ltcai 3.6.0 → 4.0.1

package/knowledge_graph_api.py

@@ -1,130 +1,14 @@
-"""Knowledge graph page and API routes."""
+"""Deprecation shim — the knowledge graph router moved in v4.
 
-from pathlib import Path
-from typing import Any, Callable, Dict, Optional
+The ``/knowledge-graph/*`` data router (and legacy ``/graph`` page routes)
+now live in :mod:`latticeai.api.knowledge_graph`. This root module remains
+importable for the deprecation window and will be removed in a future major
+release.
+"""
 
-from fastapi import APIRouter, HTTPException, Request
-from fastapi.responses import FileResponse
-from pydantic import BaseModel
+from latticeai.api.knowledge_graph import (  # noqa: F401
+    KnowledgeGraphIngestRequest,
+    create_knowledge_graph_router,
+)
 
-
-class KnowledgeGraphIngestRequest(BaseModel):
-    type: str
-    content: str = ""
-    role: Optional[str] = None
-    title: Optional[str] = None
-    source: Optional[str] = None
-    conversation_id: Optional[str] = None
-    user_email: Optional[str] = None
-    user_nickname: Optional[str] = None
-    metadata: Optional[Dict[str, Any]] = None
-
-
-def create_knowledge_graph_router(
-    *,
-    get_graph: Callable[[], Any],
-    require_graph: Callable[[], None],
-    require_user: Callable[[Request], str],
-    static_dir: Path,
-) -> APIRouter:
-    router = APIRouter()
-
-    def graph():
-        require_graph()
-        return get_graph()
-
-    @router.get("/graph")
-    async def knowledge_graph_page(request: Request):
-        """Serve the interactive knowledge graph canvas UI."""
-        graph()
-        require_user(request)
-        response = FileResponse(static_dir / "graph.html")
-        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
-        response.headers["Pragma"] = "no-cache"
-        response.headers["Expires"] = "0"
-        return response
-
-    @router.get("/knowledge-graph")
-    async def knowledge_graph_legacy_page(request: Request):
-        """Backward-compatible route for the graph page."""
-        graph()
-        require_user(request)
-        response = FileResponse(static_dir / "graph.html")
-        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
-        response.headers["Pragma"] = "no-cache"
-        response.headers["Expires"] = "0"
-        return response
-
-    @router.get("/knowledge-graph/stats")
-    async def knowledge_graph_stats(request: Request):
-        require_user(request)
-        return graph().stats()
-
-    @router.get("/knowledge-graph/schema")
-    async def knowledge_graph_schema(request: Request):
-        require_user(request)
-        stats = graph().stats()
-        return {
-            "legacy_schema_version": stats.get("schema_version"),
-            "v2_schema_available": stats.get("v2_schema_available"),
-            "v2": stats.get("v2"),
-        }
-
-    @router.get("/knowledge-graph/graph")
-    async def knowledge_graph_data(request: Request, limit: int = 300):
-        require_user(request)
-        return graph().graph(limit)
-
-    @router.get("/knowledge-graph/documents")
-    async def knowledge_graph_documents(request: Request, limit: int = 200):
-        """Ingested documents (uploads + indexed local docs) with index state.
-
-        Backs the Files view so uploaded content is visible end-to-end:
-        upload → Files → Knowledge Graph → Hybrid Search → Chat.
-        """
-        require_user(request)
-        return graph().list_documents(limit)
-
-    @router.get("/knowledge-graph/search")
-    async def knowledge_graph_search(q: str, request: Request, limit: int = 30):
-        require_user(request)
-        if not q or not q.strip():
-            return {"query": q, "matches": []}
-        return graph().search(q, limit)
-
-    @router.get("/knowledge-graph/context")
-    async def knowledge_graph_context(q: str, request: Request, limit: int = 6):
-        require_user(request)
-        return {"query": q, "context": graph().context_for_query(q, limit)}
-
-    @router.get("/knowledge-graph/neighbors/{node_id:path}")
-    async def knowledge_graph_neighbors(node_id: str, request: Request):
-        require_user(request)
-        if not node_id:
-            raise HTTPException(status_code=400, detail="node_id required")
-        return graph().neighbors(node_id)
-
-    @router.post("/knowledge-graph/ingest")
-    async def knowledge_graph_ingest(req: KnowledgeGraphIngestRequest, request: Request):
-        current_user = require_user(request)
-        kg = graph()
-        event_type = (req.type or "").strip().lower()
-        if event_type not in {"message", "ai_response", "note"}:
-            raise HTTPException(status_code=400, detail="지원하는 type: message, ai_response, note")
-        role = req.role or ("assistant" if event_type == "ai_response" else "user")
-        return kg.ingest_message(
-            role,
-            req.content,
-            user_email=req.user_email or current_user,
-            user_nickname=req.user_nickname,
-            source=req.source or "mcp",
-            conversation_id=req.conversation_id,
-            raw={
-                "type": req.type,
-                "title": req.title,
-                "content": req.content,
-                "metadata": req.metadata or {},
-            },
-        )
-
-    return router
+__all__ = ["KnowledgeGraphIngestRequest", "create_knowledge_graph_router"]

