ltcai 3.4.1 → 3.5.0

package/latticeai/api/chat.py

@@ -24,6 +24,7 @@ from PIL import Image
 from latticeai.core.agent import AgentRunContext, AgentState
 from latticeai.core.context_builder import format_sources_footnote, retrieve_context_for_generation
 from latticeai.core.document_generator import DocumentGenerationSession, detect_document_intent
+from latticeai.core.hooks import dispatch_tool
 from latticeai.services.chat_service import ChatService
 from latticeai.services.tool_dispatch import build_agent_runtime, collect_created_files
 from telegram_bot import broadcast_web_chat
@@ -653,7 +654,9 @@ def create_chat_router(
         for case in eval_cases:
             case_id = case.get("id", "?")
             try:
-                result   = execute_tool(action_name, case.get("input", {}))
+                case_input = case.get("input", {})
+                result   = dispatch_tool(hooks, action_name, case_input,
+                                         lambda: execute_tool(action_name, case_input), source="eval")
                 criteria = case.get("pass_criteria", "")
                 if "success == true" in criteria:
                     passed = result.get("success") is True

package/latticeai/api/computer_use.py

@@ -11,6 +11,7 @@ from fastapi.responses import StreamingResponse
 from pydantic import BaseModel
 
 from latticeai.core.agent import extract_action as _extract_agent_action
+from latticeai.core.hooks import dispatch_tool
 from tools import (
     ToolError,
     computer_click,
@@ -105,9 +106,15 @@ class CuDragRequest(BaseModel):
     y2: int
 
 
-def create_computer_use_router(*, model_router, require_user, tool_response, save_to_history) -> APIRouter:
+def create_computer_use_router(*, model_router, require_user, tool_response, save_to_history, hooks=None) -> APIRouter:
     router = APIRouter()
 
+    def _dispatch(name, args, fn):
+        # Run a computer-use action through the unified pre_tool/post_tool
+        # lifecycle. With hooks=None this is a transparent pass-through, so the
+        # behaviour is unchanged when hooks are absent.
+        return dispatch_tool(hooks, name, dict(args or {}), fn, source="computer_use")
+
     @router.get("/tools/chrome_status")
     async def tools_chrome_status(request: Request):
         require_user(request)
@@ -122,7 +129,9 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
     async def cu_status(request: Request):
         require_user(request)
         try:
-            return computer_status()
+            return _dispatch("computer_status", {}, computer_status)
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc))
         except ToolError as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 
@@ -130,7 +139,9 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
     async def cu_screenshot(request: Request):
         require_user(request)
         try:
-            return computer_screenshot()
+            return _dispatch("computer_screenshot", {}, computer_screenshot)
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc))
         except ToolError as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 
@@ -196,7 +207,8 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
                             "action",
                             {"step": 1, "action": "computer_open_url", "args": {"url": url, "app": "Google Chrome"}},
                         )
-                        result = computer_open_url(url, "Google Chrome")
+                        result = _dispatch("computer_open_url", {"url": url, "app": "Google Chrome"},
+                                           lambda: computer_open_url(url, "Google Chrome"))
                         yield _send("result", {"step": 1, "action": "computer_open_url", "result": result})
                         message = f"Google Chrome에서 {url}을 열었습니다."
                         action_name = "computer_open_url"
@@ -205,14 +217,15 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
                             "action",
                             {"step": 1, "action": "computer_open_app", "args": {"app": "Google Chrome"}},
                         )
-                        result = computer_open_app("Google Chrome")
+                        result = _dispatch("computer_open_app", {"app": "Google Chrome"},
+                                           lambda: computer_open_app("Google Chrome"))
                         yield _send("result", {"step": 1, "action": "computer_open_app", "result": result})
                         message = "Google Chrome을 열었습니다."
                         action_name = "computer_open_app"
                     save_to_history("user", req.task, source="web", conversation_id=req.conversation_id)
                     save_to_history("assistant", message, source="web", conversation_id=req.conversation_id)
                     yield _send("final", {"message": message, "steps": [{"step": 1, "action": action_name, "result": result}]})
-                except ToolError as exc:
+                except (ToolError, PermissionError) as exc:
                     yield _send("tool_error", {"step": 1, "action": "computer_open_app", "error": str(exc)})
                 return
 
