ltcai 3.6.0 → 4.0.0

package/latticeai/api/models.py

@@ -264,7 +264,7 @@ def create_models_router(
 
     @router.post("/setup/set-api-key")
     async def set_api_key(req: SetApiKeyRequest, request: Request):
-        from llm_router import OPENAI_COMPATIBLE_PROVIDERS
+        from latticeai.models.router import OPENAI_COMPATIBLE_PROVIDERS
         config = OPENAI_COMPATIBLE_PROVIDERS.get(req.provider)
         if not config:
             raise HTTPException(status_code=400, detail="알 수 없는 프로바이더입니다.")

package/latticeai/api/network.py

@@ -0,0 +1,81 @@
+"""Brain Network API — device identity, peer pairing, knowledge exchange.
+
+The /network/receive endpoint authenticates PEERS (signed device requests),
+not user sessions; everything else requires a logged-in user, and pairing /
+pushing are deliberate owner actions.
+"""
+
+from __future__ import annotations
+
+from typing import Optional
+
+from fastapi import APIRouter, HTTPException, Request
+from pydantic import BaseModel
+
+
+class PeerPairRequest(BaseModel):
+    name: str
+    base_url: str
+    public_key: str
+
+
+class PeerPushRequest(BaseModel):
+    workspace_id: Optional[str] = None
+
+
+def create_network_router(*, network, identity, require_user) -> APIRouter:
+    router = APIRouter()
+
+    @router.get("/network/identity")
+    async def network_identity(request: Request):
+        require_user(request)
+        return identity.describe()
+
+    @router.get("/network/peers")
+    async def network_peers(request: Request):
+        require_user(request)
+        return {"peers": network.list_peers()}
+
+    @router.post("/network/peers")
+    async def network_pair(req: PeerPairRequest, request: Request):
+        require_user(request)
+        try:
+            return {"status": "paired", "peer": network.add_peer(
+                name=req.name, base_url=req.base_url, public_key=req.public_key,
+            )}
+        except ValueError as exc:
+            raise HTTPException(status_code=400, detail=str(exc)) from exc
+
+    @router.delete("/network/peers/{peer_id}")
+    async def network_unpair(peer_id: str, request: Request):
+        require_user(request)
+        try:
+            return network.remove_peer(peer_id)
+        except FileNotFoundError as exc:
+            raise HTTPException(status_code=404, detail=f"Unknown peer: {exc}") from exc
+
+    @router.post("/network/push/{peer_id}")
+    async def network_push(peer_id: str, req: PeerPushRequest, request: Request):
+        require_user(request)
+        try:
+            return network.push_to_peer(peer_id, workspace_id=req.workspace_id)
+        except FileNotFoundError as exc:
+            raise HTTPException(status_code=404, detail=f"Unknown peer: {exc}") from exc
+        except Exception as exc:
+            raise HTTPException(status_code=502, detail=f"Push failed: {exc}") from exc
+
+    @router.post("/network/receive")
+    async def network_receive(request: Request):
+        # Peer-authenticated: a paired device's signature replaces the session.
+        body = await request.body()
+        try:
+            return network.receive(dict(request.headers), body)
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
+        except ValueError as exc:
+            raise HTTPException(status_code=400, detail=str(exc)) from exc
+
+    return router
+
+
+__all__ = ["create_network_router"]

package/latticeai/api/realtime.py

@@ -10,7 +10,7 @@ from __future__ import annotations
 
 import secrets
 from pathlib import Path
-from typing import Any, Callable, Dict, Optional, Set
+from typing import Any, Callable, Optional, Set
 
 from fastapi import APIRouter, HTTPException, Request
 from fastapi.responses import StreamingResponse

package/latticeai/api/search.py

@@ -47,17 +47,41 @@ class IndexRebuildRequest(BaseModel):
     include_chunks: bool = True
 
