npm - ltcai - Versions diffs - 3.6.0 → 4.0.1 - Mend

ltcai 3.6.0 → 4.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/README.md +39 -31
package/docs/CHANGELOG.md +64 -0
package/docs/REALTIME_COLLABORATION.md +3 -3
package/docs/V3_FRONTEND.md +9 -8
package/docs/V4_BRAIN_ARCHITECTURE.md +322 -0
package/docs/V4_DIGITAL_BRAIN_RECOVERY.md +552 -0
package/docs/V4_IMPLEMENTATION_PLAN.md +470 -0
package/docs/kg-schema.md +51 -53
package/docs/spec-vs-impl.md +10 -10
package/kg_schema.py +2 -520
package/knowledge_graph.py +37 -4629
package/knowledge_graph_api.py +11 -127
package/latticeai/__init__.py +1 -1
package/latticeai/api/admin.py +16 -17
package/latticeai/api/agents.py +20 -7
package/latticeai/api/auth.py +46 -15
package/latticeai/api/chat.py +112 -76
package/latticeai/api/health.py +1 -1
package/latticeai/api/hooks.py +1 -1
package/latticeai/api/invitations.py +100 -0
package/latticeai/api/knowledge_graph.py +139 -0
package/latticeai/api/local_files.py +1 -1
package/latticeai/api/mcp.py +23 -11
package/latticeai/api/memory.py +1 -1
package/latticeai/api/models.py +1 -1
package/latticeai/api/network.py +81 -0
package/latticeai/api/plugins.py +3 -6
package/latticeai/api/realtime.py +5 -8
package/latticeai/api/search.py +26 -2
package/latticeai/api/security_dashboard.py +2 -3
package/latticeai/api/setup.py +2 -2
package/latticeai/api/static_routes.py +11 -16
package/latticeai/api/tools.py +3 -0
package/latticeai/api/ui_redirects.py +26 -0
package/latticeai/api/workflow_designer.py +85 -6
package/latticeai/api/workspace.py +93 -57
package/latticeai/app_factory.py +1781 -0
package/latticeai/brain/__init__.py +18 -0
package/latticeai/brain/_kg_common.py +1123 -0
package/latticeai/brain/context.py +213 -0
package/latticeai/brain/conversations.py +236 -0
package/latticeai/brain/discovery.py +1455 -0
package/latticeai/brain/documents.py +218 -0
package/latticeai/brain/identity.py +175 -0
package/latticeai/brain/ingest.py +644 -0
package/latticeai/brain/memory.py +102 -0
package/latticeai/brain/network.py +205 -0
package/latticeai/brain/projection.py +561 -0
package/latticeai/brain/provenance.py +401 -0
package/latticeai/brain/retrieval.py +1316 -0
package/latticeai/brain/schema.py +640 -0
package/latticeai/brain/store.py +216 -0
package/latticeai/brain/write_master.py +225 -0
package/latticeai/core/agent.py +31 -7
package/latticeai/core/audit.py +0 -7
package/latticeai/core/config.py +1 -1
package/latticeai/core/context_builder.py +1 -2
package/latticeai/core/enterprise.py +1 -1
package/latticeai/core/graph_curator.py +2 -2
package/latticeai/core/invitations.py +131 -0
package/latticeai/core/marketplace.py +1 -1
package/latticeai/core/mcp_registry.py +791 -0
package/latticeai/core/model_compat.py +1 -1
package/latticeai/core/model_resolution.py +0 -1
package/latticeai/core/multi_agent.py +238 -4
package/latticeai/core/policy.py +54 -0
package/latticeai/core/realtime.py +65 -44
package/latticeai/core/security.py +1 -1
package/latticeai/core/sessions.py +66 -10
package/latticeai/core/users.py +147 -0
package/latticeai/core/workflow_engine.py +114 -2
package/latticeai/core/workspace_os.py +477 -29
package/latticeai/models/__init__.py +7 -0
package/latticeai/models/router.py +779 -0
package/latticeai/server_app.py +29 -1536
package/latticeai/services/agent_runtime.py +243 -4
package/latticeai/services/app_context.py +75 -14
package/latticeai/services/ingestion.py +47 -0
package/latticeai/services/kg_portability.py +33 -3
package/latticeai/services/memory_service.py +39 -11
package/latticeai/services/model_runtime.py +2 -5
package/latticeai/services/platform_runtime.py +100 -23
package/latticeai/services/run_executor.py +328 -0
package/latticeai/services/search_service.py +17 -8
