
+                plugin_id, action, cfg.get("args") or {}, runners=self.plugin_capability_runners(user, scope)
+            )
+            return result.as_dict()
+        return runner
+
+    def _agent_node_runner(self, user, scope):
+        def runner(*, node, context):
+            cfg = node.get("config") or {}
+            goal = cfg.get("goal") or context.get("goal") or "Run agent"
+            return self.run_agent(goal, user, scope, with_workflow=False, roles=cfg.get("roles"), inputs=context.get("inputs"))
+        return runner
+
+    # ── cross-system runs ─────────────────────────────────────────────────
+
+    def run_workflow_by_id(self, workflow_id, user, scope, *, with_agent: bool, inputs=None) -> Dict[str, Any]:
+        try:
+            workflow = self.store.get_workflow(workflow_id, workspace_id=scope)
+        except FileNotFoundError:
+            return {"error": f"workflow not found: {workflow_id}"}
+        runners = {
+            "tool": self._tool_node_runner(),
+            "skill": self._skill_node_runner(),
+            "plugin": self._plugin_node_runner(user, scope),
+        }
+        if with_agent:
+            runners["agent"] = self._agent_node_runner(user, scope)
+        result = WorkflowEngine(runners).run(workflow, inputs=inputs or {})
+        run = self.store.record_workflow_run(
+            workflow_id=workflow_id, name=workflow.get("name") or "workflow",
+            status=result.status, timeline=result.timeline, outputs=result.outputs,
+            user_email=user, graph=self.workspace_graph(), workspace_id=scope,
+        )
+        return {"workflow_run_id": run["id"], "status": result.status}
+
+    def run_agent(self, goal, user, scope, *, with_workflow: bool, roles=None, inputs=None) -> Dict[str, Any]:
+        role_runner = default_role_runner(
+            workflow_runner=(lambda wf_ref, ctx: self.run_workflow_by_id(wf_ref, user, scope, with_agent=False, inputs=ctx.inputs)) if with_workflow else None,
+            plugin_runner=lambda pid, ctx: self.registry.execute_action(pid, "run_skill", {}, runners=self.plugin_capability_runners(user, scope)).as_dict(),
+            context_provider=self._context_provider(user, scope),
+        )
+        result = MultiAgentOrchestrator(role_runner=role_runner).run(
+            goal, user_email=user, workspace_id=scope, roles=roles, inputs=inputs or {}
+        )
+        run = self.store.record_agent_run(
+            agent_id=result.agent_id, status=result.status, input_text=goal,
+            output_text=result.output, timeline=result.timeline, relationships=[],
+            user_email=user, graph=self.workspace_graph(), workspace_id=scope,
+        )
+        return {"agent_run_id": run["id"], "status": result.status, "output": result.output}
+
+    # ── factories passed to routers ───────────────────────────────────────
+
+    def build_workflow_runners(self, user, scope) -> Dict[str, Callable[..., Any]]:
+        return {
+            "tool": self._tool_node_runner(),
+            "skill": self._skill_node_runner(),
+            "plugin": self._plugin_node_runner(user, scope),
+            "agent": self._agent_node_runner(user, scope),
+        }
+
+    def build_orchestrator(self, user, scope) -> MultiAgentOrchestrator:
+        return MultiAgentOrchestrator(role_runner=default_role_runner(
+            workflow_runner=lambda wf_ref, ctx: self.run_workflow_by_id(wf_ref, user, scope, with_agent=False, inputs=ctx.inputs),
+            plugin_runner=lambda pid, ctx: self.registry.execute_action(pid, "run_skill", {}, runners=self.plugin_capability_runners(user, scope)).as_dict(),
+            context_provider=self._context_provider(user, scope),
+        ))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "1.6.0",
+  "version": "2.0.0",
   "description": "Lattice AI Workspace OS for local-first graph, memory, agent, workflow, and skill operations",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {
@@ -19,10 +19,16 @@
     "dev": "python3 ltcai_cli.py --reload",
     "build": "npm run build:python",
     "build:python": "python3 -m build",
-    "check:python": "python3 -m py_compile ltcai_cli.py server.py latticeai/server_app.py latticeai/api/chat.py latticeai/api/computer_use.py latticeai/api/deps.py latticeai/api/garden.py latticeai/api/local_files.py latticeai/api/permissions.py latticeai/api/setup.py latticeai/api/static_routes.py latticeai/api/tools.py latticeai/services/app_context.py latticeai/services/model_runtime.py latticeai/services/model_catalog.py latticeai/services/model_recommendation.py latticeai/services/tool_dispatch.py latticeai/services/upload_service.py latticeai/core/tool_registry.py latticeai/core/enterprise.py latticeai/core/enterprise_admin.py latticeai/core/agent_prompts.py latticeai/core/workspace_os.py knowledge_graph.py knowledge_graph_api.py local_knowledge_api.py llm_router.py p_reinforce.py telegram_bot.py tools.py codex_telegram_bot.py",
+    "check:python": "python3 -m py_compile ltcai_cli.py server.py latticeai/server_app.py latticeai/api/chat.py latticeai/api/computer_use.py latticeai/api/deps.py latticeai/api/garden.py latticeai/api/local_files.py latticeai/api/permissions.py latticeai/api/setup.py latticeai/api/static_routes.py latticeai/api/tools.py latticeai/api/plugins.py latticeai/api/workflow_designer.py latticeai/api/agents.py latticeai/api/realtime.py latticeai/services/app_context.py latticeai/services/model_runtime.py latticeai/services/model_catalog.py latticeai/services/model_recommendation.py latticeai/services/tool_dispatch.py latticeai/services/upload_service.py latticeai/core/tool_registry.py latticeai/core/enterprise.py latticeai/core/enterprise_admin.py latticeai/core/agent_prompts.py latticeai/core/workspace_os.py latticeai/core/plugins.py latticeai/core/workflow_engine.py latticeai/core/multi_agent.py latticeai/core/realtime.py knowledge_graph.py knowledge_graph_api.py local_knowledge_api.py llm_router.py p_reinforce.py telegram_bot.py tools.py codex_telegram_bot.py",
     "test": "python3 -m pytest tests/ -v",
     "test:unit": "python3 -m pytest tests/unit/ -v",
     "test:integration": "python3 -m pytest tests/integration/ -v",
+    "test:visual": "playwright test",
+    "capture:workspace": "node scripts/capture/capture_workspace.js",
+    "capture:graph": "node scripts/capture/capture_graph.js",
+    "capture:skills": "node scripts/capture/capture_skills.js",
+    "capture:enterprise": "node scripts/capture/capture_enterprise.js",
+    "capture:onboarding": "node scripts/capture/capture_onboarding.js",
     "publish:npm": "npm publish --access public",
     "publish:pypi": "python3 -m twine upload --skip-existing dist/ltcai-$npm_package_version.tar.gz dist/ltcai-$npm_package_version-py3-none-any.whl"
   },
@@ -62,18 +68,27 @@
     "static/admin.html",
     "static/graph.html",
     "static/workspace.html",
+    "static/plugins.html",
+    "static/workflows.html",
+    "static/agents.html",
+    "static/activity.html",
     "static/manifest.json",
     "static/sw.js",
     "static/lattice-reference.css",
     "static/workspace.css",
+    "static/platform.css",
     "static/scripts/",
     "static/css/",
     "static/icons/",
+    "plugins/",
     "docs/",
     "requirements.txt",
     "README.md"
   ],
   "publishConfig": {
     "access": "public"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.60.0"
   }
 }