 
+class _ScopedSearchService:
+    """Injects the caller's workspace scope into every search call —
+    enforcement lives at this one chokepoint, not in each handler."""
+
+    _SCOPED = {"keyword_search", "vector_search", "graph_search", "hybrid_search"}
+
+    def __init__(self, service: SearchService, allowed):
+        self._service = service
+        self._allowed = allowed
+
+    def __getattr__(self, name):
+        attr = getattr(self._service, name)
+        if name in self._SCOPED:
+            def scoped(*args, **kwargs):
+                kwargs.setdefault("allowed_workspaces", self._allowed)
+                return attr(*args, **kwargs)
+            return scoped
+        return attr
+
+
 def create_search_router(
     *,
     service: SearchService,
     require_user: Callable[[Request], str],
     embedding_info: Optional[Callable[[], Dict[str, Any]]] = None,
+    allowed_workspaces_for: Optional[Callable[[Optional[str]], Any]] = None,
 ) -> APIRouter:
     router = APIRouter()
 
     def _guarded(request: Request) -> SearchService:
-        require_user(request)
-        return service
+        user = require_user(request)
+        allowed = None
+        if allowed_workspaces_for is not None and user:
+            allowed = allowed_workspaces_for(user)
+        return _ScopedSearchService(service, allowed)
 
     def _raise_graph_error(exc: Exception) -> None:
         raise HTTPException(status_code=404, detail=str(exc)) from exc

package/latticeai/api/security_dashboard.py

@@ -27,13 +27,12 @@ import io
 import json
 import logging
 import re
-import time
 from collections import defaultdict
 from datetime import datetime
-from typing import Any, Callable, Dict, List, Optional, Tuple
+from typing import Any, Callable, Dict, List, Optional
 
 from fastapi import APIRouter, HTTPException, Query, Request
-from fastapi.responses import Response, StreamingResponse
+from fastapi.responses import Response
 from pydantic import BaseModel
 
 from ..core import timezones

package/latticeai/api/setup.py

@@ -15,8 +15,8 @@ from auto_setup import (
     recommend as auto_setup_recommend,
     verify as auto_setup_verify,
 )
-from llm_router import parse_model_ref
-from setup import get_recommendations, install_stream, open_url, scan_environment
+from latticeai.models.router import parse_model_ref
+from setup_wizard import get_recommendations, install_stream, open_url, scan_environment
 
 
 def create_setup_router(*, model_router, require_user) -> APIRouter:

package/latticeai/api/static_routes.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import re
 import subprocess
 from dataclasses import dataclass
 from pathlib import Path
@@ -58,7 +57,7 @@ def create_static_routes_router(
             return response
     
         # 3. 인증 실패 시 차단 화면
-        return HTMLResponse(content=f"""
+        return HTMLResponse(content="""
             <body style="background:#0f1115; color:white; display:flex; flex-direction:column; align-items:center; justify-content:center; height:100vh; font-family:sans-serif;">
                 <div style="background:#16191f; padding:40px; border-radius:24px; border:1px solid rgba(255,255,255,0.1); text-align:center; box-shadow: 0 20px 40px rgba(0,0,0,0.5);">
                     <div style="font-size:48px; margin-bottom:20px;">🔒</div>
@@ -145,7 +144,7 @@ def create_static_routes_router(
     async def local_sysinfo(request: Request):
         """CPU / RAM / GPU(MLX) 사용량을 반환합니다."""
         require_user(request)
-        import subprocess, re as _re
+        import re as _re
         result = {"cpu_pct": 0.0, "ram_pct": 0.0, "gpu_mem_pct": 0.0, "gpu_mem_gb": 0.0}
         try:
             # CPU
@@ -157,7 +156,6 @@ def create_static_routes_router(
                         result["cpu_pct"] = round(float(m.group(1)) + float(m.group(2)), 1)
             # RAM
             vm_out = subprocess.run(["vm_stat"], capture_output=True, text=True, timeout=4).stdout
-            page_size = 16384
             pages: dict = {}
             for line in vm_out.splitlines():
                 for key in ["Pages free", "Pages active", "Pages inactive", "Pages wired down", "Pages occupied by compressor"]:

package/latticeai/api/tools.py

@@ -178,6 +178,7 @@ class ToolGitShowRequest(BaseModel):
 def create_tools_router(
     *,
     config,
+    ingestion_pipeline,
     data_dir: Path,
     static_dir: Path,
     model_router,
@@ -438,6 +439,7 @@ def create_tools_router(
             current_user=current_user,
             enable_graph=ENABLE_GRAPH,
             knowledge_graph=KNOWLEDGE_GRAPH,
+            ingestion_pipeline=ingestion_pipeline,
             bytes_match_extension=_bytes_match_extension,
             classify_sensitive_message=classify_sensitive_message,
             append_audit_event=append_audit_event,
@@ -588,6 +590,7 @@ def create_tools_router(
         tool_response=_tool_response,
         require_graph=_require_graph,
         knowledge_graph=KNOWLEDGE_GRAPH,
+        ingestion_pipeline=ingestion_pipeline,
         data_dir=DATA_DIR,
     ))
 

package/latticeai/api/workflow_designer.py

@@ -32,6 +32,10 @@ class WorkflowUpdateRequest(BaseModel):
     metadata: Optional[Dict[str, Any]] = None
 
 
+class WorkflowResumeRequest(BaseModel):
+    approved: bool = True
+
+
 class WorkflowRunRequest(BaseModel):
     inputs: Dict[str, Any] = {}
 
@@ -159,10 +163,52 @@ def create_workflow_designer_router(
             user_email=current_user or None,
             graph=workspace_graph(),
             workspace_id=scope,
+            mode="live",
+            pause={"node": result.paused_node, "pending": result.pending_approval,
+                   "context": result.paused_context} if result.status == "awaiting_approval" else None,
         )
         append_audit_event("workflow_run", user_email=current_user, workflow_id=workflow_id, status=result.status)
         return {"run": run, "result": result.as_dict()}
 
+    @router.post("/workflows/api/runs/{run_id}/resume")
+    async def resume_run(run_id: str, req: WorkflowResumeRequest, request: Request):
+        """Decide a paused (awaiting_approval) run: approve → the paused node
+        executes and the run continues; deny → the run fails honestly."""
+        current_user = require_user(request)
+        scope = gate_write(request)
+        run_record = store.get_workflow_run(run_id, workspace_id=scope)
+        pause = run_record.get("pause") or {}
+        if run_record.get("status") != "awaiting_approval" or not pause.get("node"):
+            raise HTTPException(status_code=409, detail="run is not awaiting approval")
+        workflow = store.get_workflow(run_record.get("workflow_id"), workspace_id=scope)
+        runners = build_runners(current_user or None, scope)
+        engine = WorkflowEngine(runners, hooks=hooks)
+        result = engine.resume(
+            workflow,
+            paused_node=pause["node"],
+            paused_context=pause.get("context") or {},
+            approved=bool(req.approved),
+            prior_timeline=run_record.get("timeline") or [],
+        )
+        resumed = store.record_workflow_run(
+            workflow_id=run_record.get("workflow_id"),
+            name=run_record.get("name") or "workflow",
+            status=result.status,
+            timeline=result.timeline,
+            outputs=result.outputs,
+            user_email=current_user or None,
+            graph=workspace_graph(),
+            workspace_id=scope,
+            mode="live",
+            pause={"node": result.paused_node, "pending": result.pending_approval,
+                   "context": result.paused_context} if result.status == "awaiting_approval" else None,
+        )
+        store.mark_workflow_run_resolved(run_id, resumed_run_id=resumed["id"],
+                                         approved=bool(req.approved), workspace_id=scope)
+        append_audit_event("workflow_run_resume", user_email=current_user,
+                           run_id=run_id, approved=bool(req.approved), status=result.status)
+        return {"run": resumed, "result": result.as_dict(), "resumed_from": run_id}
+
     @router.get("/workflows/api/definitions/{workflow_id}/runs")
     async def list_runs(workflow_id: str, request: Request, limit: int = 50):
         require_user(request)

package/latticeai/api/workspace.py

@@ -15,12 +15,13 @@ from __future__ import annotations
 import asyncio
 import logging
 from datetime import datetime
-from pathlib import Path
-from typing import Any, Callable, Dict, List, Optional
+from typing import Dict, List, Optional
 
 from fastapi import APIRouter, HTTPException, Request
 from pydantic import BaseModel
 