package/latticeai/services/tool_dispatch.py +12 -2
package/latticeai/services/triggers.py +241 -0
package/latticeai/services/upload_service.py +37 -12
package/latticeai/services/workspace_service.py +55 -16
package/llm_router.py +29 -772
package/ltcai_cli.py +1 -2
package/mcp_registry.py +25 -788
package/p_reinforce.py +124 -14
package/package.json +10 -20
package/scripts/bump_version.py +99 -0
package/scripts/generate_diagrams.py +0 -1
package/scripts/lint_v3.mjs +105 -18
package/scripts/validate_release_artifacts.py +0 -1
package/scripts/wheel_smoke.py +142 -0
package/server.py +11 -7
package/setup_wizard.py +1142 -0
package/static/sw.js +81 -52
package/static/v3/asset-manifest.json +33 -25
package/static/v3/css/{lattice.base.e4cdd05d.css → lattice.base.49deefb5.css} +1 -1
package/static/v3/css/lattice.base.css +1 -1
package/static/v3/css/{lattice.components.9b49d614.css → lattice.components.cde18231.css} +1 -1
package/static/v3/css/lattice.components.css +1 -1
package/static/v3/css/{lattice.shell.8fcc9d33.css → lattice.shell.29d36d85.css} +1 -1
package/static/v3/css/lattice.shell.css +1 -1
package/static/v3/css/{lattice.tokens.e7018963.css → lattice.tokens.304cbc40.css} +3 -0
package/static/v3/css/lattice.tokens.css +3 -0
package/static/v3/css/{lattice.views.22f69117.css → lattice.views.0a18b6c5.css} +2 -2
package/static/v3/css/lattice.views.css +2 -2
package/static/v3/index.html +3 -4
package/static/v3/js/{app.c541f955.js → app.c5c80c46.js} +1 -1
package/static/v3/js/core/{api.33d6320e.js → api.ba0fbf14.js} +58 -1
package/static/v3/js/core/api.js +57 -0
package/static/v3/js/core/i18n.880e1fec.js +575 -0
package/static/v3/js/core/i18n.js +575 -0
package/static/v3/js/core/routes.37522821.js +101 -0
package/static/v3/js/core/routes.js +71 -63
package/static/v3/js/core/{shell.8c163e0e.js → shell.e3f6bbfa.js} +68 -39
package/static/v3/js/core/shell.js +66 -37
package/static/v3/js/core/{store.34ebd5e6.js → store.7b2aa044.js} +11 -1
package/static/v3/js/core/store.js +11 -1
package/static/v3/js/views/account.eff40715.js +143 -0
package/static/v3/js/views/account.js +143 -0
package/static/v3/js/views/activity.0d271ef9.js +67 -0
package/static/v3/js/views/activity.js +67 -0
package/static/v3/js/views/{admin-users.03bac88c.js → admin-users.f7ac7b43.js} +4 -6
package/static/v3/js/views/admin-users.js +4 -6
package/static/v3/js/views/{agents.014d0b74.js → agents.17c5288d.js} +35 -12
package/static/v3/js/views/agents.js +35 -12
package/static/v3/js/views/{chat.e6dd7dd0.js → chat.e250e2cc.js} +23 -0
package/static/v3/js/views/chat.js +23 -0
package/static/v3/js/views/graph-canvas.17c15d65.js +509 -0
package/static/v3/js/views/graph-canvas.js +509 -0
package/static/v3/js/views/{hybrid-search.b22b97e0.js → hybrid-search.2fb63ed9.js} +1 -2
package/static/v3/js/views/hybrid-search.js +1 -2
package/static/v3/js/views/{knowledge-graph.a96040a5.js → knowledge-graph.4d09c537.js} +60 -44
package/static/v3/js/views/knowledge-graph.js +60 -44
package/static/v3/js/views/network.52a4f181.js +97 -0
package/static/v3/js/views/network.js +97 -0
package/static/v3/js/views/{planning.9ac3e313.js → planning.4876fd77.js} +26 -5
package/static/v3/js/views/planning.js +26 -5
package/static/v3/js/views/runs.b63b2afa.js +144 -0
package/static/v3/js/views/runs.js +144 -0
package/static/v3/js/views/{settings.8631fa5e.js → settings.b7140634.js} +7 -8
package/static/v3/js/views/settings.js +7 -8
package/static/v3/js/views/snapshots.6f5db095.js +135 -0
package/static/v3/js/views/snapshots.js +135 -0
package/static/v3/js/views/{workflows.26c57290.js → workflows.7752225a.js} +87 -2
package/static/v3/js/views/workflows.js +87 -2
package/static/v3/js/views/workspace-admin.c466029b.js +156 -0