package/latticeai/__init__.py

@@ -1,3 +1,3 @@
 """Lattice AI - modular server package."""
 
-__version__ = "3.6.0"
+__version__ = "4.0.1"

package/latticeai/api/admin.py

@@ -2,7 +2,7 @@
 
 import logging
 from collections import defaultdict
-from typing import Any, Callable, Dict, List, Optional
+from typing import Callable, Dict, List, Optional
 
 from fastapi import APIRouter, HTTPException, Request
 from pydantic import BaseModel
@@ -55,6 +55,7 @@ def create_admin_router(
     invite_code: str,
     invite_gate_enabled: bool,
     default_port: int,
+    policy_matrix: Optional[Callable[[], List[Dict[str, object]]]] = None,
 ) -> APIRouter:
     router = APIRouter()
 
@@ -109,16 +110,6 @@ def create_admin_router(
             report["graph"] = {"error": str(e)}
         return report
 
-    # Canonical RBAC capability map — which product areas each role can reach.
-    # This is the real access policy the app enforces, not sample data.
-    _ROLE_CAPS = {
-        "owner": ["all"],
-        "admin": ["users", "policies", "audit", "security", "chat", "search", "files", "pipeline"],
-        "member": ["chat", "search", "files", "pipeline"],
-        "user": ["chat", "search", "files", "pipeline"],
-        "viewer": ["chat", "search"],
-    }
-
     @router.get("/admin/roles")
     async def admin_roles(request: Request):
         _, users = require_admin(request)
@@ -126,13 +117,21 @@ def create_admin_router(
         for email, user in users.items():
             role = (get_user_role(email, users) or "user").lower()
             counts[role] += 1
-        # Always surface the two RBAC tiers the app actually distinguishes so the
-        # matrix is meaningful even before extra users exist.
-        for base in ("admin", "user"):
-            counts.setdefault(base, counts.get(base, 0))
+        matrix = policy_matrix() if policy_matrix else [
+            {"role": "admin", "caps": ["all"]},
+            {"role": "user", "caps": ["chat", "search"]},
+        ]
+        policy_caps = {
+            str(item.get("role") or "user"): list(item.get("caps") or [])
+            for item in matrix
+            if isinstance(item, dict)
+        }
+        for role in policy_caps:
+            counts.setdefault(role, 0)
+        order = {"owner": 0, "admin": 1, "member": 2, "user": 3, "viewer": 4}
         roles = [
-            {"role": role, "members": counts.get(role, 0), "caps": _ROLE_CAPS.get(role, ["chat", "search"])}
-            for role in sorted(counts, key=lambda r: (r != "owner", r != "admin", r))
+            {"role": role, "members": counts.get(role, 0), "caps": policy_caps.get(role, [])}
+            for role in sorted(counts, key=lambda r: (order.get(r, 99), r))
         ]
         return {"roles": roles}
 

package/latticeai/api/agents.py

@@ -14,6 +14,8 @@ from typing import Any, Callable, Dict, List, Optional
 from fastapi import APIRouter, HTTPException, Request
 from pydantic import BaseModel
 
+from latticeai.api.ui_redirects import app_redirect
+
 
 class AgentRunRequest(BaseModel):
     goal: str
@@ -41,6 +43,7 @@ def create_agents_router(
     ui_file_response: Optional[Callable[[Path], Any]] = None,
     static_dir: Optional[Path] = None,
     agent_runtime: Any = None,
+    run_executor: Any = None,
 ) -> APIRouter:
     from latticeai.core.multi_agent import AGENT_ROLES, ROLE_AGENT_IDS
     from latticeai.services.agent_runtime import AgentRuntime
@@ -91,12 +94,7 @@ def create_agents_router(
     @router.get("/agents")
     async def agents_page(request: Request):
         require_user(request)
-        if ui_file_response is None or static_dir is None:
-            raise HTTPException(status_code=404, detail="Multi-Agent UI not available.")
-        page = static_dir / "agents.html"
-        if not page.exists():
-            raise HTTPException(status_code=404, detail="Multi-Agent UI not found.")
-        return ui_file_response(page)
+        return app_redirect("agents", request)
 
     @router.get("/agents/api/roles")
     async def agent_roles(request: Request):
@@ -163,7 +161,22 @@ def create_agents_router(
         current_user = require_user(request)
         scope = gate_write(request)
         try:
-            return runtime.start(
+            if run_executor is not None:
+                return await run_executor.start_agent(
+                    req.goal,
+                    user_email=current_user or None,
+                    scope=scope,
+                    roles=req.roles or None,
+                    inputs=req.inputs,
+                    max_retries=req.max_retries,
+                )
+            # Worker thread: an LLM-backed run blocks on model generation and
+            # must not stall the event loop (the sync model bridge also
+            # requires a loop-free thread).
+            import asyncio
+
+            return await asyncio.to_thread(
+                runtime.start,
                 req.goal,
                 user_email=current_user or None,
                 scope=scope,

package/latticeai/api/auth.py

@@ -1,5 +1,7 @@
 """Authentication API router: register, login, logout, SSO, profile."""
 
+import base64
+import hashlib
 import logging
 import secrets
 import time
@@ -10,6 +12,7 @@ from fastapi import APIRouter, HTTPException, Request
 from fastapi.responses import JSONResponse, RedirectResponse
 from pydantic import BaseModel
 
+from latticeai.core.users import normalize_email
 from latticeai.core.oidc import (
     OIDCValidationError,
     fetch_jwks as _default_fetch_jwks,
@@ -64,27 +67,42 @@ def create_auth_router(
     open_registration: bool,
     session_ttl: int,
     require_auth: bool = True,
+    ensure_identity: Optional[Callable[[str, Dict], None]] = None,
     verify_id_token: Callable[..., Dict] = _default_verify_id_token,
     fetch_jwks: Callable[[str], Awaitable[Dict]] = _default_fetch_jwks,
 ) -> APIRouter:
     router = APIRouter()
 
+    def _enforce_password_policy(password: str) -> None:
+        # Real policy (v4): length >= 8 with letters AND digits. A 4-char
+        # minimum was not a policy.
+        pw = str(password or "")
+        if len(pw) < 8 or not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
+            raise HTTPException(
+                status_code=400,
+                detail="비밀번호는 8자 이상이며 영문자와 숫자를 모두 포함해야 합니다.",
+            )
+
     @router.post("/register")
     async def register(req: UserRegister, request: Request):
         check_ip_rate_limit(client_ip(request), "register", max_calls=5, window_secs=3600)
         if not open_registration:
             raise HTTPException(status_code=403, detail="회원가입이 비활성화되어 있습니다. 관리자에게 문의하세요.")
+        _enforce_password_policy(req.password)
+        email = normalize_email(req.email)
         users = load_users()
-        if req.email in users:
+        if email in users:
             raise HTTPException(status_code=400, detail="이미 존재하는 이메일입니다.")
         role = "admin" if not users else "user"
-        users[req.email] = {
+        users[email] = {
             "password": hash_password(req.password),
             "name": req.name,
             "nickname": req.nickname,
             "role": role,
             "disabled": False,
         }
+        if ensure_identity is not None:
+            ensure_identity(email, users[email])
         save_users(users)
         msg = "회원가입 성공! 첫 번째 사용자로 관리자 권한이 부여되었습니다." if role == "admin" else "회원가입 성공!"
         return {"status": "ok", "message": msg, "role": role}
@@ -92,19 +110,20 @@ def create_auth_router(
     @router.post("/login")
     async def login(req: UserLogin, request: Request):
         check_ip_rate_limit(client_ip(request), "login", max_calls=10, window_secs=300)
+        email = normalize_email(req.email)
         users = load_users()
-        user = users.get(req.email)
-        if not user or not verify_and_migrate(req.email, req.password, user.get("password", ""), users):
+        user = users.get(email)
+        if not user or not verify_and_migrate(email, req.password, user.get("password", ""), users):
             raise HTTPException(status_code=401, detail="이메일 또는 비밀번호가 틀렸습니다.")
         if user.get("disabled"):
             raise HTTPException(status_code=403, detail="비활성화된 계정입니다.")
-        role = get_user_role(req.email, users)
-        token = create_session(req.email)
+        role = get_user_role(email, users)
+        token = create_session(email)
         response = JSONResponse(content={
             "status": "ok",
             "nickname": user["nickname"],
             "name": user["name"],
-            "email": req.email,
+            "email": email,
             "role": role,
             "is_admin": role == "admin",
         })
@@ -123,7 +142,15 @@ def create_auth_router(
             raise HTTPException(status_code=503, detail="SSO가 설정되지 않았습니다.")
         state = secrets.token_urlsafe(16)
         nonce = secrets.token_urlsafe(16)
-        _sso_states[state] = (time.time(), nonce)
+        # PKCE (S256): bind the token exchange to this login, so an
+        # intercepted authorization code is useless without the verifier.
+        code_verifier = secrets.token_urlsafe(48)
+        code_challenge = (
+            base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode("ascii")).digest())
+            .rstrip(b"=")
+            .decode("ascii")
+        )
+        _sso_states[state] = (time.time(), nonce, code_verifier)
         params = urlencode({
             "client_id": settings["client_id"],
             "response_type": "code",
@@ -131,6 +158,8 @@ def create_auth_router(
             "scope": settings.get("scopes") or "openid email profile",
             "state": state,
             "nonce": nonce,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
         })
         return RedirectResponse(f"{discovery['authorization_endpoint']}?{params}")
 
@@ -141,7 +170,7 @@ def create_auth_router(
         entry = _sso_states.pop(state, None)
         if entry is None or time.time() - entry[0] > 300:
             raise HTTPException(status_code=400, detail="유효하지 않은 SSO 상태입니다.")
-        _, nonce = entry
+        _, nonce, code_verifier = entry
         settings = get_sso_settings()
         discovery = await get_sso_discovery()
         if not settings.get("enabled") or not discovery:
@@ -154,6 +183,7 @@ def create_auth_router(
                 "redirect_uri": settings["redirect_uri"],
                 "client_id": settings["client_id"],
                 "client_secret": settings["client_secret"],
+                "code_verifier": code_verifier,
             }, headers={"Accept": "application/json"}, timeout=15)
             tokens = r.json()
         id_token = tokens.get("id_token")
@@ -178,7 +208,7 @@ def create_auth_router(
         except Exception as exc:  # discovery/JWKS fetch failure → fail closed
             logging.warning("SSO token validation error: %s", exc)
             raise HTTPException(status_code=502, detail="SSO 공급자 검증에 실패했습니다.")
-        email = payload.get("email") or payload.get("preferred_username") or payload.get("upn") or ""
+        email = normalize_email(payload.get("email") or payload.get("preferred_username") or payload.get("upn") or "")
         if not email:
             raise HTTPException(status_code=400, detail="이메일을 확인할 수 없습니다.")
         users = load_users()
@@ -192,6 +222,8 @@ def create_auth_router(
                 "disabled": False,
                 "sso": True,
             }
+            if ensure_identity is not None:
+                ensure_identity(email, users[email])
             save_users(users)
         if users[email].get("disabled"):
             raise HTTPException(status_code=403, detail="비활성화된 계정입니다.")
@@ -211,11 +243,10 @@ def create_auth_router(
 
     @router.post("/account/change-password")
     async def change_password(req: ChangePasswordRequest, request: Request):
-        email = require_user(request)
+        email = normalize_email(require_user(request))
         if not email:
             raise HTTPException(status_code=401, detail="인증이 필요합니다.")
-        if len(req.new_password) < 4:
-            raise HTTPException(status_code=400, detail="새 비밀번호는 4자 이상이어야 합니다.")
+        _enforce_password_policy(req.new_password)
         users = load_users()
         user = users.get(email)
         if not user:
@@ -228,7 +259,7 @@ def create_auth_router(
 
     @router.patch("/account/profile")
     async def update_profile(req: UpdateProfileRequest, request: Request):
-        email = require_user(request)
+        email = normalize_email(require_user(request))
         if not email:
             raise HTTPException(status_code=401, detail="인증이 필요합니다.")
         if req.name is not None and not req.name.strip():
@@ -248,7 +279,7 @@ def create_auth_router(
 
     @router.get("/account/profile")
     async def get_profile(request: Request):
-        email = require_user(request)
+        email = normalize_email(require_user(request))
         if not email:
             if require_auth:
                 raise HTTPException(status_code=401, detail="인증이 필요합니다.")