package/plugins/README.md

@@ -0,0 +1,35 @@
+# Lattice AI Plugins
+
+This directory holds **Plugin SDK** packages discovered by the Lattice AI server
+at runtime. Each plugin is a folder containing a `plugin.json` manifest.
+
+A plugin is an additive, versioned, permissioned unit that **extends** the
+existing Skill / Tool / Workflow surfaces — it never replaces them. Installed
+standalone skills keep working unchanged.
+
+See [`docs/PLUGIN_SDK.md`](../docs/PLUGIN_SDK.md) for the full manifest schema,
+permission model, lifecycle, and execution boundary.
+
+## Bundled examples
+
+| Plugin | What it shows |
+| --- | --- |
+| `hello-world` | Bundling a skill + a workflow template + a declarative action |
+| `git-insights` | Declaring `run_tools` and surfacing read-only git insights through the permission boundary |
+
+## Minimal manifest
+
+```json
+{
+  "id": "my-plugin",
+  "name": "My Plugin",
+  "version": "1.0.0",
+  "description": "What it does.",
+  "lattice_version": ">=2.0.0",
+  "permissions": ["read_workspace"],
+  "provides": { "skills": [], "tools": [], "workflows": [], "actions": [] }
+}
+```
+
+Permissions must be drawn from the SDK allow-list; the execution boundary
+refuses any capability a plugin did not declare and was not granted at install.