package/static/v3/js/views/workspace-admin.js +156 -0
package/static/vendor/chart.umd.min.js +20 -0
package/static/vendor/fonts/inter-latin-300-normal.woff2 +0 -0
package/static/vendor/fonts/inter-latin-400-normal.woff2 +0 -0
package/static/vendor/fonts/inter-latin-500-normal.woff2 +0 -0
package/static/vendor/fonts/inter-latin-600-normal.woff2 +0 -0
package/static/vendor/fonts/inter-latin-700-normal.woff2 +0 -0
package/static/vendor/fonts/inter-latin-800-normal.woff2 +0 -0
package/static/vendor/fonts/inter.css +44 -0
package/static/vendor/icons/tabler-icons.min.css +4 -0
package/static/vendor/icons/tabler-icons.woff2 +0 -0
package/static/vendor/marked.min.js +69 -0
package/telegram_bot.py +1 -2
package/tools/commands.py +4 -2
package/tools/computer.py +1 -1
package/tools/documents.py +1 -3
package/tools/filesystem.py +0 -4
package/tools/knowledge.py +1 -3
package/tools/network.py +1 -3
package/codex_telegram_bot.py +0 -195
package/docs/assets/v3.4.0/agent-run.png +0 -0
package/docs/assets/v3.4.0/agents.png +0 -0
package/docs/assets/v3.4.0/before/chat-before.png +0 -0
package/docs/assets/v3.4.0/before/files-before.png +0 -0
package/docs/assets/v3.4.0/chat.png +0 -0
package/docs/assets/v3.4.0/connect-folder.png +0 -0
package/docs/assets/v3.4.0/files.png +0 -0
package/docs/assets/v3.4.0/home.png +0 -0
package/docs/assets/v3.4.0/hooks-dispatch.png +0 -0
package/docs/assets/v3.4.0/knowledge-graph.png +0 -0
package/docs/assets/v3.4.0/local-agent.png +0 -0
package/docs/assets/v3.4.0/memory.png +0 -0
package/docs/assets/v3.4.0/settings.png +0 -0
package/docs/assets/v3.4.0/vision-input.png +0 -0
package/docs/assets/v3.4.0/workflows.png +0 -0
package/docs/assets/v3.4.1/e2e_runtime_log.txt +0 -42
package/docs/assets/v3.4.1/hooks-dispatch.png +0 -0
package/docs/assets/v3.4.1/local-agent.png +0 -0
package/docs/images/admin-dashboard.png +0 -0
package/docs/images/architecture.png +0 -0
package/docs/images/enterprise.png +0 -0
package/docs/images/graph.png +0 -0
package/docs/images/hero.gif +0 -0
package/docs/images/knowledge-graph.png +0 -0
package/docs/images/lattice-ai-demo.gif +0 -0
package/docs/images/lattice-ai-hero.png +0 -0
package/docs/images/logo.svg +0 -33
package/docs/images/mobile-responsive.png +0 -0
package/docs/images/model-recommendation.png +0 -0
package/docs/images/onboarding.png +0 -0
package/docs/images/organization.png +0 -0
package/docs/images/pipeline.png +0 -0
package/docs/images/screenshot-admin.png +0 -0
package/docs/images/screenshot-chat.png +0 -0
package/docs/images/screenshot-graph.png +0 -0
package/docs/images/skills.png +0 -0
package/docs/images/workspace-dark.png +0 -0
package/docs/images/workspace-light.png +0 -0
package/docs/images/workspace.png +0 -0
package/requirements.txt +0 -16
package/static/account.html +0 -115
package/static/activity.html +0 -73
package/static/admin.html +0 -488
package/static/agents.html +0 -139
package/static/chat.html +0 -844
package/static/css/reference/account.css +0 -439
package/static/css/reference/admin.css +0 -610
package/static/css/reference/base.css +0 -1661
package/static/css/reference/chat.css +0 -4623
package/static/css/reference/graph.css +0 -1016
package/static/css/responsive.css +0 -861
package/static/graph.html +0 -124
package/static/platform.css +0 -104
package/static/plugins.html +0 -136
package/static/scripts/account.js +0 -238
package/static/scripts/admin.js +0 -1614
package/static/scripts/chat.js +0 -5081
package/static/scripts/graph.js +0 -1804
package/static/scripts/platform.js +0 -64
package/static/scripts/ux.js +0 -167
package/static/scripts/workspace.js +0 -948
package/static/v3/js/core/routes.2ce3815a.js +0 -93
package/static/workflows.html +0 -146