+from latticeai.services.app_context import AppContext
+
 
 # ── Request models (workspace-only; moved verbatim from server_app) ──────────
 
@@ -135,54 +136,47 @@ def _workspace_scope_from_request(request: Request) -> Optional[str]:
     return query.strip() if query and query.strip() else None
 
 
-def create_workspace_router(
-    *,
-    service,
-    require_user: Callable[[Request], str],
-    require_admin: Callable[[Request], Any],
-    get_current_user: Callable[[Request], Optional[str]],
-    append_audit_event: Callable[..., None],
-    graph_stats: Callable[[], Dict],
-    workspace_models: Callable[[], Dict],
-    workspace_settings: Callable[[], Dict],
-    get_history: Callable[[], List[Dict]],
-    get_audit_log: Callable[[], List[Dict]],
-    require_graph: Callable[[], Any],
-    workspace_graph: Callable[[], Any],
-    knowledge_graph: Any,
-    local_kg_watcher: Any,
-    load_users: Callable[[], Dict],
-    scan_environment: Callable[[], Any],
-    local_sysinfo: Callable[[Request], Any],
-    get_recommendations: Callable[[Any], Any],
-    fetch_skills_marketplace: Callable[..., Any],
-    install_skill: Callable[..., Any],
-    remove_skill_directory: Callable[..., Dict],
-    redact_secret_text: Callable[[str], str],
-    skills_dir: Path,
-    capability_registry: Any,
-    ui_file_response: Callable[[Path], Any],
-    static_dir: Path,
-    local_model: Optional[str],
-    public_model: Optional[str],
-) -> APIRouter:
+def create_workspace_router(context: AppContext) -> APIRouter:
+    """Build the workspace/org router from the typed application context.
+
+    Replaces the historical ~30-kwarg factory signature: ``context``
+    (:class:`latticeai.services.app_context.AppContext`) carries the same
+    dependencies as typed fields.
+    """
     router = APIRouter()
 
     # Bind injected deps to the names the moved handler bodies expect.
+    service = context.workspace_service
+    require_user = context.require_user
+    require_admin = context.require_admin
+    get_current_user = context.get_current_user
+    append_audit_event = context.append_audit_event
+    get_history = context.get_history
+    get_audit_log = context.get_audit_log
+    load_users = context.load_users
+    scan_environment = context.scan_environment
+    local_sysinfo = context.local_sysinfo
+    get_recommendations = context.get_recommendations
+    install_skill = context.install_skill
+    remove_skill_directory = context.remove_skill_directory
+    redact_secret_text = context.redact_secret_text
+    capability_registry = context.capability_registry
+    ui_file_response = context.ui_file_response
+
     svc = service
     WORKSPACE_OS = service.store
-    _workspace_graph = workspace_graph
-    _graph_stats_safe = graph_stats
-    _workspace_models_payload = workspace_models
-    _workspace_settings_payload = workspace_settings
-    _require_graph = require_graph
-    KNOWLEDGE_GRAPH = knowledge_graph
-    LOCAL_KG_WATCHER = local_kg_watcher
-    SKILLS_DIR = skills_dir
-    STATIC_DIR = static_dir
-    LOCAL_MODEL = local_model
-    PUBLIC_MODEL = public_model
-    _fetch_skills_marketplace = fetch_skills_marketplace
+    _workspace_graph = context.workspace_graph
+    _graph_stats_safe = context.graph_stats
+    _workspace_models_payload = context.workspace_models
+    _workspace_settings_payload = context.workspace_settings
+    _require_graph = context.require_graph
+    KNOWLEDGE_GRAPH = context.knowledge_graph
+    LOCAL_KG_WATCHER = context.local_kg_watcher
+    SKILLS_DIR = context.skills_dir
+    STATIC_DIR = context.static_dir
+    LOCAL_MODEL = context.local_model
+    PUBLIC_MODEL = context.public_model
+    _fetch_skills_marketplace = context.fetch_skills_marketplace
     _workspace_scope = _workspace_scope_from_request
 
     def _gate_read(request: Request):
@@ -197,6 +191,24 @@ def create_workspace_router(
         except PermissionError as exc:
             raise HTTPException(status_code=403, detail=str(exc)) from exc
 