package/plugins/git-insights/plugin.json

@@ -0,0 +1,15 @@
+{
+  "id": "git-insights",
+  "name": "Git Insights",
+  "version": "1.0.0",
+  "description": "Example plugin that surfaces read-only git status and log insights through the permissioned tool execution boundary.",
+  "author": "Lattice AI",
+  "lattice_version": ">=2.0.0",
+  "permissions": ["read_workspace", "run_tools"],
+  "provides": {
+    "tools": ["git_status", "git_log"],
+    "actions": ["summarize_repo"]
+  },
+  "entrypoint": "",
+  "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI/blob/main/docs/PLUGIN_SDK.md"
+}

package/plugins/hello-world/plugin.json

@@ -0,0 +1,16 @@
+{
+  "id": "hello-world",
+  "name": "Hello World",
+  "version": "1.0.0",
+  "description": "Example plugin demonstrating the Lattice AI Plugin SDK: bundles a skill, a workflow template, and a greet action.",
+  "author": "Lattice AI",
+  "lattice_version": "2.0.0",
+  "permissions": ["read_workspace", "run_skills"],
+  "provides": {
+    "skills": ["hello_skill"],
+    "workflows": ["hello-workflow"],
+    "actions": ["greet"]
+  },
+  "entrypoint": "",
+  "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI/blob/main/docs/PLUGIN_SDK.md"
+}

package/plugins/hello-world/skills/hello_skill/SKILL.md

@@ -0,0 +1,15 @@
+---
+name: hello_skill
+description: A minimal example skill bundled by the hello-world plugin to show that plugins extend (not replace) the existing skill system.
+---
+
+# Hello Skill
+
+This skill is contributed by the `hello-world` plugin. When the plugin is
+installed, the Plugin SDK registers this skill into the existing Workspace skill
+registry via the same `mark_skill_installed` path used by standalone skills —
+demonstrating that plugins are an additive layer on top of skills.
+
+## Usage
+
+Ask Lattice AI to greet a workspace member, or invoke the plugin action `greet`.

package/static/activity.html

@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Realtime Activity — Lattice AI</title>
+  <link rel="stylesheet" href="/static/platform.css" />
+</head>
+<body>
+  <main>
+    <h1>Realtime Activity</h1>
+    <p class="sub" id="sub">Live presence + activity feed across workspace, graph, agent, and workflow events (SSE).</p>
+
+    <div class="row">
+      <span class="badge" id="connBadge">connecting…</span>
+      <span class="badge" id="presenceBadge">presence: 0</span>
+      <div class="spacer"></div>
+      <button class="ghost" id="clearBtn">Clear view</button>
+    </div>
+
+    <div class="section">
+      <h3>Live feed</h3>
+      <div id="feed"><div class="empty">Waiting for events…</div></div>
+    </div>
+  </main>
+
+  <script type="module">
+    import { mountHeader, api, escapeHtml, badge } from "/static/scripts/platform.js";
+    mountHeader("/activity");
+
+    const feed = document.getElementById("feed");
+    const seen = new Set();
+
+    function renderEvent(ev) {
+      if (ev.seq && seen.has(ev.seq)) return;
+      if (ev.seq) seen.add(ev.seq);
+      if (feed.querySelector(".empty")) feed.innerHTML = "";
+      const node = document.createElement("div");
+      node.className = "timeline-item";
+      node.innerHTML = `<div class="row">${badge(ev.area || "event")} <strong>${escapeHtml(ev.event_type || "")}</strong>
+        <span class="t-meta">${escapeHtml(ev.workspace_id || "personal")} · ${escapeHtml(ev.received_at || ev.timestamp || "")}</span></div>
+        <pre style="max-height:160px">${escapeHtml(JSON.stringify(ev.payload || {}, null, 2))}</pre>`;
+      feed.prepend(node);
+      while (feed.children.length > 100) feed.lastChild.remove();
+    }
+
+    async function refreshPresence() {
+      try {
+        const data = await api("/realtime/presence");
+        document.getElementById("presenceBadge").textContent = `presence: ${data.presence.length}`;
+        document.getElementById("sub").textContent =
+          `Transport: ${data.stats.transport.toUpperCase()} · subscribers: ${data.stats.subscribers} · feed: ${data.stats.feed_size}`;
+      } catch {}
+    }
+
+    document.getElementById("clearBtn").addEventListener("click", () => { feed.innerHTML = `<div class="empty">Cleared.</div>`; });
+
+    // Seed with recent feed, then connect to the SSE stream.
+    api("/realtime/feed?limit=30").then((d) => (d.events || []).reverse().forEach(renderEvent)).catch(() => {});
+
+    const es = new EventSource("/realtime/stream");
+    es.onopen = () => { document.getElementById("connBadge").textContent = "● live"; document.getElementById("connBadge").className = "badge ok"; };
+    es.onerror = () => { document.getElementById("connBadge").textContent = "○ reconnecting"; document.getElementById("connBadge").className = "badge warn"; };
+    es.onmessage = (e) => { try { renderEvent(JSON.parse(e.data)); } catch {} };
+
+    refreshPresence();
+    setInterval(refreshPresence, 8000);
+  </script>
+</body>
+</html>

package/static/admin.html

@@ -26,6 +26,7 @@
             <a href="#users" data-admin-nav="users"><i class="ti ti-users"></i> <span data-i18n="nav_users">사용자 관리</span></a>
             <a href="#permissions" data-admin-nav="permissions"><i class="ti ti-key"></i> <span data-i18n="nav_permissions">권한 관리</span></a>
             <a href="#sso" data-admin-nav="sso"><i class="ti ti-lock-access"></i> <span data-i18n="nav_sso">SSO 관리</span></a>
+            <a href="#enterprise" data-admin-nav="enterprise"><i class="ti ti-building-skyscraper"></i> <span data-i18n="nav_enterprise">Enterprise</span></a>
             <a href="#security" data-admin-nav="security"><i class="ti ti-shield-check"></i> <span data-i18n="nav_security">보안 모니터링</span></a>
             <a href="#audit" data-admin-nav="audit"><i class="ti ti-report-search"></i> <span data-i18n="nav_audit">감사 로그</span></a>
             <a href="/workspace"><i class="ti ti-layout-dashboard"></i> <span>Workspace OS</span></a>
@@ -256,6 +257,67 @@
                 </section>
             </section>
 
+            <section class="admin-view" id="admin-view-enterprise" data-admin-view="enterprise">
+                <section class="panel">
+                    <div class="panel-header">
+                        <div>
+                            <h3 data-i18n="enterprise_title">Enterprise Admin</h3>
+                            <p data-i18n="enterprise_desc">Admin policies, audit export, SIEM export, organization settings, and capability status.</p>
+                        </div>
+                        <div class="tag-row" id="enterprise-status-tags"></div>
+                    </div>
+                    <div class="panel-body">
+                        <div class="enterprise-grid" id="enterprise-capability-status"></div>
+                    </div>
+                </section>
+
+                <section class="panel-grid">
+                    <article class="panel">
+                        <div class="panel-header">
+                            <div>
+                                <h3 data-i18n="enterprise_policies">Admin Policies</h3>
+                                <p data-i18n="enterprise_policies_desc">Effective Community policy and Enterprise policy-pack status.</p>
+                            </div>
+                        </div>
+                        <div class="panel-body" id="enterprise-admin-policies"></div>
+                    </article>
+                    <article class="panel">
+                        <div class="panel-header">
+                            <div>
+                                <h3 data-i18n="enterprise_org">Organization Settings</h3>
+                                <p data-i18n="enterprise_org_desc">Workspace governance and organization capability status.</p>
+                            </div>
+                        </div>
+                        <div class="panel-body" id="enterprise-org-settings"></div>
+                    </article>
+                </section>
+
+                <section class="panel-grid">
+                    <article class="panel">
+                        <div class="panel-header">
+                            <div>
+                                <h3 data-i18n="enterprise_audit_export">Audit Export</h3>
+                                <p data-i18n="enterprise_audit_export_desc">Local export remains available in Community; retention is an Enterprise extension point.</p>
+                            </div>
+                        </div>
+                        <div class="panel-body" id="enterprise-audit-export"></div>
+                    </article>
+                    <article class="panel">
+                        <div class="panel-header">
+                            <div>
+                                <h3 data-i18n="enterprise_siem">SIEM Export</h3>
+                                <p data-i18n="enterprise_siem_desc">Preview the SIEM envelope without streaming external events in Community.</p>
+                            </div>
+                            <button class="btn" id="refresh-siem-btn" type="button"><i class="ti ti-refresh"></i> <span>SIEM</span></button>
+                        </div>
+                        <div class="panel-body">
+                            <div id="enterprise-siem-export"></div>
+                            <pre class="enterprise-json" id="enterprise-siem-preview"></pre>
+                        </div>
+                    </article>
+                </section>
+            </section>
+
             <section class="admin-view" id="admin-view-security" data-admin-view="security">
                 <!-- Security & Audit Command Center (피드백 #5) -->
                 <section class="panel" id="security-overview-panel">