package/static/workspace.css +0 -1121
package/static/workspace.html +0 -357

package/latticeai/services/triggers.py ADDED Viewed

@@ -0,0 +1,241 @@
+"""Trigger system (T7d) — workflows fire beyond 'manual'.
+Two real trigger types:
+* **interval** — a supervised scheduler loop fires the workflow every
+  ``interval_seconds``. Firings missed while the server was down are
+  SKIPPED with a recorded skip event (design-review amendment: no silent
+  gaps, no thundering catch-up).
+* **brain_event** — the killer Digital Brain feature: "when new knowledge
+  enters the brain, run this workflow". Wired through the existing hooks
+  bus (the ingestion pipeline fires ``post_tool`` on ``kg_ingest.<source>``);
+  an optional ``source_type`` filter narrows it.
+Trigger-fired runs carry provenance: their inputs include ``__trigger__``
+describing what fired them, persisted in the run record like any other
+input.
+"""
+from __future__ import annotations
+import json
+import logging
+import threading
+import time
+from pathlib import Path
+from typing import Any, Callable, Dict, List, Optional
+DEFAULT_TICK_SECONDS = 5.0
+MIN_INTERVAL_SECONDS = 60
+TRIGGER_HOOK_NAME = "brain-event-triggers"
+class TriggerService:
+    """Scans workflow definitions for non-manual triggers and fires them."""
+    def __init__(
+        self,
+        *,
+        store: Any,
+        run_workflow: Callable[[str, Dict[str, Any]], Dict[str, Any]],
+        data_dir: Path,
+        clock: Callable[[], float] = time.time,
+        tick_seconds: float = DEFAULT_TICK_SECONDS,
+    ) -> None:
+        self._store = store
+        self._run_workflow = run_workflow
+        self._state_file = Path(data_dir) / "triggers_state.json"
+        self._clock = clock
+        self._tick = float(tick_seconds)
+        self._stop_event = threading.Event()
+        self._thread: Optional[threading.Thread] = None
+        self._lock = threading.Lock()
+    # ── durable state ──────────────────────────────────────────────────────
+    def _load_state(self) -> Dict[str, Any]:
+        if not self._state_file.exists():
+            return {}
+        try:
+            return json.loads(self._state_file.read_text(encoding="utf-8"))
+        except Exception:
+            return {}
+    def _save_state(self, state: Dict[str, Any]) -> None:
+        self._state_file.parent.mkdir(parents=True, exist_ok=True)
+        tmp = self._state_file.with_suffix(".tmp")
+        tmp.write_text(json.dumps(state, ensure_ascii=False, indent=2), encoding="utf-8")
+        tmp.replace(self._state_file)
+    def _record_event(self, state: Dict[str, Any], workflow_id: str, event: Dict[str, Any]) -> None:
+        entry = state.setdefault(workflow_id, {})
+        events = entry.setdefault("events", [])
+        events.append({**event, "at": self._clock()})
+        entry["events"] = events[-50:]
+    # ── definition scanning ────────────────────────────────────────────────
+    def _triggered_workflows(self) -> List[Dict[str, Any]]:
+        found = []
+        try:
+            workflows = list(self._store.load_state().get("workflows") or [])
+        except Exception:
+            return []
+        for wf in workflows:
+            for node in wf.get("nodes") or []:
+                if node.get("type") != "trigger":
+                    continue
+                cfg = node.get("config") or {}
+                kind = str(cfg.get("trigger") or "manual")
+                if kind in ("interval", "brain_event"):
+                    found.append({"workflow": wf, "node": node, "kind": kind, "config": cfg})
+        return found
+    def describe(self) -> Dict[str, Any]:
+        """Honest status surface: what is armed, when it last fired/skipped."""