+    def _load_snapshot_authorized(request: Request, snapshot_id: str) -> dict:
+        """Fetch a snapshot and authorize against the RECORD'S own workspace.
+
+        By-id access must not bypass workspace gating: a snapshot belonging to
+        an organization workspace is readable only by its members. Snapshots
+        predating workspace scoping carry no workspace_id and stay readable
+        (legacy-global compatibility).
+        """
+        try:
+            snapshot = WORKSPACE_OS.get_snapshot(snapshot_id)
+        except FileNotFoundError as exc:
+            raise HTTPException(status_code=404, detail=f"Snapshot not found: {exc}") from exc
+        try:
+            svc.authorize_record_read(snapshot, get_current_user(request))
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
+        return snapshot
+
     # ── Workspace UI pages ────────────────────────────────────────────────
 
     @router.get("/workspace")
@@ -343,6 +355,8 @@ def create_workspace_router(
     @router.post("/workspace/snapshots/compare")
     async def workspace_snapshot_compare(req: WorkspaceSnapshotCompareRequest, request: Request):
         require_user(request)
+        _load_snapshot_authorized(request, req.before_id)
+        _load_snapshot_authorized(request, req.after_id)
         try:
             return WORKSPACE_OS.compare_snapshots(req.before_id, req.after_id)
         except FileNotFoundError as exc:
@@ -351,14 +365,12 @@ def create_workspace_router(
     @router.get("/workspace/snapshots/{snapshot_id}")
     async def workspace_snapshot_get(snapshot_id: str, request: Request):
         require_user(request)
-        try:
-            return WORKSPACE_OS.get_snapshot(snapshot_id)
-        except FileNotFoundError as exc:
-            raise HTTPException(status_code=404, detail=f"Snapshot not found: {exc}") from exc
+        return _load_snapshot_authorized(request, snapshot_id)
 
     @router.get("/workspace/snapshots/{snapshot_id}/{area}")
     async def workspace_snapshot_area(snapshot_id: str, area: str, request: Request):
         require_user(request)
+        _load_snapshot_authorized(request, snapshot_id)
         try:
             return WORKSPACE_OS.snapshot_view(snapshot_id, area)
         except FileNotFoundError as exc:
@@ -367,6 +379,7 @@ def create_workspace_router(
     @router.post("/workspace/snapshots/{snapshot_id}/export")
     async def workspace_snapshot_export(snapshot_id: str, request: Request):
         current_user = require_user(request)
+        _load_snapshot_authorized(request, snapshot_id)
         try:
             result = WORKSPACE_OS.export_snapshot(snapshot_id)
         except FileNotFoundError as exc:
@@ -383,6 +396,7 @@ def create_workspace_router(
     @router.get("/workspace/time-machine/{snapshot_id}/{area}")
     async def workspace_time_machine_view(snapshot_id: str, area: str, request: Request):
         require_user(request)
+        _load_snapshot_authorized(request, snapshot_id)
         try:
             return WORKSPACE_OS.snapshot_view(snapshot_id, area)
         except FileNotFoundError as exc:
@@ -424,6 +438,14 @@ def create_workspace_router(
     @router.delete("/workspace/memories/{memory_id}")
     async def workspace_memory_delete(memory_id: str, request: Request):
         require_user(request)
+        try:
+            record = WORKSPACE_OS.get_memory(memory_id)
+        except FileNotFoundError as exc:
+            raise HTTPException(status_code=404, detail=f"Memory not found: {exc}") from exc
+        try:
+            svc.authorize_memory_delete(record, get_current_user(request))
+        except PermissionError as exc:
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
         try:
             return WORKSPACE_OS.delete_memory(memory_id)
         except FileNotFoundError as exc: