ltcai 3.4.0 → 3.5.0

package/latticeai/core/config.py

@@ -86,6 +86,7 @@ class Config:
     invite_code: str
     invite_gate_enabled: bool
     admin_emails: List[str]
+    trusted_proxies: List[str]
 
     # ── models ──────────────────────────────────────────────────────
     public_model: str
@@ -139,6 +140,7 @@ class Config:
 
         cors_extra = [item.strip() for item in _value(env, "LATTICEAI_CORS_ALLOWED_ORIGINS", "").split(",") if item.strip()]
         admin_emails = [item.strip().lower() for item in _value(env, "LATTICEAI_ADMIN_EMAILS", "").split(",") if item.strip()]
+        trusted_proxies = [item.strip() for item in _value(env, "LATTICEAI_TRUSTED_PROXIES", "").split(",") if item.strip()]
 
         public_model = _value(env, "LATTICEAI_PUBLIC_MODEL", _value(env, "LATTICEAI_DEFAULT_MODEL", "openai:gpt-4o-mini"))
         local_model = _value(env, "LATTICEAI_LOCAL_MODEL", "mlx-community/gemma-4-12b-it-4bit")
@@ -170,6 +172,7 @@ class Config:
             invite_code=_value(env, "LATTICEAI_INVITE_CODE", "gemma-lattice-ai"),
             invite_gate_enabled=_bool(env, "LATTICEAI_INVITE_GATE_ENABLED", default=False),
             admin_emails=admin_emails,
+            trusted_proxies=trusted_proxies,
             public_model=public_model,
             local_model=local_model,
             local_draft_model=_value(env, "LATTICEAI_LOCAL_DRAFT_MODEL", ""),

package/latticeai/core/hooks.py

@@ -36,11 +36,23 @@ HOOK_KINDS = (
     "post_run",
     "pre_tool",
     "post_tool",
+    "pre_workflow",
+    "post_workflow",
+    "pre_upload",
+    "post_upload",
+    "pre_index",
+    "post_index",
     "agent",
-    "pipeline",
-    "workflow",
 )
 
+# Kinds retired in v3.4.1 in favour of the explicit pre_/post_ lifecycle pairs.
+# Accepted on input and mapped forward so older callers / persisted custom hooks
+# never break.
+LEGACY_KIND_ALIASES = {
+    "workflow": "post_workflow",
+    "pipeline": "post_index",
+}
+
 # Hook statuses a dispatch can record.
 HOOK_STATUSES = ("ok", "blocked", "error", "skipped", "advisory")
 
@@ -172,6 +184,55 @@ def hook_result(**kwargs: Any) -> HookResult:
     return HookResult(**kwargs)
 
 
+def dispatch_tool(
+    hooks: Any,
+    tool_name: str,
+    args: Any,
+    run_fn: Callable[[], Any],
+    *,
+    user_email: Optional[str] = None,
+    workspace_id: Optional[str] = None,
+    source: str = "",
+) -> Any:
+    """Run a tool through the shared ``pre_tool`` → execute → ``post_tool`` lifecycle.
+
+    This is the single tool-dispatch path so every caller (the HTTP ``/tools/*``
+    routes, the single-agent runtime in :mod:`latticeai.core.agent`, and the
+    workflow tool node) fires the same hooks. A blocking ``pre_tool`` hook raises
+    :class:`PermissionError`; a tool error still fires ``post_tool`` (status
+    ``error``) before re-raising. With ``hooks=None`` it is a transparent
+    pass-through, so the tool path is unchanged when hooks are absent.
+    """
+    if hooks is None:
+        return run_fn()
+    try:
+        arg_keys = list(args.keys()) if isinstance(args, dict) else []
+    except Exception:
+        arg_keys = []
+    pre = hooks.fire_hook(
+        "pre_tool", f"tool.{tool_name}",
+        payload={"tool": tool_name, "args_keys": arg_keys, "source": source},
+        user_email=user_email, workspace_id=workspace_id,
+    )
+    if pre.get("blocked"):
+        raise PermissionError(pre.get("block_reason") or f"Tool '{tool_name}' blocked by a pre_tool hook.")
+    try:
+        result = run_fn()
+    except Exception as exc:
+        hooks.fire_hook(
+            "post_tool", f"tool.{tool_name}",
+            payload={"tool": tool_name, "status": "error", "detail": str(exc), "source": source},
+            user_email=user_email, workspace_id=workspace_id,
+        )
+        raise
+    hooks.fire_hook(
+        "post_tool", f"tool.{tool_name}",
+        payload={"tool": tool_name, "status": "ok", "source": source},
+        user_email=user_email, workspace_id=workspace_id,
+    )
+    return result
+
+
 # Built-in hooks describe lifecycle points the platform already exercises. They
 # are honest reflections of existing behaviour (see the `binding` field), made
 # visible and orderable here. Disabling a `managed="platform"` hook is recorded
@@ -243,6 +304,11 @@ BUILTIN_HOOKS: List[Dict[str, Any]] = [
     },
 ]
 
+# Built-in hooks now bucket onto the v3.4.1 lifecycle pairs.
+for _hook in BUILTIN_HOOKS:
+    _hook["kind"] = LEGACY_KIND_ALIASES.get(_hook["kind"], _hook["kind"])
+del _hook
+
 
 class HooksRegistry:
     """Persisted registry of lifecycle hooks (built-in + user-registered)."""
@@ -305,6 +371,12 @@ class HooksRegistry:
             hook["enabled"] = bool(custom.get("enabled", True))
             hook["removable"] = True
             hooks.append(hook)
+        # Honest execution flag: a hook actually runs only if a runner is bound
+        # (built-ins) or it carries a command (user hooks); otherwise it is
+        # advisory (listed + ordered, but a no-op when fired).
+        for hook in hooks:
+            hook["executable"] = self.has_runner(hook["id"]) or bool(str(hook.get("command") or "").strip())
+            hook["advisory"] = not hook["executable"]
         hooks.sort(key=lambda h: (HOOK_KINDS.index(h["kind"]) if h["kind"] in HOOK_KINDS else 99, h.get("order", 100), h["id"]))
         return hooks
 
@@ -389,6 +461,7 @@ class HooksRegistry:
     ) -> Dict[str, Any]:
         if not str(name).strip():
             raise ValueError("name is required")
+        kind = LEGACY_KIND_ALIASES.get(kind, kind)
         if kind not in HOOK_KINDS:
             raise ValueError(f"kind must be one of {', '.join(HOOK_KINDS)}")
         slug = str(name).strip().lower().replace(" ", "-")
@@ -466,6 +539,7 @@ class HooksRegistry:
         was blocked, and a per-hook result list. A ``pre_*`` hook that blocks
         short-circuits the remaining hooks (fail-closed gate semantics).
         """
+        kind = LEGACY_KIND_ALIASES.get(kind, kind)
         if kind not in HOOK_KINDS:
             raise ValueError(f"kind must be one of {', '.join(HOOK_KINDS)}")
         if context is None:

package/latticeai/core/marketplace.py

@@ -11,7 +11,7 @@ from copy import deepcopy
 from typing import Any, Dict, List, Optional
 
 
-MARKETPLACE_VERSION = "3.4.0"
+MARKETPLACE_VERSION = "3.5.0"
 TEMPLATE_KINDS = ("plugin", "workflow", "agent")
 
 

package/latticeai/core/multi_agent.py

@@ -14,7 +14,7 @@ from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
 
 
-MULTI_AGENT_VERSION = "3.4.0"
+MULTI_AGENT_VERSION = "3.5.0"
 
 AGENT_ROLES = ("researcher", "planner", "executor", "reviewer", "release")
 CORE_PIPELINE = ("planner", "executor", "reviewer")