+        state = self._load_state()
+        armed = []
+        for item in self._triggered_workflows():
+            wf_id = item["workflow"].get("id")
+            armed.append({
+                "workflow_id": wf_id,
+                "name": item["workflow"].get("name"),
+                "kind": item["kind"],
+                "config": {k: v for k, v in item["config"].items() if k != "trigger"},
+                "last_fired_at": (state.get(wf_id) or {}).get("last_fired_at"),
+                "recent_events": (state.get(wf_id) or {}).get("events", [])[-5:],
+            })
+        return {
+            "running": bool(self._thread and self._thread.is_alive()),
+            "tick_seconds": self._tick,
+            "armed": armed,
+        }
+    # ── interval scheduling ────────────────────────────────────────────────
+    def reconcile_missed(self) -> int:
+        """Startup pass: record (never replay) firings missed while down."""
+        now = self._clock()
+        skipped = 0
+        with self._lock:
+            state = self._load_state()
+            for item in self._triggered_workflows():
+                if item["kind"] != "interval":
+                    continue
+                wf_id = item["workflow"].get("id")
+                interval = max(MIN_INTERVAL_SECONDS, int(item["config"].get("interval_seconds") or 0))
+                entry = state.setdefault(wf_id, {})
+                last = entry.get("last_fired_at")
+                if last is not None and now - float(last) > interval:
+                    missed = int((now - float(last)) // interval)
+                    self._record_event(state, wf_id, {
+                        "type": "skipped",
+                        "reason": f"{missed} interval firing(s) missed while the server was down",
+                    })
+                    skipped += missed
+                # Reset the cadence from now — no catch-up storm.
+                entry["last_fired_at"] = now if last is not None else entry.get("last_fired_at")
+            self._save_state(state)
+        return skipped
+    def tick_intervals(self) -> int:
+        """One scheduler pass; returns how many workflows fired."""
+        now = self._clock()
+        fired = 0
+        with self._lock:
+            state = self._load_state()
+            for item in self._triggered_workflows():
+                if item["kind"] != "interval":
+                    continue
+                wf_id = item["workflow"].get("id")
+                interval = max(MIN_INTERVAL_SECONDS, int(item["config"].get("interval_seconds") or 0))
+                entry = state.setdefault(wf_id, {})
+                last = entry.get("last_fired_at")
+                if last is None:
+                    # First sighting arms the schedule; it fires one interval later.
+                    entry["last_fired_at"] = now
+                    continue
+                if now - float(last) < interval:
+                    continue
+                entry["last_fired_at"] = now
+                self._record_event(state, wf_id, {"type": "fired", "trigger": "interval"})
+                fired += 1
+                self._fire(wf_id, {
+                    "type": "interval",
+                    "interval_seconds": interval,
+                    "fired_at": now,
+                })
+            self._save_state(state)
+        return fired
+    # ── brain events ───────────────────────────────────────────────────────
+    def on_brain_event(self, event: str, payload: Optional[Dict[str, Any]] = None) -> int:
+        """Fire workflows whose brain_event trigger matches this ingestion."""