@@ -256,7 +269,7 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
 
                 yield _send("action", {"step": step + 1, "action": name, "args": args})
                 try:
-                    result = execute_tool(name, args)
+                    result = _dispatch(name, args, lambda: execute_tool(name, args))
                     if name == "computer_screenshot" and "screenshot_b64" in result:
                         last_screenshot_b64 = result["screenshot_b64"]
                         result_summary = {k: v for k, v in result.items() if k != "screenshot_b64"}
@@ -275,7 +288,7 @@ def create_computer_use_router(*, model_router, require_user, tool_response, sav
                         last_screenshot_b64 = None
                         transcript.append({"step": step + 1, "action": name, "args": args, "result": result})
                         yield _send("result", {"step": step + 1, "action": name, "result": result})
-                except (ToolError, KeyError, TypeError) as exc:
+                except (ToolError, PermissionError, KeyError, TypeError) as exc:
                     error_str = str(exc)
                     transcript.append({"step": step + 1, "action": name, "args": args, "error": error_str})
                     yield _send("tool_error", {"step": step + 1, "action": name, "error": error_str})

package/latticeai/api/tools.py

@@ -221,17 +221,30 @@ def create_tools_router(
 
     # ── Direct Tool API ───────────────────────────────────────────────────────────
     
-    def _tool_response(fn, *args):
+    def _tool_response(fn, *args, **kwargs):
         # Shared tool lifecycle (same path as the agent + workflow tool calls):
-        # pre_tool (may block) → execute → post_tool.
+        # pre_tool (may block) → execute → post_tool. Keyword args are forwarded
+        # to the tool and surfaced in the hook payload so read_file / edit_file /
+        # grep (which need kwargs) run through the SAME lifecycle as every other
+        # tool instead of bypassing it.
         tool_name = getattr(fn, "__name__", "tool")
         try:
-            result = dispatch_tool(HOOKS, tool_name, {}, lambda: fn(*args), source="http")
+            result = dispatch_tool(HOOKS, tool_name, dict(kwargs), lambda: fn(*args, **kwargs), source="http")
         except PermissionError as exc:
             raise HTTPException(status_code=403, detail=str(exc))
         except ToolError as exc:
             raise HTTPException(status_code=400, detail=str(exc))
         return {"status": "ok", "workspace": str(AGENT_ROOT), "result": result}
+
+    def _dispatch(tool_name, args, fn):
+        # Lifecycle wrapper for callables that aren't a plain tools.* function
+        # (e.g. the server's clear_history). Same pre_tool/post_tool path.
+        try:
+            return dispatch_tool(HOOKS, tool_name, dict(args or {}), fn, source="http")
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc))
+        except ToolError as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
     
     
     @api_router.post("/tools/list_dir")
@@ -249,11 +262,7 @@ def create_tools_router(
     @api_router.post("/tools/read_file")
     async def tools_read_file(req: ToolReadFileRequest, request: Request):
         require_user(request)
-        try:
-            return {"status": "ok", "workspace": str(AGENT_ROOT),
-                    "result": read_file(req.path, offset=req.offset, limit=req.limit, line_numbers=req.line_numbers)}
-        except ToolError as exc:
-            raise HTTPException(status_code=400, detail=str(exc))
+        return _tool_response(read_file, req.path, offset=req.offset, limit=req.limit, line_numbers=req.line_numbers)
     
     
     @api_router.post("/tools/write_file")
@@ -265,11 +274,7 @@ def create_tools_router(
     @api_router.post("/tools/edit_file")
     async def tools_edit_file(req: ToolEditFileRequest, request: Request):
         require_user(request)
-        try:
-            return {"status": "ok", "workspace": str(AGENT_ROOT),
-                    "result": edit_file(req.path, req.old_string, req.new_string, replace_all=req.replace_all)}
-        except ToolError as exc:
-            raise HTTPException(status_code=400, detail=str(exc))
+        return _tool_response(edit_file, req.path, req.old_string, req.new_string, replace_all=req.replace_all)
     