package/latticeai/core/oidc.py

@@ -0,0 +1,205 @@
+"""Self-contained OIDC ID-token validation.
+
+A JWT is ``base64url(header).base64url(claims).base64url(signature)``. The login
+flow must *never* trust a decoded payload on its own — without verifying the
+signature an attacker can forge any ``email``/``sub`` claim. This module verifies
+the RSA signature against the provider's published JWKS and then validates the
+standard registered claims plus the login ``nonce``.
+
+Design goals:
+
+* No third-party JWT dependency — only the standard library plus ``cryptography``
+  (already a transitive dependency, and pinned explicitly in ``pyproject.toml``).
+* **Fail-closed**: any anomaly raises :class:`OIDCValidationError`; the caller
+  must reject the login. There is no "best effort accept".
+* Asymmetric algorithms only (``RS256``/``RS384``/``RS512``). ``alg: none`` and
+  symmetric ``HS*`` tokens are rejected outright — the classic OIDC bypasses.
+* Pure and injectable: :func:`verify_id_token` takes the JWKS and clock as
+  arguments so every rejection path is unit-testable offline.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import time
+from typing import Any, Dict, List, Optional
+
+
+class OIDCValidationError(Exception):
+    """Raised when an OIDC ID token fails any validation step (fail-closed)."""
+
+
+# Asymmetric RSA algorithms only. Excluding HS*/none is deliberate: an attacker
+# who can set ``alg`` must not be able to downgrade to a symmetric or unsigned
+# token. Maps JWT alg name → cryptography hash name.
+_ALLOWED_ALGS: Dict[str, str] = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}
+
+
+def _b64url_decode(segment: str) -> bytes:
+    if not isinstance(segment, str) or not segment:
+        raise OIDCValidationError("empty JWT segment")
+    padding = "=" * (-len(segment) % 4)
+    try:
+        return base64.urlsafe_b64decode(segment + padding)
+    except Exception as exc:  # malformed base64
+        raise OIDCValidationError(f"invalid base64url segment: {exc}")
+
+
+def _b64url_uint(value: str) -> int:
+    return int.from_bytes(_b64url_decode(value), "big")
+
+
+def _split(token: str) -> List[str]:
+    parts = str(token or "").split(".")
+    if len(parts) != 3 or not all(parts):
+        raise OIDCValidationError("malformed JWT: expected three non-empty segments")
+    return parts
+
+
+def decode_unverified_header(token: str) -> Dict[str, Any]:
+    """Decode the JWT header WITHOUT verifying it (used only to pick the key)."""
+    header_b64 = _split(token)[0]
+    try:
+        header = json.loads(_b64url_decode(header_b64))
+    except Exception as exc:
+        raise OIDCValidationError(f"invalid JWT header: {exc}")
+    if not isinstance(header, dict):
+        raise OIDCValidationError("JWT header is not an object")
+    return header
+
+
+def _public_key_from_jwk(jwk: Dict[str, Any]):
+    if not isinstance(jwk, dict) or jwk.get("kty") != "RSA":
+        raise OIDCValidationError("unsupported JWK key type (RSA required)")
+    if not jwk.get("n") or not jwk.get("e"):
+        raise OIDCValidationError("JWK missing modulus/exponent")
+    from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
+
+    numbers = RSAPublicNumbers(_b64url_uint(jwk["e"]), _b64url_uint(jwk["n"]))
+    return numbers.public_key()
+
+
+def _candidate_keys(jwks: Any, kid: Optional[str]) -> List[Dict[str, Any]]:
+    keys = jwks.get("keys") if isinstance(jwks, dict) else jwks
+    if not isinstance(keys, list) or not keys:
+        raise OIDCValidationError("JWKS contains no keys")
+    rsa_keys = [k for k in keys if isinstance(k, dict) and k.get("kty") == "RSA"]
+    if kid:
+        matched = [k for k in rsa_keys if k.get("kid") == kid]
+        if not matched:
+            raise OIDCValidationError("no JWKS key matches the token 'kid'")
+        return matched
+    return rsa_keys
+
+
+def _verify_signature(token: str, jwks: Any) -> Dict[str, Any]:
+    header_b64, payload_b64, sig_b64 = _split(token)