+        payload = payload or {}
+        source_type = str(payload.get("source_type") or event.split(".", 1)[-1] or "")
+        fired = 0
+        with self._lock:
+            state = self._load_state()
+            for item in self._triggered_workflows():
+                if item["kind"] != "brain_event":
+                    continue
+                wanted = str(item["config"].get("source_type") or "").strip()
+                if wanted and wanted != source_type:
+                    continue
+                wf_id = item["workflow"].get("id")
+                state.setdefault(wf_id, {})["last_fired_at"] = self._clock()
+                self._record_event(state, wf_id, {
+                    "type": "fired", "trigger": "brain_event", "source_type": source_type,
+                })
+                fired += 1
+                self._fire(wf_id, {
+                    "type": "brain_event",
+                    "event": event,
+                    "source_type": source_type,
+                    "node_id": payload.get("node_id"),
+                })
+            self._save_state(state)
+        return fired
+    def hook_runner(self):
+        """A post_tool hook runner: ingestion events fan into triggers."""
+        def runner(context):
+            event = str(getattr(context, "event", "") or "")
+            if not event.startswith("kg_ingest."):
+                return {"status": "ok", "output": "not an ingestion event"}
+            payload = context.payload if isinstance(context.payload, dict) else {}
+            fired = self.on_brain_event(event, payload)
+            return {"status": "ok", "output": f"fired {fired} workflow trigger(s)"}
+        return runner
+    # ── execution + lifecycle ──────────────────────────────────────────────
+    def _fire(self, workflow_id: str, trigger_info: Dict[str, Any]) -> None:
+        def _run():
+            try:
+                self._run_workflow(workflow_id, {"__trigger__": trigger_info})
+            except Exception as exc:
+                logging.warning("trigger run failed for %s: %s", workflow_id, exc)
+        threading.Thread(target=_run, name=f"trigger-{workflow_id}", daemon=True).start()
+    def start(self) -> None:
+        if self._thread and self._thread.is_alive():
+            return
+        self.reconcile_missed()
+        self._stop_event.clear()
+        def _loop():
+            while not self._stop_event.wait(self._tick):
+                try:
+                    self.tick_intervals()
+                except Exception as exc:
+                    logging.warning("trigger scheduler tick failed: %s", exc)
+        self._thread = threading.Thread(target=_loop, name="trigger-scheduler", daemon=True)
+        self._thread.start()
+    def stop(self) -> None:
+        self._stop_event.set()
+        if self._thread:
+            self._thread.join(timeout=2)
+__all__ = ["TriggerService", "TRIGGER_HOOK_NAME", "MIN_INTERVAL_SECONDS"]

package/latticeai/services/upload_service.py CHANGED Viewed

@@ -9,6 +9,7 @@ from pathlib import Path
 from fastapi import HTTPException, Request, UploadFile
+from latticeai.services.ingestion import IngestionItem
 from tools import ToolError, read_document
@@ -19,6 +20,7 @@ async def process_uploaded_document(
     current_user: str,
     enable_graph: bool,
     knowledge_graph,
+    ingestion_pipeline=None,
     bytes_match_extension,
     classify_sensitive_message,
     append_audit_event,
@@ -71,18 +73,41 @@ async def process_uploaded_document(
         try:
             if not (enable_graph and knowledge_graph):
                 raise RuntimeError("graph disabled")
-            graph_result = knowledge_graph.ingest_document(
-                Path(tmp_path),
-                original_filename=file.filename,
-                mime_type=file.content_type,
-                uploader=current_user,
-                conversation_id=request.query_params.get("conversation_id"),
-                extracted=result,
-            )
-            result["knowledge_graph"] = {
-                "node_id": graph_result["node_id"],
-                "sha256": graph_result["sha256"],
-            }
+            if ingestion_pipeline is not None:
+                # v4: uploads enter the brain through the unified ingestion
+                # pipeline (provenance + kg_ingest hook lifecycle).