     
     @api_router.post("/tools/search_files")
@@ -281,18 +286,15 @@ def create_tools_router(
     @api_router.post("/tools/grep")
     async def tools_grep(req: ToolGrepRequest, request: Request):
         require_user(request)
-        try:
-            return {"status": "ok", "workspace": str(AGENT_ROOT),
-                    "result": grep(
-                        req.pattern,
-                        path=req.path,
-                        glob=req.glob,
-                        max_results=req.max_results,
-                        case_insensitive=req.case_insensitive,
-                        context_lines=req.context_lines,
-                    )}
-        except ToolError as exc:
-            raise HTTPException(status_code=400, detail=str(exc))
+        return _tool_response(
+            grep,
+            req.pattern,
+            path=req.path,
+            glob=req.glob,
+            max_results=req.max_results,
+            case_insensitive=req.case_insensitive,
+            context_lines=req.context_lines,
+        )
     
     
     @api_router.post("/tools/todo_read")
@@ -310,7 +312,7 @@ def create_tools_router(
     @api_router.post("/tools/clear_history")
     async def tools_clear_history(req: ToolClearHistoryRequest, request: Request):
         current_user = require_user(request)
-        result = clear_history(req.keep_last)
+        result = _dispatch("clear_history", {"keep_last": req.keep_last}, lambda: clear_history(req.keep_last))
         append_audit_event(
             "history_delete",
             user_email=current_user,
@@ -461,6 +463,7 @@ def create_tools_router(
         require_user=require_user,
         tool_response=_tool_response,
         save_to_history=save_to_history,
+        hooks=HOOKS,
     ))
 
     @api_router.post("/tools/knowledge_save")

package/latticeai/core/config.py

@@ -86,6 +86,7 @@ class Config:
     invite_code: str
     invite_gate_enabled: bool
     admin_emails: List[str]
+    trusted_proxies: List[str]
 
     # ── models ──────────────────────────────────────────────────────
     public_model: str
@@ -139,6 +140,7 @@ class Config:
 
         cors_extra = [item.strip() for item in _value(env, "LATTICEAI_CORS_ALLOWED_ORIGINS", "").split(",") if item.strip()]
         admin_emails = [item.strip().lower() for item in _value(env, "LATTICEAI_ADMIN_EMAILS", "").split(",") if item.strip()]
+        trusted_proxies = [item.strip() for item in _value(env, "LATTICEAI_TRUSTED_PROXIES", "").split(",") if item.strip()]
 
         public_model = _value(env, "LATTICEAI_PUBLIC_MODEL", _value(env, "LATTICEAI_DEFAULT_MODEL", "openai:gpt-4o-mini"))
         local_model = _value(env, "LATTICEAI_LOCAL_MODEL", "mlx-community/gemma-4-12b-it-4bit")
@@ -170,6 +172,7 @@ class Config:
             invite_code=_value(env, "LATTICEAI_INVITE_CODE", "gemma-lattice-ai"),
             invite_gate_enabled=_bool(env, "LATTICEAI_INVITE_GATE_ENABLED", default=False),
             admin_emails=admin_emails,
+            trusted_proxies=trusted_proxies,
             public_model=public_model,
             local_model=local_model,
             local_draft_model=_value(env, "LATTICEAI_LOCAL_DRAFT_MODEL", ""),

package/latticeai/core/marketplace.py

@@ -11,7 +11,7 @@ from copy import deepcopy
 from typing import Any, Dict, List, Optional
 
 
-MARKETPLACE_VERSION = "3.4.1"
+MARKETPLACE_VERSION = "3.5.0"
 TEMPLATE_KINDS = ("plugin", "workflow", "agent")
 
 

package/latticeai/core/multi_agent.py

@@ -14,7 +14,7 @@ from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
 
 
-MULTI_AGENT_VERSION = "3.4.1"
+MULTI_AGENT_VERSION = "3.5.0"
 