+    header = decode_unverified_header(token)
+    alg = header.get("alg")
+    if alg not in _ALLOWED_ALGS:
+        # Rejects 'none' and symmetric HS* — the canonical signature-bypass attacks.
+        raise OIDCValidationError(f"unsupported or unsafe JWT alg: {alg!r}")
+
+    from cryptography.exceptions import InvalidSignature
+    from cryptography.hazmat.primitives import hashes
+    from cryptography.hazmat.primitives.asymmetric import padding
+
+    hash_obj = {"sha256": hashes.SHA256(), "sha384": hashes.SHA384(), "sha512": hashes.SHA512()}[
+        _ALLOWED_ALGS[alg]
+    ]
+    signature = _b64url_decode(sig_b64)
+    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
+
+    for jwk in _candidate_keys(jwks, header.get("kid")):
+        try:
+            public_key = _public_key_from_jwk(jwk)
+            public_key.verify(signature, signing_input, padding.PKCS1v15(), hash_obj)
+        except (InvalidSignature, OIDCValidationError):
+            continue
+        # Signature verified — now it is safe to parse the claims.
+        try:
+            claims = json.loads(_b64url_decode(payload_b64))
+        except Exception as exc:
+            raise OIDCValidationError(f"invalid JWT claims JSON: {exc}")
+        if not isinstance(claims, dict):
+            raise OIDCValidationError("JWT claims are not an object")
+        return claims
+
+    raise OIDCValidationError("signature verification failed against all JWKS keys")
+
+
+def verify_id_token(
+    id_token: str,
+    *,
+    jwks: Any,
+    issuer: str,
+    audience: str,
+    nonce: Optional[str] = None,
+    now: Optional[float] = None,
+    leeway: int = 60,
+) -> Dict[str, Any]:
+    """Verify an OIDC ID token and return its claims, or raise ``OIDCValidationError``.
+
+    Validates, in order: signature (against ``jwks``, RSA only), ``iss``, ``aud``
+    (and ``azp`` when multi-audience), ``exp``, ``iat``/``nbf``, and ``nonce``.
+    All checks are fail-closed.
+    """
+    if not id_token:
+        raise OIDCValidationError("missing id_token")
+    if not issuer:
+        raise OIDCValidationError("issuer not configured")
+    if not audience:
+        raise OIDCValidationError("audience (client_id) not configured")
+
+    claims = _verify_signature(id_token, jwks)
+    current = int(now if now is not None else time.time())
+
+    if claims.get("iss") != issuer:
+        raise OIDCValidationError("issuer mismatch")
+
+    aud = claims.get("aud")
+    audiences = aud if isinstance(aud, list) else [aud]
+    if audience not in audiences:
+        raise OIDCValidationError("audience mismatch")
+    if isinstance(aud, list) and len(aud) > 1 and claims.get("azp") not in (None, audience):
+        raise OIDCValidationError("azp (authorized party) mismatch")
+
+    exp = claims.get("exp")
+    if exp is None:
+        raise OIDCValidationError("token missing 'exp'")
+    if current > int(exp) + leeway:
+        raise OIDCValidationError("token expired")
+
+    iat = claims.get("iat")
+    if iat is not None and int(iat) - leeway > current:
+        raise OIDCValidationError("token 'iat' is in the future")
+
+    nbf = claims.get("nbf")
+    if nbf is not None and int(nbf) - leeway > current:
+        raise OIDCValidationError("token not yet valid ('nbf')")
+
+    if nonce is not None and claims.get("nonce") != nonce:
+        raise OIDCValidationError("nonce mismatch")
+
+    return claims
+
+
+async def fetch_jwks(jwks_uri: str, *, timeout: float = 15.0) -> Dict[str, Any]:
+    """Fetch a provider JWKS document. Network-only; injectable in tests."""
+    if not jwks_uri:
+        raise OIDCValidationError("discovery document has no 'jwks_uri'")
+    import httpx
+
+    async with httpx.AsyncClient() as client:
+        resp = await client.get(jwks_uri, timeout=timeout)
+        resp.raise_for_status()
+        return resp.json()
+
+
+__all__ = [
+    "OIDCValidationError",
+    "verify_id_token",
+    "fetch_jwks",
+    "decode_unverified_header",
+]

package/latticeai/core/security.py

@@ -35,12 +35,66 @@ def host_is_loopback(host: str) -> bool:
         return False
 
 
+# ── Trusted-proxy handling ────────────────────────────────────────────────────
+# ``client_ip`` is the key used for IP rate limiting (login / register) and for
+# audit logging. A forwarded header (``X-Forwarded-For`` / ``CF-Connecting-IP``)
+# is *client-controllable*, so honoring it unconditionally lets anyone spoof
+# their source IP and bypass per-IP rate limits. We therefore trust those headers
+# ONLY when the direct peer is a configured trusted proxy (e.g. the Cloudflare /
+# Vercel edge in front of the app). Default: no trusted proxies → use the peer
+# address, which is the safe, local-first behaviour.
+_FORWARDED_HEADERS = ("CF-Connecting-IP", "X-Forwarded-For")
+_trusted_proxies: List["ipaddress._BaseNetwork"] = []
+
+
+def configure_trusted_proxies(values) -> int:
+    """Set the trusted-proxy allowlist from IPs / CIDRs. Returns the count parsed.
+
+    Accepts a comma-separated string or an iterable of IPs/CIDRs. Invalid entries
+    are skipped. Passing an empty value disables forwarded-header trust entirely.
+    """
+    global _trusted_proxies
+    if isinstance(values, str):
+        items = [v.strip() for v in values.split(",")]
+    else:
+        items = [str(v).strip() for v in (values or [])]
+    networks: List["ipaddress._BaseNetwork"] = []
+    for item in items:
+        if not item:
+            continue
+        try:
+            networks.append(ipaddress.ip_network(item, strict=False))
+        except ValueError:
+            continue
+    _trusted_proxies = networks
+    return len(networks)
+
+
+def _peer_is_trusted_proxy(peer: str) -> bool:
+    if not peer or not _trusted_proxies:
+        return False
+    try:
+        addr = ipaddress.ip_address(peer)
+    except ValueError:
+        return False
+    return any(addr in net for net in _trusted_proxies)
+
+
 def client_ip(request) -> str:
-    for header in ("CF-Connecting-IP", "X-Forwarded-For"):
-        val = request.headers.get(header)
-        if val:
-            return val.split(",")[0].strip()
-    return request.client.host if request.client else "unknown"
+    peer = request.client.host if request.client else ""
+    # Only a trusted proxy's forwarded headers are honoured; otherwise the
+    # client-supplied header is ignored so per-IP rate limits cannot be spoofed.
+    if _peer_is_trusted_proxy(peer):
+        for header in _FORWARDED_HEADERS:
+            val = request.headers.get(header)
+            if val:
+                candidate = val.split(",")[0].strip()
+                try:
+                    ipaddress.ip_address(candidate)
+                    return candidate
+                except ValueError:
+                    continue
+    return peer or "unknown"
 
 
 _FILE_MAGIC: Dict[str, List[bytes]] = {

package/latticeai/core/workflow_engine.py

@@ -227,7 +227,7 @@ class WorkflowEngine:
         run = WorkflowRun(workflow_id=definition.get("id"), name=definition.get("name") or "workflow")
         if self.hooks is not None:
             self.hooks.fire_hook(
-                "workflow", "workflow.start",
+                "pre_workflow", "workflow.start",
                 payload={"workflow_id": definition.get("id"), "name": definition.get("name"), "valid": not errors},
             )
         if errors:
@@ -236,7 +236,7 @@ class WorkflowEngine:
             run.finished_at = _now()
             if self.hooks is not None:
                 self.hooks.fire_hook(
-                    "workflow", "workflow.end",
+                    "post_workflow", "workflow.end",
                     payload={"workflow_id": definition.get("id"), "status": run.status},
                 )
             return run
@@ -316,7 +316,7 @@ class WorkflowEngine:
         run.finished_at = _now()
         if self.hooks is not None:
             self.hooks.fire_hook(
-                "workflow", "workflow.end",
+                "post_workflow", "workflow.end",
                 payload={"workflow_id": definition.get("id"), "name": definition.get("name"),
                          "status": run.status, "steps": steps},
             )

package/latticeai/core/workspace_os.py

@@ -18,7 +18,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional
 
 
-WORKSPACE_OS_VERSION = "3.4.0"
+WORKSPACE_OS_VERSION = "3.5.0"
 
 # Workspace types separate single-user Personal workspaces from shared
 # Organization workspaces. Both keep the same local-first JSON store; the type

package/latticeai/server_app.py

@@ -40,6 +40,7 @@ from latticeai.core.security import (
     verify_password,
     host_is_loopback as _host_is_loopback_impl,
     client_ip as _client_ip_impl,
+    configure_trusted_proxies as _configure_trusted_proxies,
     bytes_match_extension as _bytes_match_extension_impl,
     redact_secret_text as _redact_secret_text,
     check_ip_rate_limit as _check_ip_rate_limit,
@@ -115,6 +116,7 @@ from latticeai.api.garden import create_garden_router
 from latticeai.api.setup import create_setup_router
 from latticeai.api.hooks import create_hooks_router
 from latticeai.core.hooks import HooksRegistry
+from latticeai.core.builtin_hooks import register_builtin_hook_runners
 from latticeai.api.agent_registry import create_agent_registry_router
 from latticeai.core.agent_registry import AgentRegistry
 from latticeai.api.memory import create_memory_router
@@ -156,6 +158,12 @@ from datetime import datetime
 CONFIG = Config.from_env()
 APP_VERSION = WORKSPACE_OS_VERSION
 
+# Forwarded headers (X-Forwarded-For / CF-Connecting-IP) are only honoured for
+# IP rate limiting when the direct peer is one of these trusted proxies. Empty by
+# default (local-first): the peer address is used and client-supplied headers are
+# ignored, so per-IP rate limits cannot be spoofed.
+_configure_trusted_proxies(CONFIG.trusted_proxies)
+
 APP_MODE = CONFIG.app_mode
 IS_PUBLIC_MODE = CONFIG.is_public
 DEFAULT_HOST = CONFIG.host
@@ -286,7 +294,10 @@ KNOWLEDGE_GRAPH = KnowledgeGraphStore(
     DATA_DIR / "knowledge_graph_blobs",
     embedder=EMBEDDER.provider,
 ) if ENABLE_GRAPH else None
-LOCAL_KG_WATCHER = LocalKnowledgeWatcher(lambda: KNOWLEDGE_GRAPH) if ENABLE_GRAPH else None
+# Hooks registry is constructed here (ahead of the watcher) so folder-watch
+# reindexes can fire the pre_index/post_index lifecycle hooks.
+HOOKS_REGISTRY = HooksRegistry(DATA_DIR / "hooks.json")
+LOCAL_KG_WATCHER = LocalKnowledgeWatcher(lambda: KNOWLEDGE_GRAPH, hooks=HOOKS_REGISTRY) if ENABLE_GRAPH else None
 # ── v2 Realtime bus: constructed first so the store can fan every timeline
 # event into the realtime feed via a single additive sink (no per-call wiring).
 REALTIME_BUS = RealtimeBus()
@@ -300,7 +311,7 @@ PLUGIN_REGISTRY = PluginRegistry(PLUGINS_DIR, store=WORKSPACE_OS)
 TEMPLATE_CATALOG = TemplateCatalog()
 # ── v3.2 platform registries: lifecycle hooks + agent registry, persisted under
 # DATA_DIR so the /app Hooks and Agent Registry views read/write real state.
-HOOKS_REGISTRY = HooksRegistry(DATA_DIR / "hooks.json")
+# (HOOKS_REGISTRY is constructed earlier, before the local-knowledge watcher.)
 AGENT_REGISTRY = AgentRegistry(DATA_DIR / "agent_registry.json")
 # Unified long-term memory platform fronting workspace memories, agent
 # snapshots, conversation history, and the KG graph/vector index.
@@ -1275,6 +1286,7 @@ PLATFORM = PlatformRuntime(
     workspace_graph=_workspace_graph,
     workspace_scope_from_request=_workspace_scope_from_request,
     get_tool_permission=get_tool_permission,
+    hooks=HOOKS_REGISTRY,
 )
 
 # Single AgentRuntime boundary over the orchestrator + run store.
@@ -1290,38 +1302,13 @@ AGENT_RUNTIME = AgentRuntime(
 # The registry lists built-in hooks; binding a runner here makes them *execute*
 # real platform behaviour when fired (not a placeholder). Runners take a
 # HookContext and may mutate its payload, return a status dict, or block.
-def _hook_redact_secrets(context):
-    """pre_run — strip secret-like keys from the agent context packet."""
-    secret_re = ("token", "password", "passwd", "secret", "api_key", "apikey",
-                 "authorization", "auth", "cookie", "session", "private_key")
-    redacted = []
-    payload = context.payload if isinstance(context.payload, dict) else {}
-    for key in list(payload.keys()):
-        if any(s in str(key).lower() for s in secret_re):
-            payload[key] = "***redacted***"
-            redacted.append(key)
-    return {"status": "ok", "output": f"redacted {len(redacted)} field(s)" if redacted else "no secrets present"}
-
-def _hook_audit_agent_run(context):
-    """post_run — append the completed agent run to the workspace audit log."""
-    p = context.payload if isinstance(context.payload, dict) else {}
-    append_audit_event(
-        "hook_post_run",
-        user_email=context.user_email,
-        run_id=p.get("run_id"),
-        agent_id=p.get("agent_id"),
-        status=p.get("status"),
-    )
-    return {"status": "ok", "output": f"audited run {p.get('run_id') or ''}".strip()}
-
-def _hook_pipeline_index_status(context):
-    """pipeline — record ingest/embed/graph-build pipeline state for the index."""
-    p = context.payload if isinstance(context.payload, dict) else {}
-    return {"status": "ok", "output": f"pipeline {context.event}: indexed={p.get('indexed')}"}
-
-HOOKS_REGISTRY.register_hook("builtin:redact-secrets", _hook_redact_secrets)
-HOOKS_REGISTRY.register_hook("builtin:audit-agent-run", _hook_audit_agent_run)
-HOOKS_REGISTRY.register_hook("builtin:pipeline-index-status", _hook_pipeline_index_status)
+# Bind a real runner to every built-in hook so none is a silent no-op.
+register_builtin_hook_runners(
+    HOOKS_REGISTRY,
+    append_audit_event=append_audit_event,
+    get_tool_permission=get_tool_permission,
+    classify_sensitive_message=classify_sensitive_message,
+)
 
 app.include_router(create_plugins_router(
     registry=PLUGIN_REGISTRY,
@@ -1435,6 +1422,7 @@ app.include_router(create_models_router(
 
 app.include_router(create_chat_router(
     config=CONFIG,
+    hooks=HOOKS_REGISTRY,
     model_router=router,
     chat_service=CHAT_SERVICE,
     workspace_store=WORKSPACE_OS,

package/latticeai/services/platform_runtime.py

@@ -17,6 +17,7 @@ from typing import Any, Callable, Dict, Optional, Set
 
 from fastapi import HTTPException, Request
 
+from latticeai.core.hooks import dispatch_tool
 from latticeai.core.multi_agent import MultiAgentOrchestrator, default_role_runner
 from latticeai.core.workflow_engine import WorkflowEngine
 
@@ -32,6 +33,7 @@ class PlatformRuntime:
         workspace_graph: Callable[[], Any],
         workspace_scope_from_request: Callable[[Request], Optional[str]],
         get_tool_permission: Callable[..., Dict[str, Any]],
+        hooks: Any = None,
     ):
         self.store = store
         self.svc = workspace_service
@@ -40,6 +42,9 @@ class PlatformRuntime:
         self.workspace_graph = workspace_graph
         self.scope_from_request = workspace_scope_from_request
         self.get_tool_permission = get_tool_permission
+        # Lifecycle hooks registry — wires the workflow runtime + workflow tool
+        # nodes into the same pre_*/post_* lifecycle as the HTTP + agent paths.
+        self.hooks = hooks
 
     # ── request gating ────────────────────────────────────────────────────
 
@@ -77,11 +82,18 @@ class PlatformRuntime:
         def runner(*, node, context):
             cfg = node.get("config") or {}
             name = cfg.get("tool") or ""
-            try:
-                permission = dict(self.get_tool_permission(name))
-            except Exception:
-                permission = {"tool": name, "risk": "unknown"}
-            return {"tool": name, "args": cfg.get("args") or {}, "recorded": True, "permission": permission}
+            args = cfg.get("args") or {}
+
+            def _record():
+                try:
+                    permission = dict(self.get_tool_permission(name))
+                except Exception:
+                    permission = {"tool": name, "risk": "unknown"}
+                return {"tool": name, "args": args, "recorded": True, "permission": permission}
+
+            # Same tool lifecycle as the HTTP + agent paths (a pre_tool block
+            # raises PermissionError, surfaced as the node error by the engine).
+            return dispatch_tool(self.hooks, name or "tool", args, _record, source="workflow")
         return runner
 
     def _skill_node_runner(self):
@@ -158,7 +170,7 @@ class PlatformRuntime:
         }
         if with_agent:
             runners["agent"] = self._agent_node_runner(user, scope)
-        result = WorkflowEngine(runners).run(workflow, inputs=inputs or {})
+        result = WorkflowEngine(runners, hooks=self.hooks).run(workflow, inputs=inputs or {})
         run = self.store.record_workflow_run(
             workflow_id=workflow_id, name=workflow.get("name") or "workflow",
             status=result.status, timeline=result.timeline, outputs=result.outputs,

package/latticeai/services/tool_dispatch.py

@@ -103,6 +103,7 @@ def build_agent_runtime(
     clear_history: Callable[[int], Dict[str, Any]],
     knowledge_save: Callable[..., Dict[str, Any]],
     audit: Callable[..., None],
+    hooks: Any = None,
 ) -> AgentRuntime:
     ensure_agent_root()
     deps = AgentDeps(
@@ -123,6 +124,7 @@ def build_agent_runtime(
         critic_prompt=CRITIC_PROMPT,
         memory_updater_prompt=MEMORY_UPDATER_PROMPT,
         agent_root=AGENT_ROOT,
+        hooks=hooks,
     )
     return AgentRuntime(deps)