+                ingest = ingestion_pipeline.ingest(
+                    IngestionItem(
+                        source_type="upload",
+                        title=file.filename,
+                        path=tmp_path,
+                        mime_type=file.content_type,
+                        owner=current_user,
+                        conversation_id=request.query_params.get("conversation_id"),
+                        metadata={"extracted": result},
+                    ),
+                    user_email=current_user,
+                )
+                if ingest.status != "ok":
+                    raise RuntimeError(ingest.detail or f"ingestion {ingest.status}")
+                result["knowledge_graph"] = {
+                    "node_id": ingest.node_id,
+                    "sha256": ingest.content_hash,
+                    "provenance_id": ingest.provenance_id,
+                }
+            else:
+                graph_result = knowledge_graph.ingest_document(
+                    Path(tmp_path),
+                    original_filename=file.filename,
+                    mime_type=file.content_type,
+                    uploader=current_user,
+                    conversation_id=request.query_params.get("conversation_id"),
+                    extracted=result,
+                )
+                result["knowledge_graph"] = {
+                    "node_id": graph_result["node_id"],
+                    "sha256": graph_result["sha256"],
+                }
         except Exception as graph_error:
             logging.warning("knowledge graph document ingest failed: %s", graph_error)
             result["knowledge_graph"] = {"error": str(graph_error)}

package/latticeai/services/workspace_service.py CHANGED Viewed

@@ -26,7 +26,7 @@ Guardrail summary (v1.2.0):
 from __future__ import annotations
-from typing import Any, Dict, Optional
+from typing import Any, Callable, Dict, Optional
 from latticeai.core.workspace_os import WorkspaceOSStore
@@ -38,13 +38,20 @@ class WorkspaceService:
     # partitioned per workspace. Surfaced so the UI / docs can be explicit.
     SHARED_GLOBAL_AREAS = ("graph", "skills")
-    def __init__(self, store: WorkspaceOSStore):
+    def __init__(self, store: WorkspaceOSStore, *, resolve_user_id: Optional[Callable[[Optional[str]], Optional[str]]] = None):
         self.store = store
+        self._resolve_user_id = resolve_user_id or (lambda user_id: user_id)
+    def _identity(self, user_id: Optional[str]) -> Optional[str]:
+        if isinstance(user_id, str) and user_id.startswith("user:"):
+            return user_id
+        return self._resolve_user_id(user_id)
     # ── scope resolution + gating ────────────────────────────────────────
     def _ensure_permission(self, workspace_id: str, user_id: Optional[str], permission: str) -> None:
-        if not self.store.has_permission(workspace_id, user_id, permission):
+        resolved_user = self._identity(user_id)
+        if not self.store.has_permission(workspace_id, resolved_user, permission):
             raise PermissionError(
                 f"'{user_id or 'anonymous'}' lacks '{permission}' on workspace '{workspace_id}'"
             )
@@ -67,51 +74,83 @@ class WorkspaceService:
         return workspace_id
     def can_read(self, workspace_id: str, user_id: Optional[str]) -> bool:
-        return self.store.has_permission(workspace_id, user_id, "read")
+        return self.store.has_permission(workspace_id, self._identity(user_id), "read")
     def can_write(self, workspace_id: str, user_id: Optional[str]) -> bool:
-        return self.store.has_permission(workspace_id, user_id, "write")
+        return self.store.has_permission(workspace_id, self._identity(user_id), "write")
+    # ── record-level authorization (by-id access must not bypass gating) ──
+    def authorize_record_read(self, record: Dict[str, Any], user_id: Optional[str]) -> None:
+        """Authorize reading a record against ITS OWN workspace.
+        Records predating workspace scoping carry no workspace_id and remain
+        readable (legacy-global compatibility); a scoped record requires read
+        permission on its workspace regardless of any caller-supplied header.
+        """
+        workspace_id = (record or {}).get("workspace_id")
+        if workspace_id:
+            self._ensure_permission(workspace_id, user_id, "read")
+    def authorize_memory_delete(self, record: Dict[str, Any], user_id: Optional[str]) -> None:
+        """Delete requires owning the memory or write access to its workspace.