 AGENT_ROLES = ("researcher", "planner", "executor", "reviewer", "release")
 CORE_PIPELINE = ("planner", "executor", "reviewer")

package/latticeai/core/oidc.py

@@ -0,0 +1,205 @@
+"""Self-contained OIDC ID-token validation.
+
+A JWT is ``base64url(header).base64url(claims).base64url(signature)``. The login
+flow must *never* trust a decoded payload on its own — without verifying the
+signature an attacker can forge any ``email``/``sub`` claim. This module verifies
+the RSA signature against the provider's published JWKS and then validates the
+standard registered claims plus the login ``nonce``.
+
+Design goals:
+
+* No third-party JWT dependency — only the standard library plus ``cryptography``
+  (already a transitive dependency, and pinned explicitly in ``pyproject.toml``).
+* **Fail-closed**: any anomaly raises :class:`OIDCValidationError`; the caller
+  must reject the login. There is no "best effort accept".
+* Asymmetric algorithms only (``RS256``/``RS384``/``RS512``). ``alg: none`` and
+  symmetric ``HS*`` tokens are rejected outright — the classic OIDC bypasses.
+* Pure and injectable: :func:`verify_id_token` takes the JWKS and clock as
+  arguments so every rejection path is unit-testable offline.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import time
+from typing import Any, Dict, List, Optional
+
+
+class OIDCValidationError(Exception):
+    """Raised when an OIDC ID token fails any validation step (fail-closed)."""
+
+
+# Asymmetric RSA algorithms only. Excluding HS*/none is deliberate: an attacker
+# who can set ``alg`` must not be able to downgrade to a symmetric or unsigned
+# token. Maps JWT alg name → cryptography hash name.
+_ALLOWED_ALGS: Dict[str, str] = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}
+
+
+def _b64url_decode(segment: str) -> bytes:
+    if not isinstance(segment, str) or not segment:
+        raise OIDCValidationError("empty JWT segment")
+    padding = "=" * (-len(segment) % 4)
+    try:
+        return base64.urlsafe_b64decode(segment + padding)
+    except Exception as exc:  # malformed base64
+        raise OIDCValidationError(f"invalid base64url segment: {exc}")
+
+
+def _b64url_uint(value: str) -> int:
+    return int.from_bytes(_b64url_decode(value), "big")
+
+
+def _split(token: str) -> List[str]:
+    parts = str(token or "").split(".")
+    if len(parts) != 3 or not all(parts):
+        raise OIDCValidationError("malformed JWT: expected three non-empty segments")
+    return parts
+
+
+def decode_unverified_header(token: str) -> Dict[str, Any]:
+    """Decode the JWT header WITHOUT verifying it (used only to pick the key)."""
+    header_b64 = _split(token)[0]
+    try:
+        header = json.loads(_b64url_decode(header_b64))
+    except Exception as exc:
+        raise OIDCValidationError(f"invalid JWT header: {exc}")
+    if not isinstance(header, dict):
+        raise OIDCValidationError("JWT header is not an object")
+    return header
+
+
+def _public_key_from_jwk(jwk: Dict[str, Any]):
+    if not isinstance(jwk, dict) or jwk.get("kty") != "RSA":
+        raise OIDCValidationError("unsupported JWK key type (RSA required)")
+    if not jwk.get("n") or not jwk.get("e"):
+        raise OIDCValidationError("JWK missing modulus/exponent")
+    from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
+
+    numbers = RSAPublicNumbers(_b64url_uint(jwk["e"]), _b64url_uint(jwk["n"]))
+    return numbers.public_key()
+
+
+def _candidate_keys(jwks: Any, kid: Optional[str]) -> List[Dict[str, Any]]:
+    keys = jwks.get("keys") if isinstance(jwks, dict) else jwks
+    if not isinstance(keys, list) or not keys:
+        raise OIDCValidationError("JWKS contains no keys")
+    rsa_keys = [k for k in keys if isinstance(k, dict) and k.get("kty") == "RSA"]
+    if kid:
+        matched = [k for k in rsa_keys if k.get("kid") == kid]
+        if not matched:
+            raise OIDCValidationError("no JWKS key matches the token 'kid'")
+        return matched
+    return rsa_keys
+
+
+def _verify_signature(token: str, jwks: Any) -> Dict[str, Any]:
+    header_b64, payload_b64, sig_b64 = _split(token)
+    header = decode_unverified_header(token)
+    alg = header.get("alg")
+    if alg not in _ALLOWED_ALGS:
+        # Rejects 'none' and symmetric HS* — the canonical signature-bypass attacks.
+        raise OIDCValidationError(f"unsupported or unsafe JWT alg: {alg!r}")
+
+    from cryptography.exceptions import InvalidSignature
+    from cryptography.hazmat.primitives import hashes
+    from cryptography.hazmat.primitives.asymmetric import padding
+
+    hash_obj = {"sha256": hashes.SHA256(), "sha384": hashes.SHA384(), "sha512": hashes.SHA512()}[
+        _ALLOWED_ALGS[alg]
+    ]
+    signature = _b64url_decode(sig_b64)
+    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
+
+    for jwk in _candidate_keys(jwks, header.get("kid")):
+        try:
+            public_key = _public_key_from_jwk(jwk)
+            public_key.verify(signature, signing_input, padding.PKCS1v15(), hash_obj)
+        except (InvalidSignature, OIDCValidationError):
+            continue
+        # Signature verified — now it is safe to parse the claims.
+        try:
+            claims = json.loads(_b64url_decode(payload_b64))
+        except Exception as exc:
+            raise OIDCValidationError(f"invalid JWT claims JSON: {exc}")
+        if not isinstance(claims, dict):
+            raise OIDCValidationError("JWT claims are not an object")
+        return claims
+
+    raise OIDCValidationError("signature verification failed against all JWKS keys")
+
+
+def verify_id_token(
+    id_token: str,
+    *,
+    jwks: Any,
+    issuer: str,
+    audience: str,
+    nonce: Optional[str] = None,
+    now: Optional[float] = None,
+    leeway: int = 60,
+) -> Dict[str, Any]:
+    """Verify an OIDC ID token and return its claims, or raise ``OIDCValidationError``.
+
+    Validates, in order: signature (against ``jwks``, RSA only), ``iss``, ``aud``
+    (and ``azp`` when multi-audience), ``exp``, ``iat``/``nbf``, and ``nonce``.
+    All checks are fail-closed.
+    """
+    if not id_token:
+        raise OIDCValidationError("missing id_token")
+    if not issuer:
+        raise OIDCValidationError("issuer not configured")
+    if not audience:
+        raise OIDCValidationError("audience (client_id) not configured")
+
+    claims = _verify_signature(id_token, jwks)
+    current = int(now if now is not None else time.time())
+
+    if claims.get("iss") != issuer:
+        raise OIDCValidationError("issuer mismatch")
+
+    aud = claims.get("aud")
+    audiences = aud if isinstance(aud, list) else [aud]
+    if audience not in audiences:
+        raise OIDCValidationError("audience mismatch")
+    if isinstance(aud, list) and len(aud) > 1 and claims.get("azp") not in (None, audience):
+        raise OIDCValidationError("azp (authorized party) mismatch")
+
+    exp = claims.get("exp")
+    if exp is None:
+        raise OIDCValidationError("token missing 'exp'")
+    if current > int(exp) + leeway:
+        raise OIDCValidationError("token expired")
+
+    iat = claims.get("iat")
+    if iat is not None and int(iat) - leeway > current:
+        raise OIDCValidationError("token 'iat' is in the future")
+
+    nbf = claims.get("nbf")
+    if nbf is not None and int(nbf) - leeway > current:
+        raise OIDCValidationError("token not yet valid ('nbf')")
+
+    if nonce is not None and claims.get("nonce") != nonce:
+        raise OIDCValidationError("nonce mismatch")
+
+    return claims
+
+
+async def fetch_jwks(jwks_uri: str, *, timeout: float = 15.0) -> Dict[str, Any]:
+    """Fetch a provider JWKS document. Network-only; injectable in tests."""
+    if not jwks_uri:
+        raise OIDCValidationError("discovery document has no 'jwks_uri'")
+    import httpx
+
+    async with httpx.AsyncClient() as client:
+        resp = await client.get(jwks_uri, timeout=timeout)
+        resp.raise_for_status()
+        return resp.json()
+
+
+__all__ = [
+    "OIDCValidationError",
+    "verify_id_token",
+    "fetch_jwks",
+    "decode_unverified_header",
+]

package/latticeai/core/security.py

@@ -35,12 +35,66 @@ def host_is_loopback(host: str) -> bool:
         return False
 
 
+# ── Trusted-proxy handling ────────────────────────────────────────────────────
+# ``client_ip`` is the key used for IP rate limiting (login / register) and for
+# audit logging. A forwarded header (``X-Forwarded-For`` / ``CF-Connecting-IP``)
+# is *client-controllable*, so honoring it unconditionally lets anyone spoof
+# their source IP and bypass per-IP rate limits. We therefore trust those headers
+# ONLY when the direct peer is a configured trusted proxy (e.g. the Cloudflare /
+# Vercel edge in front of the app). Default: no trusted proxies → use the peer
+# address, which is the safe, local-first behaviour.
+_FORWARDED_HEADERS = ("CF-Connecting-IP", "X-Forwarded-For")
+_trusted_proxies: List["ipaddress._BaseNetwork"] = []
+
+
+def configure_trusted_proxies(values) -> int:
+    """Set the trusted-proxy allowlist from IPs / CIDRs. Returns the count parsed.
+
+    Accepts a comma-separated string or an iterable of IPs/CIDRs. Invalid entries
+    are skipped. Passing an empty value disables forwarded-header trust entirely.
+    """
+    global _trusted_proxies
+    if isinstance(values, str):
+        items = [v.strip() for v in values.split(",")]
+    else:
+        items = [str(v).strip() for v in (values or [])]
+    networks: List["ipaddress._BaseNetwork"] = []
+    for item in items:
+        if not item:
+            continue
+        try:
+            networks.append(ipaddress.ip_network(item, strict=False))
+        except ValueError:
+            continue
+    _trusted_proxies = networks
+    return len(networks)
+
+
+def _peer_is_trusted_proxy(peer: str) -> bool:
+    if not peer or not _trusted_proxies:
+        return False
+    try:
+        addr = ipaddress.ip_address(peer)
+    except ValueError:
+        return False
+    return any(addr in net for net in _trusted_proxies)
+
+
 def client_ip(request) -> str:
-    for header in ("CF-Connecting-IP", "X-Forwarded-For"):
-        val = request.headers.get(header)
-        if val:
-            return val.split(",")[0].strip()
-    return request.client.host if request.client else "unknown"
+    peer = request.client.host if request.client else ""
+    # Only a trusted proxy's forwarded headers are honoured; otherwise the
+    # client-supplied header is ignored so per-IP rate limits cannot be spoofed.
+    if _peer_is_trusted_proxy(peer):
+        for header in _FORWARDED_HEADERS:
+            val = request.headers.get(header)
+            if val:
+                candidate = val.split(",")[0].strip()
+                try:
+                    ipaddress.ip_address(candidate)
+                    return candidate
+                except ValueError:
+                    continue
+    return peer or "unknown"
 
 
 _FILE_MAGIC: Dict[str, List[bytes]] = {

package/latticeai/core/workspace_os.py

@@ -18,7 +18,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional
 
 
-WORKSPACE_OS_VERSION = "3.4.1"
+WORKSPACE_OS_VERSION = "3.5.0"
 
 # Workspace types separate single-user Personal workspaces from shared
 # Organization workspaces. Both keep the same local-first JSON store; the type

package/latticeai/server_app.py

@@ -40,6 +40,7 @@ from latticeai.core.security import (
     verify_password,
     host_is_loopback as _host_is_loopback_impl,
     client_ip as _client_ip_impl,
+    configure_trusted_proxies as _configure_trusted_proxies,
     bytes_match_extension as _bytes_match_extension_impl,
     redact_secret_text as _redact_secret_text,
     check_ip_rate_limit as _check_ip_rate_limit,
@@ -157,6 +158,12 @@ from datetime import datetime
 CONFIG = Config.from_env()
 APP_VERSION = WORKSPACE_OS_VERSION
 
+# Forwarded headers (X-Forwarded-For / CF-Connecting-IP) are only honoured for
+# IP rate limiting when the direct peer is one of these trusted proxies. Empty by
+# default (local-first): the peer address is used and client-supplied headers are
+# ignored, so per-IP rate limits cannot be spoofed.
+_configure_trusted_proxies(CONFIG.trusted_proxies)
+
 APP_MODE = CONFIG.app_mode
 IS_PUBLIC_MODE = CONFIG.is_public
 DEFAULT_HOST = CONFIG.host

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "3.4.1",
+  "version": "3.5.0",
   "description": "Lattice AI v3 local-first AI workspace platform with knowledge graph, vector index, hybrid search, agents, and workspace modes.",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {
@@ -20,7 +20,7 @@
     "build": "npm run build:assets && npm run build:python",
     "build:assets": "node scripts/build_v3_assets.mjs",
     "build:python": "python3 -m build",
-    "check:python": "python3 -m py_compile ltcai_cli.py server.py latticeai/server_app.py latticeai/api/auth.py latticeai/api/chat.py latticeai/api/computer_use.py latticeai/api/deps.py latticeai/api/garden.py latticeai/api/local_files.py latticeai/api/permissions.py latticeai/api/setup.py latticeai/api/static_routes.py latticeai/api/tools.py latticeai/api/plugins.py latticeai/api/workflow_designer.py latticeai/api/agents.py latticeai/api/realtime.py latticeai/api/marketplace.py latticeai/api/search.py latticeai/services/search_service.py latticeai/core/local_embeddings.py latticeai/core/embedding_providers.py latticeai/services/agent_runtime.py latticeai/core/config.py latticeai/api/admin.py latticeai/services/app_context.py latticeai/services/model_runtime.py latticeai/services/model_catalog.py latticeai/services/model_recommendation.py latticeai/services/tool_dispatch.py latticeai/services/upload_service.py latticeai/core/tool_registry.py latticeai/core/enterprise.py latticeai/core/enterprise_admin.py latticeai/core/agent_prompts.py latticeai/core/workspace_os.py latticeai/core/plugins.py latticeai/core/marketplace.py latticeai/core/workflow_engine.py latticeai/core/multi_agent.py latticeai/core/realtime.py latticeai/api/mcp.py latticeai/core/hooks.py latticeai/core/builtin_hooks.py latticeai/api/hooks.py latticeai/core/agent_registry.py latticeai/api/agent_registry.py latticeai/services/memory_service.py latticeai/api/memory.py knowledge_graph.py knowledge_graph_api.py local_knowledge_api.py llm_router.py p_reinforce.py telegram_bot.py tools.py codex_telegram_bot.py",
+    "check:python": "python3 scripts/check_python.py",
     "lint": "node --check static/scripts/account.js && node --check static/scripts/admin.js && node --check static/scripts/chat.js && node --check static/scripts/graph.js && node --check static/scripts/platform.js && node --check static/scripts/ux.js && node --check static/scripts/workspace.js && node --check tests/visual/mock_server.cjs && node --check tests/visual/v3.spec.js && npm run lint:v3",
     "lint:v3": "node scripts/lint_v3.mjs",
     "typecheck": "cd vscode-extension && npm run build",
@@ -70,7 +70,7 @@
     "llm_router.py",
     "p_reinforce.py",
     "telegram_bot.py",
-    "tools.py",
+    "tools/",
     "codex_telegram_bot.py",
     "mcp_registry.py",
     "latticeai/**/*.py",

package/requirements.txt

@@ -10,6 +10,7 @@ python-pptx
 python-multipart
 keyring
 authlib
+cryptography
 pdfplumber
 pypdfium2
 watchdog