+        Ownerless records with no workspace keep their pre-v4 behaviour
+        (deletable by any authenticated local user).
+        """
+        owner = (record or {}).get("user_email")
+        workspace_id = (record or {}).get("workspace_id")
+        resolved_user = self._identity(user_id)
+        if owner and owner in {user_id, resolved_user}:
+            return
+        if workspace_id:
+            self._ensure_permission(workspace_id, resolved_user, "write")
+            return
+        if owner and owner not in {user_id, resolved_user}:
+            raise PermissionError(
+                f"'{user_id or 'anonymous'}' is not the owner of memory '{record.get('id')}'"
+            )
     # ── workspace registry / summary ─────────────────────────────────────
     def summary(self, user_id: Optional[str]) -> Dict[str, Any]:
         data = self.store.summary()
-        data["workspace_registry"] = self.store.list_workspaces(user_id=user_id)
+        data["workspace_registry"] = self.store.list_workspaces(user_id=self._identity(user_id))
         data["shared_global_areas"] = list(self.SHARED_GLOBAL_AREAS)
         return data
     def list_workspaces(self, user_id: Optional[str]) -> Dict[str, Any]:
-        return self.store.list_workspaces(user_id=user_id)
+        return self.store.list_workspaces(user_id=self._identity(user_id))
     def get_workspace(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
         # Reading workspace metadata requires read access to that workspace.
         self._ensure_permission(workspace_id, user_id, "read")
-        return self.store.get_workspace(workspace_id, user_id=user_id)
+        return self.store.get_workspace(workspace_id, user_id=self._identity(user_id))
     def workspace_summary(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
         self._ensure_permission(workspace_id, user_id, "read")
-        return self.store.workspace_summary(workspace_id, user_id=user_id)
+        return self.store.workspace_summary(workspace_id, user_id=self._identity(user_id))
     # ── organization workspace management (delegates with actor) ─────────
     def create_organization_workspace(self, *, name: str, owner_user_id: Optional[str], settings: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
-        return self.store.create_organization_workspace(name=name, owner_user_id=owner_user_id, settings=settings)
+        return self.store.create_organization_workspace(name=name, owner_user_id=self._identity(owner_user_id), settings=settings)
     def update_workspace(self, workspace_id: str, *, name=None, settings=None, actor=None) -> Dict[str, Any]:
-        return self.store.update_workspace(workspace_id, name=name, settings=settings, actor=actor)
+        return self.store.update_workspace(workspace_id, name=name, settings=settings, actor=self._identity(actor))
     def archive_workspace(self, workspace_id: str, *, actor=None) -> Dict[str, Any]:
-        return self.store.archive_workspace(workspace_id, actor=actor)
+        return self.store.archive_workspace(workspace_id, actor=self._identity(actor))
     def add_member(self, workspace_id: str, *, user_id: str, role: str = "member", actor=None) -> Dict[str, Any]:
-        return self.store.add_member(workspace_id, user_id=user_id, role=role, actor=actor)
+        return self.store.add_member(workspace_id, user_id=self._identity(user_id) or user_id, role=role, actor=self._identity(actor))
     def update_member_role(self, workspace_id: str, *, user_id: str, role: str, actor=None) -> Dict[str, Any]:
-        return self.store.update_member_role(workspace_id, user_id=user_id, role=role, actor=actor)
+        return self.store.update_member_role(workspace_id, user_id=self._identity(user_id) or user_id, role=role, actor=self._identity(actor))
     def remove_member(self, workspace_id: str, *, user_id: str, actor=None) -> Dict[str, Any]:
-        return self.store.remove_member(workspace_id, user_id=user_id, actor=actor)
+        return self.store.remove_member(workspace_id, user_id=self._identity(user_id) or user_id, actor=self._identity(actor))
     def set_active_workspace(self, workspace_id: str, user_id: Optional[str]) -> Dict[str, Any]:
         # Membership is enforced inside the store for organization workspaces.
-        return self.store.set_active_workspace(workspace_id, user_id=user_id)
+        return self.store.set_active_workspace(workspace_id, user_id=self._identity(user_id))